From: Howard Chu
Date: Wed, 21 Jan 2004 08:56:34 +0000 (+0000)
Subject: Import ITS#2871 from HEAD - always set mech, don't parse realms.
X-Git-Tag: OPENLDAP_REL_ENG_2_1_26~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ee333c45c270569baa4fbff589605d0b8bde64f6;p=thirdparty%2Fopenldap.git

Import ITS#2871 from HEAD - always set mech, don't parse realms.
---

diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 3f4f2f8867..6cc9a3e7bb 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -987,7 +987,7 @@ backend_check_restrictions(
 	if( requires & SLAP_REQUIRE_STRONG ) {
 		/* should check mechanism */
 		if( ( op->o_transport_ssf < ssf->sss_transport
-			&& op->o_authmech.bv_len == 0 ) || op->o_dn.bv_len == 0 )
+			&& op->o_authtype == LDAP_AUTH_SIMPLE ) || op->o_dn.bv_len == 0 )
 		{
 			*text = "strong authentication required";
 			return LDAP_STRONG_AUTH_REQUIRED;
@@ -995,7 +995,7 @@ backend_check_restrictions(
 	}
 
 	if( requires & SLAP_REQUIRE_SASL ) {
-		if( op->o_authmech.bv_len == 0 || op->o_dn.bv_len == 0 ) {
+		if( op->o_authtype != LDAP_AUTH_SASL || op->o_dn.bv_len == 0 ) {
 			*text = "SASL authentication required";
 			return LDAP_STRONG_AUTH_REQUIRED;
 		}
diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index d70dc00e02..f13189f39f 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -131,7 +131,7 @@ do_bind(
 		tag = ber_scanf( ber, /*{*/ "m}", &cred );
 
 	} else {
-		tag = ber_scanf( ber, "{o" /*}*/, &mech );
+		tag = ber_scanf( ber, "{m" /*}*/, &mech );
 
 		if ( tag != LBER_ERROR ) {
 			ber_len_t len;
@@ -298,9 +298,7 @@ do_bind(
 			slap_sasl_reset(conn);
 		}
 	} else {
-		conn->c_sasl_bind_mech = mech;
-		mech.bv_val = NULL;
-		mech.bv_len = 0;
+		ber_dupbv( &conn->c_sasl_bind_mech, &mech );
 	}
 	ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 
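Review bot: The `/* should check mechanism */` comment still describes an open item in the rewritten condition below it: `op->o_authtype == LDAP_AUTH_SIMPLE` only classifies the bind method, so any SASL or Kerberos bind with a non-empty `o_dn` satisfies SLAP_REQUIRE_STRONG over a transport below `sss_transport`, whatever protection the mechanism itself negotiated; the `!= LDAP_AUTH_SASL` test in the next hunk has the same coarse granularity. If the operation carries the SASL layer's SSF next to `o_transport_ssf`, folding it into this test would make the comment true; otherwise replace the comment with `/* o_authtype distinguishes simple from SASL/Kerberos binds only; mechanism strength (SASL SSF) is not consulted here */`. backend_check_restrictions starts and ends outside the hunk.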
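Review bot: `ber_dupbv( &conn->c_sasl_bind_mech, &mech )` is now the only copy of the mechanism name, since the `{m` scan in the @@ -131 hunk makes `mech` point into the request's BER buffer instead of an owned allocation, yet its return value is ignored; `ber_dupbv` returns NULL when it cannot allocate the copy, and the slap_sasl_getdn hunks in sasl.c test `c_sasl_bind_mech.bv_len` and then hand `bv_val` to `strcasecmp`, so depending on what the berval holds after a failed copy a later step of the SASL exchange can dereference NULL. Check the result before the `ldap_pvt_thread_mutex_unlock` that follows, e.g. `if ( ber_dupbv( &conn->c_sasl_bind_mech, &mech ) == NULL ) { /* unlock c_mutex, set rc to an error and goto cleanup */ }`. The `ber_dupbv( &conn->c_authmech, &mech )` added under `cleanup:` in the @@ -657 hunk has the same omission. do_bind continues on both sides of the hunk.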
@@ -383,6 +381,7 @@ do_bind(
 	}
 
 	if ( method == LDAP_AUTH_SIMPLE ) {
+		ber_str2bv( "SIMPLE", sizeof("SIMPLE")-1, 0, &mech );
 		/* accept "anonymous" binds */
 		if ( cred.bv_len == 0 || ndn.bv_len == 0 ) {
 			rc = LDAP_SUCCESS;
@@ -465,6 +464,7 @@ do_bind(
 #endif
 			goto cleanup;
 		}
+		ber_str2bv( "KRBV4", sizeof("KRBV4")-1, 0, &mech );
 #endif
 
 	} else {
@@ -564,9 +564,9 @@ do_bind(
 		}
 		/* log authorization identity */
 		Statslog( LDAP_DEBUG_STATS,
-			"conn=%lu op=%lu BIND dn=\"%s\" mech=simple (SLAPI) ssf=0\n",
+			"conn=%lu op=%lu BIND dn=\"%s\" mech=%s (SLAPI) ssf=0\n",
 			op->o_connid, op->o_opid,
-			conn->c_dn.bv_val, 0, 0 );
+			conn->c_dn.bv_val, mech.bv_val, 0 );
 		ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 	}
 #ifdef NEW_LOGGING
@@ -614,9 +614,9 @@ do_bind(
 
 		/* log authorization identity */
 		Statslog( LDAP_DEBUG_STATS,
-			"conn=%lu op=%lu BIND dn=\"%s\" mech=simple ssf=0\n",
+			"conn=%lu op=%lu BIND dn=\"%s\" mech=%s ssf=0\n",
 			op->o_connid, op->o_opid,
-			conn->c_dn.bv_val, conn->c_authmech.bv_val, 0 );
+			conn->c_dn.bv_val, mech.bv_val, 0 );
 
 #ifdef NEW_LOGGING
 		LDAP_LOG( OPERATION, DETAIL1,
@@ -657,6 +657,13 @@ do_bind(
 #endif /* defined( LDAP_SLAPI ) */
 
 cleanup:
+	if ( rc == LDAP_SUCCESS ) {
+		if ( method != LDAP_AUTH_SASL ) {
+			ber_dupbv( &conn->c_authmech, &mech );
+		}
+		conn->c_authtype = method;
+	}
+
 	conn->c_sasl_bindop = NULL;
 
 	if( pdn.bv_val != NULL ) {
@@ -665,9 +672,6 @@ cleanup:
 	if( ndn.bv_val != NULL ) {
 		free( ndn.bv_val );
 	}
-	if ( mech.bv_val != NULL ) {
-		free( mech.bv_val );
-	}
 
 	return rc;
 }
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 1d24c361f8..e108351101 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -1548,9 +1548,8 @@ static struct berval ext_bv = BER_BVC( "EXTERNAL" );
 int slap_sasl_getdn( Connection *conn, char *id, int len,
 	char *user_realm, struct berval *dn, int flags )
 {
-	char *c1;
 	int rc, is_dn = SET_NONE, do_norm = 1;
-	struct berval dn2;
+	struct berval dn2, *mech;
 
 #ifdef NEW_LOGGING
 	LDAP_LOG( TRANSPORT, ENTRY,
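Review bot: The assignments added under `cleanup:` in the @@ -657 hunk update `conn->c_authmech` and `conn->c_authtype` after the `c_mutex` section that guarded the `c_dn` update and its Statslog in the @@ -564 and @@ -614 hunks has been released (the `ldap_pvt_thread_mutex_unlock( &conn->c_mutex )` calls are visible there), so another thread handling the same connection may observe the new `c_dn` together with the previous mechanism and type, or a half-written `c_authmech`; if those fields are read under `c_mutex` elsewhere, these writes belong inside the locked region. On the same lines, `ber_dupbv( &conn->c_authmech, &mech )` overwrites the previous `c_authmech.bv_val` without freeing it, which leaks one copy per successful non-SASL rebind unless the bind-state reset earlier in do_bind (outside the hunk) already clears it; `if ( conn->c_authmech.bv_val != NULL ) free( conn->c_authmech.bv_val );` before the copy, matching the `free( ndn.bv_val )` style of the @@ -665 hunk, would settle that. The start of do_bind is outside the hunk.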
@@ -1576,14 +1575,20 @@ int slap_sasl_getdn( Connection *conn, char *id, int len,
 		len = 0;
 	}
 
+	if ( conn->c_sasl_bind_mech.bv_len ) {
+		mech = &conn->c_sasl_bind_mech;
+	} else {
+		mech = &conn->c_authmech;
+	}
+
 	/* An authcID needs to be converted to authzID form. Set the
 	 * values directly into *dn; they will be normalized later. (and
 	 * normalizing always makes a new copy.) An ID from a TLS certificate
 	 * is already normalized, so copy it and skip normalization.
 	 */
 	if( flags & SLAP_GETDN_AUTHCID ) {
-		if( conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len &&
-			strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 )
+		if( mech->bv_len == ext_bv.bv_len &&
+			strcasecmp( ext_bv.bv_val, mech->bv_val ) == 0 )
 		{
 			/* EXTERNAL DNs are already normalized */
 			do_norm = 0;
@@ -1618,23 +1623,32 @@ int slap_sasl_getdn( Connection *conn, char *id, int len,
 
 	/* Username strings */
 	if( is_dn == SET_U ) {
-		char *p, *realm;
+		char *p;
+		struct berval realm = { 0, NULL }, c1 = *dn;
 		len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1;
 
-		/* username may have embedded realm name */
+#if 0
+		/* userids can legally have embedded '@' chars;
+		 * the realm should be set by those mechanisms
+		 * that support it by means of the user_realm
+		 * variable
+		 */
 		if( ( realm = strchr( dn->bv_val, '@') ) ) {
 			*realm++ = '\0';
 			len += sizeof(",cn=")-2;
-		} else if( user_realm && *user_realm ) {
-			len += strlen( user_realm ) + sizeof(",cn=")-1;
+		} else
+#endif
+		if( user_realm && *user_realm ) {
+			realm.bv_val = user_realm;
+			realm.bv_len = strlen( user_realm );
+			len += realm.bv_len + sizeof(",cn=")-1;
 		}
 
-		if( conn->c_sasl_bind_mech.bv_len ) {
-			len += conn->c_sasl_bind_mech.bv_len + sizeof(",cn=")-1;
+		if( mech->bv_len ) {
+			len += mech->bv_len + sizeof(",cn=")-1;
 		}
 
 		/* Build the new dn */
-		c1 = dn->bv_val;
 		dn->bv_val = SLAP_MALLOC( len+1 );
 		if( dn->bv_val == NULL ) {
 #ifdef NEW_LOGGING
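Review bot: The `#if 0` block in the @@ -1618 hunk, between `len = dn->bv_len + ...` and `if( user_realm && *user_realm )`, is dead code that the same hunk makes impossible to re-enable: `realm` is now a `struct berval`, so `realm = strchr( dn->bv_val, '@')` and `*realm++ = '\0'` would no longer compile, and the surviving `} else` / `#endif` / `if(` sequence reads like a mis-nested conditional at first sight. The commit message already records the decision, so delete the disabled block and keep its rationale as a comment above the `if( user_realm ...` test, e.g. `/* '@' in the id belongs to the user name; the realm comes only from user_realm (ITS#2871) */`. slap_sasl_getdn continues before and after the hunk.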
@@ -1647,21 +1661,16 @@ int slap_sasl_getdn( Connection *conn, char *id, int len,
 			return LDAP_OTHER;
 		}
 		p = lutil_strcopy( dn->bv_val, "uid=" );
-		p = lutil_strncopy( p, c1, dn->bv_len );
+		p = lutil_strncopy( p, c1.bv_val, dn->bv_len );
 
-		if( realm ) {
-			int rlen = dn->bv_len - ( realm - c1 );
-			p = lutil_strcopy( p, ",cn=" );
-			p = lutil_strncopy( p, realm, rlen );
-			realm[-1] = '@';
-		} else if( user_realm && *user_realm ) {
+		if( realm.bv_len ) {
 			p = lutil_strcopy( p, ",cn=" );
-			p = lutil_strcopy( p, user_realm );
+			p = lutil_strncopy( p, realm.bv_val, realm.bv_len );
 		}
 
-		if( conn->c_sasl_bind_mech.bv_len ) {
+		if( mech->bv_len ) {
 			p = lutil_strcopy( p, ",cn=" );
-			p = lutil_strcopy( p, conn->c_sasl_bind_mech.bv_val );
+			p = lutil_strcopy( p, mech->bv_val );
 		}
 		p = lutil_strcopy( p, ",cn=auth" );
 		dn->bv_len = p - dn->bv_val;
@@ -1670,7 +1679,7 @@ int slap_sasl_getdn( Connection *conn, char *id, int len,
 		LDAP_LOG( TRANSPORT, ENTRY,
 			"slap_sasl_getdn: u:id converted to %s.\n", dn->bv_val, 0, 0 );
 #else
-		Debug( LDAP_DEBUG_TRACE, "getdn: u:id converted to %s\n", dn->bv_val,0,0 );
+		Debug( LDAP_DEBUG_TRACE, "slap_sasl_getdn: u:id converted to %s\n", dn->bv_val,0,0 );
 #endif
 
 	} else {
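Review bot: `p = lutil_strncopy( p, c1.bv_val, dn->bv_len )` in the @@ -1647 hunk writes the raw authcID into the `uid=` value, and the realm and mechanism are appended to their `cn=` values the same way, with no escaping of DN-special characters; the comment in the @@ -1576 hunk says the result is normalized afterwards, so a `,`, `+` or `=` inside the id would be parsed as DN structure instead of as part of the uid. Whether the SASL layer can hand in such an id is not visible here; either build each value with attribute-value escaping or state the assumption on the line before the `uid=` copy, e.g. `/* id, realm and mech are inserted unescaped; they are assumed to contain no DN-special characters */`. slap_sasl_getdn continues outside the hunk.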