More for ITS#5785

diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index d4b47c435453ebd4ee8f68f06484701583d41c70..8a7f8e8477e4b5887d4f1253e04e1c32e31505a5 100644 (file)
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -427,6 +427,12 @@ upon StartTLS operation receipt.
 .B tls_authc
 disallows the StartTLS operation if authenticated (see also
 .BR tls_2_anon ).
+.B proxy_authz_non_critical
+disables acceptance of the proxied authorization control (RFC4370)
+when criticality is FALSE.
+.B dontusecopy_non_critical
+disables acceptance of the dontUseCopy control (a work in progress)
+when criticality is FALSE.
 .HP
 .hy 0
 .B ditcontentrule "(\ <oid>\

diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index aeba5c405d6ba527c67abb3b5e48845f515a63a0..974f2fd53fb92fb384835a46dc295c5d440194ed 100644 (file)
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -2587,6 +2587,8 @@ config_disallows(ConfigArgs *c) {
                { BER_BVC("bind_simple"),       SLAP_DISALLOW_BIND_SIMPLE },
                { BER_BVC("tls_2_anon"),                SLAP_DISALLOW_TLS_2_ANON },
                { BER_BVC("tls_authc"),         SLAP_DISALLOW_TLS_AUTHC },
+               { BER_BVC("proxy_authz_non_critical"),  SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT },
+               { BER_BVC("dontusecopy_non_critical"),  SLAP_DISALLOW_DONTUSECOPY_N_CRIT },
                { BER_BVNULL, 0 }
        };
        if (c->op == SLAP_CONFIG_EMIT) {

diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index ee2a36742f91aca599ebb4f9e732a257f23d11c5..b812bf6b153c5b4637492811d5402b78cd64306c 100644 (file)
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -960,6 +960,13 @@ static int parseDontUseCopy (
                return LDAP_PROTOCOL_ERROR;
        }
 
+       if ( ( global_disallows & SLAP_DISALLOW_DONTUSECOPY_N_CRIT )
+               && !ctrl->ldctl_iscritical )
+       {
+               rs->sr_text = "dontUseCopy criticality of FALSE not allowed";
+               return LDAP_PROTOCOL_ERROR;
+       }
+
        op->o_dontUseCopy = ctrl->ldctl_iscritical
                ? SLAP_CONTROL_CRITICAL
                : SLAP_CONTROL_NONCRITICAL;
@@ -1029,6 +1036,13 @@ static int parseProxyAuthz (
                return LDAP_PROTOCOL_ERROR;
        }
 
+       if ( ( global_disallows & SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT )
+               && !ctrl->ldctl_iscritical )
+       {
+               rs->sr_text = "proxied authorization criticality of FALSE not allowed";
+               return LDAP_PROTOCOL_ERROR;
+       }
+
        if ( !( global_allows & SLAP_ALLOW_PROXY_AUTHZ_ANON )
                && BER_BVISEMPTY( &op->o_ndn ) )
        {

diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index df29ec914dd908ebe0cf094c84df3ddbbbf6c3e5..d0d7c4e6d56fbfb1105ef36bb231138c4f0a0668 100644 (file)
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1861,6 +1861,9 @@ struct BackendDB {
 #define SLAP_DISALLOW_TLS_2_ANON       0x0010U /* StartTLS -> Anonymous */
 #define SLAP_DISALLOW_TLS_AUTHC                0x0020U /* TLS while authenticated */
 
+#define SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT       0x0100U
+#define SLAP_DISALLOW_DONTUSECOPY_N_CRIT       0x0200U
+
 #define SLAP_DISALLOW_AUX_WO_CR                0x4000U
 
        slap_mask_t     be_requires;    /* pre-operation requirements */