Commit f926e667 authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount
Browse files

ITS#8873 - Delete obsolete configuration options from back-ldap, back-meta, and back-asyncmeta

parent fb1933f5
Pipeline #411 passed with stage
in 33 minutes and 3 seconds
......@@ -144,10 +144,6 @@ The
.B idassert\-bind
feature, instead, in some cases can be crafted to implement that behavior,
which is \fIintrinsically unsafe and should be used with extreme care\fP.
This directive obsoletes
.BR acl\-authcDN ,
and
.BR acl\-passwd .
The TLS settings default to the same as the main slapd TLS settings,
except for
......@@ -393,14 +389,6 @@ The identity associated to this directive is also used for privileged
operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
is not. See \fBacl\-bind\fP for details.
This directive obsoletes
.BR idassert\-authcDN ,
.BR idassert\-passwd ,
.BR idassert\-mode ,
and
.BR idassert\-method .
.RE
.TP
.B idassert-passthru <authz-regexp>
if defined, selects what
......@@ -418,7 +406,6 @@ section related to
.BR authz\-policy ,
for details on the syntax of this field.
.TP
.B idle\-timeout <time>
This directive causes a cached connection to be dropped an recreated
......@@ -621,122 +608,6 @@ when set to
create a temporary connection whenever competing with other threads
for a shared one; otherwise, wait until the shared connection is available.
.SH BACKWARD COMPATIBILITY
The LDAP backend has been heavily reworked between releases 2.2 and 2.3,
and subsequently between 2.3 and 2.4.
As a side-effect, some of the traditional directives have been
deprecated and should be no longer used, as they might disappear
in future releases.
.TP
.B acl\-authcDN "<administrative DN for access control purposes>"
Formerly known as the
.BR binddn ,
it is the DN that is used to query the target server for acl checking;
it is supposed to have read access on the target server to attributes used
on the proxy for acl checking.
There is no risk of giving away such values; they are only used to
check permissions.
.B The acl\-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
The
.B idassert\-*
feature can be used (at own risk) for that purpose instead.
This directive is obsoleted by the
.B binddn
arg of
.B acl\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B acl\-passwd <password>
Formerly known as the
.BR bindpw ,
it is the password used with the above
.B acl\-authcDN
directive.
This directive is obsoleted by the
.B credentials
arg of
.B acl\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B idassert\-authcDN "<administrative DN for proxyAuthz purposes>"
DN which is used to propagate the client's identity to the target
by means of the proxyAuthz control when the client does not
belong to the DIT fragment that is being proxied by back-ldap.
This directive is obsoleted by the
.B binddn
arg of
.BR idassert\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B idassert\-passwd <password>
Password used with the
.B idassert\-authcDN
above.
This directive is obsoleted by the
.B credentials
arg of
.B idassert\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B idassert\-mode <mode> [<flags>]
defines what type of
.I identity assertion
is used.
This directive is obsoleted by the
.B mode
arg of
.BR idassert\-bind ,
and will be dismissed in the future.
.TP
.B idassert\-method <method> [<saslargs>]
This directive is obsoleted by the
.B bindmethod
arg of
.BR idassert\-bind ,
and will be dismissed in the future.
.TP
.B port <port>
this directive is no longer supported. Use the
.B uri
directive as described above.
.TP
.B server <hostname[:port]>
this directive is no longer supported. Use the
.B uri
directive as described above.
.TP
.B suffixmassage, map, rewrite*
These directives are no longer supported by back-ldap; their
functionality is now delegated to the
.B rwm
overlay. Essentially, add a statement
.B overlay rwm
first, and prefix all rewrite/map statements with
.B rwm\-
to obtain the original behavior.
See
.BR slapo\-rwm (5)
for details.
.\" However, to ease update from existing configurations, back-ldap still
.\" recognizes them and automatically instantiates the
.\" .B rwm
.\" overlay if available and not instantiated yet.
.\" This behavior may change in the future.
.SH ACCESS CONTROL
The
.B ldap
......
