Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
Menu
Open sidebar
Joe Martin
OpenLDAP
Commits
f3a86075
Commit
f3a86075
authored
Apr 15, 2010
by
Quanah Gibson-Mount
Browse files
ITS
#6456
parent
f9797d3b
Changes
7
Hide whitespace changes
Inline
Side-by-side
CHANGES
View file @
f3a86075
...
...
@@ -3,6 +3,7 @@ OpenLDAP 2.4 Change Log
OpenLDAP 2.4.22 Engineering
Added slapd SLAP_SCHEMA_EXPOSE flag for hidden schema elements (ITS#6435)
Added slapd tools selective iterations (ITS#6442)
Added slapo-ldap idassert-passthru (ITS#6456)
Added slapo-pbind
Fixed libldap GnuTLS serial length (ITS#6460)
Fixed slapd acl non-entry internal searches (ITS#6481)
...
...
doc/man/man5/slapd-ldap.5
View file @
f3a86075
...
...
@@ -382,6 +382,24 @@ and
.BR idassert\-method .
.RE
.TP
.B idassert-passthru <authz-regexp>
if defined, selects what
.I local
identities bypass the identity assertion feature.
Those identities need to be known by the remote host.
The string
.B <authz-regexp>
follows the rules defined for the
.I authzFrom
attribute.
See
.BR slapd.conf (5),
section related to
.BR authz\-policy ,
for details on the syntax of this field.
.TP
.B idle\-timeout <time>
This directive causes a cached connection to be dropped an recreated
...
...
servers/slapd/back-ldap/back-ldap.h
View file @
f3a86075
...
...
@@ -238,6 +238,9 @@ typedef struct slap_idassert_t {
BerVarray
si_authz
;
#define li_idassert_authz li_idassert.si_authz
BerVarray
si_passthru
;
#define li_idassert_passthru li_idassert.si_passthru
}
slap_idassert_t
;
/*
...
...
@@ -448,6 +451,7 @@ typedef struct ldap_extra_t {
int
version
,
slap_idassert_t
*
si
,
LDAPControl
*
ctrl
);
int
(
*
controls_free
)(
Operation
*
op
,
SlapReply
*
rs
,
LDAPControl
***
pctrls
);
int
(
*
idassert_authzfrom_parse_cf
)(
const
char
*
fname
,
int
lineno
,
const
char
*
arg
,
slap_idassert_t
*
si
);
int
(
*
idassert_passthru_parse_cf
)(
const
char
*
fname
,
int
lineno
,
const
char
*
arg
,
slap_idassert_t
*
si
);
int
(
*
idassert_parse_cf
)(
const
char
*
fname
,
int
lineno
,
int
argc
,
char
*
argv
[],
slap_idassert_t
*
si
);
void
(
*
retry_info_destroy
)(
slap_retry_info_t
*
ri
);
int
(
*
retry_info_parse
)(
char
*
in
,
slap_retry_info_t
*
ri
,
char
*
buf
,
ber_len_t
buflen
);
...
...
servers/slapd/back-ldap/bind.c
View file @
f3a86075
...
...
@@ -2057,32 +2057,51 @@ ldap_back_is_proxy_authz( Operation *op, SlapReply *rs, ldap_back_send_t sendok,
goto
done
;
}
else
if
(
li
->
li_idassert_authz
&&
!
be_isroot
(
op
)
)
{
struct
berval
authcDN
;
}
else
if
(
!
