upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-20 22:59:34 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

First cut SASL "interactive" and "quiet" modes (default is "automatic")

Browse source
This commit is contained in:
Kurt Zeilenga 2000-07-17 00:56:29 +00:00
parent 76f3601c3b
commit 95eea5accc
14 changed files with 923 additions and 182 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

112
clients/tools/ldapdelete.c
View file

@ -27,9 +27,11 @@ static char *ldaphost = NULL;
static int ldapport = 0; static int ldapport = 0;
static int prune = 0; static int prune = 0;
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
static unsigned sasl_flags = LUTIL_SASL_AUTOMATIC;
static char *sasl_mech = NULL;
static char *sasl_realm = NULL;
static char *sasl_authc_id = NULL; static char *sasl_authc_id = NULL;
static char *sasl_authz_id = NULL; static char *sasl_authz_id = NULL;
static char *sasl_mech = NULL;
static char *sasl_secprops = NULL; static char *sasl_secprops = NULL;
#endif #endif
static int use_tls = 0; static int use_tls = 0;
@ -61,6 +63,7 @@ usage( const char *s )
" -D binddn\tbind DN\n" " -D binddn\tbind DN\n"
" -f file\t\tread operations from `file'\n" " -f file\t\tread operations from `file'\n"
" -h host\t\tLDAP server\n" " -h host\t\tLDAP server\n"
" -I\t\tuse SASL Interactive mode\n"
" -k\t\tuse Kerberos authentication\n" " -k\t\tuse Kerberos authentication\n"
" -K\t\tlike -k, but do only step 1 of the Kerberos bind\n" " -K\t\tlike -k, but do only step 1 of the Kerberos bind\n"
" -M\t\tenable Manage DSA IT control (-MM to make it critical)\n" " -M\t\tenable Manage DSA IT control (-MM to make it critical)\n"
@ -68,6 +71,8 @@ usage( const char *s )
" -O secprops\tSASL security properties\n" " -O secprops\tSASL security properties\n"
" -p port\t\tport on LDAP server\n" " -p port\t\tport on LDAP server\n"
" -P version\tprocotol version (default: 3)\n" " -P version\tprocotol version (default: 3)\n"
" -Q\t\tuse SASL Quiet mode\n"
" -R realm\tSASL realm\n"
" -U user\t\tSASL authentication identity (username)\n" " -U user\t\tSASL authentication identity (username)\n"
" -v\t\trun in verbose mode (diagnostics to standard output)\n" " -v\t\trun in verbose mode (diagnostics to standard output)\n"
" -w passwd\tbind passwd (for simple authentication)\n" " -w passwd\tbind passwd (for simple authentication)\n"
@ -96,13 +101,17 @@ main( int argc, char **argv )
prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : ++prog; prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : ++prog;
while (( i = getopt( argc, argv, "cf:r" "Cd:D:h:kKMnO:p:P:U:vw:WxX:Y:Z" )) != EOF ) { while (( i = getopt( argc, argv, "cf:r" "Cd:D:h:IkKMnO:p:P:QRU:vw:WxX:Y:Z" )) != EOF ) {
switch( i ) { switch( i ) {
/* Delete Specific Options */ /* Delete Specific Options */
case 'c': /* continuous operation mode */ case 'c': /* continuous operation mode */
++contoper; ++contoper;
break; break;
case 'f': /* read DNs from a file */ case 'f': /* read DNs from a file */
if( fp != NULL ) {
fprintf( stderr, "%s: -f previously specified\n" );
return EXIT_FAILURE;
}
if (( fp = fopen( optarg, "r" )) == NULL ) { if (( fp = fopen( optarg, "r" )) == NULL ) {
perror( optarg ); perror( optarg );
exit( EXIT_FAILURE ); exit( EXIT_FAILURE );
@ -120,9 +129,17 @@ main( int argc, char **argv )
debug |= atoi( optarg ); debug |= atoi( optarg );
break; break;
case 'D': /* bind DN */ case 'D': /* bind DN */
if( binddn != NULL ) {
fprintf( stderr, "%s: -D previously specified\n" );
return EXIT_FAILURE;
}
binddn = strdup( optarg ); binddn = strdup( optarg );
break; break;
case 'h': /* ldap host */ case 'h': /* ldap host */
if( ldaphost != NULL ) {
fprintf( stderr, "%s: -h previously specified\n" );
return EXIT_FAILURE;
}
ldaphost = strdup( optarg ); ldaphost = strdup( optarg );
break; break;
case 'k': /* kerberos bind */ case 'k': /* kerberos bind */
@ -179,8 +196,12 @@ main( int argc, char **argv )
break; break;
case 'O': case 'O':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( sasl_secprops != NULL ) {
fprintf( stderr, "%s: -O previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s -O incompatible with LDAPv%d\n", fprintf( stderr, "%s: -O incompatible with LDAPv%d\n",
prog, version ); prog, version );
return EXIT_FAILURE; return EXIT_FAILURE;
} }
@ -189,9 +210,9 @@ main( int argc, char **argv )
"authentication choice\n", prog ); "authentication choice\n", prog );
return EXIT_FAILURE; return EXIT_FAILURE;
} }
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3; version = LDAP_VERSION3;
sasl_secprops = strdup( optarg );
#else #else
fprintf( stderr, "%s: not compiled with SASL support\n", fprintf( stderr, "%s: not compiled with SASL support\n",
prog ); prog );
@ -199,6 +220,10 @@ main( int argc, char **argv )
#endif #endif
break; break;
case 'p': case 'p':
if( ldapport ) {
fprintf( stderr, "%s: -p previously specified\n" );
return EXIT_FAILURE;
}
ldapport = atoi( optarg ); ldapport = atoi( optarg );
break; break;
case 'P': case 'P':
@ -225,8 +250,59 @@ main( int argc, char **argv )
usage( prog ); usage( prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
} break; } break;
case 'Q':
#ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -Q incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n",
prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_flags = LUTIL_SASL_QUIET;
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
case 'R':
#ifdef HAVE_CYRUS_SASL
if( sasl_realm != NULL ) {
fprintf( stderr, "%s: -R previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -R incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n",
prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_realm = strdup( optarg );
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
break;
case 'U': case 'U':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( sasl_authc_id != NULL ) {
fprintf( stderr, "%s: -U previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -U incompatible with version %d\n", fprintf( stderr, "%s: -U incompatible with version %d\n",
prog, version ); prog, version );
@ -240,9 +316,7 @@ main( int argc, char **argv )
} }
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3; version = LDAP_VERSION3;
sasl_authc_id = strdup( optarg ); sasl_authc_id = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else #else
fprintf( stderr, "%s: was not compiled with SASL support\n", fprintf( stderr, "%s: was not compiled with SASL support\n",
prog ); prog );
@ -258,7 +332,7 @@ main( int argc, char **argv )
char* p; char* p;
for( p = optarg; *p == '\0'; p++ ) { for( p = optarg; *p == '\0'; p++ ) {
*p = '*'; *p = '\0';
} }
} }
passwd.bv_len = strlen( passwd.bv_val ); passwd.bv_len = strlen( passwd.bv_val );
@ -268,6 +342,10 @@ main( int argc, char **argv )
break; break;
case 'Y': case 'Y':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( sasl_mech != NULL ) {
fprintf( stderr, "%s: -Y previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -Y incompatible with version %d\n", fprintf( stderr, "%s: -Y incompatible with version %d\n",
prog, version ); prog, version );
@ -277,9 +355,9 @@ main( int argc, char **argv )
fprintf( stderr, "%s: incompatible with authentication choice\n", prog ); fprintf( stderr, "%s: incompatible with authentication choice\n", prog );
return EXIT_FAILURE; return EXIT_FAILURE;
} }
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3; version = LDAP_VERSION3;
sasl_mech = strdup( optarg );
#else #else
fprintf( stderr, "%s: was not compiled with SASL support\n", fprintf( stderr, "%s: was not compiled with SASL support\n",
prog ); prog );
@ -296,6 +374,10 @@ main( int argc, char **argv )
break; break;
case 'X': case 'X':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( sasl_authz_id != NULL ) {
fprintf( stderr, "%s: -X previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -X incompatible with LDAPv%d\n", fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
prog, version ); prog, version );
@ -308,9 +390,7 @@ main( int argc, char **argv )
} }
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3; version = LDAP_VERSION3;
sasl_authz_id = strdup( optarg ); sasl_authz_id = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else #else
fprintf( stderr, "%s: not compiled with SASL support\n", fprintf( stderr, "%s: not compiled with SASL support\n",
prog ); prog );
@ -413,6 +493,8 @@ main( int argc, char **argv )
if ( authmethod == LDAP_AUTH_SASL ) { if ( authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
void *defaults;
if( sasl_secprops != NULL ) { if( sasl_secprops != NULL ) {
rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS, rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
(void *) sasl_secprops ); (void *) sasl_secprops );
@ -425,8 +507,16 @@ main( int argc, char **argv )
} }
} }
defaults = lutil_sasl_defaults( ld, sasl_flags,
sasl_mech,
sasl_realm,
sasl_authc_id,
passwd.bv_val,
sasl_authz_id );
rc = ldap_sasl_interactive_bind_s( ld, binddn, rc = ldap_sasl_interactive_bind_s( ld, binddn,
sasl_mech, NULL, NULL, lutil_sasl_interact ); sasl_mech, NULL, NULL,
lutil_sasl_interact, defaults );
if( rc != LDAP_SUCCESS ) { if( rc != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_sasl_interactive_bind_s" ); ldap_perror( ld, "ldap_sasl_interactive_bind_s" );

