From 9bcb37b5c19bddb488560c9cc74232634871c41b Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati <ando@openldap.org>
Date: Tue, 10 Jan 2006 02:05:54 +0000
Subject: [PATCH] refine fix to ITS#4320

---
 doc/man/man5/slapd.conf.5 | 5 ++++-
 servers/slapd/bconfig.c   | 1 +
 servers/slapd/controls.c  | 7 +++++++
 servers/slapd/slap.h      | 3 ++-
 4 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index dbad1a97d2..0a4de7b915 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -100,8 +100,11 @@ when DN is empty).
 .B bind_anon_dn
 allows unauthenticated (anonymous) bind when DN is not empty.
 .B update_anon
-allow unauthenticated (anonymous) update operations to be processed
+allows unauthenticated (anonymous) update operations to be processed
 (subject to access controls and other administrative limits).
+.B proxy_authz_anon
+allows unauthenticated (anonymous) proxy authorization control to be processed
+(subject to access controls, authorization and other administrative limits).
 .TP
 .B argsfile <filename>
 The ( absolute ) name of a file that will hold the 
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 9392830613..1014ec7fed 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -1996,6 +1996,7 @@ config_allows(ConfigArgs *c) {
 		{ BER_BVC("bind_anon_cred"),	SLAP_ALLOW_BIND_ANON_CRED },
 		{ BER_BVC("bind_anon_dn"),	SLAP_ALLOW_BIND_ANON_DN },
 		{ BER_BVC("update_anon"),	SLAP_ALLOW_UPDATE_ANON },
+		{ BER_BVC("proxy_authz_anon"),	SLAP_ALLOW_PROXY_AUTHZ_ANON },
 		{ BER_BVNULL,	0 }
 	};
 	if (c->op == SLAP_CONFIG_EMIT) {
diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index 0ed668bd80..1931dd14ae 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -877,6 +877,13 @@ static int parseProxyAuthz (
 		return LDAP_PROTOCOL_ERROR;
 	}
 
+	if ( !( global_allows & SLAP_ALLOW_PROXY_AUTHZ_ANON )
+		&& BER_BVISEMPTY( &op->o_ndn ) )
+	{
+		rs->sr_text = "anonymous proxyAuthz not allowed";
+		return LDAP_PROXY_AUTHZ_FAILURE;
+	}
+
 	op->o_proxy_authz = ctrl->ldctl_iscritical
 		? SLAP_CONTROL_CRITICAL
 		: SLAP_CONTROL_NONCRITICAL;
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index f2a37db1c0..6c18cb88bb 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1771,11 +1771,12 @@ struct slap_backend_db {
 	| SLAP_RESTRICT_OP_BIND \
 	| SLAP_RESTRICT_OP_EXTENDED )
 
-#define SLAP_ALLOW_BIND_V2			0x0001U	/* LDAPv2 bind */
+#define SLAP_ALLOW_BIND_V2		0x0001U	/* LDAPv2 bind */
 #define SLAP_ALLOW_BIND_ANON_CRED	0x0002U /* cred should be empty */
 #define SLAP_ALLOW_BIND_ANON_DN		0x0004U /* dn should be empty */
 
 #define SLAP_ALLOW_UPDATE_ANON		0x0008U /* allow anonymous updates */
+#define SLAP_ALLOW_PROXY_AUTHZ_ANON	0x0010U /* allow anonymous proxyAuthz */
 
 #define SLAP_DISALLOW_BIND_ANON		0x0001U /* no anonymous */
 #define SLAP_DISALLOW_BIND_SIMPLE	0x0002U	/* simple authentication */
-- 
GitLab