Commit 5fc22599 authored by Kurt Zeilenga's avatar Kurt Zeilenga

Update SASL code to reuse context through life of session.

Replace 'negotiated' with 'interactive' bind
Add hooks for SASL/EXTERNAL
Disable SASL security layers
Rework SASL command line and config file parameters
parent 3fa223ad
......@@ -139,11 +139,12 @@ main( int argc, char **argv )
#ifdef GO500_HOSTNAME
strcpy( myhost, GO500_HOSTNAME );
#else
if ( myhost[0] == '\0' && gethostname( myhost, sizeof(myhost) )
if ( myhost[0] == '\0' && gethostname( myhost, sizeof(myhost)-1 )
== -1 ) {
perror( "gethostname" );
exit( EXIT_FAILURE );
}
myhost[sizeof(myhost)-1] = '\0';
#endif
#ifdef HAVE_SYSCONF
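Review bot: The new terminator store `myhost[sizeof(myhost)-1] = '\0';` is the right fix, but nothing says why both it and the `sizeof(myhost)-1` length are needed; a one-line comment such as `/* gethostname() need not NUL-terminate a truncated name */` above the store would keep a later cleanup from dropping one of the two. The `#ifdef GO500_HOSTNAME` branch keeps an unbounded `strcpy`, which is tolerable only because the source is a build-time constant. The same change and remark apply to the next section's hunk at `@@ -176,11 +176,12 @@`. main continues outside this hunk.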
......@@ -176,11 +176,12 @@ main (int argc, char **argv )
#ifdef GO500GW_HOSTNAME
strcpy( myhost, GO500GW_HOSTNAME );
#else
if ( myhost[0] == '\0' && gethostname( myhost, sizeof(myhost) )
if ( myhost[0] == '\0' && gethostname( myhost, sizeof(myhost)-1 )
== -1 ) {
perror( "gethostname" );
exit( EXIT_FAILURE );
}
myhost[sizeof(myhost)-1] = '\0';
#endif
/* detach if stderr is redirected or no debugging */
......@@ -17,9 +17,10 @@
#include <ac/unistd.h>
#include <ldap.h>
#include "lutil_ldap.h"
static char *binddn = NULL;
static struct berval passwd = { 0, NULL};
static struct berval passwd = { 0, NULL };
static char *ldaphost = NULL;
static int ldapport = 0;
static int prune = 0;
......@@ -27,8 +28,7 @@ static int prune = 0;
static char *sasl_authc_id = NULL;
static char *sasl_authz_id = NULL;
static char *sasl_mech = NULL;
static int sasl_integrity = 0;
static int sasl_privacy = 0;
static char *sasl_secprops = NULL;
#endif
static int use_tls = 0;
static int not, verbose, contoper;
......@@ -55,15 +55,13 @@ usage( const char *s )
" -C\t\tchase referrals\n"
" -d level\tset LDAP debugging level to `level'\n"
" -D binddn\tbind DN\n"
" -E\t\trequest SASL privacy (-EE to make it critical)\n"
" -f file\t\tdelete DNs listed in `file'\n"
" -h host\t\tLDAP server\n"
" -I\t\trequest SASL integrity checking (-II to make it\n"
" \tcritical)\n"
" -k\t\tuse Kerberos authentication\n"
" -K\t\tlike -k, but do only step 1 of the Kerberos bind\n"
" -M\t\tenable Manage DSA IT control (-MM to make it critical)\n"
" -n\t\tshow what would be done but don't actually delete\n"
" -O secprops\tSASL security properties\n"
" -p port\t\tport on LDAP server\n"
" -P version\tprocotol version (default: 3)\n"
" -r\t\tdelete recursively\n"
......@@ -92,7 +90,7 @@ main( int argc, char **argv )
authmethod = LDAP_AUTH_SIMPLE;
version = -1;
while (( i = getopt( argc, argv, "cCD:d:Ef:h:IKMnP:p:rU:vWw:X:Y:Z" )) != EOF ) {
while (( i = getopt( argc, argv, "cCD:d:f:h:KMnO:P:p:rU:vWw:X:Y:Z" )) != EOF ) {
switch( i ) {
case 'k': /* kerberos bind */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
......@@ -176,19 +174,9 @@ main( int argc, char **argv )
return( EXIT_FAILURE );
}
break;
case 'I':
case 'O':
#ifdef HAVE_CYRUS_SASL
sasl_integrity++;
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s was not compiled with SASL support\n",
argv[0] );
return( EXIT_FAILURE );
#endif
break;
case 'E':
#ifdef HAVE_CYRUS_SASL
sasl_privacy++;
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s was not compiled with SASL support\n",
......@@ -341,37 +329,25 @@ main( int argc, char **argv )
if ( authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL
int minssf = 0, maxssf = 0;
if ( sasl_integrity > 0 )
maxssf = 1;
if ( sasl_integrity > 1 )
minssf = 1;
if ( sasl_privacy > 0 )
maxssf = 100000; /* Something big value */
if ( sasl_privacy > 1 )
minssf = 56;
if ( ldap_set_option( ld, LDAP_OPT_X_SASL_MINSSF,
(void *)&minssf ) != LDAP_OPT_SUCCESS ) {
fprintf( stderr, "Could not set LDAP_OPT_X_SASL_MINSSF"
"%d\n", minssf);
return( EXIT_FAILURE );
}
if ( ldap_set_option( ld, LDAP_OPT_X_SASL_MAXSSF,
(void *)&maxssf ) != LDAP_OPT_SUCCESS ) {
fprintf( stderr, "Could not set LDAP_OPT_X_SASL_MAXSSF"
"%d\n", maxssf);
return( EXIT_FAILURE );
ldap_set_sasl_interact_proc( ld, lutil_sasl_interact );
if( sasl_secprops != NULL ) {
rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
(void *) sasl_secprops );
if( rc != LDAP_OPT_SUCCESS ) {
fprintf( stderr,
"Could not set LDAP_OPT_X_SASL_SECPROPS: %s\n",
sasl_secprops );
return( EXIT_FAILURE );
}
}
rc = ldap_negotiated_sasl_bind_s( ld, binddn, sasl_authc_id,
sasl_authz_id, sasl_mech,
passwd.bv_len ? &passwd : NULL,
NULL, NULL );
rc = ldap_sasl_interactive_bind_s( ld, binddn,
sasl_mech, NULL, NULL );
if( rc != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_negotiated_sasl_bind_s" );
ldap_perror( ld, "ldap_sasl_interactive_bind_s" );
return( EXIT_FAILURE );
}
#else
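Review bot: The new `ldap_sasl_interactive_bind_s( ld, binddn, sasl_mech, NULL, NULL )` call drops `sasl_authc_id`, `sasl_authz_id` and `passwd`, which the replaced `ldap_negotiated_sasl_bind_s` call received, while the getopt string still accepts `-U`, `-X`, `-w` and `-W`; unless `lutil_sasl_interact` reaches those values through a path not shown here, the supplied identities and password are silently ignored and the user may be re-prompted for credentials already given on the command line. The return value of `ldap_set_sasl_interact_proc` is discarded, so a failure to install the callback would surface only as a later, less specific bind error. With the min/max SSF logic gone, no integrity or privacy layer is requested unless `-O` asks for one, which the usage line should state, e.g. `" -O secprops\tSASL security properties (no security layer is requested by default)\n"`. In the `case 'O'` hunk above, `strdup( optarg )` is not checked for NULL and a repeated `-O` leaks the earlier copy. The same points apply to the corresponding hunks in the later sections (the modify, rename, password and search tools); main continues outside this hunk.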
......@@ -29,20 +29,20 @@
#include <ldap.h>
#include "lutil_ldap.h"
#include "ldif.h"
#include "ldap_defaults.h"
static char *prog;
static char *binddn = NULL;
static struct berval passwd = { 0, NULL};
static struct berval passwd = { 0, NULL };
static char *ldaphost = NULL;
static int ldapport = 0;
#ifdef HAVE_CYRUS_SASL
static char *sasl_authc_id = NULL;
static char *sasl_authz_id = NULL;
static char *sasl_mech = NULL;
static int sasl_integrity = 0;
static int sasl_privacy = 0;
static char *sasl_secprops = NULL;
#endif
static int use_tls = 0;
static int ldapadd, replace, not, verbose, contoper, force;
......@@ -104,16 +104,14 @@ usage( const char *prog )
" -C\t\tchase referrals\n"
" -d level\tset LDAP debugging level to `level'\n"
" -D dn\t\tbind DN\n"
" -E\t\trequest SASL privacy (-EE to make it critical)\n"
" -f file\t\tperform sequence of operations listed in file\n"
" -F\t\tforce all changes records to be used\n"
" -h host\t\tLDAP server\n"
" -I\t\trequest SASL integrity checking (-II to make it\n"
" \tcritical)\n"
" -k\t\tuse Kerberos authentication\n"
" -K\t\tlike -k, but do only step 1 of the Kerberos bind\n"
" -M\t\tenable Manage DSA IT control (-MM to make it critical)\n"
" -n\t\tprint changes, don't actually do them\n"
" -O secprops\tSASL security properties\n"
" -p port\t\tport on LDAP server\n"
" -r\t\treplace values\n"
" -U user\t\tSASL authentication identity (username)\n"
......@@ -151,7 +149,7 @@ main( int argc, char **argv )
authmethod = LDAP_AUTH_SIMPLE;
version = -1;
while (( i = getopt( argc, argv, "acCD:d:EFf:h:IKkMnP:p:rtU:vWw:X:Y:Z" )) != EOF ) {
while (( i = getopt( argc, argv, "acCD:d:Ff:h:KkMnO:P:p:rtU:vWw:X:Y:Z" )) != EOF ) {
switch( i ) {
case 'a': /* add */
ldapadd = 1;
......@@ -237,19 +235,9 @@ main( int argc, char **argv )
usage( argv[0] );
}
break;
case 'I':
case 'O':
#ifdef HAVE_CYRUS_SASL
sasl_integrity++;
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s was not compiled with SASL support\n",
argv[0] );
return( EXIT_FAILURE );
#endif
break;
case 'E':
#ifdef HAVE_CYRUS_SASL
sasl_privacy++;
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s was not compiled with SASL support\n",
......@@ -404,37 +392,25 @@ main( int argc, char **argv )
if ( authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL
int minssf = 0, maxssf = 0;
if ( sasl_integrity > 0 )
maxssf = 1;
if ( sasl_integrity > 1 )
minssf = 1;
if ( sasl_privacy > 0 )
maxssf = 100000; /* Something big value */
if ( sasl_privacy > 1 )
minssf = 56;
if ( ldap_set_option( ld, LDAP_OPT_X_SASL_MINSSF,
(void *)&minssf ) != LDAP_OPT_SUCCESS ) {
fprintf( stderr, "Could not set LDAP_OPT_X_SASL_MINSSF"
"%d\n", minssf);
return( EXIT_FAILURE );
}
if ( ldap_set_option( ld, LDAP_OPT_X_SASL_MAXSSF,
(void *)&maxssf ) != LDAP_OPT_SUCCESS ) {
fprintf( stderr, "Could not set LDAP_OPT_X_SASL_MINSSF"
"%d\n", minssf);
return( EXIT_FAILURE );
ldap_set_sasl_interact_proc( ld, lutil_sasl_interact );
if( sasl_secprops != NULL ) {
rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
(void *) sasl_secprops );
if( rc != LDAP_OPT_SUCCESS ) {
fprintf( stderr,
"Could not set LDAP_OPT_X_SASL_SECPROPS: %s\n",
sasl_secprops );
return( EXIT_FAILURE );
}
}
rc = ldap_negotiated_sasl_bind_s( ld, binddn, sasl_authc_id,
sasl_authz_id, sasl_mech,
passwd.bv_len ? &passwd : NULL,
NULL, NULL );
rc = ldap_sasl_interactive_bind_s( ld, binddn,
sasl_mech, NULL, NULL );
if( rc != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_negotiated_sasl_bind_s" );
ldap_perror( ld, "ldap_sasl_interactive_bind_s" );
return( EXIT_FAILURE );
}
#else
......@@ -29,17 +29,17 @@
#include <ac/unistd.h>
#include <ldap.h>
#include "lutil_ldap.h"
static char *binddn = NULL;
static struct berval passwd = { 0, NULL};
static struct berval passwd = { 0, NULL };
static char *ldaphost = NULL;
static int ldapport = 0;
#ifdef HAVE_CYRUS_SASL
static char *sasl_authc_id = NULL;
static char *sasl_authz_id = NULL;
static char *sasl_mech = NULL;
static int sasl_integrity = 0;
static int sasl_privacy = 0;
static char *sasl_secprops = NULL;
#endif
static int use_tls = 0;
static int not, verbose, contoper;
......@@ -66,15 +66,13 @@ usage( const char *s )
" -C\t\tchase referrals\n"
" -d level\tset LDAP debugging level to `level'\n"
" -D binddn\tbind DN\n"
" -E\t\trequest SASL privacy (-EE to make it critical)\n"
" -f file\t\tdo renames listed in `file'\n"
" -h host\t\tLDAP server\n"
" -I\t\trequest SASL integrity checking (-II to make it\n"
" \tcritical)\n"
" -k\t\tuse Kerberos authentication\n"
" -K\t\tlike -k, but do only step 1 of the Kerberos bind\n"
" -M\t\tenable Manage DSA IT control (-MM to make it critical)\n"
" -n\t\tshow what would be done but don't actually do it\n"
" -O secprops\tSASL security properties\n"
" -p port\t\tport on LDAP server\n"
" -P version\tprocotol version (default: 3)\n"
" -r\t\tremove old RDN\n"
......@@ -108,7 +106,7 @@ main(int argc, char **argv)
myname = (myname = strrchr(argv[0], '/')) == NULL ? argv[0] : ++myname;
while (( i = getopt( argc, argv, "cCD:d:Ef:h:IKkMnP:p:rs:U:vWw:X:Y:Z" )) != EOF ) {
while (( i = getopt( argc, argv, "cCD:d:f:h:KkMnO:P:p:rs:U:vWw:X:Y:Z" )) != EOF ) {
switch( i ) {
case 'k': /* kerberos bind */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
......@@ -193,19 +191,9 @@ main(int argc, char **argv)
return( EXIT_FAILURE );
}
break;
case 'I':
case 'O':
#ifdef HAVE_CYRUS_SASL
sasl_integrity++;
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s was not compiled with SASL support\n",
argv[0] );
return( EXIT_FAILURE );
#endif
break;
case 'E':
#ifdef HAVE_CYRUS_SASL
sasl_privacy++;
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s was not compiled with SASL support\n",
......@@ -383,37 +371,25 @@ main(int argc, char **argv)
if ( authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL
int minssf = 0, maxssf = 0;
if ( sasl_integrity > 0 )
maxssf = 1;
if ( sasl_integrity > 1 )
minssf = 1;
if ( sasl_privacy > 0 )
maxssf = 100000; /* Something big value */
if ( sasl_privacy > 1 )
minssf = 56;
if ( ldap_set_option( ld, LDAP_OPT_X_SASL_MINSSF,
(void *)&minssf ) != LDAP_OPT_SUCCESS ) {
fprintf( stderr, "Could not set LDAP_OPT_X_SASL_MINSSF"
"%d\n", minssf);
return( EXIT_FAILURE );
}
if ( ldap_set_option( ld, LDAP_OPT_X_SASL_MAXSSF,
(void *)&maxssf ) != LDAP_OPT_SUCCESS ) {
fprintf( stderr, "Could not set LDAP_OPT_X_SASL_MAXSSF"
"%d\n", maxssf);
return( EXIT_FAILURE );
ldap_set_sasl_interact_proc( ld, lutil_sasl_interact );
if( sasl_secprops != NULL ) {
rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
(void *) sasl_secprops );
if( rc != LDAP_OPT_SUCCESS ) {
fprintf( stderr,
"Could not set LDAP_OPT_X_SASL_SECPROPS: %s\n",
sasl_secprops );
return( EXIT_FAILURE );
}
}
rc = ldap_negotiated_sasl_bind_s( ld, binddn, sasl_authc_id,
sasl_authz_id, sasl_mech,
passwd.bv_len ? &passwd : NULL,
NULL, NULL );
rc = ldap_sasl_interactive_bind_s( ld, binddn,
sasl_mech, NULL, NULL );
if( rc != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_negotiated_sasl_bind_s" );
ldap_perror( ld, "ldap_sasl_interactive_bind_s" );
return( EXIT_FAILURE );
}
#else
......@@ -19,6 +19,7 @@
#include <ldap.h>
#include "lutil_ldap.h"
#include "ldap_defaults.h"
static int verbose = 0;
......@@ -41,6 +42,7 @@ usage(const char *s)
" -I\t\trequest SASL integrity checking (-II to make it\n"
" \tcritical)\n"
" -n\t\tmake no modifications\n"
" -O secprops\tSASL security properties\n"
" -p port\t\tport on LDAP server\n"
" -S\t\tprompt for new password\n"
" -s secret\tnew password\n"
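Review bot: The usage text in this hunk still documents `-I` (the `" -I\t\trequest SASL integrity checking ..."` and `" \tcritical)\n"` lines are unchanged context), yet the getopt string in the hunk at `@@ -101,7 +102,7 @@` no longer accepts `I` and the `case 'I'` label is replaced by `case 'O'`; the two `-I` lines should be removed from the usage string so the help output matches the options the tool actually parses. The `-E` entry, if it sits above this hunk, presumably needs the same treatment. usage continues outside this hunk.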
......@@ -65,7 +67,7 @@ main( int argc, char *argv[] )
char *dn = NULL;
char *binddn = NULL;
struct berval passwd = { 0, NULL};
struct berval passwd = { 0, NULL };
char *newpw = NULL;
char *oldpw = NULL;
......@@ -83,8 +85,7 @@ main( int argc, char *argv[] )
char *sasl_authc_id = NULL;
char *sasl_authz_id = NULL;
char *sasl_mech = NULL;
int sasl_integrity = 0;
int sasl_privacy = 0;
char *sasl_secprops = NULL;
#endif
int use_tls = 0;
int referrals = 0;
......@@ -101,7 +102,7 @@ main( int argc, char *argv[] )
usage (argv[0]);
while( (i = getopt( argc, argv,
"Aa:CD:d:EIh:np:Ss:U:vWw:X:Y:Z" )) != EOF )
"Aa:CD:d:h:nO:p:Ss:U:vWw:X:Y:Z" )) != EOF )
{
switch (i) {
case 'A': /* prompt for oldr password */
......@@ -176,23 +177,13 @@ main( int argc, char *argv[] )
passwd.bv_len = strlen( passwd.bv_val );
break;
case 'I':
case 'O':
#ifdef HAVE_CYRUS_SASL
sasl_integrity++;
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s was not compiled with SASL "
"support\n", argv[0] );
return( EXIT_FAILURE );
#endif
break;
case 'E':
#ifdef HAVE_CYRUS_SASL
sasl_privacy++;
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s was not compiled with SASL "
"support\n", argv[0] );
fprintf( stderr, "%s was not compiled with SASL support\n",
argv[0] );
return( EXIT_FAILURE );
#endif
break;
......@@ -342,37 +333,25 @@ main( int argc, char *argv[] )
if ( authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL
int minssf = 0, maxssf = 0;
if ( sasl_integrity > 0 )
maxssf = 1;
if ( sasl_integrity > 1 )
minssf = 1;
if ( sasl_privacy > 0 )
maxssf = 100000; /* Something big value */
if ( sasl_privacy > 1 )
minssf = 56;
if ( ldap_set_option( ld, LDAP_OPT_X_SASL_MINSSF,
(void *)&minssf ) != LDAP_OPT_SUCCESS ) {
fprintf( stderr, "Could not set LDAP_OPT_X_SASL_MINSSF"
"%d\n", minssf);
return( EXIT_FAILURE );
}
if ( ldap_set_option( ld, LDAP_OPT_X_SASL_MAXSSF,
(void *)&maxssf ) != LDAP_OPT_SUCCESS ) {
fprintf( stderr, "Could not set LDAP_OPT_X_SASL_MAXSSF"
"%d\n", maxssf);
return( EXIT_FAILURE );
ldap_set_sasl_interact_proc( ld, lutil_sasl_interact );
if( sasl_secprops != NULL ) {
rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
(void *) sasl_secprops );
if( rc != LDAP_OPT_SUCCESS ) {
fprintf( stderr,
"Could not set LDAP_OPT_X_SASL_SECPROPS: %s\n",
sasl_secprops );
return( EXIT_FAILURE );
}
}
rc = ldap_negotiated_sasl_bind_s( ld, binddn, sasl_authc_id,
sasl_authz_id, sasl_mech,
passwd.bv_len ? &passwd : NULL,
NULL, NULL );
rc = ldap_sasl_interactive_bind_s( ld, binddn,
sasl_mech, NULL, NULL );
if( rc != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_negotiated_sasl_bind_s" );
ldap_perror( ld, "ldap_sasl_interactive_bind_s" );
return( EXIT_FAILURE );
}
#else
......@@ -31,6 +31,7 @@
#include "ldif.h"
#include "lutil.h"
#include "lutil_ldap.h"
#include "ldap_defaults.h"
static void
......@@ -64,6 +65,7 @@ usage( const char *s )
"\t\t\tand version\n"
"\t-M\t\tenable Manage DSA IT control (-MM to make critical)\n"
"\t-n\t\tshow what would be done but don't actually search\n"
"\t-O secprops\tSASL security properties\n"
"\t-p port\t\tport on LDAP server\n"
"\t-P version\tprocotol version (default: 3)\n"
"\t-s scope\tone of base, one, or sub (search scope)\n"
......@@ -143,8 +145,7 @@ static int ldapport = 0;
static char *sasl_authc_id = NULL;
static char *sasl_authz_id = NULL;
static char *sasl_mech = NULL;
static int sasl_integrity = 0;
static int sasl_privacy = 0;
static char *sasl_secprops = NULL;
#endif
static int use_tls = 0;
static char *sortattr = NULL;
......@@ -170,7 +171,7 @@ main( int argc, char **argv )
authmethod = LDAP_AUTH_SIMPLE;
while (( i = getopt( argc, argv,
"Aa:b:CD:d:Ef:h:IKkLl:MnP:p:RS:s:T:tU:uV:vWw:X:Y:Zz:")) != EOF )
"Aa:b:CD:d:f:h:KkLl:MnO:P:p:RS:s:T:tU:uV:vWw:X:Y:Zz:")) != EOF )
{
switch( i ) {
case 'n': /* do nothing */
......@@ -309,19 +310,9 @@ main( int argc, char **argv )
usage( argv[0] );
}
break;
case 'I':
case 'O':
#ifdef HAVE_CYRUS_SASL
sasl_integrity++;
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s was not compiled with SASL support\n",
argv[0] );
return( EXIT_FAILURE );
#endif
break;
case 'E':
#ifdef HAVE_CYRUS_SASL
sasl_privacy++;
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s was not compiled with SASL support\n",
......@@ -531,37 +522,25 @@ main( int argc, char **argv )
if ( authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL
int minssf = 0, maxssf = 0;
if ( sasl_integrity > 0 )
maxssf = 1;
if ( sasl_integrity > 1 )
minssf = 1;
if ( sasl_privacy > 0 )
maxssf = 100000; /* Something big value */
if ( sasl_privacy > 1 )
minssf = 56;
if ( ldap_set_option( ld, LDAP_OPT_X_SASL_MINSSF,
(void *)&minssf ) != LDAP_OPT_SUCCESS ) {
fprintf( stderr, "Could not set LDAP_OPT_X_SASL_MINSSF"
"%d\n", minssf);
return( EXIT_FAILURE );
}
if ( ldap_set_option( ld, LDAP_OPT_X_SASL_MAXSSF,
(void *)&maxssf ) != LDAP_OPT_SUCCESS ) {
fprintf( stderr, "Could not set LDAP_OPT_X_SASL_MAXSSF"
"%d\n", maxssf);
return( EXIT_FAILURE );
ldap_set_sasl_interact_proc( ld, lutil_sasl_interact );
if( sasl_secprops != NULL ) {
rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
(void *) sasl_secprops );
if( rc != LDAP_OPT_SUCCESS ) {
fprintf( stderr,
"Could not set LDAP_OPT_X_SASL_SECPROPS: %s\n",
sasl_secprops );
return( EXIT_FAILURE );
}
}
rc = ldap_negotiated_sasl_bind_s( ld, binddn, sasl_authc_id,
sasl_authz_id, sasl_mech,
passwd.bv_len ? &passwd : NULL,