From: Pierangelo Masarati Date: Wed, 19 Jan 2005 19:11:35 +0000 (+0000) Subject: use idassert for proxyAuthz with the chain overlay X-Git-Tag: OPENLDAP_REL_ENG_2_3_BP~327 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=5f178fd3d17aaf316c02d8dc1927cf7326674f83;p=openldap use idassert for proxyAuthz with the chain overlay --- diff --git a/servers/slapd/back-ldap/chain.c b/servers/slapd/back-ldap/chain.c index b8659d93a7..58b6106cf0 100644 --- a/servers/slapd/back-ldap/chain.c +++ b/servers/slapd/back-ldap/chain.c @@ -93,9 +93,7 @@ ldap_chain_response( Operation *op, SlapReply *rs ) slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; void *private = op->o_bd->be_private; slap_callback *sc = op->o_callback; - LDAPControl **prev = op->o_ctrls; - LDAPControl **ctrls = NULL, *c[ 2 ], authz; - int i, nctrls = 0, rc = 0; + int rc = 0; int cache = op->o_do_not_cache; char *authzid = NULL; BerVarray ref; @@ -157,42 +155,11 @@ ldap_chain_response( Operation *op, SlapReply *rs ) op->o_bd->be_private = on->on_bi.bi_private; } - /* Chaining is performed by a privileged user on behalf - * of a normal user, using the ProxyAuthz control. However, - * Binds are done separately, on an anonymous session. + /* Chaining can be performed by a privileged user on behalf + * of normal users, using the ProxyAuthz control, by exploiting + * the identity assertion feature of back-ldap; see idassert-* + * directives in slapd-ldap(5). */ - if ( op->o_tag != LDAP_REQ_BIND ) { - if ( prev ) { - for ( i = 0; prev[i]; i++ ) - /* count and set prev to the last one */ ; - nctrls = i; - - ctrls = op->o_tmpalloc((i + 1)*sizeof(LDAPControl *), - op->o_tmpmemctx); - for ( i = 0; i < nctrls; i++ ) { - ctrls[i] = prev[i]; - } - - } else { - ctrls = c; - } - - ctrls[nctrls] = &authz; - ctrls[nctrls + 1] = NULL; - authz.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; - authz.ldctl_iscritical = 1; - authz.ldctl_value = op->o_dn; - if ( !BER_BVISEMPTY( &op->o_dn ) ) { - authzid = op->o_tmpalloc( op->o_dn.bv_len + STRLENOF("dn:"), - op->o_tmpmemctx ); - strcpy(authzid, "dn:"); - strcpy(authzid + STRLENOF("dn:"), op->o_dn.bv_val); - authz.ldctl_value.bv_len = op->o_dn.bv_len + STRLENOF("dn:"); - authz.ldctl_value.bv_val = authzid; - } - op->o_ctrls = ctrls; - op->o_ndn = op->o_bd->be_rootndn; - } switch ( op->o_tag ) { case LDAP_REQ_BIND: { @@ -374,13 +341,9 @@ end_of_searchref:; break; } op->o_do_not_cache = cache; - op->o_ctrls = prev; op->o_bd->be_private = private; op->o_callback = sc; op->o_ndn = ndn; - if ( ctrls && ctrls != c ) { - op->o_tmpfree( ctrls, op->o_tmpmemctx ); - } if ( authzid ) { op->o_tmpfree( authzid, op->o_tmpmemctx ); } diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf index b48710b399..648ac31320 100644 --- a/tests/data/slapd-idassert.conf +++ b/tests/data/slapd-idassert.conf @@ -39,7 +39,7 @@ argsfile ./testrun/slapd.1.args authz-policy both authz-regexp "^uid=admin/([^,]+),.+" "ldap:///ou=Admin,dc=example,dc=com??sub?(cn=$1)" authz-regexp "^uid=it/([^,]+),.+" "ldap:///ou=People,dc=example,dc=it??sub?(uid=$1)" -authz-regexp "^uid=(us/)*([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)" +authz-regexp "^uid=(us/)?([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)" # # normal installations should protect root dse, diff --git a/tests/data/slapd-repl-slave.conf b/tests/data/slapd-repl-slave.conf index 90be98119b..a033232867 100644 --- a/tests/data/slapd-repl-slave.conf +++ b/tests/data/slapd-repl-slave.conf @@ -32,12 +32,16 @@ argsfile ./testrun/slapd.2.args #ldapyes#overlay chain #ldapyes#chain-uri @URI1@ -#ldapyes#chain-acl-authcDN "cn=Manager,dc=example,dc=com" -#ldapyes#chain-acl-passwd secret +#ldapyes#chain-idassert-method "simple" +#ldapyes#chain-idassert-authcDN "cn=Manager,dc=example,dc=com" +#ldapyes#chain-idassert-passwd secret +#ldapyes#chain-idassert-mode self #ldapmod#overlay chain #ldapmod#chain-uri @URI1@ -#ldapmod#chain-acl-authcDN "cn=Manager,dc=example,dc=com" -#ldapmod#chain-acl-passwd secret +#ldapmod#chain-idassert-method "simple" +#ldapmod#chain-idassert-authcDN "cn=Manager,dc=example,dc=com" +#ldapmod#chain-idassert-passwd secret +#ldapmod#chain-idassert-mode self ####################################################################### # database definitions diff --git a/tests/data/slapd-syncrepl-slave-refresh1.conf b/tests/data/slapd-syncrepl-slave-refresh1.conf index 8cb862d314..84fe5c2344 100644 --- a/tests/data/slapd-syncrepl-slave-refresh1.conf +++ b/tests/data/slapd-syncrepl-slave-refresh1.conf @@ -34,12 +34,16 @@ argsfile ./testrun/slapd.2.args #ldapyes#overlay chain #ldapyes#chain-uri @URI1@ -#ldapyes#chain-acl-authcDN "cn=Manager,dc=example,dc=com" -#ldapyes#chain-acl-passwd secret +#ldapyes#chain-idassert-method "simple" +#ldapyes#chain-idassert-authcDN "cn=Manager,dc=example,dc=com" +#ldapyes#chain-idassert-passwd secret +#ldapyes#chain-idassert-mode self #ldapmod#overlay chain #ldapmod#chain-uri @URI1@ -#ldapmod#chain-acl-authcDN "cn=Manager,dc=example,dc=com" -#ldapmod#chain-acl-passwd secret +#ldapmod#chain-idassert-method "simple" +#ldapmod#chain-idassert-authcDN "cn=Manager,dc=example,dc=com" +#ldapmod#chain-idassert-passwd secret +#ldapmod#chain-idassert-mode self ####################################################################### # consumer database definitions