From 4613fdc878380d876311a4356079f663048cf1d9 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Wed, 3 Jun 2009 00:09:52 +0000
Subject: [PATCH] ITS#6147

---
 CHANGES                     |  1 +
 doc/man/man5/slapd-config.5 |  5 +++++
 doc/man/man5/slapd.conf.5   |  5 +++++
 servers/slapd/bconfig.c     | 10 +++++++++-
 servers/slapd/proto-slap.h  |  1 +
 servers/slapd/sasl.c        | 22 ++++++++++++++++++++++
 6 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 665aa68a9c..2d84a41160 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,7 @@ OpenLDAP 2.4.17 Engineering
 	Fixed libldap tls NULL error messages (ITS#6079)
 	Fixed liblutil opendir/closedir on windows (ITS#6041)
 	Fixed liblutil for _GNU_SOURCE (ITS#5464,ITS#5666)
+	Added slapd sasl auxprop support (ITS#6147)
 	Fixed slapd assert with closing connections (ITS#6111)
 	Fixed slapd cert validation (ITS#6098)
 	Fixed slapd errno handling (ITS#6037)
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index bde39220f3..e3e76914ae 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -665,6 +665,11 @@ ldapsearch -x -b "" -s base "+"
 .br
 See RFC 4512 section 5.1 for details.
 .TP
+.B olcSaslAuxprops: <plugin> [...]
+Specify which auxprop plugins to use for authentication lookups. The
+default is empty, which just uses slapd's internal support. Usually
+no other auxprop plugins are needed.
+.TP
 .B olcSaslHost: <fqdn>
 Used to specify the fully qualified domain name used for SASL processing.
 .TP
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index 4229c7a022..5753beba2c 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -814,6 +814,11 @@ ldapsearch -x -b "" -s base "+"
 .br
 See RFC 4512 section 5.1 for details.
 .TP
+.B sasl-auxprops <plugin> [...]
+Specify which auxprop plugins to use for authentication lookups. The
+default is empty, which just uses slapd's internal support. Usually
+no other auxprop plugins are needed.
+.TP
 .B sasl-host <fqdn>
 Used to specify the fully qualified domain name used for SASL processing.
 .TP
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index d78ae6176d..fae59ceb3b 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -530,6 +530,14 @@ static ConfigTable config_back_cf_table[] = {
 			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
 	{ "sasl-authz-policy", NULL, 2, 2, 0, ARG_MAGIC|CFG_AZPOLICY,
 		&config_generic, NULL, NULL, NULL },
+	{ "sasl-auxprops", NULL, 2, 0, 0,
+#ifdef HAVE_CYRUS_SASL
+		ARG_STRING|ARG_UNIQUE, &slap_sasl_auxprops,
+#else
+		ARG_IGNORED, NULL,
+#endif
+		"( OLcfgGlAt:89 NAME 'olcSaslAuxprops' "
+			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
 	{ "sasl-host", "host", 2, 2, 0,
 #ifdef HAVE_CYRUS_SASL
 		ARG_STRING|ARG_UNIQUE, &sasl_host,
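Review bot: The new `sasl-auxprops` entry declares an unbounded argument list (`2, 0`) but stores the value through a single `char *` with ARG_STRING; unless the config parser joins the remaining tokens into one string, a line such as `sasl-auxprops a b` would presumably keep only the first plugin, while the man page advertises `<plugin> [...]`. Confirm how ARG_STRING is handled when max_args is 0, or limit the entry to one argument (`{ "sasl-auxprops", NULL, 2, 2, 0,`) and document that several plugins are given as one quoted, space-separated string. The cn=config attribute is SINGLE-VALUE DirectoryString, so the single-string form would keep slapd.conf and olcSaslAuxprops consistent.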
@@ -757,7 +765,7 @@ static ConfigOCs cf_ocs[] = {
 		 "olcPluginLogFile $ olcReadOnly $ olcReferral $ "
 		 "olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ "
 		 "olcRootDSE $ "
-		 "olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
+		 "olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
 		 "olcSecurity $ olcServerID $ olcSizeLimit $ "
 		 "olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ "
 		 "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index e52288cc67..afa95ac91f 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -1934,6 +1934,7 @@ LDAP_SLAPD_V (int)		global_idletimeout;
 LDAP_SLAPD_V (char *)	global_host;
 LDAP_SLAPD_V (char *)	global_realm;
 LDAP_SLAPD_V (char *)	sasl_host;
+LDAP_SLAPD_V (char *)	slap_sasl_auxprops;
 LDAP_SLAPD_V (char **)	default_passwd_hash;
 LDAP_SLAPD_V (int)		lber_debug;
 LDAP_SLAPD_V (int)		ldap_syslog;
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 459d38ce61..14e3d25b6e 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -63,8 +63,29 @@ typedef struct sasl_ctx {
 
 static struct berval ext_bv = BER_BVC( "EXTERNAL" );
 
+char *slap_sasl_auxprops;
+
 #ifdef HAVE_CYRUS_SASL
 
+/* Just use our internal auxprop by default */
+static int
+slap_sasl_getopt(
+	void *context,
+	const char *plugin_name,
+	const char *option,
+	const char **result,
+	unsigned *len)
+{
+	if ( strcmp( option, "auxprop_plugin" )) {
+		return SASL_FAIL;
+	}
+	if ( slap_sasl_auxprops )
+		*result = slap_sasl_auxprops;
+	else
+		*result = "slapd";
+	return SASL_OK;
+}
+
 int
 slap_sasl_log(
 	void *context,
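Review bot: slap_sasl_getopt never writes through `len`, although the sasl_getopt_t contract lets the library ask for the result length through that pointer when it is non-NULL; add `if ( len ) *len = strlen( *result );` before `return SASL_OK;`. The function also has no comment explaining why every option other than `auxprop_plugin` answers SASL_FAIL — presumably so libsasl falls back to its own sources for those options; a comment such as `/* SASL_FAIL for any other option: let libsasl consult its own config */` would record that intent, and the fallback behaviour is worth confirming against the Cyrus SASL version in use, since a getopt callback that shadowed every query would mask settings from the SASL config file. `context` and `plugin_name` are unused by design and could be marked as such.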
@@ -1078,6 +1099,7 @@ int slap_sasl_init( void )
 	int rc;
 	static sasl_callback_t server_callbacks[] = {
 		{ SASL_CB_LOG, &slap_sasl_log, NULL },
+		{ SASL_CB_GETOPT, &slap_sasl_getopt, NULL },
 		{ SASL_CB_LIST_END, NULL, NULL }
 	};
 #endif
-- 
GitLab