]> git.sur5r.net Git - openldap/blobdiff - servers/slapd/back-ldap/config.c
projects / openldap / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
fix previous commit: don't loop on undefined; return success with no data in case...
[openldap] / servers / slapd / back-ldap / config.c
diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c
index bdbdc698ce279663b27bd6847b3ecd1a0a6cbb40..e570e3b0e4f922588c1d4277a10d12576e9c4652 100644 (file)
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@@ -41,6 +41,10 @@ static int
 parse_idassert( BackendDB *be, const char *fname, int lineno,
                int argc, char **argv );
 
+static int
+parse_acl_auth( BackendDB *be, const char *fname, int lineno,
+               int argc, char **argv );
+
 int
 ldap_back_db_config(
                BackendDB       *be,
@@ -213,27 +217,47 @@ ldap_back_db_config(
                li->url = ch_strdup( argv[ 1 ] );
 #endif
 
-       /* name to use for ldap_back_group */
-       } else if ( strcasecmp( argv[0], "acl-authcdn" ) == 0
-                       || strcasecmp( argv[0], "binddn" ) == 0 ) {
+       } else if ( strcasecmp( argv[0], "tls" ) == 0 ) {
                if ( argc != 2 ) {
                        fprintf( stderr,
-       "%s: line %d: missing name in \"%s <name>\" line\n",
-                                       fname, lineno, argv[0] );
+               "%s: line %d: \"tls <what>\" needs 1 argument.\n",
+                                       fname, lineno );
                        return( 1 );
                }
-               ber_str2bv( argv[1], 0, 1, &li->acl_authcDN );
 
-       /* password to use for ldap_back_group */
-       } else if ( strcasecmp( argv[0], "acl-passwd" ) == 0
-                       || strcasecmp( argv[0], "bindpw" ) == 0 ) {
-               if ( argc != 2 ) {
+               /* start */
+               if ( strcasecmp( argv[1], "start" ) == 0 ) {
+                       li->flags |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
+       
+               /* try start tls */
+               } else if ( strcasecmp( argv[1], "try-start" ) == 0 ) {
+                       li->flags &= ~LDAP_BACK_F_TLS_CRITICAL;
+                       li->flags |= LDAP_BACK_F_USE_TLS;
+       
+               /* propagate start tls */
+               } else if ( strcasecmp( argv[1], "propagate" ) == 0 ) {
+                       li->flags |= ( LDAP_BACK_F_PROPAGATE_TLS | LDAP_BACK_F_TLS_CRITICAL );
+               
+               /* try start tls */
+               } else if ( strcasecmp( argv[1], "try-propagate" ) == 0 ) {
+                       li->flags &= ~LDAP_BACK_F_TLS_CRITICAL;
+                       li->flags |= LDAP_BACK_F_PROPAGATE_TLS;
+
+               } else {
                        fprintf( stderr,
-       "%s: line %d: missing password in \"%s <password>\" line\n",
-                                       fname, lineno, argv[0] );
+               "%s: line %d: \"tls <what>\": unknown argument \"%s\".\n",
+                                       fname, lineno, argv[1] );
                        return( 1 );
                }
-               ber_str2bv( argv[1], 0, 1, &li->acl_passwd );
+       
+       /* remote ACL stuff... */
+       } else if ( strncasecmp( argv[0], "acl-", STRLENOF( "acl-" ) ) == 0
+                       || strncasecmp( argv[0], "bind", STRLENOF( "bind" ) ) == 0 )
+       {
+               /* NOTE: "bind{DN,pw}" was initially used; it's now
+                * deprected and undocumented, it can be dropped at some
+                * point, since nobody should be really using it */
+               return parse_acl_auth( be, fname, lineno, argc, argv );
 
        /* identity assertion stuff... */
        } else if ( strncasecmp( argv[0], "idassert-", STRLENOF( "idassert-" ) ) == 0
@@ -248,12 +272,58 @@ ldap_back_db_config(
        } else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) {
                if ( argc != 1 ) {
                        fprintf( stderr,
-       "%s: line %d: rebind-as-user takes no arguments\n",
+       "%s: line %d: \"rebind-as-user\" takes no arguments\n",
                                        fname, lineno );
                        return( 1 );
                }
-               li->savecred = 1;
+               li->flags |= LDAP_BACK_F_SAVECRED;
+
+       } else if ( strcasecmp( argv[0], "chase-referrals" ) == 0 ) {
+               if ( argc != 2 ) {
+                       fprintf( stderr,
+       "%s: line %d: \"chase-referrals\" needs 1 argument.\n",
+                                       fname, lineno );
+                       return( 1 );
+               }
+
+               /* this is the default; we add it because the default might change... */
+               if ( strcasecmp( argv[1], "yes" ) == 0 ) {
+                       li->flags |= LDAP_BACK_F_CHASE_REFERRALS;
+
+               } else if ( strcasecmp( argv[1], "no" ) == 0 ) {
+                       li->flags &= ~LDAP_BACK_F_CHASE_REFERRALS;
+
+               } else {
+                       fprintf( stderr,
+               "%s: line %d: \"chase-referrals {yes|no}\": unknown argument \"%s\".\n",
+                                       fname, lineno, argv[1] );
+                       return( 1 );
+               }
        
