#endif
int use_tls = 0;
+char *assertion = NULL;
char *authzid = NULL;
int manageDSAit = 0;
int noop = 0;
N_(" -d level set LDAP debugging level to `level'\n"),
N_(" -D binddn bind DN\n"),
N_(" -e [!]<ctrl>[=<ctrlparam>] general controls (! indicates criticality)\n")
+N_(" [!]assert=<filter> (an RFC 2254 Filter)\n")
N_(" [!]authzid=<authzid> (\"dn:<dn>\" or \"u:<user>\")\n")
N_(" [!]manageDSAit (alternate form, see -M)\n")
N_(" [!]noop\n"),
*cvalue++ = '\0';
}
- if ( strcasecmp( control, "authzid" ) == 0 ) {
+ if ( strcasecmp( control, "assert" ) == 0 ) {
+ if( assertion != NULL ) {
+ fprintf( stderr, "assert control previously specified\n");
+ exit( EXIT_FAILURE );
+ }
+ if( cvalue == NULL ) {
+ fprintf( stderr, "assert: control value expected\n" );
+ usage();
+ }
+
+ assert( assertion == NULL );
+ assertion = cvalue;
+
+ } else if ( strcasecmp( control, "authzid" ) == 0 ) {
if( authzid != NULL ) {
fprintf( stderr, "authzid control previously specified\n");
exit( EXIT_FAILURE );
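Review bot: The new assert branch stores only the filter text and never the criticality that the `-e` parser derives from the `!` prefix, even though the usage string advertises `[!]assert=<filter>`; tool_server_controls() in the hunk below consequently has nothing to consult and hard-codes `c[i].ldctl_iscritical = 1`, so `-e assert=...` without `!` is silently sent as critical. Either keep the parsed flag alongside `assertion` and use it when the control is built, or reject the non-critical form here with a usage error as the message text would then need to say. The `assert( assertion == NULL );` after the explicit "previously specified" check is redundant, since that check already exits; dropping it also avoids the confusing overlap between the assert() macro and the control name. The enclosing option-parsing function starts and ends outside the hunk.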
tool_server_controls( LDAP *ld, LDAPControl *extra_c, int count )
{
int i = 0, j, crit = 0, err;
- LDAPControl c[3], **ctrls;
+ LDAPControl c[4], **ctrls;
ctrls = (LDAPControl**) malloc(sizeof(c) + (count+1)*sizeof(LDAPControl*));
if ( ctrls == NULL ) {
exit( EXIT_FAILURE );
}
+ if ( assertion ) {
+ char berbuf[LBER_ELEMENT_SIZEOF];
+ BerElement *ber = (BerElement *)berbuf;
+
+ if( *assertion == '\0' ) {
+ fprintf( stderr, "Assertion=<empty>\n" );
+ exit( EXIT_FAILURE );
+ }
+
+ ber_init2( ber, NULL, LBER_USE_DER );
+
+ err = ldap_pvt_put_filter( ber, assertion );
+ if( err < 0 ) {
+ fprintf( stderr, "assertion encode failed (%d)\n", err );
+ exit( EXIT_FAILURE );
+ }
+
+ err = ber_flatten2( ber, &c[i].ldctl_value, 0 );
+ if( err < 0 ) {
+ fprintf( stderr, "assertion flatten failed (%d)\n", err );
+ exit( EXIT_FAILURE );
+ }
+
+ c[i].ldctl_oid = LDAP_CONTROL_ASSERT;
+ c[i].ldctl_iscritical = 1;
+ ctrls[i] = &c[i];
+ i++;
+ }
+
if ( authzid ) {
c[i].ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
c[i].ldctl_value.bv_val = authzid;
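Review bot: `berbuf` is a plain `char` array cast to `BerElement *`, which carries no alignment guarantee for the structure ber_init2() writes into it; if liblber provides an aligned buffer type for this idiom it should be used, otherwise an explicitly aligned buffer would remove the implementation-dependent misaligned-access risk. The encoding buffer that ldap_pvt_put_filter() fills is exposed through ber_flatten2() with alloc=0, so `c[i].ldctl_value` aliases memory the BerElement owns and nothing in the hunk ever releases it; that is acceptable for a one-shot command-line tool but deserves a comment such as `/* ldctl_value aliases the ber's buffer; intentionally never freed */` so a later caller does not add a ber_free() that would invalidate the control. tool_server_controls() continues past the end of the hunk.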
#include "../../libraries/liblber/lber-int.h"
+static SLAP_CTRL_PARSE_FN parseAssert;
static SLAP_CTRL_PARSE_FN parseProxyAuthz;
static SLAP_CTRL_PARSE_FN parseManageDSAit;
static SLAP_CTRL_PARSE_FN parseNoOp;
#undef sc_mask /* avoid conflict with Irix 6.5 <sys/signal.h> */
-static char *proxy_authz_extops[] = {
- LDAP_EXOP_MODIFY_PASSWD,
- LDAP_EXOP_X_WHO_AM_I,
- NULL
-};
-
struct slap_control {
- /*
- * Control OID
- */
+ /* Control OID */
char *sc_oid;
- /*
- * Operations supported by control
- */
+ /* Operations supported by control */
slap_mask_t sc_mask;
- /*
- * Extended operations supported by control
- */
+ /* Extended operations supported by control */
char **sc_extendedops;
- /*
- * Control parsing callback
- */
+ /* Control parsing callback */
SLAP_CTRL_PARSE_FN *sc_parse;
LDAP_SLIST_ENTRY(slap_control) sc_next;
*/
char **slap_known_controls = NULL;
+static char *proxy_authz_extops[] = {
+ LDAP_EXOP_MODIFY_PASSWD,
+ LDAP_EXOP_X_WHO_AM_I,
+ NULL
+};
+
static struct slap_control control_defs[] = {
+ { LDAP_CONTROL_ASSERT,
+ SLAP_CTRL_ACCESS, NULL,
+ parseAssert, LDAP_SLIST_ENTRY_INITIALIZER(next) },
{ LDAP_CONTROL_VALUESRETURNFILTER,
SLAP_CTRL_SEARCH, NULL,
parseValuesReturnFilter, LDAP_SLIST_ENTRY_INITIALIZER(next) },
}
#endif
+static int parseAssert (
+ Operation *op,
+ SlapReply *rs,
+ LDAPControl *ctrl )
+{
+ BerElement *ber;
+ struct berval fstr = { 0, NULL };
+ const char *err_msg = "";
+
+ if ( op->o_assert != SLAP_NO_CONTROL ) {
+ rs->sr_text = "assert control specified multiple times";
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+ if ( ctrl->ldctl_value.bv_len == 0 ) {
+ rs->sr_text = "assert control value is empty (or absent)";
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+ ber = ber_init( &(ctrl->ldctl_value) );
+ if (ber == NULL) {
+ rs->sr_text = "internal error";
+ return LDAP_OTHER;
+ }
+
+ rs->sr_err = get_filter( op, ber, &(op->o_assertion), &rs->sr_text);
+
+ if( rs->sr_err != LDAP_SUCCESS ) {
+ if( rs->sr_err == SLAPD_DISCONNECT ) {
+ rs->sr_err = LDAP_PROTOCOL_ERROR;
+ send_ldap_disconnect( op, rs );
+ rs->sr_err = SLAPD_DISCONNECT;
+ } else {
+ send_ldap_result( op, rs );
+ }
+ if( op->o_assertion != NULL) {
+ filter_free_x( op, op->o_assertion );
+ }
+ }
+#ifdef LDAP_DEBUG
+ else {
+ filter2bv_x( op, op->o_assertion, &fstr );
+ }
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( OPERATION, ARGS,
+ "parseAssert: conn %d assert: %s\n",
+ op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
+#else
+ Debug( LDAP_DEBUG_ARGS, "parseAssert: conn %d assert: %s\n",
+ op->o_connid, fstr.bv_len ? fstr.bv_val : "empty" , 0 );
+#endif
+ op->o_tmpfree( fstr.bv_val, op->o_tmpmemctx );
+#endif
+
+ op->o_assert = ctrl->ldctl_iscritical
+ ? SLAP_CRITICAL_CONTROL
+ : SLAP_NONCRITICAL_CONTROL;
+
+ rs->sr_err = LDAP_SUCCESS;
+ return LDAP_SUCCESS;
+}
+
int parseValuesReturnFilter (
Operation *op,
SlapReply *rs,
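Review bot: When get_filter() fails, the error block sends a result (or a disconnect) and frees the partially built filter, but control then falls through to set `op->o_assert` and `return LDAP_SUCCESS`, so the caller sees success after a response has already gone out and the request proceeds with a dangling `op->o_assertion` that a later assertion evaluation could dereference. The error block should clear the pointer and leave early, i.e. `op->o_assertion = NULL;` after the filter_free_x() call and `return rs->sr_err;` as its last statement, mirroring the early returns above it. The BerElement obtained from ber_init() also appears never to be released, and since the control arrives from the client this costs one allocation per request carrying it; a `(void) ber_free( ber, 1 );` right after the get_filter() call would close that. `err_msg` is declared but never used and can go.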
return LDAP_OTHER;
}
- rs->sr_err = get_vrFilter( op, ber, &(op->vrFilter), &rs->sr_text);
+ rs->sr_err = get_vrFilter( op, ber, &(op->o_vrFilter), &rs->sr_text);
if( rs->sr_err != LDAP_SUCCESS ) {
if( rs->sr_err == SLAPD_DISCONNECT ) {
} else {
send_ldap_result( op, rs );
}
- if( op->vrFilter != NULL) vrFilter_free( op, op->vrFilter );
+ if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter );
}
#ifdef LDAP_DEBUG
else {
- vrFilter2bv( op, op->vrFilter, &fstr );
+ vrFilter2bv( op, op->o_vrFilter, &fstr );
}
#ifdef NEW_LOGGING