/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 2003-2008 The OpenLDAP Foundation.
+ * Copyright 2003-2010 The OpenLDAP Foundation.
* Portions Copyright 1999-2003 Howard Chu.
* Portions Copyright 2000-2003 Pierangelo Masarati.
* All rights reserved.
static SLAP_EXTOP_MAIN_FN ldap_back_exop_whoami;
static ConfigDriver ldap_back_cf_gen;
+static ConfigDriver ldap_pbind_cf_gen;
enum {
LDAP_BACK_CFG_URI = 1,
LDAP_BACK_CFG_IDASSERT_AUTHCDN,
LDAP_BACK_CFG_IDASSERT_PASSWD,
LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
+ LDAP_BACK_CFG_IDASSERT_PASSTHRU,
LDAP_BACK_CFG_IDASSERT_METHOD,
LDAP_BACK_CFG_IDASSERT_BIND,
LDAP_BACK_CFG_REBIND,
ldap_back_cf_gen, "( OLcfgDbAt:3.9 "
"NAME 'olcDbIDAssertAuthzFrom' "
"DESC 'Remote Identity Assertion authz rules' "
+ "EQUALITY caseIgnoreMatch "
"SYNTAX OMsDirectoryString "
"X-ORDERED 'VALUES' )",
NULL, NULL },
"SYNTAX OMsBoolean "
"SINGLE-VALUE )",
NULL, NULL },
+ { "idassert-passThru", "authzRule", 2, 2, 0,
+ ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_PASSTHRU,
+ ldap_back_cf_gen, "( OLcfgDbAt:3.27 "
+ "NAME 'olcDbIDAssertPassThru' "
+ "DESC 'Remote Identity Assertion passthru rules' "
+ "EQUALITY caseIgnoreMatch "
+ "SYNTAX OMsDirectoryString "
+ "X-ORDERED 'VALUES' )",
+ NULL, NULL },
+
{ "suffixmassage", "[virtual]> <real", 2, 3, 0,
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
ldap_back_cf_gen, NULL, NULL, NULL },
"$ olcDbIDAssertBind "
"$ olcDbIDAssertMode "
"$ olcDbIDAssertAuthzFrom "
+ "$ olcDbIDAssertPassThru "
"$ olcDbRebindAsUser "
"$ olcDbChaseReferrals "
"$ olcDbTFSupport "
"$ olcDbProxyWhoAmI "
"$ olcDbTimeout "
"$ olcDbIdleTimeout "
+ "$ olcDbConnTtl "
+ "$ olcDbNetworkTimeout "
+ "$ olcDbProtocolVersion "
"$ olcDbSingleConn "
"$ olcDbCancel "
"$ olcDbQuarantine "
{ NULL, 0, NULL }
};
+static ConfigTable pbindcfg[] = {
+ { "uri", "uri", 2, 2, 0,
+ ARG_MAGIC|LDAP_BACK_CFG_URI,
+ ldap_pbind_cf_gen, "( OLcfgDbAt:0.14 "
+ "NAME 'olcDbURI' "
+ "DESC 'URI (list) for remote DSA' "
+ "SYNTAX OMsDirectoryString "
+ "SINGLE-VALUE )",
+ NULL, NULL },
+ { "tls", "what", 2, 0, 0,
+ ARG_MAGIC|LDAP_BACK_CFG_TLS,
+ ldap_pbind_cf_gen, "( OLcfgDbAt:3.1 "
+ "NAME 'olcDbStartTLS' "
+ "DESC 'StartTLS' "
+ "SYNTAX OMsDirectoryString "
+ "SINGLE-VALUE )",
+ NULL, NULL },
+ { "network-timeout", "timeout", 2, 2, 0,
+ ARG_MAGIC|LDAP_BACK_CFG_NETWORK_TIMEOUT,
+ ldap_pbind_cf_gen, "( OLcfgDbAt:3.17 "
+ "NAME 'olcDbNetworkTimeout' "
+ "DESC 'connection network timeout' "
+ "SYNTAX OMsDirectoryString "
+ "SINGLE-VALUE )",
+ NULL, NULL },
+ { "quarantine", "retrylist", 2, 2, 0,
+ ARG_MAGIC|LDAP_BACK_CFG_QUARANTINE,
+ ldap_pbind_cf_gen, "( OLcfgDbAt:3.21 "
+ "NAME 'olcDbQuarantine' "
+ "DESC 'Quarantine database if connection fails and retry according to rule' "
+ "SYNTAX OMsDirectoryString "
