mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-01-06 10:46:21 +08:00
Code Issues Packages Projects Releases Wiki Activity

ITS#7403 fix idassert non-override mode

Browse Source
This commit is contained in:
Howard Chu 2012-09-26 09:29:57 -07:00
parent d426cafaca
commit d7c964fedb
2 changed files with 19 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
doc/man/man5/slapd-ldap.5
View File

@ -40,7 +40,7 @@ for details.
The proxy instance of
.BR slapd (8)
must contain schema information for the attributes and objectClasses
used in filters, request DN and request-related data in general.
used in filters, request DNs and request-related data in general.
It should also contain schema information for the data returned
by the proxied server.
It is the responsibility of the proxy administrator to keep the schema
@ -92,7 +92,7 @@ so its use is redundant and should be omitted.
LDAP server to use. Multiple URIs can be set in a single
.B ldapurl
argument, resulting in the underlying library automatically
call the first server of the list that responds, e.g.
calling the first server of the list that responds, e.g.
\fBuri "ldap://host/ ldap://backup\-host/"\fP
@ -100,7 +100,7 @@ The URI list is space- or comma-separated.
Whenever the server that responds is not the first one in the list,
the list is rearranged and the responsive server is moved to the head,
so that it will be first contacted the next time a connection
needs be created.
needs to be created.
.HP
.hy 0
.B acl\-bind
@ -138,7 +138,7 @@ The connection between the proxy database and the remote server
associated to this identity is cached regardless of the lifespan
of the client-proxy connection that first established it.
.B This identity is by no means implicitly used by the proxy
.B This identity is not implicitly used by the proxy
.B when the client connects anonymously.
The
.B idassert\-bind
@ -193,7 +193,7 @@ underlying libldap, with rebinding eventually performed if the
.TP
.B conn\-ttl <time>
This directive causes a cached connection to be dropped an recreated
This directive causes a cached connection to be dropped and recreated
after a given ttl, regardless of being idle or not.
.TP
@ -232,6 +232,8 @@ for details on the syntax of this field.
Allows to define the parameters of the authentication method that is
internally used by the proxy to authorize connections that are
authenticated by other databases.
Direct binds are always proxied without any idassert handling.
The identity defined by this directive, according to the properties
associated to the authentication method, is supposed to have auth access
on the target server to attributes used on the proxy for authentication
@ -303,7 +305,6 @@ which implies that the proxy will either perform a simple bind as the
or a SASL bind as the
.I authcID
and assert the client's identity when it is not anonymous.
Direct binds are always proxied.
The other modes imply that the proxy will always either perform a simple bind
as the
.IR authcDN

12
servers/slapd/back-ldap/bind.c
View File

@ -2116,6 +2116,18 @@ ldap_back_is_proxy_authz( Operation *op, SlapReply *rs, ldap_back_send_t sendok,
ndn = op->o_ndn;
}
if ( !( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE )) {
if ( op->o_tag == LDAP_REQ_BIND ) {
if ( !BER_BVISEMPTY( &ndn )) {
dobind = 0;
goto done;
}
} else if ( SLAP_IS_AUTHZ_BACKEND( op )) {
dobind = 0;
goto done;
}
}
switch ( li->li_idassert_mode ) {
case LDAP_BACK_IDASSERT_LEGACY:
if ( !BER_BVISNULL( &ndn ) && !BER_BVISEMPTY( &ndn ) ) {