+/*
+ * ldap_back_proxy_authz_ctrl() prepends a proxyAuthz control
+ * to existing server-side controls if required; if not,
+ * the existing server-side controls are placed in *pctrls.
+ * The caller, after using the controls in client API
+ * operations, if ( *pctrls != op->o_ctrls ), should
+ * free( (*pctrls)[ 0 ] ) and free( *pctrls ).
+ * The function returns success if the control could
+ * be added if required, or if it did nothing; in the future,
+ * it might return some error if it failed.
+ *
+ * if no bind took place yet, but the connection is bound
+ * and the "proxyauthzdn" is set, then bind as "proxyauthzdn"
+ * and explicitly add proxyAuthz the control to every operation
+ * with the dn bound to the connection as control value.
+ *
+ * If no server-side controls are defined for the operation,
+ * simply add the proxyAuthz control; otherwise, if the
+ * proxyAuthz control is not already set, add it as
+ * the first one
+ *
+ * FIXME: is controls order significant for security?
+ * ANSWER: controls ordering and interoperability
+ * must be indicated by the specs of each control; if none
+ * is specified, the order is irrelevant.
+ */
+int
+ldap_back_proxy_authz_ctrl(
+ struct ldapconn *lc,
+ Operation *op,
+ SlapReply *rs,
+ LDAPControl ***pctrls )
+{
+ struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
+ LDAPControl **ctrls = NULL;
+ int i = 0,
+ mode;
+ struct berval assertedID;
+
+ *pctrls = NULL;
+
+ rs->sr_err = LDAP_SUCCESS;
+
+ /* FIXME: SASL/EXTERNAL over ldapi:// doesn't honor the authcID,
+ * but if it is not set this test fails. We need a different
+ * means to detect if idassert is enabled */
+ if ( ( BER_BVISNULL( &li->idassert_authcID ) || BER_BVISEMPTY( &li->idassert_authcID ) )
+ && ( BER_BVISNULL( &li->idassert_authcDN ) || BER_BVISEMPTY( &li->idassert_authcDN ) ) )
+ {
+ goto done;
+ }
+
+ if ( !op->o_conn || op->o_do_not_cache || be_isroot( op ) ) {
+ goto done;
+ }
+
+ if ( li->idassert_mode == LDAP_BACK_IDASSERT_LEGACY ) {
+ if ( op->o_proxy_authz ) {
+ /*
+ * FIXME: we do not want to perform proxyAuthz
+ * on behalf of the client, because this would
+ * be performed with "proxyauthzdn" privileges.
+ *
+ * This might actually be too strict, since
+ * the "proxyauthzdn" authzTo, and each entry's
+ * authzFrom attributes may be crafted
+ * to avoid unwanted proxyAuthz to take place.
+ */
+#if 0
+ rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ rs->sr_text = "proxyAuthz not allowed within namingContext";
+#endif
+ goto done;
+ }
+
+ if ( !BER_BVISNULL( &lc->lc_bound_ndn ) ) {
+ goto done;
+ }
+
+ if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+ goto done;
+ }
+
+ if ( BER_BVISNULL( &li->idassert_authcDN ) ) {
+ goto done;
+ }
+
+ } else if ( li->idassert_authmethod == LDAP_AUTH_SASL ) {
+ if ( ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ )
+ /* && ( !BER_BVISNULL( &op->o_conn->c_ndn ) || lc->lc_bound ) */ )
+ {
+ /* already asserted in SASL via native authz */
+ /* NOTE: the test on lc->lc_bound is used to trap
+ * native authorization of anonymous users,
+ * since in that case op->o_conn->c_ndn is NULL */
+ goto done;
+ }
+
+ } else if ( li->idassert_authz && !be_isroot( op ) ) {
+ int rc;
+ struct berval authcDN;
+
+ if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+ authcDN = slap_empty_bv;
+ } else {
+ authcDN = op->o_conn->c_ndn;
+ }
+ rc = slap_sasl_matches( op, li->idassert_authz,
+ &authcDN, & authcDN );
+ if ( rc != LDAP_SUCCESS ) {
+ if ( li->idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE )
+ {
+ /* op->o_conn->c_ndn is not authorized
+ * to use idassert */
+ return rc;
+ }
+ return rs->sr_err;
+ }
+ }
+
+ if ( op->o_proxy_authz ) {
+ /*
+ * FIXME: we can:
+ * 1) ignore the already set proxyAuthz control
+ * 2) leave it in place, and don't set ours
+ * 3) add both
+ * 4) reject the operation
+ *
+ * option (4) is very drastic
+ * option (3) will make the remote server reject
+ * the operation, thus being equivalent to (4)
+ * option (2) will likely break the idassert
+ * assumptions, so we cannot accept it;
+ * option (1) means that we are contradicting
+ * the client's reques.
