mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-12 10:54:48 +08:00
Axe obsolete Cyrus 1.5 support
This commit is contained in:
parent
95a37bc024
commit
94db6fc9e8
@ -35,20 +35,13 @@
|
||||
#ifdef HAVE_CYRUS_SASL
|
||||
# ifdef HAVE_SASL_SASL_H
|
||||
# include <sasl/sasl.h>
|
||||
# else
|
||||
# include <sasl.h>
|
||||
# endif
|
||||
|
||||
# if SASL_VERSION_MAJOR >= 2
|
||||
# ifdef HAVE_SASL_SASL_H
|
||||
# include <sasl/saslplug.h>
|
||||
# else
|
||||
# include <sasl.h>
|
||||
# include <saslplug.h>
|
||||
# endif
|
||||
|
||||
# define SASL_CONST const
|
||||
# else
|
||||
# define SASL_CONST
|
||||
# endif
|
||||
|
||||
#define SASL_VERSION_FULL ((SASL_VERSION_MAJOR << 16) |\
|
||||
(SASL_VERSION_MINOR << 8) | SASL_VERSION_STEP)
|
||||
@ -87,7 +80,6 @@ slap_sasl_log(
|
||||
}
|
||||
|
||||
switch (priority) {
|
||||
#if SASL_VERSION_MAJOR >= 2
|
||||
case SASL_LOG_NONE:
|
||||
level = LDAP_DEBUG_NONE;
|
||||
label = "None";
|
||||
@ -120,20 +112,6 @@ slap_sasl_log(
|
||||
level = LDAP_DEBUG_TRACE;
|
||||
label = "Password Trace";
|
||||
break;
|
||||
#else
|
||||
case SASL_LOG_ERR:
|
||||
level = LDAP_DEBUG_ANY;
|
||||
label = "Error";
|
||||
break;
|
||||
case SASL_LOG_WARNING:
|
||||
level = LDAP_DEBUG_TRACE;
|
||||
label = "Warning";
|
||||
break;
|
||||
case SASL_LOG_INFO:
|
||||
level = LDAP_DEBUG_TRACE;
|
||||
label = "Info";
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
return SASL_BADPARAM;
|
||||
}
|
||||
@ -146,8 +124,6 @@ slap_sasl_log(
|
||||
return SASL_OK;
|
||||
}
|
||||
|
||||
|
||||
#if SASL_VERSION_MAJOR >= 2
|
||||
static const char *slap_propnames[] = {
|
||||
"*slapConn", "*slapAuthcDNlen", "*slapAuthcDN",
|
||||
"*slapAuthzDNlen", "*slapAuthzDN", NULL };
|
||||
@ -756,108 +732,6 @@ ok:
|
||||
authzDN.bv_val ? authzDN.bv_val : "", 0 );
|
||||
return SASL_OK;
|
||||
}
|
||||
#else
|
||||
static int
|
||||
slap_sasl_authorize(
|
||||
void *context,
|
||||
char *authcid,
|
||||
char *authzid,
|
||||
const char **user,
|
||||
const char **errstr)
|
||||
{
|
||||
struct berval authcDN, authzDN = BER_BVNULL;
|
||||
int rc;
|
||||
Connection *conn = context;
|
||||
char *realm;
|
||||
struct berval bvauthcid, bvauthzid;
|
||||
|
||||
*user = NULL;
|
||||
if ( conn->c_sasl_dn.bv_val ) {
|
||||
ch_free( conn->c_sasl_dn.bv_val );
|
||||
BER_BVZERO( &conn->c_sasl_dn );
|
||||
}
|
||||
|
||||
Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: "
|
||||
"authcid=\"%s\" authzid=\"%s\"\n",
|
||||
(long) (conn ? conn->c_connid : -1),
|
||||
authcid ? authcid : "<empty>",
|
||||
authzid ? authzid : "<empty>" );
|
||||
|
||||
/* Figure out how much data we have for the dn */
|
||||
rc = sasl_getprop( conn->c_sasl_authctx, SASL_REALM, (void **)&realm );
|
||||
if( rc != SASL_OK && rc != SASL_NOTDONE ) {
|
||||
Debug(LDAP_DEBUG_TRACE,
|
||||
"authorize: getprop(REALM) failed!\n", 0,0,0);
