SASL/EXTERNAL fixes and cleanup

servers/slapd/sasl.c

@@ -838,8 +838,12 @@ slap_sasl_canonicalize(
 	 * the authcID temporarily in conn->c_sasl_dn. We necessarily
 	 * finish Canonicalizing before Authorizing, so there is no
 	 * conflict with slap_sasl_authorize's use of this temp var.
+	 *
+	 * The SASL EXTERNAL mech is backwards from all the other mechs,
+	 * it does authzID before the authcID. If we see that authzID
+	 * has already been done, don't do anything special with authcID.
 	 */
-	if ( flags == SASL_CU_AUTHID ) {
+	if ( flags == SASL_CU_AUTHID && !auxvals[PROP_AUTHZ].values ) {
 		conn->c_sasl_dn.bv_val = (char *) in;
 	} else if ( flags == SASL_CU_AUTHZID && conn->c_sasl_dn.bv_val ) {
 		rc = strcmp( in, conn->c_sasl_dn.bv_val );

servers/slapd/saslauthz.c

@@ -58,16 +58,17 @@ int slap_sasl_setpolicy( const char *arg )
 {
 	int rc = LDAP_SUCCESS;
 
-	if ( strcasecmp( arg, "none" ) == 0 )
+	if ( strcasecmp( arg, "none" ) == 0 ) {
 		authz_policy = SASL_AUTHZ_NONE;
-	else if ( strcasecmp( arg, "from" ) == 0 )
+	} else if ( strcasecmp( arg, "from" ) == 0 ) {
 		authz_policy = SASL_AUTHZ_FROM;
-	else if ( strcasecmp( arg, "to" ) == 0 )
+	} else if ( strcasecmp( arg, "to" ) == 0 ) {
 		authz_policy = SASL_AUTHZ_TO;
-	else if ( strcasecmp( arg, "both" ) == 0 )
+	} else if ( strcasecmp( arg, "both" ) == 0 ) {
 		authz_policy = SASL_AUTHZ_FROM | SASL_AUTHZ_TO;
-	else
+	} else {
 		rc = LDAP_OTHER;
+	}
 	return rc;
 }
 
@@ -299,8 +300,9 @@ static int slap_sasl_regexp( struct berval *in, struct berval *out )
 	   saslname, 0, 0 );
 #endif
 
-	if (( saslname == NULL ) || ( nSaslRegexp == 0 ))
+	if (( saslname == NULL ) || ( nSaslRegexp == 0 )) {
 		return( 0 );
+	}
 
 	/* Match the normalized SASL name to the saslregexp patterns */
 	for( reg = SaslRegexp,i=0;  i<nSaslRegexp;  i++,reg++ ) {
@@ -309,8 +311,7 @@ static int slap_sasl_regexp( struct berval *in, struct berval *out )
 			break;
 	}
 
-	if( i >= nSaslRegexp )
-		return( 0 );
+	if( i >= nSaslRegexp ) return( 0 );
 
 	/*
 	 * The match pattern may have been of the form "a(b.*)c(d.*)e" and the
@@ -487,9 +488,9 @@ static int sasl_sc_smatch( BackendDB *be, Connection *conn, Operation *o,
 	if (dn_match(sm->dn, &e->e_nname)) {
 		sm->match = 1;
 		return -1;	/* short-circuit the search */
-	} else {
-		return 1;
 	}
+
+	return 1;
 }
 
 /*
@@ -519,12 +520,12 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
 		assertDN->bv_val, rule->bv_val,0 );
 #else
 	Debug( LDAP_DEBUG_TRACE,
-	   "===>slap_sasl_match: comparing DN %s to rule %s\n", assertDN->bv_val, rule->bv_val, 0 );
+	   "===>slap_sasl_match: comparing DN %s to rule %s\n",
+		assertDN->bv_val, rule->bv_val, 0 );
 #endif
 
 	rc = slap_parseURI( rule, &searchbase, &scope, &filter );
-	if( rc != LDAP_SUCCESS )
-		goto CONCLUDED;
+	if( rc != LDAP_SUCCESS ) goto CONCLUDED;
 
 	/* Massive shortcut: search scope == base */
 	if( scope == LDAP_SCOPE_BASE ) {
@@ -534,10 +535,11 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
 			rc = regexec(&reg, assertDN->bv_val, 0, NULL, 0);
 			regfree( &reg );
 		}
-		if ( rc == 0 )
+		if ( rc == 0 ) {
 			rc = LDAP_SUCCESS;
-		else
+		} else {
 			rc = LDAP_INAPPROPRIATE_AUTH;
+		}
 		goto CONCLUDED;
 	}
 
@@ -576,14 +578,16 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
 	   scope, /*deref=*/1, /*sizelimit=*/0, /*time=*/0, filter, /*fstr=*/NULL,
 	   /*attrs=*/NULL, /*attrsonly=*/0 );
 
-	if (sm.match)
+	if (sm.match) {
 		rc = LDAP_SUCCESS;
-	else
+	} else {
 		rc = LDAP_INAPPROPRIATE_AUTH;
+	}
 
 CONCLUDED:
 	if( searchbase.bv_len ) ch_free( searchbase.bv_val );
 	if( filter ) filter_free( filter );
+
 #ifdef NEW_LOGGING
 	LDAP_LOG( TRANSPORT, ENTRY, 
 		"slap_sasl_match: comparison returned %d\n", rc, 0, 0 );
@@ -626,14 +630,12 @@ slap_sasl_check_authz( Connection *conn,
 
 	rc = backend_attribute( NULL, NULL, conn->c_sasl_bindop, NULL,
 		searchDN, ad, &vals );
-	if( rc != LDAP_SUCCESS )
-		goto COMPLETE;
+	if( rc != LDAP_SUCCESS ) goto COMPLETE;
 
 	/* Check if the *assertDN matches any **vals */
 	for( i=0; vals[i].bv_val != NULL; i++ ) {
 		rc = slap_sasl_match( conn, &vals[i], assertDN, authc );
-		if ( rc == LDAP_SUCCESS )
-			goto COMPLETE;
+		if ( rc == LDAP_SUCCESS ) goto COMPLETE;
 	}
 	rc = LDAP_INAPPROPRIATE_AUTH;