diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c index 61a1b64c11..723baecdc6 100644 --- a/servers/slapd/bind.c +++ b/servers/slapd/bind.c @@ -184,6 +184,8 @@ do_bind( ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); if ( method == LDAP_AUTH_SASL ) { + char *edn; + if ( version < LDAP_VERSION3 ) { Debug( LDAP_DEBUG_ANY, "do_bind: sasl with LDAPv%ld\n", (unsigned long) version, 0, 0 ); @@ -238,6 +240,16 @@ do_bind( } ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); + edn = NULL; + rc = sasl_bind( conn, op, dn, ndn, mech, &cred, &edn ); + + if( rc == LDAP_SUCCESS && edn != NULL ) { + ldap_pvt_thread_mutex_lock( &conn->c_mutex ); + conn->c_dn = edn; + ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); + } + goto cleanup; + } else { /* Not SASL, cancel any in-progress bind */ ldap_pvt_thread_mutex_lock( &conn->c_mutex ); diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c index 54dedfb3c0..4afec31af0 100644 --- a/servers/slapd/connection.c +++ b/servers/slapd/connection.c @@ -817,16 +817,12 @@ operations_error: break; case LDAP_REQ_BIND: + conn->c_sasl_bind_in_progress = + rc == LDAP_SASL_BIND_IN_PROGRESS ? 1 : 0; + if( conn->c_conn_state == SLAP_C_BINDING) { conn->c_conn_state = SLAP_C_ACTIVE; } - /* - * Is this ever the case? For now, rely on - * the backend to set this. - */ - if ( rc == LDAP_SASL_BIND_IN_PROGRESS ) { - conn->c_sasl_bind_in_progress = 1; - } } ldap_pvt_thread_mutex_lock( &active_threads_mutex ); diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 74beabd4e3..ce04d94fc2 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -134,7 +134,7 @@ int sasl_bind( char *ndn, char *mech, struct berval *cred, - char **edn) + char **edn ) { struct berval response; const char *errstr; @@ -180,7 +180,7 @@ int sasl_bind( callbacks, SASL_SECURITY_LAYER, &conn->c_sasl_bind_context ); if( sc != SASL_OK ) { - send_ldap_result( conn, op, LDAP_AUTH_METHOD_NOT_SUPPORTED, + send_ldap_result( conn, op, rc = LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL, NULL, NULL ); } else { conn->c_authmech = ch_strdup( mech ); @@ -188,7 +188,7 @@ int sasl_bind( cred->bv_val, cred->bv_len, (char **)&response.bv_val, (unsigned *)&response.bv_len, &errstr ); if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) { - send_ldap_result( conn, op, ldap_pvt_sasl_err2ldap( sc ), + send_ldap_result( conn, op, rc = ldap_pvt_sasl_err2ldap( sc ), NULL, errstr, NULL, NULL ); } } @@ -196,7 +196,7 @@ int sasl_bind( sc = sasl_server_step( conn->c_sasl_bind_context, cred->bv_val, cred->bv_len, (char **)&response.bv_val, (unsigned *)&response.bv_len, &errstr ); if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) { - send_ldap_result( conn, op, ldap_pvt_sasl_err2ldap( sc ), + send_ldap_result( conn, op, rc = ldap_pvt_sasl_err2ldap( sc ), NULL, errstr, NULL, NULL ); } } @@ -206,30 +206,30 @@ int sasl_bind( if ( ( sc = sasl_getprop( conn->c_sasl_bind_context, SASL_USERNAME, (void **)&authzid ) ) != SASL_OK ) { - send_ldap_result( conn, op, ldap_pvt_sasl_err2ldap( sc ), + send_ldap_result( conn, op, rc = ldap_pvt_sasl_err2ldap( sc ), NULL, NULL, NULL, NULL ); + } else { - if ( *edn != NULL ) { - free( *edn ); - } - if ( strcasecmp( authzid, "anonymous" ) == 0 ) { - *edn = ch_strdup( "" ); - } else { + if( strncasecmp( authzid, "anonymous", sizeof("anonyous")-1 ) && + ( ( authzid[sizeof("anonymous")] == '\0' ) || + ( authzid[sizeof("anonymous")] == '@' ) ) ) + { *edn = ch_malloc( sizeof( "authzid=" ) + strlen( authzid ) ); strcpy( *edn, "authzid=" ); strcat( *edn, authzid ); } - /* let FE send result */ - rc = 0; + + send_ldap_result( conn, op, rc = LDAP_SUCCESS, + NULL, NULL, NULL, NULL ); } + } else if ( sc == SASL_CONTINUE ) { /* * We set c_sasl_bind_in_progress because it doesn't appear * that connection.c sets this (unless do_bind() itself * returns LDAP_SASL_BIND_IN_PROGRESS). */ - conn->c_sasl_bind_in_progress = 1; - send_ldap_sasl( conn, op, LDAP_SASL_BIND_IN_PROGRESS, + send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS, NULL, NULL, NULL, NULL, &response ); }