From: Thomas Reim <reimth@xxxxxxxxx>
Please find in the following how the provide patch would be changed
after review:
---
modules/cyrus-sasl.c | 70 +++++++++++++++++++++++--------------------
modules/lookup_ldap.c | 57 ++++++++++++++++++++++++-----------
2 files changed, 77 insertions(+), 50 deletions(-)
diff --git a/modules/cyrus-sasl.c b/modules/cyrus-sasl.c
index 0c4ee58..ee350be 100644
--- a/modules/cyrus-sasl.c
+++ b/modules/cyrus-sasl.c
@@ -243,35 +243,40 @@ typedef struct autofs_ldap_sasl_defaults_s {
} ldapSASLdefaults;
-void
-autofs_ldap_sasl_freedefs(void *defaults)
+void autofs_ldap_sasl_freedefs(void *defaults)
{
ldapSASLdefaults *defs = defaults;
assert(defs != NULL);
- if (defs->mech) ber_memfree(defs->mech);
- if (defs->realm) ber_memfree(defs->realm);
- if (defs->authcid) ber_memfree(defs->authcid);
- if (defs->passwd) ber_memfree(defs->passwd);
- if (defs->authzid) ber_memfree(defs->authzid);
+ if (defs->mech)
+ ber_memfree(defs->mech);
+ if (defs->realm)
+ ber_memfree(defs->realm);
+ if (defs->authcid)
+ ber_memfree(defs->authcid);
+ if (defs->passwd)
+ ber_memfree(defs->passwd);
+ if (defs->authzid)
+ ber_memfree(defs->authzid);
ber_memfree(defs);
}
void *
autofs_ldap_sasl_defaults(LDAP *ld,
- char *mech,
- char *realm,
- char *authcid,
- char *passwd,
- char *authzid)
+ char *mech,
+ char *realm,
+ char *authcid,
+ char *passwd,
+ char *authzid)
{
ldapSASLdefaults *defaults;
defaults = ber_memalloc(sizeof(ldapSASLdefaults));
- if (defaults == NULL) return NULL;
+ if (defaults == NULL)
+ return NULL;
defaults->mech = mech ? ber_strdup(mech) : NULL;
defaults->realm = realm ? ber_strdup(realm) : NULL;
@@ -279,26 +284,22 @@ autofs_ldap_sasl_defaults(LDAP *ld,
defaults->passwd = passwd ? ber_strdup(passwd) : NULL;
defaults->authzid = authzid ? ber_strdup(authzid) : NULL;
- if (defaults->mech == NULL) {
+ if (defaults->mech == NULL)
ldap_get_option(ld, LDAP_OPT_X_SASL_MECH, &defaults->mech);
- }
- if (defaults->realm == NULL) {
- ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &defaults->realm);
- }
- if (defaults->authcid == NULL) {
+ if (defaults->realm == NULL)
+ ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &defaults->realm);
+ if (defaults->authcid == NULL)
ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHCID, &defaults->authcid);
- }
- if (defaults->authzid == NULL) {
+ if (defaults->authzid == NULL)
ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHZID, &defaults->authzid);
- }
return defaults;
}
static int
interaction(unsigned flags,
- sasl_interact_t *interact,
- ldapSASLdefaults *defaults)
+ sasl_interact_t *interact,
+ ldapSASLdefaults *defaults)
{
switch (interact->id) {
case SASL_CB_GETREALM:
@@ -346,14 +347,15 @@ interaction(unsigned flags,
return LDAP_SUCCESS;
}
-int autofs_ldap_sasl_interact(LDAP *ld,
- unsigned flags,
- void *defaults,
- void *interact)
+int
+autofs_ldap_sasl_interact(LDAP *ld,
+ unsigned flags,
+ void *defaults,
+ void *interact)
{
- int rc = LDAP_SUCCESS;
- sasl_interact_t *in = (sasl_interact_t*) interact;
ldapSASLdefaults *deflts = (ldapSASLdefaults*) defaults;
+ sasl_interact_t *in = (sasl_interact_t*) interact;
+ int rc = LDAP_SUCCESS;
if (!ld)
return LDAP_PARAM_ERROR;
@@ -364,14 +366,15 @@ int autofs_ldap_sasl_interact(LDAP *ld,
case SASL_CB_ECHOPROMPT:
return LDAP_UNAVAILABLE;
default:
- int rc = interaction(flags, in, deflts);
- if (rc) return rc;
+ rc = interaction(flags, in, deflts);
+ if (rc)
+ return rc;
break;
}
in++;
}
- return LDAP_SUCCESS;
+ return rc;
}
#endif
@@ -1131,6 +1134,7 @@ void autofs_sasl_dispose(struct ldap_conn *conn, struct lookup_context *ctxt)
fatal(status);
return;
}
+
#ifndef WITH_LDAP_CYRUS_SASL
if (conn && conn->sasl_conn) {
sasl_dispose(&conn->sasl_conn);
diff --git a/modules/lookup_ldap.c b/modules/lookup_ldap.c
index 68b42d4..5f10498 100644
--- a/modules/lookup_ldap.c
+++ b/modules/lookup_ldap.c
@@ -580,14 +580,18 @@ static int do_bind(unsigned logopt, struct ldap_conn *conn,
#ifdef WITH_SASL
#ifdef WITH_LDAP_CYRUS_SASL
+ unsigned int sasl_flags = LDAP_SASL_AUTOMATIC;
LDAP_SASL_INTERACT_PROC *proc = NULL;
LDAPMessage *ldap_res = NULL;
- void *defaults;
const char *chosen_mech = NULL;
const char *rmech = NULL;
- unsigned sasl_flags = LDAP_SASL_AUTOMATIC;
- int msgid, err;
+ char *part_dn = NULL;
char *info = NULL;
+ int msgid, err;
+ void *defaults;
+ char *data;
+ ber_len_t *ssf;
+
#endif
debug(logopt, MODPREFIX "auth_required: %d, sasl_mech %s",
ctxt->auth_required, ctxt->sasl_mech);
@@ -620,11 +624,15 @@ static int do_bind(unsigned logopt, struct ldap_conn *conn,
* auth mechanism.
