Commit ae0f47b0 authored by Pierangelo Masarati's avatar Pierangelo Masarati

improve parsing of acl-authcDN/acl-passwd

parent 066829a8
......@@ -79,8 +79,8 @@ The URI list is space- or comma-separated.
.TP
.B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking; it
should have read access on the target server to attributes used on the
proxy for acl checking.
is supposed to have read access on the target server to attributes used
on the proxy for acl checking.
There is no risk of giving away such values; they are only used to
check permissions.
.B The acl-authcDN identity is by no means implicitly used by the proxy
......@@ -90,7 +90,10 @@ See the
feature instead.
.TP
.B acl-passwd <password>
Password used with the bind DN above.
Password used with the
.B
acl-authcDN
above.
.TP
.B idassert-authcdn "<administrative DN for proxyAuthz purposes>"
DN which is used to propagate the client's identity to the target
......
......@@ -134,17 +134,20 @@ The optional number marks target <target> as the default one, starting
from 1.
Target <target> must be defined.
.TP
.B binddn "<administrative DN for access control purposes>"
This directive, as in the LDAP backend, allows to define the DN that is
used to query the target server for acl checking; it should have read
access on the target server to attributes used on the proxy for acl
checking.
.B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking,
as in the LDAP backend; it is supposed to have read access
on the target server to attributes used on the proxy for acl checking.
There is no risk of giving away such values; they are only used to
check permissions.
.TP
.B bindpw <password for access control purposes>
This directive sets the password for acl checking in conjunction
with the above mentioned "binddn" directive.
.B The acl-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
.TP
.B acl-passwd <password>
Password used with the
.B
acl-authcDN
above.
.TP
.B rebind-as-user
If this option is given, the client's bind credentials are remembered
......
......@@ -215,24 +215,44 @@ ldap_back_db_config(
/* name to use for ldap_back_group */
} else if ( strcasecmp( argv[0], "acl-authcdn" ) == 0
|| strcasecmp( argv[0], "binddn" ) == 0 ) {
|| strcasecmp( argv[0], "binddn" ) == 0 )
{
if ( argc != 2 ) {
fprintf( stderr,
"%s: line %d: missing name in \"%s <name>\" line\n",
fname, lineno, argv[0] );
return( 1 );
}
if ( strcasecmp( argv[0], "binddn" ) == 0 ) {
fprintf( stderr, "%s: line %d: "
"\"binddn\" statement is deprecated; "
"use \"acl-authcDN\" instead\n",
fname, lineno );
/* FIXME: some day we'll need to throw an error */
}
ber_str2bv( argv[1], 0, 1, &li->acl_authcDN );
/* password to use for ldap_back_group */
} else if ( strcasecmp( argv[0], "acl-passwd" ) == 0
|| strcasecmp( argv[0], "bindpw" ) == 0 ) {
|| strcasecmp( argv[0], "bindpw" ) == 0 )
{
if ( argc != 2 ) {
fprintf( stderr,
"%s: line %d: missing password in \"%s <password>\" line\n",
fname, lineno, argv[0] );
return( 1 );
}
if ( strcasecmp( argv[0], "bindpw" ) == 0 ) {
fprintf( stderr, "%s: line %d: "
"\"bindpw\" statement is deprecated; "
"use \"acl-passwd\" instead\n",
fname, lineno );
/* FIXME: some day we'll need to throw an error */
}
ber_str2bv( argv[1], 0, 1, &li->acl_passwd );
/* identity assertion stuff... */
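Review bot: The `ber_str2bv( argv[1], 0, 1, &li->acl_passwd )` assignment at the end of the acl-passwd branch overwrites any earlier value without releasing it, so a database section that carries both the deprecated `bindpw` and the new `acl-passwd` (both spellings now reach this branch) leaves the first password string allocated and readable in the heap for the life of the process; the same overwrite happens for `li->acl_authcDN`. Wipe and free the previous value before assigning, e.g. `if ( li->acl_passwd.bv_val != NULL ) { memset( li->acl_passwd.bv_val, 0, li->acl_passwd.bv_len ); ber_memfree( li->acl_passwd.bv_val ); }`, using whatever deallocator matches the dup allocation in this file and the project's secure-clear helper if one exists, since a plain memset before free can be optimized away. A smaller point: the back-meta counterpart in this same commit passes the DN through dnNormalize, whereas here `argv[1]` is stored verbatim into `acl_authcDN`; that difference predates the commit but deserves a comment, because ACL comparison against an unnormalized DN may not match. ldap_back_db_config starts and ends outside this hunk.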
......
......@@ -302,7 +302,9 @@ meta_back_db_config(
li->network_timeout = atol(argv[ 1 ]);
/* name to use for meta_back_group */
} else if ( strcasecmp( argv[ 0 ], "binddn" ) == 0 ) {
} else if ( strcasecmp( argv[ 0 ], "acl-authcDN" ) == 0
|| strcasecmp( argv[ 0 ], "binddn" ) == 0 )
{
int i = li->ntargets-1;
struct berval dn;
......@@ -320,6 +322,14 @@ meta_back_db_config(
return 1;
}
if ( strcasecmp( argv[ 0 ], "binddn" ) == 0 ) {
fprintf( stderr, "%s: line %d: "
"\"binddn\" statement is deprecated; "
"use \"acl-authcDN\" instead\n",
fname, lineno );
/* FIXME: some day we'll need to throw an error */
}
dn.bv_val = argv[ 1 ];
dn.bv_len = strlen( argv[ 1 ] );
if ( dnNormalize( 0, NULL, NULL, &dn, &li->targets[ i ]->mt_binddn,
......@@ -332,7 +342,9 @@ meta_back_db_config(
}
/* password to use for meta_back_group */
} else if ( strcasecmp( argv[ 0 ], "bindpw" ) == 0 ) {
} else if ( strcasecmp( argv[ 0 ], "acl-passwd" ) == 0
|| strcasecmp( argv[ 0 ], "bindpw" ) == 0 )
{
int i = li->ntargets-1;
if ( i < 0 ) {
......@@ -348,6 +360,15 @@ meta_back_db_config(
fname, lineno );
return 1;
}
if ( strcasecmp( argv[ 0 ], "bindpw" ) == 0 ) {
fprintf( stderr, "%s: line %d: "
"\"bindpw\" statement is deprecated; "
"use \"acl-passwd\" instead\n",
fname, lineno );
/* FIXME: some day we'll need to throw an error */
}
ber_str2bv( argv[ 1 ], 0L, 1, &li->targets[ i ]->mt_bindpw );
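Review bot: `ber_str2bv( argv[ 1 ], 0L, 1, &li->targets[ i ]->mt_bindpw )` replaces a previously stored password without freeing or clearing it, so a target configured with both the deprecated `bindpw` and the new `acl-passwd` (both now accepted by this branch) leaves the first password string allocated in the heap. Release and wipe the old value before the assignment, e.g. `if ( li->targets[ i ]->mt_bindpw.bv_val != NULL ) { memset( li->targets[ i ]->mt_bindpw.bv_val, 0, li->targets[ i ]->mt_bindpw.bv_len ); ber_memfree( li->targets[ i ]->mt_bindpw.bv_val ); }`, with the deallocator that matches the dup allocation used here. On style, the deprecation check repeats the `strcasecmp( argv[ 0 ], "bindpw" )` already evaluated in the enclosing else-if; a local flag set in that condition would avoid the second comparison, and the same applies to the `binddn` hunk above. meta_back_db_config starts and ends outside this hunk.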
/* save bind creds for referral rebinds? */
......