Commit 994dad7c authored by Kurt Zeilenga's avatar Kurt Zeilenga
Browse files

SASL/EXTERNAL fixes and cleanup

parent 28f25cc3
...@@ -838,8 +838,12 @@ slap_sasl_canonicalize( ...@@ -838,8 +838,12 @@ slap_sasl_canonicalize(
* the authcID temporarily in conn->c_sasl_dn. We necessarily * the authcID temporarily in conn->c_sasl_dn. We necessarily
* finish Canonicalizing before Authorizing, so there is no * finish Canonicalizing before Authorizing, so there is no
* conflict with slap_sasl_authorize's use of this temp var. * conflict with slap_sasl_authorize's use of this temp var.
*
* The SASL EXTERNAL mech is backwards from all the other mechs,
* it does authzID before the authcID. If we see that authzID
* has already been done, don't do anything special with authcID.
*/ */
if ( flags == SASL_CU_AUTHID ) { if ( flags == SASL_CU_AUTHID && !auxvals[PROP_AUTHZ].values ) {
conn->c_sasl_dn.bv_val = (char *) in; conn->c_sasl_dn.bv_val = (char *) in;
} else if ( flags == SASL_CU_AUTHZID && conn->c_sasl_dn.bv_val ) { } else if ( flags == SASL_CU_AUTHZID && conn->c_sasl_dn.bv_val ) {
rc = strcmp( in, conn->c_sasl_dn.bv_val ); rc = strcmp( in, conn->c_sasl_dn.bv_val );
......
...@@ -58,16 +58,17 @@ int slap_sasl_setpolicy( const char *arg ) ...@@ -58,16 +58,17 @@ int slap_sasl_setpolicy( const char *arg )
{ {
int rc = LDAP_SUCCESS; int rc = LDAP_SUCCESS;
if ( strcasecmp( arg, "none" ) == 0 ) if ( strcasecmp( arg, "none" ) == 0 ) {
authz_policy = SASL_AUTHZ_NONE; authz_policy = SASL_AUTHZ_NONE;
else if ( strcasecmp( arg, "from" ) == 0 ) } else if ( strcasecmp( arg, "from" ) == 0 ) {
authz_policy = SASL_AUTHZ_FROM; authz_policy = SASL_AUTHZ_FROM;
else if ( strcasecmp( arg, "to" ) == 0 ) } else if ( strcasecmp( arg, "to" ) == 0 ) {
authz_policy = SASL_AUTHZ_TO; authz_policy = SASL_AUTHZ_TO;
else if ( strcasecmp( arg, "both" ) == 0 ) } else if ( strcasecmp( arg, "both" ) == 0 ) {
authz_policy = SASL_AUTHZ_FROM | SASL_AUTHZ_TO; authz_policy = SASL_AUTHZ_FROM | SASL_AUTHZ_TO;
else } else {
rc = LDAP_OTHER; rc = LDAP_OTHER;
}
return rc; return rc;
} }
...@@ -299,8 +300,9 @@ static int slap_sasl_regexp( struct berval *in, struct berval *out ) ...@@ -299,8 +300,9 @@ static int slap_sasl_regexp( struct berval *in, struct berval *out )
saslname, 0, 0 ); saslname, 0, 0 );
#endif #endif
if (( saslname == NULL ) || ( nSaslRegexp == 0 )) if (( saslname == NULL ) || ( nSaslRegexp == 0 )) {
return( 0 ); return( 0 );
}
/* Match the normalized SASL name to the saslregexp patterns */ /* Match the normalized SASL name to the saslregexp patterns */
for( reg = SaslRegexp,i=0; i<nSaslRegexp; i++,reg++ ) { for( reg = SaslRegexp,i=0; i<nSaslRegexp; i++,reg++ ) {
...@@ -309,8 +311,7 @@ static int slap_sasl_regexp( struct berval *in, struct berval *out ) ...@@ -309,8 +311,7 @@ static int slap_sasl_regexp( struct berval *in, struct berval *out )
break; break;
} }
if( i >= nSaslRegexp ) if( i >= nSaslRegexp ) return( 0 );
return( 0 );
/* /*
* The match pattern may have been of the form "a(b.*)c(d.*)e" and the * The match pattern may have been of the form "a(b.*)c(d.*)e" and the
...@@ -487,9 +488,9 @@ static int sasl_sc_smatch( BackendDB *be, Connection *conn, Operation *o, ...@@ -487,9 +488,9 @@ static int sasl_sc_smatch( BackendDB *be, Connection *conn, Operation *o,
