authorNathan Kinder <nkinder@redhat.com>2006-12-05 21:22:09 +0000
committerNathan Kinder <nkinder@redhat.com>2006-12-05 21:22:09 +0000
commitac8acf7645f37ca9027157a3eb697c15f106f81f (patch)
treec28141b14a699dc4642d9a2f9bd7b67fb5e19656
parent0d0cc2374ec0c63864b752eae72a5bcf294aa54e (diff)
Resolves: 217796
Summary: Fix inconsistent clear password storage and ensure that SASL authentication uses passwords properly.
-rw-r--r--ldap/servers/plugins/pwdstorage/clear_pwd.c13
-rw-r--r--ldap/servers/slapd/pw.c16
-rw-r--r--ldap/servers/slapd/saslbind.c32
3 files changed, 51 insertions, 10 deletions
diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c
index a2e5920a..fd8ab46b 100644
--- a/ldap/servers/plugins/pwdstorage/clear_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c
@@ -60,5 +60,16 @@ clear_pw_cmp( char *userpwd, char *dbpwd )
char *
clear_pw_enc( char *pwd )
{
- return( slapi_ch_strdup( pwd ));
+ /* Just return NULL if pwd is NULL */
+ if (!pwd)
+ return NULL;
+
+ /* If the modify operation specified the "{clear}" storage scheme
+ * prefix, we should strip it off.
+ */
+ if ((*pwd == PWD_HASH_PREFIX_START) && (pwd == PL_strcasestr( pwd, "{clear}" ))) {
+ return( slapi_ch_strdup( pwd + 7 ));
+ } else {
+ return( slapi_ch_strdup( pwd ));
+ }
}
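Review bot: The prefix length is a bare `7` in `slapi_ch_strdup( pwd + 7 )`, tied implicitly to the literal `"{clear}"` used three lines earlier, and the prefix test itself goes through `PL_strcasestr`, which scans the whole value before the equality check decides whether the match was at offset 0. A bounded compare states the intent directly and keeps the length next to the literal: `if (PL_strncasecmp( pwd, "{clear}", sizeof("{clear}") - 1 ) == 0) { return( slapi_ch_strdup( pwd + (sizeof("{clear}") - 1) )); }`. The `*pwd == PWD_HASH_PREFIX_START` pre-check then becomes redundant and can stay or go. clear_pw_cmp, named in the hunk header, is outside the hunk, so whether it needs the same stripping for values already stored with the prefix cannot be judged from here.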
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 4e3c0d8c..a2b42c47 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -319,7 +319,7 @@ int
pw_encodevals( Slapi_Value **vals )
{
int i;
- char *enc;
+ char *enc = NULL;
slapdFrontendConfig_t * slapdFrontendConfig = getFrontendConfig();
@@ -331,11 +331,17 @@ pw_encodevals( Slapi_Value **vals )
for ( i = 0; vals[ i ] != NULL; ++i ) {
struct pw_scheme *pwsp;
if ( (pwsp=pw_val2scheme( (char*)slapi_value_get_string(vals[ i ]), NULL, 0)) != NULL ) { /* JCM Innards */
- free_pw_scheme( pwsp );
- continue; /* don't touch pre-encoded values */
+ /* If the value already specifies clear storage, call the
+ * clear storage plug-in */
+ if (strcasecmp( pwsp->pws_name, "clear" ) == 0) {
+ enc = (*pwsp->pws_enc)( (char*)slapi_value_get_string(vals[ i ]) );
+ } else {
+ free_pw_scheme( pwsp );
+ continue; /* don't touch pre-encoded values */
+ }
}
- if (( enc = (*slapdFrontendConfig->pw_storagescheme->pws_enc)( (char*)slapi_value_get_string(vals[ i ]) )) /* JCM Innards */
- == NULL ) {
+ if ((!enc) && (( enc = (*slapdFrontendConfig->pw_storagescheme->pws_enc)( (char*)slapi_value_get_string(vals[ i ]) )) /* JCM Innards */
+ == NULL )) {
free_pw_scheme( pwsp );
return( -1 );
}
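Review bot: The guard `if ((!enc) && (( enc = ...` on the last lines of this hunk only works if `enc` is NULL at the start of every iteration, but `enc` is declared once outside the loop (initialised to NULL in the `@@ -319` hunk) and nothing in this hunk resets it; unless the loop tail after the hunk does so, the second and later values would skip the frontend scheme and be handed the buffer from the previous iteration. The loop tail is outside the hunk, so this is inferred rather than seen. The simplest fix that does not depend on the tail is to declare the variable per iteration, `char *enc = NULL;` as the first line of the `for` body, and drop the function-scope declaration. Separately, on the clear plug-in path the `pwsp` obtained from pw_val2scheme is only released in the failure branch shown here; the success path must release it too, which the hunk does not show.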
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 15bd506f..53375292 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -183,8 +183,8 @@ static int ids_sasl_log(
{
switch (level) {
case SASL_LOG_ERR: /* log unusual errors (default) */
- slapi_log_error(SLAPI_LOG_FATAL, "sasl", "%s\n", message);
- break;
+ slapi_log_error(SLAPI_LOG_FATAL, "sasl", "%s\n", message);
+ break;
case SASL_LOG_FAIL: /* log all authentication failures */
case SASL_LOG_WARN: /* log non-fatal warnings */
@@ -193,7 +193,7 @@ static int ids_sasl_log(
case SASL_LOG_TRACE: /* traces of internal protocols */
case SASL_LOG_PASS: /* traces of internal protocols, including
* passwords */
- LDAPDebug(LDAP_DEBUG_ANY, "sasl(%d): %s\n", level, message, 0);
+ LDAPDebug(LDAP_DEBUG_TRACE, "sasl(%d): %s\n", level, message, 0);
break;
case SASL_LOG_NONE: /* don't log anything */
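Review bot: SASL_LOG_PASS is grouped with the trace cases and, per the comment beside it, includes passwords; the new line still writes those messages to the log, only at LDAP_DEBUG_TRACE instead of LDAP_DEBUG_ANY. That narrows exposure, but trace-level debugging is exactly what gets enabled while troubleshooting failing SASL binds, at which point cleartext credentials land in the error log. Give that level its own case so it is dropped regardless of debug flags, e.g. `case SASL_LOG_PASS: /* never logged: message contains passwords */ break;` ahead of the SASL_LOG_TRACE group, leaving the trace line for the remaining levels. The switch and ids_sasl_log begin outside the hunk.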
@@ -472,7 +472,31 @@ static int ids_sasl_canon_user(
goto fail;
}
- clear = pw;
+ /* We need to check if the first character of pw is an opening
+ * brace since strstr will simply return it's first argument if
+ * it is an empty string. */
+ if (pw && (*pw == '{')) {
+ if (strchr( pw, '}' )) {
+ /* This password is stored in a non-cleartext format.
+ * Any SASL mechanism that actually needs the
+ * password is going to fail. We should print a warning
+ * to aid in troubleshooting. */
+ LDAPDebug(LDAP_DEBUG_TRACE, "Warning: Detected a sasl bind attempt by an "
+ "entry whose password is stored in a non-cleartext format. This "
+ "will not work for mechanisms which require a cleartext password "
+ "such as DIGEST-MD5 and CRAM-MD5.\n", 0, 0, 0);
+ } else {
+ /* This password doesn't have a storage prefix but
+ * just happens to start with the '{' character. We'll
+ * assume that it's just a cleartext password without
+ * the proper storage prefix. */
+ clear = pw;
+ }
+ } else {
+ /* This password has no storage prefix, or the password is empty */
+ clear = pw;
+ }
+
if (clear) {
/* older versions of sasl do not have SASL_AUX_PASSWORD_PROP, so omit it */
#ifdef SASL_AUX_PASSWORD_PROP
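Review bot: The non-cleartext test `if (strchr( pw, '}' ))` treats every stored value that starts with '{' and contains '}' as hashed, which includes legacy values written with an explicit `{clear}` prefix; the clear_pwd.c change in this same commit strips that prefix on write, but entries stored before it may still carry it, and those users would get the warning and no password instead of a working bind. Handling the prefix explicitly before the generic brace test keeps this path consistent with clear_pw_enc (pw.c in this commit already relies on `strcasecmp`, so the bounded variant is a reasonable choice here, subject to what saslbind.c includes). The warning is also emitted at LDAP_DEBUG_TRACE, so it is invisible unless trace debugging is on, which works against its stated troubleshooting purpose; LDAP_DEBUG_ANY matches what the message is for. `clear` is assigned before the hunk, so its initial value is assumed to be NULL here.
```c
    if (pw && (*pw == '{')) {
        if (strncasecmp( pw, "{clear}", 7 ) == 0) {
            /* Legacy value written with an explicit "{clear}" prefix
             * (see clear_pw_enc): the cleartext password follows it. */
            clear = pw + 7;
        } else if (strchr( pw, '}' )) {
            /* … unchanged: non-cleartext warning, logged at LDAP_DEBUG_ANY … */
        } else {
            /* … unchanged: bare '{' treated as cleartext … */
        }
    } else {
        /* … unchanged: no prefix or empty password … */
    }
```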