SASL code without backend support. Should work with

external store, but not yet tested.  [Intent is to support
both in same server... may not be doable]

servers/slapd/bind.c

@@ -213,25 +213,27 @@ do_bind(
 
 		ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 
-		if ( conn->c_authmech != NULL ) {
-			assert( conn->c_bind_in_progress );
+		if ( conn->c_sasl_bind_mech != NULL ) {
+			assert( conn->c_sasl_bind_in_progress );
 
-			if((strcmp(conn->c_authmech, mech) != 0)) {
+			if((strcmp(conn->c_sasl_bind_mech, mech) != 0)) {
 				/* mechanism changed, cancel in progress bind */
-				conn->c_bind_in_progress = 0;
-				if( conn->c_authstate != NULL ) {
-					free(conn->c_authstate);
-					conn->c_authstate = NULL;
-				}
-				free(conn->c_authmech);
-				conn->c_authmech = NULL;
+				conn->c_sasl_bind_in_progress = 0;
+				free( conn->c_sasl_bind_mech );
+				conn->c_sasl_bind_mech = NULL;
+#ifdef HAVE_CYRUS_SASL
+				sasl_dispose(&conn->c_sasl_bind_context);
+				conn->c_sasl_bind_context = NULL;
+#endif
 			}
 
 #ifdef LDAP_DEBUG
 		} else {
-			assert( !conn->c_bind_in_progress );
-			assert( conn->c_authmech == NULL );
-			assert( conn->c_authstate == NULL );
+			assert( !conn->c_sasl_bind_in_progress );
+			assert( conn->c_sasl_bind_mech == NULL );
+#ifdef HAVE_CYRUS_SASL
+			assert( conn->c_sasl_bind_context == NULL );
+#endif
 #endif
 		}
 		ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
@@ -240,19 +242,19 @@ do_bind(
 		/* Not SASL, cancel any in-progress bind */
 		ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 
-		if ( conn->c_authmech != NULL ) {
-			assert( conn->c_bind_in_progress );
+		if ( conn->c_sasl_bind_mech != NULL ) {
+			assert( conn->c_sasl_bind_in_progress );
 
 			/* cancel in progress bind */
-			conn->c_bind_in_progress = 0;
+			conn->c_sasl_bind_in_progress = 0;
 
-			if( conn->c_authstate != NULL ) {
-				free(conn->c_authstate);
-				conn->c_authstate = NULL;
-			}
+			free(conn->c_sasl_bind_mech);
+			conn->c_sasl_bind_mech = NULL;
 
-			free(conn->c_authmech);
-			conn->c_authmech = NULL;
+#ifdef HAVE_CYRUS_SASL
+			sasl_dispose(&conn->c_sasl_bind_context);
+			conn->c_sasl_bind_context = NULL;
+#endif
 		}
 
 		ldap_pvt_thread_mutex_unlock( &conn->c_mutex );

servers/slapd/connection.c

@@ -353,6 +353,7 @@ long connection_init(
     assert( c != NULL );
 
     if( c->c_struct_state == SLAP_C_UNINITIALIZED ) {
+		c->c_authmech = NULL;
         c->c_dn = NULL;
         c->c_cdn = NULL;
 
@@ -363,12 +364,11 @@ long connection_init(
 
         c->c_ops = NULL;
         c->c_pending_ops = NULL;
-		c->c_authmech = NULL;
-		c->c_authstate = NULL;
 
+		c->c_sasl_bind_mech = NULL;
 #ifdef HAVE_CYRUS_SASL
-		c->c_sasl_context = NULL;
-#endif /* HAVE_CYRUS_SASL */
+		c->c_sasl_bind_context = NULL;
+#endif
 
         c->c_sb = ber_sockbuf_alloc( );
 		c->c_currentber = NULL;
@@ -384,6 +384,7 @@ long connection_init(
     ldap_pvt_thread_mutex_lock( &c->c_mutex );
 
     assert( c->c_struct_state == SLAP_C_UNUSED );
+	assert( c->c_authmech == NULL );
     assert(	c->c_dn == NULL );
     assert(	c->c_cdn == NULL );
     assert( c->c_listener_url == NULL );
@@ -392,10 +393,9 @@ long connection_init(
     assert( c->c_sock_name == NULL );
     assert( c->c_ops == NULL );
     assert( c->c_pending_ops == NULL );
-	assert( c->c_authmech == NULL );
-	assert( c->c_authstate == NULL );
+	assert( c->c_sasl_bind_mech == NULL );
 #ifdef HAVE_CYRUS_SASL
-	assert( c->c_sasl_context == NULL );
+	assert( c->c_sasl_bind_context == NULL );
 #endif
 	assert( c->c_currentber == NULL );
 
