From 2a81336e582c68fe0326a76a2f156b469688cc9b Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: May 03 2013 20:29:14 +0000
Subject: Ticket 580 - Wrong error code return when using EXTERNAL SASL and no client certificate
Bug Description: When doing a SASL EXTERNAL bind, and no client certificate is provided, the bind succeeds(as anonymous). However, the bind should fail with an error 48.
Fix Description: Check for the missing client certificate and return the appropriate error.
https://fedorahosted.org/389/ticket/580
Reviewed by: Noriko(Thanks!)
---
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index d4d3b49..e92add5 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -403,10 +403,12 @@ do_bind( Slapi_PBlock *pb )
     supported = slapi_get_supported_saslmechanisms_copy();
     if ( (pmech = supported) != NULL ) while (1) {
         if (*pmech == NULL) {
-            /* As we call the safe function, we receive a strdup'd saslmechanisms
-               charray. Therefore, we need to remove it instead of NULLing it */
-            charray_free(supported);
-            pmech = supported = NULL;
+            /*
+             * As we call the safe function, we receive a strdup'd saslmechanisms
+             * charray. Therefore, we need to remove it instead of NULLing it
+             */
+            charray_free(supported);
+            pmech = supported = NULL;
             break;
         }
         if (!strcasecmp (saslmech, *pmech)) break;
@@ -450,11 +452,21 @@ do_bind( Slapi_PBlock *pb )
         }
 
         /*
+         * Check for the client certificate.
+         */
+        if( NULL == pb->pb_conn->c_client_cert){
+            send_ldap_result( pb, LDAP_INAPPROPRIATE_AUTH, NULL,
+                              "missing client certificate", 0, NULL );
+            /* call postop plugins */
+            plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
+            goto free_and_return;
+        }
+
+        /*
          * if the client sent us a certificate but we could not map it
          * to an LDAP DN, fail and return an invalidCredentials error.
          */
-        if ( NULL != pb->pb_conn->c_client_cert &&
-             NULL == pb->pb_conn->c_external_dn ) {
+        if ( NULL == pb->pb_conn->c_external_dn ) {
             send_ldap_result( pb, LDAP_INVALID_CREDENTIALS, NULL,
                 "client certificate mapping failed", 0, NULL );
             /* call postop plugins */
@@ -463,7 +475,7 @@ do_bind( Slapi_PBlock *pb )
         }
         if (!isroot ) {
-            /* check if the account is locked */
+            /* check if the account is locked */
             bind_target_entry = get_entry(pb, pb->pb_conn->c_external_dn);
             if ( bind_target_entry != NULL && slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1 /*check password policy*/, 1 /*send ldap result*/) == 1) {
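Review bot: The new guard `if( NULL == pb->pb_conn->c_client_cert){` is spaced differently from the neighbouring `if ( NULL == pb->pb_conn->c_external_dn ) {`; writing it as `if ( NULL == pb->pb_conn->c_client_cert ) {` keeps the two rejection paths reading alike. The comment above it only says a check happens, not why the bind must fail; something like `/* EXTERNAL with no client certificate has no identity to bind as: reject with inappropriateAuthentication (48) rather than falling through to an anonymous bind (ticket 580) */` would record the reason the commit message gives. The second guard now silently depends on the first one having returned, since the `NULL != c_client_cert` half of the old condition was dropped; a short `/* certificate present (checked above) but not mapped to a DN */` would keep that ordering dependency visible to the next editor. If the existing mapping-failure path writes a log entry after `send_ldap_result` (that part of the block is outside the hunk), the new missing-certificate path should do the same so rejected EXTERNAL binds are equally visible to operators. do_bind continues outside the hunk on both sides, so whether `pb->pb_conn` is guaranteed non-NULL here and whether this branch is already limited to the EXTERNAL mechanism cannot be confirmed from the visible lines.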