From: <svn...@op...> - 2009-08-09 20:32:19
Author: scriptor Date: Sun Aug 9 22:32:06 2009 New Revision: 5710 URL: http://www.opensync.org/changeset/5710 Log: AUTH: I have fixed (resp. added) the support for "realms" and "authzid". Both of them now be configured, as required by certain authentication mechanisms. "authzid" is relevant for proxy authentication. Besides, I have fixed wrong return values in ldap_plugin_encrypt_connection(). This belongs to SSL/TLS. Moreover, I've done some cosmetics. For people playing with SSL/TLS, be it for encryption only, or for authentication purposes (= SASL/EXTERNAL), libopenldap-2.4.15, as it ships with Fedora 11, has a bug: See: http://www.openldap.org/lists/openldap-commit/200903/msg00006.html http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_o.c.diff?r1=1.6&r2=1.7&hideattic=1&sortbydate=0&f=h http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_o.c.diff?r1=1.5.2.2&r2=1.5.2.3&hideattic=1&sortbydate=0&f=h Modified: plugins/ldap-sync/src/ldap-sync plugins/ldap-sync/src/ldap_connect.c plugins/ldap-sync/src/ldap_plugin.c plugins/ldap-sync/src/ldap_plugin.h plugins/ldap-sync/src/ldap_sasl.c Modified: plugins/ldap-sync/src/ldap-sync ============================================================================== --- plugins/ldap-sync/src/ldap-sync Sun Aug 2 20:37:34 2009 (r5709) +++ plugins/ldap-sync/src/ldap-sync Sun Aug 9 22:32:06 2009 (r5710) @@ -26,6 +26,12 @@ <Value>secret</Value> </AdvancedOption> + <AdvancedOption> + <Name>realm</Name> + <Type>string</Type> + <Value></Value> + </AdvancedOption> + <AdvancedOption> <!-- Anonymous bind --> <Name>anonymous</Name> Modified: plugins/ldap-sync/src/ldap_connect.c ============================================================================== --- plugins/ldap-sync/src/ldap_connect.c Sun Aug 2 20:37:34 2009 (r5709) +++ plugins/ldap-sync/src/ldap_connect.c Sun Aug 9 22:32:06 2009 (r5710) @@ -609,7 +609,6 @@ } - osync_trace(TRACE_EXIT, "%s", __func__); return TRUE; 
@@ -784,7 +783,7 @@
* @param sinkenv The object type specific environment.
* @param error The libopensync error pointer.
*
- * @returns LDAP_SUCCESS on success, LDAP_PARAM_ERROR otherwise.
+ * @returns TRUE on success, FALSE in case of any error.
*/
osync_bool ldap_plugin_encrypt_connection (OSyncContext *ctx, sink_environment *sinkenv, OSyncError **error)
@@ -823,14 +822,14 @@
osync_trace(TRACE_EXIT, "%s", __func__);
- return LDAP_SUCCESS;
+ return TRUE;
error:
if (!osync_error_is_set(error)) osync_error_set(error, OSYNC_ERROR_GENERIC, "Unknown reason.\n");
- osync_context_report_osyncwarning(ctx, *error);
+ osync_context_report_osyncerror(ctx, *error);
osync_trace(TRACE_EXIT_ERROR, "%s: %s", __func__, osync_error_print(error));
return FALSE;
}
@@ -869,8 +868,8 @@
unsigned sasl_flags = LDAP_SASL_AUTOMATIC;
struct berval passwd = { 0, NULL };
lutilSASLdefaults *defaults = NULL;
- const char *authmech = NULL, *binddn = NULL, *bindpwd = NULL, *authcid = NULL;
- char *tmp_authmech = NULL, *tmp_binddn = NULL, *tmp_authcid = NULL;
+ const char *authmech = NULL, *binddn = NULL, *bindpwd = NULL, *authcid = NULL, *authzid = NULL, *realm = NULL;
+ char *tmp_authmech = NULL, *tmp_binddn = NULL, *tmp_authcid = NULL, *tmp_authzid = NULL, *tmp_realm = NULL;
osync_bool rv = TRUE;
int ldap_errno = 0;
@@ -900,7 +899,8 @@
bindpwd = sinkenv->bindpwd;
authmech = sinkenv->authmech;
authcid = sinkenv->authcid;
-
+ authzid = sinkenv->authzid;
+ realm = sinkenv->realm;
} else {
#ifdef DEBUG_auth
@@ -911,6 +911,8 @@
bindpwd = "";
authmech = "SIMPLE";
authcid = "";
+ authzid = "";
+ realm = "";
}
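Review bot: The error path of ldap_plugin_encrypt_connection now returns FALSE and reports an osyncerror, but its caller is not in this diff; the old code returned LDAP_SUCCESS, which is 0 and therefore FALSE, on success, so any caller that ignored or compensated for that inverted value should be rechecked so that a FALSE return actually stops the connection instead of letting the later SASL bind run over a session that was never upgraded to TLS. The fallback `osync_error_set(error, OSYNC_ERROR_GENERIC, "Unknown reason.\n")` keeps a trailing newline that osync_error_print copies into the TRACE_EXIT_ERROR line, so dropping the `\n` keeps log lines intact. The function's body starts before this hunk.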
@@ -958,10 +960,12 @@
passwd.bv_len = strlen( passwd.bv_val );
tmp_authmech = g_strdup(authmech);
tmp_authcid = g_strdup(authcid);
+ tmp_authzid = g_strdup(authzid);
+ tmp_realm = g_strdup(realm);
// Load default parameters into a libldap specific struct
- defaults = ldap_plugin_lutil_sasl_defaults(sinkenv->ld, tmp_authmech, NULL, tmp_authcid, passwd.bv_val, NULL);
+ defaults = ldap_plugin_lutil_sasl_defaults(sinkenv->ld, tmp_authmech, tmp_realm, tmp_authcid, passwd.bv_val, tmp_authzid);
if (defaults == NULL) {
osync_error_set(error, OSYNC_ERROR_NO_CONNECTION, "%s:%i: ERROR: defaults = NULL. ldap_plugin_lutil_sasl_defaults() has failed.\n", __FILE__, __LINE__);
rv = FALSE;
@@ -994,13 +998,20 @@
// Does not work:
// ldap_plugin_list_libldap_sasl_mechanisms(ctx, sinkenv, error);
} else {
- ldap_plugin_printf("%s:%i: ERROR: Could not call ldap_plugin_list_sasl_mechanisms(), because both sinkenv->url and sinkenv->servername are NULL or empty.", __FILE__, __LINE__);
+ ldap_plugin_printf("%s:%i: ERROR: Could not call ldap_plugin_list_sasl_libsasl2_mechanisms(), because both sinkenv->url and sinkenv->servername are NULL or empty.", __FILE__, __LINE__);
}
} // LDAP_AUTH_METHOD_NOT_SUPPORTED, LDAP_AUTH_UNKNOWN
else if (ldap_errno == LDAP_LOCAL_ERROR) {
if (ldap_error && ldap_error[0] && tmp_authmech && tmp_authmech[0]) {
if (!strcmp(tmp_authmech, "GSSAPI")) {
if (strstr(ldap_error, "Unspecified GSS failure")) {
+ /*
+ For "gss_accept_sec_context", see:
+
+ /root/rpmbuild/SOURCES/krb5-1.6.3/src/lib/gssapi/mechglue/g_accept_sec_context.c
+
+ */
+ if ( strstr(ldap_error, "No credentials cache found") || strstr(ldap_error, "Ticket expired")
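Review bot: The call `ldap_plugin_lutil_sasl_defaults(sinkenv->ld, tmp_authmech, tmp_realm, tmp_authcid, passwd.bv_val, tmp_authzid)` now passes an empty string where it used to pass NULL whenever an option is present but blank: the ldap-sync config in this diff ships `realm` with `<Value></Value>`, ldap_plugin.c stores that value verbatim via `g_strdup(val)`, and the anonymous branch in the @@ -911 hunk sets `authzid = ""; realm = "";`. If ldap_plugin_lutil_sasl_defaults mirrors OpenLDAP's lutil_sasl_defaults, a NULL realm or authzid is replaced by the library's LDAP_OPT_X_SASL_REALM / LDAP_OPT_X_SASL_AUTHZID value, whereas "" is stored as given and handed to the interaction callback, so a blank authzid no longer means "no proxy authorization" but an explicit empty identity. Mapping blank to NULL before the copy, `tmp_realm = (realm && realm[0]) ? g_strdup(realm) : NULL;` and the same for tmp_authzid, keeps the previous behaviour for unset options. The enclosing function starts before and ends after this hunk.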
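Review bot: The new comment cites `/root/rpmbuild/SOURCES/krb5-1.6.3/src/lib/gssapi/mechglue/g_accept_sec_context.c`, a path on the author's build machine that no other reader can follow; reference the file relative to the krb5 source tree instead, e.g. `/* For "gss_accept_sec_context" see krb5-1.6.3, src/lib/gssapi/mechglue/g_accept_sec_context.c */`. The surrounding branch keys on substrings of the libldap error text ("Unspecified GSS failure", "No credentials cache found", "Ticket expired"), which depends on the library version and locale and can silently stop matching, so a one-line comment stating that this matching is best-effort diagnostics only and that the generic LDAP_LOCAL_ERROR handling still applies would help the next maintainer. The enclosing function continues beyond this hunk.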
@@ -1070,6 +1081,16 @@
tmp_authcid = NULL;
}
+ if (tmp_authzid) {
+ g_free(tmp_authzid);
+ tmp_authzid = NULL;
+ }
+
+ if (tmp_realm) {
+ g_free(tmp_realm);
+ tmp_realm = NULL;
+ }
+ if (defaults) {
if (defaults->mech) {
g_free(defaults->mech);
Modified: plugins/ldap-sync/src/ldap_plugin.c
==============================================================================
--- plugins/ldap-sync/src/ldap_plugin.c Sun Aug 2 20:37:34 2009 (r5709)
+++ plugins/ldap-sync/src/ldap_plugin.c Sun Aug 9 22:32:06 2009 (r5710)
@@ -627,6 +627,7 @@
sinkenv->bindpwd = NULL;
sinkenv->authcid = NULL;
sinkenv->authzid = NULL;
+ sinkenv->realm = NULL;
sinkenv->searchbase = NULL;
sinkenv->searchfilter = NULL;
sinkenv->storebase = NULL;
@@ -697,6 +698,9 @@
if (!strcmp(name, "authzid")) sinkenv->authzid = g_strdup(val);
+ if (!strcmp(name, "realm"))
+ sinkenv->realm = g_strdup(val);
+ if (!strcmp(name, "anonymous")) {
#ifdef DEBUG_auth
ldap_plugin_printf("%s:%i: Previous setting of anonymous was: %i", __FILE__, __LINE__, sinkenv->anonymous);
Modified: plugins/ldap-sync/src/ldap_plugin.h
==============================================================================
--- plugins/ldap-sync/src/ldap_plugin.h Sun Aug 2 20:37:34 2009 (r5709)
+++ plugins/ldap-sync/src/ldap_plugin.h Sun Aug 9 22:32:06 2009 (r5710)
@@ -363,6 +363,8 @@
char *authzid; ///< authzid If the user wants to act on behalf of
///< someone else. Proxy authorization: Authenticate
///< as one person, act as a different person.
+ char *realm; ///< Name of a group of users; independend of the
+ ///< domain name
char *bindpwd; ///< Bind password
char *searchbase; ///< Base DN for any searches
char *searchfilter; ///< Search filter
Modified: plugins/ldap-sync/src/ldap_sasl.c
==============================================================================
--- plugins/ldap-sync/src/ldap_sasl.c Sun Aug 2 20:37:34 2009 (r5709)
+++ plugins/ldap-sync/src/ldap_sasl.c Sun Aug 9 22:32:06 2009 (r5710)
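Review bot: In the ldap_plugin.c @@ -697 hunk, `sinkenv->realm = g_strdup(val);` overwrites the pointer without releasing a previous value, so a configuration that lists `realm` twice leaks the first copy; the `authzid` line just above has the same pattern, so this is existing style, but the new line can avoid it with `g_free(sinkenv->realm); sinkenv->realm = g_strdup(val);` (g_free accepts NULL, and realm is initialised to NULL in the @@ -627 hunk). Nothing in this diff frees sinkenv->realm on teardown; if the sink cleanup that releases authzid lives outside the diff, it needs the matching `g_free(sinkenv->realm)`. The option-parsing function starts before and ends after this hunk.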
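Review bot: The doc comment added to `char *realm` in ldap_plugin.h has a typo and does not say what the field feeds: `independend` should be `independent`, and "Name of a group of users" does not tell a reader that this string is the SASL realm handed to ldap_plugin_lutil_sasl_defaults() in ldap_connect.c. Suggest `char *realm; ///< SASL realm handed to ldap_plugin_lutil_sasl_defaults(); NULL when not configured`, which matches the NULL initialisation in ldap_plugin.c. The struct definition starts before and ends after this hunk.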
@@ -196,11 +196,14 @@ #ifdef DEBUG_auth - ldap_plugin_printf("%s:%i: SASL defaults:", __FILE__, __LINE__); - ldap_plugin_printf("mech = %s", defaults->mech ? defaults->mech : "(null)"); - ldap_plugin_printf("realm = %s", defaults->realm ? defaults->realm : "(null)"); - ldap_plugin_printf("authcid = %s", defaults->authcid ? defaults->authcid : "(null)"); - ldap_plugin_printf("authzid = %s", defaults->authzid ? defaults->authzid : "(null)"); + ldap_plugin_printf("\n%s:%i: SASL defaults:", __FILE__, __LINE__); + ldap_plugin_printf("mech = \"%s\"", defaults->mech ? defaults->mech : "(null)"); + + ldap_plugin_printf("authcid = \"%s\"", defaults->authcid ? defaults->authcid : "(null)"); + ldap_plugin_printf("passwd = \"%s\"", defaults->passwd ? defaults->passwd : "(null)"); + ldap_plugin_printf("authzid = \"%s\"", defaults->authzid ? defaults->authzid : "(null)"); + ldap_plugin_printf("realm = \"%s\"", defaults->realm ? defaults->realm : "(null)"); + ldap_plugin_printf("\n"); #endif |
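Review bot: The added `ldap_plugin_printf("passwd = \"%s\"", defaults->passwd ? defaults->passwd : "(null)");` writes the bind password in clear text to the plugin's log output. Even though it sits behind `#ifdef DEBUG_auth`, debug builds get distributed and their output lands in bug reports and shared log files, so print only whether the credential is present, e.g. `ldap_plugin_printf("passwd = %s", defaults->passwd ? "(set)" : "(null)");`. The enclosing function starts before this hunk.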