-static int
-parse_idassert(
- BackendDB *be,
- const char *fname,
- int lineno,
- int argc,
- char **argv
-)
-{
- struct ldapinfo *li = (struct ldapinfo *) be->be_private;
-
- /* identity assertion mode */
- if ( strcasecmp( argv[0], "idassert-mode" ) == 0 ) {
- if ( argc < 2 ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: illegal args number %d in \"idassert-mode <args> [<flag> [...]]\" line.\n",
- fname, lineno, argc );
- return 1;
- }
-
- if ( strcasecmp( argv[1], "legacy" ) == 0 ) {
- /* will proxyAuthz as client's identity only if bound */
- li->idassert_mode = LDAP_BACK_IDASSERT_LEGACY;
-
- } else if ( strcasecmp( argv[1], "self" ) == 0 ) {
- /* will proxyAuthz as client's identity */
- li->idassert_mode = LDAP_BACK_IDASSERT_SELF;
-
- } else if ( strcasecmp( argv[1], "anonymous" ) == 0 ) {
- /* will proxyAuthz as anonymous */
- li->idassert_mode = LDAP_BACK_IDASSERT_ANONYMOUS;
-
- } else if ( strcasecmp( argv[1], "none" ) == 0 ) {
- /* will not proxyAuthz */
- li->idassert_mode = LDAP_BACK_IDASSERT_NOASSERT;
-
- } else {
- struct berval id;
- int rc;
-
- /* will proxyAuthz as argv[1] */
- ber_str2bv( argv[1], 0, 0, &id );
-
- if ( strncasecmp( id.bv_val, "u:", STRLENOF( "u:" ) ) == 0 ) {
- /* force lowercase... */
- id.bv_val[0] = 'u';
- li->idassert_mode = LDAP_BACK_IDASSERT_OTHERID;
- ber_dupbv( &li->idassert_authzID, &id );
-
- } else {
- struct berval dn;
-
- /* default is DN? */
- if ( strncasecmp( id.bv_val, "dn:", STRLENOF( "dn:" ) ) == 0 ) {
- id.bv_val += STRLENOF( "dn:" );
- id.bv_len -= STRLENOF( "dn:" );
- }
-
- rc = dnNormalize( 0, NULL, NULL, &id, &dn, NULL );
- if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: idassert ID \"%s\" is not a valid DN\n",
- fname, lineno, argv[1] );
- return 1;
- }
-
- li->idassert_authzID.bv_len = STRLENOF( "dn:" ) + dn.bv_len;
- li->idassert_authzID.bv_val = ch_malloc( li->idassert_authzID.bv_len + 1 );
- AC_MEMCPY( li->idassert_authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
- AC_MEMCPY( &li->idassert_authzID.bv_val[ STRLENOF( "dn:" ) ], dn.bv_val, dn.bv_len + 1 );
- ch_free( dn.bv_val );
-
- li->idassert_mode = LDAP_BACK_IDASSERT_OTHERDN;
- }
- }
-
- for ( argc -= 2, argv += 2; argc--; argv++ ) {
- if ( strcasecmp( argv[0], "override" ) == 0 ) {
- li->idassert_flags |= LDAP_BACK_AUTH_OVERRIDE;
-
- } else {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: unknown flag \"%s\" "
- "in \"idassert-mode <args> "
- "[<flags>]\" line.\n",
- fname, lineno, argv[0] );
- return 1;
- }
- }
-
- /* name to use for proxyAuthz propagation */
- } else if ( strcasecmp( argv[0], "idassert-authcdn" ) == 0
- || strcasecmp( argv[0], "proxyauthzdn" ) == 0 )
- {
- struct berval dn;
- int rc;
-
- /* FIXME: "proxyauthzdn" is no longer documented, and
- * temporarily supported for backwards compatibility */
-
- if ( argc != 2 ) {
- fprintf( stderr,
- "%s: line %d: missing name in \"%s <name>\" line\n",
- fname, lineno, argv[0] );
- return( 1 );
- }
-
- if ( !BER_BVISNULL( &li->idassert_authcDN ) ) {
- fprintf( stderr, "%s: line %d: "
- "authcDN already defined; replacing...\n",
- fname, lineno );
- ch_free( li->idassert_authcDN.bv_val );
- }
-
- ber_str2bv( argv[1], 0, 0, &dn );
- rc = dnNormalize( 0, NULL, NULL, &dn, &li->idassert_authcDN, NULL );
- if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: idassert ID \"%s\" is not a valid DN\n",
- fname, lineno, argv[1] );
- return 1;
- }
-
- /* password to use for proxyAuthz propagation */
- } else if ( strcasecmp( argv[0], "idassert-passwd" ) == 0
- || strcasecmp( argv[0], "proxyauthzpw" ) == 0 )
- {
- /* FIXME: "proxyauthzpw" is no longer documented, and
- * temporarily supported for backwards compatibility */
-
- if ( argc != 2 ) {
- fprintf( stderr,
- "%s: line %d: missing password in \"%s <password>\" line\n",
- fname, lineno, argv[0] );
- return( 1 );
- }
-
- if ( !BER_BVISNULL( &li->idassert_passwd ) ) {
- fprintf( stderr, "%s: line %d: "
- "passwd already defined; replacing...\n",
- fname, lineno );
- ch_free( li->idassert_passwd.bv_val );
- }
-
- ber_str2bv( argv[1], 0, 1, &li->idassert_passwd );
-
- /* rules to accept identity assertion... */
- } else if ( strcasecmp( argv[0], "idassert-authzFrom" ) == 0 ) {
- struct berval rule;
-
- ber_str2bv( argv[1], 0, 1, &rule );
-
- ber_bvarray_add( &li->idassert_authz, &rule );
-
- } else if ( strcasecmp( argv[0], "idassert-method" ) == 0 ) {
- char *argv1;
-
- if ( argc < 2 ) {
- fprintf( stderr,
- "%s: line %d: missing method in \"%s <method>\" line\n",
- fname, lineno, argv[0] );
- return( 1 );
- }
-
- argv1 = argv[1];
- if ( strncasecmp( argv1, "bindmethod=", STRLENOF( "bindmethod=" ) ) == 0 ) {
- argv1 += STRLENOF( "bindmethod=" );
- }
-
- if ( strcasecmp( argv1, "none" ) == 0 ) {
- /* FIXME: is this at all useful? */
- li->idassert_authmethod = LDAP_AUTH_NONE;
-
- if ( argc != 2 ) {
- fprintf( stderr,
- "%s: line %d: trailing args in \"%s %s ...\" line ignored\"\n",
- fname, lineno, argv[0], argv[1] );
- }
-
- } else if ( strcasecmp( argv1, "simple" ) == 0 ) {
- int arg;
-
- for ( arg = 2; arg < argc; arg++ ) {
- if ( strncasecmp( argv[arg], "authcdn=", STRLENOF( "authcdn=" ) ) == 0 ) {
- char *val = argv[arg] + STRLENOF( "authcdn=" );
- struct berval dn;
- int rc;
-
- if ( !BER_BVISNULL( &li->idassert_authcDN ) ) {
- fprintf( stderr, "%s: line %d: "
- "SASL authcDN already defined; replacing...\n",
- fname, lineno );
- ch_free( li->idassert_authcDN.bv_val );
- }
- if ( strncasecmp( argv[arg], "dn:", STRLENOF( "dn:" ) ) == 0 ) {
- val += STRLENOF( "dn:" );
- }
-
- ber_str2bv( val, 0, 0, &dn );
- rc = dnNormalize( 0, NULL, NULL, &dn, &li->idassert_authcDN, NULL );
- if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: SASL authcdn \"%s\" is not a valid DN\n",
- fname, lineno, val );
- return 1;
- }
-
- } else if ( strncasecmp( argv[arg], "cred=", STRLENOF( "cred=" ) ) == 0 ) {
- char *val = argv[arg] + STRLENOF( "cred=" );
-
- if ( !BER_BVISNULL( &li->idassert_passwd ) ) {
- fprintf( stderr, "%s: line %d: "
- "SASL cred already defined; replacing...\n",
- fname, lineno );
- ch_free( li->idassert_passwd.bv_val );
- }
