reflect Kurt's comments on ID assertion

2025-01-06 10:46:21 +08:00 · 2004-05-14 10:01:22 +00:00 · 2004-05-14 10:01:22 +00:00 · 8b954144d6
commit 8b954144d6
parent 9da35acf44
5 changed files with 138 additions and 64 deletions
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@ -98,29 +98,81 @@ their usage.
 .B proxyauthzpw <password>
 Password used with the proxy authzDN above.
 .TP
-.B idassert-mode {none|anonymous|self|proxyid|<dn>}
+.B idassert-mode <mode>
-defines what type of identity assertion is used.
+defines what type of
 .I identity assertion
 is used.
 The supported modes are:
 .RS
 .RS
 .TP
 .B <mode>={legacy|anonymous|self|none|<id>}
 .RE
 .RS
 .B <id>={u:<ID>|[dn:]<DN>}
 .RE
 The default is 
-.BR none ,
+.BR legacy ,
-which implies that the proxy will bind as itself and assert the user's
+which implies that the proxy will bind as
-identity only when a user is bound.
+.I proxyauthzdn
-Other values are
+and assert the client's identity when it is not anonymous.
 Direct binds are always proxied.
 The other modes imply that the proxy will always bind as 
 .IR proxyauthzdn ,
 unless restricted by
 .BR idassert-authz
 rules (see below), in which case the operation will fail;
 eventually, it will assert some other identity according to
 .BR <mode> .
 Other identity assertion modes are
 .BR anonymous
 and
 .BR self ,
-which respectively mean that the empty or the client's identity
+which respectively mean that the 
-will be asserted,
+.I empty 
-.BR proxyid ,
+or the 
-which means that no proxyAuthz control will be used, so the proxyauthzdn
+.IR client 's 
 identity
 will be asserted;
 .BR none ,
 which means that no proxyAuthz control will be used, so the
 .I proxyauthzdn
 identity will be asserted.
-Moreover, if a valid DN is used as 
+Moreover, if a string prefixed with
 .B u:
 or 
 .B dn:
 is used as 
 .BR <mode> ,
 that identity will be asserted.
 Ths string is also treated as a DN if it is not prefixed
 by any recognized type indicator.  Whether or not the 
 .B dn: 
 prefix is present, the string must pass DN validation and normalization.
 For all modes that require the use of the
 .I proxyAuthz 
 control, on the remote server the proxy identity must have appropriate 
 .I authzTo
 permissions, or the asserted identities must have appropriate
 .I authzFrom 
 permissions.  Note, however, that the ID assertion feature is mostly 
 useful when the asserted identities do not exist on the remote server.
 .TP
 .B idassert-authz <authz>
 if defined, selects what
 .I local
 identities are authorized to exploit the identity assertion feature.
 The string
 .B authz 
 follows the rules defined for the
 .I authzFrom
 attribute.
 See 
 .BR slapd.conf (5),
 section related to
 .BR authz-policy ,
 for details on the supported syntaxes.
 .TP
 .B proxy-whoami
 Turns on proxying of the WhoAmI extended operation. If this option is
--- a/servers/slapd/back-ldap/back-ldap.h
+++ b/servers/slapd/back-ldap/back-ldap.h
@ -94,12 +94,13 @@ struct ldapinfo {
 	/* ID assert stuff */
 	int		idassert_mode;
-#define	LDAP_BACK_IDASSERT_NONE		0
+#define	LDAP_BACK_IDASSERT_LEGACY	0
-#define	LDAP_BACK_IDASSERT_PROXYID	1
+#define	LDAP_BACK_IDASSERT_NOASSERT	1
 #define	LDAP_BACK_IDASSERT_ANONYMOUS	2
 #define	LDAP_BACK_IDASSERT_SELF		3
-#define	LDAP_BACK_IDASSERT_OTHER	4
+#define	LDAP_BACK_IDASSERT_OTHERDN	4
-	struct berval	idassert_dn;
+#define	LDAP_BACK_IDASSERT_OTHERID	5
 	struct berval	idassert_id;
 	BerVarray	idassert_authz;
 	/* end of ID assert stuff */
 #endif /* LDAP_BACK_PROXY_AUTHZ */
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@ -380,8 +380,6 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 	ldap_pvt_thread_mutex_lock( &lc->lc_mutex );
 	if ( !lc->bound ) {
 #ifdef LDAP_BACK_PROXY_AUTHZ
 		int	gotit = 0;
 #if 0
 		/*
 		 * FIXME: we need to let clients use proxyAuthz
