Add experimental code to check simple bind passwords

against Cyrus SASLdb. Like other cleartext mechanisms, should be protected from eavesdropping.
2025-12-27 10:09:43 -05:00 · 2000-05-10 04:29:51 +00:00 · 2000-05-10 04:29:51 +00:00 · f224e69558
commit f224e69558
parent b9e7d777f1
6 changed files with 834 additions and 674 deletions
--- a/1405
+++ b/1405
--- a/configure.in
+++ b/configure.in
@ -135,6 +135,8 @@ OL_ARG_ENABLE(slapd,[  --enable-slapd	enable building slapd], yes)dnl
 OL_ARG_ENABLE(cleartext,[    --enable-cleartext	enable cleartext passwords], yes)dnl
 OL_ARG_ENABLE(crypt,[    --enable-crypt	enable crypt(3) passwords], auto)dnl
 OL_ARG_ENABLE(kpasswd,[    --enable-kpasswd	enable kerberos password verification], no)dnl
+OL_ARG_ENABLE(spasswd,[    --enable-spasswd	enable (Cyrus) SASL password verification], no)dnl
+OL_ARG_ENABLE(modules,[    --enable-modules	enable dynamic module support], no)dnl
 OL_ARG_ENABLE(modules,[    --enable-modules	enable dynamic module support], no)dnl
 OL_ARG_ENABLE(multimaster,[    --enable-multimaster	enable multimaster replication], no)dnl
 OL_ARG_ENABLE(phonetic,[    --enable-phonetic	enable phonetic/soundex], no)dnl
@ -401,6 +403,13 @@ elif test $ol_enable_kbind = no -o $ol_enable_kpasswd = no ; then
 	fi
 fi

+if test $ol_enable_spasswd = yes ; then
+	if test $ol_with_cyrus_sasl = no ; then
+		AC_MSG_ERROR([options require --with-cyrus-sasl])
+	fi
+	ol_with_cyrus_sasl=yes
+fi
+
 AC_MSG_RESULT(done)

 dnl ----------------------------------------------------------------
@ -2208,6 +2217,9 @@ fi
 if test "$ol_link_kpasswd" != no ; then
 	AC_DEFINE(SLAPD_KPASSWD,1,[define to support Kerberos passwords])
 fi
+if test "$ol_link_spasswd" != no ; then
+	AC_DEFINE(SLAPD_SPASSWD,1,[define to support SASL passwords])
+fi
 if test "$ol_enable_multimaster" != no ; then
 	AC_DEFINE(SLAPD_MULTIMASTER,1,[define to support multimaster replication])
 fi
--- a/include/lutil.h
+++ b/include/lutil.h
@ -71,6 +71,11 @@ lutil_authpasswd_hash LDAP_P((
 	struct berval **salt,	/* salt to store */
 	const char *method ));

+#if defined( SLAPD_SPASSWD ) && defined( HAVE_CYRUS_SASL )
+	/* cheat to avoid pulling in <sasl.h> */
+LIBLUTIL_F( struct sasl_conn * ) lutil_passwd_sasl_conn;
+#endif
+
 LIBLUTIL_F( int )
 lutil_passwd LDAP_P((
 	const struct berval *passwd,	/* stored password */
--- a/include/portable.h.in
+++ b/include/portable.h.in
@ -874,6 +874,9 @@
 /* define to support Kerberos passwords */
 #undef SLAPD_KPASSWD

+/* define to support SASL passwords */
+#undef SLAPD_SPASSWD
+
 /* define to support multimaster replication */
 #undef SLAPD_MULTIMASTER

--- a/libraries/liblutil/passwd.c
+++ b/libraries/liblutil/passwd.c
@ -22,6 +22,10 @@
 #include <ac/stdlib.h>
 #include <ac/string.h>

+#ifdef SLAPD_SPASSWD
+#	include <sasl.h>
+#endif
+
 #ifdef SLAPD_KPASSWD
 #	include <ac/krb.h>
 #	include <ac/krb5.h>
@ -86,10 +90,19 @@ static int chk_sha1(
 	const struct berval *passwd,
 	const struct berval *cred );