+ "SINGLE-VALUE )",
+ NULL, NULL },
+ { NULL, NULL, 0, 0, 0, ARG_IGNORED,
+ NULL, NULL, NULL, NULL }
+};
+
+static ConfigOCs pbindocs[] = {
+ { "( OLcfgOvOc:3.3 "
+ "NAME 'olcPBindConfig' "
+ "DESC 'Proxy Bind configuration' "
+ "SUP olcOverlayConfig "
+ "MUST olcDbURI "
+ "MAY ( olcDbStartTLS "
+ "$ olcDbNetworkTimeout "
+ "$ olcDbQuarantine "
+ ") )",
+ Cft_Overlay, pbindcfg},
+ { NULL, 0, NULL }
+};
+
static slap_verbmasks idassert_mode[] = {
{ BER_BVC("self"), LDAP_BACK_IDASSERT_SELF },
{ BER_BVC("anonymous"), LDAP_BACK_IDASSERT_ANONYMOUS },
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
return 1;
}
+
+ if ( c->valx == -1 ) {
+ ber_bvarray_add( &si->si_authz, &bv );
+
+ } else {
+ int i = 0;
+ if ( si->si_authz != NULL ) {
+ for ( ; !BER_BVISNULL( &si->si_authz[ i ] ); i++ )
+ ;
+ }
+
+ if ( i <= c->valx ) {
+ ber_bvarray_add( &si->si_authz, &bv );
+
+ } else {
+ BerVarray tmp = ber_memrealloc( si->si_authz,
+ sizeof( struct berval )*( i + 2 ) );
+ if ( tmp == NULL ) {
+ return -1;
+ }
+ si->si_authz = tmp;
+ for ( ; i > c->valx; i-- ) {
+ si->si_authz[ i ] = si->si_authz[ i - 1 ];
+ }
+ si->si_authz[ c->valx ] = bv;
+ }
+ }
+
+ return 0;
+}
+
+static int
+slap_idassert_passthru_parse( ConfigArgs *c, slap_idassert_t *si )
+{
+ struct berval bv;
+ struct berval in;
+ int rc;
+
+ ber_str2bv( c->argv[ 1 ], 0, 0, &in );
+ rc = authzNormalize( 0, NULL, NULL, &in, &bv, NULL );
+ if ( rc != LDAP_SUCCESS ) {
+ snprintf( c->cr_msg, sizeof( c->cr_msg ),
+ "\"idassert-passThru <authz>\": "
+ "invalid syntax" );
+ Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
+ return 1;
+ }
- ber_bvarray_add( &si->si_authz, &bv );
+ if ( c->valx == -1 ) {
+ ber_bvarray_add( &si->si_passthru, &bv );
+
+ } else {
+ int i = 0;
+ if ( si->si_passthru != NULL ) {
+ for ( ; !BER_BVISNULL( &si->si_passthru[ i ] ); i++ )
+ ;
+ }
+
+ if ( i <= c->valx ) {
+ ber_bvarray_add( &si->si_passthru, &bv );
+
+ } else {
+ BerVarray tmp = ber_memrealloc( si->si_passthru,
+ sizeof( struct berval )*( i + 2 ) );
+ if ( tmp == NULL ) {
+ return -1;
+ }
+ si->si_passthru = tmp;
+ for ( ; i > c->valx; i-- ) {
+ si->si_passthru[ i ] = si->si_passthru[ i - 1 ];
+ }
+ si->si_passthru[ c->valx ] = bv;
+ }
+ }
return 0;
}
si->si_flags |= LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND;
}
+ } else if ( strcasecmp( flags[ j ], "proxy-authz-critical" ) == 0 ) {
+ si->si_flags |= LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL;
+
+ } else if ( strcasecmp( flags[ j ], "proxy-authz-non-critical" ) == 0 ) {
+ si->si_flags &= ~LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL;
+
} else {
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"\"idassert-bind <args>\": "
}
} else if ( bindconf_parse( c->argv[ i ], &si->si_bc ) ) {
+ snprintf( c->cr_msg, sizeof( c->cr_msg ),
