X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fback-ldap%2Fbind.c;h=630e627d9cc8b06e914776bfd05b014ad7a88cb7;hb=fb2e448e877a8a387084dde517362c9f7bf1b6b7;hp=d408252bce72f563ccfafc9291f5fbc8dddd0d41;hpb=1ab4c624ed272554c84092f8ceb03219ed1b1dcf;p=openldap diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c index d408252bce..630e627d9c 100644 --- a/servers/slapd/back-ldap/bind.c +++ b/servers/slapd/back-ldap/bind.c @@ -2,7 +2,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 1999-2006 The OpenLDAP Foundation. + * Copyright 1999-2007 The OpenLDAP Foundation. * Portions Copyright 2000-2003 Pierangelo Masarati. * Portions Copyright 1999-2003 Howard Chu. * All rights reserved. @@ -32,18 +32,16 @@ #define AVL_INTERNAL #include "slap.h" #include "back-ldap.h" +#undef ldap_debug /* silence a warning in ldap-int.h */ +#include "../../../libraries/libldap/ldap-int.h" #include "lutil_ldap.h" -#ifndef PRINT_CONNTREE -#define PRINT_CONNTREE 0 -#endif /* !PRINT_CONNTREE */ - #define LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ "2.16.840.1.113730.3.4.12" -#if PRINT_CONNTREE > 0 +#if LDAP_BACK_PRINT_CONNTREE > 0 static void -ravl_print( Avlnode *root, int depth ) +ldap_back_ravl_print( Avlnode *root, int depth ) { int i; ldapconn_t *lc; @@ -52,86 +50,179 @@ ravl_print( Avlnode *root, int depth ) return; } - ravl_print( root->avl_right, depth+1 ); + ldap_back_ravl_print( root->avl_right, depth+1 ); for ( i = 0; i < depth; i++ ) { fprintf( stderr, "-" ); } lc = root->avl_data; - fprintf( stderr, "lc=%p local=\"%s\" conn=%p %s refcnt=%d\n", + fprintf( stderr, "lc=%p local=\"%s\" conn=%p %s refcnt=%d flags=0x%08x\n", (void *)lc, lc->lc_local_ndn.bv_val ? lc->lc_local_ndn.bv_val : "", (void *)lc->lc_conn, - avl_bf2str( root->avl_bf ), lc->lc_refcnt ); + avl_bf2str( root->avl_bf ), lc->lc_refcnt, lc->lc_lcflags ); - ravl_print( root->avl_left, depth+1 ); + ldap_back_ravl_print( root->avl_left, depth+1 ); } -static void -myprint( Avlnode *root, char *msg ) +static char* priv2str[] = { + "privileged", + "privileged/TLS", + "anonymous", + "anonymous/TLS", + "bind", + "bind/TLS", + NULL +}; + +void +ldap_back_print_conntree( ldapinfo_t *li, char *msg ) { + int c; + fprintf( stderr, "========> %s\n", msg ); + + for ( c = LDAP_BACK_PCONN_FIRST; c < LDAP_BACK_PCONN_LAST; c++ ) { + int i = 0; + ldapconn_t *lc; + + fprintf( stderr, " %s[%d]\n", priv2str[ c ], li->li_conn_priv[ c ].lic_num ); + + LDAP_TAILQ_FOREACH( lc, &li->li_conn_priv[ c ].lic_priv, lc_q ) + { + fprintf( stderr, " [%d] lc=%p local=\"%s\" conn=%p refcnt=%d flags=0x%08x\n", + i, + (void *)lc, + lc->lc_local_ndn.bv_val ? lc->lc_local_ndn.bv_val : "", + (void *)lc->lc_conn, lc->lc_refcnt, lc->lc_lcflags ); + i++; + } + } - if ( root == 0 ) { - fprintf( stderr, "\tNULL\n" ); + if ( li->li_conninfo.lai_tree == 0 ) { + fprintf( stderr, "\t(empty)\n" ); } else { - ravl_print( root, 0 ); + ldap_back_ravl_print( li->li_conninfo.lai_tree, 0 ); } fprintf( stderr, "<======== %s\n", msg ); } -#endif /* PRINT_CONNTREE */ +#endif /* LDAP_BACK_PRINT_CONNTREE */ + +static int +ldap_back_freeconn( ldapinfo_t *li, ldapconn_t *lc, int dolock ); + +static ldapconn_t * +ldap_back_getconn( Operation *op, SlapReply *rs, ldap_back_send_t sendok, + struct berval *binddn, struct berval *bindcred ); static int -ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok ); +ldap_back_is_proxy_authz( Operation *op, SlapReply *rs, ldap_back_send_t sendok, + struct berval *binddn, struct berval *bindcred ); static int -ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok ); +ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, + ldap_back_send_t sendok, struct berval *binddn, struct berval *bindcred ); + +static int +ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, + ldap_back_send_t sendok ); static int ldap_back_conndnlc_cmp( const void *c1, const void *c2 ); +ldapconn_t * +ldap_back_conn_delete( ldapinfo_t *li, ldapconn_t *lc ) +{ + if ( LDAP_BACK_PCONN_ISPRIV( lc ) ) { + if ( LDAP_BACK_CONN_CACHED( lc ) ) { + assert( lc->lc_q.tqe_prev != NULL ); + assert( li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_num > 0 ); + li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_num--; + LDAP_TAILQ_REMOVE( &li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_priv, lc, lc_q ); + LDAP_TAILQ_ENTRY_INIT( lc, lc_q ); + LDAP_BACK_CONN_CACHED_CLEAR( lc ); + + } else { + assert( LDAP_BACK_CONN_TAINTED( lc ) ); + assert( lc->lc_q.tqe_prev == NULL ); + } + + } else { + ldapconn_t *tmplc = NULL; + + if ( LDAP_BACK_CONN_CACHED( lc ) ) { + assert( !LDAP_BACK_CONN_TAINTED( lc ) ); + tmplc = avl_delete( &li->li_conninfo.lai_tree, (caddr_t)lc, + ldap_back_conndnlc_cmp ); + assert( tmplc == lc ); + LDAP_BACK_CONN_CACHED_CLEAR( lc ); + } + + assert( LDAP_BACK_CONN_TAINTED( lc ) || tmplc == lc ); + } + + return lc; +} + int ldap_back_bind( Operation *op, SlapReply *rs ) { - ldapinfo_t *li = (ldapinfo_t *) op->o_bd->be_private; - ldapconn_t *lc; + ldapinfo_t *li = (ldapinfo_t *) op->o_bd->be_private; + ldapconn_t *lc; - int rc = 0; - ber_int_t msgid; + int rc = 0; + ber_int_t msgid; + ldap_back_send_t retrying = LDAP_BACK_RETRYING; - lc = ldap_back_getconn( op, rs, LDAP_BACK_BIND_SERR ); + lc = ldap_back_getconn( op, rs, LDAP_BACK_BIND_SERR, NULL, NULL ); if ( !lc ) { return rs->sr_err; } + /* we can do (almost) whatever we want with this conn, + * because either it's temporary, or it's marked as binding */ if ( !BER_BVISNULL( &lc->lc_bound_ndn ) ) { ch_free( lc->lc_bound_ndn.bv_val ); BER_BVZERO( &lc->lc_bound_ndn ); } + if ( !BER_BVISNULL( &lc->lc_cred ) ) { + memset( lc->lc_cred.bv_val, 0, lc->lc_cred.bv_len ); + ch_free( lc->lc_cred.bv_val ); + BER_BVZERO( &lc->lc_cred ); + } LDAP_BACK_CONN_ISBOUND_CLEAR( lc ); +retry:; /* method is always LDAP_AUTH_SIMPLE if we got here */ rs->sr_err = ldap_sasl_bind( lc->lc_ld, op->o_req_dn.bv_val, LDAP_SASL_SIMPLE, &op->orb_cred, op->o_ctrls, NULL, &msgid ); + /* FIXME: should we always retry, or only when piping the bind + * in the "override" connection pool? */ rc = ldap_back_op_result( lc, op, rs, msgid, li->li_timeout[ SLAP_OP_BIND ], - LDAP_BACK_BIND_SERR ); + LDAP_BACK_BIND_SERR | retrying ); + if ( rc == LDAP_UNAVAILABLE && retrying ) { + retrying &= ~LDAP_BACK_RETRYING; + if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_BIND_SERR ) ) { + goto retry; + } + } + if ( rc == LDAP_SUCCESS ) { /* If defined, proxyAuthz will be used also when * back-ldap is the authorizing backend; for this - * purpose, a successful bind is followed by a - * bind with the configured identity assertion */ + * purpose, after a successful bind the connection + * is left for further binds, and further operations + * on this client connection will use a default + * connection with identity assertion */ /* NOTE: use with care */ if ( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) { - ldap_back_proxy_authz_bind( lc, op, rs, LDAP_BACK_SENDERR ); - if ( !LDAP_BACK_CONN_ISBOUND( lc ) ) { - rc = 1; - } - goto done; + ldap_back_release_conn( li, lc ); + return( rc ); } /* rebind is now done inside ldap_back_proxy_authz_bind() @@ -139,24 +230,24 @@ ldap_back_bind( Operation *op, SlapReply *rs ) LDAP_BACK_CONN_ISBOUND_SET( lc ); ber_dupbv( &lc->lc_bound_ndn, &op->o_req_ndn ); + if ( !BER_BVISNULL( &lc->lc_cred ) ) { + memset( lc->lc_cred.bv_val, 0, + lc->lc_cred.bv_len ); + } + if ( LDAP_BACK_SAVECRED( li ) ) { - if ( !BER_BVISNULL( &lc->lc_cred ) ) { - memset( lc->lc_cred.bv_val, 0, - lc->lc_cred.bv_len ); - } ber_bvreplace( &lc->lc_cred, &op->orb_cred ); ldap_set_rebind_proc( lc->lc_ld, li->li_rebind_f, lc ); + + } else { + lc->lc_cred.bv_len = 0; } } -done:; - - assert( lc->lc_binding == 1 ); - lc->lc_binding = 0; /* must re-insert if local DN changed as result of bind */ if ( !LDAP_BACK_CONN_ISBOUND( lc ) - || ( LDAP_BACK_CONN_ISBOUND( lc ) - && !dn_match( &op->o_req_ndn, &lc->lc_local_ndn ) ) ) + || ( !dn_match( &op->o_req_ndn, &lc->lc_local_ndn ) + && !LDAP_BACK_PCONN_ISPRIV( lc ) ) ) { int lerr = -1; ldapconn_t *tmplc; @@ -170,10 +261,12 @@ retry_lock:; goto retry_lock; } +#if LDAP_BACK_PRINT_CONNTREE > 0 + ldap_back_print_conntree( li, ">>> ldap_back_bind" ); +#endif /* LDAP_BACK_PRINT_CONNTREE */ + assert( lc->lc_refcnt == 1 ); - tmplc = avl_delete( &li->li_conninfo.lai_tree, (caddr_t)lc, - ldap_back_conndnlc_cmp ); - assert( tmplc == NULL || lc == tmplc ); + ldap_back_conn_delete( li, lc ); /* delete all cached connections with the current connection */ if ( LDAP_BACK_SINGLECONN( li ) ) { @@ -181,11 +274,12 @@ retry_lock:; { Debug( LDAP_DEBUG_TRACE, "=>ldap_back_bind: destroying conn %ld (refcnt=%u)\n", - LDAP_BACK_PCONN_ID( lc->lc_conn ), lc->lc_refcnt, 0 ); + LDAP_BACK_PCONN_ID( lc ), lc->lc_refcnt, 0 ); if ( tmplc->lc_refcnt != 0 ) { /* taint it */ LDAP_BACK_CONN_TAINTED_SET( tmplc ); + LDAP_BACK_CONN_CACHED_CLEAR( tmplc ); } else { /* @@ -201,19 +295,20 @@ retry_lock:; if ( LDAP_BACK_CONN_ISBOUND( lc ) ) { ber_bvreplace( &lc->lc_local_ndn, &op->o_req_ndn ); if ( be_isroot_dn( op->o_bd, &op->o_req_ndn ) ) { - lc->lc_conn = LDAP_BACK_PCONN_SET( op ); + LDAP_BACK_PCONN_ROOTDN_SET( lc, op ); } lerr = avl_insert( &li->li_conninfo.lai_tree, (caddr_t)lc, ldap_back_conndn_cmp, ldap_back_conndn_dup ); } -#if PRINT_CONNTREE > 0 - myprint( li->li_conninfo.lai_tree, "ldap_back_bind" ); -#endif /* PRINT_CONNTREE */ +#if LDAP_BACK_PRINT_CONNTREE > 0 + ldap_back_print_conntree( li, "<<< ldap_back_bind" ); +#endif /* LDAP_BACK_PRINT_CONNTREE */ ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); switch ( lerr ) { case 0: + LDAP_BACK_CONN_CACHED_SET( lc ); break; case -1: @@ -226,7 +321,7 @@ retry_lock:; } if ( lc != NULL ) { - ldap_back_release_conn( op, rs, lc ); + ldap_back_release_conn( li, lc ); } return( rc ); @@ -327,23 +422,27 @@ ldap_back_conndn_dup( void *c1, void *c2 ) return 0; } -int -ldap_back_freeconn( Operation *op, ldapconn_t *lc, int dolock ) +static int +ldap_back_freeconn( ldapinfo_t *li, ldapconn_t *lc, int dolock ) { - ldapinfo_t *li = (ldapinfo_t *) op->o_bd->be_private; - ldapconn_t *tmplc; - if ( dolock ) { ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex ); } - tmplc = avl_delete( &li->li_conninfo.lai_tree, (caddr_t)lc, - ldap_back_conndnlc_cmp ); - assert( LDAP_BACK_CONN_TAINTED( lc ) || tmplc == lc ); +#if LDAP_BACK_PRINT_CONNTREE > 0 + ldap_back_print_conntree( li, ">>> ldap_back_freeconn" ); +#endif /* LDAP_BACK_PRINT_CONNTREE */ + + (void)ldap_back_conn_delete( li, lc ); + if ( lc->lc_refcnt == 0 ) { ldap_back_conn_free( (void *)lc ); } +#if LDAP_BACK_PRINT_CONNTREE > 0 + ldap_back_print_conntree( li, "<<< ldap_back_freeconn" ); +#endif /* LDAP_BACK_PRINT_CONNTREE */ + if ( dolock ) { ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); } @@ -363,13 +462,9 @@ ldap_back_start_tls( const char **text ) { int rc = LDAP_SUCCESS; - ldapinfo_t dummy; - - /* this is ridiculous... */ - dummy.li_flags = flags; /* start TLS ("tls-[try-]{start,propagate}" statements) */ - if ( ( LDAP_BACK_USE_TLS( &dummy ) || ( *is_tls && LDAP_BACK_PROPAGATE_TLS( &dummy ) ) ) + if ( ( LDAP_BACK_USE_TLS_F( flags ) || ( *is_tls && LDAP_BACK_PROPAGATE_TLS_F( flags ) ) ) && !ldap_is_ldaps_url( url ) ) { #ifdef SLAP_STARTTLS_ASYNCHRONOUS @@ -478,7 +573,7 @@ retry:; break; default: - if ( LDAP_BACK_TLS_CRITICAL( &dummy ) ) { + if ( LDAP_BACK_TLS_CRITICAL_F( flags ) ) { *text = "could not start TLS"; break; } @@ -498,17 +593,16 @@ retry:; #endif /* HAVE_TLS */ static int -ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) +ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) { ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; int version; LDAP *ld = NULL; #ifdef HAVE_TLS int is_tls = op->o_conn->c_is_tls; -#endif /* HAVE_TLS */ time_t lc_time = (time_t)(-1); - - assert( lcp != NULL ); + slap_bindconf *sb; +#endif /* HAVE_TLS */ ldap_pvt_thread_mutex_lock( &li->li_uri_mutex ); rs->sr_err = ldap_initialize( &ld, li->li_uri ); @@ -549,6 +643,22 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac } #ifdef HAVE_TLS + if ( LDAP_BACK_CONN_ISPRIV( lc ) ) { + sb = &li->li_acl; + + } else if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) { + sb = &li->li_idassert.si_bc; + + } else { + sb = &li->li_tls; + } + + if ( sb->sb_tls_do_init ) { + bindconf_tls_set( sb, ld ); + } else if ( sb->sb_tls_ctx ) { + ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx ); + } + ldap_pvt_thread_mutex_lock( &li->li_uri_mutex ); rs->sr_err = ldap_back_start_tls( ld, op->o_protocol, &is_tls, li->li_uri, li->li_flags, li->li_nretries, &rs->sr_text ); @@ -563,21 +673,16 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac } #endif /* HAVE_TLS */ - if ( *lcp == NULL ) { - *lcp = (ldapconn_t *)ch_calloc( 1, sizeof( ldapconn_t ) ); - (*lcp)->lc_flags = li->li_flags; - } - (*lcp)->lc_ld = ld; - (*lcp)->lc_refcnt = 1; - (*lcp)->lc_binding = 1; + lc->lc_ld = ld; + lc->lc_refcnt = 1; #ifdef HAVE_TLS if ( is_tls ) { - LDAP_BACK_CONN_ISTLS_SET( *lcp ); + LDAP_BACK_CONN_ISTLS_SET( lc ); } else { - LDAP_BACK_CONN_ISTLS_CLEAR( *lcp ); + LDAP_BACK_CONN_ISTLS_CLEAR( lc ); } if ( lc_time != (time_t)(-1) ) { - (*lcp)->lc_time = lc_time; + lc->lc_time = lc_time; } #endif /* HAVE_TLS */ @@ -594,20 +699,26 @@ error_return:; } else { if ( li->li_conn_ttl > 0 ) { - (*lcp)->lc_create_time = op->o_time; + lc->lc_create_time = op->o_time; } } return rs->sr_err; } -ldapconn_t * -ldap_back_getconn( Operation *op, SlapReply *rs, ldap_back_send_t sendok ) +static ldapconn_t * +ldap_back_getconn( + Operation *op, + SlapReply *rs, + ldap_back_send_t sendok, + struct berval *binddn, + struct berval *bindcred ) { ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; ldapconn_t *lc = NULL, lc_curr = { 0 }; - int refcnt = 1, binding = 1; + int refcnt = 1, + lookupconn = !( sendok & LDAP_BACK_BINDING ); /* if the server is quarantined, and * - the current interval did not expire yet, or @@ -617,19 +728,21 @@ ldap_back_getconn( Operation *op, SlapReply *rs, ldap_back_send_t sendok ) slap_retry_info_t *ri = &li->li_quarantine; int dont_retry = 1; - ldap_pvt_thread_mutex_lock( &li->li_quarantine_mutex ); - if ( li->li_isquarantined == LDAP_BACK_FQ_YES ) { - dont_retry = ( ri->ri_num[ ri->ri_idx ] == SLAP_RETRYNUM_TAIL - || slap_get_time() < ri->ri_last + ri->ri_interval[ ri->ri_idx ] ); - if ( !dont_retry ) { - Debug( LDAP_DEBUG_ANY, - "%s: ldap_back_getconn quarantine " - "retry block #%d try #%d.\n", - op->o_log_prefix, ri->ri_idx, ri->ri_count ); - li->li_isquarantined = LDAP_BACK_FQ_RETRYING; + if ( li->li_quarantine.ri_interval ) { + ldap_pvt_thread_mutex_lock( &li->li_quarantine_mutex ); + if ( li->li_isquarantined == LDAP_BACK_FQ_YES ) { + dont_retry = ( ri->ri_num[ ri->ri_idx ] == SLAP_RETRYNUM_TAIL + || slap_get_time() < ri->ri_last + ri->ri_interval[ ri->ri_idx ] ); + if ( !dont_retry ) { + Debug( LDAP_DEBUG_ANY, + "%s: ldap_back_getconn quarantine " + "retry block #%d try #%d.\n", + op->o_log_prefix, ri->ri_idx, ri->ri_count ); + li->li_isquarantined = LDAP_BACK_FQ_RETRYING; + } } + ldap_pvt_thread_mutex_unlock( &li->li_quarantine_mutex ); } - ldap_pvt_thread_mutex_unlock( &li->li_quarantine_mutex ); if ( dont_retry ) { rs->sr_err = LDAP_UNAVAILABLE; @@ -644,57 +757,176 @@ ldap_back_getconn( Operation *op, SlapReply *rs, ldap_back_send_t sendok ) if ( op->o_do_not_cache || be_isroot( op ) ) { LDAP_BACK_CONN_ISPRIV_SET( &lc_curr ); lc_curr.lc_local_ndn = op->o_bd->be_rootndn; - lc_curr.lc_conn = LDAP_BACK_PCONN_SET( op ); + LDAP_BACK_PCONN_ROOTDN_SET( &lc_curr, op ); } else { + struct berval tmpbinddn, + tmpbindcred, + save_o_dn, + save_o_ndn; + int isproxyauthz; + + /* need cleanup */ + if ( binddn == NULL ) { + binddn = &tmpbinddn; + } + if ( bindcred == NULL ) { + bindcred = &tmpbindcred; + } + if ( op->o_tag == LDAP_REQ_BIND ) { + save_o_dn = op->o_dn; + save_o_ndn = op->o_ndn; + op->o_dn = op->o_req_dn; + op->o_ndn = op->o_req_ndn; + } + isproxyauthz = ldap_back_is_proxy_authz( op, rs, sendok, binddn, bindcred ); + if ( isproxyauthz == -1 ) { + return NULL; + } + if ( op->o_tag == LDAP_REQ_BIND ) { + op->o_dn = save_o_dn; + op->o_ndn = save_o_ndn; + } + lc_curr.lc_local_ndn = op->o_ndn; - /* Explicit binds must not be shared */ - if ( op->o_tag == LDAP_REQ_BIND || SLAP_IS_AUTHZ_BACKEND( op ) ) { + /* Explicit binds must not be shared; + * however, explicit binds are piped in a special connection + * when idassert is to occur with "override" set */ + if ( op->o_tag == LDAP_REQ_BIND && !isproxyauthz ) { lc_curr.lc_conn = op->o_conn; - + } else { - lc_curr.lc_conn = LDAP_BACK_PCONN_SET( op ); + if ( isproxyauthz && !( sendok & LDAP_BACK_BINDING ) ) { + lc_curr.lc_local_ndn = *binddn; + LDAP_BACK_PCONN_ROOTDN_SET( &lc_curr, op ); + LDAP_BACK_CONN_ISIDASSERT_SET( &lc_curr ); + + } else if ( isproxyauthz && ( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) { + lc_curr.lc_local_ndn = slap_empty_bv; + LDAP_BACK_PCONN_BIND_SET( &lc_curr, op ); + LDAP_BACK_CONN_ISIDASSERT_SET( &lc_curr ); + lookupconn = 1; + + } else if ( SLAP_IS_AUTHZ_BACKEND( op ) ) { + lc_curr.lc_conn = op->o_conn; + + } else { + LDAP_BACK_PCONN_ANON_SET( &lc_curr, op ); + } } } /* Explicit Bind requests always get their own conn */ - if ( !( sendok & LDAP_BACK_BINDING ) ) { - /* Searches for a ldapconn in the avl tree */ + if ( lookupconn ) { retry_lock: ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex ); + if ( LDAP_BACK_PCONN_ISPRIV( &lc_curr ) ) { + /* lookup a conn that's not binding */ + LDAP_TAILQ_FOREACH( lc, + &li->li_conn_priv[ LDAP_BACK_CONN2PRIV( &lc_curr ) ].lic_priv, + lc_q ) + { + if ( !LDAP_BACK_CONN_BINDING( lc ) && lc->lc_refcnt == 0 ) { + break; + } + } + + if ( lc != NULL ) { + if ( lc != LDAP_TAILQ_LAST( &li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_priv, + ldapconn_t, lc_q ) ) + { + LDAP_TAILQ_REMOVE( &li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_priv, + lc, lc_q ); + LDAP_TAILQ_ENTRY_INIT( lc, lc_q ); + LDAP_TAILQ_INSERT_TAIL( &li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_priv, + lc, lc_q ); + } + + } else if ( !LDAP_BACK_USE_TEMPORARIES( li ) + && li->li_conn_priv[ LDAP_BACK_CONN2PRIV( &lc_curr ) ].lic_num == li->li_conn_priv_max ) + { + lc = LDAP_TAILQ_FIRST( &li->li_conn_priv[ LDAP_BACK_CONN2PRIV( &lc_curr ) ].lic_priv ); + } + + } else { + + /* Searches for a ldapconn in the avl tree */ + lc = (ldapconn_t *)avl_find( li->li_conninfo.lai_tree, + (caddr_t)&lc_curr, ldap_back_conndn_cmp ); + } - lc = (ldapconn_t *)avl_find( li->li_conninfo.lai_tree, - (caddr_t)&lc_curr, ldap_back_conndn_cmp ); if ( lc != NULL ) { /* Don't reuse connections while they're still binding */ if ( LDAP_BACK_CONN_BINDING( lc ) ) { - ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); - ldap_pvt_thread_yield(); - goto retry_lock; + if ( !LDAP_BACK_USE_TEMPORARIES( li ) ) { + ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); + + ldap_pvt_thread_yield(); + goto retry_lock; + } + lc = NULL; } - refcnt = ++lc->lc_refcnt; - binding = ++lc->lc_binding; + if ( lc != NULL ) { + if ( op->o_tag == LDAP_REQ_BIND ) { + /* right now, this is the only possible case */ + assert( ( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ); + LDAP_BACK_CONN_BINDING_SET( lc ); + } + + refcnt = ++lc->lc_refcnt; + } } ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); } /* Looks like we didn't get a bind. Open a new session... */ if ( lc == NULL ) { - if ( ldap_back_prepare_conn( &lc, op, rs, sendok ) != LDAP_SUCCESS ) { + lc = (ldapconn_t *)ch_calloc( 1, sizeof( ldapconn_t ) ); + lc->lc_flags = li->li_flags; + lc->lc_lcflags = lc_curr.lc_lcflags; + if ( ldap_back_prepare_conn( lc, op, rs, sendok ) != LDAP_SUCCESS ) { + ch_free( lc ); return NULL; } + if ( sendok & LDAP_BACK_BINDING ) { LDAP_BACK_CONN_BINDING_SET( lc ); } + lc->lc_conn = lc_curr.lc_conn; ber_dupbv( &lc->lc_local_ndn, &lc_curr.lc_local_ndn ); + /* + * the rationale is: connections as the rootdn are privileged, + * so acl_authcDN is to be used; however, in some cases + * one already configured identity assertion with a highly + * privileged idassert_authcDN, so if acl_authcDN is NULL + * and idassert_authcDN is not, use the second instead. + * + * might change in the future, because it's preferable + * to make clear what identity is being used, since + * the only drawback is that one risks to configure + * the same identity twice... + */ if ( LDAP_BACK_CONN_ISPRIV( &lc_curr ) ) { - ber_dupbv( &lc->lc_cred, &li->li_acl_passwd ); - ber_dupbv( &lc->lc_bound_ndn, &li->li_acl_authcDN ); + if ( BER_BVISNULL( &li->li_acl_authcDN ) && !BER_BVISNULL( &li->li_idassert_authcDN ) ) { + ber_dupbv( &lc->lc_bound_ndn, &li->li_idassert_authcDN ); + ber_dupbv( &lc->lc_cred, &li->li_idassert_passwd ); + + } else { + ber_dupbv( &lc->lc_bound_ndn, &li->li_acl_authcDN ); + ber_dupbv( &lc->lc_cred, &li->li_acl_passwd ); + } LDAP_BACK_CONN_ISPRIV_SET( lc ); + } else if ( LDAP_BACK_CONN_ISIDASSERT( &lc_curr ) ) { + if ( !LDAP_BACK_PCONN_ISBIND( &lc_curr ) ) { + ber_dupbv( &lc->lc_bound_ndn, &li->li_idassert_authcDN ); + ber_dupbv( &lc->lc_cred, &li->li_idassert_passwd ); + } + LDAP_BACK_CONN_ISIDASSERT_SET( lc ); + } else { BER_BVZERO( &lc->lc_cred ); BER_BVZERO( &lc->lc_bound_ndn ); @@ -710,18 +942,24 @@ retry_lock: * check if the non-TLS connection was already * in cache; in case, destroy the newly created * connection and use the existing one */ - if ( lc->lc_conn == LDAP_BACK_PCONN_TLS + if ( LDAP_BACK_PCONN_ISTLS( lc ) && !ldap_tls_inplace( lc->lc_ld ) ) { - ldapconn_t *tmplc; + ldapconn_t *tmplc = NULL; + int idx = LDAP_BACK_CONN2PRIV( &lc_curr ) - 1; - lc_curr.lc_conn = LDAP_BACK_PCONN; ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex ); - tmplc = (ldapconn_t *)avl_find( li->li_conninfo.lai_tree, - (caddr_t)&lc_curr, ldap_back_conndn_cmp ); + LDAP_TAILQ_FOREACH( tmplc, + &li->li_conn_priv[ idx ].lic_priv, + lc_q ) + { + if ( !LDAP_BACK_CONN_BINDING( tmplc ) ) { + break; + } + } + if ( tmplc != NULL ) { refcnt = ++tmplc->lc_refcnt; - binding = ++tmplc->lc_binding; ldap_back_conn_free( lc ); lc = tmplc; } @@ -733,53 +971,82 @@ retry_lock: } #endif /* HAVE_TLS */ - LDAP_BACK_CONN_ISBOUND_CLEAR( lc ); - /* Inserts the newly created ldapconn in the avl tree */ ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex ); + LDAP_BACK_CONN_ISBOUND_CLEAR( lc ); + assert( lc->lc_refcnt == 1 ); - assert( lc->lc_binding == 1 ); - rs->sr_err = avl_insert( &li->li_conninfo.lai_tree, (caddr_t)lc, - ldap_back_conndn_cmp, ldap_back_conndn_dup ); -#if PRINT_CONNTREE > 0 - myprint( li->li_conninfo.lai_tree, "ldap_back_getconn" ); -#endif /* PRINT_CONNTREE */ +#if LDAP_BACK_PRINT_CONNTREE > 0 + ldap_back_print_conntree( li, ">>> ldap_back_getconn(insert)" ); +#endif /* LDAP_BACK_PRINT_CONNTREE */ + + if ( LDAP_BACK_PCONN_ISPRIV( lc ) ) { + if ( li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_num < li->li_conn_priv_max ) { + LDAP_TAILQ_INSERT_TAIL( &li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_priv, lc, lc_q ); + li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_num++; + LDAP_BACK_CONN_CACHED_SET( lc ); + + } else { + LDAP_BACK_CONN_TAINTED_SET( lc ); + } + rs->sr_err = 0; + + } else { + rs->sr_err = avl_insert( &li->li_conninfo.lai_tree, (caddr_t)lc, + ldap_back_conndn_cmp, ldap_back_conndn_dup ); + LDAP_BACK_CONN_CACHED_SET( lc ); + } + +#if LDAP_BACK_PRINT_CONNTREE > 0 + ldap_back_print_conntree( li, "<<< ldap_back_getconn(insert)" ); +#endif /* LDAP_BACK_PRINT_CONNTREE */ ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); - Debug( LDAP_DEBUG_TRACE, - "=>ldap_back_getconn: conn %p inserted refcnt=%u binding=%u\n", - (void *)lc, refcnt, binding ); + if ( LogTest( LDAP_DEBUG_TRACE ) ) { + char buf[ SLAP_TEXT_BUFLEN ]; + + snprintf( buf, sizeof( buf ), + "lc=%p inserted refcnt=%u rc=%d", + (void *)lc, refcnt, rs->sr_err ); + + Debug( LDAP_DEBUG_TRACE, + "=>ldap_back_getconn: %s: %s\n", + op->o_log_prefix, buf, 0 ); + } - /* Err could be -1 in case a duplicate ldapconn is inserted */ - switch ( rs->sr_err ) { - case 0: - break; + if ( !LDAP_BACK_PCONN_ISPRIV( lc ) ) { + /* Err could be -1 in case a duplicate ldapconn is inserted */ + switch ( rs->sr_err ) { + case 0: + break; - case -1: - if ( !( sendok & LDAP_BACK_BINDING ) ) { - /* duplicate: free and try to get the newly created one */ - goto retry_lock; - } - /* taint connection, so that it'll be freed when released */ - ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex ); - (void *)avl_delete( &li->li_conninfo.lai_tree, (caddr_t)lc, - ldap_back_conndnlc_cmp ); - ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); - LDAP_BACK_CONN_TAINTED_SET( lc ); - break; + case -1: + LDAP_BACK_CONN_CACHED_CLEAR( lc ); + if ( !( sendok & LDAP_BACK_BINDING ) && !LDAP_BACK_USE_TEMPORARIES( li ) ) { + /* duplicate: free and try to get the newly created one */ + ldap_back_conn_free( lc ); + lc = NULL; + goto retry_lock; + } - default: - ldap_back_conn_free( lc ); - rs->sr_err = LDAP_OTHER; - rs->sr_text = "proxy bind collision"; - if ( op->o_conn && ( sendok & LDAP_BACK_SENDERR ) ) { - send_ldap_result( op, rs ); - rs->sr_text = NULL; + /* taint connection, so that it'll be freed when released */ + LDAP_BACK_CONN_TAINTED_SET( lc ); + break; + + default: + LDAP_BACK_CONN_CACHED_CLEAR( lc ); + ldap_back_conn_free( lc ); + rs->sr_err = LDAP_OTHER; + rs->sr_text = "proxy bind collision"; + if ( op->o_conn && ( sendok & LDAP_BACK_SENDERR ) ) { + send_ldap_result( op, rs ); + rs->sr_text = NULL; + } + return NULL; } - return NULL; } } else { @@ -793,18 +1060,27 @@ retry_lock: /* let it be used, but taint/delete it so that * no-one else can look it up any further */ ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex ); - (void *)avl_delete( &li->li_conninfo.lai_tree, (caddr_t)lc, - ldap_back_conndnlc_cmp ); - ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); + +#if LDAP_BACK_PRINT_CONNTREE > 0 + ldap_back_print_conntree( li, ">>> ldap_back_getconn(timeout)" ); +#endif /* LDAP_BACK_PRINT_CONNTREE */ + + (void)ldap_back_conn_delete( li, lc ); LDAP_BACK_CONN_TAINTED_SET( lc ); + +#if LDAP_BACK_PRINT_CONNTREE > 0 + ldap_back_print_conntree( li, "<<< ldap_back_getconn(timeout)" ); +#endif /* LDAP_BACK_PRINT_CONNTREE */ + + ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); } if ( LogTest( LDAP_DEBUG_TRACE ) ) { char buf[ SLAP_TEXT_BUFLEN ]; snprintf( buf, sizeof( buf ), - "conn %p fetched refcnt=%u binding=%u%s", - (void *)lc, refcnt, binding, expiring ? " expiring" : "" ); + "conn %p fetched refcnt=%u%s", + (void *)lc, refcnt, expiring ? " expiring" : "" ); Debug( LDAP_DEBUG_TRACE, "=>ldap_back_getconn: %s.\n", buf, 0, 0 ); } @@ -819,12 +1095,12 @@ done:; void ldap_back_release_conn_lock( - Operation *op, - SlapReply *rs, - ldapconn_t *lc, + ldapinfo_t *li, + ldapconn_t **lcp, int dolock ) { - ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; + + ldapconn_t *lc = *lcp; if ( dolock ) { ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex ); @@ -833,7 +1109,8 @@ ldap_back_release_conn_lock( LDAP_BACK_CONN_BINDING_CLEAR( lc ); lc->lc_refcnt--; if ( LDAP_BACK_CONN_TAINTED( lc ) ) { - ldap_back_freeconn( op, lc, 0 ); + ldap_back_freeconn( li, lc, 0 ); + *lcp = NULL; } if ( dolock ) { ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); @@ -845,7 +1122,7 @@ ldap_back_quarantine( Operation *op, SlapReply *rs ) { - ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; + ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; slap_retry_info_t *ri = &li->li_quarantine; @@ -890,9 +1167,13 @@ ldap_back_quarantine( ri->ri_last = new_last; } else if ( li->li_isquarantined != LDAP_BACK_FQ_NO ) { + if ( ri->ri_last == slap_get_time() ) { + goto done; + } + Debug( LDAP_DEBUG_ANY, - "%s: ldap_back_quarantine exit.\n", - op->o_log_prefix, ri->ri_idx, ri->ri_count ); + "%s: ldap_back_quarantine exit (%d) err=%d.\n", + op->o_log_prefix, li->li_isquarantined, rs->sr_err ); if ( li->li_quarantine_f ) { (void)li->li_quarantine_f( li, li->li_quarantine_p ); @@ -908,17 +1189,13 @@ done:; } /* - * ldap_back_dobind - * - * Note: as the check for the value of lc->lc_bound was already here, I removed - * it from all the callers, and I made the function return the flag, so - * it can be used to simplify the check. + * ldap_back_dobind_int * * Note: dolock indicates whether li->li_conninfo.lai_mutex must be locked or not */ static int ldap_back_dobind_int( - ldapconn_t *lc, + ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok, @@ -927,13 +1204,33 @@ ldap_back_dobind_int( { ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; - int rc, + ldapconn_t *lc; + struct berval binddn = slap_empty_bv, + bindcred = slap_empty_bv; + + int rc = 0, isbound, binding = 0; ber_int_t msgid; + assert( lcp != NULL ); assert( retries >= 0 ); + if ( sendok & LDAP_BACK_GETCONN ) { + assert( *lcp == NULL ); + + lc = ldap_back_getconn( op, rs, sendok, &binddn, &bindcred ); + if ( lc == NULL ) { + return 0; + } + *lcp = lc; + + } else { + lc = *lcp; + } + + assert( lc != NULL ); + retry_lock:; if ( dolock ) { ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex ); @@ -943,7 +1240,6 @@ retry_lock:; /* check if already bound */ rc = isbound = LDAP_BACK_CONN_ISBOUND( lc ); if ( isbound ) { - lc->lc_binding--; if ( dolock ) { ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); } @@ -965,16 +1261,6 @@ retry_lock:; } } - /* wait for pending operations to finish */ - /* FIXME: may become a bottleneck! */ - if ( lc->lc_refcnt != lc->lc_binding ) { - if ( dolock ) { - ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); - } - ldap_pvt_thread_yield(); - goto retry_lock; - } - if ( dolock ) { ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); } @@ -1001,11 +1287,14 @@ retry_lock:; * but the "override" flag is given to idassert. * It allows to use SASL bind and yet proxyAuthz users */ - if ( op->o_conn != NULL && !op->o_do_not_cache && - ( !LDAP_BACK_CONN_ISPRIV( lc ) || BER_BVISEMPTY( &lc->lc_bound_ndn )) && - ( !isbound || ( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) ) - { - (void)ldap_back_proxy_authz_bind( lc, op, rs, sendok ); + if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) { + if ( BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &bindcred ) ) { + /* if we got here, it shouldn't return result */ + rc = ldap_back_is_proxy_authz( op, rs, + LDAP_BACK_DONTSEND, &binddn, &bindcred ); + assert( rc == 1 ); + } + rc = ldap_back_proxy_authz_bind( lc, op, rs, sendok, &binddn, &bindcred ); goto done; } @@ -1045,7 +1334,9 @@ retry_lock:; rs->sr_err = slap_map_api2result( rs ); if ( rs->sr_err != LDAP_SUCCESS ) { LDAP_BACK_CONN_ISBOUND_CLEAR( lc ); - send_ldap_result( op, rs ); + if ( sendok & LDAP_BACK_SENDERR ) { + send_ldap_result( op, rs ); + } } else { LDAP_BACK_CONN_ISBOUND_SET( lc ); @@ -1077,9 +1368,8 @@ retry:; lc->lc_ld = NULL; /* lc here must be the regular lc, reset and ready for init */ - rs->sr_err = ldap_back_prepare_conn( &lc, op, rs, sendok ); + rs->sr_err = ldap_back_prepare_conn( lc, op, rs, sendok ); if ( rs->sr_err != LDAP_SUCCESS ) { - lc->lc_binding--; lc->lc_refcnt = 0; } } @@ -1094,26 +1384,24 @@ retry:; } goto retry; } - - } else { - if ( dolock ) { - ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex ); - } - lc->lc_binding--; - if ( dolock ) { - ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); - } } - /* FIXME: one binding-- too many? */ - lc->lc_binding--; - ldap_back_freeconn( op, lc, dolock ); + assert( lc->lc_refcnt == 1 ); + lc->lc_refcnt = 0; + ldap_back_freeconn( li, lc, dolock ); + *lcp = NULL; rs->sr_err = slap_map_api2result( rs ); if ( LDAP_BACK_QUARANTINE( li ) ) { ldap_back_quarantine( op, rs ); } + if ( rs->sr_err != LDAP_SUCCESS && + ( sendok & LDAP_BACK_SENDERR ) ) + { + send_ldap_result( op, rs ); + } + return 0; } @@ -1124,22 +1412,30 @@ retry:; } done:; - lc->lc_binding--; LDAP_BACK_CONN_BINDING_CLEAR( lc ); rc = LDAP_BACK_CONN_ISBOUND( lc ); if ( !rc ) { - ldap_back_release_conn_lock( op, rs, lc, dolock ); + ldap_back_release_conn_lock( li, lcp, dolock ); + + } else if ( LDAP_BACK_SAVECRED( li ) ) { + ldap_set_rebind_proc( lc->lc_ld, li->li_rebind_f, lc ); } return rc; } +/* + * ldap_back_dobind + * + * Note: dolock indicates whether li->li_conninfo.lai_mutex must be locked or not + */ int -ldap_back_dobind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) +ldap_back_dobind( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) { ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; - return ldap_back_dobind_int( lc, op, rs, sendok, li->li_nretries, 1 ); + return ldap_back_dobind_int( lcp, op, rs, + ( sendok | LDAP_BACK_GETCONN ), li->li_nretries, 1 ); } /* @@ -1229,7 +1525,7 @@ ldap_back_cancel( } if ( LDAP_BACK_IGNORE( li ) ) { - return LDAP_SUCCESS; + return ldap_pvt_discard( lc->lc_ld, msgid ); } if ( LDAP_BACK_CANCEL( li ) ) { @@ -1443,8 +1739,9 @@ retry:; int ldap_back_retry( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) { - int rc = 0; ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; + int rc = 0, + binding; assert( lcp != NULL ); assert( *lcp != NULL ); @@ -1452,6 +1749,8 @@ ldap_back_retry( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_ ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex ); if ( (*lcp)->lc_refcnt == 1 ) { + binding = LDAP_BACK_CONN_BINDING( *lcp ); + ldap_pvt_thread_mutex_lock( &li->li_uri_mutex ); Debug( LDAP_DEBUG_ANY, "%s ldap_back_retry: retrying URI=\"%s\" DN=\"%s\"\n", @@ -1465,21 +1764,27 @@ ldap_back_retry( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_ LDAP_BACK_CONN_ISBOUND_CLEAR( (*lcp) ); /* lc here must be the regular lc, reset and ready for init */ - rc = ldap_back_prepare_conn( lcp, op, rs, sendok ); + rc = ldap_back_prepare_conn( *lcp, op, rs, sendok ); if ( rc != LDAP_SUCCESS ) { /* freeit, because lc_refcnt == 1 */ (*lcp)->lc_refcnt = 0; - (void)ldap_back_freeconn( op, *lcp, 0 ); + (void)ldap_back_freeconn( li, *lcp, 0 ); *lcp = NULL; rc = 0; + } else if ( ( sendok & LDAP_BACK_BINDING ) ) { + if ( binding ) { + LDAP_BACK_CONN_BINDING_SET( *lcp ); + } + rc = 1; + } else { - rc = ldap_back_dobind_int( *lcp, op, rs, sendok, 0, 0 ); + rc = ldap_back_dobind_int( lcp, op, rs, sendok, 0, 0 ); if ( rc == 0 && *lcp != NULL ) { /* freeit, because lc_refcnt == 1 */ (*lcp)->lc_refcnt = 0; LDAP_BACK_CONN_TAINTED_SET( *lcp ); - (void)ldap_back_freeconn( op, *lcp, 0 ); + (void)ldap_back_freeconn( li, *lcp, 0 ); *lcp = NULL; } } @@ -1490,8 +1795,8 @@ ldap_back_retry( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_ (void *)(*lcp), (*lcp)->lc_refcnt, 0 ); LDAP_BACK_CONN_TAINTED_SET( *lcp ); - ldap_back_release_conn_lock( op, rs, *lcp, 0 ); - *lcp = NULL; + ldap_back_release_conn_lock( li, lcp, 0 ); + assert( *lcp == NULL ); if ( sendok ) { rs->sr_err = LDAP_UNAVAILABLE; @@ -1506,15 +1811,16 @@ ldap_back_retry( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_ } static int -ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) +ldap_back_is_proxy_authz( Operation *op, SlapReply *rs, ldap_back_send_t sendok, + struct berval *binddn, struct berval *bindcred ) { ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; - struct berval binddn = slap_empty_bv; - struct berval bindcred = slap_empty_bv; struct berval ndn; int dobind = 0; - int msgid; - int rc; + + if ( op->o_conn == NULL || op->o_do_not_cache ) { + goto done; + } /* don't proxyAuthz if protocol is not LDAPv3 */ switch ( li->li_version ) { @@ -1531,51 +1837,29 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_b rs->sr_err = LDAP_UNWILLING_TO_PERFORM; if ( sendok & LDAP_BACK_SENDERR ) { send_ldap_result( op, rs ); + dobind = -1; } - LDAP_BACK_CONN_ISBOUND_CLEAR( lc ); goto done; } - if ( op->o_tag == LDAP_REQ_BIND ) { - ndn = op->o_req_ndn; + /* safe default */ + *binddn = slap_empty_bv; + *bindcred = slap_empty_bv; - } else if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) { + if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) { ndn = op->o_conn->c_ndn; } else { ndn = op->o_ndn; } - /* - * FIXME: we need to let clients use proxyAuthz - * otherwise we cannot do symmetric pools of servers; - * we have to live with the fact that a user can - * authorize itself as any ID that is allowed - * by the authzTo directive of the "proxyauthzdn". - */ - /* - * NOTE: current Proxy Authorization specification - * and implementation do not allow proxy authorization - * control to be provided with Bind requests - */ - /* - * if no bind took place yet, but the connection is bound - * and the "proxyauthzdn" is set, then bind as - * "proxyauthzdn" and explicitly add the proxyAuthz - * control to every operation with the dn bound - * to the connection as control value. - */ - - /* bind as proxyauthzdn only if no idassert mode - * is requested, or if the client's identity - * is authorized */ switch ( li->li_idassert_mode ) { case LDAP_BACK_IDASSERT_LEGACY: if ( !BER_BVISNULL( &ndn ) && !BER_BVISEMPTY( &ndn ) ) { if ( !BER_BVISNULL( &li->li_idassert_authcDN ) && !BER_BVISEMPTY( &li->li_idassert_authcDN ) ) { - binddn = li->li_idassert_authcDN; - bindcred = li->li_idassert_passwd; + *binddn = li->li_idassert_authcDN; + *bindcred = li->li_idassert_passwd; dobind = 1; } } @@ -1583,18 +1867,21 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_b default: /* NOTE: rootdn can always idassert */ - if ( BER_BVISNULL( &ndn ) && li->li_idassert_authz == NULL ) { + if ( BER_BVISNULL( &ndn ) + && li->li_idassert_authz == NULL + && !( li->li_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) ) + { if ( li->li_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) { rs->sr_err = LDAP_INAPPROPRIATE_AUTH; if ( sendok & LDAP_BACK_SENDERR ) { send_ldap_result( op, rs ); + dobind = -1; } - LDAP_BACK_CONN_ISBOUND_CLEAR( lc ); } else { rs->sr_err = LDAP_SUCCESS; - binddn = slap_empty_bv; - bindcred = slap_empty_bv; + *binddn = slap_empty_bv; + *bindcred = slap_empty_bv; break; } @@ -1615,13 +1902,13 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_b if ( li->li_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) { if ( sendok & LDAP_BACK_SENDERR ) { send_ldap_result( op, rs ); + dobind = -1; } - LDAP_BACK_CONN_ISBOUND_CLEAR( lc ); } else { rs->sr_err = LDAP_SUCCESS; - binddn = slap_empty_bv; - bindcred = slap_empty_bv; + *binddn = slap_empty_bv; + *bindcred = slap_empty_bv; break; } @@ -1629,13 +1916,38 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_b } } - binddn = li->li_idassert_authcDN; - bindcred = li->li_idassert_passwd; + *binddn = li->li_idassert_authcDN; + *bindcred = li->li_idassert_passwd; dobind = 1; break; } - if ( dobind && li->li_idassert_authmethod == LDAP_AUTH_SASL ) { +done:; + return dobind; +} + +static int +ldap_back_proxy_authz_bind( + ldapconn_t *lc, + Operation *op, + SlapReply *rs, + ldap_back_send_t sendok, + struct berval *binddn, + struct berval *bindcred ) +{ + ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; + struct berval ndn; + int msgid; + int rc; + + if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) { + ndn = op->o_conn->c_ndn; + + } else { + ndn = op->o_ndn; + } + + if ( li->li_idassert_authmethod == LDAP_AUTH_SASL ) { #ifdef HAVE_CYRUS_SASL void *defaults = NULL; struct berval authzID = BER_BVNULL; @@ -1696,7 +2008,7 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_b li->li_idassert_passwd.bv_val, authzID.bv_val ); - rs->sr_err = ldap_sasl_interactive_bind_s( lc->lc_ld, binddn.bv_val, + rs->sr_err = ldap_sasl_interactive_bind_s( lc->lc_ld, binddn->bv_val, li->li_idassert_sasl_mech.bv_val, NULL, NULL, LDAP_SASL_QUIET, lutil_sasl_interact, defaults ); @@ -1723,14 +2035,15 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_b switch ( li->li_idassert_authmethod ) { case LDAP_AUTH_NONE: - BER_BVSTR( &binddn, "" ); - BER_BVSTR( &bindcred, "" ); + /* FIXME: do we really need this? */ + BER_BVSTR( binddn, "" ); + BER_BVSTR( bindcred, "" ); /* fallthru */ case LDAP_AUTH_SIMPLE: rs->sr_err = ldap_sasl_bind( lc->lc_ld, - binddn.bv_val, LDAP_SASL_SIMPLE, - &bindcred, NULL, NULL, &msgid ); + binddn->bv_val, LDAP_SASL_SIMPLE, + bindcred, NULL, NULL, &msgid ); rc = ldap_back_op_result( lc, op, rs, msgid, -1, (sendok|LDAP_BACK_BINDING) ); break; @@ -1750,15 +2063,19 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_b * so that referral chasing is attempted using the right * identity */ LDAP_BACK_CONN_ISBOUND_SET( lc ); - ber_bvreplace( &lc->lc_bound_ndn, &binddn ); + ber_bvreplace( &lc->lc_bound_ndn, binddn ); + + if ( !BER_BVISNULL( &lc->lc_cred ) ) { + memset( lc->lc_cred.bv_val, 0, + lc->lc_cred.bv_len ); + } if ( LDAP_BACK_SAVECRED( li ) ) { - if ( !BER_BVISNULL( &lc->lc_cred ) ) { - memset( lc->lc_cred.bv_val, 0, - lc->lc_cred.bv_len ); - } - ber_bvreplace( &lc->lc_cred, &bindcred ); + ber_bvreplace( &lc->lc_cred, bindcred ); ldap_set_rebind_proc( lc->lc_ld, li->li_rebind_f, lc ); + + } else { + lc->lc_cred.bv_len = 0; } } done:; @@ -1805,6 +2122,7 @@ ldap_back_proxy_authz_ctrl( slap_idassert_mode_t mode; struct berval assertedID, ndn; + int isroot = 0; *pctrls = NULL; @@ -1834,7 +2152,7 @@ ldap_back_proxy_authz_ctrl( goto done; } - if ( !op->o_conn || op->o_do_not_cache || be_isroot( op ) ) { + if ( !op->o_conn || op->o_do_not_cache || ( isroot = be_isroot( op ) ) ) { goto done; } @@ -1886,7 +2204,7 @@ ldap_back_proxy_authz_ctrl( goto done; } - } else if ( si->si_authz && !be_isroot( op ) ) { + } else if ( si->si_authz && !isroot ) { int rc; struct berval authcDN; @@ -1937,21 +2255,11 @@ ldap_back_proxy_authz_ctrl( } switch ( mode ) { - case LDAP_BACK_IDASSERT_SELF: - if ( BER_BVISNULL( &ndn ) ) { - goto done; - } - assertedID = ndn; - break; - case LDAP_BACK_IDASSERT_LEGACY: /* original behavior: * assert the client's identity */ - if ( BER_BVISNULL( &ndn ) ) { - assertedID = slap_empty_bv; - } else { - assertedID = ndn; - } + case LDAP_BACK_IDASSERT_SELF: + assertedID = ndn; break; case LDAP_BACK_IDASSERT_ANONYMOUS: @@ -1973,6 +2281,7 @@ ldap_back_proxy_authz_ctrl( assert( 0 ); } + /* if we got here, "" is allowed to proxyAuthz */ if ( BER_BVISNULL( &assertedID ) ) { assertedID = slap_empty_bv; }