if (dn_match(sm->dn, &e->e_nname)) { if (dn_match(sm->dn, &e->e_nname)) {
sm->match = 1; sm->match = 1;
return -1; /* short-circuit the search */ return -1; /* short-circuit the search */
} else {
return 1;
} }
return 1;
} }
/* /*
...@@ -519,12 +520,12 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert ...@@ -519,12 +520,12 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
assertDN->bv_val, rule->bv_val,0 ); assertDN->bv_val, rule->bv_val,0 );
#else #else
Debug( LDAP_DEBUG_TRACE, Debug( LDAP_DEBUG_TRACE,
"===>slap_sasl_match: comparing DN %s to rule %s\n", assertDN->bv_val, rule->bv_val, 0 ); "===>slap_sasl_match: comparing DN %s to rule %s\n",
assertDN->bv_val, rule->bv_val, 0 );
#endif #endif
rc = slap_parseURI( rule, &searchbase, &scope, &filter ); rc = slap_parseURI( rule, &searchbase, &scope, &filter );
if( rc != LDAP_SUCCESS ) if( rc != LDAP_SUCCESS ) goto CONCLUDED;
goto CONCLUDED;
/* Massive shortcut: search scope == base */ /* Massive shortcut: search scope == base */
if( scope == LDAP_SCOPE_BASE ) { if( scope == LDAP_SCOPE_BASE ) {
...@@ -534,10 +535,11 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert ...@@ -534,10 +535,11 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
rc = regexec(&reg, assertDN->bv_val, 0, NULL, 0); rc = regexec(&reg, assertDN->bv_val, 0, NULL, 0);
regfree( &reg ); regfree( &reg );
} }
if ( rc == 0 ) if ( rc == 0 ) {
rc = LDAP_SUCCESS; rc = LDAP_SUCCESS;
else } else {
rc = LDAP_INAPPROPRIATE_AUTH; rc = LDAP_INAPPROPRIATE_AUTH;
}
goto CONCLUDED; goto CONCLUDED;
} }
...@@ -576,14 +578,16 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert ...@@ -576,14 +578,16 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
scope, /*deref=*/1, /*sizelimit=*/0, /*time=*/0, filter, /*fstr=*/NULL, scope, /*deref=*/1, /*sizelimit=*/0, /*time=*/0, filter, /*fstr=*/NULL,
/*attrs=*/NULL, /*attrsonly=*/0 ); /*attrs=*/NULL, /*attrsonly=*/0 );
if (sm.match) if (sm.match) {
rc = LDAP_SUCCESS; rc = LDAP_SUCCESS;
else } else {
rc = LDAP_INAPPROPRIATE_AUTH; rc = LDAP_INAPPROPRIATE_AUTH;
}
CONCLUDED: CONCLUDED:
if( searchbase.bv_len ) ch_free( searchbase.bv_val ); if( searchbase.bv_len ) ch_free( searchbase.bv_val );
if( filter ) filter_free( filter ); if( filter ) filter_free( filter );
#ifdef NEW_LOGGING #ifdef NEW_LOGGING
LDAP_LOG( TRANSPORT, ENTRY, LDAP_LOG( TRANSPORT, ENTRY,
"slap_sasl_match: comparison returned %d\n", rc, 0, 0 ); "slap_sasl_match: comparison returned %d\n", rc, 0, 0 );
...@@ -626,14 +630,12 @@ slap_sasl_check_authz( Connection *conn, ...@@ -626,14 +630,12 @@ slap_sasl_check_authz( Connection *conn,
rc = backend_attribute( NULL, NULL, conn->c_sasl_bindop, NULL, rc = backend_attribute( NULL, NULL, conn->c_sasl_bindop, NULL,
searchDN, ad, &vals ); searchDN, ad, &vals );
if( rc != LDAP_SUCCESS ) if( rc != LDAP_SUCCESS ) goto COMPLETE;
goto COMPLETE;
/* Check if the *assertDN matches any **vals */ /* Check if the *assertDN matches any **vals */
for( i=0; vals[i].bv_val != NULL; i++ ) { for( i=0; vals[i].bv_val != NULL; i++ ) {
rc = slap_sasl_match( conn, &vals[i], assertDN, authc ); rc = slap_sasl_match( conn, &vals[i], assertDN, authc );
if ( rc == LDAP_SUCCESS ) if ( rc == LDAP_SUCCESS ) goto COMPLETE;
goto COMPLETE;
} }
rc = LDAP_INAPPROPRIATE_AUTH; rc = LDAP_INAPPROPRIATE_AUTH;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment