assert administrative identity instead of the required one if doing auth check in non-caching mode

a7b55f4f · Pierangelo Masarati · 32d9856f · a7b55f4f · a7b55f4f · a7b55f4f
Commit a7b55f4f authored 20 years ago by Pierangelo Masarati
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -143,7 +143,7 @@ ldap_back_conn_cmp(
 	int rc;
 	
 	/* If local DNs don't match, it is definitely not a match */
-	if ( ( rc = ber_bvcmp( &lc1->local_dn, &lc2->local_dn )) )
+	if ( ( rc = ber_bvcmp( &lc1->local_dn, &lc2->local_dn ) ) )
 		return rc;

 	/* For shared sessions, conn is NULL. Only explicitly
@@ -226,17 +226,16 @@ ldap_back_freeconn( Operation *op, struct ldapconn *lc )
 struct ldapconn *
 ldap_back_getconn(Operation *op, SlapReply *rs)
 {
-	struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
-	struct ldapconn *lc, lc_curr;
-	LDAP *ld;
-	int is_priv = 0;
+	struct ldapinfo	*li = (struct ldapinfo *)op->o_bd->be_private;
+	struct ldapconn	*lc, lc_curr;
+	LDAP		*ld;
+	int		is_priv = 0;

 	/* Searches for a ldapconn in the avl tree */

 	/* Explicit binds must not be shared */
 	if ( op->o_tag == LDAP_REQ_BIND
-		|| (op->o_conn
-		  && (op->o_bd == op->o_conn->c_authz_backend ))) {
+		|| ( op->o_conn && op->o_bd == op->o_conn->c_authz_backend ) ) {
 		lc_curr.conn = op->o_conn;

 	} else {
@@ -463,7 +462,9 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 				int		freeauthz = 0;

 				/* if SASL supports native authz, prepare for it */
-				if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {
+				if ( ( !op->o_do_not_cache || !op->o_is_auth_check ) &&
+						( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) )
+				{
 					switch ( li->idassert_mode ) {
 					case LDAP_BACK_IDASSERT_OTHERID:
 					case LDAP_BACK_IDASSERT_OTHERDN:
@@ -753,7 +754,8 @@ ldap_back_proxy_authz_ctrl(
 {
 	struct ldapinfo	*li = (struct ldapinfo *) op->o_bd->be_private;
 	LDAPControl	**ctrls = NULL;
-	int		i = 0;
+	int		i = 0,
+			mode;
 	struct berval	assertedID;

 	*pctrls = NULL;
@@ -845,7 +847,14 @@ ldap_back_proxy_authz_ctrl(
 		rs->sr_text = "proxyAuthz not allowed within namingContext";
 	}

-	switch ( li->idassert_mode ) {
+	if ( op->o_do_not_cache && op->o_is_auth_check ) {
+		mode = LDAP_BACK_IDASSERT_NOASSERT;
+
+	} else {
+		mode = li->idassert_mode;
+	}
+
+	switch ( mode ) {
 	case LDAP_BACK_IDASSERT_LEGACY:
 	case LDAP_BACK_IDASSERT_SELF:
 		/* original behavior:

--- a/tests/data/slapd-ldapgluepeople.conf
+++ b/tests/data/slapd-ldapgluepeople.conf
@@ -41,6 +41,7 @@ authz-regexp	"^uid=([^,]+),.*" "uid=$1,ou=People,dc=example,dc=com"
 #

 access to attr=userpassword
+	by dn.exact="uid=proxy,ou=People,dc=example,dc=com" read
 	by self =wx
 	by anonymous =x


--- a/tests/scripts/test029-ldapglue
+++ b/tests/scripts/test029-ldapglue
@@ -185,33 +185,33 @@ if test $? != 0 ; then
 fi

 # FIXME: this cannot work as is, because SASL bind cannot be proxied!
-#if test $USE_SASL != "no" ; then
-#	ID="bjorn"
-#	BASE="dc=example,dc=com"
-#	echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
-#	$LDAPSASLSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
-#		-Q -U "$ID" -w bjorn -Y $MECH > $SEARCHOUT 2>&1
-#
-#	RC=$?
-#	if test $RC != 0 ; then
-#		echo "ldapsearch failed ($RC)!"
-#		test $KILLSERVERS != no && kill -HUP $KILLPIDS
-#		exit $RC
-#	fi
-#
-#	echo "Filtering ldapsearch results..."
-#	. $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
-#	echo "Filtering original ldif used to create database..."
-#	. $LDIFFILTER < $LDAPGLUEOUT > $LDIFFLT
-#	echo "Comparing filter output..."
-#	$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
-#	
-#	if test $? != 0 ; then
-#		echo "comparison failed - glued search with SASL bind and identity assertion didn't succeed"
-#		test $KILLSERVERS != no && kill -HUP $KILLPIDS
-#		exit 1
-#	fi
-#fi
+if test $USE_SASL != "no" ; then
+	ID="bjorn"
+	BASE="dc=example,dc=com"
+	echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
+	$LDAPSASLSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
+		-Q -U "$ID" -w bjorn -Y $MECH > $SEARCHOUT 2>&1
+
+	RC=$?
+	if test $RC != 0 ; then
+		echo "ldapsearch failed ($RC)!"
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
+		exit $RC
+	fi
+
+	echo "Filtering ldapsearch results..."
+	. $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+	echo "Filtering original ldif used to create database..."
+	. $LDIFFILTER < $LDAPGLUEOUT > $LDIFFLT
+	echo "Comparing filter output..."
+	$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
+	
+	if test $? != 0 ; then
+		echo "comparison failed - glued search with SASL bind and identity assertion didn't succeed"
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
+		exit 1
+	fi
+fi

 test $KILLSERVERS != no && kill -HUP $KILLPIDS