.B bind_anon_dn
allows unauthenticated (anonymous) bind when DN is not empty.
.B update_anon
-allow unauthenticated (anonymous) update operations to be processed
+allows unauthenticated (anonymous) update operations to be processed
(subject to access controls and other administrative limits).
+.B proxy_authz_anon
+allows unauthenticated (anonymous) proxy authorization control to be processed
+(subject to access controls, authorization and other administrative limits).
.TP
.B argsfile <filename>
The ( absolute ) name of a file that will hold the
{ BER_BVC("bind_anon_cred"), SLAP_ALLOW_BIND_ANON_CRED },
{ BER_BVC("bind_anon_dn"), SLAP_ALLOW_BIND_ANON_DN },
{ BER_BVC("update_anon"), SLAP_ALLOW_UPDATE_ANON },
+ { BER_BVC("proxy_authz_anon"), SLAP_ALLOW_PROXY_AUTHZ_ANON },
{ BER_BVNULL, 0 }
};
if (c->op == SLAP_CONFIG_EMIT) {
return LDAP_PROTOCOL_ERROR;
}
+ if ( !( global_allows & SLAP_ALLOW_PROXY_AUTHZ_ANON )
+ && BER_BVISEMPTY( &op->o_ndn ) )
+ {
+ rs->sr_text = "anonymous proxyAuthz not allowed";
+ return LDAP_PROXY_AUTHZ_FAILURE;
+ }
+
op->o_proxy_authz = ctrl->ldctl_iscritical
? SLAP_CONTROL_CRITICAL
: SLAP_CONTROL_NONCRITICAL;
| SLAP_RESTRICT_OP_BIND \
| SLAP_RESTRICT_OP_EXTENDED )
-#define SLAP_ALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
+#define SLAP_ALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
#define SLAP_ALLOW_BIND_ANON_CRED 0x0002U /* cred should be empty */
#define SLAP_ALLOW_BIND_ANON_DN 0x0004U /* dn should be empty */
#define SLAP_ALLOW_UPDATE_ANON 0x0008U /* allow anonymous updates */
+#define SLAP_ALLOW_PROXY_AUTHZ_ANON 0x0010U /* allow anonymous proxyAuthz */
#define SLAP_DISALLOW_BIND_ANON 0x0001U /* no anonymous */
#define SLAP_DISALLOW_BIND_SIMPLE 0x0002U /* simple authentication */
projects / openldap / commitdiff