be_isroot
(
op
)
)
{
if
(
li
->
li_idassert_passthru
)
{
struct
berval
authcDN
;
if
(
BER_BVISNULL
(
&
ndn
)
)
{
authcDN
=
slap_empty_bv
;
}
else
{
authcDN
=
ndn
;
}
rs
->
sr_err
=
slap_sasl_matches
(
op
,
li
->
li_idassert_authz
,
&
authcDN
,
&
authcDN
);
if
(
rs
->
sr_err
!=
LDAP_SUCCESS
)
{
if
(
li
->
li_idassert_flags
&
LDAP_BACK_AUTH_PRESCRIPTIVE
)
{
if
(
sendok
&
LDAP_BACK_SENDERR
)
{
send_ldap_result
(
op
,
rs
);
dobind
=
-
1
;
}
if
(
BER_BVISNULL
(
&
ndn
)
)
{
authcDN
=
slap_empty_bv
;
}
else
{
rs
->
sr_err
=
LDAP_SUCCESS
;
*
binddn
=
slap_empty_bv
;
*
bindcred
=
slap_empty_bv
;
authcDN
=
ndn
;
}
rs
->
sr_err
=
slap_sasl_matches
(
op
,
li
->
li_idassert_passthru
,
&
authcDN
,
&
authcDN
);
if
(
rs
->
sr_err
==
LDAP_SUCCESS
)
{
dobind
=
0
;
break
;
}
}
goto
done
;
if
(
li
->
li_idassert_authz
)
{
struct
berval
authcDN
;
if
(
BER_BVISNULL
(
&
ndn
)
)
{
authcDN
=
slap_empty_bv
;
}
else
{
authcDN
=
ndn
;
}
rs
->
sr_err
=
slap_sasl_matches
(
op
,
li
->
li_idassert_authz
,
&
authcDN
,
&
authcDN
);
if
(
rs
->
sr_err
!=
LDAP_SUCCESS
)
{
if
(
li
->
li_idassert_flags
&
LDAP_BACK_AUTH_PRESCRIPTIVE
)
{
if
(
sendok
&
LDAP_BACK_SENDERR
)
{
send_ldap_result
(
op
,
rs
);
dobind
=
-
1
;
}
}
else
{
rs
->
sr_err
=
LDAP_SUCCESS
;
*
binddn
=
slap_empty_bv
;
*
bindcred
=
slap_empty_bv
;
break
;
}
goto
done
;
}
}
}
...
...
servers/slapd/back-ldap/config.c
View file @
f3a86075
...
...
@@ -54,6 +54,7 @@ enum {
LDAP_BACK_CFG_IDASSERT_AUTHCDN
,
LDAP_BACK_CFG_IDASSERT_PASSWD
,
LDAP_BACK_CFG_IDASSERT_AUTHZFROM
,
LDAP_BACK_CFG_IDASSERT_PASSTHRU
,
LDAP_BACK_CFG_IDASSERT_METHOD
,
LDAP_BACK_CFG_IDASSERT_BIND
,
LDAP_BACK_CFG_REBIND
,
...
...
@@ -185,6 +186,7 @@ static ConfigTable ldapcfg[] = {
ldap_back_cf_gen
,
"( OLcfgDbAt:3.9 "
"NAME 'olcDbIDAssertAuthzFrom' "
"DESC 'Remote Identity Assertion authz rules' "
"EQUALITY caseIgnoreMatch "
"SYNTAX OMsDirectoryString "
"X-ORDERED 'VALUES' )"
,
NULL
,
NULL
},
...
...
@@ -326,6 +328,16 @@ static ConfigTable ldapcfg[] = {
"SYNTAX OMsBoolean "
"SINGLE-VALUE )"
,
NULL
,
NULL
},
{
"idassert-passThru"
,
"authzRule"
,
2
,
2
,
0
,
ARG_MAGIC
|
LDAP_BACK_CFG_IDASSERT_PASSTHRU
,
ldap_back_cf_gen
,
"( OLcfgDbAt:3.27 "
"NAME 'olcDbIDAssertPassThru' "
"DESC 'Remote Identity Assertion passthru rules' "
"EQUALITY caseIgnoreMatch "
"SYNTAX OMsDirectoryString "
"X-ORDERED 'VALUES' )"
,
NULL
,
NULL
},
{
"suffixmassage"
,
"[virtual]> <real"
,
2
,
3
,
0
,
ARG_STRING
|
ARG_MAGIC
|
LDAP_BACK_CFG_REWRITE
,
ldap_back_cf_gen
,
NULL
,
NULL
,
NULL
},
...
...
@@ -354,6 +366,7 @@ static ConfigOCs ldapocs[] = {
"$ olcDbIDAssertBind "
"$ olcDbIDAssertMode "
"$ olcDbIDAssertAuthzFrom "
"$ olcDbIDAssertPassThru "
"$ olcDbRebindAsUser "
"$ olcDbChaseReferrals "
"$ olcDbTFSupport "
...
...
@@ -668,8 +681,76 @@ slap_idassert_authzfrom_parse( ConfigArgs *c, slap_idassert_t *si )
Debug
(
LDAP_DEBUG_ANY
,
"%s: %s.
\n
"
,
c
->
log
,
c
->
cr_msg
,
0
);
return
1
;
}
if
(
c
->
valx
==
-
1
)
{
ber_bvarray_add
(
&
si
->
si_authz
,
&
bv
);
}
else
{
int
i
;
for
(
i
=
0
;
!
BER_BVISNULL
(
&
si
->
si_authz
[
i
]
);
i
++
)
;
if
(
i
<=
c
->
valx
)
{
ber_bvarray_add
(
&
si
->
si_authz
,
&
bv
);
}
else
{
BerVarray
tmp
=
ber_memrealloc
(
si
->
si_authz
,
sizeof
(
struct
berval
)
*
(
i
+
2
)
);
if
(
tmp
==
NULL
)
{
return
-
1
;
}
si
->
si_authz
=
tmp
;
for
(
;
i
>
c
->
valx
;
i
--
)
{
si
->
si_authz
[
i
]
=
si
->
si_authz
[
i
-
1
];
}
si
->
si_authz
[
c
->
valx
]
=
bv
;
}
}
return
0
;
}
static
int
slap_idassert_passthru_parse
(
ConfigArgs
*
c
,
slap_idassert_t
*
si
)
{
struct
berval
bv
;
struct
berval
in
;
int
rc
;
ber_str2bv
(
c
->
argv
[
1
],
0
,
0
,
&
in
);
rc
=
authzNormalize
(
0
,
NULL
,
NULL
,
&
in
,
&
bv
,
NULL
);
if
(
rc
!=
LDAP_SUCCESS
)
{
snprintf
(
c
->
cr_msg
,
sizeof
(
c
->
cr_msg
),
"
\"
idassert-passThru <authz>
\"
: "
"invalid syntax"
);
Debug
(
LDAP_DEBUG_ANY
,
"%s: %s.
\n
"
,
c
->
log
,
c
->
cr_msg
,
0
);
return
1
;
}
ber_bvarray_add
(
&
si
->
si_authz
,
&
bv
);
if
(
c
->
valx
==
-
1
)
{
ber_bvarray_add
(
&
si
->
si_passthru
,
&
bv
);
}
else
{
int
i
;
for
(
i
=
0
;
!
BER_BVISNULL
(
&
si
->
si_passthru
[
i
]
);
i
++
)
;
if
(
i
<=
c
->
valx
)
{
ber_bvarray_add
(
&
si
->
si_passthru
,
&
bv
);
}
else
{
BerVarray
tmp
=
ber_memrealloc
(
si
->
si_passthru
,
sizeof
(
struct
berval
)
*
(
i
+
2
)
);
if
(
tmp
==
NULL
)
{
return
-
1
;
}
si
->
si_passthru
=
tmp
;
for
(
;
i
>
c
->
valx
;
i
--
)
{
si
->
si_passthru
[
i
]
=
si
->
si_passthru
[
i
-
1
];
}
si
->
si_passthru
[
c
->
valx
]
=
bv
;
}
}
return
0
;
}
...
...
@@ -835,6 +916,22 @@ slap_idassert_authzfrom_parse_cf( const char *fname, int lineno, const char *arg
return
slap_idassert_authzfrom_parse
(
&
c
,
si
);
}
int
slap_idassert_passthru_parse_cf
(
const
char
*
fname
,
int
lineno
,
const
char
*
arg
,
slap_idassert_t
*
si
)
{
ConfigArgs
c
=
{
0
};
char
*
argv
[
3
];
snprintf
(
c
.
log
,
sizeof
(
c
.
log
),
"%s: line %d"
,
fname
,
lineno
);
c
.
argc
=
2
;
c
.
argv
=
argv
;
argv
[
0
]
=
"idassert-passThru"
;
argv
[
1
]
=
(
char
*
)
arg
;
argv
[
2
]
=
NULL
;
return
slap_idassert_passthru_parse
(
&
c
,
si
);
}
int
slap_idassert_parse_cf
(
const
char
*
fname
,
int
lineno
,
int
argc
,
char
*
argv
[],
slap_idassert_t
*
si
)
{
...
...
@@ -936,11 +1033,23 @@ ldap_back_cf_gen( ConfigArgs *c )
rc
=
1
;
break
;
case
LDAP_BACK_CFG_IDASSERT_AUTHZFROM
:
{
case
LDAP_BACK_CFG_IDASSERT_AUTHZFROM
:
case
LDAP_BACK_CFG_IDASSERT_PASSTHRU
:
{
BerVarray
*
bvp
;
int
i
;
struct
berval
bv
=
BER_BVNULL
;
char
buf
[
SLAP_TEXT_BUFLEN
];
if
(
li
->
li_idassert_authz
==
NULL
)
{
if
(
(
li
->
li_idassert_flags
&
LDAP_BACK_AUTH_AUTHZ_ALL
)
)
{
switch
(
c
->
type
)
{
case
LDAP_BACK_CFG_IDASSERT_AUTHZFROM
:
bvp
=
&
li
->
li_idassert_authz
;
break
;
case
LDAP_BACK_CFG_IDASSERT_PASSTHRU
:
bvp
=
&
li
->
li_idassert_passthru
;
break
;
default:
assert
(
0
);
break
;
}
if
(
*
bvp
==
NULL
)
{
if
(
*
bvp
==
li
->
li_idassert_authz
&&
(
li
->
li_idassert_flags
&
LDAP_BACK_AUTH_AUTHZ_ALL
)
)
{
BER_BVSTR
(
&
bv
,
"*"
);
value_add_one
(
&
c
->
rvalue_vals
,
&
bv
);
...
...
@@ -950,9 +1059,18 @@ ldap_back_cf_gen( ConfigArgs *c )
break
;
}
for
(
i
=
0
;
!
BER_BVISNULL
(
&
li
->
li_idassert_authz
[
i
]
);
i
++
)
{
value_add_one
(
&
c
->
rvalue_vals
,
&
li
->
li_idassert_authz
[
i
]
);
for
(
i
=
0
;
!
BER_BVISNULL
(
&
((
*
bvp
)[
i
])
);
i
++
)
{
char
*
ptr
;
int
len
=
snprintf
(
buf
,
sizeof
(
buf
),
SLAP_X_ORDERED_FMT
,
i
);
bv
.
bv_len
=
((
*
bvp
)[
i
]).
bv_len
+
len
;
bv
.
bv_val
=
ber_memrealloc
(
bv
.
bv_val
,
bv
.
bv_len
+
1
);
ptr
=
bv
.
bv_val
;
ptr
=
lutil_strcopy
(
ptr
,
buf
);
ptr
=
lutil_strncopy
(
ptr
,
((
*
bvp
)[
i
]).
bv_val
,
((
*
bvp
)[
i
]).
bv_len
);
value_add_one
(
&
c
->
rvalue_vals
,
&
bv
);
}
if
(
bv
.
bv_val
)
{
ber_memfree
(
bv
.
bv_val
);
}
break
;
}
...
...
@@ -1287,11 +1405,43 @@ ldap_back_cf_gen( ConfigArgs *c )
break
;
case
LDAP_BACK_CFG_IDASSERT_AUTHZFROM
:
if
(
li
->
li_idassert_authz
!=
NULL
)
{
ber_bvarray_free
(
li
->
li_idassert_authz
);
li
->
li_idassert_authz
=
NULL
;
case
LDAP_BACK_CFG_IDASSERT_PASSTHRU
:
{
BerVarray
*
bvp
;
switch
(
c
->
type
)
{
case
LDAP_BACK_CFG_IDASSERT_AUTHZFROM
:
bvp
=
&
li
->
li_idassert_authz
;
break
;
case
LDAP_BACK_CFG_IDASSERT_PASSTHRU
:
bvp
=
&
li
->
li_idassert_passthru
;
break
;
default:
assert
(
0
);
break
;
}
break
;
if
(
c
->
valx
<
0
)
{
if
(
*
bvp
!=
NULL
)
{
ber_bvarray_free
(
*
bvp
);
*
bvp
=
NULL
;
}
}
else
{
int
i
;
if
(
*
bvp
==
NULL
)
{
rc
=
1
;
break
;
}
for
(
i
=
0
;
!
BER_BVISNULL
(
&
((
*
bvp
)[
i
])
);
i
++
)
;
if
(
i
>=
c
->
valx
)
{
rc
=
1
;
break
;
}
ber_memfree
(
((
*
bvp
)[
c
->
valx
]).
bv_val
);
for
(
i
=
c
->
valx
;
!
BER_BVISNULL
(
&
((
*
bvp
)[
i
+
1
])
);
i
++
)
{
(
*
bvp
)[
i
]
=
(
*
bvp
)[
i
+
1
];
}
BER_BVZERO
(
&
((
*
bvp
)[
i
])
);
}
}
break
;
case
LDAP_BACK_CFG_IDASSERT_BIND
:
bindconf_free
(
&
li
->
li_idassert
.
si_bc
);
...
...
@@ -1732,6 +1882,10 @@ done_url:;
rc
=
slap_idassert_authzfrom_parse
(
c
,
&
li
->
li_idassert
);
break
;
case
LDAP_BACK_CFG_IDASSERT_PASSTHRU
:
rc
=
slap_idassert_passthru_parse
(
c
,
&
li
->
li_idassert
);
break
;
case
LDAP_BACK_CFG_IDASSERT_METHOD
:
/* no longer supported */
snprintf
(
c
->
cr_msg
,
sizeof
(
c
->
cr_msg
),
...
...
servers/slapd/back-ldap/init.c
View file @
f3a86075
...
...
@@ -36,6 +36,7 @@ static const ldap_extra_t ldap_extra = {
ldap_back_proxy_authz_ctrl
,
ldap_back_controls_free
,
slap_idassert_authzfrom_parse_cf
,
slap_idassert_passthru_parse_cf
,
slap_idassert_parse_cf
,
slap_retry_info_destroy
,
slap_retry_info_parse
,
...
...
servers/slapd/back-ldap/proto-ldap.h
View file @
f3a86075
...
...
@@ -102,6 +102,7 @@ extern int slap_retry_info_parse( char *in, slap_retry_info_t *ri,
extern
int
slap_retry_info_unparse
(
slap_retry_info_t
*
ri
,
struct
berval
*
bvout
);
extern
int
slap_idassert_authzfrom_parse_cf
(
const
char
*
fname
,
int
lineno
,
const
char
*
arg
,
slap_idassert_t
*
si
);
extern
int
slap_idassert_passthru_parse_cf
(
const
char
*
fname
,
int
lineno
,
const
char
*
arg
,
slap_idassert_t
*
si
);
extern
int
slap_idassert_parse_cf
(
const
char
*
fname
,
int
lineno
,
int
argc
,
char
*
argv
[],
slap_idassert_t
*
si
);
extern
int
chain_initialize
(
void
);
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment