Commit 6d1a322f authored by Howard Chu's avatar Howard Chu
Browse files

Finished slap_sasl_setpass for Cyrus 1.5; Cyrus 2.1 is incomplete.

Added conn->c_sasl_dn, streamlined slap_sasl_bind.
parent ffe5b623
......@@ -602,17 +602,26 @@ slap_sasl_authorize(
"authcid=\"%s\" authzid=\"%s\"\n",
conn ? conn->c_connid : -1, auth_identity, requested_user );
#endif
if ( conn->c_sasl_dn.bv_val ) {
ch_free( conn->c_sasl_dn.bv_val );
conn->c_sasl_dn.bv_val = NULL;
conn->c_sasl_dn.bv_len = 0;
}
prop_getnames( props, slap_propnames, auxvals );
AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) );
/* Nothing to do if no authzID was given */
if ( !auxvals[1].name || !auxvals[1].values )
if ( !auxvals[1].name || !auxvals[1].values ) {
conn->c_sasl_dn = authcDN;
return SASL_OK;
}
AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) );
AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) );
rc = slap_sasl_authorized( &authcDN, &authzDN );
ch_free( authcDN.bv_val );
if ( rc != LDAP_SUCCESS ) {
#ifdef NEW_LOGGING
LDAP_LOG(( "sasl", LDAP_LEVEL_INFO,
......@@ -625,9 +634,12 @@ slap_sasl_authorize(
#endif
sasl_seterror( sconn, 0, "not authorized" );
ch_free( authzDN.bv_val );
return SASL_NOAUTHZ;
}
conn->c_sasl_sdn = authzDN;
#ifdef NEW_LOGGING
LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
"slap_sasl_authorize: conn %d authorization allowed\n",
......@@ -654,6 +666,11 @@ slap_sasl_authorize(
char *realm;
*user = NULL;
if ( conn->c_sasl_dn.bv_val ) {
ch_free( conn->c_sasl_dn.bv_val );
conn->c_sasl_dn.bv_val = NULL;
conn->c_sasl_dn.bv_len = 0;
}
#ifdef NEW_LOGGING
LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
......@@ -700,7 +717,7 @@ slap_sasl_authorize(
"Using authcDN=%s\n", (long) (conn ? conn->c_connid : -1), authcDN.bv_val,0 );
#endif
*user = authcDN.bv_val;
conn->c_sasl_dn = authcDN;
*errstr = NULL;
return SASL_OK;
}
......@@ -712,6 +729,7 @@ slap_sasl_authorize(
}
rc = slap_sasl_authorized( &authcDN, &authzDN );
ch_free( authcDN.bv_val );
if( rc ) {
#ifdef NEW_LOGGING
LDAP_LOG(( "sasl", LDAP_LEVEL_INFO,
......@@ -724,7 +742,6 @@ slap_sasl_authorize(
#endif
*errstr = "not authorized";
ch_free( authcDN.bv_val );
ch_free( authzDN.bv_val );
return SASL_NOAUTHZ;
}
......@@ -739,9 +756,7 @@ slap_sasl_authorize(
(long) (conn ? conn->c_connid : -1), 0, 0 );
#endif
ch_free( authcDN.bv_val );
*user = authzDN.bv_val;
conn->c_sasl_dn = authzDN;
*errstr = NULL;
return SASL_OK;
}
......@@ -1169,18 +1184,11 @@ int slap_sasl_bind(
response.bv_len = reslen;
if ( sc == SASL_OK ) {
#if SASL_VERSION_MAJOR >= 2
struct propctx *props = sasl_auxprop_getctx( ctx );
struct propval vals[3];
sasl_ssf_t *ssf = NULL;
prop_getnames( props, slap_propnames, vals );
AC_MEMCPY( edn, vals[0].values[0], sizeof(*edn) );
if ( vals[1].name && vals[1].values ) {
ch_free( edn->bv_val );
