Error handling changes including separation of client v. server

SASL to LDAP translation.  plus comments and other minor changes

include/ldap.h

@@ -102,6 +102,8 @@ LDAP_BEGIN_DECL
 
 /* 0x34 - 0x0fff not defined by current draft */
 
+#define LDAP_OPT_PRIVATE_EXTENSION_BASE 0x4000  /* to 0x7FFF inclusive */
+
 /* private and experimental options */
 #define LDAP_OPT_DNS				0x4001	/* use DN & DNS */
 
@@ -112,7 +114,7 @@ LDAP_BEGIN_DECL
 #define LDAP_OPT_NETWORK_TIMEOUT        0x5005  /* socket level timeout */
 #define LDAP_OPT_URI				0x5006
 
-/* TLS options */
+/* OpenLDAP TLS options */
 #define LDAP_OPT_X_TLS_CACERTFILE	0x6001
 #define LDAP_OPT_X_TLS_CACERTDIR	0x6002
 #define LDAP_OPT_X_TLS_CERT		0x6003
@@ -129,7 +131,7 @@ LDAP_BEGIN_DECL
 #define LDAP_OPT_X_TLS_ALLOW		3
 #define LDAP_OPT_X_TLS_TRY		4
 
-/* SASL options */
+/* OpenLDAP SASL options */
 #define LDAP_OPT_X_SASL_MINSSF		0x6100
 #define LDAP_OPT_X_SASL_MAXSSF		0x6101
 #define LDAP_OPT_X_SASL_ACTSSF		0x6102

include/ldap_pvt.h

@@ -113,7 +113,6 @@ LIBLDAP_F (int) ldap_pvt_unhex( int c );
 
 LIBLDAP_F (int) ldap_pvt_sasl_init LDAP_P(( void )); /* clientside init */
 LIBLDAP_F (int) ldap_pvt_sasl_install LDAP_P(( Sockbuf *, void * ));
-LIBLDAP_F (int) ldap_pvt_sasl_err2ldap LDAP_P(( int ));
 LIBLDAP_F (int) ldap_pvt_sasl_bind LDAP_P(( LDAP *, LDAP_CONST char *,
 	LDAP_CONST char *, LDAP_CONST sasl_callback_t *, LDAPControl **,
 	LDAPControl ** ));

libraries/libldap/kbind.c

@@ -269,7 +269,7 @@ ldap_get_kerberosv4_credentials(
 		fprintf( stderr, "krb_get_tf_realm failed (%s)\n",
 		    krb_err_txt[err] );
 #endif /* LDAP_LIBUI */
-		ld->ld_errno = LDAP_INVALID_CREDENTIALS;
+		ld->ld_errno = LDAP_AUTH_UNKNOWN;
 		return( NULL );
 	}
 
@@ -287,7 +287,7 @@ ldap_get_kerberosv4_credentials(
 #ifdef LDAP_LIBUI
 		fprintf( stderr, "krb_mk_req failed (%s)\n", krb_err_txt[err] );
 #endif /* LDAP_LIBUI */
-		ld->ld_errno = LDAP_INVALID_CREDENTIALS;
+		ld->ld_errno = LDAP_AUTH_UNKNOWN;
 		return( NULL );
 	}
 

libraries/libldap/libldap.dsp

@@ -355,6 +355,10 @@ SOURCE=.\string.c
 # End Source File
 # Begin Source File
 
+SOURCE=.\tls.c
+# End Source File
+# Begin Source File
+
 SOURCE=.\ufn.c
 # End Source File
 # Begin Source File

libraries/libldap/sasl.c

@@ -497,42 +497,43 @@ static int sasl_close( Sockbuf *sb )
 	(ber_pvt_sb_io_tcp.sbi_close)( sb );
 }
 
-int
-ldap_pvt_sasl_err2ldap( int saslerr )
+static int
+sasl_err2ldap( int saslerr )
 {
 	int rc;
 
 	switch (saslerr) {
 		case SASL_CONTINUE:
-			rc = LDAP_SASL_BIND_IN_PROGRESS;
+			rc = LDAP_MORE_RESULTS_TO_RETURN;
 			break;
 		case SASL_OK:
 			rc = LDAP_SUCCESS;
 			break;
 		case SASL_FAIL:
-			rc = LDAP_OPERATIONS_ERROR;
+			rc = LDAP_LOCAL_ERROR;
 			break;
 		case SASL_NOMEM:
 			rc = LDAP_NO_MEMORY;
 			break;
 		case SASL_NOMECH:
-			rc = LDAP_AUTH_METHOD_NOT_SUPPORTED;
+			rc = LDAP_AUTH_UNKNOWN;
 			break;
 		case SASL_BADAUTH:
-			rc = LDAP_INVALID_CREDENTIALS;
+			rc = LDAP_AUTH_UNKNOWN;
 			break;
 		case SASL_NOAUTHZ:
-			rc = LDAP_INSUFFICIENT_ACCESS;
+			rc = LDAP_PARAM_ERROR;
 			break;
 		case SASL_TOOWEAK:
 		case SASL_ENCRYPT:
-			rc = LDAP_INAPPROPRIATE_AUTH;
+			rc = LDAP_AUTH_UNKNOWN;
 			break;
 		default:
-			rc = LDAP_OPERATIONS_ERROR;
+			rc = LDAP_LOCAL_ERROR;
 			break;
 	}
 
+	assert( rc == LDAP_SUCCESS || LDAP_API_ERROR( rc ) );
 	return rc;
 }
 
@@ -656,7 +657,7 @@ ldap_pvt_sasl_bind(
 
 	if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
 		LDAP_FREE( mechlist );
-		ld->ld_errno = ldap_pvt_sasl_err2ldap( rc );
+		ld->ld_errno = sasl_err2ldap( rc );
 		sasl_dispose( &ld->ld_sasl_context );
 		return ld->ld_errno;
 	}
@@ -675,7 +676,7 @@ ldap_pvt_sasl_bind(
 	LDAP_FREE( mechlist );
 
 	if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
-		ld->ld_errno = ldap_pvt_sasl_err2ldap( saslrc );
+		ld->ld_errno = sasl_err2ldap( saslrc );
 		sasl_dispose( &ld->ld_sasl_context );
 		return ld->ld_errno;
 	}
@@ -711,7 +712,7 @@ ldap_pvt_sasl_bind(
 		ber_bvfree( scred );
 
 		if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
-			ld->ld_errno = ldap_pvt_sasl_err2ldap( saslrc );
+			ld->ld_errno = sasl_err2ldap( saslrc );
 			sasl_dispose( &ld->ld_sasl_context );
 			return ld->ld_errno;
 		}

libraries/libldap_r/libldap_r.dsp

@@ -348,6 +348,10 @@ SOURCE=.\thr_stub.c
 # End Source File
 # Begin Source File
 
+SOURCE=..\libldap\tls.c
+# End Source File
+# Begin Source File
+
 SOURCE=..\libldap\ufn.c
 # End Source File
 # Begin Source File

servers/slapd/sasl.c

@@ -19,33 +19,73 @@ char **supportedSASLMechanisms = NULL;
 char *sasl_host = NULL;
 
 #ifdef HAVE_CYRUS_SASL
-static void *sasl_pvt_mutex_new(void)
+static void *slap_sasl_mutex_new(void)
 {
 	ldap_pvt_thread_mutex_t *mutex;
 
-	mutex = (ldap_pvt_thread_mutex_t *)ch_malloc( sizeof(ldap_pvt_thread_mutex_t) );
+	mutex = (ldap_pvt_thread_mutex_t *) ch_malloc( sizeof(ldap_pvt_thread_mutex_t) );
 	if ( ldap_pvt_thread_mutex_init( mutex ) == 0 ) {
 		return mutex;
 	}
 	return NULL;
 }
 