110
clients/tools/ldapmodify.c
View file

@ -39,6 +39,8 @@ static struct berval passwd = { 0, NULL };
static char *ldaphost = NULL; static char *ldaphost = NULL;
static int ldapport = 0; static int ldapport = 0;
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
static unsigned sasl_flags = LUTIL_SASL_AUTOMATIC;
static char *sasl_realm = NULL;
static char *sasl_authc_id = NULL; static char *sasl_authc_id = NULL;
static char *sasl_authz_id = NULL; static char *sasl_authz_id = NULL;
static char *sasl_mech = NULL; static char *sasl_mech = NULL;
@ -109,12 +111,15 @@ usage( const char *prog )
" -D dn\t\tbind DN\n" " -D dn\t\tbind DN\n"
" -f file\t\tread operations from `file'\n" " -f file\t\tread operations from `file'\n"
" -h host\t\tLDAP server\n" " -h host\t\tLDAP server\n"
" -I\t\tuse SASL Interactive mode\n"
" -k\t\tuse Kerberos authentication\n" " -k\t\tuse Kerberos authentication\n"
" -K\t\tlike -k, but do only step 1 of the Kerberos bind\n" " -K\t\tlike -k, but do only step 1 of the Kerberos bind\n"
" -M\t\tenable Manage DSA IT control (-MM to make it critical)\n" " -M\t\tenable Manage DSA IT control (-MM to make it critical)\n"
" -n\t\tprint changes, don't actually do them\n" " -n\t\tprint changes, don't actually do them\n"
" -O secprops\tSASL security properties\n" " -O secprops\tSASL security properties\n"
" -p port\t\tport on LDAP server\n" " -p port\t\tport on LDAP server\n"
" -Q\t\tuse SASL Quiet mode\n"
" -R realm\tSASL realm\n"
" -U user\t\tSASL authentication identity (username)\n" " -U user\t\tSASL authentication identity (username)\n"
" -v\t\tverbose mode\n" " -v\t\tverbose mode\n"
" -w passwd\tbind password (for Simple authentication)\n" " -w passwd\tbind password (for Simple authentication)\n"
@ -151,7 +156,7 @@ main( int argc, char **argv )
authmethod = -1; authmethod = -1;
version = -1; version = -1;
while (( i = getopt( argc, argv, "acrf:F" "Cd:D:h:kKMnO:p:P:U:vw:WxX:Y:Z" )) != EOF ) { while (( i = getopt( argc, argv, "acrf:F" "Cd:D:h:IkKMnO:p:P:QRU:vw:WxX:Y:Z" )) != EOF ) {
switch( i ) { switch( i ) {
/* Modify Options */ /* Modify Options */
case 'a': /* add */ case 'a': /* add */
@ -161,6 +166,10 @@ main( int argc, char **argv )
contoper = 1; contoper = 1;
break; break;
case 'f': /* read from file */ case 'f': /* read from file */
if( infile != NULL ) {
fprintf( stderr, "%s: -f previously specified\n" );
return EXIT_FAILURE;
}
infile = strdup( optarg ); infile = strdup( optarg );
break; break;
case 'F': /* force all changes records to be used */ case 'F': /* force all changes records to be used */
@ -178,9 +187,17 @@ main( int argc, char **argv )
debug |= atoi( optarg ); debug |= atoi( optarg );
break; break;
case 'D': /* bind DN */ case 'D': /* bind DN */
if( binddn != NULL ) {
fprintf( stderr, "%s: -D previously specified\n" );
return EXIT_FAILURE;
}
binddn = strdup( optarg ); binddn = strdup( optarg );
break; break;
case 'h': /* ldap host */ case 'h': /* ldap host */
if( ldaphost != NULL ) {
fprintf( stderr, "%s: -h previously specified\n" );
return EXIT_FAILURE;
}
ldaphost = strdup( optarg ); ldaphost = strdup( optarg );
break; break;
case 'k': /* kerberos bind */ case 'k': /* kerberos bind */
@ -237,8 +254,12 @@ main( int argc, char **argv )
break; break;
case 'O': case 'O':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( sasl_secprops != NULL ) {
fprintf( stderr, "%s: -O previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s -O incompatible with LDAPv%d\n", fprintf( stderr, "%s: -O incompatible with LDAPv%d\n",
prog, version ); prog, version );
return EXIT_FAILURE; return EXIT_FAILURE;
} }
@ -247,9 +268,9 @@ main( int argc, char **argv )
"authentication choice\n", prog ); "authentication choice\n", prog );
return EXIT_FAILURE; return EXIT_FAILURE;
} }
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3; version = LDAP_VERSION3;
sasl_secprops = strdup( optarg );
#else #else
fprintf( stderr, "%s: not compiled with SASL support\n", fprintf( stderr, "%s: not compiled with SASL support\n",
prog ); prog );
@ -257,6 +278,10 @@ main( int argc, char **argv )
#endif #endif
break; break;
case 'p': case 'p':
if( ldapport ) {
fprintf( stderr, "%s: -p previously specified\n" );
return EXIT_FAILURE;
}
ldapport = atoi( optarg ); ldapport = atoi( optarg );
break; break;
case 'P': case 'P':
@ -283,8 +308,59 @@ main( int argc, char **argv )
usage( prog ); usage( prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
} break; } break;
case 'Q':
#ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -Q incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n",
prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_flags = LUTIL_SASL_QUIET;
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
case 'R':
#ifdef HAVE_CYRUS_SASL
if( sasl_realm != NULL ) {
fprintf( stderr, "%s: -R previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -R incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n",
prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_realm = strdup( optarg );
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
break;
case 'U': case 'U':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( sasl_authc_id != NULL ) {
fprintf( stderr, "%s: -U previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -U incompatible with version %d\n", fprintf( stderr, "%s: -U incompatible with version %d\n",
prog, version ); prog, version );
@ -298,9 +374,7 @@ main( int argc, char **argv )
} }
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3; version = LDAP_VERSION3;
sasl_authc_id = strdup( optarg ); sasl_authc_id = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else #else
fprintf( stderr, "%s: was not compiled with SASL support\n", fprintf( stderr, "%s: was not compiled with SASL support\n",
prog ); prog );
@ -316,7 +390,7 @@ main( int argc, char **argv )
char* p; char* p;
for( p = optarg; *p == '\0'; p++ ) { for( p = optarg; *p == '\0'; p++ ) {
*p = '*'; *p = '\0';
} }
} }
passwd.bv_len = strlen( passwd.bv_val ); passwd.bv_len = strlen( passwd.bv_val );
@ -326,6 +400,10 @@ main( int argc, char **argv )
break; break;
case 'Y': case 'Y':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( sasl_mech != NULL ) {
fprintf( stderr, "%s: -Y previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -Y incompatible with version %d\n", fprintf( stderr, "%s: -Y incompatible with version %d\n",
prog, version ); prog, version );
@ -335,9 +413,9 @@ main( int argc, char **argv )
fprintf( stderr, "%s: incompatible with authentication choice\n", prog ); fprintf( stderr, "%s: incompatible with authentication choice\n", prog );
return EXIT_FAILURE; return EXIT_FAILURE;
} }
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3; version = LDAP_VERSION3;
sasl_mech = strdup( optarg );
#else #else
fprintf( stderr, "%s: was not compiled with SASL support\n", fprintf( stderr, "%s: was not compiled with SASL support\n",
prog ); prog );
@ -354,6 +432,10 @@ main( int argc, char **argv )
break; break;
case 'X': case 'X':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( sasl_authz_id != NULL ) {
fprintf( stderr, "%s: -X previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -X incompatible with LDAPv%d\n", fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
prog, version ); prog, version );
@ -366,9 +448,7 @@ main( int argc, char **argv )
} }
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3; version = LDAP_VERSION3;
sasl_authz_id = strdup( optarg ); sasl_authz_id = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else #else
fprintf( stderr, "%s: not compiled with SASL support\n", fprintf( stderr, "%s: not compiled with SASL support\n",
prog ); prog );
@ -477,6 +557,8 @@ main( int argc, char **argv )
if ( authmethod == LDAP_AUTH_SASL ) { if ( authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
void *defaults;
if( sasl_secprops != NULL ) { if( sasl_secprops != NULL ) {
rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS, rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
(void *) sasl_secprops ); (void *) sasl_secprops );
@ -489,8 +571,16 @@ main( int argc, char **argv )
} }
} }
defaults = lutil_sasl_defaults( ld, sasl_flags,
sasl_mech,
sasl_realm,
sasl_authc_id,
passwd.bv_val,
sasl_authz_id );
rc = ldap_sasl_interactive_bind_s( ld, binddn, rc = ldap_sasl_interactive_bind_s( ld, binddn,
sasl_mech, NULL, NULL, lutil_sasl_interact ); sasl_mech, NULL, NULL,
lutil_sasl_interact, defaults );
if( rc != LDAP_SUCCESS ) { if( rc != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_sasl_interactive_bind_s" ); ldap_perror( ld, "ldap_sasl_interactive_bind_s" );

