fix previous commit in case of access to non existent backend (e.g. rootDSE); add (and document) authzID/DN support
This commit is contained in:
parent
387864a9f2
commit
e9ab146a41
@ -11,6 +11,7 @@ slapacl \- Check access to a list of attributes.
|
||||
.B [\-D authcDN | \-U authcID]
|
||||
.B \-b DN
|
||||
.B [\-u]
|
||||
.B [\-X authzID | \-o authzDN=DN]
|
||||
.B [attr[/access][:value]] [...]
|
||||
.LP
|
||||
.SH DESCRIPTION
|
||||
@ -63,6 +64,36 @@ rules (see
|
||||
for details); mutually exclusive with
|
||||
.BR \-D .
|
||||
.TP
|
||||
.BI \-X " authzID"
|
||||
specify an authorization ID to be mapped to a
|
||||
.B DN
|
||||
as by means of
|
||||
.B authz-regexp
|
||||
or
|
||||
.B authz-rewrite
|
||||
rules (see
|
||||
.BR slapd.conf (5)
|
||||
for details); mutually exclusive with \fB\-o\fP \fIauthzDN=DN\fP.
|
||||
.TP
|
||||
.BI \-o " option[=value]"
|
||||
Specify an
|
||||
.BR option
|
||||
with a(n optional)
|
||||
.BR value .
|
||||
Possible options/values are:
|
||||
.LP
|
||||
.nf
|
||||
sockurl
|
||||
domain
|
||||
peername
|
||||
sockname
|
||||
ssf
|
||||
transport_ssf
|
||||
tls_ssf
|
||||
sasl_ssf
|
||||
authzDN
|
||||
.fi
|
||||
.TP
|
||||
.BI \-b " DN"
|
||||
specify the
|
||||
.B DN
|
||||
|
@ -90,10 +90,18 @@ slapacl( int argc, char **argv )
|
||||
op->o_sasl_ssf = sasl_ssf;
|
||||
|
||||
if ( !BER_BVISNULL( &authcID ) ) {
|
||||
if ( !BER_BVISNULL( &authcDN ) ) {
|
||||
fprintf( stderr, "both authcID=\"%s\" "
|
||||
"and authcDN=\"%s\" provided\n",
|
||||
authcID.bv_val, authcDN.bv_val );
|
||||
rc = 1;
|
||||
goto destroy;
|
||||
}
|
||||
|
||||
rc = slap_sasl_getdn( &conn, op, &authcID, NULL,
|
||||
&authcDN, SLAP_GETDN_AUTHCID );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
fprintf( stderr, "ID: <%s> check failed %d (%s)\n",
|
||||
fprintf( stderr, "authcID: <%s> check failed %d (%s)\n",
|
||||
authcID.bv_val, rc,
|
||||
ldap_err2string( rc ) );
|
||||
rc = 1;
|
||||
@ -115,9 +123,47 @@ slapacl( int argc, char **argv )
|
||||
authcDN = ndn;
|
||||
}
|
||||
|
||||
if ( !BER_BVISNULL( &authzID ) ) {
|
||||
if ( !BER_BVISNULL( &authzDN ) ) {
|
||||
fprintf( stderr, "both authzID=\"%s\" "
|
||||
"and authzDN=\"%s\" provided\n",
|
||||
authzID.bv_val, authzDN.bv_val );
|
||||
rc = 1;
|
||||
goto destroy;
|
||||
}
|
||||
|
||||
rc = slap_sasl_getdn( &conn, op, &authzID, NULL,
|
||||
&authzDN, SLAP_GETDN_AUTHZID );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
fprintf( stderr, "authzID: <%s> check failed %d (%s)\n",
|
||||
authzID.bv_val, rc,
|
||||
ldap_err2string( rc ) );
|
||||
rc = 1;
|
||||
goto destroy;
|
||||
}
|
||||
|
||||
} else if ( !BER_BVISNULL( &authzDN ) ) {
|
||||
struct berval ndn;
|
||||
|
||||
rc = dnNormalize( 0, NULL, NULL, &authzDN, &ndn, NULL );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
|
||||
authzDN.bv_val, rc,
|
||||
ldap_err2string( rc ) );
|
||||
rc = 1;
|
||||
goto destroy;
|
||||
}
|
||||
ch_free( authzDN.bv_val );
|
||||
authzDN = ndn;
|
||||
}
|
||||
|
||||
|
||||
if ( !BER_BVISNULL( &authcDN ) ) {
|
||||
fprintf( stderr, "DN: \"%s\"\n", authcDN.bv_val );
|
||||
fprintf( stderr, "authcDN: \"%s\"\n", authcDN.bv_val );
|
||||
}
|
||||
|
||||
if ( !BER_BVISNULL( &authzDN ) ) {
|
||||
fprintf( stderr, "authzDN: \"%s\"\n", authzDN.bv_val );
|
||||
}
|
||||
|
||||
assert( !BER_BVISNULL( &baseDN ) );
|
||||
@ -131,12 +177,16 @@ slapacl( int argc, char **argv )
|
||||
}
|
||||
|
||||
op->o_bd = be;
|
||||
if ( !BER_BVISNULL( &authzDN ) ) {
|
||||
op->o_dn = authzDN;
|
||||
op->o_ndn = authzDN;
|
||||
}
|
||||
if ( !BER_BVISNULL( &authcDN ) ) {
|
||||
op->o_dn = authcDN;
|
||||
op->o_ndn = authcDN;
|
||||
op->o_conn->c_dn = authcDN;
|
||||
op->o_conn->c_ndn = authcDN;
|
||||
}
|
||||
|
||||
if ( !dryrun ) {
|
||||
if ( !dryrun && be ) {
|
||||
ID id;
|
||||
|
||||
if ( !be->be_entry_open ||
|
||||
@ -264,7 +314,7 @@ slapacl( int argc, char **argv )
|
||||
destroy:;
|
||||
ber_memfree( e.e_name.bv_val );
|
||||
ber_memfree( e.e_nname.bv_val );
|
||||
if ( !dryrun ) {
|
||||
if ( !dryrun && be ) {
|
||||
if ( ep != &e ) {
|
||||
be_entry_release_r( op, ep );
|
||||
}
|
||||
|
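Review bot: In the third hunk (`@ -131,12 +177,16 @@`), if the lines are printed in the new file's order, the existing `if ( !BER_BVISNULL( &authcDN ) )` block runs after the new authzDN block and overwrites `op->o_dn`/`op->o_ndn`, so when both `-D`/`-U` and `-X`/`-o authzDN=` are given the access check is evaluated as the authentication identity rather than the authorization identity the operator asked about. Moving the authzDN assignment below the authcDN block (leaving `c_dn`/`c_ndn` as authcDN) would make `op->o_ndn` carry authzDN, with a comment such as `/* o_conn carries the authentication identity; op carries the (possibly distinct) authorization identity */`. Nothing in these hunks checks that authcDN is permitted to assume authzDN (the authzTo/authzFrom policy); if that is deliberate for an offline checking tool, a one-line comment saying so would stop a permissive result being read as a policy decision. Separately, the message in the second hunk reads `"autchDN=\"%s\" normalization failed %d (%s)\n"` and should be `"authzDN=\"%s\" normalization failed %d (%s)\n"`. slapacl's body begins and ends outside these hunks.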
@ -54,9 +54,8 @@ usage( int tool, const char *progname )
|
||||
|
||||
switch( tool ) {
|
||||
case SLAPACL:
|
||||
options = "\n\t[-U authcID | -D authcDN]"
|
||||
" -b DN -o <var>[=<val>] [-u]"
|
||||
"\n\t[attr[/access][:value]] [...]\n";
|
||||
options = "\n\t[-U authcID | -D authcDN] [-X authzID | -o authzDN=<DN>]"
|
||||
"\n\t-b DN -o <var>[=<val>] [-u] [attr[/access][:value]] [...]\n";
|
||||
break;
|
||||
|
||||
case SLAPADD:
|
||||
@ -142,6 +141,9 @@ parse_slapacl( void )
|
||||
} else if ( strncasecmp( optarg, "sasl_ssf", len ) == 0 ) {
|
||||
sasl_ssf = atoi( p );
|
||||
|
||||
} else if ( strncasecmp( optarg, "authzDN", len ) == 0 ) {
|
||||
ber_str2bv( p, 0, 1, &authzDN );
|
||||
|
||||
} else {
|
||||
return -1;
|
||||
}
|
||||
@ -214,7 +216,7 @@ slap_tool_init(
|
||||
break;
|
||||
|
||||
case SLAPACL:
|
||||
options = "b:D:d:f:F:o:uU:v";
|
||||
options = "b:D:d:f:F:o:uU:vX:";
|
||||
mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
|
||||
break;
|
||||
|
||||
|
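Review bot: In the parse_slapacl hunk (`@ -142,6 +141,9 @@`), `ber_str2bv( p, 0, 1, &authzDN )` with dup set appears to copy `p` into a fresh buffer and overwrites whatever authzDN already held, so a repeated `-o authzDN=` leaks the earlier copy; freeing first, `if ( !BER_BVISNULL( &authzDN ) ) ch_free( authzDN.bv_val );`, matches the ch_free applied to this value in slapacl.c. Whether `p` can be NULL or empty when `-o authzDN` is given without `=value` depends on code before the hunk (parse_slapacl starts outside it); if it can, the option should take the existing `return -1` path rather than store an empty DN. The slap_tool_init hunk adds `X:` to the getopt string, but the `case 'X':` that fills authzID is not on this page; if it lives elsewhere in the commit that is fine, otherwise getopt accepts `-X` and its argument is never stored.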
@ -42,8 +42,9 @@ typedef struct tool_vars {
|
||||
Filter *tv_filter;
|
||||
struct berval tv_sub_ndn;
|
||||
FILE *tv_ldiffp;
|
||||
struct berval tv_authcDN;
|
||||
struct berval tv_baseDN;
|
||||
struct berval tv_authcDN;
|
||||
struct berval tv_authzDN;
|
||||
struct berval tv_authcID;
|
||||
struct berval tv_authzID;
|
||||
struct berval tv_mech;
|
||||
@ -70,8 +71,9 @@ extern tool_vars tool_globals;
|
||||
#define filter tool_globals.tv_filter
|
||||
#define sub_ndn tool_globals.tv_sub_ndn
|
||||
#define ldiffp tool_globals.tv_ldiffp
|
||||
#define authcDN tool_globals.tv_authcDN
|
||||
#define baseDN tool_globals.tv_baseDN
|
||||
#define authcDN tool_globals.tv_authcDN
|
||||
#define authzDN tool_globals.tv_authzDN
|
||||
#define authcID tool_globals.tv_authcID
|
||||
#define authzID tool_globals.tv_authzID
|
||||
#define mech tool_globals.tv_mech
|
||||
|