- ber_str2bv( val, 0, 1, &li->idassert_passwd );
-
- } else {
- fprintf( stderr, "%s: line %d: "
- "unknown parameter %s\n",
- fname, lineno, argv[arg] );
- return 1;
- }
- }
-
- li->idassert_authmethod = LDAP_AUTH_SIMPLE;
-
- } else if ( strcasecmp( argv1, "sasl" ) == 0 ) {
-#ifdef HAVE_CYRUS_SASL
- int arg;
-
- for ( arg = 2; arg < argc; arg++ ) {
- if ( strncasecmp( argv[arg], "mech=", STRLENOF( "mech=" ) ) == 0 ) {
- char *val = argv[arg] + STRLENOF( "mech=" );
-
- if ( !BER_BVISNULL( &li->idassert_sasl_mech ) ) {
- fprintf( stderr, "%s: line %d: "
- "SASL mech already defined; replacing...\n",
- fname, lineno );
- ch_free( li->idassert_sasl_mech.bv_val );
- }
- ber_str2bv( val, 0, 1, &li->idassert_sasl_mech );
-
- } else if ( strncasecmp( argv[arg], "realm=", STRLENOF( "realm=" ) ) == 0 ) {
- char *val = argv[arg] + STRLENOF( "realm=" );
-
- if ( !BER_BVISNULL( &li->idassert_sasl_realm ) ) {
- fprintf( stderr, "%s: line %d: "
- "SASL realm already defined; replacing...\n",
- fname, lineno );
- ch_free( li->idassert_sasl_realm.bv_val );
- }
- ber_str2bv( val, 0, 1, &li->idassert_sasl_realm );
-
- } else if ( strncasecmp( argv[arg], "authcdn=", STRLENOF( "authcdn=" ) ) == 0 ) {
- char *val = argv[arg] + STRLENOF( "authcdn=" );
- struct berval dn;
- int rc;
-
- if ( !BER_BVISNULL( &li->idassert_authcDN ) ) {
- fprintf( stderr, "%s: line %d: "
- "SASL authcDN already defined; replacing...\n",
- fname, lineno );
- ch_free( li->idassert_authcDN.bv_val );
- }
- if ( strncasecmp( argv[arg], "dn:", STRLENOF( "dn:" ) ) == 0 ) {
- val += STRLENOF( "dn:" );
- }
-
- ber_str2bv( val, 0, 0, &dn );
- rc = dnNormalize( 0, NULL, NULL, &dn, &li->idassert_authcDN, NULL );
- if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: SASL authcdn \"%s\" is not a valid DN\n",
- fname, lineno, val );
- return 1;
- }
-
- } else if ( strncasecmp( argv[arg], "authcid=", STRLENOF( "authcid=" ) ) == 0 ) {
- char *val = argv[arg] + STRLENOF( "authcid=" );
-
- if ( !BER_BVISNULL( &li->idassert_authcID ) ) {
- fprintf( stderr, "%s: line %d: "
- "SASL authcID already defined; replacing...\n",
- fname, lineno );
- ch_free( li->idassert_authcID.bv_val );
- }
- if ( strncasecmp( argv[arg], "u:", STRLENOF( "u:" ) ) == 0 ) {
- val += STRLENOF( "u:" );
- }
- ber_str2bv( val, 0, 1, &li->idassert_authcID );
-
- } else if ( strncasecmp( argv[arg], "cred=", STRLENOF( "cred=" ) ) == 0 ) {
- char *val = argv[arg] + STRLENOF( "cred=" );
-
- if ( !BER_BVISNULL( &li->idassert_passwd ) ) {
- fprintf( stderr, "%s: line %d: "
- "SASL cred already defined; replacing...\n",
- fname, lineno );
- ch_free( li->idassert_passwd.bv_val );
- }
- ber_str2bv( val, 0, 1, &li->idassert_passwd );
-
- } else if ( strncasecmp( argv[arg], "authz=", STRLENOF( "authz=" ) ) == 0 ) {
- char *val = argv[arg] + STRLENOF( "authz=" );
-
- if ( strcasecmp( val, "proxyauthz" ) == 0 ) {
- li->idassert_flags &= ~LDAP_BACK_AUTH_NATIVE_AUTHZ;
-
- } else if ( strcasecmp( val, "native" ) == 0 ) {
- li->idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ;
-
- } else {
- fprintf( stderr, "%s: line %d: "
