parse_idassert( BackendDB *be, const char *fname, int lineno,
int argc, char **argv );
+static int
+parse_acl_auth( BackendDB *be, const char *fname, int lineno,
+ int argc, char **argv );
+
int
ldap_back_db_config(
BackendDB *be,
li->url = ch_strdup( argv[ 1 ] );
#endif
- /* name to use for ldap_back_group */
- } else if ( strcasecmp( argv[0], "acl-authcdn" ) == 0
- || strcasecmp( argv[0], "binddn" ) == 0 ) {
+ } else if ( strcasecmp( argv[0], "tls" ) == 0 ) {
if ( argc != 2 ) {
fprintf( stderr,
- "%s: line %d: missing name in \"%s <name>\" line\n",
- fname, lineno, argv[0] );
+ "%s: line %d: \"tls <what>\" needs 1 argument.\n",
+ fname, lineno );
return( 1 );
}
- ber_str2bv( argv[1], 0, 1, &li->acl_authcDN );
- /* password to use for ldap_back_group */
- } else if ( strcasecmp( argv[0], "acl-passwd" ) == 0
- || strcasecmp( argv[0], "bindpw" ) == 0 ) {
- if ( argc != 2 ) {
+ /* start */
+ if ( strcasecmp( argv[1], "start" ) == 0 ) {
+ li->flags |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
+
+ /* try start tls */
+ } else if ( strcasecmp( argv[1], "try-start" ) == 0 ) {
+ li->flags &= ~LDAP_BACK_F_TLS_CRITICAL;
+ li->flags |= LDAP_BACK_F_USE_TLS;
+
+ /* propagate start tls */
+ } else if ( strcasecmp( argv[1], "propagate" ) == 0 ) {
+ li->flags |= ( LDAP_BACK_F_PROPAGATE_TLS | LDAP_BACK_F_TLS_CRITICAL );
+
+ /* try start tls */
+ } else if ( strcasecmp( argv[1], "try-propagate" ) == 0 ) {
+ li->flags &= ~LDAP_BACK_F_TLS_CRITICAL;
+ li->flags |= LDAP_BACK_F_PROPAGATE_TLS;
+
+ } else {
fprintf( stderr,
- "%s: line %d: missing password in \"%s <password>\" line\n",
- fname, lineno, argv[0] );
+ "%s: line %d: \"tls <what>\": unknown argument \"%s\".\n",
+ fname, lineno, argv[1] );
return( 1 );
}
- ber_str2bv( argv[1], 0, 1, &li->acl_passwd );
+
+ /* remote ACL stuff... */
+ } else if ( strncasecmp( argv[0], "acl-", STRLENOF( "acl-" ) ) == 0
+ || strncasecmp( argv[0], "bind", STRLENOF( "bind" ) ) == 0 )
+ {
+ /* NOTE: "bind{DN,pw}" was initially used; it's now
+ * deprected and undocumented, it can be dropped at some
+ * point, since nobody should be really using it */
+ return parse_acl_auth( be, fname, lineno, argc, argv );
-#ifdef LDAP_BACK_PROXY_AUTHZ
/* identity assertion stuff... */
} else if ( strncasecmp( argv[0], "idassert-", STRLENOF( "idassert-" ) ) == 0
- || strncasecmp( argv[0], "proxyauthz", STRLENOF( "proxyauthz" ) ) == 0 ) {
+ || strncasecmp( argv[0], "proxyauthz", STRLENOF( "proxyauthz" ) ) == 0 )
+ {
+ /* NOTE: "proxyauthz{DN,pw}" was initially used; it's now
+ * deprected and undocumented, it can be dropped at some
+ * point, since nobody should be really using it */
return parse_idassert( be, fname, lineno, argc, argv );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
/* save bind creds for referral rebinds? */
} else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) {
if ( argc != 1 ) {
fprintf( stderr,
- "%s: line %d: rebind-as-user takes no arguments\n",
+ "%s: line %d: \"rebind-as-user\" takes no arguments\n",
+ fname, lineno );
+ return( 1 );
+ }
+ li->flags |= LDAP_BACK_F_SAVECRED;
+
+ } else if ( strcasecmp( argv[0], "chase-referrals" ) == 0 ) {
+ if ( argc != 2 ) {
+ fprintf( stderr,
+ "%s: line %d: \"chase-referrals\" needs 1 argument.\n",
fname, lineno );
return( 1 );
}
- li->savecred = 1;
+
+ /* this is the default; we add it because the default might change... */
+ if ( strcasecmp( argv[1], "yes" ) == 0 ) {
+ li->flags |= LDAP_BACK_F_CHASE_REFERRALS;
+
+ } else if ( strcasecmp( argv[1], "no" ) == 0 ) {
+ li->flags &= ~LDAP_BACK_F_CHASE_REFERRALS;
+
+ } else {
+ fprintf( stderr,
+ "%s: line %d: \"chase-referrals {yes|no}\": unknown argument \"%s\".\n",
+ fname, lineno, argv[1] );
+ return( 1 );
+ }
+ } else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {
+ if ( argc != 2 ) {
+ fprintf( stderr,
+ "%s: line %d: \"t-f-support {no|yes|discover}\" needs 1 argument.\n",
+ fname, lineno );
+ return( 1 );
+ }
+
+ if ( strcasecmp( argv[ 1 ], "no" ) == 0 ) {
+ li->flags &= ~(LDAP_BACK_F_SUPPORT_T_F|LDAP_BACK_F_SUPPORT_T_F_DISCOVER);
+
+ } else if ( strcasecmp( argv[ 1 ], "yes" ) == 0 ) {
+ li->flags |= LDAP_BACK_F_SUPPORT_T_F;
+
+ } else if ( strcasecmp( argv[ 1 ], "discover" ) == 0 ) {
+ li->flags |= LDAP_BACK_F_SUPPORT_T_F_DISCOVER;
+
+ } else {
+ fprintf( stderr,
+ "%s: line %d: unknown value \"%s\" for \"t-f-support {no|yes|discover}\".\n",
+ fname, lineno, argv[ 1 ] );
+ return 1;
+ }
+
/* intercept exop_who_am_i? */
} else if ( strcasecmp( argv[0], "proxy-whoami" ) == 0 ) {
if ( argc != 1 ) {
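Review bot: The three `t-f-support` arms are not symmetric: `no` clears both LDAP_BACK_F_SUPPORT_T_F and LDAP_BACK_F_SUPPORT_T_F_DISCOVER, while `yes` and `discover` only OR in their own bit, so `t-f-support discover` followed by `t-f-support yes` leaves both bits set and the effective mode depends on directive order. If the two bits are meant to be alternatives, as the `no` arm suggests, clear both before setting one, e.g. `li->flags &= ~(LDAP_BACK_F_SUPPORT_T_F|LDAP_BACK_F_SUPPORT_T_F_DISCOVER);` at the top of the `yes` and `discover` arms; the same ordering question applies to `tls start` followed by `tls try-propagate`, which keeps LDAP_BACK_F_USE_TLS set while dropping LDAP_BACK_F_TLS_CRITICAL, which may or may not be intended. The comment above the `try-propagate` arm repeats the `try-start` one; `/* try propagate start tls */` would match the others. The enclosing ldap_back_db_config continues past the end of the hunk.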
"triggered by \"%s\" directive.\n",
fname, lineno, argv[ 0 ] );
+ /* this is the default; we add it because the default might change... */
li->rwm_started = 1;
return ( *be->bd_info->bi_db_config )( be, fname, lineno, argc, argv );
ctrls[0] = &c;
op2.o_ndn = op->o_conn->c_ndn;
- lc = ldap_back_getconn(&op2, rs);
- if (!lc || !ldap_back_dobind( lc, op, rs )) {
+ lc = ldap_back_getconn(&op2, rs, LDAP_BACK_SENDERR);
+ if (!lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR )) {
return -1;
}
c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
&rs->sr_err);
if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) {
do_retry = 0;
- if ( ldap_back_retry( lc, op, rs ) )
+ if ( ldap_back_retry( lc, op, rs, LDAP_BACK_SENDERR ) )
goto retry;
}
ldap_back_freeconn( op, lc );
}
-#ifdef LDAP_BACK_PROXY_AUTHZ
static int
parse_idassert(
BackendDB *be,
ber_bvarray_add( &li->idassert_authz, &rule );
} else if ( strcasecmp( argv[0], "idassert-method" ) == 0 ) {
+ char *argv1;
+
if ( argc < 2 ) {
fprintf( stderr,
"%s: line %d: missing method in \"%s <method>\" line\n",
return( 1 );
}
- if ( strcasecmp( argv[1], "none" ) == 0 ) {
- /* FIXME: is this useful? */
+ argv1 = argv[1];
+ if ( strncasecmp( argv1, "bindmethod=", STRLENOF( "bindmethod=" ) ) == 0 ) {
+ argv1 += STRLENOF( "bindmethod=" );
+ }
+
+ if ( strcasecmp( argv1, "none" ) == 0 ) {
+ /* FIXME: is this at all useful? */
li->idassert_authmethod = LDAP_AUTH_NONE;
if ( argc != 2 ) {
fname, lineno, argv[0], argv[1] );
}
- } else if ( strcasecmp( argv[1], "simple" ) == 0 ) {
+ } else if ( strcasecmp( argv1, "simple" ) == 0 ) {
li->idassert_authmethod = LDAP_AUTH_SIMPLE;
if ( argc != 2 ) {
fname, lineno, argv[0], argv[1] );
}
- } else if ( strcasecmp( argv[1], "sasl" ) == 0 ) {
+ } else if ( strcasecmp( argv1, "sasl" ) == 0 ) {
#ifdef HAVE_CYRUS_SASL
int arg;
li->idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ;
} else {
- fprintf( stderr, "%s: line %s: "
+ fprintf( stderr, "%s: line %d: "
"unknown authz mode \"%s\"\n",
fname, lineno, val );
return 1;
return 0;
}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
+
+static int
+parse_acl_auth(
+ BackendDB *be,
+ const char *fname,
+ int lineno,
+ int argc,
+ char **argv
+)
+{
+ struct ldapinfo *li = (struct ldapinfo *) be->be_private;
+
+ /* name to use for remote ACL access */
+ if ( strcasecmp( argv[0], "acl-authcdn" ) == 0
+ || strcasecmp( argv[0], "binddn" ) == 0 )
+ {
+ struct berval dn;
+ int rc;
+
+ /* FIXME: "binddn" is no longer documented, and
+ * temporarily supported for backwards compatibility */
+
+ if ( argc != 2 ) {
+ fprintf( stderr,
+ "%s: line %d: missing name in \"%s <name>\" line\n",
+ fname, lineno, argv[0] );
+ return( 1 );
+ }
+
+ if ( !BER_BVISNULL( &li->acl_authcDN ) ) {
+ fprintf( stderr, "%s: line %d: "
+ "authcDN already defined; replacing...\n",
+ fname, lineno );
+ ch_free( li->acl_authcDN.bv_val );
+ }
+
+ ber_str2bv( argv[1], 0, 0, &dn );
+ rc = dnNormalize( 0, NULL, NULL, &dn, &li->acl_authcDN, NULL );
+ if ( rc != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: acl ID \"%s\" is not a valid DN\n",
+ fname, lineno, argv[1] );
+ return 1;
+ }
+
+ /* password to use for remote ACL access */
+ } else if ( strcasecmp( argv[0], "acl-passwd" ) == 0
+ || strcasecmp( argv[0], "bindpw" ) == 0 )
+ {
+ /* FIXME: "bindpw" is no longer documented, and
+ * temporarily supported for backwards compatibility */
+
+ if ( argc != 2 ) {
+ fprintf( stderr,
+ "%s: line %d: missing password in \"%s <password>\" line\n",
+ fname, lineno, argv[0] );
+ return( 1 );
+ }
+
+ if ( !BER_BVISNULL( &li->acl_passwd ) ) {
+ fprintf( stderr, "%s: line %d: "
+ "passwd already defined; replacing...\n",
+ fname, lineno );
+ ch_free( li->acl_passwd.bv_val );
+ }
+
+ ber_str2bv( argv[1], 0, 1, &li->acl_passwd );
+
+ } else if ( strcasecmp( argv[0], "acl-method" ) == 0 ) {
+ char *argv1;
+
+ if ( argc < 2 ) {
+ fprintf( stderr,
+ "%s: line %d: missing method in \"%s <method>\" line\n",
+ fname, lineno, argv[0] );
+ return( 1 );
+ }
+
+ argv1 = argv[1];
+ if ( strncasecmp( argv1, "bindmethod=", STRLENOF( "bindmethod=" ) ) == 0 ) {
+ argv1 += STRLENOF( "bindmethod=" );
+ }
+
+ if ( strcasecmp( argv1, "none" ) == 0 ) {
+ /* FIXME: is this at all useful? */
+ li->acl_authmethod = LDAP_AUTH_NONE;
+
+ if ( argc != 2 ) {
+ fprintf( stderr,
+ "%s: line %d: trailing args in \"%s %s ...\" line ignored\"\n",
+ fname, lineno, argv[0], argv[1] );
+ }
+
+ } else if ( strcasecmp( argv1, "simple" ) == 0 ) {
+ li->acl_authmethod = LDAP_AUTH_SIMPLE;
+
+ if ( argc != 2 ) {
+ fprintf( stderr,
+ "%s: line %d: trailing args in \"%s %s ...\" line ignored\"\n",
+ fname, lineno, argv[0], argv[1] );
+ }
+
+ } else if ( strcasecmp( argv1, "sasl" ) == 0 ) {
+#ifdef HAVE_CYRUS_SASL
+ int arg;
+
+ for ( arg = 2; arg < argc; arg++ ) {
+ if ( strncasecmp( argv[arg], "mech=", STRLENOF( "mech=" ) ) == 0 ) {
+ char *val = argv[arg] + STRLENOF( "mech=" );
+
+ if ( !BER_BVISNULL( &li->acl_sasl_mech ) ) {
+ fprintf( stderr, "%s: line %d: "
+ "SASL mech already defined; replacing...\n",
+ fname, lineno );
+ ch_free( li->acl_sasl_mech.bv_val );
+ }
+ ber_str2bv( val, 0, 1, &li->acl_sasl_mech );
+
+ } else if ( strncasecmp( argv[arg], "realm=", STRLENOF( "realm=" ) ) == 0 ) {
+ char *val = argv[arg] + STRLENOF( "realm=" );
+
+ if ( !BER_BVISNULL( &li->acl_sasl_realm ) ) {
+ fprintf( stderr, "%s: line %d: "
+ "SASL realm already defined; replacing...\n",
+ fname, lineno );
+ ch_free( li->acl_sasl_realm.bv_val );
+ }
+ ber_str2bv( val, 0, 1, &li->acl_sasl_realm );
+
+ } else if ( strncasecmp( argv[arg], "authcdn=", STRLENOF( "authcdn=" ) ) == 0 ) {
+ char *val = argv[arg] + STRLENOF( "authcdn=" );
+ struct berval dn;
+ int rc;
+
+ if ( !BER_BVISNULL( &li->acl_authcDN ) ) {
+ fprintf( stderr, "%s: line %d: "
+ "SASL authcDN already defined; replacing...\n",
+ fname, lineno );
+ ch_free( li->acl_authcDN.bv_val );
+ }
+ if ( strncasecmp( argv[arg], "dn:", STRLENOF( "dn:" ) ) == 0 ) {
+ val += STRLENOF( "dn:" );
+ }
+
+ ber_str2bv( val, 0, 0, &dn );
+ rc = dnNormalize( 0, NULL, NULL, &dn, &li->acl_authcDN, NULL );
+ if ( rc != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: SASL authcdn \"%s\" is not a valid DN\n",
+ fname, lineno, val );
+ return 1;
+ }
+
+ } else if ( strncasecmp( argv[arg], "authcid=", STRLENOF( "authcid=" ) ) == 0 ) {
+ char *val = argv[arg] + STRLENOF( "authcid=" );
+
+ if ( !BER_BVISNULL( &li->acl_authcID ) ) {
+ fprintf( stderr, "%s: line %d: "
+ "SASL authcID already defined; replacing...\n",
+ fname, lineno );
+ ch_free( li->acl_authcID.bv_val );
+ }
+ if ( strncasecmp( argv[arg], "u:", STRLENOF( "u:" ) ) == 0 ) {
+ val += STRLENOF( "u:" );
+ }
+ ber_str2bv( val, 0, 1, &li->acl_authcID );
+
+ } else if ( strncasecmp( argv[arg], "cred=", STRLENOF( "cred=" ) ) == 0 ) {
+ char *val = argv[arg] + STRLENOF( "cred=" );
+
+ if ( !BER_BVISNULL( &li->acl_passwd ) ) {
+ fprintf( stderr, "%s: line %d: "
+ "SASL cred already defined; replacing...\n",
+ fname, lineno );
+ ch_free( li->acl_passwd.bv_val );
+ }
+ ber_str2bv( val, 0, 1, &li->acl_passwd );
+
+ } else {
+ fprintf( stderr, "%s: line %d: "
+ "unknown SASL parameter %s\n",
+ fname, lineno, argv[arg] );
+ return 1;
+ }
+ }
+
+ li->acl_authmethod = LDAP_AUTH_SASL;
+
+#else /* !HAVE_CYRUS_SASL */
+ fprintf( stderr, "%s: line %d: "
+ "compile --with-cyrus-sasl to enable SASL auth\n",
+ fname, lineno );
+ return 1;
+#endif /* !HAVE_CYRUS_SASL */
+
+ } else {
+ fprintf( stderr, "%s: line %d: "
+ "unhandled acl-method method %s\n",
+ fname, lineno, argv[1] );
+ return 1;
+ }
+
+ } else {
+ return SLAP_CONF_UNKNOWN;
+ }
+
+ return 0;
+}
+
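Review bot: In parse_acl_auth's SASL option loop the `dn:` and `u:` prefix checks test `argv[arg]`, which at that point always begins with `authcdn=` or `authcid=`, so the prefix is never stripped and an `authcdn=dn:...` value reaches dnNormalize with `dn:` still attached; both should test the value, `if ( strncasecmp( val, "dn:", STRLENOF( "dn:" ) ) == 0 )` and `if ( strncasecmp( val, "u:", STRLENOF( "u:" ) ) == 0 )`. Separately, the `acl-authcdn` arm and the SASL `authcdn=` arm ch_free the previous acl_authcDN.bv_val and then return 1 when dnNormalize fails; if dnNormalize leaves its output untouched on error, li->acl_authcDN would keep the freed pointer and any later free or use of the stored DN becomes a use-after-free, so add `BER_BVZERO( &li->acl_authcDN );` right after each of those ch_free calls. The two "trailing args ... line ignored" messages end in a stray `\"` that is printed literally. The `cred=` and `acl-passwd` replacement paths free the previous password without clearing it first; for a credential buffer, wiping before ch_free would be the conservative choice. The `bindmethod=` stripping and the SASL option loop duplicate parse_idassert's idassert-method handling almost line for line; a shared helper taking the target bervals would keep the two in step.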