#define LDAP_BACK_FCONN_ISTLS (0x00000008U)
#define LDAP_BACK_FCONN_BINDING (0x00000010U)
#define LDAP_BACK_FCONN_TAINTED (0x00000020U)
+#define LDAP_BACK_FCONN_ISIDASR (0x00000040U)
/* 0x00FF0000 are reserved for back-meta */
#define LDAP_BACK_CONN_TAINTED(lc) LDAP_BACK_CONN_ISSET((lc), LDAP_BACK_FCONN_TAINTED)
#define LDAP_BACK_CONN_TAINTED_SET(lc) LDAP_BACK_CONN_SET((lc), LDAP_BACK_FCONN_TAINTED)
#define LDAP_BACK_CONN_TAINTED_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), LDAP_BACK_FCONN_TAINTED)
+#define LDAP_BACK_CONN_ISIDASSERT(lc) LDAP_BACK_CONN_ISSET((lc), LDAP_BACK_FCONN_ISIDASR)
+#define LDAP_BACK_CONN_ISIDASSERT_SET(lc) LDAP_BACK_CONN_SET((lc), LDAP_BACK_FCONN_ISIDASR)
+#define LDAP_BACK_CONN_ISIDASSERT_CLEAR(lc) LDAP_BACK_CONN_CLEAR((lc), LDAP_BACK_FCONN_ISIDASR)
+#define LDAP_BACK_CONN_ISIDASSERT_CPY(lc, mlc) LDAP_BACK_CONN_CPY((lc), LDAP_BACK_FCONN_ISIDASR, (mlc))
unsigned lc_refcnt;
unsigned lc_binding;
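Review bot: The new flag bit LDAP_BACK_FCONN_ISIDASR carries no comment saying what connection state it records, and the ISIDASR abbreviation does not match the ISIDASSERT spelling of the four accessor macros added right below it, so a reader has to go to bind.c to connect the two. A one-line comment on the bit would settle it, e.g. `/* set once the connection's bind identity is the asserted (idassert) one; see ldap_back_dobind_int() */`, worded to whatever the dobind hunk finally settles on, since where the bit is set there is not obvious from that hunk. Naming the bit LDAP_BACK_FCONN_ISIDASSERT would also let the flag and its macros share one spelling. The enclosing definition begins and ends outside this hunk.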
if ( rc == LDAP_SUCCESS ) {
/* If defined, proxyAuthz will be used also when
* back-ldap is the authorizing backend; for this
- * purpose, a successful bind is followed by a
- * bind with the configured identity assertion */
+ * purpose, after a successful bind the connection
+ * is trashed and further operations will use
+ * a default connections with identity assertion */
/* NOTE: use with care */
if ( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) {
- ldap_back_proxy_authz_bind( lc, op, rs, LDAP_BACK_SENDERR );
- if ( !LDAP_BACK_CONN_ISBOUND( lc ) ) {
- rc = 1;
- }
- goto done;
+ LDAP_BACK_CONN_TAINTED_SET( lc );
+ ldap_back_release_conn( op, rs, lc );
+
+ return( rc );
}
/* rebind is now done inside ldap_back_proxy_authz_bind()
ldap_set_rebind_proc( lc->lc_ld, li->li_rebind_f, lc );
}
}
-done:;
assert( lc->lc_binding == 1 );
lc->lc_binding = 0;
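Review bot: The new `return( rc );` in the LDAP_BACK_AUTH_OVERRIDE branch leaves ldap_back_bind() before the `lc->lc_binding = 0;` reset that the removed `goto done` used to reach, so the connection is handed to ldap_back_release_conn() with lc_binding still at 1. If a tainted connection can outlive that release (another holder keeping its refcount up, which this hunk does not show), the stale counter stays on the object; resetting it first, `lc->lc_binding = 0;` placed ahead of `LDAP_BACK_CONN_TAINTED_SET( lc );`, keeps the accounting consistent regardless of how release behaves. The rewritten comment also reads `a default connections with identity assertion`; `a default connection` is meant. ldap_back_bind() begins and ends outside this hunk.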
LDAP *ld = NULL;
#ifdef HAVE_TLS
int is_tls = op->o_conn->c_is_tls;
-#endif /* HAVE_TLS */
time_t lc_time = (time_t)(-1);
+#endif /* HAVE_TLS */
assert( lcp != NULL );
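Review bot: Moving `#endif /* HAVE_TLS */` below `time_t lc_time = (time_t)(-1);` makes lc_time exist only in TLS-enabled builds, so every later use of it in ldap_back_getconn() must also sit inside an `#ifdef HAVE_TLS` block or a build configured without TLS stops compiling. The rest of the function is outside this hunk, so that cannot be confirmed here; compiling this file once without HAVE_TLS defined is the cheap check. ldap_back_getconn() begins and ends outside this hunk.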
* It allows to use SASL bind and yet proxyAuthz users
*/
if ( op->o_conn != NULL && !op->o_do_not_cache &&
- ( !LDAP_BACK_CONN_ISPRIV( lc ) || BER_BVISEMPTY( &lc->lc_bound_ndn )) &&
+ ( !LDAP_BACK_CONN_ISPRIV( lc ) ||
+ LDAP_BACK_CONN_ISIDASSERT( lc ) ||
+ BER_BVISEMPTY( &lc->lc_bound_ndn ) ) &&
( !isbound || ( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) )
{
(void)ldap_back_proxy_authz_bind( lc, op, rs, sendok );
goto done;
}
+ LDAP_BACK_CONN_ISIDASSERT_SET( lc );
+
if ( op->o_tag == LDAP_REQ_BIND ) {
ndn = op->o_req_ndn;
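Review bot: `LDAP_BACK_CONN_ISIDASSERT_SET( lc );` is placed after the proxyAuthz branch has already left via `goto done`, so the flag is set on the path that goes on to bind the connection as the client's own identity, not on the path that called ldap_back_proxy_authz_bind(); that reads as the opposite of what the macro name and the new `LDAP_BACK_CONN_ISIDASSERT( lc )` test in the widened condition suggest. If the intent is to mark a connection whose bind identity was replaced by the asserted one, the set belongs next to the ldap_back_proxy_authz_bind() call (or inside it on success) and this path should `LDAP_BACK_CONN_ISIDASSERT_CLEAR( lc );` instead. If the current placement is deliberate, a comment stating what the bit means at this point is needed, because with the widened condition a privileged connection carrying the bit can now be routed to proxyAuthz on the next dobind, and a reader cannot tell from this hunk whether that is wanted. ldap_back_dobind_int() begins and ends outside this hunk.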
* control to every operation with the dn bound
* to the connection as control value.
*/
-
/* bind as proxyauthzdn only if no idassert mode
* is requested, or if the client's identity
* is authorized */