119
clients/tools/ldapmodrdn.c
View file

@ -37,6 +37,8 @@ static struct berval passwd = { 0, NULL };
static char *ldaphost = NULL; static char *ldaphost = NULL;
static int ldapport = 0; static int ldapport = 0;
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
static unsigned sasl_flags = LUTIL_SASL_AUTOMATIC;
static char *sasl_realm = NULL;
static char *sasl_authc_id = NULL; static char *sasl_authc_id = NULL;
static char *sasl_authz_id = NULL; static char *sasl_authz_id = NULL;
static char *sasl_mech = NULL; static char *sasl_mech = NULL;
@ -73,6 +75,7 @@ usage( const char *s )
" -d level\tset LDAP debugging level to `level'\n" " -d level\tset LDAP debugging level to `level'\n"
" -D binddn\tbind DN\n" " -D binddn\tbind DN\n"
" -h host\t\tLDAP server\n" " -h host\t\tLDAP server\n"
" -I\t\tuse SASL Interactive mode\n"
" -k\t\tuse Kerberos authentication\n" " -k\t\tuse Kerberos authentication\n"
" -K\t\tlike -k, but do only step 1 of the Kerberos bind\n" " -K\t\tlike -k, but do only step 1 of the Kerberos bind\n"
" -M\t\tenable Manage DSA IT control (-MM to make it critical)\n" " -M\t\tenable Manage DSA IT control (-MM to make it critical)\n"
@ -80,6 +83,8 @@ usage( const char *s )
" -O secprops\tSASL security properties\n" " -O secprops\tSASL security properties\n"
" -p port\t\tport on LDAP server\n" " -p port\t\tport on LDAP server\n"
" -P version\tprocotol version (default: 3)\n" " -P version\tprocotol version (default: 3)\n"
" -Q\t\tuse SASL Quiet mode\n"
" -R realm\tSASL realm\n"
" -U user\t\tSASL authentication identity (username)\n" " -U user\t\tSASL authentication identity (username)\n"
" -v\t\trun in verbose mode (diagnostics to standard output)\n" " -v\t\trun in verbose mode (diagnostics to standard output)\n"
" -w passwd\tbind passwd (for simple authentication)\n" " -w passwd\tbind passwd (for simple authentication)\n"
@ -109,12 +114,22 @@ main(int argc, char **argv)
prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : ++prog; prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : ++prog;
while (( i = getopt( argc, argv, "cf:rs:" "Cd:D:h:kKMnO:p:P:U:vw:WxX:Y:Z" )) != EOF ) { while (( i = getopt( argc, argv, "cf:rs:" "Cd:D:h:IkKMnO:p:P:QRU:vw:WxX:Y:Z" )) != EOF ) {
switch( i ) { switch( i ) {
/* Modrdn Options */ /* Modrdn Options */
case 'c': case 'c':
contoper++; contoper++;
break; break;
case 'f': /* read from file */
if( infile != NULL ) {
fprintf( stderr, "%s: -f previously specified\n" );
return EXIT_FAILURE;
}
infile = strdup( optarg );
break;
case 'r': /* remove old RDN */
remove++;
break;
case 's': /* newSuperior */ case 's': /* newSuperior */
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -X incompatible with LDAPv%d\n", fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
@ -124,9 +139,6 @@ main(int argc, char **argv)
newSuperior = strdup( optarg ); newSuperior = strdup( optarg );
version = LDAP_VERSION3; version = LDAP_VERSION3;
break; break;
case 'r': /* remove old RDN */
remove++;
break;
/* Common Options */ /* Common Options */
case 'C': case 'C':
@ -136,9 +148,17 @@ main(int argc, char **argv)
debug |= atoi( optarg ); debug |= atoi( optarg );
break; break;
case 'D': /* bind DN */ case 'D': /* bind DN */
if( binddn != NULL ) {
fprintf( stderr, "%s: -D previously specified\n" );
return EXIT_FAILURE;
}
binddn = strdup( optarg ); binddn = strdup( optarg );
break; break;
case 'h': /* ldap host */ case 'h': /* ldap host */
if( ldaphost != NULL ) {
fprintf( stderr, "%s: -h previously specified\n" );
return EXIT_FAILURE;
}
ldaphost = strdup( optarg ); ldaphost = strdup( optarg );
break; break;
case 'k': /* kerberos bind */ case 'k': /* kerberos bind */
@ -195,8 +215,12 @@ main(int argc, char **argv)
break; break;
case 'O': case 'O':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( sasl_secprops != NULL ) {
fprintf( stderr, "%s: -O previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s -O incompatible with LDAPv%d\n", fprintf( stderr, "%s: -O incompatible with LDAPv%d\n",
prog, version ); prog, version );
return EXIT_FAILURE; return EXIT_FAILURE;
} }
@ -205,9 +229,9 @@ main(int argc, char **argv)
"authentication choice\n", prog ); "authentication choice\n", prog );
return EXIT_FAILURE; return EXIT_FAILURE;
} }
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3; version = LDAP_VERSION3;
sasl_secprops = strdup( optarg );
#else #else
fprintf( stderr, "%s: not compiled with SASL support\n", fprintf( stderr, "%s: not compiled with SASL support\n",
prog ); prog );
@ -215,6 +239,10 @@ main(int argc, char **argv)
#endif #endif
break; break;
case 'p': case 'p':
if( ldapport ) {
fprintf( stderr, "%s: -p previously specified\n" );
return EXIT_FAILURE;
}
ldapport = atoi( optarg ); ldapport = atoi( optarg );
break; break;
case 'P': case 'P':
@ -241,8 +269,59 @@ main(int argc, char **argv)
usage( prog ); usage( prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
} break; } break;
case 'Q':
#ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -Q incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n",
prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_flags = LUTIL_SASL_QUIET;
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
case 'R':
#ifdef HAVE_CYRUS_SASL
if( sasl_realm != NULL ) {
fprintf( stderr, "%s: -R previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -R incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n",
prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_realm = strdup( optarg );
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
break;
case 'U': case 'U':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( sasl_authc_id != NULL ) {
fprintf( stderr, "%s: -U previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -U incompatible with version %d\n", fprintf( stderr, "%s: -U incompatible with version %d\n",
prog, version ); prog, version );
@ -256,9 +335,7 @@ main(int argc, char **argv)
} }
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3; version = LDAP_VERSION3;
sasl_authc_id = strdup( optarg ); sasl_authc_id = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else #else
fprintf( stderr, "%s: was not compiled with SASL support\n", fprintf( stderr, "%s: was not compiled with SASL support\n",
prog ); prog );
@ -274,7 +351,7 @@ main(int argc, char **argv)
char* p; char* p;
for( p = optarg; *p == '\0'; p++ ) { for( p = optarg; *p == '\0'; p++ ) {
*p = '*'; *p = '\0';
} }
} }
passwd.bv_len = strlen( passwd.bv_val ); passwd.bv_len = strlen( passwd.bv_val );
@ -284,6 +361,10 @@ main(int argc, char **argv)
break; break;
case 'Y': case 'Y':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( sasl_mech != NULL ) {
fprintf( stderr, "%s: -Y previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -Y incompatible with version %d\n", fprintf( stderr, "%s: -Y incompatible with version %d\n",
prog, version ); prog, version );
@ -293,9 +374,9 @@ main(int argc, char **argv)
fprintf( stderr, "%s: incompatible with authentication choice\n", prog ); fprintf( stderr, "%s: incompatible with authentication choice\n", prog );
return EXIT_FAILURE; return EXIT_FAILURE;
} }
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3; version = LDAP_VERSION3;
sasl_mech = strdup( optarg );
#else #else
fprintf( stderr, "%s: was not compiled with SASL support\n", fprintf( stderr, "%s: was not compiled with SASL support\n",
prog ); prog );
@ -312,6 +393,10 @@ main(int argc, char **argv)
break; break;
case 'X': case 'X':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( sasl_authz_id != NULL ) {
fprintf( stderr, "%s: -X previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -X incompatible with LDAPv%d\n", fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
prog, version ); prog, version );
@ -324,9 +409,7 @@ main(int argc, char **argv)
} }
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3; version = LDAP_VERSION3;
sasl_authz_id = strdup( optarg ); sasl_authz_id = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else #else
fprintf( stderr, "%s: not compiled with SASL support\n", fprintf( stderr, "%s: not compiled with SASL support\n",
prog ); prog );
@ -444,6 +527,8 @@ main(int argc, char **argv)
if ( authmethod == LDAP_AUTH_SASL ) { if ( authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
void *defaults;
if( sasl_secprops != NULL ) { if( sasl_secprops != NULL ) {
rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS, rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
(void *) sasl_secprops ); (void *) sasl_secprops );
@ -456,8 +541,16 @@ main(int argc, char **argv)
} }
} }
defaults = lutil_sasl_defaults( ld, sasl_flags,
sasl_mech,
sasl_realm,
sasl_authc_id,
passwd.bv_val,
sasl_authz_id );
rc = ldap_sasl_interactive_bind_s( ld, binddn, rc = ldap_sasl_interactive_bind_s( ld, binddn,
sasl_mech, NULL, NULL, lutil_sasl_interact ); sasl_mech, NULL, NULL,
lutil_sasl_interact, defaults );
if( rc != LDAP_SUCCESS ) { if( rc != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_sasl_interactive_bind_s" ); ldap_perror( ld, "ldap_sasl_interactive_bind_s" );