|
||||
*errstr = "Could not extract realm";
|
||||
return SASL_NOAUTHZ;
|
||||
}
|
||||
|
||||
/* Convert the identities to DN's. If no authzid was given, client will
|
||||
be bound as the DN matching their username */
|
||||
bvauthcid.bv_val = authcid;
|
||||
bvauthcid.bv_len = authcid ? strlen( authcid ) : 0;
|
||||
rc = slap_sasl_getdn( conn, NULL, &bvauthcid, realm,
|
||||
&authcDN, SLAP_GETDN_AUTHCID );
|
||||
if( rc != LDAP_SUCCESS ) {
|
||||
*errstr = ldap_err2string( rc );
|
||||
return SASL_NOAUTHZ;
|
||||
}
|
||||
conn->c_sasl_dn = authcDN;
|
||||
if( ( authzid == NULL ) || !strcmp( authcid, authzid ) ) {
|
||||
Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
|
||||
"Using authcDN=%s\n", (long) (conn ? conn->c_connid : -1), authcDN.bv_val,0 );
|
||||
|
||||
goto ok;
|
||||
}
|
||||
|
||||
bvauthzid.bv_val = authzid;
|
||||
bvauthzid.bv_len = authzid ? strlen( authzid ) : 0;
|
||||
rc = slap_sasl_getdn( conn, NULL, &bvauthzid, realm,
|
||||
&authzDN, SLAP_GETDN_AUTHZID );
|
||||
if( rc != LDAP_SUCCESS ) {
|
||||
*errstr = ldap_err2string( rc );
|
||||
return SASL_NOAUTHZ;
|
||||
}
|
||||
|
||||
rc = slap_sasl_authorized( conn->c_sasl_bindop, &authcDN, &authzDN );
|
||||
if( rc ) {
|
||||
Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
|
||||
"proxy authorization disallowed (%d)\n",
|
||||
(long) (conn ? conn->c_connid : -1), rc, 0 );
|
||||
|
||||
*errstr = "not authorized";
|
||||
ch_free( authzDN.bv_val );
|
||||
return SASL_NOAUTHZ;
|
||||
}
|
||||
|
||||
/* FIXME: we need yet another dup because slap_sasl_getdn()
|
||||
* is using the bind operation slab */
|
||||
if ( conn->c_sasl_bindop ) {
|
||||
ber_dupbv( &conn->c_sasl_authz_dn, &authzDN );
|
||||
slap_sl_free( authzDN.bv_val,
|
||||
conn->c_sasl_bindop->o_tmpmemctx );
|
||||
|
||||
} else {
|
||||
conn->c_sasl_authz_dn = authzDN;
|
||||
}
|
||||
|
||||
ok:
|
||||
Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
|
||||
" authorization allowed authzDN=\"%s\"\n",
|
||||
(long) (conn ? conn->c_connid : -1),
|
||||
authzDN.bv_val ? authzDN.bv_val : "", 0 );
|
||||
|
||||
if ( conn->c_sasl_bindop ) {
|
||||
Statslog( LDAP_DEBUG_STATS,
|
||||
"%s BIND authcid=\"%s\" authzid=\"%s\"\n",
|
||||
conn->c_sasl_bindop->o_log_prefix,
|
||||
authcid, authzid ? authzid : "", 0, 0 );
|
||||
}
|
||||
|
||||
*errstr = NULL;
|
||||
return SASL_OK;
|
||||
}
|
||||
#endif /* SASL_VERSION_MAJOR >= 2 */
|
||||
|
||||
static int
|
||||
slap_sasl_err2ldap( int saslerr )
|
||||
@ -959,16 +833,9 @@ static int chk_sasl(
|
||||
|
||||
if( sconn != NULL ) {
|
||||
int sc;
|
||||
# if SASL_VERSION_MAJOR < 2
|
||||
sc = sasl_checkpass( sconn,
|
||||
passwd->bv_val, passwd->bv_len,
|
||||
cred->bv_val, cred->bv_len,
|
||||
text );
|
||||
# else
|
||||
sc = sasl_checkpass( sconn,
|
||||
passwd->bv_val, passwd->bv_len,
|
