From: Nick Porter
Date: Tue, 11 Apr 2023 09:15:12 +0000 (+0100)
Subject: Correct state machine for SASL bind auth
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e18d943d9940c3f9eeae8823a08595f94d2f74c3;p=thirdparty%2Ffreeradius-server.git

Correct state machine for SASL bind auth

There needs to be one more call to ldap_sasl_interactive_bind after ldap_result returns success to complete the SASL bind. It is the return code of ldap_sasl_interactive_bind which indicates whether a further call is required or not.
---
diff --git a/src/lib/ldap/sasl.c b/src/lib/ldap/sasl.c
index 8373a0ab08..ddd277cd6d 100644
--- a/src/lib/ldap/sasl.c
+++ b/src/lib/ldap/sasl.c
@@ -372,13 +372,14 @@ static unlang_action_t ldap_async_sasl_auth_bind_start(UNUSED rlm_rcode_t *p_res
 	RDEBUG2("%s SASL bind auth operation as %s", sasl_ctx->rmech ? "Continuing" : "Starting", sasl_ctx->dn);
-	ret = ldap_sasl_interactive_bind(sasl_ctx->c->handle, sasl_ctx->dn, sasl_ctx->mechs,
+	ret = ldap_sasl_interactive_bind(sasl_ctx->c->handle, NULL, sasl_ctx->mechs,
 					 NULL, NULL, LDAP_SASL_AUTOMATIC, _sasl_interact, sasl_ctx, sasl_ctx->result, &sasl_ctx->rmech, &bind_auth_ctx->msgid);
 	switch (ret) {
 	case LDAP_SUCCESS:
+		bind_auth_ctx->ret = LDAP_PROC_SUCCESS;
 		return UNLANG_ACTION_CALCULATE_RESULT;
 	case LDAP_SASL_BIND_IN_PROGRESS:
diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index 9954dfaddd..48ce9694ce 100644
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -717,6 +717,13 @@ static void _ldap_bind_auth_io_read(UNUSED fr_event_list_t *el, UNUSED int fd, U
 	case LDAP_PROC_SUCCESS:
 		if (bind_auth_ctx->type == LDAP_BIND_SIMPLE) break;
+
+		/*
+		 * With SASL binds, we will be here after ldap_sasl_interactive_bind
+		 * returned LDAP_SASL_BIND_IN_PROGRESS. That always requires a further
+		 * call of ldap_sasl_interactive_bind to get the final result.
+		 */
+		bind_auth_ctx->ret = LDAP_PROC_CONTINUE;
 		FALL_THROUGH;
 	case LDAP_PROC_CONTINUE:
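Review bot: The DN argument to ldap_sasl_interactive_bind is changed from `sasl_ctx->dn` to `NULL` without a word in the commit message or the code, while the RDEBUG2 just above still reports `sasl_ctx->dn` as the identity being bound. If, as seems likely, the identity now reaches libldap through `_sasl_interact` rather than the dn parameter, say so next to the call: `/* dn is NULL for SASL: the authentication identity is supplied by _sasl_interact, not the bind DN */`. Anyone reading the log line and the call together would otherwise assume the dn is still part of the bind request. ldap_async_sasl_auth_bind_start begins before the hunk and its remaining switch cases follow it.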
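Review bot: Overriding `bind_auth_ctx->ret` to LDAP_PROC_CONTINUE turns every LDAP_PROC_SUCCESS that ldap_result reports for a SASL bind into another round of ldap_sasl_interactive_bind, but nothing visible in the hunk bounds how many rounds that exchange may take. As far as this hunk shows, a server that keeps answering with bind-in-progress keeps the request cycling until whatever outer timeout applies; if the LDAP_PROC_CONTINUE handler or the request timeout caps it, a sentence in the new comment saying which one does would spare the next reader the check. The comment could also state the invariant the sasl.c change now relies on: only ldap_sasl_interactive_bind returning LDAP_SUCCESS marks the bind as authenticated, never a success result read from ldap_result. _ldap_bind_auth_io_read and the LDAP_PROC_CONTINUE case continue outside the hunk.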
@@ -1154,7 +1161,6 @@ static unlang_action_t mod_authenticate_resume(rlm_rcode_t *p_result, UNUSED int auth_ctx->password, mod_env->user_sasl_proxy.vb_strvalue, mod_env->user_sasl_realm.vb_strvalue) < 0) goto fail; #else - RDEBUG("Configuration item 'sasl.mech' is not supported. " "The linked version of libldap does not provide ldap_sasl_bind( function"); RETURN_MODULE_FAIL;