honor per-target tls/chase referrals/rebind as user (ITS#6190)
This commit is contained in:
parent
f32bc8bc85
commit
efabe1d279
@ -301,6 +301,14 @@ typedef struct metatarget_t {
#define META_BACK_TGT_ISSET(mt,f) ( ( (mt)->mt_flags & (f) ) == (f) )
#define META_BACK_TGT_ISMASK(mt,m,f) ( ( (mt)->mt_flags & (m) ) == (f) )
#define META_BACK_TGT_SAVECRED(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_SAVECRED )
#define META_BACK_TGT_USE_TLS(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_USE_TLS )
#define META_BACK_TGT_PROPAGATE_TLS(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_PROPAGATE_TLS )
#define META_BACK_TGT_TLS_CRITICAL(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_TLS_CRITICAL )
#define META_BACK_TGT_CHASE_REFERRALS(mt) META_BACK_TGT_ISSET( (mt), LDAP_BACK_F_CHASE_REFERRALS )
#define META_BACK_TGT_T_F(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_T_F_MASK, LDAP_BACK_F_T_F )
#define META_BACK_TGT_T_F_DISCOVER(mt) META_BACK_TGT_ISMASK( (mt), LDAP_BACK_F_T_F_MASK2, LDAP_BACK_F_T_F_DISCOVER )
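Review bot: `META_BACK_TGT_ISSET` and `META_BACK_TGT_ISMASK` carry no comment distinguishing them, and the difference matters for the accessors that follow: ISSET is true when every bit of `f` is set in mt_flags, while ISMASK is true when the bits selected by `m` equal `f` exactly, which is what the multi-bit T_F settings on the last two lines need. A short comment above the pair would suffice, e.g. `/* ISSET: all bits of f set; ISMASK: bits under mask m equal f exactly (multi-valued settings) */`. The `typedef struct metatarget_t` these macros read from begins before the hunk.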
@ -538,7 +538,7 @@ meta_back_single_bind(
LDAP_BACK_CONN_ISBOUND_SET( msc );
mc->mc_authz_target = candidate;
if ( LDAP_BACK_SAVECRED( mi ) ) {
if ( META_BACK_TGT_SAVECRED( mt ) ) {
if ( !BER_BVISNULL( &msc->msc_cred ) ) {
memset( msc->msc_cred.bv_val, 0,
msc->msc_cred.bv_len );
@ -1539,7 +1539,7 @@ meta_back_proxy_authz_bind( metaconn_t *mc, int candidate, Operation *op, SlapRe
LDAP_BACK_CONN_ISBOUND_SET( msc );
ber_bvreplace( &msc->msc_bound_ndn, &binddn );
if ( LDAP_BACK_SAVECRED( mi ) ) {
if ( META_BACK_TGT_SAVECRED( mt ) ) {
if ( !BER_BVISNULL( &msc->msc_cred ) ) {
memset( msc->msc_cred.bv_val, 0,
msc->msc_cred.bv_len );
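Review bot: Replacing `LDAP_BACK_SAVECRED( mi )` with `META_BACK_TGT_SAVECRED( mt )` makes credential retention depend only on the target's mt_flags, and nothing in the visible hunks seeds mt_flags from mi_flags when a target is created; the config change stores a `rebind-as-user yes` given before the first `uri` in mi_flags, so unless that copy happens elsewhere such a database-wide setting would be silently ignored at this line. If the copy does exist, a comment at the use site would spare the next reader the same doubt, e.g. `/* mt_flags is seeded from the database-wide mi_flags when the target is created */`. The same swap appears in meta_back_proxy_authz_bind above, in the chase-referrals, TLS and TLS-critical checks of the two conn.c hunks, and in meta_search_dobind_init, so one answer covers all of them. Each of these function bodies begins and ends outside its hunk.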
@ -640,6 +640,10 @@ meta_back_db_config(
/* save bind creds for referral rebinds? */
} else if ( strcasecmp( argv[ 0 ], "rebind-as-user" ) == 0 ) {
unsigned *flagsp = mi->mi_ntargets ?
&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
: &mi->mi_flags;
if ( argc > 2 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: \"rebind-as-user {NO|yes}\" takes 1 argument.\n",
@ -651,16 +655,16 @@ meta_back_db_config(
Debug( LDAP_DEBUG_ANY,
"%s: line %d: deprecated use of \"rebind-as-user {FALSE|true}\" with no arguments.\n",
fname, lineno, 0 );
mi->mi_flags |= LDAP_BACK_F_SAVECRED;
*flagsp |= LDAP_BACK_F_SAVECRED;
} else {
switch ( check_true_false( argv[ 1 ] ) ) {
case 0:
mi->mi_flags &= ~LDAP_BACK_F_SAVECRED;
*flagsp &= ~LDAP_BACK_F_SAVECRED;
break;
case 1:
mi->mi_flags |= LDAP_BACK_F_SAVECRED;
*flagsp |= LDAP_BACK_F_SAVECRED;
break;
default:
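Review bot: The new `flagsp` selection at the top of the `rebind-as-user` branch makes the directive positional: once a `uri` has been seen it updates only the most recently defined target's mt_flags and no longer the database-wide mi_flags, so an existing slapd.conf that placed `rebind-as-user` after its targets changes meaning with no diagnostic. That rule should be stated where the directive is parsed, e.g. extend the existing comment to `/* save bind creds for referral rebinds? Database-wide until the first "uri", then per most-recent target only. */`, and mirrored in the manual page. The `default:` label and the remainder of meta_back_db_config lie outside the hunk.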
@ -418,13 +418,13 @@ retry_lock:;
/* automatically chase referrals ("chase-referrals [{yes|no}]" statement) */
ldap_set_option( msc->msc_ld, LDAP_OPT_REFERRALS,
LDAP_BACK_CHASE_REFERRALS( mi ) ? LDAP_OPT_ON : LDAP_OPT_OFF );
META_BACK_TGT_CHASE_REFERRALS( mt ) ? LDAP_OPT_ON : LDAP_OPT_OFF );
#ifdef HAVE_TLS
/* start TLS ("tls [try-]{start|propagate}" statement) */
if ( ( LDAP_BACK_USE_TLS( mi )
if ( ( META_BACK_TGT_USE_TLS( mt )
|| ( op->o_conn->c_is_tls
&& LDAP_BACK_PROPAGATE_TLS( mi ) ) )
&& META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
&& !is_ldaps )
{
#ifdef SLAP_STARTTLS_ASYNCHRONOUS
@ -526,7 +526,7 @@ retry:;
* overlay, where the "uri" can be parsed out of a referral */
if ( rs->sr_err == LDAP_SERVER_DOWN
|| ( rs->sr_err != LDAP_SUCCESS
&& LDAP_BACK_TLS_CRITICAL( mi ) ) )
&& META_BACK_TGT_TLS_CRITICAL( mt ) ) )
{
#ifdef DEBUG_205
@ -199,7 +199,7 @@ meta_search_dobind_init(
* because the connection is not shared until bind is over */
if ( !BER_BVISNULL( &binddn ) ) {
ber_bvreplace( &msc->msc_bound_ndn, &binddn );
if ( LDAP_BACK_SAVECRED( mi ) && !BER_BVISNULL( &cred ) ) {
if ( META_BACK_TGT_SAVECRED( mt ) && !BER_BVISNULL( &cred ) ) {
if ( !BER_BVISNULL( &msc->msc_cred ) ) {
memset( msc->msc_cred.bv_val, 0,
msc->msc_cred.bv_len );