From: Pierangelo Masarati
Date: Sat, 10 Jun 2006 16:33:26 +0000 (+0000)
Subject: cleanup identity assertion; ready for porting to back-meta
X-Git-Tag: OPENLDAP_REL_ENG_2_4_3ALPHA~9^2~152
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=31a004840dbe8e06d5a608a03e345a4ccbebecbf;p=openldap

cleanup identity assertion; ready for porting to back-meta
---

diff --git a/servers/slapd/back-ldap/add.c b/servers/slapd/back-ldap/add.c
index 94cab8eda6..260b57aea7 100644
--- a/servers/slapd/back-ldap/add.c
+++ b/servers/slapd/back-ldap/add.c
@@ -93,7 +93,7 @@ ldap_back_add(
 	attrs[ i ] = NULL;
 
 	ctrls = op->o_ctrls;
-	rs->sr_err = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+	rs->sr_err = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, rs, &ctrls );
 	if ( rs->sr_err != LDAP_SUCCESS ) {
 		send_ldap_result( op, rs );
 		goto cleanup;
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index ca304aa165..c05e0ee777 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -33,7 +33,7 @@
 #include "slap.h"
 #include "back-ldap.h"
-#include
+#include "lutil_ldap.h"
 
 #ifndef PRINT_CONNTREE
 #define PRINT_CONNTREE 0
@@ -1478,6 +1478,11 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_b
 		/* fall thru */
 
 	default:
+		rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+		if ( sendok & LDAP_BACK_SENDERR ) {
+			send_ldap_result( op, rs );
+		}
+		LDAP_BACK_CONN_ISBOUND_CLEAR( lc );
 		goto done;
 	}
 
@@ -1737,7 +1742,7 @@ done:;
  */
 int
 ldap_back_proxy_authz_ctrl(
-		ldapconn_t		*lc,
+		struct berval	*bound_ndn,
 		Operation	*op,
 		SlapReply	*rs,
 		LDAPControl	***pctrls )
@@ -1810,7 +1815,7 @@ ldap_back_proxy_authz_ctrl(
 		goto done;
 	}
 
-	if ( !BER_BVISNULL( &lc->lc_bound_ndn ) ) {
+	if ( !BER_BVISNULL( bound_ndn ) ) {
 		goto done;
 	}
 
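Review bot: The new `default:` arm in ldap_back_proxy_authz_bind() refuses with a bare LDAP_UNWILLING_TO_PERFORM and sets no rs->sr_text, so neither the client nor the slapd log says that the idassert bind method is what was rejected; `rs->sr_text = "proxy authorization: unsupported bind method";` before the send_ldap_result() call would make the refusal diagnosable. The `switch` this arm belongs to starts outside the hunk, so if the arm is only reached for an unrecognised li_idassert_authmethod, LDAP_AUTH_METHOD_NOT_SUPPORTED may be the more accurate result code than unwilling-to-perform. Clearing the bound flag before `goto done` is the right defensive move, since a connection whose identity assertion failed must not be reused as if it were authorized, and a one-line comment such as `/* unsupported idassert method: refuse and leave the connection marked unbound */` would record that intent. The enclosing function starts and ends outside the hunk.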
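Review bot: `BER_BVISNULL( bound_ndn )` in the 1815 hunk dereferences the new caller-supplied pointer without checking it, and since the stated purpose of the commit is to let back-meta call ldap_back_proxy_authz_ctrl() as well, a future caller passing NULL would crash here instead of taking the "no bound DN" path; `assert( bound_ndn != NULL );` at function entry, or a comment stating that callers must pass the connection's bound-DN berval (empty, not NULL, for an anonymous connection), would pin the contract. The same unchecked dereference recurs at the later dn_match() call in this function. The function body continues outside the hunk.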
@@ -1823,14 +1828,9 @@ ldap_back_proxy_authz_ctrl(
 		}
 
 	} else if ( li->li_idassert_authmethod == LDAP_AUTH_SASL ) {
-		if ( ( li->li_idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ )
-			/* && ( !BER_BVISNULL( &ndn )
-				|| LDAP_BACK_CONN_ISBOUND( lc ) ) */ )
+		if ( ( li->li_idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) )
 		{
 			/* already asserted in SASL via native authz */
-			/* NOTE: the test on lc->lc_bound is used to trap
-			 * native authorization of anonymous users,
-			 * since in that case ndn is NULL */
 			goto done;
 		}
 
@@ -1927,7 +1927,7 @@ ldap_back_proxy_authz_ctrl(
 	}
 
 	/* don't idassert the bound DN (ITS#4497) */
-	if ( dn_match( &assertedID, &lc->lc_bound_ndn ) ) {
+	if ( dn_match( &assertedID, bound_ndn ) ) {
 		goto done;
 	}
 
diff --git a/servers/slapd/back-ldap/compare.c b/servers/slapd/back-ldap/compare.c
index 8d31acabb8..e37e986bc3 100644
--- a/servers/slapd/back-ldap/compare.c
+++ b/servers/slapd/back-ldap/compare.c
@@ -49,7 +49,7 @@ ldap_back_compare(
 	}
 
 	ctrls = op->o_ctrls;
-	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+	rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
 		send_ldap_result( op, rs );
 		goto cleanup;
diff --git a/servers/slapd/back-ldap/delete.c b/servers/slapd/back-ldap/delete.c
index e0f7c67905..3394a5aeba 100644
--- a/servers/slapd/back-ldap/delete.c
+++ b/servers/slapd/back-ldap/delete.c
@@ -51,7 +51,7 @@ ldap_back_delete(
 	}
 
 	ctrls = op->o_ctrls;
-	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+	rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
 		send_ldap_result( op, rs );
 		rc = rs->sr_err;
diff --git a/servers/slapd/back-ldap/extended.c b/servers/slapd/back-ldap/extended.c
index 0651ffe685..2bf37c49e3 100644
--- a/servers/slapd/back-ldap/extended.c
+++ b/servers/slapd/back-ldap/extended.c
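Review bot: The deleted NOTE was the only text explaining how native SASL authorization of an anonymous user (empty ndn) is trapped, and the surviving code now returns without adding a proxyAuthz control whenever LDAP_BACK_AUTH_NATIVE_AUTHZ is set, so the hunk leaves no record of where that case is refused; presumably it is handled at SASL bind time in ldap_back_proxy_authz_bind(), which is outside this hunk, and if that is confirmed the note should be replaced rather than dropped, e.g. `/* native authz: the identity was asserted at SASL bind time; anonymous callers are handled there, not here */`. The doubled parentheses in `if ( ( li->li_idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) )` are a leftover of the deleted second operand, and `if ( li->li_idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ )` reads cleaner. The enclosing function starts and ends outside the hunk.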
@@ -56,7 +56,7 @@ ldap_back_extended_one( Operation *op, SlapReply *rs, BI_op_extended exop )
 	}
 
 	oldctrls = op->o_ctrls;
-	if ( ldap_back_proxy_authz_ctrl( lc, op, rs, &op->o_ctrls ) ) {
+	if ( ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, rs, &op->o_ctrls ) ) {
 		op->o_ctrls = oldctrls;
 		send_ldap_extended( op, rs );
 		rs->sr_text = NULL;
diff --git a/servers/slapd/back-ldap/modify.c b/servers/slapd/back-ldap/modify.c
index 6b75ef74f7..e3ad3d5aba 100644
--- a/servers/slapd/back-ldap/modify.c
+++ b/servers/slapd/back-ldap/modify.c
@@ -99,7 +99,7 @@ ldap_back_modify(
 	modv[ i ] = 0;
 
 	ctrls = op->o_ctrls;
-	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+	rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
 		send_ldap_result( op, rs );
 		rc = -1;
diff --git a/servers/slapd/back-ldap/modrdn.c b/servers/slapd/back-ldap/modrdn.c
index eb5690ce6c..304482922f 100644
--- a/servers/slapd/back-ldap/modrdn.c
+++ b/servers/slapd/back-ldap/modrdn.c
@@ -74,7 +74,7 @@ ldap_back_modrdn(
 	}
 
 	ctrls = op->o_ctrls;
-	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+	rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
 		send_ldap_result( op, rs );
 		rc = -1;
diff --git a/servers/slapd/back-ldap/proto-ldap.h b/servers/slapd/back-ldap/proto-ldap.h
index bb4baf2924..72dd5f359b 100644
--- a/servers/slapd/back-ldap/proto-ldap.h
+++ b/servers/slapd/back-ldap/proto-ldap.h
@@ -67,7 +67,7 @@ extern void ldap_back_conn_free( void *c );
 
 extern int
 ldap_back_proxy_authz_ctrl(
-		ldapconn_t *lc,
+		struct berval *bound_ndn,
 		Operation *op,
 		SlapReply *rs,
 		LDAPControl ***pctrls );
diff --git a/servers/slapd/back-ldap/search.c b/servers/slapd/back-ldap/search.c
index 4d95374f1e..f7e1667e2c 100644
--- a/servers/slapd/back-ldap/search.c
+++ b/servers/slapd/back-ldap/search.c
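Review bot: The prototype change in proto-ldap.h is the natural place to document a contract the callers in this commit apply inconsistently: add.c assigns the return value to rs->sr_err, while compare.c, delete.c and extended.c keep the return in `rc` and then send `rs` as-is, which is only correct if ldap_back_proxy_authz_ctrl() also stores its result in rs->sr_err itself. A comment above the declaration stating whether rs->sr_err and rs->sr_text are set on failure, that `bound_ndn` is the DN the connection is currently bound as and must be non-NULL (empty for anonymous), and what the function does with `*pctrls`, would let the planned back-meta port follow the same rules. The function body lives in bind.c, outside this hunk, so the exact behaviour should be checked there before it is written down.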
@@ -203,7 +203,7 @@ ldap_back_search(
 	}
 
 	ctrls = op->o_ctrls;
-	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
+	rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
 		goto finish;
 	}
@@ -762,7 +762,7 @@ ldap_back_entry_get(
 	}
 
 	ctrls = op->o_ctrls;
-	rc = ldap_back_proxy_authz_ctrl( lc, op, &rs, &ctrls );
+	rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, &rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
 		goto cleanup;
 	}