
Ticket 395 - RFE: 389-ds shouldn't advertise in the rootDSE that we can handle a sasl mech if we really can't

Bug Description:  The root DSE lists all the mechanisms the SASL library can handle (sasl_listmech), but that's
                  not necessarily what the server/co-products can support (e.g. communicating with IPA).

Fix Description:  Added new config setting to specify the SASL mechanisms that are allowed.  If none are specified,
                  then all are allowed.  This setting now impacts the SASL callback SASL_CB_GETOPT(ids_sasl_getopt), so
                  it applies to all SASL operations.  So, the root DSE information is correct, and you can now control
                  what mechanisms the server actually allows.

https://fedorahosted.org/389/ticket/395

Reviewed by: richm(Thanks!)
Mark Reynolds преди 13 години
родител
ревизия
e3aac6618a
променени са 5 файла, в които са добавени 43 реда и са изтрити 0 реда
  1. 1 0
      ldap/servers/slapd/configdse.c
  2. 36 0
      ldap/servers/slapd/libglobs.c
  3. 2 0
      ldap/servers/slapd/proto-slap.h
  4. 2 0
      ldap/servers/slapd/saslbind.c
  5. 2 0
      ldap/servers/slapd/slap.h

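--- a/ldap/servers/slapd/configdse.c
+++ b/ldap/servers/slapd/configdse.c
@@ -81,6 +81,7 @@ static const char *requires_restart[] = {
 #endif
     "cn=config:" CONFIG_RETURN_EXACT_CASE_ATTRIBUTE,
     "cn=config:" CONFIG_SCHEMA_IGNORE_TRAILING_SPACES,
+    "cn=config:nsslapd-allowed-sasl-mechanisms",
     "cn=config,cn=ldbm:nsslapd-idlistscanlimit",
     "cn=config,cn=ldbm:nsslapd-parentcheck",
     "cn=config,cn=ldbm:nsslapd-dbcachesize",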

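--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1006,6 +1006,10 @@ static struct config_get_and_set {
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.ndn_cache_max_size,
 		CONFIG_INT, (ConfigGetFunc)config_get_ndn_cache_size, DEFAULT_NDN_SIZE},
+	{CONFIG_ALLOWED_SASL_MECHS, config_set_allowed_sasl_mechs,
+		NULL, 0,
+		(void**)&global_slapdFrontendConfig.allowed_sasl_mechs,
+		CONFIG_STRING, (ConfigGetFunc)config_get_allowed_sasl_mechs, DEFAULT_ALLOWED_TO_DELETE_ATTRS},
 #ifdef MEMPOOL_EXPERIMENTAL
 	,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
 		NULL, 0,
@@ -1423,6 +1427,7 @@ FrontendConfig_init () {
   cfg->entryusn_import_init = slapi_ch_strdup(ENTRYUSN_IMPORT_INIT); 
   cfg->allowed_to_delete_attrs = slapi_ch_strdup("nsslapd-listenhost nsslapd-securelistenhost nsslapd-defaultnamingcontext");
   cfg->default_naming_context = NULL; /* store normalized dn */
+  cfg->allowed_sasl_mechs = NULL;
 
   init_disk_monitoring = cfg->disk_monitoring = LDAP_OFF;
   cfg->disk_threshold = 2097152;  /* 2 mb */
@@ -6555,6 +6560,37 @@ config_set_allowed_to_delete_attrs( const char *attrname, char *value,
     return retVal;
 }
 
+char *
+config_get_allowed_sasl_mechs()
+{
+    char *retVal;
+    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+    CFG_LOCK_READ(slapdFrontendConfig);
+    retVal = slapdFrontendConfig->allowed_sasl_mechs;
+    CFG_UNLOCK_READ(slapdFrontendConfig);
+
+    return retVal;
+}
+
+/* separated list of sasl mechs to allow */
+int
+config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, int apply )
+{
+    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+    if(!apply || slapdFrontendConfig->allowed_sasl_mechs){
+        /* we only set this at startup, if we try again just return SUCCESS */
+        return LDAP_SUCCESS;
+    }
+
+    CFG_LOCK_WRITE(slapdFrontendConfig);
+    slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value);
+    CFG_UNLOCK_WRITE(slapdFrontendConfig);
+
+    return LDAP_SUCCESS;
+}
+
 char *
 config_get_default_naming_context(void)
 {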
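Review bot: config_set_allowed_sasl_mechs stores whatever string arrives in `value` without looking at it, and ids_sasl_getopt (saslbind.c in this commit) hands that exact buffer to the SASL library as mech_list, so a misspelled mechanism or an unexpected delimiter is only discovered after the restart the attribute requires, as binds that fail or a mechanism set that is not what the operator intended. The struct comment in slap.h promises a comma/space separated list but nothing here normalises commas, and this page does not show which delimiter the library splits on; validating the characters before the `!apply` guard (so the validate-only pass can reject it) and folding commas to spaces in the stored copy removes both uncertainties (needs `<ctype.h>`/`<string.h>` if libglobs.c lacks them; report through errorbuf the way the other setters in this file do). Separately, the config table entry's last column is DEFAULT_ALLOWED_TO_DELETE_ATTRS, which looks copied from the entry above it; if that column seeds or resets the attribute (not visible here), the mechanism list would be filled with attribute names, whereas `NULL` is what both FrontendConfig_init and the "none means all" contract expect. The getter returning the live pointer rather than a copy is only safe because the value is assigned once and never freed, so a one-line comment on config_get_allowed_sasl_mechs saying exactly that would stop the next maintainer from adding a free.
```c
int
config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, int apply )
{
    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
    char *p;

    /* RFC 4422 mechanism names are [A-Z0-9-_]; anything else apart from the
     * separators is a typo that would otherwise only surface after a restart */
    for (p = value; p && *p; p++) {
        if (!isalnum((unsigned char)*p) && !strchr("-_ ,\t", *p)) {
            /* report through errorbuf the way the other setters in this file do */
            return LDAP_OPERATIONS_ERROR;
        }
    }
    /* … unchanged: !apply / already-set guard … */
    CFG_LOCK_WRITE(slapdFrontendConfig);
    slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value);
    /* the struct comment allows commas; hand the library a single delimiter */
    for (p = slapdFrontendConfig->allowed_sasl_mechs; p && *p; p++) {
        if (*p == ',') {
            *p = ' ';
        }
    }
    CFG_UNLOCK_WRITE(slapdFrontendConfig);
    return LDAP_SUCCESS;
}
```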

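--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -549,6 +549,8 @@ int config_get_disk_logging_critical();
 int config_get_ndn_cache_count();
 size_t config_get_ndn_cache_size();
 int config_get_ndn_cache_enabled();
+char *config_get_allowed_sasl_mechs();
+int config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, int apply);
 PLHashNumber hashNocaseString(const void *key);
 PRIntn hashNocaseCompare(const void *v1, const void *v2);
 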

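--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -184,6 +184,8 @@ static int ids_sasl_getopt(
         }
     } else if (strcasecmp(option, "auxprop_plugin") == 0) {
         *result = "iDS";
+    } else if (strcasecmp(option, "mech_list") == 0){
+        *result = config_get_allowed_sasl_mechs();
     }
 
     if (*result) *len = strlen(*result);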
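Review bot: The pointer stored into `*result` on the new mech_list branch is the config's own buffer, not a copy, and whatever the SASL library does with it happens after config_get_allowed_sasl_mechs has already dropped its read lock; that is only safe because the setter in this commit assigns the value once at startup and never frees it, and nothing in saslbind.c records that dependency. I would put the invariant beside the call: `/* mech_list is the config's buffer: set once at startup, never freed, so no copy */`. When the attribute is unset the getter returns NULL and `*result` stays NULL, which the commit description says means every library mechanism stays allowed; stating that in the same comment stops someone "fixing" it with an empty string, whose meaning to the library this page does not show. ids_sasl_getopt starts and ends outside the hunk.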

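--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -2048,6 +2048,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_DISK_LOGGING_CRITICAL "nsslapd-disk-monitoring-logging-critical"
 #define CONFIG_NDN_CACHE "nsslapd-ndn-cache-enabled"
 #define CONFIG_NDN_CACHE_SIZE "nsslapd-ndn-cache-max-size"
+#define CONFIG_ALLOWED_SASL_MECHS "nsslapd-allowed-sasl-mechanisms"
 
 #ifdef MEMPOOL_EXPERIMENTAL
 #define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool"
@@ -2258,6 +2259,7 @@ typedef struct _slapdFrontendConfig {
   char *entryusn_import_init;   /* Entry USN: determine the initital value of import */
   int pagedsizelimit;
   char *default_naming_context; /* Default naming context (normalized) */
+  char *allowed_sasl_mechs;     /* comma/space separated list of allowed sasl mechs */
 
   /* disk monitoring */
   int disk_monitoring;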
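Review bot: The new field comment `/* comma/space separated list of allowed sasl mechs */` promises a delimiter the code does not enforce: config_set_allowed_sasl_mechs in this commit stores the string verbatim, and whether the SASL library's mech_list honours commas is not something this page shows. The comment also leaves out the two properties a maintainer most needs, that NULL means every library mechanism is allowed and that the value is honoured only at startup (the setter returns early once it is set). I would write `/* allowed sasl mechs, handed to the SASL library as mech_list; NULL = all; set once at startup, restart to change */` and let the setter's own comment settle the delimiter. The struct continues outside the hunk.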