/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2005 The OpenLDAP Foundation.
+ * Copyright 1998-2006 The OpenLDAP Foundation.
* Portions Copyright 2000 Mark Adamson, Carnegie Mellon.
* All rights reserved.
*
* u[.mech[/realm]]:user
*/
- user->bv_val = strchr( id->bv_val, ':' );
+ user->bv_val = ber_bvchr( id, ':' );
if ( BER_BVISNULL( user ) ) {
return LDAP_PROTOCOL_ERROR;
}
user->bv_val++;
user->bv_len = id->bv_len - ( user->bv_val - id->bv_val );
- mech->bv_val = strchr( id->bv_val, '.' );
+ mech->bv_val = ber_bvchr( id, '.' );
if ( !BER_BVISNULL( mech ) ) {
mech->bv_val[ 0 ] = '\0';
mech->bv_val++;
+ mech->bv_len = user->bv_val - mech->bv_val - 1;
- realm->bv_val = strchr( mech->bv_val, '/' );
+ realm->bv_val = ber_bvchr( mech, '/' );
if ( !BER_BVISNULL( realm ) ) {
realm->bv_val[ 0 ] = '\0';
realm->bv_val++;
mech->bv_len = realm->bv_val - mech->bv_val - 1;
realm->bv_len = user->bv_val - realm->bv_val - 1;
- } else {
- mech->bv_len = user->bv_val - mech->bv_val - 1;
}
} else {
member_at = BER_BVNULL;
bv.bv_val = in->bv_val + STRLENOF( "group" );
- group_dn.bv_val = strchr( bv.bv_val, ':' );
+ bv.bv_len = in->bv_len - STRLENOF( "group" );
+ group_dn.bv_val = ber_bvchr( &bv, ':' );
if ( group_dn.bv_val == NULL ) {
/* last chance: assume it's a(n exact) DN ... */
bv.bv_val = in->bv_val;
*/
if ( bv.bv_val[ 0 ] == '/' ) {
group_oc.bv_val = &bv.bv_val[ 1 ];
+ group_oc.bv_len = group_dn.bv_val - group_oc.bv_val;
- member_at.bv_val = strchr( group_oc.bv_val, '/' );
+ member_at.bv_val = ber_bvchr( &group_oc, '/' );
if ( member_at.bv_val ) {
AttributeDescription *ad = NULL;
const char *text = NULL;
if ( rc != LDAP_SUCCESS ) {
return rc;
}
+ }
- } else {
- group_oc.bv_len = group_dn.bv_val - group_oc.bv_val;
-
- if ( oc_bvfind( &group_oc ) == NULL ) {
- return LDAP_INVALID_SYNTAX;
- }
+ if ( oc_bvfind( &group_oc ) == NULL ) {
+ return LDAP_INVALID_SYNTAX;
}
}
char *ptr;
bv.bv_val = val->bv_val + STRLENOF( "group" );
- group_dn.bv_val = strchr( bv.bv_val, ':' );
+ bv.bv_len = val->bv_len - STRLENOF( "group" );
+ group_dn.bv_val = ber_bvchr( &bv, ':' );
if ( group_dn.bv_val == NULL ) {
/* last chance: assume it's a(n exact) DN ... */
bv.bv_val = val->bv_val;
* are present in schema...
*/
if ( bv.bv_val[ 0 ] == '/' ) {
+ ObjectClass *oc = NULL;
+
group_oc.bv_val = &bv.bv_val[ 1 ];
+ group_oc.bv_len = group_dn.bv_val - group_oc.bv_val;
- member_at.bv_val = strchr( group_oc.bv_val, '/' );
+ member_at.bv_val = ber_bvchr( &group_oc, '/' );
if ( member_at.bv_val ) {
AttributeDescription *ad = NULL;
const char *text = NULL;
member_at = ad->ad_cname;
- } else {
- ObjectClass *oc = NULL;
-
- group_oc.bv_len = group_dn.bv_val - group_oc.bv_val;
-
- oc = oc_bvfind( &group_oc );
- if ( oc == NULL ) {
- return LDAP_INVALID_SYNTAX;
- }
+ }
- group_oc = oc->soc_cname;
+ oc = oc_bvfind( &group_oc );
+ if ( oc == NULL ) {
+ return LDAP_INVALID_SYNTAX;
}
+
+ group_oc = oc->soc_cname;
}
group_dn.bv_val++;
if ( idx.bv_val[ 0 ] == '{' ) {
char *ptr;
- ptr = strchr( idx.bv_val, '}' ) + 1;
+ ptr = ber_bvchr( &idx, '}' ) + 1;
assert( ptr != (void *)1 );
char *tmp;
bv.bv_val = uri->bv_val + STRLENOF( "group" );
- group_dn.bv_val = strchr( bv.bv_val, ':' );
+ bv.bv_len = uri->bv_len - STRLENOF( "group" );
+ group_dn.bv_val = ber_bvchr( &bv, ':' );
if ( group_dn.bv_val == NULL ) {
/* last chance: assume it's a(n exact) DN ... */
bv.bv_val = uri->bv_val;
if ( bv.bv_val[ 0 ] == '/' ) {
group_oc.bv_val = &bv.bv_val[ 1 ];
+ group_oc.bv_len = group_dn.bv_val - group_oc.bv_val;
- member_at.bv_val = strchr( group_oc.bv_val, '/' );
+ member_at.bv_val = ber_bvchr( &group_oc, '/' );
if ( member_at.bv_val ) {
group_oc.bv_len = member_at.bv_val - group_oc.bv_val;
member_at.bv_val++;
member_at.bv_len = group_dn.bv_val - member_at.bv_val;
} else {
- group_oc.bv_len = group_dn.bv_val - group_oc.bv_val;
BER_BVSTR( &member_at, SLAPD_GROUP_ATTR );
}
} else {
BER_BVSTR( &group_oc, SLAPD_GROUP_CLASS );
+ BER_BVSTR( &member_at, SLAPD_GROUP_ATTR );
}
group_dn.bv_val++;
group_dn.bv_len = uri->bv_len - ( group_dn.bv_val - uri->bv_val );
}
/* This callback actually does some work...*/
-static int sasl_sc_sasl2dn( Operation *o, SlapReply *rs )
+static int sasl_sc_sasl2dn( Operation *op, SlapReply *rs )
{
- struct berval *ndn = o->o_callback->sc_private;
+ struct berval *ndn = op->o_callback->sc_private;
- if (rs->sr_type != REP_SEARCH) return 0;
+ if ( rs->sr_type != REP_SEARCH ) return LDAP_SUCCESS;
/* We only want to be called once */
if ( !BER_BVISNULL( ndn ) ) {
- o->o_tmpfree(ndn->bv_val, o->o_tmpmemctx);
+ op->o_tmpfree( ndn->bv_val, op->o_tmpmemctx );
BER_BVZERO( ndn );
Debug( LDAP_DEBUG_TRACE,
- "slap_sc_sasl2dn: search DN returned more than 1 entry\n", 0, 0, 0 );
- return -1;
+ "%s: slap_sc_sasl2dn: search DN returned more than 1 entry\n",
+ op->o_log_prefix, 0, 0 );
+ return LDAP_UNAVAILABLE; /* short-circuit the search */
}
- ber_dupbv_x(ndn, &rs->sr_entry->e_nname, o->o_tmpmemctx);
- return 0;
+ ber_dupbv_x( ndn, &rs->sr_entry->e_nname, op->o_tmpmemctx );
+ return LDAP_SUCCESS;
}
{
smatch_info *sm = o->o_callback->sc_private;
- if ( rs->sr_type != REP_SEARCH ) {
- if ( rs->sr_err != LDAP_SUCCESS ) {
- sm->match = -1;
- }
- return 0;
- }
-
- if ( sm->match == 1 ) {
- sm->match = -1;
- return 0;
- }
+ if (rs->sr_type != REP_SEARCH) return 0;
if (dn_match(sm->dn, &rs->sr_entry->e_nname)) {
sm->match = 1;
-
- } else {
- sm->match = -1;
+ return LDAP_UNAVAILABLE; /* short-circuit the search */
}
return 0;
op.o_tag = LDAP_REQ_SEARCH;
op.o_ndn = *authc;
op.o_callback = &cb;
- op.o_time = slap_get_time();
+ slap_op_time( &op.o_time, &op.o_tincr );
op.o_do_not_cache = 1;
op.o_is_auth_check = 1;
/* use req_ndn as req_dn instead of non-pretty base of uri */
op.o_bd->be_search( &op, &rs );
- if (sm.match == 1) {
+ if (sm.match) {
rc = LDAP_SUCCESS;
} else {
rc = LDAP_INAPPROPRIATE_AUTH;
AttributeDescription *ad,
struct berval *authc )
{
- int rc;
- BerVarray vals = NULL;
+ int rc,
+ do_not_cache = op->o_do_not_cache;
+ BerVarray vals = NULL;
Debug( LDAP_DEBUG_TRACE,
"==>slap_sasl_check_authz: does %s match %s rule in %s?\n",
assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
+ /* ITS#4760: don't cache group access */
+ op->o_do_not_cache = 1;
rc = backend_attribute( op, NULL, searchDN, ad, &vals, ACL_AUTH );
+ op->o_do_not_cache = do_not_cache;
if( rc != LDAP_SUCCESS ) goto COMPLETE;
/* Check if the *assertDN matches any *vals */
case LDAP_SCOPE_BASE:
case LDAP_SCOPE_ONELEVEL:
case LDAP_SCOPE_SUBTREE:
-#ifdef LDAP_SCOPE_SUBORDINATE
case LDAP_SCOPE_SUBORDINATE:
-#endif
/* do a search */
break;
op.o_tag = LDAP_REQ_SEARCH;
op.o_ndn = opx->o_conn->c_ndn;
op.o_callback = &cb;
- op.o_time = slap_get_time();
+ slap_op_time( &op.o_time, &op.o_tincr );
op.o_do_not_cache = 1;
op.o_is_auth_check = 1;
op.ors_deref = LDAP_DEREF_NEVER;
Debug( LDAP_DEBUG_TRACE,
"==>slap_sasl_authorized: can %s become %s?\n",
- authcDN->bv_val, authzDN->bv_val, 0 );
+ authcDN->bv_len ? authcDN->bv_val : "(null)",
+ authzDN->bv_len ? authzDN->bv_val : "(null)", 0 );
/* If person is authorizing to self, succeed */
if ( dn_match( authcDN, authzDN ) ) {
projects / openldap / blobdiff