From: Stephan Bosch Date: Sun, 12 Mar 2023 01:28:57 +0000 (+0100) Subject: auth: db-ldap - Move sasl code to separate module X-Git-Tag: 2.4.2~334 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=96a94c4c9d38ae782ba8013fa2b727ba442ef7ea;p=thirdparty%2Fdovecot%2Fcore.git auth: db-ldap - Move sasl code to separate module --- diff --git a/src/auth/Makefile.am b/src/auth/Makefile.am index 1537174392..f0fdd91373 100644 --- a/src/auth/Makefile.am +++ b/src/auth/Makefile.am @@ -75,7 +75,7 @@ auth_LDADD = $(auth_libs) $(LIBDOVECOT) $(AUTH_LIBS) $(BINARY_LDFLAGS) $(AUTH_LU auth_DEPENDENCIES = $(auth_libs) $(LIBDOVECOT_DEPS) auth_SOURCES = main.c $(auth_common_sources) -ldap_sources = db-ldap.c db-ldap-settings.c passdb-ldap.c userdb-ldap.c +ldap_sources = db-ldap.c db-ldap-sasl.c db-ldap-settings.c passdb-ldap.c userdb-ldap.c lua_sources = db-lua.c passdb-lua.c userdb-lua.c auth_common_sources = \ @@ -155,6 +155,7 @@ headers = \ auth-worker-connection.h \ auth-worker-server.h \ db-ldap.h \ + db-ldap-sasl.h \ db-ldap-settings.h \ db-sql.h \ db-passwd-file.h \ diff --git a/src/auth/db-ldap-sasl.c b/src/auth/db-ldap-sasl.c new file mode 100644 index 0000000000..5abac0fe81 --- /dev/null +++ b/src/auth/db-ldap-sasl.c 
@@ -0,0 +1,85 @@
+/* Copyright (c) 2023 Dovecot authors, see the included COPYING file */
+
+#include "lib.h"
+#include "ldap-sasl.h"
+#include "db-ldap.h"
+#include "db-ldap-sasl.h"
+
+#if defined(BUILTIN_LDAP) || defined(PLUGIN_BUILD)
+
+#include 
+#include 
+
+#ifndef LDAP_SASL_QUIET
+# define LDAP_SASL_QUIET 0 /* Doesn't exist in Solaris LDAP */
+#endif
+
+struct db_ldap_sasl_bind_context {
+ const char *authcid;
+ const char *passwd;
+ const char *realm;
+ const char *authzid;
+};
+
+#ifdef HAVE_LDAP_SASL
+static int
+sasl_interact(LDAP *ld ATTR_UNUSED, unsigned int flags ATTR_UNUSED,
+ void *defaults, void *interact)
+{
+ struct db_ldap_sasl_bind_context *context = defaults;
+ sasl_interact_t *in;
+ const char *str;
+
+ for (in = interact; in->id != SASL_CB_LIST_END; in++) {
+ switch (in->id) {
+ case SASL_CB_GETREALM:
+ str = context->realm;
+ break;
+ case SASL_CB_AUTHNAME:
+ str = context->authcid;
+ break;
+ case SASL_CB_USER:
+ str = context->authzid;
+ break;
+ case SASL_CB_PASS:
+ str = context->passwd;
+ break;
+ default:
+ str = NULL;
+ break;
+ }
+ if (str != NULL) {
+ in->len = strlen(str);
+ in->result = str;
+ }
+ }
+ return LDAP_SUCCESS;
+}
+
+int db_ldap_bind_sasl_interactive(struct ldap_connection *conn)
+{
+ struct db_ldap_sasl_bind_context context;
+
+ i_zero(&context);
+ context.authcid = conn->set->auth_dn;
+ context.passwd = conn->set->auth_dn_password;
+ context.realm = conn->set->auth_sasl_realm;
+ context.authzid = conn->set->auth_sasl_authz_id;
+
+ const char *mechs = t_array_const_string_join(
+ &conn->set->auth_sasl_mechanisms, " ");
+
+ /* There doesn't seem to be a way to do SASL binding
+ asynchronously.. */
+ return ldap_sasl_interactive_bind_s(conn->ld, NULL, mechs,
+ NULL, NULL, LDAP_SASL_QUIET,
+ sasl_interact, &context);
+}
+#else
+int db_ldap_bind_sasl_interactive(struct ldap_connection *conn ATTR_UNUSED)
+{
+ i_unreached(); /* already checked at init */
+}
+#endif
+
+#endif
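Review bot: The `#else` fallback of `db_ldap_bind_sasl_interactive` at the bottom of the hunk ends with `i_unreached();` and no return statement, whereas the db-ldap.c version this commit deletes kept a `return -1;` after the same call; the new form is only well-formed if `i_unreached()` expands to a noreturn call, so either restore `return -1;` or state that reliance in the comment, e.g. `i_unreached(); /* already checked at init; i_unreached() does not return */`. The `sasl_interact` callback also deserves a short comment above its loop, since `in->result = str` hands libsasl a pointer into settings memory rather than a copy: `/* Callbacks with no configured value are left unanswered. in->result aliases conn->set strings; that is safe because the bind is synchronous and the context lives on the caller's stack. */`. The two angle-bracket include targets after the `#if defined(BUILTIN_LDAP) || defined(PLUGIN_BUILD)` line are not visible in this rendering of the hunk, so their correctness cannot be checked here.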
diff --git a/src/auth/db-ldap-sasl.h b/src/auth/db-ldap-sasl.h new file mode 100644 index 0000000000..03804df6c3 --- /dev/null +++ b/src/auth/db-ldap-sasl.h @@ -0,0 +1,6 @@ +#ifndef DB_LDAP_SASL_H +#define DB_LDAP_SASL_H + +int db_ldap_bind_sasl_interactive(struct ldap_connection *conn); + +#endif diff --git a/src/auth/db-ldap-settings.c b/src/auth/db-ldap-settings.c index 6c8feb334e..d91fd7f4ea 100644 --- a/src/auth/db-ldap-settings.c +++ b/src/auth/db-ldap-settings.c @@ -8,6 +8,7 @@ #ifdef HAVE_LDAP /* */ +#include "ldap-sasl.h" #include "ldap-settings-parse.h" static bool ldap_setting_check(void *_set, pool_t pool, const char **error_r); diff --git a/src/auth/db-ldap-settings.h b/src/auth/db-ldap-settings.h index a5f2d09fa3..dc341dd394 100644 --- a/src/auth/db-ldap-settings.h +++ b/src/auth/db-ldap-settings.h @@ -1,20 +1,6 @@ #ifndef DB_LDAP_SETTINGS_H #define DB_LDAP_SETTINGS_H -/* */ -#define HAVE_LDAP_SASL -#ifdef HAVE_SASL_SASL_H -# include -#elif defined (HAVE_SASL_H) -# include -#else -# undef HAVE_LDAP_SASL -#endif -#if !defined(SASL_VERSION_MAJOR) || SASL_VERSION_MAJOR < 2 -# undef HAVE_LDAP_SASL -#endif -/* */ - enum db_ldap_lookup_type { DB_LDAP_LOOKUP_TYPE_PASSDB, DB_LDAP_LOOKUP_TYPE_USERDB, diff --git a/src/auth/db-ldap.c b/src/auth/db-ldap.c index 9309ccffd3..9e0bc14d1d 100644 --- a/src/auth/db-ldap.c +++ b/src/auth/db-ldap.c @@ -18,6 +18,7 @@ #include "ssl-settings.h" #include "userdb.h" #include "db-ldap.h" +#include "db-ldap-sasl.h" #include "ldap-utils.h" #include @@ -26,10 +27,6 @@ # define OPENLDAP_TLS_OPTIONS #endif -#ifndef LDAP_SASL_QUIET -# define LDAP_SASL_QUIET 0 /* Doesn't exist in Solaris LDAP */ -#endif - /* Older versions may require calling ldap_result() twice */ #if LDAP_VENDOR_VERSION <= 20112 # define OPENLDAP_ASYNC_WORKAROUND 
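Review bot: The new `db-ldap-sasl.h` declares `int db_ldap_bind_sasl_interactive(struct ldap_connection *conn);` without `struct ldap_connection` being declared first, so any file that includes it before `db-ldap.h` gets a prototype-scope struct (and the "will not be visible outside of this definition" warning) that is incompatible with the real type; adding `struct ldap_connection;` above the prototype makes the header self-contained. The function's contract is also undocumented in the header; a comment along the lines of `/* Perform a synchronous SASL interactive bind on conn using the configured mechanisms, realm, authzid and auth_dn credentials. Returns the LDAP result code. Must only be called when the settings check established SASL support; otherwise it panics. */` would tell callers that it blocks and what the return value means.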
@@ -73,13 +70,6 @@ struct db_ldap_result_iterate_context { LDAP *ld; }; -struct db_ldap_sasl_bind_context { - const char *authcid; - const char *passwd; - const char *realm; - const char *authzid; -}; - static struct ldap_connection *ldap_connections = NULL; static int db_ldap_bind(struct ldap_connection *conn); @@ -94,6 +84,8 @@ static bool db_ldap_abort_requests(struct ldap_connection *conn, bool error, const char *reason); static void db_ldap_request_free(struct ldap_request *request); +extern int db_ldap_bind_sasl_interactive(struct ldap_connection *conn); + static int ldap_get_errno(struct ldap_connection *conn) { int ret, err; @@ -693,42 +685,6 @@ static void ldap_input(struct ldap_connection *conn) } } -#ifdef HAVE_LDAP_SASL -static int -sasl_interact(LDAP *ld ATTR_UNUSED, unsigned int flags ATTR_UNUSED, - void *defaults, void *interact) -{ - struct db_ldap_sasl_bind_context *context = defaults; - sasl_interact_t *in; - const char *str; - - for (in = interact; in->id != SASL_CB_LIST_END; in++) { - switch (in->id) { - case SASL_CB_GETREALM: - str = context->realm; - break; - case SASL_CB_AUTHNAME: - str = context->authcid; - break; - case SASL_CB_USER: - str = context->authzid; - break; - case SASL_CB_PASS: - str = context->passwd; - break; - default: - str = NULL; - break; - } - if (str != NULL) { - in->len = strlen(str); - in->result = str; - } - } - return LDAP_SUCCESS; -} -#endif - static void ldap_connection_timeout(struct ldap_connection *conn) { i_assert(conn->conn_state == LDAP_CONN_STATE_BINDING); 
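Review bot: The added `extern int db_ldap_bind_sasl_interactive(struct ldap_connection *conn);` in the `@@ -94,6 +84,8 @@` hunk duplicates the prototype that the `#include "db-ldap-sasl.h"` this commit adds at the top of db-ldap.c already provides; the extra declaration adds nothing and is one more place to keep in sync if the signature changes. Dropping the two added lines leaves the header as the single source of truth for that prototype.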
@@ -737,26 +693,11 @@ static void ldap_connection_timeout(struct ldap_connection *conn) db_ldap_conn_close(conn); } -#ifdef HAVE_LDAP_SASL static int db_ldap_bind_sasl(struct ldap_connection *conn) { - struct db_ldap_sasl_bind_context context; int ret; - i_zero(&context); - context.authcid = conn->set->auth_dn; - context.passwd = conn->set->auth_dn_password; - context.realm = conn->set->auth_sasl_realm; - context.authzid = conn->set->auth_sasl_authz_id; - - const char *mechs = t_array_const_string_join( - &conn->set->auth_sasl_mechanisms, " "); - - /* There doesn't seem to be a way to do SASL binding - asynchronously.. */ - ret = ldap_sasl_interactive_bind_s(conn->ld, NULL, mechs, - NULL, NULL, LDAP_SASL_QUIET, - sasl_interact, &context); + ret = db_ldap_bind_sasl_interactive(conn); if (db_ldap_connect_finish(conn, ret) < 0) return -1; @@ -764,14 +705,6 @@ static int db_ldap_bind_sasl(struct ldap_connection *conn) return 0; } -#else -static int db_ldap_bind_sasl(struct ldap_connection *conn ATTR_UNUSED) -{ - i_unreached(); /* already checked at init */ - - return -1; -} -#endif static int db_ldap_bind_simple(struct ldap_connection *conn) { diff --git a/src/lib-ldap/Makefile.am b/src/lib-ldap/Makefile.am index 496984954e..c866896b73 100644 --- a/src/lib-ldap/Makefile.am +++ b/src/lib-ldap/Makefile.am @@ -36,6 +36,7 @@ headers = \ noinst_HEADERS = \ ldap-connection-pool.h \ ldap-private.h \ + ldap-sasl.h \ ldap-settings.h \ ldap-settings-parse.h diff --git a/src/lib-ldap/ldap-sasl.h b/src/lib-ldap/ldap-sasl.h new file mode 100644 index 0000000000..2e303f1439 --- /dev/null +++ b/src/lib-ldap/ldap-sasl.h @@ -0,0 +1,16 @@ +#ifndef LDAP_SASL_H +#define LDAP_SASL_H + +#define HAVE_LDAP_SASL +#ifdef HAVE_SASL_SASL_H +# include +#elif defined (HAVE_SASL_H) +# include +#else +# undef HAVE_LDAP_SASL +#endif +#if !defined(SASL_VERSION_MAJOR) || SASL_VERSION_MAJOR < 2 +# undef HAVE_LDAP_SASL +#endif + +#endif
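Review bot: With the `#ifdef HAVE_LDAP_SASL` guard removed from `db_ldap_bind_sasl`, db-ldap.c no longer needs that macro here, but it also no longer receives it: this commit stops `db-ldap-settings.h` from defining `HAVE_LDAP_SASL`, and db-ldap.c includes only `db-ldap-sasl.h`, which does not pull in `ldap-sasl.h`. If any `#ifdef HAVE_LDAP_SASL` remains in db-ldap.c outside the visible hunks it would now be silently false; that cannot be confirmed from this diff, so it is worth a grep before merging. The non-SASL build also changes from a compile-time stub in this file to a runtime `i_unreached()` inside db-ldap-sasl.c, which is equivalent only as long as the settings check referred to by `already checked at init` still rejects SASL mechanisms in such builds.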