 		 * otherwise we cannot do symmetric pools of servers;
@ -394,9 +392,6 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 		 * and implementation do not allow proxy authorization
 		 * control to be provided with Bind requests
 		 */
 		gotit = op->o_proxy_authz;
 #endif
 		/*
 		 * if no bind took place yet, but the connection is bound
 		 * and the "proxyauthzdn" is set, then bind as 
@ -412,10 +407,10 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 			/* bind as proxyauthzdn only if no idassert mode is requested,
 			 * or if the client's identity is authorized */
 			switch ( li->idassert_mode ) {
-			case LDAP_BACK_IDASSERT_NONE:
+			case LDAP_BACK_IDASSERT_LEGACY:
 	      			if ( !BER_BVISNULL( &op->o_conn->c_dn ) && !BER_BVISEMPTY( &op->o_conn->c_dn )
-	      					&& !BER_BVISNULL( &li->proxyauthzdn ) && !BER_BVISEMPTY( &li->proxyauthzdn )
+	      					&& !BER_BVISNULL( &li->proxyauthzdn ) && !BER_BVISEMPTY( &li->proxyauthzdn ) )
-	      					&& !gotit ) {
+				{
 					binddn = li->proxyauthzdn;
 					bindcred = li->proxyauthzpw;
 				}
@ -425,10 +420,12 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 				if ( li->idassert_authz ) {
 					struct berval	authcDN = BER_BVISNULL( &op->o_conn->c_dn ) ? slap_empty_bv : op->o_conn->c_dn;
-					rc = slap_sasl_matches( op, li->idassert_authz,
+					rs->sr_err = slap_sasl_matches( op, li->idassert_authz,
 							&authcDN, &authcDN );
-					if ( rc != LDAP_SUCCESS ) {
+					if ( rs->sr_err != LDAP_SUCCESS ) {
-						break;
+						send_ldap_result( op, rs );
 						lc->bound = 0;
 						goto done;
 					}
 				}
 				binddn = li->proxyauthzdn;
@ -451,6 +448,8 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 			lc->bound = 1;
 		}
 	}
 done:;
 	rc = lc->bound;
 	ldap_pvt_thread_mutex_unlock( &lc->lc_mutex );
 	return rc;
@ -636,7 +635,7 @@ ldap_back_proxy_authz_ctrl(
 	struct ldapinfo	*li = (struct ldapinfo *) op->o_bd->be_private;
 	LDAPControl	**ctrls = NULL;
 	int		i = 0;
-	struct berval	assertedDN;
+	struct berval	assertedID;
 	*pctrls = NULL;
@ -648,7 +647,7 @@ ldap_back_proxy_authz_ctrl(
 		goto done;
 	}
-	if ( li->idassert_mode == LDAP_BACK_IDASSERT_NONE ) {
+	if ( li->idassert_mode == LDAP_BACK_IDASSERT_LEGACY ) {
 		if ( op->o_proxy_authz ) {
 			/*
 			 * FIXME: we do not want to perform proxyAuthz
@ -694,33 +693,34 @@ ldap_back_proxy_authz_ctrl(
 	}
 	switch ( li->idassert_mode ) {
-	case LDAP_BACK_IDASSERT_NONE:
+	case LDAP_BACK_IDASSERT_LEGACY:
 	case LDAP_BACK_IDASSERT_SELF:
 		/* original behavior:
 		 * assert the client's identity */
-		assertedDN = op->o_conn->c_dn;
+		assertedID = op->o_conn->c_dn;
 		break;
 	case LDAP_BACK_IDASSERT_ANONYMOUS:
 		/* assert "anonymous" */
-		assertedDN = slap_empty_bv;
+		assertedID = slap_empty_bv;
 		break;
-	case LDAP_BACK_IDASSERT_PROXYID:
+	case LDAP_BACK_IDASSERT_NOASSERT:
 		/* don't assert; bind as proxyauthzdn */
 		goto done;
-	case LDAP_BACK_IDASSERT_OTHER:
+	case LDAP_BACK_IDASSERT_OTHERID:
 	case LDAP_BACK_IDASSERT_OTHERDN:
 		/* assert idassert DN */
-		assertedDN = li->idassert_dn;
+		assertedID = li->idassert_id;
 		break;
 	default:
 		assert( 0 );
 	}
-	if ( BER_BVISNULL( &assertedDN ) ) {
+	if ( BER_BVISNULL( &assertedID ) ) {
-		assertedDN = slap_empty_bv;
+		assertedID = slap_empty_bv;
 	}
 	ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) );
@ -728,12 +728,19 @@ ldap_back_proxy_authz_ctrl(
 	ctrls[ 0 ]->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
 	ctrls[ 0 ]->ldctl_iscritical = 1;
-	ctrls[ 0 ]->ldctl_value.bv_len = assertedDN.bv_len + STRLENOF( "dn:" );
+
-	ctrls[ 0 ]->ldctl_value.bv_val = ch_malloc( ctrls[ 0 ]->ldctl_value.bv_len + 1 );
+	/* already in u:ID form */
-	AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val, "dn:", STRLENOF( "dn:" ) );
+	if ( li->idassert_mode == LDAP_BACK_IDASSERT_OTHERID ) {
-	AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val + STRLENOF( "dn:" ),
