ITS#5812

CHANGES

 OpenLDAP 2.4 Change Log
 
 OpenLDAP 2.4.14 Engineering
+	Added libldap option to disable SASL host canonicalization (ITS#5812)
 	Fixed libldap deref handling (ITS#5768)
 	Fixed libldap peer cert memory leak (ITS#5849)
 	Fixed libldap_r deref building (ITS#5768)

clients/tools/common.c

@@ -62,6 +62,7 @@ int		contoper = 0;
 int		debug = 0;
 char		*infile = NULL;
 int		dont = 0;
+int		nocanon = 0;
 int		referrals = 0;
 int		verbose = 0;
 int		ldif = 0;
@@ -300,6 +301,7 @@ N_("  -H URI     LDAP Uniform Resource Identifier(s)\n"),
 N_("  -I         use SASL Interactive mode\n"),
 N_("  -M         enable Manage DSA IT control (-MM to make critical)\n"),
 N_("  -n         show what would be done but don't actually do it\n"),
+N_("  -N         do not use reverse DNS to canonicalize SASL host name\n"),
 N_("  -O props   SASL security properties\n"),
 N_("  -o <opt>[=<optparam] general options\n"),
 N_("             nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"),
@@ -708,6 +710,9 @@ tool_args( int argc, char **argv )
 		case 'n':	/* print operations, don't actually do them */
 			dont++;
 			break;
+		case 'N':
+			nocanon++;
+			break;
 		case 'o':
 			control = ber_strdup( optarg );
 			if ( (cvalue = strchr( control, '=' )) != NULL ) {
@@ -1258,6 +1263,14 @@ dnssrv_free:;
 			exit( EXIT_FAILURE );
 		}
 
+		/* canon */
+		if( ldap_set_option( ld, LDAP_OPT_X_SASL_NOCANON,
+			nocanon ? LDAP_OPT_ON : LDAP_OPT_OFF ) != LDAP_OPT_SUCCESS )
+		{
+			fprintf( stderr, "Could not set LDAP_OPT_X_SASL_NOCANON %s\n",
+				nocanon ? "on" : "off" );
+			exit( EXIT_FAILURE );
+		}
 		if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &protocol )
 			!= LDAP_OPT_SUCCESS )
 		{

clients/tools/ldapcompare.c

@@ -102,7 +102,7 @@ static int docompare LDAP_P((
 
 
 const char options[] = "z"
-	"Cd:D:e:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
+	"Cd:D:e:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
 
 #ifdef LDAP_CONTROL_DONTUSECOPY
 int dontUseCopy = 0;

clients/tools/ldapdelete.c

@@ -78,7 +78,7 @@ usage( void )
 
 
 const char options[] = "r"
-	"cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:z:Z";
+	"cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:z:Z";
 
 int
 handle_private_option( int i )

clients/tools/ldapexop.c

@@ -49,7 +49,7 @@ usage( void )
 
 
 const char options[] = ""
-	"d:D:e:h:H:InO:o:p:QR:U:vVw:WxX:y:Y:Z";
+	"d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )

clients/tools/ldapmodify.c

@@ -151,7 +151,7 @@ usage( void )
 
 
 const char options[] = "aE:rS:"
-	"cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
+	"cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )

clients/tools/ldapmodrdn.c

@@ -91,7 +91,7 @@ usage( void )
 
 
 const char options[] = "rs:"
-	"cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
+	"cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )

clients/tools/ldappasswd.c

@@ -81,7 +81,7 @@ usage( void )
 
 
 const char options[] = "a:As:St:T:"
-	"d:D:e:h:H:InO:o:p:QR:U:vVw:WxX:y:Y:Z";
+	"d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )

clients/tools/ldapsearch.c

@@ -265,7 +265,7 @@ urlize(char *url)
 
 
 const char options[] = "a:Ab:cE:F:l:Ls:S:tT:uz:"
-	"Cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
+	"Cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )

clients/tools/ldapwhoami.c

@@ -62,7 +62,7 @@ usage( void )
 
 
 const char options[] = ""
-	"d:D:e:h:H:InO:o:p:QR:U:vVw:WxX:y:Y:Z";
+	"d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )

doc/devel/args

 Tools           ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
-ldapcompare      * DE**HI*K M*OPQR  UVWXYZ   de *h**k *nop*    vwxyz
-ldapdelete       *CDE**HI*K M*OPQR  UVWXYZ  cdef*h**k *nop*    vwxyz
-ldapmodify       *CDE**HI*K M*OPQRS UVWXYZabcde *h**k *nop*r t vwxy
-ldapmodrdn       *CDE**HI*K M*OPQR  UVWXYZ  cdef*h**k *nop*rs  vwxy
-ldappasswd      A*CDE**HI*   *O QRS UVWXYZa  def*h**  * o * s  vwxy  
-ldapsearch      A*CDE**HI*KLM*OPQRSTUVWXYZab def*h**kl*nop* stuvwxyz
-ldapurl          *  E**H *   *    S       ab   f*h**  *  p* s
-ldapwhoami       * DE**HI*   *O QR  UVWXYZ   def*h**  *nop*    vwxy 
+ldapcompare      * DE**HI** MNOPQR  UVWXYZ   de *h*** *nop*    vwxyz
+ldapdelete       *CDE**HI** MNOPQR  UVWXYZ  cdef*h*** *nop*    vwxyz
+ldapexop         * D **HI**  NO QR  UVWXYZ   de *h*** *nop     vwxy
+ldapmodify       *CDE**HI** MNOPQRS UVWXYZabcde *h*** *nop*r t vwxy
+ldapmodrdn       *CDE**HI** MNOPQR  UVWXYZ  cdef*h*** *nop*rs  vwxy
+ldappasswd      A*CDE**HI**  NO QRS UVWXYZa  def*h*** * o * s  vwxy  
+ldapsearch      A*CDE**HI**LMNOPQRSTUVWXYZab def*h***l*nop* stuvwxyz
+ldapurl          *  E**H **       S       ab   f*h*** *  p* s
+ldapwhoami       * DE**HI**  NO QR  UVWXYZ   def*h*** *nop*    vwxy 
 
