Should resolve ITS#1781.
#include "slap.h"
#include "lutil.h"
+#include "lber_pvt.h"
/*
* If a module is configured as dynamic, its header should not
Backend *be,
Connection *conn,
Operation *op,
- const void *opdata,
+ struct berval *opdata,
const char **text )
{
int rc;
slap_mask_t opflag;
slap_ssf_set_t *ssf;
int updateop = 0;
+ int starttls = 0;
+ int session = 0;
if( be ) {
rc = backend_check_controls( be, conn, op, text );
break;
case LDAP_REQ_BIND:
opflag = SLAP_RESTRICT_OP_BIND;
+ session++;
break;
case LDAP_REQ_COMPARE:
opflag = SLAP_RESTRICT_OP_COMPARE;
break;
case LDAP_REQ_EXTENDED:
opflag = SLAP_RESTRICT_OP_EXTENDED;
+
+ if( !opdata ) {
+ /* treat unspecified as a modify */
+ opflag = SLAP_RESTRICT_OP_MODIFY;
+ updateop++;
+ break;
+ }
+
+ {
+ struct berval bv = BER_BVC( LDAP_EXOP_START_TLS );
+ if( ber_bvcmp( opdata, &bv ) == 0 ) {
+ session++;
+ starttls++;
+ break;
+ }
+ }
+
+ {
+ struct berval bv = BER_BVC( LDAP_EXOP_X_WHO_AM_I );
+ if( ber_bvcmp( opdata, &bv ) == 0 ) {
+ break;
+ }
+ }
+
+ /* treat everything else as a modify */
+ opflag = SLAP_RESTRICT_OP_MODIFY;
+ updateop++;
break;
+
case LDAP_REQ_MODIFY:
updateop++;
opflag = SLAP_RESTRICT_OP_MODIFY;
opflag = SLAP_RESTRICT_OP_SEARCH;
break;
case LDAP_REQ_UNBIND:
+ session++;
opflag = 0;
break;
default:
return LDAP_OTHER;
}
- if ( op->o_tag != LDAP_REQ_EXTENDED
- || strcmp( (const char *) opdata, LDAP_EXOP_START_TLS ) )
- {
+ if ( !starttls ) {
/* these checks don't apply to StartTLS */
- if( op->o_tag == LDAP_REQ_EXTENDED ) {
- /* threat other extended operations as update ops */
- updateop++;
- }
-
if( op->o_transport_ssf < ssf->sss_transport ) {
*text = "transport confidentiality required";
return LDAP_CONFIDENTIALITY_REQUIRED;
}
}
- if ( op->o_tag != LDAP_REQ_BIND && ( op->o_tag != LDAP_REQ_EXTENDED ||
- strcmp( (const char *) opdata, LDAP_EXOP_START_TLS ) ) )
- {
- /* these checks don't apply to Bind or StartTLS */
+ if ( !session ) {
+ /* these checks don't apply to Bind, StartTLS, or Unbind */
if( requires & SLAP_REQUIRE_STRONG ) {
/* should check mechanism */
}
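Review bot: In the LDAP_REQ_EXTENDED case the two `opflag = SLAP_RESTRICT_OP_MODIFY;` assignments (the missing-OID path and the "treat everything else as a modify" path) overwrite the SLAP_RESTRICT_OP_EXTENDED value set at the top of the case, so only StartTLS and WhoAmI are ever tested against the extended-op restriction; every other extended operation, the password-modify exop that passwd.c now routes through this function included, is checked as a write only, and a backend restricted on extended ops but not on writes would still accept it. If the intent is "extended and write", `opflag |= SLAP_RESTRICT_OP_MODIFY;` in both places keeps both bits; this assumes opflag is later tested against be_restrictops as a bitmask, which happens outside the hunk. Separately, bind.c now hands the SASL mechanism in as opdata, but the `if( requires & SLAP_REQUIRE_STRONG )` body here is still empty, so a configured strong-auth requirement is not enforced at this point. The rest of backend_check_restrictions lies outside the hunk.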
/* check restrictions */
- rc = backend_check_restrictions( NULL, conn, op, mech.bv_val, &text );
+ rc = backend_check_restrictions( NULL, conn, op, &mech, &text );
if( rc != LDAP_SUCCESS ) {
send_ldap_result( conn, op, rc,
NULL, text, NULL, NULL );
text = "anonymous bind disallowed";
} else {
- rc = backend_check_restrictions( NULL, conn, op, mech.bv_val, &text );
+ rc = backend_check_restrictions( NULL, conn, op,
+ &mech, &text );
}
/*
#include <ac/string.h>
#include "slap.h"
+#include "lber_pvt.h"
static struct extop_list {
struct extop_list *next;
const char ** text,
BerVarray * refs )
{
+ int rc;
struct berval *bv;
if ( reqdata != NULL ) {
return LDAP_PROTOCOL_ERROR;
}
+ {
+ int rc;
+ struct berval whoami = BER_BVC( LDAP_EXOP_X_WHO_AM_I );
+
+ rc = backend_check_restrictions( conn->c_authz_backend,
+ conn, op, &whoami, text );
+
+ if( rc != LDAP_SUCCESS ) return rc;
+ }
+
bv = (struct berval *) ch_malloc( sizeof(struct berval) );
if( op->o_dn.bv_len ) {
bv->bv_len = op->o_dn.bv_len + sizeof("dn:")-1;
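Review bot: The inner `int rc;` at the top of the new restriction-check block shadows the `rc` this same hunk adds at function scope; dropping the inner declaration so the block starts with `struct berval whoami = BER_BVC( LDAP_EXOP_X_WHO_AM_I );` leaves a single rc and avoids a -Wshadow warning. Passing conn->c_authz_backend as the backend appears safe for an anonymous session, since backend_check_restrictions guards its backend-specific work with `if( be )`, but that presumably means only the global restrictions are applied in that case; a comment such as `/* c_authz_backend may be NULL for anonymous sessions; only global restrictions apply then */` would make the intent explicit. whoami_extop's signature and the remainder of its body lie outside the hunk.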
#include "slap.h"
+#include <lber_pvt.h>
#include <lutil.h>
int passwd_extop(
return LDAP_STRONG_AUTH_REQUIRED;
}
- if( conn->c_authz_backend != NULL && conn->c_authz_backend->be_extended ) {
- if( conn->c_authz_backend->be_restrictops & SLAP_RESTRICT_OP_MODIFY ) {
- *text = "authorization database is read only";
- rc = LDAP_UNWILLING_TO_PERFORM;
+ if( conn->c_authz_backend == NULL || !conn->c_authz_backend->be_extended ) {
+ *text = "operation not supported for current user";
+ return LDAP_UNWILLING_TO_PERFORM;
+ }
- } else if( conn->c_authz_backend->be_update_ndn.bv_len ) {
- /* we SHOULD return a referral in this case */
- *refs = referral_rewrite( conn->c_authz_backend->be_update_refs,
- NULL, NULL, LDAP_SCOPE_DEFAULT );
- rc = LDAP_REFERRAL;
+ {
+ struct berval passwd = BER_BVC( LDAP_EXOP_MODIFY_PASSWD );
- } else {
- rc = conn->c_authz_backend->be_extended(
- conn->c_authz_backend, conn, op,
- reqoid, reqdata,
- rspoid, rspdata, rspctrls,
- text, refs );
- }
+ rc = backend_check_restrictions( conn->c_authz_backend,
+ conn, op, &passwd, text );
+ }
+
+ if( rc != LDAP_SUCCESS ) {
+ return rc;
+ }
+
+ if( conn->c_authz_backend->be_update_ndn.bv_len ) {
+ /* we SHOULD return a referral in this case */
+ *refs = referral_rewrite( conn->c_authz_backend->be_update_refs,
+ NULL, NULL, LDAP_SCOPE_DEFAULT );
+ rc = LDAP_REFERRAL;
} else {
- *text = "operation not supported for current user";
- rc = LDAP_UNWILLING_TO_PERFORM;
+ rc = conn->c_authz_backend->be_extended(
+ conn->c_authz_backend, conn, op,
+ reqoid, reqdata,
+ rspoid, rspdata, rspctrls,
+ text, refs );
}
return rc;
BackendDB *be,
Connection *conn,
Operation *op,
- const void *opdata,
+ struct berval *opdata,
const char **text ));
LDAP_SLAPD_F( int ) backend_check_referrals LDAP_P((