X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fback-ldap%2Fbind.c;h=29bc8b24ab2c511f017d13642ad122b37c846efc;hb=65b49dd3120ac2cdd6a80b95ca216fb2cc6a2241;hp=b24c9402695afa4feee8719bfe1aec8c2bc327e8;hpb=0b6772492fb420f729536e2e6c06a4637181e2d4;p=openldap diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c index b24c940269..29bc8b24ab 100644 --- a/servers/slapd/back-ldap/bind.c +++ b/servers/slapd/back-ldap/bind.c @@ -1,38 +1,24 @@ /* bind.c - ldap backend bind function */ /* $OpenLDAP$ */ -/* - * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved. - * COPYING RESTRICTIONS APPLY, see COPYRIGHT file - */ -/* This is an altered version */ -/* - * Copyright 1999, Howard Chu, All rights reserved. - * - * Permission is granted to anyone to use this software for any purpose - * on any computer system, and to alter it and redistribute it, subject - * to the following restrictions: - * - * 1. The author is not responsible for the consequences of use of this - * software, no matter how awful, even if they arise from flaws in it. - * - * 2. The origin of this software must not be misrepresented, either by - * explicit claim or by omission. Since few users ever read sources, - * credits should appear in the documentation. - * - * 3. Altered versions must be plainly marked as such, and must not be - * misrepresented as being the original software. Since few users - * ever read sources, credits should appear in the documentation. - * - * 4. This notice may not be removed or altered. +/* This work is part of OpenLDAP Software . * + * Copyright 1999-2004 The OpenLDAP Foundation. + * Portions Copyright 2000-2003 Pierangelo Masarati. + * Portions Copyright 1999-2003 Howard Chu. + * All rights reserved. * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. * - * Copyright 2000, Pierangelo Masarati, All rights reserved. - * - * This software is being modified by Pierangelo Masarati. - * The previously reported conditions apply to the modified code as well. - * Changes in the original code are highlighted where required. - * Credits for the original code go to the author, Howard Chu. + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * . + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by the Howard Chu for inclusion + * in OpenLDAP Software and subsequently enhanced by Pierangelo + * Masarati. */ #include "portable.h" @@ -53,24 +39,18 @@ static LDAP_REBIND_PROC ldap_back_rebind; int ldap_back_bind( - Backend *be, - Connection *conn, Operation *op, - struct berval *dn, - struct berval *ndn, - int method, - struct berval *cred, - struct berval *edn -) + SlapReply *rs ) { - struct ldapinfo *li = (struct ldapinfo *) be->be_private; + struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private; struct ldapconn *lc; struct berval mdn = { 0, NULL }; int rc = 0; ber_int_t msgid; + dncookie dc; - lc = ldap_back_getconn(li, conn, op); + lc = ldap_back_getconn(op, rs); if ( !lc ) { return( -1 ); } @@ -78,34 +58,19 @@ ldap_back_bind( /* * Rewrite the bind dn if needed */ + dc.rwmap = &li->rwmap; #ifdef ENABLE_REWRITE - switch ( rewrite_session( li->rwinfo, "bindDn", dn->bv_val, conn, &mdn.bv_val ) ) { - case REWRITE_REGEXEC_OK: - if ( mdn.bv_val == NULL ) { - mdn.bv_val = ( char * )dn->bv_val; - } -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDAP, DETAIL1, - "[rw] bindDn: \"%s\" -> \"%s\"\n", dn->bv_val, mdn.bv_val, 0 ); -#else /* !NEW_LOGGING */ - Debug( LDAP_DEBUG_ARGS, "rw> bindDn: \"%s\" -> \"%s\"\n%s", - dn->bv_val, mdn.bv_val, "" ); -#endif /* !NEW_LOGGING */ - break; - - case REWRITE_REGEXEC_UNWILLING: - send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM, - NULL, "Operation not allowed", NULL, NULL ); - return( -1 ); - - case REWRITE_REGEXEC_ERR: - send_ldap_result( conn, op, LDAP_OTHER, - NULL, "Rewrite error", NULL, NULL ); - return( -1 ); + dc.conn = op->o_conn; + dc.rs = rs; + dc.ctx = "bindDN"; +#else + dc.tofrom = 1; + dc.normalized = 0; +#endif + if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) { + send_ldap_result( op, rs ); + return -1; } -#else /* !ENABLE_REWRITE */ - ldap_back_dn_massage( li, dn, &mdn, 0, 1 ); -#endif /* !ENABLE_REWRITE */ if ( lc->bound_dn.bv_val ) { ch_free( lc->bound_dn.bv_val ); @@ -114,40 +79,50 @@ ldap_back_bind( } lc->bound = 0; /* method is always LDAP_AUTH_SIMPLE if we got here */ - rc = ldap_sasl_bind(lc->ld, mdn.bv_val, LDAP_SASL_SIMPLE, - cred, op->o_ctrls, NULL, &msgid); - rc = ldap_back_op_result( lc, conn, op, msgid, rc ); + rs->sr_err = ldap_sasl_bind(lc->ld, mdn.bv_val, LDAP_SASL_SIMPLE, + &op->oq_bind.rb_cred, op->o_ctrls, NULL, &msgid); + rc = ldap_back_op_result( lc, op, rs, msgid, 1 ); if (rc == LDAP_SUCCESS) { lc->bound = 1; - if ( mdn.bv_val != dn->bv_val ) { + if ( mdn.bv_val != op->o_req_dn.bv_val ) { lc->bound_dn = mdn; } else { - ber_dupbv( &lc->bound_dn, dn ); + ber_dupbv( &lc->bound_dn, &op->o_req_dn ); } + mdn.bv_val = NULL; + if ( li->savecred ) { - if ( lc->cred.bv_val ) + if ( lc->cred.bv_val ) { + memset( lc->cred.bv_val, 0, lc->cred.bv_len ); ch_free( lc->cred.bv_val ); - ber_dupbv( &lc->cred, cred ); + } + ber_dupbv( &lc->cred, &op->oq_bind.rb_cred ); ldap_set_rebind_proc( lc->ld, ldap_back_rebind, lc ); } } /* must re-insert if local DN changed as result of bind */ - if ( lc->bound && ber_bvcmp(ndn, &lc->local_dn ) ) { - int err; + if ( lc->bound && !bvmatch(&op->o_req_ndn, &lc->local_dn ) ) { + int lerr; + ldap_pvt_thread_mutex_lock( &li->conn_mutex ); - lc = avl_delete( &li->conntree, (caddr_t)lc, ldap_back_conn_cmp ); + lc = avl_delete( &li->conntree, (caddr_t)lc, + ldap_back_conn_cmp ); if ( lc->local_dn.bv_val ) ch_free( lc->local_dn.bv_val ); - ber_dupbv( &lc->local_dn, ndn ); - err = avl_insert( &li->conntree, (caddr_t)lc, + ber_dupbv( &lc->local_dn, &op->o_req_ndn ); + lerr = avl_insert( &li->conntree, (caddr_t)lc, ldap_back_conn_cmp, ldap_back_conn_dup ); ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); - if ( err == -1 ) { + if ( lerr == -1 ) { ldap_back_conn_free( lc ); } } + if ( mdn.bv_val && mdn.bv_val != op->o_req_dn.bv_val ) { + free( mdn.bv_val ); + } + return( rc ); } @@ -174,7 +149,7 @@ ldap_back_conn_cmp( /* For shared