||||
cred->bv_val, cred->bv_len );
|
||||
# endif
|
||||
rtn = ( sc != SASL_OK ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
|
||||
}
|
||||
|
||||
@ -1239,22 +1106,12 @@ int slap_sasl_init( void )
|
||||
}
|
||||
#endif
|
||||
|
||||
/* SASL 2 does its own memory management internally */
|
||||
#if SASL_VERSION_MAJOR < 2
|
||||
sasl_set_alloc(
|
||||
ber_memalloc,
|
||||
ber_memcalloc,
|
||||
ber_memrealloc,
|
||||
ber_memfree );
|
||||
#endif
|
||||
|
||||
sasl_set_mutex(
|
||||
ldap_pvt_sasl_mutex_new,
|
||||
ldap_pvt_sasl_mutex_lock,
|
||||
ldap_pvt_sasl_mutex_unlock,
|
||||
ldap_pvt_sasl_mutex_dispose );
|
||||
|
||||
#if SASL_VERSION_MAJOR >= 2
|
||||
generic_filter.f_desc = slap_schema.si_ad_objectClass;
|
||||
|
||||
rc = sasl_auxprop_add_plugin( "slapd", slap_auxprop_init );
|
||||
@ -1263,7 +1120,7 @@ int slap_sasl_init( void )
|
||||
0, 0, 0 );
|
||||
return -1;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* should provide callbacks for logging */
|
||||
/* server name should be configurable */
|
||||
rc = sasl_server_init( server_callbacks, "slapd" );
|
||||
@ -1271,10 +1128,6 @@ int slap_sasl_init( void )
|
||||
if( rc != SASL_OK ) {
|
||||
Debug( LDAP_DEBUG_ANY, "slap_sasl_init: server init failed\n",
|
||||
0, 0, 0 );
|
||||
#if SASL_VERSION_MAJOR < 2
|
||||
/* A no-op used to make sure we linked with Cyrus 1.5 */
|
||||
sasl_client_auth( NULL, NULL, NULL, 0, NULL, NULL );
|
||||
#endif
|
||||
|
||||
return -1;
|
||||
}
|
||||
@ -1307,7 +1160,6 @@ int slap_sasl_destroy( void )
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if SASL_VERSION_MAJOR >= 2
|
||||
static char *
|
||||
slap_sasl_peer2ipport( struct berval *peer )
|
||||
{
|
||||
@ -1341,7 +1193,6 @@ slap_sasl_peer2ipport( struct berval *peer )
|
||||
|
||||
return ipport;
|
||||
}
|
||||
#endif
|
||||
|
||||
int slap_sasl_open( Connection *conn, int reopen )
|
||||
{
|
||||
@ -1351,10 +1202,7 @@ int slap_sasl_open( Connection *conn, int reopen )
|
||||
|
||||
sasl_conn_t *ctx = NULL;
|
||||
sasl_callback_t *session_callbacks;
|
||||
|
||||
#if SASL_VERSION_MAJOR >= 2
|
||||
char *ipremoteport = NULL, *iplocalport = NULL;
|
||||
#endif
|
||||
|
||||
assert( conn->c_sasl_authctx == NULL );
|
||||
|
||||
@ -1362,11 +1210,7 @@ int slap_sasl_open( Connection *conn, int reopen )
|
||||
assert( conn->c_sasl_extra == NULL );
|
||||
|
||||
session_callbacks =
|
||||
#if SASL_VERSION_MAJOR >= 2
|
||||
SLAP_CALLOC( 5, sizeof(sasl_callback_t));
|
||||
#else
|
||||
SLAP_CALLOC( 3, sizeof(sasl_callback_t));
|
||||
#endif
|
||||
if( session_callbacks == NULL ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"slap_sasl_open: SLAP_MALLOC failed", 0, 0, 0 );
|
||||
@ -1382,11 +1226,9 @@ int slap_sasl_open( Connection *conn, int reopen )
|
||||
session_callbacks[cb].proc = &slap_sasl_authorize;
|
||||
