From 073f14ceac874af50755d814b4d7dc9f1a00bd74 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Tue, 16 May 2006 02:56:59 +0000
Subject: [PATCH] lc_bound_ndn is occasionally saved to keep track of who bound; don't use it to bind unless credentials are present as well
---
 servers/slapd/back-ldap/bind.c | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 66349e6d26..44d621d45c 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -657,15 +657,11 @@ retry_lock:
 } else {
 BER_BVZERO( &lc->lc_cred );
 BER_BVZERO( &lc->lc_bound_ndn );
-#if 0
- /* FIXME: if we set lc_bound_ndn = o_ndn * we end up with a bind with DN but no password! */
 if ( !BER_BVISEMPTY( &op->o_ndn )
 && SLAP_IS_AUTHZ_BACKEND( op ) )
 {
 ber_dupbv( &lc->lc_bound_ndn, &op->o_ndn );
 }
-#endif
 }
 
 #ifdef HAVE_TLS
@@ -917,9 +913,9 @@ retry_lock:;
 * It allows to use SASL bind and yet proxyAuthz users
 */
 if ( op->o_conn != NULL &&
- !op->o_do_not_cache &&
- ( BER_BVISNULL( &lc->lc_bound_ndn ) ||
- ( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) )
+ !op->o_do_not_cache &&
+ ( BER_BVISNULL( &lc->lc_bound_ndn ) ||
+ ( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) )
 {
 (void)ldap_back_proxy_authz_bind( lc, op, rs, sendok );
 goto done;
@@ -972,7 +968,7 @@ retry_lock:;
 
 retry:;
 rs->sr_err = ldap_sasl_bind( lc->lc_ld,
- lc->lc_bound_ndn.bv_val,
+ BER_BVISNULL( &lc->lc_cred ) ? "" : lc->lc_bound_ndn.bv_val,
 LDAP_SASL_SIMPLE, &lc->lc_cred,
 NULL, NULL, &msgid );
 
@@ -1078,7 +1074,8 @@ ldap_back_default_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request,
 
 /* FIXME: add checks on the URL/identity? */
 
- return ldap_sasl_bind_s( ld, lc->lc_bound_ndn.bv_val,
+ return ldap_sasl_bind_s( ld,
+ BER_BVISNULL( &lc->lc_cred ) ? "" : lc->lc_bound_ndn.bv_val,
 LDAP_SASL_SIMPLE, &lc->lc_cred,
 NULL, NULL, NULL );
 }
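Review bot: The re-enabled `ber_dupbv( &lc->lc_bound_ndn, &op->o_ndn )` gives lc_bound_ndn two meanings — the DN that was actually bound when lc_cred is set, and a bare record of the authorized identity when lc_cred is still zeroed by the `BER_BVZERO` two lines above — and the only thing that keeps the second case from turning into a password-less bind is the `BER_BVISNULL( &lc->lc_cred )` ternary added in the 968 and 1074 hunks; nothing at this site says so now that the FIXME went away with the `#if 0`. A comment on the `if` should carry that contract, e.g. `/* record the authorized identity only: lc_cred stays NULL, so this DN must not be presented in a bind unless lc_cred is checked first (see the ldap_sasl_bind callers) */`. The same field is tested with `BER_BVISNULL( &lc->lc_bound_ndn )` in the 913 hunk to decide whether ldap_back_proxy_authz_bind is attempted, so once o_ndn is stored here that path presumably runs for authorized operations only under LDAP_BACK_AUTH_OVERRIDE — if that is the intent it deserves a sentence in the same comment. The enclosing function starts and ends outside this hunk.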
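Review bot: The guard `BER_BVISNULL( &lc->lc_cred ) ? "" : lc->lc_bound_ndn.bv_val` in the 968 hunk only catches a NULL bv_val; a zero-length but non-NULL lc_cred would still present the DN with an empty password, which is an unauthenticated simple bind (RFC 4513 §5.1.2) that the remote server may map to anonymous or reject outright, so the stricter test is `BER_BVISEMPTY( &lc->lc_cred ) ? "" : lc->lc_bound_ndn.bv_val,` (bv_len is 0 after BER_BVZERO, so the NULL case is still covered). The identical expression is repeated in ldap_back_default_rebind in the 1074 hunk and should change the same way; a one-line static helper returning the DN to present would keep the two sites from drifting. Whether any path actually leaves lc_cred empty-but-non-NULL is not visible here and is worth confirming in ldap_back_bind. The function owning the first site starts and ends outside the hunk.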
@@ -1493,13 +1490,14 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_b
 
 switch ( li->li_idassert_authmethod ) {
 case LDAP_AUTH_NONE:
- LDAP_BACK_CONN_ISBOUND_SET( lc );
- goto done;
+ rc = LDAP_SUCCESS;
+ break;
 
 case LDAP_AUTH_SIMPLE:
 rs->sr_err = ldap_sasl_bind( lc->lc_ld,
 binddn.bv_val, LDAP_SASL_SIMPLE,
 &bindcred, NULL, NULL, &msgid );
+ rc = ldap_back_op_result( lc, op, rs, msgid, 0, sendok );
 break;
 
 default:
@@ -1512,7 +1510,6 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_b
 goto done;
 }
 
- rc = ldap_back_op_result( lc, op, rs, msgid, 0, sendok );
 if ( rc == LDAP_SUCCESS ) {
 /* set rebind stuff in case of successful proxyAuthz bind,
 * so that referral chasing is attempted using the right
-- 
2.39.5
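Review bot: With `rc = LDAP_SUCCESS; break;` the LDAP_AUTH_NONE case now falls into the `if ( rc == LDAP_SUCCESS )` block shown in the 1510 hunk, whose comment says it sets rebind state "in case of successful proxyAuthz bind", although no bind is sent on this path; the previous `LDAP_BACK_CONN_ISBOUND_SET( lc ); goto done;` skipped that block. If that block records binddn as the connection's identity or installs the rebind callback, a later referral chase would presumably reassert an identity that was never bound — either that is intended and the case deserves a comment such as `/* no identity assertion: report success so the connection is treated as (anonymously) bound and the rebind bookkeeping below runs */`, or the case should keep `goto done` after setting rc. Moving `rc = ldap_back_op_result(...)` into the LDAP_AUTH_SIMPLE case also leaves rc unassigned on any other branch that reaches the post-switch code without a goto; the visible `goto done; }` before the removed line suggests default does not, but the hunk cannot confirm it. ldap_back_proxy_authz_bind continues outside the hunk on both sides.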