From: Marco Bettini
Date: Fri, 6 Sep 2024 15:04:16 +0000 (+0000)
Subject: auth: ldap - Change string auth_sasl_mechanism into bool list auth_sasl_mechanisms
X-Git-Tag: 2.4.0~459
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dff1a96c858e514fdd17ce611af8462e7c9bdd7a;p=thirdparty%2Fdovecot%2Fcore.git
auth: ldap - Change string auth_sasl_mechanism into bool list auth_sasl_mechanisms
---
diff --git a/src/auth/db-ldap-settings.c b/src/auth/db-ldap-settings.c
index 18c9e2de70..0ab93f75f1 100644
--- a/src/auth/db-ldap-settings.c
+++ b/src/auth/db-ldap-settings.c
@@ -1,6 +1,7 @@
 /* Copyright (c) 2005-2024 Dovecot authors, see the included COPYING file */
 #include "lib.h"
+#include "array.h"
 #include "settings.h"
 #include "db-ldap-settings.h"
@@ -22,7 +23,7 @@ static const struct setting_define ldap_setting_defines[] = {
 DEF(STR, connection_group),
 DEF(STR, auth_dn),
 DEF(STR, auth_dn_password),
- DEF(STR, auth_sasl_mechanism),
+ DEF(BOOLLIST, auth_sasl_mechanisms),
 DEF(STR, auth_sasl_realm),
 DEF(STR, auth_sasl_authz_id),
 DEF(BOOL, starttls),
@@ -38,7 +39,7 @@ static const struct ldap_settings ldap_default_settings = {
 .connection_group = "",
 .auth_dn = "",
 .auth_dn_password = "",
- .auth_sasl_mechanism = "",
+ .auth_sasl_mechanisms = ARRAY_INIT,
 .auth_sasl_realm = "",
 .auth_sasl_authz_id = "",
 .starttls = FALSE,
@@ -183,7 +184,7 @@ static bool ldap_setting_check(void *_set, pool_t pool ATTR_UNUSED,
 #endif
 #ifndef HAVE_LDAP_SASL
- if (*set->auth_sasl_mechanism != '\0') {
+ if (!array_is_empty(&set->auth_sasl_mechanisms)) {
 *error_r = "ldap_auth_sasl_mechanism set, but no SASL support compiled in";
 return FALSE;
 }
@@ -202,7 +203,7 @@ int ldap_setting_post_check(const struct ldap_settings *set, const char **error_
 }
 if (set->version < 3) {
- if (*set->auth_sasl_mechanism != '\0') {
+ if (!array_is_empty(&set->auth_sasl_mechanisms)) {
 *error_r = "ldap_auth_sasl_mechanism requires ldap_version=3";
 return -1;
 }
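Review bot: The two error strings kept as context in the `#ifndef HAVE_LDAP_SASL` block and in the `set->version < 3` block still name the setting `ldap_auth_sasl_mechanism`, although the surrounding hunks rename the field to `auth_sasl_mechanisms` and turn it into a bool list, so the message an administrator gets presumably no longer matches the key they have to change. I would update both strings to `*error_r = "ldap_auth_sasl_mechanisms set, but no SASL support compiled in";` and `*error_r = "ldap_auth_sasl_mechanisms requires ldap_version=3";`, assuming the settings prefix stays `ldap_` (the prefix itself is not visible in this diff). The same stale name appears in the ldap_setting_post_check hunk right below, so both should be fixed together. Both ldap_setting_check and ldap_setting_post_check begin outside their hunks.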
diff --git a/src/auth/db-ldap-settings.h b/src/auth/db-ldap-settings.h
index 26ab3bc104..00b441e079 100644
--- a/src/auth/db-ldap-settings.h
+++ b/src/auth/db-ldap-settings.h
@@ -20,7 +20,7 @@ struct ldap_settings {
 const char *auth_dn;
 const char *auth_dn_password;
- const char *auth_sasl_mechanism;
+ ARRAY_TYPE(const_string) auth_sasl_mechanisms;
 const char *auth_sasl_realm;
 const char *auth_sasl_authz_id;
diff --git a/src/auth/db-ldap.c b/src/auth/db-ldap.c
index 8db3f6df24..8d8dffc054 100644
--- a/src/auth/db-ldap.c
+++ b/src/auth/db-ldap.c
@@ -759,10 +759,12 @@ static int db_ldap_bind_sasl(struct ldap_connection *conn)
 context.realm = conn->set->auth_sasl_realm;
 context.authzid = conn->set->auth_sasl_authz_id;
+ const char *mechs = t_array_const_string_join(
+ &conn->set->auth_sasl_mechanisms, " ");
+
 /* There doesn't seem to be a way to do SASL binding asynchronously.. */
- ret = ldap_sasl_interactive_bind_s(conn->ld, NULL,
- conn->set->auth_sasl_mechanism,
+ ret = ldap_sasl_interactive_bind_s(conn->ld, NULL, mechs,
 NULL, NULL, LDAP_SASL_QUIET,
 sasl_interact, &context);
 if (db_ldap_connect_finish(conn, ret) < 0)
@@ -816,15 +818,12 @@ static int db_ldap_bind_simple(struct ldap_connection *conn)
 static int db_ldap_bind(struct ldap_connection *conn)
 {
- if (*conn->set->auth_sasl_mechanism != '\0') {
- if (db_ldap_bind_sasl(conn) < 0)
- return -1;
- } else {
- if (db_ldap_bind_simple(conn) < 0)
- return -1;
- }
-
- return 0;
+ int ret;
+ if (array_is_empty(&conn->set->auth_sasl_mechanisms))
+ ret = db_ldap_bind_simple(conn);
+ else
+ ret = db_ldap_bind_sasl(conn);
+ return ret < 0 ? -1 : 0;
 }
 static void db_ldap_get_fd(struct ldap_connection *conn)
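Review bot: The space-joined `mechs` string built from `auth_sasl_mechanisms` is handed straight to `ldap_sasl_interactive_bind_s` without a comment on what a multi-entry list means, and nothing in the hunk pins which mechanism is actually negotiated when several are configured; from the visible join and call that choice appears to be delegated to the SASL library rather than enforced in order, but that is inferred. I would say so above the join, e.g. `/* Configured mechanisms are joined into the space-separated list the library expects; which one is used is negotiated with the server, so list only mechanisms that are acceptable. */`, so operators do not assume the first entry is the one used. db_ldap_bind_sasl begins before the hunk; `mechs` comes from a t_ helper and I assume its data-stack lifetime covers the synchronous bind call, but that frame is not visible here.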
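Review bot: The rewritten db_ldap_bind switches on `array_is_empty(&conn->set->auth_sasl_mechanisms)` with no comment, so a reader has to know that an empty list selects the simple bind path rather than being a configuration error; a one-liner above the `if`, such as `/* No SASL mechanisms configured: fall back to a simple bind */`, would make the fallback explicit. The closing `return ret < 0 ? -1 : 0;` re-normalizes the helpers' results; if db_ldap_bind_simple and db_ldap_bind_sasl already return only -1 or 0 (their bodies are outside this hunk) a plain `return ret;` would read more directly, otherwise the normalization deserves a comment saying why.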