}
/* Count number of attributes in entry */
- for (i = 1, a = op->oq_add.rs_e->e_attrs; a; i++, a = a->a_next)
+ for ( i = 1, a = op->oq_add.rs_e->e_attrs; a; i++, a = a->a_next )
/* just count attrs */ ;
/* Create array of LDAPMods for ldap_add() */
attrs[ i ] = NULL;
ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
rc = -1;
goto cleanup;
}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
retry:
rs->sr_err = ldap_add_ext( lc->lc_ld, op->o_req_dn.bv_val, attrs,
}
cleanup:
-#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
if ( attrs ) {
for ( --i; i >= 0; --i ) {
#ifndef SLAPD_LDAP_H
#define SLAPD_LDAP_H
-#include "proto-ldap.h"
-
-#ifdef LDAP_DEVEL
-#define LDAP_BACK_PROXY_AUTHZ
-#endif
-
LDAP_BEGIN_DECL
struct slap_conn;
#define acl_authcDN acl_la.la_authcDN
#define acl_passwd acl_la.la_passwd
-#ifdef LDAP_BACK_PROXY_AUTHZ
/* ID assert stuff */
int idassert_mode;
#define LDAP_BACK_IDASSERT_LEGACY 0
int idassert_ppolicy;
/* end of ID assert stuff */
-#endif /* LDAP_BACK_PROXY_AUTHZ */
ldap_pvt_thread_mutex_t conn_mutex;
int savecred;
int rwm_started;
};
-int ldap_back_freeconn( Operation *op, struct ldapconn *lc );
-struct ldapconn *ldap_back_getconn(struct slap_op *op, struct slap_rep *rs);
-int ldap_back_dobind(struct ldapconn *lc, Operation *op, SlapReply *rs);
-int ldap_back_retry(struct ldapconn *lc, Operation *op, SlapReply *rs);
-int ldap_back_map_result(SlapReply *rs);
-int ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
- ber_int_t msgid, int sendok);
-int back_ldap_LTX_init_module(int argc, char *argv[]);
-
-extern int ldap_back_conn_cmp( const void *c1, const void *c2);
-extern int ldap_back_conn_dup( void *c1, void *c2 );
-extern void ldap_back_conn_free( void *c );
-
-#ifdef LDAP_BACK_PROXY_AUTHZ
-extern int
-ldap_back_proxy_authz_ctrl(
- struct ldapconn *lc,
- Operation *op,
- SlapReply *rs,
- LDAPControl ***pctrls );
-
-extern int
-ldap_back_proxy_authz_ctrl_free(
- Operation *op,
- LDAPControl ***pctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
-
LDAP_END_DECL
+#include "proto-ldap.h"
+
#endif /* SLAPD_LDAP_H */
static LDAP_REBIND_PROC ldap_back_rebind;
-#ifdef LDAP_BACK_PROXY_AUTHZ
static int
ldap_back_proxy_authz_bind( struct ldapconn *lc, Operation *op, SlapReply *rs );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
int
ldap_back_bind( Operation *op, SlapReply *rs )
rc = ldap_back_op_result( lc, op, rs, msgid, 1 );
if ( rc == LDAP_SUCCESS ) {
-#if defined(LDAP_BACK_PROXY_AUTHZ)
+ /* If defined, proxyAuthz will be used also when
+ * back-ldap is the authorizing backend; for this
+ * purpose, a successful bind is followed by a
+ * bind with the configured identity assertion */
+ /* NOTE: use with care */
if ( li->idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) {
ldap_back_proxy_authz_bind( lc, op, rs );
if ( lc->lc_bound == 0 ) {
goto done;
}
}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
lc->lc_bound = 1;
ber_dupbv( &lc->lc_bound_ndn, &op->o_req_ndn );
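Review bot: The result of `ldap_back_proxy_authz_bind( lc, op, rs );` in the new LDAP_BACK_AUTH_OVERRIDE branch is dropped without a cast, while the call in ldap_back_dobind discards it explicitly with `(void)`; make the intent visible the same way here, `(void)ldap_back_proxy_authz_bind( lc, op, rs );`, since the outcome is read back only through `lc->lc_bound`. The added `/* NOTE: use with care */` does not say what the care is about; the preceding comment implies the connection ends up bound as the configured asserted identity instead of the client that just authenticated, so state that, e.g. `/* NOTE: use with care: after the override the proxied connection is bound as the asserted identity, not as the client that just authenticated */`. ldap_back_bind's body starts and ends outside this hunk.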
ldap_pvt_thread_mutex_lock( &lc->lc_mutex );
if ( !lc->lc_bound ) {
-#ifdef LDAP_BACK_PROXY_AUTHZ
/*
* FIXME: we need to let clients use proxyAuthz
* otherwise we cannot do symmetric pools of servers;
*/
/*
* if no bind took place yet, but the connection is bound
- * and the "proxyauthzdn" is set, then bind as
- * "proxyauthzdn" and explicitly add the proxyAuthz
- * control to every operation with the dn bound
- * to the connection as control value.
+ * and the "idassert-authcDN" (or other ID) is set,
+ * then bind as the asserting ideintity and explicitly
+ * add the proxyAuthz control to every operation with the
+ * dn bound to the connection as control value.
*/
if ( op->o_conn != NULL && BER_BVISNULL( &lc->lc_bound_ndn ) ) {
(void)ldap_back_proxy_authz_bind( lc, op, rs );
goto done;
}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
rs->sr_err = ldap_sasl_bind( lc->lc_ld,
lc->lc_bound_ndn.bv_val,
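Review bot: The rewritten comment in ldap_back_dobind misspells "identity" as "ideintity"; the line should read `* then bind as the asserting identity and explicitly`. The same kind of slip is in the config.c comment added for the proxyauthz keyword, where "deprected" should be `* deprecated and undocumented, it can be dropped at some`. ldap_back_dobind's body starts and ends outside this hunk.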
return ldap_back_dobind( lc, op, rs );
}
-#ifdef LDAP_BACK_PROXY_AUTHZ
static int
ldap_back_proxy_authz_bind( struct ldapconn *lc, Operation *op, SlapReply *rs )
{
{
LDAPControl **ctrls = *pctrls;
+ /* we assume that the first control is the proxyAuthz
+ * added by back-ldap, so it's the only one we explicitly
+ * free */
if ( ctrls && ctrls != op->o_ctrls ) {
assert( ctrls[ 0 ] );
return 0;
}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
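Review bot: The new comment says the first control is assumed to be the proxyAuthz control that back-ldap added, but the only check on that assumption is `assert( ctrls[ 0 ] );`, which catches a NULL slot and nothing else; if ldap_back_proxy_authz_ctrl ever places something else first, the wrong control is freed. Tighten the assertion to what the comment claims, `assert( ctrls[ 0 ] && strcmp( ctrls[ 0 ]->ldctl_oid, LDAP_CONTROL_PROXY_AUTHZ ) == 0 );`, so the assumption is enforced in debug builds. The function's signature and the free itself are outside this hunk.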
}
ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
rc = -1;
goto cleanup;
}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
retry:
rs->sr_err = ldap_compare_ext( lc->lc_ld, op->o_req_ndn.bv_val,
}
cleanup:
-#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
return rc;
}
}
ber_str2bv( argv[1], 0, 1, &li->acl_passwd );
-#ifdef LDAP_BACK_PROXY_AUTHZ
/* identity assertion stuff... */
} else if ( strncasecmp( argv[0], "idassert-", STRLENOF( "idassert-" ) ) == 0
- || strncasecmp( argv[0], "proxyauthz", STRLENOF( "proxyauthz" ) ) == 0 ) {
+ || strncasecmp( argv[0], "proxyauthz", STRLENOF( "proxyauthz" ) ) == 0 )
+ {
+ /* NOTE: "proxyauthz{DN,pw}" was initially used; it's now
+ * deprected and undocumented, it can be dropped at some
+ * point, since nobody should be really using it */
return parse_idassert( be, fname, lineno, argc, argv );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
/* save bind creds for referral rebinds? */
} else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) {
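Review bot: The added comment declares "proxyauthz{DN,pw}" deprecated and droppable, but the code still accepts the old spelling silently, so nobody running an old slapd.conf will learn to migrate before it is removed. Emit a warning when the prefix match is on the old keyword, in the file's existing Debug style, e.g. `Debug( LDAP_DEBUG_ANY, "%s: line %d: \"proxyauthz*\" is deprecated, use \"idassert-*\"\n", fname, lineno, 0 );` before the `return parse_idassert( ... )`. The enclosing config function starts and ends outside this hunk.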
}
-#ifdef LDAP_BACK_PROXY_AUTHZ
static int
parse_idassert(
BackendDB *be,
}
if ( strcasecmp( argv[1], "none" ) == 0 ) {
- /* FIXME: is this useful? */
+ /* FIXME: is this at all useful? */
li->idassert_authmethod = LDAP_AUTH_NONE;
if ( argc != 2 ) {
return 0;
}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
goto cleanup;
}
-#ifdef LDAP_BACK_PROXY_AUTHZ
ctrls = op->o_ctrls;
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
rc = -1;
goto cleanup;
}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
retry:
rs->sr_err = ldap_delete_ext( lc->lc_ld, op->o_req_ndn.bv_val,
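Review bot: The ldap_back_proxy_authz_ctrl failure path in the delete hunk does `rc = -1; goto cleanup;` without sending a result, whereas the equivalent paths in the add, compare, modify and modrdn hunks on this page all call `send_ldap_result( op, rs );` first and the search hunk sends it at `finish:`; the delete `cleanup:` shown later only frees the controls and returns. Unless a line elided from the hunk does so, a client whose delete fails at control construction never receives a response; add `send_ldap_result( op, rs );` before `rc = -1;` to match the sibling operations. The enclosing function starts outside this hunk.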
rc = ldap_back_op_result( lc, op, rs, msgid, 1 );
if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) {
do_retry = 0;
- if ( ldap_back_retry (lc, op, rs )) goto retry;
+ if ( ldap_back_retry (lc, op, rs ) ) {
+ goto retry;
+ }
}
cleanup:
-#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
return rc;
}
for ( i = 0; exop_table[i].extended != NULL; i++ ) {
if ( bvmatch( exop_table[i].oid, &op->oq_extended.rs_reqoid ) )
{
-#ifdef LDAP_BACK_PROXY_AUTHZ
struct ldapconn *lc;
LDAPControl **oldctrls = NULL;
int rc;
op->o_ctrls = oldctrls;
return rc;
-#else /* ! LDAP_BACK_PROXY_AUTHZ */
- return ( *exop_table[i].extended )( op, rs );
-#endif /* ! LDAP_BACK_PROXY_AUTHZ */
}
}
BER_BVZERO( &li->acl_authcDN );
BER_BVZERO( &li->acl_passwd );
-#ifdef LDAP_BACK_PROXY_AUTHZ
li->idassert_mode = LDAP_BACK_IDASSERT_LEGACY;
BER_BVZERO( &li->idassert_authcID );
/* by default, use proxyAuthz control on each operation */
li->idassert_flags = LDAP_BACK_AUTH_NONE;
-#endif /* LDAP_BACK_PROXY_AUTHZ */
ldap_pvt_thread_mutex_init( &li->conn_mutex );
"ldap_back_db_open: URI=%s\n",
li->url != NULL ? li->url : "", 0, 0 );
-#ifdef LDAP_BACK_PROXY_AUTHZ
/* by default, use proxyAuthz control on each operation */
switch ( li->idassert_mode ) {
case LDAP_BACK_IDASSERT_LEGACY:
default:
break;
}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
#if 0 && defined(SLAPD_MONITOR)
{
+ /* FIXME: disabled because namingContexts doesn't have
+ * a matching rule, and using an MRA filter doesn't work
+ * because the normalized assertion is compared to the
+ * non-normalized value, which in general differ.
+ * See ITS#3406 */
struct berval filter,
base = BER_BVC( "cn=Databases,cn=Monitor" );
struct berval vals[ 2 ];
ch_free( li->acl_passwd.bv_val );
BER_BVZERO( &li->acl_passwd );
}
-#ifdef LDAP_BACK_PROXY_AUTHZ
if ( !BER_BVISNULL( &li->idassert_authcID ) ) {
ch_free( li->idassert_authcID.bv_val );
BER_BVZERO( &li->idassert_authcID );
ch_free( li->idassert_sasl_realm.bv_val );
BER_BVZERO( &li->idassert_sasl_realm );
}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
if ( li->conntree ) {
avl_free( li->conntree, ldap_back_conn_free );
}
modv[ i ] = 0;
ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
rc = -1;
goto cleanup;
}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
retry:
rs->sr_err = ldap_modify_ext( lc->lc_ld, op->o_req_ndn.bv_val, modv,
}
cleanup:;
-#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
for ( i = 0; modv[ i ]; i++ ) {
ch_free( modv[ i ]->mod_bvalues );
}
ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
rc = -1;
goto cleanup;
}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
retry:
rs->sr_err = ldap_rename( lc->lc_ld, op->o_req_ndn.bv_val,
}
cleanup:
-#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
return rc;
}
extern BI_entry_get_rw ldap_back_entry_get;
+int ldap_back_freeconn( Operation *op, struct ldapconn *lc );
+struct ldapconn *ldap_back_getconn(struct slap_op *op, struct slap_rep *rs);
+int ldap_back_dobind(struct ldapconn *lc, Operation *op, SlapReply *rs);
+int ldap_back_retry(struct ldapconn *lc, Operation *op, SlapReply *rs);
+int ldap_back_map_result(SlapReply *rs);
+int ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
+ ber_int_t msgid, int sendok);
+int back_ldap_LTX_init_module(int argc, char *argv[]);
+
+extern int ldap_back_conn_cmp( const void *c1, const void *c2);
+extern int ldap_back_conn_dup( void *c1, void *c2 );
+extern void ldap_back_conn_free( void *c );
+
+extern int
+ldap_back_proxy_authz_ctrl(
+ struct ldapconn *lc,
+ Operation *op,
+ SlapReply *rs,
+ LDAPControl ***pctrls );
+
+extern int
+ldap_back_proxy_authz_ctrl_free(
+ Operation *op,
+ LDAPControl ***pctrls );
+
+extern int chain_init( void );
+
LDAP_END_DECL
#endif /* PROTO_LDAP_H */
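Review bot: The ldap_back_proxy_authz_ctrl and ldap_back_proxy_authz_ctrl_free prototypes are now unconditional public declarations, but nothing documents the ownership contract they impose; every call site on this page pairs them, and the free routine only acts when `*pctrls` differs from `op->o_ctrls`. Add a Doxygen comment on ldap_back_proxy_authz_ctrl saying that on success `*pctrls` may be replaced by a newly allocated array with the proxyAuthz control first, that the caller must pass it to ldap_back_proxy_authz_ctrl_free on every exit path, and that on failure `rs` carries the error and `*pctrls` is left as passed. A matching one-line comment on ldap_back_proxy_authz_ctrl_free stating that it is a no-op when `*pctrls` still equals `op->o_ctrls` would complete the pair. The newly added `chain_init` prototype also deserves a line naming which source file defines it.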
}
ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
dontfreetext = 1;
goto finish;
}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
retry:
rs->sr_err = ldap_search_ext( lc->lc_ld, op->o_req_ndn.bv_val,
finish:;
send_ldap_result( op, rs );
-#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
if ( rs->sr_ctrls ) {
ldap_controls_free( rs->sr_ctrls );
}
ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, &rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
goto cleanup;
}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
retry:
rc = ldap_search_ext_s( lc->lc_ld, ndn->bv_val, LDAP_SCOPE_BASE, filter,
}
cleanup:
-#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
if ( result ) {
ldap_msgfree( result );