From: Pierangelo Masarati Date: Thu, 3 Feb 2011 23:35:56 +0000 (+0000) Subject: use (noncritical) whoami extop during SASL bind (ITS#6817) X-Git-Tag: MIGRATION_CVS2GIT~119 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=5d9baf3e85908ae9a0f14b1e146c9c89daba72d2;p=openldap use (noncritical) whoami extop during SASL bind (ITS#6817) --- diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c index 0530c0f716..c9f20abdec 100644 --- a/servers/slapd/back-ldap/bind.c +++ b/servers/slapd/back-ldap/bind.c @@ -2322,17 +2322,17 @@ ldap_back_proxy_authz_bind( #ifdef SLAP_AUTH_DN /* FIXME: right now, the only reason to check * response controls is RFC 3829 authzid */ - ctrlsp = NULL; - rc = ldap_parse_result( lc->lc_ld, result, NULL, NULL, NULL, NULL, - &ctrlsp, 0 ); - if ( rc == LDAP_SUCCESS && ctrlsp ) { - if ( li->li_idassert_flags & LDAP_BACK_AUTH_DN_AUTHZID ) { + if ( li->li_idassert_flags & LDAP_BACK_AUTH_DN_AUTHZID ) { + ctrlsp = NULL; + rc = ldap_parse_result( lc->lc_ld, result, NULL, NULL, NULL, NULL, + &ctrlsp, 0 ); + if ( rc == LDAP_SUCCESS && ctrlsp ) { LDAPControl *ctrl; ctrl = ldap_control_find( LDAP_CONTROL_AUTHZID_RESPONSE, ctrlsp, NULL ); if ( ctrl ) { - Debug( LDAP_DEBUG_TRACE, "%s: ldap_back_proxy_authz_bind: authzID=\"%s\"\n", + Debug( LDAP_DEBUG_TRACE, "%s: ldap_back_proxy_authz_bind: authzID=\"%s\" (authzid)\n", op->o_log_prefix, ctrl->ldctl_value.bv_val, 0 ); if ( ctrl->ldctl_value.bv_len > STRLENOF("dn:") && strncasecmp( ctrl->ldctl_value.bv_val, "dn:", STRLENOF("dn:") ) == 0 ) @@ -2346,9 +2346,28 @@ ldap_back_proxy_authz_bind( } ldap_controls_free( ctrlsp ); + + } else if ( li->li_idassert_flags & LDAP_BACK_AUTH_DN_WHOAMI ) { + struct berval *val = NULL; + rc = ldap_whoami_s( lc->lc_ld, &val, NULL, NULL ); + if ( rc == LDAP_SUCCESS && val != NULL ) { + Debug( LDAP_DEBUG_TRACE, "%s: ldap_back_proxy_authz_bind: authzID=\"%s\" (whoami)\n", + op->o_log_prefix, val->bv_val, 0 ); + if ( val->bv_len > STRLENOF("dn:") && + strncasecmp( val->bv_val, "dn:", STRLENOF("dn:") ) == 0 ) + { + struct berval bv; + bv.bv_val = &val->bv_val[STRLENOF("dn:")]; + bv.bv_len = val->bv_len - STRLENOF("dn:"); + ber_bvreplace( &lc->lc_bound_ndn, &bv ); + } + ber_bvfree( val ); + } } - if ( BER_BVISNULL( &lc->lc_bound_ndn ) ) { + if ( ( li->li_idassert_flags & LDAP_BACK_AUTH_DN_MASK ) && + BER_BVISNULL( &lc->lc_bound_ndn ) ) + { /* all in all, we only need it to be non-null */ /* FIXME: should this be configurable? */ static struct berval bv = BER_BVC("cn=authzdn");