Re: ITS#3845
Howard Chu wrote:
> I've started patching HEAD but there's another issue. It's *possible*
> (though very unlikely) that SASL will be retrieving other values
> besides userPassword. So, after we stuff in the rootpw, we still have
> to fall through to the regular search operation. If an entry exists
> for the rootdn, we should return whatever other attributes are
> requested. And we have to take care not to store any userPassword that
> may exist in the entry. That is, the rootpw in slapd.conf takes
> precedence over any userPassword that might have been stored in the
> rootdn's entry. This is the way Simple Bind works. With the patch, the
> slapd.conf rootpw will override the rootdn entry. Then both Simple
> Bind and SASL Bind will have consistent behavior, which I think is the
> Right Thing.
This is now patched in HEAD, please test.
>
> Jason Townsend wrote:
>> On Aug 12, 2005, at 12:54 PM, Howard Chu wrote:
>>> Jason Townsend wrote:
>>>> On Aug 12, 2005, at 11:21 AM, Howard Chu wrote:
>>>>> I didn't have time to get this in yet, we'll probably miss the
>>>>> 2.3.5 release. Sorry about that.
>>>>
>>>> Maybe I can take a crack at a better implementation of this based
>>>> on your refinement of my other patch... how much time do I have
>>>> before the 2.3.5 release?
>>>>
>>>> -Jason
>>>>
>>> It will probably be released tomorrow, the RE23 branch is being
>>> tested now.
>>
>> I can't test this at the moment as CVS HEAD is not building for me...
>> I guess I may try grabbing the RE23 branch to see if that's any
>> better. Let me know what you think.
>>
>> -Jason
>>
>> Index: servers/slapd/sasl.c
>> ===================================================================
>> RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/sasl.c,v
>> retrieving revision 1.229
>> diff -w -u -b -r1.229 sasl.c
>> --- servers/slapd/sasl.c 1 Aug 2005 00:16:02 -0000 1.229
>> +++ servers/slapd/sasl.c 12 Aug 2005 22:44:06 -0000
>> @@ -259,6 +259,7 @@
>> int i, doit = 0;
>> Connection *conn = NULL;
>> lookup_info sl;
>> + struct berval cbv = BER_BVNULL;
>> sl.list = sparams->utils->prop_get( sparams->propctx );
>> sl.sparams = sparams;
>> @@ -318,7 +319,37 @@
>> op.o_bd = select_backend( &op.o_req_ndn, 0, 1 );
>> - if ( op.o_bd && op.o_bd->be_search ) {
>> + if ( op.o_bd && be_isroot_dn( op.o_bd, &op.o_req_ndn
>> ) && ( op.o_bd->be_rootpw.bv_len > 0 ) ) {
>> + if ( ( lutil_passwd_scheme(
>> op.o_bd->be_rootpw.bv_val )) {
>> + if ( !strncasecmp(
>> op.o_bd->be_rootpw.bv_val, sc_cleartext.bv_val,
>> + sc_cleartext.bv_len )) {
>> + cbv.bv_len =
>> op.o_bd->be_rootpw.bv_len - sc_cleartext.bv_len;
>> + if ( cbv.bv_len ) {
>> + cbv.bv_val =
>> op.o_bd->be_rootpw.bv_val + sc_cleartext.bv_len;
>> +
>> sl->sparams->utils->prop_set( sl->sparams->propctx,
>> +
>> sl->list[i].name, cbv.bv_val, cbv.bv_len );
>> + }
>> + }
>> + } else {
>> + cbv = op.o_bd->be_rootpw;
>> + }
>> + if ( cbv.bv_val ) {
>> + for( i = 0; sl.list[i].name; i++ ) {
>> + const char *name =
>> sl.list[i].name;
>> +
>> + if ( name[0] == '*' ) {
>> + if ( flags &
>> SASL_AUXPROP_AUTHZID ) continue;
>> + name++;
>> + } else if ( !(flags &
>> SASL_AUXPROP_AUTHZID ) )
>> + continue;
>> +
>> + if (
>> !strcasecmp(name,"userPassword") )
>> +
>> sl.sparams->utils->prop_set( sl.sparams->propctx,
>> +
>> sl.list[i].name, cbv.bv_val, cbv.bv_len );
>> + }
>> + }
>> + }
>> + if ( ( cbv.bv_val == NULL ) && op.o_bd &&
>> op.o_bd->be_search ) {
>> SlapReply rs = {REP_RESULT};
>> op.o_hdr = conn->c_sasl_bindop->o_hdr;
>> op.o_tag = LDAP_REQ_SEARCH;
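Review bot: the prop_set at the end of the {CLEARTEXT} branch (`sl->sparams->utils->prop_set( sl->sparams->propctx, sl->list[i].name, cbv.bv_val, cbv.bv_len )`) will not compile as written: `sl` is declared as `lookup_info sl;` and is accessed as `sl.list` / `sl.sparams` everywhere else in the hunk, and `i` has not been assigned at that point. The `if ( cbv.bv_val )` loop that follows already performs the same prop_set for every matching property name, so the inner call can simply be removed. Two behavioural points also stand out: because the search is only entered when `cbv.bv_val == NULL`, any property other than userPassword that SASL requested is never filled from the rootdn's entry once the rootpw has been stuffed in, and when rootpw carries a scheme other than {CLEARTEXT} cbv stays NULL, so the fall-through search can still hand SASL a userPassword from the rootdn's entry and the slapd.conf value does not take precedence in that case. Always falling through to the search and discarding the entry's userPassword whenever a rootpw applies would keep SASL bind consistent with simple bind.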
>>
>>
>>
>
>
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/