add dontUseCopy and proxiedAuthz "non_critical" disallow switches (ITS#5785)

diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 4b1c259cec04f992af4e9e3c6611bfaa1a7926f0..e0d26e70007864a94afdd53e3b49de4ad33e04ce 100644 (file)
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -2587,6 +2587,8 @@ config_disallows(ConfigArgs *c) {
                { BER_BVC("bind_simple"),       SLAP_DISALLOW_BIND_SIMPLE },
                { BER_BVC("tls_2_anon"),                SLAP_DISALLOW_TLS_2_ANON },
                { BER_BVC("tls_authc"),         SLAP_DISALLOW_TLS_AUTHC },
+               { BER_BVC("proxy_authz_non_critical"),  SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT },
+               { BER_BVC("dontusecopy_non_critical"),  SLAP_DISALLOW_DONTUSECOPY_N_CRIT },
                { BER_BVNULL, 0 }
        };
        if (c->op == SLAP_CONFIG_EMIT) {

diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index ee2a36742f91aca599ebb4f9e732a257f23d11c5..b812bf6b153c5b4637492811d5402b78cd64306c 100644 (file)
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -960,6 +960,13 @@ static int parseDontUseCopy (
                return LDAP_PROTOCOL_ERROR;
        }
 
+       if ( ( global_disallows & SLAP_DISALLOW_DONTUSECOPY_N_CRIT )
+               && !ctrl->ldctl_iscritical )
+       {
+               rs->sr_text = "dontUseCopy criticality of FALSE not allowed";
+               return LDAP_PROTOCOL_ERROR;
+       }
+
        op->o_dontUseCopy = ctrl->ldctl_iscritical
                ? SLAP_CONTROL_CRITICAL
                : SLAP_CONTROL_NONCRITICAL;
@@ -1029,6 +1036,13 @@ static int parseProxyAuthz (
                return LDAP_PROTOCOL_ERROR;
        }
 
+       if ( ( global_disallows & SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT )
+               && !ctrl->ldctl_iscritical )
+       {
+               rs->sr_text = "proxied authorization criticality of FALSE not allowed";
+               return LDAP_PROTOCOL_ERROR;
+       }
+
        if ( !( global_allows & SLAP_ALLOW_PROXY_AUTHZ_ANON )
                && BER_BVISEMPTY( &op->o_ndn ) )
        {

diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 6b442214e4e550b0c61dc9e6bea262bc7839b0e4..8564e3b310d3be1771c3adee83e94baf533c5a33 100644 (file)
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1863,6 +1863,9 @@ struct BackendDB {
 #define SLAP_DISALLOW_TLS_2_ANON       0x0010U /* StartTLS -> Anonymous */
 #define SLAP_DISALLOW_TLS_AUTHC                0x0020U /* TLS while authenticated */
 
+#define SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT       0x0100U
+#define SLAP_DISALLOW_DONTUSECOPY_N_CRIT       0x0200U
+
 #define SLAP_DISALLOW_AUX_WO_CR                0x4000U
 
        slap_mask_t     be_requires;    /* pre-operation requirements */