Added ppolicy_hide_lockout keyword

[openldap] / servers / slapd / saslauthz.c

diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index a2f7fe02219be1348cc835becc1044474356b8fe..50d9d297ddbd8c87c15cb4b06a169ef3be9d1cc4 100644 (file)
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -1,7 +1,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 1998-2004 The OpenLDAP Foundation.
  * Portions Copyright 2000 Mark Adamson, Carnegie Mellon.
  * All rights reserved.
  *
@@ -33,6 +33,7 @@
 #define LDAP_X_SCOPE_REGEX     ((ber_int_t) 0x0020)
 #define LDAP_X_SCOPE_CHILDREN  ((ber_int_t) 0x0030)
 #define LDAP_X_SCOPE_SUBTREE   ((ber_int_t) 0x0040)
+#define LDAP_X_SCOPE_ONELEVEL  ((ber_int_t) 0x0050)
 
 /*
  * IDs in DNauthzid form can now have a type specifier, that
@@ -72,9 +73,10 @@ static int nSaslRegexp = 0;
 static SaslRegexp_t *SaslRegexp = NULL;
 
 /* What SASL proxy authorization policies are allowed? */
-#define        SASL_AUTHZ_NONE 0
-#define        SASL_AUTHZ_FROM 1
-#define        SASL_AUTHZ_TO   2
+#define        SASL_AUTHZ_NONE 0x00
+#define        SASL_AUTHZ_FROM 0x01
+#define        SASL_AUTHZ_TO   0x02
+#define SASL_AUTHZ_AND 0x10
 
 static int authz_policy = SASL_AUTHZ_NONE;
 
@@ -88,8 +90,10 @@ int slap_sasl_setpolicy( const char *arg )
                authz_policy = SASL_AUTHZ_FROM;
        } else if ( strcasecmp( arg, "to" ) == 0 ) {
                authz_policy = SASL_AUTHZ_TO;
-       } else if ( strcasecmp( arg, "both" ) == 0 ) {
+       } else if ( strcasecmp( arg, "both" ) == 0 || strcasecmp( arg, "any" ) == 0 ) {
                authz_policy = SASL_AUTHZ_FROM | SASL_AUTHZ_TO;
+       } else if ( strcasecmp( arg, "all" ) == 0 ) {
+               authz_policy = SASL_AUTHZ_FROM | SASL_AUTHZ_TO | SASL_AUTHZ_AND;
        } else {
                rc = LDAP_OTHER;
        }
@@ -222,6 +226,10 @@ static int slap_parseURI( Operation *op, struct berval *uri,
                                bv.bv_val += sizeof( "subtree" ) - 1;
                                *scope = LDAP_X_SCOPE_SUBTREE;
 
+                       } else if ( !strncasecmp( bv.bv_val, "onelevel:", sizeof( "onelevel:" ) - 1 ) ) {
+                               bv.bv_val += sizeof( "onelevel" ) - 1;
+                               *scope = LDAP_X_SCOPE_ONELEVEL;
+
                        } else {
                                return LDAP_PROTOCOL_ERROR;
                        }
@@ -241,6 +249,7 @@ is_dn:              bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
                case LDAP_X_SCOPE_EXACT:
                case LDAP_X_SCOPE_CHILDREN:
                case LDAP_X_SCOPE_SUBTREE:
+               case LDAP_X_SCOPE_ONELEVEL:
                        rc = dnNormalize( 0, NULL, NULL, &bv, nbase, op->o_tmpmemctx );
                        if( rc != LDAP_SUCCESS ) {
                                *scope = -1;
@@ -266,7 +275,7 @@ is_dn:              bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
        {
                Connection      c = *op->o_conn;
                char            buf[ SLAP_LDAPDN_MAXLEN ];
-               struct berval   id = { uri->bv_len, (char *)buf },
+               struct berval   id,
                                user = { 0, NULL },
                                realm = { 0, NULL },
                                mech = { 0, NULL };
@@ -275,6 +284,8 @@ is_dn:              bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
                        return LDAP_INVALID_SYNTAX;
                }
 
+               id.bv_len = uri->bv_len;
+               id.bv_val = buf;
                strncpy( buf, uri->bv_val, sizeof( buf ) );
 
                rc = slap_parse_user( &id, &user, &realm, &mech );
@@ -487,7 +498,8 @@ static void slap_sasl_rx_exp(
    LDAP URI to find the matching LDAP entry, using the pattern matching
    strings given in the saslregexp config file directive(s) */
 
-static int slap_sasl_regexp( struct berval *in, struct berval *out, void *ctx )
+static int slap_sasl_regexp( struct berval *in, struct berval *out,
+               int flags, void *ctx )
 {
        char *saslname = in->bv_val;
        SaslRegexp_t *reg;
@@ -633,6 +645,7 @@ exact_match:
 
        case LDAP_X_SCOPE_CHILDREN:
        case LDAP_X_SCOPE_SUBTREE:
+       case LDAP_X_SCOPE_ONELEVEL:
        {
                int     d = assertDN->bv_len - op.o_req_ndn.bv_len;
 
@@ -642,10 +655,35 @@ exact_match:
                        goto exact_match;
 
                } else if ( d > 0 ) {
-                       struct berval bv = { op.o_req_ndn.bv_len, assertDN->bv_val + d };
+                       struct berval bv;
+
+                       bv.bv_len = op.o_req_ndn.bv_len;
+                       bv.bv_val = assertDN->bv_val + d;
 
                        if ( bv.bv_val[ -1 ] == ',' && dn_match( &op.o_req_ndn, &bv ) ) {
-                               rc = LDAP_SUCCESS;
+                               switch ( op.oq_search.rs_scope ) {
+                               case LDAP_X_SCOPE_CHILDREN:
+                                       rc = LDAP_SUCCESS;
+                                       break;
+
+                               case LDAP_X_SCOPE_ONELEVEL:
+                               {
+                                       struct berval   pdn;
+
+                                       dnParent( assertDN, &pdn );
+                                       /* the common portion of the DN
+                                        * already matches, so only check
+                                        * if parent DN of assertedDN 
+                                        * is all the pattern */
+                                       if ( pdn.bv_len == op.o_req_ndn.bv_len ) {
+                                               rc = LDAP_SUCCESS;
+                                       }
+                                       break;
+                               }
+                               default:
+                                       /* at present, impossible */
+                                       assert( 0 );
+                               }
                        }
                }
                goto CONCLUDED;
@@ -804,7 +842,7 @@ COMPLETE:
  * entry, return the DN of that one entry.
  */
 void slap_sasl2dn( Operation *opx,
-       struct berval *saslname, struct berval *sasldn )
+       struct berval *saslname, struct berval *sasldn, int flags )
 {
        int rc;
        slap_callback cb = { NULL, sasl_sc_sasl2dn, NULL, NULL };
@@ -827,7 +865,7 @@ void slap_sasl2dn( Operation *opx,
        cb.sc_private = sasldn;
 
        /* Convert the SASL name into a minimal URI */
-       if( !slap_sasl_regexp( saslname, &regout, opx->o_tmpmemctx ) ) {
+       if( !slap_sasl_regexp( saslname, &regout, flags, opx->o_tmpmemctx ) ) {
                goto FINISHED;
        }
 
@@ -854,11 +892,15 @@ void slap_sasl2dn( Operation *opx,
        case LDAP_X_SCOPE_REGEX:
        case LDAP_X_SCOPE_SUBTREE:
        case LDAP_X_SCOPE_CHILDREN:
+       case LDAP_X_SCOPE_ONELEVEL:
                /* correctly parsed, but illegal */
                goto FINISHED;
 
        case LDAP_SCOPE_ONELEVEL:
        case LDAP_SCOPE_SUBTREE:
+#ifdef LDAP_SCOPE_SUBORDINATE
+       case LDAP_SCOPE_SUBORDINATE:
+#endif
                /* do a search */
                break;
 
@@ -966,7 +1008,7 @@ int slap_sasl_authorized( Operation *op,
        if( authz_policy & SASL_AUTHZ_TO ) {
                rc = slap_sasl_check_authz( op, authcDN, authzDN,
                        slap_schema.si_ad_saslAuthzTo, authcDN );
-               if( rc == LDAP_SUCCESS ) {
+               if( rc == LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND) ) {
                        goto DONE;
                }
        }