+       } else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {
+               if ( argc != 2 ) {
+                       fprintf( stderr,
+               "%s: line %d: \"t-f-support {no|yes|discover}\" needs 1 argument.\n",
+                                       fname, lineno );
+                       return( 1 );
+               }
+
+               if ( strcasecmp( argv[ 1 ], "no" ) == 0 ) {
+                       li->flags &= ~(LDAP_BACK_F_SUPPORT_T_F|LDAP_BACK_F_SUPPORT_T_F_DISCOVER);
+
+               } else if ( strcasecmp( argv[ 1 ], "yes" ) == 0 ) {
+                       li->flags |= LDAP_BACK_F_SUPPORT_T_F;
+
+               } else if ( strcasecmp( argv[ 1 ], "discover" ) == 0 ) {
+                       li->flags |= LDAP_BACK_F_SUPPORT_T_F_DISCOVER;
+
+               } else {
+                       fprintf( stderr,
+       "%s: line %d: unknown value \"%s\" for \"t-f-support {no|yes|discover}\".\n",
+                               fname, lineno, argv[ 1 ] );
+                       return 1;
+               }
+
        /* intercept exop_who_am_i? */
        } else if ( strcasecmp( argv[0], "proxy-whoami" ) == 0 ) {
                if ( argc != 1 ) {
@@ -296,6 +366,7 @@ ldap_back_db_config(
                                "triggered by \"%s\" directive.\n",
                                fname, lineno, argv[ 0 ] );
 
+               /* this is the default; we add it because the default might change... */
                        li->rwm_started = 1;
 
                        return ( *be->bd_info->bi_db_config )( be, fname, lineno, argc, argv );
@@ -340,8 +411,8 @@ ldap_back_exop_whoami(
 
                ctrls[0] = &c;
                op2.o_ndn = op->o_conn->c_ndn;
-               lc = ldap_back_getconn(&op2, rs);
-               if (!lc || !ldap_back_dobind( lc, op, rs )) {
+               lc = ldap_back_getconn(&op2, rs, LDAP_BACK_SENDERR);
+               if (!lc || !ldap_back_dobind( lc, op, rs, LDAP_BACK_SENDERR )) {
                        return -1;
                }
                c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
@@ -359,7 +430,7 @@ retry:
                                        &rs->sr_err);
                                if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) {
                                        do_retry = 0;
-                                       if ( ldap_back_retry( lc, op, rs ) )
+                                       if ( ldap_back_retry( lc, op, rs, LDAP_BACK_SENDERR ) )
                                                goto retry;
                                }
                                ldap_back_freeconn( op, lc );
@@ -550,6 +621,8 @@ parse_idassert(
                ber_bvarray_add( &li->idassert_authz, &rule );
 
        } else if ( strcasecmp( argv[0], "idassert-method" ) == 0 ) {
+               char    *argv1;
+
                if ( argc < 2 ) {
                        fprintf( stderr,
        "%s: line %d: missing method in \"%s <method>\" line\n",
@@ -557,7 +630,12 @@ parse_idassert(
                        return( 1 );
                }
 
-               if ( strcasecmp( argv[1], "none" ) == 0 ) {
+               argv1 = argv[1];
+               if ( strncasecmp( argv1, "bindmethod=", STRLENOF( "bindmethod=" ) ) == 0 ) {
+                       argv1 += STRLENOF( "bindmethod=" );
+               }
+
+               if ( strcasecmp( argv1, "none" ) == 0 ) {
                        /* FIXME: is this at all useful? */
                        li->idassert_authmethod = LDAP_AUTH_NONE;
 
@@ -567,7 +645,7 @@ parse_idassert(
                                        fname, lineno, argv[0], argv[1] );
                        }
 
-               } else if ( strcasecmp( argv[1], "simple" ) == 0 ) {
+               } else if ( strcasecmp( argv1, "simple" ) == 0 ) {
                        li->idassert_authmethod = LDAP_AUTH_SIMPLE;
 
                        if ( argc != 2 ) {
@@ -576,7 +654,7 @@ parse_idassert(
                                        fname, lineno, argv[0], argv[1] );
                        }
 
-               } else if ( strcasecmp( argv[1], "sasl" ) == 0 ) {
+               } else if ( strcasecmp( argv1, "sasl" ) == 0 ) {
 #ifdef HAVE_CYRUS_SASL
                        int     arg;
 
