exploit new frontend API 2 protocol error mapping; use urldesc...
This commit is contained in:
parent
4e71b85481
commit
6a1dd9a1cd
@ -80,7 +80,8 @@ struct ldaprwmap {
|
|||||||
|
|
||||||
struct ldapinfo {
|
struct ldapinfo {
|
||||||
struct slap_backend_db *be;
|
struct slap_backend_db *be;
|
||||||
char *url;
|
char *url;
|
||||||
|
LDAPURLDesc *lud;
|
||||||
struct berval binddn;
|
struct berval binddn;
|
||||||
struct berval bindpw;
|
struct berval bindpw;
|
||||||
#ifdef LDAP_BACK_PROXY_AUTHZ
|
#ifdef LDAP_BACK_PROXY_AUTHZ
|
||||||
|
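Review bot: The new `LDAPURLDesc *lud;` member of `struct ldapinfo` carries no comment saying what it holds or who owns it, and the struct's other fields do not explain it either. Elsewhere in this commit it is filled by `ldap_url_parse( argv[ 1 ], &li->lud )` in the `uri` handler of ldap_back_db_config and released with `ldap_free_urldesc( li->lud )` both there and in ldap_back_db_destroy, so a one-line comment such as `/* parsed form of url (ldap_url_parse()); freed in ldap_back_db_destroy() */` would make the ownership clear to the next maintainer. The struct begins and ends outside this hunk.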
@ -248,7 +248,7 @@ ldap_back_getconn(Operation *op, SlapReply *rs)
|
|||||||
rs->sr_err = ldap_initialize(&ld, li->url);
|
rs->sr_err = ldap_initialize(&ld, li->url);
|
||||||
|
|
||||||
if (rs->sr_err != LDAP_SUCCESS) {
|
if (rs->sr_err != LDAP_SUCCESS) {
|
||||||
rs->sr_err = ldap_back_map_result(rs);
|
rs->sr_err = slap_map_api2result( rs );
|
||||||
if (rs->sr_text == NULL) {
|
if (rs->sr_text == NULL) {
|
||||||
rs->sr_text = "ldap_initialize() failed";
|
rs->sr_text = "ldap_initialize() failed";
|
||||||
}
|
}
|
||||||
@ -446,10 +446,10 @@ ldap_back_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request,
|
|||||||
return ldap_bind_s( ld, lc->bound_dn.bv_val, lc->cred.bv_val, LDAP_AUTH_SIMPLE );
|
return ldap_bind_s( ld, lc->bound_dn.bv_val, lc->cred.bv_val, LDAP_AUTH_SIMPLE );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if 0 /* deprecated in favour of slap_map_api2result() */
|
||||||
/* Map API errors to protocol errors... */
|
/* Map API errors to protocol errors... */
|
||||||
|
|
||||||
int
|
int
|
||||||
ldap_back_map_result(SlapReply *rs)
|
ldap_back_map_result( SlapReply *rs )
|
||||||
{
|
{
|
||||||
switch(rs->sr_err)
|
switch(rs->sr_err)
|
||||||
{
|
{
|
||||||
@ -489,12 +489,12 @@ ldap_back_map_result(SlapReply *rs)
|
|||||||
case LDAP_REFERRAL_LIMIT_EXCEEDED:
|
case LDAP_REFERRAL_LIMIT_EXCEEDED:
|
||||||
return LDAP_LOOP_DETECT;
|
return LDAP_LOOP_DETECT;
|
||||||
default:
|
default:
|
||||||
if LDAP_API_ERROR(rs->sr_err)
|
if ( LDAP_API_ERROR(rs->sr_err) )
|
||||||
return LDAP_OTHER;
|
return LDAP_OTHER;
|
||||||
else
|
return rs->sr_err;
|
||||||
return rs->sr_err;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
int
|
int
|
||||||
ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
|
ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
|
||||||
@ -502,28 +502,43 @@ ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
|
|||||||
{
|
{
|
||||||
struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
|
struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
|
||||||
char *match = NULL;
|
char *match = NULL;
|
||||||
LDAPMessage *res;
|
LDAPMessage *res = NULL;
|
||||||
char *text = NULL;
|
char *text = NULL;
|
||||||
|
|
||||||
|
#define ERR_OK(err) ((err) == LDAP_SUCCESS || (err) == LDAP_COMPARE_FALSE || (err) == LDAP_COMPARE_TRUE)
|
||||||
|
|
||||||
rs->sr_text = NULL;
|
rs->sr_text = NULL;
|
||||||
rs->sr_matched = NULL;
|
rs->sr_matched = NULL;
|
||||||
|
|
||||||
if (rs->sr_err == LDAP_SUCCESS) {
|
/* if the error recorded in the reply corresponds
|
||||||
if (ldap_result(lc->ld, msgid, 1, NULL, &res) == -1) {
|
* to a successful state, get the error from the
|
||||||
|
* remote server response */
|
||||||
|
if ( ERR_OK( rs->sr_err ) ) {
|
||||||
|
/* if result parsing fails, note the failure reason */
|
||||||
|
if ( ldap_result( lc->ld, msgid, 1, NULL, &res ) == -1 ) {
|
||||||
ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER,
|
ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER,
|
||||||
&rs->sr_err);
|
&rs->sr_err);
|
||||||
|
|
||||||
|
/* otherwise get the result; if it is not
|
||||||
|
* LDAP_SUCCESS, record it in the reply
|
||||||
|
* structure (this includes
|
||||||
|
* LDAP_COMPARE_{TRUE|FALSE}) */
|
||||||
} else {
|
} else {
|
||||||
int rc = ldap_parse_result(lc->ld, res, &rs->sr_err,
|
int rc = ldap_parse_result(lc->ld, res, &rs->sr_err,
|
||||||
&match, &text, NULL, NULL, 1);
|
&match, &text, NULL, NULL, 1);
|
||||||
rs->sr_text = text;
|
rs->sr_text = text;
|
||||||
if (rc != LDAP_SUCCESS) rs->sr_err = rc;
|
if ( rc != LDAP_SUCCESS ) rs->sr_err = rc;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (rs->sr_err != LDAP_SUCCESS) {
|
/* if the error in the reply structure is not
|
||||||
rs->sr_err = ldap_back_map_result(rs);
|
* LDAP_SUCCESS, try to map it from client
|
||||||
|
* to server error */
|
||||||
|
if ( !ERR_OK( rs->sr_err ) ) {
|
||||||
|
rs->sr_err = slap_map_api2result( rs );
|
||||||
|
|
||||||
/* internal ops must not reply to client */
|
/* internal ops ( op->o_conn == NULL )
|
||||||
|
* must not reply to client */
|
||||||
if ( op->o_conn && !op->o_do_not_cache && match ) {
|
if ( op->o_conn && !op->o_do_not_cache && match ) {
|
||||||
struct berval dn, mdn;
|
struct berval dn, mdn;
|
||||||
dncookie dc;
|
dncookie dc;
|
||||||
@ -539,11 +554,14 @@ ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
|
|||||||
#endif
|
#endif
|
||||||
ber_str2bv(match, 0, 0, &dn);
|
ber_str2bv(match, 0, 0, &dn);
|
||||||
ldap_back_dn_massage(&dc, &dn, &mdn);
|
ldap_back_dn_massage(&dc, &dn, &mdn);
|
||||||
|
|
||||||
|
/* record the (massaged) matched
|
||||||
|
* DN into the reply structure */
|
||||||
rs->sr_matched = mdn.bv_val;
|
rs->sr_matched = mdn.bv_val;
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (op->o_conn && (sendok || rs->sr_err != LDAP_SUCCESS)) {
|
if ( op->o_conn && ( sendok || rs->sr_err != LDAP_SUCCESS ) ) {
|
||||||
send_ldap_result( op, rs );
|
send_ldap_result( op, rs );
|
||||||
}
|
}
|
||||||
if ( match ) {
|
if ( match ) {
|
||||||
@ -557,7 +575,7 @@ ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
|
|||||||
ldap_memfree( text );
|
ldap_memfree( text );
|
||||||
}
|
}
|
||||||
rs->sr_text = NULL;
|
rs->sr_text = NULL;
|
||||||
return( (rs->sr_err == LDAP_SUCCESS) ? 0 : -1 );
|
return( ERR_OK( rs->sr_err ) ? 0 : -1 );
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef LDAP_BACK_PROXY_AUTHZ
|
#ifdef LDAP_BACK_PROXY_AUTHZ
|
||||||
|
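Review bot: In ldap_back_op_result the new `if ( ldap_result( lc->ld, msgid, 1, NULL, &res ) == -1 )` only catches the failure return; as I read the libldap API, ldap_result() can also return 0 when no message arrives within a timeout configured on the handle, and then `res` (now initialised to NULL) is handed to `ldap_parse_result()` on the else branch, so the test should be `<= 0` so that both outcomes take the LDAP_OPT_ERROR_NUMBER path. The `#define ERR_OK(err)` is introduced inside the function body but never `#undef`'d, so it stays defined for the rest of the translation unit; add `#undef ERR_OK` after the final `return`, or hoist the macro to file scope with the other definitions. The send condition `sendok || rs->sr_err != LDAP_SUCCESS` still tests LDAP_SUCCESS rather than ERR_OK, which (I assume deliberately) means compare results are always sent to the client; a comment such as `/* compare results are always sent, even when !sendok */` would stop a later reader from "fixing" it. The body of ldap_back_op_result is spread over three hunks here, and the reformatting applied to ldap_back_map_result inside its new `#if 0` is wasted effort: since every caller in this commit now uses slap_map_api2result(), delete the function (and its prototype, if the header declares one) instead of keeping dead code.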
@ -70,7 +70,7 @@ ldap_back_db_config(
|
|||||||
|
|
||||||
/* URI of server to query (preferred over "server" directive) */
|
/* URI of server to query (preferred over "server" directive) */
|
||||||
} else if ( strcasecmp( argv[0], "uri" ) == 0 ) {
|
} else if ( strcasecmp( argv[0], "uri" ) == 0 ) {
|
||||||
LDAPURLDesc *lud, tmplud;
|
LDAPURLDesc tmplud;
|
||||||
|
|
||||||
if (argc != 2) {
|
if (argc != 2) {
|
||||||
fprintf( stderr, "%s: line %d: "
|
fprintf( stderr, "%s: line %d: "
|
||||||
@ -82,8 +82,11 @@ ldap_back_db_config(
|
|||||||
if ( li->url != NULL ) {
|
if ( li->url != NULL ) {
|
||||||
ch_free( li->url );
|
ch_free( li->url );
|
||||||
}
|
}
|
||||||
|
if ( li->lud != NULL ) {
|
||||||
|
ldap_free_urldesc( li->lud );
|
||||||
|
}
|
||||||
|
|
||||||
if ( ldap_url_parse( argv[ 1 ], &lud ) != LDAP_URL_SUCCESS ) {
|
if ( ldap_url_parse( argv[ 1 ], &li->lud ) != LDAP_URL_SUCCESS ) {
|
||||||
fprintf( stderr, "%s: line %d: "
|
fprintf( stderr, "%s: line %d: "
|
||||||
"unable to parse uri \"%s\" "
|
"unable to parse uri \"%s\" "
|
||||||
"in \"uri <uri>\" line\n",
|
"in \"uri <uri>\" line\n",
|
||||||
@ -91,10 +94,10 @@ ldap_back_db_config(
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( ( lud->lud_dn != NULL && lud->lud_dn[0] != '\0' )
|
if ( ( li->lud->lud_dn != NULL && li->lud->lud_dn[0] != '\0' )
|
||||||
|| lud->lud_attrs != NULL
|
|| li->lud->lud_attrs != NULL
|
||||||
|| lud->lud_filter != NULL
|
|| li->lud->lud_filter != NULL
|
||||||
|| lud->lud_exts != NULL )
|
|| li->lud->lud_exts != NULL )
|
||||||
{
|
{
|
||||||
fprintf( stderr, "%s: line %d: "
|
fprintf( stderr, "%s: line %d: "
|
||||||
"warning, only protocol, "
|
"warning, only protocol, "
|
||||||
@ -105,7 +108,7 @@ ldap_back_db_config(
|
|||||||
|
|
||||||
#if 0
|
#if 0
|
||||||
tmplud = *lud;
|
tmplud = *lud;
|
||||||
tmplud.lud_dn = NULL;
|
tmplud.lud_dn = "";
|
||||||
tmplud.lud_attrs = NULL;
|
tmplud.lud_attrs = NULL;
|
||||||
tmplud.lud_filter = NULL;
|
tmplud.lud_filter = NULL;
|
||||||
if ( !ldap_is_ldapi_url( argv[ 1 ] ) ) {
|
if ( !ldap_is_ldapi_url( argv[ 1 ] ) ) {
|
||||||
@ -125,8 +128,6 @@ ldap_back_db_config(
|
|||||||
li->url = ch_strdup( argv[ 1 ] );
|
li->url = ch_strdup( argv[ 1 ] );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
ldap_free_urldesc( lud );
|
|
||||||
|
|
||||||
/* name to use for ldap_back_group */
|
/* name to use for ldap_back_group */
|
||||||
} else if ( strcasecmp( argv[0], "binddn" ) == 0 ) {
|
} else if ( strcasecmp( argv[0], "binddn" ) == 0 ) {
|
||||||
if (argc != 2) {
|
if (argc != 2) {
|
||||||
@ -396,6 +397,7 @@ ldap_back_map_config(
|
|||||||
/*
|
/*
|
||||||
* FIXME: this should become an err
|
* FIXME: this should become an err
|
||||||
*/
|
*/
|
||||||
|
goto error_return;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -421,6 +423,7 @@ ldap_back_map_config(
|
|||||||
/*
|
/*
|
||||||
* FIXME: this should become an err
|
* FIXME: this should become an err
|
||||||
*/
|
*/
|
||||||
|
goto error_return;
|
||||||
}
|
}
|
||||||
|
|
||||||
ad = NULL;
|
ad = NULL;
|
||||||
@ -441,7 +444,6 @@ ldap_back_map_config(
|
|||||||
fprintf( stderr,
|
fprintf( stderr,
|
||||||
"%s: line %d: duplicate mapping found (ignored)\n",
|
"%s: line %d: duplicate mapping found (ignored)\n",
|
||||||
fname, lineno );
|
fname, lineno );
|
||||||
/* FIXME: free stuff */
|
|
||||||
goto error_return;
|
goto error_return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -515,16 +517,16 @@ ldap_back_exop_whoami(
|
|||||||
}
|
}
|
||||||
ch_free(c.ldctl_value.bv_val);
|
ch_free(c.ldctl_value.bv_val);
|
||||||
if (rs->sr_err != LDAP_SUCCESS) {
|
if (rs->sr_err != LDAP_SUCCESS) {
|
||||||
rs->sr_err = ldap_back_map_result(rs);
|
rs->sr_err = slap_map_api2result( rs );
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
/* else just do the same as before */
|
/* else just do the same as before */
|
||||||
bv = (struct berval *) ch_malloc( sizeof(struct berval) );
|
bv = (struct berval *) ch_malloc( sizeof(struct berval) );
|
||||||
if( op->o_dn.bv_len ) {
|
if( op->o_dn.bv_len ) {
|
||||||
bv->bv_len = op->o_dn.bv_len + sizeof("dn:")-1;
|
bv->bv_len = op->o_dn.bv_len + sizeof("dn:") - 1;
|
||||||
bv->bv_val = ch_malloc( bv->bv_len + 1 );
|
bv->bv_val = ch_malloc( bv->bv_len + 1 );
|
||||||
AC_MEMCPY( bv->bv_val, "dn:", sizeof("dn:")-1 );
|
AC_MEMCPY( bv->bv_val, "dn:", sizeof("dn:") - 1 );
|
||||||
AC_MEMCPY( &bv->bv_val[sizeof("dn:")-1], op->o_dn.bv_val,
|
AC_MEMCPY( &bv->bv_val[sizeof("dn:") - 1], op->o_dn.bv_val,
|
||||||
op->o_dn.bv_len );
|
op->o_dn.bv_len );
|
||||||
bv->bv_val[bv->bv_len] = '\0';
|
bv->bv_val[bv->bv_len] = '\0';
|
||||||
} else {
|
} else {
|
||||||
@ -633,15 +635,6 @@ suffix_massage_config(
|
|||||||
ch_free( rargv[ 1 ] );
|
ch_free( rargv[ 1 ] );
|
||||||
ch_free( rargv[ 2 ] );
|
ch_free( rargv[ 2 ] );
|
||||||
|
|
||||||
#if 0 /* "matched" is not normalized */
|
|
||||||
rargv[ 0 ] = "rewriteContext";
|
|
||||||
rargv[ 1 ] = "matchedDN";
|
|
||||||
rargv[ 2 ] = "alias";
|
|
||||||
rargv[ 3 ] = "searchResult";
|
|
||||||
rargv[ 4 ] = NULL;
|
|
||||||
rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
|
|
||||||
#else /* normalize "matched" */
|
|
||||||
|
|
||||||
rargv[ 0 ] = "rewriteContext";
|
rargv[ 0 ] = "rewriteContext";
|
||||||
rargv[ 1 ] = "matchedDN";
|
rargv[ 1 ] = "matchedDN";
|
||||||
rargv[ 2 ] = "alias";
|
rargv[ 2 ] = "alias";
|
||||||
@ -656,18 +649,6 @@ suffix_massage_config(
|
|||||||
rargv[ 4 ] = NULL;
|
rargv[ 4 ] = NULL;
|
||||||
rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
|
rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
|
||||||
|
|
||||||
#if 0
|
|
||||||
rargv[ 0 ] = "rewriteRule";
|
|
||||||
rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val );
|
|
||||||
rargv[ 2 ] = suffix_massage_patternize( nvnc->bv_val );
|
|
||||||
rargv[ 3 ] = ":";
|
|
||||||
rargv[ 4 ] = NULL;
|
|
||||||
rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
|
|
||||||
ch_free( rargv[ 1 ] );
|
|
||||||
ch_free( rargv[ 2 ] );
|
|
||||||
#endif /* 0 */
|
|
||||||
#endif /* normalize "matched" */
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#endif /* ENABLE_REWRITE */
|
#endif /* ENABLE_REWRITE */
|
||||||
|
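Review bot: In the `uri` handler of ldap_back_db_config the old descriptor is released with `ldap_free_urldesc( li->lud )` but `li->lud` is not cleared before `ldap_url_parse( argv[ 1 ], &li->lud )` is attempted, so if parsing fails and returns 1 the field keeps the freed pointer — unless ldap_url_parse() resets its output on failure, which this hunk cannot show — and the new `if ( li->lud ) ldap_free_urldesc( li->lud )` in ldap_back_db_destroy would then free it a second time; add `li->lud = NULL;` after the free, and the same `li->url = NULL;` after the `ch_free( li->url )` just above it. Further down, in ldap_back_map_config, the duplicate-mapping branch still prints `duplicate mapping found (ignored)` immediately before `goto error_return;`, so the message now contradicts the behaviour; drop the "(ignored)". The two `FIXME: this should become an err` comments are likewise stale now that a `goto error_return;` follows each of them. Finally, the `#if 0` block in the uri handler still references the removed local (`tmplud = *lud;`) and was even edited in this commit (`tmplud.lud_dn = "";`); dead code that no longer compiles should be deleted rather than maintained. ldap_back_db_config and ldap_back_map_config both start outside their hunks.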
@ -166,7 +166,7 @@ ldap_back_exop_passwd(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (rc != LDAP_SUCCESS) {
|
if (rc != LDAP_SUCCESS) {
|
||||||
rs->sr_err = ldap_back_map_result(rs);
|
rs->sr_err = slap_map_api2result( rs );
|
||||||
send_ldap_result(op, rs);
|
send_ldap_result(op, rs);
|
||||||
if (rs->sr_matched) free((char *)rs->sr_matched);
|
if (rs->sr_matched) free((char *)rs->sr_matched);
|
||||||
if (rs->sr_text) free((char *)rs->sr_text);
|
if (rs->sr_text) free((char *)rs->sr_text);
|
||||||
|
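Review bot: Right after the changed `rs->sr_err = slap_map_api2result( rs );` the error path in ldap_back_exop_passwd releases `rs->sr_matched` and `rs->sr_text` with plain `free()`, whereas ldap_back_op_result in this same commit releases the strings it gets from `ldap_parse_result()` with `ldap_memfree()`; if these two strings come from the same libldap call (the code that fills them lies outside this hunk, so I cannot confirm it) they should be released as `ldap_memfree( (char *)rs->sr_matched );` and `ldap_memfree( (char *)rs->sr_text );` so the allocator matches the one libldap used. The `if (ptr) free(ptr)` guards are also redundant, since free(NULL) is a no-op. ldap_back_exop_passwd starts and ends outside this hunk.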
@ -197,6 +197,10 @@ ldap_back_db_destroy(
|
|||||||
ch_free(li->url);
|
ch_free(li->url);
|
||||||
li->url = NULL;
|
li->url = NULL;
|
||||||
}
|
}
|
||||||
|
if ( li->lud ) {
|
||||||
|
ldap_free_urldesc( li->lud );
|
||||||
|
li->lud = NULL;
|
||||||
|
}
|
||||||
if (li->binddn.bv_val) {
|
if (li->binddn.bv_val) {
|
||||||
ch_free(li->binddn.bv_val);
|
ch_free(li->binddn.bv_val);
|
||||||
li->binddn.bv_val = NULL;
|
li->binddn.bv_val = NULL;
|
||||||
|
@ -260,7 +260,7 @@ fail:;
|
|||||||
&match.bv_val, (char **)&rs->sr_text,
|
&match.bv_val, (char **)&rs->sr_text,
|
||||||
NULL, NULL, 1);
|
NULL, NULL, 1);
|
||||||
if (rc != LDAP_SUCCESS ) rs->sr_err = rc;
|
if (rc != LDAP_SUCCESS ) rs->sr_err = rc;
|
||||||
rs->sr_err = ldap_back_map_result(rs);
|
rs->sr_err = slap_map_api2result( rs );
|
||||||
rc = 0;
|
rc = 0;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|