/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2004 The OpenLDAP Foundation.
+ * Copyright 1998-2005 The OpenLDAP Foundation.
* Portions Copyright 2000 Mark Adamson, Carnegie Mellon.
* All rights reserved.
*
#include "portable.h"
#include <stdio.h>
+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif
#include <ac/stdlib.h>
#include <ac/string.h>
#include "slap.h"
-#include <limits.h>
-
#include "lutil.h"
#define SASLREGEX_REPLACE 10
#define SASL_AUTHZ_TO 0x02
#define SASL_AUTHZ_AND 0x10
+static const char *policy_txt[] = {
+ "none", "from", "to", "any"
+};
+
static int authz_policy = SASL_AUTHZ_NONE;
static
return rc;
}
+const char * slap_sasl_getpolicy()
+{
+ if ( authz_policy == (SASL_AUTHZ_FROM | SASL_AUTHZ_TO | SASL_AUTHZ_AND) )
+ return "all";
+ else
+ return policy_txt[authz_policy];
+}
+
int slap_parse_user( struct berval *id, struct berval *user,
struct berval *realm, struct berval *mech )
{
* <filter> must pass str2filter()
*/
rc = ldap_url_parse( uri->bv_val, &ludp );
- if ( rc == LDAP_URL_ERR_BADSCHEME ) {
+ switch ( rc ) {
+ case LDAP_URL_SUCCESS:
+ /* FIXME: the check is pedantic, but I think it's necessary,
+ * because people tend to use things like ldaps:// which
+ * gives the idea SSL is being used. Maybe we could
+ * accept ldapi:// as well, but the point is that we use
+ * an URL as an easy means to define bits of a search with
+ * little parsing.
+ */
+ if ( strcasecmp( ludp->lud_scheme, "ldap" ) != 0 ) {
+ /*
+ * must be ldap:///
+ */
+ return LDAP_PROTOCOL_ERROR;
+ }
+ break;
+
+ case LDAP_URL_ERR_BADSCHEME:
/*
* last chance: assume it's a(n exact) DN ...
*
bv.bv_val = uri->bv_val;
*scope = LDAP_X_SCOPE_EXACT;
goto is_dn;
- }
- if ( rc != LDAP_URL_SUCCESS ) {
+ default:
return LDAP_PROTOCOL_ERROR;
}
- if (( ludp->lud_host && *ludp->lud_host )
+ if ( ( ludp->lud_host && *ludp->lud_host )
|| ludp->lud_attrs || ludp->lud_exts )
{
/* host part must be empty */
int slap_sasl_regexp_config( const char *match, const char *replace )
{
-#ifdef SLAP_AUTH_REWRITE
- return slap_sasl_regexp_rewrite_config( "sasl-regexp", 0,
- match, replace, AUTHID_CONTEXT );
-#else /* ! SLAP_AUTH_REWRITE */
int rc;
SaslRegexp_t *reg;
reg->sr_match = ch_strdup( match );
reg->sr_replace = ch_strdup( replace );
+#ifdef SLAP_AUTH_REWRITE
+ rc = slap_sasl_regexp_rewrite_config( "sasl-regexp", 0,
+ match, replace, AUTHID_CONTEXT );
+ if ( rc == LDAP_SUCCESS ) nSaslRegexp++;
+ return rc;
+#else /* ! SLAP_AUTH_REWRITE */
+
/* Precompile matching pattern */
rc = regcomp( ®->sr_workspace, reg->sr_match, REG_EXTENDED|REG_ICASE );
if ( rc ) {
#endif /* ! SLAP_AUTH_REWRITE */
}
+void slap_sasl_regexp_unparse( BerVarray *out )
+{
+ int i;
+ struct berval bv;
+ BerVarray bva = NULL;
+ char ibuf[32], *ptr;
+ struct berval idx;
+
+ if ( !nSaslRegexp ) return;
+
+ idx.bv_val = ibuf;
+ bva = ch_malloc( (nSaslRegexp+1) * sizeof(struct berval) );
+ BER_BVZERO(bva+nSaslRegexp);