......@@ -86,8 +86,6 @@ enum {
/* Target attrs */
enum {
LDAP_BACK_CFG_URI = LDAP_BACK_CFG_LAST_BOTH,
LDAP_BACK_CFG_ACL_AUTHCDN,
LDAP_BACK_CFG_ACL_PASSWD,
LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
LDAP_BACK_CFG_IDASSERT_BIND,
LDAP_BACK_CFG_SUFFIXM,
......@@ -115,32 +113,6 @@ static ConfigTable a_metacfg[] = {
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
{ "acl-authcDN", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
asyncmeta_back_cf_gen, "( OLcfgDbAt:3.2 "
"NAME 'olcDbACLAuthcDn' "
"DESC 'Remote ACL administrative identity' "
"OBSOLETE "
"SYNTAX OMsDN "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; aliases "acl-authcDN" */
{ "binddn", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
asyncmeta_back_cf_gen, NULL, NULL, NULL },
{ "acl-passwd", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
asyncmeta_back_cf_gen, "( OLcfgDbAt:3.3 "
"NAME 'olcDbACLPasswd' "
"DESC 'Remote ACL administrative identity credentials' "
"OBSOLETE "
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; aliases "acl-passwd" */
{ "bindpw", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
asyncmeta_back_cf_gen, NULL, NULL, NULL },
{ "idassert-bind", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
asyncmeta_back_cf_gen, "( OLcfgDbAt:3.7 "
......@@ -454,9 +426,7 @@ static ConfigOCs a_metaocs[] = {
"DESC 'Asyncmeta target configuration' "
"SUP olcConfig STRUCTURAL "
"MUST ( olcAsyncMetaSub $ olcDbURI ) "
"MAY ( olcDbACLAuthcDn "
"$ olcDbACLPasswd "
"$ olcDbIDAssertAuthzFrom "
"MAY ( olcDbIDAssertAuthzFrom "
"$ olcDbIDAssertBind "
"$ olcDbSuffixMassage "
"$ olcDbSubtreeExclude "
......@@ -1296,15 +1266,6 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
ber_bvarray_add( &c->rvalue_vals, &bv );
} break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
case LDAP_BACK_CFG_ACL_PASSWD:
/* FIXME no point here, there is no code implementing
* their features. Was this supposed to implement
* acl-bind like back-ldap?
*/
rc = 1;
break;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
BerVarray *bvp;
int i;
......@@ -2153,33 +2114,6 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
mc->mc_bind_timeout.tv_usec = c->value_ulong%1000000;
break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
/* name to use for meta_back_group */
if ( strcasecmp( c->argv[ 0 ], "binddn" ) == 0 ) {
Debug( LDAP_DEBUG_ANY, "%s: "
"\"binddn\" statement is deprecated; "
"use \"acl-authcDN\" instead\n", c->log );
/* FIXME: some day we'll need to throw an error */
}
ber_memfree_x( c->value_dn.bv_val, NULL );
mt->mt_binddn = c->value_ndn;
BER_BVZERO( &c->value_dn );
BER_BVZERO( &c->value_ndn );
break;
case LDAP_BACK_CFG_ACL_PASSWD:
/* password to use for meta_back_group */
if ( strcasecmp( c->argv[ 0 ], "bindpw" ) == 0 ) {
Debug( LDAP_DEBUG_ANY, "%s "
"\"bindpw\" statement is deprecated; "
"use \"acl-passwd\" instead\n", c->log );
/* FIXME: some day we'll need to throw an error */
}
ber_str2bv( c->argv[ 1 ], 0L, 1, &mt->mt_bindpw );
break;
case LDAP_BACK_CFG_REBIND:
/* save bind creds for referral rebinds? */
if ( c->argc == 1 || c->value_int ) {
......@@ -2469,8 +2403,6 @@ int
asyncmeta_back_init_cf( BackendInfo *bi )
{
int rc;
AttributeDescription *ad = NULL;
const char *text;
/* Make sure we don't exceed the bits reserved for userland */
config_check_userland( LDAP_BACK_CFG_LAST );
......@@ -2482,29 +2414,5 @@ asyncmeta_back_init_cf( BackendInfo *bi )
return rc;
}
/* setup olcDbAclPasswd and olcDbIDAssertPasswd
