[Fedora-directory-commits] ldapserver/ldap/servers/slapd saslbind.c, 1.9.2.4, 1.9.2.5
Noriko Hosoi (nhosoi)
fedora-directory-commits at redhat.com
Thu Jan 10 01:12:21 UTC 2008
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv25575/servers/slapd
Modified Files:
Tag: Directory71RtmBranch
saslbind.c
Log Message:
Resolves: #311851
Summary: Remove hard-coded SASL mappings and replace with regex mappings
Description: applied the patch to Directory71RtmBranch
Index: saslbind.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/saslbind.c,v
retrieving revision 1.9.2.4
retrieving revision 1.9.2.5
diff -u -r1.9.2.4 -r1.9.2.5
--- saslbind.c 14 Mar 2006 19:36:23 -0000 1.9.2.4
+++ saslbind.c 10 Jan 2008 01:12:18 -0000 1.9.2.5
@@ -300,115 +300,56 @@
)
{
int found = 0;
- unsigned fsize = 0, ulen, rlen = 0;
int attrsonly = 0, scope = LDAP_SCOPE_SUBTREE;
- char filter[1024], *fptr = filter;
LDAPControl **ctrls = NULL;
Slapi_Entry *entry = NULL;
Slapi_DN *sdn;
char **attrs = NULL;
- char *userattr = "uid", *realmattr = NULL, *ufilter = NULL;
- void *node;
int regexmatch = 0;
- char *regex_ldap_search_base = NULL;
- char *regex_ldap_search_filter = NULL;
+ char *base = NULL;
+ char *filter = NULL;
- /* TODO: userattr & realmattr should be configurable */
- /*
- * Check for dn: prefix. See RFC 2829 section 9.
- */
- if (strncasecmp(user, "dn:", 3) == 0) {
- sprintf(fptr, "(objectclass=*)");
- scope = LDAP_SCOPE_BASE;
- ids_sasl_user_search((char*)user+3, scope, filter,
+ /* Check for wildcards in the authid and realm. If we encounter one,
+ * just fail the mapping without performing a costly internal search. */
+ if (user && strchr(user, '*')) {
+ LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search encountered a wildcard in "
+ "the authid. Not attempting to map to entry. (authid=%s)\n", user, 0, 0);
+ return NULL;
+ } else if (user_realm && strchr(user_realm, '*')) {
+ LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search encountered a wildcard in "
+ "the realm. Not attempting to map to entry. (realm=%s)\n", user_realm, 0, 0);
+ return NULL;
+ }
+
+ /* New regex-based identity mapping */
+ regexmatch = sasl_map_domap((char*)user, (char*)user_realm, &base, &filter);
+ if (regexmatch) {
+ ids_sasl_user_search(base, scope, filter,
ctrls, attrs, attrsonly,
&entry, &found);
- } else {
- int offset = 0;
- if (strncasecmp(user,"u:",2) == 0 )
- offset = 2;
- /* TODO: quote the filter values */
-
- /* New regex-based identity mapping : we call it here before the old code.
- * If there's a match, we skip the old way, otherwise we plow ahead for backwards compatibility reasons
- */
- regexmatch = sasl_map_domap((char*)user, (char*)user_realm, ®ex_ldap_search_base, ®ex_ldap_search_filter);
- if (regexmatch) {
-
- ids_sasl_user_search(regex_ldap_search_base, scope, regex_ldap_search_filter,
- ctrls, attrs, attrsonly,
- &entry, &found);
-
- /* Free the filter etc */
- slapi_ch_free((void**)®ex_ldap_search_base);
- slapi_ch_free((void**)®ex_ldap_search_filter);
- } else {
-
- /* Ensure no buffer overflow. */
- /* We don't know what the upper limits on username and
- * realm lengths are. There don't seem to be any defined
- * in the relevant standards. We may find in the future
- * that a 1K buffer is insufficient for some mechanism,
- * but it seems unlikely given that the values are exposed
- * to the end user.
- */
- ulen = strlen(user+offset);
- fsize += strlen(userattr) + ulen;
- if (realmattr && user_realm) {
- rlen = strlen(user_realm);
- fsize += strlen(realmattr) + rlen;
- }
- if (ufilter) fsize += strlen(ufilter);
- fsize += 100; /* includes a good safety margin */
- if (fsize > 1024) {
- LDAPDebug(LDAP_DEBUG_ANY, "sasl user name and/or realm too long"
- " (ulen=%u, rlen=%u)\n", ulen, rlen, 0);
- return NULL;
- }
-
- /* now we can safely write the filter */
- sprintf(fptr, "(&(%s=%s)", userattr, user+offset);
- fptr += strlen(fptr);
- if (realmattr && user_realm) {
- sprintf(fptr, "(%s=%s)", realmattr, user_realm);
- fptr += strlen(fptr);
- }
- if (ufilter) {
- if (*ufilter == '(') {
- sprintf(fptr, "%s", ufilter);
- } else {
- sprintf(fptr, "(%s)", ufilter);
- }
- fptr += strlen(fptr);
- }
- sprintf(fptr, ")");
-
- /* iterate through the naming contexts */
- for (sdn = slapi_get_first_suffix(&node, 0); sdn != NULL;
- sdn = slapi_get_next_suffix(&node, 0)) {
-
- ids_sasl_user_search((char*)slapi_sdn_get_dn(sdn), scope, filter,
- ctrls, attrs, attrsonly,
- &entry, &found);
+ if (found == 1) {
+ LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search found this entry: dn:%s, "
+ "matching filter=%s\n", entry->e_sdn.dn, filter, 0);
+ } else if (found == 0) {
+ LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search found no entries matching "
+ "filter=%s\n", filter, 0, 0);
+ } else {
+ LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search found more than one entry "
+ "matching filter=%s\n", filter, 0, 0);
+ if (entry) {
+ slapi_entry_free(entry);
+ entry = NULL;
}
}
- }
- if (found == 1) {
- LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search found this entry: dn:%s, matching filter=%s\n", entry->e_sdn.dn, filter, 0);
- return entry;
- }
-
- if (found == 0) {
- LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search found no entries matching filter=%s\n", filter, 0, 0);
- } else {
- LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search found more than one entry matching filter=%s\n", filter, 0, 0);
+ /* Free the filter etc */
+ slapi_ch_free_string(&base);
+ slapi_ch_free_string(&filter);
}
- if (entry) slapi_entry_free(entry);
- return NULL;
+ return entry;
}
static char *buf2str(const char *buf, unsigned buflen)
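Review bot: The wildcard guard added at the top of the hunk rejects only `*` in the authid and realm, but `(`, `)` and `\` are equally significant in an LDAP search filter, so unless `sasl_map_domap` (outside this hunk) escapes the substituted values they can still reshape the filter passed to `ids_sasl_user_search`; the removed code carried a "TODO: quote the filter values" that this rewrite drops without resolving. The cheapest equivalent check is to widen both guards, e.g. `if (user && strpbrk(user, "*()\\"))` and `else if (user_realm && strpbrk(user_realm, "*()\\"))`, or to escape the values before substitution if the branch has a helper for that. Separately, `Slapi_DN *sdn;` is still declared but the suffix loop that used it was removed, so it is now an unused local on the new side. The enclosing function's signature starts before the hunk; only its closing brace is visible here.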