diff options
author | Nathan Kinder <nkinder@redhat.com> | 2010-02-17 10:56:40 -0800 |
---|---|---|
committer | Nathan Kinder <nkinder@redhat.com> | 2010-02-17 10:56:40 -0800 |
commit | 363be335610467952a572ca0898a7b9f77db7a01 (patch) | |
tree | c126237fed172c2880b0544f88e9f8029488c29e | |
parent | a7d0c3dd59a1f04eb3987b521d67a0a36c719896 (diff) | |
download | ds-363be335610467952a572ca0898a7b9f77db7a01.tar.gz ds-363be335610467952a572ca0898a7b9f77db7a01.tar.xz ds-363be335610467952a572ca0898a7b9f77db7a01.zip |
Bug 434735 - Allow SASL ANONYMOUS mech to work
The SASL ANONYMOUS mechanism was broken since the SASL mapping code
was invoked to map anonymous to a real user entry. This adds a
special case to the canonify user callback that sets the bind DN
to "" if the ANONYMOUS mechanism is being used.
I also added a check to see if anonymous access is disabled when
we set up the SASL secprops for a connection. If anonymous access
is disabled, we set a SASL security flag to disallow mechanisms
that would allow anonymous access.
-rw-r--r-- | ldap/servers/slapd/saslbind.c | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c index 0892c670..42d289a8 100644 --- a/ldap/servers/slapd/saslbind.c +++ b/ldap/servers/slapd/saslbind.c @@ -397,6 +397,7 @@ static int ids_sasl_canon_user( Slapi_DN *sdn = NULL; char *pw = NULL; char *user = NULL; + char *mech = NULL; const char *dn; int isroot = 0; char *clear = NULL; @@ -410,6 +411,13 @@ static int ids_sasl_canon_user( "ids_sasl_canon_user(user=%s, realm=%s)\n", user, user_realm ? user_realm : "", 0); + sasl_getprop(conn, SASL_MECHNAME, (const void**)&mech); + if (mech == NULL) { + LDAPDebug0Args(LDAP_DEBUG_TRACE, "Unable to read SASL mechanism while " + "canonifying user.\n") + goto fail; + } + if (strncasecmp(user, "dn:", 3) == 0) { sdn = slapi_sdn_new(); slapi_sdn_set_dn_byval(sdn, user+3); @@ -420,6 +428,10 @@ static int ids_sasl_canon_user( /* special case directory manager */ dn = slapi_sdn_get_ndn(sdn); pw = config_get_rootpw(); + } else if (strcasecmp(mech, "ANONYMOUS") == 0) { + /* SASL doesn't allow us to set the username to an empty string, + * so we just set it to anonymous. */ + dn = "anonymous"; } else { /* map the sasl username into an entry */ entry = ids_sasl_user_to_entry(conn, context, user, user_realm); @@ -433,7 +445,14 @@ static int ids_sasl_canon_user( pw = slapi_entry_attr_get_charptr(entry, "userpassword"); } - if (prop_set(propctx, "dn", dn, -1) != 0) { + /* Need to set dn property to an empty string for the ANONYMOUS mechanism. This + * property determines what the bind identity will be if authentication succeeds. */ + if (strcasecmp(mech, "ANONYMOUS") == 0) { + if (prop_set(propctx, "dn", "", -1) != 0) { + LDAPDebug(LDAP_DEBUG_TRACE, "prop_set(dn) failed\n", 0, 0, 0); + goto fail; + } + } else if (prop_set(propctx, "dn", dn, -1) != 0) { LDAPDebug(LDAP_DEBUG_TRACE, "prop_set(dn) failed\n", 0, 0, 0); goto fail; } @@ -643,7 +662,13 @@ void ids_sasl_server_new(Connection *conn) secprops.maxbufsize = 2048; /* DBDB: hack */ secprops.max_ssf = 0xffffffff; secprops.min_ssf = config_get_minssf(); + /* If anonymous access is disabled, set the appropriate flag */ + if (!config_get_anon_access_switch()) { + secprops.security_flags = SASL_SEC_NOANONYMOUS; + } + rc = sasl_setprop(sasl_conn, SASL_SEC_PROPS, &secprops); + if (rc != SASL_OK) { LDAPDebug(LDAP_DEBUG_ANY, "sasl_setprop: %s\n", sasl_errstring(rc, NULL, NULL), 0, 0); |