* to be base64-encoded when written in LDIF form;
* basically, we don't care if it fails */
rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
if ( rc ) {
Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
"warning, unable to get \"olcDbACLPasswd\" "
"attribute description: %d: %s\n", rc, text );
} else {
(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
ad->ad_type->sat_oid );
}
ad = NULL;
rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
if ( rc ) {
Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
"warning, unable to get \"olcDbIDAssertPasswd\" "
"attribute description: %d: %s\n", rc, text );
} else {
(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
ad->ad_type->sat_oid );
}
return 0;
}
......@@ -43,16 +43,9 @@ static ConfigDriver ldap_pbind_cf_gen;
enum {
LDAP_BACK_CFG_URI = 1,
LDAP_BACK_CFG_TLS,
LDAP_BACK_CFG_ACL_AUTHCDN,
LDAP_BACK_CFG_ACL_PASSWD,
LDAP_BACK_CFG_ACL_METHOD,
LDAP_BACK_CFG_ACL_BIND,
LDAP_BACK_CFG_IDASSERT_MODE,
LDAP_BACK_CFG_IDASSERT_AUTHCDN,
LDAP_BACK_CFG_IDASSERT_PASSWD,
LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
LDAP_BACK_CFG_IDASSERT_PASSTHRU,
LDAP_BACK_CFG_IDASSERT_METHOD,
LDAP_BACK_CFG_IDASSERT_BIND,
LDAP_BACK_CFG_REBIND,
LDAP_BACK_CFG_CHASE,
......@@ -73,7 +66,6 @@ enum {
LDAP_BACK_CFG_NOUNDEFFILTER,
LDAP_BACK_CFG_ONERR,
LDAP_BACK_CFG_REWRITE,
LDAP_BACK_CFG_KEEPALIVE,
LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA,
......@@ -100,37 +92,6 @@ static ConfigTable ldapcfg[] = {
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
{ "acl-authcDN", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
ldap_back_cf_gen, "( OLcfgDbAt:3.2 "
"NAME 'olcDbACLAuthcDn' "
"DESC 'Remote ACL administrative identity' "
"EQUALITY distinguishedNameMatch "
"OBSOLETE "
"SYNTAX OMsDN "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; aliases "acl-authcDN" */
{ "binddn", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "acl-passwd", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
ldap_back_cf_gen, "( OLcfgDbAt:3.3 "
"NAME 'olcDbACLPasswd' "
"DESC 'Remote ACL administrative identity credentials' "
"OBSOLETE "
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; aliases "acl-passwd" */
{ "bindpw", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
ldap_back_cf_gen, NULL, NULL, NULL },
/* deprecated, will be removed; aliases "acl-bind" */
{ "acl-method", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_METHOD,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "acl-bind", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_BIND,
ldap_back_cf_gen, "( OLcfgDbAt:3.4 "
......@@ -140,33 +101,6 @@ static ConfigTable ldapcfg[] = {
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
{ "idassert-authcDN", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHCDN,
ldap_back_cf_gen, "( OLcfgDbAt:3.5 "
"NAME 'olcDbIDAssertAuthcDn' "
"DESC 'Remote Identity Assertion administrative identity' "
"EQUALITY distinguishedNameMatch "
"OBSOLETE "
"SYNTAX OMsDN "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; partially aliases "idassert-authcDN" */
{ "proxyauthzdn", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHCDN,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "idassert-passwd", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_PASSWD,
ldap_back_cf_gen, "( OLcfgDbAt:3.6 "
"NAME 'olcDbIDAssertPasswd' "
"DESC 'Remote Identity Assertion administrative identity credentials' "
"OBSOLETE "