sessions, conn is NULL. Only explicitly * bound sessions will have non-NULL conn. */ - return lc1->conn - lc2->conn; + return SLAP_PTRCMP(lc1->conn, lc2->conn); } /* @@ -214,7 +189,8 @@ static void ravl_print( Avlnode *root, int depth ) printf( " " ); lc = root->avl_data; - printf( "lc(%lx) local(%s) conn(%lx) %d\n", lc, lc->local_dn.bv_val, lc->conn, root->avl_bf ); + printf( "lc(%lx) local(%s) conn(%lx) %d\n", + lc, lc->local_dn.bv_val, lc->conn, root->avl_bf ); ravl_print( root->avl_left, depth+1 ); } @@ -234,8 +210,9 @@ static void myprint( Avlnode *root ) #endif /* PRINT_CONNTREE */ struct ldapconn * -ldap_back_getconn(struct ldapinfo *li, Connection *conn, Operation *op) +ldap_back_getconn(Operation *op, SlapReply *rs) { + struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; struct ldapconn *lc, lc_curr; LDAP *ld; int is_priv = 0; @@ -243,19 +220,23 @@ ldap_back_getconn(struct ldapinfo *li, Connection *conn, Operation *op) /* Searches for a ldapconn in the avl tree */ /* Explicit binds must not be shared */ - if ( op->o_tag == LDAP_REQ_BIND ) { - lc_curr.conn = conn; + if ( op->o_tag == LDAP_REQ_BIND + || (op->o_conn + && (op->o_bd == op->o_conn->c_authz_backend ))) { + lc_curr.conn = op->o_conn; } else { lc_curr.conn = NULL; } - /* Internal searches are privileged. So is root. */ + /* Internal searches are privileged and shared. So is root. */ if ( op->o_do_not_cache || be_isroot( li->be, &op->o_ndn ) ) { lc_curr.local_dn = li->be->be_rootndn; + lc_curr.conn = NULL; is_priv = 1; } else { lc_curr.local_dn = op->o_ndn; } + ldap_pvt_thread_mutex_lock( &li->conn_mutex ); lc = (struct ldapconn *)avl_find( li->conntree, (caddr_t)&lc_curr, ldap_back_conn_cmp ); @@ -263,106 +244,89 @@ ldap_back_getconn(struct ldapinfo *li, Connection *conn, Operation *op) /* Looks like we didn't get a bind. Open a new session... */ if (!lc) { - int vers = conn->c_protocol; - int err = ldap_initialize(&ld, li->url); + int vers = op->o_protocol; + rs->sr_err = ldap_initialize(&ld, li->url); - if (err != LDAP_SUCCESS) { - err = ldap_back_map_result(err); - send_ldap_result( conn, op, err, - NULL, "ldap_initialize() failed", NULL, NULL ); + if (rs->sr_err != LDAP_SUCCESS) { + rs->sr_err = ldap_back_map_result(rs); + if (rs->sr_text == NULL) { + rs->sr_text = "ldap_initialize() failed"; + } + if (op->o_conn) send_ldap_result( op, rs ); + rs->sr_text = NULL; return( NULL ); } /* Set LDAP version. This will always succeed: If the client * bound with a particular version, then so can we. */ - ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &vers); + ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, + (const void *)&vers); + /* FIXME: configurable? */ + ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON); lc = (struct ldapconn *)ch_malloc(sizeof(struct ldapconn)); lc->conn = lc_curr.conn; lc->ld = ld; ber_dupbv( &lc->local_dn, &lc_curr.local_dn ); - if ( is_priv ) { - ber_str2bv( li->bindpw, 0, 1, &lc->cred ); - } else { - lc->cred.bv_len = 0; - lc->cred.bv_val = NULL; - } - - ldap_pvt_thread_mutex_init( &lc->lc_mutex ); - #ifdef