- "unknown authz mode \"%s\"\n",
- fname, lineno, val );
- return 1;
- }
-
- } else {
- fprintf( stderr, "%s: line %d: "
- "unknown SASL parameter %s\n",
- fname, lineno, argv[arg] );
- return 1;
- }
- }
-
- li->idassert_authmethod = LDAP_AUTH_SASL;
-
-#else /* !HAVE_CYRUS_SASL */
- fprintf( stderr, "%s: line %d: "
- "compile --with-cyrus-sasl to enable SASL auth\n",
- fname, lineno );
- return 1;
-#endif /* !HAVE_CYRUS_SASL */
-
- } else {
- fprintf( stderr, "%s: line %d: "
- "unhandled idassert-method method %s\n",
- fname, lineno, argv[1] );
- return 1;
- }
-
- } else {
- return SLAP_CONF_UNKNOWN;
- }
-
- return 0;
-}
-
-static int
-parse_acl_auth(
- BackendDB *be,
- const char *fname,
- int lineno,
- int argc,
- char **argv
-)
-{
- struct ldapinfo *li = (struct ldapinfo *) be->be_private;
-
- /* name to use for remote ACL access */
- if ( strcasecmp( argv[0], "acl-authcdn" ) == 0
- || strcasecmp( argv[0], "binddn" ) == 0 )
- {
- struct berval dn;
- int rc;
-
- /* FIXME: "binddn" is no longer documented, and
- * temporarily supported for backwards compatibility */
-
- if ( argc != 2 ) {
- fprintf( stderr,
- "%s: line %d: missing name in \"%s <name>\" line\n",
- fname, lineno, argv[0] );
- return( 1 );
- }
-
- if ( !BER_BVISNULL( &li->acl_authcDN ) ) {
- fprintf( stderr, "%s: line %d: "
- "authcDN already defined; replacing...\n",
- fname, lineno );
- ch_free( li->acl_authcDN.bv_val );
- }
-
- ber_str2bv( argv[1], 0, 0, &dn );
- rc = dnNormalize( 0, NULL, NULL, &dn, &li->acl_authcDN, NULL );
- if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: acl ID \"%s\" is not a valid DN\n",
- fname, lineno, argv[1] );
- return 1;
- }
-
- /* password to use for remote ACL access */
- } else if ( strcasecmp( argv[0], "acl-passwd" ) == 0
- || strcasecmp( argv[0], "bindpw" ) == 0 )
- {
- /* FIXME: "bindpw" is no longer documented, and
- * temporarily supported for backwards compatibility */
-
- if ( argc != 2 ) {
- fprintf( stderr,
- "%s: line %d: missing password in \"%s <password>\" line\n",
- fname, lineno, argv[0] );
- return( 1 );
- }
-
- if ( !BER_BVISNULL( &li->acl_passwd ) ) {
- fprintf( stderr, "%s: line %d: "
- "passwd already defined; replacing...\n",
- fname, lineno );
- ch_free( li->acl_passwd.bv_val );
- }
-
- ber_str2bv( argv[1], 0, 1, &li->acl_passwd );
-
- } else if ( strcasecmp( argv[0], "acl-method" ) == 0 ) {
- char *argv1;
-
- if ( argc < 2 ) {
- fprintf( stderr,
- "%s: line %d: missing method in \"%s <method>\" line\n",
- fname, lineno, argv[0] );
- return( 1 );
- }
-
- argv1 = argv[1];
- if ( strncasecmp( argv1, "bindmethod=", STRLENOF( "bindmethod=" ) ) == 0 ) {
- argv1 += STRLENOF( "bindmethod=" );
- }
-
- if ( strcasecmp( argv1, "none" ) == 0 ) {
- /* FIXME: is this at all useful? */
- li->acl_authmethod = LDAP_AUTH_NONE;
-
- if ( argc != 2 ) {
- fprintf( stderr,
- "%s: line %d: trailing args in \"%s %s ...\" line ignored\"\n",
- fname, lineno, argv[0], argv[1] );
- }
-
- } else if ( strcasecmp( argv1, "simple" ) == 0 ) {
- li->acl_authmethod = LDAP_AUTH_SIMPLE;
-
- if ( argc != 2 ) {
