exploit new isroot_dn helper

This commit is contained in:
Pierangelo Masarati 2004-04-05 17:31:27 +00:00
parent b89c894eff
commit e516247068
12 changed files with 94 additions and 48 deletions

View File

@ -1568,7 +1568,7 @@ acl_check_modlist(
assert( be != NULL ); assert( be != NULL );
/* short circuit root database access */ /* short circuit root database access */
if ( be_isroot( op->o_bd, &op->o_ndn ) ) { if ( be_isroot_dn( op ) ) {
#ifdef NEW_LOGGING #ifdef NEW_LOGGING
LDAP_LOG( ACL, DETAIL1, LDAP_LOG( ACL, DETAIL1,
"acl_check_modlist: conn %lu access granted to root user\n", "acl_check_modlist: conn %lu access granted to root user\n",

View File

@ -298,7 +298,7 @@ retry: /* transaction retry */
* no parent! * no parent!
* if not attempting to add entry at suffix or with parent "" * if not attempting to add entry at suffix or with parent ""
*/ */
if (( !be_isroot( op->o_bd, &op->o_ndn ) || pdn.bv_len > 0 ) if (( !be_isroot_dn( op ) || pdn.bv_len > 0 )
&& !is_entry_glue( op->oq_add.rs_e )) && !is_entry_glue( op->oq_add.rs_e ))
{ {
#ifdef NEW_LOGGING #ifdef NEW_LOGGING

View File

@ -244,7 +244,7 @@ retry: /* transaction retry */
} else { } else {
/* no parent, must be root to delete */ /* no parent, must be root to delete */
if( ! be_isroot( op->o_bd, &op->o_ndn ) ) { if( ! be_isroot_dn( op ) ) {
if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv ) if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv )
|| be_isupdate( op->o_bd, &op->o_ndn ) ) { || be_isupdate( op->o_bd, &op->o_ndn ) ) {
p = (Entry *)&slap_entry_root; p = (Entry *)&slap_entry_root;

View File

@ -390,7 +390,7 @@ retry: /* transaction retry */
} else { } else {
/* no parent, modrdn entry directly under root */ /* no parent, modrdn entry directly under root */
isroot = be_isroot( op->o_bd, &op->o_ndn ); isroot = be_isroot_dn( op );
if ( ! isroot ) { if ( ! isroot ) {
if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv ) if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv )
|| be_isupdate( op->o_bd, &op->o_ndn ) ) { || be_isupdate( op->o_bd, &op->o_ndn ) ) {
@ -600,7 +600,7 @@ retry: /* transaction retry */
} else { } else {
if ( isroot == -1 ) { if ( isroot == -1 ) {
isroot = be_isroot( op->o_bd, &op->o_ndn ); isroot = be_isroot_dn( op );
} }
np_dn = NULL; np_dn = NULL;

View File

@ -150,7 +150,7 @@ dn2entry_retry:
rs->sr_matched = e->e_name.bv_val; rs->sr_matched = e->e_name.bv_val;
if( rs->sr_ref != NULL ) { if( rs->sr_ref != NULL ) {
rs->sr_err = LDAP_REFERRAL; rc = rs->sr_err = LDAP_REFERRAL;
send_ldap_result( op, rs ); send_ldap_result( op, rs );
ber_bvarray_free( rs->sr_ref ); ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL; rs->sr_ref = NULL;

View File

@ -247,7 +247,7 @@ ldbm_back_add(
} else { } else {
assert( pdn.bv_val == NULL || *pdn.bv_val == '\0' ); assert( pdn.bv_val == NULL || *pdn.bv_val == '\0' );
if ( !be_isroot( op->o_bd, &op->o_ndn ) if ( !be_isroot_dn( op )
&& !is_entry_glue( op->oq_add.rs_e )) && !is_entry_glue( op->oq_add.rs_e ))
{ {
ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock); ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock);

View File

@ -194,7 +194,7 @@ ldbm_back_delete(
} else { } else {
/* no parent, must be root to delete */ /* no parent, must be root to delete */
if( ! be_isroot( op->o_bd, &op->o_ndn ) ) { if( ! be_isroot_dn( op ) ) {
if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv ) || be_isupdate( op->o_bd, &op->o_ndn ) ) { if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv ) || be_isupdate( op->o_bd, &op->o_ndn ) ) {
p = (Entry *)&slap_entry_root; p = (Entry *)&slap_entry_root;