+ "\"idassert-bind <args>\": "
+ "unable to parse field \"%s\"",
+ c->argv[ i ] );
+ Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
return 1;
}
}
+
+ if ( si->si_bc.sb_method == LDAP_AUTH_SIMPLE ) {
+ if ( BER_BVISNULL( &si->si_bc.sb_binddn )
+ || BER_BVISNULL( &si->si_bc.sb_cred ) )
+ {
+ snprintf( c->cr_msg, sizeof( c->cr_msg ),
+ "\"idassert-bind <args>\": "
+ "SIMPLE needs \"binddn\" and \"credentials\"" );
+ Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
+ return 1;
+ }
+ }
+
bindconf_tls_defaults( &si->si_bc );
return 0;
return slap_idassert_authzfrom_parse( &c, si );
}
+int
+slap_idassert_passthru_parse_cf( const char *fname, int lineno, const char *arg, slap_idassert_t *si )
+{
+ ConfigArgs c = { 0 };
+ char *argv[ 3 ];
+
+ snprintf( c.log, sizeof( c.log ), "%s: line %d", fname, lineno );
+ c.argc = 2;
+ c.argv = argv;
+ argv[ 0 ] = "idassert-passThru";
+ argv[ 1 ] = (char *)arg;
+ argv[ 2 ] = NULL;
+
+ return slap_idassert_passthru_parse( &c, si );
+}
+
int
slap_idassert_parse_cf( const char *fname, int lineno, int argc, char *argv[], slap_idassert_t *si )
{
rc = 1;
break;
- case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
+ case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
+ case LDAP_BACK_CFG_IDASSERT_PASSTHRU: {
+ BerVarray *bvp;
int i;
+ struct berval bv = BER_BVNULL;
+ char buf[SLAP_TEXT_BUFLEN];
- if ( li->li_idassert_authz == NULL ) {
- if ( ( li->li_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) ) {
+ switch ( c->type ) {
+ case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: bvp = &li->li_idassert_authz; break;
+ case LDAP_BACK_CFG_IDASSERT_PASSTHRU: bvp = &li->li_idassert_passthru; break;
+ default: assert( 0 ); break;
+ }
+
+ if ( *bvp == NULL ) {
+ if ( bvp == &li->li_idassert_authz
+ && ( li->li_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) )
+ {
BER_BVSTR( &bv, "*" );
value_add_one( &c->rvalue_vals, &bv );
break;
}
- for ( i = 0; !BER_BVISNULL( &li->li_idassert_authz[ i ] ); i++ )
- {
- value_add_one( &c->rvalue_vals, &li->li_idassert_authz[ i ] );
+ for ( i = 0; !BER_BVISNULL( &((*bvp)[ i ]) ); i++ ) {
+ char *ptr;
+ int len = snprintf( buf, sizeof( buf ), SLAP_X_ORDERED_FMT, i );
+ bv.bv_len = ((*bvp)[ i ]).bv_len + len;
+ bv.bv_val = ber_memrealloc( bv.bv_val, bv.bv_len + 1 );
+ ptr = bv.bv_val;
+ ptr = lutil_strcopy( ptr, buf );
+ ptr = lutil_strncopy( ptr, ((*bvp)[ i ]).bv_val, ((*bvp)[ i ]).bv_len );
+ value_add_one( &c->rvalue_vals, &bv );
+ }
+ if ( bv.bv_val ) {
+ ber_memfree( bv.bv_val );
}
break;
}
(void)lutil_strcopy( ptr, "authz=native" );
}
- len = bv.bv_len + STRLENOF( "flags=non-prescriptive,override,obsolete-encoding-workaround" );
+ len = bv.bv_len + STRLENOF( "flags=non-prescriptive,override,obsolete-encoding-workaround,proxy-authz-non-critical" );
/* flags */
if ( !BER_BVISEMPTY( &bv ) ) {
len += STRLENOF( " " );
ptr = lutil_strcopy( ptr, ",obsolete-encoding-workaround" );
}
+ if ( li->li_idassert_flags & LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL ) {
+ ptr = lutil_strcopy( ptr, ",proxy-authz-critical" );
+
+ } else {
+ ptr = lutil_strcopy( ptr, ",proxy-authz-non-critical" );
+ }
+
bv.bv_len = ( ptr - bv.bv_val );
/* end-of-flags */
}
break;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
- if ( li->li_idassert_authz != NULL ) {
- ber_bvarray_free( li->li_idassert_authz );
- li->li_idassert_authz = NULL;
+ case LDAP_BACK_CFG_IDASSERT_PASSTHRU: {
+ BerVarray *bvp;
+
+ switch ( c->type ) {
+ case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: bvp = &li->li_idassert_authz; break;
+ case LDAP_BACK_CFG_IDASSERT_PASSTHRU: bvp = &li->li_idassert_passthru; break;
+ default: assert( 0 ); break;
}
- break;
+
+ if ( c->valx < 0 ) {
+ if ( *bvp != NULL ) {
+ ber_bvarray_free( *bvp );
+ *bvp = NULL;
+ }
+
+ } else {
+ int i;
+
+ if ( *bvp == NULL ) {
+ rc = 1;
+ break;
+ }
+
+ for ( i = 0; !BER_BVISNULL( &((*bvp)[ i ]) ); i++ )
+ ;
+
+ if ( i >= c->valx ) {
+ rc = 1;
+ break;
+ }
+ ber_memfree( ((*bvp)[ c->valx ]).bv_val );
+ for ( i = c->valx; !BER_BVISNULL( &((*bvp)[ i + 1 ]) ); i++ ) {
+ (*bvp)[ i ] = (*bvp)[ i + 1 ];
+ }
+ BER_BVZERO( &((*bvp)[ i ]) );
+ }
+ } break;
case LDAP_BACK_CFG_IDASSERT_BIND:
bindconf_free( &li->li_idassert.si_bc );
+ memset( &li->li_idassert, 0, sizeof( slap_idassert_t ) );
break;
case LDAP_BACK_CFG_REBIND:
rc = slap_idassert_authzfrom_parse( c, &li->li_idassert );
break;
+ case LDAP_BACK_CFG_IDASSERT_PASSTHRU:
+ rc = slap_idassert_passthru_parse( c, &li->li_idassert );
+ break;
+
case LDAP_BACK_CFG_IDASSERT_METHOD:
/* no longer supported */
snprintf( c->cr_msg, sizeof( c->cr_msg ),
return 0;
}
+static int
+ldap_pbind_cf_gen( ConfigArgs *c )
+{
+ slap_overinst *on = (slap_overinst *)c->bi;
+ void *private = c->be->be_private;
+ int rc;
+
+ c->be->be_private = on->on_bi.bi_private;
+ rc = ldap_back_cf_gen( c );
+ c->be->be_private = private;
+ return rc;
+}
+
+int
+ldap_pbind_init_cf( BackendInfo *bi )
+{
+ bi->bi_cf_ocs = pbindocs;
+
+ return config_register_schema( pbindcfg, pbindocs );
+}
static int
ldap_back_exop_whoami(
retry:
rs->sr_err = ldap_whoami( lc->lc_ld, ctrls, NULL, &msgid );
if ( rs->sr_err == LDAP_SUCCESS ) {
- if ( ldap_result( lc->lc_ld, msgid, LDAP_MSG_ALL, NULL, &res ) == -1 ) {
+ /* by now, make sure no timeout is used (ITS#6282) */
+ struct timeval tv;
+ tv.tv_sec = -1;
+ if ( ldap_result( lc->lc_ld, msgid, LDAP_MSG_ALL, &tv, &res ) == -1 ) {
ldap_get_option( lc->lc_ld, LDAP_OPT_ERROR_NUMBER,
&rs->sr_err );
if ( rs->sr_err == LDAP_SERVER_DOWN && doretry ) {
projects / openldap / blobdiff