From: Pierangelo Masarati <ando@openldap.org>
Date: Sun, 2 Nov 2008 21:38:10 +0000 (+0000)
Subject: add dontUseCopy and proxiedAuthz "non_critical" disallow switches (ITS#5785)
X-Git-Tag: ACLCHECK_0~1165
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=52e28a9ece6d45420680e0f89c7397536134085a;p=openldap

add dontUseCopy and proxiedAuthz "non_critical" disallow switches (ITS#5785)
---

diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 4b1c259cec..e0d26e7000 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -2587,6 +2587,8 @@ config_disallows(ConfigArgs *c) {
 		{ BER_BVC("bind_simple"),	SLAP_DISALLOW_BIND_SIMPLE },
 		{ BER_BVC("tls_2_anon"),		SLAP_DISALLOW_TLS_2_ANON },
 		{ BER_BVC("tls_authc"),		SLAP_DISALLOW_TLS_AUTHC },
+		{ BER_BVC("proxy_authz_non_critical"),	SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT },
+		{ BER_BVC("dontusecopy_non_critical"),	SLAP_DISALLOW_DONTUSECOPY_N_CRIT },
 		{ BER_BVNULL, 0 }
 	};
 	if (c->op == SLAP_CONFIG_EMIT) {
diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index ee2a36742f..b812bf6b15 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -960,6 +960,13 @@ static int parseDontUseCopy (
 		return LDAP_PROTOCOL_ERROR;
 	}
 
+	if ( ( global_disallows & SLAP_DISALLOW_DONTUSECOPY_N_CRIT )
+		&& !ctrl->ldctl_iscritical )
+	{
+		rs->sr_text = "dontUseCopy criticality of FALSE not allowed";
+		return LDAP_PROTOCOL_ERROR;
+	}
+
 	op->o_dontUseCopy = ctrl->ldctl_iscritical
 		? SLAP_CONTROL_CRITICAL
 		: SLAP_CONTROL_NONCRITICAL;
@@ -1029,6 +1036,13 @@ static int parseProxyAuthz (
 		return LDAP_PROTOCOL_ERROR;
 	}
 
+	if ( ( global_disallows & SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT )
+		&& !ctrl->ldctl_iscritical )
+	{
+		rs->sr_text = "proxied authorization criticality of FALSE not allowed";
+		return LDAP_PROTOCOL_ERROR;
+	}
+
 	if ( !( global_allows & SLAP_ALLOW_PROXY_AUTHZ_ANON )
 		&& BER_BVISEMPTY( &op->o_ndn ) )
 	{
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 6b442214e4..8564e3b310 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1863,6 +1863,9 @@ struct BackendDB {
 #define SLAP_DISALLOW_TLS_2_ANON	0x0010U /* StartTLS -> Anonymous */
 #define SLAP_DISALLOW_TLS_AUTHC		0x0020U	/* TLS while authenticated */
 
+#define SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT	0x0100U
+#define SLAP_DISALLOW_DONTUSECOPY_N_CRIT	0x0200U
+
 #define SLAP_DISALLOW_AUX_WO_CR		0x4000U
 
 	slap_mask_t	be_requires;	/* pre-operation requirements */