allow a hidden parameter to instruct the proxy that the SASL mech can do native authz; will disappear as soon as I can detect it automnatically

2025-01-06 10:46:21 +08:00 · 2004-06-19 18:18:26 +00:00 · 2004-06-19 18:18:26 +00:00 · f34b11760a
commit f34b11760a
parent cb3bfdd3cd
4 changed files with 63 additions and 20 deletions
--- a/servers/slapd/back-ldap/back-ldap.h
+++ b/servers/slapd/back-ldap/back-ldap.h
@ -93,6 +93,16 @@ struct ldapauth {
 	int		la_sasl_flags;
 	struct berval	la_sasl_mech;
 	struct berval	la_sasl_realm;
+	
+/* FIXME: required until I find a nice way to determine
+ * whether a SASL mechanism is able to authz natively */
+#define LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+#define LDAP_BACK_AUTH_NONE		0x00
+#define	LDAP_BACK_AUTH_NATIVE_AUTHZ	0x01
+	int		la_flags;
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
 };

 struct ldapinfo {
@ -121,6 +131,7 @@ struct ldapinfo {
 #define	idassert_sasl_flags	idassert_la.la_sasl_flags
 #define	idassert_sasl_mech	idassert_la.la_sasl_mech
 #define	idassert_sasl_realm	idassert_la.la_sasl_realm
+#define	idassert_flags		idassert_la.la_flags
 	BerVarray	idassert_authz;
 	
 	int		idassert_ppolicy;
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@ -448,28 +448,35 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 				struct berval	authzID = BER_BVNULL;
 				int		freeauthz = 0;

-				switch ( li->idassert_mode ) {
-				case LDAP_BACK_IDASSERT_OTHERID:
-				case LDAP_BACK_IDASSERT_OTHERDN:
-					authzID = li->idassert_authzID;
-					break;
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+				/* if SASL supports native authz, prepare for it */
+				if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
+					switch ( li->idassert_mode ) {
+					case LDAP_BACK_IDASSERT_OTHERID:
+					case LDAP_BACK_IDASSERT_OTHERDN:
+						authzID = li->idassert_authzID;
+						break;

-				case LDAP_BACK_IDASSERT_ANONYMOUS:
-					BER_BVSTR( &authzID, "dn:" );
-					break;
+					case LDAP_BACK_IDASSERT_ANONYMOUS:
+						BER_BVSTR( &authzID, "dn:" );
+						break;

-				case LDAP_BACK_IDASSERT_SELF:
-					authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_dn.bv_len;
-					authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx );
-					AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
-					AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ),
-							op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len + 1 );
-					freeauthz = 1;
-					break;
+					case LDAP_BACK_IDASSERT_SELF:
+						authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_dn.bv_len;
+						authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx );
+						AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
+						AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ),
+								op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len + 1 );
+						freeauthz = 1;
+						break;

-				default:
-					break;
+					default:
+						break;
+					}
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
 				}
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */

 #if 0	/* will deal with this later... */
 				if ( sasl_secprops != NULL ) {
@ -777,8 +784,14 @@ ldap_back_proxy_authz_ctrl(
 		}

 	} else if ( li->idassert_authmethod == LDAP_AUTH_SASL ) {
-		/* already asserted in SASL */
-		goto done;
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+		if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
+			/* already asserted in SASL via native authz */
+			goto done;
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+		}
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */

 	} else if ( li->idassert_authz ) {
 		int		rc;
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@ -904,6 +904,21 @@ parse_idassert(
 					}
 					ber_str2bv( val, 0, 1, &li->idassert_passwd );

+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+				} else if ( strncasecmp( argv[arg], "authz=", STRLENOF( "authz=" ) ) == 0 ) {
+					char	*val = argv[arg] + STRLENOF( "authz=" );
+
+					if ( strcasecmp( val, "native" ) == 0 ) {
+						li->idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ;
+
+					} else {
+						fprintf( stderr, "%s: line %s: "
+							"unknown SASL flag \"%s\"\n",
+							fname, lineno, val );
+						return 1;
+					}
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
+
 				} else {
 					fprintf( stderr, "%s: line %d: "
 							"unknown SASL parameter %s\n",
--- a/servers/slapd/back-ldap/init.c
+++ b/servers/slapd/back-ldap/init.c
@ -117,6 +117,10 @@ ldap_back_db_init(
 	BER_BVZERO( &li->idassert_sasl_realm );

 	li->idassert_ppolicy = 0;
+
+#ifdef LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ
+	li->idassert_flags = LDAP_BACK_AUTH_NONE;
+#endif /* LDAP_BACK_HOW_TO_DETECT_SASL_NATIVE_AUTHZ */
 #endif /* LDAP_BACK_PROXY_AUTHZ */

 #ifdef ENABLE_REWRITE