author | Nathan Kinder <nkinder@redhat.com> | 2006-12-05 21:22:09 +0000 |
---|---|---|
committer | Nathan Kinder <nkinder@redhat.com> | 2006-12-05 21:22:09 +0000 |
commit | ac8acf7645f37ca9027157a3eb697c15f106f81f (patch) | |
tree | c28141b14a699dc4642d9a2f9bd7b67fb5e19656 /ldap/servers/slapd | |
parent | 0d0cc2374ec0c63864b752eae72a5bcf294aa54e (diff) | |
download | ds-ac8acf7645f37ca9027157a3eb697c15f106f81f.tar.gz ds-ac8acf7645f37ca9027157a3eb697c15f106f81f.tar.xz ds-ac8acf7645f37ca9027157a3eb697c15f106f81f.zip |
Resolves: 217796
Summary: Fix inconsistent clear password storage and ensure that SASL authentication uses passwords properly.
Diffstat (limited to 'ldap/servers/slapd')
-rw-r--r-- | ldap/servers/slapd/pw.c | 16 | ||||
-rw-r--r-- | ldap/servers/slapd/saslbind.c | 32 |
2 files changed, 39 insertions, 9 deletions
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 4e3c0d8c..a2b42c47 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -319,7 +319,7 @@ int
 pw_encodevals( Slapi_Value **vals )
 {
 int i;
- char *enc;
+ char *enc = NULL;
 slapdFrontendConfig_t * slapdFrontendConfig = getFrontendConfig();
@@ -331,11 +331,17 @@ pw_encodevals( Slapi_Value **vals )
 for ( i = 0; vals[ i ] != NULL; ++i ) {
 struct pw_scheme *pwsp;
 if ( (pwsp=pw_val2scheme( (char*)slapi_value_get_string(vals[ i ]), NULL, 0)) != NULL ) { /* JCM Innards */
- free_pw_scheme( pwsp );
- continue; /* don't touch pre-encoded values */
+ /* If the value already specifies clear storage, call the
+ * clear storage plug-in */
+ if (strcasecmp( pwsp->pws_name, "clear" ) == 0) {
+ enc = (*pwsp->pws_enc)( (char*)slapi_value_get_string(vals[ i ]) );
+ } else {
+ free_pw_scheme( pwsp );
+ continue; /* don't touch pre-encoded values */
+ }
 }
- if (( enc = (*slapdFrontendConfig->pw_storagescheme->pws_enc)( (char*)slapi_value_get_string(vals[ i ]) )) /* JCM Innards */
- == NULL ) {
+ if ((!enc) && (( enc = (*slapdFrontendConfig->pw_storagescheme->pws_enc)( (char*)slapi_value_get_string(vals[ i ]) )) /* JCM Innards */
+ == NULL )) {
 free_pw_scheme( pwsp );
 return( -1 );
 }
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 15bd506f..53375292 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -183,8 +183,8 @@ static int ids_sasl_log(
 {
 switch (level) {
 case SASL_LOG_ERR: /* log unusual errors (default) */
- slapi_log_error(SLAPI_LOG_FATAL, "sasl", "%s\n", message);
- break;
+ slapi_log_error(SLAPI_LOG_FATAL, "sasl", "%s\n", message);
+ break;
 case SASL_LOG_FAIL: /* log all authentication failures */
 case SASL_LOG_WARN: /* log non-fatal warnings */
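Review bot: `enc` is initialised to NULL only once, at its declaration in the previous hunk, yet the new `(!enc)` test inside the `for` loop needs it to be NULL at the start of every iteration; unless the rest of the loop body (outside this hunk) resets it, an `enc` produced for one value carries into the next iteration, skips the default-scheme encoding, and reuses a pointer the body may already have consumed or freed. Reset it per iteration, e.g. add `enc = NULL;` directly after `struct pw_scheme *pwsp;`. In the new "clear" branch `pwsp` stays allocated while `enc` is produced from it and is not released on that path within the hunk, so if the loop body does not free it there is a leak per value. The `free_pw_scheme( pwsp )` in the error path also runs when `pw_val2scheme` returned NULL, which is only safe if `free_pw_scheme` tolerates a NULL argument. pw_encodevals's loop body continues past the end of the hunk.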
@@ -193,7 +193,7 @@ static int ids_sasl_log(
 case SASL_LOG_TRACE: /* traces of internal protocols */
 case SASL_LOG_PASS: /* traces of internal protocols, including
 * passwords */
- LDAPDebug(LDAP_DEBUG_ANY, "sasl(%d): %s\n", level, message, 0);
+ LDAPDebug(LDAP_DEBUG_TRACE, "sasl(%d): %s\n", level, message, 0);
 break;
 case SASL_LOG_NONE: /* don't log anything */
@@ -472,7 +472,31 @@ static int ids_sasl_canon_user(
 goto fail;
 }
- clear = pw;
+ /* We need to check if the first character of pw is an opening
+ * brace since strstr will simply return it's first argument if
+ * it is an empty string. */
+ if (pw && (*pw == '{')) {
+ if (strchr( pw, '}' )) {
+ /* This password is stored in a non-cleartext format.
+ * Any SASL mechanism that actually needs the
+ * password is going to fail. We should print a warning
+ * to aid in troubleshooting. */
+ LDAPDebug(LDAP_DEBUG_TRACE, "Warning: Detected a sasl bind attempt by an "
+ "entry whose password is stored in a non-cleartext format. This "
+ "will not work for mechanisms which require a cleartext password "
+ "such as DIGEST-MD5 and CRAM-MD5.\n", 0, 0, 0);
+ } else {
+ /* This password doesn't have a storage prefix but
+ * just happens to start with the '{' character. We'll
+ * assume that it's just a cleartext password without
+ * the proper storage prefix. */
+ clear = pw;
+ }
+ } else {
+ /* This password has no storage prefix, or the password is empty */
+ clear = pw;
+ }
+
 if (clear) {
 /* older versions of sasl do not have SASL_AUX_PASSWORD_PROP, so omit it */
 #ifdef SASL_AUX_PASSWORD_PROP |
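Review bot: `case SASL_LOG_PASS` still falls through to the same `LDAPDebug` call as the other trace levels, so once trace debugging is turned on the error log receives SASL messages that, per the case's own comment, include passwords; changing the level to `LDAP_DEBUG_TRACE` only hides them by default. Trace logs are routinely collected and shared while troubleshooting, so consider grouping `case SASL_LOG_PASS:` with `case SASL_LOG_NONE: /* don't log anything */` so credential-bearing messages are never written, or at least record the exposure beside the case: `/* NOTE: includes cleartext credentials; emitted only when trace logging is enabled */`. ids_sasl_log's switch continues outside the hunk.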
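Review bot: The comment above the new `if (pw && (*pw == '{'))` block justifies the guard in terms of `strstr`, but the code calls `strchr( pw, '}' )`; the guard actually exists because `pw` may be NULL or empty, and the comment should say that (also "it's" should read "its"). The brace scan is a hand-rolled version of what pw.c does in this same commit with `pw_val2scheme` plus `strcasecmp( pwsp->pws_name, "clear" )`: a cleartext password that merely starts with `{` and contains a `}` is classified as encoded and silently never offered to SASL, whereas reusing the project's scheme lookup here — `if ((pwsp = pw_val2scheme( pw, NULL, 0 )) != NULL && strcasecmp( pwsp->pws_name, "clear" ) != 0)` — would keep both halves of the fix in agreement (assuming the helper is visible from saslbind.c and `pwsp` is released afterwards). The troubleshooting warning is emitted at `LDAP_DEBUG_TRACE`, so it is invisible unless trace logging is already on, which undercuts its stated purpose; `slapi_log_error(SLAPI_LOG_FATAL, ...)` as used in the ids_sasl_log hunk would surface it, at the cost of firing on every such bind. ids_sasl_canon_user starts and continues outside the hunk.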