+ for ( i=0; i<nSaslRegexp; i++ ) {
+ idx.bv_len = sprintf( idx.bv_val, "{%d}", i);
+ bva[i].bv_len = idx.bv_len + strlen( SaslRegexp[i].sr_match ) +
+ strlen( SaslRegexp[i].sr_replace ) + 5;
+ bva[i].bv_val = ch_malloc( bva[i].bv_len+1 );
+ ptr = lutil_strcopy( bva[i].bv_val, ibuf );
+ *ptr++ = '"';
+ ptr = lutil_strcopy( ptr, SaslRegexp[i].sr_match );
+ ptr = lutil_strcopy( ptr, "\" \"" );
+ ptr = lutil_strcopy( ptr, SaslRegexp[i].sr_replace );
+ *ptr++ = '"';
+ *ptr = '\0';
+ }
+ *out = bva;
+}
+
/* Perform replacement on regexp matches */
static void slap_sasl_rx_exp(
const char *rep,
if ( !BER_BVISNULL( out ) ) {
char *val = out->bv_val;
ber_str2bv_x( val, 0, 1, out, ctx );
- free( val );
+ if ( val != in->bv_val ) {
+ free( val );
+ }
} else {
ber_dupbv_x( out, in, ctx );
}
goto CONCLUDED;
}
+ op.o_hdr = opx->o_hdr;
op.o_tag = LDAP_REQ_SEARCH;
- op.o_protocol = LDAP_VERSION3;
op.o_ndn = *authc;
op.o_callback = &cb;
op.o_time = slap_get_time();
op.o_do_not_cache = 1;
op.o_is_auth_check = 1;
- op.o_threadctx = opx->o_threadctx;
- op.o_tmpmemctx = opx->o_tmpmemctx;
- op.o_tmpmfuncs = opx->o_tmpmfuncs;
-#ifdef LDAP_SLAPI
- op.o_pb = opx->o_pb;
-#endif
- op.o_conn = opx->o_conn;
- op.o_connid = opx->o_connid;
/* use req_ndn as req_dn instead of non-pretty base of uri */
if( !BER_BVISNULL( &base ) ) {
ch_free( base.bv_val );
BER_BVZERO( &base );
}
ber_dupbv_x( &op.o_req_dn, &op.o_req_ndn, op.o_tmpmemctx );
+ op.ors_deref = LDAP_DEREF_NEVER;
op.ors_slimit = 1;
op.ors_tlimit = SLAP_NO_LIMIT;
op.ors_attrs = slap_anlist_no_attrs;
op.ors_attrsonly = 1;
- op.o_sync_slog_size = -1;
op.o_bd->be_search( &op, &rs );
"converting SASL name %s to a DN\n",
saslname->bv_val, 0,0 );
- sasldn->bv_val = NULL;
- sasldn->bv_len = 0;
+ BER_BVZERO( sasldn );
cb.sc_private = sasldn;
/* Convert the SASL name into a minimal URI */
"slap_sasl2dn: performing internal search (base=%s, scope=%d)\n",
op.o_req_ndn.bv_val, op.ors_scope, 0 );
- if(( op.o_bd == NULL ) || ( op.o_bd->be_search == NULL)) {
+ if ( ( op.o_bd == NULL ) || ( op.o_bd->be_search == NULL) ) {
goto FINISHED;
}
- op.o_conn = opx->o_conn;
- op.o_connid = opx->o_connid;
+ /* Must run an internal search. */
+ if ( op.ors_filter == NULL ) {
+ rc = LDAP_FILTER_ERROR;
+ goto FINISHED;
+ }
+
+ op.o_hdr = opx->o_hdr;
op.o_tag = LDAP_REQ_SEARCH;
- op.o_protocol = LDAP_VERSION3;
op.o_ndn = opx->o_conn->c_ndn;
op.o_callback = &cb;
op.o_time = slap_get_time();
op.o_do_not_cache = 1;
op.o_is_auth_check = 1;
- op.o_threadctx = opx->o_threadctx;
- op.o_tmpmemctx = opx->o_tmpmemctx;
- op.o_tmpmfuncs = opx->o_tmpmfuncs;
-#ifdef LDAP_SLAPI
- op.o_pb = opx->o_pb;
-#endif
op.ors_deref = LDAP_DEREF_NEVER;
op.ors_slimit = 1;
op.ors_tlimit = SLAP_NO_LIMIT;
op.ors_attrs = slap_anlist_no_attrs;
op.ors_attrsonly = 1;
- op.o_sync_slog_size = -1;
/* use req_ndn as req_dn instead of non-pretty base of uri */
if( !BER_BVISNULL( &base ) ) {
ch_free( base.bv_val );