From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Mon, 10 Nov 2008 23:07:07 +0000 (+0000)
Subject: More for ITS#5785
X-Git-Tag: OPENLDAP_REL_ENG_2_4_13~61
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=63d617a96471ebc4a6b064a573d3cdcc294054e5;p=openldap

More for ITS#5785
---

diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index d4b47c4354..8a7f8e8477 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -427,6 +427,12 @@ upon StartTLS operation receipt.
 .B tls_authc
 disallows the StartTLS operation if authenticated (see also
 .BR tls_2_anon ).
+.B proxy_authz_non_critical
+disables acceptance of the proxied authorization control (RFC4370)
+when criticality is FALSE.
+.B dontusecopy_non_critical
+disables acceptance of the dontUseCopy control (a work in progress)
+when criticality is FALSE.
 .HP
 .hy 0
 .B ditcontentrule "(\ <oid>\
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index aeba5c405d..974f2fd53f 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -2587,6 +2587,8 @@ config_disallows(ConfigArgs *c) {
 		{ BER_BVC("bind_simple"),	SLAP_DISALLOW_BIND_SIMPLE },
 		{ BER_BVC("tls_2_anon"),		SLAP_DISALLOW_TLS_2_ANON },
 		{ BER_BVC("tls_authc"),		SLAP_DISALLOW_TLS_AUTHC },
+		{ BER_BVC("proxy_authz_non_critical"),	SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT },
+		{ BER_BVC("dontusecopy_non_critical"),	SLAP_DISALLOW_DONTUSECOPY_N_CRIT },
 		{ BER_BVNULL, 0 }
 	};
 	if (c->op == SLAP_CONFIG_EMIT) {
diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index ee2a36742f..b812bf6b15 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -960,6 +960,13 @@ static int parseDontUseCopy (
 		return LDAP_PROTOCOL_ERROR;
 	}
 
+	if ( ( global_disallows & SLAP_DISALLOW_DONTUSECOPY_N_CRIT )
+		&& !ctrl->ldctl_iscritical )
+	{
+		rs->sr_text = "dontUseCopy criticality of FALSE not allowed";
+		return LDAP_PROTOCOL_ERROR;
+	}
+
 	op->o_dontUseCopy = ctrl->ldctl_iscritical
 		? SLAP_CONTROL_CRITICAL
 		: SLAP_CONTROL_NONCRITICAL;
@@ -1029,6 +1036,13 @@ static int parseProxyAuthz (
 		return LDAP_PROTOCOL_ERROR;
 	}
 
+	if ( ( global_disallows & SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT )
+		&& !ctrl->ldctl_iscritical )
+	{
+		rs->sr_text = "proxied authorization criticality of FALSE not allowed";
+		return LDAP_PROTOCOL_ERROR;
+	}
+
 	if ( !( global_allows & SLAP_ALLOW_PROXY_AUTHZ_ANON )
 		&& BER_BVISEMPTY( &op->o_ndn ) )
 	{
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index df29ec914d..d0d7c4e6d5 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1861,6 +1861,9 @@ struct BackendDB {
 #define SLAP_DISALLOW_TLS_2_ANON	0x0010U /* StartTLS -> Anonymous */
 #define SLAP_DISALLOW_TLS_AUTHC		0x0020U	/* TLS while authenticated */
 
+#define SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT	0x0100U
+#define SLAP_DISALLOW_DONTUSECOPY_N_CRIT	0x0200U
+
 #define SLAP_DISALLOW_AUX_WO_CR		0x4000U
 
 	slap_mask_t	be_requires;	/* pre-operation requirements */