Commit 3eebd5bb authored by Pierangelo Masarati's avatar Pierangelo Masarati
Browse files

expose slap_sasl_matches() to allow external matching of authz* stuff; fix...

expose slap_sasl_matches() to allow external matching of authz* stuff; fix backwards compatibility bug for "dn:<pat>" as a shortcut to "dn.exact:<pat>"
parent 08a8e7b8
......@@ -1001,6 +1001,9 @@ LDAP_SLAPD_F (int) slap_sasl_getdn( Connection *conn, Operation *op,
LDAP_SLAPD_F (int) slap_parse_user LDAP_P((
struct berval *id, struct berval *user,
struct berval *realm, struct berval *mech ));
LDAP_SLAPD_F (int) slap_sasl_matches LDAP_P((
Operation *op, BerVarray rules,
struct berval *assertDN, struct berval *authc ));
LDAP_SLAPD_F (void) slap_sasl2dn LDAP_P((
Operation *op,
struct berval *saslname,
......
......@@ -89,6 +89,10 @@ struct rewrite_info *sasl_rwinfo = NULL;
static int authz_policy = SASL_AUTHZ_NONE;
static
int slap_sasl_match( Operation *opx, struct berval *rule,
struct berval *assertDN, struct berval *authc );
int slap_sasl_setpolicy( const char *arg )
{
int rc = LDAP_SUCCESS;
......@@ -250,6 +254,7 @@ static int slap_parseURI( Operation *op, struct berval *uri,
} else {
if ( bv.bv_val[ 0 ] != ':' )
return LDAP_PROTOCOL_ERROR;
*scope = LDAP_X_SCOPE_EXACT;
bv.bv_val++;
}
......@@ -830,6 +835,24 @@ static int sasl_sc_smatch( Operation *o, SlapReply *rs )
return 0;
}
int
slap_sasl_matches( Operation *op, BerVarray rules,
struct berval *assertDN, struct berval *authc )
{
int rc = LDAP_INAPPROPRIATE_AUTH;
if ( rules != NULL ) {
int i;
for( i = 0; !BER_BVISNULL( &rules[i] ); i++ ) {
rc = slap_sasl_match( op, &rules[i], assertDN, authc );
if ( rc == LDAP_SUCCESS ) break;
}
}
return rc;
}
/*
* Map a SASL regexp rule to a DN. If the rule is just a DN or a scope=base
* URI, just strcmp the rule (or its searchbase) to the *assertDN. Otherwise,
......@@ -1072,7 +1095,7 @@ slap_sasl_check_authz( Operation *op,
struct berval *authc )
{
int i, rc;
BerVarray vals=NULL;
BerVarray vals = NULL;
#ifdef NEW_LOGGING
LDAP_LOG( TRANSPORT, ENTRY,
......@@ -1084,18 +1107,11 @@ slap_sasl_check_authz( Operation *op,
assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
#endif
rc = backend_attribute( op, NULL,
searchDN, ad, &vals );
rc = backend_attribute( op, NULL, searchDN, ad, &vals );
if( rc != LDAP_SUCCESS ) goto COMPLETE;
/* Check if the *assertDN matches any **vals */
if( vals != NULL ) {
for( i=0; !BER_BVISNULL( &vals[i] ); i++ ) {
rc = slap_sasl_match( op, &vals[i], assertDN, authc );
if ( rc == LDAP_SUCCESS ) goto COMPLETE;
}
}
rc = LDAP_INAPPROPRIATE_AUTH;
/* Check if the *assertDN matches any *vals */
rc = slap_sasl_matches( op, vals, assertDN, authc );
COMPLETE:
if( vals ) ber_bvarray_free_x( vals, op->o_tmpmemctx );
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment