
Resolves: 214238
Summary: Added new config parameter for setting the SASL plug-in path.

Nathan Kinder 19 سال پیش
والد
کامیت
6f4bf3ed01

+ 6 - 0
ldap/admin/src/create_instance.c

@@ -2700,6 +2700,10 @@ char *ds_gen_confs(char *sroot, server_config_s *cf, char *cs_path)
     fprintf(f, "nsslapd-lockdir: %s\n", cf->lock_dir);
     fprintf(f, "nsslapd-tmpdir: %s\n", cf->tmp_dir);
     fprintf(f, "nsslapd-certdir: %s\n", cf->cert_dir);
+/* We use the system SASL by default on Linux, so we don't need to set sasl path */
+#if !defined( LINUX )
+    fprintf(f, "nsslapd-saslpath: %s\n", cf->sasl_path);
+#endif
     fprintf(f, "nsslapd-accesslog-logging-enabled: on\n");
     fprintf(f, "nsslapd-accesslog-maxlogsperdir: 10\n");
     fprintf(f, "nsslapd-accesslog-mode: 600\n");
@@ -4293,6 +4297,7 @@ set_path_attribute(char *attr, char *defaultval, char *prefix)
  * cf->tmp_dir: <localstatedir>/tmp/slapd-<servid>
  * cf->ldif_dir: <datadir>/<brand-ds>/ldif
  * cf->cert_dir: <sysconfdir>/BRAND_DS/slapd-<servid>
+ * cf->sasl_path: <sroot>/sasl2
  * cf->plugin_dir: <sroot>/plugins
  *
  * NOTES: 
@@ -4342,6 +4347,7 @@ int parse_form(server_config_s *cf)
 
     cf->sroot = PR_smprintf("%s%cusr%clib%c%s",
                 prefix, FILE_PATHSEP, FILE_PATHSEP, FILE_PATHSEP, cf->brand_ds);
+    cf->sasl_path = PR_smprintf("%s%csasl2", cf->sroot, FILE_PATHSEP);
     cf->plugin_dir = PR_smprintf("%s%cplugins", cf->sroot, FILE_PATHSEP);
 
     if (!(cf->servname = ds_a_get_cgi_var("servname", "Server Name",
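Review bot: The `PR_smprintf` result assigned to `cf->sasl_path` is used without a NULL check, and on non-Linux builds ds_gen_confs (first hunk of this file) prints it with `%s`, so an allocation failure here would pass a NULL pointer to `fprintf`. A guard right after the assignment, `if (cf->sasl_path == NULL) { /* report out-of-memory and fail the form */ }`, following whatever error convention parse_form already uses, would close that. The neighbouring `cf->sroot` and `cf->plugin_dir` assignments appear to have the same gap. The enclosing function starts and ends outside the hunk.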

+ 1 - 0
ldap/admin/src/create_instance.h

@@ -136,6 +136,7 @@ typedef struct {
     char *plugin_dir;
     char *tmp_dir;
     char *cert_dir;
+    char *sasl_path;
     char *prefix;
 } server_config_s;
 

+ 13 - 0
ldap/servers/slapd/config.c

@@ -358,6 +358,19 @@ slapd_bootstrap_config(const char *configdir)
 					}
 				}
 
+				/* set the sasl path; needed in main */
+				 workpath[0] = '\0';
+				if (entry_has_attr_and_value(e, CONFIG_SASLPATH_ATTRIBUTE,
+						workpath, sizeof(workpath)))
+				{
+					if (config_set_saslpath(CONFIG_SASLPATH_ATTRIBUTE,
+							workpath, errorbuf, CONFIG_APPLY) != LDAP_SUCCESS)
+					{
+						LDAPDebug(LDAP_DEBUG_ANY, "%s: %s: %s. \n", configfile,
+									  CONFIG_SASLPATH_ATTRIBUTE, errorbuf);
+					}
+				}
+
 				/* see if the entry is a child of the plugin base dn */
 				if (slapi_sdn_isparent(&plug_dn,
 									   slapi_entry_get_sdn_const(e)))
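Review bot: The failure branch for `config_set_saslpath` only logs and lets startup continue, so a rejected `nsslapd-saslpath` silently leaves plug-in lookup to the fallbacks in ids_sasl_getpluginpath (the `SASL_PATH` environment variable, then `/usr/lib/sasl2`). Because this value decides which directory SASL plug-ins are loaded from, the message should say that the configured path was ignored, e.g. `"%s: %s: %s; using fallback SASL plug-in path\n"`. The line `workpath[0] = '\0';` also carries a stray space after its tabs. The enclosing loop in slapd_bootstrap_config starts and ends outside the hunk.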

+ 40 - 0
ldap/servers/slapd/libglobs.c

@@ -529,6 +529,10 @@ static struct config_get_and_set {
 	{CONFIG_CERTDIR_ATTRIBUTE, config_set_certdir,
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.certdir, CONFIG_STRING, config_get_certdir},
+	/* parameterizing sasl plugin path */
+	{CONFIG_SASLPATH_ATTRIBUTE, config_set_saslpath,
+		NULL, 0,
+		(void**)&global_slapdFrontendConfig.saslpath, CONFIG_STRING, config_get_saslpath},
 	{CONFIG_REWRITE_RFC1274_ATTRIBUTE, config_set_rewrite_rfc1274,
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.rewrite_rfc1274, CONFIG_ON_OFF, NULL},
@@ -4305,6 +4309,42 @@ config_set_certdir(const char *attrname, char *value, char *errorbuf, int apply)
 	return retVal;
 }
 
+char *
+config_get_saslpath()
+{
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+	char *retVal;
+
+	CFG_LOCK_READ(slapdFrontendConfig);
+	retVal = config_copy_strval(slapdFrontendConfig->saslpath);
+	CFG_UNLOCK_READ(slapdFrontendConfig);
+
+	return retVal;
+}
+
+int
+config_set_saslpath(const char *attrname, char *value, char *errorbuf, int apply)
+{
+	int retVal = LDAP_SUCCESS;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+	if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
+		return LDAP_OPERATIONS_ERROR;
+	}
+
+	if (!apply) {
+		return retVal;
+	}
+
+	CFG_LOCK_WRITE(slapdFrontendConfig);
+	slapi_ch_free((void **)&slapdFrontendConfig->saslpath);
+
+	slapdFrontendConfig->saslpath = slapi_ch_strdup(value);
+
+	CFG_UNLOCK_WRITE(slapdFrontendConfig);
+	return retVal;
+}
+
 char **
 config_get_errorlog_list()
 {
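Review bot: `config_set_saslpath` stores any non-empty string, yet the value names the directory from which SASL plug-ins are loaded into the server, and the table entry added in the first hunk of this file registers it alongside the other settable config attributes. Rejecting values that are not absolute paths, before the `if (!apply)` return, would keep a relative path from being resolved against the server's working directory. Both new functions also lack a header comment. For the getter I would add `/* Returns a copy of nsslapd-saslpath made by config_copy_strval(); presumably the caller must free it */`. For the setter, a comment should note that the value is probably only read when SASL is initialised at startup, so a later change needs a restart; this is inferred from the main.c change and should be confirmed.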

+ 5 - 1
ldap/servers/slapd/main.c

@@ -748,7 +748,6 @@ main( int argc, char **argv)
 		 * THE FIX: Move the two calls below before a call to 
 		 * setup_internal_backends (down in this same function)
 		 */
-		init_saslmechanisms();
 		ldapi_init_extended_ops();
 
 		
@@ -777,6 +776,11 @@ main( int argc, char **argv)
 			exit(1);
 		}
 
+		/* We need to init sasl after we load the bootstrap config since
+		 * the config may be setting the sasl plugin path.
+		 */
+		init_saslmechanisms();
+
 		/* -sduloutre: must be done before any internal search */
 		/* do it before splitting off to other modes too -robey */
 		/* -richm: must be done before reading config files */
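Review bot: The comment left at the old call site (previous hunk) still reads "Move the two calls below before a call to setup_internal_backends", but only `ldapi_init_extended_ops()` remains there after this move. That comment should be updated, and the new one should state the ordering it still depends on, e.g. `/* ... must still run before setup_internal_backends() */`, if that constraint applies to `init_saslmechanisms()`; the hunk does not show whether it does. main's body continues outside the hunk.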

+ 2 - 0
ldap/servers/slapd/proto-slap.h

@@ -304,6 +304,7 @@ int config_set_schemadir( const char *attrname, char *value, char *errorbuf, int
 int config_set_lockdir( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_tmpdir( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_certdir( const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_saslpath( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_attrname_exceptions( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_hash_filters( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_rewrite_rfc1274( const char *attrname, char *value, char *errorbuf, int apply );
@@ -404,6 +405,7 @@ char *config_get_schemadir();
 char *config_get_lockdir();
 char *config_get_tmpdir();
 char *config_get_certdir();
+char *config_get_saslpath();
 char **config_get_errorlog_list();
 char **config_get_accesslog_list();
 char **config_get_auditlog_list();

+ 10 - 10
ldap/servers/slapd/saslbind.c

@@ -552,15 +552,21 @@ static int ids_sasl_canon_user(
 }
 
 #ifdef CYRUS_SASL
-#if !defined(LINUX)
 static int ids_sasl_getpluginpath(sasl_conn_t *conn, const char **path)
 {
-    static char *pluginpath = "../../../lib/sasl2";
+    /* Try to get path from config, otherwise check for SASL_PATH environment
+     * variable.  If neither of these are set, just default to /usr/lib/sasl2
+     */
+    char *pluginpath = config_get_saslpath();
+    if ((!pluginpath) || (*pluginpath == '\0')) {
+        if (!(pluginpath = getenv("SASL_PATH"))) {
+            pluginpath = "/usr/lib/sasl2";
+        }
+    }
     *path = pluginpath;
     return SASL_OK;
 }
 #endif
-#endif
 
 static sasl_callback_t ids_sasl_callbacks[] =
 {
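Review bot: The string returned by `config_get_saslpath()` is presumably a heap copy (the getter calls `config_copy_strval`) and is never released in ids_sasl_getpluginpath: it is handed out through `*path` on every callback, and when it is empty the pointer is simply overwritten by the `getenv` result. Resolving the path once and keeping it, as sketched below, avoids the per-call copy; this assumes the callback runs only during SASL initialisation, otherwise the one-time setup needs a lock. With the `#if !defined(LINUX)` guards removed here and in the `ids_sasl_callbacks` hunk that follows, Linux builds now always register this callback, while create_instance.c still does not write `nsslapd-saslpath` on Linux. Such instances therefore end up on `SASL_PATH` or the hard-coded `/usr/lib/sasl2`, which may not match the directory the system SASL library was built to search. Since this directory is where plug-in code is loaded from, logging the chosen path makes an unexpected environment-supplied value visible.

```c
static int ids_sasl_getpluginpath(sasl_conn_t *conn, const char **path)
{
    /* Resolved once and kept for the life of the process, so the copy
     * obtained from the config is not re-allocated on every callback.
     */
    static char *pluginpath = NULL;

    if (pluginpath == NULL) {
        char *cfgpath = config_get_saslpath();

        if (cfgpath && *cfgpath != '\0') {
            pluginpath = cfgpath;
        } else {
            /* release the empty copy before falling back */
            slapi_ch_free((void **)&cfgpath);
            if (!(pluginpath = getenv("SASL_PATH"))) {
                pluginpath = "/usr/lib/sasl2";
            }
        }
        LDAPDebug(LDAP_DEBUG_TRACE, "SASL plug-in path: %s\n", pluginpath, 0, 0);
    }
    /* … unchanged: *path assignment and return SASL_OK … */
```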
@@ -589,17 +595,11 @@ static sasl_callback_t ids_sasl_callbacks[] =
       NULL
     },
 #ifdef CYRUS_SASL
-    /* On Linux: we use system sasl and plugins are found in the default path
-     * /usr/lib/sasl2
-     * On other platforms: we need to tell cyrus sasl where they are localted.
-     */
-#if !defined(LINUX)
     {
       SASL_CB_GETPATH,
       (IFP) ids_sasl_getpluginpath,
       NULL
     },
-#endif
 #endif
     {
       SASL_CB_LIST_END,
@@ -751,7 +751,7 @@ char **ids_sasl_listmech(Slapi_PBlock *pb)
     }
     PR_Unlock(pb->pb_conn->c_mutex);
 
-    LDAPDebug( LDAP_DEBUG_TRACE, ">= ids_sasl_listmech\n", 0, 0, 0 );
+    LDAPDebug( LDAP_DEBUG_TRACE, "<= ids_sasl_listmech\n", 0, 0, 0 );
 
     return ret;
 }

+ 2 - 0
ldap/servers/slapd/slap.h

@@ -1711,6 +1711,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_LOCKDIR_ATTRIBUTE "nsslapd-lockdir"
 #define CONFIG_TMPDIR_ATTRIBUTE "nsslapd-tmpdir"
 #define CONFIG_CERTDIR_ATTRIBUTE "nsslapd-certdir"
+#define CONFIG_SASLPATH_ATTRIBUTE "nsslapd-saslpath"
 #define CONFIG_SSLCLIENTAUTH_ATTRIBUTE "nsslapd-SSLclientAuth"
 #define CONFIG_SSL_CHECK_HOSTNAME_ATTRIBUTE "nsslapd-ssl-check-hostname"
 #define CONFIG_HASH_FILTERS_ATTRIBUTE "nsslapd-hash-filters"
@@ -1888,6 +1889,7 @@ typedef struct _slapdFrontendConfig {
   char *lockdir;    /* full path name of directory containing lock files */
   char *tmpdir;     /* full path name of directory containing tmp files */
   char *certdir;    /* full path name of directory containing cert files */
+  char *saslpath;   /* full path name of directory containing sasl plugins */
   int attrname_exceptions;  /* if true, allow questionable attribute names */
   int rewrite_rfc1274;		/* return attrs for both v2 and v3 names */
   char *schemareplace;		/* see CONFIG_SCHEMAREPLACE_* #defines below */