ENABLE_REWRITE /* * Sets a cookie for the rewrite session + * + * FIXME: the o_conn might be no longer valid, + * since we may have different entries + * for the same connection */ - ( void )rewrite_session_init( li->rwinfo, conn ); + ( void )rewrite_session_init( li->rwmap.rwm_rw, op->o_conn ); #endif /* ENABLE_REWRITE */ - if ( conn->c_dn.bv_len != 0 ) { - - /* - * Rewrite the bind dn if needed - */ -#ifdef ENABLE_REWRITE + ldap_pvt_thread_mutex_init( &lc->lc_mutex ); + + if ( is_priv ) { + ber_dupbv( &lc->cred, &li->bindpw ); + ber_dupbv( &lc->bound_dn, &li->binddn ); + } else { + lc->cred.bv_len = 0; + lc->cred.bv_val = NULL; lc->bound_dn.bv_val = NULL; lc->bound_dn.bv_len = 0; - switch ( rewrite_session( li->rwinfo, "bindDn", - conn->c_dn.bv_val, conn, - &lc->bound_dn.bv_val ) ) { - case REWRITE_REGEXEC_OK: - if ( lc->bound_dn.bv_val == NULL ) { - ber_dupbv( &lc->bound_dn, - &conn->c_dn ); - } -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDAP, DETAIL1, - "[rw] bindDn: \"%s\" ->" - " \"%s\"\n%s", - conn->c_dn.bv_val, - lc->bound_dn.bv_val, "" ); -#else /* !NEW_LOGGING */ - Debug( LDAP_DEBUG_ARGS, - "rw> bindDn: \"%s\" ->" - " \"%s\"\n%s", - conn->c_dn.bv_val, - lc->bound_dn.bv_val, "" ); -#endif /* !NEW_LOGGING */ - break; - - case REWRITE_REGEXEC_UNWILLING: - send_ldap_result( conn, op, - LDAP_UNWILLING_TO_PERFORM, - NULL, "Operation not allowed", - NULL, NULL ); - return( NULL ); + if ( op->o_conn && op->o_conn->c_dn.bv_len != 0 + && ( op->o_bd == op->o_conn->c_authz_backend ) ) { - case REWRITE_REGEXEC_ERR: - send_ldap_result( conn, op, - LDAP_OTHER, - NULL, "Rewrite error", - NULL, NULL ); - return( NULL ); - } + dncookie dc; + struct berval bv; -#else /* !ENABLE_REWRITE */ - struct berval bv; - ldap_back_dn_massage( li, &conn->c_dn, &bv, 0, 1 ); - if ( bv.bv_val == conn->c_dn.bv_val ) { - ber_dupbv( &lc->bound_dn, &bv ); - } else { - lc->bound_dn = bv; - } -#endif /* !ENABLE_REWRITE */ + /* + * Rewrite the bind dn if needed + */ + dc.rwmap = &li->rwmap; +#ifdef ENABLE_REWRITE + dc.conn = op->o_conn; + dc.rs = rs; + dc.ctx = "bindDN"; +#else + dc.tofrom = 1; + dc.normalized = 0; +#endif + + if ( ldap_back_dn_massage( &dc, &op->o_conn->c_dn, &bv ) ) { + send_ldap_result( op, rs ); + return NULL; + } - } else { - lc->bound_dn.bv_val = NULL; - lc->bound_dn.bv_len = 0; + if ( bv.bv_val == op->o_conn->c_dn.bv_val ) { + ber_dupbv( &lc->bound_dn, &bv ); + } else { + lc->bound_dn = bv; + } + } } + lc->bound = 0; /* Inserts the newly created ldapconn in the avl tree */ ldap_pvt_thread_mutex_lock( &li->conn_mutex ); - err = avl_insert( &li->conntree, (caddr_t)lc, + rs->sr_err = avl_insert( &li->conntree, (caddr_t)lc, ldap_back_conn_cmp, ldap_back_conn_dup ); #if PRINT_CONNTREE > 0 @@ -373,29 +337,29 @@ ldap_back_getconn(struct ldapinfo *li, Connection *conn, Operation *op) #ifdef NEW_LOGGING LDAP_LOG( BACK_LDAP, INFO, - "ldap_back_getconn: conn %lx inserted\n", lc, 0, 0); + "ldap_back_getconn: conn %p inserted\n", (void *) lc, 0, 0); #else /* !NEW_LOGGING */ Debug( LDAP_DEBUG_TRACE, - "=>ldap_back_getconn: conn %lx inserted\n%s%s", - lc, "", "" ); + "=>ldap_back_getconn: conn %p inserted\n", (void *) lc, 0, 0 ); #endif /* !NEW_LOGGING */ /* Err could be -1 in case a duplicate ldapconn is inserted */ - if ( err != 0 ) { + if ( rs->sr_err != 0 ) { ldap_back_conn_free( lc ); - send_ldap_result( conn, op, LDAP_OTHER, - NULL, "internal server error", NULL, NULL ); + if (op->o_conn) { + send_ldap_error( op, rs, LDAP_OTHER, + "internal server error" ); + } return( NULL ); } } else { #ifdef NEW_LOGGING LDAP_LOG( BACK_LDAP, INFO, - "ldap_back_getconn: conn %lx fetched\n", - lc, 0, 0 ); + "ldap_back_getconn: conn %p fetched\n", + (void *) lc, 0, 0 ); #else /* !NEW_LOGGING */ Debug( LDAP_DEBUG_TRACE, - "=>ldap_back_getconn: conn %lx fetched%s%s\n", - lc, "", "" ); + "=>ldap_back_getconn: conn %p fetched\n", (void *) lc, 0, 0 ); #endif /* !NEW_LOGGING */ } @@ -410,16 +374,54 @@ ldap_back_getconn(struct ldapinfo *li, Connection *conn, Operation *op) * it can be used to simplify the check. */ int -ldap_back_dobind( struct ldapconn *lc, Connection *conn, Operation *op ) +ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs ) { + struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; int rc; ber_int_t msgid; ldap_pvt_thread_mutex_lock( &lc->lc_mutex ); if ( !lc->bound ) { - rc = ldap_sasl_bind(lc->ld, lc->bound_dn.bv_val, - LDAP_SASL_SIMPLE, &lc->cred, NULL, NULL, &msgid); - rc = ldap_back_op_result( lc, conn, op, msgid, rc ); +#ifdef LDAP_BACK_PROXY_AUTHZ + int gotit = 0; +#if 0 + /* + * FIXME: we need to let clients use proxyAuthz + * otherwise we cannot do symmetric pools of servers; + * we have to live with the fact that a user can + * authorize itself as any ID that is allowed + * by the saslAuthzTo directive of the "proxyauthzdn". + */ + /* + * NOTE: current Proxy Authorization specification + * and implementation do not allow proxy authorization + * control to be provided with Bind requests + */ + gotit = op->o_proxy_authz; +#endif + + /* + * if no bind took place yet, but the connection is bound + * and the "proxyauthzdn" is set, then bind as + * "proxyauthzdn" and explicitly add the proxyAuthz + * control to every operation with the dn bound + * to the connection as control value. + */ + if ( ( lc->bound_dn.bv_val == NULL || lc->bound_dn.bv_len == 0 ) + && ( op->o_conn && op->o_conn->c_dn.bv_val != NULL && op->o_conn->c_dn.bv_len != 0 ) + && ( li->proxyauthzdn.bv_val != NULL && li->proxyauthzdn.bv_len != 0 ) + && ! gotit ) { + rs->sr_err = ldap_sasl_bind(lc->ld, li->proxyauthzdn.bv_val, + LDAP_SASL_SIMPLE, &li->proxyauthzpw, NULL, NULL, &msgid); + + } else +#endif /* LDAP_BACK_PROXY_AUTHZ */ + { + rs->sr_err = ldap_sasl_bind(lc->ld, lc->bound_dn.bv_val, + LDAP_SASL_SIMPLE, &lc->cred, NULL, NULL, &msgid); + } + + rc = ldap_back_op_result( lc, op, rs, msgid, 0 ); if (rc == LDAP_SUCCESS) { lc->bound = 1; } @@ -447,9 +449,9 @@ ldap_back_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request, /* Map API errors to protocol errors... */ int -ldap_back_map_result(int err) +ldap_back_map_result(SlapReply *rs) { - switch(err) + switch(rs->sr_err) { case