From 4e515a8a659e00138cac33eb04b2a01eda85388c Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Mon, 3 Jan 2011 22:54:48 +0000
Subject: [PATCH] Add VC support for ppolicy and authzid inner controls

---
 clients/tools/common.c | 21 ++++++++++++++++++
 clients/tools/ldapvc.c | 48 ++++++++++++++++++++++++++++++++++++++----
 include/ldap.h | 3 +++
 3 files changed, 68 insertions(+), 4 deletions(-)

diff --git a/clients/tools/common.c b/clients/tools/common.c
index 31ea8b972f..e68a3421af 100644
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -137,6 +137,9 @@ typedef int (*print_ctrl_fn)( LDAP *ld, LDAPControl *ctrl );
 static int print_preread( LDAP *ld, LDAPControl *ctrl );
 static int print_postread( LDAP *ld, LDAPControl *ctrl );
 static int print_paged_results( LDAP *ld, LDAPControl *ctrl );
+#ifdef LDAP_CONTROL_AUTHZID_RESPONSE
+static int print_authzid( LDAP *ld, LDAPControl *ctrl );
+#endif
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
 static int print_ppolicy( LDAP *ld, LDAPControl *ctrl );
 #endif
@@ -157,6 +160,10 @@ static struct tool_ctrls_t {
 { LDAP_CONTROL_PRE_READ, TOOL_ALL, print_preread },
 { LDAP_CONTROL_POST_READ, TOOL_ALL, print_postread },
 { LDAP_CONTROL_PAGEDRESULTS, TOOL_SEARCH, print_paged_results },
+#ifdef LDAP_CONTROL_AUTHZID_RESPONSE
+ /* this is generally deprecated in favor of LDAP WhoAmI? operation, hence only supported as a VC inner control */
+ { LDAP_CONTROL_PASSWORDPOLICYRESPONSE, TOOL_VC, print_authzid },
+#endif
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
 { LDAP_CONTROL_PASSWORDPOLICYRESPONSE, TOOL_ALL, print_ppolicy },
 #endif
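Review bot: The new tool_ctrls_t row in the second hunk is keyed on LDAP_CONTROL_PASSWORDPOLICYRESPONSE but dispatches to print_authzid, so an authzid response control from the server never matches any row and is dropped without a word, while a ppolicy response can be handed to the wrong printer depending on how the table is searched (the lookup is outside this hunk). Both the #ifdef guard and the printer refer to the authzid OID, so the row should read `{ LDAP_CONTROL_AUTHZID_RESPONSE, TOOL_VC, print_authzid },`. The explanatory comment above it is useful; citing RFC 3829 there as well would tell a reader which control is meant.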
@@ -2168,6 +2175,20 @@ print_whatfailed( LDAP *ld, LDAPControl *ctrl )
 }
 #endif
 
+#ifdef LDAP_CONTROL_AUTHZID_RESPONSE
+static int
+print_authzid( LDAP *ld, LDAPControl *ctrl )
+{
+ if (ctrl->ldctl_value.bv_len) {
+ tool_write_ldif( ldif ? LDIF_PUT_COMMENT : LDIF_PUT_VALUE,
+ "authzid", ctrl->ldctl_value.bv_val, ctrl->ldctl_value.bv_len );
+ } else {
+ tool_write_ldif( ldif ? LDIF_PUT_COMMENT : LDIF_PUT_VALUE,
+ "authzid", "anonymous", sizeof("anonymous")-1);
+ }
+}
+#endif
+
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
 static int
 print_ppolicy( LDAP *ld, LDAPControl *ctrl )
diff --git a/clients/tools/ldapvc.c b/clients/tools/ldapvc.c
index c6ca58578b..e3ac98f6f5 100644
--- a/clients/tools/ldapvc.c
+++ b/clients/tools/ldapvc.c
@@ -48,6 +48,9 @@
 
 #include "common.h"
 
+static int req_authzid = 0;
+static int req_pp = 0;
+
 static char * mech = NULL;
 static char * dn = NULL;
 static struct berval cred = {0, NULL};
@@ -61,13 +64,15 @@ usage( void )
 fprintf( stderr, _(" DN\tDistinguished Name\n"));
 fprintf( stderr, _(" cred\tCredentials (prompt if not present)\n"));
 fprintf( stderr, _("options:\n"));
+ fprintf( stderr, _(" -a\tRequest AuthzId\n"));
+ fprintf( stderr, _(" -b\tRequest Password Policy Information\n"));
 fprintf( stderr, _(" -S mech\tSASL mechanism (default "" e.g. Simple)\n"));
 tool_common_usage();
 exit( EXIT_FAILURE );
 }
 
 
-const char options[] = "S"
+const char options[] = "abS:"
 "d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
 
 int
@@ -104,6 +109,14 @@ handle_private_option( int i )
 usage();
 #endif
 
+ case 'a': /* request authzid */
+ req_authzid++;
+ break;
+
+ case 'b': /* request authzid */
+ req_pp++;
+ break;
+
 case 'S': /* SASL mechanism */
 mech = optarg;
 break;
@@ -128,6 +141,8 @@ main( int argc, char *argv[] )
 int id, code = 0;
 LDAPMessage *res;
 LDAPControl **ctrls = NULL;
+ LDAPControl **vcctrls = NULL;
+ int nvcctrls = 0;
 
 tool_init( TOOL_VC );
 prog = lutil_progname( "ldapvc", argc, argv );
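Review bot: print_authzid is declared to return int (it is registered through print_ctrl_fn) but neither branch returns a value, so control falls off the closing brace and any caller that reads the result sees undefined behaviour. Add `return 0;` after the if/else, or whatever status its sibling printers such as print_ppolicy return (their bodies are outside this hunk). Passing bv_len rather than treating bv_val as a C string is right, since the server-supplied value is not guaranteed to be NUL-terminated; a one-line comment saying so would keep a later maintainer from "simplifying" it.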
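Review bot: The comment on the new `case 'b':` in handle_private_option is a copy of the one above it and says "request authzid" while the code increments req_pp; it should read `case 'b': /* request password policy information */`. The usage text two hunks earlier already describes -b correctly, so only the comment is out of step.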
@@ -176,9 +191,29 @@ main( int argc, char *argv[] )
 
 tool_server_controls( ld, NULL, 0 );
 
+ if (req_authzid) {
+ vcctrls = (LDAPControl **) malloc(3*sizeof(LDAPControl *));
+ vcctrls[nvcctrls] = (LDAPControl *) malloc(sizeof(LDAPControl));
+ vcctrls[nvcctrls]->ldctl_oid = LDAP_CONTROL_AUTHZID_REQUEST;
+ vcctrls[nvcctrls]->ldctl_iscritical = 0;
+ vcctrls[nvcctrls]->ldctl_value.bv_val = NULL;
+ vcctrls[nvcctrls]->ldctl_value.bv_len = 0;
+ vcctrls[++nvcctrls] = NULL;
+ }
+
+ if (req_pp) {
+ if (vcctrls) vcctrls = (LDAPControl **) malloc(3*sizeof(LDAPControl *));
+ vcctrls[nvcctrls] = (LDAPControl *) malloc(sizeof(LDAPControl));
+ vcctrls[nvcctrls]->ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST;
+ vcctrls[nvcctrls]->ldctl_iscritical = 0;
+ vcctrls[nvcctrls]->ldctl_value.bv_val = NULL;
+ vcctrls[nvcctrls]->ldctl_value.bv_len = 0;
+ vcctrls[++nvcctrls] = NULL;
+ }
+
 
 rc = ldap_verify_credentials( ld, NULL,
- dn, mech, cred.bv_val ? &cred: NULL, NULL,
+ dn, mech, cred.bv_val ? &cred: NULL, vcctrls,
 NULL, NULL, &id );
 
 if( rc != LDAP_SUCCESS ) {
@@ -187,6 +222,9 @@ main( int argc, char *argv[] )
 goto skip;
 }
 
+ ldap_controls_free(vcctrls);
+ vcctrls = NULL;
+
 for ( ; ; ) {
 struct timeval tv;
 
@@ -221,7 +259,7 @@ main( int argc, char *argv[] )
 goto skip;
 }
 
- rc = ldap_parse_verify_credentials( ld, res, &rcode, &diag, &scookie, &scred, NULL );
+ rc = ldap_parse_verify_credentials( ld, res, &rcode, &diag, &scookie, &scred, &vcctrls );
 ldap_msgfree(res);
 
 if( rc != LDAP_SUCCESS ) {
@@ -238,7 +276,9 @@ main( int argc, char *argv[] )
 printf(_("Diagnostic: %s\n"), diag);
 }
 
- /* print vc controls here (once added) */
+ if (vcctrls) {
+ tool_print_ctrls( ld, vcctrls );
+ }
 
 skip:
 if ( verbose || ( code != LDAP_SUCCESS ) ||
diff --git a/include/ldap.h b/include/ldap.h
index 6081a2ee0f..99ce060bcb 100644
--- a/include/ldap.h
+++ b/include/ldap.h
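Review bot: The condition in the req_pp block is inverted: `if (vcctrls) vcctrls = ... malloc(...)` allocates a fresh array only when one already exists, so with -a and -b together the authzid control built just above is leaked and dropped from the request, and with -b alone vcctrls stays NULL and `vcctrls[nvcctrls] = ...` writes through a null pointer. It should be `if (vcctrls == NULL) vcctrls = (LDAPControl **) malloc(3*sizeof(LDAPControl *));`, which also makes the three-slot sizing (two controls plus the NULL terminator) hold in every combination. The four malloc results are used without a NULL check; how the rest of main handles allocation failure is outside this hunk, but a check with an error exit here is cheap. The two blocks differ only in the OID and could share a small static helper that takes the OID and appends to vcctrls/nvcctrls.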
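Review bot: In the second hunk `ldap_controls_free(vcctrls)` runs only on the success path; when ldap_verify_credentials fails, the `goto skip` in the preceding lines jumps past it and the request controls leak. Freeing before the goto, or once at the `skip:` label (vcctrls is reset to NULL here, so that is safe provided ldap_controls_free tolerates NULL, which I believe it does), closes that path. The response controls that ldap_parse_verify_credentials stores into the same pointer in the third hunk and that are printed in the fourth are not freed anywhere in view either; main continues past these hunks, so this may be handled later, but it is worth confirming.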
@@ -264,6 +264,9 @@ typedef struct ldapcontrol {
 /* non-standard track controls */
 #define LDAP_CONTROL_PAGEDRESULTS "1.2.840.113556.1.4.319" /* RFC 2696 */
 
+#define LDAP_CONTROL_AUTHZID_REQUEST "2.16.840.1.113730.4.16" /* RFC 3829 */
+#define LDAP_CONTROL_AUTHZID_RESPONSE "2.16.840.1.113730.4.15" /* RFC 3829 */
+
 /* LDAP Content Synchronization Operation -- RFC 4533 */
 #define LDAP_SYNC_OID "1.3.6.1.4.1.4203.1.9.1"
 #define LDAP_CONTROL_SYNC LDAP_SYNC_OID ".1"
-- 
2.39.5
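Review bot: Both new OIDs appear to be missing an arc: RFC 3829 registers the Authorization Identity Request control as 2.16.840.1.113730.3.4.16 and the Response control as 2.16.840.1.113730.3.4.15, whereas the hunk writes `2.16.840.1.113730.4.16` and `2.16.840.1.113730.4.15`. Because ldapvc sends the request control with ldctl_iscritical = 0, a server that does not recognise the mistyped OID will simply ignore it and the user will never see an authzid, with no error to point at the cause. Please recheck against the RFC and correct both lines, e.g. `#define LDAP_CONTROL_AUTHZID_REQUEST "2.16.840.1.113730.3.4.16" /* RFC 3829 */` and the matching `.3.4.15` for the response.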