.I saslAuthzTo
attribute of the authentication DN.
The
-.B both
-flag will allow both of the above. The rules are simply regular expressions
-specifying which DNs are allowed to perform proxy authorization. The
+.B any
+flag, an alias for the deprecated value of
+.BR both ,
+will allow any of the above, whatever succeeds first (checked in
+.BR to ,
+.B from
+sequence.
+The
+.B all
+flag requires both authorizations to succeed.
+The rules are simply regular expressions specifying which DNs are allowed
+to perform proxy authorization.
+The
.I saslAuthzFrom
attribute in an entry specifies which other users
are allowed to proxy login to this entry. The
static SaslRegexp_t *SaslRegexp = NULL;
/* What SASL proxy authorization policies are allowed? */
-#define SASL_AUTHZ_NONE 0
-#define SASL_AUTHZ_FROM 1
-#define SASL_AUTHZ_TO 2
+#define SASL_AUTHZ_NONE 0x00
+#define SASL_AUTHZ_FROM 0x01
+#define SASL_AUTHZ_TO 0x02
+#define SASL_AUTHZ_AND 0x10
static int authz_policy = SASL_AUTHZ_NONE;
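Review bot: `SASL_AUTHZ_AND` is a modifier bit rather than a policy of its own, and the existing comment above the defines ("What SASL proxy authorization policies are allowed?") does not say so. A comment on the `0x10` line such as `/* modifier: every enabled check must succeed, not just the first */` would make clear that it is only meaningful when combined with `SASL_AUTHZ_FROM | SASL_AUTHZ_TO`. It would also remind readers that `authz_policy` has to be tested with `&`, not compared with `==`, now that the values are bit flags.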
authz_policy = SASL_AUTHZ_FROM;
} else if ( strcasecmp( arg, "to" ) == 0 ) {
authz_policy = SASL_AUTHZ_TO;
- } else if ( strcasecmp( arg, "both" ) == 0 ) {
+ } else if ( strcasecmp( arg, "both" ) == 0 || strcasecmp( arg, "any" ) == 0 ) {
authz_policy = SASL_AUTHZ_FROM | SASL_AUTHZ_TO;
+ } else if ( strcasecmp( arg, "all" ) == 0 ) {
+ authz_policy = SASL_AUTHZ_FROM | SASL_AUTHZ_TO | SASL_AUTHZ_AND;
} else {
rc = LDAP_OTHER;
}
if( authz_policy & SASL_AUTHZ_TO ) {
rc = slap_sasl_check_authz( op, authcDN, authzDN,
slap_schema.si_ad_saslAuthzTo, authcDN );
- if( rc == LDAP_SUCCESS ) {
+ if( rc == LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND) ) {
goto DONE;
}
}
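Review bot: In `all` mode a failed saslAuthzTo check is not terminal here: the extra `!(authz_policy & SASL_AUTHZ_AND)` term only suppresses the early `goto DONE` on success, so when `SASL_AUTHZ_AND` is set and `rc` is a failure, control still falls out of this block. The rest of the function is outside the hunk, but if the saslAuthzFrom check that follows reassigns `rc`, a match there would overwrite the earlier failure and grant proxy authorization with only one of the two rules satisfied, contrary to the documented "requires both authorizations to succeed". Consider adding `if( rc != LDAP_SUCCESS && (authz_policy & SASL_AUTHZ_AND) ) goto DONE;` right after the `slap_sasl_check_authz` call, and confirm that the code at `DONE` treats that `rc` as a denial.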