|
|
61f723 |
From 22f1ff8d87a7daf9fbbe2ddfbd195a6bfdae1cd6 Mon Sep 17 00:00:00 2001
|
|
|
61f723 |
From: William Brown <firstyear@redhat.com>
|
|
|
61f723 |
Date: Tue, 14 Mar 2017 14:01:33 +1000
|
|
|
61f723 |
Subject: [PATCH 3/5] Ticket 49165 pw_verify did not handle external auth
|
|
|
61f723 |
|
|
|
61f723 |
Bug Description: During the change to improve sasl and simple bind,
|
|
|
61f723 |
we externalised the backend selection outside of do_bind. In an
|
|
|
61f723 |
auto_bind scenario however, this mean the be was null, causing the
|
|
|
61f723 |
dn to always be invalidated.
|
|
|
61f723 |
|
|
|
61f723 |
Fix Description: Add a pw_validate_be_dn function, that correctly
|
|
|
61f723 |
checks if we are anonymous, a real be dn, or rootdn. This then allows
|
|
|
61f723 |
the correct authentication of autobinds.
|
|
|
61f723 |
|
|
|
61f723 |
https://pagure.io/389-ds-base/issue/49165
|
|
|
61f723 |
|
|
|
61f723 |
Author: wibrown
|
|
|
61f723 |
|
|
|
61f723 |
Review by: mreynolds (Thanks!)
|
|
|
61f723 |
|
|
|
61f723 |
(cherry picked from commit 8dbfff1ff4152afb018490886a612c448ea2a1b0)
|
|
|
61f723 |
---
|
|
|
61f723 |
ldap/servers/slapd/bind.c | 9 +++++--
|
|
|
61f723 |
ldap/servers/slapd/dn.c | 5 ++++
|
|
|
61f723 |
ldap/servers/slapd/pw_verify.c | 57 +++++++++++++++++++++++++++++++++++++--
|
|
|
61f723 |
ldap/servers/slapd/pw_verify.h | 1 +
|
|
|
61f723 |
ldap/servers/slapd/slapi-plugin.h | 9 +++++++
|
|
|
61f723 |
5 files changed, 77 insertions(+), 4 deletions(-)
|
|
|
61f723 |
|
|
|
61f723 |
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
|
|
|
61f723 |
index b4bb363..5c4fada 100644
|
|
|
61f723 |
--- a/ldap/servers/slapd/bind.c
|
|
|
61f723 |
+++ b/ldap/servers/slapd/bind.c
|
|
|
61f723 |
@@ -656,7 +656,12 @@ do_bind( Slapi_PBlock *pb )
|
|
|
61f723 |
/* We could be serving multiple database backends. Select the appropriate one */
|
|
|
61f723 |
/* pw_verify_be_dn will select the backend we need for us. */
|
|
|
61f723 |
|
|
|
61f723 |
- rc = pw_verify_be_dn(pb, &referral);
|
|
|
61f723 |
+ if (auto_bind) {
|
|
|
61f723 |
+ /* We have no password material. We should just check who we are binding as. */
|
|
|
61f723 |
+ rc = pw_validate_be_dn(pb, &referral);
|
|
|
61f723 |
+ } else {
|
|
|
61f723 |
+ rc = pw_verify_be_dn(pb, &referral);
|
|
|
61f723 |
+ }
|
|
|
61f723 |
|
|
|
61f723 |
if (rc == SLAPI_BIND_NO_BACKEND) {
|
|
|
61f723 |
send_nobackend_ldap_result( pb );
|
|
|
61f723 |
@@ -715,7 +720,7 @@ do_bind( Slapi_PBlock *pb )
|
|
|
61f723 |
*
|
|
|
61f723 |
*/
|
|
|
61f723 |
slapi_pblock_get(pb, SLAPI_BACKEND, &be);
|
|
|
61f723 |
- if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
|
|
|
61f723 |