session_callbacks[cb++].context = conn;
|
||||
|
||||
#if SASL_VERSION_MAJOR >= 2
|
||||
session_callbacks[cb].id = SASL_CB_CANON_USER;
|
||||
session_callbacks[cb].proc = &slap_sasl_canonicalize;
|
||||
session_callbacks[cb++].context = conn;
|
||||
#endif
|
||||
|
||||
session_callbacks[cb].id = SASL_CB_LIST_END;
|
||||
session_callbacks[cb].proc = NULL;
|
||||
@ -1398,7 +1240,6 @@ int slap_sasl_open( Connection *conn, int reopen )
|
||||
conn->c_sasl_layers = 0;
|
||||
|
||||
/* create new SASL context */
|
||||
#if SASL_VERSION_MAJOR >= 2
|
||||
if ( conn->c_sock_name.bv_len != 0 &&
|
||||
strncmp( conn->c_sock_name.bv_val, "IP=", STRLENOF( "IP=" ) ) == 0 )
|
||||
{
|
||||
@ -1419,10 +1260,6 @@ int slap_sasl_open( Connection *conn, int reopen )
|
||||
if ( ipremoteport != NULL ) {
|
||||
ch_free( ipremoteport );
|
||||
}
|
||||
#else
|
||||
sc = sasl_server_new( "ldap", sasl_host, global_realm,
|
||||
session_callbacks, SASL_SECURITY_LAYER, &ctx );
|
||||
#endif
|
||||
|
||||
if( sc != SASL_OK ) {
|
||||
Debug( LDAP_DEBUG_ANY, "sasl_server_new failed: %d\n",
|
||||
@ -1467,7 +1304,7 @@ int slap_sasl_external(
|
||||
slap_ssf_t ssf,
|
||||
struct berval *auth_id )
|
||||
{
|
||||
#if SASL_VERSION_MAJOR >= 2
|
||||
#ifdef HAVE_CYRUS_SASL
|
||||
int sc;
|
||||
sasl_conn_t *ctx = conn->c_sasl_authctx;
|
||||
sasl_ssf_t sasl_ssf = ssf;
|
||||
@ -1488,26 +1325,6 @@ int slap_sasl_external(
|
||||
if ( sc != SASL_OK ) {
|
||||
return LDAP_OTHER;
|
||||
}
|
||||
|
||||
#elif defined(HAVE_CYRUS_SASL)
|
||||
int sc;
|
||||
sasl_conn_t *ctx = conn->c_sasl_authctx;
|
||||
sasl_external_properties_t extprops;
|
||||
|
||||
if ( ctx == NULL ) {
|
||||
return LDAP_UNAVAILABLE;
|
||||
}
|
||||
|
||||
memset( &extprops, '\0', sizeof(extprops) );
|
||||
extprops.ssf = ssf;
|
||||
extprops.auth_id = auth_id ? auth_id->bv_val : NULL;
|
||||
|
||||
sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
|
||||
(void *) &extprops );
|
||||
|
||||
if ( sc != SASL_OK ) {
|
||||
return LDAP_OTHER;
|
||||
}
|
||||
#elif defined(SLAP_BUILTIN_SASL)
|
||||
/* built-in SASL implementation */
|
||||
SASL_CTX *ctx = conn->c_sasl_authctx;
|
||||
@ -1555,10 +1372,6 @@ char ** slap_sasl_mechs( Connection *conn )
|
||||
}
|
||||
|
||||
mechs = ldap_str2charray( mechstr, "," );
|
||||
|
||||
#if SASL_VERSION_MAJOR < 2
|
||||
ch_free( mechstr );
|
||||
#endif
|
||||
}
|
||||
#elif defined(SLAP_BUILTIN_SASL)
|
||||
/* builtin SASL implementation */
|
||||
@ -1630,28 +1443,19 @@ int slap_sasl_bind( Operation *op, SlapReply *rs )
|
||||
return rs->sr_err;
|
||||
}
|
||||
|
||||
#if SASL_VERSION_MAJOR >= 2
|
||||
#define START( ctx, mech, cred, clen, resp, rlen, err ) \
|
||||
sasl_server_start( ctx, mech, cred, clen, resp, rlen )
|
||||
#define STEP( ctx, cred, clen, resp, rlen, err ) \
|
||||
sasl_server_step( ctx, cred, clen, resp, rlen )
|
