.I saslAuthzTo
attribute must be protected with ACLs such that
only privileged users can modify it.
+The value of
+.I saslAuthzFrom
+and
+.I saslAuthzTo
+describes an
+.B identity
+or a set of identities; it can take three forms:
+.RS
+.RS
+.TP
+.B ldap:///<base>??[<scope>]?<filter>
+.RE
+.RS
+.B dn[.<dnstyle>]:<pattern>
+.RE
+.RS
+.B u[<mech>[<realm>]]:<pattern>
+.RE
+.RS
+.B <pattern>
+.RE
+.RS
+
+.B <dnstyle>:={exact|onelevel|children|subtree|regex}
+
+.RE
+The first form is a valid LDAP
+.B uri
+where the
+.IR <host>:<port> ,
+the
+.I <attrs>
+and the
+.I <extensions>
+portions must be absent, so that the search occurs locally on either
+.I saslAuthzFrom
+or
+.IR saslAuthzTo .
+The second form is a
+.BR DN ,
+with the optional style modifiers
+.IR exact ,
+.IR onelevel ,
+.IR children ,
+and
+.I subtree
+for exact, onelevel, children and subtree matches, which cause
+.I <pattern>
+to be normalized according to the DN normalization rules, or the special
+.I regex
+style, which causes
+.I <pattern>
+to be compiled according to
+.BR regex (7).
+The third form is a SASL
+.BR id ,
+with the optional fields
+.I <mech>
+and
+.I <realm>
+that allow to specify a SASL
+.BR mechanism ,
+and eventually a SASL
+.BR realm ,
+for those mechanisms that support one.
+The need to allow the specification of a mechanism is still debated,
+and users are strongly discouraged to rely on this possibility.
+For backwards compatibility, if no identity type is provided, i.e. only
+.B <pattern>
+is present, an
+.I exact DN
+is assumed; as a consequence,
+.B <pattern>
+is subjected to DN normalization.
+Since the interpretation of
+.I saslAuthzFrom
+and
+.I saslAuthzTo
+can impact security, users are strongly encouraged
+to explicitly set the type of identity specification that is being used.
+.RE
.TP
.B sasl-host <fqdn>
Used to specify the fully qualified domain name used for SASL processing.
#define LDAP_X_SCOPE_REGEX ((ber_int_t) 0x0020)
#define LDAP_X_SCOPE_CHILDREN ((ber_int_t) 0x0030)
#define LDAP_X_SCOPE_SUBTREE ((ber_int_t) 0x0040)
+#define LDAP_X_SCOPE_ONELEVEL ((ber_int_t) 0x0050)
/*
* IDs in DNauthzid form can now have a type specifier, that
bv.bv_val += sizeof( "subtree" ) - 1;
*scope = LDAP_X_SCOPE_SUBTREE;
+ } else if ( !strncasecmp( bv.bv_val, "onelevel:", sizeof( "onelevel:" ) - 1 ) ) {
+ bv.bv_val += sizeof( "onelevel" ) - 1;
+ *scope = LDAP_X_SCOPE_ONELEVEL;
+
} else {
return LDAP_PROTOCOL_ERROR;
}
case LDAP_X_SCOPE_EXACT:
case LDAP_X_SCOPE_CHILDREN:
case LDAP_X_SCOPE_SUBTREE:
+ case LDAP_X_SCOPE_ONELEVEL:
rc = dnNormalize( 0, NULL, NULL, &bv, nbase, op->o_tmpmemctx );
if( rc != LDAP_SUCCESS ) {
*scope = -1;
case LDAP_X_SCOPE_CHILDREN:
case LDAP_X_SCOPE_SUBTREE:
+ case LDAP_X_SCOPE_ONELEVEL:
{
int d = assertDN->bv_len - op.o_req_ndn.bv_len;
bv.bv_val = assertDN->bv_val + d;
if ( bv.bv_val[ -1 ] == ',' && dn_match( &op.o_req_ndn, &bv ) ) {
- rc = LDAP_SUCCESS;
+ switch ( op.oq_search.rs_scope ) {
+ case LDAP_X_SCOPE_CHILDREN:
+ rc = LDAP_SUCCESS;
+ break;
+
+ case LDAP_X_SCOPE_ONELEVEL:
+ {
+ struct berval pdn;
+
+ dnParent( assertDN, &pdn );
+ /* the common portion of the DN
+ * already matches, so only check
+ * if parent DN of assertedDN
+ * is all the pattern */
+ if ( pdn.bv_len == op.o_req_ndn.bv_len ) {
+ rc = LDAP_SUCCESS;
+ }
+ break;
+ }
+ default:
+ /* at present, impossible */
+ assert( 0 );
+ }
}
}
goto CONCLUDED;
case LDAP_X_SCOPE_REGEX:
case LDAP_X_SCOPE_SUBTREE:
case LDAP_X_SCOPE_CHILDREN:
+ case LDAP_X_SCOPE_ONELEVEL:
/* correctly parsed, but illegal */
goto FINISHED;
projects / openldap / commitdiff