LDAPv2 disallow and other flag changes

Fix compile errors
This commit is contained in:
Kurt Zeilenga 2001-12-21 04:44:34 +00:00
parent 0845c0bf6f
commit d23313a068
6 changed files with 34 additions and 35 deletions


@ -202,7 +202,7 @@ do_bind(
NULL, "requested protocol version not supported", NULL, NULL ); NULL, "requested protocol version not supported", NULL, NULL );
goto cleanup; goto cleanup;
} else if (( global_disallows & SLAP_DISALLOW_BIND_V2 ) && } else if (!( global_allows & SLAP_ALLOW_BIND_V2 ) &&
version < LDAP_VERSION3 ) version < LDAP_VERSION3 )
{ {
send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR, send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR,
@ -331,13 +331,13 @@ do_bind(
text = NULL; text = NULL;
if( cred.bv_len && if( cred.bv_len &&
( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED )) !( global_allows & SLAP_ALLOW_BIND_ANON_CRED ))
{ {
/* cred is not empty, disallow */ /* cred is not empty, disallow */
rc = LDAP_INVALID_CREDENTIALS; rc = LDAP_INVALID_CREDENTIALS;
} else if ( ndn != NULL && *ndn != '\0' && } else if ( ndn != NULL && *ndn != '\0' &&
( global_disallows & SLAP_DISALLOW_BIND_ANON_DN )) !( global_allows & SLAP_ALLOW_BIND_ANON_DN ))
{ {
/* DN is not empty, disallow */ /* DN is not empty, disallow */
rc = LDAP_UNWILLING_TO_PERFORM; rc = LDAP_UNWILLING_TO_PERFORM;


@ -1266,8 +1266,14 @@ read_config( const char *fname )
allows = 0; allows = 0;
for( i=1; i < cargc; i++ ) { for( i=1; i < cargc; i++ ) {
if( strcasecmp( cargv[i], "tls_2_anon" ) == 0 ) { if( strcasecmp( cargv[i], "bind_v2" ) == 0 ) {
allows |= SLAP_ALLOW_TLS_2_ANON; allows |= SLAP_ALLOW_BIND_V2;
} else if( strcasecmp( cargv[i], "bind_anon_cred" ) == 0 ) {
allows |= SLAP_ALLOW_BIND_ANON_CRED;
} else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
allows |= SLAP_ALLOW_BIND_ANON_DN;
} else if( strcasecmp( cargv[i], "none" ) != 0 ) { } else if( strcasecmp( cargv[i], "none" ) != 0 ) {
#ifdef NEW_LOGGING #ifdef NEW_LOGGING
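Review bot: The keywords `bind_v2`, `bind_anon_cred` and `bind_anon_dn` now parse only under `allow`, with the exact strings that the second hunk removes from `disallow`, so an existing `disallow bind_v2` line no longer matches any keyword and reaches the `"none"` fall-through at the end of this hunk, which from the visible `#ifdef NEW_LOGGING` line appears to log rather than silently accept; worth confirming that path is a hard configuration error so the inverted semantics cannot go unnoticed. The default also flips: LDAPv2 and anonymous binds with a non-empty cred or DN are refused unless explicitly allowed, and nothing in the parser says so. Suggest a comment above the `allows = 0;` loop: `/* bind_v2, bind_anon_cred and bind_anon_dn are opt-in: the default is to refuse them (see do_bind) */`. read_config's body starts and ends outside this hunk.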
@ -1323,24 +1329,18 @@ read_config( const char *fname )
disallows = 0; disallows = 0;
for( i=1; i < cargc; i++ ) { for( i=1; i < cargc; i++ ) {
if( strcasecmp( cargv[i], "bind_v2" ) == 0 ) { if( strcasecmp( cargv[i], "bind_anon" ) == 0 ) {
disallows |= SLAP_DISALLOW_BIND_V2;
} else if( strcasecmp( cargv[i], "bind_anon" ) == 0 ) {
disallows |= SLAP_DISALLOW_BIND_ANON; disallows |= SLAP_DISALLOW_BIND_ANON;
} else if( strcasecmp( cargv[i], "bind_anon_cred" ) == 0 ) {
disallows |= SLAP_DISALLOW_BIND_ANON_CRED;
} else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
disallows |= SLAP_DISALLOW_BIND_ANON_DN;
} else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) { } else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) {
disallows |= SLAP_DISALLOW_BIND_SIMPLE; disallows |= SLAP_DISALLOW_BIND_SIMPLE;
} else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) { } else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) {
disallows |= SLAP_DISALLOW_BIND_KRBV4; disallows |= SLAP_DISALLOW_BIND_KRBV4;
} else if( strcasecmp( cargv[i], "tls_2_anon" ) == 0 ) {
disallows |= SLAP_DISALLOW_TLS_2_ANON;
} else if( strcasecmp( cargv[i], "tls_authc" ) == 0 ) { } else if( strcasecmp( cargv[i], "tls_authc" ) == 0 ) {
disallows |= SLAP_DISALLOW_TLS_AUTHC; disallows |= SLAP_DISALLOW_TLS_AUTHC;


@ -117,7 +117,7 @@ root_dse_info(
/* supportedLDAPVersion */ /* supportedLDAPVersion */
for ( i=LDAP_VERSION_MIN; i<=LDAP_VERSION_MAX; i++ ) { for ( i=LDAP_VERSION_MIN; i<=LDAP_VERSION_MAX; i++ ) {
if (( global_disallows & SLAP_DISALLOW_BIND_V2 ) && if (!( global_allows & SLAP_ALLOW_BIND_V2 ) &&
( i < LDAP_VERSION3 ) ) ( i < LDAP_VERSION3 ) )
{ {
/* version 2 and lower are disallowed */ /* version 2 and lower are disallowed */


@ -76,6 +76,7 @@ entry_schema_check(
} }
} }
/* it's a REALLY bad idea to disable schema checks */
if( !global_schemacheck ) return LDAP_SUCCESS; if( !global_schemacheck ) return LDAP_SUCCESS;
/* find the object class attribute - could error out here */ /* find the object class attribute - could error out here */
@ -559,4 +560,4 @@ int mods_structural_class(
return structural_class( ocmod->sml_bvalues, sc, return structural_class( ocmod->sml_bvalues, sc,
text, textbuf, textlen ); text, textbuf, textlen );
} }


@ -12,6 +12,7 @@
#include "ldap_defaults.h" #include "ldap_defaults.h"
#include <stdio.h>
#include <ac/stdlib.h> #include <ac/stdlib.h>
#include <sys/types.h> #include <sys/types.h>
@ -953,19 +954,16 @@ struct slap_backend_db {
| SLAP_RESTRICT_OP_MODIFY \ | SLAP_RESTRICT_OP_MODIFY \
| SLAP_RESTRICT_OP_RENAME ) | SLAP_RESTRICT_OP_RENAME )
#define SLAP_ALLOW_TLS_2_ANON 0x0001U /* StartTLS -> Anonymous */ #define SLAP_ALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
#define SLAP_ALLOW_BIND_ANON_CRED 0x0002U /* cred should be empty */
#define SLAP_ALLOW_BIND_ANON_DN 0x0003U /* dn should be empty */
#define SLAP_DISALLOW_BIND_V2 0x0001U /* LDAPv2 bind */ #define SLAP_DISALLOW_BIND_ANON 0x0001U /* no anonymous */
#define SLAP_DISALLOW_BIND_ANON 0x0002U /* no anonymous */ #define SLAP_DISALLOW_BIND_SIMPLE 0x0002U /* simple authentication */
#define SLAP_DISALLOW_BIND_ANON_CRED \ #define SLAP_DISALLOW_BIND_KRBV4 0x0004U /* Kerberos V4 authentication */
0x0004U /* cred should be empty */
#define SLAP_DISALLOW_BIND_ANON_DN \
0x0008U /* dn should be empty */
#define SLAP_DISALLOW_BIND_SIMPLE 0x0010U /* simple authentication */ #define SLAP_DISALLOW_TLS_2_ANON 0x0010U /* StartTLS -> Anonymous */
#define SLAP_DISALLOW_BIND_KRBV4 0x0020U /* Kerberos V4 authentication */ #define SLAP_DISALLOW_TLS_AUTHC 0x0020U /* TLS while authenticated */
#define SLAP_DISALLOW_TLS_AUTHC 0x0100U /* TLS while authenticated */
slap_mask_t be_requires; /* pre-operation requirements */ slap_mask_t be_requires; /* pre-operation requirements */
#define SLAP_REQUIRE_BIND 0x0001U /* bind before op */ #define SLAP_REQUIRE_BIND 0x0001U /* bind before op */
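Review bot: `SLAP_ALLOW_BIND_ANON_DN` is defined as `0x0003U`, which is not a single bit but `SLAP_ALLOW_BIND_V2 | SLAP_ALLOW_BIND_ANON_CRED`; every other flag in this table is a power of two, so this looks like a typo for `0x0004U`. As written, `allow bind_anon_dn` in the config parser also turns on LDAPv2 binds and anonymous binds with a non-empty credential, and the `!( global_allows & SLAP_ALLOW_BIND_ANON_DN )` test in do_bind only refuses a non-empty DN when neither of those two is allowed either, so an operator enabling one lenient option silently gets all three. The fix is one line: `#define SLAP_ALLOW_BIND_ANON_DN 0x0004U /* dn should be empty */`. A `/* each SLAP_ALLOW_* and SLAP_DISALLOW_* value must be a distinct single bit */` comment above the table would make the invariant reviewable.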


@ -61,6 +61,13 @@ starttls_extop (
goto done; goto done;
} }
if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) &&
( conn->c_dn != NULL ) )
{
/* force to anonymous */
connection2anonymous( conn );
}
if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) && if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
( conn->c_dn != NULL ) ) ( conn->c_dn != NULL ) )
{ {
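Review bot: Moving the force-to-anonymous block above the `SLAP_DISALLOW_TLS_AUTHC` check changes behaviour: with the new default (tls_2_anon not disallowed), `connection2anonymous( conn )` runs first on every authenticated connection, and if it clears `conn->c_dn` as its name suggests, the `conn->c_dn != NULL` test in the tls_authc block that follows can no longer be true, so `disallow tls_authc` becomes a no-op unless `disallow tls_2_anon` is also set. The old ordering in the second hunk of this file ran the tls_authc refusal before the anonymisation and should be kept: place the `!( global_disallows & SLAP_DISALLOW_TLS_2_ANON )` block after the tls_authc `goto done`, at the position the second hunk deletes it from. A comment such as `/* refuse TLS-while-authenticated before dropping to anonymous, else the check below never fires */` would pin the order for the next edit. starttls_extop begins before this hunk and continues after it.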
@ -69,13 +76,6 @@ starttls_extop (
goto done; goto done;
} }
if ( ( global_allows & SLAP_ALLOW_TLS_2_ANON ) &&
( conn->c_dn != NULL ) )
{
/* force to anonymous */
connection2anonymous( conn );
}
/* fail if TLS could not be initialized */ /* fail if TLS could not be initialized */
if (ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx ) != 0 if (ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx ) != 0
|| ctx == NULL) || ctx == NULL)