refine fix to ITS#4320

2025-01-30 13:30:57 +08:00 · 2006-01-10 02:05:54 +00:00 · 2006-01-10 02:05:54 +00:00 · 9bcb37b5c1
commit 9bcb37b5c1
parent cc51777312
4 changed files with 14 additions and 2 deletions
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@ -100,8 +100,11 @@ when DN is empty).
 .B bind_anon_dn
 allows unauthenticated (anonymous) bind when DN is not empty.
 .B update_anon
-allow unauthenticated (anonymous) update operations to be processed
+allows unauthenticated (anonymous) update operations to be processed
 (subject to access controls and other administrative limits).
+.B proxy_authz_anon
+allows unauthenticated (anonymous) proxy authorization control to be processed
+(subject to access controls, authorization and other administrative limits).
 .TP
 .B argsfile <filename>
 The ( absolute ) name of a file that will hold the 
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@ -1996,6 +1996,7 @@ config_allows(ConfigArgs *c) {
 		{ BER_BVC("bind_anon_cred"),	SLAP_ALLOW_BIND_ANON_CRED },
 		{ BER_BVC("bind_anon_dn"),	SLAP_ALLOW_BIND_ANON_DN },
 		{ BER_BVC("update_anon"),	SLAP_ALLOW_UPDATE_ANON },
+		{ BER_BVC("proxy_authz_anon"),	SLAP_ALLOW_PROXY_AUTHZ_ANON },
 		{ BER_BVNULL,	0 }
 	};
 	if (c->op == SLAP_CONFIG_EMIT) {
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@ -877,6 +877,13 @@ static int parseProxyAuthz (
 		return LDAP_PROTOCOL_ERROR;
 	}

+	if ( !( global_allows & SLAP_ALLOW_PROXY_AUTHZ_ANON )
+		&& BER_BVISEMPTY( &op->o_ndn ) )
+	{
+		rs->sr_text = "anonymous proxyAuthz not allowed";
+		return LDAP_PROXY_AUTHZ_FAILURE;
+	}
+
 	op->o_proxy_authz = ctrl->ldctl_iscritical
 		? SLAP_CONTROL_CRITICAL
 		: SLAP_CONTROL_NONCRITICAL;
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@ -1771,11 +1771,12 @@ struct slap_backend_db {
 	| SLAP_RESTRICT_OP_BIND \
 	| SLAP_RESTRICT_OP_EXTENDED )

-#define SLAP_ALLOW_BIND_V2			0x0001U	/* LDAPv2 bind */
+#define SLAP_ALLOW_BIND_V2		0x0001U	/* LDAPv2 bind */
 #define SLAP_ALLOW_BIND_ANON_CRED	0x0002U /* cred should be empty */
 #define SLAP_ALLOW_BIND_ANON_DN		0x0004U /* dn should be empty */

 #define SLAP_ALLOW_UPDATE_ANON		0x0008U /* allow anonymous updates */
+#define SLAP_ALLOW_PROXY_AUTHZ_ANON	0x0010U /* allow anonymous proxyAuthz */

 #define SLAP_DISALLOW_BIND_ANON		0x0001U /* no anonymous */
 #define SLAP_DISALLOW_BIND_SIMPLE	0x0002U	/* simple authentication */