Update backend "restrictions"
This commit is contained in:
parent
98a1705370
commit
fab52fa4ab
@ -637,7 +637,7 @@ backend_check_restrictions(
|
||||
Backend *be,
|
||||
Connection *conn,
|
||||
Operation *op,
|
||||
const char *extoid,
|
||||
const void *opdata,
|
||||
const char **text )
|
||||
{
|
||||
int rc;
|
||||
@ -701,7 +701,9 @@ backend_check_restrictions(
|
||||
return LDAP_OTHER;
|
||||
}
|
||||
|
||||
if (( extoid == NULL || strcmp( extoid, LDAP_EXOP_START_TLS ) ) ) {
|
||||
if ( op->o_tag != LDAP_REQ_EXTENDED
|
||||
|| strcmp( (const char *) opdata, LDAP_EXOP_START_TLS ) )
|
||||
{
|
||||
/* these checks don't apply to StartTLS */
|
||||
|
||||
if( op->o_tag == LDAP_REQ_EXTENDED ) {
|
||||
@ -709,47 +711,57 @@ backend_check_restrictions(
|
||||
updateop++;
|
||||
}
|
||||
|
||||
if( op->o_ssf < ssf->sss_ssf ) {
|
||||
*text = "confidentiality required";
|
||||
return LDAP_CONFIDENTIALITY_REQUIRED;
|
||||
}
|
||||
if( op->o_transport_ssf < ssf->sss_transport ) {
|
||||
*text = "transport confidentiality required";
|
||||
return LDAP_CONFIDENTIALITY_REQUIRED;
|
||||
}
|
||||
|
||||
if( op->o_tls_ssf < ssf->sss_tls ) {
|
||||
*text = "TLS confidentiality required";
|
||||
return LDAP_CONFIDENTIALITY_REQUIRED;
|
||||
}
|
||||
if( op->o_sasl_ssf < ssf->sss_sasl ) {
|
||||
*text = "SASL confidentiality required";
|
||||
return LDAP_CONFIDENTIALITY_REQUIRED;
|
||||
|
||||
if( op->o_tag != LDAP_REQ_BIND || opdata == NULL ) {
|
||||
/* these checks don't apply to SASL bind */
|
||||
|
||||
if( op->o_sasl_ssf < ssf->sss_sasl ) {
|
||||
*text = "SASL confidentiality required";
|
||||
return LDAP_CONFIDENTIALITY_REQUIRED;
|
||||
}
|
||||
|
||||
if( op->o_ssf < ssf->sss_ssf ) {
|
||||
*text = "confidentiality required";
|
||||
return LDAP_CONFIDENTIALITY_REQUIRED;
|
||||
}
|
||||
}
|
||||
|
||||
if( updateop ) {
|
||||
if( op->o_ssf < ssf->sss_update_ssf ) {
|
||||
*text = "update confidentiality required";
|
||||
return LDAP_CONFIDENTIALITY_REQUIRED;
|
||||
}
|
||||
if( op->o_transport_ssf < ssf->sss_update_transport ) {
|
||||
*text = "transport update confidentiality required";
|
||||
return LDAP_CONFIDENTIALITY_REQUIRED;
|
||||
}
|
||||
|
||||
if( op->o_tls_ssf < ssf->sss_update_tls ) {
|
||||
*text = "TLS update confidentiality required";
|
||||
return LDAP_CONFIDENTIALITY_REQUIRED;
|
||||
}
|
||||
|
||||
if( op->o_sasl_ssf < ssf->sss_update_sasl ) {
|
||||
*text = "SASL update confidentiality required";
|
||||
return LDAP_CONFIDENTIALITY_REQUIRED;
|
||||
}
|
||||
|
||||
if( op->o_ssf < ssf->sss_update_ssf ) {
|
||||
*text = "update confidentiality required";
|
||||
return LDAP_CONFIDENTIALITY_REQUIRED;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (( extoid == NULL || strcmp( extoid, LDAP_EXOP_START_TLS ) )
|
||||
|| op->o_tag == LDAP_REQ_BIND )
|
||||
if ( op->o_tag != LDAP_REQ_BIND && ( op->o_tag != LDAP_REQ_EXTENDED ||
|
||||
strcmp( (const char *) opdata, LDAP_EXOP_START_TLS ) ) )
|
||||
{
|
||||
/* these checks don't apply to StartTLS or Bind */
|
||||
/* these checks don't apply to Bind or StartTLS */
|
||||
|
||||
if( requires & SLAP_REQUIRE_STRONG ) {
|
||||
/* should check mechanism */
|
||||
|
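Review bot: The rewritten StartTLS guard `if ( op->o_tag != LDAP_REQ_EXTENDED || strcmp( (const char *) opdata, LDAP_EXOP_START_TLS ) )` (and the matching Bind/StartTLS guard near the end of the last hunk) calls strcmp on opdata for every extended operation, and neither the new signature nor the callers visible in this commit guarantee opdata is non-NULL for LDAP_REQ_EXTENDED, whereas the old `extoid == NULL ||` form tolerated it. Treating NULL as "not StartTLS" keeps the checks fail-closed: `op->o_tag != LDAP_REQ_EXTENDED || opdata == NULL || strcmp( (const char *) opdata, LDAP_EXOP_START_TLS )`. Because opdata now doubles as the SASL mechanism for binds (`op->o_tag != LDAP_REQ_BIND || opdata == NULL` is what skips the SASL and ssf checks) and as the exop OID for extended operations, the function needs a header comment stating that contract, e.g. `/* opdata: SASL mechanism for LDAP_REQ_BIND (NULL if none), exop OID string for LDAP_REQ_EXTENDED, NULL otherwise */`. backend_check_restrictions begins before the first hunk and continues past the last one.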
@ -203,6 +203,14 @@ do_bind(
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/* check restrictions */
|
||||
rc = backend_check_restrictions( NULL, conn, op, mech, &text );
|
||||
if( rc != LDAP_SUCCESS ) {
|
||||
send_ldap_result( conn, op, rc,
|
||||
NULL, text, NULL, NULL );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
ldap_pvt_thread_mutex_lock( &conn->c_mutex );
|
||||
|
||||
if ( conn->c_sasl_bind_mech != NULL ) {
|
||||
@ -290,6 +298,9 @@ do_bind(
|
||||
/* disallow */
|
||||
rc = LDAP_INAPPROPRIATE_AUTH;
|
||||
text = "anonymous bind disallowed";
|
||||
|
||||
} else {
|
||||
rc = backend_check_restrictions( NULL, conn, op, mech, &text );
|
||||
}
|
||||
|
||||
/*
|
||||
@ -363,7 +374,7 @@ do_bind(
|
||||
}
|
||||
|
||||
/* check restrictions */
|
||||
rc = backend_check_restrictions( be, conn, op, NULL, &text ) ;
|
||||
rc = backend_check_restrictions( be, conn, op, NULL, &text );
|
||||
if( rc != LDAP_SUCCESS ) {
|
||||
send_ldap_result( conn, op, rc,
|
||||
NULL, text, NULL, NULL );
|
||||
|
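Review bot: The second call `rc = backend_check_restrictions( NULL, conn, op, mech, &text );`, added in the else branch of the anonymous-bind test, is not followed within the hunk by the `if( rc != LDAP_SUCCESS )` / `send_ldap_result` / `goto cleanup` sequence that the first call gets in the earlier hunk; please confirm that the code after the `/*` comment block acts on rc, since a restriction failure that is only stored would let the bind continue. A short comment at the first call, such as `/* global restrictions; backend-specific ones are re-checked below */`, would explain why the function runs twice in do_bind (once with be NULL, later with be). do_bind continues outside these hunks.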
@ -166,7 +166,7 @@ LDAP_SLAPD_F( int ) backend_check_restrictions LDAP_P((
|
||||
Backend *be,
|
||||
Connection *conn,
|
||||
Operation *op,
|
||||
const char *extoid,
|
||||
const void *opdata,
|
||||
const char **text ));
|
||||
|
||||
LDAP_SLAPD_F( int ) backend_check_referrals LDAP_P((
|
||||
@ -779,6 +779,7 @@ LDAP_SLAPD_F (int) global_idletimeout;
|
||||
LDAP_SLAPD_F (int) global_schemacheck;
|
||||
LDAP_SLAPD_F (char) *global_host;
|
||||
LDAP_SLAPD_F (char) *global_realm;
|
||||
LDAP_SLAPD_F (int) sasl_external_x509dn_convert;
|
||||
LDAP_SLAPD_F (char) *default_passwd_hash;
|
||||
LDAP_SLAPD_F (int) lber_debug;
|
||||
LDAP_SLAPD_F (int) ldap_syslog;
|
||||
|
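Review bot: The new prototype parameter `const void *opdata,` replaces the self-describing `extoid` with an untyped pointer, and the header says nothing about what each operation type must pass, so callers (bind.c passes the bind mechanism, search.c passes NULL) must read backend.c to find out. Add a comment above the declaration such as `/* opdata: SASL mechanism name for LDAP_REQ_BIND (NULL if none), exop OID string for LDAP_REQ_EXTENDED (must not be NULL), NULL for other operations */`. The extern added in the second hunk needs no note.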
@ -27,7 +27,7 @@
|
||||
|
||||
int
|
||||
do_search(
|
||||
Connection *conn, /* where to send results */
|
||||
Connection *conn, /* where to send results */
|
||||
Operation *op /* info about the op to which we're responding */
|
||||
) {
|
||||
int i;
|
||||
@ -140,7 +140,7 @@ do_search(
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
rc = 0;
|
||||
rc = LDAP_SUCCESS;
|
||||
|
||||
Debug( LDAP_DEBUG_ARGS, " attrs:", 0, 0, 0 );
|
||||
|
||||
@ -156,28 +156,62 @@ do_search(
|
||||
"conn=%ld op=%d SRCH base=\"%s\" scope=%d filter=\"%s\"\n",
|
||||
op->o_connid, op->o_opid, base, scope, fstr );
|
||||
|
||||
manageDSAit = get_manageDSAit( op );
|
||||
|
||||
if ( scope == LDAP_SCOPE_BASE ) {
|
||||
Entry *entry = NULL;
|
||||
|
||||
if ( strcasecmp( nbase, LDAP_ROOT_DSE ) == 0 ) {
|
||||
/* check restrictions */
|
||||
rc = backend_check_restrictions( NULL, conn, op, NULL, &text ) ;
|
||||
if( rc != LDAP_SUCCESS ) {
|
||||
send_ldap_result( conn, op, rc,
|
||||
NULL, text, NULL, NULL );
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
rc = root_dse_info( conn, &entry, &text );
|
||||
}
|
||||
|
||||
#if defined( SLAPD_MONITOR_DN )
|
||||
else if ( strcasecmp( nbase, SLAPD_MONITOR_DN ) == 0 ) {
|
||||
/* check restrictions */
|
||||
rc = backend_check_restrictions( NULL, conn, op, NULL, &text ) ;
|
||||
if( rc != LDAP_SUCCESS ) {
|
||||
send_ldap_result( conn, op, rc,
|
||||
NULL, text, NULL, NULL );
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
rc = monitor_info( &entry, &text );
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined( SLAPD_CONFIG_DN )
|
||||
else if ( strcasecmp( nbase, SLAPD_CONFIG_DN ) == 0 ) {
|
||||
/* check restrictions */
|
||||
rc = backend_check_restrictions( NULL, conn, op, NULL, &text ) ;
|
||||
if( rc != LDAP_SUCCESS ) {
|
||||
send_ldap_result( conn, op, rc,
|
||||
NULL, text, NULL, NULL );
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
rc = config_info( &entry, &text );
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined( SLAPD_SCHEMA_DN )
|
||||
else if ( strcasecmp( nbase, SLAPD_SCHEMA_DN ) == 0 ) {
|
||||
rc= schema_info( &entry, &text );
|
||||
/* check restrictions */
|
||||
rc = backend_check_restrictions( NULL, conn, op, NULL, &text ) ;
|
||||
if( rc != LDAP_SUCCESS ) {
|
||||
send_ldap_result( conn, op, rc,
|
||||
NULL, text, NULL, NULL );
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
rc = schema_info( &entry, &text );
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -210,8 +244,6 @@ do_search(
|
||||
nbase = ch_strdup( default_search_nbase );
|
||||
}
|
||||
|
||||
manageDSAit = get_manageDSAit( op );
|
||||
|
||||
/*
|
||||
* We could be serving multiple database backends. Select the
|
||||
* appropriate one, or send a referral to our "referral server"
|
||||
|
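Review bot: The four `/* check restrictions */` blocks added to the rootDSE, monitor, config and schema branches are byte-identical (NULL backend, same send_ldap_result / goto return_results path), so a single check placed ahead of the DN comparison chain — guarded by the same strcasecmp tests, since the tail of the chain lies outside the hunk and may dispatch to a real backend — would remove the four-fold repetition and keep the error path in one place. Each added call also keeps the `&text ) ;` spacing that this same commit cleans up in do_bind; `&text );` would be consistent. do_search continues outside these hunks.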