diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c index d0d9828458..61a1b64c11 100644 --- a/servers/slapd/bind.c +++ b/servers/slapd/bind.c @@ -213,25 +213,27 @@ do_bind( ldap_pvt_thread_mutex_lock( &conn->c_mutex ); - if ( conn->c_authmech != NULL ) { - assert( conn->c_bind_in_progress ); + if ( conn->c_sasl_bind_mech != NULL ) { + assert( conn->c_sasl_bind_in_progress ); - if((strcmp(conn->c_authmech, mech) != 0)) { + if((strcmp(conn->c_sasl_bind_mech, mech) != 0)) { /* mechanism changed, cancel in progress bind */ - conn->c_bind_in_progress = 0; - if( conn->c_authstate != NULL ) { - free(conn->c_authstate); - conn->c_authstate = NULL; - } - free(conn->c_authmech); - conn->c_authmech = NULL; + conn->c_sasl_bind_in_progress = 0; + free( conn->c_sasl_bind_mech ); + conn->c_sasl_bind_mech = NULL; +#ifdef HAVE_CYRUS_SASL + sasl_dispose(&conn->c_sasl_bind_context); + conn->c_sasl_bind_context = NULL; +#endif } #ifdef LDAP_DEBUG } else { - assert( !conn->c_bind_in_progress ); - assert( conn->c_authmech == NULL ); - assert( conn->c_authstate == NULL ); + assert( !conn->c_sasl_bind_in_progress ); + assert( conn->c_sasl_bind_mech == NULL ); +#ifdef HAVE_CYRUS_SASL + assert( conn->c_sasl_bind_context == NULL ); +#endif #endif } ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); 
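Review bot: `sasl_dispose(&conn->c_sasl_bind_context);` in the mechanism-changed branch has no `!= NULL` guard, while connection_destroy in this same commit guards the identical call on the same field; Cyrus's sasl_dispose tolerates a NULL `*pconn` in the releases I know, but the two call sites should follow one convention, e.g. `if( conn->c_sasl_bind_context != NULL ) sasl_dispose(&conn->c_sasl_bind_context);`. Note that this whole cancel branch is reachable only when `c_sasl_bind_mech` is non-NULL, and nothing in this diff ever assigns that field a value, so whether the mechanism-switch protection ever fires depends on code outside the diff. do_bind begins before and continues after the hunk.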
@@ -240,19 +242,19 @@ do_bind( /* Not SASL, cancel any in-progress bind */ ldap_pvt_thread_mutex_lock( &conn->c_mutex ); - if ( conn->c_authmech != NULL ) { - assert( conn->c_bind_in_progress ); + if ( conn->c_sasl_bind_mech != NULL ) { + assert( conn->c_sasl_bind_in_progress ); /* cancel in progress bind */ - conn->c_bind_in_progress = 0; + conn->c_sasl_bind_in_progress = 0; - if( conn->c_authstate != NULL ) { - free(conn->c_authstate); - conn->c_authstate = NULL; - } + free(conn->c_sasl_bind_mech); + conn->c_sasl_bind_mech = NULL; - free(conn->c_authmech); - conn->c_authmech = NULL; +#ifdef HAVE_CYRUS_SASL + sasl_dispose(&conn->c_sasl_bind_context); + conn->c_sasl_bind_context = NULL; +#endif } ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c index edf0db517d..54dedfb3c0 100644 --- a/servers/slapd/connection.c +++ b/servers/slapd/connection.c @@ -353,6 +353,7 @@ long connection_init( assert( c != NULL ); if( c->c_struct_state == SLAP_C_UNINITIALIZED ) { + c->c_authmech = NULL; c->c_dn = NULL; c->c_cdn = NULL; @@ -363,12 +364,11 @@ long connection_init( c->c_ops = NULL; c->c_pending_ops = NULL; - c->c_authmech = NULL; - c->c_authstate = NULL; + c->c_sasl_bind_mech = NULL; #ifdef HAVE_CYRUS_SASL - c->c_sasl_context = NULL; -#endif /* HAVE_CYRUS_SASL */ + c->c_sasl_bind_context = NULL; +#endif c->c_sb = ber_sockbuf_alloc( ); c->c_currentber = NULL; @@ -384,6 +384,7 @@ long connection_init( ldap_pvt_thread_mutex_lock( &c->c_mutex ); assert( c->c_struct_state == SLAP_C_UNUSED ); + assert( c->c_authmech == NULL ); assert( c->c_dn == NULL ); assert( c->c_cdn == NULL ); assert( c->c_listener_url == NULL ); 
@@ -392,10 +393,9 @@ long connection_init( assert( c->c_sock_name == NULL ); assert( c->c_ops == NULL ); assert( c->c_pending_ops == NULL ); - assert( c->c_authmech == NULL ); - assert( c->c_authstate == NULL ); + assert( c->c_sasl_bind_mech == NULL ); #ifdef HAVE_CYRUS_SASL - assert( c->c_sasl_context == NULL ); + assert( c->c_sasl_bind_context == NULL ); #endif assert( c->c_currentber == NULL ); @@ -468,6 +468,10 @@ connection_destroy( Connection *c ) c->c_activitytime = c->c_starttime = 0; + if(c->c_authmech != NULL ) { + free(c->c_authmech); + c->c_authmech = NULL; + } if(c->c_dn != NULL) { free(c->c_dn); c->c_dn = NULL; @@ -505,23 +509,18 @@ connection_destroy( Connection *c ) free(c->c_sock_name); c->c_sock_name = NULL; } - if(c->c_authmech != NULL ) { - free(c->c_authmech); - c->c_authmech = NULL; - } - if(c->c_authstate != NULL ) { - free(c->c_authstate); - c->c_authstate = NULL; - } + c->c_sasl_bind_in_progress = 0; + if(c->c_sasl_bind_mech != NULL) { + free(c->c_sasl_bind_mech); + c->c_sasl_bind_mech = NULL; + } #ifdef HAVE_CYRUS_SASL - if(c->c_sasl_context != NULL ) { - sasl_dispose( &c->c_sasl_context ); - c->c_sasl_context = NULL; + if(c->c_sasl_bind_context != NULL ) { + sasl_dispose( &c->c_sasl_bind_context ); + c->c_sasl_bind_context = NULL; } -#endif /* HAVE_CYRUS_SASL */ - - c->c_bind_in_progress = 0; +#endif if ( c->c_currentber != NULL ) { ber_free( c->c_currentber, 1 ); @@ -730,7 +729,7 @@ connection_operation( void *arg_v ) num_ops_initiated++; ldap_pvt_thread_mutex_unlock( &num_ops_mutex ); - if( conn->c_bind_in_progress && tag != LDAP_REQ_BIND ) { + if( conn->c_sasl_bind_in_progress && tag != LDAP_REQ_BIND ) { Debug( LDAP_DEBUG_ANY, "connection_operation: " "error: SASL bind in progress (tag=%ld).\n", (long) tag, 0, 0 ); @@ -826,7 +825,7 @@ operations_error: * the backend to set this. */ if ( rc == LDAP_SASL_BIND_IN_PROGRESS ) { - conn->c_bind_in_progress = 1; + conn->c_sasl_bind_in_progress = 1; } } 
diff --git a/servers/slapd/monitor.c b/servers/slapd/monitor.c index 935ae28fee..9d9724e044 100644 --- a/servers/slapd/monitor.c +++ b/servers/slapd/monitor.c @@ -136,7 +136,7 @@ monitor_info( c->c_ops != NULL ? "x" : "", c->c_pending_ops != NULL ? "p" : "", connection_state2str( c->c_conn_state ), - c->c_bind_in_progress ? "S" : "", + c->c_sasl_bind_in_progress ? "S" : "", c->c_cdn ? c->c_cdn : "", diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index d25af9e3e8..78f84fb904 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -537,7 +537,7 @@ LIBSLAPD_F (int) sasl_init(void); LIBSLAPD_F (int) sasl_destroy(void); #ifdef HAVE_CYRUS_SASL LIBSLAPD_F (int) sasl_errldap LDAP_P(( int )); -LIBSLAPD_F (int) sasl_bind LDAP_P((Backend *, +LIBSLAPD_F (int) sasl_bind LDAP_P(( Connection *, Operation *, char *, char *, char *, struct berval *, char **)); #endif diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 2139080d7d..74beabd4e3 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -16,6 +16,7 @@ #include char **supportedSASLMechanisms = NULL; +char *sasl_host = NULL; #ifdef HAVE_CYRUS_SASL static void *sasl_pvt_mutex_new(void) @@ -64,7 +65,16 @@ int sasl_init( void ) return -1; } - rc = sasl_server_new( "ldap", NULL, NULL, NULL, + if( sasl_host == NULL ) { + char hostname[MAXHOSTNAMELEN+1]; + + if( gethostname( hostname, MAXHOSTNAMELEN ) == 0 ) { + hostname[MAXHOSTNAMELEN] = '\0'; + sasl_host = hostname; + } + } + + rc = sasl_server_new( "ldap", sasl_host, NULL, NULL, SASL_SECURITY_LAYER, &server ); @@ -118,7 +128,6 @@ int sasl_destroy( void ) #ifdef HAVE_CYRUS_SASL int sasl_bind( - Backend *be, Connection *conn, Operation *op, char *dn, 
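Review bot: `sasl_host = hostname;` stores the address of the block-local array `hostname[MAXHOSTNAMELEN+1]`, which dies at the closing brace of the `if`, so the global is already dangling when it is passed to `sasl_server_new` on the next line and certainly by the time sasl_bind reuses `sasl_host` for every per-connection context. That is undefined behaviour, and in practice it hands a stale or garbage service hostname to the SASL library, which mechanisms such as DIGEST-MD5 typically fold into the digest-uri they verify. Duplicate it instead: `sasl_host = ch_strdup( hostname );` (ch_strdup is already used in this file), or make the buffer `static`. The truncation handling (`hostname[MAXHOSTNAMELEN] = '\0'` after `gethostname( hostname, MAXHOSTNAMELEN )`) is correct as written. sasl_init continues outside the hunk.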
@@ -135,10 +144,11 @@ int sasl_bind( Debug(LDAP_DEBUG_ARGS, "==> sasl_bind: dn=%s, mech=%s, cred->bv_len=%d\n", dn, mech, cred ? cred->bv_len : 0 ); - if ( conn->c_sasl_context == NULL ) { + if ( conn->c_sasl_bind_context ) { sasl_callback_t callbacks[4]; int cbnum = 0; +#if 0 if (be->be_sasl_authorize) { callbacks[cbnum].id = SASL_CB_PROXY_POLICY; callbacks[cbnum].proc = be->be_sasl_authorize; @@ -159,18 +169,22 @@ int sasl_bind( callbacks[cbnum].context = be; ++cbnum; } +#endif + callbacks[cbnum].id = SASL_CB_LIST_END; callbacks[cbnum].proc = NULL; callbacks[cbnum].context = NULL; /* create new SASL context */ - if ( sasl_server_new( "ldap", NULL, be->be_realm, - callbacks, SASL_SECURITY_LAYER, &conn->c_sasl_context ) != SASL_OK ) { + sc = sasl_server_new( "ldap", sasl_host, global_realm, + callbacks, SASL_SECURITY_LAYER, &conn->c_sasl_bind_context ); + + if( sc != SASL_OK ) { send_ldap_result( conn, op, LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL, NULL, NULL ); } else { conn->c_authmech = ch_strdup( mech ); - sc = sasl_server_start( conn->c_sasl_context, conn->c_authmech, + sc = sasl_server_start( conn->c_sasl_bind_context, conn->c_authmech, cred->bv_val, cred->bv_len, (char **)&response.bv_val, (unsigned *)&response.bv_len, &errstr ); if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) { @@ -179,7 +193,7 @@ int sasl_bind( } } } else { - sc = sasl_server_step( conn->c_sasl_context, cred->bv_val, cred->bv_len, + sc = sasl_server_step( conn->c_sasl_bind_context, cred->bv_val, cred->bv_len, (char **)&response.bv_val, (unsigned *)&response.bv_len, &errstr ); if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) { send_ldap_result( conn, op, ldap_pvt_sasl_err2ldap( sc ), 
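Review bot: the rewritten test `if ( conn->c_sasl_bind_context ) {` inverts the original `== NULL` check: a connection that already holds a context now gets a second `sasl_server_new` (leaking the first context and restarting the exchange), while a first-time bind with a NULL context falls through to `sasl_server_step( conn->c_sasl_bind_context, ...)` on a NULL handle. It should read `if ( conn->c_sasl_bind_context == NULL ) {`. Separately, the `#if 0` around the `be_sasl_authorize` / SASL_CB_PROXY_POLICY callbacks removes the only server-side check that the authenticated identity may assume the requested authorization identity; if that is intentional for this step, a comment such as `/* proxy-policy callback disabled: sasl_bind no longer receives a Backend to consult */` would also warn that the disabled code references the removed `be` parameter and will not compile if re-enabled. sasl_bind starts before and continues after this hunk.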
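Review bot: `conn->c_authmech = ch_strdup( mech );` overwrites the previous value without freeing it, and connection_destroy in this same commit frees `c_authmech` only once at teardown, so each time this branch runs on a connection that has bound before the earlier mechanism string leaks, and a client can drive that from the network. Free it first: `if ( conn->c_authmech != NULL ) free( conn->c_authmech );` (matching the free style used in connection.c). The `sasl_server_new` failure path returns LDAP_AUTH_METHOD_NOT_SUPPORTED without logging `sc`, which makes a misconfigured SASL install hard to diagnose — a Debug line carrying the return code would help. The enclosing sasl_bind function continues outside the hunk.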
@@ -190,7 +204,7 @@ int sasl_bind( if ( sc == SASL_OK ) { char *authzid; - if ( ( sc = sasl_getprop( conn->c_sasl_context, SASL_USERNAME, + if ( ( sc = sasl_getprop( conn->c_sasl_bind_context, SASL_USERNAME, (void **)&authzid ) ) != SASL_OK ) { send_ldap_result( conn, op, ldap_pvt_sasl_err2ldap( sc ), NULL, NULL, NULL, NULL ); @@ -210,11 +224,11 @@ int sasl_bind( } } else if ( sc == SASL_CONTINUE ) { /* - * We set c_bind_in_progress because it doesn't appear + * We set c_sasl_bind_in_progress because it doesn't appear * that connection.c sets this (unless do_bind() itself * returns LDAP_SASL_BIND_IN_PROGRESS). */ - conn->c_bind_in_progress = 1; + conn->c_sasl_bind_in_progress = 1; send_ldap_sasl( conn, op, LDAP_SASL_BIND_IN_PROGRESS, NULL, NULL, NULL, NULL, &response ); } diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index ef0b9c2afa..5e7bbf97e6 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -1015,11 +1015,11 @@ typedef struct slap_conn { char *c_sock_name; /* sock name (trans=addr:port) */ /* only can be changed by binding thread */ - int c_bind_in_progress; /* multi-op bind in progress */ + int c_sasl_bind_in_progress; /* multi-op bind in progress */ + char *c_sasl_bind_mech; /* mech in progress */ #ifdef HAVE_CYRUS_SASL - sasl_conn_t *c_sasl_context; + sasl_conn_t *c_sasl_bind_context; /* Cyrus SASL state data */ #endif - void *c_authstate; /* SASL state data */ /* authentication backend */ Backend *c_authc_backend; diff --git a/servers/slapd/tools/mimic.c b/servers/slapd/tools/mimic.c index 3bb5fc93f7..182788ca7a 100644 --- a/servers/slapd/tools/mimic.c +++ b/servers/slapd/tools/mimic.c @@ -146,7 +146,6 @@ int sasl_destroy(void) { #ifdef HAVE_CYRUS_SASL int sasl_bind( - Backend *be, Connection *conn, Operation *op, char *dn,
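Review bot: the SASL_CONTINUE branch sets `conn->c_sasl_bind_in_progress = 1;` but never records the mechanism in `c_sasl_bind_mech`, and no other hunk in this diff assigns that field either; do_bind's "mechanism changed, cancel in progress bind" logic keys on it, so unless it is set somewhere outside the diff that check is dead and a client that starts one mechanism and continues with another will have its second credential fed by `sasl_server_step` into the first mechanism's context. Record it alongside the flag: `if ( conn->c_sasl_bind_mech == NULL ) conn->c_sasl_bind_mech = ch_strdup( mech );`, which also makes the `free( conn->c_sasl_bind_mech )` in do_bind and connection_destroy meaningful. sasl_bind's body continues outside the hunk.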