+ /* if SASL supports native authz, prepare for it */
+ if ( ( !op->o_do_not_cache || !op->o_is_auth_check ) &&
+ ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) )
+ {
+ switch ( li->idassert_mode ) {
+ case LDAP_BACK_IDASSERT_OTHERID:
+ case LDAP_BACK_IDASSERT_OTHERDN:
+ authzID = li->idassert_authzID;
+ break;
+
+ case LDAP_BACK_IDASSERT_ANONYMOUS:
+ BER_BVSTR( &authzID, "dn:" );
+ break;
+
+ case LDAP_BACK_IDASSERT_SELF:
+ if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+ /* connection is not authc'd, so don't idassert */
+ BER_BVSTR( &authzID, "dn:" );
+ break;
+ }
+ authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_ndn.bv_len;
+ authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx );
+ AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
+ AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ),
+ op->o_conn->c_ndn.bv_val, op->o_conn->c_ndn.bv_len + 1 );
+ freeauthz = 1;
+ break;
+
+ default:
+ break;
+ }
+ }
+
+#if 0 /* will deal with this later... */
+ if ( sasl_secprops != NULL ) {
+ rs->sr_err = ldap_set_option( lc->lc_ld, LDAP_OPT_X_SASL_SECPROPS,
+ (void *) sasl_secprops );
+
+ if ( rs->sr_err != LDAP_OPT_SUCCESS ) {
+ send_ldap_result( op, rs );
+ lc->lc_bound = 0;
+ goto done;
+ }
+ }
+#endif
+
+ defaults = lutil_sasl_defaults( lc->lc_ld,
+ li->idassert_sasl_mech.bv_val,
+ li->idassert_sasl_realm.bv_val,
+ li->idassert_authcID.bv_val,
+ li->idassert_passwd.bv_val,
+ authzID.bv_val );
+
+ rs->sr_err = ldap_sasl_interactive_bind_s( lc->lc_ld, binddn.bv_val,
+ li->idassert_sasl_mech.bv_val, NULL, NULL,
+ LDAP_SASL_QUIET, lutil_sasl_interact,
+ defaults );
+
+ lutil_sasl_freedefs( defaults );
+ if ( freeauthz ) {
+ slap_sl_free( authzID.bv_val, op->o_tmpmemctx );
+ }
+
+ rs->sr_err = slap_map_api2result( rs );
+ if ( rs->sr_err != LDAP_SUCCESS ) {
+ lc->lc_bound = 0;
+ send_ldap_result( op, rs );
+
+ } else {
+ lc->lc_bound = 1;
+ }
+ goto done;
+#endif /* HAVE_CYRUS_SASL */
+ }
+
+ switch ( li->idassert_authmethod ) {
+ case LDAP_AUTH_SIMPLE:
+ rs->sr_err = ldap_sasl_bind( lc->lc_ld,
+ binddn.bv_val, LDAP_SASL_SIMPLE,
+ &bindcred, NULL, NULL, &msgid );
+ break;
+
+ case LDAP_AUTH_NONE:
+ lc->lc_bound = 1;
+ goto done;
+
+ default:
+ /* unsupported! */
+ lc->lc_bound = 0;
+ rs->sr_err = LDAP_AUTH_METHOD_NOT_SUPPORTED;
+ send_ldap_result( op, rs );
+ goto done;
+ }
+
+ rc = ldap_back_op_result( lc, op, rs, msgid, LDAP_BACK_SENDERR );
+ if ( rc == LDAP_SUCCESS ) {
+ lc->lc_bound = 1;
+ }
+done:;
+ return lc->lc_bound;
+}
+
+/*
+ * ldap_back_proxy_authz_ctrl() prepends a proxyAuthz control
+ * to existing server-side controls if required; if not,
+ * the existing server-side controls are placed in *pctrls.
+ * The caller, after using the controls in client API
+ * operations, if ( *pctrls != op->o_ctrls ), should
+ * free( (*pctrls)[ 0 ] ) and free( *pctrls ).
+ * The function returns success if the control could
+ * be added if required, or if it did nothing; in the future,
+ * it might return some error if it failed.
+ *
+ * if no bind took place yet, but the connection is bound
+ * and the "proxyauthzdn" is set, then bind as "proxyauthzdn"
+ * and explicitly add proxyAuthz the control to every operation
+ * with the dn bound to the connection as control value.
+ *
+ * If no server-side controls are defined for the operation,
+ * simply add the proxyAuthz control; otherwise, if the
+ * proxyAuthz control is not already set, add it as
+ * the first one
+ *
+ * FIXME: is controls order significant for security?
+ * ANSWER: controls ordering and interoperability
+ * must be indicated by the specs of each control; if none
+ * is specified, the order is irrelevant.
+ */
+int
+ldap_back_proxy_authz_ctrl(
+ struct ldapconn *lc,
+ Operation *op,
+ SlapReply *rs,
+ LDAPControl ***pctrls )
+{
+ struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
+ LDAPControl **ctrls = NULL;
+ int i = 0,
+ mode;
+ struct berval assertedID;
+
+ *pctrls = NULL;
+
+ rs->sr_err = LDAP_SUCCESS;
+
+ /* FIXME: SASL/EXTERNAL over ldapi:// doesn't honor the authcID,
+ * but if it is not set this test fails. We need a different
+ * means to detect if idassert is enabled */
+ if ( ( BER_BVISNULL( &li->idassert_authcID ) || BER_BVISEMPTY( &li->idassert_authcID ) )
+ && ( BER_BVISNULL( &li->idassert_authcDN ) || BER_BVISEMPTY( &li->idassert_authcDN ) ) )
+ {
+ goto done;
+ }
+
+ if ( !op->o_conn || op->o_do_not_cache || be_isroot( op ) ) {
+ goto done;
+ }
+
+ if ( li->idassert_mode == LDAP_BACK_IDASSERT_LEGACY ) {
+ if ( op->o_proxy_authz ) {
+ /*
+ * FIXME: we do not want to perform proxyAuthz
+ * on behalf of the client, because this would
+ * be performed with "proxyauthzdn" privileges.
+ *
+ * This might actually be too strict, since
+ * the "proxyauthzdn" authzTo, and each entry's
+ * authzFrom attributes may be crafted
+ * to avoid unwanted proxyAuthz to take place.
+ */
+#if 0
+ rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ rs->sr_text = "proxyAuthz not allowed within namingContext";
+#endif
+ goto done;
+ }
+
+ if ( !BER_BVISNULL( &lc->lc_bound_ndn ) ) {
+ goto done;
+ }
+
+ if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+ goto done;
+ }
+
+ if ( BER_BVISNULL( &li->idassert_authcDN ) ) {
+ goto done;
+ }
+
+ } else if ( li->idassert_authmethod == LDAP_AUTH_SASL ) {
+ if ( ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ )
+ /* && ( !BER_BVISNULL( &op->o_conn->c_ndn ) || lc->lc_bound ) */ )
+ {
+ /* already asserted in SASL via native authz */
+ /* NOTE: the test on lc->lc_bound is used to trap
+ * native authorization of anonymous users,
+ * since in that case op->o_conn->c_ndn is NULL */
+ goto done;
+ }
+
+ } else if ( li->idassert_authz && !be_isroot( op ) ) {
+ int rc;
+ struct berval authcDN;
+
+ if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+ authcDN = slap_empty_bv;
+ } else {
+ authcDN = op->o_conn->c_ndn;
+ }
+ rc = slap_sasl_matches( op, li->idassert_authz,
+ &authcDN, & authcDN );
+ if ( rc != LDAP_SUCCESS ) {
+ if ( li->idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE )
+ {
+ /* op->o_conn->c_ndn is not authorized
+ * to use idassert */
+ return rc;
+ }
+ return rs->sr_err;
+ }
+ }
+
+ if ( op->o_proxy_authz ) {
+ /*
+ * FIXME: we can:
+ * 1) ignore the already set proxyAuthz control
+ * 2) leave it in place, and don't set ours
+ * 3) add both
+ * 4) reject the operation
+ *
+ * option (4) is very drastic
+ * option (3) will make the remote server reject
+ * the operation, thus being equivalent to (4)
+ * option (2) will likely break the idassert
+ * assumptions, so we cannot accept it;
+ * option (1) means that we are contradicting
+ * the client's reques.
+ *
+ * I think (4) is the only correct choice.
+ */
+ rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ rs->sr_text = "proxyAuthz not allowed within namingContext";