327
clients/tools/ldappasswd.c
View file

@ -42,9 +42,12 @@ usage(const char *s)
" -C\t\tchase referrals\n" " -C\t\tchase referrals\n"
" -D binddn\tbind DN\n" " -D binddn\tbind DN\n"
" -h host\t\tLDAP server (default: localhost)\n" " -h host\t\tLDAP server (default: localhost)\n"
" -I\t\tuse SASL Interactive mode\n"
" -n\t\tmake no modifications\n" " -n\t\tmake no modifications\n"
" -O secprops\tSASL security properties\n" " -O secprops\tSASL security properties\n"
" -p port\t\tport on LDAP server\n" " -p port\t\tport on LDAP server\n"
" -Q\t\tuse SASL Quiet mode\n"
" -R realm\tSASL realm\n"
" -U user\t\tSASL authentication identity (username)\n" " -U user\t\tSASL authentication identity (username)\n"
" -v\t\tverbose mode\n" " -v\t\tverbose mode\n"
" -w passwd\tbind password (for simple authentication)\n" " -w passwd\tbind password (for simple authentication)\n"
@ -76,13 +79,16 @@ main( int argc, char *argv[] )
int want_newpw = 0; int want_newpw = 0;
int want_oldpw = 0; int want_oldpw = 0;
int noupdates = 0; int not = 0;
int i; int i;
int ldapport = 0; int ldapport = 0;
int debug = 0; int debug = 0;
int version = -1; int version = -1;
int authmethod = -1; int authmethod = -1;
int manageDSAit = 0;
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
unsigned sasl_flags = LUTIL_SASL_AUTOMATIC;
char *sasl_realm = NULL;
char *sasl_authc_id = NULL; char *sasl_authc_id = NULL;
char *sasl_authz_id = NULL; char *sasl_authz_id = NULL;
char *sasl_mech = NULL; char *sasl_mech = NULL;
@ -105,7 +111,7 @@ main( int argc, char *argv[] )
usage (argv[0]); usage (argv[0]);
while( (i = getopt( argc, argv, while( (i = getopt( argc, argv,
"Aa:Ss:" "Cd:D:h:nO:p:U:vw:WxX:Y:Z" )) != EOF ) "Aa:Ss:" "Cd:D:h:InO:p:QRU:vw:WxX:Y:Z" )) != EOF )
{ {
switch (i) { switch (i) {
/* Password Options */ /* Password Options */
@ -120,7 +126,7 @@ main( int argc, char *argv[] )
char* p; char* p;
for( p = optarg; *p == '\0'; p++ ) { for( p = optarg; *p == '\0'; p++ ) {
*p = '*'; *p = '\0';
} }
} }
break; break;
@ -135,86 +141,251 @@ main( int argc, char *argv[] )
char* p; char* p;
for( p = optarg; *p == '\0'; p++ ) { for( p = optarg; *p == '\0'; p++ ) {
*p = '*'; *p = '\0';
} }
} }
break; break;
/* Common Options */ /* Common Options (including options we don't use) */
case 'C': case 'C':
referrals++; referrals++;
break; break;
case 'd':
case 'D': /* bind distinguished name */ debug |= atoi( optarg );
binddn = strdup (optarg);
break; break;
case 'D': /* bind DN */
case 'd': /* debugging option */ if( binddn != NULL ) {
debug |= atoi (optarg); fprintf( stderr, "%s: -D previously specified\n" );
return EXIT_FAILURE;
}
binddn = strdup( optarg );
break; break;
case 'h': /* ldap host */ case 'h': /* ldap host */
ldaphost = strdup (optarg); if( ldaphost != NULL ) {
break; fprintf( stderr, "%s: -h previously specified\n" );
return EXIT_FAILURE;
case 'n': /* don't update entry(s) */
noupdates++;
break;
case 'p': /* ldap port */
ldapport = strtol( optarg, NULL, 10 );
break;
case 'v': /* verbose */
verbose++;
break;
case 'W': /* prompt for bind password */
want_bindpw++;
break;
case 'w': /* bind password */
passwd.bv_val = strdup (optarg);
{
char* p;
for( p = optarg; *p == '\0'; p++ ) {
*p = '*';
} }
} ldaphost = strdup( optarg );
passwd.bv_len = strlen( passwd.bv_val );
break; break;
case 'k': /* kerberos bind */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
if( version > LDAP_VERSION2 ) {
fprintf( stderr, "%s: -k incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
case 'O': if( authmethod != -1 ) {
#ifdef HAVE_CYRUS_SASL fprintf( stderr, "%s: -k incompatible with previous "
sasl_secprops = strdup( optarg ); "authentication choice\n", prog );
authmethod = LDAP_AUTH_SASL; return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_KRBV4;
#else #else
fprintf( stderr, "%s was not compiled with SASL support\n", fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
argv[0] ); return EXIT_FAILURE;
#endif
break;
case 'K': /* kerberos bind, part one only */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
if( version > LDAP_VERSION2 ) {
fprintf( stderr, "%s: -k incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 ) {
fprintf( stderr, "%s: incompatible with previous "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_KRBV41;
#else
fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
case 'Y': case 'M':
/* enable Manage DSA IT */
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -M incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
manageDSAit++;
version = LDAP_VERSION3;
break;
case 'n': /* print deletes, don't actually do them */
++not;
break;
case 'O':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if ( strcasecmp( optarg, "any" ) && if( sasl_secprops != NULL ) {
strcmp( optarg, "*" ) ) { fprintf( stderr, "%s: -O previously specified\n" );
sasl_mech = strdup( optarg ); return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -O incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n", prog );
return EXIT_FAILURE;
} }
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_secprops = strdup( optarg );
#else #else
fprintf( stderr, "%s was not compiled with SASL " fprintf( stderr, "%s: not compiled with SASL support\n",
"support\n", argv[0] ); prog );
return( EXIT_FAILURE );
#endif
break;
case 'p':
if( ldapport ) {
fprintf( stderr, "%s: -p previously specified\n" );
return EXIT_FAILURE;
}
ldapport = atoi( optarg );
break;
case 'P':
switch( atoi(optarg) ) {
case 2:
if( version == LDAP_VERSION3 ) {
fprintf( stderr, "%s: -P 2 incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
version = LDAP_VERSION2;
break;
case 3:
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -P 2 incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
break;
default:
fprintf( stderr, "%s: protocol version should be 2 or 3\n",
prog );
usage( prog );
return( EXIT_FAILURE );
} break;
case 'Q':
#ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -Q incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n",
prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_flags = LUTIL_SASL_QUIET;
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
case 'R':
#ifdef HAVE_CYRUS_SASL
if( sasl_realm != NULL ) {
fprintf( stderr, "%s: -R previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -R incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n",
prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_realm = strdup( optarg );
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
case 'U': case 'U':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
sasl_authc_id = strdup( optarg ); if( sasl_authc_id != NULL ) {
fprintf( stderr, "%s: -U previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -U incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n",
prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_authc_id = strdup( optarg );
#else #else
fprintf( stderr, "%s was not compiled with SASL " fprintf( stderr, "%s: was not compiled with SASL support\n",
"support\n", argv[0] ); prog );
return( EXIT_FAILURE );
#endif
break;
case 'v': /* verbose mode */
verbose++;
break;
case 'w': /* password */
passwd.bv_val = strdup( optarg );
{
char* p;
for( p = optarg; *p == '\0'; p++ ) {
*p = '\0';
}
}
passwd.bv_len = strlen( passwd.bv_val );
break;
case 'W':
want_bindpw++;
break;
case 'Y':
#ifdef HAVE_CYRUS_SASL
if( sasl_mech != NULL ) {
fprintf( stderr, "%s: -Y previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -Y incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible with authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_mech = strdup( optarg );
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
@ -228,24 +399,46 @@ main( int argc, char *argv[] )
break; break;
case 'X': case 'X':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
sasl_authz_id = strdup( optarg ); if( sasl_authz_id != NULL ) {
fprintf( stderr, "%s: -X previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: -X incompatible with "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_authz_id = strdup( optarg );
#else #else
fprintf( stderr, "%s was not compiled with SASL " fprintf( stderr, "%s: not compiled with SASL support\n",
"support\n", argv[0] ); prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
case 'Z': case 'Z':
#ifdef HAVE_TLS #ifdef HAVE_TLS
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s -Z incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
use_tls++; use_tls++;
#else #else
fprintf( stderr, "%s was not compiled with TLS " fprintf( stderr, "%s: not compiled with TLS support\n",
"support\n", argv[0] ); prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
default: default:
fprintf( stderr, "%s: unrecongized option -%c\n", fprintf( stderr, "%s: unrecongized option -%c\n",
prog, optopt ); prog, optopt );
@ -359,6 +552,8 @@ main( int argc, char *argv[] )
if ( authmethod == LDAP_AUTH_SASL ) { if ( authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
void *defaults;
if( sasl_secprops != NULL ) { if( sasl_secprops != NULL ) {
rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS, rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
(void *) sasl_secprops ); (void *) sasl_secprops );
@ -371,8 +566,16 @@ main( int argc, char *argv[] )
} }
} }
defaults = lutil_sasl_defaults( ld, sasl_flags,
sasl_mech,
sasl_realm,
sasl_authc_id,
passwd.bv_val,
sasl_authz_id );
rc = ldap_sasl_interactive_bind_s( ld, binddn, rc = ldap_sasl_interactive_bind_s( ld, binddn,
sasl_mech, NULL, NULL, lutil_sasl_interact ); sasl_mech, NULL, NULL,
lutil_sasl_interact, defaults );
if( rc != LDAP_SUCCESS ) { if( rc != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_sasl_interactive_bind_s" ); ldap_perror( ld, "ldap_sasl_interactive_bind_s" );
@ -435,7 +638,7 @@ main( int argc, char *argv[] )
ber_free( ber, 1 ); ber_free( ber, 1 );
} }
if ( noupdates ) { if ( not ) {
rc = LDAP_SUCCESS; rc = LDAP_SUCCESS;
goto skip; goto skip;
} }