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; partially aliases "idassert-passwd" */
{ "proxyauthzpw", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_PASSWD,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "idassert-bind", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
ldap_back_cf_gen, "( OLcfgDbAt:3.7 "
......@@ -176,18 +110,6 @@ static ConfigTable ldapcfg[] = {
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
{ "idassert-method", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_METHOD,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "idassert-mode", "mode>|u:<user>|[dn:]<DN", 2, 0, 0,
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_MODE,
ldap_back_cf_gen, "( OLcfgDbAt:3.8 "
"NAME 'olcDbIDAssertMode' "
"DESC 'Remote Identity Assertion mode' "
"OBSOLETE "
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE)",
NULL, NULL },
{ "idassert-authzFrom", "authzRule", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
ldap_back_cf_gen, "( OLcfgDbAt:3.9 "
......@@ -370,16 +292,6 @@ static ConfigTable ldapcfg[] = {
"SYNTAX OMsDirectoryString "
"X-ORDERED 'VALUES' )",
NULL, NULL },
{ "suffixmassage", "[virtual]> <real", 2, 3, 0,
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "map", "attribute|objectClass> [*|<local>] *|<remote", 3, 4, 0,
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "rewrite", "<arglist>", 2, 4, STRLENOF( "rewrite" ),
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "omit-unknown-schema", "true|FALSE", 2, 2, 0,
ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA,
ldap_back_cf_gen, "( OLcfgDbAt:3.28 "
......@@ -409,13 +321,8 @@ static ConfigOCs ldapocs[] = {
"SUP olcDatabaseConfig "
"MAY ( olcDbURI "
"$ olcDbStartTLS "
"$ olcDbACLAuthcDn "
"$ olcDbACLPasswd "
"$ olcDbACLBind "
"$ olcDbIDAssertAuthcDn "
"$ olcDbIDAssertPasswd "
"$ olcDbIDAssertBind "
"$ olcDbIDAssertMode "
"$ olcDbIDAssertAuthzFrom "
"$ olcDbIDAssertPassThru "
"$ olcDbRebindAsUser "
......@@ -1068,13 +975,6 @@ ldap_back_cf_gen( ConfigArgs *c )
}
break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
case LDAP_BACK_CFG_ACL_PASSWD:
case LDAP_BACK_CFG_ACL_METHOD:
/* handled by LDAP_BACK_CFG_ACL_BIND */
rc = 1;
break;
case LDAP_BACK_CFG_ACL_BIND: {
int i;
......@@ -1097,14 +997,6 @@ ldap_back_cf_gen( ConfigArgs *c )
break;
}
case LDAP_BACK_CFG_IDASSERT_MODE:
case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
case LDAP_BACK_CFG_IDASSERT_PASSWD:
case LDAP_BACK_CFG_IDASSERT_METHOD:
/* handled by LDAP_BACK_CFG_IDASSERT_BIND */
rc = 1;
break;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
case LDAP_BACK_CFG_IDASSERT_PASSTHRU: {
BerVarray *bvp;
......@@ -1502,25 +1394,10 @@ ldap_back_cf_gen( ConfigArgs *c )
rc = 1;
break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
case LDAP_BACK_CFG_ACL_PASSWD:
case LDAP_BACK_CFG_ACL_METHOD:
/* handled by LDAP_BACK_CFG_ACL_BIND */
rc = 1;
break;
case LDAP_BACK_CFG_ACL_BIND:
bindconf_free( &li->li_acl );
break;
case LDAP_BACK_CFG_IDASSERT_MODE:
case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
case LDAP_BACK_CFG_IDASSERT_PASSWD:
case LDAP_BACK_CFG_IDASSERT_METHOD:
/* handled by LDAP_BACK_CFG_IDASSERT_BIND */
rc = 1;
break;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
case LDAP_BACK_CFG_IDASSERT_PASSTHRU: {
BerVarray *bvp;
......@@ -1822,56 +1699,6 @@ done_url:;
#endif
break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
switch ( li->li_acl_authmethod ) {
case LDAP_AUTH_NONE:
li->li_acl_authmethod = LDAP_AUTH_SIMPLE;
break;
