Commit f224e695 authored by Kurt Zeilenga's avatar Kurt Zeilenga
Browse files

Add experimental code to check simple bind passwords

against Cyrus SASLdb.  Like other cleartext mechanisms,
should be protected from eavesdropping.
parent b9e7d777
This diff is collapsed.
......@@ -135,6 +135,8 @@ OL_ARG_ENABLE(slapd,[ --enable-slapd enable building slapd], yes)dnl
OL_ARG_ENABLE(cleartext,[ --enable-cleartext enable cleartext passwords], yes)dnl
OL_ARG_ENABLE(crypt,[ --enable-crypt enable crypt(3) passwords], auto)dnl
OL_ARG_ENABLE(kpasswd,[ --enable-kpasswd enable kerberos password verification], no)dnl
OL_ARG_ENABLE(spasswd,[ --enable-spasswd enable (Cyrus) SASL password verification], no)dnl
OL_ARG_ENABLE(modules,[ --enable-modules enable dynamic module support], no)dnl
OL_ARG_ENABLE(modules,[ --enable-modules enable dynamic module support], no)dnl
OL_ARG_ENABLE(multimaster,[ --enable-multimaster enable multimaster replication], no)dnl
OL_ARG_ENABLE(phonetic,[ --enable-phonetic enable phonetic/soundex], no)dnl
......@@ -401,6 +403,13 @@ elif test $ol_enable_kbind = no -o $ol_enable_kpasswd = no ; then
fi
fi
if test $ol_enable_spasswd = yes ; then
if test $ol_with_cyrus_sasl = no ; then
AC_MSG_ERROR([options require --with-cyrus-sasl])
fi
ol_with_cyrus_sasl=yes
fi
AC_MSG_RESULT(done)
dnl ----------------------------------------------------------------
......@@ -2208,6 +2217,9 @@ fi
if test "$ol_link_kpasswd" != no ; then
AC_DEFINE(SLAPD_KPASSWD,1,[define to support Kerberos passwords])
fi
if test "$ol_link_spasswd" != no ; then
AC_DEFINE(SLAPD_SPASSWD,1,[define to support SASL passwords])
fi
if test "$ol_enable_multimaster" != no ; then
AC_DEFINE(SLAPD_MULTIMASTER,1,[define to support multimaster replication])
fi
......
......@@ -71,6 +71,11 @@ lutil_authpasswd_hash LDAP_P((
struct berval **salt, /* salt to store */
const char *method ));
#if defined( SLAPD_SPASSWD ) && defined( HAVE_CYRUS_SASL )
/* cheat to avoid pulling in <sasl.h> */
LIBLUTIL_F( struct sasl_conn * ) lutil_passwd_sasl_conn;
#endif
LIBLUTIL_F( int )
lutil_passwd LDAP_P((
const struct berval *passwd, /* stored password */
......
......@@ -874,6 +874,9 @@
/* define to support Kerberos passwords */
#undef SLAPD_KPASSWD
/* define to support SASL passwords */
#undef SLAPD_SPASSWD
/* define to support multimaster replication */
#undef SLAPD_MULTIMASTER
......
......@@ -22,6 +22,10 @@
#include <ac/stdlib.h>
#include <ac/string.h>
#ifdef SLAPD_SPASSWD
# include <sasl.h>
#endif
#ifdef SLAPD_KPASSWD
# include <ac/krb.h>
# include <ac/krb5.h>
......@@ -86,10 +90,19 @@ static int chk_sha1(
const struct berval *passwd,
const struct berval *cred );
#ifdef SLAPD_SPASSWD
static int chk_sasl(
const struct pw_scheme *scheme,
const struct berval *passwd,
const struct berval *cred );
#endif
#ifdef SLAPD_KPASSWD
static int chk_kerberos(
const struct pw_scheme *scheme,
const struct berval *passwd,
const struct berval *cred );
#endif
static int chk_crypt(
const struct pw_scheme *scheme,
......@@ -132,6 +145,10 @@ static const struct pw_scheme pw_schemes[] =
{ {sizeof("{SMD5}")-1, "{SMD5}"}, chk_smd5, hash_smd5 },
{ {sizeof("{MD5}")-1, "{MD5}"}, chk_md5, hash_md5 },
#ifdef SLAPD_SPASSWD
{ {sizeof("{SASL}")-1, "{SASL}"}, chk_sasl, NULL },
#endif
#ifdef SLAPD_KPASSWD
{ {sizeof("{KERBEROS}")-1, "{KERBEROS}"}, chk_kerberos, NULL },
#endif
......@@ -542,6 +559,59 @@ static int chk_md5(
return rc ? 1 : 0;
}
#ifdef SLAPD_SPASSWD
#ifdef HAVE_CYRUS_SASL
sasl_conn_t *lutil_passwd_sasl_conn = NULL;
#endif
static int chk_sasl(
const struct pw_scheme *sc,
const struct berval * passwd,
const struct berval * cred )
{
int i;
int rtn;
for( i=0; i<cred->bv_len; i++) {
if(cred->bv_val[i] == '\0') {
return 1; /* NUL character in password */
}
}
if( cred->bv_val[i] != '\0' ) {
return 1; /* cred must behave like a string */
}
for( i=0; i<passwd->bv_len; i++) {
if(passwd->bv_val[i] == '\0') {
return 1; /* NUL character in password */
}
}
if( passwd->bv_val[i] != '\0' ) {
return 1; /* passwd must behave like a string */
}
rtn = 1;
#ifdef HAVE_CYRUS_SASL
if( lutil_passwd_sasl_conn != NULL ) {
const char *errstr = NULL;
int sc;
sc = sasl_checkpass( lutil_passwd_sasl_conn,
passwd->bv_val, passwd->bv_len,
cred->bv_val, cred->bv_len,
&errstr );
rtn = ( sc != SASL_OK );
}
#endif
return rtn;
}
#endif
#ifdef SLAPD_KPASSWD
static int chk_kerberos(
const struct pw_scheme *sc,
......
......@@ -19,6 +19,11 @@ char **supportedSASLMechanisms = NULL;
char *sasl_host = NULL;
#ifdef HAVE_CYRUS_SASL
#ifdef SLAPD_SPASSWD
#include <lutil.h>
#endif
static void *slap_sasl_mutex_new(void)
{
ldap_pvt_thread_mutex_t *mutex;
......@@ -158,13 +163,21 @@ int sasl_init( void )
mechs, 0, 0 );
supportedSASLMechanisms = str2charray( mechs, "," );
#ifdef SLAPD_SPASSWD
lutil_passwd_sasl_conn = server;
#else
sasl_dispose( &server );
#endif
return 0;
}
int sasl_destroy( void )
{
#ifdef SLAPD_SPASSWD
sasl_dispose( &lutil_passwd_sasl_conn );
#endif
charray_free( supportedSASLMechanisms );
return 0;
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment