From 63d617a96471ebc4a6b064a573d3cdcc294054e5 Mon Sep 17 00:00:00 2001 From: Quanah Gibson-Mount Date: Mon, 10 Nov 2008 23:07:07 +0000 Subject: [PATCH] More for ITS#5785 --- doc/man/man5/slapd.conf.5 | 6 ++++++ servers/slapd/bconfig.c | 2 ++ servers/slapd/controls.c | 14 ++++++++++++++ servers/slapd/slap.h | 3 +++ 4 files changed, 25 insertions(+) diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index d4b47c4354..8a7f8e8477 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -427,6 +427,12 @@ upon StartTLS operation receipt. .B tls_authc disallows the StartTLS operation if authenticated (see also .BR tls_2_anon ). +.B proxy_authz_non_critical +disables acceptance of the proxied authorization control (RFC4370) +when criticality is FALSE. +.B dontusecopy_non_critical +disables acceptance of the dontUseCopy control (a work in progress) +when criticality is FALSE. .HP .hy 0 .B ditcontentrule "(\ \ diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c index aeba5c405d..974f2fd53f 100644 --- a/servers/slapd/bconfig.c +++ b/servers/slapd/bconfig.c @@ -2587,6 +2587,8 @@ config_disallows(ConfigArgs *c) { { BER_BVC("bind_simple"), SLAP_DISALLOW_BIND_SIMPLE }, { BER_BVC("tls_2_anon"), SLAP_DISALLOW_TLS_2_ANON }, { BER_BVC("tls_authc"), SLAP_DISALLOW_TLS_AUTHC }, + { BER_BVC("proxy_authz_non_critical"), SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT }, + { BER_BVC("dontusecopy_non_critical"), SLAP_DISALLOW_DONTUSECOPY_N_CRIT }, { BER_BVNULL, 0 } }; if (c->op == SLAP_CONFIG_EMIT) { diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c index ee2a36742f..b812bf6b15 100644 --- a/servers/slapd/controls.c +++ b/servers/slapd/controls.c @@ -960,6 +960,13 @@ static int parseDontUseCopy ( return LDAP_PROTOCOL_ERROR; } + if ( ( global_disallows & SLAP_DISALLOW_DONTUSECOPY_N_CRIT ) + && !ctrl->ldctl_iscritical ) + { + rs->sr_text = "dontUseCopy criticality of FALSE not allowed"; + return LDAP_PROTOCOL_ERROR; + } + op->o_dontUseCopy = ctrl->ldctl_iscritical ? SLAP_CONTROL_CRITICAL : SLAP_CONTROL_NONCRITICAL; @@ -1029,6 +1036,13 @@ static int parseProxyAuthz ( return LDAP_PROTOCOL_ERROR; } + if ( ( global_disallows & SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT ) + && !ctrl->ldctl_iscritical ) + { + rs->sr_text = "proxied authorization criticality of FALSE not allowed"; + return LDAP_PROTOCOL_ERROR; + } + if ( !( global_allows & SLAP_ALLOW_PROXY_AUTHZ_ANON ) && BER_BVISEMPTY( &op->o_ndn ) ) { diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index df29ec914d..d0d7c4e6d5 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -1861,6 +1861,9 @@ struct BackendDB { #define SLAP_DISALLOW_TLS_2_ANON 0x0010U /* StartTLS -> Anonymous */ #define SLAP_DISALLOW_TLS_AUTHC 0x0020U /* TLS while authenticated */ +#define SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT 0x0100U +#define SLAP_DISALLOW_DONTUSECOPY_N_CRIT 0x0200U + #define SLAP_DISALLOW_AUX_WO_CR 0x4000U slap_mask_t be_requires; /* pre-operation requirements */ -- 2.39.5