+		ber_dupbv( &ctrls[ 0 ]->ldctl_value, &assertedID );
-			assertedDN.bv_val, assertedDN.bv_len );
+
-	ctrls[ 0 ]->ldctl_value.bv_val[ ctrls[ 0 ]->ldctl_value.bv_len ] = '\0';
+	/* needs the dn: prefix */
 	} else {
 		ctrls[ 0 ]->ldctl_value.bv_len = assertedID.bv_len + STRLENOF( "dn:" );
 		ctrls[ 0 ]->ldctl_value.bv_val = ch_malloc( ctrls[ 0 ]->ldctl_value.bv_len + 1 );
 		AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val, "dn:", STRLENOF( "dn:" ) );
 		AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val + STRLENOF( "dn:" ),
 				assertedID.bv_val, assertedID.bv_len + 1 );
 	}
 	if ( op->o_ctrls ) {
 		for ( i = 0; op->o_ctrls[ i ]; i++ ) {
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@ -687,9 +687,9 @@ parse_idassert(
 			return 1;
 		}
-		if ( strcasecmp( argv[1], "none" ) == 0 ) {
+		if ( strcasecmp( argv[1], "legacy" ) == 0 ) {
 			/* will proxyAuthz as client's identity only if bound */
-			li->idassert_mode = LDAP_BACK_IDASSERT_NONE;
+			li->idassert_mode = LDAP_BACK_IDASSERT_LEGACY;
 		} else if ( strcasecmp( argv[1], "self" ) == 0 ) {
 			/* will proxyAuthz as client's identity */
@ -699,31 +699,45 @@ parse_idassert(
 			/* will proxyAuthz as anonymous */
 			li->idassert_mode = LDAP_BACK_IDASSERT_ANONYMOUS;
-		} else if ( strcasecmp( argv[1], "proxyid" ) == 0 ) {
+		} else if ( strcasecmp( argv[1], "none" ) == 0 ) {
 			/* will not proxyAuthz */
-			li->idassert_mode = LDAP_BACK_IDASSERT_PROXYID;
+			li->idassert_mode = LDAP_BACK_IDASSERT_NOASSERT;
 		} else {
-			struct berval	dn;
+			struct berval	id;
 			int		rc;
 			/* will proxyAuthz as argv[1] */
-			li->idassert_mode = LDAP_BACK_IDASSERT_OTHER;
+			ber_str2bv( argv[1], 0, 0, &id );
 			ber_str2bv( argv[1], 0, 0, &dn );
-			rc = dnNormalize( 0, NULL, NULL, &dn, &li->idassert_dn, NULL );
+			if ( strncasecmp( id.bv_val, "u:", STRLENOF( "u:" ) ) == 0 ) {
-			if ( rc != LDAP_SUCCESS ) {
+				/* force lowercase... */
 				id.bv_val[0] = 'u';
 				li->idassert_mode = LDAP_BACK_IDASSERT_OTHERID;
 				ber_dupbv( &li->idassert_id, &id );
 			} else {
 				/* default is DN? */
 				if ( strncasecmp( id.bv_val, "dn:", STRLENOF( "dn:" ) ) == 0 ) {
 					id.bv_val += STRLENOF( "dn:" );
 					id.bv_len -= STRLENOF( "dn:" );
 				}
 				rc = dnNormalize( 0, NULL, NULL, &id, &li->idassert_id, NULL );
 				if ( rc != LDAP_SUCCESS ) {
 #ifdef NEW_LOGGING
-				LDAP_LOG( CONFIG, CRIT, 
+					LDAP_LOG( CONFIG, CRIT, 
-					"%s: line %d: idassert DN \"%s\" is invalid.\n",
+						"%s: line %d: idassert ID \"%s\" is not a valid DN.\n",
-					fname, lineno, argv[1] );
+						fname, lineno, argv[1] );
 #else
-				Debug( LDAP_DEBUG_ANY,
+					Debug( LDAP_DEBUG_ANY,
-					"%s: line %d: idassert DN \"%s\" is invalid\n",
+						"%s: line %d: idassert ID \"%s\" is not a valid DN\n",
-					fname, lineno, argv[1] );
+						fname, lineno, argv[1] );
 #endif
-				return 1;
+					return 1;
 				}
 				li->idassert_mode = LDAP_BACK_IDASSERT_OTHERDN;
 			}
 		}
--- a/servers/slapd/back-ldap/init.c
+++ b/servers/slapd/back-ldap/init.c
@ -105,8 +105,8 @@ ldap_back_db_init(
 	BER_BVZERO( &li->proxyauthzdn );
 	BER_BVZERO( &li->proxyauthzpw );
-	li->idassert_mode = LDAP_BACK_IDASSERT_NONE;
+	li->idassert_mode = LDAP_BACK_IDASSERT_LEGACY;
-	BER_BVZERO( &li->idassert_dn );
+	BER_BVZERO( &li->idassert_id );
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 #ifdef ENABLE_REWRITE
@ -217,9 +217,9 @@ ldap_back_db_destroy(
 			ch_free( li->proxyauthzpw.bv_val );
 			BER_BVZERO( &li->proxyauthzpw );
 		}
-		if ( !BER_BVISNULL( &li->idassert_dn ) ) {
+		if ( !BER_BVISNULL( &li->idassert_id ) ) {
-			ch_free( li->idassert_dn.bv_val );
+			ch_free( li->idassert_id.bv_val );
-			BER_BVZERO( &li->idassert_dn );
+			BER_BVZERO( &li->idassert_id );
 		}
 #endif /* LDAP_BACK_PROXY_AUTHZ */
                if (li->conntree) {