diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 178d96f11b..eb9d0661d8 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -35,20 +35,13 @@ #ifdef HAVE_CYRUS_SASL # ifdef HAVE_SASL_SASL_H # include -# else -# include -# endif - -# if SASL_VERSION_MAJOR >= 2 -# ifdef HAVE_SASL_SASL_H # include # else +# include # include # endif -# define SASL_CONST const -# else -# define SASL_CONST -# endif + +# define SASL_CONST const #define SASL_VERSION_FULL ((SASL_VERSION_MAJOR << 16) |\ (SASL_VERSION_MINOR << 8) | SASL_VERSION_STEP) @@ -87,7 +80,6 @@ slap_sasl_log( } switch (priority) { -#if SASL_VERSION_MAJOR >= 2 case SASL_LOG_NONE: level = LDAP_DEBUG_NONE; label = "None"; @@ -120,20 +112,6 @@ slap_sasl_log( level = LDAP_DEBUG_TRACE; label = "Password Trace"; break; -#else - case SASL_LOG_ERR: - level = LDAP_DEBUG_ANY; - label = "Error"; - break; - case SASL_LOG_WARNING: - level = LDAP_DEBUG_TRACE; - label = "Warning"; - break; - case SASL_LOG_INFO: - level = LDAP_DEBUG_TRACE; - label = "Info"; - break; -#endif default: return SASL_BADPARAM; } @@ -146,8 +124,6 @@ slap_sasl_log( return SASL_OK; } - -#if SASL_VERSION_MAJOR >= 2 static const char *slap_propnames[] = { "*slapConn", "*slapAuthcDNlen", "*slapAuthcDN", "*slapAuthzDNlen", "*slapAuthzDN", NULL }; @@ -756,108 +732,6 @@ ok: authzDN.bv_val ? authzDN.bv_val : "", 0 ); return SASL_OK; } -#else -static int -slap_sasl_authorize( - void *context, - char *authcid, - char *authzid, - const char **user, - const char **errstr) -{ - struct berval authcDN, authzDN = BER_BVNULL; - int rc; - Connection *conn = context; - char *realm; - struct berval bvauthcid, bvauthzid; - - *user = NULL; - if ( conn->c_sasl_dn.bv_val ) { - ch_free( conn->c_sasl_dn.bv_val ); - BER_BVZERO( &conn->c_sasl_dn ); - } - - Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: " - "authcid=\"%s\" authzid=\"%s\"\n", - (long) (conn ? conn->c_connid : -1), - authcid ? authcid : "", - authzid ? authzid : "" ); - - /* Figure out how much data we have for the dn */ - rc = sasl_getprop( conn->c_sasl_authctx, SASL_REALM, (void **)&realm ); - if( rc != SASL_OK && rc != SASL_NOTDONE ) { - Debug(LDAP_DEBUG_TRACE, - "authorize: getprop(REALM) failed!\n", 0,0,0); - *errstr = "Could not extract realm"; - return SASL_NOAUTHZ; - } - - /* Convert the identities to DN's. If no authzid was given, client will - be bound as the DN matching their username */ - bvauthcid.bv_val = authcid; - bvauthcid.bv_len = authcid ? strlen( authcid ) : 0; - rc = slap_sasl_getdn( conn, NULL, &bvauthcid, realm, - &authcDN, SLAP_GETDN_AUTHCID ); - if( rc != LDAP_SUCCESS ) { - *errstr = ldap_err2string( rc ); - return SASL_NOAUTHZ; - } - conn->c_sasl_dn = authcDN; - if( ( authzid == NULL ) || !strcmp( authcid, authzid ) ) { - Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: " - "Using authcDN=%s\n", (long) (conn ? conn->c_connid : -1), authcDN.bv_val,0 ); - - goto ok; - } - - bvauthzid.bv_val = authzid; - bvauthzid.bv_len = authzid ? strlen( authzid ) : 0; - rc = slap_sasl_getdn( conn, NULL, &bvauthzid, realm, - &authzDN, SLAP_GETDN_AUTHZID ); - if( rc != LDAP_SUCCESS ) { - *errstr = ldap_err2string( rc ); - return SASL_NOAUTHZ; - } - - rc = slap_sasl_authorized( conn->c_sasl_bindop, &authcDN, &authzDN ); - if( rc ) { - Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: " - "proxy authorization disallowed (%d)\n", - (long) (conn ? conn->c_connid : -1), rc, 0 ); - - *errstr = "not authorized"; - ch_free( authzDN.bv_val ); - return SASL_NOAUTHZ; - } - - /* FIXME: we need yet another dup because slap_sasl_getdn() - * is using the bind operation slab */ - if ( conn->c_sasl_bindop ) { - ber_dupbv( &conn->c_sasl_authz_dn, &authzDN ); - slap_sl_free( authzDN.bv_val, - conn->c_sasl_bindop->o_tmpmemctx ); - - } else { - conn->c_sasl_authz_dn = authzDN; - } - -ok: - Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: " - " authorization allowed authzDN=\"%s\"\n", - (long) (conn ? conn->c_connid : -1), - authzDN.bv_val ? authzDN.bv_val : "", 0 ); - - if ( conn->c_sasl_bindop ) { - Statslog( LDAP_DEBUG_STATS, - "%s BIND authcid=\"%s\" authzid=\"%s\"\n", - conn->c_sasl_bindop->o_log_prefix, - authcid, authzid ? authzid : "", 0, 0 ); - } - - *errstr = NULL; - return SASL_OK; -} -#endif /* SASL_VERSION_MAJOR >= 2 */ static int slap_sasl_err2ldap( int saslerr ) @@ -959,16 +833,9 @@ static int chk_sasl( if( sconn != NULL ) { int sc; -# if SASL_VERSION_MAJOR < 2 - sc = sasl_checkpass( sconn, - passwd->bv_val, passwd->bv_len, - cred->bv_val, cred->bv_len, - text ); -# else sc = sasl_checkpass( sconn, passwd->bv_val, passwd->bv_len, cred->bv_val, cred->bv_len ); -# endif rtn = ( sc != SASL_OK ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; } @@ -1239,22 +1106,12 @@ int slap_sasl_init( void ) } #endif - /* SASL 2 does its own memory management internally */ -#if SASL_VERSION_MAJOR < 2 - sasl_set_alloc( - ber_memalloc, - ber_memcalloc, - ber_memrealloc, - ber_memfree ); -#endif - sasl_set_mutex( ldap_pvt_sasl_mutex_new, ldap_pvt_sasl_mutex_lock, ldap_pvt_sasl_mutex_unlock, ldap_pvt_sasl_mutex_dispose ); -#if SASL_VERSION_MAJOR >= 2 generic_filter.f_desc = slap_schema.si_ad_objectClass; rc = sasl_auxprop_add_plugin( "slapd", slap_auxprop_init ); @@ -1263,7 +1120,7 @@ int slap_sasl_init( void ) 0, 0, 0 ); return -1; } -#endif + /* should provide callbacks for logging */ /* server name should be configurable */ rc = sasl_server_init( server_callbacks, "slapd" ); @@ -1271,10 +1128,6 @@ int slap_sasl_init( void ) if( rc != SASL_OK ) { Debug( LDAP_DEBUG_ANY, "slap_sasl_init: server init failed\n", 0, 0, 0 ); -#if SASL_VERSION_MAJOR < 2 - /* A no-op used to make sure we linked with Cyrus 1.5 */ - sasl_client_auth( NULL, NULL, NULL, 0, NULL, NULL ); -#endif return -1; } @@ -1307,7 +1160,6 @@ int slap_sasl_destroy( void ) return 0; } -#if SASL_VERSION_MAJOR >= 2 static char * slap_sasl_peer2ipport( struct berval *peer ) { @@ -1341,7 +1193,6 @@ slap_sasl_peer2ipport( struct berval *peer ) return ipport; } -#endif int slap_sasl_open( Connection *conn, int reopen ) { @@ -1351,10 +1202,7 @@ int slap_sasl_open( Connection *conn, int reopen ) sasl_conn_t *ctx = NULL; sasl_callback_t *session_callbacks; - -#if SASL_VERSION_MAJOR >= 2 char *ipremoteport = NULL, *iplocalport = NULL; -#endif assert( conn->c_sasl_authctx == NULL ); @@ -1362,11 +1210,7 @@ int slap_sasl_open( Connection *conn, int reopen ) assert( conn->c_sasl_extra == NULL ); session_callbacks = -#if SASL_VERSION_MAJOR >= 2 SLAP_CALLOC( 5, sizeof(sasl_callback_t)); -#else - SLAP_CALLOC( 3, sizeof(sasl_callback_t)); -#endif if( session_callbacks == NULL ) { Debug( LDAP_DEBUG_ANY, "slap_sasl_open: SLAP_MALLOC failed", 0, 0, 0 ); @@ -1382,11 +1226,9 @@ int slap_sasl_open( Connection *conn, int reopen ) session_callbacks[cb].proc = &slap_sasl_authorize; session_callbacks[cb++].context = conn; -#if SASL_VERSION_MAJOR >= 2 session_callbacks[cb].id = SASL_CB_CANON_USER; session_callbacks[cb].proc = &slap_sasl_canonicalize; session_callbacks[cb++].context = conn; -#endif session_callbacks[cb].id = SASL_CB_LIST_END; session_callbacks[cb].proc = NULL; @@ -1398,7 +1240,6 @@ int slap_sasl_open( Connection *conn, int reopen ) conn->c_sasl_layers = 0; /* create new SASL context */ -#if SASL_VERSION_MAJOR >= 2 if ( conn->c_sock_name.bv_len != 0 && strncmp( conn->c_sock_name.bv_val, "IP=", STRLENOF( "IP=" ) ) == 0 ) { @@ -1419,10 +1260,6 @@ int slap_sasl_open( Connection *conn, int reopen ) if ( ipremoteport != NULL ) { ch_free( ipremoteport ); } -#else - sc = sasl_server_new( "ldap", sasl_host, global_realm, - session_callbacks, SASL_SECURITY_LAYER, &ctx ); -#endif if( sc != SASL_OK ) { Debug( LDAP_DEBUG_ANY, "sasl_server_new failed: %d\n", @@ -1467,7 +1304,7 @@ int slap_sasl_external( slap_ssf_t ssf, struct berval *auth_id ) { -#if SASL_VERSION_MAJOR >= 2 +#ifdef HAVE_CYRUS_SASL int sc; sasl_conn_t *ctx = conn->c_sasl_authctx; sasl_ssf_t sasl_ssf = ssf; @@ -1488,26 +1325,6 @@ int slap_sasl_external( if ( sc != SASL_OK ) { return LDAP_OTHER; } - -#elif defined(HAVE_CYRUS_SASL) - int sc; - sasl_conn_t *ctx = conn->c_sasl_authctx; - sasl_external_properties_t extprops; - - if ( ctx == NULL ) { - return LDAP_UNAVAILABLE; - } - - memset( &extprops, '\0', sizeof(extprops) ); - extprops.ssf = ssf; - extprops.auth_id = auth_id ? auth_id->bv_val : NULL; - - sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL, - (void *) &extprops ); - - if ( sc != SASL_OK ) { - return LDAP_OTHER; - } #elif defined(SLAP_BUILTIN_SASL) /* built-in SASL implementation */ SASL_CTX *ctx = conn->c_sasl_authctx; @@ -1555,10 +1372,6 @@ char ** slap_sasl_mechs( Connection *conn ) } mechs = ldap_str2charray( mechstr, "," ); - -#if SASL_VERSION_MAJOR < 2 - ch_free( mechstr ); -#endif } #elif defined(SLAP_BUILTIN_SASL) /* builtin SASL implementation */ @@ -1630,28 +1443,19 @@ int slap_sasl_bind( Operation *op, SlapReply *rs ) return rs->sr_err; } -#if SASL_VERSION_MAJOR >= 2 #define START( ctx, mech, cred, clen, resp, rlen, err ) \ sasl_server_start( ctx, mech, cred, clen, resp, rlen ) #define STEP( ctx, cred, clen, resp, rlen, err ) \ sasl_server_step( ctx, cred, clen, resp, rlen ) -#else -#define START( ctx, mech, cred, clen, resp, rlen, err ) \ - sasl_server_start( ctx, mech, cred, clen, resp, rlen, err ) -#define STEP( ctx, cred, clen, resp, rlen, err ) \ - sasl_server_step( ctx, cred, clen, resp, rlen, err ) -#endif if ( !op->o_conn->c_sasl_bind_in_progress ) { /* If we already authenticated once, must use a new context */ if ( op->o_conn->c_sasl_done ) { sasl_ssf_t ssf = 0; const char *authid = NULL; -#if SASL_VERSION_MAJOR >= 2 sasl_getprop( ctx, SASL_SSF_EXTERNAL, (void *)&ssf ); sasl_getprop( ctx, SASL_AUTH_EXTERNAL, (void *)&authid ); if ( authid ) authid = ch_strdup( authid ); -#endif if ( ctx != op->o_conn->c_sasl_sockctx ) { sasl_dispose( &ctx ); } @@ -1659,13 +1463,11 @@ int slap_sasl_bind( Operation *op, SlapReply *rs ) slap_sasl_open( op->o_conn, 1 ); ctx = op->o_conn->c_sasl_authctx; -#if SASL_VERSION_MAJOR >= 2 if ( authid ) { sasl_setprop( ctx, SASL_SSF_EXTERNAL, &ssf ); sasl_setprop( ctx, SASL_AUTH_EXTERNAL, authid ); ch_free( (char *)authid ); } -#endif } sc = START( ctx, op->o_conn->c_sasl_bind_mech.bv_val, @@ -1728,25 +1530,17 @@ int slap_sasl_bind( Operation *op, SlapReply *rs ) } } else if ( sc == SASL_CONTINUE ) { rs->sr_err = LDAP_SASL_BIND_IN_PROGRESS, -#if SASL_VERSION_MAJOR >= 2 rs->sr_text = sasl_errdetail( ctx ); -#endif rs->sr_sasldata = &response; send_ldap_sasl( op, rs ); } else { BER_BVZERO( &op->o_conn->c_sasl_dn ); -#if SASL_VERSION_MAJOR >= 2 rs->sr_text = sasl_errdetail( ctx ); -#endif rs->sr_err = slap_sasl_err2ldap( sc ), send_ldap_result( op, rs ); } -#if SASL_VERSION_MAJOR < 2 - if( response.bv_len ) ch_free( response.bv_val ); -#endif - Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rs->sr_err, 0, 0); #elif defined(SLAP_BUILTIN_SASL) @@ -1843,16 +1637,11 @@ slap_sasl_setpass( Operation *op, SlapReply *rs ) rs->sr_rspdata = slap_passwd_return( &new ); } -#if SASL_VERSION_MAJOR < 2 - rs->sr_err = sasl_setpass( op->o_conn->c_sasl_authctx, - id.bv_val, new.bv_val, new.bv_len, 0, &rs->sr_text ); -#else rs->sr_err = sasl_setpass( op->o_conn->c_sasl_authctx, id.bv_val, new.bv_val, new.bv_len, old.bv_val, old.bv_len, 0 ); if( rs->sr_err != SASL_OK ) { rs->sr_text = sasl_errdetail( op->o_conn->c_sasl_authctx ); } -#endif switch(rs->sr_err) { case SASL_OK: rs->sr_err = LDAP_SUCCESS;