ITS#3419: values in built auth DNs may need DN escaping, so build them via ldap_dn2bv
parent
810abc1419
commit
cc78fb525b
@ -8,6 +8,8 @@ slapauth \- Check a list of string-represented IDs for authc/authz.
|
||||
.B [\-v]
|
||||
.B [\-d level]
|
||||
.B [\-f slapd.conf]
|
||||
.B [\-M mech]
|
||||
.B [\-R realm]
|
||||
.B [\-U authcID]
|
||||
.B [\-X authzID]
|
||||
.B ID [...]
|
||||
@ -42,6 +44,12 @@ specify an alternative
|
||||
.BR slapd.conf (5)
|
||||
file.
|
||||
.TP
|
||||
.BI \-M " mech"
|
||||
specify a mechanism.
|
||||
.TP
|
||||
.BI \-R " realm"
|
||||
specify a realm.
|
||||
.TP
|
||||
.BI \-U " authcID"
|
||||
specify an ID to be used as
|
||||
.I authcID
|
||||
|
@ -1600,44 +1600,63 @@ int slap_sasl_getdn( Connection *conn, Operation *op, struct berval *id,
|
||||
|
||||
/* Username strings */
|
||||
if( is_dn == SET_U ) {
|
||||
char *p;
|
||||
struct berval realm = BER_BVNULL, c1 = *dn;
|
||||
ber_len_t len;
|
||||
/* ITS#3419: values may need escape */
|
||||
LDAPRDN DN[ 5 ];
|
||||
LDAPAVA *RDNs[ 4 ][ 2 ];
|
||||
LDAPAVA AVAs[ 4 ];
|
||||
int irdn;
|
||||
|
||||
len = dn->bv_len + STRLENOF( "uid=" ) + STRLENOF( ",cn=auth" );
|
||||
irdn = 0;
|
||||
DN[ irdn ] = RDNs[ irdn ];
|
||||
RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
|
||||
BER_BVSTR( &AVAs[ irdn ].la_attr, "uid" );
|
||||
AVAs[ irdn ].la_value = *dn;
|
||||
AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
|
||||
AVAs[ irdn ].la_private = NULL;
|
||||
RDNs[ irdn ][ 1 ] = NULL;
|
||||
|
||||
if( user_realm && *user_realm ) {
|
||||
ber_str2bv( user_realm, 0, 0, &realm );
|
||||
len += realm.bv_len + STRLENOF( ",cn=" );
|
||||
if ( user_realm && *user_realm ) {
|
||||
irdn++;
|
||||
DN[ irdn ] = RDNs[ irdn ];
|
||||
RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
|
||||
BER_BVSTR( &AVAs[ irdn ].la_attr, "cn" );
|
||||
ber_str2bv( user_realm, 0, 0, &AVAs[ irdn ].la_value );
|
||||
AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
|
||||
AVAs[ irdn ].la_private = NULL;
|
||||
RDNs[ irdn ][ 1 ] = NULL;
|
||||
}
|
||||
|
||||
if( mech->bv_len ) {
|
||||
len += mech->bv_len + STRLENOF( ",cn=" );
|
||||
if ( !BER_BVISNULL( mech ) ) {
|
||||
irdn++;
|
||||
DN[ irdn ] = RDNs[ irdn ];
|
||||
RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
|
||||
BER_BVSTR( &AVAs[ irdn ].la_attr, "cn" );
|
||||
AVAs[ irdn ].la_value = *mech;
|
||||
AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
|
||||
AVAs[ irdn ].la_private = NULL;
|
||||
RDNs[ irdn ][ 1 ] = NULL;
|
||||
}
|
||||
|
||||
/* Build the new dn */
|
||||
dn->bv_val = slap_sl_malloc( len + 1, op->o_tmpmemctx );
|
||||
if( dn->bv_val == NULL ) {
|
||||
Debug( LDAP_DEBUG_ANY,
|
||||
"slap_sasl_getdn: SLAP_MALLOC failed", 0, 0, 0 );
|
||||
return LDAP_OTHER;
|
||||
}
|
||||
p = lutil_strcopy( dn->bv_val, "uid=" );
|
||||
p = lutil_strncopy( p, c1.bv_val, c1.bv_len );
|
||||
irdn++;
|
||||
DN[ irdn ] = RDNs[ irdn ];
|
||||
RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
|
||||
BER_BVSTR( &AVAs[ irdn ].la_attr, "cn" );
|
||||
BER_BVSTR( &AVAs[ irdn ].la_value, "auth" );
|
||||
AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
|
||||
AVAs[ irdn ].la_private = NULL;
|
||||
RDNs[ irdn ][ 1 ] = NULL;
|
||||
|
||||
if( realm.bv_len ) {
|
||||
p = lutil_strcopy( p, ",cn=" );
|
||||
p = lutil_strncopy( p, realm.bv_val, realm.bv_len );
|
||||
}
|
||||
irdn++;
|
||||
DN[ irdn ] = NULL;
|
||||
|
||||
if( mech->bv_len ) {
|
||||
p = lutil_strcopy( p, ",cn=" );
|
||||
p = lutil_strcopy( p, mech->bv_val );
|
||||
rc = ldap_dn2bv_x( DN, dn, LDAP_DN_FORMAT_LDAPV3, op->o_tmpmemctx );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
BER_BVZERO( dn );
|
||||
return rc;
|
||||
}
|
||||
p = lutil_strcopy( p, ",cn=auth" );
|
||||
dn->bv_len = p - dn->bv_val;
|
||||
|
||||
Debug( LDAP_DEBUG_TRACE, "slap_sasl_getdn: u:id converted to %s\n", dn->bv_val,0,0 );
|
||||
|
||||
} else {
|
||||
|
||||
/* Dup the DN in any case, so we don't risk
|
||||
|
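Review bot: The mechanism RDN guard changed from `mech->bv_len` to `!BER_BVISNULL( mech )`, so a non-NULL but zero-length mech now produces an empty `cn=` RDN in the built DN; `slapauth -M ""` yields exactly that input, because the new `case 'M'` in slap_tool_init stores `ber_str2bv( optarg, 0, 0, &mech )` without rejecting an empty string. Keeping the length test, `if ( !BER_BVISNULL( mech ) && mech->bv_len ) {`, preserves the previous behaviour for that case. `AVAs[ 0 ].la_value` aliases `*dn` while `dn` is also the output berval passed to ldap_dn2bv_x; that is safe as long as ldap_dn2bv_x always allocates a fresh buffer, but if it ever treats a non-NULL bv_val as caller-supplied storage the input would be overwritten while still being read, so building into a separate BER_BVNULL berval and assigning it to `*dn` only on success would be more robust. `rc` is used at the ldap_dn2bv_x call but not declared in the hunk, presumably earlier in slap_sasl_getdn, whose body starts and ends outside the hunk.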
@ -40,7 +40,7 @@ do_check( Connection *c, Operation *op, struct berval *id )
|
||||
struct berval authcdn;
|
||||
int rc;
|
||||
|
||||
rc = slap_sasl_getdn( c, op, id, NULL, &authcdn, SLAP_GETDN_AUTHCID );
|
||||
rc = slap_sasl_getdn( c, op, id, realm, &authcdn, SLAP_GETDN_AUTHCID );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
fprintf( stderr, "ID: <%s> check failed %d (%s)\n",
|
||||
id->bv_val, rc,
|
||||
@ -91,6 +91,8 @@ slapauth( int argc, char **argv )
|
||||
op = (Operation *)opbuf;
|
||||
connection_fake_init( &conn, op, &conn );
|
||||
|
||||
conn.c_sasl_bind_mech = mech;
|
||||
|
||||
if ( !BER_BVISNULL( &authzID ) ) {
|
||||
struct berval authzdn;
|
||||
|
||||
|
@ -72,7 +72,7 @@ usage( int tool, const char *progname )
|
||||
break;
|
||||
|
||||
case SLAPAUTH:
|
||||
options = "\t[-U authcID] [-X authzID] ID [...]\n";
|
||||
options = "\t[-U authcID] [-X authzID] [-R realm] [-M mech] ID [...]\n";
|
||||
break;
|
||||
|
||||
case SLAPACL:
|
||||
@ -138,7 +138,7 @@ slap_tool_init(
|
||||
break;
|
||||
|
||||
case SLAPAUTH:
|
||||
options = "d:f:U:vX:";
|
||||
options = "d:f:M:R:U:vX:";
|
||||
mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
|
||||
break;
|
||||
|
||||
@ -217,6 +217,10 @@ slap_tool_init(
|
||||
retrieve_ctxcsn = 1;
|
||||
break;
|
||||
|
||||
case 'M':
|
||||
ber_str2bv( optarg, 0, 0, &mech );
|
||||
break;
|
||||
|
||||
case 'n': /* which config file db to index */
|
||||
dbnum = atoi( optarg ) - 1;
|
||||
break;
|
||||
@ -229,6 +233,10 @@ slap_tool_init(
|
||||
replica_demotion = 1;
|
||||
break;
|
||||
|
||||
case 'R':
|
||||
realm = optarg;
|
||||
break;
|
||||
|
||||
case 's': /* dump subtree */
|
||||
subtree = strdup( optarg );
|
||||
break;
|
||||
|
@ -57,6 +57,8 @@ typedef struct tool_vars {
|
||||
struct berval tv_baseDN;
|
||||
struct berval tv_authcID;
|
||||
struct berval tv_authzID;
|
||||
struct berval tv_mech;
|
||||
char *tv_realm;
|
||||
} tool_vars;
|
||||
|
||||
extern tool_vars tool_globals;
|
||||
@ -81,6 +83,8 @@ extern tool_vars tool_globals;
|
||||
#define baseDN tool_globals.tv_baseDN
|
||||
#define authcID tool_globals.tv_authcID
|
||||
#define authzID tool_globals.tv_authzID
|
||||
#define mech tool_globals.tv_mech
|
||||
#define realm tool_globals.tv_realm
|
||||
|
||||
void slap_tool_init LDAP_P((
|
||||
const char* name,
|
||||
|
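Review bot: `#define mech tool_globals.tv_mech` and `#define realm tool_globals.tv_realm` are bare object-like macros, so every identifier `mech` or `realm` in any translation unit including this header is rewritten, including locals, parameters and struct member names that use those common words. This follows the existing `baseDN`/`authcID`/`authzID` convention in the same block, but `mech` and `realm` are much more likely to collide with unrelated code than those names. At minimum a comment above the block, such as `/* NOTE: object-like macros; they expand wherever these names appear in files including slapcommon.h */`, would document the hazard, and a more specific name for the two new ones would avoid it.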