* otherwise we cannot do symmetric pools of servers;
* we have to live with the fact that a user can
* authorize itself as any ID that is allowed
- * by the saslAuthzTo directive of the "proxyauthzdn".
+ * by the authzTo directive of the "proxyauthzdn".
*/
/*
* NOTE: current Proxy Authorization specification
* control to every operation with the dn bound
* to the connection as control value.
*/
- if ( op->o_conn != NULL
- && ( BER_BVISNULL( &lc->bound_dn ) || BER_BVISEMPTY( &lc->bound_dn ) ) ) {
+ if ( op->o_conn != NULL && ( ( BER_BVISNULL( &lc->bound_dn ) || BER_BVISEMPTY( &lc->bound_dn ) ) ) )
+ {
struct berval binddn = slap_empty_bv;
struct berval bindcred = slap_empty_bv;
int dobind = 0;
- /* bind as proxyauthzdn only if no idassert mode is requested,
- * or if the client's identity is authorized */
+ /* bind as proxyauthzdn only if no idassert mode
+ * is requested, or if the client's identity
+ * is authorized */
switch ( li->idassert_mode ) {
case LDAP_BACK_IDASSERT_LEGACY:
if ( !BER_BVISNULL( &op->o_conn->c_dn ) && !BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
struct berval authzID = BER_BVNULL;
int freeauthz = 0;
-#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
/* if SASL supports native authz, prepare for it */
if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {
-#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
switch ( li->idassert_mode ) {
case LDAP_BACK_IDASSERT_OTHERID:
case LDAP_BACK_IDASSERT_OTHERDN:
break;
case LDAP_BACK_IDASSERT_SELF:
+ if ( BER_BVISNULL( &op->o_conn->c_dn ) ) {
+ /* connection is not authc'd, so don't idassert */
+ /* FIXME: cyrus-sasl doesn't honor empty authzID!
+ * i.e. NULL is equivalent to ""! */
+ break;
+ }
authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_dn.bv_len;
authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx );
AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
default:
break;
}
-#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
}
-#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
#if 0 /* will deal with this later... */
if ( sasl_secprops != NULL ) {
* be performed with "proxyauthzdn" privileges.
*
* This might actually be too strict, since
- * the "proxyauthzdn" saslAuthzTo, and each entry's
- * saslAuthzFrom attributes may be crafted
+ * the "proxyauthzdn" authzTo, and each entry's
+ * authzFrom attributes may be crafted
* to avoid unwanted proxyAuthz to take place.
*/
#if 0
}
} else if ( li->idassert_authmethod == LDAP_AUTH_SASL ) {
-#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
- if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {
-#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
+ if ( ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ )
+ && !BER_BVISNULL( &op->o_conn->c_dn ) && !BER_BVISEMPTY( &op->o_conn->c_dn ) )
+ {
/* already asserted in SASL via native authz */
goto done;
-#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
}
-#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
} else if ( li->idassert_authz ) {
int rc;
}
}
+ if ( op->o_proxy_authz ) {
+ /*
+ * FIXME: we can:
+ * 1) ignore the already set proxyAuthz control
+ * 2) leave it in place, and don't set ours
+ * 3) add both
+ * 4) reject the operation
+ *
+ * option (4) is very drastic
+ * option (3) will make the remote server reject
+ * the operation, thus being equivalent to (4)
+ * option (2) will likely break the idassert
+ * assumptions, so we cannot accept it;
+ * option (1) means that we are contradicting
+ * the client's reques.
+ *
+ * I think (4) is the only correct choice.
+ */
+ rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ rs->sr_text = "proxyAuthz not allowed within namingContext";
+ }
+
switch ( li->idassert_mode ) {
case LDAP_BACK_IDASSERT_LEGACY:
case LDAP_BACK_IDASSERT_SELF:
/* original behavior:
* assert the client's identity */
- assertedID = op->o_conn->c_dn;
+ /* FIXME: we may get here if binding anonymously,
+ * because cyrus sasl doesn't honor empty (i.e. "")
+ * authzID */
+ assertedID = BER_BVISNULL( &op->o_conn->c_dn ) ? slap_empty_bv : op->o_conn->c_dn;
break;
case LDAP_BACK_IDASSERT_ANONYMOUS:
/* name to use for proxyAuthz propagation */
} else if ( strcasecmp( argv[0], "idassert-authcdn" ) == 0
- || strcasecmp( argv[0], "proxyauthzdn" ) == 0 ) {
+ || strcasecmp( argv[0], "proxyauthzdn" ) == 0 )
+ {
struct berval dn;
int rc;
+ /* FIXME: "proxyauthzdn" is no longer documented, and
+ * temporarily supported for backwards compatibility */
+
if ( argc != 2 ) {
fprintf( stderr,
"%s: line %d: missing name in \"%s <name>\" line\n",
/* password to use for proxyAuthz propagation */
} else if ( strcasecmp( argv[0], "idassert-passwd" ) == 0
- || strcasecmp( argv[0], "proxyauthzpw" ) == 0 ) {
+ || strcasecmp( argv[0], "proxyauthzpw" ) == 0 )
+ {
+ /* FIXME: "proxyauthzpw" is no longer documented, and
+ * temporarily supported for backwards compatibility */
+
if ( argc != 2 ) {
fprintf( stderr,
"%s: line %d: missing password in \"%s <password>\" line\n",
ber_str2bv( argv[1], 0, 1, &li->idassert_passwd );
/* rules to accept identity assertion... */
- } else if ( strcasecmp( argv[0], "idassert-authz" ) == 0 ) {
+ } else if ( strcasecmp( argv[0], "idassert-authzFrom" ) == 0 ) {
struct berval rule;
ber_str2bv( argv[1], 0, 1, &rule );
}
ber_str2bv( val, 0, 1, &li->idassert_sasl_mech );
-#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
- /* mechs that are known to support native authz... */
- if ( strcasecmp( li->idassert_sasl_mech.bv_val, "DIGEST-MD5" ) == 0 ) {
- li->idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ;
- }
-#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
-
} else if ( strncasecmp( argv[arg], "realm=", STRLENOF( "realm=" ) ) == 0 ) {
char *val = argv[arg] + STRLENOF( "realm=" );
}
ber_str2bv( val, 0, 1, &li->idassert_passwd );
-#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
} else if ( strncasecmp( argv[arg], "authz=", STRLENOF( "authz=" ) ) == 0 ) {
char *val = argv[arg] + STRLENOF( "authz=" );
- if ( strcasecmp( val, "native" ) == 0 ) {
+ if ( strcasecmp( val, "proxyauthz" ) == 0 ) {
+ li->idassert_flags &= ~LDAP_BACK_AUTH_NATIVE_AUTHZ;
+
+ } else if ( strcasecmp( val, "native" ) == 0 ) {
li->idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ;
} else {
fprintf( stderr, "%s: line %s: "
- "unknown SASL flag \"%s\"\n",
+ "unknown authz mode \"%s\"\n",
fname, lineno, val );
return 1;
}
-#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
} else {
fprintf( stderr, "%s: line %d: "
projects / openldap / commitdiff