Diffstat (limited to 'nslcd')
-rw-r--r-- | nslcd/cfg.c | 33 | ||||
-rw-r--r-- | nslcd/cfg.h | 10 | ||||
-rw-r--r-- | nslcd/myldap.c | 69 |
3 files changed, 82 insertions, 30 deletions
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index 920b5b8..9b26093 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -81,8 +81,11 @@ static void cfg_defaults(struct ldap_config *cfg)
 #endif /* not LDAP_VERSION3 */
 cfg->ldc_binddn=NULL;
 cfg->ldc_bindpw=NULL;
- cfg->ldc_saslid=NULL;
+ cfg->ldc_sasl_authcid=NULL;
+ cfg->ldc_sasl_authzid=NULL;
 cfg->ldc_sasl_secprops=NULL;
+ cfg->ldc_sasl_mech=NULL;
+ cfg->ldc_sasl_realm=NULL;
 cfg->ldc_usesasl=0;
 cfg->ldc_base=NULL;
 cfg->ldc_scope=LDAP_SCOPE_SUBTREE;
@@ -694,21 +697,39 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
 get_restdup(filename,lnr,keyword,&line,&cfg->ldc_bindpw);
 }
 /* SASL authentication options */
- else if (strcasecmp(keyword,"sasl_authid")==0)
+ else if (strcasecmp(keyword,"sasl_authcid")==0)
 {
- log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
- get_strdup(filename,lnr,keyword,&line,&cfg->ldc_saslid);
+ log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
+ get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_authcid);
+ get_eol(filename,lnr,keyword,&line);
+ }
+ else if (strcasecmp(keyword,"sasl_authzid")==0)
+ {
+ log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
+ get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_authzid);
+ get_eol(filename,lnr,keyword,&line);
+ }
+ else if (strcasecmp(keyword,"sasl_mech")==0)
+ {
+ log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
+ get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_mech);
+ get_eol(filename,lnr,keyword,&line);
+ }
+ else if (strcasecmp(keyword,"sasl_realm")==0)
+ {
+ log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
+ get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_realm);
 get_eol(filename,lnr,keyword,&line);
 }
 else if (strcasecmp(keyword,"sasl_secprops")==0)
 {
- log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
+ log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
 get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_secprops);
 get_eol(filename,lnr,keyword,&line);
 }
 else if (strcasecmp(keyword,"use_sasl")==0)
 {
- log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
+ log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
 get_boolean(filename,lnr,keyword,&line,&cfg->ldc_usesasl);
 get_eol(filename,lnr,keyword,&line);
 }
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index 981af28..a6edb47 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -87,10 +87,16 @@ struct ldap_config
 char *ldc_binddn;
 /* bind cred */
 char *ldc_bindpw;
- /* sasl auth id */
- char *ldc_saslid;
+ /* sasl authentication id */
+ char *ldc_sasl_authcid;
+ /* sasl authorization id */
+ char *ldc_sasl_authzid;
 /* sasl security */
 char *ldc_sasl_secprops;
+ /* sasl mech */
+ char *ldc_sasl_mech;
+ /* sasl realm */
+ char *ldc_sasl_realm;
 /* do we use sasl when binding? */
 int ldc_usesasl;
 /* base DN, eg. dc=gnu,dc=org */
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index f2c8062..6a05b53 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
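Review bot: Dropping the `sasl_authid` keyword with no compatibility path means an existing nslcd.conf loses its SASL identity on upgrade, and the nearest new spelling, `sasl_authcid`, is not its replacement: the removed `do_sasl_interact` code in myldap.c handed the old value to `SASL_CB_USER`, which is the prompt `sasl_authzid` now answers. I would keep the old keyword as a deprecated alias of the authzid branch, `else if ((strcasecmp(keyword,"sasl_authzid")==0)||(strcasecmp(keyword,"sasl_authid")==0))`, and log a deprecation warning when the old spelling is seen so the semantic difference is visible to the admin. What the parser does with an unrecognised keyword is outside this hunk, so I cannot tell whether a stale config fails loudly or is silently ignored. cfg_read starts and ends outside the hunk.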
@@ -310,26 +310,43 @@ PURE static inline int is_valid_entry(MYLDAP_ENTRY *entry)
 /* this is registered with ldap_sasl_interactive_bind_s() in do_bind() */
 static int do_sasl_interact(LDAP UNUSED(*ld),unsigned UNUSED(flags),void *defaults,void *_interact)
 {
- char *authzid=(char *)defaults;
- sasl_interact_t *interact=(sasl_interact_t *)_interact;
+ struct ldap_config *cfg=defaults;
+ sasl_interact_t *interact=_interact;
 while (interact->id!=SASL_CB_LIST_END)
 {
- if (interact->id!=SASL_CB_USER)
- return LDAP_PARAM_ERROR;
- if (authzid!=NULL)
+ switch(interact->id)
 {
- interact->result=authzid;
- interact->len=strlen(authzid);
- }
- else if (interact->defresult!=NULL)
- {
- interact->result=interact->defresult;
- interact->len=strlen(interact->defresult);
- }
- else
- {
- interact->result="";
- interact->len=0;
+ case SASL_CB_GETREALM:
+ if (cfg->ldc_sasl_realm)
+ {
+ interact->result=cfg->ldc_sasl_realm;
+ interact->len=strlen(cfg->ldc_sasl_realm);
+ }
+ break;
+ case SASL_CB_AUTHNAME:
+ if (cfg->ldc_sasl_authcid)
+ {
+ interact->result=cfg->ldc_sasl_authcid;
+ interact->len=strlen(cfg->ldc_sasl_authcid);
+ }
+ break;
+ case SASL_CB_USER:
+ if (cfg->ldc_sasl_authzid)
+ {
+ interact->result=cfg->ldc_sasl_authzid;
+ interact->len=strlen(cfg->ldc_sasl_authzid);
+ }
+ break;
+ case SASL_CB_PASS:
+ if (cfg->ldc_bindpw)
+ {
+ interact->result=cfg->ldc_bindpw;
+ interact->len=strlen(cfg->ldc_bindpw);
+ }
+ break;
+ default:
+ /* just ignore */
+ break;
 }
 interact++;
 }
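Review bot: Every new `case` leaves `interact->result` and `interact->len` untouched when the matching config value is unset, whereas the removed code always answered the prompt, falling back to `interact->defresult` and then to `""`. An unset `bind_pw` with a password mechanism, or an unset `sasl_authcid`, therefore returns an unanswered prompt to libsasl, and with `LDAP_SASL_QUIET` passed from do_bind there is no interactive prompt to fall through to; how each mechanism treats a NULL answer is not something this hunk lets me verify, so the safe move is to keep the old fallback. I would select the configured value per case into one local and apply the fallback once after the switch, as below, leaving prompts this callback does not know about for the library as the new code does. The function's return statement and closing brace lie outside the hunk.
```c
    const char *value;
    switch(interact->id)
    {
      case SASL_CB_GETREALM: value=cfg->ldc_sasl_realm; break;
      case SASL_CB_AUTHNAME: value=cfg->ldc_sasl_authcid; break;
      case SASL_CB_USER:     value=cfg->ldc_sasl_authzid; break;
      case SASL_CB_PASS:     value=cfg->ldc_bindpw; break;
      default:
        /* a prompt we do not handle: leave it to the library */
        interact++;
        continue;
    }
    /* always answer a prompt we handle, as the previous code did */
    if (value==NULL)
      value=(interact->defresult!=NULL)?interact->defresult:"";
    interact->result=value;
    interact->len=strlen(value);
    /* … unchanged: interact++ and end of loop … */
```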
@@ -388,13 +405,21 @@ static int do_bind(MYLDAP_SESSION *session,const char *uri)
 LDAP_SET_OPTION(session->ld,LDAP_OPT_X_SASL_SECPROPS,(void *)nslcd_cfg->ldc_sasl_secprops);
 }
 #ifdef HAVE_SASL_INTERACT_T
- return ldap_sasl_interactive_bind_s(session->ld,nslcd_cfg->ldc_binddn,"GSSAPI",NULL,NULL,
+ return ldap_sasl_interactive_bind_s(session->ld,nslcd_cfg->ldc_binddn,nslcd_cfg->ldc_sasl_mech,NULL,NULL,
 LDAP_SASL_QUIET,
- do_sasl_interact,(void *)nslcd_cfg->ldc_saslid);
+ do_sasl_interact,(void *)nslcd_cfg);
 #else /* HAVE_SASL_INTERACT_T */
- cred.bv_val=nslcd_cfg->ldc_saslid;
- cred.bv_len=strlen(nslcd_cfg->ldc_saslid);
- return ldap_sasl_bind_s(session->ld,nslcd_cfg->ldc_binddn,"GSSAPI",&cred,NULL,NULL,NULL);
+ if (nslcd_cfg->ldc_bindpw!=NULL)
+ {
+ cred.bv_val=nslcd_cfg->ldc_bindpw;
+ cred.bv_len=strlen(nslcd_cfg->ldc_bindpw);
+ }
+ else
+ {
+ cred.bv_val="";
+ cred.bv_len=0;
+ }
+ return ldap_sasl_bind_s(session->ld,NULL,nslcd_cfg->ldc_sasl_mech,&cred,NULL,NULL,NULL);
 #endif /* not HAVE_SASL_INTERACT_T */
 }
 #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */ |
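Review bot: When `sasl_mech` is not configured, `cfg_defaults` in cfg.c leaves `ldc_sasl_mech` NULL, so the interactive bind here now runs with a NULL mechanism where it previously pinned `"GSSAPI"`; as I read libldap, a NULL mechanism list makes it negotiate from whatever `supportedSASLMechanisms` the server advertises, so every pre-existing `use_sasl` config stops pinning the mechanism and a server (or, absent TLS, an on-path party) advertising PLAIN or ANONYMOUS can steer the bind, with `bind_pw` then handed over through the `SASL_CB_PASS` prompt. I would preserve the old default at the call site, `nslcd_cfg->ldc_sasl_mech!=NULL?nslcd_cfg->ldc_sasl_mech:"GSSAPI",`, or reject `use_sasl` without `sasl_mech` when the config is read. The `#else` branch also changes the bind DN argument from `ldc_binddn` to NULL and passes `bind_pw` as the raw initial credential regardless of mechanism without saying why; a one-line comment on each would help the next reader. do_bind starts outside this hunk.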