Bug 554573 - ACIs use bind DN from bind req rather than cert mapped DN from sasl/external

https://bugzilla.redhat.com/show_bug.cgi?id=554573
Resolves: bug 554573
Bug Description: ACIs use bind DN from bind req rather than cert mapped DN from sasl/external
Reviewed by: ???
Branch: HEAD
Fix Description: Added a new config option - nsslapd-force-sasl-external (on/off)
default is off - when set to on, a SIMPLE bind on a connection that has set
a DN from a cert will be changed to be a SASL/EXTERNAL bind.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: yes - new attribute to document

Note: This commit is for reapplying the patch I accidentally reverted
by the previous revert (031e725dce895bf2382ca7801cef772fe6b24c61).
(see commit f4b90ed5e43fa06ea6185cf17073b7a32db6ef4c, as well)
  commit 031e725dce895bf2382ca7801cef772fe6b24c61
  Author: Noriko Hosoi <[email protected]>
  Date:   Fri Mar 5 16:09:28 2010 -0800
    Revert "Merge branch '547503'"
	This reverts commit f2a04fdc45cc8a408267019990504354282c4303, reversing
			    changes made to 0b95451c7e50cb6b2d0cb310dddca18336e1b2ac.

.gitignore

@@ -1,2 +1,3 @@
 autom4te.cache
 *~
+*.patch

ldap/servers/slapd/bind.c

@@ -305,7 +305,8 @@ do_bind( Slapi_PBlock *pb )
     switch ( version ) {
     case LDAP_VERSION2:
         if (method == LDAP_AUTH_SIMPLE
-            && (dn == NULL || *dn == '\0') && cred.bv_len == 0
+            && (config_get_force_sasl_external() ||
+                ((dn == NULL || *dn == '\0') && cred.bv_len == 0))
             && pb->pb_conn->c_external_dn != NULL) {
             /* Treat this like a SASL EXTERNAL Bind: */
             method = LDAP_AUTH_SASL;
@@ -317,6 +318,17 @@ do_bind( Slapi_PBlock *pb )
         }
         break;
     case LDAP_VERSION3:
+        if ((method == LDAP_AUTH_SIMPLE) &&
+            config_get_force_sasl_external() &&
+            (pb->pb_conn->c_external_dn != NULL)) {
+            /* Treat this like a SASL EXTERNAL Bind: */
+            method = LDAP_AUTH_SASL;
+            saslmech = slapi_ch_strdup (LDAP_SASL_EXTERNAL);
+            /* This enables a client to establish an identity by sending
+             * a certificate in the SSL handshake, and also use LDAPv2
+             * (by sending this type of Bind request).
+             */
+        }
         break;
     default:
         LDAPDebug( LDAP_DEBUG_TRACE, "bind: unknown LDAP protocol version %d\n",

ldap/servers/slapd/libglobs.c

@@ -620,7 +620,11 @@ static struct config_get_and_set {
 		(ConfigGetFunc)config_get_anon_access_switch},
 	{CONFIG_MINSSF_ATTRIBUTE, config_set_minssf,
 		NULL, 0,
-		(void**)&global_slapdFrontendConfig.minssf, CONFIG_INT, NULL}
+		(void**)&global_slapdFrontendConfig.minssf, CONFIG_INT, NULL},
+	{CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE, config_set_force_sasl_external,
+		NULL, 0,
+		(void**)&global_slapdFrontendConfig.force_sasl_external, CONFIG_ON_OFF,
+		(ConfigGetFunc)config_get_force_sasl_external}
 #ifdef MEMPOOL_EXPERIMENTAL
 	,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
 		NULL, 0,
@@ -921,6 +925,7 @@ FrontendConfig_init () {
   cfg->rewrite_rfc1274 = LDAP_OFF;
   cfg->schemareplace = slapi_ch_strdup( CONFIG_SCHEMAREPLACE_STR_REPLICATION_ONLY );
   cfg->schema_ignore_trailing_spaces = SLAPD_DEFAULT_SCHEMA_IGNORE_TRAILING_SPACES;
+  cfg->force_sasl_external = LDAP_OFF; /* do not force sasl external by default - let clients abide by the LDAP standards and send us a SASL/EXTERNAL bind if that's what they want to do */
 
   cfg->pwpolicy_local = LDAP_OFF;
   cfg->pw_policy.pw_change = LDAP_ON;
@@ -5491,6 +5496,34 @@ config_set_anon_access_switch( const char *attrname, char *value,
 	return retVal;
 }
 
+int
+config_get_force_sasl_external(void)
+{
+	int retVal;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+	CFG_LOCK_READ(slapdFrontendConfig);
+	retVal = slapdFrontendConfig->force_sasl_external;
+	CFG_UNLOCK_READ(slapdFrontendConfig);
+
+	return retVal;
+}
+
+int
+config_set_force_sasl_external( const char *attrname, char *value,
+		char *errorbuf, int apply )
+{
+	int retVal = LDAP_SUCCESS;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+	retVal = config_set_onoff(attrname,
+		value,
+		&(slapdFrontendConfig->force_sasl_external),
+		errorbuf,
+		apply);
+
+	return retVal;
+}
+
 
 /*
  * This function is intended to be used from the dse code modify callback.  It

ldap/servers/slapd/proto-slap.h

@@ -370,6 +370,7 @@ int config_set_anon_access_switch(const char *attrname, char *value, char *error
 int config_set_minssf(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
+int config_set_force_sasl_external(const char *attrname, char *value, char *errorbuf, int apply );
 
 #if !defined(_WIN32) && !defined(AIX)
 int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int apply );
@@ -507,6 +508,7 @@ int config_get_mempool_maxfreelist();
 long config_get_system_page_size();
 int config_get_system_page_bits();
 #endif
+int config_get_force_sasl_external();
 
 int is_abspath(const char *);
 char* rel2abspath( char * );

ldap/servers/slapd/slap.h

@@ -1869,6 +1869,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_SSL_CHECK_HOSTNAME_ATTRIBUTE "nsslapd-ssl-check-hostname"
 #define CONFIG_HASH_FILTERS_ATTRIBUTE "nsslapd-hash-filters"
 #define CONFIG_OUTBOUND_LDAP_IO_TIMEOUT_ATTRIBUTE "nsslapd-outbound-ldap-io-timeout"
+#define CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE "nsslapd-force-sasl-external"
 
 #ifdef MEMPOOL_EXPERIMENTAL
 #define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool"
@@ -2084,6 +2085,7 @@ typedef struct _slapdFrontendConfig {
   long system_page_size;		/* system page size */
   int system_page_bits;			/* bit count to shift the system page size */
 #endif /* MEMPOOL_EXPERIMENTAL */
+  int force_sasl_external;      /* force SIMPLE bind to be SASL/EXTERNAL if client cert credentials were supplied */
 } slapdFrontendConfig_t;
 
 /* possible values for slapdFrontendConfig_t.schemareplace */