Support for Cyrus SASLv2. Untested.

libraries/libldap/cyrus.c

@@ -23,7 +23,13 @@
 ldap_pvt_thread_mutex_t ldap_int_sasl_mutex;
 #endif
 
+#ifdef HAVE_CYRUS_SASL2
+#include <sasl/sasl.h>
+#define SASL_CONST const
+#else
 #include <sasl.h>
+#define SASL_CONST
+#endif
 
 /*
 * Various Cyrus SASL related stuff.
@@ -119,6 +125,14 @@ sb_sasl_remove( Sockbuf_IO_Desc *sbiod )
 	assert( sbiod != NULL );
 	
 	p = (struct sb_sasl_data *)sbiod->sbiod_pvt;
+#ifdef HAVE_CYRUS_SASL2
+	/*
+	 * SASLv2 encode/decode buffers are managed by
+	 * libsasl2. Ensure they are not freed by liblber.
+	 */
+	p->buf_in.buf_base = NULL;
+	p->buf_out.buf_base = NULL;
+#endif
 	ber_pvt_sb_buf_destroy( &p->sec_buf_in );
 	ber_pvt_sb_buf_destroy( &p->buf_in );
 	ber_pvt_sb_buf_destroy( &p->buf_out );
@@ -193,7 +207,11 @@ sb_sasl_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
 	if ( len == 0 )
 		return bufptr;
 
+#ifdef HAVE_CYRUS_SASL2
+	ber_pvt_sb_buf_init( &p->buf_in );
+#else
 	ber_pvt_sb_buf_destroy( &p->buf_in );
+#endif
 
 	/* Read the length of the packet */
 	while ( p->sec_buf_in.buf_ptr < 4 ) {
@@ -241,7 +259,8 @@ sb_sasl_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
 
 	/* Decode the packet */
 	ret = sasl_decode( p->sasl_context, p->sec_buf_in.buf_base,
-		p->sec_buf_in.buf_end, &p->buf_in.buf_base,
+		p->sec_buf_in.buf_end,
+		(SASL_CONST char **)&p->buf_in.buf_base,
 		(unsigned *)&p->buf_in.buf_end );
 	if ( ret != SASL_OK ) {
 		ber_log_printf( LDAP_DEBUG_ANY, sbiod->sbiod_sb->sb_debug,
@@ -282,8 +301,13 @@ sb_sasl_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
 	}
 
 	/* now encode the next packet. */
+#ifdef HAVE_CYRUS_SASL2
+	ber_pvt_sb_buf_init( &p->buf_out );
+#else
 	ber_pvt_sb_buf_destroy( &p->buf_out );
-	ret = sasl_encode( p->sasl_context, buf, len, &p->buf_out.buf_base,
+#endif
+	ret = sasl_encode( p->sasl_context, buf, len,
+		(SASL_CONST char **)&p->buf_out.buf_base,
 		(unsigned *)&p->buf_out.buf_size );
 	if ( ret != SASL_OK ) {
 		ber_log_printf( LDAP_DEBUG_ANY, sbiod->sbiod_sb->sb_debug,
@@ -417,8 +441,13 @@ ldap_int_sasl_open(
 		return ld->ld_errno;
 	}
 
+#ifdef HAVE_CYRUS_SASL2
+	rc = sasl_client_new( "ldap", host, NULL, NULL,
+		session_callbacks, 0, &ctx );
+#else
 	rc = sasl_client_new( "ldap", host, session_callbacks,
 		SASL_SECURITY_LAYER, &ctx );
+#endif
 	LDAP_FREE( session_callbacks );
 
 	if ( rc != SASL_OK ) {
@@ -432,13 +461,17 @@ ldap_int_sasl_open(
 	lc->lconn_sasl_ctx = ctx;
 
 	if( ssf ) {
+#ifdef HAVE_CYRUS_SASL2
+		(void) sasl_setprop( ctx, SASL_SSF_EXTERNAL,
+			(void *) &ssf );
+#else
 		sasl_external_properties_t extprops;
 		memset(&extprops, 0L, sizeof(extprops));
 		extprops.ssf = ssf;
 
 		(void) sasl_setprop( ctx, SASL_SSF_EXTERNAL,
 			(void *) &extprops );
-
+#endif
 		Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_open: ssf=%ld\n",
 			(long) ssf, 0, 0 );
 	}
@@ -523,9 +556,11 @@ ldap_int_sasl_bind(
 	do {
 		saslrc = sasl_client_start( ctx,
 			mechs,
+#ifndef HAVE_CYRUS_SASL2
 			NULL,
+#endif
 			&prompts,
-			&ccred.bv_val,
+			(SASL_CONST char **)&ccred.bv_val,
 			&credlen,
 			&mech );
 
@@ -539,6 +574,14 @@ ldap_int_sasl_bind(
 			}
 		}
 
+#ifdef HAVE_CYRUS_SASL2
+		/* XXX the application should free interact results. */
+		if ( prompts != NULL && prompts->result != NULL ) {
+			LDAP_FREE( (void *)prompts->result );
+			prompts->result = NULL;
+		}
+#endif
+
 		if( saslrc == SASL_INTERACT ) {
 			int res;
 			if( !interact ) break;
@@ -565,7 +608,9 @@ ldap_int_sasl_bind(
 		rc = ldap_sasl_bind_s( ld, dn, mech, &ccred, sctrls, cctrls, &scred );
 
 		if ( ccred.bv_val != NULL ) {
+#ifndef HAVE_CYRUS_SASL2
 			LDAP_FREE( ccred.bv_val );
+#endif
 			ccred.bv_val = NULL;
 		}
 
@@ -598,12 +643,20 @@ ldap_int_sasl_bind(
 				(scred == NULL) ? NULL : scred->bv_val,
 				(scred == NULL) ? 0 : scred->bv_len,
 				&prompts,
-				&ccred.bv_val,
+				(SASL_CONST char **)&ccred.bv_val,
 				&credlen );
 
 			Debug( LDAP_DEBUG_TRACE, "sasl_client_start: %d\n",
 				saslrc, 0, 0 );
 
+#ifdef HAVE_CYRUS_SASL2
+			/* XXX the application should free interact results. */
+			if ( prompts != NULL && prompts->result != NULL ) {
+				LDAP_FREE( (void *)prompts->result );
+				prompts->result = NULL;
+			}
+#endif
+
 			if( saslrc == SASL_INTERACT ) {
 				int res;
 				if( !interact ) break;
@@ -632,18 +685,22 @@ ldap_int_sasl_bind(
 	}
 
 	if( flags != LDAP_SASL_QUIET ) {
-		saslrc = sasl_getprop( ctx, SASL_USERNAME, (void **) &data );
+		saslrc = sasl_getprop( ctx, SASL_USERNAME, (SASL_CONST void **) &data );
 		if( saslrc == SASL_OK && data && *data ) {
 			fprintf( stderr, "SASL username: %s\n", data );
 		}
 
-		saslrc = sasl_getprop( ctx, SASL_REALM, (void **) &data );
+#ifdef HAVE_CYRUS_SASL2
+		saslrc = sasl_getprop( ctx, SASL_DEFUSERREALM, (SASL_CONST void **) &data );
+#else
+		saslrc = sasl_getprop( ctx, SASL_REALM, (SASL_CONST void **) &data );
+#endif
 		if( saslrc == SASL_OK && data && *data ) {
 			fprintf( stderr, "SASL realm: %s\n", data );
 		}
 	}
 
