Commit
994dad7c
authored
Dec 14, 2002
by
Kurt Zeilenga
SASL/EXTERNAL fixes and cleanup
parent
28f25cc3
Changes
2
servers/slapd/sasl.c
@@ -838,8 +838,12 @@ slap_sasl_canonicalize(
* the authcID temporarily in conn->c_sasl_dn. We necessarily
* finish Canonicalizing before Authorizing, so there is no
* conflict with slap_sasl_authorize's use of this temp var.
*
* The SASL EXTERNAL mech is backwards from all the other mechs,
* it does authzID before the authcID. If we see that authzID
* has already been done, don't do anything special with authcID.
*/
if
(
flags
==
SASL_CU_AUTHID
)
{
if
(
flags
==
SASL_CU_AUTHID
&&
!
auxvals
[
PROP_AUTHZ
].
values
)
{
conn
->
c_sasl_dn
.
bv_val
=
(
char
*
)
in
;
}
else
if
(
flags
==
SASL_CU_AUTHZID
&&
conn
->
c_sasl_dn
.
bv_val
)
{
rc
=
strcmp
(
in
,
conn
->
c_sasl_dn
.
bv_val
);
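Review bot: The AUTHID branch assigns only `conn->c_sasl_dn.bv_val = (char *)in` and leaves `bv_len` untouched, so the berval is a bare borrowed pointer with a possibly stale length, and the cast also discards the `const` on `in`. The AUTHZID branch later does `strcmp( in, conn->c_sasl_dn.bv_val )`, which depends on the earlier SASL input buffer still being valid at that point; nothing in the hunk shows that lifetime, so it should be stated. A comment at the assignment would make the ownership explicit: `/* borrowed pointer into SASL's authcID buffer: not owned, not freed here; bv_len is not meaningful */`. slap_sasl_canonicalize begins before and ends after this hunk.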
servers/slapd/saslauthz.c
@@ -58,16 +58,17 @@ int slap_sasl_setpolicy( const char *arg )
{
int
rc
=
LDAP_SUCCESS
;
if
(
strcasecmp
(
arg
,
"none"
)
==
0
)
if
(
strcasecmp
(
arg
,
"none"
)
==
0
)
{
authz_policy
=
SASL_AUTHZ_NONE
;
else
if
(
strcasecmp
(
arg
,
"from"
)
==
0
)
}
else
if
(
strcasecmp
(
arg
,
"from"
)
==
0
)
{
authz_policy
=
SASL_AUTHZ_FROM
;
else
if
(
strcasecmp
(
arg
,
"to"
)
==
0
)
}
else
if
(
strcasecmp
(
arg
,
"to"
)
==
0
)
{
authz_policy
=
SASL_AUTHZ_TO
;
else
if
(
strcasecmp
(
arg
,
"both"
)
==
0
)
}
else
if
(
strcasecmp
(
arg
,
"both"
)
==
0
)
{
authz_policy
=
SASL_AUTHZ_FROM
|
SASL_AUTHZ_TO
;
else
}
else
{
rc
=
LDAP_OTHER
;
}
return
rc
;
}
@@ -299,8 +300,9 @@ static int slap_sasl_regexp( struct berval *in, struct berval *out )
saslname
,
0
,
0
);
#endif
if
((
saslname
==
NULL
)
||
(
nSaslRegexp
==
0
))
if
((
saslname
==
NULL
)
||
(
nSaslRegexp
==
0
))
{
return
(
0
);
}
/* Match the normalized SASL name to the saslregexp patterns */
for
(
reg
=
SaslRegexp
,
i
=
0
;
i
<
nSaslRegexp
;
i
++
,
reg
++
)
{
@@ -309,8 +311,7 @@ static int slap_sasl_regexp( struct berval *in, struct berval *out )
break
;
}
if
(
i
>=
nSaslRegexp
)
return
(
0
);
if
(
i
>=
nSaslRegexp
)
return
(
0
);
/*
* The match pattern may have been of the form "a(b.*)c(d.*)e" and the
@@ -487,9 +488,9 @@ static int sasl_sc_smatch( BackendDB *be, Connection *conn, Operation *o,
if
(
dn_match
(
sm
->
dn
,
&
e
->
e_nname
))
{
sm
->
match
=
1
;
return
-
1
;
/* short-circuit the search */
}
else
{
return
1
;
}
return
1
;
}
/*
@@ -519,12 +520,12 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
assertDN
->
bv_val
,
rule
->
bv_val
,
0
);
#else
Debug
(
LDAP_DEBUG_TRACE
,
"===>slap_sasl_match: comparing DN %s to rule %s
\n
"
,
assertDN
->
bv_val
,
rule
->
bv_val
,
0
);
"===>slap_sasl_match: comparing DN %s to rule %s
\n
"
,
assertDN
->
bv_val
,
rule
->
bv_val
,
0
);
#endif
rc
=
slap_parseURI
(
rule
,
&
searchbase
,
&
scope
,
&
filter
);
if
(
rc
!=
LDAP_SUCCESS
)
goto
CONCLUDED
;
if
(
rc
!=
LDAP_SUCCESS
)
goto
CONCLUDED
;
/* Massive shortcut: search scope == base */
if
(
scope
==
LDAP_SCOPE_BASE
)
{
@@ -534,10 +535,11 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
rc
=
regexec
(
&
reg
,
assertDN
->
bv_val
,
0
,
NULL
,
0
);
regfree
(
&
reg
);
}
if
(
rc
==
0
)
if
(
rc
==
0
)
{
rc
=
LDAP_SUCCESS
;
else
}
else
{
rc
=
LDAP_INAPPROPRIATE_AUTH
;
}
goto
CONCLUDED
;
}
@@ -576,14 +578,16 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
scope
,
/*deref=*/
1
,
/*sizelimit=*/
0
,
/*time=*/
0
,
filter
,
/*fstr=*/
NULL
,
/*attrs=*/
NULL
,
/*attrsonly=*/
0
);
if
(
sm
.
match
)
if
(
sm
.
match
)
{
rc
=
LDAP_SUCCESS
;
else
}
else
{
rc
=
LDAP_INAPPROPRIATE_AUTH
;
}
CONCLUDED:
if
(
searchbase
.
bv_len
)
ch_free
(
searchbase
.
bv_val
);
if
(
filter
)
filter_free
(
filter
);
#ifdef NEW_LOGGING
LDAP_LOG
(
TRANSPORT
,
ENTRY
,
"slap_sasl_match: comparison returned %d
\n
"
,
rc
,
0
,
0
);
@@ -626,14 +630,12 @@ slap_sasl_check_authz( Connection *conn,
rc
=
backend_attribute
(
NULL
,
NULL
,
conn
->
c_sasl_bindop
,
NULL
,
searchDN
,
ad
,
&
vals
);
if
(
rc
!=
LDAP_SUCCESS
)
goto
COMPLETE
;
if
(
rc
!=
LDAP_SUCCESS
)
goto
COMPLETE
;
/* Check if the *assertDN matches any **vals */
for
(
i
=
0
;
vals
[
i
].
bv_val
!=
NULL
;
i
++
)
{
rc
=
slap_sasl_match
(
conn
,
&
vals
[
i
],
assertDN
,
authc
);
if
(
rc
==
LDAP_SUCCESS
)
goto
COMPLETE
;
if
(
rc
==
LDAP_SUCCESS
)
goto
COMPLETE
;
}
rc
=
LDAP_INAPPROPRIATE_AUTH
;
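Review bot: In the slap_sasl_check_authz hunk, the loop `for ( i = 0; vals[i].bv_val != NULL; i++ )` indexes `vals` immediately after the `rc != LDAP_SUCCESS` guard with no check that `vals` itself is non-NULL; whether backend_attribute can return LDAP_SUCCESS while leaving `vals` NULL is not visible here, but if it can, this dereferences NULL on an authorization path. A guard that fails closed, consistent with the `rc = LDAP_INAPPROPRIATE_AUTH` that already follows the loop when no value matches, would be `if ( vals == NULL ) { rc = LDAP_INAPPROPRIATE_AUTH; goto COMPLETE; }`. The slap_sasl_setpolicy hunk likewise passes `arg` straight to strcasecmp without a NULL check, which is fine only if every caller guarantees a non-NULL argument. slap_sasl_check_authz begins before this hunk and ends after it, so the COMPLETE label and the release of `vals` are outside the view.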