+#ifdef SLAPD_SPASSWD
+static int chk_sasl(
+	const struct pw_scheme *scheme,
+	const struct berval *passwd,
+	const struct berval *cred );
+#endif
+
+#ifdef SLAPD_KPASSWD
 static int chk_kerberos(
 	const struct pw_scheme *scheme,
 	const struct berval *passwd,
 	const struct berval *cred );
+#endif

 static int chk_crypt(
 	const struct pw_scheme *scheme,
@ -132,6 +145,10 @@ static const struct pw_scheme pw_schemes[] =
 	{ {sizeof("{SMD5}")-1, "{SMD5}"},	chk_smd5, hash_smd5 },
 	{ {sizeof("{MD5}")-1, "{MD5}"},		chk_md5, hash_md5 },

+#ifdef SLAPD_SPASSWD
+	{ {sizeof("{SASL}")-1, "{SASL}"}, chk_sasl, NULL },
+#endif
+
 #ifdef SLAPD_KPASSWD
 	{ {sizeof("{KERBEROS}")-1, "{KERBEROS}"}, chk_kerberos, NULL },
 #endif
@ -542,6 +559,59 @@ static int chk_md5(
 	return rc ? 1 : 0;
 }

+#ifdef SLAPD_SPASSWD
+#ifdef HAVE_CYRUS_SASL
+sasl_conn_t *lutil_passwd_sasl_conn = NULL;
+#endif
+
+static int chk_sasl(
+	const struct pw_scheme *sc,
+	const struct berval * passwd,
+	const struct berval * cred )
+{
+	int i;
+	int rtn;
+
+	for( i=0; i<cred->bv_len; i++) {
+		if(cred->bv_val[i] == '\0') {
+			return 1;	/* NUL character in password */
+		}
+	}
+
+	if( cred->bv_val[i] != '\0' ) {
+		return 1;	/* cred must behave like a string */
+	}
+
+	for( i=0; i<passwd->bv_len; i++) {
+		if(passwd->bv_val[i] == '\0') {
+			return 1;	/* NUL character in password */
+		}
+	}
+
+	if( passwd->bv_val[i] != '\0' ) {
+		return 1;	/* passwd must behave like a string */
+	}
+
+	rtn = 1;
+
+#ifdef HAVE_CYRUS_SASL
+	if( lutil_passwd_sasl_conn != NULL ) {
+		const char *errstr = NULL;
+		int sc;
+
+		sc = sasl_checkpass( lutil_passwd_sasl_conn,
+			passwd->bv_val, passwd->bv_len,
+			cred->bv_val, cred->bv_len,
+			&errstr );
+
+		rtn = ( sc != SASL_OK );
+	}
+#endif
+
+	return rtn;
+}
+#endif
+
 #ifdef SLAPD_KPASSWD
 static int chk_kerberos(
 	const struct pw_scheme *sc,
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@ -19,6 +19,11 @@ char **supportedSASLMechanisms = NULL;
 char *sasl_host = NULL;

 #ifdef HAVE_CYRUS_SASL
+
+#ifdef SLAPD_SPASSWD
+#include <lutil.h>
+#endif
+
 static void *slap_sasl_mutex_new(void)
 {
 	ldap_pvt_thread_mutex_t *mutex;
@ -158,13 +163,21 @@ int sasl_init( void )
 		mechs, 0, 0 );

 	supportedSASLMechanisms = str2charray( mechs, "," );
+
+#ifdef SLAPD_SPASSWD
+	lutil_passwd_sasl_conn = server;
+#else
 	sasl_dispose( &server );
+#endif

 	return 0;
 }

 int sasl_destroy( void )
 {
+#ifdef SLAPD_SPASSWD
+	sasl_dispose( &lutil_passwd_sasl_conn );
+#endif
 	charray_free( supportedSASLMechanisms );
 	return 0;
 }