Commit 014bc9ea authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount
Browse files

Add dgAuthz support

parent 779b2a2e
......@@ -58,7 +58,7 @@ static AttributeName anlist_no_attrs[] = {
static AttributeName *slap_anlist_no_attrs = anlist_no_attrs;
#endif
static AttributeDescription *ad_dgIdentity;
static AttributeDescription *ad_dgIdentity, *ad_dgAuthz;
typedef struct dynlist_info_t {
ObjectClass *dli_oc;
......@@ -348,6 +348,26 @@ dynlist_prepare_entry( Operation *op, SlapReply *rs, dynlist_info_t *dli )
return SLAP_CB_CONTINUE;
}
if ( ad_dgIdentity && ( id = attrs_find( rs->sr_entry->e_attrs, ad_dgIdentity ))) {
Attribute *authz = NULL;
/* if not rootdn and dgAuthz is present,
* check if user can be authorized as dgIdentity */
if ( ad_dgAuthz && !BER_BVISEMPTY( &id->a_nvals[0] ) && !be_isroot( op )
&& ( authz = attrs_find( rs->sr_entry->e_attrs, ad_dgAuthz ) ) )
{
if ( slap_sasl_matches( op, authz->a_nvals,
&o.o_ndn, &o.o_ndn ) != LDAP_SUCCESS )
{
return SLAP_CB_CONTINUE;
}
}
o.o_dn = id->a_vals[0];
o.o_ndn = id->a_nvals[0];
o.o_groups = NULL;
}
if ( !( rs->sr_flags & REP_ENTRY_MODIFIABLE ) ) {
e = entry_dup( rs->sr_entry );
} else {
......@@ -355,12 +375,6 @@ dynlist_prepare_entry( Operation *op, SlapReply *rs, dynlist_info_t *dli )
}
e_flags = rs->sr_flags | ( REP_ENTRY_MODIFIABLE | REP_ENTRY_MUSTBEFREED );
if ( ad_dgIdentity && ( id = attrs_find( e->e_attrs, ad_dgIdentity ))) {
o.o_dn = id->a_vals[0];
o.o_ndn = id->a_nvals[0];
o.o_groups = NULL;
}
dlc.dlc_e = e;
dlc.dlc_dli = dli;
cb.sc_private = &dlc;
......@@ -557,16 +571,33 @@ dynlist_compare( Operation *op, SlapReply *rs )
* interested in. We'll use slapd's existing dyngroup
* evaluator to get the answer we want.
*/
struct berval *id = NULL;
BerVarray id = NULL, authz = NULL;
o.o_do_not_cache = 1;
if ( ad_dgIdentity && backend_attribute( &o, NULL, &o.o_req_ndn,
ad_dgIdentity, &id, ACL_READ ) == LDAP_SUCCESS ) {
ad_dgIdentity, &id, ACL_READ ) == LDAP_SUCCESS )
{
/* if not rootdn and dgAuthz is present,
* check if user can be authorized as dgIdentity */
if ( ad_dgAuthz && !BER_BVISEMPTY( id ) && !be_isroot( op )
&& backend_attribute( &o, NULL, &o.o_req_ndn,
ad_dgAuthz, &authz, ACL_READ ) == LDAP_SUCCESS )
{
rs->sr_err = slap_sasl_matches( op, authz,
&o.o_ndn, &o.o_ndn );
ber_bvarray_free_x( authz, op->o_tmpmemctx );
if ( rs->sr_err != LDAP_SUCCESS ) {
goto done;
}
}
o.o_dn = *id;
o.o_ndn = *id;
o.o_groups = NULL; /* authz changed, invalidate cached groups */
}
rs->sr_err = backend_group( &o, NULL, &o.o_req_ndn,
&o.oq_compare.rs_ava->aa_value, dli->dli_oc, dli->dli_ad );
switch ( rs->sr_err ) {
......@@ -586,6 +617,7 @@ dynlist_compare( Operation *op, SlapReply *rs )
break;
}
done:;
if ( id ) ber_bvarray_free_x( id, o.o_tmpmemctx );
return SLAP_CB_CONTINUE;
......@@ -593,17 +625,34 @@ dynlist_compare( Operation *op, SlapReply *rs )
}
if ( overlay_entry_get_ov( &o, &o.o_req_ndn, NULL, NULL, 0, &e, on ) !=
LDAP_SUCCESS || e == NULL ) {
LDAP_SUCCESS || e == NULL )
{
return SLAP_CB_CONTINUE;
}
if ( ad_dgIdentity ) {
Attribute *id = attrs_find( e->e_attrs, ad_dgIdentity );
if ( id ) {
Attribute *authz;
/* if not rootdn and dgAuthz is present,
* check if user can be authorized as dgIdentity */
if ( ad_dgAuthz && !BER_BVISEMPTY( &id->a_nvals[0] ) && !be_isroot( op )
&& ( authz = attrs_find( e->e_attrs, ad_dgAuthz ) ) )
{
if ( slap_sasl_matches( op, authz->a_nvals,
&o.o_ndn, &o.o_ndn ) != LDAP_SUCCESS )
{
goto release;
}
}
o.o_dn = id->a_vals[0];
o.o_ndn = id->a_nvals[0];
o.o_groups = NULL;
}
}
dli = (dynlist_info_t *)on->on_bi.bi_private;
for ( ; dli != NULL && rs->sr_err != LDAP_COMPARE_TRUE; dli = dli->dli_next ) {
Attribute *a;
......@@ -1353,6 +1402,15 @@ dynlist_db_open(
/* Just a warning */
}
rc = slap_str2ad( "dgAuthz", &ad_dgAuthz, &text );
if ( rc != LDAP_SUCCESS ) {
snprintf( cr->msg, sizeof( cr->msg),
"unable to fetch attributeDescription \"dgAuthz\": %d (%s)",
rc, text );
Debug( LDAP_DEBUG_ANY, "dynlist_db_open: %s\n", cr->msg, 0, 0 );
/* Just a warning */
}
return 0;
}
......
......@@ -67,6 +67,13 @@ attributetype ( DynGroupAttr:1
DESC 'Identity to use when processing the memberURL'
SUP distinguishedName SINGLE-VALUE )
attributeType ( DynGroupAttr:2
NAME 'dgAuthz'
DESC 'Optional authorization rules that determine who is allowed to assume the dgIdentity'
EQUALITY authzMatch
SYNTAX 1.3.6.1.4.1.4203.666.2.7
X-ORDERED 'VALUES' )
objectClass ( NetscapeLDAPobjectClass:33
NAME 'groupOfURLs'
SUP top STRUCTURAL
......@@ -79,4 +86,6 @@ objectClass ( NetscapeLDAPobjectClass:33
objectClass ( DynGroupOC:1
NAME 'dgIdentityAux'
SUP top AUXILIARY
MAY dgIdentity )
MAY ( dgIdentity $ dgAuthz ) )
......@@ -139,7 +139,7 @@ objectClass: groupOfURLs
objectClass: dgIdentityAux
cn: Dynamic List of Members
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
dgIdentity: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=ex
dgIdentity: cn=Bjorn Jensen,ou=Information Technology DivisioN,ou=People,dc=ex
ample,dc=com
member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=exam
ple,dc=com
......@@ -156,3 +156,39 @@ member: cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc
member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
# Testing list search with dgIdentity and dgAuthz anonymously...
dn: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com
objectClass: groupOfURLs
objectClass: dgIdentityAux
cn: Dynamic List of Members
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
dgIdentity: cn=Bjorn Jensen,ou=Information Technology DivisioN,ou=People,dc=ex
ample,dc=com
dgAuthz: {0}dn:cn=Barbara Jensen,ou=Information Technology DivisioN,ou=People,
dc=example,dc=com
# Testing list search with dgIdentity and dgAuthz as the authorized identity...
dn: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com
objectClass: groupOfURLs
objectClass: dgIdentityAux
cn: Dynamic List of Members
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
dgIdentity: cn=Bjorn Jensen,ou=Information Technology DivisioN,ou=People,dc=ex
ample,dc=com
dgAuthz: {0}dn:cn=Barbara Jensen,ou=Information Technology DivisioN,ou=People,
dc=example,dc=com
member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=exam
ple,dc=com
member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=exampl
e,dc=com
member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
member: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
member: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=exa
mple,dc=com
member: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com
member: cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc
=com
member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
......@@ -316,7 +316,7 @@ if test $RC != 0 ; then
exit $RC
fi
CMPDN="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,$BASEDN"
CMPDN="$BJORNSDN"
echo "Testing list compare..."
echo "# Testing list compare..." >> $SEARCHOUT
$LDAPCOMPARE -h $LOCALHOST -p $PORT1 \
......@@ -451,6 +451,42 @@ if test $RC != 0 ; then
exit $RC
fi
echo "Testing dgAuthz..."
CMPDN="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,$BASEDN"
$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
> $TESTOUT 2>&1 << EOMODS
dn: cn=Dynamic List of Members,$LISTDN
changetype: modify
add: dgAuthz
dgAuthz: dn:$BABSDN
EOMODS
echo "Testing list search with dgIdentity and dgAuthz anonymously..."
echo "# Testing list search with dgIdentity and dgAuthz anonymously..." >> $SEARCHOUT
$LDAPSEARCH -S "" -b "$LISTDN" -h $LOCALHOST -p $PORT1 \
'(cn=Dynamic List of Members)' '*' \
>> $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Testing list search with dgIdentity and dgAuthz as the authorized identity..."
echo "# Testing list search with dgIdentity and dgAuthz as the authorized identity..." >> $SEARCHOUT
$LDAPSEARCH -S "" -b "$LISTDN" -h $LOCALHOST -p $PORT1 \
-D "$BABSDN" -w bjensen \
'(cn=Dynamic List of Members)' '*' \
>> $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
test $KILLSERVERS != no && kill -HUP $KILLPIDS
LDIF=$DYNLISTOUT
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment