li->url = ch_strdup( argv[ 1 ] );
#endif
+ } else if ( strncasecmp( argv[0], "tls-", STRLENOF( "tls-" ) ) == 0 ) {
+
+ /* start tls */
+ if ( strcasecmp( argv[0], "tls-start" ) == 0 ) {
+ if ( argc != 1 ) {
+ fprintf( stderr,
+ "%s: line %d: tls-start takes no arguments\n",
+ fname, lineno );
+ return( 1 );
+ }
+ li->flags |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
+
+ /* try start tls */
+ } else if ( strcasecmp( argv[0], "tls-try-start" ) == 0 ) {
+ if ( argc != 1 ) {
+ fprintf( stderr,
+ "%s: line %d: tls-try-start takes no arguments\n",
+ fname, lineno );
+ return( 1 );
+ }
+ li->flags &= ~LDAP_BACK_F_TLS_CRITICAL;
+ li->flags |= LDAP_BACK_F_USE_TLS;
+
+ /* propagate start tls */
+ } else if ( strcasecmp( argv[0], "tls-propagate" ) == 0 ) {
+ if ( argc != 1 ) {
+ fprintf( stderr,
+ "%s: line %d: tls-propagate takes no arguments\n",
+ fname, lineno );
+ return( 1 );
+ }
+ li->flags |= ( LDAP_BACK_F_PROPAGATE_TLS | LDAP_BACK_F_TLS_CRITICAL );
+
+ /* try start tls */
+ } else if ( strcasecmp( argv[0], "tls-try-propagate" ) == 0 ) {
+ if ( argc != 1 ) {
+ fprintf( stderr,
+ "%s: line %d: tls-try-propagate takes no arguments\n",
+ fname, lineno );
+ return( 1 );
+ }
+ li->flags &= ~LDAP_BACK_F_TLS_CRITICAL;
+ li->flags |= LDAP_BACK_F_PROPAGATE_TLS;
+ }
+
/* name to use for ldap_back_group */
} else if ( strcasecmp( argv[0], "acl-authcdn" ) == 0
- || strcasecmp( argv[0], "binddn" ) == 0 ) {
+ || strcasecmp( argv[0], "binddn" ) == 0 )
+ {
if ( argc != 2 ) {
fprintf( stderr,
"%s: line %d: missing name in \"%s <name>\" line\n",
fname, lineno, argv[0] );
return( 1 );
}
+
+ if ( strcasecmp( argv[0], "binddn" ) == 0 ) {
+ fprintf( stderr, "%s: line %d: "
+ "\"binddn\" statement is deprecated; "
+ "use \"acl-authcDN\" instead\n",
+ fname, lineno );
+ /* FIXME: some day we'll need to throw an error */
+ }
+
ber_str2bv( argv[1], 0, 1, &li->acl_authcDN );
/* password to use for ldap_back_group */
} else if ( strcasecmp( argv[0], "acl-passwd" ) == 0
- || strcasecmp( argv[0], "bindpw" ) == 0 ) {
+ || strcasecmp( argv[0], "bindpw" ) == 0 )
+ {
if ( argc != 2 ) {
fprintf( stderr,
"%s: line %d: missing password in \"%s <password>\" line\n",
fname, lineno, argv[0] );
return( 1 );
}
+
+ if ( strcasecmp( argv[0], "bindpw" ) == 0 ) {
+ fprintf( stderr, "%s: line %d: "
+ "\"bindpw\" statement is deprecated; "
+ "use \"acl-passwd\" instead\n",
+ fname, lineno );
+ /* FIXME: some day we'll need to throw an error */
+ }
+
ber_str2bv( argv[1], 0, 1, &li->acl_passwd );
-#ifdef LDAP_BACK_PROXY_AUTHZ
/* identity assertion stuff... */
} else if ( strncasecmp( argv[0], "idassert-", STRLENOF( "idassert-" ) ) == 0
- || strncasecmp( argv[0], "proxyauthz", STRLENOF( "proxyauthz" ) ) == 0 ) {
+ || strncasecmp( argv[0], "proxyauthz", STRLENOF( "proxyauthz" ) ) == 0 )
+ {
+ /* NOTE: "proxyauthz{DN,pw}" was initially used; it's now
+ * deprected and undocumented, it can be dropped at some
+ * point, since nobody should be really using it */
return parse_idassert( be, fname, lineno, argc, argv );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
/* save bind creds for referral rebinds? */
} else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) {
if ( argc != 1 ) {
fprintf( stderr,
- "%s: line %d: rebind-as-user takes no arguments\n",
+ "%s: line %d: \"rebind-as-user\" takes no arguments\n",
fname, lineno );
return( 1 );
}
- li->savecred = 1;
-
+ li->flags |= LDAP_BACK_F_SAVECRED;
+
+ } else if ( strcasecmp( argv[0], "chase-referrals" ) == 0 ) {
+ if ( argc != 1 ) {
+ fprintf( stderr,
+ "%s: line %d: \"chase-referrals\" takes no arguments\n",
+ fname, lineno );
+ return( 1 );
+ }
+
+ li->flags |= LDAP_BACK_F_CHASE_REFERRALS;
+
+ } else if ( strcasecmp( argv[0], "dont-chase-referrals" ) == 0 ) {
+ if ( argc != 1 ) {
+ fprintf( stderr,
+ "%s: line %d: \"dont-chase-referrals\" takes no arguments\n",
+ fname, lineno );
+ return( 1 );
+ }
+
+ li->flags &= ~LDAP_BACK_F_CHASE_REFERRALS;
+
/* intercept exop_who_am_i? */
} else if ( strcasecmp( argv[0], "proxy-whoami" ) == 0 ) {
if ( argc != 1 ) {
ctrls[0] = &c;
op2.o_ndn = op->o_conn->c_ndn;
- lc = ldap_back_getconn(&op2, rs);
- if (!lc || !ldap_back_dobind( lc, op, rs )) {
+ lc = ldap_back_getconn(&op2, rs, LDAP_BACK_SENDERR);
+ if (!lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR )) {
return -1;
}
c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
&rs->sr_err);
if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) {
do_retry = 0;
- if ( ldap_back_retry( lc, op, rs ) )
+ if ( ldap_back_retry( lc, op, rs, LDAP_BACK_SENDERR ) )
goto retry;
}
ldap_back_freeconn( op, lc );
}
-#ifdef LDAP_BACK_PROXY_AUTHZ
static int
parse_idassert(
BackendDB *be,
}
if ( strcasecmp( argv[1], "none" ) == 0 ) {
- /* FIXME: is this useful? */
+ /* FIXME: is this at all useful? */
li->idassert_authmethod = LDAP_AUTH_NONE;
if ( argc != 2 ) {
li->idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ;
} else {
- fprintf( stderr, "%s: line %s: "
+ fprintf( stderr, "%s: line %d: "
"unknown authz mode \"%s\"\n",
fname, lineno, val );
return 1;
return 0;
}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
projects / openldap / blobdiff