View File

@ -246,7 +246,7 @@ ldbm_back_modrdn(
} else { } else {
/* no parent, must be root to modify rdn */ /* no parent, must be root to modify rdn */
isroot = be_isroot( op->o_bd, &op->o_ndn ); isroot = be_isroot_dn( op );
if ( ! isroot ) { if ( ! isroot ) {
if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv ) || be_isupdate( op->o_bd, &op->o_ndn ) ) { if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv ) || be_isupdate( op->o_bd, &op->o_ndn ) ) {
int can_access; int can_access;
@ -418,7 +418,7 @@ ldbm_back_modrdn(
/* no parent, must be root to modify newSuperior */ /* no parent, must be root to modify newSuperior */
if ( isroot == -1 ) { if ( isroot == -1 ) {
isroot = be_isroot( op->o_bd, &op->o_ndn ); isroot = be_isroot_dn( op );
} }
if ( ! isroot ) { if ( ! isroot ) {

View File

@ -780,7 +780,7 @@ limits_check( Operation *op, SlapReply *rs )
assert( op->o_tag == LDAP_REQ_SEARCH); assert( op->o_tag == LDAP_REQ_SEARCH);
/* allow root to set no limit */ /* allow root to set no limit */
if ( be_isroot( op->o_bd, &op->o_ndn ) ) { if ( be_isroot_dn( op ) ) {
op->ors_limit = NULL; op->ors_limit = NULL;
if ( op->ors_tlimit == 0 ) { if ( op->ors_tlimit == 0 ) {

