From ae0f47b063cc67037f4e8d75e86eac9933642fe3 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Sat, 22 Jan 2005 18:48:03 +0000
Subject: [PATCH] improve parsing of acl-authcDN/acl-passwd
---
 doc/man/man5/slapd-ldap.5 | 9 ++++++---
 doc/man/man5/slapd-meta.5 | 19 +++++++++++--------
 servers/slapd/back-ldap/config.c | 24 ++++++++++++++++++++++--
 servers/slapd/back-meta/config.c | 25 +++++++++++++++++++++++--
 4 files changed, 62 insertions(+), 15 deletions(-)
diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
index e345281e53..893861c504 100644
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -79,8 +79,8 @@ The URI list is space- or comma-separated.
 .TP
 .B acl-authcDN ""
 DN which is used to query the target server for acl checking; it
-should have read access on the target server to attributes used on the
-proxy for acl checking.
+is supposed to have read access on the target server to attributes used
+on the proxy for acl checking.
 There is no risk of giving away such values; they are only used to check permissions.
 .B The acl-authcDN identity is by no means implicitly used by the proxy
@@ -90,7 +90,10 @@ See the feature instead.
 .TP
 .B acl-passwd
-Password used with the bind DN above.
+Password used with the
+.B
+acl-authcDN
+above.
 .TP
 .B idassert-authcdn ""
 DN which is used to propagate the client's identity to the target
diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5
index c063ab2247..4b796d3760 100644
--- a/doc/man/man5/slapd-meta.5
+++ b/doc/man/man5/slapd-meta.5
@@ -134,17 +134,20 @@ The optional number marks target as the default one, starting from 1. Target must be defined.
 .TP
-.B binddn ""
-This directive, as in the LDAP backend, allows to define the DN that is
-used to query the target server for acl checking; it should have read
-access on the target server to attributes used on the proxy for acl
-checking.
+.B acl-authcDN ""
+DN which is used to query the target server for acl checking,
+as in the LDAP backend; it is supposed to have read access
+on the target server to attributes used on the proxy for acl checking.
 There is no risk of giving away such values; they are only used to check permissions.
+.B The acl-authcDN identity is by no means implicitly used by the proxy
+.B when the client connects anonymously.
 .TP
-.B bindpw
-This directive sets the password for acl checking in conjunction
-with the above mentioned "binddn" directive.
+.B acl-passwd
+Password used with the
+.B
+acl-authcDN
+above.
 .TP
 .B rebind-as-user
 If this option is given, the client's bind credentials are remembered
diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c
index bdbdc698ce..fd85eecea3 100644
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@@ -215,24 +215,44 @@ ldap_back_db_config(
 /* name to use for ldap_back_group */
 } else if ( strcasecmp( argv[0], "acl-authcdn" ) == 0
- || strcasecmp( argv[0], "binddn" ) == 0 ) {
+ || strcasecmp( argv[0], "binddn" ) == 0 )
+ {
 if ( argc != 2 ) {
 fprintf( stderr, "%s: line %d: missing name in \"%s \" line\n", fname, lineno, argv[0] );
 return( 1 );
 }
+
+ if ( strcasecmp( argv[0], "binddn" ) == 0 ) {
+ fprintf( stderr, "%s: line %d: "
+ "\"binddn\" statement is deprecated; "
+ "use \"acl-authcDN\" instead\n",
+ fname, lineno );
+ /* FIXME: some day we'll need to throw an error */
+ }
+
 ber_str2bv( argv[1], 0, 1, &li->acl_authcDN );
 /* password to use for ldap_back_group */
 } else if ( strcasecmp( argv[0], "acl-passwd" ) == 0
- || strcasecmp( argv[0], "bindpw" ) == 0 ) {
+ || strcasecmp( argv[0], "bindpw" ) == 0 )
+ {
 if ( argc != 2 ) {
 fprintf( stderr, "%s: line %d: missing password in \"%s \" line\n", fname, lineno, argv[0] );
 return( 1 );
 }
+
+ if ( strcasecmp( argv[0], "bindpw" ) == 0 ) {
+ fprintf( stderr, "%s: line %d: "
+ "\"bindpw\" statement is deprecated; "
+ "use \"acl-passwd\" instead\n",
+ fname, lineno );
+ /* FIXME: some day we'll need to throw an error */
+ }
+
 ber_str2bv( argv[1], 0, 1, &li->acl_passwd );
 /* identity assertion stuff... */
diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c
index 1459cef1a6..9682b2d7af 100644
--- a/servers/slapd/back-meta/config.c
+++ b/servers/slapd/back-meta/config.c
@@ -302,7 +302,9 @@ meta_back_db_config(
 li->network_timeout = atol(argv[ 1 ]);
 /* name to use for meta_back_group */
- } else if ( strcasecmp( argv[ 0 ], "binddn" ) == 0 ) {
+ } else if ( strcasecmp( argv[ 0 ], "acl-authcDN" ) == 0
+ || strcasecmp( argv[ 0 ], "binddn" ) == 0 )
+ {
 int i = li->ntargets-1;
 struct berval dn;
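Review bot: `ber_str2bv( argv[1], 0, 1, &li->acl_authcDN )` duplicates the argument into the field without looking at what is already stored there, so a slapd.conf that carries the deprecated `binddn` next to the new `acl-authcDN` (the natural state half-way through a migration) leaks the first copy and silently keeps whichever line comes last; the `acl-passwd`/`bindpw` pair writing `li->acl_passwd` in the second half of the hunk behaves the same way. Now that two spellings feed one field, this is the place to settle the conflict: either reject a second definition with the same `fprintf( stderr, ... ); return( 1 );` shape as the `argc` check above, or at least release the earlier value first, e.g. `if ( !BER_BVISNULL( &li->acl_authcDN ) ) ch_free( li->acl_authcDN.bv_val );` (assuming the structure is zeroed when the backend instance is created). For the password field, freeing the superseded copy rather than just dropping the pointer also keeps a stale credential from lingering in the heap for the lifetime of the process. The enclosing `ldap_back_db_config` else-if chain begins before and continues after this hunk.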
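Review bot: The keyword is spelled `"acl-authcDN"` in this comparison while back-ldap/config.c in the same commit compares against `"acl-authcdn"`; `strcasecmp` hides the difference at runtime, but the two backends should spell the directive identically so a search for the option name finds both implementations. The slapd-meta.5 change describes the directive as working "as in the LDAP backend", yet this branch goes on to pass the value through `dnNormalize` into `mt_binddn` (visible in the following hunk) whereas back-ldap stores the raw string; a one-line comment above the branch, such as `/* unlike back-ldap, the DN is stored in normalized form (see dnNormalize below) */`, would make the intentional difference explicit. The else-if chain this branch belongs to starts and ends outside the hunk.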
@@ -320,6 +322,14 @@ meta_back_db_config(
 return 1;
 }
+ if ( strcasecmp( argv[ 0 ], "binddn" ) == 0 ) {
+ fprintf( stderr, "%s: line %d: "
+ "\"binddn\" statement is deprecated; "
+ "use \"acl-authcDN\" instead\n",
+ fname, lineno );
+ /* FIXME: some day we'll need to throw an error */
+ }
+
 dn.bv_val = argv[ 1 ];
 dn.bv_len = strlen( argv[ 1 ] );
 if ( dnNormalize( 0, NULL, NULL, &dn, &li->targets[ i ]->mt_binddn,
@@ -332,7 +342,9 @@ meta_back_db_config(
 }
 /* password to use for meta_back_group */
- } else if ( strcasecmp( argv[ 0 ], "bindpw" ) == 0 ) {
+ } else if ( strcasecmp( argv[ 0 ], "acl-passwd" ) == 0
+ || strcasecmp( argv[ 0 ], "bindpw" ) == 0 )
+ {
 int i = li->ntargets-1;
 if ( i < 0 ) {
@@ -348,6 +360,15 @@ meta_back_db_config(
 fname, lineno );
 return 1;
 }
+
+ if ( strcasecmp( argv[ 0 ], "bindpw" ) == 0 ) {
+ fprintf( stderr, "%s: line %d: "
+ "\"bindpw\" statement is deprecated; "
+ "use \"acl-passwd\" instead\n",
+ fname, lineno );
+ /* FIXME: some day we'll need to throw an error */
+ }
+
 ber_str2bv( argv[ 1 ], 0L, 1, &li->targets[ i ]->mt_bindpw );
 /* save bind creds for referral rebinds? */
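Review bot: In the last hunk `ber_str2bv( argv[ 1 ], 0L, 1, &li->targets[ i ]->mt_bindpw )` overwrites the target's stored password without checking or freeing the previous value, so a target section that lists both the deprecated `bindpw` and the new `acl-passwd` leaks the earlier copy and silently takes whichever appears last; the same appears to hold for `mt_binddn` in the first hunk if `dnNormalize` allocates its output as it does elsewhere in slapd. With two spellings now mapping to one field, consider treating a second definition as an error in the style of the surrounding `return 1;` checks, or at least `if ( !BER_BVISNULL( &li->targets[ i ]->mt_bindpw ) ) ch_free( li->targets[ i ]->mt_bindpw.bv_val );` before the copy, which also keeps a superseded password from lingering in the heap. All three hunks lie inside `meta_back_db_config`, whose else-if chain starts and ends outside them.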