LDAP_SERVER_DOWN: return LDAP_UNAVAILABLE; @@ -463,8 +465,10 @@ ldap_back_map_result(int err) case LDAP_AUTH_UNKNOWN: return LDAP_AUTH_METHOD_NOT_SUPPORTED; case LDAP_FILTER_ERROR: + rs->sr_text = "Filter error"; return LDAP_OTHER; case LDAP_USER_CANCELLED: + rs->sr_text = "User cancelled"; return LDAP_OTHER; case LDAP_PARAM_ERROR: return LDAP_PROTOCOL_ERROR; @@ -479,64 +483,166 @@ ldap_back_map_result(int err) case LDAP_NO_RESULTS_RETURNED: return LDAP_NO_SUCH_OBJECT; case LDAP_MORE_RESULTS_TO_RETURN: + rs->sr_text = "More results to return"; return LDAP_OTHER; case LDAP_CLIENT_LOOP: case LDAP_REFERRAL_LIMIT_EXCEEDED: return LDAP_LOOP_DETECT; default: - if LDAP_API_ERROR(err) + if LDAP_API_ERROR(rs->sr_err) return LDAP_OTHER; else - return err; + return rs->sr_err; } } int -ldap_back_op_result(struct ldapconn *lc, Connection *conn, Operation *op, - ber_int_t msgid, int err) +ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs, + ber_int_t msgid, int sendok) { - char *msg = NULL; + struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; char *match = NULL; LDAPMessage *res; - int rc; + char *text = NULL; + + rs->sr_text = NULL; + rs->sr_matched = NULL; - if (err == LDAP_SUCCESS) { - if (ldap_result(lc->ld, msgid, 0, NULL, &res) == -1) { - ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, &err); + if (rs->sr_err == LDAP_SUCCESS) { + if (ldap_result(lc->ld, msgid, 1, NULL, &res) == -1) { + ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, + &rs->sr_err); } else { - rc = ldap_parse_result(lc->ld, res, &err, &match, - &msg, NULL, NULL, 1); - if (rc != LDAP_SUCCESS) err = rc; + int rc = ldap_parse_result(lc->ld, res, &rs->sr_err, + &match, &text, NULL, NULL, 1); + rs->sr_text = text; + if (rc != LDAP_SUCCESS) rs->sr_err = rc; } } - err = ldap_back_map_result(err); - /* internal ops must not reply to client */ - if ( !conn || op->o_do_not_cache ) goto quiet; + if (rs->sr_err != LDAP_SUCCESS) { + rs->sr_err = ldap_back_map_result(rs); + /* internal ops must not reply to client */ + if ( op->o_conn && !op->o_do_not_cache && match ) { + struct berval dn, mdn; + dncookie dc; + + dc.rwmap = &li->rwmap; #ifdef ENABLE_REWRITE - - /* - * FIXME: need rewrite info for match; mmmh ... - */ - send_ldap_result( conn, op, err, match, msg, NULL, NULL ); - /* better test the pointers before freeing? */ + dc.conn = op->o_conn; + dc.rs = rs; + dc.ctx = "matchedDN"; +#else + dc.tofrom = 0; + dc.normalized = 0; +#endif + ber_str2bv(match, 0, 0, &dn); + ldap_back_dn_massage(&dc, &dn, &mdn); + rs->sr_matched = mdn.bv_val; + + } + } + if (op->o_conn && (sendok || rs->sr_err != LDAP_SUCCESS)) { + send_ldap_result( op, rs ); + } if ( match ) { - free( match ); + if ( rs->sr_matched != match ) { + free( (char *)rs->sr_matched ); + } + rs->sr_matched = NULL; + ldap_memfree( match ); + } + if ( text ) { + ldap_memfree( text ); } + rs->sr_text = NULL; + return( (rs->sr_err == LDAP_SUCCESS) ? 