View File

@ -33,36 +33,72 @@
#include "slap.h" #include "slap.h"
#include "../back-ldap/back-ldap.h" #include "../back-ldap/back-ldap.h"
static int
ldap_chain_chk_referrals( Operation *op, SlapReply *rs )
{
return LDAP_SUCCESS;
}
static int static int
ldap_chain_response( Operation *op, SlapReply *rs ) ldap_chain_response( Operation *op, SlapReply *rs )
{ {
slap_overinst *on = (slap_overinst *) op->o_bd->bd_info; slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
void *private = op->o_bd->be_private; void *private = op->o_bd->be_private;
slap_callback *sc = op->o_callback; slap_callback *sc = op->o_callback;
LDAPControl **prev = op->o_ctrls; LDAPControl **prev = op->o_ctrls;
LDAPControl **ctrls = NULL, authz; LDAPControl **ctrls = NULL, authz;
int i, nctrls, rc = 0; int i, nctrls, rc = 0;
int cache = op->o_do_not_cache; int cache = op->o_do_not_cache;
char *authzid = NULL; char *authzid = NULL;
BerVarray ref; BerVarray ref;
struct berval ndn = op->o_ndn; struct berval ndn = op->o_ndn;
struct ldapinfo li, *lip = (struct ldapinfo *)on->on_bi.bi_private;
if ( rs->sr_err != LDAP_REFERRAL && rs->sr_type != REP_SEARCHREF ) if ( rs->sr_err != LDAP_REFERRAL && rs->sr_type != REP_SEARCHREF )
return SLAP_CB_CONTINUE; return SLAP_CB_CONTINUE;
/* currently we assume only one referral destination.
* we'll have to parse this in the future.
*/
/* leave in place if result type is search reference;
* will be cleared later */
ref = rs->sr_ref; ref = rs->sr_ref;
if ( rs->sr_type != REP_SEARCHREF ) { rs->sr_ref = NULL;
rs->sr_ref = NULL;
}
op->o_bd->be_private = on->on_bi.bi_private;
op->o_callback = NULL; op->o_callback = NULL;
if ( lip->url == NULL ) {
li = *lip;
op->o_bd->be_private = &li;
if ( rs->sr_type != REP_SEARCHREF ) {
LDAPURLDesc *srv;
char *save_dn;
/* parse reference and use proto://[host][:port]/ only */
rc = ldap_url_parse_ext( ref[0].bv_val, &srv );
if ( rc != LDAP_SUCCESS) {
/* error */
return 1;
}
/* remove DN essentially because later on
* ldap_initialize() will parse the URL
* as a comma-separated URL list */
save_dn = srv->lud_dn;
srv->lud_dn = "";
li.url = ldap_url_desc2str( srv );
if ( li.url == NULL ) {
/* error */
srv->lud_dn = save_dn;
ldap_free_urldesc( srv );
return 1;
}
srv->lud_dn = save_dn;
ldap_free_urldesc( srv );
}
} else {
op->o_bd->be_private = on->on_bi.bi_private;
}
/* Chaining is performed by a privileged user on behalf /* Chaining is performed by a privileged user on behalf
* of a normal user, using the ProxyAuthz control. However, * of a normal user, using the ProxyAuthz control. However,
* Binds are done separately, on an anonymous session. * Binds are done separately, on an anonymous session.
@ -84,11 +120,11 @@ ldap_chain_response( Operation *op, SlapReply *rs )
authz.ldctl_iscritical = 1; authz.ldctl_iscritical = 1;
authz.ldctl_value = op->o_dn; authz.ldctl_value = op->o_dn;
if ( op->o_dn.bv_len ) { if ( op->o_dn.bv_len ) {
authzid = op->o_tmpalloc( op->o_dn.bv_len+4, authzid = op->o_tmpalloc( op->o_dn.bv_len + sizeof("dn:") - 1,
op->o_tmpmemctx ); op->o_tmpmemctx );
strcpy(authzid, "dn: "); strcpy(authzid, "dn:");
strcpy(authzid+4, op->o_dn.bv_val); strcpy(authzid + sizeof("dn:") - 1, op->o_dn.bv_val);
authz.ldctl_value.bv_len = op->o_dn.bv_len + 4; authz.ldctl_value.bv_len = op->o_dn.bv_len + sizeof("dn:") - 1;
authz.ldctl_value.bv_val = authzid; authz.ldctl_value.bv_val = authzid;
} }
op->o_ctrls = ctrls; op->o_ctrls = ctrls;
@ -97,9 +133,11 @@ ldap_chain_response( Operation *op, SlapReply *rs )
switch( op->o_tag ) { switch( op->o_tag ) {
case LDAP_REQ_BIND: { case LDAP_REQ_BIND: {
struct berval rndn = op->o_req_ndn; struct berval rndn = op->o_req_ndn;
Connection *conn = op->o_conn; Connection *conn = op->o_conn;
op->o_req_ndn = slap_empty_bv; op->o_req_ndn = slap_empty_bv;
op->o_conn = NULL; op->o_conn = NULL;
rc = ldap_back_bind( op, rs ); rc = ldap_back_bind( op, rs );
op->o_req_ndn = rndn; op->o_req_ndn = rndn;
@ -123,17 +161,13 @@ ldap_chain_response( Operation *op, SlapReply *rs )
break; break;
case LDAP_REQ_SEARCH: case LDAP_REQ_SEARCH:
if ( rs->sr_type == REP_SEARCHREF ) { if ( rs->sr_type == REP_SEARCHREF ) {
struct ldapinfo li; struct berval *curr = ref,
struct berval *curr = rs->sr_ref,
odn = op->o_req_dn, odn = op->o_req_dn,
ondn = op->o_req_ndn; ondn = op->o_req_ndn;
op->o_bd->be_private = &li;
rs->sr_type = REP_SEARCH; rs->sr_type = REP_SEARCH;
rs->sr_ref = NULL;
/* copy the private info because we need to modify it */ /* copy the private info because we need to modify it */
AC_MEMCPY( &li, on->on_bi.bi_private, sizeof( struct ldapinfo ) );
for ( ; curr[0].bv_val; curr++ ) { for ( ; curr[0].bv_val; curr++ ) {
LDAPURLDesc *srv; LDAPURLDesc *srv;
@ -141,7 +175,8 @@ ldap_chain_response( Operation *op, SlapReply *rs )
rc = ldap_url_parse_ext( curr[0].bv_val, &srv ); rc = ldap_url_parse_ext( curr[0].bv_val, &srv );
if ( rc != LDAP_SUCCESS) { if ( rc != LDAP_SUCCESS) {
/* error */ /* error */
continue; rc = 1;
goto end_of_searchref;
} }
ber_str2bv(srv->lud_dn, 0, 0, &op->o_req_dn); ber_str2bv(srv->lud_dn, 0, 0, &op->o_req_dn);
@ -156,7 +191,8 @@ ldap_chain_response( Operation *op, SlapReply *rs )
/* error */ /* error */
srv->lud_dn = op->o_req_dn.bv_val; srv->lud_dn = op->o_req_dn.bv_val;
ldap_free_urldesc( srv ); ldap_free_urldesc( srv );
continue; rc = 1;
goto end_of_searchref;
} }
/* FIXME: should we also copy filter and scope? /* FIXME: should we also copy filter and scope?
@ -164,19 +200,23 @@ ldap_chain_response( Operation *op, SlapReply *rs )
rc = ldap_back_search( op, rs ); rc = ldap_back_search( op, rs );
ldap_memfree( li.url );
li.url = NULL;
srv->lud_dn = op->o_req_dn.bv_val; srv->lud_dn = op->o_req_dn.bv_val;
ldap_free_urldesc( srv ); ldap_free_urldesc( srv );
if ( rc ) { if ( rc ) {
/* error */ /* error */
continue; rc = 1;
goto end_of_searchref;
} }
} }
end_of_searchref:;
op->o_req_dn = odn; op->o_req_dn = odn;
op->o_req_ndn = ondn; op->o_req_ndn = ondn;
rs->sr_type = REP_SEARCHREF; rs->sr_type = REP_SEARCHREF;
op->o_bd->be_private = on->on_bi.bi_private;
} else { } else {
rc = ldap_back_search( op, rs ); rc = ldap_back_search( op, rs );
@ -197,6 +237,9 @@ ldap_chain_response( Operation *op, SlapReply *rs )
if ( ctrls ) op->o_tmpfree( ctrls, op->o_tmpmemctx ); if ( ctrls ) op->o_tmpfree( ctrls, op->o_tmpmemctx );
if ( authzid ) op->o_tmpfree( authzid, op->o_tmpmemctx ); if ( authzid ) op->o_tmpfree( authzid, op->o_tmpmemctx );
rs->sr_ref = ref; rs->sr_ref = ref;
if ( lip->url == NULL && li.url ) {
ldap_memfree( li.url );
}
return rc; return rc;
} }
@ -240,6 +283,7 @@ static int ldap_chain_init(
rc = ldap_back_db_init( be ); rc = ldap_back_db_init( be );
on->on_bi.bi_private = be->be_private; on->on_bi.bi_private = be->be_private;
be->be_private = private; be->be_private = private;
return rc; return rc;
} }
@ -268,6 +312,8 @@ int chain_init()
ldapchain.on_bi.bi_db_destroy = ldap_chain_destroy; ldapchain.on_bi.bi_db_destroy = ldap_chain_destroy;
ldapchain.on_response = ldap_chain_response; ldapchain.on_response = ldap_chain_response;
ldapchain.on_bi.bi_chk_referrals = ldap_chain_chk_referrals;
return overlay_register( &ldapchain ); return overlay_register( &ldapchain );
} }

