From d6e7f0f630ca0a113c45f4ff22d1ded036d06d31 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Tue, 11 Jun 2002 22:56:47 +0000
Subject: [PATCH] Rework c_authzid_backend in preparation for sasl_setpass() support
---
 servers/slapd/backglue.c | 9 ++++++++-
 servers/slapd/bind.c | 6 ++++--
 servers/slapd/connection.c | 40 ++++++++++++++++++-------------------
 servers/slapd/passwd.c | 23 ++++++++++++++-------
 servers/slapd/saslauthz.c | 41 +++++++++++++++++++++-----------------
 5 files changed, 70 insertions(+), 49 deletions(-)
diff --git a/servers/slapd/backglue.c b/servers/slapd/backglue.c
index e2afd09156..af3949325d 100644
--- a/servers/slapd/backglue.c
+++ b/servers/slapd/backglue.c
@@ -413,8 +413,15 @@ glue_back_bind (
 be = glue_back_select (b0, ndn->bv_val);
 if (be && be->be_bind) {
- conn->c_authz_backend = be;
 rc = be->be_bind (be, conn, op, dn, ndn, method, cred, edn);
+
+ if( rc == LDAP_SUCCESS ) {
+ ldap_pvt_thread_mutex_lock( &conn->c_mutex );
+ if( conn->c_authz_backend == NULL ) {
+ conn->c_authz_backend = be;
+ }
+ ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
+ }
 } else {
 rc = LDAP_UNWILLING_TO_PERFORM;
 send_ldap_result (conn, op, rc, NULL, "No bind target found",
diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index cbbb1383f6..677d7dea1e 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -478,8 +478,6 @@ do_bind(
 goto cleanup;
 }
- conn->c_authz_backend = be;
-
 if ( be->be_bind ) {
 int ret;
@@ -492,6 +490,10 @@ do_bind(
 if ( ret == 0 ) {
 ldap_pvt_thread_mutex_lock( &conn->c_mutex );
+ if( conn->c_authz_backend == NULL ) {
+ conn->c_authz_backend = be;
+ }
+
 if(edn.bv_len) {
 conn->c_dn = edn;
 } else {
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index a93af0d116..037f4c759b 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
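Review bot: The `if( conn->c_authz_backend == NULL )` guard in do_bind is undocumented, and it only does the right thing if the field was reset earlier in the same bind (connection2anonymous sets it to NULL in this patch, but where do_bind calls it is outside the hunk); otherwise a stale backend from a previous bind on the connection would survive the rebind. The apparent reason for the guard is that glue_back_bind and slap_sasl2dn, both touched by this patch, may already have recorded a more specific backend by the time be_bind returns. Suggest a why-comment on the guard: `/* glue_back_bind() or slap_sasl2dn() may already have picked a more specific backend; keep it */`. do_bind starts and ends outside this hunk.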
@@ -573,8 +573,8 @@ long connection_init(
 void connection2anonymous( Connection *c )
 {
- assert( connections != NULL );
- assert( c != NULL );
+ assert( connections != NULL );
+ assert( c != NULL );
 {
 ber_len_t max = sockbuf_max_incoming;
@@ -587,16 +587,16 @@ void connection2anonymous( Connection *c )
 }
 c->c_authmech.bv_len = 0;
- if(c->c_dn.bv_val != NULL) {
- free(c->c_dn.bv_val);
- c->c_dn.bv_val = NULL;
- }
- c->c_dn.bv_len = 0;
- if(c->c_ndn.bv_val != NULL) {
- free(c->c_ndn.bv_val);
- c->c_ndn.bv_val = NULL;
- }
- c->c_ndn.bv_len = 0;
+ if(c->c_dn.bv_val != NULL) {
+ free(c->c_dn.bv_val);
+ c->c_dn.bv_val = NULL;
+ }
+ c->c_dn.bv_len = 0;
+ if(c->c_ndn.bv_val != NULL) {
+ free(c->c_ndn.bv_val);
+ c->c_ndn.bv_val = NULL;
+ }
+ c->c_ndn.bv_len = 0;
 if(c->c_cdn.bv_val != NULL) {
 free(c->c_cdn.bv_val);
@@ -605,17 +605,15 @@ void connection2anonymous( Connection *c )
 }
 c->c_cdn.bv_len = 0;
 c->c_authz_backend = NULL;
-
- {
- GroupAssertion *g, *n;
- for (g = c->c_groups; g; g=n)
+ {
- n = g->ga_next;
- free(g);
+ GroupAssertion *g, *n;
+ for (g = c->c_groups; g; g=n) {
+ n = g->ga_next;
+ free(g);
+ }
+ c->c_groups = NULL;
 }
- c->c_groups = NULL;
- }
-
 }
 static void
diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c
index 4bc064a0ad..7f2a4cdfcc 100644
--- a/servers/slapd/passwd.c
+++ b/servers/slapd/passwd.c
@@ -29,6 +29,7 @@ int passwd_extop(
 const char **text, BerVarray *refs )
 {
+ Backend *be;
 int rc;
 assert( reqoid != NULL );
@@ -39,7 +40,16 @@ int passwd_extop(
 return LDAP_STRONG_AUTH_REQUIRED;
 }
- if( conn->c_authz_backend == NULL || !conn->c_authz_backend->be_extended ) {
+ ldap_pvt_thread_mutex_lock( &conn->c_mutex );
+ be = conn->c_authz_backend;
+ ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
+
+ if( be == NULL ) {
+ *text = "operation not supported for SASL user";
+ return LDAP_UNWILLING_TO_PERFORM;
+ }
+
+ if( !be->be_extended ) {
 *text = "operation not supported for current user";
 return LDAP_UNWILLING_TO_PERFORM;
 }
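Review bot: `be` is copied out of `conn->c_authz_backend` under c_mutex but is dereferenced for the rest of passwd_extop after the lock is released, so the snapshot only helps if a Backend stays valid after the connection lets go of it; nothing in the hunk says so, and a comment should state that assumption, e.g. `/* snapshot under c_mutex; the Backend itself is not freed while the connection uses it */`. The split into two messages also encodes an assumption: the `be == NULL` branch reports "operation not supported for SASL user", which is only accurate if a SASL mapping that found no backend is the only way an authenticated connection reaches this point with a NULL backend (do_bind and glue_back_bind in this patch both record one on a successful bind), so a comment pointing at slap_sasl2dn would help anyone debugging a simple bind that somehow hits it. passwd_extop starts above and continues below this hunk.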
@@ -47,23 +57,22 @@ int passwd_extop(
 {
 struct berval passwd = BER_BVC( LDAP_EXOP_MODIFY_PASSWD );
- rc = backend_check_restrictions( conn->c_authz_backend,
- conn, op, &passwd, text );
+ rc = backend_check_restrictions( be, conn, op, &passwd, text );
 }
 if( rc != LDAP_SUCCESS ) {
 return rc;
 }
- if( conn->c_authz_backend->be_update_ndn.bv_len ) {
+ if( be->be_update_ndn.bv_len ) {
 /* we SHOULD return a referral in this case */
- *refs = referral_rewrite( conn->c_authz_backend->be_update_refs,
+ *refs = referral_rewrite( be->be_update_refs,
 NULL, NULL, LDAP_SCOPE_DEFAULT );
 rc = LDAP_REFERRAL;
 } else {
- rc = conn->c_authz_backend->be_extended(
- conn->c_authz_backend, conn, op,
+ rc = be->be_extended(
+ be, conn, op,
 reqoid, reqdata, rspoid, rspdata, rspctrls, text, refs );
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index d196a4f084..8efc6d6713 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -357,21 +357,22 @@ static int sasl_sc_sasl2dn( BackendDB *be, Connection *conn, Operation *o,
 struct berval *ndn = o->o_callback->sc_private;
 /* We only want to be called once */
- if (ndn->bv_val) {
+ if( ndn->bv_val ) {
 free(ndn->bv_val);
 ndn->bv_val = NULL;
+
 #ifdef NEW_LOGGING
- LDAP_LOG(( "sasl", LDAP_LEVEL_DETAIL1,
- "slap_sasl2dn: search DN returned more than 1 entry\n" ));
+ LDAP_LOG(( "sasl", LDAP_LEVEL_DETAIL1,
+ "slap_sasl2dn: search DN returned more than 1 entry\n" ));
 #else
- Debug( LDAP_DEBUG_TRACE,
- "slap_sasl2dn: search DN returned more than 1 entry\n", 0,0,0 );
+ Debug( LDAP_DEBUG_TRACE,
+ "slap_sasl2dn: search DN returned more than 1 entry\n", 0,0,0 );
 #endif
 return -1;
- } else {
- ber_dupbv(ndn, &e->e_nname);
- return 0;
 }
+
+ ber_dupbv(ndn, &e->e_nname);
+ return 0;
 }
 /*
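Review bot: The duplicate-entry branch of sasl_sc_sasl2dn frees the stored DN and sets `ndn->bv_val = NULL;` but leaves `ndn->bv_len` as it was, so the berval ends up with a NULL value and a non-zero length. slap_sasl2dn initialises both fields before the search and, later in this patch, uses `dn->bv_len` alone to decide that a DN was found, so a multi-entry match would be treated as success with a NULL DN; add `ndn->bv_len = 0;` directly after the NULL assignment. The search is issued with a size limit of 1 elsewhere in the patch, so this branch may be hard to reach, but the callback should still leave the berval consistent. The function's opening lines are outside the hunk.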
@@ -396,9 +397,10 @@ void slap_sasl2dn( Connection *conn, struct berval *saslname, struct berval *dn
 LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
 "slap_sasl2dn: converting SASL name %s to DN.\n", saslname->bv_val ));
 #else
- Debug( LDAP_DEBUG_TRACE,
- "==>slap_sasl2dn: Converting SASL name %s to a DN\n", saslname->bv_val, 0,0 );
+ Debug( LDAP_DEBUG_TRACE, "==>slap_sasl2dn: "
+ "converting SASL name %s to a DN\n", saslname->bv_val, 0,0 );
 #endif
+ dn->bv_val = NULL;
 dn->bv_len = 0;
 cb.sc_private = dn;
@@ -414,8 +416,6 @@ void slap_sasl2dn( Connection *conn, struct berval *saslname, struct berval *dn
 be = select_backend( &uri.dn, 0, 1 );
- conn->c_authz_backend = be;
-
 /* Massive shortcut: search scope == base */
 if( uri.scope == LDAP_SCOPE_BASE ) {
 *dn = uri.dn;
@@ -426,16 +426,17 @@ void slap_sasl2dn( Connection *conn, struct berval *saslname, struct berval *dn
 #ifdef NEW_LOGGING
 LDAP_LOG(( "sasl", LDAP_LEVEL_DETAIL1,
- "slap_sasl2dn: performing internal search (base=%s, scope=%d)\n",
- uri.dn.bv_val, uri.scope ));
+ "slap_sasl2dn: performing internal search (base=%s, scope=%d)\n",
+ uri.dn.bv_val, uri.scope ));
 #else
 Debug( LDAP_DEBUG_TRACE,
 "slap_sasl2dn: performing internal search (base=%s, scope=%d)\n",
 uri.dn.bv_val, uri.scope, 0 );
 #endif
- if(( be == NULL ) || ( be->be_search == NULL))
+ if(( be == NULL ) || ( be->be_search == NULL)) {
 goto FINISHED;
+ }
 suffix_alias( be, &uri.dn );
 op.o_tag = LDAP_REQ_SEARCH;
@@ -444,10 +445,14 @@ void slap_sasl2dn( Connection *conn, struct berval *saslname, struct berval *dn
 op.o_callback = &cb;
 op.o_time = slap_get_time();
- (*be->be_search)( be, /*conn*/NULL, &op, /*base*/NULL, &uri.dn,
- uri.scope, /*deref=*/1, /*sizelimit=*/1, /*time=*/0, filter, /*fstr=*/NULL,
- /*attrs=*/NULL, /*attrsonly=*/0 );
+ (*be->be_search)( be, NULL, &op, NULL, &uri.dn,
+ uri.scope, LDAP_DEREF_NEVER, 1, 0,
+ filter, NULL, NULL, 1 );
+
+ if( dn->bv_len ) {
+ conn->c_authz_backend = be;
+ }
+
 FINISHED:
 if( uri.dn.bv_len ) ch_free( uri.dn.bv_val );
 if( uri.filter.bv_len ) ch_free( uri.filter.bv_val );
-- 2.39.5
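Review bot: The new `conn->c_authz_backend = be;` after the search writes the field without holding `conn->c_mutex`, while every other access to it in this patch (bind.c, backglue.c, passwd.c) is under that lock; either wrap it — `ldap_pvt_thread_mutex_lock( &conn->c_mutex ); conn->c_authz_backend = be; ldap_pvt_thread_mutex_unlock( &conn->c_mutex );` — or add a comment explaining why this path is safe unlocked. Moving the assignment from just after select_backend() to after the search also means the base-scope shortcut earlier in the function no longer records a backend if it jumps to FINISHED (the lines between the hunks are not shown), so passwd_extop would refuse password changes for users mapped by a base-scope sasl-regexp; if that is intended ahead of sasl_setpass(), say so in a comment. The `if( dn->bv_len )` test also depends on the callback keeping bv_len in step with bv_val. slap_sasl2dn starts outside the hunk.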