Revert to simple authzID behavior
authorHoward Chu <hyc@openldap.org>
Tue, 23 Dec 2003 14:27:54 +0000 (14:27 +0000)
committerHoward Chu <hyc@openldap.org>
Tue, 23 Dec 2003 14:27:54 +0000 (14:27 +0000)
servers/slapd/controls.c
servers/slapd/sasl.c

index 97e66724ea505d3d19327d1142de3ad6826460ff..a5bdde13fc57f7b80cc017830495ce887cc318de 100644 (file)
@@ -750,46 +750,17 @@ static int parseProxyAuthz (
                return LDAP_SUCCESS;
        }
 
-       /* FIXME: how can we get the realm? */
-       {
-               int     rc;
-               char            buf[ SLAP_LDAPDN_MAXLEN ];
-               struct berval   id,
-                               user = { 0, NULL },
-                               realm = { 0, NULL },
-                               mech = { 0, NULL };
-
-               if ( sizeof( buf ) <= ctrl->ldctl_value.bv_len ) {
-                       return LDAP_INVALID_SYNTAX;
-               }
-
-               id.bv_len = ctrl->ldctl_value.bv_len;
-               id.bv_val = buf;
-               strncpy( buf, ctrl->ldctl_value.bv_val, sizeof( buf ) );
+       rc = slap_sasl_getdn( op->o_conn, op,
+                       ctrl->ldctl_value.bv_val, ctrl->ldctl_value.bv_len,
+                       NULL, &dn, SLAP_GETDN_AUTHZID );
 
-               rc = slap_parse_user( &id, &user, &realm, &mech );
-               if ( rc == LDAP_SUCCESS ) {
-                       struct berval authz = BER_BVC( "AUTHZ" );
-
-                       if ( mech.bv_len && !bvmatch( &mech, &authz) ) {
-                               rs->sr_text = "mech not allowed in authzId";
-                               return LDAP_PROXY_AUTHZ_FAILURE;
-                       }
-               } else {
-                       user = ctrl->ldctl_value;
+       if( rc != LDAP_SUCCESS || !dn.bv_len ) {
+               if ( dn.bv_val ) {
+                       ch_free( dn.bv_val );
                }
+               rs->sr_text = "authzId mapping failed";
+               return LDAP_PROXY_AUTHZ_FAILURE;
 
-               rc = slap_sasl_getdn( op->o_conn, op,
-                               user.bv_val, user.bv_len,
-                               realm.bv_val, &dn, SLAP_GETDN_AUTHZID );
-
-               if( rc != LDAP_SUCCESS || !dn.bv_len ) {
-                       if ( dn.bv_val ) {
-                               ch_free( dn.bv_val );
-                       }
-                       rs->sr_text = "authzId mapping failed";
-                       return LDAP_PROXY_AUTHZ_FAILURE;
-               }
        }
 
 #ifdef NEW_LOGGING
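Review bot: The new `rc = slap_sasl_getdn( ... )` at the top of the hunk depends on an `rc` declared outside it — the block being replaced carried its own `int rc;`, so confirm parseProxyAuthz still declares one at function scope (the function begins before this hunk). The failure branch reads `dn.bv_val` whether or not slap_sasl_getdn assigned it, so unless `dn` is already zeroed where it is declared, initialise it the way the removed code did for its bervals, `struct berval dn = { 0, NULL };`, before the call. Dropping the `sizeof( buf ) <= ctrl->ldctl_value.bv_len` guard means a control value of any length now reaches slap_sasl_getdn unbounded; that is fine only if every path in that function sizes its allocations from `len` rather than a fixed buffer, which is worth checking since the old bound existed for a reason. With `realm` passed as NULL and the mech check gone, an authzId carrying a mechanism suffix is no longer rejected here with "mech not allowed in authzId"; if that rejection is still wanted, it now has to live inside slap_sasl_getdn.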
index 60e9db716dde422360101cb4d508e018359c8f0f..f186eb7c0c95003c9363d7f5b67d5ce52f4ae799 100644 (file)
@@ -1881,29 +1881,6 @@ int slap_sasl_getdn( Connection *conn, Operation *op, char *id, int len,
 
                len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1;
 
-#if 0
-               /* username may have embedded realm name */
-               /* FIXME:
-                * userids can legally have embedded '@' chars;
-                * the realm should be set by those mechanisms
-                * that support it by means of the user_realm
-                * variable
-                */
-               if( ( realm.bv_val = strrchr( dn->bv_val, '@') ) ) {
-                       char *r = realm.bv_val;
-
-                       realm.bv_val++;
-                       realm.bv_len = dn->bv_len - ( realm.bv_val - dn->bv_val );
-                       len += sizeof( ",cn=" ) - 2;
-                       c1.bv_len -= realm.bv_len + 1;
-
-                       if ( strchr( dn->bv_val, '@') == r ) {
-                               /* FIXME: ambiguity, is it the realm 
-                                * or something else? */
-                       }       
-                       
-               } else
-#endif
                if( user_realm && *user_realm ) {
                        realm.bv_val = user_realm;
                        realm.bv_len = strlen( user_realm );