From: Pierangelo Masarati
Date: Mon, 9 Jan 2006 23:06:18 +0000 (+0000)
Subject: add experimental, non-advertised support for obsolete version of proxyAuthz
X-Git-Tag: OPENLDAP_REL_ENG_2_4_BP~367
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=32a33fe678cda1f7415c29ba414ffe19a7833492;p=openldap
add experimental, non-advertised support for obsolete version of proxyAuthz
---
diff --git a/clients/tools/common.c b/clients/tools/common.c
index 88f3430ebf..9424be15f9 100644
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -104,6 +104,11 @@ char *sasl_secprops = NULL;
 int assertctl;
 char *assertion = NULL;
 char *authzid = NULL;
+/* support deprecated early version of proxyAuthz */
+#define LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ "2.16.840.1.113730.3.4.12"
+#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
+char *proxydn = NULL;
+#endif /* LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ */
 int manageDIT = 0;
 int manageDSAit = 0;
 int noop = 0;
@@ -184,6 +189,9 @@ N_(" -D binddn bind DN\n"),
 N_(" -e [!][=] general extensions (! indicates criticality)\n")
 N_(" [!]assert= (an RFC 2254 Filter)\n")
 N_(" [!]authzid= (\"dn:\" or \"u:\")\n")
+/* do not advertize support for proxyDN
+N_(" [!]proxydn= (an RFC 2253 DN)\n")
+*/
 #ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
 N_(" [!]chaining[=[/]]\n")
 N_(" one of \"chainingPreferred\", \"chainingRequired\",\n")
@@ -331,6 +339,12 @@ tool_args( int argc, char **argv )
 fprintf( stderr, "authzid control previously specified\n");
 exit( EXIT_FAILURE );
 }
+#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
+ if( proxydn != NULL ) {
+ fprintf( stderr, "authzid control incompatible with proxydn\n");
+ exit( EXIT_FAILURE );
+ }
+#endif /* LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ */
 if( cvalue == NULL ) {
 fprintf( stderr, "authzid: control value expected\n" );
 usage();
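Review bot: The `#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ` guard around `char *proxydn = NULL;` in the first hunk (and every other guard this commit adds) can never be false, because the macro is `#define`d unconditionally on the line immediately above it, so the obsolete control is always compiled in and only its help text is hidden. If the intent is an opt-in experimental feature, make the definition itself conditional, e.g. `#ifdef LDAP_DEVEL` / `#define LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ "2.16.840.1.113730.3.4.12"` / `#endif` (or whichever build-time switch the project uses for experimental code — to be confirmed), so that the scattered guards become a real switch. The comment `/* support deprecated early version of proxyAuthz */` should also name the draft the OID comes from, since nothing in this file lets a reader verify the value against a specification.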
@@ -343,6 +357,29 @@ tool_args( int argc, char **argv )
 assert( authzid == NULL );
 authzid = cvalue;
+#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
+ } else if ( strcasecmp( control, "proxydn" ) == 0 ) {
+ if( proxydn != NULL ) {
+ fprintf( stderr, "proxydn control previously specified\n");
+ exit( EXIT_FAILURE );
+ }
+ if( authzid != NULL ) {
+ fprintf( stderr, "proxydn control incompatible with authzid\n");
+ exit( EXIT_FAILURE );
+ }
+ if( cvalue == NULL ) {
+ fprintf( stderr, "proxydn: control value expected\n" );
+ usage();
+ }
+ if( !crit ) {
+ fprintf( stderr, "proxydn: must be marked critical\n" );
+ usage();
+ }
+
+ assert( proxydn == NULL );
+ proxydn = cvalue;
+#endif /* LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ */
+
 } else if ( strcasecmp( control, "manageDIT" ) == 0 ) {
 if( manageDIT ) {
 fprintf( stderr,
@@ -826,6 +863,9 @@ tool_args( int argc, char **argv )
 if( protocol == LDAP_VERSION2 ) {
 if( assertctl || authzid || manageDIT || manageDSAit ||
+#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
+ proxydn ||
+#endif /* LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ */
 #ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
 chaining ||
 #endif
@@ -1121,6 +1161,9 @@ tool_server_controls( LDAP *ld, LDAPControl *extra_c, int count )
 if ( ! ( assertctl
 || authzid
+#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
+ || proxydn
+#endif /* LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ */
 || manageDIT
 || manageDSAit
 || noop
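Review bot: The new `proxydn` branch stores `cvalue` verbatim with no local syntax check, so a mistyped DN is only diagnosed by the server, and because the control is forced critical that shows up as a failed operation rather than a clear client-side error; a parse check before `proxydn = cvalue;` (the library's `ldap_str2dn()` would do, freeing the result immediately) would give a better message. At minimum the assignment deserves a comment that the value is a bare DN and not an authzId, e.g. `/* bare RFC 2253 DN, no "dn:" prefix; sent unchanged in the obsolete control */`, since the `-e` syntax makes it look like `authzid=`. The `assert( proxydn == NULL )` right after the explicit `proxydn != NULL` exit is redundant, though it mirrors the authzid branch. tool_args() starts and ends outside this hunk.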
@@ -1170,13 +1213,37 @@ tool_server_controls( LDAP *ld, LDAPControl *extra_c, int count )
 }
 if ( authzid ) {
- c[i].ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
 c[i].ldctl_value.bv_val = authzid;
 c[i].ldctl_value.bv_len = strlen( authzid );
+ c[i].ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
+ c[i].ldctl_iscritical = 1;
+ ctrls[i] = &c[i];
+ i++;
+ }
+
+#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
+ /* NOTE: doesn't need an extra count because it's incompatible
+ * with authzid */
+ if ( proxydn ) {
+ BerElementBuffer berbuf;
+ BerElement *ber = (BerElement *)&berbuf;
+
+ ber_init2( ber, NULL, LBER_USE_DER );
+
+ if ( ber_printf( ber, "s", proxydn ) == LBER_ERROR ) {
+ exit( EXIT_FAILURE );
+ }
+
+ if ( ber_flatten2( ber, &c[i].ldctl_value, 0 ) == -1 ) {
+ exit( EXIT_FAILURE );
+ }
+
+ c[i].ldctl_oid = LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ;
 c[i].ldctl_iscritical = 1;
 ctrls[i] = &c[i];
 i++;
 }
+#endif /* LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ */
 if ( manageDIT ) {
 c[i].ldctl_oid = LDAP_CONTROL_MANAGEDIT;
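Review bot: Both failure paths in the new `if ( proxydn )` block call `exit( EXIT_FAILURE )` without any diagnostic, unlike every other error exit visible in this file; add `fprintf( stderr, "proxydn: unable to encode control value\n" );` before each `exit` (or merge the two checks into one). `ber_flatten2( ber, &c[i].ldctl_value, 0 )` with `alloc` = 0 leaves `ldctl_value` pointing into the buffer owned by the BerElement, which is never released with `ber_free_buf()`; that is tolerable in a one-shot command-line client but it should be said in a comment next to the call (`/* value aliases the ber's buffer; intentionally not freed, lives until exit */`) so nobody later "fixes" it by freeing `berbuf`-related memory early. The `NOTE` about not needing an extra count refers to the sizing of `c[]`, which is outside this hunk, so I could not confirm it. tool_server_controls() continues past the end of this hunk.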