From e9ab146a413ec67fac3666313f5783fd3bec6146 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Tue, 12 Apr 2005 19:36:56 +0000
Subject: [PATCH] fix previous commit in case of access to non existent backend (e.g. rootDSE); add (and document) authzID/DN support
---
doc/man/man8/slapacl.8 | 31 +++++++++++++++++++
servers/slapd/slapacl.c | 62 ++++++++++++++++++++++++++++++++++----
servers/slapd/slapcommon.c | 10 +++---
servers/slapd/slapcommon.h | 6 ++--
4 files changed, 97 insertions(+), 12 deletions(-)
diff --git a/doc/man/man8/slapacl.8 b/doc/man/man8/slapacl.8
index 7e1900e772..fc369a3b98 100644
--- a/doc/man/man8/slapacl.8
+++ b/doc/man/man8/slapacl.8
@@ -11,6 +11,7 @@ slapacl \- Check access to a list of attributes.
 .B [\-D authcDN | \-U authcID]
 .B \-b DN
 .B [\-u]
+.B [\-X authzID | \-o authzDN=DN]
 .B [attr[/access][:value]] [...]
 .LP
 .SH DESCRIPTION
@@ -63,6 +64,36 @@ rules (see
 for details); mutually exclusive with
 .BR \-D .
 .TP
+.BI \-X " authzID"
+specify an authorization ID to be mapped to a
+.B DN
+as by means of
+.B authz-regexp
+or
+.B authz-rewrite
+rules (see
+.BR slapd.conf (5)
+for details); mutually exclusive with \fB\-o\fP \fIauthzDN=DN\fP.
+.TP
+.BI \-o " option[=value]"
+Specify an
+.BR option
+with a(n optional)
+.BR value .
+Possible options/values are:
+.LP
+.nf
+ sockurl
+ domain
+ peername
+ sockname
+ ssf
+ transport_ssf
+ tls_ssf
+ sasl_ssf
+ authzDN
+.fi
+.TP
 .BI \-b " DN"
 specify the
 .B DN
diff --git a/servers/slapd/slapacl.c b/servers/slapd/slapacl.c
index fdab725ab3..2b325f661a 100644
--- a/servers/slapd/slapacl.c
+++ b/servers/slapd/slapacl.c
@@ -90,10 +90,18 @@ slapacl( int argc, char **argv )
 op->o_sasl_ssf = sasl_ssf;
 if ( !BER_BVISNULL( &authcID ) ) {
+ if ( !BER_BVISNULL( &authcDN ) ) {
+ fprintf( stderr, "both authcID=\"%s\" "
+ "and authcDN=\"%s\" provided\n",
+ authcID.bv_val, authcDN.bv_val );
+ rc = 1;
+ goto destroy;
+ }
+
 rc = slap_sasl_getdn( &conn, op, &authcID, NULL, &authcDN, SLAP_GETDN_AUTHCID );
 if ( rc != LDAP_SUCCESS ) {
- fprintf( stderr, "ID: <%s> check failed %d (%s)\n",
+ fprintf( stderr, "authcID: <%s> check failed %d (%s)\n",
 authcID.bv_val, rc, ldap_err2string( rc ) );
 rc = 1;
@@ -115,9 +123,47 @@ slapacl( int argc, char **argv )
 authcDN = ndn;
 }
+ if ( !BER_BVISNULL( &authzID ) ) {
+ if ( !BER_BVISNULL( &authzDN ) ) {
+ fprintf( stderr, "both authzID=\"%s\" "
+ "and authzDN=\"%s\" provided\n",
+ authzID.bv_val, authzDN.bv_val );
+ rc = 1;
+ goto destroy;
+ }
+
+ rc = slap_sasl_getdn( &conn, op, &authzID, NULL,
+ &authzDN, SLAP_GETDN_AUTHZID );
+ if ( rc != LDAP_SUCCESS ) {
+ fprintf( stderr, "authzID: <%s> check failed %d (%s)\n",
+ authzID.bv_val, rc,
+ ldap_err2string( rc ) );
+ rc = 1;
+ goto destroy;
+ }
+
+ } else if ( !BER_BVISNULL( &authzDN ) ) {
+ struct berval ndn;
+
+ rc = dnNormalize( 0, NULL, NULL, &authzDN, &ndn, NULL );
+ if ( rc != LDAP_SUCCESS ) {
+ fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
+ authzDN.bv_val, rc,
+ ldap_err2string( rc ) );
+ rc = 1;
+ goto destroy;
+ }
+ ch_free( authzDN.bv_val );
+ authzDN = ndn;
+ }
+
 if ( !BER_BVISNULL( &authcDN ) ) {
- fprintf( stderr, "DN: \"%s\"\n", authcDN.bv_val );
+ fprintf( stderr, "authcDN: \"%s\"\n", authcDN.bv_val );
+ }
+
+ if ( !BER_BVISNULL( &authzDN ) ) {
+ fprintf( stderr, "authzDN: \"%s\"\n", authzDN.bv_val );
 }
 assert( !BER_BVISNULL( &baseDN ) );
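Review bot: The error text in the `-o authzDN=` normalization branch names the wrong variable and is misspelt: `fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",` should read `fprintf( stderr, "authzDN=\"%s\" normalization failed %d (%s)\n",`, otherwise a bad authorization DN is reported as an authcDN problem. Separately, neither the `-X authzID` branch nor the `authzDN` branch checks whether authcDN is allowed to assume authzDN (no slap_sasl_authorized() call, as far as this hunk shows); for an offline ACL tester that is a deliberate property, so it deserves a comment at the top of the new block, e.g. `/* authz identity is taken as given: slapacl evaluates ACLs for the authc/authz pair without an authorization-policy check */`. The `goto destroy` paths added here run before `baseDN` is asserted, so they rely on the `destroy:` cleanup tolerating an entry that was never filled in — the pre-existing authcID error path does the same, but it is worth confirming `e` is zero-initialised where slapacl() declares it, outside this hunk. slapacl()'s body starts before and continues after this hunk.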
@@ -131,12 +177,16 @@ slapacl( int argc, char **argv )
 }
 op->o_bd = be;
+ if ( !BER_BVISNULL( &authzDN ) ) {
+ op->o_dn = authzDN;
+ op->o_ndn = authzDN;
+ }
 if ( !BER_BVISNULL( &authcDN ) ) {
- op->o_dn = authcDN;
- op->o_ndn = authcDN;
+ op->o_conn->c_dn = authcDN;
+ op->o_conn->c_ndn = authcDN;
 }
- if ( !dryrun ) {
+ if ( !dryrun && be ) {
 ID id;
 if ( !be->be_entry_open ||
@@ -264,7 +314,7 @@ slapacl( int argc, char **argv )
 destroy:;
 ber_memfree( e.e_name.bv_val );
 ber_memfree( e.e_nname.bv_val );
- if ( !dryrun ) {
+ if ( !dryrun && be ) {
 if ( ep != &e ) {
 be_entry_release_r( op, ep );
 }
diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c
index e3f94152f3..ed2903d8e5 100644
--- a/servers/slapd/slapcommon.c
+++ b/servers/slapd/slapcommon.c
@@ -54,9 +54,8 @@ usage( int tool, const char *progname )
 switch( tool ) {
 case SLAPACL:
- options = "\n\t[-U authcID | -D authcDN]"
- " -b DN -o [=] [-u]"
- "\n\t[attr[/access][:value]] [...]\n";
+ options = "\n\t[-U authcID | -D authcDN] [-X authzID | -o authzDN=]"
+ "\n\t-b DN -o [=] [-u] [attr[/access][:value]] [...]\n";
 break;
 case SLAPADD:
@@ -142,6 +141,9 @@ parse_slapacl( void )
 } else if ( strncasecmp( optarg, "sasl_ssf", len ) == 0 ) {
 sasl_ssf = atoi( p );
+ } else if ( strncasecmp( optarg, "authzDN", len ) == 0 ) {
+ ber_str2bv( p, 0, 1, &authzDN );
+
 } else {
 return -1;
 }
@@ -214,7 +216,7 @@ slap_tool_init(
 break;
 case SLAPACL:
- options = "b:D:d:f:F:o:uU:v";
+ options = "b:D:d:f:F:o:uU:vX:";
 mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
 break;
diff --git a/servers/slapd/slapcommon.h b/servers/slapd/slapcommon.h
index 423f0fbd87..4dcf7a8cbb 100644
--- a/servers/slapd/slapcommon.h
+++ b/servers/slapd/slapcommon.h
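Review bot: With only `-D authcDN` (no `-X` and no `-o authzDN=`), the new code no longer sets `op->o_dn`/`op->o_ndn`: the authcDN block now fills only `op->o_conn->c_dn`/`c_ndn`, and the authzDN block that sets `op->o_dn` is skipped, so unless `op->o_dn` is initialised from the connection somewhere outside this hunk the access check runs as anonymous rather than as the authenticated DN — a silent change that makes an ACL test pass or fail for the wrong identity. Defaulting the operation DN to authcDN when no authzDN was supplied keeps the previous behaviour for existing invocations; the rewritten authcDN block is below. The `be` NULL guards on `if ( !dryrun && be )` here and in the `destroy:` hunk are the commit's stated fix; a one-line comment such as `/* be == NULL: baseDN is not served by any backend (e.g. rootDSE) */` at the first of them would record why a missing backend is acceptable here. slapacl()'s body starts before and continues after this hunk.
```c
	if ( !BER_BVISNULL( &authcDN ) ) {
		op->o_conn->c_dn = authcDN;
		op->o_conn->c_ndn = authcDN;
		/* no explicit authzDN: the operation runs as the authenticated identity */
		if ( BER_BVISNULL( &authzDN ) ) {
			op->o_dn = authcDN;
			op->o_ndn = authcDN;
		}
	}
	/* … unchanged: dryrun / be_entry_open handling … */
```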
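Review bot: The new `strncasecmp( optarg, "authzDN", len )` entry in parse_slapacl() inherits the prefix matching of the whole chain: if `len` is the length of the option name before `=` (it is computed outside this hunk), then `-o a=...` or `-o authz=...` also lands here because no earlier entry starts with those letters, and a mistyped option silently becomes the authorization DN instead of reaching the `return -1` branch. Requiring the exact name, `} else if ( len == STRLENOF( "authzDN" ) && strncasecmp( optarg, "authzDN", len ) == 0 ) {`, keeps the case-insensitive match but rejects prefixes; the existing entries have the same property if the project wants to tighten them. `ber_str2bv( p, 0, 1, &authzDN )` takes a heap copy (dup=1), so a repeated `-o authzDN=` leaks the earlier copy, and a NULL `p` (an `-o authzDN` with no value, if the code above lets that through) would have to be rejected before the call — the hunk does not show how `p` is derived. parse_slapacl()'s body starts before and continues after this hunk.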
@@ -42,8 +42,9 @@ typedef struct tool_vars {
 Filter *tv_filter;
 struct berval tv_sub_ndn;
 FILE *tv_ldiffp;
- struct berval tv_authcDN;
 struct berval tv_baseDN;
+ struct berval tv_authcDN;
+ struct berval tv_authzDN;
 struct berval tv_authcID;
 struct berval tv_authzID;
 struct berval tv_mech;
@@ -70,8 +71,9 @@ extern tool_vars tool_globals;
 #define filter tool_globals.tv_filter
 #define sub_ndn tool_globals.tv_sub_ndn
 #define ldiffp tool_globals.tv_ldiffp
-#define authcDN tool_globals.tv_authcDN
 #define baseDN tool_globals.tv_baseDN
+#define authcDN tool_globals.tv_authcDN
+#define authzDN tool_globals.tv_authzDN
 #define authcID tool_globals.tv_authcID
 #define authzID tool_globals.tv_authzID
 #define mech tool_globals.tv_mech
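Review bot: The new `tv_authzDN` field carries no ownership note, although the other hunks of this patch show a two-step lifetime: parse_slapacl() stores a heap copy via `ber_str2bv( p, 0, 1, &authzDN )` and slapacl() later frees it and substitutes the normalised DN; a comment on the field such as `/* -o authzDN=: heap copy set by parse_slapacl(), replaced by its normalized form in slapacl() */` would save the next reader a grep. In the same hunk `tv_authcDN` is moved after `tv_baseDN`; that changes the layout of `tool_vars`, which is harmless if `tool_globals` is only zero-initialised and reached through the accessor macros in the second hunk, but it is unrelated churn that the commit message does not mention. The `#define authzDN tool_globals.tv_authzDN` alias, like the existing ones, rewrites that bare identifier in every translation unit that includes this header, so a local `struct berval authzDN` anywhere in the tools would silently become the global — worth keeping in mind when choosing names for further options.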