Correct state machine for SASL bind auth
authorNick Porter <nick@portercomputing.co.uk>
Tue, 11 Apr 2023 09:15:12 +0000 (10:15 +0100)
committerNick Porter <nick@portercomputing.co.uk>
Tue, 11 Apr 2023 09:15:12 +0000 (10:15 +0100)
There needs to be one more call to ldap_sasl_interactive_bind after
ldap_result returns success to complete the SASL bind.

It is the return code of ldap_sasl_interactive_bind which indicates
whether a further call is required or not.

src/lib/ldap/sasl.c
src/modules/rlm_ldap/rlm_ldap.c

index 8373a0ab08afd245960c8bb5087ec522108e83f0..ddd277cd6d438d308ef3d8c3756b6436625e148b 100644 (file)
@@ -372,13 +372,14 @@ static unlang_action_t ldap_async_sasl_auth_bind_start(UNUSED rlm_rcode_t *p_res
 
        RDEBUG2("%s SASL bind auth operation as %s", sasl_ctx->rmech ? "Continuing" : "Starting", sasl_ctx->dn);
 
-       ret = ldap_sasl_interactive_bind(sasl_ctx->c->handle, sasl_ctx->dn, sasl_ctx->mechs,
+       ret = ldap_sasl_interactive_bind(sasl_ctx->c->handle, NULL, sasl_ctx->mechs,
                                         NULL, NULL, LDAP_SASL_AUTOMATIC,
                                         _sasl_interact, sasl_ctx, sasl_ctx->result,
                                         &sasl_ctx->rmech, &bind_auth_ctx->msgid);
 
        switch (ret) {
        case LDAP_SUCCESS:
+               bind_auth_ctx->ret = LDAP_PROC_SUCCESS;
                return UNLANG_ACTION_CALCULATE_RESULT;
 
        case LDAP_SASL_BIND_IN_PROGRESS:
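Review bot: The bind DN argument of `ldap_sasl_interactive_bind` is changed from `sasl_ctx->dn` to `NULL` without a comment, while the RDEBUG2 line just above still reports the operation as running as `sasl_ctx->dn`, so a reader has to guess where the authentication identity now comes from. Presumably `_sasl_interact` supplies it from `sasl_ctx` (that callback is not visible here), and a one-line comment on the call stating that contract would help, e.g. `/* dn is NULL: the identity is supplied by _sasl_interact from sasl_ctx, not as a bind DN */`. If the interact callback does not in fact carry the DN, the debug message now names an identity that libldap never sees, which is worth confirming before relying on that log line for audit. `ldap_async_sasl_auth_bind_start` begins before this hunk and the remaining `switch` cases follow after it.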
index 9954dfadddd898e3be53d2138e7b37671264c19b..48ce9694ceff724b94cbe878777fa392ad0f42c3 100644 (file)
@@ -717,6 +717,13 @@ static void _ldap_bind_auth_io_read(UNUSED fr_event_list_t *el, UNUSED int fd, U
 
                case LDAP_PROC_SUCCESS:
                        if (bind_auth_ctx->type == LDAP_BIND_SIMPLE) break;
+
+                       /*
+                        *      With SASL binds, we will be here after ldap_sasl_interactive_bind
+                        *      returned LDAP_SASL_BIND_IN_PROGRESS.  That always requires a further
+                        *      call of ldap_sasl_interactive_bind to get the final result.
+                        */
+                       bind_auth_ctx->ret = LDAP_PROC_CONTINUE;
                        FALL_THROUGH;
 
                case LDAP_PROC_CONTINUE:
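Review bot: The new `bind_auth_ctx->ret = LDAP_PROC_CONTINUE;` rewrites every SASL `LDAP_PROC_SUCCESS` that reaches this handler, so it is only correct if the final `LDAP_SUCCESS` from `ldap_sasl_interactive_bind` never arrives here; the sasl.c hunk does return `UNLANG_ACTION_CALCULATE_RESULT` directly in that case, but nothing in this function records that dependency. I would extend the added comment with one line naming the invariant, e.g. `*	The final LDAP_SUCCESS is reported by ldap_async_sasl_auth_bind_start itself and never passes through here.`, so a later change to the start function does not silently turn a completed bind into an endless continue. Treating a server "success" received mid-exchange as continue rather than as authenticated is the conservative direction, which is fine. `_ldap_bind_auth_io_read` starts before this hunk and the `LDAP_PROC_CONTINUE` body runs past it.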
@@ -1154,7 +1161,6 @@ static unlang_action_t mod_authenticate_resume(rlm_rcode_t *p_result, UNUSED int
                                                 auth_ctx->password, mod_env->user_sasl_proxy.vb_strvalue,
                                                 mod_env->user_sasl_realm.vb_strvalue) < 0) goto fail;
 #else
-               
                RDEBUG("Configuration item 'sasl.mech' is not supported.  "
                       "The linked version of libldap does not provide ldap_sasl_bind( function");
                RETURN_MODULE_FAIL;