Copy LDBM bind "ACL_AUTH" and SASL framework to bdb2.
authorKurt Zeilenga <kurt@openldap.org>
Wed, 7 Jul 1999 18:47:51 +0000 (18:47 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Wed, 7 Jul 1999 18:47:51 +0000 (18:47 +0000)
servers/slapd/back-bdb2/bind.c
servers/slapd/back-ldbm/bind.c
tests/data/slapd-bdb2-acl.conf

index c2137fd0f97e43026d5f34064a6cd4558b903113..db0cf7bf62ff2f5cdba07868f6f1da414397a5f8 100644 (file)
@@ -65,6 +65,7 @@ bdb2i_back_bind_internal(
     Operation          *op,
     char               *dn,
     int                        method,
+       char            *mech,
     struct berval      *cred,
        char**  edn
 )
@@ -86,17 +87,33 @@ bdb2i_back_bind_internal(
        /* get entry with reader lock */
        if ( (e = bdb2i_dn2entry_r( be, dn, &matched )) == NULL ) {
                /* allow noauth binds */
-               if ( method == LDAP_AUTH_SIMPLE && cred->bv_len == 0 ) {
-                       /*
-                        * bind successful, but return 1 so we don't
-                        * authorize based on noauth credentials
-                        */
-                       send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
-                       rc = 1;
-               } else if ( be_isroot_pw( be, dn, cred ) ) {
-                       /* front end will send result */
-                       *edn = ch_strdup( be_root_dn( be ) );
-                       rc = 0;
+               rc = 1;
+               if ( method == LDAP_AUTH_SIMPLE ) {
+                       if( cred->bv_len == 0 ) {
+                               /* SUCCESS */
+                               send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
+
+                       } else if ( be_isroot_pw( be, dn, cred ) ) {
+                               /* front end will send result */
+                               *edn = ch_strdup( be_root_dn( be ) );
+                               rc = 0;
+
+                       } else {
+                               send_ldap_result( conn, op,
+                                       LDAP_NO_SUCH_OBJECT, matched, NULL );
+                       }
+
+               } else if ( method == LDAP_AUTH_SASL ) {
+                       if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") == 0 ) {
+                               /* insert DIGEST calls here */
+                               send_ldap_result( conn, op,
+                                       LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL );
+
+                       } else {
+                               send_ldap_result( conn, op,
+                                       LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL );
+                       }
+
                } else {
                        send_ldap_result( conn, op, LDAP_NO_SUCH_OBJECT, matched, NULL );
                        rc = 1;
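Review bot: Both arms of the new `method == LDAP_AUTH_SASL` branch (the `strcasecmp(mech,"DIGEST-MD5") == 0` arm and its `else`) send the identical `LDAP_AUTH_METHOD_NOT_SUPPORTED` result, so the mechanism test is dead code until DIGEST-MD5 support exists; either collapse it to one `send_ldap_result` or mark the inner arm with `/* TODO: DIGEST-MD5 not implemented; both arms intentionally identical */` so the placeholder is not mistaken for a finished path. The same placeholder shape is in the back-ldbm hunk `@@ -98,16 +98,19 @@`, which only corrects the missing `== 0`. The `rc = 1` set before the branch means the SASL arms leave the bind unauthorized, which looks intended but deserves a comment since the old code set rc inside each arm. The enclosing function bdb2i_back_bind_internal starts and ends outside this hunk.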
@@ -111,6 +128,14 @@ bdb2i_back_bind_internal(
 
        /* check for deleted */
 
+       if ( ! access_allowed( be, conn, op, e,
+               "entry", NULL, ACL_AUTH ) )
+       {
+               send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
+               rc = 1;
+               goto return_results;
+       }
+
        switch ( method ) {
        case LDAP_AUTH_SIMPLE:
                if ( cred->bv_len == 0 ) {
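Review bot: The new `access_allowed( ..., "entry", NULL, ACL_AUTH )` check replies with `LDAP_INSUFFICIENT_ACCESS` for an entry that exists but is not auth-accessible, while the no-entry path earlier in this function replies `LDAP_NO_SUCH_OBJECT` with the matched DN and the password path replies `LDAP_INVALID_CREDENTIALS`, so a client can distinguish "DN absent", "DN present, auth denied by ACL" and "DN present, wrong password" before presenting any valid credential. Consider returning `LDAP_INVALID_CREDENTIALS` from every bind-failure point (here, the `userpassword` check in `@@ -130,6 +155,14 @@`, the `krbname` check in `@@ -155,11 +188,21 @@` and its back-ldbm twin `@@ -193,13 +196,22 @@`) and recording the ACL denial in the server log instead. The `"", ""` matched/text arguments are also inconsistent with the `NULL, NULL` the neighbouring calls use. Separately, the pre-existing `/* check for deleted */` comment now sits directly above the ACL block with nothing between them; move it, or replace it with `/* bind is still in progress, so this ACL is presumably evaluated for the anonymous identity -- confirm against access_allowed */`. The function continues outside the hunk.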
@@ -130,6 +155,14 @@ bdb2i_back_bind_internal(
                        goto return_results;
                }
 
+               if ( ! access_allowed( be, conn, op, e,
+                       "userpassword", NULL, ACL_AUTH ) )
+               {
+                       send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
+                       rc = 1;
+                       goto return_results;
+               }
+
                if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
                        send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
                            NULL, NULL );
@@ -155,11 +188,21 @@ bdb2i_back_bind_internal(
                if ( bdb2i_krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
                        send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
                            NULL, NULL );
-                       rc = 0;
+                       rc = 1;
                        goto return_results;
                }
+
+               if ( ! access_allowed( be, conn, op, e,
+                       "krbname", NULL, ACL_AUTH ) )
+               {
+                       send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
+                       rc = 1;
+                       goto return_results;
+               }
+
                sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
                    : "", ad.pinst, ad.prealm );
+
                if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
                        /*
                         * no krbName values present:  check against DN
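Review bot: `sprintf( krbname, "%s%s%s@%s", ad.pname, ... ad.prealm )` writes the Kerberos principal components into the fixed `krbname` buffer with no bound, and the commit touches the line (adds a blank after it) without addressing that; `krbname` is declared outside this hunk, so whether the AUTH_DAT fields are bounded tightly enough to always fit cannot be confirmed here. If `krbname` is an array, replace it with `snprintf( krbname, sizeof krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "." : "", ad.pinst, ad.prealm );` and treat a truncating return as a failed bind, here and in the identical back-ldbm hunk `@@ -193,13 +196,22 @@`. The change of `rc = 0` to `rc = 1` on `LDAP_INVALID_CREDENTIALS` is correct and worth a comment such as `/* rc != 0: frontend must not authorize this connection */`, since elsewhere in this function rc 0 appears to mean the frontend authorizes the bind. The function starts and ends outside this hunk.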
@@ -195,6 +238,9 @@ bdb2i_back_bind_internal(
                goto return_results;
 #endif
 
+       case LDAP_AUTH_SASL:
+               /* insert sasl code here */
+
        default:
                send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
                    NULL, "auth method not supported" );
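Review bot: The new `case LDAP_AUTH_SASL:` label carries only the `/* insert sasl code here */` comment and then drops into `default:`, which is acceptable as a stub but reads as an accidental fall-through; mark it explicitly, e.g. `/* FALLTHROUGH: SASL not implemented yet, reported as unsupported below */`. The same applies to the back-ldbm hunk `@@ -236,6 +248,9 @@`. Note that `default:` sends `LDAP_STRONG_AUTH_NOT_SUPPORTED`, whereas the no-entry path earlier in this function sends `LDAP_AUTH_METHOD_NOT_SUPPORTED` for SASL, so the same condition is reported with two different result codes depending on whether the DN exists; pick one. The switch and its enclosing function continue outside the hunk.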
@@ -237,7 +283,7 @@ bdb2_back_bind(
 
        }
 
-       ret = bdb2i_back_bind_internal( be, conn, op, dn, method, cred, edn );
+       ret = bdb2i_back_bind_internal( be, conn, op, dn, method, mech, cred, edn );
 
        (void) bdb2i_leave_backend_r( lock );
 
index 270250bbb84c363f7538cc860291e268d3b152da..1821c9b4cc5f25ec71ee4fb53d75f1e08b520b13 100644 (file)
@@ -98,16 +98,19 @@ ldbm_back_bind(
                                rc = 0; /* front end will send result */
 
                        } else {
-                               send_ldap_result( conn, op, LDAP_NO_SUCH_OBJECT, matched, NULL );
+                               send_ldap_result( conn, op,
+                                       LDAP_NO_SUCH_OBJECT, matched, NULL );
                        }
 
                } else if ( method == LDAP_AUTH_SASL ) {
-                       if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") ) {
+                       if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") == 0 ) {
                                /* insert DIGEST calls here */
-                               send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH, NULL, NULL );
+                               send_ldap_result( conn, op,
+                                       LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL );
                                
                        } else {
-                               send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH, NULL, NULL );
+                               send_ldap_result( conn, op,
+                                       LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL );
                        }
 
                } else {
@@ -193,13 +196,22 @@ ldbm_back_bind(
                if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
                        send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
                            NULL, NULL );
-                       rc = 0;
+                       rc = 1;
+                       goto return_results;
+               }
+
+               if ( ! access_allowed( be, conn, op, e,
+                       "krbname", NULL, ACL_AUTH ) )
+               {
+                       send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
+                       rc = 1;
                        goto return_results;
                }
 
                sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
                    : "", ad.pinst, ad.prealm );
 
+
                if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
                        /*
                         * no krbName values present:  check against DN
@@ -236,6 +248,9 @@ ldbm_back_bind(
                goto return_results;
 #endif
 
+       case LDAP_AUTH_SASL:
+               /* insert SASL code here */
+
        default:
                send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
                    NULL, "auth method not supported" );
index 8560ffb347958c3b936c856b6786f5ec363eef4c..4e0e9b9e2b95be9d58f708d309b9f09e92371d4e 100644 (file)
@@ -24,19 +24,26 @@ index               cn,sn,uid       pres,eq,approx
 index          default         none
 lastmod                on
 defaultaccess  none
+
 access         to attr=objectclass
                by * read
-access         to attr=userpassword
+
+access         to filter="objectclass=person" attr=userpassword
                by self write
-               by * compare
+               by anonymous auth
+               by * none
+
 access         to dn=".*,ou=Alumni Association,ou=People,o=University of Michigan,c=US"
-               by dn=".*,o=University of Michigan,c=US"
-               read
+               by dn=".*,o=University of Michigan,c=US" read
+               by anonymous auth
                by * none
+
 access         to attr=member
                by dnattr=member selfwrite
                by * read
+
 access         to filter="objectclass=rfc822mailgroup"
                by dn="Bjorn Jensen,ou=Information Technology Division,ou=People,o=University of Michigan,c=US" write
                by * read
+
 access         to * by * read
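Review bot: Narrowing the `userpassword` rule to `filter="objectclass=person"` means `userpassword` on any entry that is not a person no longer matches that clause and falls through to the final `access to * by * read`, so for such entries the attribute becomes readable by everyone; if that is not intended for this test, drop the filter or add an unfiltered `access to attr=userpassword by self write by anonymous auth by * none` after it. The `by anonymous auth` clauses added here are what allows the new `ACL_AUTH` checks in bind.c to pass for an unauthenticated connection, which is worth a one-line comment in the file, e.g. `# 'auth' on userpassword and on the entry is required for bind to proceed`. Whether the test data contains non-person entries carrying a userpassword cannot be seen from this hunk.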