From d23313a06862d599f45c1bbb3160974231b39157 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Fri, 21 Dec 2001 04:44:34 +0000
Subject: [PATCH] LDAPv2 disallow and other flag changes Fix compile errors
---
 servers/slapd/bind.c | 6 +++---
 servers/slapd/config.c | 24 ++++++++++++------------
 servers/slapd/root_dse.c | 2 +-
 servers/slapd/schema_check.c | 3 ++-
 servers/slapd/slap.h | 20 +++++++++-----------
 servers/slapd/starttls.c | 14 +++++++-------
 6 files changed, 34 insertions(+), 35 deletions(-)
diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index 1de3d7a72b..b570908f03 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -202,7 +202,7 @@ do_bind(
 NULL, "requested protocol version not supported", NULL, NULL );
 goto cleanup;
- } else if (( global_disallows & SLAP_DISALLOW_BIND_V2 ) &&
+ } else if (!( global_allows & SLAP_ALLOW_BIND_V2 ) &&
 version < LDAP_VERSION3 ) {
 send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR,
@@ -331,13 +331,13 @@ do_bind(
 text = NULL;
 if( cred.bv_len &&
- ( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED ))
+ !( global_allows & SLAP_ALLOW_BIND_ANON_CRED ))
 {
 /* cred is not empty, disallow */
 rc = LDAP_INVALID_CREDENTIALS;
 } else if ( ndn != NULL && *ndn != '\0' &&
- ( global_disallows & SLAP_DISALLOW_BIND_ANON_DN ))
+ !( global_allows & SLAP_ALLOW_BIND_ANON_DN ))
 {
 /* DN is not empty, disallow */
 rc = LDAP_UNWILLING_TO_PERFORM;
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 5ff853b30b..bb73194aef 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
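Review bot: The comment `/* DN is not empty, disallow */` on the last branch of the second hunk should say why that case is refused, because it is the branch a later reader will be tempted to relax: it is reached with a non-empty DN when the credentials are empty (the preceding `cred.bv_len` test has failed) or `bind_anon_cred` is allowed, i.e. the unauthenticated-bind shape that client code routinely mistakes for a successful login. Suggest `/* DN with empty credentials: only treated as an anonymous bind when "allow bind_anon_dn" is set, since clients often mistake this for a real authentication */`. Note also that both hunks invert the default: with no `allow` directive `global_allows` presumably carries none of these bits (config.c resets `allows = 0` before parsing), so LDAPv2 binds now fail with LDAP_PROTOCOL_ERROR and both anonymous shapes are refused, an opt-in change the commit message does not mention. do_bind() starts before the first hunk and continues after the second.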
@@ -1266,8 +1266,14 @@ read_config( const char *fname )
 allows = 0;
 for( i=1; i < cargc; i++ ) {
- if( strcasecmp( cargv[i], "tls_2_anon" ) == 0 ) {
- allows |= SLAP_ALLOW_TLS_2_ANON;
+ if( strcasecmp( cargv[i], "bind_v2" ) == 0 ) {
+ allows |= SLAP_ALLOW_BIND_V2;
+
+ } else if( strcasecmp( cargv[i], "bind_anon_cred" ) == 0 ) {
+ allows |= SLAP_ALLOW_BIND_ANON_CRED;
+
+ } else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
+ allows |= SLAP_ALLOW_BIND_ANON_DN;
 } else if( strcasecmp( cargv[i], "none" ) != 0 ) {
 #ifdef NEW_LOGGING
@@ -1323,24 +1329,18 @@ read_config( const char *fname )
 disallows = 0;
 for( i=1; i < cargc; i++ ) {
- if( strcasecmp( cargv[i], "bind_v2" ) == 0 ) {
- disallows |= SLAP_DISALLOW_BIND_V2;
-
- } else if( strcasecmp( cargv[i], "bind_anon" ) == 0 ) {
+ if( strcasecmp( cargv[i], "bind_anon" ) == 0 ) {
 disallows |= SLAP_DISALLOW_BIND_ANON;
- } else if( strcasecmp( cargv[i], "bind_anon_cred" ) == 0 ) {
- disallows |= SLAP_DISALLOW_BIND_ANON_CRED;
-
- } else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
- disallows |= SLAP_DISALLOW_BIND_ANON_DN;
-
 } else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) {
 disallows |= SLAP_DISALLOW_BIND_SIMPLE;
 } else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) {
 disallows |= SLAP_DISALLOW_BIND_KRBV4;
+ } else if( strcasecmp( cargv[i], "tls_2_anon" ) == 0 ) {
+ disallows |= SLAP_DISALLOW_TLS_2_ANON;
+
 } else if( strcasecmp( cargv[i], "tls_authc" ) == 0 ) {
 disallows |= SLAP_DISALLOW_TLS_AUTHC;
diff --git a/servers/slapd/root_dse.c b/servers/slapd/root_dse.c
index 6ed03ab09f..cd0c20c9e5 100644
--- a/servers/slapd/root_dse.c
+++ b/servers/slapd/root_dse.c
@@ -117,7 +117,7 @@ root_dse_info(
 /* supportedLDAPVersion */
 for ( i=LDAP_VERSION_MIN; i<=LDAP_VERSION_MAX; i++ ) {
- if (( global_disallows & SLAP_DISALLOW_BIND_V2 ) &&
+ if (!( global_allows & SLAP_ALLOW_BIND_V2 ) &&
 ( i < LDAP_VERSION3 ) ) {
 /* version 2 and lower are disallowed */
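Review bot: The second hunk drops `bind_v2`, `bind_anon_cred` and `bind_anon_dn` from the `disallow` parser and the first hunk drops `tls_2_anon` from `allow`, but neither adds a branch for the old spellings, so an existing slapd.conf using them falls into the generic unknown-keyword branch (its body is cut off at the end of the first hunk) with no hint that the polarity moved. That matters because the defaults flip with this change: LDAPv2 and the two anonymous bind shapes are now off unless allowed, and StartTLS-to-anonymous is on unless disallowed, so an operator who simply deletes the rejected line ends up with the opposite of what the old directive expressed. Suggest matching the obsolete keywords explicitly ahead of the catch-all and logging a pointed message, e.g. `} else if( strcasecmp( cargv[i], "bind_v2" ) == 0 ) { /* obsolete: use "allow bind_v2" (LDAPv2 is now refused by default) */` followed by the same failure path the catch-all takes. read_config() starts before and continues after both hunks.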
diff --git a/servers/slapd/schema_check.c b/servers/slapd/schema_check.c
index 95fbba7f1b..c30ee24612 100644
--- a/servers/slapd/schema_check.c
+++ b/servers/slapd/schema_check.c
@@ -76,6 +76,7 @@ entry_schema_check(
 }
 }
+ /* it's a REALLY bad idea to disable schema checks */
 if( !global_schemacheck ) return LDAP_SUCCESS;
 /* find the object class attribute - could error out here */
@@ -559,4 +560,4 @@ int mods_structural_class(
 return structural_class( ocmod->sml_bvalues, sc, text, textbuf, textlen );
-}
\ No newline at end of file
+}
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 0cdb930dea..1987230afe 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -12,6 +12,7 @@
 #include "ldap_defaults.h"
+#include
 #include
 #include
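Review bot: The comment added above `if( !global_schemacheck ) return LDAP_SUCCESS;` states an opinion but not what the early return bypasses, which is what an operator weighing `schemacheck off` actually needs; the line right below it is the objectClass lookup, and mods_structural_class() further down shows structural-class validation also lives in this file. Suggest replacing it with `/* schemacheck off: return before the objectClass lookup and structural-class validation below, so nothing in this function verifies what is written */`. entry_schema_check() starts before the hunk and continues after it.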
@@ -953,19 +954,16 @@ struct slap_backend_db {
 | SLAP_RESTRICT_OP_MODIFY \
 | SLAP_RESTRICT_OP_RENAME )
-#define SLAP_ALLOW_TLS_2_ANON 0x0001U /* StartTLS -> Anonymous */
+#define SLAP_ALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
+#define SLAP_ALLOW_BIND_ANON_CRED 0x0002U /* cred should be empty */
+#define SLAP_ALLOW_BIND_ANON_DN 0x0003U /* dn should be empty */
-#define SLAP_DISALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
-#define SLAP_DISALLOW_BIND_ANON 0x0002U /* no anonymous */
-#define SLAP_DISALLOW_BIND_ANON_CRED \
- 0x0004U /* cred should be empty */
-#define SLAP_DISALLOW_BIND_ANON_DN \
- 0x0008U /* dn should be empty */
+#define SLAP_DISALLOW_BIND_ANON 0x0001U /* no anonymous */
+#define SLAP_DISALLOW_BIND_SIMPLE 0x0002U /* simple authentication */
+#define SLAP_DISALLOW_BIND_KRBV4 0x0004U /* Kerberos V4 authentication */
-#define SLAP_DISALLOW_BIND_SIMPLE 0x0010U /* simple authentication */
-#define SLAP_DISALLOW_BIND_KRBV4 0x0020U /* Kerberos V4 authentication */
-
-#define SLAP_DISALLOW_TLS_AUTHC 0x0100U /* TLS while authenticated */
+#define SLAP_DISALLOW_TLS_2_ANON 0x0010U /* StartTLS -> Anonymous */
+#define SLAP_DISALLOW_TLS_AUTHC 0x0020U /* TLS while authenticated */
 slap_mask_t be_requires; /* pre-operation requirements */
 #define SLAP_REQUIRE_BIND 0x0001U /* bind before op */
diff --git a/servers/slapd/starttls.c b/servers/slapd/starttls.c
index 335213b5af..95dc4bbd2a 100644
--- a/servers/slapd/starttls.c
+++ b/servers/slapd/starttls.c
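Review bot: `SLAP_ALLOW_BIND_ANON_DN` is defined as `0x0003U`, which is not a single bit but the union of `SLAP_ALLOW_BIND_V2` (0x0001) and `SLAP_ALLOW_BIND_ANON_CRED` (0x0002). Every use in this patch tests `global_allows & SLAP_ALLOW_BIND_ANON_DN` as a boolean, so configuring `allow bind_v2` alone makes that test true and lets anonymous binds with a non-empty DN through, while `allow bind_anon_dn` alone silently also turns on LDAPv2 binds and anonymous binds carrying credentials. The value should be the next free bit: `#define SLAP_ALLOW_BIND_ANON_DN 0x0004U /* dn should be empty */`. The renumbered DISALLOW values (0x0001, 0x0002, 0x0004, 0x0010, 0x0020) are distinct and unaffected.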
@@ -61,19 +61,19 @@ starttls_extop (
 goto done;
 }
- if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
+ if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) &&
 ( conn->c_dn != NULL ) )
 {
- *text = "cannot start TLS after authentication";
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
+ /* force to anonymous */
+ connection2anonymous( conn );
 }
- if ( ( global_allows & SLAP_ALLOW_TLS_2_ANON ) &&
+ if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
 ( conn->c_dn != NULL ) )
 {
- /* force to anonymous */
- connection2anonymous( conn );
+ *text = "cannot start TLS after authentication";
+ rc = LDAP_OPERATIONS_ERROR;
+ goto done;
 }
 /* fail if TLS could not be initialized */
-- 
2.39.5
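Review bot: The new ordering makes `disallow tls_authc` unreachable on its own: the first block runs whenever `tls_2_anon` is not disallowed (the new default) and calls connection2anonymous(), and assuming that clears conn->c_dn as its name suggests (its body is not in the diff), the second block's `conn->c_dn != NULL` test is then false, so an authenticated connection is quietly downgraded instead of refused with "cannot start TLS after authentication". The old code evaluated the TLS_AUTHC refusal before any downgrade; the two blocks should be swapped back so the refusal is checked first, with a comment recording that dependency. starttls_extop() starts before and continues after the hunk.

```c
	/* refuse first: once the connection is forced anonymous, c_dn is
	 * gone and the TLS_AUTHC test below could never fire */
	if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
		( conn->c_dn != NULL ) )
	{
		*text = "cannot start TLS after authentication";
		rc = LDAP_OPERATIONS_ERROR;
		goto done;
	}

	if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) &&
		( conn->c_dn != NULL ) )
	{
		/* force to anonymous */
		connection2anonymous( conn );
	}

	/* … unchanged: TLS initialization and its failure handling … */
```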