X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsaslauthz.c;h=28044d69936965f608feceb5e7a586688e5306a8;hb=62b6b326338d5162b0f570eaeb8a227fbc5a9c62;hp=382ef1b4980c7a1e0a34a60bb18b3ea5190ac1a5;hpb=3eebd5bb21a66c1675913d53641e6f6f8d23ba89;p=openldap diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c index 382ef1b498..28044d6993 100644 --- a/servers/slapd/saslauthz.c +++ b/servers/slapd/saslauthz.c @@ -26,7 +26,6 @@ #include -#include #include "lutil.h" #define SASLREGEX_REPLACE 10 @@ -37,6 +36,7 @@ #define LDAP_X_SCOPE_SUBTREE ((ber_int_t) 0x0040) #define LDAP_X_SCOPE_ONELEVEL ((ber_int_t) 0x0050) #define LDAP_X_SCOPE_GROUP ((ber_int_t) 0x0060) +#define LDAP_X_SCOPE_USERS ((ber_int_t) 0x0070) /* * IDs in DNauthzid form can now have a type specifier, that @@ -205,13 +205,8 @@ static int slap_parseURI( Operation *op, struct berval *uri, *scope = -1; *filter = NULL; -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, ENTRY, - "slap_parseURI: parsing %s\n", uri->bv_val, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "slap_parseURI: parsing %s\n", uri->bv_val, 0, 0 ); -#endif rc = LDAP_PROTOCOL_ERROR; /* @@ -252,8 +247,9 @@ static int slap_parseURI( Operation *op, struct berval *uri, } } else { - if ( bv.bv_val[ 0 ] != ':' ) + if ( bv.bv_val[ 0 ] != ':' ) { return LDAP_PROTOCOL_ERROR; + } *scope = LDAP_X_SCOPE_EXACT; bv.bv_val++; } @@ -263,6 +259,11 @@ static int slap_parseURI( Operation *op, struct berval *uri, * and uri was not an URI... HEADS-UP: assuming EXACT */ is_dn: bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val); + /* a single '*' means any DN without using regexes */ + if ( ber_bvccmp( &bv, '*' ) ) { + *scope = LDAP_X_SCOPE_USERS; + } + switch ( *scope ) { case LDAP_X_SCOPE_EXACT: case LDAP_X_SCOPE_CHILDREN: @@ -276,6 +277,8 @@ is_dn: bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val); case LDAP_X_SCOPE_REGEX: ber_dupbv_x( nbase, &bv, op->o_tmpmemctx ); + + case LDAP_X_SCOPE_USERS: rc = LDAP_SUCCESS; break; @@ -477,16 +480,10 @@ static int slap_sasl_rx_off(char *rep, int *off) } if ( *c == '$' ) { if ( n == SASLREGEX_REPLACE ) { -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, ERR, - "slap_sasl_rx_off: \"%s\" has too many $n " - "placeholders (max %d)\n", rep, SASLREGEX_REPLACE, 0 ); -#else Debug( LDAP_DEBUG_ANY, "SASL replace pattern %s has too many $n " "placeholders (max %d)\n", rep, SASLREGEX_REPLACE, 0 ); -#endif return( LDAP_OTHER ); } @@ -545,8 +542,7 @@ int slap_sasl_regexp_rewrite_config( const char *context ) { int rc; - char *newreplace, *p; - char *argvRule[] = { "rewriteRule", NULL, NULL, "@", NULL }; + char *argvRule[] = { "rewriteRule", NULL, NULL, ":@", NULL }; /* init at first call */ if ( sasl_rwinfo == NULL ) { @@ -570,20 +566,9 @@ int slap_sasl_regexp_rewrite_config( } } - newreplace = ch_strdup( replace ); - - for (p = strchr( newreplace, '$' ); p; p = strchr( p + 1, '$' ) ) { - if ( isdigit( p[1] ) ) { - p[0] = '%'; - } else { - p++; - } - } - argvRule[1] = (char *)match; - argvRule[2] = newreplace; + argvRule[2] = (char *)replace; rc = rewrite_parse( sasl_rwinfo, fname, lineno, 4, argvRule ); - ch_free( newreplace ); return rc; } @@ -609,15 +594,9 @@ int slap_sasl_regexp_config( const char *match, const char *replace ) /* Precompile matching pattern */ rc = regcomp( ®->sr_workspace, reg->sr_match, REG_EXTENDED|REG_ICASE ); if ( rc ) { -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, ERR, - "slap_sasl_regexp_config: \"%s\" could not be compiled.\n", - reg->sr_match, 0, 0 ); -#else Debug( LDAP_DEBUG_ANY, "SASL match pattern %s could not be compiled by regexp engine\n", reg->sr_match, 0, 0 ); -#endif return( LDAP_OTHER ); } @@ -709,15 +688,9 @@ static int slap_authz_regexp( struct berval *in, struct berval *out, } else { ber_dupbv_x( out, in, ctx ); } -#ifdef NEW_LOGGING - LDAP_LOG( BACK_LDAP, DETAIL1, - "[rw] %s: \"%s\" -> \"%s\"\n", - context, in->bv_val, out->bv_val ); -#else /* !NEW_LOGGING */ Debug( LDAP_DEBUG_ARGS, "[rw] %s: \"%s\" -> \"%s\"\n", context, in->bv_val, out->bv_val ); -#endif /* !NEW_LOGGING */ return 1; case REWRITE_REGEXEC_UNWILLING: @@ -734,13 +707,8 @@ static int slap_authz_regexp( struct berval *in, struct berval *out, memset( out, 0, sizeof( *out ) ); -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, ENTRY, - "slap_authz_regexp: converting SASL name %s\n", saslname, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "slap_authz_regexp: converting SASL name %s\n", saslname, 0, 0 ); -#endif if (( saslname == NULL ) || ( nSaslRegexp == 0 )) { return( 0 ); @@ -763,15 +731,9 @@ static int slap_authz_regexp( struct berval *in, struct berval *out, slap_sasl_rx_exp( reg->sr_replace, reg->sr_offset, sr_strings, saslname, out, ctx ); -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, ENTRY, - "slap_authz_regexp: converted SASL name to %s\n", - BER_BVISEMPTY( out ) ? "" : out->bv_val, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "slap_authz_regexp: converted SASL name to %s\n", BER_BVISEMPTY( out ) ? "" : out->bv_val, 0, 0 ); -#endif return( 1 ); #endif /* ! SLAP_AUTH_REWRITE */ @@ -789,13 +751,8 @@ static int sasl_sc_sasl2dn( Operation *o, SlapReply *rs ) o->o_tmpfree(ndn->bv_val, o->o_tmpmemctx); BER_BVZERO( ndn ); -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, DETAIL1, - "slap_sc_sasl2dn: search DN returned more than 1 entry\n", 0, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "slap_sc_sasl2dn: search DN returned more than 1 entry\n", 0, 0, 0 ); -#endif return -1; } @@ -877,24 +834,16 @@ int slap_sasl_match( Operation *opx, struct berval *rule, sm.match = 0; cb.sc_private = &sm; -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, ENTRY, - "slap_sasl_match: comparing DN %s to rule %s\n", - assertDN->bv_val, rule->bv_val,0 ); -#else Debug( LDAP_DEBUG_TRACE, "===>slap_sasl_match: comparing DN %s to rule %s\n", assertDN->bv_val, rule->bv_val, 0 ); -#endif rc = slap_parseURI( opx, rule, &op.o_req_dn, - &op.o_req_ndn, &op.oq_search.rs_scope, &op.oq_search.rs_filter, + &op.o_req_ndn, &op.ors_scope, &op.ors_filter, &op.ors_filterstr ); if( rc != LDAP_SUCCESS ) goto CONCLUDED; - /* Massive shortcut: search scope == base */ - switch ( op.oq_search.rs_scope ) { - case LDAP_SCOPE_BASE: + switch ( op.ors_scope ) { case LDAP_X_SCOPE_EXACT: exact_match: if ( dn_match( &op.o_req_ndn, assertDN ) ) { @@ -912,7 +861,7 @@ exact_match: rc = LDAP_INAPPROPRIATE_AUTH; - if ( d == 0 && op.oq_search.rs_scope == LDAP_X_SCOPE_SUBTREE ) { + if ( d == 0 && op.ors_scope == LDAP_X_SCOPE_SUBTREE ) { goto exact_match; } else if ( d > 0 ) { @@ -928,7 +877,7 @@ exact_match: bv.bv_val = assertDN->bv_val + d; if ( bv.bv_val[ -1 ] == ',' && dn_match( &op.o_req_ndn, &bv ) ) { - switch ( op.oq_search.rs_scope ) { + switch ( op.ors_scope ) { case LDAP_X_SCOPE_SUBTREE: case LDAP_X_SCOPE_CHILDREN: rc = LDAP_SUCCESS; @@ -978,16 +927,16 @@ exact_match: * we need to append the so that the is searched * with scope "base", and the filter ensures that is * member of the group */ - tmp = ch_realloc( op.ors_filterstr.bv_val, - op.ors_filterstr.bv_len + assertDN->bv_len + STRLENOF( /* (( */ "))" ) + 1 ); + tmp = ch_realloc( op.ors_filterstr.bv_val, op.ors_filterstr.bv_len + + assertDN->bv_len + STRLENOF( /*"(("*/ "))" ) + 1 ); if ( tmp == NULL ) { rc = LDAP_NO_MEMORY; goto CONCLUDED; } op.ors_filterstr.bv_val = tmp; - tmp = lutil_strcopy( &tmp[ op.ors_filterstr.bv_len ], assertDN->bv_val ); - tmp = lutil_strcopy( tmp, /* (( */ "))" ); + tmp = lutil_strcopy( &tmp[op.ors_filterstr.bv_len], assertDN->bv_val ); + tmp = lutil_strcopy( tmp, /*"(("*/ "))" ); /* pass opx because str2filter_x may (and does) use o_tmpmfuncs */ op.ors_filter = str2filter_x( opx, op.ors_filterstr.bv_val ); @@ -1005,25 +954,27 @@ exact_match: break; } + case LDAP_X_SCOPE_USERS: + if ( !BER_BVISEMPTY( assertDN ) ) { + rc = LDAP_SUCCESS; + } else { + rc = LDAP_INAPPROPRIATE_AUTH; + } + goto CONCLUDED; + default: break; } /* Must run an internal search. */ - if ( op.oq_search.rs_filter == NULL ) { + if ( op.ors_filter == NULL ) { rc = LDAP_FILTER_ERROR; goto CONCLUDED; } -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, DETAIL1, - "slap_sasl_match: performing internal search (base=%s, scope=%d)\n", - op.o_req_ndn.bv_val, op.oq_search.rs_scope, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "slap_sasl_match: performing internal search (base=%s, scope=%d)\n", - op.o_req_ndn.bv_val, op.oq_search.rs_scope, 0 ); -#endif + op.o_req_ndn.bv_val, op.ors_scope, 0 ); op.o_bd = select_backend( &op.o_req_ndn, 0, 1 ); if(( op.o_bd == NULL ) || ( op.o_bd->be_search == NULL)) { @@ -1049,8 +1000,10 @@ exact_match: /* use req_ndn as req_dn instead of non-pretty base of uri */ if( !BER_BVISNULL( &op.o_req_dn ) ) ch_free( op.o_req_dn.bv_val ); ber_dupbv_x( &op.o_req_dn, &op.o_req_ndn, op.o_tmpmemctx ); - op.oq_search.rs_slimit = 1; - op.oq_search.rs_tlimit = -1; + op.ors_slimit = 1; + op.ors_tlimit = SLAP_NO_LIMIT; + op.ors_attrs = slap_anlist_no_attrs; + op.ors_attrsonly = 1; op.o_sync_slog_size = -1; op.o_bd->be_search( &op, &rs ); @@ -1064,16 +1017,11 @@ exact_match: CONCLUDED: if( !BER_BVISNULL( &op.o_req_dn ) ) slap_sl_free( op.o_req_dn.bv_val, opx->o_tmpmemctx ); if( !BER_BVISNULL( &op.o_req_ndn ) ) slap_sl_free( op.o_req_ndn.bv_val, opx->o_tmpmemctx ); - if( op.oq_search.rs_filter ) filter_free_x( opx, op.oq_search.rs_filter ); + if( op.ors_filter ) filter_free_x( opx, op.ors_filter ); if( !BER_BVISNULL( &op.ors_filterstr ) ) ch_free( op.ors_filterstr.bv_val ); -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, ENTRY, - "slap_sasl_match: comparison returned %d\n", rc, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "<===slap_sasl_match: comparison returned %d\n", rc, 0, 0); -#endif return( rc ); } @@ -1097,17 +1045,11 @@ slap_sasl_check_authz( Operation *op, int i, rc; BerVarray vals = NULL; -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, ENTRY, - "slap_sasl_check_authz: does %s match %s rule in %s?\n", - assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val); -#else Debug( LDAP_DEBUG_TRACE, "==>slap_sasl_check_authz: does %s match %s rule in %s?\n", assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val); -#endif - rc = backend_attribute( op, NULL, searchDN, ad, &vals ); + rc = backend_attribute( op, NULL, searchDN, ad, &vals, ACL_AUTH ); if( rc != LDAP_SUCCESS ) goto COMPLETE; /* Check if the *assertDN matches any *vals */ @@ -1116,15 +1058,9 @@ slap_sasl_check_authz( Operation *op, COMPLETE: if( vals ) ber_bvarray_free_x( vals, op->o_tmpmemctx ); -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, RESULTS, - "slap_sasl_check_authz: %s check returning %s\n", - ad->ad_cname.bv_val, rc, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "<==slap_sasl_check_authz: %s check returning %d\n", ad->ad_cname.bv_val, rc, 0); -#endif return( rc ); } @@ -1146,15 +1082,9 @@ void slap_sasl2dn( Operation *opx, SlapReply rs = {REP_RESULT}; struct berval regout = BER_BVNULL; -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, ENTRY, - "slap_sasl2dn: converting SASL name %s to DN.\n", - saslname->bv_val, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "==>slap_sasl2dn: " "converting SASL name %s to a DN\n", saslname->bv_val, 0,0 ); -#endif sasldn->bv_val = NULL; sasldn->bv_len = 0; @@ -1166,7 +1096,7 @@ void slap_sasl2dn( Operation *opx, } rc = slap_parseURI( opx, ®out, &op.o_req_dn, - &op.o_req_ndn, &op.oq_search.rs_scope, &op.oq_search.rs_filter, + &op.o_req_ndn, &op.ors_scope, &op.ors_filter, &op.ors_filterstr ); if ( !BER_BVISNULL( ®out ) ) slap_sl_free( regout.bv_val, opx->o_tmpmemctx ); if ( rc != LDAP_SUCCESS ) { @@ -1176,9 +1106,7 @@ void slap_sasl2dn( Operation *opx, /* Must do an internal search */ op.o_bd = select_backend( &op.o_req_ndn, 0, 1 ); - /* Massive shortcut: search scope == base */ - switch ( op.oq_search.rs_scope ) { - case LDAP_SCOPE_BASE: + switch ( op.ors_scope ) { case LDAP_X_SCOPE_EXACT: *sasldn = op.o_req_ndn; BER_BVZERO( &op.o_req_ndn ); @@ -1189,9 +1117,11 @@ void slap_sasl2dn( Operation *opx, case LDAP_X_SCOPE_CHILDREN: case LDAP_X_SCOPE_ONELEVEL: case LDAP_X_SCOPE_GROUP: + case LDAP_X_SCOPE_USERS: /* correctly parsed, but illegal */ goto FINISHED; + case LDAP_SCOPE_BASE: case LDAP_SCOPE_ONELEVEL: case LDAP_SCOPE_SUBTREE: #ifdef LDAP_SCOPE_SUBORDINATE @@ -1205,15 +1135,9 @@ void slap_sasl2dn( Operation *opx, assert( 0 ); } -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, DETAIL1, - "slap_sasl2dn: performing internal search (base=%s, scope=%d)\n", - op.o_req_ndn.bv_val, op.oq_search.rs_scope, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "slap_sasl2dn: performing internal search (base=%s, scope=%d)\n", - op.o_req_ndn.bv_val, op.oq_search.rs_scope, 0 ); -#endif + op.o_req_ndn.bv_val, op.ors_scope, 0 ); if(( op.o_bd == NULL ) || ( op.o_bd->be_search == NULL)) { goto FINISHED; @@ -1234,10 +1158,12 @@ void slap_sasl2dn( Operation *opx, #ifdef LDAP_SLAPI op.o_pb = opx->o_pb; #endif - op.oq_search.rs_deref = LDAP_DEREF_NEVER; - op.oq_search.rs_slimit = 1; - op.oq_search.rs_tlimit = -1; - op.oq_search.rs_attrsonly = 1; + op.ors_deref = LDAP_DEREF_NEVER; + op.ors_slimit = 1; + op.ors_tlimit = SLAP_NO_LIMIT; + op.ors_attrs = slap_anlist_no_attrs; + op.ors_attrsonly = 1; + op.o_sync_slog_size = -1; /* use req_ndn as req_dn instead of non-pretty base of uri */ if( !BER_BVISNULL( &op.o_req_dn ) ) ch_free( op.o_req_dn.bv_val ); ber_dupbv_x( &op.o_req_dn, &op.o_req_ndn, op.o_tmpmemctx ); @@ -1248,19 +1174,21 @@ FINISHED: if( !BER_BVISEMPTY( sasldn ) ) { opx->o_conn->c_authz_backend = op.o_bd; } - if( !BER_BVISNULL( &op.o_req_dn ) ) slap_sl_free( op.o_req_dn.bv_val, opx->o_tmpmemctx ); - if( !BER_BVISNULL( &op.o_req_ndn ) ) slap_sl_free( op.o_req_ndn.bv_val, opx->o_tmpmemctx ); - if( op.oq_search.rs_filter ) filter_free_x( opx, op.oq_search.rs_filter ); - if( !BER_BVISNULL( &op.ors_filterstr ) ) ch_free( op.ors_filterstr.bv_val ); + if( !BER_BVISNULL( &op.o_req_dn ) ) { + slap_sl_free( op.o_req_dn.bv_val, opx->o_tmpmemctx ); + } + if( !BER_BVISNULL( &op.o_req_ndn ) ) { + slap_sl_free( op.o_req_ndn.bv_val, opx->o_tmpmemctx ); + } + if( op.ors_filter ) { + filter_free_x( opx, op.ors_filter ); + } + if( !BER_BVISNULL( &op.ors_filterstr ) ) { + ch_free( op.ors_filterstr.bv_val ); + } -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, ENTRY, - "slap_sasl2dn: Converted SASL name to %s\n", - !BER_BVISEMPTY( sasldn ) ? sasldn->bv_val : "", 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "<==slap_sasl2dn: Converted SASL name to %s\n", !BER_BVISEMPTY( sasldn ) ? sasldn->bv_val : "", 0, 0 ); -#endif return; } @@ -1281,15 +1209,9 @@ int slap_sasl_authorized( Operation *op, goto DONE; } -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, ENTRY, - "slap_sasl_authorized: can %s become %s?\n", - authcDN->bv_val, authzDN->bv_val, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "==>slap_sasl_authorized: can %s become %s?\n", authcDN->bv_val, authzDN->bv_val, 0 ); -#endif /* If person is authorizing to self, succeed */ if ( dn_match( authcDN, authzDN ) ) { @@ -1327,12 +1249,8 @@ int slap_sasl_authorized( Operation *op, DONE: -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, RESULTS, "slap_sasl_authorized: return %d\n", rc,0,0 ); -#else Debug( LDAP_DEBUG_TRACE, "<== slap_sasl_authorized: return %d\n", rc, 0, 0 ); -#endif return( rc ); }