X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsaslauthz.c;h=b96b27256d52420827ba1e1a91e8059585cb2f1a;hb=c3960b98d3b5fbd6ebeb200ca7799ece7b766d50;hp=dec004141559283d05ee695bce7fb38c17f21a5f;hpb=004b69d070cd366167100a13b18e22b7c0b6c270;p=openldap
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index dec0041415..b96b27256d 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -1130,6 +1130,7 @@ is_dn:
 bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
 } else {
 BER_BVSTR( &group_oc, SLAPD_GROUP_CLASS );
+ BER_BVSTR( &member_at, SLAPD_GROUP_ATTR );
 }
 group_dn.bv_val++;
 group_dn.bv_len = uri->bv_len - ( group_dn.bv_val - uri->bv_val );
@@ -1313,7 +1314,8 @@ int slap_sasl_rewrite_config(
 return rc;
 }
 
-int slap_sasl_rewrite_destroy( void )
+static int
+slap_sasl_rewrite_destroy( void )
 {
 if ( sasl_rwinfo ) {
 rewrite_info_delete( &sasl_rwinfo );
@@ -1373,38 +1375,59 @@ int slap_sasl_regexp_config( const char *match, const char *replace ) reg = &SaslRegexp[nSaslRegexp]; - reg->sr_match = ch_strdup( match ); - reg->sr_replace = ch_strdup( replace ); - #ifdef SLAP_AUTH_REWRITE rc = slap_sasl_regexp_rewrite_config( "sasl-regexp", 0, match, replace, AUTHID_CONTEXT ); - if ( rc == LDAP_SUCCESS ) nSaslRegexp++; - return rc; #else /* ! SLAP_AUTH_REWRITE */ /* Precompile matching pattern */ - rc = regcomp( ®->sr_workspace, reg->sr_match, REG_EXTENDED|REG_ICASE ); + rc = regcomp( ®->sr_workspace, match, REG_EXTENDED|REG_ICASE ); if ( rc ) { Debug( LDAP_DEBUG_ANY, - "SASL match pattern %s could not be compiled by regexp engine\n", - reg->sr_match, 0, 0 ); + "SASL match pattern %s could not be compiled by regexp engine\n", + match, 0, 0 ); #ifdef ENABLE_REWRITE - /* Dummy block to force symbol references in librewrite */ - if ( slapMode == ( SLAP_SERVER_MODE|SLAP_TOOL_MODE )) { - rewrite_info_init( 0 ); - } + /* Dummy block to force symbol references in librewrite */ + if ( slapMode == ( SLAP_SERVER_MODE|SLAP_TOOL_MODE )) { + rewrite_info_init( 0 ); + } #endif return( LDAP_OTHER ); } - rc = slap_sasl_rx_off( reg->sr_replace, reg->sr_offset ); - if ( rc != LDAP_SUCCESS ) return rc; - - nSaslRegexp++; - return( LDAP_SUCCESS ); + rc = slap_sasl_rx_off( replace, reg->sr_offset ); #endif /* ! 
SLAP_AUTH_REWRITE */ + if ( rc == LDAP_SUCCESS ) { + reg->sr_match = ch_strdup( match ); + reg->sr_replace = ch_strdup( replace ); + + nSaslRegexp++; + } + + return rc; +} + +void +slap_sasl_regexp_destroy( void ) +{ + if ( SaslRegexp ) { + int n; + + for ( n = 0; n < nSaslRegexp; n++ ) { + ch_free( SaslRegexp[ n ].sr_match ); + ch_free( SaslRegexp[ n ].sr_replace ); +#ifndef SLAP_AUTH_REWRITE + regfree( &SaslRegexp[ n ].sr_workspace ); +#endif /* SLAP_AUTH_REWRITE */ + } + + ch_free( SaslRegexp ); + } + +#ifdef SLAP_AUTH_REWRITE + slap_sasl_rewrite_destroy(); +#endif /* SLAP_AUTH_REWRITE */ } void slap_sasl_regexp_unparse( BerVarray *out ) @@ -1584,7 +1607,7 @@ static int sasl_sc_sasl2dn( Operation *op, SlapReply *rs ) Debug( LDAP_DEBUG_TRACE, "%s: slap_sc_sasl2dn: search DN returned more than 1 entry\n", op->o_log_prefix, 0, 0 ); - return LDAP_OTHER; + return LDAP_UNAVAILABLE; /* short-circuit the search */ } ber_dupbv_x( ndn, &rs->sr_entry->e_nname, op->o_tmpmemctx ); @@ -1601,23 +1624,11 @@ static int sasl_sc_smatch( Operation *o, SlapReply *rs ) { smatch_info *sm = o->o_callback->sc_private; - if ( rs->sr_type != REP_SEARCH ) { - if ( rs->sr_err != LDAP_SUCCESS ) { - sm->match = -1; - } - return 0; - } - - if ( sm->match == 1 ) { - sm->match = -1; - return 0; - } + if (rs->sr_type != REP_SEARCH) return 0; if (dn_match(sm->dn, &rs->sr_entry->e_nname)) { sm->match = 1; - - } else { - sm->match = -1; + return LDAP_UNAVAILABLE; /* short-circuit the search */ } return 0; @@ -1837,7 +1848,7 @@ exact_match: op.o_bd->be_search( &op, &rs ); - if (sm.match == 1) { + if (sm.match) { rc = LDAP_SUCCESS; } else { rc = LDAP_INAPPROPRIATE_AUTH; 
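Review bot: The new slap_sasl_regexp_destroy() frees `SaslRegexp` but leaves the global pointer dangling and `nSaslRegexp` unchanged, so a second call double-frees the array and, if slap_sasl_regexp_config() is reached again afterwards (presumably the case on a config reload), the next append reallocs freed memory. After `ch_free( SaslRegexp );` add `SaslRegexp = NULL;` and `nSaslRegexp = 0;`. In slap_sasl_regexp_config() the non-rewrite branch also leaks the compiled pattern when slap_sasl_rx_off() fails: `sr_workspace` has already been regcomp'ed, but `nSaslRegexp` is not advanced, so the destroy loop never reaches that slot; add `if ( rc != LDAP_SUCCESS ) regfree( &reg->sr_workspace );` directly after the rx_off call, still inside the `#else` block. The start of slap_sasl_regexp_config(), including the realloc that grows `SaslRegexp`, is outside the hunk.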
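Review bot: On the more-than-one-entry path of sasl_sc_sasl2dn() the callback now returns LDAP_UNAVAILABLE, but `ndn` still holds the DN duplicated for the first entry (the `ber_dupbv_x` below), so unless the caller discards it on that error an ambiguous identity mapping resolves to whichever entry came back first, which is exactly what this branch is meant to reject. Release and clear it before bailing out: `op->o_tmpfree( ndn->bv_val, op->o_tmpmemctx );` and `BER_BVZERO( ndn );` ahead of `return LDAP_UNAVAILABLE;`. The condition guarding this branch and the rest of the callback are outside the hunk, so confirm that slap_sasl2dn() does not already clear `ndn` when be_search() comes back with that error.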
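Review bot: sasl_sc_smatch() no longer records search failures — the removed branch set `sm->match = -1` when `rs->sr_err != LDAP_SUCCESS`, while the new code drops every non-REP_SEARCH reply — so fail-closed behaviour now rests entirely on the caller zeroing `sm.match` before be_search(); that initialisation is outside this hunk and should be confirmed, otherwise a failed search could read as a match in the `if (sm.match)` test of the later hunk. Because the callback now only ever raises the flag and aborts the search on the first dn_match(), a comment above the function would save the next reader from re-deriving the contract: `/* Stops the search on the first entry whose DN equals sm->dn; sm->match is only ever set to 1, so the caller must zero it beforehand. */`. The function's opening brace is in the hunk; its caller is not.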
@@ -1871,14 +1882,18 @@ slap_sasl_check_authz( Operation *op, AttributeDescription *ad, struct berval *authc ) { - int rc; - BerVarray vals = NULL; + int rc, + do_not_cache = op->o_do_not_cache; + BerVarray vals = NULL; Debug( LDAP_DEBUG_TRACE, "==>slap_sasl_check_authz: does %s match %s rule in %s?\n", assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val); + /* ITS#4760: don't cache group access */ + op->o_do_not_cache = 1; rc = backend_attribute( op, NULL, searchDN, ad, &vals, ACL_AUTH ); + op->o_do_not_cache = do_not_cache; if( rc != LDAP_SUCCESS ) goto COMPLETE; /* Check if the *assertDN matches any *vals */
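Review bot: The `/* ITS#4760: don't cache group access */` comment above the new `op->o_do_not_cache = 1;` names the ticket but not the reason, and the call it guards is an authorization lookup (`backend_attribute( ..., ACL_AUTH )` of the authz attribute on `searchDN`), so the next reader should not have to dig the ticket up; suggest `/* ITS#4760: authz lookups must neither be served from nor populate a cache, or a stale value could still grant access after it was changed; the caller's setting is restored below */`, with the intent hedged since it is inferred from the ticket reference rather than shown here. The save/restore correctly brackets the single call and `goto COMPLETE` comes after the restore, so no path leaves the flag set. The multi-line `int rc, do_not_cache = op->o_do_not_cache;` declaration is harder to scan than two separate ones, `int rc;` and `int do_not_cache = op->o_do_not_cache;`. The function's signature and the COMPLETE label are outside the hunk.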