diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index c71e1df78c..a54225e6bb 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -910,7 +910,9 @@ backend_check_restrictions(
 return LDAP_CONFIDENTIALITY_REQUIRED;
 }
- if( op->o_ndn.bv_len == 0 ) {
+ if( !( global_allows & SLAP_ALLOW_UPDATE_ANON ) &&
+ op->o_ndn.bv_len == 0 )
+ {
 *text = "modifications require authentication";
 return LDAP_STRONG_AUTH_REQUIRED;
 }
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 44c410fac1..ec59972183 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -1257,16 +1257,18 @@ read_config( const char *fname, int depth )
 } else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
 allows |= SLAP_ALLOW_BIND_ANON_DN;
+ } else if( strcasecmp( cargv[i], "update_anon" ) == 0 ) {
+ allows |= SLAP_ALLOW_UPDATE_ANON;
+
 } else if( strcasecmp( cargv[i], "none" ) != 0 ) {
 #ifdef NEW_LOGGING
- LDAP_LOG( CONFIG, CRIT,
- "%s: line %d: unknown feature %s in "
- "\"allow \" line.\n",
- fname, lineno, cargv[1] );
+ LDAP_LOG( CONFIG, CRIT, "%s: line %d: "
+ "unknown feature %s in \"allow \" line.\n",
+ fname, lineno, cargv[1] );
 #else
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: unknown feature %s in \"allow \" line\n",
- fname, lineno, cargv[i] );
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "unknown feature %s in \"allow \" line\n",
+ fname, lineno, cargv[i] );
 #endif
 return( 1 );
diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
index 128fe16119..c514fcb672 100644
--- a/servers/slapd/daemon.c
+++ b/servers/slapd/daemon.c
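Review bot: Nothing at the relaxed condition in backend_check_restrictions records that, once `allow update_anon` is configured, an empty `op->o_ndn` passes this point for every database, because the test reads only `global_allows`. From the visible lines, an anonymous write is then limited only by whatever access checks run later, and those are outside this hunk. I would add a comment above the condition, `/* update_anon: anonymous writes skip this check; later access control is the only barrier */`, and repeat the caveat wherever the `allow` directive is documented. The function starts and ends outside the hunk.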
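Review bot: The NEW_LOGGING branch of the unknown-feature error still prints `cargv[1]`, while the Debug branch beside it prints `cargv[i]`; the commit reflows both calls but keeps the mismatch. The surrounding code compares `cargv[i]`, so presumably it iterates over the arguments, and a bad keyword in any later position would be reported as the first one, which is misleading on a line that can now enable anonymous updates. The last line of the LDAP_LOG call should read `fname, lineno, cargv[i] );`. read_config and the enclosing loop begin outside the hunk.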
@@ -672,13 +672,16 @@ static int slap_open_listener(
 }
 }
-#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)
+#ifdef LDAP_PF_LOCAL
+#ifdef SLAP_X_LISTENER_MOD
 if ( lud->lud_exts ) {
 err = get_url_perms( lud->lud_exts, &l.sl_perms, &crit );
- } else {
+ } else
+#endif /* SLAP_X_LISTENER_MOD */
+ {
 l.sl_perms = S_IRWXU;
 }
-#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
+#endif /* LDAP_PF_LOCAL */
 ldap_free_urldesc( lud );
 if ( err ) {
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index eac214f3e2..bb611b8fc8 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1261,7 +1261,9 @@ struct slap_backend_db {
 #define SLAP_ALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
 #define SLAP_ALLOW_BIND_ANON_CRED 0x0002U /* cred should be empty */
-#define SLAP_ALLOW_BIND_ANON_DN 0x0003U /* dn should be empty */
+#define SLAP_ALLOW_BIND_ANON_DN 0x0004U /* dn should be empty */
+
+#define SLAP_ALLOW_UPDATE_ANON 0x0008U /* allow anonymous updates */
 #define SLAP_DISALLOW_BIND_ANON 0x0001U /* no anonymous */
 #define SLAP_DISALLOW_BIND_SIMPLE 0x0002U /* simple authentication */
@@ -1767,9 +1769,7 @@ typedef struct slap_conn {
 struct slap_listener {
 struct berval sl_url;
 struct berval sl_name;
-#ifdef SLAP_X_LISTENER_MOD
- mode_t sl_perms;
-#endif /* SLAP_X_LISTENER_MOD */
+ mode_t sl_perms;
 #ifdef HAVE_TLS
 int sl_is_tls;
 #endif
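Review bot: `l.sl_perms` is now assigned only when LDAP_PF_LOCAL is defined, yet the slap.h hunk at -1767 in this commit makes `sl_perms` an unconditional member of struct slap_listener. In a build without LDAP_PF_LOCAL the field keeps whatever `l` was initialised with, which is not visible here; if `l` is not zeroed, any later reader of `sl_perms` sees an indeterminate mode. I would set the default unconditionally, `l.sl_perms = S_IRWXU;` placed before `#ifdef LDAP_PF_LOCAL`, and leave only the `get_url_perms()` override inside the conditionals. That would also remove the `} else` that dangles across `#endif /* SLAP_X_LISTENER_MOD */`, where the braces balance only when both preprocessor cases are read together. slap_open_listener starts and ends outside the hunk.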
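Review bot: The SLAP_ALLOW_* group at -1261 carries no comment saying that each value must be a distinct single bit, although config.c ORs them into one mask (`allows |= SLAP_ALLOW_UPDATE_ANON;`) and backend.c tests them with `&`. The replaced `0x0003U` shows what is at stake: it equals `SLAP_ALLOW_BIND_V2 | SLAP_ALLOW_BIND_ANON_CRED`, so that one keyword also set both other bits. I would add `/* bit flags: every SLAP_ALLOW_* value must be a distinct power of two */` above the group. The new define's comment could also name its effect, `/* allow anonymous updates (skips the authentication check in backend_check_restrictions) */`.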