From b057507e2337252f5524dad73b5e2c4d4c1c6f51 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Fri, 10 May 2002 19:26:35 +0000 Subject: [PATCH] Cleanup HAVE_TLS dependencies, cleanup username with embedded realm handling --- servers/slapd/sasl.c | 60 ++++++++++++++++---------------------------- 1 file changed, 21 insertions(+), 39 deletions(-) diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 3d6113b917..f9a083d9d1 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -178,13 +178,16 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, /* An authcID needs to be converted to authzID form */ if( flags & FLAG_GETDN_AUTHCID ) { +#ifdef HAVE_TLS if( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) { /* X.509 DN is already normalized */ do_norm = 0; is_dn = SET_DN; - } else { + } else +#endif + { /* convert to u: form */ is_dn = SET_U; } @@ -210,10 +213,14 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, /* Username strings */ if( is_dn == SET_U ) { - char *p; + char *p, *realm; len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1; - if( user_realm && *user_realm ) { + /* username may have embedded realm name */ + if( realm = strchr( dn->bv_val, '@') ) { + *realm++ = '\0'; + len += sizeof(",cn=")-2; + } else if( user_realm && *user_realm ) { len += strlen( user_realm ) + sizeof(",cn=")-1; } @@ -228,7 +235,11 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, p = slap_strcopy( p, c1 ); ch_free( c1 ); - if( user_realm && *user_realm ) { + if( realm ) { + p = slap_strcopy( p, ",cn=" ); + p = slap_strcopy( p, realm ); + realm[-1] = '@'; + } else if( user_realm && *user_realm ) { p = slap_strcopy( p, ",cn=" ); p = slap_strcopy( p, user_realm ); } @@ -469,8 +480,7 @@ slap_sasl_canonicalize( Connection *conn = (Connection *)context; struct propctx *props = sasl_auxprop_getctx( sconn ); struct berval dn; - int rc, ext = 0; - char *realm; + int rc; const char *names[2]; *out_len = 0; @@ -505,20 +515,8 @@ slap_sasl_canonicalize( } } - /* If using SASL-EXTERNAL, don't modify the ID in any way */ - if ( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len - && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) { - ext = 1; - realm = NULL; - } else { - /* Else look for an embedded realm in the name */ - realm = strchr( in, '@' ); - if ( realm ) *realm++ = '\0'; - } - rc = slap_sasl_getdn( conn, (char *)in, inlen, realm ? realm : (char *)user_realm, &dn, + rc = slap_sasl_getdn( conn, (char *)in, inlen, (char *)user_realm, &dn, (flags & SASL_CU_AUTHID) ? FLAG_GETDN_AUTHCID : FLAG_GETDN_AUTHZID ); - if ( realm ) - realm[-1] = '@'; if ( rc != LDAP_SUCCESS ) { sasl_seterror( sconn, 0, ldap_err2string( rc ) ); return SASL_NOAUTHZ; @@ -628,9 +626,9 @@ slap_sasl_authorize( const char **errstr) { struct berval authcDN, authzDN; - int rc, ext = 0; + int rc: Connection *conn = context; - char *realm, *xrealm; + char *realm; *user = NULL; @@ -664,16 +662,7 @@ slap_sasl_authorize( /* Convert the identities to DN's. If no authzid was given, client will be bound as the DN matching their username */ - if ( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len - && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) { - ext = 1; - xrealm = NULL; - } else { - xrealm = strchr( authcid, '@' ); - if ( xrealm ) *xrealm++ = '\0'; - } - rc = slap_sasl_getdn( conn, (char *)authcid, 0, xrealm ? xrealm : realm, &authcDN, FLAG_GETDN_AUTHCID ); - if ( xrealm ) xrealm[-1] = '@'; + rc = slap_sasl_getdn( conn, (char *)authcid, 0, realm, &authcDN, FLAG_GETDN_AUTHCID ); if( rc != LDAP_SUCCESS ) { *errstr = ldap_err2string( rc ); return SASL_NOAUTHZ; @@ -692,14 +681,7 @@ slap_sasl_authorize( *errstr = NULL; return SASL_OK; } - if ( ext ) { - xrealm = NULL; - } else { - xrealm = strchr( authzid, '@' ); - if ( xrealm ) *xrealm++ = '\0'; - } - rc = slap_sasl_getdn( conn, (char *)authzid, 0, xrealm ? xrealm : realm, &authzDN, FLAG_GETDN_AUTHZID ); - if ( xrealm ) xrealm[-1] = '@'; + rc = slap_sasl_getdn( conn, (char *)authzid, 0, realm, &authzDN, FLAG_GETDN_AUTHZID ); if( rc != LDAP_SUCCESS ) { ch_free( authcDN.bv_val ); *errstr = ldap_err2string( rc ); -- 2.39.5