From 184fc4878ac32b671eba8441947371fca7fba017 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Tue, 16 Nov 2004 18:57:40 +0000 Subject: [PATCH] more on ITS#3396: note that the filter is mandatory, and that the protocol must be ldap:// --- doc/man/man5/slapd.conf.5 | 11 ++++++++--- servers/slapd/saslauthz.c | 17 +++++++++++++---- 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 41992bd822..f3c666768c 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -357,16 +357,21 @@ string, e.g. .B UID=$1,OU=Accounts,DC=example,DC=com .RE -The replaced name can be either a DN or an LDAP URI. If the -latter, the server will use the URI to search its own database(s) +The replaced name can be either a DN, i.e. a string prefixed by "dn:", +or an LDAP URI. +If the latter, the server will use the URI to search its own database(s) and, if the search returns exactly one entry, the name is replaced by the DN of that entry. The LDAP URI must have no -hostport, attrs, or extensions components, e.g. +hostport, attrs, or extensions components, but the filter is mandatory, +e.g. .RS .TP .B ldap:///OU=Accounts,DC=example,DC=com??one?(UID=$1) .RE +The protocol portion of the URI must be strictly +.BR ldap . + Multiple .B authz-regexp options can be given in the configuration file to allow for multiple matching diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c index 561ffa6219..0b882904e0 100644 --- a/servers/slapd/saslauthz.c +++ b/servers/slapd/saslauthz.c 
@@ -409,7 +409,17 @@ is_dn: bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val); * must pass str2filter() */ rc = ldap_url_parse( uri->bv_val, &ludp ); - if ( rc == LDAP_URL_ERR_BADSCHEME ) { + switch ( rc ) { + case LDAP_URL_SUCCESS: + if ( strcasecmp( ludp->lud_scheme, "ldap" ) != 0 ) { + /* + * must be ldap:/// + */ + return LDAP_PROTOCOL_ERROR; + } + break; + + case LDAP_URL_ERR_BADSCHEME: /* * last chance: assume it's a(n exact) DN ... * @@ -418,13 +428,12 @@ is_dn: bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val); bv.bv_val = uri->bv_val; *scope = LDAP_X_SCOPE_EXACT; goto is_dn; - } - if ( rc != LDAP_URL_SUCCESS ) { + default: return LDAP_PROTOCOL_ERROR; } - if (( ludp->lud_host && *ludp->lud_host ) + if ( ( ludp->lud_host && *ludp->lud_host ) || ludp->lud_attrs || ludp->lud_exts ) { /* host part must be empty */ -- 2.39.5
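Review bot: The new `LDAP_URL_SUCCESS` arm returns `LDAP_PROTOCOL_ERROR` on a non-"ldap" scheme without releasing the descriptor that `ldap_url_parse()` just allocated, so every rejected `ldaps:///` or `ldapi:///` authz-regexp target leaks a `LDAPURLDesc`; the early return should be `ldap_free_urldesc( ludp ); return LDAP_PROTOCOL_ERROR;`. The later rejection for a non-empty host, attrs or exts presumably frees `ludp` on its own path (that code is outside the hunk), so this new exit is the only one that skips cleanup. It is also worth noting in the comment why the check exists: libldap parses `ldaps` and `ldapi` as well, and `ldapi:///` has no host part, so the existing host/attrs/exts check alone would not keep the search on the local databases — `/* only ldap:/// may be used here: the URI must search the local databases */` says that. The enclosing function starts before and ends after this hunk.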