clean up unnecessary checks; don't use SASL native authz if authz ID is not static, because back-ldap pools connections...

This commit is contained in:
Pierangelo Masarati 2004-06-21 00:57:12 +00:00
parent eca48b6f20
commit 1f70ad82f2
3 changed files with 34 additions and 7 deletions

View File

@ -403,8 +403,7 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
* control to every operation with the dn bound
* to the connection as control value.
*/
if ( op->o_conn != NULL && ( ( BER_BVISNULL( &lc->bound_dn ) || BER_BVISEMPTY( &lc->bound_dn ) ) ) )
{
if ( op->o_conn != NULL && BER_BVISNULL( &lc->bound_dn ) ) {
struct berval binddn = slap_empty_bv;
struct berval bindcred = slap_empty_bv;
int dobind = 0;
@ -464,6 +463,7 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
case LDAP_BACK_IDASSERT_SELF:
if ( BER_BVISNULL( &op->o_conn->c_dn ) ) {
/* connection is not authc'd, so don't idassert */
BER_BVSTR( &authzID, "dn:" );
break;
}
authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_dn.bv_len;
@ -772,23 +772,26 @@ ldap_back_proxy_authz_ctrl(
goto done;
}
if ( !BER_BVISNULL( &lc->bound_dn ) && !BER_BVISEMPTY( &lc->bound_dn ) ) {
if ( !BER_BVISNULL( &lc->bound_dn ) ) {
goto done;
}
if ( BER_BVISNULL( &op->o_conn->c_dn ) || BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
if ( BER_BVISNULL( &op->o_conn->c_dn ) ) {
goto done;
}
if ( BER_BVISNULL( &li->idassert_authcDN ) || BER_BVISEMPTY( &li->idassert_authcDN ) ) {
if ( BER_BVISNULL( &li->idassert_authcDN ) ) {
goto done;
}
} else if ( li->idassert_authmethod == LDAP_AUTH_SASL ) {
if ( ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ )
&& !BER_BVISNULL( &op->o_conn->c_dn ) && !BER_BVISEMPTY( &op->o_conn->c_dn ) )
/* && ( !BER_BVISNULL( &op->o_conn->c_dn ) || lc->bound ) */ )
{
/* already asserted in SASL via native authz */
/* NOTE: the test on lc->bound is used to trap
* native authorization of anonymous users,
* since in that case op->o_conn->c_dn is NULL */
goto done;
}

View File

@ -29,6 +29,7 @@ extern BI_close ldap_back_close;
extern BI_destroy ldap_back_destroy;
extern BI_db_init ldap_back_db_init;
extern BI_db_open ldap_back_db_open;
extern BI_db_destroy ldap_back_db_destroy;
extern BI_db_config ldap_back_db_config;

View File

@ -60,7 +60,7 @@ ldap_back_initialize(
bi->bi_db_init = ldap_back_db_init;
bi->bi_db_config = ldap_back_db_config;
bi->bi_db_open = 0;
bi->bi_db_open = ldap_back_db_open;
bi->bi_db_close = 0;
bi->bi_db_destroy = ldap_back_db_destroy;
@ -162,6 +162,29 @@ ldap_back_db_init(
return 0;
}
int
ldap_back_db_open( BackendDB *be )
{
struct ldapinfo *li = (struct ldapinfo *)be->be_private;
#ifdef LDAP_BACK_PROXY_AUTHZ
/* by default, use proxyAuthz control on each operation */
switch ( li->idassert_mode ) {
case LDAP_BACK_IDASSERT_LEGACY:
case LDAP_BACK_IDASSERT_SELF:
/* however, since admin connections are pooled and shared,
* only static authzIDs can be native */
li->idassert_flags &= ~LDAP_BACK_AUTH_NATIVE_AUTHZ;
break;
default:
break;
}
#endif /* LDAP_BACK_PROXY_AUTHZ */
return 0;
}
void
ldap_back_conn_free(
void *v_lc