/*
- * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
* COPYING RESTRICTIONS APPLY, see COPYRIGHT file
*/
/*
{
int rc = LDAP_SUCCESS;
- if ( strcasecmp( arg, "none" ) == 0 )
+ if ( strcasecmp( arg, "none" ) == 0 ) {
authz_policy = SASL_AUTHZ_NONE;
- else if ( strcasecmp( arg, "from" ) == 0 )
+ } else if ( strcasecmp( arg, "from" ) == 0 ) {
authz_policy = SASL_AUTHZ_FROM;
- else if ( strcasecmp( arg, "to" ) == 0 )
+ } else if ( strcasecmp( arg, "to" ) == 0 ) {
authz_policy = SASL_AUTHZ_TO;
- else if ( strcasecmp( arg, "both" ) == 0 )
+ } else if ( strcasecmp( arg, "both" ) == 0 ) {
authz_policy = SASL_AUTHZ_FROM | SASL_AUTHZ_TO;
- else
+ } else {
rc = LDAP_OTHER;
+ }
return rc;
}
saslname, 0, 0 );
#endif
- if (( saslname == NULL ) || ( nSaslRegexp == 0 ))
+ if (( saslname == NULL ) || ( nSaslRegexp == 0 )) {
return( 0 );
+ }
/* Match the normalized SASL name to the saslregexp patterns */
for( reg = SaslRegexp,i=0; i<nSaslRegexp; i++,reg++ ) {
break;
}
- if( i >= nSaslRegexp )
- return( 0 );
+ if( i >= nSaslRegexp ) return( 0 );
/*
* The match pattern may have been of the form "a(b.*)c(d.*)e" and the
{
}
+int slap_cb_null_sreference( BackendDB *db, Connection *conn, Operation *o,
+ Entry *e, BerVarray r, LDAPControl **c, BerVarray *v2)
+{
+ return 0;
+}
+
/* This callback actually does some work...*/
static int sasl_sc_sasl2dn( BackendDB *be, Connection *conn, Operation *o,
Entry *e, AttributeName *an, int ao, LDAPControl **c)
ndn->bv_val = NULL;
#ifdef NEW_LOGGING
- LDAP_LOG( TRANSPORT, DETAIL1,
- "slap_sasl2dn: search DN returned more than 1 entry\n", 0, 0, 0 );
+ LDAP_LOG( TRANSPORT, DETAIL1,
+ "slap_sasl2dn: search DN returned more than 1 entry\n", 0, 0, 0 );
#else
Debug( LDAP_DEBUG_TRACE,
"slap_sasl2dn: search DN returned more than 1 entry\n", 0,0,0 );
if (dn_match(sm->dn, &e->e_nname)) {
sm->match = 1;
return -1; /* short-circuit the search */
- } else {
- return 1;
}
+
+ return 1;
}
/*
Filter *filter=NULL;
regex_t reg;
smatch_info sm;
- slap_callback cb = { slap_cb_null_response, slap_cb_null_sresult, sasl_sc_smatch, NULL };
+ slap_callback cb = {
+ slap_cb_null_response,
+ slap_cb_null_sresult,
+ sasl_sc_smatch,
+ NULL
+ };
Operation op = {0};
#ifdef NEW_LOGGING
assertDN->bv_val, rule->bv_val,0 );
#else
Debug( LDAP_DEBUG_TRACE,
- "===>slap_sasl_match: comparing DN %s to rule %s\n", assertDN->bv_val, rule->bv_val, 0 );
+ "===>slap_sasl_match: comparing DN %s to rule %s\n",
+ assertDN->bv_val, rule->bv_val, 0 );
#endif
rc = slap_parseURI( rule, &searchbase, &scope, &filter );
- if( rc != LDAP_SUCCESS )
- goto CONCLUDED;
+ if( rc != LDAP_SUCCESS ) goto CONCLUDED;
/* Massive shortcut: search scope == base */
