From c7262c7599eb883d5b28a1dbf64e9883cb17a851 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Thu, 25 Apr 2002 02:05:34 +0000 Subject: [PATCH] Added rebind-as-user option; saves bind credentials and sets a rebind_proc to allow chasing referrals using the same user's credentials. --- servers/slapd/back-ldap/back-ldap.h | 2 ++ servers/slapd/back-ldap/bind.c | 35 +++++++++++++++++++++++++++-- servers/slapd/back-ldap/config.c | 10 +++++++++ servers/slapd/back-ldap/init.c | 3 +++ servers/slapd/back-ldap/unbind.c | 3 +++ 5 files changed, 51 insertions(+), 2 deletions(-) diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h index 3117a1cfbb..e68c3d138b 100644 --- a/servers/slapd/back-ldap/back-ldap.h +++ b/servers/slapd/back-ldap/back-ldap.h @@ -53,6 +53,7 @@ struct slap_op; struct ldapconn { struct slap_conn *conn; LDAP *ld; + struct berval cred; struct berval bound_dn; int bound; }; @@ -74,6 +75,7 @@ struct ldapinfo { char *binddn; char *bindpw; ldap_pvt_thread_mutex_t conn_mutex; + int savecred; Avlnode *conntree; #ifdef ENABLE_REWRITE struct rewrite_info *rwinfo; diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c index 064bca788e..2c1af55ef7 100644 --- a/servers/slapd/back-ldap/bind.c +++ b/servers/slapd/back-ldap/bind.c @@ -49,6 +49,8 @@ #define PRINT_CONNTREE 0 +static LDAP_REBIND_PROC ldap_back_rebind; + int ldap_back_bind( Backend *be, @@ -111,8 +113,19 @@ ldap_back_bind( lc->bound = 1; } + if ( li->savecred ) { + if ( lc->cred.bv_val ) + ch_free( lc->cred.bv_val ); + ber_dupbv( &lc->cred, cred ); + ldap_set_rebind_proc( lc->ld, ldap_back_rebind, lc ); + } + + if ( lc->bound_dn.bv_val ) + ch_free( lc->bound_dn.bv_val ); if ( mdn.bv_val != dn->bv_val ) { - free( mdn.bv_val ); + lc->bound_dn = mdn; + } else { + ber_dupbv( &lc->bound_dn, dn ); } return( rc ); 
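Review bot: The copy of the bind password made by `ber_dupbv( &lc->cred, cred )` is later released with a bare `ch_free( lc->cred.bv_val )`, here and in the conn_free hunk of init.c and the ldap_back_conn_destroy hunk of unbind.c, so the plaintext secret stays in freed heap memory for the connection's lifetime and beyond. Each of those three sites should clear the buffer first, `memset( lc->cred.bv_val, 0, lc->cred.bv_len );` before `ch_free( lc->cred.bv_val );`, noting that a plain memset immediately before free can be elided by the optimizer, so a volatile-safe clearing helper is preferable where one is available. The `if ( li->savecred )` block also runs after the block that sets `lc->bound = 1` has closed, which looks like it caches the credentials and installs the rebind proc even when the bind failed; the start of ldap_back_bind and the condition guarding `lc->bound = 1` are outside the hunk, but if so the save should sit under that same success condition. The same applies to the new unconditional replacement of `lc->bound_dn`, since ldap_back_dobind (later hunk) re-sends `lc->bound_dn` and `lc->cred` as a simple bind.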
@@ -219,6 +232,9 @@ ldap_back_getconn(struct ldapinfo *li, Connection *conn, Operation *op) lc->conn = conn; lc->ld = ld; + lc->cred.bv_len = 0; + lc->cred.bv_val = NULL; + #ifdef ENABLE_REWRITE /* * Sets a cookie for the rewrite session @@ -341,7 +357,7 @@ ldap_back_dobind(struct ldapconn *lc, Operation *op) return( lc->bound ); } - if (ldap_bind_s(lc->ld, lc->bound_dn.bv_val, NULL, LDAP_AUTH_SIMPLE) != + if (ldap_bind_s(lc->ld, lc->bound_dn.bv_val, lc->cred.bv_val, LDAP_AUTH_SIMPLE) != LDAP_SUCCESS) { ldap_back_op_result(lc, op); return( 0 ); @@ -349,6 +365,21 @@ ldap_back_dobind(struct ldapconn *lc, Operation *op) return( lc->bound = 1 ); } +/* + * ldap_back_rebind + * + * This is a callback used for chasing referrals using the same + * credentials as the original user on this session. + */ +static int +ldap_back_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request, + ber_int_t msgid, void *params ) +{ + struct ldapconn *lc = params; + + return ldap_bind_s( ld, lc->bound_dn.bv_val, lc->cred.bv_val, LDAP_AUTH_SIMPLE ); +} + /* Map API errors to protocol errors... */ int diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c index 87e4fe40a0..f6d2f3832b 100644 --- a/servers/slapd/back-ldap/config.c +++ b/servers/slapd/back-ldap/config.c @@ -111,6 +111,16 @@ ldap_back_db_config( } li->bindpw = ch_strdup(argv[1]); + /* save bind creds for referral rebinds? */ + } else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) { + if (argc != 1) { + fprintf( stderr, + "%s: line %d: rebind-as-user takes no arguments\n", + fname, lineno ); + return( 1 ); + } + li->savecred = 1; + /* dn massaging */ } else if ( strcasecmp( argv[0], "suffixmassage" ) == 0 ) { #ifndef ENABLE_REWRITE diff --git a/servers/slapd/back-ldap/init.c b/servers/slapd/back-ldap/init.c index 0a15816a1e..d744a97681 100644 --- a/servers/slapd/back-ldap/init.c +++ b/servers/slapd/back-ldap/init.c 
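Review bot: ldap_back_rebind sends the cached simple-bind password to whichever server the referral names, yet the `url` parameter is never examined, and the header comment does not say so; a reader of this callback should be told that the password leaves the session for an arbitrary referral target, including one reached without TLS. The comment could continue after its second sentence with: `The referral URL is not checked, so the user's password is disclosed to whatever server the referral points at; callers enabling rebind-as-user must trust every referral target.` The `request` and `msgid` parameters are unused, which is fine for this callback, but a `(void)` cast or a one-word comment would make that explicit. The return value of `ldap_bind_s` is passed straight back as the rebind result; if the library expects a specific convention there, it is worth stating in the comment.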
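Review bot: The one-line comment introducing the `rebind-as-user` branch in ldap_back_db_config describes the mechanism but not its consequence, and this is the only place an administrator-facing option is named, so the security trade-off belongs here. I would replace `/* save bind creds for referral rebinds? */` with `/* rebind-as-user: keep each session's plaintext bind password in memory for the life of the backend connection and re-send it to referred-to servers when chasing referrals */`. The `argc != 1` check and its error message are fine as written.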
@@ -136,6 +136,9 @@ conn_free( if ( lc->bound_dn.bv_val ) { ch_free( lc->bound_dn.bv_val ); } + if ( lc->cred.bv_val ) { + ch_free( lc->cred.bv_val ); + } ch_free( lc ); } diff --git a/servers/slapd/back-ldap/unbind.c b/servers/slapd/back-ldap/unbind.c index f3f5617d5d..a15452721a 100644 --- a/servers/slapd/back-ldap/unbind.c +++ b/servers/slapd/back-ldap/unbind.c @@ -97,6 +97,9 @@ ldap_back_conn_destroy( if ( lc->bound_dn.bv_val ) { ch_free( lc->bound_dn.bv_val ); } + if ( lc->cred.bv_val ) { + ch_free( lc->cred.bv_val ); + } ch_free( lc ); } -- 2.39.5