From: Pierangelo Masarati
Date: Wed, 26 Jan 2005 20:01:02 +0000 (+0000)
Subject: allow proxyAuthz of users authenticated via SASL
X-Git-Tag: OPENLDAP_REL_ENG_2_3_BP~240
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=3dd2f4150b55ed4c868e76aed6f590323c5a8515;p=openldap
allow proxyAuthz of users authenticated via SASL
---
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 998ce24537..bdf8078e2f 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -404,6 +404,8 @@ ldap_back_dobind_int(
 ldap_pvt_thread_mutex_lock( &lc->lc_mutex );
 if ( !lc->lc_bound ) {
+ struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
+
 /*
 * FIXME: we need to let clients use proxyAuthz
 * otherwise we cannot do symmetric pools of servers;
@@ -419,11 +421,17 @@ ldap_back_dobind_int(
 /*
 * if no bind took place yet, but the connection is bound
 * and the "idassert-authcDN" (or other ID) is set,
- * then bind as the asserting ideintity and explicitly
+ * then bind as the asserting identity and explicitly
 * add the proxyAuthz control to every operation with the
 * dn bound to the connection as control value.
+ * This is done also if this is the authrizing backend,
+ * but the "override" flag is given to idassert.
+ * It allows to use SASL bind and yet proxyAuthz users
 */
- if ( op->o_conn != NULL && BER_BVISNULL( &lc->lc_bound_ndn ) ) {
+ if ( op->o_conn != NULL &&
+ ( BER_BVISNULL( &lc->lc_bound_ndn ) ||
+ ( li->idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) )
+ {
 (void)ldap_back_proxy_authz_bind( lc, op, rs );
 goto done;
 }
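Review bot: With `LDAP_BACK_AUTH_OVERRIDE` set, the widened test at `if ( op->o_conn != NULL &&` sends every not-yet-bound connection through `ldap_back_proxy_authz_bind`, even when this is the authorizing backend and `lc_bound_ndn` is already set, and the call's result is still discarded by the `(void)` cast on the context line that follows. From then on the identity asserted to the remote server rests on the front-end's authentication plus the idassert credentials, and the comment should say so, e.g. `* With "override" the client identity is asserted with the idassert credentials even if it bound through this backend; limits on who may be asserted must be enforced in ldap_back_proxy_authz_bind().` Whether that helper applies such limits, and how the `done` label treats a failed bind, cannot be seen here because `ldap_back_dobind_int` continues outside both hunks. The added comment also misspells `authorizing` as `authrizing`.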