From 363be335610467952a572ca0898a7b9f77db7a01 Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@redhat.com>
Date: Wed, 17 Feb 2010 10:56:40 -0800
Subject: Bug 434735 - Allow SASL ANONYMOUS mech to work

The SASL ANONYMOUS mechanism was broken since the SASL mapping code
was invoked to map anonymous to a real user entry.  This adds a
special case to the canonify user callback that sets the bind DN
to "" if the ANONYMOUS mechanism is being used.

I also added a check to see if anonymous access is disabled when
we set up the SASL secprops for a connection.  If anonymous access
is disabled, we set a SASL security flag to disallow mechanisms
that would allow anonymous access.
---
 ldap/servers/slapd/saslbind.c | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 0892c670..42d289a8 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -397,6 +397,7 @@ static int ids_sasl_canon_user(
     Slapi_DN *sdn = NULL;
     char *pw = NULL;
     char *user = NULL;
+    char *mech = NULL;
     const char *dn;
     int isroot = 0;
     char *clear = NULL;
@@ -410,6 +411,13 @@ static int ids_sasl_canon_user(
               "ids_sasl_canon_user(user=%s, realm=%s)\n", 
               user, user_realm ? user_realm : "", 0);
 
+    sasl_getprop(conn, SASL_MECHNAME, (const void**)&mech);
+    if (mech == NULL) {
+        LDAPDebug0Args(LDAP_DEBUG_TRACE, "Unable to read SASL mechanism while "
+              "canonifying user.\n")
+        goto fail;
+    }
+
     if (strncasecmp(user, "dn:", 3) == 0) {
         sdn = slapi_sdn_new();
         slapi_sdn_set_dn_byval(sdn, user+3);
@@ -420,6 +428,10 @@ static int ids_sasl_canon_user(
         /* special case directory manager */
         dn = slapi_sdn_get_ndn(sdn);
         pw = config_get_rootpw();
+    } else if (strcasecmp(mech, "ANONYMOUS") == 0) {
+        /* SASL doesn't allow us to set the username to an empty string,
+	 * so we just set it to anonymous. */
+        dn = "anonymous";
     } else {
         /* map the sasl username into an entry */
         entry = ids_sasl_user_to_entry(conn, context, user, user_realm);
@@ -433,7 +445,14 @@ static int ids_sasl_canon_user(
         pw = slapi_entry_attr_get_charptr(entry, "userpassword");
     }
 
-    if (prop_set(propctx, "dn", dn, -1) != 0) {
+    /* Need to set dn property to an empty string for the ANONYMOUS mechanism.  This
+     * property determines what the bind identity will be if authentication succeeds. */
+    if (strcasecmp(mech, "ANONYMOUS") == 0) {
+        if (prop_set(propctx, "dn", "", -1) != 0) {
+            LDAPDebug(LDAP_DEBUG_TRACE, "prop_set(dn) failed\n", 0, 0, 0);
+            goto fail;
+        }
+    } else if (prop_set(propctx, "dn", dn, -1) != 0) {
         LDAPDebug(LDAP_DEBUG_TRACE, "prop_set(dn) failed\n", 0, 0, 0);
         goto fail;
     }
@@ -643,7 +662,13 @@ void ids_sasl_server_new(Connection *conn)
     secprops.maxbufsize = 2048; /* DBDB: hack */
     secprops.max_ssf = 0xffffffff;
     secprops.min_ssf = config_get_minssf();
+    /* If anonymous access is disabled, set the appropriate flag */
+    if (!config_get_anon_access_switch()) {
+        secprops.security_flags = SASL_SEC_NOANONYMOUS;
+    }
+
     rc = sasl_setprop(sasl_conn, SASL_SEC_PROPS, &secprops);
+
     if (rc != SASL_OK) {
         LDAPDebug(LDAP_DEBUG_ANY, "sasl_setprop: %s\n",
                   sasl_errstring(rc, NULL, NULL), 0, 0);
-- 
cgit