Change slap_sasl_authorized to take an Operation instead of a Connection,

for compatibility with proxyAuthz control

diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index d7ad0d14985ef391ec128872f8177910b033c248..20c4545c01c20f90efe6c40fcb6319845658a221 100644 (file)
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -740,7 +740,7 @@ static int parseProxyAuthz (
                dn.bv_len ? dn.bv_val : "(NULL)", 0 );
 #endif
 
-       rc = slap_sasl_authorized( op->o_conn, &op->o_ndn, &dn );
+       rc = slap_sasl_authorized( op, &op->o_ndn, &dn );
 
        if( rc ) {
                ch_free( dn.bv_val );

diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 1516f379a94812c5ec705ff677a1b5aea77ec500..f8103f4f9e6e38aab6e35c472f06b437fa1355f8 100644 (file)
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -869,7 +869,7 @@ LDAP_SLAPD_F (void) slap_sasl2dn LDAP_P((
        struct berval *saslname,
        struct berval *dn ));
 LDAP_SLAPD_F (int) slap_sasl_authorized LDAP_P((
-       Connection *conn,
+       Operation *op,
        struct berval *authcid,
        struct berval *authzid ));
 LDAP_SLAPD_F (int) slap_sasl_regexp_config LDAP_P((

diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index eb8f337cf3a09d7cf0d351f49f76893442b61dd5..a8f3eca30ff548d4bc4300941ebc93a9bd18a2c3 100644 (file)
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -752,7 +752,7 @@ slap_sasl_authorize(
        
        AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) );
 
-       rc = slap_sasl_authorized( conn, &authcDN, &authzDN );
+       rc = slap_sasl_authorized( conn->c_sasl_bindop, &authcDN, &authzDN );
        ch_free( authcDN.bv_val );
        if ( rc != LDAP_SUCCESS ) {
 #ifdef NEW_LOGGING
@@ -867,7 +867,7 @@ slap_sasl_authorize(
                return SASL_NOAUTHZ;
        }
 
-       rc = slap_sasl_authorized(conn, &authcDN, &authzDN );
+       rc = slap_sasl_authorized(conn->c_sasl_bindop, &authcDN, &authzDN );
        ch_free( authcDN.bv_val );
        if( rc ) {
 #ifdef NEW_LOGGING

diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 77da7cdd587b63721fd225144685b0767588797c..56cfc60021fe579e148e55aa9b00c25d0cc065ab 100644 (file)
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -490,7 +490,7 @@ CONCLUDED:
  * The DNs should not have the dn: prefix
  */
 static int
-slap_sasl_check_authz( Connection *conn,
+slap_sasl_check_authz( Operation *op,
        struct berval *searchDN,
        struct berval *assertDN,
        AttributeDescription *ad,
@@ -509,19 +509,19 @@ slap_sasl_check_authz( Connection *conn,
           assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 #endif
 
-       rc = backend_attribute( conn->c_sasl_bindop, NULL,
+       rc = backend_attribute( op, NULL,
                searchDN, ad, &vals );
        if( rc != LDAP_SUCCESS ) goto COMPLETE;
 
        /* Check if the *assertDN matches any **vals */
        for( i=0; vals[i].bv_val != NULL; i++ ) {
-               rc = slap_sasl_match( conn->c_sasl_bindop, &vals[i], assertDN, authc );
+               rc = slap_sasl_match( op, &vals[i], assertDN, authc );
                if ( rc == LDAP_SUCCESS ) goto COMPLETE;
        }
        rc = LDAP_INAPPROPRIATE_AUTH;
 
 COMPLETE:
-       if( vals ) ber_bvarray_free_x( vals, conn->c_sasl_bindop->o_tmpmemctx );
+       if( vals ) ber_bvarray_free_x( vals, op->o_tmpmemctx );
 
 #ifdef NEW_LOGGING
        LDAP_LOG( TRANSPORT, RESULTS, 
@@ -645,7 +645,7 @@ FINISHED:
  * The DNs should not have the dn: prefix
  */
 
-int slap_sasl_authorized( Connection *conn,
+int slap_sasl_authorized( Operation *op,
        struct berval *authcDN, struct berval *authzDN )
 {
        int rc = LDAP_INAPPROPRIATE_AUTH;
@@ -673,14 +673,14 @@ int slap_sasl_authorized( Connection *conn,
        }
 
        /* Allow the manager to authorize as any DN. */
-       if( conn->c_authz_backend && be_isroot( conn->c_authz_backend, authcDN )) {
+       if( op->o_conn->c_authz_backend && be_isroot( op->o_conn->c_authz_backend, authcDN )) {
                rc = LDAP_SUCCESS;
                goto DONE;
        }
 
        /* Check source rules */
        if( authz_policy & SASL_AUTHZ_TO ) {
-               rc = slap_sasl_check_authz( conn, authcDN, authzDN,
+               rc = slap_sasl_check_authz( op, authcDN, authzDN,
                        slap_schema.si_ad_saslAuthzTo, authcDN );
                if( rc == LDAP_SUCCESS ) {
                        goto DONE;
@@ -689,7 +689,7 @@ int slap_sasl_authorized( Connection *conn,
 
        /* Check destination rules */
        if( authz_policy & SASL_AUTHZ_FROM ) {
-               rc = slap_sasl_check_authz( conn, authzDN, authcDN,
+               rc = slap_sasl_check_authz( op, authzDN, authcDN,
                        slap_schema.si_ad_saslAuthzFrom, authcDN );
                if( rc == LDAP_SUCCESS ) {
                        goto DONE;

diff --git a/servers/slapd/tools/mimic.c b/servers/slapd/tools/mimic.c
index bebe7f9dd518ccd89591210ec351054f8e00d657..2b45be055ac9573c6bf799cb7f23b6a2c72d2b6e 100644 (file)
--- a/servers/slapd/tools/mimic.c
+++ b/servers/slapd/tools/mimic.c
@@ -227,7 +227,7 @@ int slap_sasl_getdn( Connection *conn, Operation *op, char *id, int len,
        return -1;
 }
 
-int slap_sasl_authorized( Connection *conn,
+int slap_sasl_authorized( Operation *op,
        struct berval *authcDN, struct berval *authzDN )
 {
        return -1;