From: Pierangelo Masarati
Date: Thu, 18 Dec 2003 18:28:43 +0000 (+0000)
Subject: allow 'all' vs. 'any' sasl-authz-policy
X-Git-Tag: OPENLDAP_REL_ENG_2_1_MP~147
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=113727ba53c91ab6f1b0880c5908eca43b89ec4e;p=openldap

allow 'all' vs. 'any' sasl-authz-policy
---
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index ba2c3981ab..81b99e7067 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -640,9 +640,19 @@
 flag will use rules in the
 .I saslAuthzTo
 attribute of the authentication DN. The
-.B both
-flag will allow both of the above. The rules are simply regular expressions
-specifying which DNs are allowed to perform proxy authorization. The
+.B any
+flag, an alias for the deprecated value of
+.BR both ,
+will allow any of the above, whatever succeeds first (checked in
+.BR to ,
+.B from
+sequence.
+The
+.B all
+flag requires both authorizations to succeed.
+The rules are simply regular expressions specifying which DNs are allowed
+to perform proxy authorization.
+The
 .I saslAuthzFrom
 attribute in an entry specifies which other users are allowed to proxy
 login to this entry. The
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 1bf2af2a30..07539ef03e 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -72,9 +72,10 @@
 static int nSaslRegexp = 0;
 static SaslRegexp_t *SaslRegexp = NULL;
 
 /* What SASL proxy authorization policies are allowed? */
-#define SASL_AUTHZ_NONE 0
-#define SASL_AUTHZ_FROM 1
-#define SASL_AUTHZ_TO 2
+#define SASL_AUTHZ_NONE 0x00
+#define SASL_AUTHZ_FROM 0x01
+#define SASL_AUTHZ_TO 0x02
+#define SASL_AUTHZ_AND 0x10
 
 static int authz_policy = SASL_AUTHZ_NONE;
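Review bot: SASL_AUTHZ_AND is a modifier on how the FROM and TO results are combined, not a third rule source, and the new define carries no comment saying so; the existing comment above the group only asks which policies are allowed. A one-line comment at the define would spare the next reader a trip into slap_sasl_authorized: `#define SASL_AUTHZ_AND 0x10 /* modifier: the saslAuthzTo and saslAuthzFrom checks must both succeed */`. Leaving 0x04 and 0x08 unused between the rule bits and the modifier bit is reasonable if the gap is meant to keep the two kinds apart, but that intent is also worth a word.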
@@ -88,8 +89,10 @@ int slap_sasl_setpolicy( const char *arg )
 authz_policy = SASL_AUTHZ_FROM;
 } else if ( strcasecmp( arg, "to" ) == 0 ) {
 authz_policy = SASL_AUTHZ_TO;
-} else if ( strcasecmp( arg, "both" ) == 0 ) {
+} else if ( strcasecmp( arg, "both" ) == 0 || strcasecmp( arg, "any" ) == 0 ) {
 authz_policy = SASL_AUTHZ_FROM | SASL_AUTHZ_TO;
+} else if ( strcasecmp( arg, "all" ) == 0 ) {
+authz_policy = SASL_AUTHZ_FROM | SASL_AUTHZ_TO | SASL_AUTHZ_AND;
 } else {
 rc = LDAP_OTHER;
 }
@@ -972,7 +975,7 @@ int slap_sasl_authorized( Operation *op,
 if( authz_policy & SASL_AUTHZ_TO ) {
 rc = slap_sasl_check_authz( op, authcDN, authzDN,
 slap_schema.si_ad_saslAuthzTo, authcDN );
-if( rc == LDAP_SUCCESS ) {
+if( rc == LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND) ) {
 goto DONE;
 }
 }
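Review bot: The new condition in slap_sasl_authorized only suppresses the early exit when the saslAuthzTo check succeeds under SASL_AUTHZ_AND; when that check fails with the modifier set, control still falls through to whatever follows the hunk. If the saslAuthzFrom check that presumably follows overwrites rc and jumps to DONE on its own success, a policy of `all` would authorize an identity whose `to` rule failed but whose `from` rule matched, which is precisely the `any` behaviour the new flag is meant to tighten. An explicit failure exit inside the TO block, `if ( rc != LDAP_SUCCESS && ( authz_policy & SASL_AUTHZ_AND ) ) goto DONE;`, keeps a failed first check final regardless of the second. The rest of slap_sasl_authorized, including the FROM check and the DONE label, lies outside this hunk, so this is inferred from the new condition alone.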