rework SASL callbacks

libraries/libldap/cyrus.c

@@ -34,7 +34,7 @@ int ldap_int_sasl_init( void )
 	/* XXX not threadsafe */
 	static int sasl_initialized = 0;
 
-	static sasl_callback_t client_callbacks[] = {
+	sasl_callback_t client_callbacks[] = {
 #ifdef SASL_CB_GETREALM
 		{ SASL_CB_GETREALM, NULL, NULL },
 #endif
@@ -380,6 +380,19 @@ ldap_int_sasl_open(
 {
 	int rc;
 	sasl_conn_t *ctx;
+
+	sasl_callback_t session_callbacks[] = {
+#ifdef SASL_CB_GETREALM
+		{ SASL_CB_GETREALM, NULL, NULL },
+#endif
+		{ SASL_CB_USER, NULL, NULL },
+		{ SASL_CB_AUTHNAME, NULL, NULL },
+		{ SASL_CB_PASS, NULL, NULL },
+		{ SASL_CB_ECHOPROMPT, NULL, NULL },
+		{ SASL_CB_NOECHOPROMPT, NULL, NULL },
+		{ SASL_CB_LIST_END, NULL, NULL }
+	};
+
 	assert( lc->lconn_sasl_ctx == NULL );
 
 	if ( host == NULL ) {
@@ -388,7 +401,7 @@ ldap_int_sasl_open(
 	}
 
 	rc = sasl_client_new( "ldap", host,
-		NULL,
+		session_callbacks,
 #ifdef LDAP_SASL_SECURITY_LAYER
 		SASL_SECURITY_LAYER,
 #else

servers/slapd/sasl.c

@@ -67,6 +67,35 @@ sasl_cb_log(
 	return SASL_OK;
 }
 
+static int
+slap_sasl_proxy_policy(
+	void *context,
+	const char *authcid,
+	const char *authzid,
+	const char **user,
+	const char **errstr)
+{
+	char *canon = NULL;
+
+	if ( !authcid || *authcid ) {
+		*errstr = "empty authentication identity";
+		return SASL_BADAUTH;
+	}
+
+	if ( !authzid || *authzid ) {
+		size_t len = sizeof("u:") + strlen( authcid );
+		canon = ch_malloc( len );
+		strcpy( canon, "u:" );
+		strcpy( &canon[sizeof("u:")-1], authcid );
+
+		*user = canon;
+		return SASL_OK;
+	}
+
+	*errstr = "no proxy policy";
+    return SASL_BADAUTH;
+}
+
 
 static int
 slap_sasl_err2ldap( int saslerr )
@@ -186,6 +215,7 @@ int slap_sasl_open( Connection *conn )
 	sasl_conn_t *ctx = NULL;
 	sasl_callback_t session_callbacks[] = {
 		{ SASL_CB_LOG, &sasl_cb_log, conn },
+		{ SASL_CB_PROXY_POLICY, &slap_sasl_proxy_policy, conn },
 		{ SASL_CB_LIST_END, NULL, NULL }
 	};