Add VC support for ppolicy and authzid inner controls
authorKurt Zeilenga <kurt@openldap.org>
Mon, 3 Jan 2011 22:54:48 +0000 (22:54 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Mon, 3 Jan 2011 22:54:48 +0000 (22:54 +0000)
clients/tools/common.c
clients/tools/ldapvc.c
include/ldap.h

index 31ea8b972f55a2ec000267f567513162a23d7653..e68a3421af7ad5863d2ae3b1c449a621998d571c 100644 (file)
@@ -137,6 +137,9 @@ typedef int (*print_ctrl_fn)( LDAP *ld, LDAPControl *ctrl );
 static int print_preread( LDAP *ld, LDAPControl *ctrl );
 static int print_postread( LDAP *ld, LDAPControl *ctrl );
 static int print_paged_results( LDAP *ld, LDAPControl *ctrl );
+#ifdef LDAP_CONTROL_AUTHZID_RESPONSE
+static int print_authzid( LDAP *ld, LDAPControl *ctrl );
+#endif
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
 static int print_ppolicy( LDAP *ld, LDAPControl *ctrl );
 #endif
@@ -157,6 +160,10 @@ static struct tool_ctrls_t {
        { LDAP_CONTROL_PRE_READ,                        TOOL_ALL,       print_preread },
        { LDAP_CONTROL_POST_READ,                       TOOL_ALL,       print_postread },
        { LDAP_CONTROL_PAGEDRESULTS,                    TOOL_SEARCH,    print_paged_results },
+#ifdef LDAP_CONTROL_AUTHZID_RESPONSE
+       /* this is generally deprecated in favor of LDAP WhoAmI? operation, hence only supported as a VC inner control */
+       { LDAP_CONTROL_PASSWORDPOLICYRESPONSE,          TOOL_VC,        print_authzid },
+#endif
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
        { LDAP_CONTROL_PASSWORDPOLICYRESPONSE,          TOOL_ALL,       print_ppolicy },
 #endif
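Review bot: The new AuthzId table entry registers `print_authzid` under `LDAP_CONTROL_PASSWORDPOLICYRESPONSE` instead of `LDAP_CONTROL_AUTHZID_RESPONSE`, so an Authorization Identity response control is never matched and printed, and the table now carries the ppolicy OID twice. If lookup takes the first match, a ppolicy response received by ldapvc would be routed to `print_authzid`, which would emit the ppolicy BER payload as an authzid. The line should read `{ LDAP_CONTROL_AUTHZID_RESPONSE, TOOL_VC, print_authzid },`. The tool_ctrls_t table begins before this hunk.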
@@ -2168,6 +2175,20 @@ print_whatfailed( LDAP *ld, LDAPControl *ctrl )
 }
 #endif
 
+#ifdef LDAP_CONTROL_AUTHZID_RESPONSE
+static int
+print_authzid( LDAP *ld, LDAPControl *ctrl )
+{
+    if (ctrl->ldctl_value.bv_len) {
+           tool_write_ldif( ldif ? LDIF_PUT_COMMENT : LDIF_PUT_VALUE,
+                   "authzid", ctrl->ldctl_value.bv_val,  ctrl->ldctl_value.bv_len );
+       } else {
+           tool_write_ldif( ldif ? LDIF_PUT_COMMENT : LDIF_PUT_VALUE,
+                   "authzid", "anonymous",  sizeof("anonymous")-1);
+       }
+}
+#endif
+
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
 static int
 print_ppolicy( LDAP *ld, LDAPControl *ctrl )
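Review bot: `print_authzid` is declared to return int but falls off the end without a return statement, which is undefined behavior as soon as `tool_print_ctrls` reads the result (the sibling printers share the same signature, so presumably it does). Add `return 0;` after the if/else, or whatever success value `print_ppolicy` returns — its body lies outside this hunk. `ctrl->ldctl_value` is server-supplied and is passed to `tool_write_ldif` as raw bytes with its length, which is fine provided that helper base64-encodes values that are not LDIF-safe; that cannot be confirmed from here. The body also mixes four-space and tab indentation where the surrounding file uses tabs.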
index c6ca58578bc38a578b495de93ed5c3fd4a4991fb..e3ac98f6f53169e6cd99756e79360f18e419da5c 100644 (file)
@@ -48,6 +48,9 @@
 
 #include "common.h"
 
+static int req_authzid = 0;
+static int req_pp = 0;
+
 static char * mech = NULL;
 static char * dn = NULL;
 static struct berval cred = {0, NULL};
@@ -61,13 +64,15 @@ usage( void )
        fprintf( stderr, _("    DN\tDistinguished Name\n"));
        fprintf( stderr, _("    cred\tCredentials (prompt if not present)\n"));
        fprintf( stderr, _("options:\n"));
+       fprintf( stderr, _("    -a\tRequest AuthzId\n"));
+       fprintf( stderr, _("    -b\tRequest Password Policy Information\n"));
        fprintf( stderr, _("    -S mech\tSASL mechanism (default "" e.g. Simple)\n"));
        tool_common_usage();
        exit( EXIT_FAILURE );
 }
 
 
-const char options[] = "S"
+const char options[] = "abS:"
        "d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
 
 int
@@ -104,6 +109,14 @@ handle_private_option( int i )
                usage();
 #endif
 
+       case 'a':  /* request authzid */
+               req_authzid++;
+               break;
+
+       case 'b':  /* request authzid */
+               req_pp++;
+               break;
+
        case 'S':  /* SASL mechanism */
                mech = optarg;
                break;
@@ -128,6 +141,8 @@ main( int argc, char *argv[] )
        int             id, code = 0;
        LDAPMessage     *res;
        LDAPControl     **ctrls = NULL;
+       LDAPControl     **vcctrls = NULL;
+       int nvcctrls = 0;
 
        tool_init( TOOL_VC );
        prog = lutil_progname( "ldapvc", argc, argv );
@@ -176,9 +191,29 @@ main( int argc, char *argv[] )
 
        tool_server_controls( ld, NULL, 0 );
 
+    if (req_authzid) {
+               vcctrls = (LDAPControl **) malloc(3*sizeof(LDAPControl *));
+               vcctrls[nvcctrls] = (LDAPControl *) malloc(sizeof(LDAPControl));
+               vcctrls[nvcctrls]->ldctl_oid = LDAP_CONTROL_AUTHZID_REQUEST;
+               vcctrls[nvcctrls]->ldctl_iscritical = 0;
+               vcctrls[nvcctrls]->ldctl_value.bv_val = NULL;
+               vcctrls[nvcctrls]->ldctl_value.bv_len = 0;
+               vcctrls[++nvcctrls] = NULL;
+    }
+
+    if (req_pp) {
+               if (vcctrls) vcctrls = (LDAPControl **) malloc(3*sizeof(LDAPControl *));
+               vcctrls[nvcctrls] = (LDAPControl *) malloc(sizeof(LDAPControl));
+               vcctrls[nvcctrls]->ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST;
+               vcctrls[nvcctrls]->ldctl_iscritical = 0;
+               vcctrls[nvcctrls]->ldctl_value.bv_val = NULL;
+               vcctrls[nvcctrls]->ldctl_value.bv_len = 0;
+               vcctrls[++nvcctrls] = NULL;
+    }
+
        rc = ldap_verify_credentials( ld,
                NULL,
-               dn, mech, cred.bv_val ? &cred: NULL, NULL,
+               dn, mech, cred.bv_val ? &cred: NULL, vcctrls,
                NULL, NULL, &id ); 
 
        if( rc != LDAP_SUCCESS ) {
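Review bot: The guard in the `req_pp` branch is inverted: `if (vcctrls) vcctrls = (LDAPControl **) malloc(...)` allocates only when an array already exists, so `ldapvc -b` on its own dereferences NULL at `vcctrls[nvcctrls]`, while `-a -b` replaces the first array (leaking it and its control) with a fresh one whose slot 0 is uninitialized before the array is handed to `ldap_verify_credentials`. It should read `if (!vcctrls) vcctrls = (LDAPControl **) malloc(3*sizeof(LDAPControl *));`. None of the three `malloc` results is checked either; each should be tested for NULL and the tool should abort rather than write through the pointer. Since every control field is set to 0/NULL, `calloc` would express the intent more directly. main continues outside this hunk.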
@@ -187,6 +222,9 @@ main( int argc, char *argv[] )
                goto skip;
        }
 
+       ldap_controls_free(vcctrls);
+       vcctrls = NULL;
+
        for ( ; ; ) {
                struct timeval  tv;
 
@@ -221,7 +259,7 @@ main( int argc, char *argv[] )
                goto skip;
        }
 
-       rc = ldap_parse_verify_credentials( ld, res, &rcode, &diag, &scookie, &scred, NULL );
+       rc = ldap_parse_verify_credentials( ld, res, &rcode, &diag, &scookie, &scred, &vcctrls );
        ldap_msgfree(res);
 
        if( rc != LDAP_SUCCESS ) {
@@ -238,7 +276,9 @@ main( int argc, char *argv[] )
            printf(_("Diagnostic: %s\n"), diag);
        }
 
-    /* print vc controls here (once added) */
+       if (vcctrls) {
+               tool_print_ctrls( ld, vcctrls );
+       }
 
 skip:
        if ( verbose || ( code != LDAP_SUCCESS ) ||
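Review bot: The response controls parsed into `vcctrls` are printed but never released on the visible path: after `tool_print_ctrls` control falls into `skip:` with `vcctrls` still allocated, and the earlier `ldap_controls_free` in main only covered the request array. Add `ldap_controls_free(vcctrls); vcctrls = NULL;` after the `tool_print_ctrls( ld, vcctrls );` call, unless the cleanup following `skip:` (outside this hunk) already does this. main continues outside this hunk.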
index 6081a2ee0ff3b25caa908f13fe144d7441ba9e05..99ce060bcbc4ca47f13ef7a22f769df92677a23d 100644 (file)
@@ -264,6 +264,9 @@ typedef struct ldapcontrol {
 /*     non-standard track controls */
 #define LDAP_CONTROL_PAGEDRESULTS      "1.2.840.113556.1.4.319"   /* RFC 2696 */
 
+#define LDAP_CONTROL_AUTHZID_REQUEST   "2.16.840.1.113730.4.16"   /* RFC 3829 */
+#define LDAP_CONTROL_AUTHZID_RESPONSE   "2.16.840.1.113730.4.15"   /* RFC 3829 */
+
 /* LDAP Content Synchronization Operation -- RFC 4533 */
 #define LDAP_SYNC_OID                  "1.3.6.1.4.1.4203.1.9.1"
 #define LDAP_CONTROL_SYNC              LDAP_SYNC_OID ".1"
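Review bot: Both new OIDs drop the `.3` arc: RFC 3829, cited on the same lines, assigns `2.16.840.1.113730.3.4.16` to the Authorization Identity Request Control and `2.16.840.1.113730.3.4.15` to the Response Control. As written, a conforming server would not recognize the request control (silently ignored, since ldapvc sends it non-critical, or rejected outright if a caller marks it critical) and a real response control would never match the tool's printer table. Change the two lines to `#define LDAP_CONTROL_AUTHZID_REQUEST "2.16.840.1.113730.3.4.16" /* RFC 3829 */` and `#define LDAP_CONTROL_AUTHZID_RESPONSE "2.16.840.1.113730.3.4.15" /* RFC 3829 */`.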