Commit 994dad7c authored by Kurt Zeilenga's avatar Kurt Zeilenga
Browse files

SASL/EXTERNAL fixes and cleanup

parent 28f25cc3
......@@ -838,8 +838,12 @@ slap_sasl_canonicalize(
* the authcID temporarily in conn->c_sasl_dn. We necessarily
* finish Canonicalizing before Authorizing, so there is no
* conflict with slap_sasl_authorize's use of this temp var.
*
* The SASL EXTERNAL mech is backwards from all the other mechs,
* it does authzID before the authcID. If we see that authzID
* has already been done, don't do anything special with authcID.
*/
if ( flags == SASL_CU_AUTHID ) {
if ( flags == SASL_CU_AUTHID && !auxvals[PROP_AUTHZ].values ) {
conn->c_sasl_dn.bv_val = (char *) in;
} else if ( flags == SASL_CU_AUTHZID && conn->c_sasl_dn.bv_val ) {
rc = strcmp( in, conn->c_sasl_dn.bv_val );
......
......@@ -58,16 +58,17 @@ int slap_sasl_setpolicy( const char *arg )
{
int rc = LDAP_SUCCESS;
if ( strcasecmp( arg, "none" ) == 0 )
if ( strcasecmp( arg, "none" ) == 0 ) {
authz_policy = SASL_AUTHZ_NONE;
else if ( strcasecmp( arg, "from" ) == 0 )
} else if ( strcasecmp( arg, "from" ) == 0 ) {
authz_policy = SASL_AUTHZ_FROM;
else if ( strcasecmp( arg, "to" ) == 0 )
} else if ( strcasecmp( arg, "to" ) == 0 ) {
authz_policy = SASL_AUTHZ_TO;
else if ( strcasecmp( arg, "both" ) == 0 )
} else if ( strcasecmp( arg, "both" ) == 0 ) {
authz_policy = SASL_AUTHZ_FROM | SASL_AUTHZ_TO;
else
} else {
rc = LDAP_OTHER;
}
return rc;
}
......@@ -299,8 +300,9 @@ static int slap_sasl_regexp( struct berval *in, struct berval *out )
saslname, 0, 0 );
#endif
if (( saslname == NULL ) || ( nSaslRegexp == 0 ))
if (( saslname == NULL ) || ( nSaslRegexp == 0 )) {
return( 0 );
}
/* Match the normalized SASL name to the saslregexp patterns */
for( reg = SaslRegexp,i=0; i<nSaslRegexp; i++,reg++ ) {
......@@ -309,8 +311,7 @@ static int slap_sasl_regexp( struct berval *in, struct berval *out )
break;
}
if( i >= nSaslRegexp )
return( 0 );
if( i >= nSaslRegexp ) return( 0 );
/*
* The match pattern may have been of the form "a(b.*)c(d.*)e" and the
......@@ -487,9 +488,9 @@ static int sasl_sc_smatch( BackendDB *be, Connection *conn, Operation *o,
if (dn_match(sm->dn, &e->e_nname)) {
sm->match = 1;
return -1; /* short-circuit the search */
} else {
return 1;
}
return 1;
}
/*
......@@ -519,12 +520,12 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
assertDN->bv_val, rule->bv_val,0 );
#else
Debug( LDAP_DEBUG_TRACE,
"===>slap_sasl_match: comparing DN %s to rule %s\n", assertDN->bv_val, rule->bv_val, 0 );
"===>slap_sasl_match: comparing DN %s to rule %s\n",
assertDN->bv_val, rule->bv_val, 0 );
#endif
rc = slap_parseURI( rule, &searchbase, &scope, &filter );
if( rc != LDAP_SUCCESS )
goto CONCLUDED;
if( rc != LDAP_SUCCESS ) goto CONCLUDED;
/* Massive shortcut: search scope == base */
if( scope == LDAP_SCOPE_BASE ) {
......@@ -534,10 +535,11 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
rc = regexec(&reg, assertDN->bv_val, 0, NULL, 0);
regfree( &reg );
}
if ( rc == 0 )
if ( rc == 0 ) {
rc = LDAP_SUCCESS;
else
} else {
rc = LDAP_INAPPROPRIATE_AUTH;
}
goto CONCLUDED;
}
......@@ -576,14 +578,16 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
scope, /*deref=*/1, /*sizelimit=*/0, /*time=*/0, filter, /*fstr=*/NULL,
/*attrs=*/NULL, /*attrsonly=*/0 );
if (sm.match)
if (sm.match) {
rc = LDAP_SUCCESS;
else
} else {
rc = LDAP_INAPPROPRIATE_AUTH;
}
CONCLUDED:
if( searchbase.bv_len ) ch_free( searchbase.bv_val );
if( filter ) filter_free( filter );
#ifdef NEW_LOGGING
LDAP_LOG( TRANSPORT, ENTRY,
"slap_sasl_match: comparison returned %d\n", rc, 0, 0 );
......@@ -626,14 +630,12 @@ slap_sasl_check_authz( Connection *conn,
rc = backend_attribute( NULL, NULL, conn->c_sasl_bindop, NULL,
searchDN, ad, &vals );
if( rc != LDAP_SUCCESS )
goto COMPLETE;
if( rc != LDAP_SUCCESS ) goto COMPLETE;
/* Check if the *assertDN matches any **vals */
for( i=0; vals[i].bv_val != NULL; i++ ) {
rc = slap_sasl_match( conn, &vals[i], assertDN, authc );
if ( rc == LDAP_SUCCESS )
goto COMPLETE;
if ( rc == LDAP_SUCCESS ) goto COMPLETE;
}
rc = LDAP_INAPPROPRIATE_AUTH;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment