From 66ddf62922f2c8f5842bb041fb94d299f2114bcf Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Thu, 13 May 2004 20:25:53 +0000 Subject: [PATCH] add idassert code (undocumented yet) --- servers/slapd/back-ldap/add.c | 10 +- servers/slapd/back-ldap/back-ldap.h | 16 +++ servers/slapd/back-ldap/bind.c | 172 +++++++++++++++++++++------- servers/slapd/back-ldap/compare.c | 10 +- servers/slapd/back-ldap/config.c | 85 ++++++++++++++ servers/slapd/back-ldap/delete.c | 10 +- servers/slapd/back-ldap/init.c | 43 +++---- servers/slapd/back-ldap/modify.c | 10 +- servers/slapd/back-ldap/modrdn.c | 7 +- servers/slapd/back-ldap/search.c | 10 +- 10 files changed, 269 insertions(+), 104 deletions(-) diff --git a/servers/slapd/back-ldap/add.c b/servers/slapd/back-ldap/add.c index 837f4d3a3a..699503aca8 100644 --- a/servers/slapd/back-ldap/add.c +++ b/servers/slapd/back-ldap/add.c @@ -46,8 +46,8 @@ ldap_back_add( ber_int_t msgid; dncookie dc; int isupdate; -#ifdef LDAP_BACK_PROXY_AUTHZ LDAPControl **ctrls = NULL; +#ifdef LDAP_BACK_PROXY_AUTHZ int rc = LDAP_SUCCESS; #endif /* LDAP_BACK_PROXY_AUTHZ */ @@ -128,6 +128,7 @@ ldap_back_add( } attrs[i] = NULL; + ctrls = op->o_ctrls; #ifdef LDAP_BACK_PROXY_AUTHZ rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls ); if ( rc != LDAP_SUCCESS ) { @@ -136,12 +137,7 @@ ldap_back_add( #endif /* LDAP_BACK_PROXY_AUTHZ */ rs->sr_err = ldap_add_ext(lc->ld, mdn.bv_val, attrs, -#ifdef LDAP_BACK_PROXY_AUTHZ - ctrls, -#else /* ! LDAP_BACK_PROXY_AUTHZ */ - op->o_ctrls, -#endif /* ! LDAP_BACK_PROXY_AUTHZ */ - NULL, &msgid); + ctrls, NULL, &msgid); #ifdef LDAP_BACK_PROXY_AUTHZ cleanup: diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h index 2c1c2ce07f..11ce343af4 100644 --- a/servers/slapd/back-ldap/back-ldap.h +++ b/servers/slapd/back-ldap/back-ldap.h @@ -31,6 +31,10 @@ #include "rewrite.h" #endif /* ENABLE_REWRITE */ +#ifdef LDAP_DEVEL +#define LDAP_BACK_PROXY_AUTHZ +#endif + LDAP_BEGIN_DECL struct slap_conn; @@ -87,7 +91,19 @@ struct ldapinfo { #ifdef LDAP_BACK_PROXY_AUTHZ struct berval proxyauthzdn; struct berval proxyauthzpw; + + /* ID assert stuff */ + int idassert_mode; +#define LDAP_BACK_IDASSERT_NONE 0 +#define LDAP_BACK_IDASSERT_PROXYID 1 +#define LDAP_BACK_IDASSERT_ANONYMOUS 2 +#define LDAP_BACK_IDASSERT_SELF 3 +#define LDAP_BACK_IDASSERT_OTHER 4 + struct berval idassert_dn; + BerVarray idassert_authz; + /* end of ID assert stuff */ #endif /* LDAP_BACK_PROXY_AUTHZ */ + ldap_pvt_thread_mutex_t conn_mutex; int savecred; Avlnode *conntree; diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c index 41580063e6..a4ea5e9092 100644 --- a/servers/slapd/back-ldap/bind.c +++ b/servers/slapd/back-ldap/bind.c @@ -72,10 +72,9 @@ ldap_back_bind( return -1; } - if ( lc->bound_dn.bv_val ) { + if ( !BER_BVISNULL( &lc->bound_dn ) ) { ch_free( lc->bound_dn.bv_val ); - lc->bound_dn.bv_len = 0; - lc->bound_dn.bv_val = NULL; + BER_BVZERO( &lc->bound_dn ); } lc->bound = 0; /* method is always LDAP_AUTH_SIMPLE if we got here */ @@ -89,10 +88,10 @@ ldap_back_bind( } else { ber_dupbv( &lc->bound_dn, &op->o_req_dn ); } - mdn.bv_val = NULL; + BER_BVZERO( &mdn ); if ( li->savecred ) { - if ( lc->cred.bv_val ) { + if ( !BER_BVISNULL( &lc->cred ) ) { memset( lc->cred.bv_val, 0, lc->cred.bv_len ); ch_free( lc->cred.bv_val ); } @@ -108,7 +107,7 @@ ldap_back_bind( ldap_pvt_thread_mutex_lock( &li->conn_mutex ); lc = avl_delete( &li->conntree, (caddr_t)lc, ldap_back_conn_cmp ); - if ( lc->local_dn.bv_val ) + if ( !BER_BVISNULL( &lc->local_dn ) ) ch_free( lc->local_dn.bv_val ); ber_dupbv( &lc->local_dn, &op->o_req_ndn ); lerr = avl_insert( &li->conntree, (caddr_t)lc, @@ -119,7 +118,7 @@ ldap_back_bind( } } - if ( mdn.bv_val && mdn.bv_val != op->o_req_dn.bv_val ) { + if ( !BER_BVISNULL( &mdn ) && mdn.bv_val != op->o_req_dn.bv_val ) { free( mdn.bv_val ); } @@ -286,11 +285,9 @@ ldap_back_getconn(Operation *op, SlapReply *rs) ber_dupbv( &lc->cred, &li->bindpw ); ber_dupbv( &lc->bound_dn, &li->binddn ); } else { - lc->cred.bv_len = 0; - lc->cred.bv_val = NULL; - lc->bound_dn.bv_val = NULL; - lc->bound_dn.bv_len = 0; - if ( op->o_conn && op->o_conn->c_dn.bv_len != 0 + BER_BVZERO( &lc->cred ); + BER_BVZERO( &lc->bound_dn ); + if ( op->o_conn && !BER_BVISEMPTY( &op->o_conn->c_dn ) && ( op->o_bd == op->o_conn->c_authz_backend ) ) { dncookie dc; @@ -407,12 +404,40 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs ) * control to every operation with the dn bound * to the connection as control value. */ - if ( ( lc->bound_dn.bv_val == NULL || lc->bound_dn.bv_len == 0 ) - && ( op->o_conn && op->o_conn->c_dn.bv_val != NULL && op->o_conn->c_dn.bv_len != 0 ) - && ( li->proxyauthzdn.bv_val != NULL && li->proxyauthzdn.bv_len != 0 ) - && ! gotit ) { - rs->sr_err = ldap_sasl_bind(lc->ld, li->proxyauthzdn.bv_val, - LDAP_SASL_SIMPLE, &li->proxyauthzpw, NULL, NULL, &msgid); + if ( op->o_conn != NULL + && ( BER_BVISNULL( &lc->bound_dn ) || BER_BVISEMPTY( &lc->bound_dn ) ) ) { + struct berval binddn = slap_empty_bv; + struct berval bindcred = slap_empty_bv; + + /* bind as proxyauthzdn only if no idassert mode is requested, + * or if the client's identity is authorized */ + switch ( li->idassert_mode ) { + case LDAP_BACK_IDASSERT_NONE: + if ( !BER_BVISNULL( &op->o_conn->c_dn ) && !BER_BVISEMPTY( &op->o_conn->c_dn ) + && !BER_BVISNULL( &li->proxyauthzdn ) && !BER_BVISEMPTY( &li->proxyauthzdn ) + && !gotit ) { + binddn = li->proxyauthzdn; + bindcred = li->proxyauthzpw; + } + break; + + default: + if ( li->idassert_authz ) { + struct berval authcDN = BER_BVISNULL( &op->o_conn->c_dn ) ? slap_empty_bv : op->o_conn->c_dn; + + rc = slap_sasl_matches( op, li->idassert_authz, + &authcDN, &authcDN ); + if ( rc != LDAP_SUCCESS ) { + break; + } + } + binddn = li->proxyauthzdn; + bindcred = li->proxyauthzpw; + break; + } + + rs->sr_err = ldap_sasl_bind(lc->ld, binddn.bv_val, + LDAP_SASL_SIMPLE, &bindcred, NULL, NULL, &msgid); } else #endif /* LDAP_BACK_PROXY_AUTHZ */ @@ -610,34 +635,21 @@ ldap_back_proxy_authz_ctrl( { struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private; LDAPControl **ctrls = NULL; + int i = 0; + struct berval assertedDN; *pctrls = NULL; - if ( ( lc->bound_dn.bv_val == NULL || lc->bound_dn.bv_len == 0 ) - && ( op->o_conn && op->o_conn->c_dn.bv_val != NULL && op->o_conn->c_dn.bv_len != 0 ) - && ( li->proxyauthzdn.bv_val != NULL && li->proxyauthzdn.bv_len != 0 ) ) { - int i = 0; - - if ( !op->o_proxy_authz ) { - ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) ); - ctrls[ 0 ] = ch_malloc( sizeof( LDAPControl ) ); - - ctrls[ 0 ]->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; - ctrls[ 0 ]->ldctl_iscritical = 1; - ctrls[ 0 ]->ldctl_value.bv_len = op->o_conn->c_dn.bv_len + 3; - ctrls[ 0 ]->ldctl_value.bv_val = ch_malloc( ctrls[ 0 ]->ldctl_value.bv_len + 1 ); - AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val, "dn:", sizeof( "dn:" ) - 1 ); - AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val + sizeof( "dn:") - 1, - op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len + 1 ); - - if ( op->o_ctrls ) { - for ( i = 0; op->o_ctrls[ i ]; i++ ) { - ctrls[ i + 1 ] = op->o_ctrls[ i ]; - } - } - ctrls[ i + 1 ] = NULL; + if ( BER_BVISNULL( &li->proxyauthzdn ) ) { + goto done; + } - } else { + if ( !op->o_conn ) { + goto done; + } + + if ( li->idassert_mode == LDAP_BACK_IDASSERT_NONE ) { + if ( op->o_proxy_authz ) { /* * FIXME: we do not want to perform proxyAuthz * on behalf of the client, because this would @@ -652,9 +664,85 @@ ldap_back_proxy_authz_ctrl( rs->sr_err = LDAP_UNWILLING_TO_PERFORM; rs->sr_text = "proxyAuthz not allowed within namingContext"; #endif + goto done; + } + + if ( !BER_BVISNULL( &lc->bound_dn ) && !BER_BVISEMPTY( &lc->bound_dn ) ) { + goto done; + } + + if ( BER_BVISNULL( &op->o_conn->c_dn ) || BER_BVISEMPTY( &op->o_conn->c_dn ) ) { + goto done; + } + + if ( BER_BVISEMPTY( &li->proxyauthzdn ) ) { + goto done; + } + + } else if ( li->idassert_authz ) { + int rc; + struct berval authcDN = BER_BVISNULL( &op->o_conn->c_dn ) ? slap_empty_bv : op->o_conn->c_dn; + + + rc = slap_sasl_matches( op, li->idassert_authz, + &authcDN, & authcDN ); + if ( rc != LDAP_SUCCESS ) { + /* op->o_conn->c_dn