-	saslrc = sasl_getprop( ctx, SASL_SSF, (void **) &ssf );
+	saslrc = sasl_getprop( ctx, SASL_SSF, (SASL_CONST void **) &ssf );
 	if( saslrc == SASL_OK ) {
 		if( flags != LDAP_SASL_QUIET ) {
 			fprintf( stderr, "SASL SSF: %lu\n",
@@ -670,21 +727,27 @@ ldap_int_sasl_external(
 {
 	int sc;
 	sasl_conn_t *ctx;
+#ifndef HAVE_CYRUS_SASL2
 	sasl_external_properties_t extprops;
+#endif
 
 	ctx = conn->lconn_sasl_ctx;
 
 	if ( ctx == NULL ) {
 		return LDAP_LOCAL_ERROR;
 	}
-    
+   
+#ifdef HAVE_CYRUS_SASL2 
+	sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL, &ssf );
+#else
 	memset( &extprops, '\0', sizeof(extprops) );
 	extprops.ssf = ssf;
 	extprops.auth_id = (char *) authid;
-    
+
 	sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
 		(void *) &extprops );
-    
+#endif
+
 	if ( sc != SASL_OK ) {
 		return LDAP_LOCAL_ERROR;
 	}
@@ -853,7 +916,7 @@ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
 			}
 
 			sc = sasl_getprop( ctx, SASL_SSF,
-				(void **) &ssf );
+				(SASL_CONST void **) &ssf );
 
 			if ( sc != SASL_OK ) {
 				return -1;
@@ -899,7 +962,9 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
 
 	case LDAP_OPT_X_SASL_SSF_EXTERNAL: {
 		int sc;
+#ifndef HAVE_CYRUS_SASL2
 		sasl_external_properties_t extprops;
+#endif
 		sasl_conn_t *ctx;
 
 		if( ld->ld_defconn == NULL ) {
@@ -912,12 +977,16 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
 			return -1;
 		}
 
+#ifdef HAVE_CYRUS_SASL2
+		sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL, arg);
+#else
 		memset(&extprops, 0L, sizeof(extprops));
 
 		extprops.ssf = * (ber_len_t *) arg;
 
 		sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
 			(void *) &extprops );
+#endif
 
 		if ( sc != SASL_OK ) {
 			return -1;

libraries/libldap/ldap-int.h

@@ -24,7 +24,11 @@
 
 #ifdef HAVE_CYRUS_SASL
 	/* the need for this should be removed */
+#ifdef HAVE_CYRUS_SASL2
+#include <sasl/sasl.h>
+#else
 #include <sasl.h>
+#endif
 
 #define SASL_MAX_BUFF_SIZE	65536
 #define SASL_MIN_BUFF_SIZE	4096

libraries/liblutil/sasl.c

@@ -13,7 +13,11 @@
 #include <ac/string.h>
 #include <ac/unistd.h>
 
+#ifdef HAVE_CYRUS_SASL2
+#include <sasl/sasl.h>
+#else
 #include <sasl.h>
+#endif
 
 #include <ldap.h>
 #include "lutil_ldap.h"
@@ -155,7 +159,7 @@ static int interaction(
 
 	if( interact->len > 0 ) {
 		/* duplicate */
-		char *p = interact->result;
+		char *p = (char *)interact->result;
 		interact->result = strdup( p );
 
 		/* zap */

servers/slapd/sasl.c

@@ -17,7 +17,14 @@
 
 #ifdef HAVE_CYRUS_SASL
 #include <limits.h>
+#ifdef HAVE_CYRUS_SASL2
+#include <sasl/sasl.h>
+#include <lutil.h>
+#define	SASL_CONST const
+#else
 #include <sasl.h>
+#define	SASL_CONST
+#endif
 
