From: Pierangelo Masarati
Date: Tue, 10 Jan 2006 02:05:54 +0000 (+0000)
Subject: refine fix to ITS#4320
X-Git-Tag: OPENLDAP_REL_ENG_2_4_BP~364
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=9bcb37b5c19bddb488560c9cc74232634871c41b;p=openldap

refine fix to ITS#4320
---

diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index dbad1a97d2..0a4de7b915 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -100,8 +100,11 @@ when DN is empty).
 .B bind_anon_dn
 allows unauthenticated (anonymous) bind when DN is not empty.
 .B update_anon
-allow unauthenticated (anonymous) update operations to be processed
+allows unauthenticated (anonymous) update operations to be processed
 (subject to access controls and other administrative limits).
+.B proxy_authz_anon
+allows unauthenticated (anonymous) proxy authorization control to be processed
+(subject to access controls, authorization and other administrative limits).
 .TP
 .B argsfile
 The ( absolute ) name of a file that will hold the
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 9392830613..1014ec7fed 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -1996,6 +1996,7 @@ config_allows(ConfigArgs *c) {
 	{ BER_BVC("bind_anon_cred"), SLAP_ALLOW_BIND_ANON_CRED },
 	{ BER_BVC("bind_anon_dn"), SLAP_ALLOW_BIND_ANON_DN },
 	{ BER_BVC("update_anon"), SLAP_ALLOW_UPDATE_ANON },
+	{ BER_BVC("proxy_authz_anon"), SLAP_ALLOW_PROXY_AUTHZ_ANON },
 	{ BER_BVNULL, 0 }
 };
 	if (c->op == SLAP_CONFIG_EMIT) {
diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index 0ed668bd80..1931dd14ae 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -877,6 +877,13 @@ static int parseProxyAuthz (
 		return LDAP_PROTOCOL_ERROR;
 	}
 
+	if ( !( global_allows & SLAP_ALLOW_PROXY_AUTHZ_ANON )
+		&& BER_BVISEMPTY( &op->o_ndn ) )
+	{
+		rs->sr_text = "anonymous proxyAuthz not allowed";
+		return LDAP_PROXY_AUTHZ_FAILURE;
+	}
+
 	op->o_proxy_authz = ctrl->ldctl_iscritical
 		? SLAP_CONTROL_CRITICAL
 		: SLAP_CONTROL_NONCRITICAL;
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index f2a37db1c0..6c18cb88bb 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1771,11 +1771,12 @@ struct slap_backend_db {
 	| SLAP_RESTRICT_OP_BIND \
 	| SLAP_RESTRICT_OP_EXTENDED )
 
-#define SLAP_ALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
+#define SLAP_ALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
 #define SLAP_ALLOW_BIND_ANON_CRED 0x0002U /* cred should be empty */
 #define SLAP_ALLOW_BIND_ANON_DN 0x0004U /* dn should be empty */
 #define SLAP_ALLOW_UPDATE_ANON 0x0008U /* allow anonymous updates */
+#define SLAP_ALLOW_PROXY_AUTHZ_ANON 0x0010U /* allow anonymous proxyAuthz */
 
 #define SLAP_DISALLOW_BIND_ANON 0x0001U /* no anonymous */
 #define SLAP_DISALLOW_BIND_SIMPLE 0x0002U /* simple authentication */
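Review bot: The new guard in parseProxyAuthz carries no comment saying why an anonymous session is refused the proxyAuthz control by default, and it detects "anonymous" by `BER_BVISEMPTY( &op->o_ndn )`, an idiom a reader of this function should not have to already know (presumably the same test the existing update_anon restriction relies on, but that code is not in this hunk). Suggest above the `if`: `/* An anonymous session may not assert a proxied identity unless "allow proxy_authz_anon" is configured; reject before the authzId is even decoded. */`. Rejecting before the authzId is parsed is the right order, since it keeps an unauthenticated client from exercising the authzId decoding and authorization-rule paths at all. Whether a parser returning an error for a non-critical control fails the whole operation or merely drops the control is decided by the caller that dispatches control parsers, outside this hunk; it is worth confirming the operation fails with LDAP_PROXY_AUTHZ_FAILURE, because silently dropping the control would let the request run as anonymous without the client learning that its requested identity was not applied. parseProxyAuthz starts before and ends after the hunk.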