From: Kurt Zeilenga Date: Wed, 7 Jul 1999 18:47:51 +0000 (+0000) Subject: Copy LDBM bind "ACL_AUTH" and SASL framework to bdb2. X-Git-Tag: OPENLDAP_REL_ENG_2_BP~184 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=b8edef2b2cc79d38d332c8561ce189e6895dc16d;p=openldap Copy LDBM bind "ACL_AUTH" and SASL framework to bdb2. --- diff --git a/servers/slapd/back-bdb2/bind.c b/servers/slapd/back-bdb2/bind.c index c2137fd0f9..db0cf7bf62 100644 --- a/servers/slapd/back-bdb2/bind.c +++ b/servers/slapd/back-bdb2/bind.c @@ -65,6 +65,7 @@ bdb2i_back_bind_internal( Operation *op, char *dn, int method, + char *mech, struct berval *cred, char** edn ) @@ -86,17 +87,33 @@ bdb2i_back_bind_internal( /* get entry with reader lock */ if ( (e = bdb2i_dn2entry_r( be, dn, &matched )) == NULL ) { /* allow noauth binds */ - if ( method == LDAP_AUTH_SIMPLE && cred->bv_len == 0 ) { - /* - * bind successful, but return 1 so we don't - * authorize based on noauth credentials - */ - send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL ); - rc = 1; - } else if ( be_isroot_pw( be, dn, cred ) ) { - /* front end will send result */ - *edn = ch_strdup( be_root_dn( be ) ); - rc = 0; + rc = 1; + if ( method == LDAP_AUTH_SIMPLE ) { + if( cred->bv_len == 0 ) { + /* SUCCESS */ + send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL ); + + } else if ( be_isroot_pw( be, dn, cred ) ) { + /* front end will send result */ + *edn = ch_strdup( be_root_dn( be ) ); + rc = 0; + + } else { + send_ldap_result( conn, op, + LDAP_NO_SUCH_OBJECT, matched, NULL ); + } + + } else if ( method == LDAP_AUTH_SASL ) { + if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") == 0 ) { + /* insert DIGEST calls here */ + send_ldap_result( conn, op, + LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL ); + + } else { + send_ldap_result( conn, op, + LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL ); + } + } else { send_ldap_result( conn, op, LDAP_NO_SUCH_OBJECT, matched, NULL ); rc = 1; 
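Review bot: The rewritten no-entry branch drops the comment that explained why an empty-credential simple bind leaves `rc = 1` and keeps only `/* SUCCESS */`, so the rule that the caller must not authorize on noauth credentials is now undocumented; keep `/* bind successful, but rc stays 1 so we don't authorize based on noauth credentials */` beside that `send_ldap_result`. Both arms of the new `LDAP_AUTH_SASL` branch send the same `LDAP_AUTH_METHOD_NOT_SUPPORTED` result, so the `strcasecmp(mech,"DIGEST-MD5") == 0` test selects nothing yet; a single `send_ldap_result` preceded by the `/* insert DIGEST calls here */` comment says the same thing without a dead branch, and the same applies to the matching hunk at -98 in back-ldbm/bind.c. The `rc = 1;` in the final `else` is redundant now that `rc = 1;` is set before the `if`. A simple bind with a non-empty password against a nonexistent DN answers `LDAP_NO_SUCH_OBJECT` together with `matched`, whereas a wrong password on an existing entry presumably answers `LDAP_INVALID_CREDENTIALS` further down, so the result code alone tells an unauthenticated client whether a DN exists; answering `LDAP_INVALID_CREDENTIALS` with no matched DN in both cases removes that distinction. bdb2i_back_bind_internal starts before this hunk and continues past it.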
@@ -111,6 +128,14 @@ bdb2i_back_bind_internal( /* check for deleted */ + if ( ! access_allowed( be, conn, op, e, + "entry", NULL, ACL_AUTH ) ) + { + send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" ); + rc = 1; + goto return_results; + } + switch ( method ) { case LDAP_AUTH_SIMPLE: if ( cred->bv_len == 0 ) { @@ -130,6 +155,14 @@ bdb2i_back_bind_internal( goto return_results; } + if ( ! access_allowed( be, conn, op, e, + "userpassword", NULL, ACL_AUTH ) ) + { + send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" ); + rc = 1; + goto return_results; + } + if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) { send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH, NULL, NULL ); @@ -155,11 +188,21 @@ bdb2i_back_bind_internal( if ( bdb2i_krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) { send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS, NULL, NULL ); - rc = 0; + rc = 1; goto return_results; } + + if ( ! access_allowed( be, conn, op, e, + "krbname", NULL, ACL_AUTH ) ) + { + send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" ); + rc = 1; + goto return_results; + } + sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "." : "", ad.pinst, ad.prealm ); + if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) { /* * no krbName values present: check against DN @@ -195,6 +238,9 @@ bdb2i_back_bind_internal( goto return_results; #endif + case LDAP_AUTH_SASL: + /* insert sasl code here */ + default: send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED, NULL, "auth method not supported" ); @@ -237,7 +283,7 @@ bdb2_back_bind( } - ret = bdb2i_back_bind_internal( be, conn, op, dn, method, cred, edn ); + ret = bdb2i_back_bind_internal( be, conn, op, dn, method, mech, cred, edn ); (void) bdb2i_leave_backend_r( lock ); diff --git a/servers/slapd/back-ldbm/bind.c b/servers/slapd/back-ldbm/bind.c index 270250bbb8..1821c9b4cc 100644 --- a/servers/slapd/back-ldbm/bind.c +++ b/servers/slapd/back-ldbm/bind.c 
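Review bot: The three new `access_allowed` checks (here at -111 on `entry`, at -130 on `userpassword`, at -155 on `krbname`, and at -193 in back-ldbm/bind.c) call `send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" )` with empty strings for matched and text, while every other result in this function passes `NULL`; use `send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, NULL, NULL );` so the encoding of the result is consistent. Sending `LDAP_INSUFFICIENT_ACCESS` before the method switch also confirms to an unauthenticated client that the bind DN exists, which is the same existence signal the no-entry path gives via `LDAP_NO_SUCH_OBJECT`; if that matters for this deployment, `LDAP_INVALID_CREDENTIALS` is the usual neutral answer for every bind failure. The function and the `switch` it guards continue outside this hunk, so the `return_results` label and the reader-lock release are not visible here.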
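Review bot: The `sprintf( krbname, "%s%s%s@%s", ... )` that the new `krbname` ACL check now sits in front of copies three principal components from the verified ticket into `krbname` with no length bound; `krbname` is declared outside this hunk so its size is not visible here, but if it is a local array, `snprintf( krbname, sizeof krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "." : "", ad.pinst, ad.prealm );` bounds the write, and the same line appears in the matching hunk at -193 in back-ldbm/bind.c. The change of `rc` from 0 to 1 after `LDAP_INVALID_CREDENTIALS` matches the convention visible in the no-entry path (`rc = 0; /* front end will send result */`) and deserves a one-line comment, e.g. `/* result already sent; rc 1 presumably keeps the front end from sending another */`. The Kerberos `case` block this belongs to opens and closes outside the hunk.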
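Review bot: The new `case LDAP_AUTH_SASL:` carries only `/* insert sasl code here */` and then falls into `default:` with no fallthrough marker, so it reads like an unfinished edit; add `/* FALLTHROUGH */` after the placeholder comment, and likewise in the matching hunk at -236 in back-ldbm/bind.c. Because `default:` answers `LDAP_STRONG_AUTH_NOT_SUPPORTED` with the text `"auth method not supported"` while the no-entry path at -86 answers a SASL bind with `LDAP_AUTH_METHOD_NOT_SUPPORTED`, the result code a client receives for an unsupported SASL mechanism depends on whether the bind DN exists; sending the same code in both places closes that gap. The enclosing `switch` and the function continue outside this hunk.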
@@ -98,16 +98,19 @@ ldbm_back_bind( rc = 0; /* front end will send result */ } else { - send_ldap_result( conn, op, LDAP_NO_SUCH_OBJECT, matched, NULL ); + send_ldap_result( conn, op, + LDAP_NO_SUCH_OBJECT, matched, NULL ); } } else if ( method == LDAP_AUTH_SASL ) { - if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") ) { + if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") == 0 ) { /* insert DIGEST calls here */ - send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH, NULL, NULL ); + send_ldap_result( conn, op, + LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL ); } else { - send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH, NULL, NULL ); + send_ldap_result( conn, op, + LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL ); } } else { @@ -193,13 +196,22 @@ ldbm_back_bind( if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) { send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS, NULL, NULL ); - rc = 0; + rc = 1; + goto return_results; + } + + if ( ! access_allowed( be, conn, op, e, + "krbname", NULL, ACL_AUTH ) ) + { + send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" ); + rc = 1; goto return_results; } sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "." : "", ad.pinst, ad.prealm ); + if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) { /* * no krbName values present: check against DN @@ -236,6 +248,9 @@ ldbm_back_bind( goto return_results; #endif + case LDAP_AUTH_SASL: + /* insert SASL code here */ + default: send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED, NULL, "auth method not supported" ); diff --git a/tests/data/slapd-bdb2-acl.conf b/tests/data/slapd-bdb2-acl.conf index 8560ffb347..4e0e9b9e2b 100644 --- a/tests/data/slapd-bdb2-acl.conf +++ b/tests/data/slapd-bdb2-acl.conf 
@@ -24,19 +24,26 @@ index cn,sn,uid pres,eq,approx index default none lastmod on defaultaccess none + access to attr=objectclass by * read -access to attr=userpassword + +access to filter="objectclass=person" attr=userpassword by self write - by * compare + by anonymous auth + by * none + access to dn=".*,ou=Alumni Association,ou=People,o=University of Michigan,c=US" - by dn=".*,o=University of Michigan,c=US" - read + by dn=".*,o=University of Michigan,c=US" read + by anonymous auth by * none + access to attr=member by dnattr=member selfwrite by * read + access to filter="objectclass=rfc822mailgroup" by dn="Bjorn Jensen,ou=Information Technology Division,ou=People,o=University of Michigan,c=US" write by * read + access to * by * read
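Review bot: Restricting the `userpassword` rule with `filter="objectclass=person"` means `userpassword` on any entry that is not an `objectclass=person` is no longer matched by it, and the trailing `access to * by * read` (already present) then grants read on that attribute to everyone; keep an unfiltered rule after the filtered one, e.g. `access to attr=userpassword by self write by anonymous auth by * none`, so the catch-all never reaches a password. The `by anonymous auth` entries are what the new ACL_AUTH checks in bind.c depend on, so a short comment above the first one, e.g. `# 'auth' is what bind needs on userpassword/krbname`, would tie this test config to the code it exercises.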