For ITS#2424, move all SASL session management to ldap_int_sasl_bind.

libraries/libldap/cyrus.c

@@ -532,6 +532,7 @@ ldap_int_sasl_bind(
 	unsigned credlen;
 	struct berval ccred;
 	ber_socket_t		sd;
+	void	*ssl;
 
 #ifdef NEW_LOGGING
 	LDAP_LOG ( TRANSPORT, ARGS, "ldap_int_sasl_bind: %s\n", 
@@ -566,9 +567,45 @@ ldap_int_sasl_bind(
 
 	ctx = ld->ld_defconn->lconn_sasl_ctx;
 
-	if( ctx == NULL ) {
-		ld->ld_errno = LDAP_LOCAL_ERROR;
-		return ld->ld_errno;
+	/* If we already have a context, shut it down */
+	if( ctx ) {
+		/* Do an anonymous bind to kill the server's context */
+		rc = ldap_simple_bind_s( ld, "", NULL );
+
+		/* dispose of the old context */
+		ldap_int_sasl_close( ld, ld->ld_defconn );
+	}
+
+	rc = ldap_int_sasl_open( ld, ld->ld_defconn,
+		ld->ld_defconn->lconn_server->lud_host ?
+		ld->ld_defconn->lconn_server->lud_host : "localhost" );
+		
+	if ( rc != LDAP_SUCCESS ) return rc;
+
+	ctx = ld->ld_defconn->lconn_sasl_ctx;
+
+	/* Check for TLS */
+	ssl = ldap_pvt_tls_sb_ctx( ld->ld_sb );
+	if ( ssl ) {
+		struct berval authid = { 0, NULL };
+		ber_len_t fac;
+
+		fac = ldap_pvt_tls_get_strength( ssl );
+		/* failure is OK, we just can't use SASL EXTERNAL */
+		(void) ldap_pvt_tls_get_my_dn( ssl, &authid, NULL, 0 );
+
+		(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );
+		LDAP_FREE( authid.bv_val );
+	}
+
+	/* Check for local */
+	if ( ldap_pvt_url_scheme2proto( ld->ld_defconn->lconn_server->lud_scheme ) == LDAP_PROTO_IPC ) {
+		char authid[sizeof("uidNumber=4294967295+gidNumber=4294967295,"
+			"cn=peercred,cn=external,cn=auth")];
+		sprintf( authid, "uidNumber=%d+gidNumber=%d,"
+			"cn=peercred,cn=external,cn=auth",
+			(int) geteuid(), (int) getegid() );
+		(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid, LDAP_PVT_SASL_LOCAL_SSF );
 	}
 
 	/* (re)set security properties */

libraries/libldap/open.c

@@ -237,9 +237,6 @@ ldap_int_open_connection(
 	int async )
 {
 	int rc = -1;
-#ifdef HAVE_CYRUS_SASL
-	char *sasl_host = NULL;
-#endif
 	char *host;
 	int port, proto;
 
@@ -279,9 +276,6 @@ ldap_int_open_connection(
 			ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_tcp,
 				LBER_SBIOD_LEVEL_PROVIDER, NULL );
 
-#ifdef HAVE_CYRUS_SASL
-			sasl_host = ldap_host_connected_to( conn->lconn_sb, host );
-#endif
 			break;
 
 #ifdef LDAP_CONNECTIONLESS
@@ -326,9 +320,6 @@ ldap_int_open_connection(
 			ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_fd,
 				LBER_SBIOD_LEVEL_PROVIDER, NULL );
 
-#ifdef HAVE_CYRUS_SASL
-			sasl_host = ldap_host_connected_to( conn->lconn_sb, "localhost" );
-#endif
 			break;
 #endif /* LDAP_PF_LOCAL */
 		default:
@@ -345,25 +336,6 @@ ldap_int_open_connection(
 	if( proto == LDAP_PROTO_UDP ) return 0;
 #endif
 
-#ifdef HAVE_CYRUS_SASL
-	/* establish Cyrus SASL context prior to starting TLS so
-		that SASL EXTERNAL might be used */
-	if( sasl_host != NULL ) {
-		ldap_int_sasl_open( ld, conn, sasl_host );
-		LDAP_FREE( sasl_host );
-	}
-#ifdef LDAP_PF_LOCAL
-	if( proto == LDAP_PROTO_IPC ) {
-		char authid[sizeof("uidNumber=4294967295+gidNumber=4294967295,"
-			"cn=peercred,cn=external,cn=auth")];
-		sprintf( authid, "uidNumber=%d+gidNumber=%d,"
-			"cn=peercred,cn=external,cn=auth",
-			(int) geteuid(), (int) getegid() );
-		ldap_int_sasl_external( ld, conn, authid, LDAP_PVT_SASL_LOCAL_SSF );
-	}
-#endif
-#endif
-
 #ifdef HAVE_TLS
 	if (ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
 		strcmp( srv->lud_scheme, "ldaps" ) == 0 )

libraries/libldap/tls.c

@@ -1403,22 +1403,6 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
 		}
 	}
 
-	/*
-	 * set SASL properties to TLS ssf and authid
-	 */
-	{
-		struct berval authid = { 0, NULL };
-		ber_len_t ssf;
-
-		/* we need to let SASL know */
-		ssf = ldap_pvt_tls_get_strength( ssl );
-		/* failure is OK, we just can't use SASL EXTERNAL */
-		(void) ldap_pvt_tls_get_my_dn( ssl, &authid, NULL, 0 );
-
-		(void) ldap_int_sasl_external( ld, conn, authid.bv_val, ssf );
-		LDAP_FREE( authid.bv_val );
-	}
-
 	return LDAP_SUCCESS;
 }