[Fedora-directory-commits] ldapserver/ldap/servers/slapd saslbind.c, 1.9.2.3, 1.9.2.4 slap.h, 1.9, 1.9.2.1

Nathan Kinder (nkinder) fedora-directory-commits at redhat.com
Tue Mar 14 19:36:30 UTC 2006


Author: nkinder

Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7327

Modified Files:
      Tag: Directory71RtmBranch
	saslbind.c slap.h 
Log Message:
184585 - SASL context needs to be disposed of and a new one created when re-binding


Index: saslbind.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/saslbind.c,v
retrieving revision 1.9.2.3
retrieving revision 1.9.2.4
diff -u -r1.9.2.3 -r1.9.2.4
--- saslbind.c	4 Nov 2005 18:57:48 -0000	1.9.2.3
+++ saslbind.c	14 Mar 2006 19:36:23 -0000	1.9.2.4
@@ -854,6 +854,37 @@
 
  sasl_start:
 
+    /* Check if we are already authenticated via sasl.  If so,
+     * dispose of the current sasl_conn and create a new one
+     * using the new mechanism.  We also need to do this if the
+     * mechanism changed in the middle of the SASL authentication
+     * process. */
+    if ((pb->pb_conn->c_flags & CONN_FLAG_SASL_COMPLETE) || continuing) {
+        /* reset flag */
+        pb->pb_conn->c_flags &= ~CONN_FLAG_SASL_COMPLETE;
+
+        /* Lock the connection mutex */
+        PR_Lock(pb->pb_conn->c_mutex);
+
+        /* remove any SASL I/O from the connection */
+        sasl_io_cleanup(pb->pb_conn);
+
+        /* dispose of sasl_conn and create a new sasl_conn */
+        sasl_dispose(&sasl_conn);
+        ids_sasl_server_new(pb->pb_conn);
+        sasl_conn = (sasl_conn_t*)pb->pb_conn->c_sasl_conn;
+
+        /* Unlock the connection mutex */
+        PR_Unlock(pb->pb_conn->c_mutex);
+
+        if (sasl_conn == NULL) {
+            send_ldap_result( pb, LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL,
+                          "sasl library unavailable", 0, NULL );
+            return;
+        }
+    }
+
+
     rc = sasl_server_start(sasl_conn, mech, 
                            cred->bv_val, cred->bv_len, 
                            &sdata, &slen);
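Review bot: The flag is cleared at `pb->pb_conn->c_flags &= ~CONN_FLAG_SASL_COMPLETE;` before `PR_Lock(pb->pb_conn->c_mutex)` is taken, so if c_flags is guarded by c_mutex (the lock around the sasl_conn swap suggests connection state is), this is an unlocked read-modify-write on a shared word; the same applies to the `c_flags |= CONN_FLAG_SASL_COMPLETE` added in the next hunk. Move the clear after the lock, `PR_Lock(pb->pb_conn->c_mutex);` then `pb->pb_conn->c_flags &= ~CONN_FLAG_SASL_COMPLETE;`, and do the set in the SASL_OK case under the same mutex. `sasl_dispose(&sasl_conn)` only nulls the local copy; whether `pb->pb_conn->c_sasl_conn` is reset when `ids_sasl_server_new` fails is not visible here, so a comment on that line stating that ids_sasl_server_new is expected to overwrite c_sasl_conn (or NULL it on failure) would help, since a stale c_sasl_conn would otherwise be dereferenced on the next bind. The enclosing function starts before this hunk.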
@@ -862,6 +893,8 @@
 
     switch (rc) {
     case SASL_OK:               /* complete */
+        /* Set a flag to signify that sasl bind is complete */
+        pb->pb_conn->c_flags |= CONN_FLAG_SASL_COMPLETE;
 
         /* retrieve the authenticated username */
         if (sasl_getprop(sasl_conn, SASL_USERNAME,


Index: slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v
retrieving revision 1.9
retrieving revision 1.9.2.1
diff -u -r1.9 -r1.9.2.1
--- slap.h	19 Apr 2005 22:07:37 -0000	1.9
+++ slap.h	14 Mar 2006 19:36:23 -0000	1.9.2.1
@@ -1268,6 +1268,10 @@
 				  * Start TLS request operation. 
 				  */
 
+#define CONN_FLAG_SASL_COMPLETE 32  /* Flag set when a sasl bind has been
+                                     * successfully completed.
+                                     */
+
 
 
 #define START_TLS_OID    "1.3.6.1.4.1.1466.20037"



