Commit a7b55f4f authored by Pierangelo Masarati's avatar Pierangelo Masarati

assert administrative identity instead of the required one if doing auth check in non-caching mode

parent 32d9856f
...@@ -143,7 +143,7 @@ ldap_back_conn_cmp( ...@@ -143,7 +143,7 @@ ldap_back_conn_cmp(
int rc; int rc;
/* If local DNs don't match, it is definitely not a match */ /* If local DNs don't match, it is definitely not a match */
if ( ( rc = ber_bvcmp( &lc1->local_dn, &lc2->local_dn )) ) if ( ( rc = ber_bvcmp( &lc1->local_dn, &lc2->local_dn ) ) )
return rc; return rc;
/* For shared sessions, conn is NULL. Only explicitly /* For shared sessions, conn is NULL. Only explicitly
...@@ -226,17 +226,16 @@ ldap_back_freeconn( Operation *op, struct ldapconn *lc ) ...@@ -226,17 +226,16 @@ ldap_back_freeconn( Operation *op, struct ldapconn *lc )
struct ldapconn * struct ldapconn *
ldap_back_getconn(Operation *op, SlapReply *rs) ldap_back_getconn(Operation *op, SlapReply *rs)
{ {
struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
struct ldapconn *lc, lc_curr; struct ldapconn *lc, lc_curr;
LDAP *ld; LDAP *ld;
int is_priv = 0; int is_priv = 0;
/* Searches for a ldapconn in the avl tree */ /* Searches for a ldapconn in the avl tree */
/* Explicit binds must not be shared */ /* Explicit binds must not be shared */
if ( op->o_tag == LDAP_REQ_BIND if ( op->o_tag == LDAP_REQ_BIND
|| (op->o_conn || ( op->o_conn && op->o_bd == op->o_conn->c_authz_backend ) ) {
&& (op->o_bd == op->o_conn->c_authz_backend ))) {
lc_curr.conn = op->o_conn; lc_curr.conn = op->o_conn;
} else { } else {
...@@ -463,7 +462,9 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs ) ...@@ -463,7 +462,9 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
int freeauthz = 0; int freeauthz = 0;
/* if SASL supports native authz, prepare for it */ /* if SASL supports native authz, prepare for it */
if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) { if ( ( !op->o_do_not_cache || !op->o_is_auth_check ) &&
( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) )
{
switch ( li->idassert_mode ) { switch ( li->idassert_mode ) {
case LDAP_BACK_IDASSERT_OTHERID: case LDAP_BACK_IDASSERT_OTHERID:
case LDAP_BACK_IDASSERT_OTHERDN: case LDAP_BACK_IDASSERT_OTHERDN:
...@@ -753,7 +754,8 @@ ldap_back_proxy_authz_ctrl( ...@@ -753,7 +754,8 @@ ldap_back_proxy_authz_ctrl(
{ {
struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private; struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
LDAPControl **ctrls = NULL; LDAPControl **ctrls = NULL;
int i = 0; int i = 0,
mode;
struct berval assertedID; struct berval assertedID;
*pctrls = NULL; *pctrls = NULL;
...@@ -845,7 +847,14 @@ ldap_back_proxy_authz_ctrl( ...@@ -845,7 +847,14 @@ ldap_back_proxy_authz_ctrl(
rs->sr_text = "proxyAuthz not allowed within namingContext"; rs->sr_text = "proxyAuthz not allowed within namingContext";
} }
switch ( li->idassert_mode ) { if ( op->o_do_not_cache && op->o_is_auth_check ) {
mode = LDAP_BACK_IDASSERT_NOASSERT;
} else {
mode = li->idassert_mode;
}
switch ( mode ) {
case LDAP_BACK_IDASSERT_LEGACY: case LDAP_BACK_IDASSERT_LEGACY:
case LDAP_BACK_IDASSERT_SELF: case LDAP_BACK_IDASSERT_SELF:
/* original behavior: /* original behavior:
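Review bot: The predicate that switches identity assertion off for a non-caching auth check is written twice with opposite polarity — `( !op->o_do_not_cache || !op->o_is_auth_check )` in the ldap_back_dobind hunk and `op->o_do_not_cache && op->o_is_auth_check` here in ldap_back_proxy_authz_ctrl — so the two sites can drift apart on a later edit. A single helper shared by both, e.g. `#define LDAP_BACK_AUTHCHECK_NOCACHE(op) ((op)->o_do_not_cache && (op)->o_is_auth_check)` (constructed name), would keep the dobind skip and the `mode = LDAP_BACK_IDASSERT_NOASSERT` override in step. The new `mode` local also deserves a why-comment at the assignment, e.g. `/* a non-cached auth check runs as the backend's own (administrative) identity, so no proxyAuthz is asserted */`, since the reason currently lives only in the commit title. Both enclosing functions start and end outside the shown hunks.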
......
...@@ -41,6 +41,7 @@ authz-regexp "^uid=([^,]+),.*" "uid=$1,ou=People,dc=example,dc=com" ...@@ -41,6 +41,7 @@ authz-regexp "^uid=([^,]+),.*" "uid=$1,ou=People,dc=example,dc=com"
# #
access to attr=userpassword access to attr=userpassword
by dn.exact="uid=proxy,ou=People,dc=example,dc=com" read
by self =wx by self =wx
by anonymous =x by anonymous =x
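Review bot: The new `by dn.exact="uid=proxy,ou=People,dc=example,dc=com" read` clause grants the proxy identity full read on userpassword, while the neighbouring clauses use the narrower `=wx` and `=x` forms, and nothing records why the wider level is needed. If read really is what the back-ldap auth check requires when it runs as the proxy identity, a comment such as `# proxy identity reads userpassword to perform auth checks on behalf of users` would keep a later reader from tightening it by mistake; if a narrower level suffices, it should be used instead. The enclosing access directive begins before the hunk.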
......
...@@ -185,33 +185,33 @@ if test $? != 0 ; then ...@@ -185,33 +185,33 @@ if test $? != 0 ; then
fi fi
# FIXME: this cannot work as is, because SASL bind cannot be proxied! # FIXME: this cannot work as is, because SASL bind cannot be proxied!
#if test $USE_SASL != "no" ; then if test $USE_SASL != "no" ; then
# ID="bjorn" ID="bjorn"
# BASE="dc=example,dc=com" BASE="dc=example,dc=com"
# echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..." echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
# $LDAPSASLSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \ $LDAPSASLSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
# -Q -U "$ID" -w bjorn -Y $MECH > $SEARCHOUT 2>&1 -Q -U "$ID" -w bjorn -Y $MECH > $SEARCHOUT 2>&1
#
# RC=$? RC=$?
# if test $RC != 0 ; then if test $RC != 0 ; then
# echo "ldapsearch failed ($RC)!" echo "ldapsearch failed ($RC)!"
# test $KILLSERVERS != no && kill -HUP $KILLPIDS test $KILLSERVERS != no && kill -HUP $KILLPIDS
# exit $RC exit $RC
# fi fi
#
# echo "Filtering ldapsearch results..." echo "Filtering ldapsearch results..."
# . $LDIFFILTER < $SEARCHOUT > $SEARCHFLT . $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
# echo "Filtering original ldif used to create database..." echo "Filtering original ldif used to create database..."
# . $LDIFFILTER < $LDAPGLUEOUT > $LDIFFLT . $LDIFFILTER < $LDAPGLUEOUT > $LDIFFLT
# echo "Comparing filter output..." echo "Comparing filter output..."
# $CMP $SEARCHFLT $LDIFFLT > $CMPOUT $CMP $SEARCHFLT $LDIFFLT > $CMPOUT
#
# if test $? != 0 ; then if test $? != 0 ; then
# echo "comparison failed - glued search with SASL bind and identity assertion didn't succeed" echo "comparison failed - glued search with SASL bind and identity assertion didn't succeed"
# test $KILLSERVERS != no && kill -HUP $KILLPIDS test $KILLSERVERS != no && kill -HUP $KILLPIDS
# exit 1 exit 1
# fi fi
#fi fi
test $KILLSERVERS != no && kill -HUP $KILLPIDS test $KILLSERVERS != no && kill -HUP $KILLPIDS
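Review bot: The comment `# FIXME: this cannot work as is, because SASL bind cannot be proxied!` is kept verbatim directly above the now-enabled `if test $USE_SASL != "no" ; then` block, so the script states that the test cannot work while running it. Either drop the FIXME or reword it to describe the situation after this commit, e.g. `# SASL bind is not proxied; the proxy asserts its own identity for the auth check`, which is what the commit title describes. The rest of the script's setup and teardown lies outside the hunk.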
......