978
987
* the rationale is: connections as the rootdn are privileged,
979
* so acl_authcDN is to be used; however, in some cases
988
* so li_acl is to be used; however, in some cases
980
989
* one already configured identity assertion with a highly
981
* privileged idassert_authcDN, so if acl_authcDN is NULL
982
* and idassert_authcDN is not, use the second instead.
990
* privileged idassert_authcDN, so if li_acl is not configured
991
* and idassert is, use idassert instead.
984
993
* might change in the future, because it's preferable
985
994
* to make clear what identity is being used, since
1400
1410
#ifdef HAVE_CYRUS_SASL
1401
if ( LDAP_BACK_CONN_ISPRIV( lc )
1402
&& li->li_acl_authmethod == LDAP_AUTH_SASL )
1411
if ( LDAP_BACK_CONN_ISPRIV( lc )) {
1413
if ( li->li_acl_authmethod != LDAP_AUTH_NONE )
1416
sb = &li->li_idassert.si_bc;
1418
if ( sb->sb_method == LDAP_AUTH_SASL ) {
1404
1419
void *defaults = NULL;
1406
if ( li->li_acl_secprops != NULL ) {
1421
if ( sb->sb_secprops != NULL ) {
1407
1422
rc = ldap_set_option( lc->lc_ld,
1408
LDAP_OPT_X_SASL_SECPROPS, li->li_acl_secprops );
1423
LDAP_OPT_X_SASL_SECPROPS, sb->sb_secprops );
1410
1425
if ( rc != LDAP_OPT_SUCCESS ) {
1411
1426
Debug( LDAP_DEBUG_ANY, "Error: ldap_set_option "
1412
1427
"(SECPROPS,\"%s\") failed!\n",
1413
li->li_acl_secprops, 0, 0 );
1428
sb->sb_secprops, 0, 0 );
1418
1433
defaults = lutil_sasl_defaults( lc->lc_ld,
1419
li->li_acl_sasl_mech.bv_val,
1420
li->li_acl_sasl_realm.bv_val,
1421
li->li_acl_authcID.bv_val,
1422
li->li_acl_passwd.bv_val,
1434
sb->sb_saslmech.bv_val,
1435
sb->sb_realm.bv_val,
1436
sb->sb_authcId.bv_val,
1424
1439
if ( defaults == NULL ) {
1425
1440
rs->sr_err = LDAP_OTHER;
2260
rs->sr_err = ldap_sasl_interactive_bind_s( lc->lc_ld, binddn->bv_val,
2261
li->li_idassert_sasl_mech.bv_val, NULL, NULL,
2262
LDAP_SASL_QUIET, lutil_sasl_interact,
2286
if ( li->li_idassert_flags & LDAP_BACK_AUTH_DN_AUTHZID ) {
2287
assert( BER_BVISNULL( binddn ) );
2289
ctrl.ldctl_oid = LDAP_CONTROL_AUTHZID_REQUEST;
2290
ctrl.ldctl_iscritical = 0;
2291
BER_BVZERO( &ctrl.ldctl_value );
2296
#endif /* SLAP_AUTH_DN */
2299
rs->sr_err = ldap_sasl_interactive_bind( lc->lc_ld, binddn->bv_val,
2300
li->li_idassert_sasl_mech.bv_val,
2301
ctrlsp, NULL, LDAP_SASL_QUIET, lutil_sasl_interact, defaults,
2302
result, &rmech, &msgid );
2304
if ( rs->sr_err != LDAP_SASL_BIND_IN_PROGRESS )
2307
ldap_msgfree( result );
2309
if ( ldap_result( lc->lc_ld, msgid, LDAP_MSG_ALL, NULL, &result ) == -1 || !result ) {
2310
ldap_get_option( lc->lc_ld, LDAP_OPT_RESULT_CODE, (void*)&rs->sr_err );
2311
ldap_get_option( lc->lc_ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&rs->sr_text );
2314
} while ( rs->sr_err == LDAP_SASL_BIND_IN_PROGRESS );
2265
2316
switch ( rs->sr_err ) {
2266
2317
case LDAP_SUCCESS:
2319
/* FIXME: right now, the only reason to check
2320
* response controls is RFC 3829 authzid */
2321
if ( li->li_idassert_flags & LDAP_BACK_AUTH_DN_AUTHZID ) {
2323
rc = ldap_parse_result( lc->lc_ld, result, NULL, NULL, NULL, NULL,
2325
if ( rc == LDAP_SUCCESS && ctrlsp ) {
2328
ctrl = ldap_control_find( LDAP_CONTROL_AUTHZID_RESPONSE,
2331
Debug( LDAP_DEBUG_TRACE, "%s: ldap_back_proxy_authz_bind: authzID=\"%s\" (authzid)\n",
2332
op->o_log_prefix, ctrl->ldctl_value.bv_val, 0 );
2333
if ( ctrl->ldctl_value.bv_len > STRLENOF("dn:") &&
2334
strncasecmp( ctrl->ldctl_value.bv_val, "dn:", STRLENOF("dn:") ) == 0 )
2337
bv.bv_val = &ctrl->ldctl_value.bv_val[STRLENOF("dn:")];
2338
bv.bv_len = ctrl->ldctl_value.bv_len - STRLENOF("dn:");
2339
ber_bvreplace( &lc->lc_bound_ndn, &bv );
2344
ldap_controls_free( ctrlsp );
2346
} else if ( li->li_idassert_flags & LDAP_BACK_AUTH_DN_WHOAMI ) {
2347
struct berval *val = NULL;
2348
rc = ldap_whoami_s( lc->lc_ld, &val, NULL, NULL );
2349
if ( rc == LDAP_SUCCESS && val != NULL ) {
2350
Debug( LDAP_DEBUG_TRACE, "%s: ldap_back_proxy_authz_bind: authzID=\"%s\" (whoami)\n",
2351
op->o_log_prefix, val->bv_val, 0 );
2352
if ( val->bv_len > STRLENOF("dn:") &&
2353
strncasecmp( val->bv_val, "dn:", STRLENOF("dn:") ) == 0 )
2356
bv.bv_val = &val->bv_val[STRLENOF("dn:")];
2357
bv.bv_len = val->bv_len - STRLENOF("dn:");
2358
ber_bvreplace( &lc->lc_bound_ndn, &bv );
2364
if ( ( li->li_idassert_flags & LDAP_BACK_AUTH_DN_MASK ) &&
2365
BER_BVISNULL( &lc->lc_bound_ndn ) )
2367
/* all in all, we only need it to be non-null */
2368
/* FIXME: should this be configurable? */
2369
static struct berval bv = BER_BVC("cn=authzdn");
2370
ber_bvreplace( &lc->lc_bound_ndn, &bv );
2372
#endif /* SLAP_AUTH_DN */
2373
op->o_conn->c_authz_cookie = op->o_bd->be_private;
2267
2374
LDAP_BACK_CONN_ISBOUND_SET( lc );