0 : -1 ); +} -#else /* !ENABLE_REWRITE */ +#ifdef LDAP_BACK_PROXY_AUTHZ +/* + * ldap_back_proxy_authz_ctrl() prepends a proxyAuthz control + * to existing server-side controls if required; if not, + * the existing server-side controls are placed in *pctrls. + * The caller, after using the controls in client API + * operations, if ( *pctrls != op->o_ctrls ), should + * free( (*pctrls)[ 0 ] ) and free( *pctrls ). + * The function returns success if the control could + * be added if required, or if it did nothing; in the future, + * it might return some error if it failed. + * + * if no bind took place yet, but the connection is bound + * and the "proxyauthzdn" is set, then bind as "proxyauthzdn" + * and explicitly add proxyAuthz the control to every operation + * with the dn bound to the connection as control value. + * + * If no server-side controls are defined for the operation, + * simply add the proxyAuthz control; otherwise, if the + * proxyAuthz control is not already set, add it as + * the first one (FIXME: is controls order significant + * for security?). + */ +int +ldap_back_proxy_authz_ctrl( + struct ldapconn *lc, + Operation *op, + SlapReply *rs, + LDAPControl ***pctrls ) +{ + struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private; + LDAPControl **ctrls = NULL; - send_ldap_result( conn, op, err, match, msg, NULL, NULL ); - /* better test the pointers before freeing? */ - if ( match ) { - free( match ); + *pctrls = NULL; + + if ( ( lc->bound_dn.bv_val == NULL || lc->bound_dn.bv_len == 0 ) + && ( op->o_conn && op->o_conn->c_dn.bv_val != NULL && op->o_conn->c_dn.bv_len != 0 ) + && ( li->proxyauthzdn.bv_val != NULL && li->proxyauthzdn.bv_len != 0 ) ) { + int i = 0; + + if ( !op->o_proxy_authz ) { + ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) ); + ctrls[ 0 ] = ch_malloc( sizeof( LDAPControl ) ); + + ctrls[ 0 ]->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; + ctrls[ 0 ]->ldctl_iscritical = 1; + ctrls[ 0 ]->ldctl_value.bv_len = op->o_conn->c_dn.bv_len + 3; + ctrls[ 0 ]->ldctl_value.bv_val = ch_malloc( ctrls[ 0 ]->ldctl_value.bv_len + 1 ); + AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val, "dn:", sizeof( "dn:" ) - 1 ); + AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val + sizeof( "dn:") - 1, + op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len + 1 ); + + if ( op->o_ctrls ) { + for ( i = 0; op->o_ctrls[ i ]; i++ ) { + ctrls[ i + 1 ] = op->o_ctrls[ i ]; + } + } + ctrls[ i + 1 ] = NULL; + + } else { + /* + * FIXME: we do not want to perform proxyAuthz + * on behalf of the client, because this would + * be performed with "proxyauthzdn" privileges. + * + * This might actually be too strict, since + * the "proxyauthzdn" saslAuthzTo, and each entry's + * saslAuthzFrom attributes may be crafted + * to avoid unwanted proxyAuthz to take place. + */ +#if 0 + rs->sr_err = LDAP_UNWILLING_TO_PERFORM; + rs->sr_text = "proxyAuthz not allowed within namingContext"; +#endif + } } -#endif /* !ENABLE_REWRITE */ + if ( ctrls == NULL ) { + ctrls = op->o_ctrls; + } - if ( msg ) free( msg ); -quiet: - return( (err==LDAP_SUCCESS) ? 0 : -1 ); + *pctrls = ctrls; + + return rs->sr_err; } - +#endif /* LDAP_BACK_PROXY_AUTHZ */