From: Pierangelo Masarati
Date: Thu, 13 Aug 2009 19:30:37 +0000 (+0000)
Subject: honor per-target tls/chase referrals/rebind as user (ITS#6190)
X-Git-Tag: ACLCHECK_0~343
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=efabe1d279c8a541f3b9dd9fc8c62446a1ab2810;p=openldap
honor per-target tls/chase referrals/rebind as user (ITS#6190)
---
diff --git a/servers/slapd/back-meta/back-meta.h b/servers/slapd/back-meta/back-meta.h
index 3c0395200e..898b6f2c77 100644
--- a/servers/slapd/back-meta/back-meta.h
+++ b/servers/slapd/back-meta/back-meta.h
@@ -301,6 +301,14 @@ typedef struct metatarget_t {
 #define META_BACK_TGT_ISSET(mt,f) ( ( (mt)->mt_flags & (f) ) == (f) )
 #define META_BACK_TGT_ISMASK(mt,m,f) ( ( (mt)->mt_flags & (m) ) == (f) )
+#define META_BACK_TGT_SAVECRED(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_SAVECRED )
+
+#define META_BACK_TGT_USE_TLS(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_USE_TLS )
+#define META_BACK_TGT_PROPAGATE_TLS(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_PROPAGATE_TLS )
+#define META_BACK_TGT_TLS_CRITICAL(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_TLS_CRITICAL )
+
+#define META_BACK_TGT_CHASE_REFERRALS(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_CHASE_REFERRALS )
+
 #define META_BACK_TGT_T_F(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_T_F_MASK, LDAP_BACK_F_T_F )
 #define META_BACK_TGT_T_F_DISCOVER(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_T_F_MASK2, LDAP_BACK_F_T_F_DISCOVER )
diff --git a/servers/slapd/back-meta/bind.c b/servers/slapd/back-meta/bind.c
index 3b3f520736..9c97290252 100644
--- a/servers/slapd/back-meta/bind.c
+++ b/servers/slapd/back-meta/bind.c
@@ -538,7 +538,7 @@ meta_back_single_bind(
 LDAP_BACK_CONN_ISBOUND_SET( msc );
 mc->mc_authz_target = candidate;
- if ( LDAP_BACK_SAVECRED( mi ) ) {
+ if ( META_BACK_TGT_SAVECRED( mt ) ) {
 if ( !BER_BVISNULL( &msc->msc_cred ) ) {
 memset( msc->msc_cred.bv_val, 0, msc->msc_cred.bv_len );
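Review bot: The new `META_BACK_TGT_*` macros read only `mt_flags`, so every call site switched to them in this commit (bind.c, conn.c, search.c) stops consulting the database-wide `mi_flags`; that is only correct if each target's `mt_flags` is seeded from `mi_flags` when the target is created, which this diff does not show, and if it is not, a global `rebind-as-user`, `tls` or `chase-referrals` placed before the first `uri` is silently ignored per target. That precondition deserves a comment on the new macro group, e.g. `/* per-target view of the LDAP_BACK_F_* flags; a global directive applies only through the copy of mi_flags made at target creation */` (drop the second clause if no such copy exists). `struct metatarget_t` continues outside the hunk.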
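Review bot: The new test keys credential retention off `mt`, which this hunk does not show being assigned; for the flag to mean anything `mt` must be the target `msc` was drawn from (presumably `mi->mi_targets[ candidate ]`, given the `mc->mc_authz_target = candidate` two lines above), and since `msc_cred` holds the bind credential that the `memset` below deliberately zeroes, that coupling is worth stating at the test, e.g. `/* per-target "rebind-as-user": retain the bind cred on this target's msc for referral rebinds */`. The same substitution is made in `meta_back_proxy_authz_bind` (@@ -1539) and in `meta_search_dobind_init` (search.c @@ -199), where the same comment applies. `meta_back_single_bind` starts and ends outside the hunk.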
@@ -1539,7 +1539,7 @@ meta_back_proxy_authz_bind( metaconn_t *mc, int candidate, Operation *op, SlapRe
 LDAP_BACK_CONN_ISBOUND_SET( msc );
 ber_bvreplace( &msc->msc_bound_ndn, &binddn );
- if ( LDAP_BACK_SAVECRED( mi ) ) {
+ if ( META_BACK_TGT_SAVECRED( mt ) ) {
 if ( !BER_BVISNULL( &msc->msc_cred ) ) {
 memset( msc->msc_cred.bv_val, 0, msc->msc_cred.bv_len );
diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c
index eb62e26759..de6114dffa 100644
--- a/servers/slapd/back-meta/config.c
+++ b/servers/slapd/back-meta/config.c
@@ -640,6 +640,10 @@ meta_back_db_config(
 /* save bind creds for referral rebinds? */
 } else if ( strcasecmp( argv[ 0 ], "rebind-as-user" ) == 0 ) {
+ unsigned *flagsp = mi->mi_ntargets ?
+ &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
+ : &mi->mi_flags;
+
 if ( argc > 2 ) {
 Debug( LDAP_DEBUG_ANY,
 "%s: line %d: \"rebind-as-user {NO|yes}\" takes 1 argument.\n",
@@ -651,16 +655,16 @@ meta_back_db_config(
 Debug( LDAP_DEBUG_ANY,
 "%s: line %d: deprecated use of \"rebind-as-user {FALSE|true}\" with no arguments.\n",
 fname, lineno, 0 );
- mi->mi_flags |= LDAP_BACK_F_SAVECRED;
+ *flagsp |= LDAP_BACK_F_SAVECRED;
 } else {
 switch ( check_true_false( argv[ 1 ] ) ) {
 case 0:
- mi->mi_flags &= ~LDAP_BACK_F_SAVECRED;
+ *flagsp &= ~LDAP_BACK_F_SAVECRED;
 break;
 case 1:
- mi->mi_flags |= LDAP_BACK_F_SAVECRED;
+ *flagsp |= LDAP_BACK_F_SAVECRED;
 break;
 default:
diff --git a/servers/slapd/back-meta/conn.c b/servers/slapd/back-meta/conn.c
index be59cd3ea8..09f918956b 100644
--- a/servers/slapd/back-meta/conn.c
+++ b/servers/slapd/back-meta/conn.c
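Review bot: `flagsp` makes the scope of `rebind-as-user` depend on its position in the file: once any `uri` has been seen it affects only the most recent target instead of the whole database, which changes the meaning of existing slapd.conf files that happened to place the directive after a `uri` line, and nothing in the hunk records that rule. A comment at the declaration would, e.g. `/* scope: whole database before the first "uri", the most recent target after it */`, and slapd-meta(5) should say the same, since this flag decides on which targets the user's bind credential is retained for referral rebinds. The second hunk (@@ -651) only substitutes `*flagsp` for `mi->mi_flags` and needs nothing further; `meta_back_db_config` starts and ends outside both hunks.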
@@ -418,13 +418,13 @@ retry_lock:;
 /* automatically chase referrals ("chase-referrals [{yes|no}]" statement) */
 ldap_set_option( msc->msc_ld, LDAP_OPT_REFERRALS,
- LDAP_BACK_CHASE_REFERRALS( mi ) ? LDAP_OPT_ON : LDAP_OPT_OFF );
+ META_BACK_TGT_CHASE_REFERRALS( mt ) ? LDAP_OPT_ON : LDAP_OPT_OFF );
 #ifdef HAVE_TLS
 /* start TLS ("tls [try-]{start|propagate}" statement) */
- if ( ( LDAP_BACK_USE_TLS( mi )
+ if ( ( META_BACK_TGT_USE_TLS( mt )
 || ( op->o_conn->c_is_tls
- && LDAP_BACK_PROPAGATE_TLS( mi ) ) )
+ && META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
 && !is_ldaps )
 {
 #ifdef SLAP_STARTTLS_ASYNCHRONOUS
@@ -526,7 +526,7 @@ retry:;
 * overlay, where the "uri" can be parsed out of a referral */
 if ( rs->sr_err == LDAP_SERVER_DOWN
 || ( rs->sr_err != LDAP_SUCCESS
- && LDAP_BACK_TLS_CRITICAL( mi ) ) )
+ && META_BACK_TGT_TLS_CRITICAL( mt ) ) )
 {
 #ifdef DEBUG_205
diff --git a/servers/slapd/back-meta/search.c b/servers/slapd/back-meta/search.c
index 171221421d..c729ea2922 100644
--- a/servers/slapd/back-meta/search.c
+++ b/servers/slapd/back-meta/search.c
@@ -199,7 +199,7 @@ meta_search_dobind_init(
 * because the connection is not shared until bind is over */
 if ( !BER_BVISNULL( &binddn ) ) {
 ber_bvreplace( &msc->msc_bound_ndn, &binddn );
- if ( LDAP_BACK_SAVECRED( mi ) && !BER_BVISNULL( &cred ) ) {
+ if ( META_BACK_TGT_SAVECRED( mt ) && !BER_BVISNULL( &cred ) ) {
 if ( !BER_BVISNULL( &msc->msc_cred ) ) {
 memset( msc->msc_cred.bv_val, 0, msc->msc_cred.bv_len );
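Review bot: Whether referrals are chased and whether StartTLS is attempted now depend on `mt`, but the two comments above the changed lines still describe `chase-referrals` and `tls` as plain statements, leaving the reader to discover that each target can differ; `/* automatically chase referrals (per-target "chase-referrals [{yes|no}]" statement) */` and `/* start TLS (per-target "tls [try-]{start|propagate}" statement) */` would keep them accurate. The `tls critical` test in the second hunk (@@ -526) has the same gap: with the flag now per target, a note next to the condition that only a target configured critical rejects a failed StartTLS, while the others presumably continue on the unprotected connection as before, would make the per-target security consequence visible (hedged, since the non-critical path is outside the hunk). The enclosing function is not named in either hunk header (only the `retry_lock:` and `retry:` labels are) and starts and ends outside both hunks.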