From: Pierangelo Masarati
Date: Thu, 20 Jan 2005 09:04:37 +0000 (+0000)
Subject: remove #ifdef's for identity assertion
X-Git-Tag: OPENLDAP_REL_ENG_2_3_BP~308
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=1d919d35a537ca1a0f3ade0d9527e8d0f6cb5397;p=openldap
remove #ifdef's for identity assertion
---
diff --git a/servers/slapd/back-ldap/add.c b/servers/slapd/back-ldap/add.c
index 5ef9403dde..1805a31b3e 100644
--- a/servers/slapd/back-ldap/add.c
+++ b/servers/slapd/back-ldap/add.c
@@ -58,7 +58,7 @@ ldap_back_add( } /* Count number of attributes in entry */
- for (i = 1, a = op->oq_add.rs_e->e_attrs; a; i++, a = a->a_next)
+ for ( i = 1, a = op->oq_add.rs_e->e_attrs; a; i++, a = a->a_next )
/* just count attrs */ ; /* Create array of LDAPMods for ldap_add() */
@@ -89,14 +89,12 @@ ldap_back_add( attrs[ i ] = NULL; ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls ); if ( rc != LDAP_SUCCESS ) { send_ldap_result( op, rs ); rc = -1; goto cleanup; }
-#endif /* LDAP_BACK_PROXY_AUTHZ */
retry: rs->sr_err = ldap_add_ext( lc->lc_ld, op->o_req_dn.bv_val, attrs,
@@ -110,9 +108,7 @@ retry: } cleanup:
-#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
if ( attrs ) { for ( --i; i >= 0; --i ) {
diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h
index 8ecbd4ffd7..3f5b109d37 100644
--- a/servers/slapd/back-ldap/back-ldap.h
+++ b/servers/slapd/back-ldap/back-ldap.h
@@ -24,12 +24,6 @@ #ifndef SLAPD_LDAP_H #define SLAPD_LDAP_H
-#include "proto-ldap.h"
-
-#ifdef LDAP_DEVEL
-#define LDAP_BACK_PROXY_AUTHZ
-#endif
-
LDAP_BEGIN_DECL struct slap_conn;
@@ -71,7 +65,6 @@ struct ldapinfo { #define acl_authcDN acl_la.la_authcDN #define acl_passwd acl_la.la_passwd
-#ifdef LDAP_BACK_PROXY_AUTHZ
/* ID assert stuff */ int idassert_mode; #define LDAP_BACK_IDASSERT_LEGACY 0
@@ -95,7 +88,6 @@ struct ldapinfo { int idassert_ppolicy; /* end of ID assert stuff */
-#endif /* LDAP_BACK_PROXY_AUTHZ */
ldap_pvt_thread_mutex_t conn_mutex; int savecred;
@@ -104,33 +96,8 @@ struct ldapinfo { int rwm_started; };
-int ldap_back_freeconn( Operation *op, struct ldapconn *lc );
-struct ldapconn *ldap_back_getconn(struct slap_op *op, struct slap_rep *rs);
-int ldap_back_dobind(struct ldapconn *lc, Operation *op, SlapReply *rs);
-int ldap_back_retry(struct ldapconn *lc, Operation *op, SlapReply *rs);
-int ldap_back_map_result(SlapReply *rs);
-int ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
- ber_int_t msgid, int sendok);
-int back_ldap_LTX_init_module(int argc, char *argv[]);
-
-extern int ldap_back_conn_cmp( const void *c1, const void *c2);
-extern int ldap_back_conn_dup( void *c1, void *c2 );
-extern void ldap_back_conn_free( void *c );
-
-#ifdef LDAP_BACK_PROXY_AUTHZ
-extern int
-ldap_back_proxy_authz_ctrl(
- struct ldapconn *lc,
- Operation *op,
- SlapReply *rs,
- LDAPControl ***pctrls );
-
-extern int
-ldap_back_proxy_authz_ctrl_free(
- Operation *op,
- LDAPControl ***pctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
-
LDAP_END_DECL
+#include "proto-ldap.h"
+
#endif /* SLAPD_LDAP_H */
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index eedc66cfb8..f7446f35c9 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -38,10 +38,8 @@ static LDAP_REBIND_PROC ldap_back_rebind;
-#ifdef LDAP_BACK_PROXY_AUTHZ
static int ldap_back_proxy_authz_bind( struct ldapconn *lc, Operation *op, SlapReply *rs );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
int ldap_back_bind( Operation *op, SlapReply *rs )
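Review bot: The relocated `#include "proto-ldap.h"` at the bottom of back-ldap.h carries no comment saying why it must come after the struct definitions, so a later tidy-up could move it back to the top and break the build. The prototypes that this commit moves into proto-ldap.h take `struct ldapconn *`, and that struct is presumably defined earlier in this header, which makes the include order load-bearing; I would annotate the line: `/* last on purpose: the prototypes in proto-ldap.h refer to struct ldapconn, defined above */`. The include now also sits outside this header's own `LDAP_BEGIN_DECL`/`LDAP_END_DECL` pair, which is only safe because proto-ldap.h wraps its declarations itself (its `LDAP_END_DECL` is visible in the proto-ldap.h hunk).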
@@ -70,7 +68,11 @@ ldap_back_bind( Operation *op, SlapReply *rs ) rc = ldap_back_op_result( lc, op, rs, msgid, 1 ); if ( rc == LDAP_SUCCESS ) {
-#if defined(LDAP_BACK_PROXY_AUTHZ)
+ /* If defined, proxyAuthz will be used also when
+ * back-ldap is the authorizing backend; for this
+ * purpose, a successful bind is followed by a
+ * bind with the configured identity assertion */
+ /* NOTE: use with care */
if ( li->idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) { ldap_back_proxy_authz_bind( lc, op, rs ); if ( lc->lc_bound == 0 ) {
@@ -78,7 +80,6 @@ ldap_back_bind( Operation *op, SlapReply *rs ) goto done; } }
-#endif /* LDAP_BACK_PROXY_AUTHZ */
lc->lc_bound = 1; ber_dupbv( &lc->lc_bound_ndn, &op->o_req_ndn );
@@ -348,7 +349,6 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs ) ldap_pvt_thread_mutex_lock( &lc->lc_mutex ); if ( !lc->lc_bound ) {
-#ifdef LDAP_BACK_PROXY_AUTHZ
/* * FIXME: we need to let clients use proxyAuthz * otherwise we cannot do symmetric pools of servers;
@@ -363,16 +363,15 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs ) */ /* * if no bind took place yet, but the connection is bound
- * and the "proxyauthzdn" is set, then bind as
- * "proxyauthzdn" and explicitly add the proxyAuthz
- * control to every operation with the dn bound
- * to the connection as control value.
+ * and the "idassert-authcDN" (or other ID) is set,
+ * then bind as the asserting ideintity and explicitly
+ * add the proxyAuthz control to every operation with the
+ * dn bound to the connection as control value.
*/ if ( op->o_conn != NULL && BER_BVISNULL( &lc->lc_bound_ndn ) ) { (void)ldap_back_proxy_authz_bind( lc, op, rs ); goto done; }
-#endif /* LDAP_BACK_PROXY_AUTHZ */
rs->sr_err = ldap_sasl_bind( lc->lc_ld, lc->lc_bound_ndn.bv_val,
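Review bot: The added comment in ldap_back_bind opens with "If defined", which referred to the `#if defined(LDAP_BACK_PROXY_AUTHZ)` that this very hunk removes; with the guard gone the wording is stale, and the real condition is the `LDAP_BACK_AUTH_OVERRIDE` bit tested on the next line. I would reword it to name the runtime condition and its effect: `/* When LDAP_BACK_AUTH_OVERRIDE is set in idassert_flags, a successful client bind is immediately followed by a bind as the configured assertion identity on the same connection; the connection's bound identity is then the asserted one, so use with care. */`. The same comment should also say that the return value of `ldap_back_proxy_authz_bind` is deliberately ignored and only `lc->lc_bound == 0` is examined afterwards, since a reader will otherwise take the missing check for an oversight. ldap_back_bind continues past the end of this hunk.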
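Review bot: The rewritten comment in ldap_back_dobind has a typo on its second added line, `ideintity`; it should read ` * then bind as the asserting identity and explicitly`. Now that the `#ifdef` is gone, the `if ( op->o_conn != NULL && BER_BVISNULL( &lc->lc_bound_ndn ) )` branch runs in every build and its `(void)` discards the result of `ldap_back_proxy_authz_bind` before `goto done`; whether a failed assertion bind is still reported through `rs` depends on the `done` label, which is outside this hunk, so that is worth a sentence in the comment once confirmed. ldap_back_dobind continues past the end of this hunk.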
@@ -527,7 +526,6 @@ ldap_back_retry( struct ldapconn *lc, Operation *op, SlapReply *rs ) return ldap_back_dobind( lc, op, rs ); }
-#ifdef LDAP_BACK_PROXY_AUTHZ
static int ldap_back_proxy_authz_bind( struct ldapconn *lc, Operation *op, SlapReply *rs ) {
@@ -927,6 +925,9 @@ ldap_back_proxy_authz_ctrl_free( Operation *op, LDAPControl ***pctrls ) { LDAPControl **ctrls = *pctrls;
+ /* we assume that the first control is the proxyAuthz
+ * added by back-ldap, so it's the only one we explicitly
+ * free */
if ( ctrls && ctrls != op->o_ctrls ) { assert( ctrls[ 0 ] );
@@ -942,4 +943,3 @@ ldap_back_proxy_authz_ctrl_free( Operation *op, LDAPControl ***pctrls ) return 0; }
-#endif /* LDAP_BACK_PROXY_AUTHZ */
diff --git a/servers/slapd/back-ldap/compare.c b/servers/slapd/back-ldap/compare.c
index 3ce083f724..ffa9f6bf77 100644
--- a/servers/slapd/back-ldap/compare.c
+++ b/servers/slapd/back-ldap/compare.c
@@ -49,14 +49,12 @@ ldap_back_compare( } ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls ); if ( rc != LDAP_SUCCESS ) { send_ldap_result( op, rs ); rc = -1; goto cleanup; }
-#endif /* LDAP_BACK_PROXY_AUTHZ */
retry: rs->sr_err = ldap_compare_ext( lc->lc_ld, op->o_req_ndn.bv_val,
@@ -72,9 +70,7 @@ retry: } cleanup:
-#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
return rc; }
diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c
index 81790fe933..bdbdc698ce 100644
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
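Review bot: The new comment in ldap_back_proxy_authz_ctrl_free says the code "assumes" the first control is the proxyAuthz one, but the condition that actually justifies freeing it is `ctrls != op->o_ctrls` on the following line, i.e. the array is not the client's and so was presumably built by ldap_back_proxy_authz_ctrl; the `assert( ctrls[ 0 ] )` only checks for non-NULL and disappears under NDEBUG. I would state the invariant rather than the assumption: `/* ctrls differs from op->o_ctrls only when ldap_back_proxy_authz_ctrl built it, with the proxyAuthz control at index 0; that one control is all we free here */`. The remainder of the function is outside this hunk.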
@@ -235,12 +235,14 @@ ldap_back_db_config( } ber_str2bv( argv[1], 0, 1, &li->acl_passwd );
-#ifdef LDAP_BACK_PROXY_AUTHZ
/* identity assertion stuff... */ } else if ( strncasecmp( argv[0], "idassert-", STRLENOF( "idassert-" ) ) == 0
- || strncasecmp( argv[0], "proxyauthz", STRLENOF( "proxyauthz" ) ) == 0 ) {
+ || strncasecmp( argv[0], "proxyauthz", STRLENOF( "proxyauthz" ) ) == 0 )
+ {
+ /* NOTE: "proxyauthz{DN,pw}" was initially used; it's now
+ * deprected and undocumented, it can be dropped at some
+ * point, since nobody should be really using it */
return parse_idassert( be, fname, lineno, argc, argv );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
/* save bind creds for referral rebinds? */ } else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) {
@@ -393,7 +395,6 @@ retry: }
-#ifdef LDAP_BACK_PROXY_AUTHZ
static int parse_idassert( BackendDB *be,
@@ -557,7 +558,7 @@ parse_idassert( } if ( strcasecmp( argv[1], "none" ) == 0 ) {
- /* FIXME: is this useful? */
+ /* FIXME: is this at all useful? */
li->idassert_authmethod = LDAP_AUTH_NONE; if ( argc != 2 ) {
@@ -697,4 +698,3 @@ parse_idassert( return 0; }
-#endif /* LDAP_BACK_PROXY_AUTHZ */
diff --git a/servers/slapd/back-ldap/delete.c b/servers/slapd/back-ldap/delete.c
index 406884fd5b..4b0ce6b25c 100644
--- a/servers/slapd/back-ldap/delete.c
+++ b/servers/slapd/back-ldap/delete.c
@@ -49,7 +49,6 @@ ldap_back_delete( goto cleanup; }
-#ifdef LDAP_BACK_PROXY_AUTHZ
ctrls = op->o_ctrls; rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls ); if ( rc != LDAP_SUCCESS ) {
@@ -57,7 +56,6 @@ ldap_back_delete( rc = -1; goto cleanup; }
-#endif /* LDAP_BACK_PROXY_AUTHZ */
retry: rs->sr_err = ldap_delete_ext( lc->lc_ld, op->o_req_ndn.bv_val,
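Review bot: The added comment in ldap_back_db_config misspells `deprected`; the line should read ` * deprecated and undocumented, it can be dropped at some`. The comment declares `proxyauthz{DN,pw}` deprecated, yet the `strncasecmp( argv[0], "proxyauthz", STRLENOF( "proxyauthz" ) ) == 0` prefix match still accepts those keywords silently, so an administrator relying on them gets no signal to migrate before they are dropped; a one-line warning ahead of the `return parse_idassert(...)` would close that gap, e.g. `if ( strncasecmp( argv[0], "proxyauthz", STRLENOF( "proxyauthz" ) ) == 0 ) Debug( LDAP_DEBUG_ANY, "%s: line %d: \"%s\" is deprecated, use idassert-*\n", fname, lineno, argv[0] );`. ldap_back_db_config continues on both sides of this hunk.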
@@ -65,13 +63,13 @@ retry: rc = ldap_back_op_result( lc, op, rs, msgid, 1 ); if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) { do_retry = 0;
- if ( ldap_back_retry (lc, op, rs )) goto retry;
+ if ( ldap_back_retry (lc, op, rs ) ) {
+ goto retry;
+ }
} cleanup:
-#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
return rc; }
diff --git a/servers/slapd/back-ldap/extended.c b/servers/slapd/back-ldap/extended.c
index 0b9af04fe2..d4202d4c2b 100644
--- a/servers/slapd/back-ldap/extended.c
+++ b/servers/slapd/back-ldap/extended.c
@@ -48,7 +48,6 @@ ldap_back_extended( for ( i = 0; exop_table[i].extended != NULL; i++ ) { if ( bvmatch( exop_table[i].oid, &op->oq_extended.rs_reqoid ) ) {
-#ifdef LDAP_BACK_PROXY_AUTHZ
struct ldapconn *lc; LDAPControl **oldctrls = NULL; int rc;
@@ -81,9 +80,6 @@ ldap_back_extended( op->o_ctrls = oldctrls; return rc;
-#else /* ! LDAP_BACK_PROXY_AUTHZ */
- return ( *exop_table[i].extended )( op, rs );
-#endif /* ! LDAP_BACK_PROXY_AUTHZ */
} }
diff --git a/servers/slapd/back-ldap/init.c b/servers/slapd/back-ldap/init.c
index 90604606f0..b00c579d36 100644
--- a/servers/slapd/back-ldap/init.c
+++ b/servers/slapd/back-ldap/init.c
@@ -90,7 +90,6 @@ ldap_back_db_init( Backend *be ) BER_BVZERO( &li->acl_authcDN ); BER_BVZERO( &li->acl_passwd );
-#ifdef LDAP_BACK_PROXY_AUTHZ
li->idassert_mode = LDAP_BACK_IDASSERT_LEGACY; BER_BVZERO( &li->idassert_authcID );
@@ -109,7 +108,6 @@ ldap_back_db_init( Backend *be ) /* by default, use proxyAuthz control on each operation */ li->idassert_flags = LDAP_BACK_AUTH_NONE;
-#endif /* LDAP_BACK_PROXY_AUTHZ */
ldap_pvt_thread_mutex_init( &li->conn_mutex );
@@ -128,7 +126,6 @@ ldap_back_db_open( BackendDB *be ) "ldap_back_db_open: URI=%s\n", li->url != NULL ? li->url : "", 0, 0 );
-#ifdef LDAP_BACK_PROXY_AUTHZ
/* by default, use proxyAuthz control on each operation */ switch ( li->idassert_mode ) { case LDAP_BACK_IDASSERT_LEGACY:
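Review bot: In ldap_back_extended the new side keeps only the `op->o_ctrls = oldctrls; return rc;` exit, so `op->o_ctrls` is swapped to a back-ldap-built array somewhere between the `LDAPControl **oldctrls = NULL;` declaration in the earlier hunk and this restore; any early return in that stretch (for example when the connection or the proxyAuthz control cannot be obtained) would leave the caller's `op->o_ctrls` pointing at the substituted array, but those lines are outside this diff so I cannot confirm they restore it. A short comment at the restore would make the invariant explicit for whoever edits that stretch: `/* op->o_ctrls was swapped for the proxyAuthz-augmented array above; every exit must put the caller's controls back */`. With the `#else` fallback deleted, every matching exop now goes through the proxy-authz path unconditionally, which is consistent with the commit's intent; the middle of the function is not visible here.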
@@ -141,10 +138,14 @@ ldap_back_db_open( BackendDB *be ) default: break; }
-#endif /* LDAP_BACK_PROXY_AUTHZ */
#if 0 && defined(SLAPD_MONITOR) {
+ /* FIXME: disabled because namingContexts doesn't have
+ * a matching rule, and using an MRA filter doesn't work
+ * because the normalized assertion is compared to the
+ * non-normalized value, which in general differ.
+ * See ITS#3406 */
struct berval filter, base = BER_BVC( "cn=Databases,cn=Monitor" ); struct berval vals[ 2 ];
@@ -221,7 +222,6 @@ ldap_back_db_destroy( ch_free( li->acl_passwd.bv_val ); BER_BVZERO( &li->acl_passwd ); }
-#ifdef LDAP_BACK_PROXY_AUTHZ
if ( !BER_BVISNULL( &li->idassert_authcID ) ) { ch_free( li->idassert_authcID.bv_val ); BER_BVZERO( &li->idassert_authcID );
@@ -246,7 +246,6 @@ ldap_back_db_destroy( ch_free( li->idassert_sasl_realm.bv_val ); BER_BVZERO( &li->idassert_sasl_realm ); }
-#endif /* LDAP_BACK_PROXY_AUTHZ */
if ( li->conntree ) { avl_free( li->conntree, ldap_back_conn_free ); }
diff --git a/servers/slapd/back-ldap/modify.c b/servers/slapd/back-ldap/modify.c
index 01456c39f1..cc551243a1 100644
--- a/servers/slapd/back-ldap/modify.c
+++ b/servers/slapd/back-ldap/modify.c
@@ -96,14 +96,12 @@ ldap_back_modify( modv[ i ] = 0; ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls ); if ( rc != LDAP_SUCCESS ) { send_ldap_result( op, rs ); rc = -1; goto cleanup; }
-#endif /* LDAP_BACK_PROXY_AUTHZ */
retry: rs->sr_err = ldap_modify_ext( lc->lc_ld, op->o_req_ndn.bv_val, modv,
@@ -117,9 +115,7 @@ retry: } cleanup:;
-#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
for ( i = 0; modv[ i ]; i++ ) { ch_free( modv[ i ]->mod_bvalues );
diff --git a/servers/slapd/back-ldap/modrdn.c b/servers/slapd/back-ldap/modrdn.c
index 7e5291e0b2..92cce0a749 100644
--- a/servers/slapd/back-ldap/modrdn.c
+++ b/servers/slapd/back-ldap/modrdn.c
@@ -56,14 +56,12 @@ ldap_back_modrdn( } ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls ); if ( rc != LDAP_SUCCESS ) { send_ldap_result( op, rs ); rc = -1; goto cleanup; }
-#endif /* LDAP_BACK_PROXY_AUTHZ */
retry: rs->sr_err = ldap_rename( lc->lc_ld, op->o_req_ndn.bv_val,
@@ -78,9 +76,7 @@ retry: } cleanup:
-#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
return rc; }
diff --git a/servers/slapd/back-ldap/proto-ldap.h b/servers/slapd/back-ldap/proto-ldap.h
index 04d86301f7..eadc7d3949 100644
--- a/servers/slapd/back-ldap/proto-ldap.h
+++ b/servers/slapd/back-ldap/proto-ldap.h
@@ -48,6 +48,33 @@ extern BI_connection_destroy ldap_back_conn_destroy; extern BI_entry_get_rw ldap_back_entry_get;
+int ldap_back_freeconn( Operation *op, struct ldapconn *lc );
+struct ldapconn *ldap_back_getconn(struct slap_op *op, struct slap_rep *rs);
+int ldap_back_dobind(struct ldapconn *lc, Operation *op, SlapReply *rs);
+int ldap_back_retry(struct ldapconn *lc, Operation *op, SlapReply *rs);
+int ldap_back_map_result(SlapReply *rs);
+int ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
+ ber_int_t msgid, int sendok);
+int back_ldap_LTX_init_module(int argc, char *argv[]);
+
+extern int ldap_back_conn_cmp( const void *c1, const void *c2);
+extern int ldap_back_conn_dup( void *c1, void *c2 );
+extern void ldap_back_conn_free( void *c );
+
+extern int
+ldap_back_proxy_authz_ctrl(
+ struct ldapconn *lc,
+ Operation *op,
+ SlapReply *rs,
+ LDAPControl ***pctrls );
+
+extern int
+ldap_back_proxy_authz_ctrl_free(
+ Operation *op,
+ LDAPControl ***pctrls );
+
+extern int chain_init( void );
+
LDAP_END_DECL #endif /* PROTO_LDAP_H */
diff --git a/servers/slapd/back-ldap/search.c b/servers/slapd/back-ldap/search.c
index 4cf1c72b3d..bf78dec637 100644
--- a/servers/slapd/back-ldap/search.c
+++ b/servers/slapd/back-ldap/search.c
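Review bot: The prototypes moved into proto-ldap.h name `struct ldapconn` with no forward declaration in this header, so any translation unit that includes proto-ldap.h before the struct is defined would give the tag prototype scope (the "declared inside parameter list" warning) and mismatched pointer types at the call sites; back-ldap.h now includes this file last, which is presumably why it builds, but a forward declaration makes the header self-contained: `struct ldapconn;` before `int ldap_back_freeconn(...)`, matching the `struct slap_conn;` line visible in back-ldap.h. `extern int chain_init( void );` is a new declaration unrelated to the stated purpose of removing the `#ifdef`s and deserves a mention in the commit message. The block also mixes bare `int f(...)` and `extern int f(...)` forms; settling on one would read better.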
@@ -105,13 +105,11 @@ ldap_back_search( } ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls ); if ( rc != LDAP_SUCCESS ) { dontfreetext = 1; goto finish; }
-#endif /* LDAP_BACK_PROXY_AUTHZ */
retry: rs->sr_err = ldap_search_ext( lc->lc_ld, op->o_req_ndn.bv_val,
@@ -274,9 +272,7 @@ fail:; finish:; send_ldap_result( op, rs );
-#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
if ( rs->sr_ctrls ) { ldap_controls_free( rs->sr_ctrls );
@@ -547,12 +543,10 @@ ldap_back_entry_get( } ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, &rs, &ctrls ); if ( rc != LDAP_SUCCESS ) { goto cleanup; }
-#endif /* LDAP_BACK_PROXY_AUTHZ */
retry: rc = ldap_search_ext_s( lc->lc_ld, ndn->bv_val, LDAP_SCOPE_BASE, filter,
@@ -583,9 +577,7 @@ retry: } cleanup:
-#ifdef LDAP_BACK_PROXY_AUTHZ
(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
if ( result ) { ldap_msgfree( result );