Home Explore Help
Register Sign In
Apq
/
389-ds-base
mirror of https://github.com/389ds/389-ds-base.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Ticket 580 - Wrong error code return when using EXTERNAL SASL and no client certificate

Bug Description:  When doing a SASL EXTERNAL bind, and no client certificate is provided,
                  the bind succeeds(as anonymous).  However, the bind should fail with
                  an error 48.

Fix Description:  Check for the missing client certificate and return the appropriate
                  error.

https://fedorahosted.org/389/ticket/580

Reviewed by: Noriko(Thanks!)
Mark Reynolds 12 years ago
parent
1a35074669
commit
2a81336e58
1 changed files with 19 additions and 7 deletions
Split View Show Diff Stats
  1. 19 7
      ldap/servers/slapd/bind.c

+ 19 - 7
ldap/servers/slapd/bind.c
View File 

@@ -403,10 +403,12 @@ do_bind( Slapi_PBlock *pb )
 
         supported = slapi_get_supported_saslmechanisms_copy();
 
         if ( (pmech = supported) != NULL ) while (1) {
 
             if (*pmech == NULL) {
 
-		/* As we call the safe function, we receive a strdup'd saslmechanisms
 
-		   charray. Therefore, we need to remove it instead of NULLing it */
 
-		charray_free(supported); 
-		pmech = supported = NULL;
 
+                /*
 
+                 * As we call the safe function, we receive a strdup'd saslmechanisms
 
+                 * charray. Therefore, we need to remove it instead of NULLing it
 
+                 */
 
+                charray_free(supported);
 
+                pmech = supported = NULL;
 
                 break;
 
             }
 
             if (!strcasecmp (saslmech, *pmech)) break;
 
@@ -449,12 +451,22 @@ do_bind( Slapi_PBlock *pb )
 
                 goto free_and_return;
 
             }
 
 
+            /*
 
+             * Check for the client certificate.
 
+             */
 
+            if( NULL == pb->pb_conn->c_client_cert){
 
+                send_ldap_result( pb, LDAP_INAPPROPRIATE_AUTH, NULL,
 
+                                  "missing client certificate", 0, NULL );
 
+                /* call postop plugins */
 
+                plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
 
+                goto free_and_return;
 
+            }
 
+
 
             /*
 
              * if the client sent us a certificate but we could not map it
 
              * to an LDAP DN, fail and return an invalidCredentials error.
 
              */
 
-            if ( NULL != pb->pb_conn->c_client_cert &&
 
-                 NULL == pb->pb_conn->c_external_dn ) {
 
+            if ( NULL == pb->pb_conn->c_external_dn ) {
 
                 send_ldap_result( pb, LDAP_INVALID_CREDENTIALS, NULL,
 
                                   "client certificate mapping failed", 0, NULL );
 
                 /* call postop plugins */
 
@@ -463,7 +475,7 @@ do_bind( Slapi_PBlock *pb )
 
             }
 
 
             if (!isroot ) {
 
-            /* check if the account is locked */
 
+                /* check if the account is locked */
 
                 bind_target_entry = get_entry(pb, pb->pb_conn->c_external_dn);
 
                 if ( bind_target_entry != NULL && slapi_check_account_lock(pb, bind_target_entry,
 
                      pw_response_requested, 1 /*check password policy*/, 1 /*send ldap result*/) == 1) {