110
clients/tools/ldapsearch.c
View file

@ -68,6 +68,7 @@ usage( const char *s )
"\t-D binddn\tbind DN\n" "\t-D binddn\tbind DN\n"
"\t-f file\t\tread operations from `file'\n" "\t-f file\t\tread operations from `file'\n"
"\t-h host\t\tLDAP server\n" "\t-h host\t\tLDAP server\n"
"\t-I\t\tuse SASL Interactive mode\n"
"\t-k\t\tuse Kerberos authentication\n" "\t-k\t\tuse Kerberos authentication\n"
"\t-K\t\tlike -k, but do only step 1 of the Kerberos bind\n" "\t-K\t\tlike -k, but do only step 1 of the Kerberos bind\n"
"\t-M\t\tenable Manage DSA IT control (-MM to make critical)\n" "\t-M\t\tenable Manage DSA IT control (-MM to make critical)\n"
@ -75,6 +76,8 @@ usage( const char *s )
"\t-O secprops\tSASL security properties\n" "\t-O secprops\tSASL security properties\n"
"\t-p port\t\tport on LDAP server\n" "\t-p port\t\tport on LDAP server\n"
"\t-P version\tprocotol version (default: 3)\n" "\t-P version\tprocotol version (default: 3)\n"
"\t-Q\t\tuse SASL Quiet mode\n"
"\t-R realm\tSASL realm\n"
"\t-U user\t\tSASL authentication identity (username)\n" "\t-U user\t\tSASL authentication identity (username)\n"
"\t-v\t\trun in verbose mode (diagnostics to standard output)\n" "\t-v\t\trun in verbose mode (diagnostics to standard output)\n"
"\t-V prefix\tURL prefix for files (default: \"" LDAP_FILE_URI_PREFIX ")\n" "\t-V prefix\tURL prefix for files (default: \"" LDAP_FILE_URI_PREFIX ")\n"
@ -143,6 +146,8 @@ static char *base = NULL;
static char *ldaphost = NULL; static char *ldaphost = NULL;
static int ldapport = 0; static int ldapport = 0;
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
static unsigned sasl_flags = LUTIL_SASL_AUTOMATIC;
static char *sasl_realm = NULL;
static char *sasl_authc_id = NULL; static char *sasl_authc_id = NULL;
static char *sasl_authz_id = NULL; static char *sasl_authz_id = NULL;
static char *sasl_mech = NULL; static char *sasl_mech = NULL;
@ -174,7 +179,7 @@ main( int argc, char **argv )
prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : ++prog; prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : ++prog;
while (( i = getopt( argc, argv, while (( i = getopt( argc, argv,
"Aa:b:f:Ll:S:s:T:tuV:z:" "Cd:D:h:kKMnO:p:P:U:vw:WxX:Y:Z")) != EOF ) "Aa:b:f:Ll:S:s:T:tuV:z:" "Cd:D:h:IkKMnO:p:P:QRU:vw:WxX:Y:Z")) != EOF )
{ {
switch( i ) { switch( i ) {
/* Search Options */ /* Search Options */
@ -199,6 +204,10 @@ main( int argc, char **argv )
base = strdup( optarg ); base = strdup( optarg );
break; break;
case 'f': /* input file */ case 'f': /* input file */
if( infile != NULL ) {
fprintf( stderr, "%s: -f previously specified\n" );
return EXIT_FAILURE;
}
infile = strdup( optarg ); infile = strdup( optarg );
break; break;
case 'l': /* time limit */ case 'l': /* time limit */
@ -248,9 +257,17 @@ main( int argc, char **argv )
debug |= atoi( optarg ); debug |= atoi( optarg );
break; break;
case 'D': /* bind DN */ case 'D': /* bind DN */
if( binddn != NULL ) {
fprintf( stderr, "%s: -D previously specified\n" );
return EXIT_FAILURE;
}
binddn = strdup( optarg ); binddn = strdup( optarg );
break; break;
case 'h': /* ldap host */ case 'h': /* ldap host */
if( ldaphost != NULL ) {
fprintf( stderr, "%s: -h previously specified\n" );
return EXIT_FAILURE;
}
ldaphost = strdup( optarg ); ldaphost = strdup( optarg );
break; break;
case 'k': /* kerberos bind */ case 'k': /* kerberos bind */
@ -307,8 +324,12 @@ main( int argc, char **argv )
break; break;
case 'O': case 'O':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( sasl_secprops != NULL ) {
fprintf( stderr, "%s: -O previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s -O incompatible with LDAPv%d\n", fprintf( stderr, "%s: -O incompatible with LDAPv%d\n",
prog, version ); prog, version );
return EXIT_FAILURE; return EXIT_FAILURE;
} }
@ -317,9 +338,9 @@ main( int argc, char **argv )
"authentication choice\n", prog ); "authentication choice\n", prog );
return EXIT_FAILURE; return EXIT_FAILURE;
} }
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3; version = LDAP_VERSION3;
sasl_secprops = strdup( optarg );
#else #else
fprintf( stderr, "%s: not compiled with SASL support\n", fprintf( stderr, "%s: not compiled with SASL support\n",
prog ); prog );
@ -327,6 +348,10 @@ main( int argc, char **argv )
#endif #endif
break; break;
case 'p': case 'p':
if( ldapport ) {
fprintf( stderr, "%s: -p previously specified\n" );
return EXIT_FAILURE;
}
ldapport = atoi( optarg ); ldapport = atoi( optarg );
break; break;
case 'P': case 'P':
@ -353,8 +378,59 @@ main( int argc, char **argv )
usage( prog ); usage( prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
} break; } break;
case 'Q':
#ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -Q incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n",
prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_flags = LUTIL_SASL_QUIET;
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
case 'R':
#ifdef HAVE_CYRUS_SASL
if( sasl_realm != NULL ) {
fprintf( stderr, "%s: -R previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -R incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n",
prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_realm = strdup( optarg );
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
break;
case 'U': case 'U':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( sasl_authc_id != NULL ) {
fprintf( stderr, "%s: -U previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -U incompatible with version %d\n", fprintf( stderr, "%s: -U incompatible with version %d\n",
prog, version ); prog, version );
@ -368,9 +444,7 @@ main( int argc, char **argv )
} }
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3; version = LDAP_VERSION3;
sasl_authc_id = strdup( optarg ); sasl_authc_id = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else #else
fprintf( stderr, "%s: was not compiled with SASL support\n", fprintf( stderr, "%s: was not compiled with SASL support\n",
prog ); prog );
@ -386,7 +460,7 @@ main( int argc, char **argv )
char* p; char* p;
for( p = optarg; *p == '\0'; p++ ) { for( p = optarg; *p == '\0'; p++ ) {
*p = '*'; *p = '\0';
} }
} }
passwd.bv_len = strlen( passwd.bv_val ); passwd.bv_len = strlen( passwd.bv_val );
@ -396,6 +470,10 @@ main( int argc, char **argv )
break; break;
case 'Y': case 'Y':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( sasl_mech != NULL ) {
fprintf( stderr, "%s: -Y previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -Y incompatible with version %d\n", fprintf( stderr, "%s: -Y incompatible with version %d\n",
prog, version ); prog, version );
@ -405,9 +483,9 @@ main( int argc, char **argv )
fprintf( stderr, "%s: incompatible with authentication choice\n", prog ); fprintf( stderr, "%s: incompatible with authentication choice\n", prog );
return EXIT_FAILURE; return EXIT_FAILURE;
} }
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3; version = LDAP_VERSION3;
sasl_mech = strdup( optarg );
#else #else
fprintf( stderr, "%s: was not compiled with SASL support\n", fprintf( stderr, "%s: was not compiled with SASL support\n",
prog ); prog );
@ -424,6 +502,10 @@ main( int argc, char **argv )
break; break;
case 'X': case 'X':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( sasl_authz_id != NULL ) {
fprintf( stderr, "%s: -X previously specified\n" );
return EXIT_FAILURE;
}
if( version == LDAP_VERSION2 ) { if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -X incompatible with LDAPv%d\n", fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
prog, version ); prog, version );
@ -436,9 +518,7 @@ main( int argc, char **argv )
} }
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3; version = LDAP_VERSION3;
sasl_authz_id = strdup( optarg ); sasl_authz_id = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else #else
fprintf( stderr, "%s: not compiled with SASL support\n", fprintf( stderr, "%s: not compiled with SASL support\n",
prog ); prog );
@ -604,6 +684,8 @@ main( int argc, char **argv )
if ( authmethod == LDAP_AUTH_SASL ) { if ( authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
void *defaults;
if( sasl_secprops != NULL ) { if( sasl_secprops != NULL ) {
rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS, rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
(void *) sasl_secprops ); (void *) sasl_secprops );
@ -616,8 +698,16 @@ main( int argc, char **argv )
} }
} }
defaults = lutil_sasl_defaults( ld, sasl_flags,
sasl_mech,
sasl_realm,
sasl_authc_id,
passwd.bv_val,
sasl_authz_id );
rc = ldap_sasl_interactive_bind_s( ld, binddn, rc = ldap_sasl_interactive_bind_s( ld, binddn,
sasl_mech, NULL, NULL, lutil_sasl_interact ); sasl_mech, NULL, NULL,
lutil_sasl_interact, defaults );
if( rc != LDAP_SUCCESS ) { if( rc != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_sasl_interactive_bind_s" ); ldap_perror( ld, "ldap_sasl_interactive_bind_s" );

22
include/ldap.h
View file

@ -131,13 +131,16 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_TRY 4 #define LDAP_OPT_X_TLS_TRY 4
/* OpenLDAP SASL options */ /* OpenLDAP SASL options */
#define LDAP_OPT_X_SASL_SSF 0x6100 /* read-only */ #define LDAP_OPT_X_SASL_MECH 0x6100
#define LDAP_OPT_X_SASL_SSF_EXTERNAL 0x6101 /* write-only */ #define LDAP_OPT_X_SASL_REALM 0x6101
#define LDAP_OPT_X_SASL_SECPROPS 0x6102 /* write-only */ #define LDAP_OPT_X_SASL_AUTHCID 0x6102
#define LDAP_OPT_X_SASL_AUTHZID 0x6103
#define LDAP_OPT_X_SASL_SSF_MIN 0x6103 #define LDAP_OPT_X_SASL_SSF 0x6104 /* read-only */
#define LDAP_OPT_X_SASL_SSF_MAX 0x6104 #define LDAP_OPT_X_SASL_SSF_EXTERNAL 0x6105 /* write-only */
#define LDAP_OPT_X_SASL_MAXBUFSIZE 0x6105 #define LDAP_OPT_X_SASL_SECPROPS 0x6106 /* write-only */
#define LDAP_OPT_X_SASL_SSF_MIN 0x6107
#define LDAP_OPT_X_SASL_SSF_MAX 0x6108
#define LDAP_OPT_X_SASL_MAXBUFSIZE 0x6109
/* on/off values */ /* on/off values */
@ -695,7 +698,7 @@ ldap_sasl_bind LDAP_P((
/* V3 SASL Interaction Function Callback Prototype */ /* V3 SASL Interaction Function Callback Prototype */
/* when using Cyrus SASL, interact is pointer to sasl_interact_t */ /* when using Cyrus SASL, interact is pointer to sasl_interact_t */
typedef int (LDAP_SASL_INTERACT_PROC) LDAP_P(( typedef int (LDAP_SASL_INTERACT_PROC) LDAP_P((
LDAP *ld, void *interact )); LDAP *ld, void* defaults, void *interact ));
LDAP_F( int ) LDAP_F( int )
ldap_sasl_interactive_bind_s LDAP_P(( ldap_sasl_interactive_bind_s LDAP_P((
@ -704,7 +707,8 @@ ldap_sasl_interactive_bind_s LDAP_P((
LDAP_CONST char *saslMechanism, LDAP_CONST char *saslMechanism,
LDAPControl **serverControls, LDAPControl **serverControls,
LDAPControl **clientControls, LDAPControl **clientControls,
LDAP_SASL_INTERACT_PROC *proc )); LDAP_SASL_INTERACT_PROC *proc,
LDAP_CONST void *defaults ));
LDAP_F( int ) LDAP_F( int )
ldap_sasl_bind_s LDAP_P(( ldap_sasl_bind_s LDAP_P((

21
include/lutil_ldap.h
View file

@ -21,9 +21,28 @@
LDAP_BEGIN_DECL LDAP_BEGIN_DECL
/*
* Automatic (default): use defaults, prompt otherwise
* Interactive: prompt always
* Quiet: never prompt
*/
#define LUTIL_SASL_AUTOMATIC 0U
#define LUTIL_SASL_INTERACTIVE 1U
#define LUTIL_SASL_QUIET 2U
LDAP_LUTIL_F( void * )
lutil_sasl_defaults LDAP_P((
LDAP *ld,
unsigned flags,
char *mech,
char *realm,
char *authcid,
char *passwd,
char *authzid ));
LDAP_LUTIL_F( int ) LDAP_LUTIL_F( int )
lutil_sasl_interact LDAP_P(( lutil_sasl_interact LDAP_P((
LDAP *ld, void *p )); LDAP *ld, void *defaults, void *p ));
LDAP_END_DECL LDAP_END_DECL

24
libraries/libldap/cyrus.c
View file

@ -455,7 +455,8 @@ ldap_int_sasl_bind(
const char *mechs, const char *mechs,
LDAPControl **sctrls, LDAPControl **sctrls,
LDAPControl **cctrls, LDAPControl **cctrls,
LDAP_SASL_INTERACT_PROC *interact ) LDAP_SASL_INTERACT_PROC *interact,
void * defaults )
{ {
char *data; char *data;
const char *mech = NULL; const char *mech = NULL;
@ -525,7 +526,7 @@ ldap_int_sasl_bind(
if( saslrc == SASL_INTERACT ) { if( saslrc == SASL_INTERACT ) {
if( !interact ) break; if( !interact ) break;
rc = (interact)( ld, prompts ); rc = (interact)( ld, defaults, prompts );
if( rc != LDAP_SUCCESS ) { if( rc != LDAP_SUCCESS ) {
break; break;
} }
@ -574,7 +575,7 @@ ldap_int_sasl_bind(
if( saslrc == SASL_INTERACT ) { if( saslrc == SASL_INTERACT ) {
int res; int res;
if( !interact ) break; if( !interact ) break;
res = (interact)( ld, prompts ); res = (interact)( ld, defaults, prompts );
if( res != LDAP_SUCCESS ) { if( res != LDAP_SUCCESS ) {
break; break;
} }
@ -740,6 +741,23 @@ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
return -1; return -1;
switch ( option ) { switch ( option ) {
case LDAP_OPT_X_SASL_MECH: {
*(char **)arg = ld->ld_options.ldo_def_sasl_mech
? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_mech ) : NULL;
} break;
case LDAP_OPT_X_SASL_REALM: {
*(char **)arg = ld->ld_options.ldo_def_sasl_realm
? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_realm ) : NULL;
} break;
case LDAP_OPT_X_SASL_AUTHCID: {
*(char **)arg = ld->ld_options.ldo_def_sasl_authcid
? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_authcid ) : NULL;
} break;
case LDAP_OPT_X_SASL_AUTHZID: {
*(char **)arg = ld->ld_options.ldo_def_sasl_authzid
? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_authzid ) : NULL;
} break;
case LDAP_OPT_X_SASL_SSF: { case LDAP_OPT_X_SASL_SSF: {
int sc; int sc;
sasl_ssf_t *ssf; sasl_ssf_t *ssf;

45
libraries/libldap/init.c
View file

@ -69,17 +69,25 @@ static const struct ol_attribute {
{0, ATTR_BOOL, "RESTART", NULL, LDAP_BOOL_RESTART}, {0, ATTR_BOOL, "RESTART", NULL, LDAP_BOOL_RESTART},
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
{0, ATTR_SASL, "SASL_SECPROPS",NULL, LDAP_OPT_X_SASL_SECPROPS}, {1, ATTR_STRING, "SASL_MECH", NULL,
offsetof(struct ldapoptions, ldo_def_sasl_mech)},
{1, ATTR_STRING, "SASL_REALM", NULL,
offsetof(struct ldapoptions, ldo_def_sasl_realm)},
{1, ATTR_STRING, "SASL_AUTHCID", NULL,
offsetof(struct ldapoptions, ldo_def_sasl_authcid)},
{1, ATTR_STRING, "SASL_AUTHZID", NULL,
offsetof(struct ldapoptions, ldo_def_sasl_authzid)},
{0, ATTR_SASL, "SASL_SECPROPS", NULL, LDAP_OPT_X_SASL_SECPROPS},
#endif #endif
#ifdef HAVE_TLS #ifdef HAVE_TLS
{0, ATTR_TLS, "TLS", NULL, LDAP_OPT_X_TLS}, {0, ATTR_TLS, "TLS", NULL, LDAP_OPT_X_TLS},
{0, ATTR_TLS, "TLS_CERT", NULL, LDAP_OPT_X_TLS_CERTFILE}, {1, ATTR_TLS, "TLS_CERT", NULL, LDAP_OPT_X_TLS_CERTFILE},
{0, ATTR_TLS, "TLS_KEY", NULL, LDAP_OPT_X_TLS_KEYFILE}, {1, ATTR_TLS, "TLS_KEY", NULL, LDAP_OPT_X_TLS_KEYFILE},
{0, ATTR_TLS, "TLS_CACERT", NULL, LDAP_OPT_X_TLS_CACERTFILE}, {0, ATTR_TLS, "TLS_CACERT", NULL, LDAP_OPT_X_TLS_CACERTFILE},
{0, ATTR_TLS, "TLS_CACERTDIR",NULL, LDAP_OPT_X_TLS_CACERTDIR}, {0, ATTR_TLS, "TLS_CACERTDIR",NULL, LDAP_OPT_X_TLS_CACERTDIR},
{0, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT}, {1, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT},
{0, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE}, {1, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE},
#endif #endif
{0, ATTR_NONE, NULL, NULL, 0} {0, ATTR_NONE, NULL, NULL, 0}
@ -395,10 +403,12 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
LDAP_BOOL_SET(gopts, LDAP_BOOL_REFERRALS); LDAP_BOOL_SET(gopts, LDAP_BOOL_REFERRALS);
#ifdef HAVE_TLS
gopts->ldo_tls_ctx = NULL;
#endif
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
gopts->ldo_def_sasl_mech = NULL;
gopts->ldo_def_sasl_realm = NULL;
gopts->ldo_def_sasl_authcid = NULL;
gopts->ldo_def_sasl_authzid = NULL;
memset( &gopts->ldo_sasl_secprops, '\0', sizeof(gopts->ldo_sasl_secprops) ); memset( &gopts->ldo_sasl_secprops, '\0', sizeof(gopts->ldo_sasl_secprops) );
gopts->ldo_sasl_secprops.max_ssf = INT_MAX; gopts->ldo_sasl_secprops.max_ssf = INT_MAX;
@ -406,6 +416,10 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
gopts->ldo_sasl_secprops.security_flags = SASL_SEC_NOPLAINTEXT|SASL_SEC_NOANONYMOUS; gopts->ldo_sasl_secprops.security_flags = SASL_SEC_NOPLAINTEXT|SASL_SEC_NOANONYMOUS;
#endif #endif
#ifdef HAVE_TLS
gopts->ldo_tls_ctx = NULL;
#endif
gopts->ldo_valid = LDAP_INITIALIZED; gopts->ldo_valid = LDAP_INITIALIZED;
return; return;
@ -450,6 +464,21 @@ void ldap_int_initialize( struct ldapoptions *gopts, int *dbglvl )
return; return;
} }
#ifdef HAVE_CYRUS_SASL
{
/* set authentication identity to current user name */
char *user = getenv("USER");
if( user == NULL ) user = getenv("USERNAME");
if( user == NULL ) user = getenv("LOGNAME");
if( user != NULL ) {
/* this value is leaked, need at_exit() handler */
gopts->ldo_def_sasl_authcid = LDAP_STRDUP( user );
}
}
#endif
openldap_ldap_init_w_sysconf(LDAP_CONF_FILE); openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);
openldap_ldap_init_w_userconf(LDAP_USERRC_FILE); openldap_ldap_init_w_userconf(LDAP_USERRC_FILE);

24
libraries/libldap/ldap-int.h
View file

@ -125,7 +125,17 @@ struct ldapoptions {
LDAPURLDesc *ldo_defludp; LDAPURLDesc *ldo_defludp;
int ldo_defport; int ldo_defport;
char* ldo_defbase; char* ldo_defbase;
char* ldo_defbinddn; /* simple bind dn */ char* ldo_defbinddn; /* bind dn */
#ifdef HAVE_CYRUS_SASL
char* ldo_def_sasl_mech; /* SASL Mechanism(s) */
char* ldo_def_sasl_realm; /* SASL realm */
char* ldo_def_sasl_authcid; /* SASL authentication identity */
char* ldo_def_sasl_authzid; /* SASL authorization identity */
/* SASL Security Properties */
struct sasl_security_properties ldo_sasl_secprops;
#endif
#ifdef LDAP_CONNECTIONLESS #ifdef LDAP_CONNECTIONLESS
int ldo_cldaptries; /* connectionless search retry count */ int ldo_cldaptries; /* connectionless search retry count */
@ -145,9 +155,6 @@ struct ldapoptions {
/* tls context */ /* tls context */
void *ldo_tls_ctx; void *ldo_tls_ctx;
int ldo_tls_mode; int ldo_tls_mode;
#endif
#ifdef HAVE_CYRUS_SASL
struct sasl_security_properties ldo_sasl_secprops;
#endif #endif
LDAP_BOOLEANS ldo_booleans; /* boolean options */ LDAP_BOOLEANS ldo_booleans; /* boolean options */
}; };
@ -545,9 +552,12 @@ LDAP_F (int) ldap_int_sasl_config LDAP_P(( struct ldapoptions *lo,
int option, const char *arg )); int option, const char *arg ));
LDAP_F (int) ldap_int_sasl_bind LDAP_P(( LDAP_F (int) ldap_int_sasl_bind LDAP_P((
struct ldap *, LDAP_CONST char *, struct ldap *ld,
const char *, LDAPControl **, LDAPControl **, const char *,
LDAP_SASL_INTERACT_PROC *interact )); const char *,
LDAPControl **, LDAPControl **,
LDAP_SASL_INTERACT_PROC *interact,
void *defaults));
/* /*
* in tls.c * in tls.c

