clean up unnecessary checks; don't use SASL native authz if authz ID is not static...
authorPierangelo Masarati <ando@openldap.org>
Mon, 21 Jun 2004 00:57:12 +0000 (00:57 +0000)
committerPierangelo Masarati <ando@openldap.org>
Mon, 21 Jun 2004 00:57:12 +0000 (00:57 +0000)
servers/slapd/back-ldap/bind.c
servers/slapd/back-ldap/external.h
servers/slapd/back-ldap/init.c

index 5830528fbb0bdee380a90b8689397378f37c8365..c11d87f5a808a050ad03149dcf4d2f10cea9815e 100644 (file)
@@ -403,8 +403,7 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
                 * control to every operation with the dn bound 
                 * to the connection as control value.
                 */
-               if ( op->o_conn != NULL && ( ( BER_BVISNULL( &lc->bound_dn ) || BER_BVISEMPTY( &lc->bound_dn ) ) ) )
-               {
+               if ( op->o_conn != NULL && BER_BVISNULL( &lc->bound_dn ) ) {
                        struct berval   binddn = slap_empty_bv;
                        struct berval   bindcred = slap_empty_bv;
                        int             dobind = 0;
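Review bot: Dropping the BER_BVISEMPTY half of the test makes this branch depend on bound_dn never holding a non-NULL, zero-length value, and nothing in the hunk states that invariant; the same simplification is applied to bound_dn, c_dn and idassert_authcDN in the ldap_back_proxy_authz_ctrl hunk below. A one-line comment above the condition would record it: `/* bound_dn is either NULL or a non-empty DN; an empty berval is never stored here */`. If any path can still store an empty berval (a binddn that parses to ""), this rebind-as-client branch would be skipped for it. ldap_back_dobind starts and ends outside the hunk.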
@@ -464,6 +463,7 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
                                        case LDAP_BACK_IDASSERT_SELF:
                                                if ( BER_BVISNULL( &op->o_conn->c_dn ) ) {
                                                        /* connection is not authc'd, so don't idassert */
+                                                       BER_BVSTR( &authzID, "dn:" );
                                                        break;
                                                }
                                                authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_dn.bv_len;
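Review bot: The comment on the line above the new BER_BVSTR still says "don't idassert", but the branch now asserts the anonymous identity by pointing authzID at the literal "dn:" before breaking, so the comment contradicts the code; reword it to `/* connection is not authc'd: assert the anonymous identity "dn:" */`. Because BER_BVSTR aliases a string literal, whatever consumes authzID after the switch must not free it or treat it as heap-owned on this path — that consumer is outside the hunk, so it is worth confirming. The enclosing switch and ldap_back_dobind continue outside the hunk.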
@@ -772,23 +772,26 @@ ldap_back_proxy_authz_ctrl(
                        goto done;
                }
 
-               if ( !BER_BVISNULL( &lc->bound_dn ) && !BER_BVISEMPTY( &lc->bound_dn ) ) {
+               if ( !BER_BVISNULL( &lc->bound_dn ) ) {
                        goto done;
                }
 
-               if ( BER_BVISNULL( &op->o_conn->c_dn ) || BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
+               if ( BER_BVISNULL( &op->o_conn->c_dn ) ) {
                        goto done;
                }
 
-               if ( BER_BVISNULL( &li->idassert_authcDN ) || BER_BVISEMPTY( &li->idassert_authcDN ) ) {
+               if ( BER_BVISNULL( &li->idassert_authcDN ) ) {
                        goto done;
                }
 
        } else if ( li->idassert_authmethod == LDAP_AUTH_SASL ) {
                if ( ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ )
-                               && !BER_BVISNULL( &op->o_conn->c_dn ) && !BER_BVISEMPTY( &op->o_conn->c_dn ) )
+                               /* && ( !BER_BVISNULL( &op->o_conn->c_dn ) || lc->bound ) */ )
                {
                        /* already asserted in SASL via native authz */
+                       /* NOTE: the test on lc->bound is used to trap
+                        * native authorization of anonymous users,
+                        * since in that case op->o_conn->c_dn is NULL */
                        goto done;
                }
 
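Review bot: The NOTE comment added before the goto describes a "test on lc->bound" that the same hunk comments out of the if condition, so it documents code that no longer runs; after this change the SASL branch jumps to done whenever LDAP_BACK_AUTH_NATIVE_AUTHZ is set, regardless of whether the client connection is authenticated. That is only safe because the flag is cleared elsewhere for non-static authz IDs (the ldap_back_db_open hunk in init.c), and that coupling is what the comment should state rather than a condition that is no longer evaluated. Suggest removing the commented-out clause from the if and replacing the NOTE with `/* NATIVE_AUTHZ is only left set when the authzID is static (cleared in ldap_back_db_open for LEGACY/SELF); dynamic or anonymous identities are never asserted natively, so no control is needed here */`. Leaving commented-out code inside an if condition is also a readability problem on its own. ldap_back_proxy_authz_ctrl starts before and continues after the hunk.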
index 216ced70bb08ef4eace6021501fc069c19b7aaf0..5f72eda8ae88c10e354578da9fe0c9d384af5726 100644 (file)
@@ -29,6 +29,7 @@ extern BI_close       ldap_back_close;
 extern BI_destroy      ldap_back_destroy;
 
 extern BI_db_init      ldap_back_db_init;
+extern BI_db_open      ldap_back_db_open;
 extern BI_db_destroy   ldap_back_db_destroy;
 
 extern BI_db_config    ldap_back_db_config;
index e7f2fdd42e7f1e374534d60fb84ec2107e511381..2f285fb0b32cab32126510c68e6a873e904b3f08 100644 (file)
@@ -60,7 +60,7 @@ ldap_back_initialize(
 
        bi->bi_db_init = ldap_back_db_init;
        bi->bi_db_config = ldap_back_db_config;
-       bi->bi_db_open = 0;
+       bi->bi_db_open = ldap_back_db_open;
        bi->bi_db_close = 0;
        bi->bi_db_destroy = ldap_back_db_destroy;
 
@@ -162,6 +162,29 @@ ldap_back_db_init(
        return 0;
 }
 
+int
+ldap_back_db_open( BackendDB *be )
+{
+       struct ldapinfo *li = (struct ldapinfo *)be->be_private;
+
+#ifdef LDAP_BACK_PROXY_AUTHZ
+       /* by default, use proxyAuthz control on each operation */
+       switch ( li->idassert_mode ) {
+       case LDAP_BACK_IDASSERT_LEGACY:
+       case LDAP_BACK_IDASSERT_SELF:
+               /* however, since admin connections are pooled and shared,
+                * only static authzIDs can be native */
+               li->idassert_flags &= ~LDAP_BACK_AUTH_NATIVE_AUTHZ;
+               break;
+
+       default:
+               break;
+       }
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
+       return 0;
+}
+
 void
 ldap_back_conn_free( 
        void *v_lc
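Review bot: ldap_back_db_open clears LDAP_BACK_AUTH_NATIVE_AUTHZ without telling the administrator, so a configured native-authz setting is silently overridden whenever idassert_mode is LEGACY or SELF, and the resulting behaviour (a proxyAuthz control on every operation instead) will be hard to trace back to this function. A log line inside the case body before the flag is cleared would make the override visible, e.g. `Debug( LDAP_DEBUG_ANY, "ldap_back_db_open: native authz disabled for non-static idassert mode\n", 0, 0, 0 );`. The function also has no header comment; one stating the contract — the flag may only remain set when the asserted identity is a static authcDN, because the proxied admin connection is pooled and shared across clients — would explain why a LEGACY/SELF mode must not use native authz. The hunk ends at the opening of ldap_back_conn_free, whose body is outside the view.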