@@ -468,6 +468,10 @@ connection_destroy( Connection *c )
 
     c->c_activitytime = c->c_starttime = 0;
 
+	if(c->c_authmech != NULL ) {
+		free(c->c_authmech);
+		c->c_authmech = NULL;
+	}
     if(c->c_dn != NULL) {
         free(c->c_dn);
         c->c_dn = NULL;
@@ -505,23 +509,18 @@ connection_destroy( Connection *c )
 		free(c->c_sock_name);
 		c->c_sock_name = NULL;
 	}
-	if(c->c_authmech != NULL ) {
-		free(c->c_authmech);
-		c->c_authmech = NULL;
-	}
-	if(c->c_authstate != NULL ) {
-		free(c->c_authstate);
-		c->c_authstate = NULL;
-	}
 
+	c->c_sasl_bind_in_progress = 0;
+	if(c->c_sasl_bind_mech != NULL) {
+		free(c->c_sasl_bind_mech);
+		c->c_sasl_bind_mech = NULL;
+	}
 #ifdef HAVE_CYRUS_SASL
-	if(c->c_sasl_context != NULL ) {
-		sasl_dispose( &c->c_sasl_context );
-		c->c_sasl_context = NULL;
+	if(c->c_sasl_bind_context != NULL ) {
+		sasl_dispose( &c->c_sasl_bind_context );
+		c->c_sasl_bind_context = NULL;
 	}
-#endif /* HAVE_CYRUS_SASL */
-
-	c->c_bind_in_progress = 0;
+#endif
 
 	if ( c->c_currentber != NULL ) {
 		ber_free( c->c_currentber, 1 );
@@ -730,7 +729,7 @@ connection_operation( void *arg_v )
 	num_ops_initiated++;
 	ldap_pvt_thread_mutex_unlock( &num_ops_mutex );
 
-	if( conn->c_bind_in_progress && tag != LDAP_REQ_BIND ) {
+	if( conn->c_sasl_bind_in_progress && tag != LDAP_REQ_BIND ) {
 		Debug( LDAP_DEBUG_ANY, "connection_operation: "
 			"error: SASL bind in progress (tag=%ld).\n",
 			(long) tag, 0, 0 );
@@ -826,7 +825,7 @@ operations_error:
 		 * the backend to set this.
 		 */
 		if ( rc == LDAP_SASL_BIND_IN_PROGRESS ) {
-			conn->c_bind_in_progress = 1;
+			conn->c_sasl_bind_in_progress = 1;
 		}
 	}
 

servers/slapd/monitor.c

@@ -136,7 +136,7 @@ monitor_info(
 		    c->c_ops != NULL ? "x" : "",
 		    c->c_pending_ops != NULL ? "p" : "",
 			connection_state2str( c->c_conn_state ),
-			c->c_bind_in_progress ? "S" : "",
+			c->c_sasl_bind_in_progress ? "S" : "",
 
 		    c->c_cdn ? c->c_cdn : "<anonymous>",
 

servers/slapd/proto-slap.h

@@ -537,7 +537,7 @@ LIBSLAPD_F (int) sasl_init(void);
 LIBSLAPD_F (int) sasl_destroy(void);
 #ifdef HAVE_CYRUS_SASL
 LIBSLAPD_F (int) sasl_errldap LDAP_P(( int ));
-LIBSLAPD_F (int) sasl_bind LDAP_P((Backend *, 
+LIBSLAPD_F (int) sasl_bind LDAP_P((
 	Connection *, Operation *, 
 	char *, char *, char *, struct berval *, char **));
 #endif

servers/slapd/sasl.c

@@ -16,6 +16,7 @@
 #include <ldap_log.h>
 
 char **supportedSASLMechanisms = NULL;
+char *sasl_host = NULL;
 
 #ifdef HAVE_CYRUS_SASL
 static void *sasl_pvt_mutex_new(void)
@@ -64,7 +65,16 @@ int sasl_init( void )
 		return -1;
 	}
 
-	rc = sasl_server_new( "ldap", NULL, NULL, NULL,
+	if( sasl_host == NULL ) {
+		char hostname[MAXHOSTNAMELEN+1];
+
+		if( gethostname( hostname, MAXHOSTNAMELEN ) == 0 ) {
+			hostname[MAXHOSTNAMELEN] = '\0';
+			sasl_host = hostname;
+		}
+	}
+
+	rc = sasl_server_new( "ldap", sasl_host, NULL, NULL,
 		SASL_SECURITY_LAYER, 
 		&server );
 
@@ -118,7 +128,6 @@ int sasl_destroy( void )
 
 #ifdef HAVE_CYRUS_SASL
 int sasl_bind(
-    Backend             *be,
     Connection          *conn,
     Operation           *op,  
     char                *dn,  
@@ -135,10 +144,11 @@ int sasl_bind(
 	Debug(LDAP_DEBUG_ARGS, "==> sasl_bind: dn=%s, mech=%s, cred->bv_len=%d\n",
 		dn, mech, cred ? cred->bv_len : 0 );
 
-	if ( conn->c_sasl_context == NULL ) {
+	if ( conn->c_sasl_bind_context ) {
 		sasl_callback_t callbacks[4];
 		int cbnum = 0;
 
+#if 0
 		if (be->be_sasl_authorize) {
 			callbacks[cbnum].id = SASL_CB_PROXY_POLICY;
 			callbacks[cbnum].proc = be->be_sasl_authorize;
@@ -159,18 +169,22 @@ int sasl_bind(
 			callbacks[cbnum].context = be;
 			++cbnum;
 		}
+#endif
+
 		callbacks[cbnum].id = SASL_CB_LIST_END;
 		callbacks[cbnum].proc = NULL;
 		callbacks[cbnum].context = NULL;
 
 		/* create new SASL context */
-		if ( sasl_server_new( "ldap", NULL, be->be_realm,
-			callbacks, SASL_SECURITY_LAYER, &conn->c_sasl_context ) != SASL_OK ) {
+		sc = sasl_server_new( "ldap", sasl_host, global_realm,
+			callbacks, SASL_SECURITY_LAYER, &conn->c_sasl_bind_context );
+
+		if( sc != SASL_OK ) {
 			send_ldap_result( conn, op, LDAP_AUTH_METHOD_NOT_SUPPORTED,
 				NULL, NULL, NULL, NULL );
 		} else {
 			conn->c_authmech = ch_strdup( mech );
-			sc = sasl_server_start( conn->c_sasl_context, conn->c_authmech,
+			sc = sasl_server_start( conn->c_sasl_bind_context, conn->c_authmech,
 				cred->bv_val, cred->bv_len, (char **)&response.bv_val,
 				(unsigned *)&response.bv_len, &errstr );
 			if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) {
@@ -179,7 +193,7 @@ int sasl_bind(
 			}
 		}
 	} else {
-		sc = sasl_server_step( conn->c_sasl_context, cred->bv_val, cred->bv_len,
+		sc = sasl_server_step( conn->c_sasl_bind_context, cred->bv_val, cred->bv_len,
 			(char **)&response.bv_val, (unsigned *)&response.bv_len, &errstr );
 		if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) {
 			send_ldap_result( conn, op, ldap_pvt_sasl_err2ldap( sc ),
@@ -190,7 +204,7 @@ int sasl_bind(
 	if ( sc == SASL_OK ) {
 		char *authzid;
 
-		if ( ( sc = sasl_getprop( conn->c_sasl_context, SASL_USERNAME,
+		if ( ( sc = sasl_getprop( conn->c_sasl_bind_context, SASL_USERNAME,
 			(void **)&authzid ) ) != SASL_OK ) {
 			send_ldap_result( conn, op, ldap_pvt_sasl_err2ldap( sc ),
 				NULL, NULL, NULL, NULL );
@@ -210,11 +224,11 @@ int sasl_bind(
 		}
 	} else if ( sc == SASL_CONTINUE ) {
 		/*
-		 * We set c_bind_in_progress because it doesn't appear
+		 * We set c_sasl_bind_in_progress because it doesn't appear
 		 * that connection.c sets this (unless do_bind() itself
 		 * returns LDAP_SASL_BIND_IN_PROGRESS).
 		 */
-		conn->c_bind_in_progress = 1;
+		conn->c_sasl_bind_in_progress = 1;
 		send_ldap_sasl( conn, op, LDAP_SASL_BIND_IN_PROGRESS,
 			NULL, NULL, NULL, NULL,  &response );
 	} 

servers/slapd/slap.h

@@ -1015,11 +1015,11 @@ typedef struct slap_conn {
 	char		*c_sock_name;	/* sock name (trans=addr:port) */
 
 	/* only can be changed by binding thread */
-	int		c_bind_in_progress;	/* multi-op bind in progress */
+	int		c_sasl_bind_in_progress;	/* multi-op bind in progress */
+	char	*c_sasl_bind_mech;			/* mech in progress */
 #ifdef HAVE_CYRUS_SASL
-	sasl_conn_t	*c_sasl_context;
+	sasl_conn_t	*c_sasl_bind_context;	/* Cyrus SASL state data */
 #endif
-	void	*c_authstate;	/* SASL state data */
 
 	/* authentication backend */
 	Backend *c_authc_backend;

servers/slapd/tools/mimic.c

@@ -146,7 +146,6 @@ int sasl_destroy(void) {
 
 #ifdef HAVE_CYRUS_SASL
 int sasl_bind(
-    Backend             *be,
     Connection          *conn,
     Operation           *op,
     char                *dn,