+ *
+ * I think (4) is the only correct choice.
+ */
+ rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ rs->sr_text = "proxyAuthz not allowed within namingContext";
+ }
+
+ if ( op->o_do_not_cache && op->o_is_auth_check ) {
+ mode = LDAP_BACK_IDASSERT_NOASSERT;
+
+ } else {
+ mode = li->idassert_mode;
+ }
+
+ switch ( mode ) {
+ case LDAP_BACK_IDASSERT_LEGACY:
+ case LDAP_BACK_IDASSERT_SELF:
+ /* original behavior:
+ * assert the client's identity */
+ if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+ assertedID = slap_empty_bv;
+ } else {
+ assertedID = op->o_conn->c_ndn;
+ }
+ break;
+
+ case LDAP_BACK_IDASSERT_ANONYMOUS:
+ /* assert "anonymous" */
+ assertedID = slap_empty_bv;
+ break;
+
+ case LDAP_BACK_IDASSERT_NOASSERT:
+ /* don't assert; bind as proxyauthzdn */
+ goto done;
+
+ case LDAP_BACK_IDASSERT_OTHERID:
+ case LDAP_BACK_IDASSERT_OTHERDN:
+ /* assert idassert DN */
+ assertedID = li->idassert_authzID;
+ break;
+
+ default:
+ assert( 0 );
+ }
+
+ if ( BER_BVISNULL( &assertedID ) ) {
+ assertedID = slap_empty_bv;
+ }
+
+ if ( op->o_ctrls ) {
+ for ( i = 0; op->o_ctrls[ i ]; i++ )
+ /* just count ctrls */ ;
+ }
+
+ ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) );
+ ctrls[ 0 ] = ch_malloc( sizeof( LDAPControl ) );
+
+ ctrls[ 0 ]->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
+ ctrls[ 0 ]->ldctl_iscritical = 1;
+
+ switch ( li->idassert_mode ) {
+ /* already in u:ID or dn:DN form */
+ case LDAP_BACK_IDASSERT_OTHERID:
+ case LDAP_BACK_IDASSERT_OTHERDN:
+ ber_dupbv( &ctrls[ 0 ]->ldctl_value, &assertedID );
+ break;
+
+ /* needs the dn: prefix */
+ default:
+ ctrls[ 0 ]->ldctl_value.bv_len = assertedID.bv_len + STRLENOF( "dn:" );
+ ctrls[ 0 ]->ldctl_value.bv_val = ch_malloc( ctrls[ 0 ]->ldctl_value.bv_len + 1 );
+ AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val, "dn:", STRLENOF( "dn:" ) );
+ AC_MEMCPY( &ctrls[ 0 ]->ldctl_value.bv_val[ STRLENOF( "dn:" ) ],
+ assertedID.bv_val, assertedID.bv_len + 1 );
+ break;
+ }
+
+ if ( op->o_ctrls ) {
+ for ( i = 0; op->o_ctrls[ i ]; i++ ) {
+ ctrls[ i + 1 ] = op->o_ctrls[ i ];
+ }
+ }
+ ctrls[ i + 1 ] = NULL;
+
+done:;
+ if ( ctrls == NULL ) {
+ ctrls = op->o_ctrls;
+ }
+
+ *pctrls = ctrls;
+
+ return rs->sr_err;
+}
+
+int
+ldap_back_proxy_authz_ctrl_free( Operation *op, LDAPControl ***pctrls )
+{
+ LDAPControl **ctrls = *pctrls;
+
+ /* we assume that the first control is the proxyAuthz
+ * added by back-ldap, so it's the only one we explicitly
+ * free */
+ if ( ctrls && ctrls != op->o_ctrls ) {
+ assert( ctrls[ 0 ] != NULL );
+
+ if ( !BER_BVISNULL( &ctrls[ 0 ]->ldctl_value ) ) {
+ free( ctrls[ 0 ]->ldctl_value.bv_val );
+ }
+
+ free( ctrls[ 0 ] );
+ free( ctrls );
+ }
+
+ *pctrls = NULL;
+
+ return 0;
+}