LDAPv2 disallow and other flag changes

Fix compile errors
2024-12-21 03:10:25 +08:00 · 2001-12-21 04:44:34 +00:00 · 2001-12-21 04:44:34 +00:00 · d23313a068
commit d23313a068
parent 0845c0bf6f
6 changed files with 34 additions and 35 deletions
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@ -202,7 +202,7 @@ do_bind(
 			NULL, "requested protocol version not supported", NULL, NULL );
 		goto cleanup;

-	} else if (( global_disallows & SLAP_DISALLOW_BIND_V2 ) &&
+	} else if (!( global_allows & SLAP_ALLOW_BIND_V2 ) &&
 		version < LDAP_VERSION3 )
 	{
 		send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR,
@ -331,13 +331,13 @@ do_bind(
 			text = NULL;

 			if( cred.bv_len &&
-				( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED ))
+				!( global_allows & SLAP_ALLOW_BIND_ANON_CRED ))
 			{
 				/* cred is not empty, disallow */
 				rc = LDAP_INVALID_CREDENTIALS;

 			} else if ( ndn != NULL && *ndn != '\0' &&
-				( global_disallows & SLAP_DISALLOW_BIND_ANON_DN ))
+				!( global_allows & SLAP_ALLOW_BIND_ANON_DN ))
 			{
 				/* DN is not empty, disallow */
 				rc = LDAP_UNWILLING_TO_PERFORM;
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@ -1266,8 +1266,14 @@ read_config( const char *fname )
 			allows = 0;

 			for( i=1; i < cargc; i++ ) {
-				if( strcasecmp( cargv[i], "tls_2_anon" ) == 0 ) {
-					allows |= SLAP_ALLOW_TLS_2_ANON;
+				if( strcasecmp( cargv[i], "bind_v2" ) == 0 ) {
+					allows |= SLAP_ALLOW_BIND_V2;
+
+				} else if( strcasecmp( cargv[i], "bind_anon_cred" ) == 0 ) {
+					allows |= SLAP_ALLOW_BIND_ANON_CRED;
+
+				} else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
+					allows |= SLAP_ALLOW_BIND_ANON_DN;

 				} else if( strcasecmp( cargv[i], "none" ) != 0 ) {
 #ifdef NEW_LOGGING
@ -1323,24 +1329,18 @@ read_config( const char *fname )
 			disallows = 0;

 			for( i=1; i < cargc; i++ ) {
-				if( strcasecmp( cargv[i], "bind_v2" ) == 0 ) {
-					disallows |= SLAP_DISALLOW_BIND_V2;
-
-				} else if( strcasecmp( cargv[i], "bind_anon" ) == 0 ) {
+				if( strcasecmp( cargv[i], "bind_anon" ) == 0 ) {
 					disallows |= SLAP_DISALLOW_BIND_ANON;

-				} else if( strcasecmp( cargv[i], "bind_anon_cred" ) == 0 ) {
-					disallows |= SLAP_DISALLOW_BIND_ANON_CRED;
-
-				} else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
-					disallows |= SLAP_DISALLOW_BIND_ANON_DN;
-
 				} else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) {
 					disallows |= SLAP_DISALLOW_BIND_SIMPLE;

 				} else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) {
 					disallows |= SLAP_DISALLOW_BIND_KRBV4;

+				} else if( strcasecmp( cargv[i], "tls_2_anon" ) == 0 ) {
+					disallows |= SLAP_DISALLOW_TLS_2_ANON;
+
 				} else if( strcasecmp( cargv[i], "tls_authc" ) == 0 ) {
 					disallows |= SLAP_DISALLOW_TLS_AUTHC;

--- a/servers/slapd/root_dse.c
+++ b/servers/slapd/root_dse.c
@ -117,7 +117,7 @@ root_dse_info(

 	/* supportedLDAPVersion */
 	for ( i=LDAP_VERSION_MIN; i<=LDAP_VERSION_MAX; i++ ) {
-		if (( global_disallows & SLAP_DISALLOW_BIND_V2 ) &&
+		if (!( global_allows & SLAP_ALLOW_BIND_V2 ) &&
 			( i < LDAP_VERSION3 ) )
 		{
 			/* version 2 and lower are disallowed */
--- a/servers/slapd/schema_check.c
+++ b/servers/slapd/schema_check.c
@ -76,6 +76,7 @@ entry_schema_check(
 		}
 	}

+	/* it's a REALLY bad idea to disable schema checks */
 	if( !global_schemacheck ) return LDAP_SUCCESS;

 	/* find the object class attribute - could error out here */
@ -559,4 +560,4 @@ int mods_structural_class(

 	return structural_class( ocmod->sml_bvalues, sc,
 		text, textbuf, textlen );
-}
+}
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@ -12,6 +12,7 @@

 #include "ldap_defaults.h"

+#include <stdio.h>
 #include <ac/stdlib.h>

 #include <sys/types.h>
@ -953,19 +954,16 @@ struct slap_backend_db {
 	| SLAP_RESTRICT_OP_MODIFY \
 	| SLAP_RESTRICT_OP_RENAME )

-#define SLAP_ALLOW_TLS_2_ANON	0x0001U /* StartTLS -> Anonymous */
+#define SLAP_ALLOW_BIND_V2			0x0001U	/* LDAPv2 bind */
+#define SLAP_ALLOW_BIND_ANON_CRED	0x0002U /* cred should be empty */
+#define SLAP_ALLOW_BIND_ANON_DN		0x0003U /* dn should be empty */

-#define SLAP_DISALLOW_BIND_V2	0x0001U	/* LDAPv2 bind */
-#define SLAP_DISALLOW_BIND_ANON 0x0002U /* no anonymous */
-#define SLAP_DISALLOW_BIND_ANON_CRED \
-								0x0004U /* cred should be empty */
-#define SLAP_DISALLOW_BIND_ANON_DN \
-								0x0008U /* dn should be empty */
+#define SLAP_DISALLOW_BIND_ANON		0x0001U /* no anonymous */
+#define SLAP_DISALLOW_BIND_SIMPLE	0x0002U	/* simple authentication */
+#define SLAP_DISALLOW_BIND_KRBV4	0x0004U /* Kerberos V4 authentication */

-#define SLAP_DISALLOW_BIND_SIMPLE	0x0010U	/* simple authentication */
-#define SLAP_DISALLOW_BIND_KRBV4	0x0020U /* Kerberos V4 authentication */
-
-#define SLAP_DISALLOW_TLS_AUTHC	0x0100U	/* TLS while authenticated */
+#define SLAP_DISALLOW_TLS_2_ANON	0x0010U /* StartTLS -> Anonymous */
+#define SLAP_DISALLOW_TLS_AUTHC		0x0020U	/* TLS while authenticated */

 	slap_mask_t	be_requires;	/* pre-operation requirements */
 #define SLAP_REQUIRE_BIND		0x0001U	/* bind before op */
--- a/servers/slapd/starttls.c
+++ b/servers/slapd/starttls.c
@ -61,6 +61,13 @@ starttls_extop (
 		goto done;
 	}

+	if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) &&
+		( conn->c_dn != NULL ) )
+	{
+		/* force to anonymous */
+		connection2anonymous( conn );
+	}
+
 	if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
 		( conn->c_dn != NULL ) )
 	{
@ -69,13 +76,6 @@ starttls_extop (
 		goto done;
 	}

-	if ( ( global_allows & SLAP_ALLOW_TLS_2_ANON ) &&
-		( conn->c_dn != NULL ) )
-	{
-		/* force to anonymous */
-		connection2anonymous( conn );
-	}
-
 	/* fail if TLS could not be initialized */
 	if (ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx ) != 0
 		|| ctx == NULL)