From: Pierangelo Masarati
Date: Tue, 16 Nov 2004 21:12:59 +0000 (+0000)
Subject: import fix to ITS#3396
X-Git-Tag: OPENLDAP_REL_ENG_2_2_19~14
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=f59cf6698755c2cb689a09c17d2134a267dafbdc;hp=79766910707979b7e8dce96980d37ccc12bd9799;p=openldap
import fix to ITS#3396
---
diff --git a/CHANGES b/CHANGES
index 7d3235eae7..85eb4d25fa 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,7 @@
 OpenLDAP 2.2 Change Log OpenLDAP 2.2.19 Engineering
+ Fixed slapd check for mandatory filter in authz-regexp URI (ITS#3396)
 Build Environment Updated BDB mismatch messages
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index 16decea045..b3342cf44c 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -669,7 +669,8 @@ The replaced SASL name can be either a DN or an LDAP URI. If the latter, the server will use the URI to search its own database(s) and, if the search returns exactly one entry, the SASL name is replaced by the DN of that entry. The LDAP URI must have no
-hostport, attrs, or extensions components, e.g.
+hostport, attrs, or extensions components, but the filter is mandatory,
+e.g.
 .RS
 .TP
 .B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index dfae18f99e..c42a7eb8a1 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -312,18 +312,27 @@ is_dn: bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
 }
 rc = ldap_url_parse( uri->bv_val, &ludp );
- if ( rc == LDAP_URL_ERR_BADSCHEME ) {
+ switch ( rc ) {
+ case LDAP_URL_SUCCESS:
+ if ( strcasecmp( ludp->lud_scheme, "ldap" ) != 0 ) {
+ /*
+ * must be ldap:///
+ */
+ return LDAP_PROTOCOL_ERROR;
+ }
+ break;
+
+ case LDAP_URL_ERR_BADSCHEME:
 /* last chance: assume it's a(n exact) DN ... */
 bv.bv_val = uri->bv_val;
 *scope = LDAP_X_SCOPE_EXACT;
 goto is_dn;
- }
- if ( rc != LDAP_URL_SUCCESS ) {
+ default:
 return LDAP_PROTOCOL_ERROR;
 }
- if (( ludp->lud_host && *ludp->lud_host )
+ if ( ( ludp->lud_host && *ludp->lud_host )
 || ludp->lud_attrs || ludp->lud_exts ) {
 /* host part must be empty */
@@ -923,7 +932,13 @@ void slap_sasl2dn( Operation *opx,
 op.o_req_ndn.bv_val, op.oq_search.rs_scope, 0 );
 #endif
- if(( op.o_bd == NULL ) || ( op.o_bd->be_search == NULL)) {
+ if ( ( op.o_bd == NULL ) || ( op.o_bd->be_search == NULL) ) {
+ goto FINISHED;
+ }
+
+ /* Must run an internal search. */
+ if ( op.ors_filter == NULL ) {
+ rc = LDAP_FILTER_ERROR;
 goto FINISHED;
 }
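Review bot: The scheme check added under `case LDAP_URL_SUCCESS:` returns `LDAP_PROTOCOL_ERROR` without releasing `ludp`, which `ldap_url_parse()` has just filled in on success, so every authz URI that parses but is not `ldap` leaks a URL descriptor. Add `ldap_free_urldesc( ludp );` before that `return`, or send the error through the function's existing cleanup path; the function starts and ends outside this hunk, so that path is not visible here. The host/attrs/exts rejection just below the switch is worth checking for the same omission, since only its first lines are shown.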
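Review bot: The new `op.ors_filter == NULL` branch makes the mapping fail without any trace, and its comment `/* Must run an internal search. */` does not say what is being rejected. A comment such as `/* authz-regexp URI carried no filter (mandatory, ITS#3396): fail the mapping instead of searching */` would record the reason, and a trace message in the style of what looks like the logging call ending just above would let an administrator tell a misconfigured mapping from an unknown user. The guard before it still jumps to `FINISHED` without assigning `rc`, while this one sets `LDAP_FILTER_ERROR`; how `rc` is used after the label is outside the hunk, so whether that difference matters cannot be confirmed here. The check also sits in this caller rather than in the URI parser, so any other caller of the parser would need its own guard.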