remove #ifdef's for identity assertion

servers/slapd/back-ldap/add.c

@@ -58,7 +58,7 @@ ldap_back_add(
 	}
 
 	/* Count number of attributes in entry */
-	for (i = 1, a = op->oq_add.rs_e->e_attrs; a; i++, a = a->a_next)
+	for ( i = 1, a = op->oq_add.rs_e->e_attrs; a; i++, a = a->a_next )
 		/* just count attrs */ ;
 	
 	/* Create array of LDAPMods for ldap_add() */
@@ -89,14 +89,12 @@ ldap_back_add(
 	attrs[ i ] = NULL;
 
 	ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
 		send_ldap_result( op, rs );
 		rc = -1;
 		goto cleanup;
 	}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 retry:
 	rs->sr_err = ldap_add_ext( lc->lc_ld, op->o_req_dn.bv_val, attrs,
@@ -110,9 +108,7 @@ retry:
 	}
 
 cleanup:
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 	if ( attrs ) {
 		for ( --i; i >= 0; --i ) {

servers/slapd/back-ldap/back-ldap.h

@@ -24,12 +24,6 @@
 #ifndef SLAPD_LDAP_H
 #define SLAPD_LDAP_H
 
-#include "proto-ldap.h"
-
-#ifdef LDAP_DEVEL
-#define LDAP_BACK_PROXY_AUTHZ
-#endif
-
 LDAP_BEGIN_DECL
 
 struct slap_conn;
@@ -71,7 +65,6 @@ struct ldapinfo {
 #define	acl_authcDN	acl_la.la_authcDN
 #define	acl_passwd	acl_la.la_passwd
 
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	/* ID assert stuff */
 	int		idassert_mode;
 #define	LDAP_BACK_IDASSERT_LEGACY	0
@@ -95,7 +88,6 @@ struct ldapinfo {
 	
 	int		idassert_ppolicy;
 	/* end of ID assert stuff */
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 	ldap_pvt_thread_mutex_t		conn_mutex;
 	int		savecred;
@@ -104,33 +96,8 @@ struct ldapinfo {
 	int		rwm_started;
 };
 
-int ldap_back_freeconn( Operation *op, struct ldapconn *lc );
-struct ldapconn *ldap_back_getconn(struct slap_op *op, struct slap_rep *rs);
-int ldap_back_dobind(struct ldapconn *lc, Operation *op, SlapReply *rs);
-int ldap_back_retry(struct ldapconn *lc, Operation *op, SlapReply *rs);
-int ldap_back_map_result(SlapReply *rs);
-int ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
-	ber_int_t msgid, int sendok);
-int	back_ldap_LTX_init_module(int argc, char *argv[]);
-
-extern int ldap_back_conn_cmp( const void *c1, const void *c2);
-extern int ldap_back_conn_dup( void *c1, void *c2 );
-extern void ldap_back_conn_free( void *c );
-
-#ifdef LDAP_BACK_PROXY_AUTHZ
-extern int
-ldap_back_proxy_authz_ctrl(
-		struct ldapconn	*lc,
-		Operation	*op,
-		SlapReply	*rs,
-		LDAPControl	***pctrls );
-
-extern int
-ldap_back_proxy_authz_ctrl_free(
-		Operation	*op,
-		LDAPControl	***pctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
-
 LDAP_END_DECL
 
+#include "proto-ldap.h"
+
 #endif /* SLAPD_LDAP_H */

servers/slapd/back-ldap/bind.c

@@ -38,10 +38,8 @@
 
 static LDAP_REBIND_PROC	ldap_back_rebind;
 
-#ifdef LDAP_BACK_PROXY_AUTHZ
 static int
 ldap_back_proxy_authz_bind( struct ldapconn *lc, Operation *op, SlapReply *rs );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 int
 ldap_back_bind( Operation *op, SlapReply *rs )
@@ -70,7 +68,11 @@ ldap_back_bind( Operation *op, SlapReply *rs )
 	rc = ldap_back_op_result( lc, op, rs, msgid, 1 );
 
