X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fback-ldap%2Fconfig.c;h=3b71971e74f63b8b314084be62458f00989032f5;hb=2d5ec082dd51535e7766fb34903ae307819a53bf;hp=13e49922d3dda8685e3b13895ad8031cb5b4e628;hpb=6a51371fc57e6f3023ee855cef55c783bb463c78;p=openldap diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c index 13e49922d3..3b71971e74 100644 --- a/servers/slapd/back-ldap/config.c +++ b/servers/slapd/back-ldap/config.c @@ -1,38 +1,24 @@ /* config.c - ldap backend configuration file routine */ /* $OpenLDAP$ */ -/* - * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved. - * COPYING RESTRICTIONS APPLY, see COPYRIGHT file - */ -/* This is an altered version */ -/* - * Copyright 1999, Howard Chu, All rights reserved. - * - * Permission is granted to anyone to use this software for any purpose - * on any computer system, and to alter it and redistribute it, subject - * to the following restrictions: - * - * 1. The author is not responsible for the consequences of use of this - * software, no matter how awful, even if they arise from flaws in it. - * - * 2. The origin of this software must not be misrepresented, either by - * explicit claim or by omission. Since few users ever read sources, - * credits should appear in the documentation. - * - * 3. Altered versions must be plainly marked as such, and must not be - * misrepresented as being the original software. Since few users - * ever read sources, credits should appear in the documentation. - * - * 4. This notice may not be removed or altered. +/* This work is part of OpenLDAP Software . * + * Copyright 2003-2004 The OpenLDAP Foundation. + * Portions Copyright 1999-2003 Howard Chu. + * Portions Copyright 2000-2003 Pierangelo Masarati. + * All rights reserved. * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. * - * Copyright 2000, Pierangelo Masarati, All rights reserved. - * - * This software is being modified by Pierangelo Masarati. - * The previously reported conditions apply to the modified code as well. - * Changes in the original code are highlighted where required. - * Credits for the original code go to the author, Howard Chu. + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * . + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by the Howard Chu for inclusion + * in OpenLDAP Software and subsequently enhanced by Pierangelo + * Masarati. */ #include "portable.h" @@ -45,467 +31,659 @@ #include "slap.h" #include "back-ldap.h" #include "lutil.h" +#undef ldap_debug +/* for advanced URL parsing */ +#include "../../../libraries/libldap/ldap-int.h" + +static SLAP_EXTOP_MAIN_FN ldap_back_exop_whoami; + +static int +parse_idassert( BackendDB *be, const char *fname, int lineno, + int argc, char **argv ); int ldap_back_db_config( - BackendDB *be, - const char *fname, - int lineno, - int argc, - char **argv -) + BackendDB *be, + const char *fname, + int lineno, + int argc, + char **argv ) { struct ldapinfo *li = (struct ldapinfo *) be->be_private; if ( li == NULL ) { fprintf( stderr, "%s: line %d: ldap backend info is null!\n", - fname, lineno ); - return( 1 ); + fname, lineno ); + return 1; } /* server address to query (depricated, use "uri" directive) */ if ( strcasecmp( argv[0], "server" ) == 0 ) { - if (argc != 2) { + ber_len_t l; + + fprintf( stderr, + "%s: line %d: \"server
\" directive is deprecated\n", + fname, lineno ); + + if ( argc != 2 ) { fprintf( stderr, "%s: line %d: missing address in \"server
\" line\n", - fname, lineno ); - return( 1 ); + fname, lineno ); + return 1; + } + if ( li->url != NULL ) { + ch_free( li->url ); } - if (li->url != NULL) - ch_free(li->url); - li->url = ch_calloc(strlen(argv[1]) + 9, sizeof(char)); - if (li->url != NULL) { - strcpy(li->url, "ldap://"); - strcat(li->url, argv[1]); - strcat(li->url, "/"); + l = strlen( argv[1] ) + STRLENOF( "ldap:///") + 1; + li->url = ch_calloc( l, sizeof( char ) ); + if ( li->url == NULL ) { + fprintf( stderr, "%s: line %d: malloc failed\n" ); + return 1; } + snprintf( li->url, l, "ldap://%s/", argv[1] ); + /* URI of server to query (preferred over "server" directive) */ } else if ( strcasecmp( argv[0], "uri" ) == 0 ) { - if (argc != 2) { - fprintf( stderr, - "%s: line %d: missing address in \"uri
\" line\n", - fname, lineno ); - return( 1 ); + LDAPURLDesc *tmpludp; + int urlrc; + + if ( argc != 2 ) { + fprintf( stderr, "%s: line %d: " + "missing uri " + "in \"uri \" line\n", + fname, lineno ); + return 1; + } + if ( li->url != NULL ) { + ch_free( li->url ); + } + if ( li->lud != NULL ) { + ldap_free_urllist( li->lud ); } - if (li->url != NULL) - ch_free(li->url); - li->url = ch_strdup(argv[1]); + +#if 0 + /* PARANOID: DN and more are not required nor allowed */ + urlrc = ldap_url_parselist_ext( &li->lud, argv[ 1 ], "\t" ); +#else + urlrc = ldap_url_parselist( &li->lud, argv[ 1 ] ); +#endif + if ( urlrc != LDAP_URL_SUCCESS ) { + char *why; + + switch ( urlrc ) { + case LDAP_URL_ERR_MEM: + why = "no memory"; + break; + case LDAP_URL_ERR_PARAM: + why = "parameter is bad"; + break; + case LDAP_URL_ERR_BADSCHEME: + why = "URL doesn't begin with \"[c]ldap[si]://\""; + break; + case LDAP_URL_ERR_BADENCLOSURE: + why = "URL is missing trailing \">\""; + break; + case LDAP_URL_ERR_BADURL: + why = "URL is bad"; + case LDAP_URL_ERR_BADHOST: + why = "host/port is bad"; + break; + case LDAP_URL_ERR_BADATTRS: + why = "bad (or missing) attributes"; + break; + case LDAP_URL_ERR_BADSCOPE: + why = "scope string is invalid (or missing)"; + break; + case LDAP_URL_ERR_BADFILTER: + why = "bad or missing filter"; + break; + case LDAP_URL_ERR_BADEXTS: + why = "bad or missing extensions"; + break; + default: + why = "unknown reason"; + break; + } + fprintf( stderr, "%s: line %d: " + "unable to parse uri \"%s\" " + "in \"uri \" line: %s\n", + fname, lineno, argv[ 1 ], why ); + return 1; + } + + for ( tmpludp = li->lud; tmpludp; tmpludp = tmpludp->lud_next ) { + if ( ( tmpludp->lud_dn != NULL + && tmpludp->lud_dn[0] != '\0' ) + || tmpludp->lud_attrs != NULL + || tmpludp->lud_filter != NULL + || tmpludp->lud_exts != NULL ) + { + fprintf( stderr, "%s: line %d: " + "warning, only protocol, " + "host and port allowed " + "in \"uri \" statement " + "for \"%s\"\n", + fname, lineno, argv[1] ); + } + } + +#if 0 + for ( tmpludp = li->lud; tmpludp; tmpludp = tmpludp->lud_next ) { + LDAPURLDesc tmplud; + char *tmpurl; + ber_len_t oldlen = 0, len; + + tmplud = *tmpludp; + tmplud.lud_dn = ""; + tmplud.lud_attrs = NULL; + tmplud.lud_filter = NULL; + if ( !ldap_is_ldapi_url( argv[ 1 ] ) ) { + tmplud.lud_exts = NULL; + tmplud.lud_crit_exts = 0; + } + + tmpurl = ldap_url_desc2str( &tmplud ); + + if ( tmpurl == NULL ) { + fprintf( stderr, "%s: line %d: " + "unable to rebuild uri " + "in \"uri \" statement " + "for \"%s\"\n", + fname, lineno, argv[ 1 ] ); + return 1; + } + + len = strlen( tmpurl ); + if ( li->url ) { + oldlen = strlen( li->url ) + STRLENOF( " " ); + } + li->url = ch_realloc( li->url, oldlen + len + 1); + if ( oldlen ) { + li->url[oldlen - 1] = " "; + } + AC_MEMCPY( &li->url[oldlen], tmpurl, len + 1 ); + ch_free( tmpurl ); + } +#else + li->url = ch_strdup( argv[ 1 ] ); +#endif /* name to use for ldap_back_group */ - } else if ( strcasecmp( argv[0], "binddn" ) == 0 ) { - if (argc != 2) { + } else if ( strcasecmp( argv[0], "acl-authcdn" ) == 0 + || strcasecmp( argv[0], "binddn" ) == 0 ) { + if ( argc != 2 ) { fprintf( stderr, - "%s: line %d: missing name in \"binddn \" line\n", - fname, lineno ); + "%s: line %d: missing name in \"%s \" line\n", + fname, lineno, argv[0] ); return( 1 ); } - li->binddn = ch_strdup(argv[1]); + ber_str2bv( argv[1], 0, 1, &li->acl_authcDN ); /* password to use for ldap_back_group */ - } else if ( strcasecmp( argv[0], "bindpw" ) == 0 ) { - if (argc != 2) { + } else if ( strcasecmp( argv[0], "acl-passwd" ) == 0 + || strcasecmp( argv[0], "bindpw" ) == 0 ) { + if ( argc != 2 ) { fprintf( stderr, - "%s: line %d: missing password in \"bindpw \" line\n", - fname, lineno ); + "%s: line %d: missing password in \"%s \" line\n", + fname, lineno, argv[0] ); return( 1 ); } - li->bindpw = ch_strdup(argv[1]); - + ber_str2bv( argv[1], 0, 1, &li->acl_passwd ); + +#ifdef LDAP_BACK_PROXY_AUTHZ + /* identity assertion stuff... */ + } else if ( strncasecmp( argv[0], "idassert-", STRLENOF( "idassert-" ) ) == 0 + || strncasecmp( argv[0], "proxyauthz", STRLENOF( "proxyauthz" ) ) == 0 ) { + return parse_idassert( be, fname, lineno, argc, argv ); +#endif /* LDAP_BACK_PROXY_AUTHZ */ + /* save bind creds for referral rebinds? */ } else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) { - if (argc != 1) { + if ( argc != 1 ) { fprintf( stderr, "%s: line %d: rebind-as-user takes no arguments\n", - fname, lineno ); + fname, lineno ); return( 1 ); } li->savecred = 1; - /* dn massaging */ - } else if ( strcasecmp( argv[0], "suffixmassage" ) == 0 ) { - BackendDB *tmp_be; - struct berval bvnc, nvnc, pvnc, brnc, nrnc, prnc; -#ifdef ENABLE_REWRITE - int rc; -#endif /* ENABLE_REWRITE */ - - /* - * syntax: - * - * suffixmassage - * - * the field must be defined as a valid suffix - * (or suffixAlias?) for the current database; - * the shouldn't have already been - * defined as a valid suffix or suffixAlias for the - * current server - */ - if ( argc != 3 ) { - fprintf( stderr, "%s: line %d: syntax is" - " \"suffixMassage " - " \"\n", - fname, lineno ); - return( 1 ); - } - - ber_str2bv( argv[1], 0, 0, &bvnc ); - if ( dnPrettyNormal( NULL, &bvnc, &pvnc, &nvnc ) != LDAP_SUCCESS ) { - fprintf( stderr, "%s: line %d: suffix DN %s is invalid\n", - fname, lineno, bvnc.bv_val ); - return( 1 ); - } - tmp_be = select_backend( &nvnc, 0, 0 ); - if ( tmp_be != NULL && tmp_be != be ) { - fprintf( stderr, "%s: line %d: suffix already in use" - " by another backend in" - " \"suffixMassage " - " \"\n", - fname, lineno ); - free( nvnc.bv_val ); - free( pvnc.bv_val ); + /* intercept exop_who_am_i? */ + } else if ( strcasecmp( argv[0], "proxy-whoami" ) == 0 ) { + if ( argc != 1 ) { + fprintf( stderr, + "%s: line %d: proxy-whoami takes no arguments\n", + fname, lineno ); return( 1 ); } + load_extop( (struct berval *)&slap_EXOP_WHOAMI, + 0, ldap_back_exop_whoami ); + + /* FIXME: legacy: intercept old rewrite/remap directives + * and try to start the rwm overlay */ + } else if ( strcasecmp( argv[0], "suffixmassage" ) == 0 + || strcasecmp( argv[0], "map" ) == 0 + || strncasecmp( argv[0], "rewrite", STRLENOF( "rewrite" ) ) == 0 ) + { + if ( li->rwm_started == 0 ) { + if ( overlay_config( be, "rwm" ) ) { + fprintf( stderr, "%s: line %d: " + "unable to configure the \"rwm\" " + "overlay, required by directive " + "\"%s\".\n", + fname, lineno, argv[0] ); +#if SLAPD_OVER_RWM == SLAPD_MOD_DYNAMIC + fprintf( stderr, "\thint: try loading the \"rwm.la\" dynamic module.\n" ); +#endif /* SLAPD_OVER_RWM == SLAPD_MOD_DYNAMIC */ + return( 1 ); + } - ber_str2bv( argv[2], 0, 0, &brnc ); - if ( dnPrettyNormal( NULL, &brnc, &prnc, &nrnc ) != LDAP_SUCCESS ) { - fprintf( stderr, "%s: line %d: suffix DN %s is invalid\n", - fname, lineno, brnc.bv_val ); - free( nvnc.bv_val ); - free( pvnc.bv_val ); - return( 1 ); + fprintf( stderr, "%s: line %d: back-ldap: " + "automatically starting \"rwm\" overlay, " + "triggered by \"%s\" directive.