 
 * reserved
@@ -33,6 +34,8 @@ ldapwhoami       * DE**HI*   *O QR  UVWXYZ   def*h**  *nop*    vwxy
 	-x simple bind
 	-y Bind password-file
 	-w Bind password
+
+Not used
 	-4 IPv4 only
 	-6 IPv6 only
 
@@ -51,7 +54,7 @@ ldapwhoami       * DE**HI*   *O QR  UVWXYZ   def*h**  *nop*    vwxy
 	-Q SASL quiet mode (default: automatic)
 
 
-* LDAPv2+ Only (DEPRECATED)
+* LDAPv2+ Only (REMOVED)
 	-K LDAPv2 Kerberos Bind (Step 1 only)
 	-k LDAPv2 Kerberos Bind
 

include/ldap.h

@@ -177,6 +177,7 @@ LDAP_BEGIN_DECL
 #define LDAP_OPT_X_SASL_SSF_MAX			0x6108
 #define LDAP_OPT_X_SASL_MAXBUFSIZE		0x6109
 #define LDAP_OPT_X_SASL_MECHLIST		0x610a /* read-only */
+#define LDAP_OPT_X_SASL_NOCANON			0x610b
 
 /* OpenLDAP GSSAPI options */
 #define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT      0x6200

libraries/libldap/cyrus.c

@@ -446,10 +446,21 @@ ldap_int_sasl_bind(
 	}
 
 	{
-		char *saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
+		char *saslhost;
+		int nocanon = (int)LDAP_BOOL_GET( &ld->ld_options,
+			LDAP_BOOL_SASL_NOCANON );
+
+		/* If we don't need to canonicalize just use the host
+		 * from the LDAP URI.
+		 */
+		if ( nocanon )
+			saslhost = ld->ld_defconn->lconn_server->lud_host;
+		else 
+			saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
 			"localhost" );
 		rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
-		LDAP_FREE( saslhost );
+		if ( !nocanon )
+			LDAP_FREE( saslhost );
 	}
 
 	if ( rc != LDAP_SUCCESS ) return rc;
@@ -996,6 +1007,9 @@ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
 		case LDAP_OPT_X_SASL_MAXBUFSIZE:
 			*(ber_len_t *)arg = ld->ld_options.ldo_sasl_secprops.maxbufsize;
 			break;
+		case LDAP_OPT_X_SASL_NOCANON:
+			*(int *)arg = (int) LDAP_BOOL_GET(&ld->ld_options, LDAP_BOOL_SASL_NOCANON );
+			break;
 
 		case LDAP_OPT_X_SASL_SECPROPS:
 			/* this option is write only */
@@ -1010,7 +1024,10 @@ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
 int
 ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
 {
-	if ( ld == NULL || arg == NULL )
+	if ( ld == NULL )
+		return -1;
+
+	if ( arg == NULL && option != LDAP_OPT_X_SASL_NOCANON )
 		return -1;
 
 	switch ( option ) {
@@ -1063,6 +1080,13 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
 	case LDAP_OPT_X_SASL_MAXBUFSIZE:
 		ld->ld_options.ldo_sasl_secprops.maxbufsize = *(ber_len_t *)arg;
 		break;
+	case LDAP_OPT_X_SASL_NOCANON:
+		if ( arg == LDAP_OPT_OFF ) {
+			LDAP_BOOL_CLR(&ld->ld_options, LDAP_BOOL_SASL_NOCANON );
+		} else {
+			LDAP_BOOL_SET(&ld->ld_options, LDAP_BOOL_SASL_NOCANON );
+		}
+		break;
 
 	case LDAP_OPT_X_SASL_SECPROPS: {
 		int sc;

libraries/libldap/init.c

@@ -106,6 +106,7 @@ static const struct ol_attribute {
 	{1, ATTR_STRING,	"SASL_AUTHZID",		NULL,
 		offsetof(struct ldapoptions, ldo_def_sasl_authzid)},
 	{0, ATTR_SASL,		"SASL_SECPROPS",	NULL,	LDAP_OPT_X_SASL_SECPROPS},
+	{0, ATTR_BOOL,		"SASL_NOCANON",	NULL,	LDAP_BOOL_SASL_NOCANON},
 #endif
 
 #ifdef HAVE_GSSAPI

libraries/libldap/ldap-int.h

@@ -121,6 +121,7 @@ LDAP_BEGIN_DECL
 #define LDAP_BOOL_RESTART		1
 #define LDAP_BOOL_TLS			3
 #define	LDAP_BOOL_CONNECT_ASYNC		4
+#define	LDAP_BOOL_SASL_NOCANON		5
 
 #define LDAP_BOOLEANS	unsigned long
 #define LDAP_BOOL(n)	((LDAP_BOOLEANS)1 << (n))