AC_MEMCPY( edn, vals[1].values[0], sizeof(*edn) );
}
*edn = conn->c_sasl_dn;
conn->c_sasl_dn.bv_val = NULL;
conn->c_sasl_dn.bv_len = 0;
rc = LDAP_SUCCESS;
......@@ -1196,46 +1204,6 @@ int slap_sasl_bind(
send_ldap_sasl( conn, op, rc,
NULL, NULL, NULL, NULL,
response.bv_len ? &response : NULL );
#else
char *username = NULL;
sc = sasl_getprop( ctx,
SASL_USERNAME, (SASL_CONST void **)&username );
if ( sc != SASL_OK ) {
#ifdef NEW_LOGGING
LDAP_LOG(( "sasl", LDAP_LEVEL_ERR,
"slap_sasl_bind: getprop(USERNAME) failed: %d\n", sc ));
#else
Debug(LDAP_DEBUG_TRACE,
"slap_sasl_bind: getprop(USERNAME) failed!\n",
0, 0, 0);
#endif
send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
NULL, "no SASL username", NULL, NULL );
} else {
sasl_ssf_t *ssf = NULL;
rc = LDAP_SUCCESS;
ber_str2bv( username, 0, 1, edn );
(void) sasl_getprop( ctx, SASL_SSF, (void *)&ssf );
*ssfp = ssf ? *ssf : 0;
if( *ssfp ) {
ldap_pvt_thread_mutex_lock( &conn->c_mutex );
conn->c_sasl_layers++;
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
}
send_ldap_sasl( conn, op, rc,
NULL, NULL, NULL, NULL,
response.bv_len ? &response : NULL );
}
#endif
} else if ( sc == SASL_CONTINUE ) {
send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS,
......@@ -1297,13 +1265,18 @@ slap_sasl_setpass(
int rc;
struct berval id = { 0, NULL }; /* needs to come from connection */
struct berval new = { 0, NULL };
struct berval old = { 0, NULL };
assert( reqoid != NULL );
assert( strcmp( LDAP_EXOP_MODIFY_PASSWD, reqoid ) == 0 );
if( id.bv_len == 0 ) {
*text = "not yet implemented";
rc = sasl_getprop( conn->c_sasl_context, SASL_USERNAME,
(SASL_CONST void **)&id.bv_val );
if( rc != SASL_OK ) {
*text = "unable to retrieve SASL username";
rc = LDAP_OTHER;
goto done;
}
#ifdef NEW_LOGGING
......@@ -1316,7 +1289,7 @@ slap_sasl_setpass(
#endif
rc = slap_passwd_parse( reqdata,
NULL, NULL, &new, text );
NULL, &old, &new, text );
if( rc != LDAP_SUCCESS ) {
goto done;
......@@ -1334,10 +1307,16 @@ slap_sasl_setpass(
*rspdata = slap_passwd_return( &new );
}
#if SASL_VERSION_MAJOR < 2
rc = sasl_setpass( conn->c_sasl_context,
id.bv_val, new.bv_val, new.bv_len, SASL_SET_CREATE,
text );
id.bv_val, new.bv_val, new.bv_len, 0, text );
#else
rc = sasl_setpass( conn->c_sasl_context, id.bv_val,
old.bv_val, old.bv_len, new.bv_val, new.bv_len, 0 );
if( rc != SASL_OK ) {
*text = sasl_errdetail( conn->c_sasl_context );
}
#endif
switch(rc) {
case SASL_OK:
rc = LDAP_SUCCESS;
......
......@@ -1549,6 +1549,7 @@ typedef struct slap_conn {
/* only can be changed by binding thread */
int c_sasl_bind_in_progress; /* multi-op bind in progress */
struct berval c_sasl_bind_mech; /* mech in progress */
struct berval c_sasl_dn; /* temporary storage */
struct berval c_cdn;
/* authorization backend */
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment