[389-commits] .gitignore ldap/servers

Richard Allen Megginson rmeggins at fedoraproject.org
Fri Mar 5 20:13:15 UTC 2010


 .gitignore                      |    1 +
 ldap/servers/slapd/bind.c       |   14 +++++++++++++-
 ldap/servers/slapd/libglobs.c   |   35 ++++++++++++++++++++++++++++++++++-
 ldap/servers/slapd/proto-slap.h |    2 ++
 ldap/servers/slapd/slap.h       |    2 ++
 5 files changed, 52 insertions(+), 2 deletions(-)

New commits:
commit f4b90ed5e43fa06ea6185cf17073b7a32db6ef4c
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Fri Mar 5 12:13:08 2010 -0700

    Bug 554573 - ACIs use bind DN from bind req rather than cert mapped DN from sasl/external
    
    https://bugzilla.redhat.com/show_bug.cgi?id=554573
    Resolves: bug 554573
    Bug Description: ACIs use bind DN from bind req rather than cert mapped DN from sasl/external
    Reviewed by: nhosoi (Thanks!)
    Branch: HEAD
    Fix Description: Added a new config option, nsslapd-force-sasl-external (on/off);
    the default is off. When set to on, a SIMPLE bind on a connection whose DN has
    already been set from a client certificate is treated as a SASL/EXTERNAL bind.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: yes - new attribute to document

diff --git a/.gitignore b/.gitignore
index 4e68831..c1ba6bd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 autom4te.cache
 *~
+*.patch
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 3458ff6..d3e9009 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -305,7 +305,8 @@ do_bind( Slapi_PBlock *pb )
     switch ( version ) {
     case LDAP_VERSION2:
         if (method == LDAP_AUTH_SIMPLE
-            && (dn == NULL || *dn == '\0') && cred.bv_len == 0
+            && (config_get_force_sasl_external() ||
+                ((dn == NULL || *dn == '\0') && cred.bv_len == 0))
             && pb->pb_conn->c_external_dn != NULL) {
             /* Treat this like a SASL EXTERNAL Bind: */
             method = LDAP_AUTH_SASL;
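Review bot: With the option on, a v2 SIMPLE bind that carries a DN and a password on a cert-mapped connection is rewritten to SASL/EXTERNAL at lines 50-52, so the requested DN and credential are never checked and are silently replaced by c_external_dn, and nothing in the hunk records that substitution. A trace line before `method = LDAP_AUTH_SASL;`, e.g. `LDAPDebug( LDAP_DEBUG_TRACE, "bind: nsslapd-force-sasl-external is on, treating SIMPLE bind as SASL/EXTERNAL\n", 0, 0, 0 );`, would make the override visible when debugging access decisions; the same applies to the LDAPv3 branch in the next hunk. Separately, `config_get_force_sasl_external()` now runs first in the condition and takes the config read lock on every v2 SIMPLE bind, before the cheap `pb->pb_conn->c_external_dn != NULL` test; testing the pointer first avoids the lock on connections with no client certificate, and the LDAPv3 branch in the next hunk has the same ordering. do_bind's body continues outside the hunk.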
@@ -317,6 +318,17 @@ do_bind( Slapi_PBlock *pb )
         }
         break;
     case LDAP_VERSION3:
+        if ((method == LDAP_AUTH_SIMPLE) &&
+            config_get_force_sasl_external() &&
+            (pb->pb_conn->c_external_dn != NULL)) {
+            /* Treat this like a SASL EXTERNAL Bind: */
+            method = LDAP_AUTH_SASL;
+            saslmech = slapi_ch_strdup (LDAP_SASL_EXTERNAL);
+            /* This enables a client to establish an identity by sending
+             * a certificate in the SSL handshake, and also use LDAPv2
+             * (by sending this type of Bind request).
+             */
+        }
         break;
     default:
         LDAPDebug( LDAP_DEBUG_TRACE, "bind: unknown LDAP protocol version %d\n",
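Review bot: The comment copied into the LDAPv3 branch at lines 65-68 says the client can "also use LDAPv2 (by sending this type of Bind request)", which describes the v2 case above, not this one. Unlike the v2 branch, this condition does not require an empty DN and credential, so a v3 client's supplied password is discarded rather than verified whenever the connection has a cert-mapped DN; that matches the commit message, but the comment should state it. Suggested replacement: `/* nsslapd-force-sasl-external is on and this connection has a cert-mapped DN: ignore the supplied DN/password and bind as the certificate identity. */`. do_bind's body continues outside the hunk.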
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index c4026ac..89a3c79 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -620,7 +620,11 @@ static struct config_get_and_set {
 		(ConfigGetFunc)config_get_anon_access_switch},
 	{CONFIG_MINSSF_ATTRIBUTE, config_set_minssf,
 		NULL, 0,
-		(void**)&global_slapdFrontendConfig.minssf, CONFIG_INT, NULL}
+		(void**)&global_slapdFrontendConfig.minssf, CONFIG_INT, NULL},
+	{CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE, config_set_force_sasl_external,
+		NULL, 0,
+		(void**)&global_slapdFrontendConfig.force_sasl_external, CONFIG_ON_OFF,
+		(ConfigGetFunc)config_get_force_sasl_external}
 #ifdef MEMPOOL_EXPERIMENTAL
 	,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
 		NULL, 0,
@@ -921,6 +925,7 @@ FrontendConfig_init () {
   cfg->rewrite_rfc1274 = LDAP_OFF;
   cfg->schemareplace = slapi_ch_strdup( CONFIG_SCHEMAREPLACE_STR_REPLICATION_ONLY );
   cfg->schema_ignore_trailing_spaces = SLAPD_DEFAULT_SCHEMA_IGNORE_TRAILING_SPACES;
+  cfg->force_sasl_external = LDAP_OFF; /* do not force sasl external by default - let clients abide by the LDAP standards and send us a SASL/EXTERNAL bind if that's what they want to do */
 
   cfg->pwpolicy_local = LDAP_OFF;
   cfg->pw_policy.pw_change = LDAP_ON;
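Review bot: The default-setting comment at line 94 runs far past the width of the surrounding lines and is hard to read in a diff. Wrap it onto its own line(s) above the assignment, e.g. `/* Off by default: standards-conformant clients send a SASL/EXTERNAL bind themselves */` followed by `cfg->force_sasl_external = LDAP_OFF;`. FrontendConfig_init continues outside the hunk.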
@@ -5491,6 +5496,34 @@ config_set_anon_access_switch( const char *attrname, char *value,
 	return retVal;
 }
 
+int
+config_get_force_sasl_external(void)
+{
+	int retVal;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+	CFG_LOCK_READ(slapdFrontendConfig);
+	retVal = slapdFrontendConfig->force_sasl_external;
+	CFG_UNLOCK_READ(slapdFrontendConfig);
+
+	return retVal;
+}
+
+int
+config_set_force_sasl_external( const char *attrname, char *value,
+		char *errorbuf, int apply )
+{
+	int retVal = LDAP_SUCCESS;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+	retVal = config_set_onoff(attrname,
+		value,
+		&(slapdFrontendConfig->force_sasl_external),
+		errorbuf,
+		apply);
+
+	return retVal;
+}
+
 
 /*
  * This function is intended to be used from the dse code modify callback.  It
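Review bot: In `config_set_force_sasl_external` at lines 114-128 `retVal` is initialised to LDAP_SUCCESS and then unconditionally overwritten by the `config_set_onoff` result, so the initialiser is dead and the local adds nothing; the body reduces to `return config_set_onoff(attrname, value, &(slapdFrontendConfig->force_sasl_external), errorbuf, apply);`. Neither new function has a header comment; for the getter something like `/* Current nsslapd-force-sasl-external value, read under the config read lock */` and for the setter `/* Parses an on/off value for nsslapd-force-sasl-external; writes it only when apply is set */` would match the intent visible here (the apply semantics are those of config_set_onoff, which is outside the hunk, so confirm before quoting them).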
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 9133958..be3b9dd 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -370,6 +370,7 @@ int config_set_anon_access_switch(const char *attrname, char *value, char *error
 int config_set_minssf(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
+int config_set_force_sasl_external(const char *attrname, char *value, char *errorbuf, int apply );
 
 #if !defined(_WIN32) && !defined(AIX)
 int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int apply );
@@ -507,6 +508,7 @@ int config_get_mempool_maxfreelist();
 long config_get_system_page_size();
 int config_get_system_page_bits();
 #endif
+int config_get_force_sasl_external();
 
 int is_abspath(const char *);
 char* rel2abspath( char * );
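Review bot: The declaration added at line 149, `int config_get_force_sasl_external();`, is an old-style non-prototype declaration, while the definition in libglobs.c uses `(void)`; with empty parentheses the compiler does not check the argument list at call sites. Declare it as `int config_get_force_sasl_external(void);`. The neighbouring declarations share the same style, so this is consistent with the file, but new code need not inherit it.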
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index adef7a8..589756f 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1869,6 +1869,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_SSL_CHECK_HOSTNAME_ATTRIBUTE "nsslapd-ssl-check-hostname"
 #define CONFIG_HASH_FILTERS_ATTRIBUTE "nsslapd-hash-filters"
 #define CONFIG_OUTBOUND_LDAP_IO_TIMEOUT_ATTRIBUTE "nsslapd-outbound-ldap-io-timeout"
+#define CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE "nsslapd-force-sasl-external"
 
 #ifdef MEMPOOL_EXPERIMENTAL
 #define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool"
@@ -2084,6 +2085,7 @@ typedef struct _slapdFrontendConfig {
   long system_page_size;		/* system page size */
   int system_page_bits;			/* bit count to shift the system page size */
 #endif /* MEMPOOL_EXPERIMENTAL */
+  int force_sasl_external;      /* force SIMPLE bind to be SASL/EXTERNAL if client cert credentials were supplied */
 } slapdFrontendConfig_t;
 
 /* possible values for slapdFrontendConfig_t.schemareplace */



