X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsaslauthz.c;h=fb4764d71b98c2d1cb319039e2cb88893b2aa2c1;hb=7fe91339dfd08d6c4168c8493f5c1f0faca6ba54;hp=66bd6a6bae13ba06d1f3a639e8f745eee467d72d;hpb=4df4d4f46cbd1b25b7d47f35e4ed54eea58b071c;p=openldap
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 66bd6a6bae..fb4764d71b 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -1,7 +1,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software .
  *
- * Copyright 1998-2006 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * Portions Copyright 2000 Mark Adamson, Carnegie Mellon.
  * All rights reserved.
  *
@@ -458,20 +458,6 @@ done:
 return( rc );
 }
 
-#if 0
-int
-authzMatch(
- int *matchp,
- slap_mask_t flags,
- Syntax *syntax,
- MatchingRule *mr,
- struct berval *value,
- void *assertedValue )
-{
- return octetStringMatch( matchp, flags, syntax, mr, value, assertedValue );
-}
-#endif
-
 static int
 authzPrettyNormal(
 struct berval *val,
@@ -1130,6 +1116,7 @@ is_dn: bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
 
 } else {
 BER_BVSTR( &group_oc, SLAPD_GROUP_CLASS );
+ BER_BVSTR( &member_at, SLAPD_GROUP_ATTR );
 }
 group_dn.bv_val++;
 group_dn.bv_len = uri->bv_len - ( group_dn.bv_val - uri->bv_val );
@@ -1239,7 +1226,7 @@ is_dn: bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
 
 done:
 if( rc != LDAP_SUCCESS ) {
- if( *filter ) filter_free_x( op, *filter );
+ if( *filter ) filter_free_x( op, *filter, 1 );
 BER_BVZERO( base );
 BER_BVZERO( fstr );
 } else {
@@ -1606,7 +1593,7 @@ static int sasl_sc_sasl2dn( Operation *op, SlapReply *rs )
 Debug( LDAP_DEBUG_TRACE,
 "%s: slap_sc_sasl2dn: search DN returned more than 1 entry\n",
 op->o_log_prefix, 0, 0 );
- return LDAP_OTHER;
+ return LDAP_UNAVAILABLE; /* short-circuit the search */
 }
 
 ber_dupbv_x( ndn, &rs->sr_entry->e_nname, op->o_tmpmemctx );
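Review bot: In the done: cleanup of the -1239/+1226 hunk the error path frees *filter but leaves the freed pointer in the caller's out-parameter, whereas base and fstr are zeroed on the next two lines; a caller that runs its own cleanup on the same variable would free it twice — slap_sasl_match's CONCLUDED label, later in this diff, frees op.ors_filter whenever it is non-NULL, and its slap_parseURI call (argument list continues beyond that hunk) appears to hand over that very variable. Suggested change: `if( *filter ) { filter_free_x( op, *filter, 1 ); *filter = NULL; }`. Whether a failure can actually occur after *filter has been parsed is not visible here, so the reset is cheap insurance either way. The enclosing function starts outside the hunk.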
@@ -1678,7 +1665,7 @@ slap_sasl_match( Operation *opx, struct berval *rule,
 
 Debug( LDAP_DEBUG_TRACE,
 "===>slap_sasl_match: comparing DN %s to rule %s\n",
- assertDN->bv_val, rule->bv_val, 0 );
+ assertDN->bv_len ? assertDN->bv_val : "(null)", rule->bv_val, 0 );
 
 /* NOTE: don't normalize rule if authz syntax is enabled */
 rc = slap_parseURI( opx, rule, &base, &op.o_req_ndn,
@@ -1712,7 +1699,7 @@ exact_match:
 
 /* leave room for at least one char of attributeType,
 * one for '=' and one for ',' */
- if ( d < STRLENOF( "x=,") ) {
+ if ( d < (int) STRLENOF( "x=,") ) {
 goto CONCLUDED;
 }
 
@@ -1819,7 +1806,7 @@ exact_match:
 "slap_sasl_match: performing internal search (base=%s, scope=%d)\n",
 op.o_req_ndn.bv_val, op.ors_scope, 0 );
 
- op.o_bd = select_backend( &op.o_req_ndn, 0, 1 );
+ op.o_bd = select_backend( &op.o_req_ndn, 1 );
 if(( op.o_bd == NULL ) || ( op.o_bd->be_search == NULL)) {
 rc = LDAP_INAPPROPRIATE_AUTH;
 goto CONCLUDED;
@@ -1856,7 +1843,7 @@ exact_match:
 CONCLUDED:
 if( !BER_BVISNULL( &op.o_req_dn ) ) slap_sl_free( op.o_req_dn.bv_val, opx->o_tmpmemctx );
 if( !BER_BVISNULL( &op.o_req_ndn ) ) slap_sl_free( op.o_req_ndn.bv_val, opx->o_tmpmemctx );
- if( op.ors_filter ) filter_free_x( opx, op.ors_filter );
+ if( op.ors_filter ) filter_free_x( opx, op.ors_filter, 1 );
 if( !BER_BVISNULL( &op.ors_filterstr ) ) ch_free( op.ors_filterstr.bv_val );
 
 Debug( LDAP_DEBUG_TRACE,
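Review bot: The new Debug argument in the -1678/+1665 hunk tests `assertDN->bv_len` by hand while the rest of this file (see the CONCLUDED block further down) uses the BER_BVIS* macros for the same kind of test; `BER_BVISEMPTY( assertDN ) ? "(null)" : assertDN->bv_val` would say the same thing in the file's own idiom. The guard covers an empty berval only, not a NULL assertDN pointer; presumably callers never pass NULL here, since the -2047/+2038 hunk rejects anonymous identities one layer up, but that is not visible from this hunk. The enclosing function starts before the hunk.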
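Review bot: The `(int)` cast added in the -1712/+1699 hunk deserves a comment, because it changes the outcome rather than merely silencing a signed/unsigned warning: STRLENOF is a size_t expression, so a negative d (d is declared outside the hunk; the cast suggests it is an int) would previously have been converted to a huge unsigned value, failed the `<` test and let the code below proceed with no room at all, whereas the signed compare now correctly rejects it. Suggest adding above the if: `/* signed compare on purpose: d can be negative, and an unsigned compare would let it through */`. The enclosing function starts and ends outside the hunk.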
@@ -1881,14 +1868,18 @@ slap_sasl_check_authz( Operation *op,
 AttributeDescription *ad,
 struct berval *authc )
 {
- int rc;
- BerVarray vals = NULL;
+ int rc,
+ do_not_cache = op->o_do_not_cache;
+ BerVarray vals = NULL;
 
 Debug( LDAP_DEBUG_TRACE,
 "==>slap_sasl_check_authz: does %s match %s rule in %s?\n",
 assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 
+ /* ITS#4760: don't cache group access */
+ op->o_do_not_cache = 1;
 rc = backend_attribute( op, NULL, searchDN, ad, &vals, ACL_AUTH );
+ op->o_do_not_cache = do_not_cache;
 if( rc != LDAP_SUCCESS ) goto COMPLETE;
 
 /* Check if the *assertDN matches any *vals */
@@ -1948,7 +1939,7 @@ slap_sasl2dn(
 }
 
 /* Must do an internal search */
- op.o_bd = select_backend( &op.o_req_ndn, 0, 1 );
+ op.o_bd = select_backend( &op.o_req_ndn, 1 );
 
 switch ( op.ors_scope ) {
 case LDAP_X_SCOPE_EXACT:
@@ -2024,7 +2015,7 @@ FINISHED:
 slap_sl_free( op.o_req_ndn.bv_val, opx->o_tmpmemctx );
 }
 if( op.ors_filter ) {
- filter_free_x( opx, op.ors_filter );
+ filter_free_x( opx, op.ors_filter, 1 );
 }
 if( !BER_BVISNULL( &op.ors_filterstr ) ) {
 ch_free( op.ors_filterstr.bv_val );
@@ -2047,11 +2038,16 @@ int slap_sasl_authorized( Operation *op,
 int rc = LDAP_INAPPROPRIATE_AUTH;
 
 /* User binding as anonymous */
- if ( authzDN == NULL ) {
+ if ( !authzDN || !authzDN->bv_len || !authzDN->bv_val ) {
 rc = LDAP_SUCCESS;
 goto DONE;
 }
 
+ /* User is anonymous */
+ if ( !authcDN || !authcDN->bv_len || !authcDN->bv_val ) {
+ goto DONE;
+ }
+
 Debug( LDAP_DEBUG_TRACE,
 "==>slap_sasl_authorized: can %s become %s?\n",
 authcDN->bv_len ? authcDN->bv_val : "(null)",
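Review bot: The declaration `int rc, do_not_cache = op->o_do_not_cache;` in the -1881/+1868 hunk spreads one declarator list over two lines with an initializer on only the second, which reads like two statements; write it as two declarations, `int rc;` and `int do_not_cache = op->o_do_not_cache;`. The ITS#4760 comment would also serve a reader better if it said what is at stake: this backend_attribute call is made with ACL_AUTH, i.e. it is an authorization decision, and letting whatever honours o_do_not_cache serve it from a cache would risk answering later authorization checks from stale membership data — e.g. `/* ITS#4760: authorization-time lookup; must not be served from or stored in a cache */`. The save/restore around the call looks correct as far as the hunk shows, since no exit lies between the two assignments.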
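Review bot: After the new `/* User is anonymous */` guard in the -2047/+2038 hunk, authcDN is guaranteed non-NULL and non-empty, so the `authcDN->bv_len ? authcDN->bv_val : "(null)"` ternary in the Debug call right below it is dead code and can become plain `authcDN->bv_val`; leaving the ternary in suggests the guard might not hold. The two guards also repeat the same three-term emptiness test by hand; the file's BER_BVISNULL/BER_BVISEMPTY macros (used elsewhere in this diff) or a one-line static helper would make the intent clearer. The second guard's comment could state its effect: `/* anonymous identity can never be authorized as someone else: rc stays LDAP_INAPPROPRIATE_AUTH */`. The function continues past the hunk.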