improve parsing of acl-authcDN/acl-passwd

This commit is contained in:
Pierangelo Masarati 2005-01-22 18:48:03 +00:00
parent 066829a870
commit ae0f47b063
4 changed files with 62 additions and 15 deletions


@ -79,8 +79,8 @@ The URI list is space- or comma-separated.
.TP
.B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking; it
should have read access on the target server to attributes used on the
proxy for acl checking.
is supposed to have read access on the target server to attributes used
on the proxy for acl checking.
There is no risk of giving away such values; they are only used to
check permissions.
.B The acl-authcDN identity is by no means implicitly used by the proxy
@ -90,7 +90,10 @@ See the
feature instead.
.TP
.B acl-passwd <password>
Password used with the bind DN above.
Password used with the
.B
acl-authcDN
above.
.TP
.B idassert-authcdn "<administrative DN for proxyAuthz purposes>"
DN which is used to propagate the client's identity to the target


@ -134,17 +134,20 @@ The optional number marks target <target> as the default one, starting
from 1.
Target <target> must be defined.
.TP
.B binddn "<administrative DN for access control purposes>"
This directive, as in the LDAP backend, allows to define the DN that is
used to query the target server for acl checking; it should have read
access on the target server to attributes used on the proxy for acl
checking.
.B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking,
as in the LDAP backend; it is supposed to have read access
on the target server to attributes used on the proxy for acl checking.
There is no risk of giving away such values; they are only used to
check permissions.
.B The acl-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
.TP
.B bindpw <password for access control purposes>
This directive sets the password for acl checking in conjunction
with the above mentioned "binddn" directive.
.B acl-passwd <password>
Password used with the
.B
acl-authcDN
above.
.TP
.B rebind-as-user
If this option is given, the client's bind credentials are remembered


@ -215,24 +215,44 @@ ldap_back_db_config(
/* name to use for ldap_back_group */
} else if ( strcasecmp( argv[0], "acl-authcdn" ) == 0
|| strcasecmp( argv[0], "binddn" ) == 0 ) {
|| strcasecmp( argv[0], "binddn" ) == 0 )
{
if ( argc != 2 ) {
fprintf( stderr,
"%s: line %d: missing name in \"%s <name>\" line\n",
fname, lineno, argv[0] );
return( 1 );
}
if ( strcasecmp( argv[0], "binddn" ) == 0 ) {
fprintf( stderr, "%s: line %d: "
"\"binddn\" statement is deprecated; "
"use \"acl-authcDN\" instead\n",
fname, lineno );
/* FIXME: some day we'll need to throw an error */
}
ber_str2bv( argv[1], 0, 1, &li->acl_authcDN );
/* password to use for ldap_back_group */
} else if ( strcasecmp( argv[0], "acl-passwd" ) == 0
|| strcasecmp( argv[0], "bindpw" ) == 0 ) {
|| strcasecmp( argv[0], "bindpw" ) == 0 )
{
if ( argc != 2 ) {
fprintf( stderr,
"%s: line %d: missing password in \"%s <password>\" line\n",
fname, lineno, argv[0] );
return( 1 );
}
if ( strcasecmp( argv[0], "bindpw" ) == 0 ) {
fprintf( stderr, "%s: line %d: "
"\"bindpw\" statement is deprecated; "
"use \"acl-passwd\" instead\n",
fname, lineno );
/* FIXME: some day we'll need to throw an error */
}
ber_str2bv( argv[1], 0, 1, &li->acl_passwd );
/* identity assertion stuff... */
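Review bot: The acl-passwd branch only checks `argc != 2`, so `acl-passwd ""` passes validation and an empty berval is stored in `li->acl_passwd`; with a non-empty acl-authcDN that is the shape of an unauthenticated simple bind, which a target server may treat as anonymous, silently dropping the identity the operator configured for acl checks. Since the directive now has a dedicated error path, it is the natural place to reject it: `if ( argv[1][0] == '\0' ) { fprintf( stderr, "%s: line %d: empty password in \"%s <password>\" line\n", fname, lineno, argv[0] ); return( 1 ); }` right after the argc check. The acl-passwd hunk in the meta backend's `meta_back_db_config` has the same gap before its `ber_str2bv` into `mt_bindpw`. ldap_back_db_config begins and ends outside this hunk, so I cannot tell whether a later step validates the password.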


@ -302,7 +302,9 @@ meta_back_db_config(
li->network_timeout = atol(argv[ 1 ]);
/* name to use for meta_back_group */
} else if ( strcasecmp( argv[ 0 ], "binddn" ) == 0 ) {
} else if ( strcasecmp( argv[ 0 ], "acl-authcDN" ) == 0
|| strcasecmp( argv[ 0 ], "binddn" ) == 0 )
{
int i = li->ntargets-1;
struct berval dn;
@ -320,6 +322,14 @@ meta_back_db_config(
return 1;
}
if ( strcasecmp( argv[ 0 ], "binddn" ) == 0 ) {
fprintf( stderr, "%s: line %d: "
"\"binddn\" statement is deprecated; "
"use \"acl-authcDN\" instead\n",
fname, lineno );
/* FIXME: some day we'll need to throw an error */
}
dn.bv_val = argv[ 1 ];
dn.bv_len = strlen( argv[ 1 ] );
if ( dnNormalize( 0, NULL, NULL, &dn, &li->targets[ i ]->mt_binddn,
@ -332,7 +342,9 @@ meta_back_db_config(
}
/* password to use for meta_back_group */
} else if ( strcasecmp( argv[ 0 ], "bindpw" ) == 0 ) {
} else if ( strcasecmp( argv[ 0 ], "acl-passwd" ) == 0
|| strcasecmp( argv[ 0 ], "bindpw" ) == 0 )
{
int i = li->ntargets-1;
if ( i < 0 ) {
@ -348,6 +360,15 @@ meta_back_db_config(
fname, lineno );
return 1;
}
if ( strcasecmp( argv[ 0 ], "bindpw" ) == 0 ) {
fprintf( stderr, "%s: line %d: "
"\"bindpw\" statement is deprecated; "
"use \"acl-passwd\" instead\n",
fname, lineno );
/* FIXME: some day we'll need to throw an error */
}
ber_str2bv( argv[ 1 ], 0L, 1, &li->targets[ i ]->mt_bindpw );
/* save bind creds for referral rebinds? */
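Review bot: The deprecation warning is now the same four-line fprintf in four places (two here in meta_back_db_config, two in ldap_back_db_config), each carrying its own copy of the "FIXME: some day we'll need to throw an error" comment, so when that day comes the change has to be made in four spots and the message wording can drift. A small file-scope helper keeps the format string and the future error policy in one place; the call sites shrink to one line each. Minor consistency note: this file matches "acl-authcDN" while back-ldap matches "acl-authcdn"; strcasecmp makes them equivalent, but spelling them the same way avoids a reader wondering. meta_back_db_config starts and ends outside these hunks.
```c
/* Report use of a legacy directive name; the value is still accepted. */
static void
meta_back_warn_deprecated( const char *fname, int lineno,
	const char *old_name, const char *new_name )
{
	fprintf( stderr, "%s: line %d: \"%s\" statement is deprecated; "
		"use \"%s\" instead\n", fname, lineno, old_name, new_name );
	/* FIXME: some day we'll need to throw an error */
}

/* … unchanged: acl-authcDN argument and target checks … */
		if ( strcasecmp( argv[ 0 ], "binddn" ) == 0 ) {
			meta_back_warn_deprecated( fname, lineno, "binddn", "acl-authcDN" );
		}
/* … unchanged: dnNormalize of the DN, acl-passwd argument and target checks … */
		if ( strcasecmp( argv[ 0 ], "bindpw" ) == 0 ) {
			meta_back_warn_deprecated( fname, lineno, "bindpw", "acl-passwd" );
		}
```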