From f19df0a307052a8a1f189621c0083b8e4a118121 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Wed, 5 Feb 2003 22:04:20 +0000 Subject: [PATCH] add 'rebind-as-user' according to back-ldap's implementation --- doc/man/man5/slapd-meta.5 | 4 ++++ servers/slapd/back-meta/back-meta.h | 3 +++ servers/slapd/back-meta/bind.c | 26 ++++++++++++++++++++++++++ servers/slapd/back-meta/config.c | 10 ++++++++++ 4 files changed, 43 insertions(+) diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5 index 0de84a62a3..44cd717e60 100644 --- a/doc/man/man5/slapd-meta.5 +++ b/doc/man/man5/slapd-meta.5 @@ -140,6 +140,10 @@ check permissions. This directive sets the password for acl checking in conjunction with the above mentioned "binddn" directive. .TP +.B rebind-as-user +If this option is given, the client's bind credentials are remembered +for rebinds when chasing referrals. +.TP .B pseudorootdn "" This directive, if present, sets the DN that will be substituted to the bind DN if a bind with the backend's "rootdn" succeeds. diff --git a/servers/slapd/back-meta/back-meta.h b/servers/slapd/back-meta/back-meta.h index f78efa28a4..6b02654da0 100644 --- a/servers/slapd/back-meta/back-meta.h +++ b/servers/slapd/back-meta/back-meta.h @@ -91,6 +91,7 @@ struct metasingleconn { LDAP *ld; struct berval bound_dn; + struct berval cred; int bound; #define META_UNBOUND 0 #define META_BOUND 1 @@ -149,6 +150,8 @@ struct metainfo { ldap_pvt_thread_mutex_t conn_mutex; Avlnode *conntree; + + int savecred; }; #define META_OP_ALLOW_MULTIPLE 0x00 diff --git a/servers/slapd/back-meta/bind.c b/servers/slapd/back-meta/bind.c index b3e67fdeed..272ecb901a 100644 --- a/servers/slapd/back-meta/bind.c +++ b/servers/slapd/back-meta/bind.c @@ -77,6 +77,8 @@ #include "../back-ldap/back-ldap.h" #include "back-meta.h" +static LDAP_REBIND_PROC meta_back_rebind; + static int meta_back_do_single_bind( struct metainfo *li, 
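Review bot: The new `struct berval cred;` field in `struct metasingleconn` is where the client's clear-text simple-bind password ends up once `rebind-as-user` is configured, and the header gives no hint that it is more sensitive than the neighbouring `bound_dn`. I would document it in place: `/* clear-text simple-bind password of the client, copied only when li->savecred is set; wipe it before freeing */`. Whether the existing connection-teardown code releases this field at all is outside the diff, so the comment should also state that whoever destroys a `metasingleconn` owns that cleanup.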
@@ -293,6 +295,15 @@ meta_back_do_single_bind( lc->conns[ candidate ].bound = META_BOUND; lc->bound_target = candidate; + if ( li->savecred ) { + if ( lc->conns[ candidate ].cred.bv_val ) + ch_free( lc->conns[ candidate ].cred.bv_val ); + ber_dupbv( &lc->conns[ candidate ].cred, cred ); + ldap_set_rebind_proc( lc->conns[ candidate ].ld, + meta_back_rebind, + &lc->conns[ candidate ] ); + } + if ( li->cache.ttl != META_DNCACHE_DISABLED && ndn->bv_len != 0 ) { ( void )meta_dncache_update_entry( &li->cache, @@ -428,6 +439,21 @@ meta_back_is_valid( struct metaconn *lc, int candidate ) return 0; } +/* + * meta_back_rebind + * + * This is a callback used for chasing referrals using the same + * credentials as the original user on this session. + */ +static int +meta_back_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request, + ber_int_t msgid, void *params ) +{ + struct metasingleconn *lc = params; + + return ldap_bind_s( ld, lc->bound_dn.bv_val, lc->cred.bv_val, LDAP_AUTH_SIMPLE ); +} + /* * FIXME: error return must be handled in a cleaner way ... */ diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c index 4477c2346d..e02adc8df6 100644 --- a/servers/slapd/back-meta/config.c +++ b/servers/slapd/back-meta/config.c @@ -356,6 +356,16 @@ meta_back_db_config( } ber_str2bv( argv[ 1 ], 0L, 1, &li->targets[ i ]->bindpw ); + /* save bind creds for referral rebinds? */ + } else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) { + if (argc != 1) { + fprintf( stderr, + "%s: line %d: rebind-as-user takes no arguments\n", + fname, lineno ); + return( 1 ); + } + li->savecred = 1; + /* name to use as pseudo-root dn */ } else if ( strcasecmp( argv[ 0 ], "pseudorootdn" ) == 0 ) { int i = li->ntargets-1; -- 2.39.2
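Review bot: The previous password is released with a bare `ch_free( lc->conns[ candidate ].cred.bv_val )`, so on every re-bind the old clear-text credential stays readable in freed heap memory; wipe it first, e.g. `memset( lc->conns[ candidate ].cred.bv_val, 0, lc->conns[ candidate ].cred.bv_len );` before the `ch_free` (a plain memset before free can be elided by the compiler, so a volatile-byte loop or the platform's secure-clear routine is preferable where available). The same wipe-then-free is needed wherever a `metasingleconn` is destroyed; that path is not in this diff, and if it does not release `cred` the copy made by `ber_dupbv` leaks together with the password. `meta_back_do_single_bind` begins and ends outside the hunk.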
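Review bot: `meta_back_rebind` never looks at its `url` argument and re-sends the stored clear-text password with `ldap_bind_s( ..., LDAP_AUTH_SIMPLE )` to whatever host a referral names, so any target (or anything able to inject a referral into a result) can make slapd hand the user's password to an arbitrary server, unencrypted when the referral is a plain `ldap://` URL. The callback should parse `url` and refuse to bind unless it points at a server the backend is configured to trust; the scheme check below is the minimum, and comparing host and port against the configured targets would be better but needs the `metainfo`, which the bare `metasingleconn *` passed as `params` does not reach. That `params` pointer must also outlive the `LDAP *` it is attached to, which depends on teardown code outside this diff.
```c
static int
meta_back_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request,
	ber_int_t msgid, void *params )
{
	struct metasingleconn *lc = params;
	LDAPURLDesc *ludp = NULL;

	/* The stored clear-text password is about to be sent to whatever
	 * host the referral names; refuse unless the URL is one we trust. */
	if ( ldap_url_parse( url, &ludp ) != LDAP_URL_SUCCESS ) {
		return LDAP_PARAM_ERROR;
	}
	if ( strcasecmp( ludp->lud_scheme, "ldaps" ) != 0 ) {
		/* TODO: also match ludp->lud_host / lud_port against the
		 * configured targets; that needs the metainfo, not just lc */
		ldap_free_urldesc( ludp );
		return LDAP_INAPPROPRIATE_AUTH;
	}
	ldap_free_urldesc( ludp );

	return ldap_bind_s( ld, lc->bound_dn.bv_val, lc->cred.bv_val, LDAP_AUTH_SIMPLE );
}
```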
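Review bot: `rebind-as-user` sets `li->savecred` on the backend-wide `metainfo`, while the directives around it (`bindpw` writes `li->targets[ i ]->bindpw` just above) are per target, so a reader of either the config code or the manual page will likely assume it can be scoped to one target; a comment at the `li->savecred = 1;` line such as `/* backend-wide, unlike binddn/bindpw: applies to every target */` would settle that. The manual entry in this commit also says nothing about the consequence of the option, namely that the client's clear-text password is kept in memory for the life of the cached connection and forwarded to whatever server a referral names; that belongs in the documentation next to the description of the option. On style, the new branch writes `argv[0]` and `if (argc != 1)` where the surrounding code uses `argv[ 0 ]` and `if ( ... )`. `meta_back_db_config` begins and ends outside the hunk.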