add minimal support for RFC3829 (ITS#6771)

contrib/slapd-modules/authzid/Makefile

+# $OpenLDAP$
+# This work is part of OpenLDAP Software <http://www.openldap.org/>.
+#
+# Copyright 1998-2010 The OpenLDAP Foundation.
+# Copyright 2004 Howard Chu, Symas Corp. All Rights Reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted only as authorized by the OpenLDAP
+# Public License.
+#
+# A copy of this license is available in the file LICENSE in the
+# top-level directory of the distribution or, alternatively, at
+# <http://www.OpenLDAP.org/license.html>.
+
+LIBTOOL=../../../libtool
+OPT=-g -O2
+#LIBTOOL=../../../../ldap-devel/libtool
+#OPT=-g -O0
+CC=gcc
+
+LDAP_INC=-I../../../include -I../../../servers/slapd
+#LDAP_INC=-I../../../include -I../../../servers/slapd -I../../../../ldap-devel/include
+INCS=$(LDAP_INC)
+
+LDAP_LIB=-lldap_r -llber
+LIBS=$(LDAP_LIB)
+
+prefix=/usr/local
+exec_prefix=$(prefix)
+ldap_subdir=/openldap
+
+libdir=$(exec_prefix)/lib
+libexecdir=$(exec_prefix)/libexec
+moduledir = $(libexecdir)$(ldap_subdir)
+
+all:	authzid.la
+
+
+authzid.lo:	authzid.c
+	$(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $?
+
+authzid.la:	authzid.lo
+	$(LIBTOOL) --mode=link $(CC) $(OPT) -version-info 0:0:0 \
+	-rpath $(moduledir) -module -o $@ $? $(LIBS)
+
+clean:
+	rm -f authzid.lo authzid.la
+
+install: authzid.la
+	mkdir -p $(DESTDIR)$(moduledir)
+	$(LIBTOOL) --mode=install cp authzid.la $(DESTDIR)$(moduledir)
+