||||
#else
|
||||
#define START( ctx, mech, cred, clen, resp, rlen, err ) \
|
||||
sasl_server_start( ctx, mech, cred, clen, resp, rlen, err )
|
||||
#define STEP( ctx, cred, clen, resp, rlen, err ) \
|
||||
sasl_server_step( ctx, cred, clen, resp, rlen, err )
|
||||
#endif
|
||||
|
||||
if ( !op->o_conn->c_sasl_bind_in_progress ) {
|
||||
/* If we already authenticated once, must use a new context */
|
||||
if ( op->o_conn->c_sasl_done ) {
|
||||
sasl_ssf_t ssf = 0;
|
||||
const char *authid = NULL;
|
||||
#if SASL_VERSION_MAJOR >= 2
|
||||
sasl_getprop( ctx, SASL_SSF_EXTERNAL, (void *)&ssf );
|
||||
sasl_getprop( ctx, SASL_AUTH_EXTERNAL, (void *)&authid );
|
||||
if ( authid ) authid = ch_strdup( authid );
|
||||
#endif
|
||||
if ( ctx != op->o_conn->c_sasl_sockctx ) {
|
||||
sasl_dispose( &ctx );
|
||||
}
|
||||
@ -1659,13 +1463,11 @@ int slap_sasl_bind( Operation *op, SlapReply *rs )
|
||||
|
||||
slap_sasl_open( op->o_conn, 1 );
|
||||
ctx = op->o_conn->c_sasl_authctx;
|
||||
#if SASL_VERSION_MAJOR >= 2
|
||||
if ( authid ) {
|
||||
sasl_setprop( ctx, SASL_SSF_EXTERNAL, &ssf );
|
||||
sasl_setprop( ctx, SASL_AUTH_EXTERNAL, authid );
|
||||
ch_free( (char *)authid );
|
||||
}
|
||||
#endif
|
||||
}
|
||||
sc = START( ctx,
|
||||
op->o_conn->c_sasl_bind_mech.bv_val,
|
||||
@ -1728,25 +1530,17 @@ int slap_sasl_bind( Operation *op, SlapReply *rs )
|
||||
}
|
||||
} else if ( sc == SASL_CONTINUE ) {
|
||||
rs->sr_err = LDAP_SASL_BIND_IN_PROGRESS,
|
||||
#if SASL_VERSION_MAJOR >= 2
|
||||
rs->sr_text = sasl_errdetail( ctx );
|
||||
#endif
|
||||
rs->sr_sasldata = &response;
|
||||
send_ldap_sasl( op, rs );
|
||||
|
||||
} else {
|
||||
BER_BVZERO( &op->o_conn->c_sasl_dn );
|
||||
#if SASL_VERSION_MAJOR >= 2
|
||||
rs->sr_text = sasl_errdetail( ctx );
|
||||
#endif
|
||||
rs->sr_err = slap_sasl_err2ldap( sc ),
|
||||
send_ldap_result( op, rs );
|
||||
}
|
||||
|
||||
#if SASL_VERSION_MAJOR < 2
|
||||
if( response.bv_len ) ch_free( response.bv_val );
|
||||
#endif
|
||||
|
||||
Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rs->sr_err, 0, 0);
|
||||
|
||||
#elif defined(SLAP_BUILTIN_SASL)
|
||||
@ -1843,16 +1637,11 @@ slap_sasl_setpass( Operation *op, SlapReply *rs )
|
||||
rs->sr_rspdata = slap_passwd_return( &new );
|
||||
}
|
||||
|
||||
#if SASL_VERSION_MAJOR < 2
|
||||
rs->sr_err = sasl_setpass( op->o_conn->c_sasl_authctx,
|
||||
id.bv_val, new.bv_val, new.bv_len, 0, &rs->sr_text );
|
||||
#else
|
||||
rs->sr_err = sasl_setpass( op->o_conn->c_sasl_authctx, id.bv_val,
|
||||
new.bv_val, new.bv_len, old.bv_val, old.bv_len, 0 );
|
||||
if( rs->sr_err != SASL_OK ) {
|
||||
rs->sr_text = sasl_errdetail( op->o_conn->c_sasl_authctx );
|
||||
}
|
||||
#endif
|
||||
switch(rs->sr_err) {
|
||||
case SASL_OK:
|
||||
rs->sr_err = LDAP_SUCCESS;
|
||||
|
Loading…
Reference in New Issue
Block a user