From: Kurt Zeilenga
Date: Mon, 1 Dec 2003 21:49:52 +0000 (+0000)
Subject: Don't search for proxy authz control unnecessarily.
X-Git-Tag: OPENLDAP_REL_ENG_2_1_MP~303
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=ed369e02af625a5e16b5cc858454f63cd37b9684;p=openldap
Don't search for proxy authz control unnecessarily.
Add note regarding control use with the Bind operation.
---
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 483f0771f5..5a7f133430 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -413,8 +413,6 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 #ifdef LDAP_BACK_PROXY_AUTHZ
 int gotit = 0;
 #if 0
- int i;
-
 /*
 * FIXME: we need to let clients use proxyAuthz
 * otherwise we cannot do symmetric pools of servers;
@@ -422,12 +420,12 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 * authorize itself as any ID that is allowed
 * by the saslAuthzTo directive of the "binddn".
 */
- for ( i = 0; op->o_ctrls && op->o_ctrls[ i ]; i++ ) {
- if ( strcmp( op->o_ctrls[i]->ldctl_oid, LDAP_CONTROL_PROXY_AUTHZ ) == 0 ) {
- gotit = 1;
- break;
- }
- }
+ /*
+ * NOTE: current Proxy Authorization specification
+ * and implementation do not allow proxy authorization
+ * control to be provided with Bind requests
+ */
+ gotit = op->o_proxy_authz;
 #endif /*
@@ -627,18 +625,9 @@ ldap_back_proxy_authz_ctrl( if ( ( lc->bound_dn.bv_val == NULL || lc->bound_dn.bv_len == 0 ) && ( op->o_conn && op->o_conn->c_dn.bv_val != NULL && op->o_conn->c_dn.bv_len != 0 ) && ( li->binddn.bv_val != NULL && li->binddn.bv_len != 0 ) ) { - int i = 0, gotit = 0; - - if ( op->o_ctrls ) { - for ( i = 0; op->o_ctrls[i]; i++ ) { - if ( strcmp( op->o_ctrls[i]->ldctl_oid, LDAP_CONTROL_PROXY_AUTHZ ) == 0 ) { - gotit = 1; - break; - } - } - } + int i = 0; - if ( ! gotit ) { + if ( !op->o_proxy_authz ) { ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) ); ctrls[ 0 ] = ch_malloc( sizeof( LDAPControl ) );
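Review bot: With the search loop removed, `i` is always 0 when `ctrls` is allocated, so `sizeof( LDAPControl * ) * (i + 2)` reserves two pointer slots no matter how many controls the request carries; the removed loop left `i` at the number of entries in `op->o_ctrls` whenever no proxy-authz control was found. The rest of the `if ( !op->o_proxy_authz )` body lies outside the hunk, so this is inferred: if it still appends the client's controls after `ctrls[ 0 ]`, a request carrying any other control would write past the end of the array on the heap. Counting the controls directly above the `ch_malloc` call keeps the sizing independent of the search, e.g. `if ( op->o_ctrls ) { for ( i = 0; op->o_ctrls[ i ]; i++ ) ; }`. A one-line comment on `int i = 0;` stating that it holds the count of client controls to copy would also make the `(i + 2)` sizing self-explanatory.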