1 /* proxyOld.c - module for supporting obsolete (rev 05) proxyAuthz control */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2005-2011 The OpenLDAP Foundation.
6 * Portions Copyright 2005 by Howard Chu, Symas Corp.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
28 /* This code is based on draft-weltman-ldapv3-proxy-05. There are a lot
29 * of holes in that draft: it doesn't specify that the control is legal
30 * for Add operations, and it makes no mention of Extended operations.
31 * It also doesn't specify whether an empty LDAPDN is allowed in the
34 * For usability purposes, we're copying the op / exop behavior from the
/* OID of the obsolete draft-05 proxyAuthz control. This module registers
 * it alongside the current proxyAuthz control (the OIDs differ, so both
 * can be advertised at once); the parser below refuses a request that
 * carries both, see the o_proxy_authz check in proxyOld_parse. */
37 #define LDAP_CONTROL_PROXY_AUTHZ05 "2.16.840.1.113730.3.4.12"
39 static char *proxyOld_extops[] = {
40 LDAP_EXOP_MODIFY_PASSWD,
/* proxyOld_parse - parse the draft-05 proxyAuthz control and, if the
 * bound identity is allowed to do so, switch the Operation's identity
 * (op->o_dn / op->o_ndn) to the asserted DN for this one operation.
 *
 * NOTE(review): the function signature and the declarations of rc, tag
 * and ber are not shown in this excerpt; presumably the standard
 * (Operation *op, SlapReply *rs, LDAPControl *ctrl) control parser.
 * Several error-return lines are also elided here.
 *
 * Security-relevant contract (as far as the visible code shows):
 *  - the ONLY authorization gate is the slap_sasl_authorized() call
 *    below; it is evaluated against op->o_ndn *before* that field is
 *    overwritten, i.e. against the identity the requester actually
 *    authenticated as;
 *  - an empty DN in the control is accepted and mapped to the anonymous
 *    identity (the draft leaves this unspecified, see file header);
 *  - the assumed identity is recorded via Statslog for audit.
 */
54 struct berval dn = BER_BVNULL;      /* DN as sent in the control (not a copy, see ber_scanf "m") */
55 struct berval authzDN = BER_BVNULL; /* normalized DN to assume; owned by this function until handed to op */
58 /* We hijack the flag for the new control. Clearly only one or the
59 * other can be used at any given time.
 * Consequence: a request carrying both the draft-05 and the current
 * proxyAuthz control, or either one twice, is rejected with
 * protocolError here, so at most one identity assertion can apply to
 * an operation - there is no way to "chain" assertions. */
61 if ( op->o_proxy_authz != SLAP_CONTROL_NONE ) {
62 rs->sr_text = "proxy authorization control specified multiple times";
63 return LDAP_PROTOCOL_ERROR;
/* Remember whether the client marked the control critical; whatever acts
 * on the difference between CRITICAL and NONCRITICAL is outside this
 * function. */
66 op->o_proxy_authz = ctrl->ldctl_iscritical
67 ? SLAP_CONTROL_CRITICAL
68 : SLAP_CONTROL_NONCRITICAL;
70 /* Parse the control value
71 * proxyAuthzControlValue ::= SEQUENCE {
 * (remainder of the ASN.1 sketch elided in this excerpt) */
75 ber = ber_init( &ctrl->ldctl_value );
77 rs->sr_text = "ber_init failed";
/* "m" per lber: dn.bv_val points into the control's own value buffer
 * rather than a copy, which is why dn is never freed here. */
81 tag = ber_scanf( ber, "{m}", &dn );
83 if ( tag == LBER_ERROR ) {
84 rs->sr_text = "proxyOld control could not be decoded";
/* Empty DN -> become anonymous. The draft does not say whether this is
 * legal; this implementation allows it. The authorization check below
 * still runs for this case. */
88 if ( BER_BVISEMPTY( &dn )) {
89 Debug( LDAP_DEBUG_TRACE,
90 "proxyOld_parse: conn=%lu anonymous\n",
/* NOTE(review): this path allocates with ch_strdup() (heap) while the
 * normalized path below allocates from op->o_tmpmemctx, yet the failure
 * branch frees both with op->o_tmpfree(). Presumably the slab free
 * tolerates an out-of-slab pointer - confirm, this is easy to break. */
92 authzDN.bv_val = ch_strdup("");
94 Debug( LDAP_DEBUG_ARGS,
95 "proxyOld_parse: conn %lu ctrl DN=\"%s\"\n",
96 op->o_connid, dn.bv_val, 0 );
/* Normalize the client-supplied DN before it is compared or stored;
 * authzDN is allocated from the per-operation temp context. */
97 rc = dnNormalize( 0, NULL, NULL, &dn, &authzDN, op->o_tmpmemctx );
98 if ( rc != LDAP_SUCCESS ) {
/* THE authorization decision: may the currently bound identity
 * (op->o_ndn, still untouched at this point) assume authzDN? */
101 rc = slap_sasl_authorized( op, &op->o_ndn, &authzDN );
/* Not authorized: release the candidate identity and fail the
 * operation. The deliberately generic sr_text does not reveal why. */
103 op->o_tmpfree( authzDN.bv_val, op->o_tmpmemctx );
104 rs->sr_text = "not authorized to assume identity";
105 /* new spec uses LDAP_PROXY_AUTHZ_FAILURE; the older result code is
 * kept here on purpose so draft-05 clients see what they expect */
106 rc = LDAP_INSUFFICIENT_ACCESS;
/* Authorized: replace the Operation's identity with the asserted one.
 * Only the per-operation fields are touched in the visible code; the
 * assignment of op->o_ndn (paired with the free below) is not shown in
 * this excerpt, and the connection-level identity is not modified here.
 * NOTE(review): authzDN (temp-context allocation) is copied with
 * ber_dupbv; its own release on the success path is not visible. */
110 free( op->o_ndn.bv_val );
111 free( op->o_dn.bv_val );
113 ber_dupbv( &op->o_dn, &authzDN );
/* Audit trail: log the identity that was assumed ("anonymous" for an
 * empty DN) at STATS level, the same level as the request itself. */
115 Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu PROXYOLD dn=\"%s\"\n",
116 op->o_connid, op->o_opid,
117 authzDN.bv_len ? authzDN.bv_val : "anonymous", 0, 0 );
124 int init_module(int argc, char *argv[]) {
125 return register_supported_control( LDAP_CONTROL_PROXY_AUTHZ05,
126 SLAP_CTRL_GLOBAL|SLAP_CTRL_HIDE|SLAP_CTRL_ACCESS, proxyOld_extops,
127 proxyOld_parse, NULL );