case LDAP_AUTH_SIMPLE:
break;
default:
snprintf( c->cr_msg, sizeof( c->cr_msg),
"\"acl-authcDN <DN>\" incompatible "
"with auth method %d",
li->li_acl_authmethod );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
return 1;
}
if ( !BER_BVISNULL( &li->li_acl_authcDN ) ) {
free( li->li_acl_authcDN.bv_val );
}
ber_memfree_x( c->value_dn.bv_val, NULL );
li->li_acl_authcDN = c->value_ndn;
BER_BVZERO( &c->value_dn );
BER_BVZERO( &c->value_ndn );
break;
case LDAP_BACK_CFG_ACL_PASSWD:
switch ( li->li_acl_authmethod ) {
case LDAP_AUTH_NONE:
li->li_acl_authmethod = LDAP_AUTH_SIMPLE;
break;
case LDAP_AUTH_SIMPLE:
break;
default:
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"\"acl-passwd <cred>\" incompatible "
"with auth method %d",
li->li_acl_authmethod );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
return 1;
}
if ( !BER_BVISNULL( &li->li_acl_passwd ) ) {
free( li->li_acl_passwd.bv_val );
}
ber_str2bv( c->argv[ 1 ], 0, 1, &li->li_acl_passwd );
break;
case LDAP_BACK_CFG_ACL_METHOD:
case LDAP_BACK_CFG_ACL_BIND:
for ( i = 1; i < c->argc; i++ ) {
if ( bindconf_parse( c->argv[ i ], &li->li_acl ) ) {
......@@ -1887,141 +1714,6 @@ done_url:;
#endif
break;
case LDAP_BACK_CFG_IDASSERT_MODE:
i = verb_to_mask( c->argv[1], idassert_mode );
if ( BER_BVISNULL( &idassert_mode[i].word ) ) {
if ( strncasecmp( c->argv[1], "u:", STRLENOF( "u:" ) ) == 0 ) {
li->li_idassert_mode = LDAP_BACK_IDASSERT_OTHERID;
ber_str2bv( c->argv[1], 0, 1, &li->li_idassert_authzID );
li->li_idassert_authzID.bv_val[ 0 ] = 'u';
} else {
struct berval id, ndn;
ber_str2bv( c->argv[1], 0, 0, &id );
if ( strncasecmp( c->argv[1], "dn:", STRLENOF( "dn:" ) ) == 0 ) {
id.bv_val += STRLENOF( "dn:" );
id.bv_len -= STRLENOF( "dn:" );
}
rc = dnNormalize( 0, NULL, NULL, &id, &ndn, NULL );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: idassert ID \"%s\" is not a valid DN\n",
c->fname, c->lineno, c->argv[1] );
return 1;
}
li->li_idassert_authzID.bv_len = STRLENOF( "dn:" ) + ndn.bv_len;
li->li_idassert_authzID.bv_val = ch_malloc( li->li_idassert_authzID.bv_len + 1 );
AC_MEMCPY( li->li_idassert_authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
AC_MEMCPY( &li->li_idassert_authzID.bv_val[ STRLENOF( "dn:" ) ], ndn.bv_val, ndn.bv_len + 1 );
ch_free( ndn.bv_val );
li->li_idassert_mode = LDAP_BACK_IDASSERT_OTHERDN;
}
} else {
li->li_idassert_mode = idassert_mode[i].mask;
}
if ( c->argc > 2 ) {
int i;
for ( i = 2; i < c->argc; i++ ) {
if ( strcasecmp( c->argv[ i ], "override" ) == 0 ) {
li->li_idassert_flags |= LDAP_BACK_AUTH_OVERRIDE;
} else if ( strcasecmp( c->argv[ i ], "prescriptive" ) == 0 ) {
li->li_idassert_flags |= LDAP_BACK_AUTH_PRESCRIPTIVE;
} else if ( strcasecmp( c->argv[ i ], "non-prescriptive" ) == 0 ) {
li->li_idassert_flags &= ( ~LDAP_BACK_AUTH_PRESCRIPTIVE );
} else if ( strcasecmp( c->argv[ i ], "obsolete-proxy-authz" ) == 0 ) {
if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: \"obsolete-proxy-authz\" flag "
"in \"idassert-mode <args>\" "
"incompatible with previously issued \"obsolete-encoding-workaround\" flag.\n",
c->fname, c->lineno );
return 1;
}
li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ;
} else if ( strcasecmp( c->argv[ i ], "obsolete-encoding-workaround" ) == 0 ) {
if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: \"obsolete-encoding-workaround\" flag "
"in \"idassert-mode <args>\" "
"incompatible with previously issued \"obsolete-proxy-authz\" flag.\n",
c->fname, c->lineno );
return 1;