openldap/servers/slapd/sasl.c
Kurt Zeilenga d0555fffe6 Error handling changes including separation of client v. server
SASL to LDAP translation.  plus comments and other minor changes
2000-05-03 18:59:58 +00:00

310 lines
6.9 KiB
C

/* $OpenLDAP$ */
/*
* Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
* COPYING RESTRICTIONS APPLY, see COPYRIGHT file
*/
#include "portable.h"
#include <ac/stdlib.h>
#include <stdio.h>
#include "slap.h"
#include "proto-slap.h"
#include <lber.h>
#include <ldap_log.h>
char **supportedSASLMechanisms = NULL;
char *sasl_host = NULL;
#ifdef HAVE_CYRUS_SASL
static void *slap_sasl_mutex_new(void)
{
ldap_pvt_thread_mutex_t *mutex;
mutex = (ldap_pvt_thread_mutex_t *) ch_malloc( sizeof(ldap_pvt_thread_mutex_t) );
if ( ldap_pvt_thread_mutex_init( mutex ) == 0 ) {
return mutex;
}
return NULL;
}
static int slap_sasl_mutex_lock(void *mutex)
{
return ldap_pvt_thread_mutex_lock( (ldap_pvt_thread_mutex_t *)mutex );
}
static int slap_sasl_mutex_unlock(void *mutex)
{
return ldap_pvt_thread_mutex_unlock( (ldap_pvt_thread_mutex_t *)mutex );
}
static void slap_sasl_mutex_dispose(void *mutex)
{
(void) ldap_pvt_thread_mutex_destroy( (ldap_pvt_thread_mutex_t *)mutex );
free( mutex );
}
static int
slap_sasl_err2ldap( int saslerr )
{
int rc;
switch (saslerr) {
case SASL_CONTINUE:
rc = LDAP_SASL_BIND_IN_PROGRESS;
break;
case SASL_OK:
rc = LDAP_SUCCESS;
break;
case SASL_FAIL:
rc = LDAP_OTHER;
break;
case SASL_NOMEM:
rc = LDAP_OTHER;
break;
case SASL_NOMECH:
rc = LDAP_AUTH_METHOD_NOT_SUPPORTED;
break;
case SASL_BADAUTH:
rc = LDAP_INVALID_CREDENTIALS;
break;
case SASL_NOAUTHZ:
rc = LDAP_INSUFFICIENT_ACCESS;
break;
case SASL_TOOWEAK:
case SASL_ENCRYPT:
rc = LDAP_INAPPROPRIATE_AUTH;
break;
default:
rc = LDAP_OTHER;
break;
}
return rc;
}
int sasl_init( void )
{
int rc;
char *mechs;
sasl_conn_t *server = NULL;
sasl_set_alloc( ch_malloc, ch_calloc, ch_realloc, ch_free );
sasl_set_mutex(
slap_sasl_mutex_new,
slap_sasl_mutex_lock,
slap_sasl_mutex_unlock,
slap_sasl_mutex_dispose );
rc = sasl_server_init( NULL, "slapd" );
if( rc != SASL_OK ) {
Debug( LDAP_DEBUG_ANY, "sasl_server_init failed\n",
0, 0, 0 );
return -1;
}
if( sasl_host == NULL ) {
char hostname[MAXHOSTNAMELEN+1];
if( gethostname( hostname, MAXHOSTNAMELEN ) == 0 ) {
hostname[MAXHOSTNAMELEN] = '\0';
sasl_host = hostname;
}
}
rc = sasl_server_new( "ldap", sasl_host, NULL, NULL,
SASL_SECURITY_LAYER,
&server );
if( rc != SASL_OK ) {
Debug( LDAP_DEBUG_ANY, "sasl_server_new failed\n",
0, 0, 0 );
return -1;
}
#ifdef RESTRICT_SASL
{
sasl_security_properties_t secprops;
memset(&secprops, 0, sizeof(secprops));
secprops.security_flags = SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS;
secprops.property_names = NULL;
secprops.property_values = NULL;
rc = sasl_setprop( server, SASL_SEC_PROPS, &secprops );
if( rc != SASL_OK ) {
Debug( LDAP_DEBUG_ANY, "sasl_setprop failed\n",
0, 0, 0 );
return -1;
}
}
#endif
rc = sasl_listmech( server, NULL, NULL, ",", NULL,
&mechs, NULL, NULL);
if( rc != SASL_OK ) {
Debug( LDAP_DEBUG_ANY, "sasl_listmech failed: %d\n",
rc, 0, 0 );
return -1;
}
Debug( LDAP_DEBUG_TRACE, "SASL mechanisms: %s\n",
mechs, 0, 0 );
supportedSASLMechanisms = str2charray( mechs, "," );
sasl_dispose( &server );
return 0;
}
int sasl_destroy( void )
{
charray_free( supportedSASLMechanisms );
return 0;
}