is not authorized + * to use idassert */ + return rc; + } + } + + switch ( li->idassert_mode ) { + case LDAP_BACK_IDASSERT_NONE: + case LDAP_BACK_IDASSERT_SELF: + /* original behavior: + * assert the client's identity */ + assertedDN = op->o_conn->c_dn; + break; + + case LDAP_BACK_IDASSERT_ANONYMOUS: + /* assert "anonymous" */ + assertedDN = slap_empty_bv; + break; + + case LDAP_BACK_IDASSERT_PROXYID: + /* don't assert; bind as proxyauthzdn */ + goto done; + + case LDAP_BACK_IDASSERT_OTHER: + /* assert idassert DN */ + assertedDN = li->idassert_dn; + break; + + default: + assert( 0 ); + } + + if ( BER_BVISNULL( &assertedDN ) ) { + assertedDN = slap_empty_bv; + } + + ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) ); + ctrls[ 0 ] = ch_malloc( sizeof( LDAPControl ) ); + + ctrls[ 0 ]->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; + ctrls[ 0 ]->ldctl_iscritical = 1; + ctrls[ 0 ]->ldctl_value.bv_len = assertedDN.bv_len + STRLENOF( "dn:" ); + ctrls[ 0 ]->ldctl_value.bv_val = ch_malloc( ctrls[ 0 ]->ldctl_value.bv_len + 1 ); + AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val, "dn:", STRLENOF( "dn:" ) ); + AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val + STRLENOF( "dn:" ), + assertedDN.bv_val, assertedDN.bv_len ); + ctrls[ 0 ]->ldctl_value.bv_val[ ctrls[ 0 ]->ldctl_value.bv_len ] = '\0'; + + if ( op->o_ctrls ) { + for ( i = 0; op->o_ctrls[ i ]; i++ ) { + ctrls[ i + 1 ] = op->o_ctrls[ i ]; } } + ctrls[ i + 1 ] = NULL; +done:; if ( ctrls == NULL ) { ctrls = op->o_ctrls; } diff --git a/servers/slapd/back-ldap/compare.c b/servers/slapd/back-ldap/compare.c index f8d04d71ce..6684c49846 100644 --- a/servers/slapd/back-ldap/compare.c +++ b/servers/slapd/back-ldap/compare.c @@ -43,8 +43,8 @@ ldap_back_compare( ber_int_t msgid; int freeval = 0; dncookie dc; -#ifdef LDAP_BACK_PROXY_AUTHZ LDAPControl **ctrls = NULL; +#ifdef LDAP_BACK_PROXY_AUTHZ int rc = LDAP_SUCCESS; #endif /* LDAP_BACK_PROXY_AUTHZ */ @@ -100,6 +100,7 @@ ldap_back_compare( } } + ctrls = op->o_ctrls; #ifdef LDAP_BACK_PROXY_AUTHZ rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls ); if ( rc != LDAP_SUCCESS ) { @@ -109,12 +110,7 @@ ldap_back_compare( rs->sr_err = ldap_compare_ext( lc->ld, mdn.bv_val, mapped_at.bv_val, &mapped_val, -#ifdef LDAP_BACK_PROXY_AUTHZ - ctrls, -#else /* ! LDAP_BACK_PROXY_AUTHZ */ - op->o_ctrls, -#endif /* ! LDAP_BACK_PROXY_AUTHZ */ - NULL, &msgid ); + ctrls, NULL, &msgid ); #ifdef LDAP_BACK_PROXY_AUTHZ cleanup: diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c index 4ba0036665..0a2df2379d 100644 --- a/servers/slapd/back-ldap/config.c +++ b/servers/slapd/back-ldap/config.c @@ -34,6 +34,10 @@ static SLAP_EXTOP_MAIN_FN ldap_back_exop_whoami; +static int +parse_idassert( BackendDB *be, const char *fname, int lineno, + int argc, char **argv ); + int ldap_back_db_config( BackendDB *be, @@ -168,6 +172,10 @@ ldap_back_db_config( return( 1 ); } ber_str2bv( argv[1], 0, 1, &li->proxyauthzpw ); + + /* identity assertion stuff... */ + } else if ( strncasecmp( argv[0], "idassert-", STRLENOF( "idassert-" ) ) == 0 ) { + return parse_idassert( be, fname, lineno, argc, argv ); #endif /* LDAP_BACK_PROXY_AUTHZ */ /* save bind creds for referral rebinds? */ @@ -652,3 +660,80 @@ suffix_massage_config( return 0; } #endif /* ENABLE_REWRITE */ + +#ifdef LDAP_BACK_PROXY_AUTHZ +static int +parse_idassert( + BackendDB *be, + const char *fname, + int lineno, + int argc, + char **argv +) +{ + struct ldapinfo *li = (struct ldapinfo *) be->be_private; + + if ( strcasecmp( argv[0], "idassert-mode" ) == 0 ) { + if ( argc != 2 ) { +#ifdef NEW_LOGGING + LDAP_LOG( CONFIG, CRIT, + "%s: line %d: illegal args number %d in \"idassert-mode \" line.\n", + fname, lineno, argc ); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: illegal args number %d in \"idassert-mode \" line.\n", + fname, lineno, argc ); +#endif + return 1; + } + + if ( strcasecmp( argv[1], "self" ) == 0 ) { + /* will proxyAuthz as (rewritten) client's identity */ + li->idassert_mode = LDAP_BACK_IDASSERT_SELF; + + } else if ( strcasecmp( argv[1], "anonymous" ) == 0 ) { + /* will proxyAuthz as anonymous */ + li->idassert_mode = LDAP_BACK_IDASSERT_ANONYMOUS; + + } else if ( strcasecmp( argv[1], "proxyid" ) == 0 ) { + /* will not proxyAuthz */ + li->idassert_mode = LDAP_BACK_IDASSERT_PROXYID; + + } else { + struct berval dn; + int rc; + + /* will proxyAuthz as argv[1] */ + li->idassert_mode = LDAP_BACK_IDASSERT_OTHER; + + ber_str2bv( argv[1], 0, 0, &dn ); + + rc = dnNormalize( 0, NULL, NULL, &dn, &li->idassert_dn, NULL ); + if ( rc != LDAP_SUCCESS ) { +#ifdef NEW_LOGGING + LDAP_LOG( CONFIG, CRIT, + "%s: line %d: idassert DN \"%s\" is invalid.\n", + fname, lineno, argv[1] ); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: idassert DN \"%s\" is invalid\n", + fname, lineno, argv[1] ); +#endif + return 1; + } + } + + } else if ( strcasecmp( argv[0], "idassert-authz" ) == 0 ) { + struct berval rule; + + ber_str2bv( argv[1], 0, 1, &rule ); + + ber_bvarray_add( &li->idassert_authz, &rule ); + + } else { + return SLAP_CONF_UNKNOWN; + } + + return 0; +} +#endif /* LDAP_BACK_PROXY_AUTHZ */ diff --git a/servers/slapd/back-ldap/delete.c b/servers/slapd/back-ldap/delete.c index f7837f45f4..9ae7dd45b5 100644 --- a/servers/slapd/back-ldap/delete.c +++ b/servers/slapd/back-ldap/delete.c @@ -40,8 +40,8 @@ ldap_back_delete( struct ldapconn *lc; ber_int_t msgid; dncookie dc; -#ifdef LDAP_BACK_PROXY_AUTHZ LDAPControl **ctrls = NULL; +#ifdef LDAP_BACK_PROXY_AUTHZ int rc = LDAP_SUCCESS; #endif /* LDAP_BACK_PROXY_AUTHZ */ @@ -71,6 +71,7 @@ ldap_back_delete( } #ifdef LDAP_BACK_PROXY_AUTHZ + ctrls = op->o_ctrls; rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls ); if ( rc != LDAP_SUCCESS ) { goto cleanup; @@ -78,12 +79,7 @@ ldap_back_delete( #endif /* LDAP_BACK_PROXY_AUTHZ */ rs->sr_err = ldap_delete_ext( lc->ld, mdn.bv_val, -#ifdef LDAP_BACK_PROXY_AUTHZ - ctrls, -#else /* ! LDAP_BACK_PROXY_AUTHZ */ - op->o_ctrls, -#endif /* ! LDAP_BACK_PROXY_AUTHZ */ - NULL, &msgid ); + ctrls, NULL, &msgid ); #ifdef LDAP_BACK_PROXY_AUTHZ cleanup: diff --git a/servers/slapd/back-ldap/init.c b/servers/slapd/back-ldap/init.c index 385d05bd1d..a5492e954a 100644 --- a/servers/slapd/back-ldap/init.c +++ b/servers/slapd/back-ldap/init.c @@ -98,16 +98,15 @@ ldap_back_db_init( return -1; } - li->binddn.bv_val = NULL; - li->binddn.bv_len = 0; - li->bindpw.bv_val = NULL; - li->bindpw.bv_len = 0; + BER_BVZERO( &li->binddn ); + BER_BVZERO( &li->bindpw ); #ifdef LDAP_BACK_PROXY_AUTHZ - li->proxyauthzdn.bv_val = NULL; - li->proxyauthzdn.bv_len = 0; - li->proxyauthzpw.bv_val = NULL; - li->proxyauthzpw.bv_len = 0; + BER_BVZERO( &li->proxyauthzdn ); + BER_BVZERO( &li->proxyauthzpw ); + + li->idassert_mode = LDAP_BACK_IDASSERT_NONE; + BER_BVZERO( &li->idassert_dn ); #endif /* LDAP_BACK_PROXY_AUTHZ */ #ifdef ENABLE_REWRITE @@ -201,22 +200,26 @@ ldap_back_db_destroy( ldap_free_urldesc( li->lud ); li->lud = NULL; } - if (li->binddn.bv_val) { - ch_free(li->binddn.bv_val); - li->binddn.bv_val = NULL; + if ( !BER_BVISNULL( &li->binddn ) ) { + ch_free( li->binddn.bv_val ); + BER_BVZERO( &li->binddn ); } - if (li->bindpw.bv_val) { - ch_free(li->bindpw.bv_val); - li->bindpw.bv_val = NULL; + if ( !BER_BVISNULL( &li->bindpw ) ) { + ch_free( li->bindpw.bv_val ); + BER_BVZERO( &li->bindpw ); } #ifdef LDAP_BACK_PROXY_AUTHZ - if (li->proxyauthzdn.bv_val) { - ch_free(li->proxyauthzdn.bv_val); - li->proxyauthzdn.bv_val = NULL; + if ( !BER_BVISNULL( &li->proxyauthzdn ) ) { + ch_free( li->proxyauthzdn.bv_val ); + BER_BVZERO( &li->proxyauthzdn ); + } + if ( !BER_BVISNULL( &li->proxyauthzpw ) ) { + ch_free( li->proxyauthzpw.bv_val ); + BER_BVZERO( &li->proxyauthzpw ); } - if (li->proxyauthzpw.bv_val) { - ch_free(li->proxyauthzpw.bv_val); - li->proxyauthzpw.bv_val = NULL; + if ( !BER_BVISNULL( &li->idassert_dn ) ) { + ch_free( li->idassert_dn.bv_val ); + BER_BVZERO( &li->idassert_dn ); } #endif /* LDAP_BACK_PROXY_AUTHZ */ if (li->conntree) { diff --git a/servers/slapd/back-ldap/modify.c b/servers/slapd/back-ldap/modify.c index 24b7617d60..71384ec924 100644 --- a/servers/slapd/back-ldap/modify.c +++ b/servers/slapd/back-ldap/modify.c @@ -47,9 +47,7 @@ ldap_back_modify( ber_int_t msgid; dncookie dc; int isupdate; -#ifdef LDAP_BACK_PROXY_AUTHZ LDAPControl **ctrls = NULL; -#endif /* LDAP_BACK_PROXY_AUTHZ */ lc = ldap_back_getconn(op, rs); if ( !lc || !ldap_back_dobind( lc, op, rs ) ) { @@ -159,6 +157,7 @@ ldap_back_modify( } modv[i] = 0; + ctrls = op->o_ctrls; #ifdef LDAP_BACK_PROXY_AUTHZ rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls ); if ( rc != LDAP_SUCCESS ) { @@ -167,12 +166,7 @@ ldap_back_modify( #endif /* LDAP_BACK_PROXY_AUTHZ */ rs->sr_err = ldap_modify_ext( lc->ld, mdn.bv_val, modv, -#ifdef LDAP_BACK_PROXY_AUTHZ - ctrls, -#else /* ! LDAP_BACK_PROXY_AUTHZ */ - op->o_ctrls, -#endif /* ! LDAP_BACK_PROXY_AUTHZ */ - NULL, &msgid ); + ctrls, NULL, &msgid ); cleanup:; #ifdef LDAP_BACK_PROXY_AUTHZ diff --git a/servers/slapd/back-ldap/modrdn.c b/servers/slapd/back-ldap/modrdn.c index 5a75d9d4b4..8c76a6bcb3 100644 --- a/servers/slapd/back-ldap/modrdn.c +++ b/servers/slapd/back-ldap/modrdn.c @@ -40,8 +40,8 @@ ldap_back_modrdn( struct ldapconn *lc; ber_int_t msgid; dncookie dc; -#ifdef LDAP_BACK_PROXY_AUTHZ LDAPControl **ctrls = NULL; +#ifdef LDAP_BACK_PROXY_AUTHZ int rc = LDAP_SUCCESS; #endif /* LDAP_BACK_PROXY_AUTHZ */ @@ -88,6 +88,7 @@ ldap_back_modrdn( return -1; } + ctrls = op->o_ctrls; #ifdef LDAP_BACK_PROXY_AUTHZ rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls ); if ( rc != LDAP_SUCCESS ) { @@ -98,11 +99,7 @@ ldap_back_modrdn( rs->sr_err = ldap_rename( lc->ld, mdn.bv_val, op->orr_newrdn.bv_val, mnewSuperior.bv_val, op->orr_deleteoldrdn, -#ifdef LDAP_BACK_PROXY_AUTHZ ctrls, -#else /* ! LDAP_BACK_PROXY_AUTHZ */ - op->o_ctrls, -#endif /* ! LDAP_BACK_PROXY_AUTHZ */ NULL, &msgid ); #ifdef LDAP_BACK_PROXY_AUTHZ diff --git a/servers/slapd/back-ldap/search.c b/servers/slapd/back-ldap/search.c index a652863997..8e2ea171a8 100644 --- a/servers/slapd/back-ldap/search.c +++ b/servers/slapd/back-ldap/search.c @@ -60,9 +60,7 @@ ldap_back_search( struct berval mfilter = BER_BVNULL; int dontfreetext = 0; dncookie dc; -#ifdef LDAP_BACK_PROXY_AUTHZ LDAPControl **ctrls = NULL; -#endif /* LDAP_BACK_PROXY_AUTHZ */ lc = ldap_back_getconn(op, rs); if ( !lc ) { @@ -133,6 +131,7 @@ ldap_back_search( goto finish; } + ctrls = op->o_ctrls; #ifdef LDAP_BACK_PROXY_AUTHZ rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls ); if ( rc != LDAP_SUCCESS ) { @@ -144,12 +143,7 @@ ldap_back_search( rs->sr_err = ldap_search_ext(lc->ld, mbase.bv_val, op->ors_scope, mfilter.bv_val, mapped_attrs, op->ors_attrsonly, -#ifdef LDAP_BACK_PROXY_AUTHZ - ctrls, -#else /* ! LDAP_BACK_PROXY_AUTHZ */ - op->o_ctrls, -#endif /* ! LDAP_BACK_PROXY_AUTHZ */ - NULL, + ctrls, NULL, tv.tv_sec ? &tv : NULL, op->ors_slimit, &msgid ); -- 2.39.5