 #include <ldap_pvt.h>
 
@@ -47,6 +54,40 @@ slap_sasl_log(
 	}
 
 	switch (priority) {
+#ifdef HAVE_CYRUS_SASL2
+	case SASL_LOG_NONE:
+		level = LDAP_DEBUG_NONE;
+		label = "None";
+		break;
+	case SASL_LOG_ERR:
+		level = LDAP_DEBUG_ANY;
+		label = "Error";
+		break;
+	case SASL_LOG_FAIL:
+		level = LDAP_DEBUG_ANY;
+		label = "Failure";
+		break;
+	case SASL_LOG_WARN:
+		level = LDAP_DEBUG_TRACE;
+		label = "Warning";
+		break;
+	case SASL_LOG_NOTE:
+		level = LDAP_DEBUG_TRACE;
+		label = "Notice";
+		break;
+	case SASL_LOG_DEBUG:
+		level = LDAP_DEBUG_TRACE;
+		label = "Debug";
+		break;
+	case SASL_LOG_TRACE:
+		level = LDAP_DEBUG_TRACE;
+		label = "Trace";
+		break;
+	case SASL_LOG_PASS:
+		level = LDAP_DEBUG_TRACE;
+		label = "Password Trace";
+		break;
+#else
 	case SASL_LOG_ERR:
 		level = LDAP_DEBUG_ANY;
 		label = "Error";
@@ -59,6 +100,7 @@ slap_sasl_log(
 		level = LDAP_DEBUG_TRACE;
 		label = "Info";
 		break;
+#endif
 	default:
 		return SASL_BADPARAM;
 	}
@@ -90,9 +132,9 @@ slap_sasl_log(
 
 static struct berval ext_bv = { sizeof("EXTERNAL")-1, "EXTERNAL" };
 
-int slap_sasl_getdn( Connection *conn, char *id, struct berval *dn, int flags )
+int slap_sasl_getdn( Connection *conn, char *id, char *user_realm, struct berval *dn, int flags )
 {
-	char *c=NULL, *c1;
+	char *c1;
 	int rc, len, is_dn = 0;
 	sasl_conn_t *ctx;
 	struct berval dn2;
@@ -162,24 +204,8 @@ int slap_sasl_getdn( Connection *conn, char *id, struct berval *dn, int flags )
 		char *p;
 		len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1;
 
-		/* Figure out how much data we have for the dn */
-		rc = sasl_getprop( ctx,	SASL_REALM, (void **)&c );
-		if( rc != SASL_OK && rc != SASL_NOTDONE ) {
-#ifdef NEW_LOGGING
-			LDAP_LOG(( "sasl", LDAP_LEVEL_ERR,
-				"slap_sasl_getdn: getprop(REALM) failed.\n" ));
-#else
-			Debug(LDAP_DEBUG_TRACE,
-				"getdn: getprop(REALM) failed!\n", 0,0,0);
-#endif
-
-			ch_free( dn->bv_val );
-			*dn = slap_empty_bv;
-			return( LDAP_OPERATIONS_ERROR );
-		}
-
-		if( c && *c ) {
-			len += strlen( c ) + sizeof(",cn=")-1;
+ 		if( user_realm && *user_realm ) {
+ 			len += strlen( user_realm ) + sizeof(",cn=")-1;
 		}
 
 		if( conn->c_sasl_bind_mech.bv_len ) {
@@ -193,9 +219,9 @@ int slap_sasl_getdn( Connection *conn, char *id, struct berval *dn, int flags )
 		p = slap_strcopy( p, c1 );
 		ch_free( c1 );
 
-		if( c ) {
+		if( user_realm ) {
 			p = slap_strcopy( p, ",cn=" );
-			p = slap_strcopy( p, c );
+			p = slap_strcopy( p, user_realm );
 		}
 		if( conn->c_sasl_bind_mech.bv_len ) {
 			p = slap_strcopy( p, ",cn=" );
@@ -256,8 +282,198 @@ int slap_sasl_getdn( Connection *conn, char *id, struct berval *dn, int flags )
 	return( LDAP_SUCCESS );
 }
 
+#ifdef HAVE_CYRUS_SASL2
+static int
+slap_sasl_checkpass(
+	sasl_conn_t *sconn,
+	void *context,
+	const char *username,
+	const char *pass,
+	unsigned passlen,
+	struct propctx *propctx)
+{
+	Connection *conn = (Connection *)context;
+	struct berval dn, cred;
+	int rc;
+	BerVarray vals, bv;
+
+	cred.bv_val = (char *)pass;
+	cred.bv_len = passlen;
 
+	/* XXX can we do both steps at once? */
+	rc = slap_sasl_getdn( conn, (char *)username, NULL, &dn,
+		FLAG_GETDN_AUTHCID | FLAG_GETDN_FINAL );
+	if ( rc != LDAP_SUCCESS ) {
+		sasl_seterror( sconn, 0, ldap_err2string( rc ) );
+		return SASL_NOUSER;
+	}
+
+	if ( dn.bv_len == 0 ) {
+		sasl_seterror( sconn, 0, "No password is associated with the Root DSE" );
+		if ( dn.bv_val != NULL ) {
+			ch_free( dn.bv_val );
+		}
+		return SASL_NOUSER;
+	}
+
+	rc = backend_attribute( NULL, NULL, NULL, NULL, &dn,
+		slap_schema.si_ad_userPassword, &vals);
+	if ( rc != LDAP_SUCCESS ) {
+		ch_free( dn.bv_val );
+		sasl_seterror( sconn, 0, ldap_err2string( rc ) );
+		return SASL_NOVERIFY;
+	}
+
+	rc = SASL_NOVERIFY;
+
+	if ( vals != NULL ) {
+		for ( bv = vals; bv->bv_val != NULL; bv++ ) {
+			if ( !lutil_passwd( bv, &cred, NULL ) ) {
+				rc = SASL_OK;
+				break;
+			}
+		}
+		ber_bvarray_free( vals );
+	}
+
+	if ( rc != SASL_OK ) {
+		sasl_seterror( sconn, 0,
+			ldap_err2string( LDAP_INVALID_CREDENTIALS ) );
+	}
+
+	ch_free( dn.bv_val );
+
+	return rc;
+}
+
+static int
+slap_sasl_canonicalize(
+	sasl_conn_t *sconn,
+	void *context,
+	const char *in,
+	unsigned inlen,
+	unsigned flags,
+	const char *user_realm,
+	char *out,
+	unsigned out_max,
+	unsigned *out_len)
+{
+	Connection *conn = (Connection *)context;
+	struct berval dn;
+	int rc;
+
+	*out_len = 0;
+
+#ifdef NEW_LOGGING
+	LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+		"slap_sasl_canonicalize: conn %d %s=\"%s\"\n",
+			conn ? conn->c_connid : -1,
+			(flags == SASL_CU_AUTHID) ? "authcid" : "authzid",
+			in ? in : "<empty>" ));
+#else
+	Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: "
+		"%s=\"%s\"\n",
+			conn ? conn->c_connid : -1,
+			(flags == SASL_CU_AUTHID) ? "authcid" : "authzid",
+			in ? in : "<empty>" );
+#endif
+
+	rc = slap_sasl_getdn( conn, (char *)in, (char *)user_realm, &dn,
+		(flags == SASL_CU_AUTHID) ? FLAG_GETDN_AUTHCID : FLAG_GETDN_AUTHZID );
+	if ( rc != LDAP_SUCCESS ) {
+		sasl_seterror( sconn, 0, ldap_err2string( rc ) );
+		return SASL_NOAUTHZ;
+	}		
+
+	if ( out_max < dn.bv_len ) {
+		return SASL_BUFOVER;
+	}
+
+	AC_MEMCPY( out, dn.bv_val, dn.bv_len );
+	out[dn.bv_len] = '\0';
+
+	*out_len = dn.bv_len;
+
+	ch_free( dn.bv_val );
+
+#ifdef NEW_LOGGING
+	LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+		"slap_sasl_canonicalize: conn %d %s=\"%s\"\n",
+			conn ? conn->c_connid : -1,
+			(flags == SASL_CU_AUTHID) ? "authcDN" : "authzDN",
+			out ));
+#else
+	Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: "
+		"%s=\"%s\"\n",
+			conn ? conn->c_connid : -1,
+			(flags == SASL_CU_AUTHID) ? "authcDN" : "authzDN",
+			out );
+#endif
+
+	return SASL_OK;
+}
 
