ITS#6523

8313874b · Quanah Gibson-Mount · 4ca27dd2 · 8313874b · 8313874b · 8313874b
Commit 8313874b authored Apr 19, 2010 by Quanah Gibson-Mount
--- a/CHANGES
+++ b/CHANGES
@@ -28,6 +28,7 @@ OpenLDAP 2.4.22 Engineering
 	Fixed slapo-accesslog to not replicate internal purges (ITS#6519)
 	Fixed slapd-bdb contextCSN updates from updatedn (ITS#6469)
 	Fixed slapd-bdb lockobj zeroing (ITS#6501)
+	Fixed slapd-ldap/meta control criticality (ITS#6523)
 	Fixed slapd-ldap/meta with ordered values (ITS#6516)
 	Fixed slapo-collect REP_ENTRY flag handling (ITS#5340,ITS#6423)
 	Fixed slapo-dds with NULL backend (ITS#6490)

--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -341,7 +341,7 @@ useful when the asserted identities do not exist on the remote server.

 Flags can be

-\fBoverride,[non\-]prescriptive\fP
+\fBoverride,[non\-]prescriptive,proxy\-authz\-[non\-]critical\fP

 When the 
 .B override
@@ -365,6 +365,13 @@ whose assertion is not allowed by the
 .B idassert\-authzFrom
 patterns.

+When the
+.B proxy\-authz\-non\-critical
+flag is used (the default), the proxyAuthz control is not marked as critical,
+in violation of RFC 4370.  Use of
+.B proxy\-authz\-critical
+is recommended.
+
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert

--- a/doc/man/man5/slapd-meta.5
+++ b/doc/man/man5/slapd-meta.5
@@ -464,7 +464,7 @@ useful when the asserted identities do not exist on the remote server.

 Flags can be

-\fBoverride,[non\-]prescriptive\fP
+\fBoverride,[non\-]prescriptive,proxy\-authz\-[non\-]critical\fP

 When the 
 .B override
@@ -488,6 +488,13 @@ whose assertion is not allowed by the
 .B idassert\-authzFrom
 patterns.

+When the
+.B proxy\-authz\-non\-critical
+flag is used (the default), the proxyAuthz control is not marked as critical,
+in violation of RFC 4370.  Use of
+.B proxy\-authz\-critical
+is recommended.
+
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert

--- a/servers/slapd/back-ldap/back-ldap.h
+++ b/servers/slapd/back-ldap/back-ldap.h
@@ -234,6 +234,7 @@ typedef struct slap_idassert_t {
 #define	LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ		(0x08U)
 #define	LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND	(0x10U)
 #define	LDAP_BACK_AUTH_AUTHZ_ALL			(0x20U)
+#define	LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL		(0x40U)
 #define	li_idassert_flags	li_idassert.si_flags

 	BerVarray	si_authz;

--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -1298,6 +1298,7 @@ ldap_back_dobind_int(
 	ber_int_t	msgid;
 	ber_tag_t	o_tag = op->o_tag;
 	slap_callback cb = {0};
+	char		*tmp_dn;

 	assert( lcp != NULL );
 	assert( retries >= 0 );
@@ -1462,8 +1463,18 @@ retry_lock:;
 #endif /* HAVE_CYRUS_SASL */

 retry:;
+	if ( BER_BVISNULL( &lc->lc_cred ) ) {
+		tmp_dn = "";
+		if ( !BER_BVISNULL( &lc->lc_bound_ndn ) && !BER_BVISEMPTY( &lc->lc_bound_ndn ) ) {
+			Debug( LDAP_DEBUG_ANY, "%s ldap_back_dobind_int: DN=\"%s\" without creds, binding anonymously",
+				op->o_log_prefix, lc->lc_bound_ndn.bv_val, 0 );
+		}
+
+	} else {
+		tmp_dn = lc->lc_bound_ndn.bv_val;
+	}
 	rs->sr_err = ldap_sasl_bind( lc->lc_ld,
-			BER_BVISNULL( &lc->lc_cred ) ? "" : lc->lc_bound_ndn.bv_val,
+			tmp_dn,
 			LDAP_SASL_SIMPLE, &lc->lc_cred,
 			NULL, NULL, &msgid );

@@ -2487,6 +2498,7 @@ ldap_back_proxy_authz_ctrl(
 	}

 	ctrl->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
+	ctrl->ldctl_iscritical = ( ( si->si_flags & LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL ) == LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL );

 	switch ( si->si_mode ) {
 	/* already in u:ID or dn:DN form */

--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@@ -863,6 +863,12 @@ slap_idassert_parse( ConfigArgs *c, slap_idassert_t *si )
 						si->si_flags |= LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND;
 					}

+				} else if ( strcasecmp( flags[ j ], "proxy-authz-critical" ) == 0 ) {
+					si->si_flags |= LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL;
+
+				} else if ( strcasecmp( flags[ j ], "proxy-authz-non-critical" ) == 0 ) {
+					si->si_flags &= ~LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL;
+
 				} else {
 					snprintf( c->cr_msg, sizeof( c->cr_msg ),
 						"\"idassert-bind <args>\": "
@@ -1137,7 +1143,7 @@ ldap_back_cf_gen( ConfigArgs *c )
 					(void)lutil_strcopy( ptr, "authz=native" );
 				}

-				len = bv.bv_len + STRLENOF( "flags=non-prescriptive,override,obsolete-encoding-workaround" );
+				len = bv.bv_len + STRLENOF( "flags=non-prescriptive,override,obsolete-encoding-workaround,proxy-authz-non-critical" );
 				/* flags */
 				if ( !BER_BVISEMPTY( &bv ) ) {
 					len += STRLENOF( " " );
@@ -1170,6 +1176,13 @@ ldap_back_cf_gen( ConfigArgs *c )
 					ptr = lutil_strcopy( ptr, ",obsolete-encoding-workaround" );
 				}

+				if ( li->li_idassert_flags & LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL ) {
+					ptr = lutil_strcopy( ptr, ",proxy-authz-critical" );
+
+				} else {
+					ptr = lutil_strcopy( ptr, ",proxy-authz-non-critical" );
+				}
+
 				bv.bv_len = ( ptr - bv.bv_val );
 				/* end-of-flags */
 			}
@@ -1452,6 +1465,7 @@ ldap_back_cf_gen( ConfigArgs *c )

 		case LDAP_BACK_CFG_IDASSERT_BIND:
 			bindconf_free( &li->li_idassert.si_bc );
+			memset( &li->li_idassert, 0, sizeof( slap_idassert_t ) );
 			break;

 		case LDAP_BACK_CFG_REBIND: