Commit bf0373b4 authored by Howard Chu's avatar Howard Chu
Browse files

Add conn->c_sasl_authz_dn, store SASL authzDN separately from authcDN

parent 89bae499
......@@ -609,6 +609,10 @@ void connection2anonymous( Connection *c )
free(c->c_ndn.bv_val);
}
BER_BVZERO( &c->c_ndn );
if(c->c_sasl_authz_dn.bv_val != NULL) {
free(c->c_sasl_authz_dn.bv_val);
}
BER_BVZERO( &c->c_sasl_authz_dn );
c->c_authz_backend = NULL;
}
......@@ -1598,8 +1602,13 @@ static int connection_op_activate( Operation *op )
if (!op->o_dn.bv_len) {
op->o_authz = op->o_conn->c_authz;
ber_dupbv( &op->o_dn, &op->o_conn->c_dn );
ber_dupbv( &op->o_ndn, &op->o_conn->c_ndn );
if ( BER_BVISNULL( &op->o_conn->c_sasl_authz_dn )) {
ber_dupbv( &op->o_dn, &op->o_conn->c_dn );
ber_dupbv( &op->o_ndn, &op->o_conn->c_ndn );
} else {
ber_dupbv( &op->o_dn, &op->o_conn->c_sasl_authz_dn );
ber_dupbv( &op->o_ndn, &op->o_conn->c_sasl_authz_dn );
}
}
op->o_authtype = op->o_conn->c_authtype;
ber_dupbv( &op->o_authmech, &op->o_conn->c_authmech );
......
......@@ -576,7 +576,7 @@ slap_sasl_authorize(
{
Connection *conn = (Connection *)context;
struct propval auxvals[3];
struct berval authcDN, authzDN;
struct berval authcDN, authzDN=BER_BVNULL;
int rc;
/* Simple Binds don't support proxy authorization, ignore it */
......@@ -601,17 +601,16 @@ slap_sasl_authorize(
}
AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) );
conn->c_sasl_dn = authcDN;
/* Nothing to do if no authzID was given */
if ( !auxvals[1].name || !auxvals[1].values ) {
conn->c_sasl_dn = authcDN;
goto ok;
}
AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) );
rc = slap_sasl_authorized( conn->c_sasl_bindop, &authcDN, &authzDN );
ch_free( authcDN.bv_val );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE, "SASL Proxy Authorize [conn=%ld]: "
"proxy authorization disallowed (%d)\n",
......@@ -622,18 +621,19 @@ slap_sasl_authorize(
return SASL_NOAUTHZ;
}
conn->c_sasl_dn = authzDN;
conn->c_sasl_authz_dn = authzDN;
ok:
if (conn->c_sasl_bindop) {
Statslog( LDAP_DEBUG_STATS,
"conn=%lu op=%lu BIND authcid=\"%s\"\n",
"conn=%lu op=%lu BIND authcid=\"%s\" authzid=\"%s\"\n",
conn->c_connid, conn->c_sasl_bindop->o_opid,
auth_identity, 0, 0);
auth_identity, requested_user, 0);
}
Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
" proxy authorization allowed\n",
(long) (conn ? conn->c_connid : -1), 0, 0 );
" proxy authorization allowed authzDN=\"%s\"\n",
(long) (conn ? conn->c_connid : -1),
authzDN.bv_val ? authzDN.bv_val : "", 0 );
return SASL_OK;
}
#else
......@@ -682,11 +682,11 @@ slap_sasl_authorize(
*errstr = ldap_err2string( rc );
return SASL_NOAUTHZ;
}
conn->c_sasl_dn = authcDN;
if( ( authzid == NULL ) || !strcmp( authcid, authzid ) ) {
Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
"Using authcDN=%s\n", (long) (conn ? conn->c_connid : -1), authcDN.bv_val,0 );
conn->c_sasl_dn = authcDN;
goto ok;
}
......@@ -695,13 +695,11 @@ slap_sasl_authorize(
rc = slap_sasl_getdn( conn, NULL, &bvauthzid, realm,
&authzDN, SLAP_GETDN_AUTHZID );
if( rc != LDAP_SUCCESS ) {
ch_free( authcDN.bv_val );
*errstr = ldap_err2string( rc );
return SASL_NOAUTHZ;
}
rc = slap_sasl_authorized(conn->c_sasl_bindop, &authcDN, &authzDN );
ch_free( authcDN.bv_val );
if( rc ) {
Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
"proxy authorization disallowed (%d)\n",
......@@ -711,18 +709,19 @@ slap_sasl_authorize(
ch_free( authzDN.bv_val );
return SASL_NOAUTHZ;
}
conn->c_sasl_dn = authzDN;
conn->c_sasl_authz_dn = authzDN;
ok:
Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
" authorization allowed\n",
(long) (conn ? conn->c_connid : -1), 0, 0 );
" authorization allowed authzDN=\"%s\"\n",
(long) (conn ? conn->c_connid : -1),
authzDN.bv_val ? authzDN.bv_val : "", 0 );
if (conn->c_sasl_bindop) {
Statslog( LDAP_DEBUG_STATS,
"conn=%lu op=%lu BIND authcid=\"%s\"\n",
"conn=%lu op=%lu BIND authcid=\"%s\" authzid=\"%s\"\n",
conn->c_connid, conn->c_sasl_bindop->o_opid,
authcid, 0, 0);
authcid, authzid ? authzid : "", 0);
}
*errstr = NULL;
......
......@@ -2484,6 +2484,7 @@ typedef struct slap_conn {
int c_sasl_bind_in_progress; /* multi-op bind in progress */
struct berval c_sasl_bind_mech; /* mech in progress */
struct berval c_sasl_dn; /* temporary storage */
struct berval c_sasl_authz_dn; /* SASL proxy authz */
/* authorization backend */
Backend *c_authz_backend;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment