X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsaslauthz.c;h=b96b27256d52420827ba1e1a91e8059585cb2f1a;hb=c3960b98d3b5fbd6ebeb200ca7799ece7b766d50;hp=c31b9314381e5c6d1576daae24667c852d1131c6;hpb=d1bc820b2fe1eba80123a62b38cc252a14298265;p=openldap

diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index c31b931438..b96b27256d 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -1,7 +1,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2005 The OpenLDAP Foundation.
+ * Copyright 1998-2006 The OpenLDAP Foundation.
  * Portions Copyright 2000 Mark Adamson, Carnegie Mellon.
  * All rights reserved.
  *
@@ -202,7 +202,6 @@ int slap_parse_user( struct berval *id, struct berval *user,
 	return LDAP_SUCCESS;
 }
 
-#ifdef SLAP_AUTHZ_SYNTAX
 int
 authzValidate(
 	Syntax *syntax,
@@ -919,7 +918,6 @@ authzPretty(
 	return rc;
 }
 
-#endif /* SLAP_AUTHZ_SYNTAX */
 
 static int
 slap_parseURI(
@@ -936,9 +934,7 @@ slap_parseURI(
 	int		rc;
 	LDAPURLDesc	*ludp;
 
-#ifdef SLAP_ORDERED_PRETTYNORM
 	struct berval	idx;
-#endif /* SLAP_ORDERED_PRETTYNORM */
 
 	assert( uri != NULL && !BER_BVISNULL( uri ) );
 	BER_BVZERO( base );
@@ -952,7 +948,6 @@ slap_parseURI(
 
 	rc = LDAP_PROTOCOL_ERROR;
 
-#ifdef SLAP_ORDERED_PRETTYNORM
 	idx = *uri;
 	if ( idx.bv_val[ 0 ] == '{' ) {
 		char	*ptr;
@@ -965,7 +960,6 @@ slap_parseURI(
 		idx.bv_val = ptr;
 		uri = &idx;
 	}
-#endif /* SLAP_ORDERED_PRETTYNORM */
 
 	/*
 	 * dn[.<dnstyle>]:<dnpattern>
@@ -1136,6 +1130,7 @@ is_dn:		bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
 
 		} else {
 			BER_BVSTR( &group_oc, SLAPD_GROUP_CLASS );
+			BER_BVSTR( &member_at, SLAPD_GROUP_ATTR );
 		}
 		group_dn.bv_val++;
 		group_dn.bv_len = uri->bv_len - ( group_dn.bv_val - uri->bv_val );
@@ -1319,7 +1314,8 @@ int slap_sasl_rewrite_config(
 	return rc;
 }
 
-int slap_sasl_rewrite_destroy( void )
+static int
+slap_sasl_rewrite_destroy( void )
 {
 	if ( sasl_rwinfo ) {
 		rewrite_info_delete( &sasl_rwinfo );
@@ -1379,38 +1375,59 @@ int slap_sasl_regexp_config( const char *match, const char *replace )
 
 	reg = &SaslRegexp[nSaslRegexp];
 
-	reg->sr_match = ch_strdup( match );
-	reg->sr_replace = ch_strdup( replace );
-
 #ifdef SLAP_AUTH_REWRITE
 	rc = slap_sasl_regexp_rewrite_config( "sasl-regexp", 0,
 			match, replace, AUTHID_CONTEXT );
-	if ( rc == LDAP_SUCCESS ) nSaslRegexp++;
-	return rc;
 #else /* ! SLAP_AUTH_REWRITE */
 
 	/* Precompile matching pattern */
-	rc = regcomp( &reg->sr_workspace, reg->sr_match, REG_EXTENDED|REG_ICASE );
+	rc = regcomp( &reg->sr_workspace, match, REG_EXTENDED|REG_ICASE );
 	if ( rc ) {
 		Debug( LDAP_DEBUG_ANY,
-		"SASL match pattern %s could not be compiled by regexp engine\n",
-		reg->sr_match, 0, 0 );
+			"SASL match pattern %s could not be compiled by regexp engine\n",
+			match, 0, 0 );
 
 #ifdef ENABLE_REWRITE
-	/* Dummy block to force symbol references in librewrite */
-	if ( slapMode == ( SLAP_SERVER_MODE|SLAP_TOOL_MODE )) {
-		rewrite_info_init( 0 );
-	}
+		/* Dummy block to force symbol references in librewrite */
+		if ( slapMode == ( SLAP_SERVER_MODE|SLAP_TOOL_MODE )) {
+			rewrite_info_init( 0 );
+		}
 #endif
 		return( LDAP_OTHER );
 	}
 
-	rc = slap_sasl_rx_off( reg->sr_replace, reg->sr_offset );
-	if ( rc != LDAP_SUCCESS ) return rc;
-
-	nSaslRegexp++;
-	return( LDAP_SUCCESS );
+	rc = slap_sasl_rx_off( replace, reg->sr_offset );
 #endif /* ! SLAP_AUTH_REWRITE */
+	if ( rc == LDAP_SUCCESS ) {
+		reg->sr_match = ch_strdup( match );
+		reg->sr_replace = ch_strdup( replace );
+
+		nSaslRegexp++;
+	}
+
+	return rc;
+}
+
+void
+slap_sasl_regexp_destroy( void )
+{
+	if ( SaslRegexp ) {
+		int	n;
+
+		for ( n = 0; n < nSaslRegexp; n++ ) {
+			ch_free( SaslRegexp[ n ].sr_match );
+			ch_free( SaslRegexp[ n ].sr_replace );
+#ifndef SLAP_AUTH_REWRITE
+			regfree( &SaslRegexp[ n ].sr_workspace );
+#endif /* SLAP_AUTH_REWRITE */
+		}
+
+		ch_free( SaslRegexp );
+	}
+
+#ifdef SLAP_AUTH_REWRITE
+	slap_sasl_rewrite_destroy();
+#endif /* SLAP_AUTH_REWRITE */
 }
 
 void slap_sasl_regexp_unparse( BerVarray *out )
@@ -1576,24 +1593,25 @@ static int slap_authz_regexp( struct berval *in, struct berval *out,
 }
 
 /* This callback actually does some work...*/
-static int sasl_sc_sasl2dn( Operation *o, SlapReply *rs )
+static int sasl_sc_sasl2dn( Operation *op, SlapReply *rs )
 {
-	struct berval *ndn = o->o_callback->sc_private;
+	struct berval *ndn = op->o_callback->sc_private;
 
-	if (rs->sr_type != REP_SEARCH) return 0;
+	if ( rs->sr_type != REP_SEARCH ) return LDAP_SUCCESS;
 
 	/* We only want to be called once */
 	if ( !BER_BVISNULL( ndn ) ) {
-		o->o_tmpfree(ndn->bv_val, o->o_tmpmemctx);
+		op->o_tmpfree( ndn->bv_val, op->o_tmpmemctx );
 		BER_BVZERO( ndn );
 
 		Debug( LDAP_DEBUG_TRACE,
-			"slap_sc_sasl2dn: search DN returned more than 1 entry\n", 0, 0, 0 );
-		return -1;
+			"%s: slap_sc_sasl2dn: search DN returned more than 1 entry\n",
+			op->o_log_prefix, 0, 0 );
+		return LDAP_UNAVAILABLE; /* short-circuit the search */
 	}
 
-	ber_dupbv_x(ndn, &rs->sr_entry->e_nname, o->o_tmpmemctx);
-	return 0;
+	ber_dupbv_x( ndn, &rs->sr_entry->e_nname, op->o_tmpmemctx );
+	return LDAP_SUCCESS;
 }
 
 
@@ -1606,23 +1624,11 @@ static int sasl_sc_smatch( Operation *o, SlapReply *rs )
 {
 	smatch_info *sm = o->o_callback->sc_private;
 
-	if ( rs->sr_type != REP_SEARCH ) {
-		if ( rs->sr_err != LDAP_SUCCESS ) {
-			sm->match = -1;
-		}
-		return 0;
-	}
-
-	if ( sm->match == 1 ) {
-		sm->match = -1;
-		return 0;
-	}
+	if (rs->sr_type != REP_SEARCH) return 0;
 
 	if (dn_match(sm->dn, &rs->sr_entry->e_nname)) {
 		sm->match = 1;
-
-	} else {
-		sm->match = -1;
+		return LDAP_UNAVAILABLE;	/* short-circuit the search */
 	}
 
 	return 0;
@@ -1677,13 +1683,7 @@ slap_sasl_match( Operation *opx, struct berval *rule,
 
 	/* NOTE: don't normalize rule if authz syntax is enabled */
 	rc = slap_parseURI( opx, rule, &base, &op.o_req_ndn,
-		&op.ors_scope, &op.ors_filter, &op.ors_filterstr, 
-#ifdef SLAP_AUTHZ_SYNTAX
-		0
-#else /* ! SLAP_AUTHZ_SYNTAX */
-		1
-#endif /* ! SLAP_AUTHZ_SYNTAX */
-		);
+		&op.ors_scope, &op.ors_filter, &op.ors_filterstr, 0 );
 
 	if( rc != LDAP_SUCCESS ) goto CONCLUDED;
 
@@ -1848,7 +1848,7 @@ exact_match:
 
 	op.o_bd->be_search( &op, &rs );
 
-	if (sm.match == 1) {
+	if (sm.match) {
 		rc = LDAP_SUCCESS;
 	} else {
 		rc = LDAP_INAPPROPRIATE_AUTH;
@@ -1882,14 +1882,18 @@ slap_sasl_check_authz( Operation *op,
 	AttributeDescription *ad,
 	struct berval *authc )
 {
-	int rc;
-	BerVarray vals = NULL;
+	int		rc,
+			do_not_cache = op->o_do_not_cache;
+	BerVarray	vals = NULL;
 
 	Debug( LDAP_DEBUG_TRACE,
 	   "==>slap_sasl_check_authz: does %s match %s rule in %s?\n",
 	   assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 
+	/* ITS#4760: don't cache group access */
+	op->o_do_not_cache = 1;
 	rc = backend_attribute( op, NULL, searchDN, ad, &vals, ACL_AUTH );
+	op->o_do_not_cache = do_not_cache;
 	if( rc != LDAP_SUCCESS ) goto COMPLETE;
 
 	/* Check if the *assertDN matches any *vals */