From: Pierangelo Masarati
Date: Mon, 21 Jun 2004 00:57:12 +0000 (+0000)
Subject: clean up unnecessary checks; don't use SASL native authz if authz ID is not static...
X-Git-Tag: OPENDLAP_REL_ENG_2_2_MP~211
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=1f70ad82f278fcd2e9aba816af06a6bf7b9c854b;p=openldap

clean up unnecessary checks; don't use SASL native authz if authz ID is not static, because back-ldap pools connections...
---

diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 5830528fbb..c11d87f5a8 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -403,8 +403,7 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 	 * control to every operation with the dn bound
 	 * to the connection as control value.
 	 */
-	if ( op->o_conn != NULL && ( ( BER_BVISNULL( &lc->bound_dn ) || BER_BVISEMPTY( &lc->bound_dn ) ) ) )
-	{
+	if ( op->o_conn != NULL && BER_BVISNULL( &lc->bound_dn ) ) {
 		struct berval binddn = slap_empty_bv;
 		struct berval bindcred = slap_empty_bv;
 		int dobind = 0;
@@ -464,6 +463,7 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 		case LDAP_BACK_IDASSERT_SELF:
 			if ( BER_BVISNULL( &op->o_conn->c_dn ) ) {
 				/* connection is not authc'd, so don't idassert */
+				BER_BVSTR( &authzID, "dn:" );
 				break;
 			}
 			authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_dn.bv_len;
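Review bot: The narrowed test `if ( op->o_conn != NULL && BER_BVISNULL( &lc->bound_dn ) ) {` now relies on lc->bound_dn never holding a non-NULL, zero-length value; if any bind path stores an empty berval instead of a NULL one, the identity-assertion setup in this branch is silently skipped for that pooled connection. That invariant is not visible in the hunk, so a one-line comment such as `/* bound_dn is either NULL (unbound) or a non-empty DN; an empty "" is never stored */` would record what the simplification depends on. The same assumption is made by the three simplified checks in the `@@ -772,23 +772,26 @@` hunk of ldap_back_proxy_authz_ctrl(). ldap_back_dobind()'s body continues outside the hunk.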
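Review bot: The context comment `/* connection is not authc'd, so don't idassert */` above the added `BER_BVSTR( &authzID, "dn:" );` is now misleading: the new line does set an authorization identity (the empty `dn:`, i.e. anonymous) for an unauthenticated connection before the `break`, so this case asserts an identity rather than skipping the assertion. Suggest rewording it to `/* connection is not authc'd: assert the anonymous identity ("dn:") rather than none */`. Whether the empty authzID is honoured by the bind that follows depends on code outside the hunk.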
@@ -772,23 +772,26 @@ ldap_back_proxy_authz_ctrl(
 			goto done;
 		}
-		if ( !BER_BVISNULL( &lc->bound_dn ) && !BER_BVISEMPTY( &lc->bound_dn ) ) {
+		if ( !BER_BVISNULL( &lc->bound_dn ) ) {
 			goto done;
 		}
-		if ( BER_BVISNULL( &op->o_conn->c_dn ) || BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
+		if ( BER_BVISNULL( &op->o_conn->c_dn ) ) {
 			goto done;
 		}
-		if ( BER_BVISNULL( &li->idassert_authcDN ) || BER_BVISEMPTY( &li->idassert_authcDN ) ) {
+		if ( BER_BVISNULL( &li->idassert_authcDN ) ) {
 			goto done;
 		}
 	} else if ( li->idassert_authmethod == LDAP_AUTH_SASL ) {
 		if ( ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ )
-			&& !BER_BVISNULL( &op->o_conn->c_dn ) && !BER_BVISEMPTY( &op->o_conn->c_dn ) )
+			/* && ( !BER_BVISNULL( &op->o_conn->c_dn ) || lc->bound ) */ )
 		{
 			/* already asserted in SASL via native authz */
+			/* NOTE: the test on lc->bound is used to trap
+			 * native authorization of anonymous users,
+			 * since in that case op->o_conn->c_dn is NULL */
 			goto done;
 		}
diff --git a/servers/slapd/back-ldap/external.h b/servers/slapd/back-ldap/external.h
index 216ced70bb..5f72eda8ae 100644
--- a/servers/slapd/back-ldap/external.h
+++ b/servers/slapd/back-ldap/external.h
@@ -29,6 +29,7 @@ extern BI_close ldap_back_close;
 extern BI_destroy ldap_back_destroy;
 extern BI_db_init ldap_back_db_init;
+extern BI_db_open ldap_back_db_open;
 extern BI_db_destroy ldap_back_db_destroy;
 extern BI_db_config ldap_back_db_config;
diff --git a/servers/slapd/back-ldap/init.c b/servers/slapd/back-ldap/init.c
index e7f2fdd42e..2f285fb0b3 100644
--- a/servers/slapd/back-ldap/init.c
+++ b/servers/slapd/back-ldap/init.c
@@ -60,7 +60,7 @@ ldap_back_initialize(
 	bi->bi_db_init = ldap_back_db_init;
 	bi->bi_db_config = ldap_back_db_config;
-	bi->bi_db_open = 0;
+	bi->bi_db_open = ldap_back_db_open;
 	bi->bi_db_close = 0;
 	bi->bi_db_destroy = ldap_back_db_destroy;
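Review bot: In the `else if ( li->idassert_authmethod == LDAP_AUTH_SASL )` branch, commenting out `&& ( !BER_BVISNULL( &op->o_conn->c_dn ) || lc->bound )` leaves `LDAP_BACK_AUTH_NATIVE_AUTHZ` as the only condition for skipping the proxyAuthz control, while the added NOTE describes a test on lc->bound that the code no longer performs, so a reader will believe anonymous-user trapping is active when it is not. If the intent is that ldap_back_db_open() (added in this commit) strips the flag for the per-connection LEGACY/SELF modes, so that the flag is only ever set alongside a static authzID, state that invariant here and drop the dead expression: `if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {` followed by `/* native SASL authz: the flag is only left set for static authzIDs (cleared for LEGACY/SELF in ldap_back_db_open) */`. Otherwise the commented-out test should be restored rather than kept as prose. ldap_back_proxy_authz_ctrl() begins before this hunk.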
@@ -162,6 +162,29 @@ ldap_back_db_init(
 	return 0;
 }
+int
+ldap_back_db_open( BackendDB *be )
+{
+	struct ldapinfo *li = (struct ldapinfo *)be->be_private;
+
+#ifdef LDAP_BACK_PROXY_AUTHZ
+	/* by default, use proxyAuthz control on each operation */
+	switch ( li->idassert_mode ) {
+	case LDAP_BACK_IDASSERT_LEGACY:
+	case LDAP_BACK_IDASSERT_SELF:
+		/* however, since admin connections are pooled and shared,
+		 * only static authzIDs can be native */
+		li->idassert_flags &= ~LDAP_BACK_AUTH_NATIVE_AUTHZ;
+		break;
+
+	default:
+		break;
+	}
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
+	return 0;
+}
+
 void
 ldap_back_conn_free( void *v_lc