*/
- defaults = autofs_ldap_sasl_defaults(conn->ldap, ctxt->sasl_mech, NULL, ctxt->user, ctxt->secret, NULL);
+ defaults = autofs_ldap_sasl_defaults(conn->ldap, ctxt->sasl_mech, NULL,
+ ctxt->user, ctxt->secret, NULL);
do {
- rv = ldap_sasl_interactive_bind(conn->ldap, NULL, ctxt->sasl_mech,
- NULL, NULL, sasl_flags, autofs_ldap_sasl_interact, defaults,
- ldap_res, &rmech, &msgid);
+ rv = ldap_sasl_interactive_bind(conn->ldap, NULL,
+ ctxt->sasl_mech, NULL, NULL,
+ sasl_flags,
+ autofs_ldap_sasl_interact,
+ defaults, ldap_res,
+ &rmech, &msgid);
if (rmech) {
chosen_mech = rmech;
}
@@ -632,6 +640,7 @@ static int do_bind(unsigned logopt, struct ldap_conn *conn,
break;
ldap_msgfree(ldap_res);
+ ldap_res = NULL;
if (ldap_result(conn->ldap, msgid, LDAP_MSG_ALL, NULL, &ldap_res) == -1 || !ldap_res) {
ldap_get_option(conn->ldap, LDAP_OPT_RESULT_CODE, (void*)&err);
@@ -640,6 +649,7 @@ static int do_bind(unsigned logopt, struct ldap_conn *conn,
err);
debug(logopt, "ldap_sasl_interactive_bind: %s", info);
ldap_memfree(info);
+ ldap_msgfree(ldap_res);
return 0;
}
} while ( rv == LDAP_SASL_BIND_IN_PROGRESS );
@@ -652,31 +662,44 @@ static int do_bind(unsigned logopt, struct ldap_conn *conn,
rv);
debug(logopt, "ldap_sasl_interactive_bind: %s", info);
ldap_memfree(info);
+ ldap_msgfree(ldap_res);
return 0;
}
+ /* Parse the result and check for errors, then free result */
+ if (ldap_res) {
+ rv = ldap_parse_result(conn->ldap, ldap_res, &err, &part_dn, &info, NULL, NULL, 1);
+ if ( rv != LDAP_SUCCESS ) {
+ error(logopt,
+ MODPREFIX "ldap_sasl_interactive_bind parse result failed with error %d",
+ err);
+ debug(logopt, "ldap_sasl_interactive_bind matched DN: %s", part_dn);
+ debug(logopt, "ldap_sasl_interactive_bind parse result: %s", info);
+ ldap_memfree(info);
+ ldap_memfree(part_dn);
+ return 0;
+ }
+ }
+ if (info)
+ ldap_memfree(info);
+ if (part_dn)
+ ldap_memfree(part_dn);
/* Conversation was completed successfully by now */
- char *data;
- ber_len_t *ssf;
result = ldap_get_option(conn->ldap, LDAP_OPT_X_SASL_USERNAME, &data);
- if (result == LDAP_OPT_SUCCESS && data && *data) {
+ if (result == LDAP_OPT_SUCCESS && data && *data)
debug(logopt, "SASL username: %s", data );
- }
data = NULL;
result = ldap_get_option(conn->ldap, LDAP_OPT_X_SASL_AUTHCID, &data);
- if (result == LDAP_OPT_SUCCESS && data && *data) {
+ if (result == LDAP_OPT_SUCCESS && data && *data)
debug(logopt, "SASL authcid: %s", data);
- }
data = NULL;
result = ldap_get_option(conn->ldap, LDAP_OPT_X_SASL_AUTHZID, &data);
- if (result == LDAP_OPT_SUCCESS && data && *data) {
+ if (result == LDAP_OPT_SUCCESS && data && *data)
debug(logopt, "SASL authzid: %s", data);
- }
ssf = NULL;
result = ldap_get_option(conn->ldap, LDAP_OPT_X_SASL_SSF, &ssf);
- if (result == LDAP_OPT_SUCCESS && ssf) {
+ if (result == LDAP_OPT_SUCCESS && ssf)
debug(logopt, "SASL SSF: %lu", (unsigned long) ssf);
- }
debug(logopt, "sasl bind with mechanism %s succeeded",
chosen_mech);
--
2.37.1
