Trang chủ Khám phá Trợ giúp
Đăng ký Đăng nhập
Apq
/
389-ds-base
mirror of https://github.com/389ds/389-ds-base.git
1
0
Fork 0
Các tập tin Các vấn đề 0 Wiki
Browse Source

Bug 434735 - Allow SASL ANONYMOUS mech to work

The SASL ANONYMOUS mechanism was broken since the SASL mapping code
was invoked to map anonymous to a real user entry.  This adds a
special case to the canonify user callback that sets the bind DN
to "" if the ANONYMOUS mechanism is being used.

I also added a check to see if anonymous access is disabled when
we set up the SASL secprops for a connection.  If anonymous access
is disabled, we set a SASL security flag to disallow mechanisms
that would allow anonymous access.
Nathan Kinder 16 năm trước cách đây
mục cha
a7d0c3dd59
commit
363be33561
1 tập tin đã thay đổi với 26 bổ sung1 xóa
Split View Hiển thị tình trạng sai khác
  1. 26 1
      ldap/servers/slapd/saslbind.c

+ 26 - 1
ldap/servers/slapd/saslbind.c
Xem Tập Tin 

@@ -397,6 +397,7 @@ static int ids_sasl_canon_user(
 
     Slapi_DN *sdn = NULL;
 
     char *pw = NULL;
 
     char *user = NULL;
 
+    char *mech = NULL;
 
     const char *dn;
 
     int isroot = 0;
 
     char *clear = NULL;
 
@@ -410,6 +411,13 @@ static int ids_sasl_canon_user(
 
               "ids_sasl_canon_user(user=%s, realm=%s)\n", 
               user, user_realm ? user_realm : "", 0);
 
 
+    sasl_getprop(conn, SASL_MECHNAME, (const void**)&mech);
 
+    if (mech == NULL) {
 
+        LDAPDebug0Args(LDAP_DEBUG_TRACE, "Unable to read SASL mechanism while "
 
+              "canonifying user.\n")
 
+        goto fail;
 
+    }
 
+
 
     if (strncasecmp(user, "dn:", 3) == 0) {
 
         sdn = slapi_sdn_new();
 
         slapi_sdn_set_dn_byval(sdn, user+3);
 
@@ -420,6 +428,10 @@ static int ids_sasl_canon_user(
 
         /* special case directory manager */
 
         dn = slapi_sdn_get_ndn(sdn);
 
         pw = config_get_rootpw();
 
+    } else if (strcasecmp(mech, "ANONYMOUS") == 0) {
 
+        /* SASL doesn't allow us to set the username to an empty string,
 
+	 * so we just set it to anonymous. */
 
+        dn = "anonymous";
 
     } else {
 
         /* map the sasl username into an entry */
 
         entry = ids_sasl_user_to_entry(conn, context, user, user_realm);
 
@@ -433,7 +445,14 @@ static int ids_sasl_canon_user(
 
         pw = slapi_entry_attr_get_charptr(entry, "userpassword");
 
     }
 
 
-    if (prop_set(propctx, "dn", dn, -1) != 0) {
 
+    /* Need to set dn property to an empty string for the ANONYMOUS mechanism.  This
 
+     * property determines what the bind identity will be if authentication succeeds. */
 
+    if (strcasecmp(mech, "ANONYMOUS") == 0) {
 
+        if (prop_set(propctx, "dn", "", -1) != 0) {
 
+            LDAPDebug(LDAP_DEBUG_TRACE, "prop_set(dn) failed\n", 0, 0, 0);
 
+            goto fail;
 
+        }
 
+    } else if (prop_set(propctx, "dn", dn, -1) != 0) {
 
         LDAPDebug(LDAP_DEBUG_TRACE, "prop_set(dn) failed\n", 0, 0, 0);
 
         goto fail;
 
     }
 
@@ -643,7 +662,13 @@ void ids_sasl_server_new(Connection *conn)
 
     secprops.maxbufsize = 2048; /* DBDB: hack */
 
     secprops.max_ssf = 0xffffffff;
 
     secprops.min_ssf = config_get_minssf();
 
+    /* If anonymous access is disabled, set the appropriate flag */
 
+    if (!config_get_anon_access_switch()) {
 
+        secprops.security_flags = SASL_SEC_NOANONYMOUS;
 
+    }
 
+
 
     rc = sasl_setprop(sasl_conn, SASL_SEC_PROPS, &secprops);
 
+
 
     if (rc != SASL_OK) {
 
         LDAPDebug(LDAP_DEBUG_ANY, "sasl_setprop: %s\n",
 
                   sasl_errstring(rc, NULL, NULL), 0, 0);