add support for dgAuthz --- see discussion on -devel
This commit is contained in:
parent
f7bda3be0a
commit
76974d412a
@ -58,7 +58,7 @@ static AttributeName anlist_no_attrs[] = {
|
|||||||
static AttributeName *slap_anlist_no_attrs = anlist_no_attrs;
|
static AttributeName *slap_anlist_no_attrs = anlist_no_attrs;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static AttributeDescription *ad_dgIdentity;
|
static AttributeDescription *ad_dgIdentity, *ad_dgAuthz;
|
||||||
|
|
||||||
typedef struct dynlist_info_t {
|
typedef struct dynlist_info_t {
|
||||||
ObjectClass *dli_oc;
|
ObjectClass *dli_oc;
|
||||||
@ -347,6 +347,26 @@ dynlist_prepare_entry( Operation *op, SlapReply *rs, dynlist_info_t *dli )
|
|||||||
return SLAP_CB_CONTINUE;
|
return SLAP_CB_CONTINUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( ad_dgIdentity && ( id = attrs_find( rs->sr_entry->e_attrs, ad_dgIdentity ))) {
|
||||||
|
Attribute *authz = NULL;
|
||||||
|
|
||||||
|
/* if not rootdn and dgAuthz is present,
|
||||||
|
* check if user can be authorized as dgIdentity */
|
||||||
|
if ( ad_dgAuthz && !BER_BVISEMPTY( &id->a_nvals[0] ) && !be_isroot( op )
|
||||||
|
&& ( authz = attrs_find( rs->sr_entry->e_attrs, ad_dgAuthz ) ) )
|
||||||
|
{
|
||||||
|
if ( slap_sasl_matches( op, authz->a_nvals,
|
||||||
|
&o.o_ndn, &o.o_ndn ) != LDAP_SUCCESS )
|
||||||
|
{
|
||||||
|
return SLAP_CB_CONTINUE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
o.o_dn = id->a_vals[0];
|
||||||
|
o.o_ndn = id->a_nvals[0];
|
||||||
|
o.o_groups = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
if ( !( rs->sr_flags & REP_ENTRY_MODIFIABLE ) ) {
|
if ( !( rs->sr_flags & REP_ENTRY_MODIFIABLE ) ) {
|
||||||
e = entry_dup( rs->sr_entry );
|
e = entry_dup( rs->sr_entry );
|
||||||
} else {
|
} else {
|
||||||
@ -354,12 +374,6 @@ dynlist_prepare_entry( Operation *op, SlapReply *rs, dynlist_info_t *dli )
|
|||||||
}
|
}
|
||||||
e_flags = rs->sr_flags | ( REP_ENTRY_MODIFIABLE | REP_ENTRY_MUSTBEFREED );
|
e_flags = rs->sr_flags | ( REP_ENTRY_MODIFIABLE | REP_ENTRY_MUSTBEFREED );
|
||||||
|
|
||||||
if ( ad_dgIdentity && ( id = attrs_find( e->e_attrs, ad_dgIdentity ))) {
|
|
||||||
o.o_dn = id->a_vals[0];
|
|
||||||
o.o_ndn = id->a_nvals[0];
|
|
||||||
o.o_groups = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
dlc.dlc_e = e;
|
dlc.dlc_e = e;
|
||||||
dlc.dlc_dli = dli;
|
dlc.dlc_dli = dli;
|
||||||
cb.sc_private = &dlc;
|
cb.sc_private = &dlc;
|
||||||
@ -556,16 +570,33 @@ dynlist_compare( Operation *op, SlapReply *rs )
|
|||||||
* interested in. We'll use slapd's existing dyngroup
|
* interested in. We'll use slapd's existing dyngroup
|
||||||
* evaluator to get the answer we want.
|
* evaluator to get the answer we want.
|
||||||
*/
|
*/
|
||||||
struct berval *id = NULL;
|
BerVarray id = NULL, authz = NULL;
|
||||||
|
|
||||||
o.o_do_not_cache = 1;
|
o.o_do_not_cache = 1;
|
||||||
|
|
||||||
if ( ad_dgIdentity && backend_attribute( &o, NULL, &o.o_req_ndn,
|
if ( ad_dgIdentity && backend_attribute( &o, NULL, &o.o_req_ndn,
|
||||||
ad_dgIdentity, &id, ACL_READ ) == LDAP_SUCCESS ) {
|
ad_dgIdentity, &id, ACL_READ ) == LDAP_SUCCESS )
|
||||||
|
{
|
||||||
|
/* if not rootdn and dgAuthz is present,
|
||||||
|
* check if user can be authorized as dgIdentity */
|
||||||
|
if ( ad_dgAuthz && !BER_BVISEMPTY( id ) && !be_isroot( op )
|
||||||
|
&& backend_attribute( &o, NULL, &o.o_req_ndn,
|
||||||
|
ad_dgAuthz, &authz, ACL_READ ) == LDAP_SUCCESS )
|
||||||
|
{
|
||||||
|
|
||||||
|
rs->sr_err = slap_sasl_matches( op, authz,
|
||||||
|
&o.o_ndn, &o.o_ndn );
|
||||||
|
ber_bvarray_free_x( authz, op->o_tmpmemctx );
|
||||||
|
if ( rs->sr_err != LDAP_SUCCESS ) {
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
o.o_dn = *id;
|
o.o_dn = *id;
|
||||||
o.o_ndn = *id;
|
o.o_ndn = *id;
|
||||||
o.o_groups = NULL; /* authz changed, invalidate cached groups */
|
o.o_groups = NULL; /* authz changed, invalidate cached groups */
|
||||||
}
|
}
|
||||||
|
|
||||||
rs->sr_err = backend_group( &o, NULL, &o.o_req_ndn,
|
rs->sr_err = backend_group( &o, NULL, &o.o_req_ndn,
|
||||||
&o.oq_compare.rs_ava->aa_value, dli->dli_oc, dli->dli_ad );
|
&o.oq_compare.rs_ava->aa_value, dli->dli_oc, dli->dli_ad );
|
||||||
switch ( rs->sr_err ) {
|
switch ( rs->sr_err ) {
|
||||||
@ -585,6 +616,7 @@ dynlist_compare( Operation *op, SlapReply *rs )
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
done:;
|
||||||
if ( id ) ber_bvarray_free_x( id, o.o_tmpmemctx );
|
if ( id ) ber_bvarray_free_x( id, o.o_tmpmemctx );
|
||||||
|
|
||||||
return SLAP_CB_CONTINUE;
|
return SLAP_CB_CONTINUE;
|
||||||
@ -592,17 +624,34 @@ dynlist_compare( Operation *op, SlapReply *rs )
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( overlay_entry_get_ov( &o, &o.o_req_ndn, NULL, NULL, 0, &e, on ) !=
|
if ( overlay_entry_get_ov( &o, &o.o_req_ndn, NULL, NULL, 0, &e, on ) !=
|
||||||
LDAP_SUCCESS || e == NULL ) {
|
LDAP_SUCCESS || e == NULL )
|
||||||
|
{
|
||||||
return SLAP_CB_CONTINUE;
|
return SLAP_CB_CONTINUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( ad_dgIdentity ) {
|
if ( ad_dgIdentity ) {
|
||||||
Attribute *id = attrs_find( e->e_attrs, ad_dgIdentity );
|
Attribute *id = attrs_find( e->e_attrs, ad_dgIdentity );
|
||||||
if ( id ) {
|
if ( id ) {
|
||||||
|
Attribute *authz;
|
||||||
|
|
||||||
|
/* if not rootdn and dgAuthz is present,
|
||||||
|
* check if user can be authorized as dgIdentity */
|
||||||
|
if ( ad_dgAuthz && !BER_BVISEMPTY( &id->a_nvals[0] ) && !be_isroot( op )
|
||||||
|
&& ( authz = attrs_find( e->e_attrs, ad_dgAuthz ) ) )
|
||||||
|
{
|
||||||
|
if ( slap_sasl_matches( op, authz->a_nvals,
|
||||||
|
&o.o_ndn, &o.o_ndn ) != LDAP_SUCCESS )
|
||||||
|
{
|
||||||
|
goto release;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
o.o_dn = id->a_vals[0];
|
o.o_dn = id->a_vals[0];
|
||||||
o.o_ndn = id->a_nvals[0];
|
o.o_ndn = id->a_nvals[0];
|
||||||
o.o_groups = NULL;
|
o.o_groups = NULL;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
dli = (dynlist_info_t *)on->on_bi.bi_private;
|
dli = (dynlist_info_t *)on->on_bi.bi_private;
|
||||||
for ( ; dli != NULL && rs->sr_err != LDAP_COMPARE_TRUE; dli = dli->dli_next ) {
|
for ( ; dli != NULL && rs->sr_err != LDAP_COMPARE_TRUE; dli = dli->dli_next ) {
|
||||||
Attribute *a;
|
Attribute *a;
|
||||||
@ -1355,6 +1404,15 @@ dynlist_db_open(
|
|||||||
/* Just a warning */
|
/* Just a warning */
|
||||||
}
|
}
|
||||||
|
|
||||||
|
rc = slap_str2ad( "dgAuthz", &ad_dgAuthz, &text );
|
||||||
|
if ( rc != LDAP_SUCCESS ) {
|
||||||
|
snprintf( cr->msg, sizeof( cr->msg),
|
||||||
|
"unable to fetch attributeDescription \"dgAuthz\": %d (%s)",
|
||||||
|
rc, text );
|
||||||
|
Debug( LDAP_DEBUG_ANY, "dynlist_db_open: %s\n", cr->msg, 0, 0 );
|
||||||
|
/* Just a warning */
|
||||||
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
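Review bot: The dgAuthz gate added in the `dynlist_compare` hunk (`@ -556,16 +570,33 @@`) fails open: `backend_attribute( &o, NULL, &o.o_req_ndn, ad_dgAuthz, &authz, ACL_READ )` appears to run under the requester's identity (`o` has not been switched yet at that point), so a requester who is denied read access to dgAuthz takes exactly the same path as an entry that carries no dgAuthz at all — the `&&` chain short-circuits, the rules are never evaluated, and the switch to dgIdentity proceeds — whereas the `dynlist_prepare_entry` and entry-based `dynlist_compare` paths in this same commit read the rules with `attrs_find` and no ACL, so only this path can be bypassed by an ACL that hides the attribute. Distinguish "absent" from "denied": keep the return code in a local and `goto done` on anything other than LDAP_SUCCESS or (presumably, as elsewhere in slapd) LDAP_NO_SUCH_ATTRIBUTE, rather than folding every failure into "no rules". Writing the `slap_sasl_matches` result into `rs->sr_err` before `goto done` also leaves a non-compare error code in the reply while SLAP_CB_CONTINUE is returned, which the local `rc` avoids. dynlist_compare's body, and the `o` operation copy it uses, begin outside this hunk.
```c
	BerVarray id = NULL, authz = NULL;
	int rc;
	/* … unchanged: o.o_do_not_cache, dgIdentity fetch … */
		/* if not rootdn and dgAuthz is present,
		 * check if user can be authorized as dgIdentity.
		 * An ACL denial on dgAuthz must not be mistaken for "no rules". */
		if ( ad_dgAuthz && !BER_BVISEMPTY( id ) && !be_isroot( op ) ) {
			rc = backend_attribute( &o, NULL, &o.o_req_ndn,
				ad_dgAuthz, &authz, ACL_READ );
			if ( rc == LDAP_SUCCESS ) {
				rc = slap_sasl_matches( op, authz, &o.o_ndn, &o.o_ndn );
				ber_bvarray_free_x( authz, op->o_tmpmemctx );
			}
			/* absent rules: unrestricted (prior behaviour); anything else: deny */
			if ( rc != LDAP_SUCCESS && rc != LDAP_NO_SUCH_ATTRIBUTE ) {
				goto done;
			}
		}
		/* … unchanged: identity switch to dgIdentity, backend_group() … */
```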
|
||||||
|
|
||||||
|
@ -67,6 +67,13 @@ attributetype ( DynGroupAttr:1
|
|||||||
DESC 'Identity to use when processing the memberURL'
|
DESC 'Identity to use when processing the memberURL'
|
||||||
SUP distinguishedName SINGLE-VALUE )
|
SUP distinguishedName SINGLE-VALUE )
|
||||||
|
|
||||||
|
attributeType ( DynGroupAttr:2
|
||||||
|
NAME 'dgAuthz'
|
||||||
|
DESC 'Optional authorization rules that determine who is allowed to assume the dgIdentity'
|
||||||
|
EQUALITY authzMatch
|
||||||
|
SYNTAX 1.3.6.1.4.1.4203.666.2.7
|
||||||
|
X-ORDERED 'VALUES' )
|
||||||
|
|
||||||
objectClass ( NetscapeLDAPobjectClass:33
|
objectClass ( NetscapeLDAPobjectClass:33
|
||||||
NAME 'groupOfURLs'
|
NAME 'groupOfURLs'
|
||||||
SUP top STRUCTURAL
|
SUP top STRUCTURAL
|
||||||
@ -79,4 +86,6 @@ objectClass ( NetscapeLDAPobjectClass:33
|
|||||||
objectClass ( DynGroupOC:1
|
objectClass ( DynGroupOC:1
|
||||||
NAME 'dgIdentityAux'
|
NAME 'dgIdentityAux'
|
||||||
SUP top AUXILIARY
|
SUP top AUXILIARY
|
||||||
MAY dgIdentity )
|
MAY ( dgIdentity $ dgAuthz ) )
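Review bot: The new `dgAuthz` DESC leaves the two most security-relevant properties of the attribute implicit: per the overlay code in this commit, when dgAuthz is absent the previous unconditional switch to dgIdentity still happens, and the rootdn is exempt from the rules (`!be_isroot( op )`). An administrator reading the schema should not have to read the overlay source to learn that adding a single dgAuthz value turns the restriction on and deleting the attribute silently turns it off; suggest `DESC 'Optional authorization rules (authz syntax) restricting who may assume the dgIdentity; when absent no restriction applies; the rootdn is never restricted'`. Since dgAuthz governs identity assumption, the slapo-dynlist(5) man page presumably needs the same description plus a recommendation to restrict write access to dgIdentity and dgAuthz to administrators; that file is not part of this change.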
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user