tag = ber_scanf( ber, /*{*/ "m}", &cred );
} else {
- tag = ber_scanf( ber, "{o" /*}*/, &mech );
+ tag = ber_scanf( ber, "{m" /*}*/, &mech );
if ( tag != LBER_ERROR ) {
ber_len_t len;
slap_sasl_reset(conn);
}
} else {
- conn->c_sasl_bind_mech = mech;
- mech.bv_val = NULL;
- mech.bv_len = 0;
+ ber_dupbv( &conn->c_sasl_bind_mech, &mech );
}
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
}
if ( method == LDAP_AUTH_SIMPLE ) {
+ ber_str2bv( "SIMPLE", sizeof("SIMPLE")-1, 0, &mech );
/* accept "anonymous" binds */
if ( cred.bv_len == 0 || ndn.bv_len == 0 ) {
rc = LDAP_SUCCESS;
#endif
goto cleanup;
}
+ ber_str2bv( "KRBV4", sizeof("KRBV4")-1, 0, &mech );
#endif
} else {
}
/* log authorization identity */
Statslog( LDAP_DEBUG_STATS,
- "conn=%lu op=%lu BIND dn=\"%s\" mech=simple (SLAPI) ssf=0\n",
+ "conn=%lu op=%lu BIND dn=\"%s\" mech=%s (SLAPI) ssf=0\n",
op->o_connid, op->o_opid,
- conn->c_dn.bv_val, 0, 0 );
+ conn->c_dn.bv_val, mech.bv_val, 0 );
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
}
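Review bot: The Statslog format at L32 now prints `mech=%s` from mech.bv_val, and on this simple-bind path mech was set to the literal "SIMPLE" at L18, so the emitted token changes from `mech=simple` to `mech=SIMPLE`; anything that parses these stats lines should expect the new casing, and the same applies to the non-SLAPI line at L42. If this logging can be reached for a method that is neither simple nor the KRBV4 branch at L25 (the `else` at L27 is cut off here), `%s` would receive an unset or NULL bv_val, which is undefined; initialising mech to an empty berval where it is declared (outside this chunk) would make the log safe on every path.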
#ifdef NEW_LOGGING
/* log authorization identity */
Statslog( LDAP_DEBUG_STATS,
- "conn=%lu op=%lu BIND dn=\"%s\" mech=simple ssf=0\n",
+ "conn=%lu op=%lu BIND dn=\"%s\" mech=%s ssf=0\n",
op->o_connid, op->o_opid,
- conn->c_dn.bv_val, conn->c_authmech.bv_val, 0 );
+ conn->c_dn.bv_val, mech.bv_val, 0 );
#ifdef NEW_LOGGING
LDAP_LOG( OPERATION, DETAIL1,
#endif /* defined( LDAP_SLAPI ) */
cleanup:
+ if ( rc == LDAP_SUCCESS ) {
+ if ( method != LDAP_AUTH_SASL ) {
+ ber_dupbv( &conn->c_authmech, &mech );
+ }
+ conn->c_authtype = method;
+ }
+
conn->c_sasl_bindop = NULL;
if( pdn.bv_val != NULL ) {
if( ndn.bv_val != NULL ) {
free( ndn.bv_val );
}
- if ( mech.bv_val != NULL ) {
- free( mech.bv_val );
- }
return rc;
}
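Review bot: `ber_dupbv( &conn->c_authmech, &mech )` at L52 overwrites c_authmech without releasing a value it may already hold and without checking ber_dupbv's NULL return, so on allocation failure c_authtype is still set to `method` at L54 while c_authmech stays empty. Unless a step outside this chunk already cleared c_authmech for this bind, a rebind on the same connection leaks the previous string; `free( conn->c_authmech.bv_val ); BER_BVZERO( &conn->c_authmech );` before the dup would make the ownership explicit. The writes at L52 and L54 also sit after the c_mutex unlock visible at L36, so unless the lines pruned between L37 and L49 re-acquire it, connection authentication state is updated outside the connection lock. The function's beginning, including the declaration of mech, is outside this chunk.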
int slap_sasl_getdn( Connection *conn, char *id, int len,
char *user_realm, struct berval *dn, int flags )
{
- char *c1;
int rc, is_dn = SET_NONE, do_norm = 1;
- struct berval dn2;
+ struct berval dn2, *mech;
#ifdef NEW_LOGGING
LDAP_LOG( TRANSPORT, ENTRY,
len = 0;
}
+ if ( conn->c_sasl_bind_mech.bv_len ) {
+ mech = &conn->c_sasl_bind_mech;
+ } else {
+ mech = &conn->c_authmech;
+ }
+
/* An authcID needs to be converted to authzID form. Set the
* values directly into *dn; they will be normalized later. (and
* normalizing always makes a new copy.) An ID from a TLS certificate
* is already normalized, so copy it and skip normalization.
*/
if( flags & SLAP_GETDN_AUTHCID ) {
- if( conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len &&
- strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 )
+ if( mech->bv_len == ext_bv.bv_len &&
+ strcasecmp( ext_bv.bv_val, mech->bv_val ) == 0 )
{
/* EXTERNAL DNs are already normalized */
do_norm = 0;
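Review bot: The selection at L78-L82 changes which mechanism name feeds the authzID mapping without saying so: when no SASL bind is in progress it now falls back to c_authmech, which the bind path fills with "SIMPLE" or "KRBV4" for non-SASL binds, so the EXTERNAL comparison at L92-L93 and any later `,cn=<mech>` component see that name instead of an empty one. A comment above L78 would make the intent reviewable, e.g. `/* prefer the mechanism of the SASL bind in progress; otherwise use the one that authenticated this connection (may be empty) */`. Note that strcasecmp at L93 is only safe because the bv_len test at L92 short-circuits when mech->bv_len is 0 and bv_val is NULL, so the order of the two conditions must be kept. Since mech is only read, L73 could declare it `const struct berval *mech` if the copy helpers accept a const source. slap_sasl_getdn continues outside this hunk.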
/* Username strings */
if( is_dn == SET_U ) {
- char *p, *realm;
+ char *p;
+ struct berval realm = { 0, NULL }, c1 = *dn;
len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1;
- /* username may have embedded realm name */
+#if 0
+ /* userids can legally have embedded '@' chars;
+ * the realm should be set by those mechanisms
+ * that support it by means of the user_realm
+ * variable
+ */
if( ( realm = strchr( dn->bv_val, '@') ) ) {
*realm++ = '\0';
len += sizeof(",cn=")-2;
- } else if( user_realm && *user_realm ) {
- len += strlen( user_realm ) + sizeof(",cn=")-1;
+ } else
+#endif
+ if( user_realm && *user_realm ) {
+ realm.bv_val = user_realm;
+ realm.bv_len = strlen( user_realm );
+ len += realm.bv_len + sizeof(",cn=")-1;
}
- if( conn->c_sasl_bind_mech.bv_len ) {
- len += conn->c_sasl_bind_mech.bv_len + sizeof(",cn=")-1;
+ if( mech->bv_len ) {
+ len += mech->bv_len + sizeof(",cn=")-1;
}
/* Build the new dn */
- c1 = dn->bv_val;
dn->bv_val = SLAP_MALLOC( len+1 );
if( dn->bv_val == NULL ) {
#ifdef NEW_LOGGING
return LDAP_OTHER;
}
p = lutil_strcopy( dn->bv_val, "uid=" );
- p = lutil_strncopy( p, c1, dn->bv_len );
+ p = lutil_strncopy( p, c1.bv_val, dn->bv_len );
- if( realm ) {
- int rlen = dn->bv_len - ( realm - c1 );
- p = lutil_strcopy( p, ",cn=" );
- p = lutil_strncopy( p, realm, rlen );
- realm[-1] = '@';
- } else if( user_realm && *user_realm ) {
+ if( realm.bv_len ) {
p = lutil_strcopy( p, ",cn=" );
- p = lutil_strcopy( p, user_realm );
+ p = lutil_strncopy( p, realm.bv_val, realm.bv_len );
}
- if( conn->c_sasl_bind_mech.bv_len ) {
+ if( mech->bv_len ) {
p = lutil_strcopy( p, ",cn=" );
- p = lutil_strcopy( p, conn->c_sasl_bind_mech.bv_val );
+ p = lutil_strcopy( p, mech->bv_val );
}
p = lutil_strcopy( p, ",cn=auth" );
dn->bv_len = p - dn->bv_val;
LDAP_LOG( TRANSPORT, ENTRY,
"slap_sasl_getdn: u:id converted to %s.\n", dn->bv_val, 0, 0 );
#else
- Debug( LDAP_DEBUG_TRACE, "getdn: u:id converted to %s\n", dn->bv_val,0,0 );
+ Debug( LDAP_DEBUG_TRACE, "slap_sasl_getdn: u:id converted to %s\n", dn->bv_val,0,0 );
#endif
} else {