int la_sasl_flags;
struct berval la_sasl_mech;
struct berval la_sasl_realm;
+
+/* FIXME: required until I find a nice way to determine
+ * whether a SASL mechanism is able to authz natively */
+#define LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+#define LDAP_BACK_AUTH_NONE 0x00
+#define LDAP_BACK_AUTH_NATIVE_AUTHZ 0x01
+ int la_flags;
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
};
struct ldapinfo {
#define idassert_sasl_flags idassert_la.la_sasl_flags
#define idassert_sasl_mech idassert_la.la_sasl_mech
#define idassert_sasl_realm idassert_la.la_sasl_realm
+#define idassert_flags idassert_la.la_flags
BerVarray idassert_authz;
int idassert_ppolicy;
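Review bot: The `#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ` guard at L9 (and every later one) can never be false, because the macro is defined unconditionally at L7 in the same header, so the conditional blocks are dead scaffolding rather than a switch a build could flip; either drop the guards or make the macro something the build system sets, and say so in the FIXME, e.g. `/* FIXME: placeholder until a runtime check of the mechanism's authz support exists; for now the "authz=native" idassert option selects it */`. Defining `LDAP_BACK_AUTH_NONE` and `LDAP_BACK_AUTH_NATIVE_AUTHZ` inside the struct body at L10-L11 works but is unusual; hoisting them above the struct keeps the flag values next to the field's documentation and lets a `/* bitmask of LDAP_BACK_AUTH_* */` comment sit on `la_flags`. `LDAP_BACK_AUTH_NONE` is not used anywhere visible here, so if the struct is not zero-allocated `la_flags` should be set to it wherever the other `la_*` fields are initialised — I cannot see the allocation from this hunk. The enclosing struct begins before L1.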
struct berval authzID = BER_BVNULL;
int freeauthz = 0;
- switch ( li->idassert_mode ) {
- case LDAP_BACK_IDASSERT_OTHERID:
- case LDAP_BACK_IDASSERT_OTHERDN:
- authzID = li->idassert_authzID;
- break;
-
- case LDAP_BACK_IDASSERT_ANONYMOUS:
- BER_BVSTR( &authzID, "dn:" );
- break;
-
- case LDAP_BACK_IDASSERT_SELF:
- authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_dn.bv_len;
- authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx );
- AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
- AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ),
- op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len + 1 );
- freeauthz = 1;
- break;
-
- default:
- break;
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+ /* if SASL supports native authz, prepare for it */
+ if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
+ switch ( li->idassert_mode ) {
+ case LDAP_BACK_IDASSERT_OTHERID:
+ case LDAP_BACK_IDASSERT_OTHERDN:
+ authzID = li->idassert_authzID;
+ break;
+
+ case LDAP_BACK_IDASSERT_ANONYMOUS:
+ BER_BVSTR( &authzID, "dn:" );
+ break;
+
+ case LDAP_BACK_IDASSERT_SELF:
+ authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_dn.bv_len;
+ authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx );
+ AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
+ AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ),
+ op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len + 1 );
+ freeauthz = 1;
+ break;
+
+ default:
+ break;
+ }
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
}
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
#if 0 /* will deal with this later... */
if ( sasl_secprops != NULL ) {
}
} else if ( li->idassert_authmethod == LDAP_AUTH_SASL ) {
- /* already asserted in SASL */
- goto done;
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+ if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
+ /* already asserted in SASL via native authz */
+ goto done;
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+ }
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
} else if ( li->idassert_authz ) {
int rc;
}
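Review bot: The new guard at L47 leaves `authzID` as `BER_BVNULL` whenever the native-authz flag is clear, and nothing in the hunk says what then carries the asserted identity; a one-line comment would save the next reader a trip through the rest of the function, e.g. `/* without native authz the authzID is left empty here and asserted by the later, non-SASL path */` — I am inferring that path from the SASL branch at L81-L84, so adjust the wording if it is wrong. The same `li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ` test is repeated at L81 inside its own `#ifdef` pair (and the flag is set at L97); one small helper macro defined next to `LDAP_BACK_AUTH_NATIVE_AUTHZ` would keep the preprocessor scaffolding in a single place. Note also that the `if` opened at L47 is closed by the pre-existing context brace at L72, which only balances because the `#ifdef`/`#endif` pairs bracket both ends; a short comment on the `#endif` at L73 such as `/* closes the native-authz if above */` would protect that from a later edit. The enclosing function starts before L22 and continues past this hunk.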
ber_str2bv( val, 0, 1, &li->idassert_passwd );
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+ } else if ( strncasecmp( argv[arg], "authz=", STRLENOF( "authz=" ) ) == 0 ) {
+ char *val = argv[arg] + STRLENOF( "authz=" );
+
+ if ( strcasecmp( val, "native" ) == 0 ) {
+ li->idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ;
+
+ } else {
+ fprintf( stderr, "%s: line %s: "
+ "unknown SASL flag \"%s\"\n",
+ fname, lineno, val );
+ return 1;
+ }
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
+
} else {
fprintf( stderr, "%s: line %d: "
"unknown SASL parameter %s\n",
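Review bot: The error message at L100-L102 formats `lineno` with `%s` while the neighbouring message at L108 passes the same variable with `%d`, so the mismatched specifier makes fprintf read an int as a `char *` and will most likely crash slapd at startup on an unrecognised `authz=` value instead of reporting it; change the format to `"%s: line %d: "`. The text is also slightly misleading since this branch parses the `authz=` value rather than a SASL flag, so `"unknown authz value \"%s\"\n"` (optionally naming `native` as the only accepted value) would be clearer. The enclosing config-parsing function starts before this hunk and continues past it.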