contrib/slapd-modules/authzid/authzid.c

+/* vc.c - LDAP Verify Credentials extop (no spec yet) */
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 2010 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was initially developed by Pierangelo Masarati for inclusion
+ * in OpenLDAP Software.
+ */
+
+/*
+ * RFC 3829 Authzid
+ */
+
+#include "portable.h"
+
+#include "slap.h"
+#include "lutil.h"
+#include "ac/string.h"
+
+static int authzid_cid;
+
+static int
+authzid_response(
+	Operation *op,
+	SlapReply *rs )
+{
+	if ( rs->sr_tag == LDAP_RES_BIND ) {
+		LDAPControl **ctrls;
+		ber_len_t len = 0;
+		int n = 0;
+
+		/* TEMPORARY! */
+		if ( rs->sr_err == LDAP_SASL_BIND_IN_PROGRESS ) {
+			if ( op->o_ctrlflag[ authzid_cid ] == SLAP_CONTROL_CRITICAL ) {
+				return rs->sr_err = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
+			}
+
+			op->o_ctrlflag[ authzid_cid ] = SLAP_CONTROL_IGNORED;
+
+			return SLAP_CB_CONTINUE;
+		}
+		/* end of TEMPORARY! */
+
+		if ( !BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
+			len = STRLENOF("dn:") + op->o_conn->c_dn.bv_len;
+		}
+
+		/* save original controls in sc_private;
+		 * will be restored by sc_cleanup
+		 */
+		if ( rs->sr_ctrls != NULL ) {
+			op->o_callback->sc_private = rs->sr_ctrls;
+			for ( ; rs->sr_ctrls[n] != NULL; n++ )
+				;
+		}
+
+		ctrls = op->o_tmpalloc( sizeof( LDAPControl * )*( n + 2 ), op->o_tmpmemctx );
+		n = 0;
+		if ( rs->sr_ctrls ) {
+			for ( ; rs->sr_ctrls[n] != NULL; n++ ) {
+				ctrls[n] = rs->sr_ctrls[n];
+			}
+		}
+
+		/* anonymous: "", otherwise "dn:<dn>" */
+		ctrls[n] = op->o_tmpalloc( sizeof( LDAPControl ) + len + 1, op->o_tmpmemctx );
+		ctrls[n]->ldctl_oid = LDAP_CONTROL_AUTHZID_RESPONSE;
+		ctrls[n]->ldctl_iscritical = 0;
+		ctrls[n]->ldctl_value.bv_len = len;
+		ctrls[n]->ldctl_value.bv_val = (char *)&ctrls[n][1];
+		if ( len ) {
+			char *ptr;
+
+			ptr = lutil_strcopy( ctrls[n]->ldctl_value.bv_val, "dn:" );
+			ptr = lutil_strncopy( ptr, op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len );
+		}
+		ctrls[n]->ldctl_value.bv_val[len] = '\0';
+		ctrls[n + 1] = NULL;
+
+		rs->sr_ctrls = ctrls;
+	}
+
+	return SLAP_CB_CONTINUE;
+}
+
+static int
+authzid_cleanup(
+	Operation *op,
+	SlapReply *rs )
+{
+	if ( rs->sr_ctrls ) {
+		LDAPControl *ctrl;
+
+		/* if ours, cleanup */
+		ctrl = ldap_control_find( LDAP_CONTROL_AUTHZID_RESPONSE, rs->sr_ctrls, NULL );
+		if ( ctrl ) {
+			op->o_tmpfree( ctrl, op->o_tmpmemctx );
+			op->o_tmpfree( rs->sr_ctrls, op->o_tmpmemctx );
+		}
+
+		if ( op->o_callback->sc_private != NULL ) {
+			rs->sr_ctrls = (LDAPControl **)op->o_callback->sc_private;
+			op->o_callback->sc_private = NULL;
+		}
+	}
+
+	op->o_tmpfree( op->o_callback, op->o_tmpmemctx );
+	op->o_callback = NULL;
+
+	return SLAP_CB_CONTINUE;
+}
+
+static int
+parse_authzid_ctrl(
+	Operation	*op,
+	SlapReply	*rs,
+	LDAPControl	*ctrl )
+{
+	slap_callback *sc;
+
+	if ( op->o_ctrlflag[ authzid_cid ] != SLAP_CONTROL_NONE ) {
+		rs->sr_text = "authzid control specified multiple times";
+		return LDAP_PROTOCOL_ERROR;
+	}
+
+	if ( !BER_BVISNULL( &ctrl->ldctl_value ) ) {
+		rs->sr_text = "authzid control value not absent";
+		return LDAP_PROTOCOL_ERROR;
+	}
+
+	op->o_ctrlflag[ authzid_cid ] = ctrl->ldctl_iscritical ?  SLAP_CONTROL_CRITICAL : SLAP_CONTROL_NONCRITICAL;
+
+	sc = op->o_callback;
+	op->o_callback = op->o_tmpalloc( sizeof( slap_callback ), op->o_tmpmemctx );
+	op->o_callback->sc_response = authzid_response;
+	op->o_callback->sc_cleanup = authzid_cleanup;
+	op->o_callback->sc_private = NULL;
+	op->o_callback->sc_next = sc;
+
+	return LDAP_SUCCESS;
+}
+
+static int
+authzid_initialize( void )
+{
+	int rc;
+
+	rc = register_supported_control( LDAP_CONTROL_AUTHZID_REQUEST,
+		SLAP_CTRL_GLOBAL|SLAP_CTRL_BIND|SLAP_CTRL_HIDE, NULL,
+		parse_authzid_ctrl, &authzid_cid );
+	if ( rc != LDAP_SUCCESS ) {
+		Debug( LDAP_DEBUG_ANY,
+			"authzid_initialize: failed to register control %s (%d)\n",
+			LDAP_CONTROL_AUTHZID_REQUEST, rc, 0 );
+		return rc;
+	}
+
+	return rc;
+}
+
+int
+init_module( int argc, char *argv[] )
+{
+	return authzid_initialize();
+}
+