#ifdef HAVE_CYRUS_SASL
int sasl_bind(
Connection *conn,
Operation *op,
char *dn,
char *ndn,
char *mech,
struct berval *cred,
char **edn )
{
struct berval response;
const char *errstr;
int sc;
int rc = 1;
Debug(LDAP_DEBUG_ARGS, "==> sasl_bind: dn=%s, mech=%s, cred->bv_len=%d\n",
dn, mech, cred ? cred->bv_len : 0 );
if ( conn->c_sasl_bind_context == NULL ) {
sasl_callback_t callbacks[4];
int cbnum = 0;
#if 0
if (be->be_sasl_authorize) {
callbacks[cbnum].id = SASL_CB_PROXY_POLICY;
callbacks[cbnum].proc = be->be_sasl_authorize;
callbacks[cbnum].context = be;
++cbnum;
}
if (be->be_sasl_getsecret) {
callbacks[cbnum].id = SASL_CB_SERVER_GETSECRET;
callbacks[cbnum].proc = be->be_sasl_getsecret;
callbacks[cbnum].context = be;
++cbnum;
}
if (be->be_sasl_putsecret) {
callbacks[cbnum].id = SASL_CB_SERVER_PUTSECRET;
callbacks[cbnum].proc = be->be_sasl_putsecret;
callbacks[cbnum].context = be;
++cbnum;
}
#endif
callbacks[cbnum].id = SASL_CB_LIST_END;
callbacks[cbnum].proc = NULL;
callbacks[cbnum].context = NULL;
/* create new SASL context */
sc = sasl_server_new( "ldap", sasl_host, global_realm,
callbacks, SASL_SECURITY_LAYER, &conn->c_sasl_bind_context );
if( sc != SASL_OK ) {
send_ldap_result( conn, op, rc = LDAP_AUTH_METHOD_NOT_SUPPORTED,
NULL, NULL, NULL, NULL );
} else {
conn->c_authmech = ch_strdup( mech );
sc = sasl_server_start( conn->c_sasl_bind_context, conn->c_authmech,
cred->bv_val, cred->bv_len, (char **)&response.bv_val,
(unsigned *)&response.bv_len, &errstr );
if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) {
send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
NULL, errstr, NULL, NULL );
}
}
} else {
sc = sasl_server_step( conn->c_sasl_bind_context, cred->bv_val, cred->bv_len,
(char **)&response.bv_val, (unsigned *)&response.bv_len, &errstr );
if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) {
send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
NULL, errstr, NULL, NULL );
}
}
if ( sc == SASL_OK ) {
char *authzid;
if ( ( sc = sasl_getprop( conn->c_sasl_bind_context, SASL_USERNAME,
(void **)&authzid ) ) != SASL_OK ) {
send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
NULL, NULL, NULL, NULL );
} else {
Debug(LDAP_DEBUG_TRACE, "<== sasl_bind: username=%s\n",
authzid, 0, 0);
if( strncasecmp( authzid, "anonymous", sizeof("anonyous")-1 ) &&
( ( authzid[sizeof("anonymous")] == '\0' ) ||
( authzid[sizeof("anonymous")] == '@' ) ) )
{
*edn = ch_malloc( sizeof( "authzid=" ) + strlen( authzid ) );
strcpy( *edn, "authzid=" );
strcat( *edn, authzid );
}
send_ldap_result( conn, op, rc = LDAP_SUCCESS,
NULL, NULL, NULL, NULL );
}
} else if ( sc == SASL_CONTINUE ) {
send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS,
NULL, NULL, NULL, NULL, &response );
}
if ( sc != SASL_CONTINUE && conn->c_sasl_bind_context != NULL ) {
sasl_dispose( &conn->c_sasl_bind_context );
conn->c_sasl_bind_context = NULL;
}
Debug(LDAP_DEBUG_TRACE, "<== sasl_bind: rc=%d\n", rc, 0, 0);
return rc;
}
#endif /* HAVE_CYRUS_SASL */
#else
/* no SASL support */
int sasl_bind(
Connection *conn,
Operation *op,
char *dn,
char *ndn,
char *mech,
struct berval *cred,
char **edn )
{
int rc;
send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
NULL, "SASL unavailable", NULL, NULL );
return rc;
}
int sasl_init( void ) { return 0; }
int sasl_destroy( void ) { return 0; }
#endif