X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsaslauthz.c;h=001c0ecdb0935eb941f20a96f72d5526e673cad9;hb=4a107089d82ecdaca788fc6ecdef34d3d4fc19df;hp=3faedc8ff1e75cdcbdc55e8132edcec83f45d3c3;hpb=3a5bde98ba61a853f4305d6c844f4aad439c8a4a;p=openldap

diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 3faedc8ff1..001c0ecdb0 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -1,7 +1,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2004 The OpenLDAP Foundation.
+ * Copyright 1998-2005 The OpenLDAP Foundation.
  * Portions Copyright 2000 Mark Adamson, Carnegie Mellon.
  * All rights reserved.
  *
@@ -17,6 +17,9 @@
 #include "portable.h"
 
 #include <stdio.h>
+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif
 
 #include <ac/stdlib.h>
 #include <ac/string.h>
@@ -24,8 +27,6 @@
 
 #include "slap.h"
 
-#include <limits.h>
-
 #include "lutil.h"
 
 #define SASLREGEX_REPLACE 10
@@ -87,6 +88,10 @@ struct rewrite_info	*sasl_rwinfo = NULL;
 #define	SASL_AUTHZ_TO	0x02
 #define SASL_AUTHZ_AND	0x10
 
+static const char *policy_txt[] = {
+	"none", "from", "to", "any"
+};
+
 static int authz_policy = SASL_AUTHZ_NONE;
 
 static
@@ -113,6 +118,14 @@ int slap_sasl_setpolicy( const char *arg )
 	return rc;
 }
 
+const char * slap_sasl_getpolicy()
+{
+	if ( authz_policy == (SASL_AUTHZ_FROM | SASL_AUTHZ_TO | SASL_AUTHZ_AND) )
+		return "all";
+	else
+		return policy_txt[authz_policy];
+}
+
 int slap_parse_user( struct berval *id, struct berval *user,
 		struct berval *realm, struct berval *mech )
 {
@@ -411,6 +424,13 @@ is_dn:		bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
 	rc = ldap_url_parse( uri->bv_val, &ludp );
 	switch ( rc ) {
 	case LDAP_URL_SUCCESS:
+		/* FIXME: the check is pedantic, but I think it's necessary,
+		 * because people tend to use things like ldaps:// which
+		 * gives the idea SSL is being used.  Maybe we could
+		 * accept ldapi:// as well, but the point is that we use
+		 * an URL as an easy means to define bits of a search with
+		 * little parsing.
+		 */
 		if ( strcasecmp( ludp->lud_scheme, "ldap" ) != 0 ) {
 			/*
 			 * must be ldap:///
@@ -585,10 +605,6 @@ int slap_sasl_regexp_rewrite_config(
 
 int slap_sasl_regexp_config( const char *match, const char *replace )
 {
-#ifdef SLAP_AUTH_REWRITE
-	return slap_sasl_regexp_rewrite_config( "sasl-regexp", 0,
-			match, replace, AUTHID_CONTEXT );
-#else /* ! SLAP_AUTH_REWRITE */
 	int rc;
 	SaslRegexp_t *reg;
 
@@ -600,6 +616,13 @@ int slap_sasl_regexp_config( const char *match, const char *replace )
 	reg->sr_match = ch_strdup( match );
 	reg->sr_replace = ch_strdup( replace );
 
+#ifdef SLAP_AUTH_REWRITE
+	rc = slap_sasl_regexp_rewrite_config( "sasl-regexp", 0,
+			match, replace, AUTHID_CONTEXT );
+	if ( rc == LDAP_SUCCESS ) nSaslRegexp++;
+	return rc;
+#else /* ! SLAP_AUTH_REWRITE */
+
 	/* Precompile matching pattern */
 	rc = regcomp( &reg->sr_workspace, reg->sr_match, REG_EXTENDED|REG_ICASE );
 	if ( rc ) {
@@ -618,6 +641,35 @@ int slap_sasl_regexp_config( const char *match, const char *replace )
 #endif /* ! SLAP_AUTH_REWRITE */
 }
 
+void slap_sasl_regexp_unparse( BerVarray *out )
+{
+	int i;
+	struct berval bv;
+	BerVarray bva = NULL;
+	char ibuf[32], *ptr;
+	struct berval idx;
+
+	if ( !nSaslRegexp ) return;
+
+	idx.bv_val = ibuf;
+	bva = ch_malloc( (nSaslRegexp+1) * sizeof(struct berval) );
+	BER_BVZERO(bva+nSaslRegexp);
+	for ( i=0; i<nSaslRegexp; i++ ) {
+		idx.bv_len = sprintf( idx.bv_val, "{%d}", i);
+		bva[i].bv_len = idx.bv_len + strlen( SaslRegexp[i].sr_match ) +
+			strlen( SaslRegexp[i].sr_replace ) + 5;
+		bva[i].bv_val = ch_malloc( bva[i].bv_len+1 );
+		ptr = lutil_strcopy( bva[i].bv_val, ibuf );
+		*ptr++ = '"';
+		ptr = lutil_strcopy( ptr, SaslRegexp[i].sr_match );
+		ptr = lutil_strcopy( ptr, "\" \"" );
+		ptr = lutil_strcopy( ptr, SaslRegexp[i].sr_replace );
+		*ptr++ = '"';
+		*ptr = '\0';
+	}
+	*out = bva;
+}
+
 /* Perform replacement on regexp matches */
 static void slap_sasl_rx_exp(
 	const char *rep,
@@ -693,7 +745,9 @@ static int slap_authz_regexp( struct berval *in, struct berval *out,
 		if ( !BER_BVISNULL( out ) ) {
 			char *val = out->bv_val;
 			ber_str2bv_x( val, 0, 1, out, ctx );
-			free( val );
+			if ( val != in->bv_val ) {
+				free( val );
+			}
 		} else {
 			ber_dupbv_x( out, in, ctx );
 		}
@@ -992,21 +1046,13 @@ exact_match:
 		goto CONCLUDED;
 	}
 
+	op.o_hdr = opx->o_hdr;
 	op.o_tag = LDAP_REQ_SEARCH;
-	op.o_protocol = LDAP_VERSION3;
 	op.o_ndn = *authc;
 	op.o_callback = &cb;
 	op.o_time = slap_get_time();
 	op.o_do_not_cache = 1;
 	op.o_is_auth_check = 1;
-	op.o_threadctx = opx->o_threadctx;
-	op.o_tmpmemctx = opx->o_tmpmemctx;
-	op.o_tmpmfuncs = opx->o_tmpmfuncs;
-#ifdef LDAP_SLAPI
-	op.o_pb = opx->o_pb;
-#endif
-	op.o_conn = opx->o_conn;
-	op.o_connid = opx->o_connid;
 	/* use req_ndn as req_dn instead of non-pretty base of uri */
 	if( !BER_BVISNULL( &base ) ) {
 		ch_free( base.bv_val );
@@ -1014,6 +1060,7 @@ exact_match:
 		BER_BVZERO( &base );
 	}
 	ber_dupbv_x( &op.o_req_dn, &op.o_req_ndn, op.o_tmpmemctx );
+	op.ors_deref = LDAP_DEREF_NEVER;
 	op.ors_slimit = 1;
 	op.ors_tlimit = SLAP_NO_LIMIT;
 	op.ors_attrs = slap_anlist_no_attrs;
@@ -1100,8 +1147,7 @@ void slap_sasl2dn( Operation *opx,
 		"converting SASL name %s to a DN\n",
 		saslname->bv_val, 0,0 );
 
-	sasldn->bv_val = NULL;
-	sasldn->bv_len = 0;
+	BER_BVZERO( sasldn );
 	cb.sc_private = sasldn;
 
 	/* Convert the SASL name into a minimal URI */
@@ -1163,21 +1209,13 @@ void slap_sasl2dn( Operation *opx,
 		goto FINISHED;
 	}
 
-	op.o_conn = opx->o_conn;
-	op.o_connid = opx->o_connid;
+	op.o_hdr = opx->o_hdr;
 	op.o_tag = LDAP_REQ_SEARCH;
-	op.o_protocol = LDAP_VERSION3;
 	op.o_ndn = opx->o_conn->c_ndn;
 	op.o_callback = &cb;
 	op.o_time = slap_get_time();
 	op.o_do_not_cache = 1;
 	op.o_is_auth_check = 1;
-	op.o_threadctx = opx->o_threadctx;
-	op.o_tmpmemctx = opx->o_tmpmemctx;
-	op.o_tmpmfuncs = opx->o_tmpmfuncs;
-#ifdef LDAP_SLAPI
-	op.o_pb = opx->o_pb;
-#endif
 	op.ors_deref = LDAP_DEREF_NEVER;
 	op.ors_slimit = 1;
 	op.ors_tlimit = SLAP_NO_LIMIT;