3 files changed, 82 insertions, 30 deletions
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index 920b5b8..9b26093 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -81,8 +81,11 @@ static void cfg_defaults(struct ldap_config *cfg)
 #endif /* not LDAP_VERSION3 */
   cfg->ldc_binddn=NULL;
   cfg->ldc_bindpw=NULL;
-  cfg->ldc_saslid=NULL;
+  cfg->ldc_sasl_authcid=NULL;
+  cfg->ldc_sasl_authzid=NULL;
   cfg->ldc_sasl_secprops=NULL;
+  cfg->ldc_sasl_mech=NULL;
+  cfg->ldc_sasl_realm=NULL;
   cfg->ldc_usesasl=0;
   cfg->ldc_base=NULL;
   cfg->ldc_scope=LDAP_SCOPE_SUBTREE;
@@ -694,21 +697,39 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
       get_restdup(filename,lnr,keyword,&line,&cfg->ldc_bindpw);
     }
     /* SASL authentication options */
-    else if (strcasecmp(keyword,"sasl_authid")==0)
+    else if (strcasecmp(keyword,"sasl_authcid")==0)
     {
-      log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
-      get_strdup(filename,lnr,keyword,&line,&cfg->ldc_saslid);
+      log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
+      get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_authcid);
+      get_eol(filename,lnr,keyword,&line);
+    }
+    else if (strcasecmp(keyword,"sasl_authzid")==0)
+    {
+      log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
+      get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_authzid);
+      get_eol(filename,lnr,keyword,&line);
+    }
+    else if (strcasecmp(keyword,"sasl_mech")==0)
+    {
+      log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
+      get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_mech);
+      get_eol(filename,lnr,keyword,&line);
+    }
+    else if (strcasecmp(keyword,"sasl_realm")==0)
+    {
+      log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
+      get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_realm);
       get_eol(filename,lnr,keyword,&line);
     }
     else if (strcasecmp(keyword,"sasl_secprops")==0)
     {
-      log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
+      log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
       get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_secprops);
       get_eol(filename,lnr,keyword,&line);
     }
     else if (strcasecmp(keyword,"use_sasl")==0)
     {
-      log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
+      log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
       get_boolean(filename,lnr,keyword,&line,&cfg->ldc_usesasl);
       get_eol(filename,lnr,keyword,&line);
     }
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index 981af28..a6edb47 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -87,10 +87,16 @@ struct ldap_config
   char *ldc_binddn;
   /* bind cred */
   char *ldc_bindpw;
-  /* sasl auth id */
-  char *ldc_saslid;
+  /* sasl authentication id */
+  char *ldc_sasl_authcid;
+  /* sasl authorization id */
+  char *ldc_sasl_authzid;
   /* sasl security */
   char *ldc_sasl_secprops;
+  /* sasl mech */
+  char *ldc_sasl_mech;
+  /* sasl realm */
+  char *ldc_sasl_realm;
   /* do we use sasl when binding? */
   int ldc_usesasl;
   /* base DN, eg. dc=gnu,dc=org */
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index f2c8062..6a05b53 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -310,26 +310,43 @@ PURE static inline int is_valid_entry(MYLDAP_ENTRY *entry)
 /* this is registered with ldap_sasl_interactive_bind_s() in do_bind() */
 static int do_sasl_interact(LDAP UNUSED(*ld),unsigned UNUSED(flags),void *defaults,void *_interact)
 {
-  char *authzid=(char *)defaults;
-  sasl_interact_t *interact=(sasl_interact_t *)_interact;
+  struct ldap_config *cfg=defaults;
+  sasl_interact_t *interact=_interact;
   while (interact->id!=SASL_CB_LIST_END)
   {
-    if (interact->id!=SASL_CB_USER)
-      return LDAP_PARAM_ERROR;
-    if (authzid!=NULL)
+    switch(interact->id)
     {
-      interact->result=authzid;
-      interact->len=strlen(authzid);
-    }
-    else if (interact->defresult!=NULL)
-    {
-      interact->result=interact->defresult;
-      interact->len=strlen(interact->defresult);
-    }
-    else
-    {
-      interact->result="";
-      interact->len=0;
+      case SASL_CB_GETREALM:
+        if (cfg->ldc_sasl_realm)
+        {
+          interact->result=cfg->ldc_sasl_realm;
+          interact->len=strlen(cfg->ldc_sasl_realm);
+        }
+        break;
+      case SASL_CB_AUTHNAME:
+        if (cfg->ldc_sasl_authcid)
+        {
+          interact->result=cfg->ldc_sasl_authcid;
+          interact->len=strlen(cfg->ldc_sasl_authcid);
+        }
+        break;
+      case SASL_CB_USER:
+        if (cfg->ldc_sasl_authzid)
+        {
+          interact->result=cfg->ldc_sasl_authzid;
+          interact->len=strlen(cfg->ldc_sasl_authzid);
+        }
+        break;
+      case SASL_CB_PASS:
+        if (cfg->ldc_bindpw)
+        {
+          interact->result=cfg->ldc_bindpw;
+          interact->len=strlen(cfg->ldc_bindpw);
+        }
+        break;
+      default:
+        /* just ignore */
+        break;
     }
     interact++;
   }
@@ -388,13 +405,21 @@ static int do_bind(MYLDAP_SESSION *session,const char *uri)
       LDAP_SET_OPTION(session->ld,LDAP_OPT_X_SASL_SECPROPS,(void *)nslcd_cfg->ldc_sasl_secprops);
     }
 #ifdef HAVE_SASL_INTERACT_T
-    return ldap_sasl_interactive_bind_s(session->ld,nslcd_cfg->ldc_binddn,"GSSAPI",NULL,NULL,
+    return ldap_sasl_interactive_bind_s(session->ld,nslcd_cfg->ldc_binddn,nslcd_cfg->ldc_sasl_mech,NULL,NULL,
                                     LDAP_SASL_QUIET,
-                                    do_sasl_interact,(void *)nslcd_cfg->ldc_saslid);
+                                    do_sasl_interact,(void *)nslcd_cfg);
 #else /* HAVE_SASL_INTERACT_T */
-    cred.bv_val=nslcd_cfg->ldc_saslid;
-    cred.bv_len=strlen(nslcd_cfg->ldc_saslid);
-    return ldap_sasl_bind_s(session->ld,nslcd_cfg->ldc_binddn,"GSSAPI",&cred,NULL,NULL,NULL);
+    if (nslcd_cfg->ldc_bindpw!=NULL)
+    {
+      cred.bv_val=nslcd_cfg->ldc_bindpw;
+      cred.bv_len=strlen(nslcd_cfg->ldc_bindpw);
+    }
+    else
+    {
+      cred.bv_val="";
+      cred.bv_len=0;
+    }
+    return ldap_sasl_bind_s(session->ld,NULL,nslcd_cfg->ldc_sasl_mech,&cred,NULL,NULL,NULL);
 #endif /* not HAVE_SASL_INTERACT_T */
   }
 #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */