/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1999-2003 The OpenLDAP Foundation.
+ * Copyright 1999-2004 The OpenLDAP Foundation.
+ * Portions Copyright 2000-2003 Pierangelo Masarati.
+ * Portions Copyright 1999-2003 Howard Chu.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* in OpenLDAP Software and subsequently enhanced by Pierangelo
* Masarati.
*/
-/* This is an altered version */
-/*
- * Copyright 1999, Howard Chu, All rights reserved. <hyc@highlandsun.com>
- *
- * Permission is granted to anyone to use this software for any purpose
- * on any computer system, and to alter it and redistribute it, subject
- * to the following restrictions:
- *
- * 1. The author is not responsible for the consequences of use of this
- * software, no matter how awful, even if they arise from flaws in it.
- *
- * 2. The origin of this software must not be misrepresented, either by
- * explicit claim or by omission. Since few users ever read sources,
- * credits should appear in the documentation.
- *
- * 3. Altered versions must be plainly marked as such, and must not be
- * misrepresented as being the original software. Since few users
- * ever read sources, credits should appear in the documentation.
- *
- * 4. This notice may not be removed or altered.
- *
- *
- *
- * Copyright 2000, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
- *
- * This software is being modified by Pierangelo Masarati.
- * The previously reported conditions apply to the modified code as well.
- * Changes in the original code are highlighted where required.
- * Credits for the original code go to the author, Howard Chu.
- */
#include "portable.h"
#ifdef LDAP_BACK_PROXY_AUTHZ
int gotit = 0;
#if 0
- int i;
-
/*
* FIXME: we need to let clients use proxyAuthz
* otherwise we cannot do symmetric pools of servers;
* we have to live with the fact that a user can
* authorize itself as any ID that is allowed
- * by the saslAuthzTo directive of the "binddn".
+ * by the saslAuthzTo directive of the "proxyauthzdn".
*/
- for ( i = 0; op->o_ctrls && op->o_ctrls[ i ]; i++ ) {
- if ( strcmp( op->o_ctrls[i]->ldctl_oid, LDAP_CONTROL_PROXY_AUTHZ ) == 0 ) {
- gotit = 1;
- break;
- }
- }
+ /*
+ * NOTE: current Proxy Authorization specification
+ * and implementation do not allow proxy authorization
+ * control to be provided with Bind requests
+ */
+ gotit = op->o_proxy_authz;
#endif
/*
* if no bind took place yet, but the connection is bound
- * and the binddn is set, then bind with binddn and
- * explicitly add proxyAuthz control to every operation
- * with the dn bound to the connection as control value.
+ * and the "proxyauthzdn" is set, then bind as
+ * "proxyauthzdn" and explicitly add the proxyAuthz
+ * control to every operation with the dn bound
+ * to the connection as control value.
*/
if ( ( lc->bound_dn.bv_val == NULL || lc->bound_dn.bv_len == 0 )
&& ( op->o_conn && op->o_conn->c_dn.bv_val != NULL && op->o_conn->c_dn.bv_len != 0 )
- && ( li->binddn.bv_val != NULL && li->binddn.bv_len != 0 )
+ && ( li->proxyauthzdn.bv_val != NULL && li->proxyauthzdn.bv_len != 0 )
&& ! gotit ) {
- rs->sr_err = ldap_sasl_bind(lc->ld, li->binddn.bv_val,
- LDAP_SASL_SIMPLE, &li->bindpw, NULL, NULL, &msgid);
+ rs->sr_err = ldap_sasl_bind(lc->ld, li->proxyauthzdn.bv_val,
+ LDAP_SASL_SIMPLE, &li->proxyauthzpw, NULL, NULL, &msgid);
} else
#endif /* LDAP_BACK_PROXY_AUTHZ */
* it might return some error if it failed.
*
* if no bind took place yet, but the connection is bound
- * and the binddn is set, then bind with binddn and
- * explicitly add proxyAuthz control to every operation
+ * and the "proxyauthzdn" is set, then bind as "proxyauthzdn"
+ * and explicitly add proxyAuthz the control to every operation
* with the dn bound to the connection as control value.
*
* If no server-side controls are defined for the operation,
if ( ( lc->bound_dn.bv_val == NULL || lc->bound_dn.bv_len == 0 )
&& ( op->o_conn && op->o_conn->c_dn.bv_val != NULL && op->o_conn->c_dn.bv_len != 0 )
- && ( li->binddn.bv_val != NULL && li->binddn.bv_len != 0 ) ) {
- int i = 0, gotit = 0;
-
- if ( op->o_ctrls ) {
- for ( i = 0; op->o_ctrls[i]; i++ ) {
- if ( strcmp( op->o_ctrls[i]->ldctl_oid, LDAP_CONTROL_PROXY_AUTHZ ) == 0 ) {
- gotit = 1;
- break;
- }
- }
- }
+ && ( li->proxyauthzdn.bv_val != NULL && li->proxyauthzdn.bv_len != 0 ) ) {
+ int i = 0;
- if ( ! gotit ) {
+ if ( !op->o_proxy_authz ) {
ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) );
ctrls[ 0 ] = ch_malloc( sizeof( LDAPControl ) );
/*
* FIXME: we do not want to perform proxyAuthz
* on behalf of the client, because this would
- * be performed with "binddn" privileges.
+ * be performed with "proxyauthzdn" privileges.
*
* This might actually be too strict, since
- * the "binddn" saslAuthzTo, and each entry's
+ * the "proxyauthzdn" saslAuthzTo, and each entry's
* saslAuthzFrom attributes may be crafted
* to avoid unwanted proxyAuthz to take place.
*/