Proxyauthz support

59291ba4 · Ondřej Kuzník · Ondřej Kuzník · 9309bc94 · 59291ba4 · 59291ba4
Commit 59291ba4 authored Apr 04, 2017 by Ondřej Kuzník Committed by Ondřej Kuzník Nov 17, 2020
--- a/servers/lloadd/bind.c
+++ b/servers/lloadd/bind.c
@@ -171,7 +171,18 @@ request_bind_as_vc( Operation *op )
            if ( !BER_BVISNULL( &c->c_auth ) ) {
                ber_memfree( c->c_auth.bv_val );
            }
-            ber_dupbv( &c->c_auth, &binddn );
+            if ( !BER_BVISEMPTY( &binddn ) ) {
+                char *ptr;
+                c->c_auth.bv_len = STRLENOF("dn:") + binddn.bv_len;
+                c->c_auth.bv_val = ch_malloc( c->c_auth.bv_len + 1 );
+
+                ptr = lutil_strcopy( c->c_auth.bv_val, "dn:" );
+                ptr = lutil_strncopy( ptr, binddn.bv_val, binddn.bv_len );
+                *ptr = '\0';
+            } else {
+                BER_BVZERO( &c->c_auth );
+            }
+
            if ( !BER_BVISNULL( &c->c_sasl_bind_mech ) ) {
                ber_memfree( c->c_sasl_bind_mech.bv_val );
                BER_BVZERO( &c->c_sasl_bind_mech );

--- a/servers/lloadd/config.c
+++ b/servers/lloadd/config.c
@@ -472,6 +472,8 @@ config_backend( ConfigArgs *c )
        }
    }

+    bindconf_tls_defaults( &b->b_bindconf );
+
    if ( b->b_bindconf.sb_method == LDAP_AUTH_SASL ) {
 #ifndef HAVE_CYRUS_SASL
        Debug( LDAP_DEBUG_ANY, "config_backend: "

--- a/servers/lloadd/operation.c
+++ b/servers/lloadd/operation.c
@@ -298,12 +298,38 @@ request_process( void *ctx, void *arg )
    op->o_upstream_msgid = msgid = c->c_next_msgid++;
    rc = tavl_insert( &c->c_ops, op, operation_upstream_cmp, avl_dup_error );
    assert( rc == LDAP_SUCCESS );
-    ldap_pvt_thread_mutex_unlock( &c->c_mutex );

-    ber_printf( output, "t{titOtO}", LDAP_TAG_MESSAGE,
-            LDAP_TAG_MSGID, msgid,
-            op->o_tag, &op->o_request,
-            LDAP_TAG_CONTROLS, BER_BV_OPTIONAL( &op->o_ctrls ) );
+    if ( lload_features & LLOAD_FEATURE_PROXYAUTHZ ) {
+        Debug( LDAP_DEBUG_TRACE, "request_process: "
+                "proxying identity %s to upstream\n",
+                c->c_auth.bv_val );
+        ber_printf( output, "t{titOt{{sbO}" /* "}}" */, LDAP_TAG_MESSAGE,
+                LDAP_TAG_MSGID, msgid,
+                op->o_tag, &op->o_request,
+                LDAP_TAG_CONTROLS,
+                LDAP_CONTROL_PROXY_AUTHZ, 1, &c->c_auth );
+
+        if ( !BER_BVISNULL( &op->o_ctrls ) ) {
+            BerElement *control_ber = ber_alloc();
+            BerValue controls;
+
+            if ( !control_ber ) {
+                goto fail;
+            }
+            ber_init2( control_ber, &op->o_ctrls, 0 );
+            ber_peek_element( control_ber, &controls );
+
+            ber_write( output, controls.bv_val, controls.bv_len, 0 );
+            ber_free( control_ber, 0 );
+        }
+        ber_printf( output, /* "{{" */ "}}" );
+    } else {
+        ber_printf( output, "t{titOtO}", LDAP_TAG_MESSAGE,
+                LDAP_TAG_MSGID, msgid,
+                op->o_tag, &op->o_request,
+                LDAP_TAG_CONTROLS, BER_BV_OPTIONAL( &op->o_ctrls ) );
+    }
+    ldap_pvt_thread_mutex_unlock( &c->c_mutex );
    ldap_pvt_thread_mutex_unlock( &c->c_io_mutex );

    upstream_write_cb( -1, 0, c );

--- a/servers/lloadd/proto-slap.h
+++ b/servers/lloadd/proto-slap.h
@@ -78,6 +78,7 @@ LDAP_SLAPD_F (int) read_config( const char *fname, const char *dir );
 LDAP_SLAPD_F (void) config_destroy( void );
 LDAP_SLAPD_F (int) verb_to_mask( const char *word, slap_verbmasks *v );
 LDAP_SLAPD_F (int) str2loglevel( const char *s, int *l );
+LDAP_SLAPD_F (void) bindconf_tls_defaults( slap_bindconf *bc );
 LDAP_SLAPD_F (void) bindconf_free( slap_bindconf *bc );

 /*