mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
clean up unnecessary checks; don't use SASL native authz if authz ID is not static, because back-ldap pools connections...
This commit is contained in:
parent
eca48b6f20
commit
1f70ad82f2
@ -403,8 +403,7 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
|
||||
* control to every operation with the dn bound
|
||||
* to the connection as control value.
|
||||
*/
|
||||
if ( op->o_conn != NULL && ( ( BER_BVISNULL( &lc->bound_dn ) || BER_BVISEMPTY( &lc->bound_dn ) ) ) )
|
||||
{
|
||||
if ( op->o_conn != NULL && BER_BVISNULL( &lc->bound_dn ) ) {
|
||||
struct berval binddn = slap_empty_bv;
|
||||
struct berval bindcred = slap_empty_bv;
|
||||
int dobind = 0;
|
||||
@ -464,6 +463,7 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
|
||||
case LDAP_BACK_IDASSERT_SELF:
|
||||
if ( BER_BVISNULL( &op->o_conn->c_dn ) ) {
|
||||
/* connection is not authc'd, so don't idassert */
|
||||
BER_BVSTR( &authzID, "dn:" );
|
||||
break;
|
||||
}
|
||||
authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_dn.bv_len;
|
||||
@ -772,23 +772,26 @@ ldap_back_proxy_authz_ctrl(
|
||||
goto done;
|
||||
}
|
||||
|
||||
if ( !BER_BVISNULL( &lc->bound_dn ) && !BER_BVISEMPTY( &lc->bound_dn ) ) {
|
||||
if ( !BER_BVISNULL( &lc->bound_dn ) ) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
if ( BER_BVISNULL( &op->o_conn->c_dn ) || BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
|
||||
if ( BER_BVISNULL( &op->o_conn->c_dn ) ) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
if ( BER_BVISNULL( &li->idassert_authcDN ) || BER_BVISEMPTY( &li->idassert_authcDN ) ) {
|
||||
if ( BER_BVISNULL( &li->idassert_authcDN ) ) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
} else if ( li->idassert_authmethod == LDAP_AUTH_SASL ) {
|
||||
if ( ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ )
|
||||
&& !BER_BVISNULL( &op->o_conn->c_dn ) && !BER_BVISEMPTY( &op->o_conn->c_dn ) )
|
||||
/* && ( !BER_BVISNULL( &op->o_conn->c_dn ) || lc->bound ) */ )
|
||||
{
|
||||
/* already asserted in SASL via native authz */
|
||||
/* NOTE: the test on lc->bound is used to trap
|
||||
* native authorization of anonymous users,
|
||||
* since in that case op->o_conn->c_dn is NULL */
|
||||
goto done;
|
||||
}
|
||||
|
||||
|
@ -29,6 +29,7 @@ extern BI_close ldap_back_close;
|
||||
extern BI_destroy ldap_back_destroy;
|
||||
|
||||
extern BI_db_init ldap_back_db_init;
|
||||
extern BI_db_open ldap_back_db_open;
|
||||
extern BI_db_destroy ldap_back_db_destroy;
|
||||
|
||||
extern BI_db_config ldap_back_db_config;
|
||||
|
@ -60,7 +60,7 @@ ldap_back_initialize(
|
||||
|
||||
bi->bi_db_init = ldap_back_db_init;
|
||||
bi->bi_db_config = ldap_back_db_config;
|
||||
bi->bi_db_open = 0;
|
||||
bi->bi_db_open = ldap_back_db_open;
|
||||
bi->bi_db_close = 0;
|
||||
bi->bi_db_destroy = ldap_back_db_destroy;
|
||||
|
||||
@ -162,6 +162,29 @@ ldap_back_db_init(
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
ldap_back_db_open( BackendDB *be )
|
||||
{
|
||||
struct ldapinfo *li = (struct ldapinfo *)be->be_private;
|
||||
|
||||
#ifdef LDAP_BACK_PROXY_AUTHZ
|
||||
/* by default, use proxyAuthz control on each operation */
|
||||
switch ( li->idassert_mode ) {
|
||||
case LDAP_BACK_IDASSERT_LEGACY:
|
||||
case LDAP_BACK_IDASSERT_SELF:
|
||||
/* however, since admin connections are pooled and shared,
|
||||
* only static authzIDs can be native */
|
||||
li->idassert_flags &= ~LDAP_BACK_AUTH_NATIVE_AUTHZ;
|
||||
break;
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
#endif /* LDAP_BACK_PROXY_AUTHZ */
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
ldap_back_conn_free(
|
||||
void *v_lc
|
||||
|
Loading…
Reference in New Issue
Block a user