From: Pierangelo Masarati Date: Sat, 19 Jun 2004 18:18:26 +0000 (+0000) Subject: allow a hidden parameter to instruct the proxy that the SASL mech can do native authz... X-Git-Tag: OPENDLAP_REL_ENG_2_2_MP~222 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=f34b11760a6568060bbda7ca2bf595126aeefa9a;p=openldap allow a hidden parameter to instruct the proxy that the SASL mech can do native authz; will disappear as soon as I can detect it automnatically --- diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h index 2161a8a13f..631e4d0af1 100644 --- a/servers/slapd/back-ldap/back-ldap.h +++ b/servers/slapd/back-ldap/back-ldap.h @@ -93,6 +93,16 @@ struct ldapauth { int la_sasl_flags; struct berval la_sasl_mech; struct berval la_sasl_realm; + +/* FIXME: required until I find a nice way to determine + * whether a SASL mechanism is able to authz natively */ +#define LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ + +#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ +#define LDAP_BACK_AUTH_NONE 0x00 +#define LDAP_BACK_AUTH_NATIVE_AUTHZ 0x01 + int la_flags; +#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */ }; struct ldapinfo { @@ -121,6 +131,7 @@ struct ldapinfo { #define idassert_sasl_flags idassert_la.la_sasl_flags #define idassert_sasl_mech idassert_la.la_sasl_mech #define idassert_sasl_realm idassert_la.la_sasl_realm +#define idassert_flags idassert_la.la_flags BerVarray idassert_authz; int idassert_ppolicy; diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c index 028f4d3aa1..15361d60a1 100644 --- a/servers/slapd/back-ldap/bind.c +++ b/servers/slapd/back-ldap/bind.c @@ -448,28 +448,35 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs ) struct berval authzID = BER_BVNULL; int freeauthz = 0; - switch ( li->idassert_mode ) { - case LDAP_BACK_IDASSERT_OTHERID: - case LDAP_BACK_IDASSERT_OTHERDN: - authzID = li->idassert_authzID; - break; - - case LDAP_BACK_IDASSERT_ANONYMOUS: - BER_BVSTR( &authzID, "dn:" ); - break; - - case LDAP_BACK_IDASSERT_SELF: - authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_dn.bv_len; - authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx ); - AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) ); - AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ), - op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len + 1 ); - freeauthz = 1; - break; - - default: - break; +#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ + /* if SASL supports native authz, prepare for it */ + if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) { +#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */ + switch ( li->idassert_mode ) { + case LDAP_BACK_IDASSERT_OTHERID: + case LDAP_BACK_IDASSERT_OTHERDN: + authzID = li->idassert_authzID; + break; + + case LDAP_BACK_IDASSERT_ANONYMOUS: + BER_BVSTR( &authzID, "dn:" ); + break; + + case LDAP_BACK_IDASSERT_SELF: + authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_dn.bv_len; + authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx ); + AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) ); + AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ), + op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len + 1 ); + freeauthz = 1; + break; + + default: + break; + } +#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ } +#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */ #if 0 /* will deal with this later... */ if ( sasl_secprops != NULL ) { @@ -777,8 +784,14 @@ ldap_back_proxy_authz_ctrl( } } else if ( li->idassert_authmethod == LDAP_AUTH_SASL ) { - /* already asserted in SASL */ - goto done; +#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ + if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) { +#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */ + /* already asserted in SASL via native authz */ + goto done; +#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ + } +#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */ } else if ( li->idassert_authz ) { int rc; diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c index 1b2da1c400..806516053b 100644 --- a/servers/slapd/back-ldap/config.c +++ b/servers/slapd/back-ldap/config.c @@ -904,6 +904,21 @@ parse_idassert( } ber_str2bv( val, 0, 1, &li->idassert_passwd ); +#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ + } else if ( strncasecmp( argv[arg], "authz=", STRLENOF( "authz=" ) ) == 0 ) { + char *val = argv[arg] + STRLENOF( "authz=" ); + + if ( strcasecmp( val, "native" ) == 0 ) { + li->idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ; + + } else { + fprintf( stderr, "%s: line %s: " + "unknown SASL flag \"%s\"\n", + fname, lineno, val ); + return 1; + } +#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */ + } else { fprintf( stderr, "%s: line %d: " "unknown SASL parameter %s\n", diff --git a/servers/slapd/back-ldap/init.c b/servers/slapd/back-ldap/init.c index e274baf890..028ff3c2fd 100644 --- a/servers/slapd/back-ldap/init.c +++ b/servers/slapd/back-ldap/init.c @@ -117,6 +117,10 @@ ldap_back_db_init( BER_BVZERO( &li->idassert_sasl_realm ); li->idassert_ppolicy = 0; + +#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ + li->idassert_flags = LDAP_BACK_AUTH_NONE; +#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */ #endif /* LDAP_BACK_PROXY_AUTHZ */ #ifdef ENABLE_REWRITE