+ if (!isroot && !slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
|
|
|
61f723 |
bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
|
|
|
61f723 |
myrc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1);
|
|
|
61f723 |
if (1 == myrc) { /* account is locked */
|
|
|
61f723 |
diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
|
|
|
61f723 |
index d043f2a..fa3909f 100644
|
|
|
61f723 |
--- a/ldap/servers/slapd/dn.c
|
|
|
61f723 |
+++ b/ldap/servers/slapd/dn.c
|
|
|
61f723 |
@@ -1738,6 +1738,11 @@ slapi_dn_isroot( const char *dn )
|
|
|
61f723 |
return( rc );
|
|
|
61f723 |
}
|
|
|
61f723 |
|
|
|
61f723 |
+int32_t
|
|
|
61f723 |
+slapi_sdn_isroot(const Slapi_DN *sdn) {
|
|
|
61f723 |
+ return slapi_dn_isroot(slapi_sdn_get_ndn(sdn));
|
|
|
61f723 |
+}
|
|
|
61f723 |
+
|
|
|
61f723 |
int
|
|
|
61f723 |
slapi_is_rootdse( const char *dn )
|
|
|
61f723 |
{
|
|
|
61f723 |
diff --git a/ldap/servers/slapd/pw_verify.c b/ldap/servers/slapd/pw_verify.c
|
|
|
61f723 |
index 93e5ff3..529bb83 100644
|
|
|
61f723 |
--- a/ldap/servers/slapd/pw_verify.c
|
|
|
61f723 |
+++ b/ldap/servers/slapd/pw_verify.c
|
|
|
61f723 |
@@ -88,8 +88,61 @@ pw_verify_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral)
|
|
|
61f723 |
return rc;
|
|
|
61f723 |
}
|
|
|
61f723 |
|
|
|
61f723 |
+/*
|
|
|
61f723 |
+ * Resolve the dn we have been requested to bind with and verify it's
|
|
|
61f723 |
+ * valid, and has a backend.
|
|
|
61f723 |
+ *
|
|
|
61f723 |
+ * We are checking:
|
|
|
61f723 |
+ * * is this anonymous?
|
|
|
61f723 |
+ * * is this the rootdn?
|
|
|
61f723 |
+ * * is this a real dn, which associates to a real backend.
|
|
|
61f723 |
+ *
|
|
|
61f723 |
+ * This is used in SASL autobinds, so we need to handle this validation.
|
|
|
61f723 |
+ */
|
|
|
61f723 |
+
|
|
|
61f723 |
int
|
|
|
61f723 |
-pw_verify_dn()
|
|
|
61f723 |
+pw_validate_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral)
|
|
|
61f723 |
{
|
|
|
61f723 |
- return LDAP_OPERATIONS_ERROR;
|
|
|
61f723 |
+ int rc = 0;
|
|
|
61f723 |
+ Slapi_Backend *be = NULL;
|
|
|
61f723 |
+ Slapi_DN *pb_sdn;
|
|
|
61f723 |
+ struct berval *cred;
|
|
|
61f723 |
+ ber_tag_t method;
|
|
|
61f723 |
+
|
|
|
61f723 |
+
|
|
|
61f723 |
+ slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &pb_sdn);
|
|
|
61f723 |
+ slapi_pblock_get(pb, SLAPI_BIND_CREDENTIALS, &cred);
|
|
|
61f723 |
+ slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method);
|
|
|
61f723 |
+
|
|
|
61f723 |
+ if (pb_sdn != NULL || cred != NULL) {
|
|
|
61f723 |
+ return LDAP_OPERATIONS_ERROR;
|
|
|
61f723 |
+ }
|
|
|
61f723 |
+
|
|
|
61f723 |
+ if (*referral) {
|
|
|
61f723 |
+ return SLAPI_BIND_REFERRAL;
|
|
|
61f723 |
+ }
|
|
|
61f723 |
+
|
|
|
61f723 |
+ /* We need a slapi_sdn_isanon? */
|
|
|
61f723 |
+ if (method == LDAP_AUTH_SIMPLE && cred->bv_len == 0) {
|
|
|
61f723 |
+ return SLAPI_BIND_ANONYMOUS;
|
|
|
61f723 |
+ }
|
|
|
61f723 |
+
|
|
|
61f723 |
+ if (slapi_sdn_isroot(pb_sdn)) {
|
|
|
61f723 |
+ /* This is a real identity */
|
|
|
61f723 |
+ return SLAPI_BIND_SUCCESS;
|
|
|
61f723 |
+ }
|
|
|
61f723 |
+
|
|
|
61f723 |
+ if (slapi_mapping_tree_select(pb, &be, referral, NULL, 0) != LDAP_SUCCESS) {
|
|
|
61f723 |
+ return SLAPI_BIND_NO_BACKEND;
|
|
|
61f723 |
+ }
|
|
|
61f723 |
+ slapi_be_Unlock(be);
|
|
|
61f723 |
+
|
|
|
61f723 |
+ slapi_pblock_set(pb, SLAPI_BACKEND, be);
|
|
|
61f723 |
+ slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database);
|
|
|
61f723 |
+ /* Make sure the result handlers are setup */
|
|
|
61f723 |
+ set_db_default_result_handlers(pb);
|
|
|
61f723 |
+
|
|
|
61f723 |
+ /* The backend associated with this identity is real. */
|
|
|
61f723 |
+
|
|
|
61f723 |
+ return SLAPI_BIND_SUCCESS;
|
|
|
61f723 |
}
|
|
|
61f723 |
diff --git a/ldap/servers/slapd/pw_verify.h b/ldap/servers/slapd/pw_verify.h
|
|
|
61f723 |
index fc34fd1..5137027 100644
|
|
|
61f723 |
--- a/ldap/servers/slapd/pw_verify.h
|
|
|
61f723 |
+++ b/ldap/servers/slapd/pw_verify.h
|
|
|
61f723 |
@@ -11,5 +11,6 @@
|
|
|
61f723 |
|
|
|
61f723 |
int pw_verify_root_dn(const char *dn, const Slapi_Value *cred);
|
|
|
61f723 |
int pw_verify_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral);
|
|
|
61f723 |
+int pw_validate_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral);
|
|
|
61f723 |
|
|
|
61f723 |
#endif /* _SLAPD_PW_VERIFY_H_ */
|
|
|
61f723 |
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
|
|
|
61f723 |
index b223f65..1bd8fc8 100644
|
|
|
61f723 |
--- a/ldap/servers/slapd/slapi-plugin.h
|
|
|
61f723 |
+++ b/ldap/servers/slapd/slapi-plugin.h
|
|
|
61f723 |
@@ -3800,6 +3800,15 @@ int slapi_dn_isparent( const char *parentdn, const char *childdn );
|
|
|
61f723 |
int slapi_dn_isroot( const char *dn );
|
|
|
61f723 |
|
|
|
61f723 |
/**
|
|
|
61f723 |
+ * Determines if an SDN is the root DN.
|
|
|
61f723 |
+ *
|
|
|
61f723 |
+ * \param sdn The DN to check
|
|
|
61f723 |
+ * \return \c 1 if the DN is the root DN.
|
|
|
61f723 |
+ * \return \c 0 if the DN is not the root DN.
|
|
|
61f723 |
+ */
|
|
|
61f723 |
+int32_t slapi_sdn_isroot( const Slapi_DN *sdn );
|
|
|
61f723 |
+
|
|
|
61f723 |
+/**
|
|
|
61f723 |
* Checks if a DN is the backend suffix.
|
|
|
61f723 |
*
|
|
|
61f723 |
* \param pb A parameter block with the backend set.
|
|
|
61f723 |
--
|
|
|
61f723 |
2.9.3
|
|
|
61f723 |
|