From a71a7cdd9853643c8bfa3338ddbaec9f21a0145a Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Mon, 24 Jul 2000 23:05:45 +0000 Subject: [PATCH] Rework authorization handling such that authzid u:user gets mapped to authzdn uid=user. Disallow authzid in DN form until we have a validator. --- servers/slapd/sasl.c | 41 +++++++++++++++++++++++++++++++++-------- 1 file changed, 33 insertions(+), 8 deletions(-) diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 52b0860802..bb8cf2aed6 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -89,6 +89,12 @@ slap_sasl_authorize( return SASL_BADAUTH; } + Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: " + "authcid=\"%s\" authzid=\"%s\"\n", + (long) (conn ? conn->c_connid : -1), + authcid ? authcid : "", + authcid ? authcid : "" ); + if ( authzid == NULL || *authzid == '\0' || strcmp( authcid, authzid ) == 0 ) { @@ -461,20 +467,27 @@ int slap_sasl_bind( realm ? realm : "", (unsigned long) ( ssf ? *ssf : 0 ) ); - if( !strncasecmp( username, "anonymous", sizeof("anonyous")-1 ) && + + rc = LDAP_SUCCESS; + + if( username == NULL || ( + !strncasecmp( username, "anonymous", sizeof("anonyous")-1 ) && ( ( username[sizeof("anonymous")] == '\0' ) || - ( username[sizeof("anonymous")] == '@' ) ) ) + ( username[sizeof("anonymous")] == '@' ) ) ) ) { Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: anonymous\n", 0, 0, 0); - } else { + } else if ( username[0] == 'u' && username[1] == ':' + && username[2] != '\0' + && strpbrk( &username[2], "=,;\"\\") == NULL ) + { *edn = ch_malloc( sizeof( "uid= + realm=" ) - + ( username ? strlen( username ) : 0 ) + + strlen( &username[2] ) + ( realm ? strlen( realm ) : 0 ) ); strcpy( *edn, "uid=" ); - strcat( *edn, username ); + strcat( *edn, &username[2] ); if( realm && *realm ) { strcat( *edn, " + realm=" ); @@ -483,11 +496,23 @@ int slap_sasl_bind( Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: authzdn: \"%s\"\n", *edn, 0, 0); + + } else { + rc = LDAP_INAPPROPRIATE_AUTH; + errstr = "authorization disallowed"; + Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: %s\n", + errstr, 0, 0); } - send_ldap_sasl( conn, op, rc = LDAP_SUCCESS, - NULL, NULL, NULL, NULL, - response.bv_len ? &response : NULL ); + if( rc == LDAP_SUCCESS ) { + send_ldap_sasl( conn, op, rc, + NULL, NULL, NULL, NULL, + response.bv_len ? &response : NULL ); + + } else { + send_ldap_result( conn, op, rc, + NULL, errstr, NULL, NULL ); + } } } else if ( sc == SASL_CONTINUE ) { -- 2.39.5