better handling of internal operations
authorPierangelo Masarati <ando@openldap.org>
Thu, 15 Dec 2005 13:47:25 +0000 (13:47 +0000)
committerPierangelo Masarati <ando@openldap.org>
Thu, 15 Dec 2005 13:47:25 +0000 (13:47 +0000)
servers/slapd/back-ldap/bind.c

index 0531d46f5933cefd1c49b783aab5fa1720d2178c..ac5cef995d92b8d15b342df4ae17846d7e1180ac 100644 (file)
@@ -983,10 +983,18 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs )
        ldapinfo_t      *li = (ldapinfo_t *)op->o_bd->be_private;
        struct berval   binddn = slap_empty_bv;
        struct berval   bindcred = slap_empty_bv;
+       struct berval   ndn;
        int             dobind = 0;
        int             msgid;
        int             rc;
 
+       if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+               ndn = op->o_conn->c_ndn;
+
+       } else {
+               ndn = op->o_ndn;
+       }
+
        /*
         * FIXME: we need to let clients use proxyAuthz
         * otherwise we cannot do symmetric pools of servers;
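Review bot: The fallback at L19–24 silently changes which identity the rest of this function authorizes and asserts: when the connection has no bound DN, `op->o_ndn` now feeds the LEGACY test (L34), the `slap_sasl_matches` check (L43–51) and the SELF authzID built at L63–68, so whatever sets `o_ndn` on an internal operation becomes a security-relevant input. A comment stating the intent would help, e.g. `/* internal ops carry no bound connection identity; fall back to the op's own ndn, which the caller is trusted to have set */`. `op->o_conn` is dereferenced before the test, which is only safe if every caller supplies a (possibly fake) connection — I cannot confirm that from the hunk. The same selection is repeated verbatim in the -1221 hunk of ldap_back_proxy_authz_ctrl; a small static helper would keep the two in sync. ldap_back_proxy_authz_bind starts before and continues past this hunk.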
@@ -1012,7 +1020,7 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs )
         * is authorized */
        switch ( li->li_idassert_mode ) {
        case LDAP_BACK_IDASSERT_LEGACY:
-               if ( !BER_BVISNULL( &op->o_conn->c_ndn ) && !BER_BVISEMPTY( &op->o_conn->c_ndn ) ) {
+               if ( !BER_BVISNULL( &ndn ) && !BER_BVISEMPTY( &ndn ) ) {
                        if ( !BER_BVISNULL( &li->li_idassert_authcDN ) && !BER_BVISEMPTY( &li->li_idassert_authcDN ) )
                        {
                                binddn = li->li_idassert_authcDN;
@@ -1027,11 +1035,11 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs )
                if ( li->li_idassert_authz && !be_isroot( op ) ) {
                        struct berval authcDN;
 
-                       if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+                       if ( BER_BVISNULL( &ndn ) ) {
                                authcDN = slap_empty_bv;
 
                        } else {
-                               authcDN = op->o_conn->c_ndn;
+                               authcDN = ndn;
                        }       
                        rs->sr_err = slap_sasl_matches( op, li->li_idassert_authz,
                                        &authcDN, &authcDN );
@@ -1078,16 +1086,16 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs )
                                break;
 
                        case LDAP_BACK_IDASSERT_SELF:
-                               if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+                               if ( BER_BVISNULL( &ndn ) ) {
                                        /* connection is not authc'd, so don't idassert */
                                        BER_BVSTR( &authzID, "dn:" );
                                        break;
                                }
-                               authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_ndn.bv_len;
+                               authzID.bv_len = STRLENOF( "dn:" ) + ndn.bv_len;
                                authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx );
                                AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
                                AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ),
-                                               op->o_conn->c_ndn.bv_val, op->o_conn->c_ndn.bv_len + 1 );
+                                               ndn.bv_val, ndn.bv_len + 1 );
                                freeauthz = 1;
                                break;
 
@@ -1202,7 +1210,8 @@ ldap_back_proxy_authz_ctrl(
        LDAPControl     **ctrls = NULL;
        int             i = 0,
                        mode;
-       struct berval   assertedID;
+       struct berval   assertedID,
+                       ndn;
 
        *pctrls = NULL;
 
@@ -1221,6 +1230,13 @@ ldap_back_proxy_authz_ctrl(
                goto done;
        }
 
+       if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+               ndn = op->o_conn->c_ndn;
+
+       } else {
+               ndn = op->o_ndn;
+       }
+
        if ( li->li_idassert_mode == LDAP_BACK_IDASSERT_LEGACY ) {
                if ( op->o_proxy_authz ) {
                        /*
@@ -1244,7 +1260,7 @@ ldap_back_proxy_authz_ctrl(
                        goto done;
                }
 
-               if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+               if ( BER_BVISNULL( &ndn ) ) {
                        goto done;
                }
 
@@ -1254,13 +1270,13 @@ ldap_back_proxy_authz_ctrl(
 
        } else if ( li->li_idassert_authmethod == LDAP_AUTH_SASL ) {
                if ( ( li->li_idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ )
-                               /* && ( !BER_BVISNULL( &op->o_conn->c_ndn )
+                               /* && ( !BER_BVISNULL( &ndn )
                                        || LDAP_BACK_CONN_ISBOUND( lc ) ) */ )
                {
                        /* already asserted in SASL via native authz */
                        /* NOTE: the test on lc->lc_bound is used to trap
                         * native authorization of anonymous users,
-                        * since in that case op->o_conn->c_ndn is NULL */
+                        * since in that case ndn is NULL */
                        goto done;
                }
 
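Review bot: The reworded comment at L114–117 no longer matches the code: after the fallback at L86–91, `ndn` is NULL only when both `op->o_conn->c_ndn` and `op->o_ndn` are NULL, so "since in that case ndn is NULL" understates the condition under which anonymous native authz is trapped. If `o_ndn` can be non-NULL on an anonymous connection, that case now slips past the trap the comment describes; worth confirming against the callers. Suggested wording: `* since in that case both c_ndn and the op's o_ndn are NULL */`. ldap_back_proxy_authz_ctrl starts before and continues past this hunk.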
@@ -1268,17 +1284,17 @@ ldap_back_proxy_authz_ctrl(
                int             rc;
                struct berval authcDN;
 
-               if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+               if ( BER_BVISNULL( &ndn ) ) {
                        authcDN = slap_empty_bv;
                } else {
-                       authcDN = op->o_conn->c_ndn;
+                       authcDN = ndn;
                }
                rc = slap_sasl_matches( op, li->li_idassert_authz,
                                &authcDN, & authcDN );
                if ( rc != LDAP_SUCCESS ) {
                        if ( li->li_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE )
                        {
-                               /* op->o_conn->c_ndn is not authorized
+                               /* ndn is not authorized
                                 * to use idassert */
                                return rc;
                        }
@@ -1320,10 +1336,10 @@ ldap_back_proxy_authz_ctrl(
        case LDAP_BACK_IDASSERT_SELF:
                /* original behavior:
                 * assert the client's identity */
-               if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+               if ( BER_BVISNULL( &ndn ) ) {
                        assertedID = slap_empty_bv;
                } else {
-                       assertedID = op->o_conn->c_ndn;
+                       assertedID = ndn;
                }
                break;