Commit d6e7f0f6 authored by Kurt Zeilenga

Rework c_authzid_backend in preparation for sasl_setpass() support

parent 4d3b4f9e
......@@ -413,8 +413,15 @@ glue_back_bind (
be = glue_back_select (b0, ndn->bv_val);
if (be && be->be_bind) {
conn->c_authz_backend = be;
rc = be->be_bind (be, conn, op, dn, ndn, method, cred, edn);
if( rc == LDAP_SUCCESS ) {
ldap_pvt_thread_mutex_lock( &conn->c_mutex );
if( conn->c_authz_backend == NULL ) {
conn->c_authz_backend = be;
}
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
}
} else {
rc = LDAP_UNWILLING_TO_PERFORM;
send_ldap_result (conn, op, rc, NULL, "No bind target found",
......
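Review bot: The locked `if( conn->c_authz_backend == NULL )` in the success branch only records the backend when nothing else has set it, and nothing in the hunk says why the unconditional `conn->c_authz_backend = be;` before be_bind() was dropped. Presumably a SASL bind records the mapped identity's backend itself (the sasl.c part of this commit assigns it after its internal search) and the guard keeps a simple or glue bind from clobbering that, so a comment at the check would help: `/* SASL binds set c_authz_backend themselves (slap_sasl2dn); only record it here if the bind left it unset */`. The same shape appears in do_bind() in bind.c, so the comment belongs there too. Both sites rely on the connection having been reset to anonymous (c_authz_backend = NULL) before the bind starts, which connection2anonymous() in the connection.c section does; glue_back_bind's body continues outside the hunk.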
......@@ -478,8 +478,6 @@ do_bind(
goto cleanup;
}
conn->c_authz_backend = be;
if ( be->be_bind ) {
int ret;
......@@ -492,6 +490,10 @@ do_bind(
if ( ret == 0 ) {
ldap_pvt_thread_mutex_lock( &conn->c_mutex );
if( conn->c_authz_backend == NULL ) {
conn->c_authz_backend = be;
}
if(edn.bv_len) {
conn->c_dn = edn;
} else {
......
......@@ -573,8 +573,8 @@ long connection_init(
void connection2anonymous( Connection *c )
{
assert( connections != NULL );
assert( c != NULL );
assert( connections != NULL );
assert( c != NULL );
{
ber_len_t max = sockbuf_max_incoming;
......@@ -587,16 +587,16 @@ void connection2anonymous( Connection *c )
}
c->c_authmech.bv_len = 0;
if(c->c_dn.bv_val != NULL) {
free(c->c_dn.bv_val);
c->c_dn.bv_val = NULL;
}
c->c_dn.bv_len = 0;
if(c->c_ndn.bv_val != NULL) {
free(c->c_ndn.bv_val);
c->c_ndn.bv_val = NULL;
}
c->c_ndn.bv_len = 0;
if(c->c_dn.bv_val != NULL) {
free(c->c_dn.bv_val);
c->c_dn.bv_val = NULL;
}
c->c_dn.bv_len = 0;
if(c->c_ndn.bv_val != NULL) {
free(c->c_ndn.bv_val);
c->c_ndn.bv_val = NULL;
}
c->c_ndn.bv_len = 0;
if(c->c_cdn.bv_val != NULL) {
free(c->c_cdn.bv_val);
......@@ -605,17 +605,15 @@ void connection2anonymous( Connection *c )
c->c_cdn.bv_len = 0;
c->c_authz_backend = NULL;
{
GroupAssertion *g, *n;
for (g = c->c_groups; g; g=n)
{
n = g->ga_next;
free(g);
GroupAssertion *g, *n;
for (g = c->c_groups; g; g=n) {
n = g->ga_next;
free(g);
}
c->c_groups = NULL;
}
c->c_groups = NULL;
}
}
static void
......
......@@ -29,6 +29,7 @@ int passwd_extop(
const char **text,
BerVarray *refs )
{
Backend *be;
int rc;
assert( reqoid != NULL );
......@@ -39,7 +40,16 @@ int passwd_extop(
return LDAP_STRONG_AUTH_REQUIRED;
}
if( conn->c_authz_backend == NULL || !conn->c_authz_backend->be_extended ) {
ldap_pvt_thread_mutex_lock( &conn->c_mutex );
be = conn->c_authz_backend;
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
if( be == NULL ) {
*text = "operation not supported for SASL user";
return LDAP_UNWILLING_TO_PERFORM;
}
if( !be->be_extended ) {
*text = "operation not supported for current user";
return LDAP_UNWILLING_TO_PERFORM;
}
......@@ -47,23 +57,22 @@ int passwd_extop(
{
struct berval passwd = BER_BVC( LDAP_EXOP_MODIFY_PASSWD );
rc = backend_check_restrictions( conn->c_authz_backend,
conn, op, &passwd, text );
rc = backend_check_restrictions( be, conn, op, &passwd, text );
}
if( rc != LDAP_SUCCESS ) {
return rc;
}
if( conn->c_authz_backend->be_update_ndn.bv_len ) {
if( be->be_update_ndn.bv_len ) {
/* we SHOULD return a referral in this case */
*refs = referral_rewrite( conn->c_authz_backend->be_update_refs,
*refs = referral_rewrite( be->be_update_refs,
NULL, NULL, LDAP_SCOPE_DEFAULT );
rc = LDAP_REFERRAL;
} else {
rc = conn->c_authz_backend->be_extended(
conn->c_authz_backend, conn, op,
rc = be->be_extended(
be, conn, op,
reqoid, reqdata,
rspoid, rspdata, rspctrls,
text, refs );
......
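Review bot: `be` is snapshotted under `c_mutex` and then used for backend_check_restrictions() and `be_extended()` after the unlock, so if another operation on the same connection rebinds in between (connection2anonymous() in this commit resets c_authz_backend to NULL) the password change is evaluated against an identity the connection no longer has. If binds are already serialized against other pending operations on a connection this is harmless, but the assumption deserves a comment next to the unlock: `/* snapshot; a rebind on this connection may reset c_authz_backend after the unlock */`. Splitting the old combined check into two distinct error texts is an improvement, though "operation not supported for SASL user" is reached for any connection whose authz backend was never recorded, not only SASL identities, so a neutral wording would be less misleading. passwd_extop's body extends beyond the hunk on both sides.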
......@@ -357,21 +357,22 @@ static int sasl_sc_sasl2dn( BackendDB *be, Connection *conn, Operation *o,
struct berval *ndn = o->o_callback->sc_private;
/* We only want to be called once */
if (ndn->bv_val) {
if( ndn->bv_val ) {
free(ndn->bv_val);
ndn->bv_val = NULL;
#ifdef NEW_LOGGING
LDAP_LOG(( "sasl", LDAP_LEVEL_DETAIL1,
"slap_sasl2dn: search DN returned more than 1 entry\n" ));
LDAP_LOG(( "sasl", LDAP_LEVEL_DETAIL1,
"slap_sasl2dn: search DN returned more than 1 entry\n" ));
#else
Debug( LDAP_DEBUG_TRACE,
"slap_sasl2dn: search DN returned more than 1 entry\n", 0,0,0 );
Debug( LDAP_DEBUG_TRACE,
"slap_sasl2dn: search DN returned more than 1 entry\n", 0,0,0 );
#endif
return -1;
} else {
ber_dupbv(ndn, &e->e_nname);
return 0;
}
ber_dupbv(ndn, &e->e_nname);
return 0;
}
/*
......@@ -396,9 +397,10 @@ void slap_sasl2dn( Connection *conn, struct berval *saslname, struct berval *dn
LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
"slap_sasl2dn: converting SASL name %s to DN.\n", saslname->bv_val ));
#else
Debug( LDAP_DEBUG_TRACE,
"==>slap_sasl2dn: Converting SASL name %s to a DN\n", saslname->bv_val, 0,0 );
Debug( LDAP_DEBUG_TRACE, "==>slap_sasl2dn: "
"converting SASL name %s to a DN\n", saslname->bv_val, 0,0 );
#endif
dn->bv_val = NULL;
dn->bv_len = 0;
cb.sc_private = dn;
......@@ -414,8 +416,6 @@ void slap_sasl2dn( Connection *conn, struct berval *saslname, struct berval *dn
be = select_backend( &uri.dn, 0, 1 );
conn->c_authz_backend = be;
/* Massive shortcut: search scope == base */
if( uri.scope == LDAP_SCOPE_BASE ) {
*dn = uri.dn;
......@@ -426,16 +426,17 @@ void slap_sasl2dn( Connection *conn, struct berval *saslname, struct berval *dn
#ifdef NEW_LOGGING
LDAP_LOG(( "sasl", LDAP_LEVEL_DETAIL1,
"slap_sasl2dn: performing internal search (base=%s, scope=%d)\n",
uri.dn.bv_val, uri.scope ));
"slap_sasl2dn: performing internal search (base=%s, scope=%d)\n",
uri.dn.bv_val, uri.scope ));
#else
Debug( LDAP_DEBUG_TRACE,
"slap_sasl2dn: performing internal search (base=%s, scope=%d)\n",
uri.dn.bv_val, uri.scope, 0 );
#endif
if(( be == NULL ) || ( be->be_search == NULL))
if(( be == NULL ) || ( be->be_search == NULL)) {
goto FINISHED;
}
suffix_alias( be, &uri.dn );
op.o_tag = LDAP_REQ_SEARCH;
......@@ -444,10 +445,14 @@ void slap_sasl2dn( Connection *conn, struct berval *saslname, struct berval *dn
op.o_callback = &cb;
op.o_time = slap_get_time();
(*be->be_search)( be, /*conn*/NULL, &op, /*base*/NULL, &uri.dn,
uri.scope, /*deref=*/1, /*sizelimit=*/1, /*time=*/0, filter, /*fstr=*/NULL,
/*attrs=*/NULL, /*attrsonly=*/0 );
(*be->be_search)( be, NULL, &op, NULL, &uri.dn,
uri.scope, LDAP_DEREF_NEVER, 1, 0,
filter, NULL, NULL, 1 );
if( dn->bv_len ) {
conn->c_authz_backend = be;
}
FINISHED:
if( uri.dn.bv_len ) ch_free( uri.dn.bv_val );
if( uri.filter.bv_len ) ch_free( uri.filter.bv_val );
......
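Review bot: Moving `conn->c_authz_backend = be;` from directly after select_backend() to after the internal search means the LDAP_SCOPE_BASE shortcut no longer records the backend if that branch leaves through `goto FINISHED`, which its visible head (`*dn = uri.dn;`) suggests; passwd_extop() in this commit would then reject such SASL users with "operation not supported for SASL user". If that is the case, placing the guarded assignment after the `FINISHED:` label, where both paths converge, fixes it: `FINISHED:` followed by `if( dn->bv_len ) { conn->c_authz_backend = be; }`. This write is also the only access to c_authz_backend in the commit not done under `conn->c_mutex` (bind.c, back-glue.c and passwd.c all take it); if slap_sasl2dn() runs only from the bind path with the connection quiesced, say so in a comment, otherwise lock as the other sites do. The shortcut branch's tail lies outside the hunk.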