authorArthur de Jong <arthur@arthurdejong.org>2008-06-14 11:31:30 +0000
committerArthur de Jong <arthur@arthurdejong.org>2008-06-14 11:31:30 +0000
commit8c589385f918cf7ef4e0d9d9982bba3865dbfee2 (patch)
treeed16564f974e0d3594af335747919cf95ce32d79
parentbef987ec06c19ddb3f87c237e60b722941af568b (diff)
implement SASL authentication based on a patch by Dan White <dwhite@olp.net>
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-ldapd@762 ef36b2f9-881f-0410-afb5-c4e39611909c
-rw-r--r--AUTHORS1
-rw-r--r--configure.ac7
-rw-r--r--man/nss-ldapd.conf.5.xml61
-rw-r--r--nslcd/cfg.c33
-rw-r--r--nslcd/cfg.h10
-rw-r--r--nslcd/myldap.c69
6 files changed, 135 insertions, 46 deletions
diff --git a/AUTHORS b/AUTHORS
index e4fe33f..2146a0e 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -74,3 +74,4 @@ Erik Schanze <eriks@debian.org>
Bart Cornelis <cobaco@skolelinux.no>
Rudy Godoy Guillén <rudy@debian.org>
Petter Reinholdtsen <pere@hungry.com>
+Dan White <dwhite@olp.net>
diff --git a/configure.ac b/configure.ac
index e263c29..f06b89c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -250,7 +250,12 @@ AC_CHECK_TYPE(struct ucred,
#include <sys/types.h>])
AC_CHECK_TYPE(sasl_interact_t,
- AC_DEFINE(HAVE_SASL_INTERACT_T,1,[Define to 1 if you have a `sasl_interact_t' definition.]))
+ AC_DEFINE(HAVE_SASL_INTERACT_T,1,[Define to 1 if you have a `sasl_interact_t' definition.]),,[
+ #ifdef HAVE_SASL_SASL_H
+ #include <sasl/sasl.h>
+ #elif defined(HAVE_SASL_H)
+ #include <sasl.h>
+ #endif])
# checks for LDAP library
save_LIBS="$LIBS"
diff --git a/man/nss-ldapd.conf.5.xml b/man/nss-ldapd.conf.5.xml
index 834029b..05661aa 100644
--- a/man/nss-ldapd.conf.5.xml
+++ b/man/nss-ldapd.conf.5.xml
@@ -176,11 +176,10 @@
<para>
Specifies the clear text credentials with which to bind.
This option is only applicable when used with <option>binddn</option> above.
- </para>
- <para>
- When binding to the directory using <acronym>SASL</acronym> or other
- authentication mechanisms apart from simple binds, this option is not
- used.
+<!-- WHEN SASL IS DOCUMENTED:
+ This option is only applicable when either the <option>binddn</option> or
+ <option>sasl_authcid</option> options are used.
+-->
</para>
</listitem>
</varlistentry>
@@ -194,32 +193,64 @@
<variablelist>
<varlistentry>
- <term><option>sasl_authid</option> <emphasis remap="I">AUTHID</emphasis></term>
+ <term><option>use_sasl</option> yes|no</term>
<listitem>
<para>
- Specifies the authorization identity to be used when performing <acronym>SASL</acronym>
- authentication.
+ Specifies whether <acronym>SASL</acronym> authentication should be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term><option>sasl_secprops</option> <emphasis remap="I">PROPERTIES</emphasis></term>
+ <term><option>sasl_mech</option> <emphasis remap="I">MECHANISM</emphasis></term>
<listitem>
<para>
- Specifies Cyrus <acronym>SASL</acronym> security properties. Allowed values are described
- in the
- <citerefentry><refentrytitle>ldap.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- manual page.
+ Specifies the <acronym>SASL</acronym> mechanism to be used when
+ performing <acronym>SASL</acronym> authentication.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term><option>use_sasl</option> yes|no</term>
+ <term><option>sasl_realm</option> <emphasis remap="I">REALM</emphasis></term>
<listitem>
<para>
- Specifies whether <acronym>SASL</acronym> authentication should be used.
+ Specifies the <acronym>SASL</acronym> realm to be used when performing
+ <acronym>SASL</acronym> authentication.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>sasl_authcid</option> <emphasis remap="I">AUTHCID</emphasis></term>
+ <listitem>
+ <para>
+ Specifies the authentication identity to be used when performing
+ <acronym>SASL</acronym> authentication.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>sasl_authzid</option> <emphasis remap="I">AUTHZID</emphasis></term>
+ <listitem>
+ <para>
+ Specifies the authorization identity to be used when performing
+ <acronym>SASL</acronym> authentication.
+ Must be specified in one of the formats: dn:&lt;distinguished name&gt;
+ or u:&lt;username&gt;.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>sasl_secprops</option> <emphasis remap="I">PROPERTIES</emphasis></term>
+ <listitem>
+ <para>
+ Specifies Cyrus <acronym>SASL</acronym> security properties.
+ Allowed values are described in the
+ <citerefentry><refentrytitle>ldap.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ manual page.
</para>
</listitem>
</varlistentry>
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index 920b5b8..9b26093 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -81,8 +81,11 @@ static void cfg_defaults(struct ldap_config *cfg)
#endif /* not LDAP_VERSION3 */
cfg->ldc_binddn=NULL;
cfg->ldc_bindpw=NULL;
- cfg->ldc_saslid=NULL;
+ cfg->ldc_sasl_authcid=NULL;
+ cfg->ldc_sasl_authzid=NULL;
cfg->ldc_sasl_secprops=NULL;
+ cfg->ldc_sasl_mech=NULL;
+ cfg->ldc_sasl_realm=NULL;
cfg->ldc_usesasl=0;
cfg->ldc_base=NULL;
cfg->ldc_scope=LDAP_SCOPE_SUBTREE;
@@ -694,21 +697,39 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
get_restdup(filename,lnr,keyword,&line,&cfg->ldc_bindpw);
}
/* SASL authentication options */
- else if (strcasecmp(keyword,"sasl_authid")==0)
+ else if (strcasecmp(keyword,"sasl_authcid")==0)
{
- log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
- get_strdup(filename,lnr,keyword,&line,&cfg->ldc_saslid);
+ log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
+ get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_authcid);
+ get_eol(filename,lnr,keyword,&line);
+ }
+ else if (strcasecmp(keyword,"sasl_authzid")==0)
+ {
+ log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
+ get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_authzid);
+ get_eol(filename,lnr,keyword,&line);
+ }
+ else if (strcasecmp(keyword,"sasl_mech")==0)
+ {
+ log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
+ get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_mech);
+ get_eol(filename,lnr,keyword,&line);
+ }
+ else if (strcasecmp(keyword,"sasl_realm")==0)
+ {
+ log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
+ get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_realm);
get_eol(filename,lnr,keyword,&line);
}
else if (strcasecmp(keyword,"sasl_secprops")==0)
{
- log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
+ log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
get_strdup(filename,lnr,keyword,&line,&cfg->ldc_sasl_secprops);
get_eol(filename,lnr,keyword,&line);
}
else if (strcasecmp(keyword,"use_sasl")==0)
{
- log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
+ log_log(LOG_WARNING,"%s:%d: option %s is currently not fully supported (please report any successes)",filename,lnr,keyword);
get_boolean(filename,lnr,keyword,&line,&cfg->ldc_usesasl);
get_eol(filename,lnr,keyword,&line);
}
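Review bot: The new `sasl_authzid` branch stores the value with `get_strdup` and never checks the `dn:`/`u:` prefix that the man page in this same commit declares mandatory, so a malformed identity is only rejected later inside the SASL exchange with a far less specific error. A check right after the strdup would report it with file and line, e.g. `if (strncmp(cfg->ldc_sasl_authzid,"dn:",3)!=0 && strncmp(cfg->ldc_sasl_authzid,"u:",2)!=0) log_log(LOG_ERR,"%s:%d: %s must start with dn: or u:",filename,lnr,keyword);` — how cfg_read treats fatal parse errors is not visible in this hunk, so the follow-up action should match the file's existing convention. As a point of style, the identical "currently not fully supported" warning is now repeated verbatim in five branches; a single `log_log` guarded by `strncasecmp(keyword,"sasl_",5)==0 || strcasecmp(keyword,"use_sasl")==0` before the chain would keep the message in one place. cfg_read continues outside the hunk.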
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index 981af28..a6edb47 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -87,10 +87,16 @@ struct ldap_config
char *ldc_binddn;
/* bind cred */
char *ldc_bindpw;
- /* sasl auth id */
- char *ldc_saslid;
+ /* sasl authentication id */
+ char *ldc_sasl_authcid;
+ /* sasl authorization id */
+ char *ldc_sasl_authzid;
/* sasl security */
char *ldc_sasl_secprops;
+ /* sasl mech */
+ char *ldc_sasl_mech;
+ /* sasl realm */
+ char *ldc_sasl_realm;
/* do we use sasl when binding? */
int ldc_usesasl;
/* base DN, eg. dc=gnu,dc=org */
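Review bot: The comments on the new fields (`/* sasl mech */`, `/* sasl realm */`) say no more than the field names do, and the unchanged `/* bind cred */` on `ldc_bindpw` no longer tells the whole story, since the myldap.c change in this commit also hands that value to the `SASL_CB_PASS` callback and, without `sasl_interact_t`, as the SASL bind credential. I would write `/* SASL mechanism name passed to the SASL bind (NULL: not configured) */` for `ldc_sasl_mech`, `/* SASL realm returned for SASL_CB_GETREALM */` for `ldc_sasl_realm`, and `/* bind cred (also used as the SASL password) */` for `ldc_bindpw`. The struct definition continues outside the hunk.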
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index f2c8062..6a05b53 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -310,26 +310,43 @@ PURE static inline int is_valid_entry(MYLDAP_ENTRY *entry)
/* this is registered with ldap_sasl_interactive_bind_s() in do_bind() */
static int do_sasl_interact(LDAP UNUSED(*ld),unsigned UNUSED(flags),void *defaults,void *_interact)
{
- char *authzid=(char *)defaults;
- sasl_interact_t *interact=(sasl_interact_t *)_interact;
+ struct ldap_config *cfg=defaults;
+ sasl_interact_t *interact=_interact;
while (interact->id!=SASL_CB_LIST_END)
{
- if (interact->id!=SASL_CB_USER)
- return LDAP_PARAM_ERROR;
- if (authzid!=NULL)
+ switch(interact->id)
{
- interact->result=authzid;
- interact->len=strlen(authzid);
- }
- else if (interact->defresult!=NULL)
- {
- interact->result=interact->defresult;
- interact->len=strlen(interact->defresult);
- }
- else
- {
- interact->result="";
- interact->len=0;
+ case SASL_CB_GETREALM:
+ if (cfg->ldc_sasl_realm)
+ {
+ interact->result=cfg->ldc_sasl_realm;
+ interact->len=strlen(cfg->ldc_sasl_realm);
+ }
+ break;
+ case SASL_CB_AUTHNAME:
+ if (cfg->ldc_sasl_authcid)
+ {
+ interact->result=cfg->ldc_sasl_authcid;
+ interact->len=strlen(cfg->ldc_sasl_authcid);
+ }
+ break;
+ case SASL_CB_USER:
+ if (cfg->ldc_sasl_authzid)
+ {
+ interact->result=cfg->ldc_sasl_authzid;
+ interact->len=strlen(cfg->ldc_sasl_authzid);
+ }
+ break;
+ case SASL_CB_PASS:
+ if (cfg->ldc_bindpw)
+ {
+ interact->result=cfg->ldc_bindpw;
+ interact->len=strlen(cfg->ldc_bindpw);
+ }
+ break;
+ default:
+ /* just ignore */
+ break;
}
interact++;
}
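Review bot: The fallback to `interact->defresult` (and finally to `""`) that the removed code applied is gone: each new `case` only assigns `result`/`len` when the config value is non-NULL and otherwise leaves the prompt untouched, and unknown callback ids no longer return `LDAP_PARAM_ERROR`. Whether the library pre-initialises `result` before calling this callback is not visible here, so an unset `sasl_realm` or `sasl_authcid` now depends on caller behaviour instead of being answered explicitly. A small helper restores the old answer order while keeping the new switch, as below; the `SASL_CB_AUTHNAME`, `SASL_CB_USER` and `SASL_CB_PASS` cases take the same one-line form. do_sasl_interact's return is outside the hunk.
```c
/* answer one SASL prompt: configured value, else the library default, else "" */
static void sasl_interact_answer(sasl_interact_t *interact,const char *value)
{
  if (value==NULL)
    value=(interact->defresult!=NULL)?interact->defresult:"";
  interact->result=value;
  interact->len=strlen(value);
}
/* … unchanged: do_sasl_interact() signature, cfg/interact set-up and while loop … */
      case SASL_CB_GETREALM:
        sasl_interact_answer(interact,cfg->ldc_sasl_realm);
        break;
      /* … unchanged: SASL_CB_AUTHNAME, SASL_CB_USER, SASL_CB_PASS in the same form, default … */
```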
@@ -388,13 +405,21 @@ static int do_bind(MYLDAP_SESSION *session,const char *uri)
LDAP_SET_OPTION(session->ld,LDAP_OPT_X_SASL_SECPROPS,(void *)nslcd_cfg->ldc_sasl_secprops);
}
#ifdef HAVE_SASL_INTERACT_T
- return ldap_sasl_interactive_bind_s(session->ld,nslcd_cfg->ldc_binddn,"GSSAPI",NULL,NULL,
+ return ldap_sasl_interactive_bind_s(session->ld,nslcd_cfg->ldc_binddn,nslcd_cfg->ldc_sasl_mech,NULL,NULL,
LDAP_SASL_QUIET,
- do_sasl_interact,(void *)nslcd_cfg->ldc_saslid);
+ do_sasl_interact,(void *)nslcd_cfg);
#else /* HAVE_SASL_INTERACT_T */
- cred.bv_val=nslcd_cfg->ldc_saslid;
- cred.bv_len=strlen(nslcd_cfg->ldc_saslid);
- return ldap_sasl_bind_s(session->ld,nslcd_cfg->ldc_binddn,"GSSAPI",&cred,NULL,NULL,NULL);
+ if (nslcd_cfg->ldc_bindpw!=NULL)
+ {
+ cred.bv_val=nslcd_cfg->ldc_bindpw;
+ cred.bv_len=strlen(nslcd_cfg->ldc_bindpw);
+ }
+ else
+ {
+ cred.bv_val="";
+ cred.bv_len=0;
+ }
+ return ldap_sasl_bind_s(session->ld,NULL,nslcd_cfg->ldc_sasl_mech,&cred,NULL,NULL,NULL);
#endif /* not HAVE_SASL_INTERACT_T */
}
#endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
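Review bot: `nslcd_cfg->ldc_sasl_mech` replaces the fixed `"GSSAPI"` in both bind calls, but the cfg.c hunk in this commit defaults it to NULL and nothing checks it when `use_sasl` is on, so an administrator who enables SASL without `sasl_mech` hands a NULL mechanism to `ldap_sasl_interactive_bind_s`/`ldap_sasl_bind_s` and the mechanism actually negotiated is left to the library and server rather than chosen explicitly in the configuration. I would either keep `"GSSAPI"` as the default in cfg_defaults or refuse the combination at config-read time, e.g. `if (cfg->ldc_usesasl && cfg->ldc_sasl_mech==NULL) log_log(LOG_ERR,"%s: use_sasl requires sasl_mech",filename);` next to the other post-parse checks in cfg.c. In the `#else` branch the clear-text `ldc_bindpw` is now sent as the credential for whatever mechanism is configured and the DN argument changed from `ldc_binddn` to NULL; a comment stating that this path only makes sense for password-style mechanisms, `/* no sasl_interact_t: only password-based mechanisms can be served here */`, would save the next reader from guessing. do_bind continues outside the hunk.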