authorRich Megginson <rmeggins@redhat.com>2008-12-17 20:47:36 +0000
committerRich Megginson <rmeggins@redhat.com>2008-12-17 20:47:36 +0000
commitff132b866b1637e53737d3bac8ae98a77425e847 (patch)
tree898c15b670298473d671ad64610f54ba80b5d267 /ldap/servers/slapd/util.c
parent211962858aef9dfc1ae8b5fa16919a94310b3d47 (diff)
Resolves: bug 476891
Bug Description: Replication: Server to Server Connection Error: SASL(-1): generic failure: All-whitespace username. Reviewed by: nkinder (Thanks!) Fix Description: 1) SASL/DIGEST-MD5 needs both username and authid 2) The username and authid in this context are always a bind DN - they must have the "dn:" prefix in order for the SASL mapping to work 3) gssapi (kerberos) sets both username and authid to NULL Platforms tested: RHEL5 Flag Day: no Doc impact: no
Diffstat (limited to 'ldap/servers/slapd/util.c')
-rw-r--r--ldap/servers/slapd/util.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index 64877506..2b6ac7d6 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -1247,6 +1247,7 @@ ldap_sasl_set_interact_vals(LDAP *ld, const char *mech, const char *authid,
const char *realm)
{
ldapSaslInteractVals *vals = NULL;
+ char *idprefix = "";
vals = (ldapSaslInteractVals *)
slapi_ch_calloc(1, sizeof(ldapSaslInteractVals));
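Review bot: `idprefix` only ever points at string literals (`""` here and `"dn:"` in the next hunk), so it should be declared `const char *idprefix = "";` so that an accidental write through it fails to compile. The body of ldap_sasl_set_interact_vals continues outside this hunk.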
@@ -1261,8 +1262,12 @@ ldap_sasl_set_interact_vals(LDAP *ld, const char *mech, const char *authid,
ldap_get_option(ld, LDAP_OPT_X_SASL_MECH, &vals->mech);
}
+ if (vals->mech && !strcasecmp(vals->mech, "DIGEST-MD5")) {
+ idprefix = "dn:"; /* prefix name and id with this string */
+ }
+
if (authid) { /* use explicit passed in value */
- vals->authid = slapi_ch_strdup(authid);
+ vals->authid = slapi_ch_smprintf("%s%s", idprefix, authid);
} else { /* use option value if any */
ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHCID, &vals->authid);
if (!vals->authid) {
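Review bot: The `dn:` prefix is prepended unconditionally to an explicit `authid` (and to `username` in the following hunk), so a caller that already passes an identity in `dn:...` or `u:...` form would end up with `dn:dn:...`, which the server-side SASL mapping will presumably not match. Whether any caller does so is not visible here; a guard such as `if (strncasecmp(authid, "dn:", 3) != 0)` before choosing the prefix, or a comment stating that callers must pass a bare DN, would make the contract explicit. The prefix is also applied only to explicitly passed values: identities read from `LDAP_OPT_X_SASL_AUTHCID` and `LDAP_OPT_X_SASL_AUTHZID` in the else branches are used as-is, which deserves a comment if it is intended. The function begins and ends outside the hunk.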
@@ -1272,7 +1277,7 @@ ldap_sasl_set_interact_vals(LDAP *ld, const char *mech, const char *authid,
}
if (username) { /* use explicit passed in value */
- vals->username = slapi_ch_strdup(username);
+ vals->username = slapi_ch_smprintf("%s%s", idprefix, username);
} else { /* use option value if any */
ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHZID, &vals->username);
if (!vals->username) { /* use default sasl value */
@@ -1413,7 +1418,7 @@ slapd_ldap_sasl_interactive_bind(
int tries = 0;
while (tries < 2) {
- void *defaults = ldap_sasl_set_interact_vals(ld, mech, NULL, bindid,
+ void *defaults = ldap_sasl_set_interact_vals(ld, mech, bindid, bindid,
creds, NULL);
/* have to first set the defaults used by the callback function */
/* call the bind function */
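Review bot: `bindid` is now passed as `authid` for every mechanism, not only DIGEST-MD5, so the GSSAPI path depends on set_krb5_creds clearing it afterwards. In the last hunk both `slapi_ch_free_string` calls sit above the `cleanup:` label, so any earlier `goto cleanup` (those jumps are outside the visible lines) would appear to leave `vals->authid` and `vals->username` set to the bind DN for a Kerberos bind. Consider passing `bindid` as authid only when the mechanism needs it, or clearing both fields on the cleanup path as well; at minimum add a comment such as `/* authid == username == bind DN; set_krb5_creds resets both for GSSAPI */`. The loop body continues outside the hunk.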
@@ -1941,8 +1946,9 @@ set_krb5_creds(
cc_env_name);
}
- /* use NULL as username */
+ /* use NULL as username and authid */
slapi_ch_free_string(&vals->username);
+ slapi_ch_free_string(&vals->authid);
cleanup:
krb5_free_unparsed_name(ctx, princ_name);