@@ -662,7 +740,7 @@ parse_idassert(
                                                li->idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ;
 
                                        } else {
-                                               fprintf( stderr, "%s: line %s: "
+                                               fprintf( stderr, "%s: line %d: "
                                                        "unknown authz mode \"%s\"\n",
                                                        fname, lineno, val );
                                                return 1;
@@ -698,3 +776,212 @@ parse_idassert(
 
        return 0;
 }
+
+static int
+parse_acl_auth(
+    BackendDB  *be,
+    const char *fname,
+    int                lineno,
+    int                argc,
+    char       **argv
+)
+{
+       struct ldapinfo *li = (struct ldapinfo *) be->be_private;
+
+       /* name to use for remote ACL access */
+       if ( strcasecmp( argv[0], "acl-authcdn" ) == 0
+                       || strcasecmp( argv[0], "binddn" ) == 0 )
+       {
+               struct berval   dn;
+               int             rc;
+
+               /* FIXME: "binddn" is no longer documented, and
+                * temporarily supported for backwards compatibility */
+
+               if ( argc != 2 ) {
+                       fprintf( stderr,
+       "%s: line %d: missing name in \"%s <name>\" line\n",
+                           fname, lineno, argv[0] );
+                       return( 1 );
+               }
+
+               if ( !BER_BVISNULL( &li->acl_authcDN ) ) {
+                       fprintf( stderr, "%s: line %d: "
+                                       "authcDN already defined; replacing...\n",
+                                       fname, lineno );
+                       ch_free( li->acl_authcDN.bv_val );
+               }
+               
+               ber_str2bv( argv[1], 0, 0, &dn );
+               rc = dnNormalize( 0, NULL, NULL, &dn, &li->acl_authcDN, NULL );
+               if ( rc != LDAP_SUCCESS ) {
+                       Debug( LDAP_DEBUG_ANY,
+                               "%s: line %d: acl ID \"%s\" is not a valid DN\n",
+                               fname, lineno, argv[1] );
+                       return 1;
+               }
+
+       /* password to use for remote ACL access */
+       } else if ( strcasecmp( argv[0], "acl-passwd" ) == 0
+                       || strcasecmp( argv[0], "bindpw" ) == 0 )
+       {
+               /* FIXME: "bindpw" is no longer documented, and
+                * temporarily supported for backwards compatibility */
+
+               if ( argc != 2 ) {
+                       fprintf( stderr,
+       "%s: line %d: missing password in \"%s <password>\" line\n",
+                           fname, lineno, argv[0] );
+                       return( 1 );
+               }
+
+               if ( !BER_BVISNULL( &li->acl_passwd ) ) {
+                       fprintf( stderr, "%s: line %d: "
+                                       "passwd already defined; replacing...\n",
+                                       fname, lineno );
+                       ch_free( li->acl_passwd.bv_val );
+               }
+               
+               ber_str2bv( argv[1], 0, 1, &li->acl_passwd );
+
+       } else if ( strcasecmp( argv[0], "acl-method" ) == 0 ) {
+               char    *argv1;
+
+               if ( argc < 2 ) {
+                       fprintf( stderr,
+       "%s: line %d: missing method in \"%s <method>\" line\n",
+                           fname, lineno, argv[0] );
+                       return( 1 );
+               }
+
+               argv1 = argv[1];
+               if ( strncasecmp( argv1, "bindmethod=", STRLENOF( "bindmethod=" ) ) == 0 ) {
+                       argv1 += STRLENOF( "bindmethod=" );
+               }
+
+               if ( strcasecmp( argv1, "none" ) == 0 ) {
+                       /* FIXME: is this at all useful? */
+                       li->acl_authmethod = LDAP_AUTH_NONE;
+
+                       if ( argc != 2 ) {
+                               fprintf( stderr,
+       "%s: line %d: trailing args in \"%s %s ...\" line ignored\"\n",
+                                       fname, lineno, argv[0], argv[1] );
+                       }
+
+               } else if ( strcasecmp( argv1, "simple" ) == 0 ) {
+                       li->acl_authmethod = LDAP_AUTH_SIMPLE;
+
+                       if ( argc != 2 ) {
+                               fprintf( stderr,
+       "%s: line %d: trailing args in \"%s %s ...\" line ignored\"\n",
+                                       fname, lineno, argv[0], argv[1] );
+                       }
+
+               } else if ( strcasecmp( argv1, "sasl" ) == 0 ) {
+#ifdef HAVE_CYRUS_SASL
+                       int     arg;
+
+                       for ( arg = 2; arg < argc; arg++ ) {
+                               if ( strncasecmp( argv[arg], "mech=", STRLENOF( "mech=" ) ) == 0 ) {
+                                       char    *val = argv[arg] + STRLENOF( "mech=" );
+
+                                       if ( !BER_BVISNULL( &li->acl_sasl_mech ) ) {
+                                               fprintf( stderr, "%s: line %d: "
+                                                               "SASL mech already defined; replacing...\n",
+                                                               fname, lineno );
+                                               ch_free( li->acl_sasl_mech.bv_val );