View File

@ -1176,7 +1176,7 @@ ppolicy_add(
* security policy for the new entry. * security policy for the new entry.
*/ */
ppolicy_get( op, op->oq_add.rs_e, &pp ); ppolicy_get( op, op->oq_add.rs_e, &pp );
if (pp.pwdCheckQuality > 0 && !be_isroot( op->o_bd, &op->o_ndn )) { if (pp.pwdCheckQuality > 0 && !be_isroot_dn( op )) {
struct berval *bv = &(pa->a_vals[0]); struct berval *bv = &(pa->a_vals[0]);
int rc, i, send_ctrl = 0; int rc, i, send_ctrl = 0;
LDAPPasswordPolicyError pErr = PP_noError; LDAPPasswordPolicyError pErr = PP_noError;
@ -1386,7 +1386,7 @@ ppolicy_modify( Operation *op, SlapReply *rs )
for(p=tl; p; p=p->next, hsize++); /* count history size */ for(p=tl; p; p=p->next, hsize++); /* count history size */
} }
if (be_isroot( op->o_bd, &op->o_ndn)) goto do_modify; if (be_isroot_dn( op )) goto do_modify;
/* This is a pwdModify exop that provided the old pw. /* This is a pwdModify exop that provided the old pw.
* We need to create a Delete mod for this old pw and * We need to create a Delete mod for this old pw and

View File

@ -2461,7 +2461,7 @@ int slapi_int_pblock_set_operation( Slapi_PBlock *pb, Operation *op )
char *opAuthType; char *opAuthType;
if ( op->o_bd != NULL ) { if ( op->o_bd != NULL ) {
isRoot = be_isroot( op->o_bd, &op->o_ndn ); isRoot = be_isroot_dn( op );
isUpdateDn = be_isupdate( op->o_bd, &op->o_ndn ); isUpdateDn = be_isupdate( op->o_bd, &op->o_ndn );
} }