From c5fcabea2379d68967ae4dc09a780459d1fd301e Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Tue, 10 Jul 2007 22:52:19 +0000
Subject: [PATCH] Update the server's DIGEST-MD5 SASL mechanism handler so that it provides support for parsing the digest-uri element of the request.  By default, no parsing is performed and any digest-uri value will be accepted.  However, if the DIGEST-MD5 SASL mechanism handler is configured with the ds-cfg-server-fqdn attribute, then the digest-uri value will be expected to be "ldap/" followed by the value of that configuration attribute.

---
 opendj-sdk/opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java |   19 +++++++++++++++++--
 1 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/opendj-sdk/opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java b/opendj-sdk/opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java
index 72ec9f1..bbae357 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java
@@ -594,8 +594,23 @@
       {
         responseDigestURI = tokenValue;
 
-        // FIXME -- Add the ability to validate this URI, at least to check the
-        // hostname.
+        String serverFQDN = config.getServerFqdn();
+        if ((serverFQDN != null) && (serverFQDN.length() > 0))
+        {
+          // If a server FQDN is populated, then we'll use it to validate the
+          // digest-uri, which should be in the form "ldap/serverfqdn".
+          String expectedDigestURI = "ldap/" + serverFQDN;
+          if (! expectedDigestURI.equalsIgnoreCase(responseDigestURI))
+          {
+            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
+
+            int    msgID   = MSGID_SASLDIGESTMD5_INVALID_DIGEST_URI;
+            String message = getMessage(msgID, responseDigestURI,
+                                        expectedDigestURI);
+            bindOperation.setAuthFailureReason(msgID, message);
+            return;
+          }
+        }
       }
       else if (tokenName.equals("response"))
       {
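Review bot: The whole-string comparison at `if (! expectedDigestURI.equalsIgnoreCase(responseDigestURI))` rejects a digest-uri that carries the optional third serv-name component RFC 2831 permits (`ldap/host/serv-name`), so a conforming client sending that form would fail with INVALID_CREDENTIALS as soon as ds-cfg-server-fqdn is set. If that form should be accepted, compare the serv-type and host components instead of the full string, e.g. `String[] parts = responseDigestURI.split("/"); boolean uriMatches = (parts.length >= 2) && "ldap".equalsIgnoreCase(parts[0]) && serverFQDN.equalsIgnoreCase(parts[1]);` and branch on `uriMatches`; if the exact match is intentional, say so in the comment above `expectedDigestURI` (`// Only the two-component form "ldap/host" is accepted; a serv-name suffix is rejected.`). Note that the validation lives inside the digest-uri token branch, so a response that omits the directive entirely is not caught here and depends on handling outside this hunk. The enclosing method starts and ends outside the hunk.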

--
Gitblit v1.10.0