authorNathan Kinder <nkinder@redhat.com>2006-03-14 19:18:03 +0000
committerNathan Kinder <nkinder@redhat.com>2006-03-14 19:18:03 +0000
commitcd994fd6ad2eaf25e6cf4f8654e9c245f76404a3 (patch)
treeb737a51d4e6a852dffbe997d1b235eed378bd85f
parent30f0cf2a817f9ae95d056b6217689a1a1f4987de (diff)
184585 - SASL context needs to be disposed of and a new one created when re-binding
-rw-r--r--ldap/servers/slapd/saslbind.c32
-rw-r--r--ldap/servers/slapd/slap.h3
2 files changed, 35 insertions, 0 deletions
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 640ccbfb..5f899685 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -881,6 +881,36 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
sasl_start:
+ /* Check if we are already authenticated via sasl. If so,
+ * dispose of the current sasl_conn and create a new one
+ * using the new mechanism. We also need to do this if the
+ * mechanism changed in the middle of the SASL authentication
+ * process. */
+ if ((pb->pb_conn->c_flags & CONN_FLAG_SASL_COMPLETE) || continuing) {
+ /* Lock the connection mutex */
+ PR_Lock(pb->pb_conn->c_mutex);
+
+ /* reset flag */
+ pb->pb_conn->c_flags &= ~CONN_FLAG_SASL_COMPLETE;
+
+ /* remove any SASL I/O from the connection */
+ sasl_io_cleanup(pb->pb_conn);
+
+ /* dispose of sasl_conn and create a new sasl_conn */
+ sasl_dispose(&sasl_conn);
+ ids_sasl_server_new(pb->pb_conn);
+ sasl_conn = (sasl_conn_t*)pb->pb_conn->c_sasl_conn;
+
+ /* Unlock the connection mutex */
+ PR_Unlock(pb->pb_conn->c_mutex);
+
+ if (sasl_conn == NULL) {
+ send_ldap_result( pb, LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL,
+ "sasl library unavailable", 0, NULL );
+ return;
+ }
+ }
+
rc = sasl_server_start(sasl_conn, mech,
cred->bv_val, cred->bv_len,
&sdata, &slen);
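Review bot: After the `sasl_dispose(&sasl_conn);` line the connection's own `c_sasl_conn` field still points at the freed context until `ids_sasl_server_new()` overwrites it, so if that call can fail without assigning the field, the reload `sasl_conn = (sasl_conn_t*)pb->pb_conn->c_sasl_conn;` picks up a dangling pointer and the following NULL check never fires; clearing the field first, `pb->pb_conn->c_sasl_conn = NULL;` immediately after the dispose, makes the failure path land in the existing NULL check instead. Whether ids_sasl_server_new() assigns c_sasl_conn on its failure path is not visible in this hunk, so that part is inferred. The flag is cleared under c_mutex here, but the test of `c_flags` at the top of this block and the matching set in the second hunk, `pb->pb_conn->c_flags |= CONN_FLAG_SASL_COMPLETE;`, run without the mutex; if c_flags is guarded by c_mutex elsewhere in this file, the set should be bracketed by `PR_Lock(pb->pb_conn->c_mutex);` and `PR_Unlock(pb->pb_conn->c_mutex);` as well. ids_sasl_check_bind starts and ends outside the hunk, and `continuing` is declared outside it.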
@@ -889,6 +919,8 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
switch (rc) {
case SASL_OK: /* complete */
+ /* Set a flag to signify that sasl bind is complete */
+ pb->pb_conn->c_flags |= CONN_FLAG_SASL_COMPLETE;
/* retrieve the authenticated username */
if (sasl_getprop(sasl_conn, SASL_USERNAME,
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 1e957f4c..2fc89acb 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1271,6 +1271,9 @@ typedef struct conn {
* Start TLS request operation.
*/
+#define CONN_FLAG_SASL_COMPLETE 32 /* Flag set when a sasl bind has been
+ * successfully completed.
+ */
#define START_TLS_OID "1.3.6.1.4.1.1466.20037"