Commit e9ab146a authored by Pierangelo Masarati's avatar Pierangelo Masarati

fix previous commit in case of access to non existent backend (e.g. rootDSE);...

fix previous commit in case of access to a non-existent backend (e.g. rootDSE); add (and document) authzID/DN support
parent 387864a9
......@@ -11,6 +11,7 @@ slapacl \- Check access to a list of attributes.
.B [\-D authcDN | \-U authcID]
.B \-b DN
.B [\-u]
.B [\-X authzID | \-o authzDN=DN]
.B [attr[/access][:value]] [...]
.LP
.SH DESCRIPTION
......@@ -63,6 +64,36 @@ rules (see
for details); mutually exclusive with
.BR \-D .
.TP
.BI \-X " authzID"
specify an authorization ID to be mapped to a
.B DN
as by means of
.B authz-regexp
or
.B authz-rewrite
rules (see
.BR slapd.conf (5)
for details); mutually exclusive with \fB\-o\fP \fIauthzDN=DN\fP.
.TP
.BI \-o " option[=value]"
Specify an
.BR option
with a(n optional)
.BR value .
Possible options/values are:
.LP
.nf
sockurl
domain
peername
sockname
ssf
transport_ssf
tls_ssf
sasl_ssf
authzDN
.fi
.TP
.BI \-b " DN"
specify the
.B DN
......
......@@ -90,10 +90,18 @@ slapacl( int argc, char **argv )
op->o_sasl_ssf = sasl_ssf;
if ( !BER_BVISNULL( &authcID ) ) {
if ( !BER_BVISNULL( &authcDN ) ) {
fprintf( stderr, "both authcID=\"%s\" "
"and authcDN=\"%s\" provided\n",
authcID.bv_val, authcDN.bv_val );
rc = 1;
goto destroy;
}
rc = slap_sasl_getdn( &conn, op, &authcID, NULL,
&authcDN, SLAP_GETDN_AUTHCID );
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr, "ID: <%s> check failed %d (%s)\n",
fprintf( stderr, "authcID: <%s> check failed %d (%s)\n",
authcID.bv_val, rc,
ldap_err2string( rc ) );
rc = 1;
......@@ -115,9 +123,47 @@ slapacl( int argc, char **argv )
authcDN = ndn;
}
if ( !BER_BVISNULL( &authzID ) ) {
if ( !BER_BVISNULL( &authzDN ) ) {
fprintf( stderr, "both authzID=\"%s\" "
"and authzDN=\"%s\" provided\n",
authzID.bv_val, authzDN.bv_val );
rc = 1;
goto destroy;
}
rc = slap_sasl_getdn( &conn, op, &authzID, NULL,
&authzDN, SLAP_GETDN_AUTHZID );
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr, "authzID: <%s> check failed %d (%s)\n",
authzID.bv_val, rc,
ldap_err2string( rc ) );
rc = 1;
goto destroy;
}
} else if ( !BER_BVISNULL( &authzDN ) ) {
struct berval ndn;
rc = dnNormalize( 0, NULL, NULL, &authzDN, &ndn, NULL );
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
authzDN.bv_val, rc,
ldap_err2string( rc ) );
rc = 1;
goto destroy;
}
ch_free( authzDN.bv_val );
authzDN = ndn;
}
if ( !BER_BVISNULL( &authcDN ) ) {
fprintf( stderr, "DN: \"%s\"\n", authcDN.bv_val );
fprintf( stderr, "authcDN: \"%s\"\n", authcDN.bv_val );
}
if ( !BER_BVISNULL( &authzDN ) ) {
fprintf( stderr, "authzDN: \"%s\"\n", authzDN.bv_val );
}
assert( !BER_BVISNULL( &baseDN ) );
......@@ -131,12 +177,16 @@ slapacl( int argc, char **argv )
}
op->o_bd = be;
if ( !BER_BVISNULL( &authzDN ) ) {
op->o_dn = authzDN;
op->o_ndn = authzDN;
}
if ( !BER_BVISNULL( &authcDN ) ) {
op->o_dn = authcDN;
op->o_ndn = authcDN;
op->o_conn->c_dn = authcDN;
op->o_conn->c_ndn = authcDN;
}
if ( !dryrun ) {
if ( !dryrun && be ) {
ID id;
if ( !be->be_entry_open ||
......@@ -264,7 +314,7 @@ slapacl( int argc, char **argv )
destroy:;
ber_memfree( e.e_name.bv_val );
ber_memfree( e.e_nname.bv_val );
if ( !dryrun ) {
if ( !dryrun && be ) {
if ( ep != &e ) {
be_entry_release_r( op, ep );
}
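Review bot: In the hunk at `@@ -131,12 +177,16 @@` the new authzDN block assigns op->o_dn/op->o_ndn first and the authcDN block right after it overwrites both, so when an authentication identity (-D/-U) and an authorization identity (-X/-o authzDN) are given together the access check is evaluated as the authc identity and the authz setting is silently ignored. If the intent is for the authorization identity to be the one ACLs are checked against, the authcDN assignment (which also fills o_conn->c_dn/c_ndn) should come first and the authzDN assignment of o_dn/o_ndn after it; with only authzDN supplied, c_dn/c_ndn stay unset, which may or may not be intended and is worth a one-line comment. Separately, the error message in the `@@ -115,9 +123,47 @@` hunk reads `autchDN=\"%s\" normalization failed` and should read `authzDN=\"%s\" normalization failed` so that a failed -o authzDN value is reported under its own option name. slapacl's body starts and ends outside these hunks.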
......
......@@ -54,9 +54,8 @@ usage( int tool, const char *progname )
switch( tool ) {
case SLAPACL:
options = "\n\t[-U authcID | -D authcDN]"
" -b DN -o <var>[=<val>] [-u]"
"\n\t[attr[/access][:value]] [...]\n";
options = "\n\t[-U authcID | -D authcDN] [-X authzID | -o authzDN=<DN>]"
"\n\t-b DN -o <var>[=<val>] [-u] [attr[/access][:value]] [...]\n";
break;
case SLAPADD:
......@@ -142,6 +141,9 @@ parse_slapacl( void )
} else if ( strncasecmp( optarg, "sasl_ssf", len ) == 0 ) {
sasl_ssf = atoi( p );
} else if ( strncasecmp( optarg, "authzDN", len ) == 0 ) {
ber_str2bv( p, 0, 1, &authzDN );
} else {
return -1;
}
......@@ -214,7 +216,7 @@ slap_tool_init(
break;
case SLAPACL:
options = "b:D:d:f:F:o:uU:v";
options = "b:D:d:f:F:o:uU:vX:";
mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
break;
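Review bot: The new `authzDN` branch in parse_slapacl (`@@ -142,6 +141,9 @@`) compares only the first `len` characters of the option name, like the branches before it, so if `len` is the length of the text before `=` (it is computed outside the hunk) any shorter prefix that does not match an earlier name, e.g. `-o a=...`, is accepted as authzDN. An exact-length check avoids that, `} else if ( len == sizeof("authzDN") - 1 && strncasecmp( optarg, "authzDN", len ) == 0 ) {`. Also `ber_str2bv( p, 0, 1, &authzDN )` allocates a copy, so a repeated `-o authzDN=` leaks the earlier one unless the tool elsewhere rejects duplicates; freeing the previous value first (`ch_free( authzDN.bv_val );`) before the ber_str2bv call would close that. parse_slapacl starts and ends outside the hunk.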
......
......@@ -42,8 +42,9 @@ typedef struct tool_vars {
Filter *tv_filter;
struct berval tv_sub_ndn;
FILE *tv_ldiffp;
struct berval tv_authcDN;
struct berval tv_baseDN;
struct berval tv_authcDN;
struct berval tv_authzDN;
struct berval tv_authcID;
struct berval tv_authzID;
struct berval tv_mech;
......@@ -70,8 +71,9 @@ extern tool_vars tool_globals;
#define filter tool_globals.tv_filter
#define sub_ndn tool_globals.tv_sub_ndn
#define ldiffp tool_globals.tv_ldiffp
#define authcDN tool_globals.tv_authcDN
#define baseDN tool_globals.tv_baseDN
#define authcDN tool_globals.tv_authcDN
#define authzDN tool_globals.tv_authzDN
#define authcID tool_globals.tv_authcID
#define authzID tool_globals.tv_authzID
#define mech tool_globals.tv_mech
......