
neil_a_wilson
11.52.2007 3576aae09ea6a0d594c71d27b0edd3f7e2abd157
Update the server's DIGEST-MD5 SASL mechanism handler so that it provides
support for parsing the digest-uri element of the request. By default, no
parsing is performed and any digest-uri value will be accepted. However, if
the DIGEST-MD5 SASL mechanism handler is configured with the ds-cfg-server-fqdn
attribute, then the digest-uri value will be expected to be "ldap/" followed by
the value of that configuration attribute.

OpenDS Issue Number: 1238
4 files modified
68 ■■■■■ changed files
opends/resource/schema/02-config.ldif 3 ●●●● patch | view | raw | blame | history
opends/src/admin/defn/org/opends/server/admin/std/DigestMD5SASLMechanismHandlerConfiguration.xml 32 ●●●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java 19 ●●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/messages/ExtensionsMessages.java 14 ●●●●● patch | view | raw | blame | history
opends/resource/schema/02-config.ldif
@@ -1709,7 +1709,8 @@
objectClasses: ( 1.3.6.1.4.1.26027.1.2.47
  NAME 'ds-cfg-digest-md5-sasl-mechanism-handler'
  SUP ds-cfg-sasl-mechanism-handler MUST ds-cfg-identity-mapper-dn
  MAY ds-cfg-realm X-ORIGIN 'OpenDS Directory Server' )
  MAY ( ds-cfg-realm $ ds-cfg-server-fqdn )
  X-ORIGIN 'OpenDS Directory Server' )
objectClasses: ( 1.3.6.1.4.1.26027.1.2.48
  NAME 'ds-cfg-gssapi-sasl-mechanism-handler'
  SUP ds-cfg-sasl-mechanism-handler MAY ( ds-cfg-identity-mapper-dn $
opends/src/admin/defn/org/opends/server/admin/std/DigestMD5SASLMechanismHandlerConfiguration.xml
@@ -60,7 +60,7 @@
    <adm:description>
      Specifies the realm that should be used by the server for DIGEST-MD5
      authentication.  If this is not provided, then the server will default
      to using a set of realm names that correspond to the defined suffixes.
      to using a set of realm names that correspond to the defined suffixes.
      Changes to this configuration attribute will take effect immediately.
    </adm:description>
    <adm:default-behavior>
@@ -102,5 +102,35 @@
      </ldap:attribute>
    </adm:profile>
  </adm:property>
  <adm:property name="server-fqdn" mandatory="false">
    <adm:synopsis>
      Specifies the fully-qualified domain name for the system.  This is the
      value expected to be present in the host field of the digest-uri-value
      element.
    </adm:synopsis>
    <adm:description>
      Specifies the DNS-resolvable fully-qualified domain name for the system.
      If this is not provided, then the server will attempt to determine this
      dynamically.  Changes to this configuration attribute will take effect
      immediately.
    </adm:description>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          The server will attempt to dynamically determine the fully-qualified
          domain name.
        </adm:synopsis>
      </adm:alias>
    </adm:default-behavior>
    <adm:syntax>
      <adm:string />
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
        <ldap:oid>1.3.6.1.4.1.26027.1.1.115</ldap:oid>
        <ldap:name>ds-cfg-server-fqdn</ldap:name>
      </ldap:attribute>
    </adm:profile>
  </adm:property>
</adm:managed-object>
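Review bot: The description and the default-behavior alias of the new server-fqdn property state that the server will "attempt to determine this dynamically" when the property is unset, but the DigestMD5SASLMechanismHandler.java hunk in this same commit skips digest-uri validation entirely when getServerFqdn() is null or empty, and the commit message says the same. The documentation should describe the real default, for example in the alias synopsis `No validation of the digest-uri value is performed; any digest-uri is accepted.` and in the description `If this is not provided, then the digest-uri value in the client response is not validated.` An administrator deciding whether to set this attribute needs to know that leaving it unset disables the check rather than falling back to a dynamic lookup.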
opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java
@@ -594,8 +594,23 @@
      {
        responseDigestURI = tokenValue;
        // FIXME -- Add the ability to validate this URI, at least to check the
        // hostname.
        String serverFQDN = config.getServerFqdn();
        if ((serverFQDN != null) && (serverFQDN.length() > 0))
        {
          // If a server FQDN is populated, then we'll use it to validate the
          // digest-uri, which should be in the form "ldap/serverfqdn".
          String expectedDigestURI = "ldap/" + serverFQDN;
          if (! expectedDigestURI.equalsIgnoreCase(responseDigestURI))
          {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            int    msgID   = MSGID_SASLDIGESTMD5_INVALID_DIGEST_URI;
            String message = getMessage(msgID, responseDigestURI,
                                        expectedDigestURI);
            bindOperation.setAuthFailureReason(msgID, message);
            return;
          }
        }
      }
      else if (tokenName.equals("response"))
      {
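Review bot: The whole-string comparison at `if (! expectedDigestURI.equalsIgnoreCase(responseDigestURI))` is stricter than the digest-uri grammar in RFC 2831 (`serv-type "/" host [ "/" serv-name ]`), so a client that includes the optional serv-name component is rejected with INVALID_CREDENTIALS even though its host matches the configured FQDN, while the server-fqdn property synopsis added in this commit says only the host field is checked. Splitting the value on "/" and comparing the serv-type and host components separately would satisfy both the RFC and the documented contract; the rewritten condition is sketched below. The expected value placed in the auth failure reason reveals the configured FQDN, which is acceptable if setAuthFailureReason is only logged server-side, but that cannot be confirmed from this hunk. The enclosing method and token-parsing loop start and end outside the hunk, and if the `// FIXME -- Add the ability to validate this URI` comment on the lines above survives on the new side it should be removed or narrowed now that validation exists.
```java
// … unchanged: serverFQDN lookup and null/empty guard …
// RFC 2831: digest-uri-value = serv-type "/" host [ "/" serv-name ].
// Only the serv-type and host components are validated; a trailing
// serv-name component is permitted.
String[] uriComponents = responseDigestURI.split("/", 3);
String expectedDigestURI = "ldap/" + serverFQDN;
if ((uriComponents.length < 2) ||
    (! "ldap".equalsIgnoreCase(uriComponents[0])) ||
    (! serverFQDN.equalsIgnoreCase(uriComponents[1])))
{
  // … unchanged: INVALID_CREDENTIALS result, failure message, return …
}
```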
opends/src/server/org/opends/server/messages/ExtensionsMessages.java
@@ -5492,6 +5492,16 @@
  /**
   * The message ID for the message that will be used if the client request
   * included an invalid digest URI.  This takes two arguments, which are the
   * provided digest URI and the expected digest URI.
   */
  public static final int MSGID_SASLDIGESTMD5_INVALID_DIGEST_URI =
       CATEGORY_MASK_EXTENSIONS | SEVERITY_MASK_MILD_ERROR | 529;
  /**
   * Associates a set of generic messages with the message IDs defined in this
   * class.
   */
@@ -6775,6 +6785,10 @@
                    "The DIGEST-MD5 credentials provided by the client " +
                    "requested an invalid quality of protection mechanism of " +
                    "%s");
    registerMessage(MSGID_SASLDIGESTMD5_INVALID_DIGEST_URI,
                    "The DIGEST-MD5 credentials provided by the client " +
                    "requested an invalid digest URI of %s.  The expected " +
                    "digest URI was %s");
    registerMessage(MSGID_SASLDIGESTMD5_CANNOT_PARSE_RESPONSE_DIGEST,
                    "The DIGEST-MD5 credentials provided by the client " +
                    "included a digest that could not be decoded as a " +