Copy LDBM bind "ACL_AUTH" and SASL framework to bdb2.

servers/slapd/back-bdb2/bind.c

@@ -65,6 +65,7 @@ bdb2i_back_bind_internal(
     Operation		*op,
     char		*dn,
     int			method,
+	char		*mech,
     struct berval	*cred,
 	char**	edn
 )
@@ -86,17 +87,33 @@ bdb2i_back_bind_internal(
 	/* get entry with reader lock */
 	if ( (e = bdb2i_dn2entry_r( be, dn, &matched )) == NULL ) {
 		/* allow noauth binds */
-		if ( method == LDAP_AUTH_SIMPLE && cred->bv_len == 0 ) {
-			/*
-			 * bind successful, but return 1 so we don't
-			 * authorize based on noauth credentials
-			 */
-			send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
-			rc = 1;
-		} else if ( be_isroot_pw( be, dn, cred ) ) {
-			/* front end will send result */
-			*edn = ch_strdup( be_root_dn( be ) );
-			rc = 0;
+		rc = 1;
+		if ( method == LDAP_AUTH_SIMPLE ) {
+			if( cred->bv_len == 0 ) {
+				/* SUCCESS */
+				send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
+
+			} else if ( be_isroot_pw( be, dn, cred ) ) {
+				/* front end will send result */
+				*edn = ch_strdup( be_root_dn( be ) );
+				rc = 0;
+
+			} else {
+				send_ldap_result( conn, op,
+					LDAP_NO_SUCH_OBJECT, matched, NULL );
+			}
+
+		} else if ( method == LDAP_AUTH_SASL ) {
+			if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") == 0 ) {
+				/* insert DIGEST calls here */
+				send_ldap_result( conn, op,
+					LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL );
+
+			} else {
+				send_ldap_result( conn, op,
+					LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL );
+			}
+
 		} else {
 			send_ldap_result( conn, op, LDAP_NO_SUCH_OBJECT, matched, NULL );
 			rc = 1;
@@ -111,6 +128,14 @@ bdb2i_back_bind_internal(
 
 	/* check for deleted */
 
+	if ( ! access_allowed( be, conn, op, e,
+		"entry", NULL, ACL_AUTH ) )
+	{
+		send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
+		rc = 1;
+		goto return_results;
+	}
+
 	switch ( method ) {
 	case LDAP_AUTH_SIMPLE:
 		if ( cred->bv_len == 0 ) {
@@ -130,6 +155,14 @@ bdb2i_back_bind_internal(
 			goto return_results;
 		}
 
+		if ( ! access_allowed( be, conn, op, e,
+			"userpassword", NULL, ACL_AUTH ) )
+		{
+			send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
+			rc = 1;
+			goto return_results;
+		}
+
 		if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
 			send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
 			    NULL, NULL );
@@ -155,11 +188,21 @@ bdb2i_back_bind_internal(
 		if ( bdb2i_krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
 			send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
 			    NULL, NULL );
-			rc = 0;
+			rc = 1;
 			goto return_results;
 		}
+
+		if ( ! access_allowed( be, conn, op, e,
+			"krbname", NULL, ACL_AUTH ) )
+		{
+			send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
+			rc = 1;
+			goto return_results;
+		}
+
 		sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
 		    : "", ad.pinst, ad.prealm );
+
 		if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
 			/*
 			 * no krbName values present:  check against DN
@@ -195,6 +238,9 @@ bdb2i_back_bind_internal(
 		goto return_results;
 #endif
 
+	case LDAP_AUTH_SASL:
+		/* insert sasl code here */
+
 	default:
 		send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
 		    NULL, "auth method not supported" );
@@ -237,7 +283,7 @@ bdb2_back_bind(
 
 	}
 
-	ret = bdb2i_back_bind_internal( be, conn, op, dn, method, cred, edn );
+	ret = bdb2i_back_bind_internal( be, conn, op, dn, method, mech, cred, edn );
 
 	(void) bdb2i_leave_backend_r( lock );
 

servers/slapd/back-ldbm/bind.c

@@ -98,16 +98,19 @@ ldbm_back_bind(
 				rc = 0; /* front end will send result */
 
 			} else {
-				send_ldap_result( conn, op, LDAP_NO_SUCH_OBJECT, matched, NULL );
+				send_ldap_result( conn, op,
+					LDAP_NO_SUCH_OBJECT, matched, NULL );
 			}
 
 		} else if ( method == LDAP_AUTH_SASL ) {
-			if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") ) {
+			if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") == 0 ) {
 				/* insert DIGEST calls here */
-				send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH, NULL, NULL );
+				send_ldap_result( conn, op,
+					LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL );
 				
 			} else {
-				send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH, NULL, NULL );
+				send_ldap_result( conn, op,
+					LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL );
 			}
 
 		} else {
@@ -193,13 +196,22 @@ ldbm_back_bind(
 		if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
 			send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
 			    NULL, NULL );
-			rc = 0;
+			rc = 1;
+			goto return_results;
+		}
+
+		if ( ! access_allowed( be, conn, op, e,
+			"krbname", NULL, ACL_AUTH ) )
+		{
+			send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
+			rc = 1;
 			goto return_results;
 		}
 
 		sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
 		    : "", ad.pinst, ad.prealm );
 
+
 		if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
 			/*
 			 * no krbName values present:  check against DN
@@ -236,6 +248,9 @@ ldbm_back_bind(
 		goto return_results;
 #endif
 
+	case LDAP_AUTH_SASL:
+		/* insert SASL code here */
+
 	default:
 		send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
 		    NULL, "auth method not supported" );

tests/data/slapd-bdb2-acl.conf

@@ -24,19 +24,26 @@ index		cn,sn,uid	pres,eq,approx
 index		default		none
 lastmod		on
 defaultaccess	none
+
 access		to attr=objectclass
 		by * read
-access		to attr=userpassword
+
+access		to filter="objectclass=person" attr=userpassword
 		by self write
-		by * compare
+		by anonymous auth
+		by * none
+
 access		to dn=".*,ou=Alumni Association,ou=People,o=University of Michigan,c=US"
-		by dn=".*,o=University of Michigan,c=US"
-		read
+		by dn=".*,o=University of Michigan,c=US" read
+		by anonymous auth
 		by * none
+
 access		to attr=member
 		by dnattr=member selfwrite
 		by * read
+
 access		to filter="objectclass=rfc822mailgroup"
 		by dn="Bjorn Jensen,ou=Information Technology Division,ou=People,o=University of Michigan,c=US" write
 		by * read
+
 access		to * by * read