Import ITS#2871 from HEAD - always set mech, don't parse realms.
parent
c2285943bc
commit
ee333c45c2
3 changed files with 48 additions and 35 deletions
|
|
@ -987,7 +987,7 @@ backend_check_restrictions(
|
|||
if( requires & SLAP_REQUIRE_STRONG ) {
|
||||
/* should check mechanism */
|
||||
if( ( op->o_transport_ssf < ssf->sss_transport
|
||||
&& op->o_authmech.bv_len == 0 ) || op->o_dn.bv_len == 0 )
|
||||
&& op->o_authtype == LDAP_AUTH_SIMPLE ) || op->o_dn.bv_len == 0 )
|
||||
{
|
||||
*text = "strong authentication required";
|
||||
return LDAP_STRONG_AUTH_REQUIRED;
|
||||
|
|
@ -995,7 +995,7 @@ backend_check_restrictions(
|
|||
}
|
||||
|
||||
if( requires & SLAP_REQUIRE_SASL ) {
|
||||
if( op->o_authmech.bv_len == 0 || op->o_dn.bv_len == 0 ) {
|
||||
if( op->o_authtype != LDAP_AUTH_SASL || op->o_dn.bv_len == 0 ) {
|
||||
*text = "SASL authentication required";
|
||||
return LDAP_STRONG_AUTH_REQUIRED;
|
||||
}
|
||||
|
|
|
|||
|
|
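Review bot: The comment `/* should check mechanism */` above the SLAP_REQUIRE_STRONG test now describes the wrong thing, because the new condition keys on `op->o_authtype == LDAP_AUTH_SIMPLE` rather than on the mechanism; replace it with `/* a simple bind over a transport below sss_transport is not strong; every other bind method is treated as strong */`. That wording also makes the widening explicit: any non-simple, non-anonymous bind now satisfies the requirement, so if the KRBV4 path in do_bind is still reachable those binds pass this check with no transport SSF, where the old `o_authmech.bv_len == 0` test appears to have rejected them (the old do_bind does not seem to set the mechanism on that path). If that is intended, say so in the comment; otherwise enumerate the accepted methods instead of excluding one. backend_check_restrictions continues outside both hunks.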
@ -131,7 +131,7 @@ do_bind(
|
|||
tag = ber_scanf( ber, /*{*/ "m}", &cred );
|
||||
|
||||
} else {
|
||||
tag = ber_scanf( ber, "{o" /*}*/, &mech );
|
||||
tag = ber_scanf( ber, "{m" /*}*/, &mech );
|
||||
|
||||
if ( tag != LBER_ERROR ) {
|
||||
ber_len_t len;
|
||||
|
|
@ -298,9 +298,7 @@ do_bind(
|
|||
slap_sasl_reset(conn);
|
||||
}
|
||||
} else {
|
||||
conn->c_sasl_bind_mech = mech;
|
||||
mech.bv_val = NULL;
|
||||
mech.bv_len = 0;
|
||||
ber_dupbv( &conn->c_sasl_bind_mech, &mech );
|
||||
}
|
||||
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
|
||||
|
||||
|
|
@ -383,6 +381,7 @@ do_bind(
|
|||
}
|
||||
|
||||
if ( method == LDAP_AUTH_SIMPLE ) {
|
||||
ber_str2bv( "SIMPLE", sizeof("SIMPLE")-1, 0, &mech );
|
||||
/* accept "anonymous" binds */
|
||||
if ( cred.bv_len == 0 || ndn.bv_len == 0 ) {
|
||||
rc = LDAP_SUCCESS;
|
||||
|
|
@ -465,6 +464,7 @@ do_bind(
|
|||
#endif
|
||||
goto cleanup;
|
||||
}
|
||||
ber_str2bv( "KRBV4", sizeof("KRBV4")-1, 0, &mech );
|
||||
#endif
|
||||
|
||||
} else {
|
||||
|
|
@ -564,9 +564,9 @@ do_bind(
|
|||
}
|
||||
/* log authorization identity */
|
||||
Statslog( LDAP_DEBUG_STATS,
|
||||
"conn=%lu op=%lu BIND dn=\"%s\" mech=simple (SLAPI) ssf=0\n",
|
||||
"conn=%lu op=%lu BIND dn=\"%s\" mech=%s (SLAPI) ssf=0\n",
|
||||
op->o_connid, op->o_opid,
|
||||
conn->c_dn.bv_val, 0, 0 );
|
||||
conn->c_dn.bv_val, mech.bv_val, 0 );
|
||||
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
|
||||
}
|
||||
#ifdef NEW_LOGGING
|
||||
|
|
@ -614,9 +614,9 @@ do_bind(
|
|||
|
||||
/* log authorization identity */
|
||||
Statslog( LDAP_DEBUG_STATS,
|
||||
"conn=%lu op=%lu BIND dn=\"%s\" mech=simple ssf=0\n",
|
||||
"conn=%lu op=%lu BIND dn=\"%s\" mech=%s ssf=0\n",
|
||||
op->o_connid, op->o_opid,
|
||||
conn->c_dn.bv_val, conn->c_authmech.bv_val, 0 );
|
||||
conn->c_dn.bv_val, mech.bv_val, 0 );
|
||||
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( OPERATION, DETAIL1,
|
||||
|
|
@ -657,6 +657,13 @@ do_bind(
|
|||
#endif /* defined( LDAP_SLAPI ) */
|
||||
|
||||
cleanup:
|
||||
if ( rc == LDAP_SUCCESS ) {
|
||||
if ( method != LDAP_AUTH_SASL ) {
|
||||
ber_dupbv( &conn->c_authmech, &mech );
|
||||
}
|
||||
conn->c_authtype = method;
|
||||
}
|
||||
|
||||
conn->c_sasl_bindop = NULL;
|
||||
|
||||
if( pdn.bv_val != NULL ) {
|
||||
|
|
@ -665,9 +672,6 @@ cleanup:
|
|||
if( ndn.bv_val != NULL ) {
|
||||
free( ndn.bv_val );
|
||||
}
|
||||
if ( mech.bv_val != NULL ) {
|
||||
free( mech.bv_val );
|
||||
}
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
|
|
|||
|
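Review bot: In the new `cleanup:` block, `ber_dupbv( &conn->c_authmech, &mech );` allocates a fresh copy into `conn->c_authmech` without releasing whatever it held, so unless the part of do_bind before the first hunk already frees c_authmech on every new bind, a second bind on the same connection leaks the previous mechanism string. Both that store and the following `conn->c_authtype = method;` sit outside the `c_mutex` region that guards the `conn->c_dn` updates in the @564 and @614 hunks, so a reader on another thread could observe a mismatched authtype/authmech pair; if the lock is not already held at cleanup, bracket the two stores with `ldap_pvt_thread_mutex_lock( &conn->c_mutex );` and `ldap_pvt_thread_mutex_unlock( &conn->c_mutex );`. Since `mech` is now filled by `"{m"` or by `ber_str2bv( …, 0, &mech )`, it points into the request ber or a string literal, which is why dropping the old `free( mech.bv_val )` is correct; a one-line comment at the declaration site, `/* mech borrows storage from the ber or a literal; never freed */`, would stop the next reader from reintroducing it. do_bind starts before the first hunk and its earlier state reset is not visible.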
|
@ -1548,9 +1548,8 @@ static struct berval ext_bv = BER_BVC( "EXTERNAL" );
|
|||
int slap_sasl_getdn( Connection *conn, char *id, int len,
|
||||
char *user_realm, struct berval *dn, int flags )
|
||||
{
|
||||
char *c1;
|
||||
int rc, is_dn = SET_NONE, do_norm = 1;
|
||||
struct berval dn2;
|
||||
struct berval dn2, *mech;
|
||||
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( TRANSPORT, ENTRY,
|
||||
|
|
@ -1576,14 +1575,20 @@ int slap_sasl_getdn( Connection *conn, char *id, int len,
|
|||
len = 0;
|
||||
}
|
||||
|
||||
if ( conn->c_sasl_bind_mech.bv_len ) {
|
||||
mech = &conn->c_sasl_bind_mech;
|
||||
} else {
|
||||
mech = &conn->c_authmech;
|
||||
}
|
||||
|
||||
/* An authcID needs to be converted to authzID form. Set the
|
||||
* values directly into *dn; they will be normalized later. (and
|
||||
* normalizing always makes a new copy.) An ID from a TLS certificate
|
||||
* is already normalized, so copy it and skip normalization.
|
||||
*/
|
||||
if( flags & SLAP_GETDN_AUTHCID ) {
|
||||
if( conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len &&
|
||||
strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 )
|
||||
if( mech->bv_len == ext_bv.bv_len &&
|
||||
strcasecmp( ext_bv.bv_val, mech->bv_val ) == 0 )
|
||||
{
|
||||
/* EXTERNAL DNs are already normalized */
|
||||
do_norm = 0;
|
||||
|
|
@ -1618,23 +1623,32 @@ int slap_sasl_getdn( Connection *conn, char *id, int len,
|
|||
|
||||
/* Username strings */
|
||||
if( is_dn == SET_U ) {
|
||||
char *p, *realm;
|
||||
char *p;
|
||||
struct berval realm = { 0, NULL }, c1 = *dn;
|
||||
len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1;
|
||||
|
||||
/* username may have embedded realm name */
|
||||
#if 0
|
||||
/* userids can legally have embedded '@' chars;
|
||||
* the realm should be set by those mechanisms
|
||||
* that support it by means of the user_realm
|
||||
* variable
|
||||
*/
|
||||
if( ( realm = strchr( dn->bv_val, '@') ) ) {
|
||||
*realm++ = '\0';
|
||||
len += sizeof(",cn=")-2;
|
||||
} else if( user_realm && *user_realm ) {
|
||||
len += strlen( user_realm ) + sizeof(",cn=")-1;
|
||||
} else
|
||||
#endif
|
||||
if( user_realm && *user_realm ) {
|
||||
realm.bv_val = user_realm;
|
||||
realm.bv_len = strlen( user_realm );
|
||||
len += realm.bv_len + sizeof(",cn=")-1;
|
||||
}
|
||||
|
||||
if( conn->c_sasl_bind_mech.bv_len ) {
|
||||
len += conn->c_sasl_bind_mech.bv_len + sizeof(",cn=")-1;
|
||||
if( mech->bv_len ) {
|
||||
len += mech->bv_len + sizeof(",cn=")-1;
|
||||
}
|
||||
|
||||
/* Build the new dn */
|
||||
c1 = dn->bv_val;
|
||||
dn->bv_val = SLAP_MALLOC( len+1 );
|
||||
if( dn->bv_val == NULL ) {
|
||||
#ifdef NEW_LOGGING
|
||||
|
|
@ -1647,21 +1661,16 @@ int slap_sasl_getdn( Connection *conn, char *id, int len,
|
|||
return LDAP_OTHER;
|
||||
}
|
||||
p = lutil_strcopy( dn->bv_val, "uid=" );
|
||||
p = lutil_strncopy( p, c1, dn->bv_len );
|
||||
p = lutil_strncopy( p, c1.bv_val, dn->bv_len );
|
||||
|
||||
if( realm ) {
|
||||
int rlen = dn->bv_len - ( realm - c1 );
|
||||
if( realm.bv_len ) {
|
||||
p = lutil_strcopy( p, ",cn=" );
|
||||
p = lutil_strncopy( p, realm, rlen );
|
||||
realm[-1] = '@';
|
||||
} else if( user_realm && *user_realm ) {
|
||||
p = lutil_strcopy( p, ",cn=" );
|
||||
p = lutil_strcopy( p, user_realm );
|
||||
p = lutil_strncopy( p, realm.bv_val, realm.bv_len );
|
||||
}
|
||||
|
||||
if( conn->c_sasl_bind_mech.bv_len ) {
|
||||
if( mech->bv_len ) {
|
||||
p = lutil_strcopy( p, ",cn=" );
|
||||
p = lutil_strcopy( p, conn->c_sasl_bind_mech.bv_val );
|
||||
p = lutil_strcopy( p, mech->bv_val );
|
||||
}
|
||||
p = lutil_strcopy( p, ",cn=auth" );
|
||||
dn->bv_len = p - dn->bv_val;
|
||||
|
|
@ -1670,7 +1679,7 @@ int slap_sasl_getdn( Connection *conn, char *id, int len,
|
|||
LDAP_LOG( TRANSPORT, ENTRY,
|
||||
"slap_sasl_getdn: u:id converted to %s.\n", dn->bv_val, 0, 0 );
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE, "getdn: u:id converted to %s\n", dn->bv_val,0,0 );
|
||||
Debug( LDAP_DEBUG_TRACE, "slap_sasl_getdn: u:id converted to %s\n", dn->bv_val,0,0 );
|
||||
#endif
|
||||
} else {
|
||||
|
||||
|
|
|
|||
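Review bot: The new block-scoped `struct berval realm = { 0, NULL }, c1 = *dn;` in the SET_U branch shadows the function-scope `char *c1;` declared at the top of slap_sasl_getdn (visible as context in the @1548 hunk) with a different type, which trips -Wshadow and makes the later `c1.bv_val` read easy to misparse; rename it, e.g. `struct berval realm = { 0, NULL }, orig = *dn;` and `p = lutil_strncopy( p, orig.bv_val, dn->bv_len );`. The `#if 0 … } else` / `#endif` / `if` construction keeps the old '@'-parsing code as dead text whose only remaining effect is to splice an `else` in if someone re-enables it; keep the explanatory comment and delete the dead branch, since the commit title says realm parsing is no longer wanted. Separately, `user_realm` and the id are still concatenated into the DN string unescaped (`p = lutil_strncopy( p, realm.bv_val, realm.bv_len );`), so a value containing `,` or `=` yields a structurally different authzDN; whether a client can influence `user_realm` depends on the mechanism, so where it can, escape the component per RFC 2253 before concatenation or reject such values. The function's other branches lie outside the hunks.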