From cc78fb525bb64768e71e27f33fc002f168288e84 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Mon, 6 Dec 2004 15:17:23 +0000
Subject: [PATCH] ITS#3419: values in built auth DNs may need DN escaping, so build them via ldap_dn2bv
---
 doc/man/man8/slapauth.8 | 8 +++++
 servers/slapd/sasl.c | 73 ++++++++++++++++++++++++--------------
 servers/slapd/slapauth.c | 4 ++-
 servers/slapd/slapcommon.c | 12 +++++--
 servers/slapd/slapcommon.h | 4 +++
 5 files changed, 71 insertions(+), 30 deletions(-)
diff --git a/doc/man/man8/slapauth.8 b/doc/man/man8/slapauth.8
index 2575b0e174..2e838b6540 100644
--- a/doc/man/man8/slapauth.8
+++ b/doc/man/man8/slapauth.8
@@ -8,6 +8,8 @@ slapauth \- Check a list of string-represented IDs for authc/authz.
 .B [\-v]
 .B [\-d level]
 .B [\-f slapd.conf]
+.B [\-M mech]
+.B [\-R realm]
 .B [\-U authcID]
 .B [\-X authzID]
 .B ID [...]
@@ -42,6 +44,12 @@ specify an alternative
 .BR slapd.conf (5)
 file.
 .TP
+.BI \-M " mech"
+specify a mechanism.
+.TP
+.BI \-R " realm"
+specify a realm.
+.TP
 .BI \-U " authcID"
 specify an ID to be used as
 .I authcID
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 61c003ac32..1dcd8bbe95 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -1600,44 +1600,63 @@ int slap_sasl_getdn( Connection *conn, Operation *op, struct berval *id,
 /* Username strings */
 if( is_dn == SET_U ) {
- char *p;
- struct berval realm = BER_BVNULL, c1 = *dn;
- ber_len_t len;
+ /* ITS#3419: values may need escape */
+ LDAPRDN DN[ 5 ];
+ LDAPAVA *RDNs[ 4 ][ 2 ];
+ LDAPAVA AVAs[ 4 ];
+ int irdn;
- len = dn->bv_len + STRLENOF( "uid=" ) + STRLENOF( ",cn=auth" );
+ irdn = 0;
+ DN[ irdn ] = RDNs[ irdn ];
+ RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
+ BER_BVSTR( &AVAs[ irdn ].la_attr, "uid" );
+ AVAs[ irdn ].la_value = *dn;
+ AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
+ AVAs[ irdn ].la_private = NULL;
+ RDNs[ irdn ][ 1 ] = NULL;
- if( user_realm && *user_realm ) {
- ber_str2bv( user_realm, 0, 0, &realm );
- len += realm.bv_len + STRLENOF( ",cn=" );
+ if ( user_realm && *user_realm ) {
+ irdn++;
+ DN[ irdn ] = RDNs[ irdn ];
+ RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
+ BER_BVSTR( &AVAs[ irdn ].la_attr, "cn" );
+ ber_str2bv( user_realm, 0, 0, &AVAs[ irdn ].la_value );
+ AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
+ AVAs[ irdn ].la_private = NULL;
+ RDNs[ irdn ][ 1 ] = NULL;
 }
- if( mech->bv_len ) {
- len += mech->bv_len + STRLENOF( ",cn=" );
+ if ( !BER_BVISNULL( mech ) ) {
+ irdn++;
+ DN[ irdn ] = RDNs[ irdn ];
+ RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
+ BER_BVSTR( &AVAs[ irdn ].la_attr, "cn" );
+ AVAs[ irdn ].la_value = *mech;
+ AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
+ AVAs[ irdn ].la_private = NULL;
+ RDNs[ irdn ][ 1 ] = NULL;
 }
- /* Build the new dn */
- dn->bv_val = slap_sl_malloc( len + 1, op->o_tmpmemctx );
- if( dn->bv_val == NULL ) {
- Debug( LDAP_DEBUG_ANY,
- "slap_sasl_getdn: SLAP_MALLOC failed", 0, 0, 0 );
- return LDAP_OTHER;
- }
- p = lutil_strcopy( dn->bv_val, "uid=" );
- p = lutil_strncopy( p, c1.bv_val, c1.bv_len );
+ irdn++;
+ DN[ irdn ] = RDNs[ irdn ];
+ RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
+ BER_BVSTR( &AVAs[ irdn ].la_attr, "cn" );
+ BER_BVSTR( &AVAs[ irdn ].la_value, "auth" );
+ AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
+ AVAs[ irdn 
].la_private = NULL;
+ RDNs[ irdn ][ 1 ] = NULL;
- if( realm.bv_len ) {
- p = lutil_strcopy( p, ",cn=" );
- p = lutil_strncopy( p, realm.bv_val, realm.bv_len );
- }
+ irdn++;
+ DN[ irdn ] = NULL;
- if( mech->bv_len ) {
- p = lutil_strcopy( p, ",cn=" );
- p = lutil_strcopy( p, mech->bv_val );
+ rc = ldap_dn2bv_x( DN, dn, LDAP_DN_FORMAT_LDAPV3, op->o_tmpmemctx );
+ if ( rc != LDAP_SUCCESS ) {
+ BER_BVZERO( dn );
+ return rc;
 }
- p = lutil_strcopy( p, ",cn=auth" );
- dn->bv_len = p - dn->bv_val;
 Debug( LDAP_DEBUG_TRACE,
 "slap_sasl_getdn: u:id converted to %s\n",
 dn->bv_val,0,0 );
+
 } else {
 /* Dup the DN in any case, so we don't risk
diff --git a/servers/slapd/slapauth.c b/servers/slapd/slapauth.c
index 73b2ceb93d..ec19742bd6 100644
--- a/servers/slapd/slapauth.c
+++ b/servers/slapd/slapauth.c
@@ -40,7 +40,7 @@ do_check( Connection *c, Operation *op, struct berval *id )
 struct berval authcdn;
 int rc;
- rc = slap_sasl_getdn( c, op, id, NULL, &authcdn, SLAP_GETDN_AUTHCID );
+ rc = slap_sasl_getdn( c, op, id, realm, &authcdn, SLAP_GETDN_AUTHCID );
 if ( rc != LDAP_SUCCESS ) {
 fprintf( stderr, "ID: <%s> check failed %d (%s)\n", id->bv_val, rc,
@@ -91,6 +91,8 @@ slapauth( int argc, char **argv )
 op = (Operation *)opbuf;
 connection_fake_init( &conn, op, &conn );
+ conn.c_sasl_bind_mech = mech;
+
 if ( !BER_BVISNULL( &authzID ) ) {
 struct berval authzdn;
diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c
index c185c08ef0..fbae61c2ab 100644
--- a/servers/slapd/slapcommon.c
+++ b/servers/slapd/slapcommon.c
@@ -72,7 +72,7 @@ usage( int tool, const char *progname )
 break;
 case SLAPAUTH:
- options = "\t[-U authcID] [-X authzID] ID [...]\n";
+ options = "\t[-U authcID] [-X authzID] [-R realm] [-M mech] ID [...]\n";
 break;
 case SLAPACL:
@@ -138,7 +138,7 @@ slap_tool_init(
 break;
 case SLAPAUTH:
- options = "d:f:U:vX:";
+ options = "d:f:M:R:U:vX:";
 mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
 break;
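Review bot: The guard for the mechanism RDN changes from `if( mech->bv_len )` to `if ( !BER_BVISNULL( mech ) )`, which tests bv_val instead of bv_len, so a mech berval whose pointer is set but whose length is zero would now be handed to ldap_dn2bv_x as a `cn` RDN with an empty value in the DN later used for authorization matching, where the old code left the component out. Unless every caller guarantees mech is either BER_BVNULL or non-empty (the callers are outside this hunk), `if ( !BER_BVISEMPTY( mech ) )` keeps the old semantics and still covers the NULL case. The new failure path also returns rc silently, whereas the allocation failure it replaces was logged at LDAP_DEBUG_ANY; a `Debug( LDAP_DEBUG_ANY, "slap_sasl_getdn: ldap_dn2bv_x failed (%d)\n", rc, 0, 0 );` before `return rc;` would preserve that trace. slap_sasl_getdn begins before this hunk and its else branch continues past it.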
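Review bot: The usage string in usage() lists the new options as `[-R realm] [-M mech]`, while the getopt string added in the next hunk (`d:f:M:R:U:vX:`) and the slapauth.8 synopsis both order them -M then -R. `options = "\t[-U authcID] [-X authzID] [-M mech] [-R realm] ID [...]\n";` keeps the three places an operator compares in step. This is wording only; the parsing is unaffected.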
@@ -217,6 +217,10 @@ slap_tool_init(
 retrieve_ctxcsn = 1;
 break;
+ case 'M':
+ ber_str2bv( optarg, 0, 0, &mech );
+ break;
+
 case 'n': /* which config file db to index */
 dbnum = atoi( optarg ) - 1;
 break;
@@ -229,6 +233,10 @@ slap_tool_init(
 replica_demotion = 1;
 break;
+ case 'R':
+ realm = optarg;
+ break;
+
 case 's': /* dump subtree */
 subtree = strdup( optarg );
 break;
diff --git a/servers/slapd/slapcommon.h b/servers/slapd/slapcommon.h
index 9dcd3eb936..ab3d0aa0c3 100644
--- a/servers/slapd/slapcommon.h
+++ b/servers/slapd/slapcommon.h
@@ -57,6 +57,8 @@ typedef struct tool_vars {
 struct berval tv_baseDN;
 struct berval tv_authcID;
 struct berval tv_authzID;
+ struct berval tv_mech;
+ char *tv_realm;
 } tool_vars;
 extern tool_vars tool_globals;
@@ -81,6 +83,8 @@ extern tool_vars tool_globals;
 #define baseDN tool_globals.tv_baseDN
 #define authcID tool_globals.tv_authcID
 #define authzID tool_globals.tv_authzID
+#define mech tool_globals.tv_mech
+#define realm tool_globals.tv_realm
 void slap_tool_init LDAP_P(( const char* name,