- fprintf( stderr,
- "%s: line %d: trailing args in \"%s %s ...\" line ignored\"\n",
- fname, lineno, argv[0], argv[1] );
- }
-
- } else if ( strcasecmp( argv1, "sasl" ) == 0 ) {
-#ifdef HAVE_CYRUS_SASL
- int arg;
-
- for ( arg = 2; arg < argc; arg++ ) {
- if ( strncasecmp( argv[arg], "mech=", STRLENOF( "mech=" ) ) == 0 ) {
- char *val = argv[arg] + STRLENOF( "mech=" );
-
- if ( !BER_BVISNULL( &li->acl_sasl_mech ) ) {
- fprintf( stderr, "%s: line %d: "
- "SASL mech already defined; replacing...\n",
- fname, lineno );
- ch_free( li->acl_sasl_mech.bv_val );
- }
- ber_str2bv( val, 0, 1, &li->acl_sasl_mech );
-
- } else if ( strncasecmp( argv[arg], "realm=", STRLENOF( "realm=" ) ) == 0 ) {
- char *val = argv[arg] + STRLENOF( "realm=" );
-
- if ( !BER_BVISNULL( &li->acl_sasl_realm ) ) {
- fprintf( stderr, "%s: line %d: "
- "SASL realm already defined; replacing...\n",
- fname, lineno );
- ch_free( li->acl_sasl_realm.bv_val );
- }
- ber_str2bv( val, 0, 1, &li->acl_sasl_realm );
-
- } else if ( strncasecmp( argv[arg], "authcdn=", STRLENOF( "authcdn=" ) ) == 0 ) {
- char *val = argv[arg] + STRLENOF( "authcdn=" );
- struct berval dn;
- int rc;
-
- if ( !BER_BVISNULL( &li->acl_authcDN ) ) {
- fprintf( stderr, "%s: line %d: "
- "SASL authcDN already defined; replacing...\n",
- fname, lineno );
- ch_free( li->acl_authcDN.bv_val );
- }
- if ( strncasecmp( argv[arg], "dn:", STRLENOF( "dn:" ) ) == 0 ) {
- val += STRLENOF( "dn:" );
- }
-
- ber_str2bv( val, 0, 0, &dn );
- rc = dnNormalize( 0, NULL, NULL, &dn, &li->acl_authcDN, NULL );
- if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: SASL authcdn \"%s\" is not a valid DN\n",
- fname, lineno, val );
- return 1;
- }
-
- } else if ( strncasecmp( argv[arg], "authcid=", STRLENOF( "authcid=" ) ) == 0 ) {
- char *val = argv[arg] + STRLENOF( "authcid=" );
-
- if ( !BER_BVISNULL( &li->acl_authcID ) ) {
- fprintf( stderr, "%s: line %d: "
- "SASL authcID already defined; replacing...\n",
- fname, lineno );
- ch_free( li->acl_authcID.bv_val );
- }
- if ( strncasecmp( argv[arg], "u:", STRLENOF( "u:" ) ) == 0 ) {
- val += STRLENOF( "u:" );
- }
- ber_str2bv( val, 0, 1, &li->acl_authcID );
-
- } else if ( strncasecmp( argv[arg], "cred=", STRLENOF( "cred=" ) ) == 0 ) {
- char *val = argv[arg] + STRLENOF( "cred=" );
-
- if ( !BER_BVISNULL( &li->acl_passwd ) ) {
- fprintf( stderr, "%s: line %d: "
- "SASL cred already defined; replacing...\n",
- fname, lineno );
- ch_free( li->acl_passwd.bv_val );
- }
- ber_str2bv( val, 0, 1, &li->acl_passwd );
-
- } else {
- fprintf( stderr, "%s: line %d: "
- "unknown SASL parameter %s\n",
- fname, lineno, argv[arg] );
- return 1;
- }
- }
-
- li->acl_authmethod = LDAP_AUTH_SASL;
-
-#else /* !HAVE_CYRUS_SASL */
- fprintf( stderr, "%s: line %d: "
- "compile --with-cyrus-sasl to enable SASL auth\n",
- fname, lineno );
- return 1;
-#endif /* !HAVE_CYRUS_SASL */
-
- } else {
- fprintf( stderr, "%s: line %d: "
- "unhandled acl-method method %s\n",
- fname, lineno, argv[1] );
- return 1;
- }
-
- } else {
- return SLAP_CONF_UNKNOWN;
- }
-
- return 0;
-}
-