From: Pierangelo Masarati
Date: Fri, 23 Jul 2004 00:11:05 +0000 (+0000)
Subject: assert administrative identity instead of the required one if doing auth check in...
X-Git-Tag: OPENDLAP_REL_ENG_2_2_MP~31
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=a7b55f4f44e406dc9ea1d0301851e11dbf6c2ed9;p=openldap
assert administrative identity instead of the required one if doing auth check in non-caching mode
---
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 5d21a3c581..ccfdedc484 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -143,7 +143,7 @@ ldap_back_conn_cmp(
 int rc;
 /* If local DNs don't match, it is definitely not a match */
- if ( ( rc = ber_bvcmp( &lc1->local_dn, &lc2->local_dn )) )
+ if ( ( rc = ber_bvcmp( &lc1->local_dn, &lc2->local_dn ) ) )
 return rc;
 /* For shared sessions, conn is NULL. Only explicitly
@@ -226,17 +226,16 @@ ldap_back_freeconn( Operation *op, struct ldapconn *lc )
 struct ldapconn *
 ldap_back_getconn(Operation *op, SlapReply *rs)
 {
- struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
- struct ldapconn *lc, lc_curr;
- LDAP *ld;
- int is_priv = 0;
+ struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
+ struct ldapconn *lc, lc_curr;
+ LDAP *ld;
+ int is_priv = 0;
 /* Searches for a ldapconn in the avl tree */
 /* Explicit binds must not be shared */
 if ( op->o_tag == LDAP_REQ_BIND
- || (op->o_conn
- && (op->o_bd == op->o_conn->c_authz_backend ))) {
+ || ( op->o_conn && op->o_bd == op->o_conn->c_authz_backend ) ) {
 lc_curr.conn = op->o_conn;
 } else {
@@ -463,7 +462,9 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 int freeauthz = 0;
 /* if SASL supports native authz, prepare for it */
- if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {
+ if ( ( !op->o_do_not_cache || !op->o_is_auth_check ) &&
+ ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) )
+ {
 switch ( li->idassert_mode ) {
 case LDAP_BACK_IDASSERT_OTHERID:
 case LDAP_BACK_IDASSERT_OTHERDN:
@@ -753,7 +754,8 @@ ldap_back_proxy_authz_ctrl(
 {
 struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
 LDAPControl **ctrls = NULL;
- int i = 0;
+ int i = 0,
+ mode;
 struct berval assertedID;
 *pctrls = NULL;
@@ -845,7 +847,14 @@ ldap_back_proxy_authz_ctrl(
 rs->sr_text = "proxyAuthz not allowed within namingContext";
 }
- switch ( li->idassert_mode ) {
+ if ( op->o_do_not_cache && op->o_is_auth_check ) {
+ mode = LDAP_BACK_IDASSERT_NOASSERT;
+
+ } else {
+ mode = li->idassert_mode;
+ }
+
+ switch ( mode ) {
 case LDAP_BACK_IDASSERT_LEGACY:
 case LDAP_BACK_IDASSERT_SELF:
 /* original behavior:
diff --git a/tests/data/slapd-ldapgluepeople.conf b/tests/data/slapd-ldapgluepeople.conf
index 879a9d16d4..818b65e015 100644
--- a/tests/data/slapd-ldapgluepeople.conf
+++ b/tests/data/slapd-ldapgluepeople.conf
@@ -41,6 +41,7 @@ authz-regexp "^uid=([^,]+),.*" "uid=$1,ou=People,dc=example,dc=com"
 #
 access to attr=userpassword
+ by dn.exact="uid=proxy,ou=People,dc=example,dc=com" read
 by self =wx
 by anonymous =x
diff --git a/tests/scripts/test029-ldapglue b/tests/scripts/test029-ldapglue
index 1f8201ff8b..50051cda97 100755
--- a/tests/scripts/test029-ldapglue
+++ b/tests/scripts/test029-ldapglue
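Review bot: The predicate that switches off identity assertion for a non-cached auth check is spelled twice with nothing tying the two together — negated as `( !op->o_do_not_cache || !op->o_is_auth_check )` in the ldap_back_dobind condition here, and positively as `op->o_do_not_cache && op->o_is_auth_check` in the -845 hunk of ldap_back_proxy_authz_ctrl. If one is later edited without the other, dobind could prepare a native SASL authzID for an operation that proxy_authz_ctrl has decided to send with `LDAP_BACK_IDASSERT_NOASSERT`, or the reverse, and the identity reaching the remote server would silently differ from what this commit intends. I would give the predicate a single name beside the existing LDAP_BACK_* flags, e.g. `#define LDAP_BACK_IS_ADMIN_AUTH_CHECK(op) ((op)->o_do_not_cache && (op)->o_is_auth_check)`, and use it in both places. The rationale also belongs in a comment at the first use, e.g. `/* auth checks in non-caching mode bind as the administrative identity: nothing to assert */`. Both enclosing functions begin and end outside their hunks.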
@@ -185,33 +185,33 @@ if test $? != 0 ; then
 fi
 # FIXME: this cannot work as is, because SASL bind cannot be proxied!
-#if test $USE_SASL != "no" ; then
-# ID="bjorn"
-# BASE="dc=example,dc=com"
-# echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
-# $LDAPSASLSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
-# -Q -U "$ID" -w bjorn -Y $MECH > $SEARCHOUT 2>&1
-#
-# RC=$?
-# if test $RC != 0 ; then
-# echo "ldapsearch failed ($RC)!"
-# test $KILLSERVERS != no && kill -HUP $KILLPIDS
-# exit $RC
-# fi
-#
-# echo "Filtering ldapsearch results..."
-# . $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
-# echo "Filtering original ldif used to create database..."
-# . $LDIFFILTER < $LDAPGLUEOUT > $LDIFFLT
-# echo "Comparing filter output..."
-# $CMP $SEARCHFLT $LDIFFLT > $CMPOUT
-#
-# if test $? != 0 ; then
-# echo "comparison failed - glued search with SASL bind and identity assertion didn't succeed"
-# test $KILLSERVERS != no && kill -HUP $KILLPIDS
-# exit 1
-# fi
-#fi
+if test $USE_SASL != "no" ; then
+ ID="bjorn"
+ BASE="dc=example,dc=com"
+ echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
+ $LDAPSASLSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
+ -Q -U "$ID" -w bjorn -Y $MECH > $SEARCHOUT 2>&1
+
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ echo "Filtering ldapsearch results..."
+ . $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+ echo "Filtering original ldif used to create database..."
+ . $LDIFFILTER < $LDAPGLUEOUT > $LDIFFLT
+ echo "Comparing filter output..."
+ $CMP $SEARCHFLT $LDIFFLT > $CMPOUT
+
+ if test $? != 0 ; then
+ echo "comparison failed - glued search with SASL bind and identity assertion didn't succeed"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+ fi
+fi
 test $KILLSERVERS != no && kill -HUP $KILLPIDS
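Review bot: The context line `# FIXME: this cannot work as is, because SASL bind cannot be proxied!` is left in place directly above the block this hunk re-enables, so the script now states that the test cannot work and then runs it. Since that line is unchanged context it needs its own edit: either delete it, or replace it with a comment describing what makes the path valid now, e.g. `# SASL bind with identity assertion: the auth check is performed as the administrative identity`. Without that, the next reader has only the failure message `comparison failed - glued search with SASL bind and identity assertion didn't succeed` to tell them this block is intentional rather than accidentally uncommented.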