#include "portable.h"
#include <stdio.h>
+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif
+
#include <ac/stdlib.h>
#include <ac/string.h>
#include "slap.h"
-#include <limits.h>
-
#ifdef HAVE_CYRUS_SASL
# ifdef HAVE_SASL_SASL_H
# include <sasl/sasl.h>
rc = slap_mods_check( modlist, &text, textbuf, textlen, NULL );
if ( rc == LDAP_SUCCESS ) {
- rc = slap_mods_no_update_check( modlist, &text,
- textbuf, textlen );
+ rc = slap_mods_no_user_mod_check( &op, modlist,
+ &text, textbuf, textlen );
if ( rc == LDAP_SUCCESS ) {
rc = slap_mods_opattrs( &op, modlist, modtail,
{
Connection *conn = (Connection *)context;
struct propval auxvals[3];
- struct berval authcDN, authzDN;
+ struct berval authcDN, authzDN=BER_BVNULL;
int rc;
/* Simple Binds don't support proxy authorization, ignore it */
}
AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) );
+ conn->c_sasl_dn = authcDN;
/* Nothing to do if no authzID was given */
if ( !auxvals[1].name || !auxvals[1].values ) {
- conn->c_sasl_dn = authcDN;
goto ok;
}
AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) );
rc = slap_sasl_authorized( conn->c_sasl_bindop, &authcDN, &authzDN );
- ch_free( authcDN.bv_val );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, "SASL Proxy Authorize [conn=%ld]: "
"proxy authorization disallowed (%d)\n",
return SASL_NOAUTHZ;
}
- conn->c_sasl_dn = authzDN;
+ conn->c_sasl_authz_dn = authzDN;
ok:
if (conn->c_sasl_bindop) {
Statslog( LDAP_DEBUG_STATS,
- "conn=%lu op=%lu BIND authcid=\"%s\"\n",
+ "conn=%lu op=%lu BIND authcid=\"%s\" authzid=\"%s\"\n",
conn->c_connid, conn->c_sasl_bindop->o_opid,
- auth_identity, 0, 0);
+ auth_identity, requested_user, 0);
}
Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
- " proxy authorization allowed\n",
- (long) (conn ? conn->c_connid : -1), 0, 0 );
+ " proxy authorization allowed authzDN=\"%s\"\n",
+ (long) (conn ? conn->c_connid : -1),
+ authzDN.bv_val ? authzDN.bv_val : "", 0 );
return SASL_OK;
}
#else
*errstr = ldap_err2string( rc );
return SASL_NOAUTHZ;
}
+ conn->c_sasl_dn = authcDN;
if( ( authzid == NULL ) || !strcmp( authcid, authzid ) ) {
Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
"Using authcDN=%s\n", (long) (conn ? conn->c_connid : -1), authcDN.bv_val,0 );
- conn->c_sasl_dn = authcDN;
goto ok;
}
rc = slap_sasl_getdn( conn, NULL, &bvauthzid, realm,
&authzDN, SLAP_GETDN_AUTHZID );
if( rc != LDAP_SUCCESS ) {
- ch_free( authcDN.bv_val );
*errstr = ldap_err2string( rc );
return SASL_NOAUTHZ;
}
rc = slap_sasl_authorized(conn->c_sasl_bindop, &authcDN, &authzDN );
- ch_free( authcDN.bv_val );
if( rc ) {
Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
"proxy authorization disallowed (%d)\n",
ch_free( authzDN.bv_val );
return SASL_NOAUTHZ;
}
- conn->c_sasl_dn = authzDN;
+ conn->c_sasl_authz_dn = authzDN;
ok:
Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
- " authorization allowed\n",
- (long) (conn ? conn->c_connid : -1), 0, 0 );
+ " authorization allowed authzDN=\"%s\"\n",
+ (long) (conn ? conn->c_connid : -1),
+ authzDN.bv_val ? authzDN.bv_val : "", 0 );
if (conn->c_sasl_bindop) {
Statslog( LDAP_DEBUG_STATS,
- "conn=%lu op=%lu BIND authcid=\"%s\"\n",
+ "conn=%lu op=%lu BIND authcid=\"%s\" authzid=\"%s\"\n",
conn->c_connid, conn->c_sasl_bindop->o_opid,
- authcid, 0, 0);
+ authcid, authzid ? authzid : "", 0);
}
*errstr = NULL;