add dontUseCopy and proxiedAuthz "non_critical" disallow switches (ITS#5785)

2025-01-30 13:30:57 +08:00 · 2008-11-02 21:38:10 +00:00 · 2008-11-02 21:38:10 +00:00 · 52e28a9ece
commit 52e28a9ece
parent 21ddf6193d
3 changed files with 19 additions and 0 deletions
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@ -2587,6 +2587,8 @@ config_disallows(ConfigArgs *c) {
 		{ BER_BVC("bind_simple"),	SLAP_DISALLOW_BIND_SIMPLE },
 		{ BER_BVC("tls_2_anon"),		SLAP_DISALLOW_TLS_2_ANON },
 		{ BER_BVC("tls_authc"),		SLAP_DISALLOW_TLS_AUTHC },
+		{ BER_BVC("proxy_authz_non_critical"),	SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT },
+		{ BER_BVC("dontusecopy_non_critical"),	SLAP_DISALLOW_DONTUSECOPY_N_CRIT },
 		{ BER_BVNULL, 0 }
 	};
 	if (c->op == SLAP_CONFIG_EMIT) {
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@ -960,6 +960,13 @@ static int parseDontUseCopy (
 		return LDAP_PROTOCOL_ERROR;
 	}

+	if ( ( global_disallows & SLAP_DISALLOW_DONTUSECOPY_N_CRIT )
+		&& !ctrl->ldctl_iscritical )
+	{
+		rs->sr_text = "dontUseCopy criticality of FALSE not allowed";
+		return LDAP_PROTOCOL_ERROR;
+	}
+
 	op->o_dontUseCopy = ctrl->ldctl_iscritical
 		? SLAP_CONTROL_CRITICAL
 		: SLAP_CONTROL_NONCRITICAL;
@ -1029,6 +1036,13 @@ static int parseProxyAuthz (
 		return LDAP_PROTOCOL_ERROR;
 	}

+	if ( ( global_disallows & SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT )
+		&& !ctrl->ldctl_iscritical )
+	{
+		rs->sr_text = "proxied authorization criticality of FALSE not allowed";
+		return LDAP_PROTOCOL_ERROR;
+	}
+
 	if ( !( global_allows & SLAP_ALLOW_PROXY_AUTHZ_ANON )
 		&& BER_BVISEMPTY( &op->o_ndn ) )
 	{
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@ -1863,6 +1863,9 @@ struct BackendDB {
 #define SLAP_DISALLOW_TLS_2_ANON	0x0010U /* StartTLS -> Anonymous */
 #define SLAP_DISALLOW_TLS_AUTHC		0x0020U	/* TLS while authenticated */

+#define SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT	0x0100U
+#define SLAP_DISALLOW_DONTUSECOPY_N_CRIT	0x0200U
+
 #define SLAP_DISALLOW_AUX_WO_CR		0x4000U

 	slap_mask_t	be_requires;	/* pre-operation requirements */