+                                       }
+                                       ber_str2bv( val, 0, 1, &li->acl_sasl_mech );
+
+                               } else if ( strncasecmp( argv[arg], "realm=", STRLENOF( "realm=" ) ) == 0 ) {
+                                       char    *val = argv[arg] + STRLENOF( "realm=" );
+
+                                       if ( !BER_BVISNULL( &li->acl_sasl_realm ) ) {
+                                               fprintf( stderr, "%s: line %d: "
+                                                               "SASL realm already defined; replacing...\n",
+                                                               fname, lineno );
+                                               ch_free( li->acl_sasl_realm.bv_val );
+                                       }
+                                       ber_str2bv( val, 0, 1, &li->acl_sasl_realm );
+
+                               } else if ( strncasecmp( argv[arg], "authcdn=", STRLENOF( "authcdn=" ) ) == 0 ) {
+                                       char            *val = argv[arg] + STRLENOF( "authcdn=" );
+                                       struct berval   dn;
+                                       int             rc;
+
+                                       if ( !BER_BVISNULL( &li->acl_authcDN ) ) {
+                                               fprintf( stderr, "%s: line %d: "
+                                                               "SASL authcDN already defined; replacing...\n",
+                                                               fname, lineno );
+                                               ch_free( li->acl_authcDN.bv_val );
+                                       }
+                                       if ( strncasecmp( argv[arg], "dn:", STRLENOF( "dn:" ) ) == 0 ) {
+                                               val += STRLENOF( "dn:" );
+                                       }
+
+                                       ber_str2bv( val, 0, 0, &dn );
+                                       rc = dnNormalize( 0, NULL, NULL, &dn, &li->acl_authcDN, NULL );
+                                       if ( rc != LDAP_SUCCESS ) {
+                                               Debug( LDAP_DEBUG_ANY,
+                                                       "%s: line %d: SASL authcdn \"%s\" is not a valid DN\n",
+                                                       fname, lineno, val );
+                                               return 1;
+                                       }
+
+                               } else if ( strncasecmp( argv[arg], "authcid=", STRLENOF( "authcid=" ) ) == 0 ) {
+                                       char    *val = argv[arg] + STRLENOF( "authcid=" );
+
+                                       if ( !BER_BVISNULL( &li->acl_authcID ) ) {
+                                               fprintf( stderr, "%s: line %d: "
+                                                               "SASL authcID already defined; replacing...\n",
+                                                               fname, lineno );
+                                               ch_free( li->acl_authcID.bv_val );
+                                       }
+                                       if ( strncasecmp( argv[arg], "u:", STRLENOF( "u:" ) ) == 0 ) {
+                                               val += STRLENOF( "u:" );
+                                       }
+                                       ber_str2bv( val, 0, 1, &li->acl_authcID );
+
+                               } else if ( strncasecmp( argv[arg], "cred=", STRLENOF( "cred=" ) ) == 0 ) {
+                                       char    *val = argv[arg] + STRLENOF( "cred=" );
+
+                                       if ( !BER_BVISNULL( &li->acl_passwd ) ) {
+                                               fprintf( stderr, "%s: line %d: "
+                                                               "SASL cred already defined; replacing...\n",
+                                                               fname, lineno );
+                                               ch_free( li->acl_passwd.bv_val );
+                                       }
+                                       ber_str2bv( val, 0, 1, &li->acl_passwd );
+
+                               } else {
+                                       fprintf( stderr, "%s: line %d: "
+                                                       "unknown SASL parameter %s\n",
+                                                       fname, lineno, argv[arg] );
+                                       return 1;
+                               }
+                       }
+
+                       li->acl_authmethod = LDAP_AUTH_SASL;
+
+#else /* !HAVE_CYRUS_SASL */
+                       fprintf( stderr, "%s: line %d: "
+                                       "compile --with-cyrus-sasl to enable SASL auth\n",
+                                       fname, lineno );
+                       return 1;
+#endif /* !HAVE_CYRUS_SASL */
+
+               } else {
+                       fprintf( stderr, "%s: line %d: "
+                                       "unhandled acl-method method %s\n",
+                                       fname, lineno, argv[1] );
+                       return 1;
+               }
+
+       } else {
+               return SLAP_CONF_UNKNOWN;
+       }
+
+       return 0;
+}
+
Cloned from git://git.openldap.org/openldap.git