authorNathan Kinder <nkinder@redhat.com>2010-02-17 10:56:40 -0800
committerNathan Kinder <nkinder@redhat.com>2010-02-17 10:56:40 -0800
commit363be335610467952a572ca0898a7b9f77db7a01 (patch)
treec126237fed172c2880b0544f88e9f8029488c29e
parenta7d0c3dd59a1f04eb3987b521d67a0a36c719896 (diff)
Bug 434735 - Allow SASL ANONYMOUS mech to work
The SASL ANONYMOUS mechanism was broken because the SASL mapping code was invoked to map "anonymous" to a real user entry. This adds a special case to the canonify user callback that sets the bind DN to "" if the ANONYMOUS mechanism is being used. I also added a check for whether anonymous access is disabled when we set up the SASL secprops for a connection. If anonymous access is disabled, we set a SASL security flag to disallow mechanisms that would permit anonymous access.
-rw-r--r--ldap/servers/slapd/saslbind.c27
1 files changed, 26 insertions, 1 deletions
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 0892c670..42d289a8 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -397,6 +397,7 @@ static int ids_sasl_canon_user(
Slapi_DN *sdn = NULL;
char *pw = NULL;
char *user = NULL;
+ char *mech = NULL;
const char *dn;
int isroot = 0;
char *clear = NULL;
@@ -410,6 +411,13 @@ static int ids_sasl_canon_user(
"ids_sasl_canon_user(user=%s, realm=%s)\n",
user, user_realm ? user_realm : "", 0);
+ sasl_getprop(conn, SASL_MECHNAME, (const void**)&mech);
+ if (mech == NULL) {
+ LDAPDebug0Args(LDAP_DEBUG_TRACE, "Unable to read SASL mechanism while "
+ "canonifying user.\n")
+ goto fail;
+ }
+
if (strncasecmp(user, "dn:", 3) == 0) {
sdn = slapi_sdn_new();
slapi_sdn_set_dn_byval(sdn, user+3);
@@ -420,6 +428,10 @@ static int ids_sasl_canon_user(
/* special case directory manager */
dn = slapi_sdn_get_ndn(sdn);
pw = config_get_rootpw();
+ } else if (strcasecmp(mech, "ANONYMOUS") == 0) {
+ /* SASL doesn't allow us to set the username to an empty string,
+ * so we just set it to anonymous. */
+ dn = "anonymous";
} else {
/* map the sasl username into an entry */
entry = ids_sasl_user_to_entry(conn, context, user, user_realm);
@@ -433,7 +445,14 @@ static int ids_sasl_canon_user(
pw = slapi_entry_attr_get_charptr(entry, "userpassword");
}
- if (prop_set(propctx, "dn", dn, -1) != 0) {
+ /* Need to set dn property to an empty string for the ANONYMOUS mechanism. This
+ * property determines what the bind identity will be if authentication succeeds. */
+ if (strcasecmp(mech, "ANONYMOUS") == 0) {
+ if (prop_set(propctx, "dn", "", -1) != 0) {
+ LDAPDebug(LDAP_DEBUG_TRACE, "prop_set(dn) failed\n", 0, 0, 0);
+ goto fail;
+ }
+ } else if (prop_set(propctx, "dn", dn, -1) != 0) {
LDAPDebug(LDAP_DEBUG_TRACE, "prop_set(dn) failed\n", 0, 0, 0);
goto fail;
}
@@ -643,7 +662,13 @@ void ids_sasl_server_new(Connection *conn)
secprops.maxbufsize = 2048; /* DBDB: hack */
secprops.max_ssf = 0xffffffff;
secprops.min_ssf = config_get_minssf();
+ /* If anonymous access is disabled, set the appropriate flag */
+ if (!config_get_anon_access_switch()) {
+ secprops.security_flags = SASL_SEC_NOANONYMOUS;
+ }
+
rc = sasl_setprop(sasl_conn, SASL_SEC_PROPS, &secprops);
+
if (rc != SASL_OK) {
LDAPDebug(LDAP_DEBUG_ANY, "sasl_setprop: %s\n",
sasl_errstring(rc, NULL, NULL), 0, 0);
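Review bot: The assignment `secprops.security_flags = SASL_SEC_NOANONYMOUS;` in ids_sasl_server_new overwrites the whole flags word instead of adding one bit to it; if any other SASL_SEC_* flag has been set on secprops earlier in the function (its start is outside this hunk), disabling anonymous access would silently drop that restriction, which is the opposite of what the check intends. Using `secprops.security_flags |= SASL_SEC_NOANONYMOUS;` keeps the new restriction composable with whatever is already there, and is the same single line either way. The comment above it could also say why this is done here as well as in ids_sasl_canon_user, e.g. `/* Anonymous access is off: tell SASL not to offer or accept mechanisms it flags as anonymous, so such binds are refused before reaching the canon-user callback. */`. The same anonymous-access decision is taken once per connection at this point, so a later change to the switch only affects connections created afterwards; that is worth a sentence in the comment if it is intended.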