deleted sasl_external_x509dn_convert; X509 DNs are always converted to

normalized LDAP DNs now.

Changed dnDCEnormalize to dnX509normalize, added dnX509peerNormalize,
based on new ldap_X509dn2bv() etc.

servers/slapd/config.c

@@ -57,7 +57,6 @@ char   *slapd_args_file = NULL;
 
 int nSaslRegexp = 0;
 SaslRegexp_t *SaslRegexp = NULL;
-int sasl_external_x509dn_convert;
 
 #ifdef SLAPD_RLOOKUPS
 int use_reverse_lookup = 1;
@@ -677,9 +676,6 @@ read_config( const char *fname )
 				return 1;
 			}
 
-		} else if ( strcasecmp( cargv[0], "sasl-external-x509dn-convert" ) == 0 ) {
-			sasl_external_x509dn_convert++;
-
 		/* set UCDATA path */
 		} else if ( strcasecmp( cargv[0], "ucdata-path" ) == 0 ) {
 			int err;

servers/slapd/connection.c

@@ -1201,7 +1201,7 @@ int connection_read(ber_socket_t s)
 				c->c_ssf = c->c_tls_ssf;
 			}
 
-			authid = (char *)ldap_pvt_tls_get_peer( ssl );
+			authid = dnX509peerNormalize( ssl );
 			slap_sasl_external( c, c->c_tls_ssf, authid );
 		}
 		connection_return( c );

servers/slapd/dn.c

@@ -831,38 +831,20 @@ dnIsSuffix(
 }
 
 /*
- * Convert a DN from X.500 format into a normalized DN
+ * Convert an X.509 DN into a normalized LDAP DN
  */
 int
-dnDCEnormalize( char *dce, struct berval *out )
+dnX509normalize( void *x509_name, struct berval *out )
 {
-	int rc;
-	LDAPDN *dn = NULL;
-
-	out->bv_val = NULL;
-	out->bv_len = 0;
-
-	rc = ldap_str2dn( dce, &dn, LDAP_DN_FORMAT_DCE );
-	if  ( rc != LDAP_SUCCESS )
-		return rc;
-
-	/*
-	 * Schema-aware rewrite
-	 */
-	if ( LDAPDN_rewrite( dn, 0 ) != LDAP_SUCCESS ) {
-		ldap_dnfree( dn );
-		return LDAP_INVALID_SYNTAX;
-	}
-
-	/*
-	 * Back to string representation
-	 */
-	rc = ldap_dn2bv( dn, out, LDAP_DN_FORMAT_LDAPV3 );
-
-	ldap_dnfree( dn );
-
-	if ( rc != LDAP_SUCCESS ) {
-		rc = LDAP_INVALID_SYNTAX;
-	}
-	return rc;
+	/* Invoke the LDAP library's converter with our schema-rewriter */
+	return ldap_X509dn2bv( x509_name, out, LDAPDN_rewrite, 0 );
+}
+
+/*
+ * Get the TLS session's peer's DN into a normalized LDAP DN
+ */
+char *
+dnX509peerNormalize( void *ssl )
+{
+	return ldap_pvt_tls_get_peer_dn( ssl, (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 );
 }

servers/slapd/proto-slap.h

@@ -404,7 +404,9 @@ LDAP_SLAPD_F (void) build_new_dn LDAP_P((
 
 LDAP_SLAPD_F (void) dnParent LDAP_P(( struct berval *dn, struct berval *pdn ));
 
-LDAP_SLAPD_F (int) dnDCEnormalize LDAP_P(( char *dce, struct berval *out ));
+LDAP_SLAPD_F (int) dnX509normalize LDAP_P(( void *x509_name, struct berval *out ));
+
+LDAP_SLAPD_F (char *) dnX509peerNormalize LDAP_P(( void *ssl ));
 
 /*
  * entry.c
@@ -999,7 +1001,6 @@ LDAP_SLAPD_V (int)		global_idletimeout;
 LDAP_SLAPD_V (int)		global_schemacheck;
 LDAP_SLAPD_V (char *)	global_host;
 LDAP_SLAPD_V (char *)	global_realm;
-LDAP_SLAPD_V (int)		sasl_external_x509dn_convert;
 LDAP_SLAPD_V (char *)	default_passwd_hash;
 LDAP_SLAPD_V (int)		lber_debug;
 LDAP_SLAPD_V (int)		ldap_syslog;

servers/slapd/sasl.c

@@ -173,22 +173,17 @@ int slap_sasl_getdn( Connection *conn, char *id, int len,
 
 	/* An authcID needs to be converted to authzID form */
 	if( flags & FLAG_GETDN_AUTHCID ) {
-		if( sasl_external_x509dn_convert
-			&& conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
-			&& ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) 
-			&& id[0] == '/' )
-		{
-			/* check SASL external for X.509 style DN and */
-			/* convert to dn:<dn> form, result is normalized */
-			dnDCEnormalize( id, dn );
+		if( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
+			&& ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) {
+			/* X.509 DN is already normalized */
 			do_norm = 0;
 			is_dn = SET_DN;
 
 		} else {
 			/* convert to u:<username> form */
-			ber_str2bv( id, len, 1, dn );
 			is_dn = SET_U;
 		}
+		ber_str2bv( id, len, 1, dn );
 	}
 	if( !is_dn ) {
 		if( !strncasecmp( id, "u:", sizeof("u:")-1 )) {
@@ -449,9 +444,8 @@ slap_sasl_authorize(
 		equal = !strcmp( auth_identity, requested_user );
 
 	/* If using SASL-EXTERNAL, don't modify the ID in any way */
-	if ( conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
-		&& ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) 
-			&& auth_identity[0] == '/' ) {
+	if ( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
+		&& ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) {
 		ext = 1;
 		realm = NULL;
 	} else {
@@ -582,9 +576,8 @@ slap_sasl_authorize(
 
 	/* Convert the identities to DN's. If no authzid was given, client will
 	   be bound as the DN matching their username */
-	if ( conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
-		&& ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) 
-			&& authcid[0] == '/' ) {
+	if ( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
+		&& ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) {
 		ext = 1;
 		xrealm = NULL;
 	} else {

servers/slapd/schema_init.c

@@ -3480,16 +3480,6 @@ asn1_integer2str(ASN1_INTEGER *a, struct berval *bv)
 	return ber_str2bv( p, 0, 1, bv );
 }
 
-/* Get a DN in RFC2253 format from a X509_NAME internal struct */
-int
-dn_openssl2ldap(X509_NAME *name, struct berval *out)
-{
-	char buf[2048], *p;
-
-	p = X509_NAME_oneline( name, buf, sizeof( buf ) );
-	return dnDCEnormalize( p, out );
-}
-
 /*
  * Given a certificate in DER format, extract the corresponding
  * assertion value for certificateExactMatch
@@ -3522,7 +3512,7 @@ certificateExactConvert(
 		X509_free(xcert);
 		return LDAP_INVALID_SYNTAX;
 	}
-	if ( dn_openssl2ldap(X509_get_issuer_name(xcert), &issuer_dn ) != LDAP_SUCCESS ) {
+	if ( dnX509normalize(X509_get_issuer_name(xcert), &issuer_dn ) != LDAP_SUCCESS ) {
 		X509_free(xcert);
 		ber_memfree(serial.bv_val);
 		return LDAP_INVALID_SYNTAX;
@@ -3636,7 +3626,7 @@ certificateExactMatch(
 	}
 
 	asn1_integer2str(xcert->cert_info->serialNumber, &serial);
-	dn_openssl2ldap(X509_get_issuer_name(xcert), &issuer_dn);
+	dnX509normalize(X509_get_issuer_name(xcert), &issuer_dn);
 
 	X509_free(xcert);