+static int
+slap_sasl_authorize(
+	sasl_conn_t *sconn,
+	void *context,
+	const char *requested_user,
+	unsigned rlen,
+	const char *auth_identity,
+	unsigned alen,
+	const char *def_realm,
+	unsigned urlen,
+	struct propctx *propctx)
+{
+	Connection *conn = (Connection *)context;
+	struct berval authcDN, authzDN;
+	int rc;
+
+	authcDN.bv_val = (char *)auth_identity;
+	authcDN.bv_len = alen;
+
+	authzDN.bv_val = (char *)requested_user;
+	authzDN.bv_len = rlen;
+
+#ifdef NEW_LOGGING
+	LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+		"slap_sasl_authorize: conn %d authcDN=\"%s\" authzDN=\"%s\"\n",
+			conn ? conn->c_connid : -1, authcDN.bv_val, authzDN.bv_val));
+#else
+	Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: "
+		"authcDN=\"%s\" authzDN=\"%s\"\n",
+		conn ? conn->c_connid : -1, authcDN.bv_val, authzDN.bv_val );
+#endif
+
+	rc = slap_sasl_authorized( &authcDN, &authzDN );
+	if ( rc != LDAP_SUCCESS ) {
+#ifdef NEW_LOGGING
+		LDAP_LOG(( "sasl", LDAP_LEVEL_INFO,
+			   "slap_sasl_authorize: conn %ld  authorization disallowed (%d)\n",
+			   (long)(conn ? conn->c_connid : -1), rc ));
+#else
+		Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
+			" authorization disallowed (%d)\n",
+			(long) (conn ? conn->c_connid : -1), rc, 0 );
+#endif
+
+		sasl_seterror( sconn, 0, "not authorized" );
+		return SASL_NOAUTHZ;
+	}
+
+#ifdef NEW_LOGGING
+	LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+		   "slap_sasl_authorize: conn %d authorization allowed\n",
+		   (long)(conn ? conn->c_connid : -1 ) ));
+#else
+	Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
+		" authorization allowed\n",
+		(long) (conn ? conn->c_connid : -1), 0, 0 );
+#endif
+
+	return SASL_OK;
+} 
+#else
 static int
 slap_sasl_authorize(
 	void *context,
@@ -269,12 +485,13 @@ slap_sasl_authorize(
 	struct berval authcDN, authzDN;
 	int rc;
 	Connection *conn = context;
+	char *realm;
 
 	*user = NULL;
 
 #ifdef NEW_LOGGING
 	LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
-		   "slap_sas_authorize: conn %d	 authcid=\"%s\" authzid=\"%s\"\n",
+		   "slap_sasl_authorize: conn %d	 authcid=\"%s\" authzid=\"%s\"\n",
 		   conn ? conn->c_connid : -1,
 		   authcid ? authcid : "<empty>",
 		   authzid ? authzid : "<empty>" ));
@@ -286,10 +503,23 @@ slap_sasl_authorize(
 		authzid ? authzid : "<empty>" );
 #endif
 
+	/* Figure out how much data we have for the dn */
+	rc = sasl_getprop( ctx, SASL_REALM, (void **)&realm );
+	if( rc != SASL_OK && rc != SASL_NOTDONE ) {
+#ifdef NEW_LOGGING
+		LDAP_LOG(( "sasl", LDAP_LEVEL_ERR,
+			"slap_sasl_authorize: getprop(REALM) failed.\n" ));
+#else
+		Debug(LDAP_DEBUG_TRACE,
+			"authorize: getprop(REALM) failed!\n", 0,0,0);
+#endif
+		*errstr = "Could not extract realm";
+		return SASL_NOAUTHZ;
+	}
 
 	/* Convert the identities to DN's. If no authzid was given, client will
 	   be bound as the DN matching their username */
-	rc = slap_sasl_getdn( conn, (char *)authcid, &authcDN, FLAG_GETDN_AUTHCID );
+	rc = slap_sasl_getdn( conn, (char *)authcid, realm, &authcDN, FLAG_GETDN_AUTHCID );
 	if( rc != LDAP_SUCCESS ) {