mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
allow proxyAuthz of users authenticated via SASL
This commit is contained in:
parent
ab455a5ec7
commit
3dd2f4150b
@ -404,6 +404,8 @@ ldap_back_dobind_int(
|
||||
|
||||
ldap_pvt_thread_mutex_lock( &lc->lc_mutex );
|
||||
if ( !lc->lc_bound ) {
|
||||
struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
|
||||
|
||||
/*
|
||||
* FIXME: we need to let clients use proxyAuthz
|
||||
* otherwise we cannot do symmetric pools of servers;
|
||||
@ -419,11 +421,17 @@ ldap_back_dobind_int(
|
||||
/*
|
||||
* if no bind took place yet, but the connection is bound
|
||||
* and the "idassert-authcDN" (or other ID) is set,
|
||||
* then bind as the asserting ideintity and explicitly
|
||||
* then bind as the asserting identity and explicitly
|
||||
* add the proxyAuthz control to every operation with the
|
||||
* dn bound to the connection as control value.
|
||||
* This is done also if this is the authrizing backend,
|
||||
* but the "override" flag is given to idassert.
|
||||
* It allows to use SASL bind and yet proxyAuthz users
|
||||
*/
|
||||
if ( op->o_conn != NULL && BER_BVISNULL( &lc->lc_bound_ndn ) ) {
|
||||
if ( op->o_conn != NULL &&
|
||||
( BER_BVISNULL( &lc->lc_bound_ndn ) ||
|
||||
( li->idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) )
|
||||
{
|
||||
(void)ldap_back_proxy_authz_bind( lc, op, rs );
|
||||
goto done;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user