\n", + fname, lineno, argv[ 0 ] ); + + li->rwm_started = 1; + + return ( *be->bd_info->bi_db_config )( be, fname, lineno, argc, argv ); } -#if 0 - tmp_be = select_backend( &nrnc, 0, 0 ); - if ( tmp_be != NULL ) { - fprintf( stderr, "%s: line %d: massaged suffix" - " already in use by another backend in" - " \"suffixMassage " - " \"\n", - fname, lineno ); - free( nvnc.bv_val ); - free( pvnc.bv_val ); - free( nrnc.bv_val ); - free( prnc.bv_val ); - return( 1 ); + return SLAP_CONF_UNKNOWN; + + /* anything else */ + } else { + return SLAP_CONF_UNKNOWN; + } + + return 0; +} + +static int +ldap_back_exop_whoami( + Operation *op, + SlapReply *rs ) +{ + struct berval *bv = NULL; + + if ( op->oq_extended.rs_reqdata != NULL ) { + /* no request data should be provided */ + rs->sr_text = "no request data expected"; + return rs->sr_err = LDAP_PROTOCOL_ERROR; + } + + rs->sr_err = backend_check_restrictions( op, rs, + (struct berval *)&slap_EXOP_WHOAMI ); + if( rs->sr_err != LDAP_SUCCESS ) return rs->sr_err; + + /* if auth'd by back-ldap and request is proxied, forward it */ + if ( op->o_conn->c_authz_backend && !strcmp(op->o_conn->c_authz_backend->be_type, "ldap" ) && !dn_match(&op->o_ndn, &op->o_conn->c_ndn)) { + struct ldapconn *lc; + + LDAPControl c, *ctrls[2] = {NULL, NULL}; + LDAPMessage *res; + Operation op2 = *op; + ber_int_t msgid; + int do_retry = 1; + + ctrls[0] = &c; + op2.o_ndn = op->o_conn->c_ndn; + lc = ldap_back_getconn(&op2, rs); + if (!lc || !ldap_back_dobind( lc, op, rs )) { + return -1; } -#endif + c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; + c.ldctl_iscritical = 1; + c.ldctl_value.bv_val = ch_malloc(op->o_ndn.bv_len+4); + c.ldctl_value.bv_len = op->o_ndn.bv_len + 3; + strcpy(c.ldctl_value.bv_val, "dn:"); + strcpy(c.ldctl_value.bv_val+3, op->o_ndn.bv_val); + +retry: + rs->sr_err = ldap_whoami(lc->lc_ld, ctrls, NULL, &msgid); + if (rs->sr_err == LDAP_SUCCESS) { + if (ldap_result(lc->lc_ld, msgid, 1, NULL, &res) == -1) { + ldap_get_option(lc->lc_ld, LDAP_OPT_ERROR_NUMBER, + &rs->sr_err); + if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) { + do_retry = 0; + if ( ldap_back_retry( lc, op, rs ) ) + goto retry; + } + ldap_back_freeconn( op, lc ); + lc = NULL; + + } else { + rs->sr_err = ldap_parse_whoami(lc->lc_ld, res, &bv); + ldap_msgfree(res); + } + } + ch_free(c.ldctl_value.bv_val); + if (rs->sr_err != LDAP_SUCCESS) { + rs->sr_err = slap_map_api2result( rs ); + } + } else { + /* else just do the same as before */ + bv = (struct berval *) ch_malloc( sizeof(struct berval) ); + if ( !BER_BVISEMPTY( &op->o_dn ) ) { + bv->bv_len = op->o_dn.bv_len + sizeof("dn:") - 1; + bv->bv_val = ch_malloc( bv->bv_len + 1 ); + AC_MEMCPY( bv->bv_val, "dn:", sizeof("dn:") - 1 ); + AC_MEMCPY( &bv->bv_val[sizeof("dn:") - 1], op->o_dn.bv_val, + op->o_dn.bv_len ); + bv->bv_val[bv->bv_len] = '\0'; + } else { + bv->bv_len = 0; + bv->bv_val = NULL; + } + } -#ifdef ENABLE_REWRITE - /* - * The suffix massaging is emulated by means of the - * rewrite capabilities - * FIXME: no extra rewrite capabilities should be added - * to the database - */ - rc = suffix_massage_config( li->rwinfo, &pvnc, &nvnc, &prnc, &nrnc ); - free( nvnc.bv_val ); - free( pvnc.bv_val ); - free( nrnc.bv_val ); - free( prnc.bv_val ); - - return( rc ); - -#else /* !ENABLE_REWRITE */ - ber_bvarray_add( &li->suffix_massage, &pvnc ); - ber_bvarray_add( &li->suffix_massage, &nvnc ); - - ber_bvarray_add( &li->suffix_massage, &prnc ); - ber_bvarray_add( &li->suffix_massage, &nrnc ); -#endif /* !ENABLE_REWRITE */ - - /* rewrite stuff ... */ - } else if ( strncasecmp( argv[0], "rewrite", 7 ) == 0 ) { -#ifdef ENABLE_REWRITE - return rewrite_parse( li->rwinfo, fname, lineno, argc, argv ); - -#else /* !ENABLE_REWRITE */ - fprintf( stderr, "%s: line %d: rewrite capabilities " - "are not enabled\n", fname, lineno ); -#endif /* !ENABLE_REWRITE */ - - /* objectclass/attribute mapping */ - } else if ( strcasecmp( argv[0], "map" ) == 0 ) { - struct ldapmap *map; - struct ldapmapping *mapping; - char *src, *dst; + rs->sr_rspdata = bv; + return rs->sr_err; +} - if ( argc < 3 || argc > 4 ) { - fprintf( stderr, - "%s: line %d: syntax is \"map {objectclass | attribute} [ | *] { | *}\"\n", - fname, lineno ); - return( 1 ); + +#ifdef LDAP_BACK_PROXY_AUTHZ +static int +parse_idassert( + BackendDB *be, + const char *fname, + int lineno, + int argc, + char **argv +) +{ + struct ldapinfo *li = (struct ldapinfo *) be->be_private; + + /* identity assertion mode */ + if ( strcasecmp( argv[0], "idassert-mode" ) == 0 ) { + if ( argc < 2 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: illegal args number %d in \"idassert-mode [ [...]]\" line.\n", + fname, lineno, argc ); + return 1; } - if ( strcasecmp( argv[1], "objectclass" ) == 0 ) { - map = &li->oc_map; - } else if ( strcasecmp( argv[1], "attribute" ) == 0 ) { - map = &li->at_map; + if ( strcasecmp( argv[1], "legacy" ) == 0 ) { + /* will proxyAuthz as client's identity only if bound */ + li->idassert_mode = LDAP_BACK_IDASSERT_LEGACY; + + } else if ( strcasecmp( argv[1], "self" ) == 0 ) { + /* will proxyAuthz as client's identity */ + li->idassert_mode = LDAP_BACK_IDASSERT_SELF; + + } else if ( strcasecmp( argv[1], "anonymous" ) == 0 ) { + /* will proxyAuthz as anonymous */ + li->idassert_mode = LDAP_BACK_IDASSERT_ANONYMOUS; + + } else if ( strcasecmp( argv[1], "none" ) == 0 ) { + /* will not proxyAuthz */ + li->idassert_mode = LDAP_BACK_IDASSERT_NOASSERT; + } else { - fprintf( stderr, "%s: line %d: syntax is " - "\"map {objectclass | attribute} [ | *] " - "{ | *}\"\n", - fname, lineno ); - return( 1 ); + struct berval id; + int rc; + + /* will proxyAuthz as argv[1] */ + ber_str2bv( argv[1], 0, 0, &id ); + + if ( strncasecmp( id.bv_val, "u:", STRLENOF( "u:" ) ) == 0 ) { + /* force lowercase... */ + id.bv_val[0] = 'u'; + li->idassert_mode = LDAP_BACK_IDASSERT_OTHERID; + ber_dupbv( &li->idassert_authzID, &id ); + + } else { + struct berval dn; + + /* default is DN? */ + if ( strncasecmp( id.bv_val, "dn:", STRLENOF( "dn:" ) ) == 0 ) { + id.bv_val += STRLENOF( "dn:" ); + id.bv_len -= STRLENOF( "dn:" ); + } + + rc = dnNormalize( 0, NULL, NULL, &id, &dn, NULL ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: idassert ID \"%s\" is not a valid DN\n", + fname, lineno, argv[1] ); + return 1; + } + + li->idassert_authzID.bv_len = STRLENOF( "dn:" ) + dn.bv_len; + li->idassert_authzID.bv_val = ch_malloc( li->idassert_authzID.bv_len + 1 ); + AC_MEMCPY( li->idassert_authzID.bv_val, "dn:", STRLENOF( "dn:" ) ); + AC_MEMCPY( &li->idassert_authzID.bv_val[ STRLENOF( "dn:" ) ], dn.bv_val, dn.bv_len + 1 ); + ch_free( dn.bv_val ); + + li->idassert_mode = LDAP_BACK_IDASSERT_OTHERDN; + } } - if ( strcmp( argv[2], "*" ) == 0 ) { - if ( argc < 4 || strcmp( argv[3], "*" ) == 0 ) { - map->drop_missing = ( argc < 4 ); - return 0; + for ( argc -= 2, argv += 2; argc--; argv++ ) { + if ( strcasecmp( argv[0], "override" ) == 0 ) { + li->idassert_flags |= LDAP_BACK_AUTH_OVERRIDE; + + } else { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: unknown flag \"%s\" " + "in \"idassert-mode " + "[]\" line.\n", + fname, lineno, argv[0] ); + return 1; } - src = dst = argv[3]; - } else if ( argc < 4 ) { - src = ""; - dst = argv[2]; - } else { - src = argv[2]; - dst = ( strcmp( argv[3], "*" ) == 0 ? src : argv[3] ); } - if ( ( map == &li->at_map ) - && ( strcasecmp( src, "objectclass" ) == 0 - || strcasecmp( dst, "objectclass" ) == 0 ) ) - { - fprintf( stderr, - "%s: line %d: objectclass attribute cannot be mapped\n", - fname, lineno ); - } + /* name to use for proxyAuthz propagation */ + } else if ( strcasecmp( argv[0], "idassert-authcdn" ) == 0 + || strcasecmp( argv[0], "proxyauthzdn" ) == 0 ) + { + struct berval dn; + int rc; + + /* FIXME: "proxyauthzdn" is no longer documented, and + * temporarily supported for backwards compatibility */ - mapping = (struct ldapmapping *)ch_calloc( 2, - sizeof(struct ldapmapping) ); - if ( mapping == NULL ) { + if ( argc != 2 ) { fprintf( stderr, - "%s: line %d: out of memory\n", - fname, lineno ); + "%s: line %d: missing name in \"%s \" line\n", + fname, lineno, argv[0] ); return( 1 ); } - ber_str2bv( src, 0, 1, &mapping->src ); - ber_str2bv( dst, 0, 1, &mapping->dst ); - mapping[1].src = mapping->dst; - mapping[1].dst = mapping->src; - - if ( (*src != '\0' && - avl_find( map->map, (caddr_t)mapping, mapping_cmp ) != NULL) || - avl_find( map->remap, (caddr_t)&mapping[1], mapping_cmp ) != NULL) - { - fprintf( stderr, - "%s: line %d: duplicate mapping found (ignored)\n", - fname, lineno ); - return 0; + + if ( !BER_BVISNULL( &li->idassert_authcDN ) ) { + fprintf( stderr, "%s: line %d: " + "authcDN already defined; replacing...\n", + fname, lineno ); + ch_free( li->idassert_authcDN.bv_val ); + } + + ber_str2bv( argv[1], 0, 0, &dn ); + rc = dnNormalize( 0, NULL, NULL, &dn, &li->idassert_authcDN, NULL ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: idassert ID \"%s\" is not a valid DN\n", + fname, lineno, argv[1] ); + return 1; } - if ( *src != '\0' ) - avl_insert( &map->map, (caddr_t)mapping, - mapping_cmp, mapping_dup ); - avl_insert( &map->remap, (caddr_t)&mapping[1], - mapping_cmp, mapping_dup ); + /* password to use for proxyAuthz propagation */ + } else if ( strcasecmp( argv[0], "idassert-passwd" ) == 0 + || strcasecmp( argv[0], "proxyauthzpw" ) == 0 ) + { + /* FIXME: "proxyauthzpw" is no longer documented, and + * temporarily supported for backwards compatibility */ - /* anything else */ - } else { - fprintf( stderr, "%s: line %d: unknown directive \"%s\" " - "in ldap database definition (ignored)\n", - fname, lineno, argv[0] ); - } - return 0; -} + if ( argc != 2 ) { + fprintf( stderr, + "%s: line %d: missing password in \"%s \" line\n", + fname, lineno, argv[0] ); + return( 1 ); + } -#ifdef ENABLE_REWRITE -static char * -suffix_massage_regexize( const char *s ) -{ - char *res, *ptr; - const char *p, *r; - int i; - - for ( i = 0, p = s; - ( r = strchr( p, ',' ) ) != NULL; - p = r + 1, i++ ) - ; - - res = ch_calloc( sizeof( char ), strlen( s ) + 4 + 4*i + 1 ); - - ptr = lutil_strcopy( res, "(.*)" ); - for ( i = 0, p = s; - ( r = strchr( p, ',' ) ) != NULL; - p = r + 1 , i++ ) { - ptr = lutil_strncopy( ptr, p, r - p + 1 ); - ptr = lutil_strcopy( ptr, "[ ]?" ); - - if ( r[ 1 ] == ' ' ) { - r++; + if ( !BER_BVISNULL( &li->idassert_passwd ) ) { + fprintf( stderr, "%s: line %d: " + "passwd already defined; replacing...\n", + fname, lineno ); + ch_free( li->idassert_passwd.bv_val ); } - } - lutil_strcopy( ptr, p ); + + ber_str2bv( argv[1], 0, 1, &li->idassert_passwd ); - return res; -} + /* rules to accept identity assertion... */ + } else if ( strcasecmp( argv[0], "idassert-authzFrom" ) == 0 ) { + struct berval rule; -static char * -suffix_massage_patternize( const char *s ) -{ - ber_len_t len; - char *res; + ber_str2bv( argv[1], 0, 1, &rule ); - len = strlen( s ); + ber_bvarray_add( &li->idassert_authz, &rule ); - res = ch_calloc( sizeof( char ), len + sizeof( "%1" ) ); - if ( res == NULL ) { - return NULL; - } + } else if ( strcasecmp( argv[0], "idassert-method" ) == 0 ) { + if ( argc < 2 ) { + fprintf( stderr, + "%s: line %d: missing method in \"%s \" line\n", + fname, lineno, argv[0] ); + return( 1 ); + } - strcpy( res, "%1" ); - strcpy( res + sizeof( "%1" ) - 1, s ); + if ( strcasecmp( argv[1], "none" ) == 0 ) { + /* FIXME: is this useful? */ + li->idassert_authmethod = LDAP_AUTH_NONE; - return res; -} + if ( argc != 2 ) { + fprintf( stderr, + "%s: line %d: trailing args in \"%s %s ...\" line ignored\"\n", + fname, lineno, argv[0], argv[1] ); + } -int -suffix_massage_config( - struct rewrite_info *info, - struct berval *pvnc, - struct berval *nvnc, - struct berval *prnc, - struct berval *nrnc -) -{ - char *rargv[ 5 ]; - int line = 0; - - rargv[ 0 ] = "rewriteEngine"; - rargv[ 1 ] = "on"; - rargv[ 2 ] = NULL; - rewrite_parse( info, "", ++line, 2, rargv ); - - rargv[ 0 ] = "rewriteContext"; - rargv[ 1 ] = "default"; - rargv[ 2 ] = NULL; - rewrite_parse( info, "", ++line, 2, rargv ); - - rargv[ 0 ] = "rewriteRule"; - rargv[ 1 ] = suffix_massage_regexize( pvnc->bv_val ); - rargv[ 2 ] = suffix_massage_patternize( prnc->bv_val ); - rargv[ 3 ] = ":"; - rargv[ 4 ] = NULL; - rewrite_parse( info, "", ++line, 4, rargv ); - ch_free( rargv[ 1 ] ); - ch_free( rargv[ 2 ] ); - - rargv[ 0 ] = "rewriteContext"; - rargv[ 1 ] = "searchResult"; - rargv[ 2 ] = NULL; - rewrite_parse( info, "", ++line, 2, rargv ); - - rargv[ 0 ] = "rewriteRule"; - rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val ); - rargv[ 2 ] = suffix_massage_patternize( pvnc->bv_val ); - rargv[ 3 ] = ":"; - rargv[ 4 ] = NULL; - rewrite_parse( info, "", ++line, 4, rargv ); - ch_free( rargv[ 1 ] ); - ch_free( rargv[ 2 ] ); - - /* - * the filter should be rewritten as - * - * rewriteRule - * "(.*)member=([^)]+),o=Foo Bar,[ ]?c=US(.*)" - * "%1member=%2,dc=example,dc=com%3" - * - * where "o=Foo Bar, c=US" is the virtual naming context, - * and "dc=example, dc=com" is the real naming context - */ - rargv[ 0 ] = "rewriteContext"; - rargv[ 1 ] = "searchFilter"; - rargv[ 2 ] = NULL; - rewrite_parse( info, "", ++line, 2, rargv ); - -#if 1 /* rewrite filters */ - { - /* - * Note: this is far more optimistic than desirable: - * for any AVA value ending with the virtual naming - * context the terminal part will be replaced by the - * real naming context; a better solution would be to - * walk the filter looking for DN-valued attributes, - * and only rewrite those that require rewriting - */ - char vbuf_[BUFSIZ], *vbuf = vbuf_, - rbuf_[BUFSIZ], *rbuf = rbuf_; - int len; - - len = snprintf( vbuf, sizeof( vbuf_ ), - "(.*)%s\\)(.*)", nvnc->bv_val ); - if ( len == -1 ) { - /* - * traditional behavior: snprintf returns -1 - * if buffer is insufficient - */ - return -1; + } else if ( strcasecmp( argv[1], "simple" ) == 0 ) { + li->idassert_authmethod = LDAP_AUTH_SIMPLE; - } else if ( len >= (int)sizeof( vbuf_ ) ) { - /* - * C99: snprintf returns the required size - */ - vbuf = ch_malloc( len + 1 ); - len = snprintf( vbuf, len, - "(.*)%s\\)(.*)", nvnc->bv_val ); - assert( len > 0 ); - } + if ( argc != 2 ) { + fprintf( stderr, + "%s: line %d: trailing args in \"%s %s ...\" line ignored\"\n", + fname, lineno, argv[0], argv[1] ); + } - len = snprintf( rbuf, sizeof( rbuf_ ), "%%1%s)%%2", - nrnc->bv_val ); - if ( len == -1 ) { - return -1; + } else if ( strcasecmp( argv[1], "sasl" ) == 0 ) { +#ifdef HAVE_CYRUS_SASL + int arg; + + for ( arg = 2; arg < argc; arg++ ) { + if ( strncasecmp( argv[arg], "mech=", STRLENOF( "mech=" ) ) == 0 ) { + char *val = argv[arg] + STRLENOF( "mech=" ); + + if ( !BER_BVISNULL( &li->idassert_sasl_mech ) ) { + fprintf( stderr, "%s: line %d: " + "SASL mech already defined; replacing...\n", + fname, lineno ); + ch_free( li->idassert_sasl_mech.bv_val ); + } + ber_str2bv( val, 0, 1, &li->idassert_sasl_mech ); + + } else if ( strncasecmp( argv[arg], "realm=", STRLENOF( "realm=" ) ) == 0 ) { + char *val = argv[arg] + STRLENOF( "realm=" ); + + if ( !BER_BVISNULL( &li->idassert_sasl_realm ) ) { + fprintf( stderr, "%s: line %d: " + "SASL realm already defined; replacing...