From: Arran Cudbard-Bell Date: Sun, 1 Jun 2025 16:28:06 +0000 (-0600) Subject: Explicitly store the result of edit get password operations X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3302ce024bd3c340bad0bafce344dc2c64bd5b37;p=thirdparty%2Ffreeradius-server.git Explicitly store the result of edit get password operations --- diff --git a/src/lib/ldap/base.h b/src/lib/ldap/base.h index 07311916a44..d0a42052a93 100644 --- a/src/lib/ldap/base.h +++ b/src/lib/ldap/base.h @@ -840,7 +840,7 @@ int fr_ldap_conn_directory_alloc_async(fr_ldap_connection_t *ldap_conn); /* * edir.c - Edirectory integrations */ -unlang_action_t fr_ldap_edir_get_password(request_t *request, char const *dn, +unlang_action_t fr_ldap_edir_get_password(unlang_result_t *p_result, request_t *request, char const *dn, fr_ldap_thread_trunk_t *ttrunk, fr_dict_attr_t const *password_da); char const *fr_ldap_edir_errstr(int code); @@ -912,7 +912,8 @@ int fr_ldap_sasl_bind_auth_send(fr_ldap_sasl_ctx_t *sasl_ctx, int *msgid, fr_ldap_connection_t *ldap_conn); -unlang_action_t fr_ldap_sasl_bind_auth_async(request_t *request, +unlang_action_t fr_ldap_sasl_bind_auth_async(unlang_result_t *p_result, + request_t *request, fr_ldap_thread_t *thread, char const *mechs, char const *identity, diff --git a/src/lib/ldap/bind.c b/src/lib/ldap/bind.c index 2993ed2dc80..8985a15de3b 100644 --- a/src/lib/ldap/bind.c +++ b/src/lib/ldap/bind.c @@ -332,13 +332,13 @@ unlang_action_t fr_ldap_bind_auth_async(unlang_result_t *p_result, request_t *re if (!ttrunk) { ERROR("Failed to get trunk connection for LDAP bind"); - return UNLANG_ACTION_FAIL; + RETURN_UNLANG_FAIL; } treq = trunk_request_alloc(ttrunk->trunk, request); if (!treq) { ERROR ("Failed to allocate trunk request for LDAP bind"); - return UNLANG_ACTION_FAIL; + RETURN_UNLANG_FAIL; } MEM(bind_auth_ctx = talloc(treq, fr_ldap_bind_auth_ctx_t)); 
@@ -365,7 +365,7 @@ unlang_action_t fr_ldap_bind_auth_async(unlang_result_t *p_result, request_t *re default: ERROR("Failed to enqueue bind request"); trunk_request_free(&treq); - return UNLANG_ACTION_FAIL; + RETURN_UNLANG_FAIL; } return unlang_function_push(p_result, diff --git a/src/lib/ldap/edir.c b/src/lib/ldap/edir.c index 4137eef8cc2..b650bc2c024 100644 --- a/src/lib/ldap/edir.c +++ b/src/lib/ldap/edir.c @@ -280,6 +280,7 @@ static void ldap_edir_get_password_cancel(UNUSED request_t *request, UNUSED fr_s /** Initiate retrieval of the universal password from Novell eDirectory * + * @param[out] p_result Where to write the result of the operation. * @param[in] request Current request. * @param[in] dn of the user whose password is to be retrieved. * @param[in] ttrunk on which to send the LDAP request. @@ -288,7 +289,8 @@ static void ldap_edir_get_password_cancel(UNUSED request_t *request, UNUSED fr_s * - UNLANG_ACTION_PUSHED_CHILD on success. * - UNLANG_ACTION_FAIL on failure. */ -unlang_action_t fr_ldap_edir_get_password(request_t *request, char const *dn, fr_ldap_thread_trunk_t *ttrunk, +unlang_action_t fr_ldap_edir_get_password(unlang_result_t *p_result, + request_t *request, char const *dn, fr_ldap_thread_trunk_t *ttrunk, fr_dict_attr_t const *password_da) { ldap_edir_ctx_t *edir_ctx; @@ -296,7 +298,7 @@ unlang_action_t fr_ldap_edir_get_password(request_t *request, char const *dn, fr if (!dn || !*dn) { REDEBUG("Missing DN"); - return UNLANG_ACTION_FAIL; + RETURN_UNLANG_FAIL; } MEM(edir_ctx = talloc(unlang_interpret_frame_talloc_ctx(request), ldap_edir_ctx_t)); 
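Review bot: The `@return` list kept as context in this doc comment still promises `UNLANG_ACTION_FAIL on failure`, but both early exits of fr_ldap_edir_get_password now leave through `RETURN_UNLANG_FAIL`, whose expansion is not visible in this diff. If the macro records a failure rcode through p_result and returns a different action, the comment should name that action and say that a fail rcode is written to p_result on failure. The doc comment on fr_ldap_sasl_bind_auth_async in src/lib/ldap/sasl.c has the same problem in a clearer form: it gains the `@param[out] p_result` line but keeps `- 0 on success.` and `- -1 on failure.` for a function that returns unlang_action_t.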
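Review bot: Nothing in fr_ldap_edir_get_password checks or documents that the new p_result argument is non-NULL, yet `RETURN_UNLANG_FAIL;` in the missing-DN branch presumably writes through it (the macro body is not shown here). The old code passed NULL to unlang_function_push itself, so a caller with no result to store might reasonably pass NULL and would only fail on the error path, which is the path least exercised in testing. I would state the requirement in the parameter line, `@param[out] p_result Where to write the result of the operation, must not be NULL.`, and, if the project's attribute macro allows it, mark the prototype in base.h `CC_HINT(nonnull(1,2))`. The same applies to the second `RETURN_UNLANG_FAIL;` in this function and to the three in fr_ldap_sasl_bind_auth_async; the function body continues outside this hunk.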
@@ -311,10 +313,13 @@ unlang_action_t fr_ldap_edir_get_password(request_t *request, char const *dn, fr if (err) { REDEBUG("Failed to encode user DN: %s", fr_ldap_edir_errstr(err)); talloc_free(edir_ctx); - return UNLANG_ACTION_FAIL; + RETURN_UNLANG_FAIL; } - return unlang_function_push(NULL, request, ldap_edir_get_password_start, ldap_edir_get_password_resume, + return unlang_function_push(p_result, + request, + ldap_edir_get_password_start, + ldap_edir_get_password_resume, ldap_edir_get_password_cancel, ~FR_SIGNAL_CANCEL, UNLANG_SUB_FRAME, edir_ctx); } diff --git a/src/lib/ldap/sasl.c b/src/lib/ldap/sasl.c index b3e52ccd041..d8b5399f3ce 100644 --- a/src/lib/ldap/sasl.c +++ b/src/lib/ldap/sasl.c @@ -489,6 +489,7 @@ static unlang_action_t ldap_async_sasl_bind_auth_results(unlang_result_t *p_resu /** Initiate an async SASL LDAP bind for authentication * + * @param[out] p_result Where to write the result of the bind. * @param[in] request this bind relates to. * @param[in] thread whose connection the bind should be performed on. * @param[in] mechs SASL mechanisms to use. @@ -500,8 +501,9 @@ static unlang_action_t ldap_async_sasl_bind_auth_results(unlang_result_t *p_resu * - 0 on success. * - -1 on failure. */ -unlang_action_t fr_ldap_sasl_bind_auth_async(request_t *request, fr_ldap_thread_t *thread, char const *mechs, - char const *identity, char const *password, char const *proxy, char const *realm) +unlang_action_t fr_ldap_sasl_bind_auth_async(unlang_result_t *p_result, + request_t *request, fr_ldap_thread_t *thread, char const *mechs, + char const *identity, char const *password, char const *proxy, char const *realm) { fr_ldap_bind_auth_ctx_t *bind_auth_ctx; trunk_request_t *treq; 
@@ -510,13 +512,13 @@ unlang_action_t fr_ldap_sasl_bind_auth_async(request_t *request, fr_ldap_thread_ if (!ttrunk) { ERROR("Failed to get trunk connection for LDAP bind"); - return UNLANG_ACTION_FAIL; + RETURN_UNLANG_FAIL; } treq = trunk_request_alloc(ttrunk->trunk, request); if (!treq) { ERROR("Failed to allocate trunk request for LDAP bind"); - return UNLANG_ACTION_FAIL; + RETURN_UNLANG_FAIL; } MEM(bind_auth_ctx = talloc_zero(treq, fr_ldap_bind_auth_ctx_t)); @@ -548,10 +550,10 @@ unlang_action_t fr_ldap_sasl_bind_auth_async(request_t *request, fr_ldap_thread_ default: ERROR("Failed to enqueue bind request"); trunk_request_free(&treq); - return UNLANG_ACTION_FAIL; + RETURN_UNLANG_FAIL; } - return unlang_function_push(NULL, + return unlang_function_push(p_result, request, ldap_async_sasl_bind_auth_start, ldap_async_sasl_bind_auth_results, diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c index c27b8f41685..7ff04a140a3 100644 --- a/src/modules/rlm_ldap/rlm_ldap.c +++ b/src/modules/rlm_ldap/rlm_ldap.c @@ -1585,10 +1585,10 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(unlang_result_t *p_resu #ifdef WITH_SASL RDEBUG2("Login attempt using identity \"%pV\"", &call_env->user_sasl_authname); - return fr_ldap_sasl_bind_auth_async(request, auth_ctx->thread, call_env->user_sasl_mech.vb_strvalue, - call_env->user_sasl_authname.vb_strvalue, - auth_ctx->password, call_env->user_sasl_proxy.vb_strvalue, - call_env->user_sasl_realm.vb_strvalue); + return fr_ldap_sasl_bind_auth_async(p_result, request, auth_ctx->thread, call_env->user_sasl_mech.vb_strvalue, + call_env->user_sasl_authname.vb_strvalue, + auth_ctx->password, call_env->user_sasl_proxy.vb_strvalue, + call_env->user_sasl_realm.vb_strvalue); #else RDEBUG("Configuration item 'sasl.mech' is not supported. " "The linked version of libldap does not provide ldap_sasl_bind( function"); 
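Review bot: The SASL branch of mod_authenticate now hands its own p_result to fr_ldap_sasl_bind_auth_async, where the old code ended in `unlang_function_push(NULL, ...)`, so where the bind's outcome ends up has changed, and the part of the commit shown here carries no test for it. Because this decides whether a login is accepted, I would add a module test that a SASL bind with a wrong password ends in a non-ok rcode and one that a correct password ends in ok. A comment above the call, `/* bind outcome is written to p_result by ldap_async_sasl_bind_auth_results */`, would save the next reader from tracing it through sasl.c. mod_authenticate starts and ends outside this hunk.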
@@ -1734,7 +1734,7 @@ static unlang_action_t mod_authorize_resume(unlang_result_t *p_result, request_t */ REPEAT_MOD_AUTHORIZE_RESUME; autz_ctx->status = LDAP_AUTZ_EDIR_BIND; - return fr_ldap_edir_get_password(request, autz_ctx->dn, autz_ctx->ttrunk, + return fr_ldap_edir_get_password(p_result, request, autz_ctx->dn, autz_ctx->ttrunk, attr_cleartext_password); } FALL_THROUGH;
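Review bot: `REPEAT_MOD_AUTHORIZE_RESUME;` and `autz_ctx->status = LDAP_AUTZ_EDIR_BIND;` run before fr_ldap_edir_get_password, which can now leave through `RETURN_UNLANG_FAIL` (missing DN, DN encoding failure) without pushing a child frame. The LDAP_AUTZ_EDIR_BIND handling of the resumed call is outside this hunk, so it is not visible whether it inspects the rcode written to p_result before treating the password as retrieved; that check is what makes storing the result worthwhile. If it is already there, a short comment at this call would record the contract, e.g. `/* on failure p_result holds the fail rcode; checked when resumed in LDAP_AUTZ_EDIR_BIND */`.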