scan all results for multiple entries; fail in case more than one entry is returned...

author Pierangelo Masarati <ando@openldap.org>

Mon, 26 Apr 2004 22:47:08 +0000 (22:47 +0000)

committer Pierangelo Masarati <ando@openldap.org>

Mon, 26 Apr 2004 22:47:08 +0000 (22:47 +0000)
author Pierangelo Masarati <ando@openldap.org>
Mon, 26 Apr 2004 22:47:08 +0000 (22:47 +0000)
committer Pierangelo Masarati <ando@openldap.org>
Mon, 26 Apr 2004 22:47:08 +0000 (22:47 +0000)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c

index 239c5116294a1c52e362b0f465483c9feae97d94..520ef9b1a3b05d8bf996d7aba466c7ab72a61bd2 100644 (file)
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -210,6 +210,13 @@ static int slap_parseURI( Operation *op, struct berval *uri,
  #endif
  
         rc = LDAP_PROTOCOL_ERROR;
+       /*
+        * dn[.<dnstyle>]:<dnpattern>
+        * <dnstyle> ::= {exact|regex|children|subtree|onelevel}
+        *
+        * <dnstyle> defaults to "exact"
+        * if <dnstyle> is not "regex", <dnpattern> must pass DN normalization
+        */
         if ( !strncasecmp( uri->bv_val, "dn", STRLENOF( "dn" ) ) ) {
                 bv.bv_val = uri->bv_val + STRLENOF( "dn" );
  
@@ -224,7 +231,7 @@ static int slap_parseURI( Operation *op, struct berval *uri,
                                 bv.bv_val += STRLENOF( "regex:" );
                                 *scope = LDAP_X_SCOPE_REGEX;
  
-                       } else if ( !strncasecmp( bv.bv_val, "children:", STRLENOF( "chldren:" ) ) ) {
+                       } else if ( !strncasecmp( bv.bv_val, "children:", STRLENOF( "children:" ) ) ) {
                                 bv.bv_val += STRLENOF( "children:" );
                                 *scope = LDAP_X_SCOPE_CHILDREN;
  
@@ -248,7 +255,7 @@ static int slap_parseURI( Operation *op, struct berval *uri,
  
                 bv.bv_val += strspn( bv.bv_val, " " );
                 /* jump here in case no type specification was present
-                * and uir was not an URI... HEADS-UP: assuming EXACT */
+                * and uri was not an URI... HEADS-UP: assuming EXACT */
  is_dn:         bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
  
                 switch ( *scope ) {
@@ -274,6 +281,9 @@ is_dn:              bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
  
                 return rc;
  
+       /*
+        * u:<uid>
+        */
         } else if ( ( uri->bv_val[ 0 ] == 'u' || uri->bv_val[ 0 ] == 'U' )
                         && ( uri->bv_val[ 1 ] == ':' 
                                 || uri->bv_val[ 1 ] == '/' 
@@ -314,6 +324,14 @@ is_dn:             bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
  
                 return rc;
  
+       /*
+        * group[/<groupoc>[/<groupat>]]:<groupdn>
+        *
+        * groupoc defaults to "groupOfNames"
+        * groupat defaults to "member"
+        * 
+        * <groupdn> must pass DN normalization
+        */
         } else if ( strncasecmp( uri->bv_val, "group", STRLENOF( "group" ) ) == 0 )
         {
                 struct berval   group_dn = BER_BVNULL,
@@ -367,10 +385,22 @@ is_dn:            bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
                 }
                 return rc;
         }
-               
+
+       /*
+        * ldap:///<base>??<scope>?<filter>
+        * <scope> ::= {base|one|subtree}
+        *
+        * <scope> defaults to "base"
+        * <base> must pass DN normalization
+        * <filter> must pass str2filter()
+        */
         rc = ldap_url_parse( uri->bv_val, &ludp );
         if ( rc == LDAP_URL_ERR_BADSCHEME ) {
-               /* last chance: assume it's a(n exact) DN ... */
+               /*
+                * last chance: assume it's a(n exact) DN ...
+                *
+                * NOTE: must pass DN normalization
+                */
                 bv.bv_val = uri->bv_val;
                 *scope = LDAP_X_SCOPE_EXACT;
                 goto is_dn;
@@ -772,14 +802,26 @@ static int sasl_sc_smatch( Operation *o, SlapReply *rs )
  {
         smatch_info *sm = o->o_callback->sc_private;
  
-       if (rs->sr_type != REP_SEARCH) return 0;
+       if ( rs->sr_type != REP_SEARCH ) {
+               if ( rs->sr_err != LDAP_SUCCESS ) {
+                       sm->match = -1;
+               }
+               return 0;
+       }
+
+       if ( sm->match == 1 ) {
+               sm->match = -1;
+               return 0;
+       }
  
         if (dn_match(sm->dn, &rs->sr_entry->e_nname)) {
                 sm->match = 1;
-               return -1;      /* short-circuit the search */
+
+       } else {
+               sm->match = -1;
         }
  
-       return 1;
+       return 0;
  }
  
  /*
@@ -984,7 +1026,7 @@ exact_match:
  
         op.o_bd->be_search( &op, &rs );
  
-       if (sm.match) {
+       if (sm.match == 1) {
                 rc = LDAP_SUCCESS;
         } else {
                 rc = LDAP_INAPPROPRIATE_AUTH;
author	Pierangelo Masarati <ando@openldap.org>
	Mon, 26 Apr 2004 22:47:08 +0000 (22:47 +0000)
committer	Pierangelo Masarati <ando@openldap.org>
	Mon, 26 Apr 2004 22:47:08 +0000 (22:47 +0000)