Hello,
Validate authentication settings strictly.
- auth_method 'SASL' do not accept bind_dn and password options
- auth_method 'simple' do not accept sasl_* and krb5_* options
- auth_method 'none' do not accept any of options above
--
Petr^2 Spacek
From 6866c4e1edb5633b5a82c2d28f603f9660994d6a Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Wed, 29 May 2013 15:01:30 +0200
Subject: [PATCH] Validate authentication settings strictly.
- auth_method 'SASL' do not accept bind_dn and password options
- auth_method 'simple' do not accept sasl_* and krb5_* options
- auth_method 'none' do not accept any of options above
Signed-off-by: Petr Spacek <pspa...@redhat.com>
---
src/ldap_helper.c | 42 +++++++++++++++++++++++++++++++++---------
1 file changed, 33 insertions(+), 9 deletions(-)
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 4d22f2803ba4e9f5658b086dc7bb53579c5a3b92..46d2dccf8df57759da6b1282eff4aa56c50f0d37 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -362,7 +362,11 @@ validate_local_instance_settings(ldap_instance_t *inst, settings_set_t *set) {
isc_uint32_t uint;
const char *sasl_mech = NULL;
const char *sasl_user = NULL;
+ const char *sasl_realm = NULL;
+ const char *sasl_password = NULL;
const char *krb5_principal = NULL;
+ const char *bind_dn = NULL;
+ const char *password = NULL;
ld_string_t *buff = NULL;
char print_buff[PRINT_BUFF_SIZE];
@@ -427,6 +431,33 @@ validate_local_instance_settings(ldap_instance_t *inst, settings_set_t *set) {
CHECK(setting_get_str("sasl_mech", set, &sasl_mech));
CHECK(setting_get_str("krb5_principal", set, &krb5_principal));
CHECK(setting_get_str("sasl_user", set, &sasl_user));
+ CHECK(setting_get_str("sasl_realm", set, &sasl_realm));
+ CHECK(setting_get_str("sasl_password", set, &sasl_password));
+ CHECK(setting_get_str("bind_dn", set, &bind_dn));
+ CHECK(setting_get_str("password", set, &password));
+
+ if (auth_method_enum != AUTH_SIMPLE &&
+ (strlen(bind_dn) != 0 || strlen(password) != 0)) {
+ log_error("options 'bind_dn' and 'password' are allowed only "
+ "for auth_method 'simple'");
+ CLEANUP_WITH(ISC_R_FAILURE);
+ }
+
+ if (auth_method_enum == AUTH_SIMPLE &&
+ (strlen(bind_dn) == 0 || strlen(password) == 0)) {
+ log_error("auth_method 'simple' requires 'bind_dn' and 'password'");
+ log_info("for anonymous bind please use auth_method 'none'");
+ CLEANUP_WITH(ISC_R_FAILURE);
+ }
+
+ if (auth_method_enum != AUTH_SASL &&
+ (strlen(sasl_realm) != 0 || strlen(sasl_user) != 0 ||
+ strlen(sasl_password) != 0 || strlen(krb5_principal) != 0)) {
+ log_error("options 'sasl_realm', 'sasl_user', 'sasl_password' "
+ "and 'krb5_principal' are effective only with "
+ "auth_method 'sasl'");
+ CLEANUP_WITH(ISC_R_FAILURE);
+ }
if ((auth_method_enum == AUTH_SASL) &&
(strcasecmp(sasl_mech, "GSSAPI") == 0)) {
@@ -2487,15 +2518,6 @@ ldap_reconnect(ldap_instance_t *ldap_inst, ldap_connection_t *ldap_conn,
return ISC_R_SOFTQUOTA;
}
- /* If either bind_dn or the password is not set, we will use
- * password-less bind. */
- CHECK(setting_get_str("bind_dn", ldap_inst->global_settings, &bind_dn));
- CHECK(setting_get_str("password", ldap_inst->global_settings, &password));
- if (strlen(bind_dn) == 0 || strlen(password) == 0) {
- bind_dn = NULL;
- password = NULL;
- }
-
/* Set the next possible reconnect time. */
{
isc_interval_t delay;
@@ -2525,6 +2547,8 @@ force_reconnect:
ret = ldap_simple_bind_s(ldap_conn->handle, NULL, NULL);
break;
case AUTH_SIMPLE:
+ CHECK(setting_get_str("bind_dn", ldap_inst->global_settings, &bind_dn));
+ CHECK(setting_get_str("password", ldap_inst->global_settings, &password));
ret = ldap_simple_bind_s(ldap_conn->handle, bind_dn, password);
break;
case AUTH_SASL:
--
1.7.11.7
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
