Commit cc78fb52 authored by Pierangelo Masarati's avatar Pierangelo Masarati

ITS#3419: values in built auth DNs may need DN escaping, so build them via ldap_dn2bv

parent 810abc14
......@@ -8,6 +8,8 @@ slapauth \- Check a list of string-represented IDs for authc/authz.
.B [\-v]
.B [\-d level]
.B [\-f slapd.conf]
.B [\-M mech]
.B [\-R realm]
.B [\-U authcID]
.B [\-X authzID]
.B ID [...]
......@@ -42,6 +44,12 @@ specify an alternative
.BR slapd.conf (5)
file.
.TP
.BI \-M " mech"
specify a mechanism.
.TP
.BI \-R " realm"
specify a realm.
.TP
.BI \-U " authcID"
specify an ID to be used as
.I authcID
......
......@@ -1600,44 +1600,63 @@ int slap_sasl_getdn( Connection *conn, Operation *op, struct berval *id,
/* Username strings */
if( is_dn == SET_U ) {
char *p;
struct berval realm = BER_BVNULL, c1 = *dn;
ber_len_t len;
len = dn->bv_len + STRLENOF( "uid=" ) + STRLENOF( ",cn=auth" );
if( user_realm && *user_realm ) {
ber_str2bv( user_realm, 0, 0, &realm );
len += realm.bv_len + STRLENOF( ",cn=" );
/* ITS#3419: values may need escape */
LDAPRDN DN[ 5 ];
LDAPAVA *RDNs[ 4 ][ 2 ];
LDAPAVA AVAs[ 4 ];
int irdn;
irdn = 0;
DN[ irdn ] = RDNs[ irdn ];
RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
BER_BVSTR( &AVAs[ irdn ].la_attr, "uid" );
AVAs[ irdn ].la_value = *dn;
AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
AVAs[ irdn ].la_private = NULL;
RDNs[ irdn ][ 1 ] = NULL;
if ( user_realm && *user_realm ) {
irdn++;
DN[ irdn ] = RDNs[ irdn ];
RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
BER_BVSTR( &AVAs[ irdn ].la_attr, "cn" );
ber_str2bv( user_realm, 0, 0, &AVAs[ irdn ].la_value );
AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
AVAs[ irdn ].la_private = NULL;
RDNs[ irdn ][ 1 ] = NULL;
}
if( mech->bv_len ) {
len += mech->bv_len + STRLENOF( ",cn=" );
if ( !BER_BVISNULL( mech ) ) {
irdn++;
DN[ irdn ] = RDNs[ irdn ];
RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
BER_BVSTR( &AVAs[ irdn ].la_attr, "cn" );
AVAs[ irdn ].la_value = *mech;
AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
AVAs[ irdn ].la_private = NULL;
RDNs[ irdn ][ 1 ] = NULL;
}
/* Build the new dn */
dn->bv_val = slap_sl_malloc( len + 1, op->o_tmpmemctx );
if( dn->bv_val == NULL ) {
Debug( LDAP_DEBUG_ANY,
"slap_sasl_getdn: SLAP_MALLOC failed", 0, 0, 0 );
return LDAP_OTHER;
}
p = lutil_strcopy( dn->bv_val, "uid=" );
p = lutil_strncopy( p, c1.bv_val, c1.bv_len );
irdn++;
DN[ irdn ] = RDNs[ irdn ];
RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
BER_BVSTR( &AVAs[ irdn ].la_attr, "cn" );
BER_BVSTR( &AVAs[ irdn ].la_value, "auth" );
AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
AVAs[ irdn ].la_private = NULL;
RDNs[ irdn ][ 1 ] = NULL;
if( realm.bv_len ) {
p = lutil_strcopy( p, ",cn=" );
p = lutil_strncopy( p, realm.bv_val, realm.bv_len );
}
irdn++;
DN[ irdn ] = NULL;
if( mech->bv_len ) {
p = lutil_strcopy( p, ",cn=" );
p = lutil_strcopy( p, mech->bv_val );
rc = ldap_dn2bv_x( DN, dn, LDAP_DN_FORMAT_LDAPV3, op->o_tmpmemctx );
if ( rc != LDAP_SUCCESS ) {
BER_BVZERO( dn );
return rc;
}
p = lutil_strcopy( p, ",cn=auth" );
dn->bv_len = p - dn->bv_val;
Debug( LDAP_DEBUG_TRACE, "slap_sasl_getdn: u:id converted to %s\n", dn->bv_val,0,0 );
} else {
/* Dup the DN in any case, so we don't risk
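Review bot: The guard on the mechanism RDN changed meaning: the removed code emitted `cn=<mech>` only when `mech->bv_len` was non-zero, while the new `if ( !BER_BVISNULL( mech ) )` only tests for a NULL `bv_val`, so a non-NULL, zero-length mechanism now appends an empty `cn=` RDN to the built auth DN (slapauth's `-M ""` produces exactly such a value via `ber_str2bv( optarg, 0, 0, &mech )` in the slapcommon.c hunk). The resulting `uid=...,cn=,cn=auth` presumably no longer matches whatever authz-regexp or ACL patterns were written for the old shape, so I would restore the length test as well: `if ( !BER_BVISNULL( mech ) && !BER_BVISEMPTY( mech ) ) {`. Separately, the new `ldap_dn2bv_x` failure path returns `rc` silently where the removed allocation path logged at `LDAP_DEBUG_ANY`; adding `Debug( LDAP_DEBUG_ANY, "slap_sasl_getdn: ldap_dn2bv_x failed (%d)\n", rc, 0, 0 );` before the `return rc;` keeps that diagnostic. slap_sasl_getdn begins before this hunk and continues after it.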
......
......@@ -40,7 +40,7 @@ do_check( Connection *c, Operation *op, struct berval *id )
struct berval authcdn;
int rc;
rc = slap_sasl_getdn( c, op, id, NULL, &authcdn, SLAP_GETDN_AUTHCID );
rc = slap_sasl_getdn( c, op, id, realm, &authcdn, SLAP_GETDN_AUTHCID );
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr, "ID: <%s> check failed %d (%s)\n",
id->bv_val, rc,
......@@ -91,6 +91,8 @@ slapauth( int argc, char **argv )
op = (Operation *)opbuf;
connection_fake_init( &conn, op, &conn );
conn.c_sasl_bind_mech = mech;
if ( !BER_BVISNULL( &authzID ) ) {
struct berval authzdn;
......
......@@ -72,7 +72,7 @@ usage( int tool, const char *progname )
break;
case SLAPAUTH:
options = "\t[-U authcID] [-X authzID] ID [...]\n";
options = "\t[-U authcID] [-X authzID] [-R realm] [-M mech] ID [...]\n";
break;
case SLAPACL:
......@@ -138,7 +138,7 @@ slap_tool_init(
break;
case SLAPAUTH:
options = "d:f:U:vX:";
options = "d:f:M:R:U:vX:";
mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
break;
......@@ -217,6 +217,10 @@ slap_tool_init(
retrieve_ctxcsn = 1;
break;
case 'M':
ber_str2bv( optarg, 0, 0, &mech );
break;
case 'n': /* which config file db to index */
dbnum = atoi( optarg ) - 1;
break;
......@@ -229,6 +233,10 @@ slap_tool_init(
replica_demotion = 1;
break;
case 'R':
realm = optarg;
break;
case 's': /* dump subtree */
subtree = strdup( optarg );
break;
......
......@@ -57,6 +57,8 @@ typedef struct tool_vars {
struct berval tv_baseDN;
struct berval tv_authcID;
struct berval tv_authzID;
struct berval tv_mech;
char *tv_realm;
} tool_vars;
extern tool_vars tool_globals;
......@@ -81,6 +83,8 @@ extern tool_vars tool_globals;
#define baseDN tool_globals.tv_baseDN
#define authcID tool_globals.tv_authcID
#define authzID tool_globals.tv_authzID
#define mech tool_globals.tv_mech
#define realm tool_globals.tv_realm
void slap_tool_init LDAP_P((
const char* name,
......