ber_int_t msgid;
dncookie dc;
int isupdate;
-#ifdef LDAP_BACK_PROXY_AUTHZ
LDAPControl **ctrls = NULL;
+#ifdef LDAP_BACK_PROXY_AUTHZ
int rc = LDAP_SUCCESS;
#endif /* LDAP_BACK_PROXY_AUTHZ */
}
attrs[i] = NULL;
+ ctrls = op->o_ctrls;
#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
#endif /* LDAP_BACK_PROXY_AUTHZ */
rs->sr_err = ldap_add_ext(lc->ld, mdn.bv_val, attrs,
-#ifdef LDAP_BACK_PROXY_AUTHZ
- ctrls,
-#else /* ! LDAP_BACK_PROXY_AUTHZ */
- op->o_ctrls,
-#endif /* ! LDAP_BACK_PROXY_AUTHZ */
- NULL, &msgid);
+ ctrls, NULL, &msgid);
#ifdef LDAP_BACK_PROXY_AUTHZ
cleanup:
#include "rewrite.h"
#endif /* ENABLE_REWRITE */
+#ifdef LDAP_DEVEL
+#define LDAP_BACK_PROXY_AUTHZ
+#endif
+
LDAP_BEGIN_DECL
struct slap_conn;
#ifdef LDAP_BACK_PROXY_AUTHZ
struct berval proxyauthzdn;
struct berval proxyauthzpw;
+
+ /* ID assert stuff */
+ int idassert_mode;
+#define LDAP_BACK_IDASSERT_NONE 0
+#define LDAP_BACK_IDASSERT_PROXYID 1
+#define LDAP_BACK_IDASSERT_ANONYMOUS 2
+#define LDAP_BACK_IDASSERT_SELF 3
+#define LDAP_BACK_IDASSERT_OTHER 4
+ struct berval idassert_dn;
+ BerVarray idassert_authz;
+ /* end of ID assert stuff */
#endif /* LDAP_BACK_PROXY_AUTHZ */
+
ldap_pvt_thread_mutex_t conn_mutex;
int savecred;
Avlnode *conntree;
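Review bot: The `LDAP_BACK_IDASSERT_*` values at L40-L44 are `#define`s placed inside the struct body next to `idassert_mode`; an `enum` declared before the struct is the usual form, keeps the names visible to a debugger, and lets `idassert_mode` carry that type: `enum { LDAP_BACK_IDASSERT_NONE = 0, LDAP_BACK_IDASSERT_PROXYID, LDAP_BACK_IDASSERT_ANONYMOUS, LDAP_BACK_IDASSERT_SELF, LDAP_BACK_IDASSERT_OTHER };`. A one-line comment on `idassert_authz` at L46 stating that a NULL list means the authorization check is skipped would also help, since the control-building code elsewhere in this commit tests the pointer before consulting it.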
return -1;
}
- if ( lc->bound_dn.bv_val ) {
+ if ( !BER_BVISNULL( &lc->bound_dn ) ) {
ch_free( lc->bound_dn.bv_val );
- lc->bound_dn.bv_len = 0;
- lc->bound_dn.bv_val = NULL;
+ BER_BVZERO( &lc->bound_dn );
}
lc->bound = 0;
/* method is always LDAP_AUTH_SIMPLE if we got here */
} else {
ber_dupbv( &lc->bound_dn, &op->o_req_dn );
}
- mdn.bv_val = NULL;
+ BER_BVZERO( &mdn );
if ( li->savecred ) {
- if ( lc->cred.bv_val ) {
+ if ( !BER_BVISNULL( &lc->cred ) ) {
memset( lc->cred.bv_val, 0, lc->cred.bv_len );
ch_free( lc->cred.bv_val );
}
ldap_pvt_thread_mutex_lock( &li->conn_mutex );
lc = avl_delete( &li->conntree, (caddr_t)lc,
ldap_back_conn_cmp );
- if ( lc->local_dn.bv_val )
+ if ( !BER_BVISNULL( &lc->local_dn ) )
ch_free( lc->local_dn.bv_val );
ber_dupbv( &lc->local_dn, &op->o_req_ndn );
lerr = avl_insert( &li->conntree, (caddr_t)lc,
}
}
- if ( mdn.bv_val && mdn.bv_val != op->o_req_dn.bv_val ) {
+ if ( !BER_BVISNULL( &mdn ) && mdn.bv_val != op->o_req_dn.bv_val ) {
free( mdn.bv_val );
}
ber_dupbv( &lc->cred, &li->bindpw );
ber_dupbv( &lc->bound_dn, &li->binddn );
} else {
- lc->cred.bv_len = 0;
- lc->cred.bv_val = NULL;
- lc->bound_dn.bv_val = NULL;
- lc->bound_dn.bv_len = 0;
- if ( op->o_conn && op->o_conn->c_dn.bv_len != 0
+ BER_BVZERO( &lc->cred );
+ BER_BVZERO( &lc->bound_dn );
+ if ( op->o_conn && !BER_BVISEMPTY( &op->o_conn->c_dn )
&& ( op->o_bd == op->o_conn->c_authz_backend ) ) {
dncookie dc;
* control to every operation with the dn bound
* to the connection as control value.
*/
- if ( ( lc->bound_dn.bv_val == NULL || lc->bound_dn.bv_len == 0 )
- && ( op->o_conn && op->o_conn->c_dn.bv_val != NULL && op->o_conn->c_dn.bv_len != 0 )
- && ( li->proxyauthzdn.bv_val != NULL && li->proxyauthzdn.bv_len != 0 )
- && ! gotit ) {
- rs->sr_err = ldap_sasl_bind(lc->ld, li->proxyauthzdn.bv_val,
- LDAP_SASL_SIMPLE, &li->proxyauthzpw, NULL, NULL, &msgid);
+ if ( op->o_conn != NULL
+ && ( BER_BVISNULL( &lc->bound_dn ) || BER_BVISEMPTY( &lc->bound_dn ) ) ) {
+ struct berval binddn = slap_empty_bv;
+ struct berval bindcred = slap_empty_bv;
+
+ /* bind as proxyauthzdn only if no idassert mode is requested,
+ * or if the client's identity is authorized */
+ switch ( li->idassert_mode ) {
+ case LDAP_BACK_IDASSERT_NONE:
+ if ( !BER_BVISNULL( &op->o_conn->c_dn ) && !BER_BVISEMPTY( &op->o_conn->c_dn )
+ && !BER_BVISNULL( &li->proxyauthzdn ) && !BER_BVISEMPTY( &li->proxyauthzdn )
+ && !gotit ) {
+ binddn = li->proxyauthzdn;
+ bindcred = li->proxyauthzpw;
+ }
+ break;
+
+ default:
+ if ( li->idassert_authz ) {
+ struct berval authcDN = BER_BVISNULL( &op->o_conn->c_dn ) ? slap_empty_bv : op->o_conn->c_dn;
+
+ rc = slap_sasl_matches( op, li->idassert_authz,
+ &authcDN, &authcDN );
+ if ( rc != LDAP_SUCCESS ) {
+ break;
+ }
+ }
+ binddn = li->proxyauthzdn;
+ bindcred = li->proxyauthzpw;
+ break;
+ }
+
+ rs->sr_err = ldap_sasl_bind(lc->ld, binddn.bv_val,
+ LDAP_SASL_SIMPLE, &bindcred, NULL, NULL, &msgid);
} else
#endif /* LDAP_BACK_PROXY_AUTHZ */
{
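Review bot: In the `default` branch at L128-L141 a failing `slap_sasl_matches` only breaks out of the switch, so `ldap_sasl_bind` at L143 is still issued with `binddn` and `bindcred` equal to `slap_empty_bv` — an anonymous simple bind — and nothing records the refusal in `rs`; if that silent downgrade is not intended, set `rs->sr_err = rc;` there and skip the bind instead of falling through. The `rc` assigned at L132 is not declared within the hunk, so confirm it exists in ldap_back_dobind's scope. The enclosing function begins and ends outside the hunk.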
struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
LDAPControl **ctrls = NULL;
+ int i = 0;
+ struct berval assertedDN;
*pctrls = NULL;
- if ( ( lc->bound_dn.bv_val == NULL || lc->bound_dn.bv_len == 0 )
- && ( op->o_conn && op->o_conn->c_dn.bv_val != NULL && op->o_conn->c_dn.bv_len != 0 )
- && ( li->proxyauthzdn.bv_val != NULL && li->proxyauthzdn.bv_len != 0 ) ) {
- int i = 0;
-
- if ( !op->o_proxy_authz ) {
- ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) );
- ctrls[ 0 ] = ch_malloc( sizeof( LDAPControl ) );
-
- ctrls[ 0 ]->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
- ctrls[ 0 ]->ldctl_iscritical = 1;
- ctrls[ 0 ]->ldctl_value.bv_len = op->o_conn->c_dn.bv_len + 3;
- ctrls[ 0 ]->ldctl_value.bv_val = ch_malloc( ctrls[ 0 ]->ldctl_value.bv_len + 1 );
- AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val, "dn:", sizeof( "dn:" ) - 1 );
- AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val + sizeof( "dn:") - 1,
- op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len + 1 );
-
- if ( op->o_ctrls ) {
- for ( i = 0; op->o_ctrls[ i ]; i++ ) {
- ctrls[ i + 1 ] = op->o_ctrls[ i ];
- }
- }
- ctrls[ i + 1 ] = NULL;
+ if ( BER_BVISNULL( &li->proxyauthzdn ) ) {
+ goto done;
+ }
- } else {
+ if ( !op->o_conn ) {
+ goto done;
+ }
+
+ if ( li->idassert_mode == LDAP_BACK_IDASSERT_NONE ) {
+ if ( op->o_proxy_authz ) {
/*
* FIXME: we do not want to perform proxyAuthz
* on behalf of the client, because this would
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
rs->sr_text = "proxyAuthz not allowed within namingContext";
#endif
+ goto done;
+ }
+
+ if ( !BER_BVISNULL( &lc->bound_dn ) && !BER_BVISEMPTY( &lc->bound_dn ) ) {
+ goto done;
+ }
+
+ if ( BER_BVISNULL( &op->o_conn->c_dn ) || BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
+ goto done;
+ }
+
+ if ( BER_BVISEMPTY( &li->proxyauthzdn ) ) {
+ goto done;
+ }
+
+ } else if ( li->idassert_authz ) {
+ int rc;
+ struct berval authcDN = BER_BVISNULL( &op->o_conn->c_dn ) ? slap_empty_bv : op->o_conn->c_dn;
+
+
+ rc = slap_sasl_matches( op, li->idassert_authz,
+ &authcDN, & authcDN );
+ if ( rc != LDAP_SUCCESS ) {
+ /* op->o_conn->c_dn is not authorized
+ * to use idassert */
+ return rc;
+ }
+ }
+
+ switch ( li->idassert_mode ) {
+ case LDAP_BACK_IDASSERT_NONE:
+ case LDAP_BACK_IDASSERT_SELF:
+ /* original behavior:
+ * assert the client's identity */
+ assertedDN = op->o_conn->c_dn;
+ break;
+
+ case LDAP_BACK_IDASSERT_ANONYMOUS:
+ /* assert "anonymous" */
+ assertedDN = slap_empty_bv;
+ break;
+
+ case LDAP_BACK_IDASSERT_PROXYID:
+ /* don't assert; bind as proxyauthzdn */
+ goto done;
+
+ case LDAP_BACK_IDASSERT_OTHER:
+ /* assert idassert DN */
+ assertedDN = li->idassert_dn;
+ break;
+
+ default:
+ assert( 0 );
+ }
+
+ if ( BER_BVISNULL( &assertedDN ) ) {
+ assertedDN = slap_empty_bv;
+ }
+
+ ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) );
+ ctrls[ 0 ] = ch_malloc( sizeof( LDAPControl ) );
+
+ ctrls[ 0 ]->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
+ ctrls[ 0 ]->ldctl_iscritical = 1;
+ ctrls[ 0 ]->ldctl_value.bv_len = assertedDN.bv_len + STRLENOF( "dn:" );
+ ctrls[ 0 ]->ldctl_value.bv_val = ch_malloc( ctrls[ 0 ]->ldctl_value.bv_len + 1 );
+ AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val, "dn:", STRLENOF( "dn:" ) );
+ AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val + STRLENOF( "dn:" ),
+ assertedDN.bv_val, assertedDN.bv_len );
+ ctrls[ 0 ]->ldctl_value.bv_val[ ctrls[ 0 ]->ldctl_value.bv_len ] = '\0';
+
+ if ( op->o_ctrls ) {
+ for ( i = 0; op->o_ctrls[ i ]; i++ ) {
+ ctrls[ i + 1 ] = op->o_ctrls[ i ];
}
}
+ ctrls[ i + 1 ] = NULL;
+done:;
if ( ctrls == NULL ) {
ctrls = op->o_ctrls;
}
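Review bot: The control array at L251 is allocated with `i` still 0, i.e. two slots, but the loop at L263-L268 then stores every client control at `ctrls[ i + 1 ]` and writes a terminator after them, so any request carrying one or more controls writes past the allocation (the removed code at L156-L159 had the same sizing). Count `op->o_ctrls` before allocating, as below. Separately, the `return rc;` at L217 leaves `rs->sr_err` and `rs->sr_text` untouched, unlike the refusal at L189-L190, so if the caller's cleanup path sends `rs` the client receives whatever it held before; consider `rs->sr_err = rc;` there too. The function's end after `done:` lies outside the hunk.
```c
	/* … unchanged: idassert mode selection and assertedDN setup … */

	/* the array must hold every client control plus the proxyAuthz
	 * control and the NULL terminator, so count them first */
	if ( op->o_ctrls ) {
		for ( i = 0; op->o_ctrls[ i ]; i++ )
			;
	}
	ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) );
	ctrls[ 0 ] = ch_malloc( sizeof( LDAPControl ) );
	/* … unchanged: proxyAuthz control value construction and copy loop … */
```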
ber_int_t msgid;
int freeval = 0;
dncookie dc;
-#ifdef LDAP_BACK_PROXY_AUTHZ
LDAPControl **ctrls = NULL;
+#ifdef LDAP_BACK_PROXY_AUTHZ
int rc = LDAP_SUCCESS;
#endif /* LDAP_BACK_PROXY_AUTHZ */
}
}
+ ctrls = op->o_ctrls;
#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
rs->sr_err = ldap_compare_ext( lc->ld, mdn.bv_val,
mapped_at.bv_val, &mapped_val,
-#ifdef LDAP_BACK_PROXY_AUTHZ
- ctrls,
-#else /* ! LDAP_BACK_PROXY_AUTHZ */
- op->o_ctrls,
-#endif /* ! LDAP_BACK_PROXY_AUTHZ */
- NULL, &msgid );
+ ctrls, NULL, &msgid );
#ifdef LDAP_BACK_PROXY_AUTHZ
cleanup:
static SLAP_EXTOP_MAIN_FN ldap_back_exop_whoami;
+static int
+parse_idassert( BackendDB *be, const char *fname, int lineno,
+ int argc, char **argv );
+
int
ldap_back_db_config(
BackendDB *be,
return( 1 );
}
ber_str2bv( argv[1], 0, 1, &li->proxyauthzpw );
+
+ /* identity assertion stuff... */
+ } else if ( strncasecmp( argv[0], "idassert-", STRLENOF( "idassert-" ) ) == 0 ) {
+ return parse_idassert( be, fname, lineno, argc, argv );
#endif /* LDAP_BACK_PROXY_AUTHZ */
/* save bind creds for referral rebinds? */
return 0;
}
#endif /* ENABLE_REWRITE */
+
+#ifdef LDAP_BACK_PROXY_AUTHZ
+static int
+parse_idassert(
+ BackendDB *be,
+ const char *fname,
+ int lineno,
+ int argc,
+ char **argv
+)
+{
+ struct ldapinfo *li = (struct ldapinfo *) be->be_private;
+
+ if ( strcasecmp( argv[0], "idassert-mode" ) == 0 ) {
+ if ( argc != 2 ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( CONFIG, CRIT,
+ "%s: line %d: illegal args number %d in \"idassert-mode <args>\" line.\n",
+ fname, lineno, argc );
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: illegal args number %d in \"idassert-mode <args>\" line.\n",
+ fname, lineno, argc );
+#endif
+ return 1;
+ }
+
+ if ( strcasecmp( argv[1], "self" ) == 0 ) {
+ /* will proxyAuthz as (rewritten) client's identity */
+ li->idassert_mode = LDAP_BACK_IDASSERT_SELF;
+
+ } else if ( strcasecmp( argv[1], "anonymous" ) == 0 ) {
+ /* will proxyAuthz as anonymous */
+ li->idassert_mode = LDAP_BACK_IDASSERT_ANONYMOUS;
+
+ } else if ( strcasecmp( argv[1], "proxyid" ) == 0 ) {
+ /* will not proxyAuthz */
+ li->idassert_mode = LDAP_BACK_IDASSERT_PROXYID;
+
+ } else {
+ struct berval dn;
+ int rc;
+
+ /* will proxyAuthz as argv[1] */
+ li->idassert_mode = LDAP_BACK_IDASSERT_OTHER;
+
+ ber_str2bv( argv[1], 0, 0, &dn );
+
+ rc = dnNormalize( 0, NULL, NULL, &dn, &li->idassert_dn, NULL );
+ if ( rc != LDAP_SUCCESS ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( CONFIG, CRIT,
+ "%s: line %d: idassert DN \"%s\" is invalid.\n",
+ fname, lineno, argv[1] );
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: idassert DN \"%s\" is invalid\n",
+ fname, lineno, argv[1] );
+#endif
+ return 1;
+ }
+ }
+
+ } else if ( strcasecmp( argv[0], "idassert-authz" ) == 0 ) {
+ struct berval rule;
+
+ ber_str2bv( argv[1], 0, 1, &rule );
+
+ ber_bvarray_add( &li->idassert_authz, &rule );
+
+ } else {
+ return SLAP_CONF_UNKNOWN;
+ }
+
+ return 0;
+}
+#endif /* LDAP_BACK_PROXY_AUTHZ */
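Review bot: The `idassert-authz` branch at L381 uses `argv[1]` without checking `argc`, unlike the `idassert-mode` branch at L332, so a directive with no argument most likely hands a NULL pointer to `ber_str2bv`; add `if ( argc != 2 ) { return 1; }` with the same `Debug`/`LDAP_LOG` diagnostic the mode branch emits. In the `LDAP_BACK_IDASSERT_OTHER` branch at L366 a repeated `idassert-mode <dn>` line overwrites `li->idassert_dn` without releasing the earlier normalized value — freeing it first when `!BER_BVISNULL( &li->idassert_dn )` would avoid the leak. The function is fully contained in the hunk.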
struct ldapconn *lc;
ber_int_t msgid;
dncookie dc;
-#ifdef LDAP_BACK_PROXY_AUTHZ
LDAPControl **ctrls = NULL;
+#ifdef LDAP_BACK_PROXY_AUTHZ
int rc = LDAP_SUCCESS;
#endif /* LDAP_BACK_PROXY_AUTHZ */
}
#ifdef LDAP_BACK_PROXY_AUTHZ
+ ctrls = op->o_ctrls;
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
goto cleanup;
#endif /* LDAP_BACK_PROXY_AUTHZ */
rs->sr_err = ldap_delete_ext( lc->ld, mdn.bv_val,
-#ifdef LDAP_BACK_PROXY_AUTHZ
- ctrls,
-#else /* ! LDAP_BACK_PROXY_AUTHZ */
- op->o_ctrls,
-#endif /* ! LDAP_BACK_PROXY_AUTHZ */
- NULL, &msgid );
+ ctrls, NULL, &msgid );
#ifdef LDAP_BACK_PROXY_AUTHZ
cleanup:
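Review bot: `ctrls = op->o_ctrls;` at L405 sits below the `#ifdef LDAP_BACK_PROXY_AUTHZ` at L404, whereas the add, compare, modify, modrdn and search hunks in this commit place the same assignment before the `#ifdef`; in a build without `LDAP_BACK_PROXY_AUTHZ` `ctrls` therefore stays NULL and `ldap_delete_ext` at L410 is issued without the client's controls. Move the assignment above L404 to match the other operations. The enclosing function begins and ends outside the hunk.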
return -1;
}
- li->binddn.bv_val = NULL;
- li->binddn.bv_len = 0;
- li->bindpw.bv_val = NULL;
- li->bindpw.bv_len = 0;
+ BER_BVZERO( &li->binddn );
+ BER_BVZERO( &li->bindpw );
#ifdef LDAP_BACK_PROXY_AUTHZ
- li->proxyauthzdn.bv_val = NULL;
- li->proxyauthzdn.bv_len = 0;
- li->proxyauthzpw.bv_val = NULL;
- li->proxyauthzpw.bv_len = 0;
+ BER_BVZERO( &li->proxyauthzdn );
+ BER_BVZERO( &li->proxyauthzpw );
+
+ li->idassert_mode = LDAP_BACK_IDASSERT_NONE;
+ BER_BVZERO( &li->idassert_dn );
#endif /* LDAP_BACK_PROXY_AUTHZ */
#ifdef ENABLE_REWRITE
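Review bot: `li->idassert_mode` and `li->idassert_dn` are initialized at L436-L437 but `li->idassert_authz` is not, and `parse_idassert` later passes its address to `ber_bvarray_add`; unless `li` arrives zeroed from `ch_calloc`, which this hunk does not show, add `li->idassert_authz = NULL;` alongside them. The enclosing function begins and ends outside the hunk.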
ldap_free_urldesc( li->lud );
li->lud = NULL;
}
- if (li->binddn.bv_val) {
- ch_free(li->binddn.bv_val);
- li->binddn.bv_val = NULL;
+ if ( !BER_BVISNULL( &li->binddn ) ) {
+ ch_free( li->binddn.bv_val );
+ BER_BVZERO( &li->binddn );
}
- if (li->bindpw.bv_val) {
- ch_free(li->bindpw.bv_val);
- li->bindpw.bv_val = NULL;
+ if ( !BER_BVISNULL( &li->bindpw ) ) {
+ ch_free( li->bindpw.bv_val );
+ BER_BVZERO( &li->bindpw );
}
#ifdef LDAP_BACK_PROXY_AUTHZ
- if (li->proxyauthzdn.bv_val) {
- ch_free(li->proxyauthzdn.bv_val);
- li->proxyauthzdn.bv_val = NULL;
+ if ( !BER_BVISNULL( &li->proxyauthzdn ) ) {
+ ch_free( li->proxyauthzdn.bv_val );
+ BER_BVZERO( &li->proxyauthzdn );
+ }
+ if ( !BER_BVISNULL( &li->proxyauthzpw ) ) {
+ ch_free( li->proxyauthzpw.bv_val );
+ BER_BVZERO( &li->proxyauthzpw );
}
- if (li->proxyauthzpw.bv_val) {
- ch_free(li->proxyauthzpw.bv_val);
- li->proxyauthzpw.bv_val = NULL;
+ if ( !BER_BVISNULL( &li->idassert_dn ) ) {
+ ch_free( li->idassert_dn.bv_val );
+ BER_BVZERO( &li->idassert_dn );
}
#endif /* LDAP_BACK_PROXY_AUTHZ */
if (li->conntree) {
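Review bot: The teardown at L472-L475 frees `li->idassert_dn` but not `li->idassert_authz`, which `parse_idassert` fills through `ber_bvarray_add` with strings duplicated by `ber_str2bv( argv[1], 0, 1, &rule )`; add `if ( li->idassert_authz ) { ber_bvarray_free( li->idassert_authz ); li->idassert_authz = NULL; }` under the same `#ifdef`. The enclosing function begins and ends outside the hunk.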
ber_int_t msgid;
dncookie dc;
int isupdate;
-#ifdef LDAP_BACK_PROXY_AUTHZ
LDAPControl **ctrls = NULL;
-#endif /* LDAP_BACK_PROXY_AUTHZ */
lc = ldap_back_getconn(op, rs);
if ( !lc || !ldap_back_dobind( lc, op, rs ) ) {
}
modv[i] = 0;
+ ctrls = op->o_ctrls;
#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
#endif /* LDAP_BACK_PROXY_AUTHZ */
rs->sr_err = ldap_modify_ext( lc->ld, mdn.bv_val, modv,
-#ifdef LDAP_BACK_PROXY_AUTHZ
- ctrls,
-#else /* ! LDAP_BACK_PROXY_AUTHZ */
- op->o_ctrls,
-#endif /* ! LDAP_BACK_PROXY_AUTHZ */
- NULL, &msgid );
+ ctrls, NULL, &msgid );
cleanup:;
#ifdef LDAP_BACK_PROXY_AUTHZ
struct ldapconn *lc;
ber_int_t msgid;
dncookie dc;
-#ifdef LDAP_BACK_PROXY_AUTHZ
LDAPControl **ctrls = NULL;
+#ifdef LDAP_BACK_PROXY_AUTHZ
int rc = LDAP_SUCCESS;
#endif /* LDAP_BACK_PROXY_AUTHZ */
return -1;
}
+ ctrls = op->o_ctrls;
#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
rs->sr_err = ldap_rename( lc->ld, mdn.bv_val,
op->orr_newrdn.bv_val, mnewSuperior.bv_val,
op->orr_deleteoldrdn,
-#ifdef LDAP_BACK_PROXY_AUTHZ
ctrls,
-#else /* ! LDAP_BACK_PROXY_AUTHZ */
- op->o_ctrls,
-#endif /* ! LDAP_BACK_PROXY_AUTHZ */
NULL, &msgid );
#ifdef LDAP_BACK_PROXY_AUTHZ
struct berval mfilter = BER_BVNULL;
int dontfreetext = 0;
dncookie dc;
-#ifdef LDAP_BACK_PROXY_AUTHZ
LDAPControl **ctrls = NULL;
-#endif /* LDAP_BACK_PROXY_AUTHZ */
lc = ldap_back_getconn(op, rs);
if ( !lc ) {
goto finish;
}
+ ctrls = op->o_ctrls;
#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
rs->sr_err = ldap_search_ext(lc->ld, mbase.bv_val,
op->ors_scope, mfilter.bv_val,
mapped_attrs, op->ors_attrsonly,
-#ifdef LDAP_BACK_PROXY_AUTHZ
- ctrls,
-#else /* ! LDAP_BACK_PROXY_AUTHZ */
- op->o_ctrls,
-#endif /* ! LDAP_BACK_PROXY_AUTHZ */
- NULL,
+ ctrls, NULL,
tv.tv_sec ? &tv : NULL, op->ors_slimit,
&msgid );