better handling of internal operations
parent
96cd831f8a
commit
4538422dc9
@ -983,10 +983,18 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs )
|
||||
ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private;
|
||||
struct berval binddn = slap_empty_bv;
|
||||
struct berval bindcred = slap_empty_bv;
|
||||
struct berval ndn;
|
||||
int dobind = 0;
|
||||
int msgid;
|
||||
int rc;
|
||||
|
||||
if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
|
||||
ndn = op->o_conn->c_ndn;
|
||||
|
||||
} else {
|
||||
ndn = op->o_ndn;
|
||||
}
|
||||
|
||||
/*
|
||||
* FIXME: we need to let clients use proxyAuthz
|
||||
* otherwise we cannot do symmetric pools of servers;
|
||||
@ -1012,7 +1020,7 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs )
|
||||
* is authorized */
|
||||
switch ( li->li_idassert_mode ) {
|
||||
case LDAP_BACK_IDASSERT_LEGACY:
|
||||
if ( !BER_BVISNULL( &op->o_conn->c_ndn ) && !BER_BVISEMPTY( &op->o_conn->c_ndn ) ) {
|
||||
if ( !BER_BVISNULL( &ndn ) && !BER_BVISEMPTY( &ndn ) ) {
|
||||
if ( !BER_BVISNULL( &li->li_idassert_authcDN ) && !BER_BVISEMPTY( &li->li_idassert_authcDN ) )
|
||||
{
|
||||
binddn = li->li_idassert_authcDN;
|
||||
@ -1027,11 +1035,11 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs )
|
||||
if ( li->li_idassert_authz && !be_isroot( op ) ) {
|
||||
struct berval authcDN;
|
||||
|
||||
if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
|
||||
if ( BER_BVISNULL( &ndn ) ) {
|
||||
authcDN = slap_empty_bv;
|
||||
|
||||
} else {
|
||||
authcDN = op->o_conn->c_ndn;
|
||||
authcDN = ndn;
|
||||
}
|
||||
rs->sr_err = slap_sasl_matches( op, li->li_idassert_authz,
|
||||
&authcDN, &authcDN );
|
||||
@ -1078,16 +1086,16 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs )
|
||||
break;
|
||||
|
||||
case LDAP_BACK_IDASSERT_SELF:
|
||||
if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
|
||||
if ( BER_BVISNULL( &ndn ) ) {
|
||||
/* connection is not authc'd, so don't idassert */
|
||||
BER_BVSTR( &authzID, "dn:" );
|
||||
break;
|
||||
}
|
||||
authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_ndn.bv_len;
|
||||
authzID.bv_len = STRLENOF( "dn:" ) + ndn.bv_len;
|
||||
authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx );
|
||||
AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
|
||||
AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ),
|
||||
op->o_conn->c_ndn.bv_val, op->o_conn->c_ndn.bv_len + 1 );
|
||||
ndn.bv_val, ndn.bv_len + 1 );
|
||||
freeauthz = 1;
|
||||
break;
|
||||
|
||||
@ -1202,7 +1210,8 @@ ldap_back_proxy_authz_ctrl(
|
||||
LDAPControl **ctrls = NULL;
|
||||
int i = 0,
|
||||
mode;
|
||||
struct berval assertedID;
|
||||
struct berval assertedID,
|
||||
ndn;
|
||||
|
||||
*pctrls = NULL;
|
||||
|
||||
@ -1221,6 +1230,13 @@ ldap_back_proxy_authz_ctrl(
|
||||
goto done;
|
||||
}
|
||||
|
||||
if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
|
||||
ndn = op->o_conn->c_ndn;
|
||||
|
||||
} else {
|
||||
ndn = op->o_ndn;
|
||||
}
|
||||
|
||||
if ( li->li_idassert_mode == LDAP_BACK_IDASSERT_LEGACY ) {
|
||||
if ( op->o_proxy_authz ) {
|
||||
/*
|
||||
@ -1244,7 +1260,7 @@ ldap_back_proxy_authz_ctrl(
|
||||
goto done;
|
||||
}
|
||||
|
||||
if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
|
||||
if ( BER_BVISNULL( &ndn ) ) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
@ -1254,13 +1270,13 @@ ldap_back_proxy_authz_ctrl(
|
||||
|
||||
} else if ( li->li_idassert_authmethod == LDAP_AUTH_SASL ) {
|
||||
if ( ( li->li_idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ )
|
||||
/* && ( !BER_BVISNULL( &op->o_conn->c_ndn )
|
||||
/* && ( !BER_BVISNULL( &ndn )
|
||||
|| LDAP_BACK_CONN_ISBOUND( lc ) ) */ )
|
||||
{
|
||||
/* already asserted in SASL via native authz */
|
||||
/* NOTE: the test on lc->lc_bound is used to trap
|
||||
* native authorization of anonymous users,
|
||||
* since in that case op->o_conn->c_ndn is NULL */
|
||||
* since in that case ndn is NULL */
|
||||
goto done;
|
||||
}
|
||||
|
||||
@ -1268,17 +1284,17 @@ ldap_back_proxy_authz_ctrl(
|
||||
int rc;
|
||||
struct berval authcDN;
|
||||
|
||||
if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
|
||||
if ( BER_BVISNULL( &ndn ) ) {
|
||||
authcDN = slap_empty_bv;
|
||||
} else {
|
||||
authcDN = op->o_conn->c_ndn;
|
||||
authcDN = ndn;
|
||||
}
|
||||
rc = slap_sasl_matches( op, li->li_idassert_authz,
|
||||
&authcDN, & authcDN );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
if ( li->li_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE )
|
||||
{
|
||||
/* op->o_conn->c_ndn is not authorized
|
||||
/* ndn is not authorized
|
||||
* to use idassert */
|
||||
return rc;
|
||||
}
|
||||
@ -1320,10 +1336,10 @@ ldap_back_proxy_authz_ctrl(
|
||||
case LDAP_BACK_IDASSERT_SELF:
|
||||
/* original behavior:
|
||||
* assert the client's identity */
|
||||
if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
|
||||
if ( BER_BVISNULL( &ndn ) ) {
|
||||
assertedID = slap_empty_bv;
|
||||
} else {
|
||||
assertedID = op->o_conn->c_ndn;
|
||||
assertedID = ndn;
|
||||
}
|
||||
break;
|
||||
|
||||
|
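Review bot: The new fallback to `op->o_ndn` whenever `op->o_conn->c_ndn` is NULL (the added blocks in the -983 and -1221 hunks) now selects the subject for the `slap_sasl_matches` check against `li_idassert_authz` and the DN asserted to the remote server, but nothing in the code says why `op->o_ndn` is an acceptable substitute or which callers are expected to take that path, and the selection is copy-pasted identically into both functions where it will drift. I would fold it into one static helper carrying the assumption as a comment, along the lines of `/* internal operations carry no authenticated connection; use the o_ndn set by the server-side caller */`, and confirm that every internal caller does populate o_ndn from trusted code and that o_conn is never NULL here, since both functions still dereference it unconditionally before the fallback applies. The mechanically rewritten comment in the -1254 hunk, `since in that case ndn is NULL`, is presumably only true when o_ndn is NULL as well; `since in that case neither c_ndn nor o_ndn is set` would describe what the test actually relies on. Both ldap_back_proxy_authz_bind and ldap_back_proxy_authz_ctrl begin before their first hunk and continue between and after the visible hunks.
```c
/* Identity that idassert decisions are made on: the connection's
 * authenticated DN, falling back to op->o_ndn for internal operations
 * that carry no authenticated connection.
 * NOTE(review): relies on internal callers setting o_ndn from trusted
 * server-side code and on op->o_conn being non-NULL -- confirm. */
static struct berval
ldap_back_idassert_ndn( Operation *op )
{
	if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
		return op->o_conn->c_ndn;
	}
	return op->o_ndn;
}

/* … unchanged: in both ldap_back_proxy_authz_bind and ldap_back_proxy_authz_ctrl the open-coded if/else becomes … */
ndn = ldap_back_idassert_ndn( op );
```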