Commit 113727ba authored by Pierangelo Masarati's avatar Pierangelo Masarati

allow 'all' vs. 'any' sasl-authz-policy

parent babc993e
......@@ -640,9 +640,19 @@ flag will use rules in the
.I saslAuthzTo
attribute of the authentication DN.
The
.B both
flag will allow both of the above. The rules are simply regular expressions
specifying which DNs are allowed to perform proxy authorization. The
.B any
flag, an alias for the deprecated value of
.BR both ,
will allow any of the above, whatever succeeds first (checked in
.BR to ,
.B from
sequence.
The
.B all
flag requires both authorizations to succeed.
The rules are simply regular expressions specifying which DNs are allowed
to perform proxy authorization.
The
.I saslAuthzFrom
attribute in an entry specifies which other users
are allowed to proxy login to this entry. The
......
......@@ -72,9 +72,10 @@ static int nSaslRegexp = 0;
static SaslRegexp_t *SaslRegexp = NULL;
/* What SASL proxy authorization policies are allowed? */
#define SASL_AUTHZ_NONE 0
#define SASL_AUTHZ_FROM 1
#define SASL_AUTHZ_TO 2
#define SASL_AUTHZ_NONE 0x00
#define SASL_AUTHZ_FROM 0x01
#define SASL_AUTHZ_TO 0x02
#define SASL_AUTHZ_AND 0x10
static int authz_policy = SASL_AUTHZ_NONE;
......@@ -88,8 +89,10 @@ int slap_sasl_setpolicy( const char *arg )
authz_policy = SASL_AUTHZ_FROM;
} else if ( strcasecmp( arg, "to" ) == 0 ) {
authz_policy = SASL_AUTHZ_TO;
} else if ( strcasecmp( arg, "both" ) == 0 ) {
} else if ( strcasecmp( arg, "both" ) == 0 || strcasecmp( arg, "any" ) == 0 ) {
authz_policy = SASL_AUTHZ_FROM | SASL_AUTHZ_TO;
} else if ( strcasecmp( arg, "all" ) == 0 ) {
authz_policy = SASL_AUTHZ_FROM | SASL_AUTHZ_TO | SASL_AUTHZ_AND;
} else {
rc = LDAP_OTHER;
}
......@@ -972,7 +975,7 @@ int slap_sasl_authorized( Operation *op,
if( authz_policy & SASL_AUTHZ_TO ) {
rc = slap_sasl_check_authz( op, authcDN, authzDN,
slap_schema.si_ad_saslAuthzTo, authcDN );
if( rc == LDAP_SUCCESS ) {
if( rc == LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND) ) {
goto DONE;
}
}
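Review bot: The SASL_AUTHZ_AND guard added to the `if` after the saslAuthzTo check only suppresses the early success exit; when that check fails under the `all` policy nothing short-circuits, so rc is overwritten by whatever the saslAuthzFrom branch below the hunk returns, and a failing TO rule would not veto authorization unless that branch also tests the AND bit. Making the conjunction explicit at this point does not depend on what follows: `if( rc != LDAP_SUCCESS && (authz_policy & SASL_AUTHZ_AND) ) goto DONE;` placed directly after the existing check, with a one-line comment such as `/* 'all' policy: a failed TO check is final */`. The rest of slap_sasl_authorized, including the FROM branch and the DONE label, is outside the hunk, so whether the fall-through is already handled there is inferred, not visible; the man-page hunk states that `all` requires both authorizations to succeed, which is the behavior worth pinning here. A `#define SASL_AUTHZ_AND 0x10` with a short comment noting it is a modifier bit (`/* combine FROM and TO with AND instead of OR */`) rather than a standalone policy would also help the next reader of the policy bit set.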
......