if( scope == LDAP_SCOPE_BASE ) {
rc = regexec(®, assertDN->bv_val, 0, NULL, 0);
regfree( ® );
}
- if ( rc == 0 )
+ if ( rc == 0 ) {
rc = LDAP_SUCCESS;
- else
+ } else {
rc = LDAP_INAPPROPRIATE_AUTH;
+ }
goto CONCLUDED;
}
rc = LDAP_INAPPROPRIATE_AUTH;
goto CONCLUDED;
}
- suffix_alias( be, &searchbase );
sm.dn = assertDN;
sm.match = 0;
op.o_callback = &cb;
op.o_time = slap_get_time();
op.o_do_not_cache = 1;
+ op.o_is_auth_check = 1;
op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
(*be->be_search)( be, conn, &op, /*base=*/NULL, &searchbase,
scope, /*deref=*/1, /*sizelimit=*/0, /*time=*/0, filter, /*fstr=*/NULL,
/*attrs=*/NULL, /*attrsonly=*/0 );
- if (sm.match)
+ if (sm.match) {
rc = LDAP_SUCCESS;
- else
+ } else {
rc = LDAP_INAPPROPRIATE_AUTH;
+ }
CONCLUDED:
if( searchbase.bv_len ) ch_free( searchbase.bv_val );
if( filter ) filter_free( filter );
+
#ifdef NEW_LOGGING
LDAP_LOG( TRANSPORT, ENTRY,
"slap_sasl_match: comparison returned %d\n", rc, 0, 0 );
rc = backend_attribute( NULL, NULL, conn->c_sasl_bindop, NULL,
searchDN, ad, &vals );
- if( rc != LDAP_SUCCESS )
- goto COMPLETE;
+ if( rc != LDAP_SUCCESS ) goto COMPLETE;
/* Check if the *assertDN matches any **vals */
for( i=0; vals[i].bv_val != NULL; i++ ) {
rc = slap_sasl_match( conn, &vals[i], assertDN, authc );
- if ( rc == LDAP_SUCCESS )
- goto COMPLETE;
+ if ( rc == LDAP_SUCCESS ) goto COMPLETE;
}
rc = LDAP_INAPPROPRIATE_AUTH;
int scope = LDAP_SCOPE_BASE;
Filter *filter = NULL;
slap_callback cb = { slap_cb_null_response,
- slap_cb_null_sresult, sasl_sc_sasl2dn, NULL};
+ slap_cb_null_sresult, sasl_sc_sasl2dn, slap_cb_null_sreference, NULL};
Operation op = {0};
struct berval regout = { 0, NULL };
}
rc = slap_parseURI( ®out, &dn, &scope, &filter );
+ if( regout.bv_val ) ch_free( regout.bv_val );
if( rc != LDAP_SUCCESS ) {
goto FINISHED;
}
if(( be == NULL ) || ( be->be_search == NULL)) {
goto FINISHED;
}
- suffix_alias( be, &dn );
op.o_tag = LDAP_REQ_SEARCH;
op.o_protocol = LDAP_VERSION3;
op.o_callback = &cb;
op.o_time = slap_get_time();
op.o_do_not_cache = 1;
- op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
+ op.o_is_auth_check = 1;
+ op.o_threadctx = conn->c_sasl_bindop ? conn->c_sasl_bindop->o_threadctx:
+ ldap_pvt_thread_pool_context( &connection_pool );
(*be->be_search)( be, conn, &op, NULL, &dn,
scope, LDAP_DEREF_NEVER, 1, 0,
goto DONE;
}
+ /* Allow the manager to authorize as any DN. */
+ if( conn->c_authz_backend && be_isroot( conn->c_authz_backend, authcDN )) {
+ rc = LDAP_SUCCESS;
+ goto DONE;
+ }
+
/* Check source rules */
if( authz_policy & SASL_AUTHZ_TO ) {
rc = slap_sasl_check_authz( conn, authcDN, authzDN,