Add VC support for ppolicy and authzid inner controls

clients/tools/common.c

@@ -137,6 +137,9 @@ typedef int (*print_ctrl_fn)( LDAP *ld, LDAPControl *ctrl );
 static int print_preread( LDAP *ld, LDAPControl *ctrl );
 static int print_postread( LDAP *ld, LDAPControl *ctrl );
 static int print_paged_results( LDAP *ld, LDAPControl *ctrl );
+#ifdef LDAP_CONTROL_AUTHZID_RESPONSE
+static int print_authzid( LDAP *ld, LDAPControl *ctrl );
+#endif
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
 static int print_ppolicy( LDAP *ld, LDAPControl *ctrl );
 #endif
@@ -157,6 +160,10 @@ static struct tool_ctrls_t {
 	{ LDAP_CONTROL_PRE_READ,			TOOL_ALL,	print_preread },
 	{ LDAP_CONTROL_POST_READ,			TOOL_ALL,	print_postread },
 	{ LDAP_CONTROL_PAGEDRESULTS,			TOOL_SEARCH,	print_paged_results },
+#ifdef LDAP_CONTROL_AUTHZID_RESPONSE
+	/* this is generally deprecated in favor of LDAP WhoAmI? operation, hence only supported as a VC inner control */
+	{ LDAP_CONTROL_PASSWORDPOLICYRESPONSE,		TOOL_VC,	print_authzid },
+#endif
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
 	{ LDAP_CONTROL_PASSWORDPOLICYRESPONSE,		TOOL_ALL,	print_ppolicy },
 #endif
@@ -2168,6 +2175,20 @@ print_whatfailed( LDAP *ld, LDAPControl *ctrl )
 }
 #endif
 
+#ifdef LDAP_CONTROL_AUTHZID_RESPONSE
+static int
+print_authzid( LDAP *ld, LDAPControl *ctrl )
+{
+    if (ctrl->ldctl_value.bv_len) {
+	    tool_write_ldif( ldif ? LDIF_PUT_COMMENT : LDIF_PUT_VALUE,
+		    "authzid", ctrl->ldctl_value.bv_val,  ctrl->ldctl_value.bv_len );
+	} else {
+	    tool_write_ldif( ldif ? LDIF_PUT_COMMENT : LDIF_PUT_VALUE,
+		    "authzid", "anonymous",  sizeof("anonymous")-1);
+	}
+}
+#endif
+
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
 static int
 print_ppolicy( LDAP *ld, LDAPControl *ctrl )

clients/tools/ldapvc.c

@@ -48,6 +48,9 @@
 
 #include "common.h"
 
+static int req_authzid = 0;
+static int req_pp = 0;
+
 static char * mech = NULL;
 static char * dn = NULL;
 static struct berval cred = {0, NULL};
@@ -61,13 +64,15 @@ usage( void )
 	fprintf( stderr, _("    DN\tDistinguished Name\n"));
 	fprintf( stderr, _("    cred\tCredentials (prompt if not present)\n"));
 	fprintf( stderr, _("options:\n"));
+	fprintf( stderr, _("    -a\tRequest AuthzId\n"));
+	fprintf( stderr, _("    -b\tRequest Password Policy Information\n"));
 	fprintf( stderr, _("    -S mech\tSASL mechanism (default "" e.g. Simple)\n"));
 	tool_common_usage();
 	exit( EXIT_FAILURE );
 }
 
 
-const char options[] = "S"
+const char options[] = "abS:"
 	"d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
 
 int
@@ -104,6 +109,14 @@ handle_private_option( int i )
 		usage();
 #endif
 
+	case 'a':  /* request authzid */
+		req_authzid++;
+		break;
+
+	case 'b':  /* request authzid */
+		req_pp++;
+		break;
+
 	case 'S':  /* SASL mechanism */
 		mech = optarg;
 		break;
@@ -128,6 +141,8 @@ main( int argc, char *argv[] )
 	int		id, code = 0;
 	LDAPMessage	*res;
 	LDAPControl	**ctrls = NULL;
+	LDAPControl	**vcctrls = NULL;
+	int nvcctrls = 0;
 
 	tool_init( TOOL_VC );
 	prog = lutil_progname( "ldapvc", argc, argv );
@@ -176,9 +191,29 @@ main( int argc, char *argv[] )
 
 	tool_server_controls( ld, NULL, 0 );
 
+    if (req_authzid) {
+		vcctrls = (LDAPControl **) malloc(3*sizeof(LDAPControl *));
+		vcctrls[nvcctrls] = (LDAPControl *) malloc(sizeof(LDAPControl));
+		vcctrls[nvcctrls]->ldctl_oid = LDAP_CONTROL_AUTHZID_REQUEST;
+		vcctrls[nvcctrls]->ldctl_iscritical = 0;
+		vcctrls[nvcctrls]->ldctl_value.bv_val = NULL;
+		vcctrls[nvcctrls]->ldctl_value.bv_len = 0;
+		vcctrls[++nvcctrls] = NULL;
+    }
+
+    if (req_pp) {
+		if (vcctrls) vcctrls = (LDAPControl **) malloc(3*sizeof(LDAPControl *));
+		vcctrls[nvcctrls] = (LDAPControl *) malloc(sizeof(LDAPControl));
+		vcctrls[nvcctrls]->ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST;
+		vcctrls[nvcctrls]->ldctl_iscritical = 0;
+		vcctrls[nvcctrls]->ldctl_value.bv_val = NULL;
+		vcctrls[nvcctrls]->ldctl_value.bv_len = 0;
+		vcctrls[++nvcctrls] = NULL;
+    }
+
 	rc = ldap_verify_credentials( ld,
 		NULL,
-		dn, mech, cred.bv_val ? &cred: NULL, NULL,
+		dn, mech, cred.bv_val ? &cred: NULL, vcctrls,
 		NULL, NULL, &id ); 
 
 	if( rc != LDAP_SUCCESS ) {
@@ -187,6 +222,9 @@ main( int argc, char *argv[] )
 		goto skip;
 	}
 
+	ldap_controls_free(vcctrls);
+	vcctrls = NULL;
+
 	for ( ; ; ) {
 		struct timeval	tv;
 
@@ -221,7 +259,7 @@ main( int argc, char *argv[] )
 		goto skip;
 	}
 
-	rc = ldap_parse_verify_credentials( ld, res, &rcode, &diag, &scookie, &scred, NULL );
+	rc = ldap_parse_verify_credentials( ld, res, &rcode, &diag, &scookie, &scred, &vcctrls );
 	ldap_msgfree(res);
 
 	if( rc != LDAP_SUCCESS ) {
@@ -238,7 +276,9 @@ main( int argc, char *argv[] )
 	    printf(_("Diagnostic: %s\n"), diag);
 	}
 
-    /* print vc controls here (once added) */
+	if (vcctrls) {
+		tool_print_ctrls( ld, vcctrls );
+	}
 
 skip:
 	if ( verbose || ( code != LDAP_SUCCESS ) ||

include/ldap.h

@@ -264,6 +264,9 @@ typedef struct ldapcontrol {
 /*	non-standard track controls */
 #define LDAP_CONTROL_PAGEDRESULTS	"1.2.840.113556.1.4.319"   /* RFC 2696 */
 
+#define LDAP_CONTROL_AUTHZID_REQUEST	"2.16.840.1.113730.4.16"   /* RFC 3829 */
+#define LDAP_CONTROL_AUTHZID_RESPONSE   "2.16.840.1.113730.4.15"   /* RFC 3829 */
+
 /* LDAP Content Synchronization Operation -- RFC 4533 */
 #define LDAP_SYNC_OID			"1.3.6.1.4.1.4203.1.9.1"
 #define LDAP_CONTROL_SYNC		LDAP_SYNC_OID ".1"