Commit 55ae3cff authored by Kurt Zeilenga's avatar Kurt Zeilenga

SASL code without backend support. Should work with

external store, but not yet tested.  [Intent is to support
both in same server... may not be doable]
parent 5043287a
......@@ -213,25 +213,27 @@ do_bind(
ldap_pvt_thread_mutex_lock( &conn->c_mutex );
if ( conn->c_authmech != NULL ) {
assert( conn->c_bind_in_progress );
if ( conn->c_sasl_bind_mech != NULL ) {
assert( conn->c_sasl_bind_in_progress );
if((strcmp(conn->c_authmech, mech) != 0)) {
if((strcmp(conn->c_sasl_bind_mech, mech) != 0)) {
/* mechanism changed, cancel in progress bind */
conn->c_bind_in_progress = 0;
if( conn->c_authstate != NULL ) {
free(conn->c_authstate);
conn->c_authstate = NULL;
}
free(conn->c_authmech);
conn->c_authmech = NULL;
conn->c_sasl_bind_in_progress = 0;
free( conn->c_sasl_bind_mech );
conn->c_sasl_bind_mech = NULL;
#ifdef HAVE_CYRUS_SASL
sasl_dispose(&conn->c_sasl_bind_context);
conn->c_sasl_bind_context = NULL;
#endif
}
#ifdef LDAP_DEBUG
} else {
assert( !conn->c_bind_in_progress );
assert( conn->c_authmech == NULL );
assert( conn->c_authstate == NULL );
assert( !conn->c_sasl_bind_in_progress );
assert( conn->c_sasl_bind_mech == NULL );
#ifdef HAVE_CYRUS_SASL
assert( conn->c_sasl_bind_context == NULL );
#endif
#endif
}
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
......@@ -240,19 +242,19 @@ do_bind(
/* Not SASL, cancel any in-progress bind */
ldap_pvt_thread_mutex_lock( &conn->c_mutex );
if ( conn->c_authmech != NULL ) {
assert( conn->c_bind_in_progress );
if ( conn->c_sasl_bind_mech != NULL ) {
assert( conn->c_sasl_bind_in_progress );
/* cancel in progress bind */
conn->c_bind_in_progress = 0;
conn->c_sasl_bind_in_progress = 0;
if( conn->c_authstate != NULL ) {
free(conn->c_authstate);
conn->c_authstate = NULL;
}
free(conn->c_sasl_bind_mech);
conn->c_sasl_bind_mech = NULL;
free(conn->c_authmech);
conn->c_authmech = NULL;
#ifdef HAVE_CYRUS_SASL
sasl_dispose(&conn->c_sasl_bind_context);
conn->c_sasl_bind_context = NULL;
#endif
}
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
......@@ -353,6 +353,7 @@ long connection_init(
assert( c != NULL );
if( c->c_struct_state == SLAP_C_UNINITIALIZED ) {
c->c_authmech = NULL;
c->c_dn = NULL;
c->c_cdn = NULL;
......@@ -363,12 +364,11 @@ long connection_init(
c->c_ops = NULL;
c->c_pending_ops = NULL;
c->c_authmech = NULL;
c->c_authstate = NULL;
c->c_sasl_bind_mech = NULL;
#ifdef HAVE_CYRUS_SASL
c->c_sasl_context = NULL;
#endif /* HAVE_CYRUS_SASL */
c->c_sasl_bind_context = NULL;
#endif
c->c_sb = ber_sockbuf_alloc( );
c->c_currentber = NULL;
......@@ -384,6 +384,7 @@ long connection_init(
ldap_pvt_thread_mutex_lock( &c->c_mutex );
assert( c->c_struct_state == SLAP_C_UNUSED );
assert( c->c_authmech == NULL );
assert( c->c_dn == NULL );
assert( c->c_cdn == NULL );
assert( c->c_listener_url == NULL );
......@@ -392,10 +393,9 @@ long connection_init(
assert( c->c_sock_name == NULL );
assert( c->c_ops == NULL );
assert( c->c_pending_ops == NULL );
assert( c->c_authmech == NULL );
assert( c->c_authstate == NULL );
assert( c->c_sasl_bind_mech == NULL );
#ifdef HAVE_CYRUS_SASL
assert( c->c_sasl_context == NULL );
assert( c->c_sasl_bind_context == NULL );
#endif
assert( c->c_currentber == NULL );
......@@ -468,6 +468,10 @@ connection_destroy( Connection *c )
c->c_activitytime = c->c_starttime = 0;
if(c->c_authmech != NULL ) {
free(c->c_authmech);
c->c_authmech = NULL;
}
if(c->c_dn != NULL) {
free(c->c_dn);
c->c_dn = NULL;
......@@ -505,23 +509,18 @@ connection_destroy( Connection *c )
free(c->c_sock_name);
c->c_sock_name = NULL;
}
if(c->c_authmech != NULL ) {
free(c->c_authmech);
c->c_authmech = NULL;
}
if(c->c_authstate != NULL ) {
free(c->c_authstate);
c->c_authstate = NULL;
}
c->c_sasl_bind_in_progress = 0;
if(c->c_sasl_bind_mech != NULL) {
free(c->c_sasl_bind_mech);
c->c_sasl_bind_mech = NULL;
}
#ifdef HAVE_CYRUS_SASL
if(c->c_sasl_context != NULL ) {
sasl_dispose( &c->c_sasl_context );
c->c_sasl_context = NULL;
if(c->c_sasl_bind_context != NULL ) {
sasl_dispose( &c->c_sasl_bind_context );
c->c_sasl_bind_context = NULL;
}
#endif /* HAVE_CYRUS_SASL */
c->c_bind_in_progress = 0;
#endif
if ( c->c_currentber != NULL ) {
ber_free( c->c_currentber, 1 );
......@@ -730,7 +729,7 @@ connection_operation( void *arg_v )
num_ops_initiated++;
ldap_pvt_thread_mutex_unlock( &num_ops_mutex );
if( conn->c_bind_in_progress && tag != LDAP_REQ_BIND ) {
if( conn->c_sasl_bind_in_progress && tag != LDAP_REQ_BIND ) {
Debug( LDAP_DEBUG_ANY, "connection_operation: "
"error: SASL bind in progress (tag=%ld).\n",
(long) tag, 0, 0 );
......@@ -826,7 +825,7 @@ operations_error:
* the backend to set this.
*/
if ( rc == LDAP_SASL_BIND_IN_PROGRESS ) {
conn->c_bind_in_progress = 1;
conn->c_sasl_bind_in_progress = 1;
}
}
......@@ -136,7 +136,7 @@ monitor_info(
c->c_ops != NULL ? "x" : "",
c->c_pending_ops != NULL ? "p" : "",
connection_state2str( c->c_conn_state ),
c->c_bind_in_progress ? "S" : "",
c->c_sasl_bind_in_progress ? "S" : "",
c->c_cdn ? c->c_cdn : "<anonymous>",
......@@ -537,7 +537,7 @@ LIBSLAPD_F (int) sasl_init(void);
LIBSLAPD_F (int) sasl_destroy(void);
#ifdef HAVE_CYRUS_SASL
LIBSLAPD_F (int) sasl_errldap LDAP_P(( int ));
LIBSLAPD_F (int) sasl_bind LDAP_P((Backend *,
LIBSLAPD_F (int) sasl_bind LDAP_P((
Connection *, Operation *,
char *, char *, char *, struct berval *, char **));
#endif
......@@ -16,6 +16,7 @@
#include <ldap_log.h>
char **supportedSASLMechanisms = NULL;
char *sasl_host = NULL;
#ifdef HAVE_CYRUS_SASL
static void *sasl_pvt_mutex_new(void)
......@@ -64,7 +65,16 @@ int sasl_init( void )
return -1;
}
rc = sasl_server_new( "ldap", NULL, NULL, NULL,
if( sasl_host == NULL ) {
char hostname[MAXHOSTNAMELEN+1];
if( gethostname( hostname, MAXHOSTNAMELEN ) == 0 ) {
hostname[MAXHOSTNAMELEN] = '\0';
sasl_host = hostname;
}
}
rc = sasl_server_new( "ldap", sasl_host, NULL, NULL,
SASL_SECURITY_LAYER,
&server );
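Review bot: `sasl_host = hostname;` stores the address of the block-local array `char hostname[MAXHOSTNAMELEN+1]` in the file-scope global; that array's lifetime ends at the closing brace just before `sasl_server_new( "ldap", sasl_host, ... )`, so this call and every later `sasl_server_new( "ldap", sasl_host, global_realm, ... )` in sasl_bind read a dangling stack pointer. Cyrus uses this string as the server's identity in mechanism challenges, so a garbage or stale value is an authentication-interop and memory-safety problem rather than a cosmetic one. Copy it instead, `sasl_host = ch_strdup( hostname );`, and release it in sasl_destroy (or make the buffer `static`). The gethostname return value is checked, which is good; the NUL-termination at `hostname[MAXHOSTNAMELEN]` is also needed because gethostname may not terminate on truncation. sasl_init's body begins before and ends after this hunk.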
......@@ -118,7 +128,6 @@ int sasl_destroy( void )
#ifdef HAVE_CYRUS_SASL
int sasl_bind(
Backend *be,
Connection *conn,
Operation *op,
char *dn,
......@@ -135,10 +144,11 @@ int sasl_bind(
Debug(LDAP_DEBUG_ARGS, "==> sasl_bind: dn=%s, mech=%s, cred->bv_len=%d\n",
dn, mech, cred ? cred->bv_len : 0 );
if ( conn->c_sasl_context == NULL ) {
if ( conn->c_sasl_bind_context ) {
sasl_callback_t callbacks[4];
int cbnum = 0;
#if 0
if (be->be_sasl_authorize) {
callbacks[cbnum].id = SASL_CB_PROXY_POLICY;
callbacks[cbnum].proc = be->be_sasl_authorize;
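Review bot: The test `if ( conn->c_sasl_bind_context ) {` is inverted relative to the line it replaces (`if ( conn->c_sasl_context == NULL ) {`): a first bind on a connection, which has no context yet, now falls through to the `else` branch and calls `sasl_server_step` on a NULL context, while a continuation bind that already has a context allocates a second one, leaking the in-progress `sasl_conn_t` and discarding the mechanism state the client's response refers to. It should read `if ( conn->c_sasl_bind_context == NULL ) {`. The `#if 0` around the proxy-policy callback also means the Cyrus default authorization policy applies until backend support returns; a `/* FIXME: no SASL_CB_PROXY_POLICY until backends are wired in */` next to it would keep that from being forgotten. sasl_bind's body begins before and ends after this hunk.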
......@@ -159,18 +169,22 @@ int sasl_bind(
callbacks[cbnum].context = be;
++cbnum;
}
#endif
callbacks[cbnum].id = SASL_CB_LIST_END;
callbacks[cbnum].proc = NULL;
callbacks[cbnum].context = NULL;
/* create new SASL context */
if ( sasl_server_new( "ldap", NULL, be->be_realm,
callbacks, SASL_SECURITY_LAYER, &conn->c_sasl_context ) != SASL_OK ) {
sc = sasl_server_new( "ldap", sasl_host, global_realm,
callbacks, SASL_SECURITY_LAYER, &conn->c_sasl_bind_context );
if( sc != SASL_OK ) {
send_ldap_result( conn, op, LDAP_AUTH_METHOD_NOT_SUPPORTED,
NULL, NULL, NULL, NULL );
} else {
conn->c_authmech = ch_strdup( mech );
sc = sasl_server_start( conn->c_sasl_context, conn->c_authmech,
sc = sasl_server_start( conn->c_sasl_bind_context, conn->c_authmech,
cred->bv_val, cred->bv_len, (char **)&response.bv_val,
(unsigned *)&response.bv_len, &errstr );
if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) {
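Review bot: `conn->c_authmech = ch_strdup( mech );` records the mechanism of a bind that has not yet succeeded in the field this commit otherwise treats as the completed authentication mechanism, and never assigns `c_sasl_bind_mech`, which do_bind now compares (`strcmp(conn->c_sasl_bind_mech, mech)`) and frees to detect a mid-bind mechanism switch. As far as is visible, that leaves the switch detection dead, labels the connection with a mechanism before `sasl_server_start` returns, and overwrites any previous `c_authmech` without freeing it. Suggest `conn->c_sasl_bind_mech = ch_strdup( mech );`, pass that to `sasl_server_start`, and set `c_authmech` only on `SASL_OK`. Mapping every `sasl_server_new` failure to LDAP_AUTH_METHOD_NOT_SUPPORTED also hides the real cause (for example allocation failure); consider `ldap_pvt_sasl_err2ldap( sc )` as the other paths do. sasl_bind's body continues outside the hunk.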
......@@ -179,7 +193,7 @@ int sasl_bind(
}
}
} else {
sc = sasl_server_step( conn->c_sasl_context, cred->bv_val, cred->bv_len,
sc = sasl_server_step( conn->c_sasl_bind_context, cred->bv_val, cred->bv_len,
(char **)&response.bv_val, (unsigned *)&response.bv_len, &errstr );
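Review bot: `cred->bv_val` and `cred->bv_len` are dereferenced unconditionally in the `sasl_server_step` call, yet the Debug line at the top of sasl_bind guards with `cred ? cred->bv_len : 0`, so the function already expects a NULL credential; the SaslCredentials field is OPTIONAL in the LDAP bind request, so a client that omits it would crash the server with a NULL dereference. The `sasl_server_start` call in the preceding hunk has the same problem. Pass `cred ? cred->bv_val : NULL, cred ? cred->bv_len : 0` to both calls, or normalize `cred` once at the top of the function. The casts of `&response.bv_len` to `unsigned *` predate this change but are worth a look too, since they write through a narrower type if `ber_len_t` is wider than `unsigned`. sasl_bind's body continues outside the hunk.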
if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) {
send_ldap_result( conn, op, ldap_pvt_sasl_err2ldap( sc ),
......@@ -190,7 +204,7 @@ int sasl_bind(
if ( sc == SASL_OK ) {
char *authzid;
if ( ( sc = sasl_getprop( conn->c_sasl_context, SASL_USERNAME,
if ( ( sc = sasl_getprop( conn->c_sasl_bind_context, SASL_USERNAME,
(void **)&authzid ) ) != SASL_OK ) {
send_ldap_result( conn, op, ldap_pvt_sasl_err2ldap( sc ),
NULL, NULL, NULL, NULL );
......@@ -210,11 +224,11 @@ int sasl_bind(
}
} else if ( sc == SASL_CONTINUE ) {
/*
* We set c_bind_in_progress because it doesn't appear
* We set c_sasl_bind_in_progress because it doesn't appear
* that connection.c sets this (unless do_bind() itself
* returns LDAP_SASL_BIND_IN_PROGRESS).
*/
conn->c_bind_in_progress = 1;
conn->c_sasl_bind_in_progress = 1;
send_ldap_sasl( conn, op, LDAP_SASL_BIND_IN_PROGRESS,
NULL, NULL, NULL, NULL, &response );
}
......
......@@ -1015,11 +1015,11 @@ typedef struct slap_conn {
char *c_sock_name; /* sock name (trans=addr:port) */
/* only can be changed by binding thread */
int c_bind_in_progress; /* multi-op bind in progress */
int c_sasl_bind_in_progress; /* multi-op bind in progress */
char *c_sasl_bind_mech; /* mech in progress */
#ifdef HAVE_CYRUS_SASL
sasl_conn_t *c_sasl_context;
sasl_conn_t *c_sasl_bind_context; /* Cyrus SASL state data */
#endif
void *c_authstate; /* SASL state data */
/* authentication backend */
Backend *c_authc_backend;
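Review bot: The renamed fields carry no ownership notes, although the rest of the commit shows `c_sasl_bind_mech` being `ch_strdup`'d in sasl_bind, freed in do_bind when a bind is cancelled, and freed again in connection_destroy. Suggest `char *c_sasl_bind_mech; /* mech of the in-progress SASL bind; heap string owned by the connection, freed on completion, cancel or destroy */` and `sasl_conn_t *c_sasl_bind_context; /* Cyrus state for the in-progress bind; sasl_dispose'd when the bind ends */`. It would also help to state in the existing `/* only can be changed by binding thread */` comment that it covers all three fields and that readers must hold `c_mutex`, which is what do_bind does.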
......@@ -146,7 +146,6 @@ int sasl_destroy(void) {
#ifdef HAVE_CYRUS_SASL
int sasl_bind(
Backend *be,
Connection *conn,
Operation *op,
char *dn,