From: Pierangelo Masarati Date: Thu, 15 Dec 2005 13:47:25 +0000 (+0000) Subject: better handling of internal operations X-Git-Tag: OPENLDAP_REL_ENG_2_4_BP~597 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=4538422dc9eb7bb143f2cd5a27190540f450d750;p=openldap better handling of internal operations --- diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c index 0531d46f59..ac5cef995d 100644 --- a/servers/slapd/back-ldap/bind.c +++ b/servers/slapd/back-ldap/bind.c @@ -983,10 +983,18 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs ) ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; struct berval binddn = slap_empty_bv; struct berval bindcred = slap_empty_bv; + struct berval ndn; int dobind = 0; int msgid; int rc; + if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) { + ndn = op->o_conn->c_ndn; + + } else { + ndn = op->o_ndn; + } + /* * FIXME: we need to let clients use proxyAuthz * otherwise we cannot do symmetric pools of servers; @@ -1012,7 +1020,7 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs ) * is authorized */ switch ( li->li_idassert_mode ) { case LDAP_BACK_IDASSERT_LEGACY: - if ( !BER_BVISNULL( &op->o_conn->c_ndn ) && !BER_BVISEMPTY( &op->o_conn->c_ndn ) ) { + if ( !BER_BVISNULL( &ndn ) && !BER_BVISEMPTY( &ndn ) ) { if ( !BER_BVISNULL( &li->li_idassert_authcDN ) && !BER_BVISEMPTY( &li->li_idassert_authcDN ) ) { binddn = li->li_idassert_authcDN; @@ -1027,11 +1035,11 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs ) if ( li->li_idassert_authz && !be_isroot( op ) ) { struct berval authcDN; - if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) { + if ( BER_BVISNULL( &ndn ) ) { authcDN = slap_empty_bv; } else { - authcDN = op->o_conn->c_ndn; + authcDN = ndn; } rs->sr_err = slap_sasl_matches( op, li->li_idassert_authz, &authcDN, &authcDN ); 
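Review bot: The new selection at the top of ldap_back_proxy_authz_bind dereferences `op->o_conn` in the very test whose fallback is meant for internal operations, so if any internal caller reaches this with a NULL `o_conn` the fallback to `op->o_ndn` is never taken; if such callers exist (not visible from the hunk), the guard should read `if ( op->o_conn != NULL && !BER_BVISNULL( &op->o_conn->c_ndn ) ) {`. The same two-way selection is pasted verbatim into ldap_back_proxy_authz_ctrl in the @@ -1221 hunk; since this value is the identity the backend asserts to the remote server, the two copies belong in one static helper so they cannot drift apart. The preference order is also undocumented — a comment such as `/* identity to assert: the connection's bound DN for client ops, the operation's own DN for internal ops with no connection-level identity */` above the if would record the intent. ldap_back_proxy_authz_bind continues past the end of this hunk.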
@@ -1078,16 +1086,16 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs ) break; case LDAP_BACK_IDASSERT_SELF: - if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) { + if ( BER_BVISNULL( &ndn ) ) { /* connection is not authc'd, so don't idassert */ BER_BVSTR( &authzID, "dn:" ); break; } - authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_ndn.bv_len; + authzID.bv_len = STRLENOF( "dn:" ) + ndn.bv_len; authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx ); AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) ); AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ), - op->o_conn->c_ndn.bv_val, op->o_conn->c_ndn.bv_len + 1 ); + ndn.bv_val, ndn.bv_len + 1 ); freeauthz = 1; break; @@ -1202,7 +1210,8 @@ ldap_back_proxy_authz_ctrl( LDAPControl **ctrls = NULL; int i = 0, mode; - struct berval assertedID; + struct berval assertedID, + ndn; *pctrls = NULL; @@ -1221,6 +1230,13 @@ ldap_back_proxy_authz_ctrl( goto done; } + if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) { + ndn = op->o_conn->c_ndn; + + } else { + ndn = op->o_ndn; + } + if ( li->li_idassert_mode == LDAP_BACK_IDASSERT_LEGACY ) { if ( op->o_proxy_authz ) { /* @@ -1244,7 +1260,7 @@ ldap_back_proxy_authz_ctrl( goto done; } - if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) { + if ( BER_BVISNULL( &ndn ) ) { goto done; } @@ -1254,13 +1270,13 @@ ldap_back_proxy_authz_ctrl( } else if ( li->li_idassert_authmethod == LDAP_AUTH_SASL ) { if ( ( li->li_idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) - /* && ( !BER_BVISNULL( &op->o_conn->c_ndn ) + /* && ( !BER_BVISNULL( &ndn ) || LDAP_BACK_CONN_ISBOUND( lc ) ) */ ) { /* already asserted in SASL via native authz */ /* NOTE: the test on lc->lc_bound is used to trap * native authorization of anonymous users, - * since in that case op->o_conn->c_ndn is NULL */ + * since in that case ndn is NULL */ goto done; } 
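Review bot: The comment `/* connection is not authc'd, so don't idassert */` in the LDAP_BACK_IDASSERT_SELF case no longer matches the test above it, because `ndn` may now be `op->o_ndn` rather than the connection's DN; `/* no identity to assert (unbound connection, or internal op without a DN) */` describes the new condition. The copy a few lines down also relies on `ndn.bv_val` being NUL-terminated (`ndn.bv_len + 1` bytes are copied); that held for `c_ndn` and presumably holds for `o_ndn`, but it is now an assumption about two sources rather than one and is worth stating next to the AC_MEMCPY. The enclosing switch and function continue outside this hunk.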
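Review bot: The declaration `struct berval assertedID, ndn;` in the @@ -1202 hunk folds the new variable into an existing declarator list and leaves it uninitialized until the selection block later in the function, whereas the matching change in ldap_back_proxy_authz_bind (@@ -983) declares `struct berval ndn;` on its own line; for consistency with that hunk and to make any future read-before-assign visible, `struct berval ndn = BER_BVNULL;` on its own line is preferable. ldap_back_proxy_authz_ctrl's body continues outside this hunk.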
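Review bot: The @@ -1254 hunk edits a condition that is commented out (`/* && ( !BER_BVISNULL( &ndn ) || LDAP_BACK_CONN_ISBOUND( lc ) ) */`) together with its trailing NOTE, so the commit carries dead code forward instead of either reviving or removing it; if the commented-out test is not coming back, deleting it (and the NOTE that explains it) avoids maintaining two versions of a check that never runs. The NOTE's claim `since in that case ndn is NULL` is also no longer exact: with the fallback introduced above, `ndn` is NULL only when both `op->o_conn->c_ndn` and `op->o_ndn` are NULL, which the comment should say. The enclosing if/else chain continues outside this hunk.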
@@ -1268,17 +1284,17 @@ ldap_back_proxy_authz_ctrl( int rc; struct berval authcDN; - if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) { + if ( BER_BVISNULL( &ndn ) ) { authcDN = slap_empty_bv; } else { - authcDN = op->o_conn->c_ndn; + authcDN = ndn; } rc = slap_sasl_matches( op, li->li_idassert_authz, &authcDN, & authcDN ); if ( rc != LDAP_SUCCESS ) { if ( li->li_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) { - /* op->o_conn->c_ndn is not authorized + /* ndn is not authorized * to use idassert */ return rc; } @@ -1320,10 +1336,10 @@ ldap_back_proxy_authz_ctrl( case LDAP_BACK_IDASSERT_SELF: /* original behavior: * assert the client's identity */ - if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) { + if ( BER_BVISNULL( &ndn ) ) { assertedID = slap_empty_bv; } else { - assertedID = op->o_conn->c_ndn; + assertedID = ndn; } break;
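Review bot: The comment in the LDAP_BACK_AUTH_PRESCRIPTIVE branch went from naming the connection's DN to the bare `/* ndn is not authorized to use idassert */`, which tells a reader less than before now that `ndn` may come from either the connection or the operation; `/* the identity selected above (client's bound DN, or the internal op's DN) is not authorized to use idassert: return the error rather than fall back */` records what the early `return rc;` enforces. The `authcDN = BER_BVISNULL( &ndn ) ? empty : ndn` normalisation in this hunk is the same one written in ldap_back_proxy_authz_bind (@@ -1027), another candidate for a shared helper. ldap_back_proxy_authz_ctrl continues before and after this hunk.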