Commit 3ebb40c4 authored by Pierangelo Masarati's avatar Pierangelo Masarati

port identity assertion to back-meta; share as much code as possible with back-ldap; misc cleanup

parent 3f9201e9
......@@ -93,7 +93,8 @@ ldap_back_add(
attrs[ i ] = NULL;
ctrls = op->o_ctrls;
rs->sr_err = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, rs, &ctrls );
rs->sr_err = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn,
li->li_version, &li->li_idassert, op, rs, &ctrls );
if ( rs->sr_err != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
goto cleanup;
......
......@@ -44,18 +44,23 @@ typedef struct ldapconn_t {
struct berval lc_bound_ndn;
struct berval lc_local_ndn;
unsigned lc_lcflags;
#define LDAP_BACK_CONN_ISSET(lc,f) ((lc)->lc_lcflags & (f))
#define LDAP_BACK_CONN_SET(lc,f) ((lc)->lc_lcflags |= (f))
#define LDAP_BACK_CONN_CLEAR(lc,f) ((lc)->lc_lcflags &= ~(f))
#define LDAP_BACK_CONN_CPY(lc,f,mlc) \
#define LDAP_BACK_CONN_ISSET_F(fp,f) (*(fp) & (f))
#define LDAP_BACK_CONN_SET_F(fp,f) (*(fp) |= (f))
#define LDAP_BACK_CONN_CLEAR_F(fp,f) (*(fp) &= ~(f))
#define LDAP_BACK_CONN_CPY_F(fp,f,mfp) \
do { \
if ( ((f) & (mlc)->lc_lcflags) == (f) ) { \
(lc)->lc_lcflags |= (f); \
if ( ((f) & *(mfp)) == (f) ) { \
*(fp) |= (f); \
} else { \
(lc)->lc_lcflags &= ~(f); \
*(fp) &= ~(f); \
} \
} while ( 0 )
#define LDAP_BACK_CONN_ISSET(lc,f) LDAP_BACK_CONN_ISSET_F(&(lc)->lc_lcflags, (f))
#define LDAP_BACK_CONN_SET(lc,f) LDAP_BACK_CONN_SET_F(&(lc)->lc_lcflags, (f))
#define LDAP_BACK_CONN_CLEAR(lc,f) LDAP_BACK_CONN_CLEAR_F(&(lc)->lc_lcflags, (f))
#define LDAP_BACK_CONN_CPY(lc,f,mlc) LDAP_BACK_CONN_CPY_F(&(lc)->lc_lcflags, (f), &(mlc)->lc_lcflags)
#define LDAP_BACK_FCONN_ISBOUND (0x00000001U)
#define LDAP_BACK_FCONN_ISANON (0x00000002U)
#define LDAP_BACK_FCONN_ISBMASK (LDAP_BACK_FCONN_ISBOUND|LDAP_BACK_FCONN_ISANON)
......@@ -96,18 +101,6 @@ typedef struct ldapconn_t {
time_t lc_time;
} ldapconn_t;
/*
* identity assertion modes
*/
enum {
LDAP_BACK_IDASSERT_LEGACY = 1,
LDAP_BACK_IDASSERT_NOASSERT,
LDAP_BACK_IDASSERT_ANONYMOUS,
LDAP_BACK_IDASSERT_SELF,
LDAP_BACK_IDASSERT_OTHERDN,
LDAP_BACK_IDASSERT_OTHERID
};
/*
* operation enumeration for timeouts
*/
......@@ -137,6 +130,47 @@ typedef struct slap_retry_info_t {
#define SLAP_RETRYNUM_FINITE(n) ((n) > SLAP_RETRYNUM_FOREVER) /* not forever */
} slap_retry_info_t;
/*
* identity assertion modes
*/
typedef enum {
LDAP_BACK_IDASSERT_LEGACY = 1,
LDAP_BACK_IDASSERT_NOASSERT,
LDAP_BACK_IDASSERT_ANONYMOUS,
LDAP_BACK_IDASSERT_SELF,
LDAP_BACK_IDASSERT_OTHERDN,
LDAP_BACK_IDASSERT_OTHERID
} slap_idassert_mode_t;
/* ID assert stuff */
typedef struct slap_idassert_t {
slap_idassert_mode_t si_mode;
#define li_idassert_mode li_idassert.si_mode
slap_bindconf si_bc;
#define li_idassert_authcID li_idassert.si_bc.sb_authcId
#define li_idassert_authcDN li_idassert.si_bc.sb_binddn
#define li_idassert_passwd li_idassert.si_bc.sb_cred
#define li_idassert_authzID li_idassert.si_bc.sb_authzId
#define li_idassert_authmethod li_idassert.si_bc.sb_method
#define li_idassert_sasl_mech li_idassert.si_bc.sb_saslmech
#define li_idassert_sasl_realm li_idassert.si_bc.sb_realm
#define li_idassert_secprops li_idassert.si_bc.sb_secprops
#define li_idassert_tls li_idassert.si_bc.sb_tls
unsigned si_flags;
#define LDAP_BACK_AUTH_NONE 0x00U
#define LDAP_BACK_AUTH_NATIVE_AUTHZ 0x01U
#define LDAP_BACK_AUTH_OVERRIDE 0x02U
#define LDAP_BACK_AUTH_PRESCRIPTIVE 0x04U
#define LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ 0x08U
#define LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND 0x10U
#define li_idassert_flags li_idassert.si_flags
BerVarray si_authz;
#define li_idassert_authz li_idassert.si_authz
} slap_idassert_t;
/*
* Hook to allow mucking with ldapinfo_t when quarantine is over
*/
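Review bot: The `li_idassert_*` accessor macros, from `#define li_idassert_mode li_idassert.si_mode` down to `#define li_idassert_authz li_idassert.si_authz`, are written inside the shared slap_idassert_t definition but refer to `li_idassert`, the ldapinfo_t member declared later in this header; they belong beside `slap_idassert_t li_idassert;` in ldapinfo_t, where the old per-field macros lived. As unscoped macros they also rewrite those identifiers in every file that includes this header, which presumably now includes back-meta sources — worth confirming nothing there uses the same names. The new struct would also read better with one-line field comments, e.g. `/* bind configuration of the asserting identity */` on si_bc, `/* LDAP_BACK_AUTH_* bits */` on si_flags and `/* authzFrom list: identities allowed to use idassert, checked via slap_sasl_matches() */` on si_authz.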
......@@ -166,27 +200,7 @@ typedef struct ldapinfo_t {
#define li_acl_secprops li_acl.sb_secprops
/* ID assert stuff */
int li_idassert_mode;
slap_bindconf li_idassert;
#define li_idassert_authcID li_idassert.sb_authcId
#define li_idassert_authcDN li_idassert.sb_binddn
#define li_idassert_passwd li_idassert.sb_cred
#define li_idassert_authzID li_idassert.sb_authzId
#define li_idassert_authmethod li_idassert.sb_method
#define li_idassert_sasl_mech li_idassert.sb_saslmech
#define li_idassert_sasl_realm li_idassert.sb_realm
#define li_idassert_secprops li_idassert.sb_secprops
unsigned li_idassert_flags;
#define LDAP_BACK_AUTH_NONE 0x00U
#define LDAP_BACK_AUTH_NATIVE_AUTHZ 0x01U
#define LDAP_BACK_AUTH_OVERRIDE 0x02U
#define LDAP_BACK_AUTH_PRESCRIPTIVE 0x04U
#define LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ 0x08U
#define LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND 0x10U
BerVarray li_idassert_authz;
slap_idassert_t li_idassert;
/* end of ID assert stuff */
int li_nretries;
......
......@@ -971,24 +971,6 @@ retry_lock:;
ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex );
}
#if 0
while ( lc->lc_refcnt > 1 ) {
ldap_pvt_thread_yield();
rc = LDAP_BACK_CONN_ISBOUND( lc );
if ( rc ) {
return rc;
}
}
if ( dolock ) {
ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex );
}
LDAP_BACK_CONN_BINDING_SET( lc );
if ( dolock ) {
ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex );
}
#endif
/*
* FIXME: we need to let clients use proxyAuthz
* otherwise we cannot do symmetric pools of servers;
......@@ -1743,23 +1725,24 @@ done:;
int
ldap_back_proxy_authz_ctrl(
struct berval *bound_ndn,
int version,
slap_idassert_t *si,
Operation *op,
SlapReply *rs,
LDAPControl ***pctrls )
{
ldapinfo_t *li = (ldapinfo_t *) op->o_bd->be_private;
LDAPControl **ctrls = NULL;
int i = 0,
mode;
struct berval assertedID,
ndn;
LDAPControl **ctrls = NULL;
int i = 0;
slap_idassert_mode_t mode;
struct berval assertedID,
ndn;
*pctrls = NULL;
rs->sr_err = LDAP_SUCCESS;
/* don't proxyAuthz if protocol is not LDAPv3 */
switch ( li->li_version ) {
switch ( version ) {
case LDAP_VERSION3:
break;
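Review bot: ldap_back_proxy_authz_ctrl() now takes `int version` and `slap_idassert_t *si` from the caller, but the new interface carries no header comment and `si` is dereferenced unconditionally in the later hunks (`si->si_mode`, `si->si_bc.sb_binddn`), so a caller outside back-ldap has no stated contract. I would add above the definition: `/* Build the proxyAuthz control for the identity assertion in si (must not be NULL); version is the protocol version of the proxied connection, and a control is only built for LDAP_VERSION3. Sets rs->sr_err and stores the control list, or NULL, in *pctrls. */`. The function body continues past this hunk.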
......@@ -1776,8 +1759,8 @@ ldap_back_proxy_authz_ctrl(
/* FIXME: SASL/EXTERNAL over ldapi:// doesn't honor the authcID,
* but if it is not set this test fails. We need a different
* means to detect if idassert is enabled */
if ( ( BER_BVISNULL( &li->li_idassert_authcID ) || BER_BVISEMPTY( &li->li_idassert_authcID ) )
&& ( BER_BVISNULL( &li->li_idassert_authcDN ) || BER_BVISEMPTY( &li->li_idassert_authcDN ) ) )
if ( ( BER_BVISNULL( &si->si_bc.sb_authcId ) || BER_BVISEMPTY( &si->si_bc.sb_authcId ) )
&& ( BER_BVISNULL( &si->si_bc.sb_binddn ) || BER_BVISEMPTY( &si->si_bc.sb_binddn ) ) )
{
goto done;
}
......@@ -1796,7 +1779,7 @@ ldap_back_proxy_authz_ctrl(
ndn = op->o_ndn;
}
if ( li->li_idassert_mode == LDAP_BACK_IDASSERT_LEGACY ) {
if ( si->si_mode == LDAP_BACK_IDASSERT_LEGACY ) {
if ( op->o_proxy_authz ) {
/*
* FIXME: we do not want to perform proxyAuthz
......@@ -1823,18 +1806,18 @@ ldap_back_proxy_authz_ctrl(
goto done;
}
if ( BER_BVISNULL( &li->li_idassert_authcDN ) ) {
if ( BER_BVISNULL( &si->si_bc.sb_binddn ) ) {
goto done;
}
} else if ( li->li_idassert_authmethod == LDAP_AUTH_SASL ) {
if ( ( li->li_idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) )
} else if ( si->si_bc.sb_method == LDAP_AUTH_SASL ) {
if ( ( si->si_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) )
{
/* already asserted in SASL via native authz */
goto done;
}
} else if ( li->li_idassert_authz && !be_isroot( op ) ) {
} else if ( si->si_authz && !be_isroot( op ) ) {
int rc;
struct berval authcDN;
......@@ -1843,11 +1826,10 @@ ldap_back_proxy_authz_ctrl(
} else {
authcDN = ndn;
}
rc = slap_sasl_matches( op, li->li_idassert_authz,
rc = slap_sasl_matches( op, si->si_authz,
&authcDN, & authcDN );
if ( rc != LDAP_SUCCESS ) {
if ( li->li_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE )
{
if ( si->si_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) {
/* ndn is not authorized
* to use idassert */
rs->sr_err = rc;
......@@ -1882,7 +1864,7 @@ ldap_back_proxy_authz_ctrl(
mode = LDAP_BACK_IDASSERT_NOASSERT;
} else {
mode = li->li_idassert_mode;
mode = si->si_mode;
}
switch ( mode ) {
......@@ -1915,7 +1897,7 @@ ldap_back_proxy_authz_ctrl(
case LDAP_BACK_IDASSERT_OTHERID:
case LDAP_BACK_IDASSERT_OTHERDN:
/* assert idassert DN */
assertedID = li->li_idassert_authzID;
assertedID = si->si_bc.sb_authzId;
break;
default:
......@@ -1943,7 +1925,7 @@ ldap_back_proxy_authz_ctrl(
ctrls[ 0 ]->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
ctrls[ 0 ]->ldctl_iscritical = 1;
switch ( li->li_idassert_mode ) {
switch ( si->si_mode ) {
/* already in u:ID or dn:DN form */
case LDAP_BACK_IDASSERT_OTHERID:
case LDAP_BACK_IDASSERT_OTHERDN:
......@@ -1965,7 +1947,7 @@ ldap_back_proxy_authz_ctrl(
* to encode the value of the authzID (and called it proxyDN);
* this hack provides compatibility with those DSAs that
* implement it this way */
if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND ) {
if ( si->si_flags & LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND ) {
struct berval authzID = ctrls[ 0 ]->ldctl_value;
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
......@@ -1995,7 +1977,7 @@ free_ber:;
goto done;
}
} else if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) {
} else if ( si->si_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) {
struct berval authzID = ctrls[ 0 ]->ldctl_value,
tmp;
BerElementBuffer berbuf;
......
......@@ -36,6 +36,8 @@ ldap_back_compare(
Operation *op,
SlapReply *rs )
{
ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private;
ldapconn_t *lc;
ber_int_t msgid;
int do_retry = 1;
......@@ -49,7 +51,8 @@ ldap_back_compare(
}
ctrls = op->o_ctrls;
rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn, op, rs, &ctrls );
rc = ldap_back_proxy_authz_ctrl( &lc->lc_bound_ndn,
li->li_version, &li->li_idassert, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
send_ldap_result( op, rs );
goto cleanup;
......
......@@ -512,6 +512,181 @@ slap_retry_info_destroy(
ri->ri_num = NULL;
}
static int
slap_idassert_authzfrom_parse( ConfigArgs *c, slap_idassert_t *si )
{
ldapinfo_t *li = ( ldapinfo_t * )c->be->be_private;
struct berval bv;
struct berval in;
int rc;
ber_str2bv( c->argv[ 1 ], 0, 0, &in );
rc = authzNormalize( 0, NULL, NULL, &in, &bv, NULL );
if ( rc != LDAP_SUCCESS ) {
snprintf( c->msg, sizeof( c->msg ),
"\"idassert-authzFrom <authz>\": "
"invalid syntax" );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
return 1;
}
ber_bvarray_add( &li->li_idassert_authz, &bv );
return 0;
}
static int
slap_idassert_parse( ConfigArgs *c, slap_idassert_t *si )
{
int i;
for ( i = 1; i < c->argc; i++ ) {
if ( strncasecmp( c->argv[ i ], "mode=", STRLENOF( "mode=" ) ) == 0 ) {
char *argvi = c->argv[ i ] + STRLENOF( "mode=" );
int j;
j = verb_to_mask( argvi, idassert_mode );
if ( BER_BVISNULL( &idassert_mode[ j ].word ) ) {
snprintf( c->msg, sizeof( c->msg ),
"\"idassert-bind <args>\": "
"unknown mode \"%s\"",
argvi );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
return 1;
}
si->si_mode = idassert_mode[ j ].mask;
} else if ( strncasecmp( c->argv[ i ], "authz=", STRLENOF( "authz=" ) ) == 0 ) {
char *argvi = c->argv[ i ] + STRLENOF( "authz=" );
if ( strcasecmp( argvi, "native" ) == 0 ) {
if ( si->si_bc.sb_method != LDAP_AUTH_SASL ) {
snprintf( c->msg, sizeof( c->msg ),
"\"idassert-bind <args>\": "
"authz=\"native\" incompatible "
"with auth method" );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
return 1;
}
si->si_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ;
} else if ( strcasecmp( argvi, "proxyAuthz" ) == 0 ) {
si->si_flags &= ~LDAP_BACK_AUTH_NATIVE_AUTHZ;
} else {
snprintf( c->msg, sizeof( c->msg ),
"\"idassert-bind <args>\": "
"unknown authz \"%s\"",
argvi );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
return 1;
}
} else if ( strncasecmp( c->argv[ i ], "flags=", STRLENOF( "flags=" ) ) == 0 ) {
char *argvi = c->argv[ i ] + STRLENOF( "flags=" );
char **flags = ldap_str2charray( argvi, "," );
int j, err = 0;
if ( flags == NULL ) {
snprintf( c->msg, sizeof( c->msg ),
"\"idassert-bind <args>\": "
"unable to parse flags \"%s\"",
argvi );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
return 1;
}
for ( j = 0; flags[ j ] != NULL; j++ ) {
if ( strcasecmp( flags[ j ], "override" ) == 0 ) {
si->si_flags |= LDAP_BACK_AUTH_OVERRIDE;
} else if ( strcasecmp( flags[ j ], "prescriptive" ) == 0 ) {
si->si_flags |= LDAP_BACK_AUTH_PRESCRIPTIVE;
} else if ( strcasecmp( flags[ j ], "non-prescriptive" ) == 0 ) {
si->si_flags &= ( ~LDAP_BACK_AUTH_PRESCRIPTIVE );
} else if ( strcasecmp( flags[ j ], "obsolete-proxy-authz" ) == 0 ) {
if ( si->si_flags & LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND ) {
Debug( LDAP_DEBUG_ANY,
"%s: \"obsolete-proxy-authz\" flag "
"in \"idassert-mode <args>\" "
"incompatible with previously issued \"obsolete-encoding-workaround\" flag.\n",
c->log, 0, 0 );
err = 1;
break;
} else {
si->si_flags |= LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ;
}
} else if ( strcasecmp( flags[ j ], "obsolete-encoding-workaround" ) == 0 ) {
if ( si->si_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) {
Debug( LDAP_DEBUG_ANY,
"%s: \"obsolete-encoding-workaround\" flag "
"in \"idassert-mode <args>\" "
"incompatible with previously issued \"obsolete-proxy-authz\" flag.\n",
c->log, 0, 0 );
err = 1;
break;
} else {
si->si_flags |= LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND;
}
} else {
snprintf( c->msg, sizeof( c->msg ),
"\"idassert-bind <args>\": "
"unknown flag \"%s\"",
flags[ j ] );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
err = 1;
break;
}
}
ldap_charray_free( flags );
if ( err ) {
return 1;
}
} else if ( bindconf_parse( c->argv[ i ], &si->si_bc ) ) {
return 1;
}
}
return 0;
}
/* NOTE: temporary, until back-meta is ported to back-config */
int
slap_idassert_authzfrom_parse_cf( const char *fname, int lineno, const char *arg, slap_idassert_t *si )
{
ConfigArgs c = { 0 };
char *argv[ 2 ];
snprintf( c.log, sizeof( c.log ), "%s: line %d", fname, lineno );
c.argc = 2;
c.argv = argv;
argv[ 0 ] = arg;
argv[ 1 ] = NULL;
return slap_idassert_authzfrom_parse( &c, si );
}
int
slap_idassert_parse_cf( const char *fname, int lineno, int argc, char *argv[], slap_idassert_t *si )
{
ConfigArgs c = { 0 };
snprintf( c.log, sizeof( c.log ), "%s: line %d", fname, lineno );
c.argc = argc;
c.argv = argv;
return slap_idassert_parse( &c, si );
}
static int
ldap_back_cf_gen( ConfigArgs *c )
{
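Review bot: slap_idassert_authzfrom_parse_cf() stores the directive argument in `argv[ 0 ]` and NULL in `argv[ 1 ]`, yet slap_idassert_authzfrom_parse() reads `c->argv[ 1 ]` in `ber_str2bv( c->argv[ 1 ], 0, 0, &in );`, so every call through the wrapper hands NULL to ber_str2bv. The wrapper should present the argument the way the config engine does, `char *argv[ 3 ]; argv[ 0 ] = "idassert-authzFrom"; argv[ 1 ] = (char *)arg; argv[ 2 ] = NULL;` (the cast also resolves the const qualifier silently dropped by `argv[ 0 ] = arg;`). The same parser ignores its `si` parameter and appends the normalized value to `li->li_idassert_authz` through a cast of `c->be->be_private`; with the zero-initialized ConfigArgs the wrapper builds, `c->be` is NULL, and for any caller whose be_private is not an ldapinfo_t the cast writes through the wrong type. Using the parameter, `ber_bvarray_add( &si->si_authz, &bv );` with the `li` local removed, fixes both and is what the shared signature implies.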
......@@ -689,7 +864,7 @@ ldap_back_cf_gen( ConfigArgs *c )
/* end-of-flags */
}
bindconf_unparse( &li->li_idassert, &bc );
bindconf_unparse( &li->li_idassert.si_bc, &bc );
if ( !BER_BVISNULL( &bv ) ) {
ber_len_t len = bv.bv_len + bc.bv_len;
......@@ -912,7 +1087,7 @@ ldap_back_cf_gen( ConfigArgs *c )
break;
case LDAP_BACK_CFG_IDASSERT_BIND:
bindconf_free( &li->li_idassert );
bindconf_free( &li->li_idassert.si_bc );
break;
case LDAP_BACK_CFG_REBIND:
......@@ -1315,22 +1490,9 @@ done_url:;
ber_str2bv( c->argv[ 1 ], 0, 1, &li->li_idassert_passwd );
break;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
struct berval bv;
struct berval in;
int rc;
ber_str2bv( c->argv[ 1 ], 0, 0, &in );
rc = authzNormalize( 0, NULL, NULL, &in, &bv, NULL );
if ( rc != LDAP_SUCCESS ) {
snprintf( c->msg, sizeof( c->msg ),
"\"idassert-authzFrom <authz>\": "
"invalid syntax" );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
return 1;
}
ber_bvarray_add( &li->li_idassert_authz, &bv );
} break;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
rc = slap_idassert_authzfrom_parse( c, &li->li_idassert );
break;
case LDAP_BACK_CFG_IDASSERT_METHOD:
/* no longer supported */
......@@ -1341,122 +1503,7 @@ done_url:;
return 1;
case LDAP_BACK_CFG_IDASSERT_BIND:
for ( i = 1; i < c->argc; i++ ) {
if ( strncasecmp( c->argv[ i ], "mode=", STRLENOF( "mode=" ) ) == 0 ) {
char *argvi = c->argv[ i ] + STRLENOF( "mode=" );
int j;
j = verb_to_mask( argvi, idassert_mode );
if ( BER_BVISNULL( &idassert_mode[ j ].word ) ) {
snprintf( c->msg, sizeof( c->msg ),
"\"idassert-bind <args>\": "
"unknown mode \"%s\"",
argvi );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
return 1;
}
li->li_idassert_mode = idassert_mode[ j ].mask;
} else if ( strncasecmp( c->argv[ i ], "authz=", STRLENOF( "authz=" ) ) == 0 ) {
char *argvi = c->argv[ i ] + STRLENOF( "authz=" );
if ( strcasecmp( argvi, "native" ) == 0 ) {
if ( li->li_idassert_authmethod != LDAP_AUTH_SASL ) {
snprintf( c->msg, sizeof( c->msg ),
"\"idassert-bind <args>\": "
"authz=\"native\" incompatible "
"with auth method" );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
return 1;
}
li->li_idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ;
} else if ( strcasecmp( argvi, "proxyAuthz" ) == 0 ) {
li->li_idassert_flags &= ~LDAP_BACK_AUTH_NATIVE_AUTHZ;
} else {
snprintf( c->msg, sizeof( c->msg ),
"\"idassert-bind <args>\": "
"unknown authz \"%s\"",
argvi );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
return 1;
}
} else if ( strncasecmp( c->argv[ i ], "flags=", STRLENOF( "flags=" ) ) == 0 ) {
char *argvi = c->argv[ i ] + STRLENOF( "flags=" );
char **flags = ldap_str2charray( argvi, "," );
int j, err = 0;
if ( flags == NULL ) {
snprintf( c->msg, sizeof( c->msg ),
"\"idassert-bind <args>\": "
"unable to parse flags \"%s\"",
argvi );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
return 1;
}
for ( j = 0; flags[ j ] != NULL; j++ ) {
if ( strcasecmp( flags[ j ], "override" ) == 0 ) {
li->li_idassert_flags |= LDAP_BACK_AUTH_OVERRIDE;
} else if ( strcasecmp( flags[ j ], "prescriptive" ) == 0 ) {
li->li_idassert_flags |= LDAP_BACK_AUTH_PRESCRIPTIVE;