improve parsing of acl-authcDN/acl-passwd
This commit is contained in:
parent
066829a870
commit
ae0f47b063
@ -79,8 +79,8 @@ The URI list is space- or comma-separated.
|
||||
.TP
|
||||
.B acl-authcDN "<administrative DN for access control purposes>"
|
||||
DN which is used to query the target server for acl checking; it
|
||||
should have read access on the target server to attributes used on the
|
||||
proxy for acl checking.
|
||||
is supposed to have read access on the target server to attributes used
|
||||
on the proxy for acl checking.
|
||||
There is no risk of giving away such values; they are only used to
|
||||
check permissions.
|
||||
.B The acl-authcDN identity is by no means implicitly used by the proxy
|
||||
@ -90,7 +90,10 @@ See the
|
||||
feature instead.
|
||||
.TP
|
||||
.B acl-passwd <password>
|
||||
Password used with the bind DN above.
|
||||
Password used with the
|
||||
.B
|
||||
acl-authcDN
|
||||
above.
|
||||
.TP
|
||||
.B idassert-authcdn "<administrative DN for proxyAuthz purposes>"
|
||||
DN which is used to propagate the client's identity to the target
|
||||
|
@ -134,17 +134,20 @@ The optional number marks target <target> as the default one, starting
|
||||
from 1.
|
||||
Target <target> must be defined.
|
||||
.TP
|
||||
.B binddn "<administrative DN for access control purposes>"
|
||||
This directive, as in the LDAP backend, allows to define the DN that is
|
||||
used to query the target server for acl checking; it should have read
|
||||
access on the target server to attributes used on the proxy for acl
|
||||
checking.
|
||||
.B acl-authcDN "<administrative DN for access control purposes>"
|
||||
DN which is used to query the target server for acl checking,
|
||||
as in the LDAP backend; it is supposed to have read access
|
||||
on the target server to attributes used on the proxy for acl checking.
|
||||
There is no risk of giving away such values; they are only used to
|
||||
check permissions.
|
||||
.B The acl-authcDN identity is by no means implicitly used by the proxy
|
||||
.B when the client connects anonymously.
|
||||
.TP
|
||||
.B bindpw <password for access control purposes>
|
||||
This directive sets the password for acl checking in conjunction
|
||||
with the above mentioned "binddn" directive.
|
||||
.B acl-passwd <password>
|
||||
Password used with the
|
||||
.B
|
||||
acl-authcDN
|
||||
above.
|
||||
.TP
|
||||
.B rebind-as-user
|
||||
If this option is given, the client's bind credentials are remembered
|
||||
|
@ -215,24 +215,44 @@ ldap_back_db_config(
|
||||
|
||||
/* name to use for ldap_back_group */
|
||||
} else if ( strcasecmp( argv[0], "acl-authcdn" ) == 0
|
||||
|| strcasecmp( argv[0], "binddn" ) == 0 ) {
|
||||
|| strcasecmp( argv[0], "binddn" ) == 0 )
|
||||
{
|
||||
if ( argc != 2 ) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: missing name in \"%s <name>\" line\n",
|
||||
fname, lineno, argv[0] );
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
if ( strcasecmp( argv[0], "binddn" ) == 0 ) {
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"\"binddn\" statement is deprecated; "
|
||||
"use \"acl-authcDN\" instead\n",
|
||||
fname, lineno );
|
||||
/* FIXME: some day we'll need to throw an error */
|
||||
}
|
||||
|
||||
ber_str2bv( argv[1], 0, 1, &li->acl_authcDN );
|
||||
|
||||
/* password to use for ldap_back_group */
|
||||
} else if ( strcasecmp( argv[0], "acl-passwd" ) == 0
|
||||
|| strcasecmp( argv[0], "bindpw" ) == 0 ) {
|
||||
|| strcasecmp( argv[0], "bindpw" ) == 0 )
|
||||
{
|
||||
if ( argc != 2 ) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: missing password in \"%s <password>\" line\n",
|
||||
fname, lineno, argv[0] );
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
if ( strcasecmp( argv[0], "bindpw" ) == 0 ) {
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"\"bindpw\" statement is deprecated; "
|
||||
"use \"acl-passwd\" instead\n",
|
||||
fname, lineno );
|
||||
/* FIXME: some day we'll need to throw an error */
|
||||
}
|
||||
|
||||
ber_str2bv( argv[1], 0, 1, &li->acl_passwd );
|
||||
|
||||
/* identity assertion stuff... */
|
||||
|
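Review bot: A repeated `acl-authcDN`/`binddn` line overwrites `li->acl_authcDN` through `ber_str2bv( argv[1], 0, 1, &li->acl_authcDN );` without releasing the buffer the earlier call duplicated, so a duplicated directive leaks and silently keeps only the last value; the same holds for `li->acl_passwd` below and for `mt_binddn`/`mt_bindpw` in the meta_back_db_config hunks. Before the copy, either reject the repeat with an error or free the old value, e.g. `if ( li->acl_authcDN.bv_val != NULL ) { ber_memfree( li->acl_authcDN.bv_val ); }` (assuming `li` is zero-initialized on allocation). This backend also stores the DN exactly as typed, whereas the meta backend runs it through dnNormalize(); if `acl_authcDN` is later compared against normalized DNs it should be normalized here as well, which is worth confirming against its consumers. ldap_back_db_config starts and ends outside this hunk.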
@ -302,7 +302,9 @@ meta_back_db_config(
|
||||
li->network_timeout = atol(argv[ 1 ]);
|
||||
|
||||
/* name to use for meta_back_group */
|
||||
} else if ( strcasecmp( argv[ 0 ], "binddn" ) == 0 ) {
|
||||
} else if ( strcasecmp( argv[ 0 ], "acl-authcDN" ) == 0
|
||||
|| strcasecmp( argv[ 0 ], "binddn" ) == 0 )
|
||||
{
|
||||
int i = li->ntargets-1;
|
||||
struct berval dn;
|
||||
|
||||
@ -320,6 +322,14 @@ meta_back_db_config(
|
||||
return 1;
|
||||
}
|
||||
|
||||
if ( strcasecmp( argv[ 0 ], "binddn" ) == 0 ) {
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"\"binddn\" statement is deprecated; "
|
||||
"use \"acl-authcDN\" instead\n",
|
||||
fname, lineno );
|
||||
/* FIXME: some day we'll need to throw an error */
|
||||
}
|
||||
|
||||
dn.bv_val = argv[ 1 ];
|
||||
dn.bv_len = strlen( argv[ 1 ] );
|
||||
if ( dnNormalize( 0, NULL, NULL, &dn, &li->targets[ i ]->mt_binddn,
|
||||
@ -332,7 +342,9 @@ meta_back_db_config(
|
||||
}
|
||||
|
||||
/* password to use for meta_back_group */
|
||||
} else if ( strcasecmp( argv[ 0 ], "bindpw" ) == 0 ) {
|
||||
} else if ( strcasecmp( argv[ 0 ], "acl-passwd" ) == 0
|
||||
|| strcasecmp( argv[ 0 ], "bindpw" ) == 0 )
|
||||
{
|
||||
int i = li->ntargets-1;
|
||||
|
||||
if ( i < 0 ) {
|
||||
@ -348,6 +360,15 @@ meta_back_db_config(
|
||||
fname, lineno );
|
||||
return 1;
|
||||
}
|
||||
|
||||
if ( strcasecmp( argv[ 0 ], "bindpw" ) == 0 ) {
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"\"bindpw\" statement is deprecated; "
|
||||
"use \"acl-passwd\" instead\n",
|
||||
fname, lineno );
|
||||
/* FIXME: some day we'll need to throw an error */
|
||||
}
|
||||
|
||||
ber_str2bv( argv[ 1 ], 0L, 1, &li->targets[ i ]->mt_bindpw );
|
||||
|
||||
/* save bind creds for referral rebinds? */
|
||||
|
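Review bot: The warning block at `if ( strcasecmp( argv[ 0 ], "bindpw" ) == 0 )` is the fourth copy of the same fprintf-plus-FIXME pattern introduced by this commit (two in ldap_back_db_config, two here); a file-static helper such as `static void warn_deprecated( const char *fname, int lineno, const char *old, const char *new )` called as `warn_deprecated( fname, lineno, "bindpw", "acl-passwd" );` would keep the four messages in step and give the FIXME a single place to become a hard error later. Separately, the earlier hunk compares the keyword as `"acl-authcDN"` while the ldap backend compares `"acl-authcdn"`; strcasecmp() makes both match, but a single spelling across backends is easier to grep for. meta_back_db_config starts and ends outside these hunks.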