\n", + fname, lineno ); + ch_free( li->idassert_sasl_realm.bv_val ); + } + ber_str2bv( val, 0, 1, &li->idassert_sasl_realm ); + + } else if ( strncasecmp( argv[arg], "authcdn=", STRLENOF( "authcdn=" ) ) == 0 ) { + char *val = argv[arg] + STRLENOF( "authcdn=" ); + struct berval dn; + int rc; + + if ( !BER_BVISNULL( &li->idassert_authcDN ) ) { + fprintf( stderr, "%s: line %d: " + "SASL authcDN already defined; replacing...\n", + fname, lineno ); + ch_free( li->idassert_authcDN.bv_val ); + } + if ( strncasecmp( argv[arg], "dn:", STRLENOF( "dn:" ) ) == 0 ) { + val += STRLENOF( "dn:" ); + } + + ber_str2bv( val, 0, 0, &dn ); + rc = dnNormalize( 0, NULL, NULL, &dn, &li->idassert_authcDN, NULL ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: SASL authcdn \"%s\" is not a valid DN\n", + fname, lineno, val ); + return 1; + } + + } else if ( strncasecmp( argv[arg], "authcid=", STRLENOF( "authcid=" ) ) == 0 ) { + char *val = argv[arg] + STRLENOF( "authcid=" ); + + if ( !BER_BVISNULL( &li->idassert_authcID ) ) { + fprintf( stderr, "%s: line %d: " + "SASL authcID already defined; replacing...\n", + fname, lineno ); + ch_free( li->idassert_authcID.bv_val ); + } + if ( strncasecmp( argv[arg], "u:", STRLENOF( "u:" ) ) == 0 ) { + val += STRLENOF( "u:" ); + } + ber_str2bv( val, 0, 1, &li->idassert_authcID ); + + } else if ( strncasecmp( argv[arg], "cred=", STRLENOF( "cred=" ) ) == 0 ) { + char *val = argv[arg] + STRLENOF( "cred=" ); + + if ( !BER_BVISNULL( &li->idassert_passwd ) ) { + fprintf( stderr, "%s: line %d: " + "SASL cred already defined; replacing...\n", + fname, lineno ); + ch_free( li->idassert_passwd.bv_val ); + } + ber_str2bv( val, 0, 1, &li->idassert_passwd ); + + } else if ( strncasecmp( argv[arg], "authz=", STRLENOF( "authz=" ) ) == 0 ) { + char *val = argv[arg] + STRLENOF( "authz=" ); + + if ( strcasecmp( val, "proxyauthz" ) == 0 ) { + li->idassert_flags &= ~LDAP_BACK_AUTH_NATIVE_AUTHZ; + + } else if ( strcasecmp( val, "native" ) == 0 ) { + li->idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ; + + } else { + fprintf( stderr, "%s: line %s: " + "unknown authz mode \"%s\"\n", + fname, lineno, val ); + return 1; + } + + } else { + fprintf( stderr, "%s: line %d: " + "unknown SASL parameter %s\n", + fname, lineno, argv[arg] ); + return 1; + } + } - } else if ( len >= (int)sizeof( rbuf_ ) ) { - rbuf = ch_malloc( len + 1 ); - len = snprintf( rbuf, sizeof( rbuf_ ), "%%1%s)%%2", - nrnc->bv_val ); - assert( len > 0 ); - } - - rargv[ 0 ] = "rewriteRule"; - rargv[ 1 ] = vbuf; - rargv[ 2 ] = rbuf; - rargv[ 3 ] = ":"; - rargv[ 4 ] = NULL; - rewrite_parse( info, "", ++line, 4, rargv ); - - if ( vbuf != vbuf_ ) { - ch_free( vbuf ); - } + li->idassert_authmethod = LDAP_AUTH_SASL; - if ( rbuf != rbuf_ ) { - ch_free( rbuf ); +#else /* !HAVE_CYRUS_SASL */ + fprintf( stderr, "%s: line %d: " + "compile --with-cyrus-sasl to enable SASL auth\n", + fname, lineno ); + return 1; +#endif /* !HAVE_CYRUS_SASL */ + + } else { + fprintf( stderr, "%s: line %d: " + "unhandled idassert-method method %s\n", + fname, lineno, argv[1] ); + return 1; } + + } else { + return SLAP_CONF_UNKNOWN; } -#endif /* rewrite filters */ - -#if 0 /* "matched" is not normalized */ - rargv[ 0 ] = "rewriteContext"; - rargv[ 1 ] = "matchedDn"; - rargv[ 2 ] = "alias"; - rargv[ 3 ] = "searchResult"; - rargv[ 4 ] = NULL; - rewrite_parse( info, "", ++line, 4, rargv ); -#else /* normalize "matched" */ - rargv[ 0 ] = "rewriteContext"; - rargv[ 1 ] = "matchedDn"; - rargv[ 2 ] = NULL; - rewrite_parse( info, "", ++line, 2, rargv ); - - rargv[ 0 ] = "rewriteRule"; - rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val ); - rargv[ 2 ] = suffix_massage_patternize( nvnc->bv_val ); - rargv[ 3 ] = ":"; - rargv[ 4 ] = NULL; - rewrite_parse( info, "", ++line, 4, rargv ); - ch_free( rargv[ 1 ] ); - ch_free( rargv[ 2 ] ); -#endif /* normalize "matched" */ return 0; } -#endif /* ENABLE_REWRITE */ +#endif /* LDAP_BACK_PROXY_AUTHZ */