LDAPv2 disallow and other flag changes
Fix compile errors
This commit is contained in:
parent
0845c0bf6f
commit
d23313a068
@ -202,7 +202,7 @@ do_bind(
|
||||
NULL, "requested protocol version not supported", NULL, NULL );
|
||||
goto cleanup;
|
||||
|
||||
} else if (( global_disallows & SLAP_DISALLOW_BIND_V2 ) &&
|
||||
} else if (!( global_allows & SLAP_ALLOW_BIND_V2 ) &&
|
||||
version < LDAP_VERSION3 )
|
||||
{
|
||||
send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR,
|
||||
@ -331,13 +331,13 @@ do_bind(
|
||||
text = NULL;
|
||||
|
||||
if( cred.bv_len &&
|
||||
( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED ))
|
||||
!( global_allows & SLAP_ALLOW_BIND_ANON_CRED ))
|
||||
{
|
||||
/* cred is not empty, disallow */
|
||||
rc = LDAP_INVALID_CREDENTIALS;
|
||||
|
||||
} else if ( ndn != NULL && *ndn != '\0' &&
|
||||
( global_disallows & SLAP_DISALLOW_BIND_ANON_DN ))
|
||||
!( global_allows & SLAP_ALLOW_BIND_ANON_DN ))
|
||||
{
|
||||
/* DN is not empty, disallow */
|
||||
rc = LDAP_UNWILLING_TO_PERFORM;
|
||||
|
@ -1266,8 +1266,14 @@ read_config( const char *fname )
|
||||
allows = 0;
|
||||
|
||||
for( i=1; i < cargc; i++ ) {
|
||||
if( strcasecmp( cargv[i], "tls_2_anon" ) == 0 ) {
|
||||
allows |= SLAP_ALLOW_TLS_2_ANON;
|
||||
if( strcasecmp( cargv[i], "bind_v2" ) == 0 ) {
|
||||
allows |= SLAP_ALLOW_BIND_V2;
|
||||
|
||||
} else if( strcasecmp( cargv[i], "bind_anon_cred" ) == 0 ) {
|
||||
allows |= SLAP_ALLOW_BIND_ANON_CRED;
|
||||
|
||||
} else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
|
||||
allows |= SLAP_ALLOW_BIND_ANON_DN;
|
||||
|
||||
} else if( strcasecmp( cargv[i], "none" ) != 0 ) {
|
||||
#ifdef NEW_LOGGING
|
||||
@ -1323,24 +1329,18 @@ read_config( const char *fname )
|
||||
disallows = 0;
|
||||
|
||||
for( i=1; i < cargc; i++ ) {
|
||||
if( strcasecmp( cargv[i], "bind_v2" ) == 0 ) {
|
||||
disallows |= SLAP_DISALLOW_BIND_V2;
|
||||
|
||||
} else if( strcasecmp( cargv[i], "bind_anon" ) == 0 ) {
|
||||
if( strcasecmp( cargv[i], "bind_anon" ) == 0 ) {
|
||||
disallows |= SLAP_DISALLOW_BIND_ANON;
|
||||
|
||||
} else if( strcasecmp( cargv[i], "bind_anon_cred" ) == 0 ) {
|
||||
disallows |= SLAP_DISALLOW_BIND_ANON_CRED;
|
||||
|
||||
} else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
|
||||
disallows |= SLAP_DISALLOW_BIND_ANON_DN;
|
||||
|
||||
} else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) {
|
||||
disallows |= SLAP_DISALLOW_BIND_SIMPLE;
|
||||
|
||||
} else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) {
|
||||
disallows |= SLAP_DISALLOW_BIND_KRBV4;
|
||||
|
||||
} else if( strcasecmp( cargv[i], "tls_2_anon" ) == 0 ) {
|
||||
disallows |= SLAP_DISALLOW_TLS_2_ANON;
|
||||
|
||||
} else if( strcasecmp( cargv[i], "tls_authc" ) == 0 ) {
|
||||
disallows |= SLAP_DISALLOW_TLS_AUTHC;
|
||||
|
||||
|
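Review bot: The `disallow` parser in the second hunk no longer accepts `bind_v2`, `bind_anon_cred` or `bind_anon_dn` (they now live under `allow` in the first hunk), and `tls_2_anon` moved the other way, so an existing slapd.conf that uses the old keywords will fall through to the unknown-keyword branch — presumably the same `"none"` else-branch visible at the end of the first hunk, though the tail of the disallow loop is outside the hunk shown. The page shows no matching change to the slapd.conf(5) text or a changelog entry, and the defaults flip at the same time: LDAPv2 binds and anonymous binds carrying a non-empty credential or DN are now refused unless explicitly allowed, and StartTLS drops an authenticated connection to anonymous unless `tls_2_anon` is disallowed. A one-line comment above each loop stating the default would make that visible at the point of configuration, e.g. `/* bind_v2, bind_anon_cred, bind_anon_dn: refused unless listed here */` for the allow loop. Both loops continue outside the hunks.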
@ -117,7 +117,7 @@ root_dse_info(
|
||||
|
||||
/* supportedLDAPVersion */
|
||||
for ( i=LDAP_VERSION_MIN; i<=LDAP_VERSION_MAX; i++ ) {
|
||||
if (( global_disallows & SLAP_DISALLOW_BIND_V2 ) &&
|
||||
if (!( global_allows & SLAP_ALLOW_BIND_V2 ) &&
|
||||
( i < LDAP_VERSION3 ) )
|
||||
{
|
||||
/* version 2 and lower are disallowed */
|
||||
|
@ -76,6 +76,7 @@ entry_schema_check(
|
||||
}
|
||||
}
|
||||
|
||||
/* it's a REALLY bad idea to disable schema checks */
|
||||
if( !global_schemacheck ) return LDAP_SUCCESS;
|
||||
|
||||
/* find the object class attribute - could error out here */
|
||||
@ -559,4 +560,4 @@ int mods_structural_class(
|
||||
|
||||
return structural_class( ocmod->sml_bvalues, sc,
|
||||
text, textbuf, textlen );
|
||||
}
|
||||
}
|
||||
|
@ -12,6 +12,7 @@
|
||||
|
||||
#include "ldap_defaults.h"
|
||||
|
||||
#include <stdio.h>
|
||||
#include <ac/stdlib.h>
|
||||
|
||||
#include <sys/types.h>
|
||||
@ -953,19 +954,16 @@ struct slap_backend_db {
|
||||
| SLAP_RESTRICT_OP_MODIFY \
|
||||
| SLAP_RESTRICT_OP_RENAME )
|
||||
|
||||
#define SLAP_ALLOW_TLS_2_ANON 0x0001U /* StartTLS -> Anonymous */
|
||||
#define SLAP_ALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
|
||||
#define SLAP_ALLOW_BIND_ANON_CRED 0x0002U /* cred should be empty */
|
||||
#define SLAP_ALLOW_BIND_ANON_DN 0x0003U /* dn should be empty */
|
||||
|
||||
#define SLAP_DISALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
|
||||
#define SLAP_DISALLOW_BIND_ANON 0x0002U /* no anonymous */
|
||||
#define SLAP_DISALLOW_BIND_ANON_CRED \
|
||||
0x0004U /* cred should be empty */
|
||||
#define SLAP_DISALLOW_BIND_ANON_DN \
|
||||
0x0008U /* dn should be empty */
|
||||
#define SLAP_DISALLOW_BIND_ANON 0x0001U /* no anonymous */
|
||||
#define SLAP_DISALLOW_BIND_SIMPLE 0x0002U /* simple authentication */
|
||||
#define SLAP_DISALLOW_BIND_KRBV4 0x0004U /* Kerberos V4 authentication */
|
||||
|
||||
#define SLAP_DISALLOW_BIND_SIMPLE 0x0010U /* simple authentication */
|
||||
#define SLAP_DISALLOW_BIND_KRBV4 0x0020U /* Kerberos V4 authentication */
|
||||
|
||||
#define SLAP_DISALLOW_TLS_AUTHC 0x0100U /* TLS while authenticated */
|
||||
#define SLAP_DISALLOW_TLS_2_ANON 0x0010U /* StartTLS -> Anonymous */
|
||||
#define SLAP_DISALLOW_TLS_AUTHC 0x0020U /* TLS while authenticated */
|
||||
|
||||
slap_mask_t be_requires; /* pre-operation requirements */
|
||||
#define SLAP_REQUIRE_BIND 0x0001U /* bind before op */
|
||||
|
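Review bot: `SLAP_ALLOW_BIND_ANON_DN` is defined as `0x0003U`, which is not a single bit but the OR of `SLAP_ALLOW_BIND_V2` (0x0001U) and `SLAP_ALLOW_BIND_ANON_CRED` (0x0002U) defined two lines above it. Because do_bind and root_dse_info test these masks with `global_allows & …`, configuring `allow bind_anon_dn` would also silently allow LDAPv2 binds and non-empty anonymous credentials, and configuring the other two keywords together would satisfy the bind_anon_dn test without the operator asking for it. The previous disallow masks for the same pair used 0x0004U and 0x0008U; the fix is the next free bit, `#define SLAP_ALLOW_BIND_ANON_DN 0x0004U /* dn should be empty */`. The disallow masks added in this hunk are all single bits and do not have the problem.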
@ -61,6 +61,13 @@ starttls_extop (
|
||||
goto done;
|
||||
}
|
||||
|
||||
if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) &&
|
||||
( conn->c_dn != NULL ) )
|
||||
{
|
||||
/* force to anonymous */
|
||||
connection2anonymous( conn );
|
||||
}
|
||||
|
||||
if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
|
||||
( conn->c_dn != NULL ) )
|
||||
{
|
||||
@ -69,13 +76,6 @@ starttls_extop (
|
||||
goto done;
|
||||
}
|
||||
|
||||
if ( ( global_allows & SLAP_ALLOW_TLS_2_ANON ) &&
|
||||
( conn->c_dn != NULL ) )
|
||||
{
|
||||
/* force to anonymous */
|
||||
connection2anonymous( conn );
|
||||
}
|
||||
|
||||
/* fail if TLS could not be initialized */
|
||||
if (ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx ) != 0
|
||||
|| ctx == NULL)
|
||||
|
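Review bot: The new tls_2_anon block in the first hunk is placed before the existing `SLAP_DISALLOW_TLS_AUTHC` check, whereas the block it replaces (removed in the second hunk) ran after it. If connection2anonymous() clears conn->c_dn, as its name suggests, then under the new default (tls_2_anon not disallowed) an authenticated connection is made anonymous first and the `( conn->c_dn != NULL )` test of the tls_authc check can never be true, so `disallow tls_authc` on its own silently loses its effect. The refusal body between the two hunks and the remainder of starttls_extop are outside the hunks shown. Keeping the original order — evaluate the tls_authc refusal first, then force to anonymous only on connections that are allowed to proceed — preserves the operator's intent; the reordered lines are below.
```c
	if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
		( conn->c_dn != NULL ) )
	{
		/* … unchanged: refuse StartTLS on an authenticated connection, goto done … */
	}

	if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) &&
		( conn->c_dn != NULL ) )
	{
		/* force to anonymous */
		connection2anonymous( conn );
	}

	/* … unchanged: fail if TLS could not be initialized … */
```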