cleanup identity assertion; ready for porting to back-meta
authorPierangelo Masarati <ando@openldap.org>
Sat, 10 Jun 2006 16:33:26 +0000 (16:33 +0000)
committerPierangelo Masarati <ando@openldap.org>
Sat, 10 Jun 2006 16:33:26 +0000 (16:33 +0000)
servers/slapd/back-ldap/add.c
servers/slapd/back-ldap/bind.c
servers/slapd/back-ldap/compare.c
servers/slapd/back-ldap/delete.c
servers/slapd/back-ldap/extended.c
servers/slapd/back-ldap/modify.c
servers/slapd/back-ldap/modrdn.c
servers/slapd/back-ldap/proto-ldap.h
servers/slapd/back-ldap/search.c

index 94cab8eda6edebd2aa79c43b614116041ccddbdb..260b57aea721b6c4cfbcd6211fcc64f0492ea29e 100644 (file)
@@ -93,7 +93,7 @@ ldap_back_add(
        attrs[ i ] = NULL;
 
        ctrls = op->o_ctrls;
-       rs->sr_err = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+       rs->sr_err = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, rs, &ctrls );
        if ( rs->sr_err != LDAP_SUCCESS ) {
                send_ldap_result( op, rs );
                goto cleanup;
index ca304aa165ab504088167dabc6e122d1793c679c..c05e0ee77713e960c92f6de7b3772cf33d4c8dec 100644 (file)
@@ -33,7 +33,7 @@
 #include "slap.h"
 #include "back-ldap.h"
 
-#include <lutil_ldap.h>
+#include "lutil_ldap.h"
 
 #ifndef PRINT_CONNTREE
 #define PRINT_CONNTREE 0
@@ -1478,6 +1478,11 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_b
                /* fall thru */
 
        default:
+               rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+               if ( sendok & LDAP_BACK_SENDERR ) {
+                       send_ldap_result( op, rs );
+               }
+               LDAP_BACK_CONN_ISBOUND_CLEAR( lc );
                goto done;
        }
 
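Review bot: The new `default:` branch refuses with LDAP_UNWILLING_TO_PERFORM but, as far as the hunk shows, sets no `rs->sr_text` and carries no comment, so neither the client nor a later reader learns that an unsupported idassert bind method was the cause. Because the line above is `/* fall thru */`, the preceding case (outside this hunk) now ends in the same refusal and also has its bound flag cleared; a comment such as `/* unsupported idassert authmethod: fail closed and leave the connection unbound */` would record that this is intended. If a diagnostic is wanted, a line like `rs->sr_text = "unsupported idassert bind method";` before the send would help operators, with the wording adjusted to the project's conventions. The switch and the rest of ldap_back_proxy_authz_bind lie outside the hunk.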
@@ -1737,7 +1742,7 @@ done:;
  */
 int
 ldap_back_proxy_authz_ctrl(
-               ldapconn_t      *lc,
+               struct berval   *bound_ndn,
                Operation       *op,
                SlapReply       *rs,
                LDAPControl     ***pctrls )
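Review bot: `bound_ndn` is dereferenced unconditionally by `BER_BVISNULL( bound_ndn )` and `dn_match( &assertedID, bound_ndn )` in the later hunks at -1810 and -1927, so a NULL pointer from a future caller (the commit title mentions a back-meta port) would crash slapd instead of returning an error. Every caller in this commit passes `&lc->lc_bound_ndn`, so the contract holds only by convention today; state it in the comment block above the function, e.g. `/* bound_ndn: normalized DN the connection is bound as; must not be NULL */`, and consider `assert( bound_ndn != NULL );` at the top of the body. The visible lines only read through the pointer, so `const struct berval *bound_ndn` here and in the proto-ldap.h prototype would make that explicit, provided the rest of the body allows it. The function body starts and ends outside this hunk.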
@@ -1810,7 +1815,7 @@ ldap_back_proxy_authz_ctrl(
                        goto done;
                }
 
-               if ( !BER_BVISNULL( &lc->lc_bound_ndn ) ) {
+               if ( !BER_BVISNULL( bound_ndn ) ) {
                        goto done;
                }
 
@@ -1823,14 +1828,9 @@ ldap_back_proxy_authz_ctrl(
                }
 
        } else if ( li->li_idassert_authmethod == LDAP_AUTH_SASL ) {
-               if ( ( li->li_idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ )
-                               /* && ( !BER_BVISNULL( &ndn )
-                                       || LDAP_BACK_CONN_ISBOUND( lc ) ) */ )
+               if ( ( li->li_idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) )
                {
                        /* already asserted in SASL via native authz */
-                       /* NOTE: the test on lc->lc_bound is used to trap
-                        * native authorization of anonymous users,
-                        * since in that case ndn is NULL */
                        goto done;
                }
 
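Review bot: Dropping the NOTE removes the only explanation of how this branch treats anonymous clients, while the branch still skips the proxyAuthz control whenever LDAP_BACK_AUTH_NATIVE_AUTHZ is set, without checking in the visible lines that the connection was really bound with an authzid. With `lc` gone from the signature, the commented-out `LDAP_BACK_CONN_ISBOUND( lc )` test can no longer be restored inside this function, so the assumption should be written down, for example `/* relies on ldap_back_proxy_authz_bind having asserted the identity during the SASL bind; anonymous clients are not distinguished here */`, adjusted to whatever the bind path actually guarantees. The doubled parentheses in `if ( ( ... ) )` are a leftover of the removed condition and can be reduced to one pair. The surrounding if/else chain continues outside the hunk.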
@@ -1927,7 +1927,7 @@ ldap_back_proxy_authz_ctrl(
        }
 
        /* don't idassert the bound DN (ITS#4497) */
-       if ( dn_match( &assertedID, &lc->lc_bound_ndn ) ) {
+       if ( dn_match( &assertedID, bound_ndn ) ) {
                goto done;
        }
 
index 8d31acabb898265d20096740c7c26f5f22eadd51..e37e986bc39d5a588b1e46d82f98d87ffae6aada 100644 (file)
@@ -49,7 +49,7 @@ ldap_back_compare(
        }
 
        ctrls = op->o_ctrls;
-       rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+       rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, rs, &ctrls );
        if ( rc != LDAP_SUCCESS ) {
                send_ldap_result( op, rs );
                goto cleanup;
index e0f7c67905935758f3ac5af59ac23d509bb21f98..3394a5aeba6b0e1c96f16fcb86d14dfe6b7f39d2 100644 (file)
@@ -51,7 +51,7 @@ ldap_back_delete(
        }
 
        ctrls = op->o_ctrls;
-       rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+       rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, rs, &ctrls );
        if ( rc != LDAP_SUCCESS ) {
                send_ldap_result( op, rs );
                rc = rs->sr_err;
index 0651ffe6851394272c6d32332a289fe85e2f587b..2bf37c49e35ec4041ceaca4b67896dae7e7457c9 100644 (file)
@@ -56,7 +56,7 @@ ldap_back_extended_one( Operation *op, SlapReply *rs, BI_op_extended exop )
        }
 
        oldctrls = op->o_ctrls;
-       if ( ldap_back_proxy_authz_ctrl( lc, op, rs, &op->o_ctrls ) ) {
+       if ( ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, rs, &op->o_ctrls ) ) {
                op->o_ctrls = oldctrls;
                send_ldap_extended( op, rs );
                rs->sr_text = NULL;
index 6b75ef74f7ab2c5a6584f5d157281ed22b607502..e3ad3d5abaf5145f6b22ab4d133f18166258f116 100644 (file)
@@ -99,7 +99,7 @@ ldap_back_modify(
        modv[ i ] = 0;
 
        ctrls = op->o_ctrls;
-       rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+       rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, rs, &ctrls );
        if ( rc != LDAP_SUCCESS ) {
                send_ldap_result( op, rs );
                rc = -1;
index eb5690ce6c1b9b0d040144d48f501c2b33713c74..304482922f4e6dd970bf6af1adaf96a4b02e429a 100644 (file)
@@ -74,7 +74,7 @@ ldap_back_modrdn(
        }
 
        ctrls = op->o_ctrls;
-       rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+       rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, rs, &ctrls );
        if ( rc != LDAP_SUCCESS ) {
                send_ldap_result( op, rs );
                rc = -1;
index bb4baf29248cdfb1818cf28c8898f1f439d2ef35..72dd5f359bad85236ae982ef5ba67beabbcc6992 100644 (file)
@@ -67,7 +67,7 @@ extern void ldap_back_conn_free( void *c );
 
 extern int
 ldap_back_proxy_authz_ctrl(
-               ldapconn_t      *lc,
+               struct berval   *bound_ndn,
                Operation       *op,
                SlapReply       *rs,
                LDAPControl     ***pctrls );
index 4d95374f1e11e47df7a9d816c3e9445468e27d41..f7e1667e2c761c1719c387de0b4d76ffff705204 100644 (file)
@@ -203,7 +203,7 @@ ldap_back_search(
        }
 
        ctrls = op->o_ctrls;
-       rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+       rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, rs, &ctrls );
        if ( rc != LDAP_SUCCESS ) {
                goto finish;
        }
@@ -762,7 +762,7 @@ ldap_back_entry_get(
        }
 
        ctrls = op->o_ctrls;
-       rc = ldap_back_proxy_authz_ctrl( lc, op, &rs, &ctrls );
+       rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, &rs, &ctrls );
        if ( rc != LDAP_SUCCESS ) {
                goto cleanup;
        }