12
libraries/libldap/open.c
View file

@ -140,10 +140,20 @@ ldap_create( LDAP **ldp )
ld->ld_valid = LDAP_VALID_SESSION; ld->ld_valid = LDAP_VALID_SESSION;
/* but not pointers to malloc'ed items */ /* but not pointers to malloc'ed items */
ld->ld_options.ldo_defludp = NULL;
ld->ld_options.ldo_sctrls = NULL; ld->ld_options.ldo_sctrls = NULL;
ld->ld_options.ldo_cctrls = NULL; ld->ld_options.ldo_cctrls = NULL;
#ifdef HAVE_CYRUS_SASL
ld->ld_options.ldo_def_sasl_mech = gopts->ldo_def_sasl_mech
? LDAP_STRDUP( gopts->ldo_def_sasl_mech ) : NULL;
ld->ld_options.ldo_def_sasl_realm = gopts->ldo_def_sasl_realm
? LDAP_STRDUP( gopts->ldo_def_sasl_realm ) : NULL;
ld->ld_options.ldo_def_sasl_authcid = gopts->ldo_def_sasl_authcid
? LDAP_STRDUP( gopts->ldo_def_sasl_authcid ) : NULL;
ld->ld_options.ldo_def_sasl_authzid = gopts->ldo_def_sasl_authzid
? LDAP_STRDUP( gopts->ldo_def_sasl_authzid ) : NULL;
#endif
ld->ld_options.ldo_defludp = ldap_url_duplist(gopts->ldo_defludp); ld->ld_options.ldo_defludp = ldap_url_duplist(gopts->ldo_defludp);
if ( ld->ld_options.ldo_defludp == NULL ) { if ( ld->ld_options.ldo_defludp == NULL ) {

6
libraries/libldap/sasl.c
View file

@ -410,7 +410,8 @@ ldap_sasl_interactive_bind_s(
LDAP_CONST char *mechs, LDAP_CONST char *mechs,
LDAPControl **serverControls, LDAPControl **serverControls,
LDAPControl **clientControls, LDAPControl **clientControls,
LDAP_SASL_INTERACT_PROC *interact ) LDAP_SASL_INTERACT_PROC *interact,
void *defaults )
{ {
int rc; int rc;
@ -436,7 +437,8 @@ ldap_sasl_interactive_bind_s(
} }
rc = ldap_int_sasl_bind( ld, dn, mechs, rc = ldap_int_sasl_bind( ld, dn, mechs,
serverControls, clientControls, interact ); serverControls, clientControls,
interact, defaults );
return rc; return rc;
} }

105
libraries/liblutil/sasl.c
View file

@ -18,15 +18,80 @@
#include <ldap.h> #include <ldap.h>
#include "lutil_ldap.h" #include "lutil_ldap.h"
static int interaction(
sasl_interact_t *interact ) typedef struct lutil_sasl_defaults_s {
unsigned flags;
char *mech;
char *realm;
char *authcid;
char *passwd;
char *authzid;
} lutilSASLdefaults;
void *
lutil_sasl_defaults(
LDAP *ld,
unsigned flags,
char *mech,
char *realm,
char *authcid,
char *passwd,
char *authzid )
{ {
lutilSASLdefaults *defaults;
defaults = ber_memalloc( sizeof( lutilSASLdefaults ) );
if( defaults == NULL ) return NULL;
defaults->flags = flags;
defaults->mech = mech;
defaults->realm = realm;
defaults->authcid = authcid;
defaults->passwd = passwd;
defaults->authzid = authzid;
if( defaults->mech == NULL ) {
ldap_get_option( ld, LDAP_OPT_X_SASL_MECH, &defaults->mech );
}
if( defaults->realm == NULL ) {
ldap_get_option( ld, LDAP_OPT_X_SASL_REALM, &defaults->realm );
}
if( defaults->authcid == NULL ) {
ldap_get_option( ld, LDAP_OPT_X_SASL_AUTHCID, &defaults->authcid );
}
if( defaults->authzid == NULL ) {
ldap_get_option( ld, LDAP_OPT_X_SASL_AUTHZID, &defaults->authzid );
}
return defaults;
}
static int interaction(
sasl_interact_t *interact, lutilSASLdefaults *defaults )
{
unsigned flags = defaults ? defaults->flags : 0;
const char *dflt = interact->defresult;
char input[1024]; char input[1024];
int noecho=0; int noecho=0;
int challenge=0; int challenge=0;
switch( interact->id ) { switch( interact->id ) {
case SASL_CB_GETREALM:
if( defaults ) dflt = defaults->realm;
break;
case SASL_CB_AUTHNAME:
if( defaults ) dflt = defaults->authcid;
break;
case SASL_CB_PASS:
if( defaults ) dflt = defaults->passwd;
noecho = 1;
break;
case SASL_CB_USER:
if( defaults ) dflt = defaults->authzid;
break;
case SASL_CB_NOECHOPROMPT: case SASL_CB_NOECHOPROMPT:
noecho = 1; noecho = 1;
challenge = 1; challenge = 1;
@ -34,22 +99,31 @@ static int interaction(
case SASL_CB_ECHOPROMPT: case SASL_CB_ECHOPROMPT:
challenge = 1; challenge = 1;
break; break;
case SASL_CB_PASS: }
noecho = 1;
break; if( dflt && !*dflt ) dflt = NULL;
if( flags != LUTIL_SASL_INTERACTIVE && dflt ) {
goto use_default;
}
if( flags == LUTIL_SASL_QUIET ) {
/* don't prompt */
return LDAP_OTHER;
} }
if( challenge ) { if( challenge ) {
if( interact->challenge ) { if( interact->challenge ) {
fprintf( stderr, "Challenge: %s\n", interact->challenge ); fprintf( stderr, "Challenge: %s\n", interact->challenge );
} }
if( interact->defresult ) {
fprintf( stderr, "Default Result: %s\n", interact->defresult );
} }
if( dflt ) {
fprintf( stderr, "Default: %s\n", dflt );
} }
sprintf( input, "%s: ", sprintf( input, "%s: ",
interact->prompt ? interact->prompt : "Interaction required" ); interact->prompt ? interact->prompt : "Interact" );
if( noecho ) { if( noecho ) {
interact->result = (char *) getpassphrase( input ); interact->result = (char *) getpassphrase( input );
@ -88,8 +162,17 @@ static int interaction(
memset( p, '\0', interact->len ); memset( p, '\0', interact->len );
} else { } else {
use_default:
/* must be empty */ /* must be empty */
interact->result = strdup(""); interact->result = strdup( (dflt && *dflt) ? dflt : "" );
interact->len = interact->result
? strlen( interact->result ) : 0;
}
if( defaults && defaults->passwd && interact->id == SASL_CB_PASS ) {
/* zap password after first use */
memset( defaults->passwd, '\0', strlen(defaults->passwd) );
defaults->passwd = NULL;
} }
return LDAP_SUCCESS; return LDAP_SUCCESS;
@ -97,6 +180,7 @@ static int interaction(
int lutil_sasl_interact( int lutil_sasl_interact(
LDAP *ld, LDAP *ld,
void *defaults,
void *in ) void *in )
{ {
sasl_interact_t *interact = in; sasl_interact_t *interact = in;
@ -104,7 +188,7 @@ int lutil_sasl_interact(
fputs( "SASL Interaction\n", stderr ); fputs( "SASL Interaction\n", stderr );
while( interact->id != SASL_CB_LIST_END ) { while( interact->id != SASL_CB_LIST_END ) {
int rc = interaction( interact ); int rc = interaction( interact, defaults );
if( rc ) return rc; if( rc ) return rc;
interact++; interact++;
@ -112,5 +196,4 @@ int lutil_sasl_interact(
return LDAP_SUCCESS; return LDAP_SUCCESS;
} }
#endif #endif

2
servers/slapd/tools/slappasswd.c
View file

@ -63,7 +63,7 @@ main( int argc, char *argv[] )
char* p; char* p;
for( p = optarg; *p == '\0'; p++ ) { for( p = optarg; *p == '\0'; p++ ) {
*p = '*'; *p = '\0';
} }
} }
break; break;