Commit 5716b7f1 authored by Pierangelo Masarati's avatar Pierangelo Masarati
Browse files

document saslAuthzTo/saslAuthzFrom new syntax; add onelevel style to DN type

parent 2b393962
......@@ -684,6 +684,87 @@ In general the
.I saslAuthzTo
attribute must be protected with ACLs such that
only privileged users can modify it.
The value of
.I saslAuthzFrom
and
.I saslAuthzTo
describes an
.B identity
or a set of identities; it can take three forms:
.RS
.RS
.TP
.B ldap:///<base>??[<scope>]?<filter>
.RE
.RS
.B dn[.<dnstyle>]:<pattern>
.RE
.RS
.B u[<mech>[<realm>]]:<pattern>
.RE
.RS
.B <pattern>
.RE
.RS
.B <dnstyle>:={exact|onelevel|children|subtree|regex}
.RE
The first form is a valid LDAP
.B uri
where the
.IR <host>:<port> ,
the
.I <attrs>
and the
.I <extensions>
portions must be absent, so that the search occurs locally on either
.I saslAuthzFrom
or
.IR saslAuthzTo .
The second form is a
.BR DN ,
with the optional style modifiers
.IR exact ,
.IR onelevel ,
.IR children ,
and
.I subtree
for exact, onelevel, children and subtree matches, which cause
.I <pattern>
to be normalized according to the DN normalization rules, or the special
.I regex
style, which causes
.I <pattern>
to be compiled according to
.BR regex (7).
The third form is a SASL
.BR id ,
with the optional fields
.I <mech>
and
.I <realm>
that allow to specify a SASL
.BR mechanism ,
and eventually a SASL
.BR realm ,
for those mechanisms that support one.
The need to allow the specification of a mechanism is still debated,
and users are strongly discouraged to rely on this possibility.
For backwards compatibility, if no identity type is provided, i.e. only
.B <pattern>
is present, an
.I exact DN
is assumed; as a consequence,
.B <pattern>
is subjected to DN normalization.
Since the interpretation of
.I saslAuthzFrom
and
.I saslAuthzTo
can impact security, users are strongly encouraged
to explicitly set the type of identity specification that is being used.
.RE
.TP
.B sasl-host <fqdn>
Used to specify the fully qualified domain name used for SASL processing.
......
......@@ -33,6 +33,7 @@
#define LDAP_X_SCOPE_REGEX ((ber_int_t) 0x0020)
#define LDAP_X_SCOPE_CHILDREN ((ber_int_t) 0x0030)
#define LDAP_X_SCOPE_SUBTREE ((ber_int_t) 0x0040)
#define LDAP_X_SCOPE_ONELEVEL ((ber_int_t) 0x0050)
/*
* IDs in DNauthzid form can now have a type specifier, that
......@@ -225,6 +226,10 @@ static int slap_parseURI( Operation *op, struct berval *uri,
bv.bv_val += sizeof( "subtree" ) - 1;
*scope = LDAP_X_SCOPE_SUBTREE;
} else if ( !strncasecmp( bv.bv_val, "onelevel:", sizeof( "onelevel:" ) - 1 ) ) {
bv.bv_val += sizeof( "onelevel" ) - 1;
*scope = LDAP_X_SCOPE_ONELEVEL;
} else {
return LDAP_PROTOCOL_ERROR;
}
......@@ -244,6 +249,7 @@ is_dn: bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
case LDAP_X_SCOPE_EXACT:
case LDAP_X_SCOPE_CHILDREN:
case LDAP_X_SCOPE_SUBTREE:
case LDAP_X_SCOPE_ONELEVEL:
rc = dnNormalize( 0, NULL, NULL, &bv, nbase, op->o_tmpmemctx );
if( rc != LDAP_SUCCESS ) {
*scope = -1;
......@@ -639,6 +645,7 @@ exact_match:
case LDAP_X_SCOPE_CHILDREN:
case LDAP_X_SCOPE_SUBTREE:
case LDAP_X_SCOPE_ONELEVEL:
{
int d = assertDN->bv_len - op.o_req_ndn.bv_len;
......@@ -654,7 +661,29 @@ exact_match:
bv.bv_val = assertDN->bv_val + d;
if ( bv.bv_val[ -1 ] == ',' && dn_match( &op.o_req_ndn, &bv ) ) {
rc = LDAP_SUCCESS;
switch ( op.oq_search.rs_scope ) {
case LDAP_X_SCOPE_CHILDREN:
rc = LDAP_SUCCESS;
break;
case LDAP_X_SCOPE_ONELEVEL:
{
struct berval pdn;
dnParent( assertDN, &pdn );
/* the common portion of the DN
* already matches, so only check
* if parent DN of assertedDN
* is all the pattern */
if ( pdn.bv_len == op.o_req_ndn.bv_len ) {
rc = LDAP_SUCCESS;
}
break;
}
default:
/* at present, impossible */
assert( 0 );
}
}
}
goto CONCLUDED;
......@@ -863,6 +892,7 @@ void slap_sasl2dn( Operation *opx,
case LDAP_X_SCOPE_REGEX:
case LDAP_X_SCOPE_SUBTREE:
case LDAP_X_SCOPE_CHILDREN:
case LDAP_X_SCOPE_ONELEVEL:
/* correctly parsed, but illegal */
goto FINISHED;
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment