From 2d635156dc464bb9efa29757b07bddd1da40075b Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Tue, 4 Jan 2011 10:57:35 +0000 Subject: [PATCH] add minimal support for RFC3829 (ITS#6771) --- contrib/slapd-modules/authzid/Makefile | 52 +++++++ contrib/slapd-modules/authzid/authzid.c | 177 ++++++++++++++++++++++++ 2 files changed, 229 insertions(+) create mode 100644 contrib/slapd-modules/authzid/Makefile create mode 100644 contrib/slapd-modules/authzid/authzid.c diff --git a/contrib/slapd-modules/authzid/Makefile b/contrib/slapd-modules/authzid/Makefile new file mode 100644 index 0000000000..12e7acd39a --- /dev/null +++ b/contrib/slapd-modules/authzid/Makefile @@ -0,0 +1,52 @@ +# $OpenLDAP$ +# This work is part of OpenLDAP Software . +# +# Copyright 1998-2010 The OpenLDAP Foundation. +# Copyright 2004 Howard Chu, Symas Corp. All Rights Reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted only as authorized by the OpenLDAP +# Public License. +# +# A copy of this license is available in the file LICENSE in the +# top-level directory of the distribution or, alternatively, at +# . + +LIBTOOL=../../../libtool +OPT=-g -O2 +#LIBTOOL=../../../../ldap-devel/libtool +#OPT=-g -O0 +CC=gcc + +LDAP_INC=-I../../../include -I../../../servers/slapd +#LDAP_INC=-I../../../include -I../../../servers/slapd -I../../../../ldap-devel/include +INCS=$(LDAP_INC) + +LDAP_LIB=-lldap_r -llber +LIBS=$(LDAP_LIB) + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +all: authzid.la + + +authzid.lo: authzid.c + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $? + +authzid.la: authzid.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info 0:0:0 \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -f authzid.lo authzid.la + +install: authzid.la + mkdir -p $(DESTDIR)$(moduledir) + $(LIBTOOL) --mode=install cp authzid.la $(DESTDIR)$(moduledir) + diff --git a/contrib/slapd-modules/authzid/authzid.c b/contrib/slapd-modules/authzid/authzid.c new file mode 100644 index 0000000000..bcfff23a52 --- /dev/null +++ b/contrib/slapd-modules/authzid/authzid.c @@ -0,0 +1,177 @@ +/* vc.c - LDAP Verify Credentials extop (no spec yet) */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software . + * + * Copyright 2010 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * . + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Pierangelo Masarati for inclusion + * in OpenLDAP Software. + */ + +/* + * RFC 3829 Authzid + */ + +#include "portable.h" + +#include "slap.h" +#include "lutil.h" +#include "ac/string.h" + +static int authzid_cid; + +static int +authzid_response( + Operation *op, + SlapReply *rs ) +{ + if ( rs->sr_tag == LDAP_RES_BIND ) { + LDAPControl **ctrls; + ber_len_t len = 0; + int n = 0; + + /* TEMPORARY! */ + if ( rs->sr_err == LDAP_SASL_BIND_IN_PROGRESS ) { + if ( op->o_ctrlflag[ authzid_cid ] == SLAP_CONTROL_CRITICAL ) { + return rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION; + } + + op->o_ctrlflag[ authzid_cid ] = SLAP_CONTROL_IGNORED; + + return SLAP_CB_CONTINUE; + } + /* end of TEMPORARY! */ + + if ( !BER_BVISEMPTY( &op->o_conn->c_dn ) ) { + len = STRLENOF("dn:") + op->o_conn->c_dn.bv_len; + } + + /* save original controls in sc_private; + * will be restored by sc_cleanup + */ + if ( rs->sr_ctrls != NULL ) { + op->o_callback->sc_private = rs->sr_ctrls; + for ( ; rs->sr_ctrls[n] != NULL; n++ ) + ; + } + + ctrls = op->o_tmpalloc( sizeof( LDAPControl * )*( n + 2 ), op->o_tmpmemctx ); + n = 0; + if ( rs->sr_ctrls ) { + for ( ; rs->sr_ctrls[n] != NULL; n++ ) { + ctrls[n] = rs->sr_ctrls[n]; + } + } + + /* anonymous: "", otherwise "dn:" */ + ctrls[n] = op->o_tmpalloc( sizeof( LDAPControl ) + len + 1, op->o_tmpmemctx ); + ctrls[n]->ldctl_oid = LDAP_CONTROL_AUTHZID_RESPONSE; + ctrls[n]->ldctl_iscritical = 0; + ctrls[n]->ldctl_value.bv_len = len; + ctrls[n]->ldctl_value.bv_val = (char *)&ctrls[n][1]; + if ( len ) { + char *ptr; + + ptr = lutil_strcopy( ctrls[n]->ldctl_value.bv_val, "dn:" ); + ptr = lutil_strncopy( ptr, op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len ); + } + ctrls[n]->ldctl_value.bv_val[len] = '\0'; + ctrls[n + 1] = NULL; + + rs->sr_ctrls = ctrls; + } + + return SLAP_CB_CONTINUE; +} + +static int +authzid_cleanup( + Operation *op, + SlapReply *rs ) +{ + if ( rs->sr_ctrls ) { + LDAPControl *ctrl; + + /* if ours, cleanup */ + ctrl = ldap_control_find( LDAP_CONTROL_AUTHZID_RESPONSE, rs->sr_ctrls, NULL ); + if ( ctrl ) { + op->o_tmpfree( ctrl, op->o_tmpmemctx ); + op->o_tmpfree( rs->sr_ctrls, op->o_tmpmemctx ); + } + + if ( op->o_callback->sc_private != NULL ) { + rs->sr_ctrls = (LDAPControl **)op->o_callback->sc_private; + op->o_callback->sc_private = NULL; + } + } + + op->o_tmpfree( op->o_callback, op->o_tmpmemctx ); + op->o_callback = NULL; + + return SLAP_CB_CONTINUE; +} + +static int +parse_authzid_ctrl( + Operation *op, + SlapReply *rs, + LDAPControl *ctrl ) +{ + slap_callback *sc; + + if ( op->o_ctrlflag[ authzid_cid ] != SLAP_CONTROL_NONE ) { + rs->sr_text = "authzid control specified multiple times"; + return LDAP_PROTOCOL_ERROR; + } + + if ( !BER_BVISNULL( &ctrl->ldctl_value ) ) { + rs->sr_text = "authzid control value not absent"; + return LDAP_PROTOCOL_ERROR; + } + + op->o_ctrlflag[ authzid_cid ] = ctrl->ldctl_iscritical ? SLAP_CONTROL_CRITICAL : SLAP_CONTROL_NONCRITICAL; + + sc = op->o_callback; + op->o_callback = op->o_tmpalloc( sizeof( slap_callback ), op->o_tmpmemctx ); + op->o_callback->sc_response = authzid_response; + op->o_callback->sc_cleanup = authzid_cleanup; + op->o_callback->sc_private = NULL; + op->o_callback->sc_next = sc; + + return LDAP_SUCCESS; +} + +static int +authzid_initialize( void ) +{ + int rc; + + rc = register_supported_control( LDAP_CONTROL_AUTHZID_REQUEST, + SLAP_CTRL_GLOBAL|SLAP_CTRL_BIND|SLAP_CTRL_HIDE, NULL, + parse_authzid_ctrl, &authzid_cid ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "authzid_initialize: failed to register control %s (%d)\n", + LDAP_CONTROL_AUTHZID_REQUEST, rc, 0 ); + return rc; + } + + return rc; +} + +int +init_module( int argc, char *argv[] ) +{ + return authzid_initialize(); +} + -- 2.39.5