--- /tmp/jabberd-2.1.24.1/c2s/c2s.c 2008-04-27 02:57:20.000000000 -0700 +++ ./jabberd2/c2s/c2s.c 2009-05-26 11:50:12.000000000 -0700 @@ -449,6 +449,28 @@ static int _c2s_client_sx_callback(sx_t /* they sasl auth'd, so we only want the new-style session start */ else { log_write(sess->c2s->log, LOG_NOTICE, "[%d] SASL authentication succeeded: mechanism=%s; authzid=%s%s", sess->s->tag, &sess->s->auth_method[5], sess->s->auth_id, sess->s->ssf ? ", TLS negotiated" : ""); + + /* Apple SACL check */ +#ifdef APPLE_ENABLE_OD_AUTH + jid_t jid; + jid = jid_new(sess->c2s->pc, sess->s->auth_id, -1); + if (NULL == jid) { + log_debug(ZONE, "jid_new returned NULL for userid %s", sess->s->auth_id); + sx_error(s, stream_err_INTERNAL_SERVER_ERROR, "failure during authorization"); + sx_close(s); + jid_free(jid); + break; + } + int iErr = od_auth_check_service_membership(jid->node, APPLE_CHAT_SACL_NAME); + log_debug(ZONE, "_ar_od_check_password(): od_auth_check_service_membership returned %d for %s", iErr, jid->node); + if (iErr != 1) { + sx_error(s, stream_err_NOT_AUTHORIZED, "Authorization failed"); + sx_close(s); + jid_free(jid); + break; + } + jid_free(jid); +#endif sess->sasl_authd = 1; } @@ -768,7 +790,7 @@ int c2s_router_sx_callback(sx_t s, sx_ev if(ns >= 0) { elem = nad_find_elem(nad, 0, ns, "starttls", 1); if(elem >= 0) { - if(sx_ssl_client_starttls(c2s->sx_ssl, s, c2s->router_pemfile) == 0) { + if(sx_ssl_client_starttls(c2s->sx_ssl, s, c2s->router_pemfile, c2s->router_private_key_password) == 0) { nad_free(nad); return 0; }