bind/sasl cleanup PRIOR TO moving call from backend to frontend

servers/slapd/bind.c

@@ -54,9 +54,8 @@ do_bind(
 
 	ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 
-	/* Force to connection to "anonymous" until bind succeeds.
-	 * This may need to be relocated or done on a case by case basis
-	 * to handle certain SASL mechanisms.
+	/*
+	 * Force to connection to "anonymous" until bind succeeds.
 	 */
 
 	if ( conn->c_cdn != NULL ) {
@@ -69,6 +68,7 @@ do_bind(
 		conn->c_dn = NULL;
 	}
 
+	conn->c_authc_backend = NULL;
 	conn->c_authz_backend = NULL;
 
 	ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
@@ -172,16 +172,23 @@ do_bind(
 		Debug( LDAP_DEBUG_ANY, "do_bind: unknown version=%ld\n",
 			(unsigned long) version, 0, 0 );
 		send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR,
-			NULL, "version not supported", NULL, NULL );
+			NULL, "requested protocol version not supported", NULL, NULL );
 		goto cleanup;
 	}
 
+	/* we set connection version regardless of whether bind succeeds
+	 * or not.
+	 */
+	ldap_pvt_thread_mutex_lock( &conn->c_mutex );
+	conn->c_protocol = version;
+	ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
+
 	if ( method == LDAP_AUTH_SASL ) {
 		if ( version < LDAP_VERSION3 ) {
 			Debug( LDAP_DEBUG_ANY, "do_bind: sasl with LDAPv%ld\n",
 				(unsigned long) version, 0, 0 );
 			send_ldap_disconnect( conn, op,
-				LDAP_PROTOCOL_ERROR, "sasl bind requires LDAPv3" );
+				LDAP_PROTOCOL_ERROR, "SASL bind requires LDAPv3" );
 			rc = SLAPD_DISCONNECT;
 			goto cleanup;
 		}
@@ -190,8 +197,8 @@ do_bind(
 			Debug( LDAP_DEBUG_ANY,
 				"do_bind: no sasl mechanism provided\n",
 				0, 0, 0 );
-			send_ldap_result( conn, op, rc = LDAP_AUTH_METHOD_NOT_SUPPORTED,
-				NULL, "no sasl mechanism provided", NULL, NULL );
+			send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR,
+				NULL, "no SASL mechanism provided", NULL, NULL );
 			goto cleanup;
 		}
 
@@ -200,7 +207,7 @@ do_bind(
 				"do_bind: sasl mechanism=\"%s\" not supported.\n",
 				mech, 0, 0 );
 			send_ldap_result( conn, op, rc = LDAP_AUTH_METHOD_NOT_SUPPORTED,
-				NULL, "sasl mechanism not supported", NULL, NULL );
+				NULL, "SASL mechanism not supported", NULL, NULL );
 			goto cleanup;
 		}
 
@@ -227,7 +234,10 @@ do_bind(
 			assert( conn->c_authstate == NULL );
 #endif
 		}
+		ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
+
 	} else {
+		/* Not SASL, cancel any in-progress bind */
 		ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 
 		if ( conn->c_authmech != NULL ) {
@@ -240,22 +250,24 @@ do_bind(
 				free(conn->c_authstate);
 				conn->c_authstate = NULL;
 			}
+
 			free(conn->c_authmech);
 			conn->c_authmech = NULL;
 		}
+
+		ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 	}
 
-	conn->c_protocol = version;
-	ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
-
-	/* accept null binds */
-	if ( ndn == NULL || *ndn == '\0' ) {
+	/* accept "anonymous" binds */
+	if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) {
 		/*
-		 * we already forced connection to "anonymous", we just
-		 * need to send success
+		 * we already forced connection to "anonymous",
+		 * just need to send success
 		 */
 		send_ldap_result( conn, op, LDAP_SUCCESS,
 			NULL, NULL, NULL, NULL );
+		Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n",
+	   		version, 0, 0 );
 		goto cleanup;
 	}
 
@@ -266,11 +278,7 @@ do_bind(
 	 */
 
 	if ( (be = select_backend( ndn )) == NULL ) {
-		if ( cred.bv_len == 0 ) {
-			send_ldap_result( conn, op, LDAP_SUCCESS,
-				NULL, NULL, NULL, NULL );
-
-		} else if ( default_referral ) {
+		if ( default_referral ) {
 			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
 				NULL, NULL, default_referral, NULL );
 
@@ -306,10 +314,6 @@ do_bind(
 			method, mech, &cred, &edn );
 
 		if ( ret == 0 ) {
-#ifdef HAVE_CYRUS_SASL
-			int ssf = 0;
-#endif
-
 			ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 
 			conn->c_cdn = dn;
@@ -322,8 +326,8 @@ do_bind(
 				ndn = NULL;
 			}
 
-			Debug( LDAP_DEBUG_TRACE, "do_bind: bound \"%s\" to \"%s\"\n",
-	    		conn->c_cdn, conn->c_dn, method );
+			Debug( LDAP_DEBUG_TRACE, "do_bind: v%d bind: \"%s\" to \"%s\"\n",
+	    		version, conn->c_cdn, conn->c_dn, );
 
 			ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 
@@ -331,21 +335,13 @@ do_bind(
 			send_ldap_result( conn, op, LDAP_SUCCESS,
 				NULL, NULL, NULL, NULL );
 
-#ifdef HAVE_CYRUS_SASL
-			if ( conn->c_sasl_context != NULL && 
-				sasl_getprop( conn->c_sasl_context, SASL_SSF, (void **)&ssf )
-					== SASL_OK && ssf ) {
-				/* Enable encode/decode */
-				ldap_pvt_sasl_install( conn->c_sb, conn->c_sasl_context );
-			}
-#endif
 		} else if (edn != NULL) {
 			free( edn );
 		}
 
 	} else {
 		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
-			NULL, "Function not implemented", NULL, NULL );
+			NULL, "bind function not implemented", NULL, NULL );
 	}
 
 cleanup:

servers/slapd/sasl.c

@@ -162,7 +162,8 @@ int sasl_bind(
 		callbacks[cbnum].id = SASL_CB_LIST_END;
 		callbacks[cbnum].proc = NULL;
 		callbacks[cbnum].context = NULL;
-	
+
+		/* create new SASL context */
 		if ( sasl_server_new( "ldap", NULL, be->be_realm,
 			callbacks, SASL_SECURITY_LAYER, &conn->c_sasl_context ) != SASL_OK ) {
 			send_ldap_result( conn, op, LDAP_AUTH_METHOD_NOT_SUPPORTED,
@@ -185,6 +186,7 @@ int sasl_bind(
 				NULL, errstr, NULL, NULL );
 		}
 	}
+
 	if ( sc == SASL_OK ) {
 		char *authzid;
 
@@ -199,7 +201,7 @@ int sasl_bind(
 			if ( strcasecmp( authzid, "anonymous" ) == 0 ) {
 				*edn = ch_strdup( "" );
 			} else {
-				*edn = ch_malloc( strlen( authzid ) + sizeof( "authzid=" ) );
+				*edn = ch_malloc( sizeof( "authzid=" ) + strlen( authzid ) );
 				strcpy( *edn, "authzid=" );
 				strcat( *edn, authzid );
 			}
@@ -214,7 +216,7 @@ int sasl_bind(
 		 */
 		conn->c_bind_in_progress = 1;
 		send_ldap_sasl( conn, op, LDAP_SASL_BIND_IN_PROGRESS,
-			/* matched */ NULL, /* text */ NULL, /* refs */ NULL, /* controls */ NULL,  &response );
+			NULL, NULL, NULL, NULL,  &response );
 	} 
 
 	Debug(LDAP_DEBUG_TRACE, "<== sasl_bind: rc=%d\n", rc, 0, 0);