From f34b11760a6568060bbda7ca2bf595126aeefa9a Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Sat, 19 Jun 2004 18:18:26 +0000
Subject: [PATCH] allow a hidden parameter to instruct the proxy that the SASL mech can do native authz; will disappear as soon as I can detect it automnatically
---
 servers/slapd/back-ldap/back-ldap.h | 11 ++++++
 servers/slapd/back-ldap/bind.c | 59 ++++++++++++++++++-----------
 servers/slapd/back-ldap/config.c | 15 ++++++++
 servers/slapd/back-ldap/init.c | 4 ++
 4 files changed, 66 insertions(+), 23 deletions(-)

diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h
index 2161a8a13f..631e4d0af1 100644
--- a/servers/slapd/back-ldap/back-ldap.h
+++ b/servers/slapd/back-ldap/back-ldap.h
@@ -93,6 +93,16 @@ struct ldapauth {
 int la_sasl_flags;
 struct berval la_sasl_mech;
 struct berval la_sasl_realm;
+
+/* FIXME: required until I find a nice way to determine
+ * whether a SASL mechanism is able to authz natively */
+#define LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+#define LDAP_BACK_AUTH_NONE 0x00
+#define LDAP_BACK_AUTH_NATIVE_AUTHZ 0x01
+ int la_flags;
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
 };

 struct ldapinfo {
@@ -121,6 +131,7 @@ struct ldapinfo {
 #define idassert_sasl_flags idassert_la.la_sasl_flags
 #define idassert_sasl_mech idassert_la.la_sasl_mech
 #define idassert_sasl_realm idassert_la.la_sasl_realm
+#define idassert_flags idassert_la.la_flags

 BerVarray idassert_authz;
 int idassert_ppolicy;
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 028f4d3aa1..15361d60a1 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
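Review bot: `la_flags` and the `LDAP_BACK_AUTH_*` bits go into `struct ldapauth` with no comment on what the flag means or who sets it, and the feature macro `LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ` is `#define`d inside the struct body, unconditionally, so every `#ifdef` on it elsewhere in this patch is always taken. I'd document the field at its declaration: `/* LDAP_BACK_AUTH_* bits; NATIVE_AUTHZ means the SASL mechanism carries the asserted identity itself, so no proxyAuthz control is sent (set via the idassert "authz=native" parameter) */`. The FIXME should also say what "detect automatically" would replace, i.e. that the flag is a stopgap for querying the mechanism's authzid support, and the macro belongs outside the struct next to the other build-time switches rather than between two members. `struct ldapauth` begins before the hunk.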
@@ -448,28 +448,35 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 struct berval authzID = BER_BVNULL;
 int freeauthz = 0;

- switch ( li->idassert_mode ) {
- case LDAP_BACK_IDASSERT_OTHERID:
- case LDAP_BACK_IDASSERT_OTHERDN:
- authzID = li->idassert_authzID;
- break;
-
- case LDAP_BACK_IDASSERT_ANONYMOUS:
- BER_BVSTR( &authzID, "dn:" );
- break;
-
- case LDAP_BACK_IDASSERT_SELF:
- authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_dn.bv_len;
- authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx );
- AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
- AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ),
- op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len + 1 );
- freeauthz = 1;
- break;
-
- default:
- break;
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+ /* if SASL supports native authz, prepare for it */
+ if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
+ switch ( li->idassert_mode ) {
+ case LDAP_BACK_IDASSERT_OTHERID:
+ case LDAP_BACK_IDASSERT_OTHERDN:
+ authzID = li->idassert_authzID;
+ break;
+
+ case LDAP_BACK_IDASSERT_ANONYMOUS:
+ BER_BVSTR( &authzID, "dn:" );
+ break;
+
+ case LDAP_BACK_IDASSERT_SELF:
+ authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_dn.bv_len;
+ authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx );
+ AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
+ AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ),
+ op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len + 1 );
+ freeauthz = 1;
+ break;
+
+ default:
+ break;
+ }
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
 }
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */

 #if 0 /* will deal with this later... */
 if ( sasl_secprops != NULL ) {
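Review bot: The comment `/* if SASL supports native authz, prepare for it */` leaves the other path undocumented: when `LDAP_BACK_AUTH_NATIVE_AUTHZ` is not set, `authzID` stays `BER_BVNULL` and the SASL bind that follows carries no authorization identity, which is presumably what lets `ldap_back_proxy_authz_ctrl()` assert it with a control afterwards. I'd say so at the branch: `/* native authz: hand the asserted identity to SASL as the authzid; otherwise leave authzID empty so the identity is asserted later via the proxyAuthz control */`. The `#ifdef`/`#endif` pairs also open the `if` brace in one preprocessor block and close it in another, and since `LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ` is defined unconditionally in back-ldap.h by this same patch, the guards are always active; writing the `if` plainly would behave the same and remove the brace-balance hazard. `ldap_back_dobind` begins before and continues after the hunk.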
@@ -777,8 +784,14 @@ ldap_back_proxy_authz_ctrl(
 }

 } else if ( li->idassert_authmethod == LDAP_AUTH_SASL ) {
- /* already asserted in SASL */
- goto done;
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+ if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
+ /* already asserted in SASL via native authz */
+ goto done;
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+ }
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */

 } else if ( li->idassert_authz ) {
 int rc;
diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c
index 1b2da1c400..806516053b 100644
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@@ -904,6 +904,21 @@ parse_idassert(
 }
 ber_str2bv( val, 0, 1, &li->idassert_passwd );

+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+ } else if ( strncasecmp( argv[arg], "authz=", STRLENOF( "authz=" ) ) == 0 ) {
+ char *val = argv[arg] + STRLENOF( "authz=" );
+
+ if ( strcasecmp( val, "native" ) == 0 ) {
+ li->idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ;
+
+ } else {
+ fprintf( stderr, "%s: line %s: "
+ "unknown SASL flag \"%s\"\n",
+ fname, lineno, val );
+ return 1;
+ }
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
+
 } else {
 fprintf( stderr, "%s: line %d: "
 "unknown SASL parameter %s\n",
diff --git a/servers/slapd/back-ldap/init.c b/servers/slapd/back-ldap/init.c
index e274baf890..028ff3c2fd 100644
--- a/servers/slapd/back-ldap/init.c
+++ b/servers/slapd/back-ldap/init.c
@@ -117,6 +117,10 @@ ldap_back_db_init(
 BER_BVZERO( &li->idassert_sasl_realm );

 li->idassert_ppolicy = 0;
+
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+ li->idassert_flags = LDAP_BACK_AUTH_NONE;
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
 #endif /* LDAP_BACK_PROXY_AUTHZ */

 #ifdef ENABLE_REWRITE
--
2.39.5
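Review bot: A SASL idassert without `authz=native` now leaves the `else if ( li->idassert_authmethod == LDAP_AUTH_SASL )` branch without reaching `goto done`, but the following `else if ( li->idassert_authz )` belongs to the same chain, so whatever that branch validates against `idassert_authz` is skipped for precisely the configuration that now depends on the control being built further down. I can see only the branch heads here, so this is inferred; if `idassert_authz` lists the identities allowed to use idassert, non-native SASL should not bypass that check. Folding the flag into the condition keeps the chain intact: `} else if ( li->idassert_authmethod == LDAP_AUTH_SASL && ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) ) {` with the existing `goto done;` as its body, and it also retires the `#ifdef` scaffolding that back-ldap.h enables unconditionally. `ldap_back_proxy_authz_ctrl` begins before and continues after the hunk.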
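Review bot: The new error path `fprintf( stderr, "%s: line %s: " "unknown SASL flag \"%s\"\n", fname, lineno, val );` prints `lineno` with `%s`, while the existing message right below it prints the same variable with `%d`; if `lineno` is an integer, as that sibling indicates, the mismatch is undefined behaviour and will typically dereference the line number as a pointer and crash slapd on a mistyped `authz=` value. The fix is the format string only: `"%s: line %d: "`. Since the commit message calls the parameter hidden, a one-line comment above the branch naming the accepted value, `/* authz=native: the SASL mechanism asserts the identity itself, so no proxyAuthz control is sent */`, would save the next reader from grepping for it. `parse_idassert` begins before and continues after the hunk.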