From fab52fa4abcb74f4b9730924b1fac8813b47b343 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Sat, 3 Feb 2001 04:54:09 +0000
Subject: [PATCH] Update backend "restrictions"
---
 servers/slapd/backend.c | 44 ++++++++++++++++++++++++--------------
 servers/slapd/bind.c | 13 ++++++++++-
 servers/slapd/proto-slap.h | 3 ++-
 servers/slapd/search.c | 42 +++++++++++++++++++++++++++++++-----
 4 files changed, 79 insertions(+), 23 deletions(-)
diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 60ed9eb142..bbcfdea56b 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -637,7 +637,7 @@ backend_check_restrictions(
 Backend *be,
 Connection *conn,
 Operation *op,
- const char *extoid,
+ const void *opdata,
 const char **text ) {
 int rc;
@@ -701,7 +701,9 @@ backend_check_restrictions(
 return LDAP_OTHER;
 }
- if (( extoid == NULL || strcmp( extoid, LDAP_EXOP_START_TLS ) ) ) {
+ if ( op->o_tag != LDAP_REQ_EXTENDED
+ || strcmp( (const char *) opdata, LDAP_EXOP_START_TLS ) )
+ {
 /* these checks don't apply to StartTLS */
 if( op->o_tag == LDAP_REQ_EXTENDED ) {
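Review bot: The new condition dereferences `opdata` without a NULL check: `strcmp( (const char *) opdata, LDAP_EXOP_START_TLS )` runs for every `LDAP_REQ_EXTENDED` operation, whereas the removed line tolerated `extoid == NULL`. Nothing in this diff shows the extended-operation caller, so the function now relies on every such caller passing the request OID through an untyped `const void *`, which is easy to violate silently. Keeping the old tolerance costs one clause: `if ( op->o_tag != LDAP_REQ_EXTENDED || opdata == NULL` / `|| strcmp( (const char *) opdata, LDAP_EXOP_START_TLS ) )`. The closing condition of the next hunk (`@@ -709,47 +711,57 @@`) has the same unguarded `strcmp`. backend_check_restrictions begins before this hunk and continues after it.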
@@ -709,47 +711,57 @@ backend_check_restrictions(
 updateop++;
 }
- if( op->o_ssf < ssf->sss_ssf ) {
- *text = "confidentiality required";
- return LDAP_CONFIDENTIALITY_REQUIRED;
- }
 if( op->o_transport_ssf < ssf->sss_transport ) {
 *text = "transport confidentiality required";
 return LDAP_CONFIDENTIALITY_REQUIRED;
 }
+
 if( op->o_tls_ssf < ssf->sss_tls ) {
 *text = "TLS confidentiality required";
 return LDAP_CONFIDENTIALITY_REQUIRED;
 }
- if( op->o_sasl_ssf < ssf->sss_sasl ) {
- *text = "SASL confidentiality required";
- return LDAP_CONFIDENTIALITY_REQUIRED;
- }
- if( updateop ) {
- if( op->o_ssf < ssf->sss_update_ssf ) {
- *text = "update confidentiality required";
+ if( op->o_tag != LDAP_REQ_BIND || opdata == NULL ) {
+ /* these checks don't apply to SASL bind */
+
+ if( op->o_sasl_ssf < ssf->sss_sasl ) {
+ *text = "SASL confidentiality required";
 return LDAP_CONFIDENTIALITY_REQUIRED;
 }
+
+ if( op->o_ssf < ssf->sss_ssf ) {
+ *text = "confidentiality required";
+ return LDAP_CONFIDENTIALITY_REQUIRED;
+ }
+ }
+
+ if( updateop ) {
 if( op->o_transport_ssf < ssf->sss_update_transport ) {
 *text = "transport update confidentiality required";
 return LDAP_CONFIDENTIALITY_REQUIRED;
 }
+
 if( op->o_tls_ssf < ssf->sss_update_tls ) {
 *text = "TLS update confidentiality required";
 return LDAP_CONFIDENTIALITY_REQUIRED;
 }
+
 if( op->o_sasl_ssf < ssf->sss_update_sasl ) {
 *text = "SASL update confidentiality required";
 return LDAP_CONFIDENTIALITY_REQUIRED;
 }
+
+ if( op->o_ssf < ssf->sss_update_ssf ) {
+ *text = "update confidentiality required";
+ return LDAP_CONFIDENTIALITY_REQUIRED;
+ }
 }
 }
- if (( extoid == NULL || strcmp( extoid, LDAP_EXOP_START_TLS ) )
- || op->o_tag == LDAP_REQ_BIND )
+ if ( op->o_tag != LDAP_REQ_BIND && ( op->o_tag != LDAP_REQ_EXTENDED ||
+ strcmp( (const char *) opdata, LDAP_EXOP_START_TLS ) ) )
 {
- /* these checks don't apply to StartTLS or Bind */
+ /* these checks don't apply to Bind or StartTLS */
 if( requires & SLAP_REQUIRE_STRONG ) {
 /* should check mechanism
*/
diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index 460883b88e..b7c4315ed1 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -203,6 +203,14 @@ do_bind(
 goto cleanup;
 }
+ /* check restrictions */
+ rc = backend_check_restrictions( NULL, conn, op, mech, &text );
+ if( rc != LDAP_SUCCESS ) {
+ send_ldap_result( conn, op, rc,
+ NULL, text, NULL, NULL );
+ goto cleanup;
+ }
+
 ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 if ( conn->c_sasl_bind_mech != NULL ) {
@@ -290,6 +298,9 @@ do_bind(
 /* disallow */
 rc = LDAP_INAPPROPRIATE_AUTH;
 text = "anonymous bind disallowed";
+
+ } else {
+ rc = backend_check_restrictions( NULL, conn, op, mech, &text );
 }
 /*
@@ -363,7 +374,7 @@ do_bind(
 }
 /* check restrictions */
- rc = backend_check_restrictions( be, conn, op, NULL, &text ) ;
+ rc = backend_check_restrictions( be, conn, op, NULL, &text );
 if( rc != LDAP_SUCCESS ) {
 send_ldap_result( conn, op, rc,
 NULL, text, NULL, NULL );
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 043e55baa4..ecdaaf2dfe 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -166,7 +166,7 @@ LDAP_SLAPD_F( int ) backend_check_restrictions LDAP_P((
 Backend *be,
 Connection *conn,
 Operation *op,
- const char *extoid,
+ const void *opdata,
 const char **text ));
 LDAP_SLAPD_F( int ) backend_check_referrals LDAP_P((
@@ -779,6 +779,7 @@ LDAP_SLAPD_F (int) global_idletimeout;
 LDAP_SLAPD_F (int) global_schemacheck;
 LDAP_SLAPD_F (char) *global_host;
 LDAP_SLAPD_F (char) *global_realm;
+LDAP_SLAPD_F (int) sasl_external_x509dn_convert;
 LDAP_SLAPD_F (char) *default_passwd_hash;
 LDAP_SLAPD_F (int) lber_debug;
 LDAP_SLAPD_F (int) ldap_syslog;
diff --git a/servers/slapd/search.c b/servers/slapd/search.c
index a0835501f1..5c93c7944e 100644
--- a/servers/slapd/search.c
+++ b/servers/slapd/search.c
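Review bot: The added exemption `if( op->o_tag != LDAP_REQ_BIND || opdata == NULL )` skips the `sss_sasl` and `sss_ssf` requirements for every bind that carries a mechanism name, while the transport and TLS requirements above it still apply; the one-line comment does not say why, and a reader could take the asymmetry for an oversight. Presumably the reason is that the SASL layer measured by `o_sasl_ssf` (and folded into `o_ssf`) is what this very bind negotiates, so it cannot be required before the bind completes; if so, say it: `/* SASL bind: the SASL layer measured by o_sasl_ssf/o_ssf is what this bind negotiates, so only transport/TLS requirements apply here; simple bind (opdata == NULL) gets the full set */`. The closing condition of this hunk shares the unguarded `strcmp` on `opdata` raised at the first hunk. The function continues past the end of the hunk.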
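Review bot: The new early check passes `NULL` as `be`, so only global restrictions can be evaluated at this point; presumably the backend is not known until the SASL identity has been established, but the bare `/* check restrictions */` does not say so, and the identical comment heads the later call that does have `be`. Suggest `/* check global restrictions; the backend is not known until SASL authentication completes */`. do_bind starts before this hunk and continues after it.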
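Review bot: The new `else` branch passes `mech` as `opdata` while the sibling call at `@@ -363,7 +374,7 @@` passes an explicit `NULL`; since backend_check_restrictions decides from `opdata == NULL` whether a bind is subject to the SASL/overall-ssf requirements, what this anonymous-bind path enforces depends on `mech` still being NULL here, which the hunk does not show. If this branch is reached only for simple binds, `rc = backend_check_restrictions( NULL, conn, op, NULL, &text );` makes that explicit and removes the dependency. Where the resulting `rc` is reported lies outside the hunk, which ends at the start of a comment.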
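Review bot: The prototype now takes an untyped `const void *opdata` but nothing documents what each caller must pass, and the backend.c hunks cast it straight to `const char *` for extended operations. From the callers in this diff the contract is: the request OID for `LDAP_REQ_EXTENDED`, the SASL mechanism name (or NULL for a simple bind) for `LDAP_REQ_BIND`, and unused for any other tag. A comment on the declaration would pin that down: `/* opdata: request OID (const char *) for LDAP_REQ_EXTENDED; SASL mechanism name, or NULL for simple bind, for LDAP_REQ_BIND; ignored otherwise */`.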
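Review bot: `LDAP_SLAPD_F (int) sasl_external_x509dn_convert;` is unrelated to the restrictions change named in the subject, and no definition or use of it appears in this diff. If its definition lands in a separate commit, the description should say so; otherwise the declaration belongs with that commit.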
@@ -27,7 +27,7 @@ int do_search(
- Connection *conn, /* where to send results */
+ Connection *conn, /* where to send results */
 Operation *op /* info about the op to which we're responding */
 ) {
 int i;
@@ -140,7 +140,7 @@ do_search(
 goto return_results;
 }
- rc = 0;
+ rc = LDAP_SUCCESS;
 Debug( LDAP_DEBUG_ARGS, " attrs:", 0, 0, 0 );
@@ -156,28 +156,62 @@ do_search(
 "conn=%ld op=%d SRCH base=\"%s\" scope=%d filter=\"%s\"\n",
 op->o_connid, op->o_opid, base, scope, fstr );
+ manageDSAit = get_manageDSAit( op );
+
 if ( scope == LDAP_SCOPE_BASE ) {
 Entry *entry = NULL;
 if ( strcasecmp( nbase, LDAP_ROOT_DSE ) == 0 ) {
+ /* check restrictions */
+ rc = backend_check_restrictions( NULL, conn, op, NULL, &text ) ;
+ if( rc != LDAP_SUCCESS ) {
+ send_ldap_result( conn, op, rc,
+ NULL, text, NULL, NULL );
+ goto return_results;
+ }
+
 rc = root_dse_info( conn, &entry, &text );
 }
 #if defined( SLAPD_MONITOR_DN )
 else if ( strcasecmp( nbase, SLAPD_MONITOR_DN ) == 0 ) {
+ /* check restrictions */
+ rc = backend_check_restrictions( NULL, conn, op, NULL, &text ) ;
+ if( rc != LDAP_SUCCESS ) {
+ send_ldap_result( conn, op, rc,
+ NULL, text, NULL, NULL );
+ goto return_results;
+ }
+
 rc = monitor_info( &entry, &text );
 }
 #endif
 #if defined( SLAPD_CONFIG_DN )
 else if ( strcasecmp( nbase, SLAPD_CONFIG_DN ) == 0 ) {
+ /* check restrictions */
+ rc = backend_check_restrictions( NULL, conn, op, NULL, &text ) ;
+ if( rc != LDAP_SUCCESS ) {
+ send_ldap_result( conn, op, rc,
+ NULL, text, NULL, NULL );
+ goto return_results;
+ }
+
 rc = config_info( &entry, &text );
 }
 #endif
 #if defined( SLAPD_SCHEMA_DN )
 else if ( strcasecmp( nbase, SLAPD_SCHEMA_DN ) == 0 ) {
- rc= schema_info( &entry, &text );
+ /* check restrictions */
+ rc = backend_check_restrictions( NULL, conn, op, NULL, &text ) ;
+ if( rc != LDAP_SUCCESS ) {
+ send_ldap_result( conn, op, rc,
+ NULL, text, NULL, NULL );
+ goto return_results;
+ }
+
+ rc = schema_info( &entry, &text );
 }
 #endif
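Review bot: The four special-DN branches each repeat the same seven-line block (`backend_check_restrictions` with `be == NULL`, `send_ldap_result`, `goto return_results`) and differ only in the info call, so the check is better run once before the chain under the same DN tests, as sketched below. The four added calls also carry a stray space before the semicolon (`&text ) ;`), the very thing the bind.c hunk `@@ -363,7 +374,7 @@` cleans up. Moving `manageDSAit = get_manageDSAit( op );` ahead of this block (and deleting it in the last hunk) looks behaviour-neutral, as far as the hunks show nothing between the two positions reads it. do_search begins before this hunk and continues after it.
```c
	if ( scope == LDAP_SCOPE_BASE ) {
		Entry *entry = NULL;

		if ( strcasecmp( nbase, LDAP_ROOT_DSE ) == 0
#if defined( SLAPD_MONITOR_DN )
			|| strcasecmp( nbase, SLAPD_MONITOR_DN ) == 0
#endif
#if defined( SLAPD_CONFIG_DN )
			|| strcasecmp( nbase, SLAPD_CONFIG_DN ) == 0
#endif
#if defined( SLAPD_SCHEMA_DN )
			|| strcasecmp( nbase, SLAPD_SCHEMA_DN ) == 0
#endif
			)
		{
			/* check restrictions: these entries are served without a backend */
			rc = backend_check_restrictions( NULL, conn, op, NULL, &text );
			if( rc != LDAP_SUCCESS ) {
				send_ldap_result( conn, op, rc,
					NULL, text, NULL, NULL );
				goto return_results;
			}
		}

		if ( strcasecmp( nbase, LDAP_ROOT_DSE ) == 0 ) {
			rc = root_dse_info( conn, &entry, &text );
		}
		/* … unchanged: monitor/config/schema branches, each without its own check … */
```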
@@ -210,8 +244,6 @@ do_search(
 nbase = ch_strdup( default_search_nbase );
 }
- manageDSAit = get_manageDSAit( op );
-
 /*
 * We could be serving multiple database backends. Select the
 * appropriate one, or send a referral to our "referral server"
--
2.39.2