-static int sasl_pvt_mutex_lock(void *mutex)
+static int slap_sasl_mutex_lock(void *mutex)
 {
 	return ldap_pvt_thread_mutex_lock( (ldap_pvt_thread_mutex_t *)mutex );
 }
 
-static int sasl_pvt_mutex_unlock(void *mutex)
+static int slap_sasl_mutex_unlock(void *mutex)
 {
 	return ldap_pvt_thread_mutex_unlock( (ldap_pvt_thread_mutex_t *)mutex );
 }
 
-static void sasl_pvt_mutex_dispose(void *mutex)
+static void slap_sasl_mutex_dispose(void *mutex)
 {
 	(void) ldap_pvt_thread_mutex_destroy( (ldap_pvt_thread_mutex_t *)mutex );
 	free( mutex );
 }
 
+static int
+slap_sasl_err2ldap( int saslerr )
+{
+	int rc;
+
+	switch (saslerr) {
+		case SASL_CONTINUE:
+			rc = LDAP_SASL_BIND_IN_PROGRESS;
+			break;
+		case SASL_OK:
+			rc = LDAP_SUCCESS;
+			break;
+		case SASL_FAIL:
+			rc = LDAP_OTHER;
+			break;
+		case SASL_NOMEM:
+			rc = LDAP_OTHER;
+			break;
+		case SASL_NOMECH:
+			rc = LDAP_AUTH_METHOD_NOT_SUPPORTED;
+			break;
+		case SASL_BADAUTH:
+			rc = LDAP_INVALID_CREDENTIALS;
+			break;
+		case SASL_NOAUTHZ:
+			rc = LDAP_INSUFFICIENT_ACCESS;
+			break;
+		case SASL_TOOWEAK:
+		case SASL_ENCRYPT:
+			rc = LDAP_INAPPROPRIATE_AUTH;
+			break;
+		default:
+			rc = LDAP_OTHER;
+			break;
+	}
+
+	return rc;
+}
+
+
 int sasl_init( void )
 {
 	int rc;
@@ -54,8 +94,11 @@ int sasl_init( void )
 
 	sasl_set_alloc( ch_malloc, ch_calloc, ch_realloc, ch_free ); 
 
-	sasl_set_mutex( sasl_pvt_mutex_new, sasl_pvt_mutex_lock,
-		sasl_pvt_mutex_unlock, sasl_pvt_mutex_dispose );
+	sasl_set_mutex(
+		slap_sasl_mutex_new,
+		slap_sasl_mutex_lock,
+		slap_sasl_mutex_unlock,
+		slap_sasl_mutex_dispose );
 
 	rc = sasl_server_init( NULL, "slapd" );
 
@@ -188,7 +231,7 @@ int sasl_bind(
 				cred->bv_val, cred->bv_len, (char **)&response.bv_val,
 				(unsigned *)&response.bv_len, &errstr );
 			if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) {
-				send_ldap_result( conn, op, rc = ldap_pvt_sasl_err2ldap( sc ),
+				send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 					NULL, errstr, NULL, NULL );
 			}
 		}
@@ -196,7 +239,7 @@ int sasl_bind(
 		sc = sasl_server_step( conn->c_sasl_bind_context, cred->bv_val, cred->bv_len,
 			(char **)&response.bv_val, (unsigned *)&response.bv_len, &errstr );
 		if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) {
-			send_ldap_result( conn, op, rc = ldap_pvt_sasl_err2ldap( sc ),
+			send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 				NULL, errstr, NULL, NULL );
 		}
 	}
@@ -206,7 +249,7 @@ int sasl_bind(
 
 		if ( ( sc = sasl_getprop( conn->c_sasl_bind_context, SASL_USERNAME,
 			(void **)&authzid ) ) != SASL_OK ) {
-			send_ldap_result( conn, op, rc = ldap_pvt_sasl_err2ldap( sc ),
+			send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 				NULL, NULL, NULL, NULL );
 
 		} else {