Add "sasl-external-x509dn-convert" configuration option aimed

at providing authid TLS/X.509 to LDAP DN mapping. Experimental.
2026-01-04 14:10:39 -05:00 · 2001-01-19 00:47:32 +00:00 · 2001-01-19 00:47:32 +00:00 · 28d1dbd8ac
commit 28d1dbd8ac
parent 1302713f09
3 changed files with 36 additions and 10 deletions
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@ -46,6 +46,7 @@ char   *slapd_args_file = NULL;

 int nSaslRegexp = 0;
 SaslRegexp_t *SaslRegexp = NULL;
+int sasl_external_x509dn_convert;

 static char	*fp_getline(FILE *fp, int *lineno);
 static void	fp_getline_init(int *lineno);
@ -550,6 +551,9 @@ read_config( const char *fname )
 				return 1;
 			}

+		} else if ( strcasecmp( cargv[0], "sasl-external-x509dn-convert" ) == 0 ) {
+			sasl_external_x509dn_convert++;
+
 		/* set UCDATA path */
 		} else if ( strcasecmp( cargv[0], "ucdata-path" ) == 0 ) {
 			int err;
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@ -811,6 +811,7 @@ LDAP_SLAPD_F (int)		global_idletimeout;
 LDAP_SLAPD_F (int)		global_schemacheck;
 LDAP_SLAPD_F (char)		*global_host;
 LDAP_SLAPD_F (char)		*global_realm;
+LDAP_SLAPD_F (int)		sasl_external_x509dn_convert;
 LDAP_SLAPD_F (char)		*default_passwd_hash;
 LDAP_SLAPD_F (int)		lber_debug;
 LDAP_SLAPD_F (int)		ldap_syslog;
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@ -27,7 +27,6 @@

 static sasl_security_properties_t sasl_secprops;

-
 static int
 slap_sasl_log(
 	void *context,
@ -107,21 +106,43 @@ int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags )
 		return( LDAP_SUCCESS );
 	}
 	ctx = conn->c_sasl_context;
-	dn = ch_strdup( id );
 	len = strlen( id );

-	/* An authcID will need to be prefixed with u: */
+	/* An authcID needs to be converted to authzID form */
 	if( flags & FLAG_GETDN_AUTHCID ) {
-		dn = ch_realloc( dn, len+3 );
-		memmove( dn+2, dn, len+1 );
-		dn[0] = 'u';
-		dn[1] = ':';
-		len += 2;
+		if( sasl_external_x509dn_convert && conn->c_sasl_bind_mech
+			&& ( strcasecmp( LDAP_SASL_EXTERNAL, conn->c_sasl_bind_mech ) == 0 ) 
+			&& len && dn[0] == '/' and dn[len-1]== '/' )
+		{
+			/* check SASL external for X.509 style DN and */
+			/* convert to dn:<dn> form */
+			char *tmpdn = ldap_dcedn2dn( id );
+			len = strlen( tmpdn );
+
+			dn = ch_malloc( dn, len+4 );
+			dn[0] = 'd';
+			dn[1] = 'n';
+			dn[2] = ':';
+			memmove( &dn[3], tmpdn, len+1 );
+			len += 3;
+
+		} else {
+			/* convert to u:<username> form */
+			dn = ch_malloc( dn, len+3 );
+			dn[0] = 'u';
+			dn[1] = ':';
+			memmove( &dn[2], id, len+1 );
+			len += 2;
+		}
+	} else {
+		dn = ch_strdup( id );
 	}

 	/* An authzID must be properly prefixed */
-	if( flags & FLAG_GETDN_AUTHZID && strncasecmp( dn, "u:", 2 ) &&
-	  strncasecmp( dn, "dn:", 3 ) ) {
+	if( flags & FLAG_GETDN_AUTHZID
+		&& strncasecmp( dn, "u:", 2 )
+		&& strncasecmp( dn, "dn:", 3 ) )
+	{
 		ch_free( dn );
 		*dnptr = NULL;
 		return( LDAP_INAPPROPRIATE_AUTH );