slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
void *private = op->o_bd->be_private;
slap_callback *sc = op->o_callback;
- LDAPControl **prev = op->o_ctrls;
- LDAPControl **ctrls = NULL, *c[ 2 ], authz;
- int i, nctrls = 0, rc = 0;
+ int rc = 0;
int cache = op->o_do_not_cache;
char *authzid = NULL;
BerVarray ref;
op->o_bd->be_private = on->on_bi.bi_private;
}
- /* Chaining is performed by a privileged user on behalf
- * of a normal user, using the ProxyAuthz control. However,
- * Binds are done separately, on an anonymous session.
+ /* Chaining can be performed by a privileged user on behalf
+ * of normal users, using the ProxyAuthz control, by exploiting
+ * the identity assertion feature of back-ldap; see idassert-*
+ * directives in slapd-ldap(5).
*/
- if ( op->o_tag != LDAP_REQ_BIND ) {
- if ( prev ) {
- for ( i = 0; prev[i]; i++ )
- /* count and set prev to the last one */ ;
- nctrls = i;
-
- ctrls = op->o_tmpalloc((i + 1)*sizeof(LDAPControl *),
- op->o_tmpmemctx);
- for ( i = 0; i < nctrls; i++ ) {
- ctrls[i] = prev[i];
- }
-
- } else {
- ctrls = c;
- }
-
- ctrls[nctrls] = &authz;
- ctrls[nctrls + 1] = NULL;
- authz.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
- authz.ldctl_iscritical = 1;
- authz.ldctl_value = op->o_dn;
- if ( !BER_BVISEMPTY( &op->o_dn ) ) {
- authzid = op->o_tmpalloc( op->o_dn.bv_len + STRLENOF("dn:"),
- op->o_tmpmemctx );
- strcpy(authzid, "dn:");
- strcpy(authzid + STRLENOF("dn:"), op->o_dn.bv_val);
- authz.ldctl_value.bv_len = op->o_dn.bv_len + STRLENOF("dn:");
- authz.ldctl_value.bv_val = authzid;
- }
- op->o_ctrls = ctrls;
- op->o_ndn = op->o_bd->be_rootndn;
- }
switch ( op->o_tag ) {
case LDAP_REQ_BIND: {
break;
}
op->o_do_not_cache = cache;
- op->o_ctrls = prev;
op->o_bd->be_private = private;
op->o_callback = sc;
op->o_ndn = ndn;
- if ( ctrls && ctrls != c ) {
- op->o_tmpfree( ctrls, op->o_tmpmemctx );
- }
if ( authzid ) {
op->o_tmpfree( authzid, op->o_tmpmemctx );
}
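Review bot: `authzid` is left dead on the new side: its only assignment was inside the removed ProxyAuthz block, so the retained `if ( authzid ) { op->o_tmpfree( authzid, op->o_tmpmemctx ); }` at the end of this hunk can never free anything and should be dropped together with the `char *authzid = NULL;` declaration earlier in the function. The `op->o_ndn = ndn;` restore on the line above also appears vestigial now that the removed `op->o_ndn = op->o_bd->be_rootndn;` override is gone, unless `ndn` is still rewritten in the bind path outside the visible hunks — confirm before removing it. The enclosing function starts and ends outside the hunk.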
authz-policy both
authz-regexp "^uid=admin/([^,]+),.+" "ldap:///ou=Admin,dc=example,dc=com??sub?(cn=$1)"
authz-regexp "^uid=it/([^,]+),.+" "ldap:///ou=People,dc=example,dc=it??sub?(uid=$1)"
-authz-regexp "^uid=(us/)*([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)"
+authz-regexp "^uid=(us/)?([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)"
#
# normal installations should protect root dse,
#ldapyes#overlay chain
#ldapyes#chain-uri @URI1@
-#ldapyes#chain-acl-authcDN "cn=Manager,dc=example,dc=com"
-#ldapyes#chain-acl-passwd secret
+#ldapyes#chain-idassert-method "simple"
+#ldapyes#chain-idassert-authcDN "cn=Manager,dc=example,dc=com"
+#ldapyes#chain-idassert-passwd secret
+#ldapyes#chain-idassert-mode self
#ldapmod#overlay chain
#ldapmod#chain-uri @URI1@
-#ldapmod#chain-acl-authcDN "cn=Manager,dc=example,dc=com"
-#ldapmod#chain-acl-passwd secret
+#ldapmod#chain-idassert-method "simple"
+#ldapmod#chain-idassert-authcDN "cn=Manager,dc=example,dc=com"
+#ldapmod#chain-idassert-passwd secret
+#ldapmod#chain-idassert-mode self
#######################################################################
# database definitions
#ldapyes#overlay chain
#ldapyes#chain-uri @URI1@
-#ldapyes#chain-acl-authcDN "cn=Manager,dc=example,dc=com"
-#ldapyes#chain-acl-passwd secret
+#ldapyes#chain-idassert-method "simple"
+#ldapyes#chain-idassert-authcDN "cn=Manager,dc=example,dc=com"
+#ldapyes#chain-idassert-passwd secret
+#ldapyes#chain-idassert-mode self
#ldapmod#overlay chain
#ldapmod#chain-uri @URI1@
-#ldapmod#chain-acl-authcDN "cn=Manager,dc=example,dc=com"
-#ldapmod#chain-acl-passwd secret
+#ldapmod#chain-idassert-method "simple"
+#ldapmod#chain-idassert-authcDN "cn=Manager,dc=example,dc=com"
+#ldapmod#chain-idassert-passwd secret
+#ldapmod#chain-idassert-mode self
#######################################################################
# consumer database definitions