X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsaslauthz.c;h=fb4764d71b98c2d1cb319039e2cb88893b2aa2c1;hb=7fe91339dfd08d6c4168c8493f5c1f0faca6ba54;hp=b96b27256d52420827ba1e1a91e8059585cb2f1a;hpb=0981516abf52950914b907b1cfedb305bb2d6f90;p=openldap
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index b96b27256d..fb4764d71b 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -1,7 +1,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software .
 *
- * Copyright 1998-2006 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
 * Portions Copyright 2000 Mark Adamson, Carnegie Mellon.
 * All rights reserved.
 *
@@ -458,20 +458,6 @@ done:
 return( rc );
 }
 
-#if 0
-int
-authzMatch(
- int *matchp,
- slap_mask_t flags,
- Syntax *syntax,
- MatchingRule *mr,
- struct berval *value,
- void *assertedValue )
-{
- return octetStringMatch( matchp, flags, syntax, mr, value, assertedValue );
-}
-#endif
-
 static int
 authzPrettyNormal(
 struct berval *val,
@@ -1240,7 +1226,7 @@ is_dn:
 bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
 done:
 if( rc != LDAP_SUCCESS ) {
- if( *filter ) filter_free_x( op, *filter );
+ if( *filter ) filter_free_x( op, *filter, 1 );
 BER_BVZERO( base );
 BER_BVZERO( fstr );
 } else {
@@ -1679,7 +1665,7 @@ slap_sasl_match( Operation *opx, struct berval *rule,

 Debug( LDAP_DEBUG_TRACE,
 "===>slap_sasl_match: comparing DN %s to rule %s\n",
- assertDN->bv_val, rule->bv_val, 0 );
+ assertDN->bv_len ? assertDN->bv_val : "(null)", rule->bv_val, 0 );

 /* NOTE: don't normalize rule if authz syntax is enabled */
 rc = slap_parseURI( opx, rule, &base, &op.o_req_ndn,
@@ -1713,7 +1699,7 @@ exact_match:

 /* leave room for at least one char of attributeType,
 * one for '=' and one for ',' */
- if ( d < STRLENOF( "x=,") ) {
+ if ( d < (int) STRLENOF( "x=,") ) {
 goto CONCLUDED;
 }
 
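Review bot: The added `(int)` cast in `if ( d < (int) STRLENOF( "x=,") ) {` is load-bearing rather than cosmetic: it keeps the comparison signed, so a negative `d` (asserted DN shorter than the matched base) is rejected here instead of being converted to a large unsigned value and slipping past the check, yet nothing in the hunk says so and a later cleanup could drop it as noise. A one-line comment above the test would pin the intent: `/* d may be negative; keep the comparison signed */`. This assumes `d` is an int computed as a length difference; its declaration and assignment, and the rest of the exact_match block, are outside the hunk.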
@@ -1820,7 +1806,7 @@ exact_match:
 "slap_sasl_match: performing internal search (base=%s, scope=%d)\n",
 op.o_req_ndn.bv_val, op.ors_scope, 0 );
 
- op.o_bd = select_backend( &op.o_req_ndn, 0, 1 );
+ op.o_bd = select_backend( &op.o_req_ndn, 1 );
 if(( op.o_bd == NULL ) || ( op.o_bd->be_search == NULL)) {
 rc = LDAP_INAPPROPRIATE_AUTH;
 goto CONCLUDED;
@@ -1857,7 +1843,7 @@ exact_match:
 CONCLUDED:
 if( !BER_BVISNULL( &op.o_req_dn ) ) slap_sl_free( op.o_req_dn.bv_val, opx->o_tmpmemctx );
 if( !BER_BVISNULL( &op.o_req_ndn ) ) slap_sl_free( op.o_req_ndn.bv_val, opx->o_tmpmemctx );
- if( op.ors_filter ) filter_free_x( opx, op.ors_filter );
+ if( op.ors_filter ) filter_free_x( opx, op.ors_filter, 1 );
 if( !BER_BVISNULL( &op.ors_filterstr ) ) ch_free( op.ors_filterstr.bv_val );

 Debug( LDAP_DEBUG_TRACE,
@@ -1953,7 +1939,7 @@ slap_sasl2dn(
 }

 /* Must do an internal search */
- op.o_bd = select_backend( &op.o_req_ndn, 0, 1 );
+ op.o_bd = select_backend( &op.o_req_ndn, 1 );

 switch ( op.ors_scope ) {
 case LDAP_X_SCOPE_EXACT:
@@ -2029,7 +2015,7 @@ FINISHED:
 slap_sl_free( op.o_req_ndn.bv_val, opx->o_tmpmemctx );
 }
 if( op.ors_filter ) {
- filter_free_x( opx, op.ors_filter );
+ filter_free_x( opx, op.ors_filter, 1 );
 }
 if( !BER_BVISNULL( &op.ors_filterstr ) ) {
 ch_free( op.ors_filterstr.bv_val );
@@ -2052,11 +2038,16 @@ int slap_sasl_authorized( Operation *op,
 int rc = LDAP_INAPPROPRIATE_AUTH;

 /* User binding as anonymous */
- if ( authzDN == NULL ) {
+ if ( !authzDN || !authzDN->bv_len || !authzDN->bv_val ) {
 rc = LDAP_SUCCESS;
 goto DONE;
 }
 
+ /* User is anonymous */
+ if ( !authcDN || !authcDN->bv_len || !authcDN->bv_val ) {
+ goto DONE;
+ }
+
 Debug( LDAP_DEBUG_TRACE,
 "==>slap_sasl_authorized: can %s become %s?\n",
 authcDN->bv_len ? authcDN->bv_val : "(null)",
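Review bot: The new `/* User is anonymous */` guard jumps to DONE before the trace `Debug( LDAP_DEBUG_TRACE, "==>slap_sasl_authorized: can %s become %s?\n", ...)` below it, so an anonymous client's attempt to assert a non-empty authzDN is refused (rc stays `LDAP_INAPPROPRIATE_AUTH`, assuming DONE returns it unchanged — the label is outside the hunk) without leaving any trace output, which makes such attempts hard to spot in debug logs. Consider logging the refusal before the jump, e.g. `Debug( LDAP_DEBUG_TRACE, "==>slap_sasl_authorized: anonymous cannot become %s\n", authzDN->bv_val, 0, 0 );` — `authzDN->bv_val` is known non-NULL at that point because the first guard already returned on an empty authzDN. With the new guard in place, the `authcDN->bv_len ? authcDN->bv_val : "(null)"` hedge in the Debug that follows can no longer take its `"(null)"` arm and could be simplified to `authcDN->bv_val`; the matching hedge added for assertDN in the slap_sasl_match hunk at -1679 has no such guard and is still needed. The remainder of slap_sasl_authorized is outside the hunk.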