diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index ec28ea3cb3..52701bab78 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -163,6 +163,8 @@ typedef struct lookup_info { static slap_response sasl_ap_lookup; +static struct berval sc_cleartext = BER_BVC("{CLEARTEXT}"); + static int sasl_ap_lookup( Operation *op, SlapReply *rs ) { @@ -210,6 +212,34 @@ sasl_ap_lookup( Operation *op, SlapReply *rs ) sl->list[i].name ); } for ( bv = a->a_vals; bv->bv_val; bv++ ) { + /* ITS#3846 don't give hashed passwords to SASL */ + if ( ad == slap_schema.si_ad_userPassword && + bv->bv_val[0] == '{' ) { + rc = lutil_passwd_scheme( bv->bv_val ); + if ( rc ) { + /* If it's not a recognized scheme, just assume it's + * a cleartext password that happened to include brackets. + * + * If it's a recognized scheme, skip this value, unless the + * scheme is {CLEARTEXT}. In that case, skip over the + * scheme name and use the remainder. If there is nothing + * past the scheme name, skip this value. + */ +#ifdef SLAPD_CLEARTEXT + if ( !strncasecmp( bv->bv_val, sc_cleartext.bv_val, + sc_cleartext.bv_len )) { + struct berval cbv; + cbv.bv_len = bv->bv_len - sc_cleartext.bv_len; + if ( cbv.bv_len ) { + cbv.bv_val = bv->bv_val + sc_cleartext.bv_len; + sl->sparams->utils->prop_set( sl->sparams->propctx, + sl->list[i].name, cbv.bv_val, cbv.bv_len ); + } + } +#endif + continue; + } + } sl->sparams->utils->prop_set( sl->sparams->propctx, sl->list[i].name, bv->bv_val, bv->bv_len ); }