 	if ( rc == LDAP_SUCCESS ) {
-#if defined(LDAP_BACK_PROXY_AUTHZ)
+		/* If defined, proxyAuthz will be used also when
+		 * back-ldap is the authorizing backend; for this
+		 * purpose, a successful bind is followed by a
+		 * bind with the configured identity assertion */
+		/* NOTE: use with care */
 		if ( li->idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) {
 			ldap_back_proxy_authz_bind( lc, op, rs );
 			if ( lc->lc_bound == 0 ) {
@@ -78,7 +80,6 @@ ldap_back_bind( Operation *op, SlapReply *rs )
 				goto done;
 			}
 		}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 		lc->lc_bound = 1;
 		ber_dupbv( &lc->lc_bound_ndn, &op->o_req_ndn );
@@ -348,7 +349,6 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 
 	ldap_pvt_thread_mutex_lock( &lc->lc_mutex );
 	if ( !lc->lc_bound ) {
-#ifdef LDAP_BACK_PROXY_AUTHZ
 		/*
 		 * FIXME: we need to let clients use proxyAuthz
 		 * otherwise we cannot do symmetric pools of servers;
@@ -363,16 +363,15 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 		 */
 		/*
 		 * if no bind took place yet, but the connection is bound
-		 * and the "proxyauthzdn" is set, then bind as 
-		 * "proxyauthzdn" and explicitly add the proxyAuthz 
-		 * control to every operation with the dn bound 
-		 * to the connection as control value.
+		 * and the "idassert-authcDN" (or other ID) is set, 
+		 * then bind as the asserting ideintity and explicitly 
+		 * add the proxyAuthz control to every operation with the
+		 * dn bound to the connection as control value.
 		 */
 		if ( op->o_conn != NULL && BER_BVISNULL( &lc->lc_bound_ndn ) ) {
 			(void)ldap_back_proxy_authz_bind( lc, op, rs );
 			goto done;
 		}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 		rs->sr_err = ldap_sasl_bind( lc->lc_ld,
 				lc->lc_bound_ndn.bv_val,
@@ -527,7 +526,6 @@ ldap_back_retry( struct ldapconn *lc, Operation *op, SlapReply *rs )
 	return ldap_back_dobind( lc, op, rs );
 }
 
-#ifdef LDAP_BACK_PROXY_AUTHZ
 static int
 ldap_back_proxy_authz_bind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 {
@@ -927,6 +925,9 @@ ldap_back_proxy_authz_ctrl_free( Operation *op, LDAPControl ***pctrls )
 {
 	LDAPControl	**ctrls = *pctrls;
 
+	/* we assume that the first control is the proxyAuthz
+	 * added by back-ldap, so it's the only one we explicitly 
+	 * free */
 	if ( ctrls && ctrls != op->o_ctrls ) {
 		assert( ctrls[ 0 ] );
 
@@ -942,4 +943,3 @@ ldap_back_proxy_authz_ctrl_free( Operation *op, LDAPControl ***pctrls )
 
 	return 0;
 }
-#endif /* LDAP_BACK_PROXY_AUTHZ */

servers/slapd/back-ldap/compare.c

@@ -49,14 +49,12 @@ ldap_back_compare(
 	}
 
 	ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
 		send_ldap_result( op, rs );
 		rc = -1;
 		goto cleanup;
 	}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 retry:
 	rs->sr_err = ldap_compare_ext( lc->lc_ld, op->o_req_ndn.bv_val,
@@ -72,9 +70,7 @@ retry:
 	}
 
 cleanup:
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 	
 	return rc;
 }

servers/slapd/back-ldap/config.c

@@ -235,12 +235,14 @@ ldap_back_db_config(
 		}
 		ber_str2bv( argv[1], 0, 1, &li->acl_passwd );
 
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	/* identity assertion stuff... */
 	} else if ( strncasecmp( argv[0], "idassert-", STRLENOF( "idassert-" ) ) == 0
-			|| strncasecmp( argv[0], "proxyauthz", STRLENOF( "proxyauthz" ) ) == 0 ) {
+			|| strncasecmp( argv[0], "proxyauthz", STRLENOF( "proxyauthz" ) ) == 0 )
+	{
+		/* NOTE: "proxyauthz{DN,pw}" was initially used; it's now
+		 * deprected and undocumented, it can be dropped at some
+		 * point, since nobody should be really using it */
 		return parse_idassert( be, fname, lineno, argc, argv );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 	/* save bind creds for referral rebinds? */
 	} else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) {
@@ -393,7 +395,6 @@ retry:
 }
 
 
-#ifdef LDAP_BACK_PROXY_AUTHZ
 static int
 parse_idassert(
     BackendDB	*be,
@@ -557,7 +558,7 @@ parse_idassert(
 		}
 
 		if ( strcasecmp( argv[1], "none" ) == 0 ) {
-			/* FIXME: is this useful? */
+			/* FIXME: is this at all useful? */
 			li->idassert_authmethod = LDAP_AUTH_NONE;
 
 			if ( argc != 2 ) {
@@ -697,4 +698,3 @@ parse_idassert(
 
 	return 0;
 }
-#endif /* LDAP_BACK_PROXY_AUTHZ */

servers/slapd/back-ldap/delete.c

@@ -49,7 +49,6 @@ ldap_back_delete(
 		goto cleanup;
 	}
 
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	ctrls = op->o_ctrls;
 	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
@@ -57,7 +56,6 @@ ldap_back_delete(
 		rc = -1;
 		goto cleanup;
 	}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 retry:
 	rs->sr_err = ldap_delete_ext( lc->lc_ld, op->o_req_ndn.bv_val,
@@ -65,13 +63,13 @@ retry:
 	rc = ldap_back_op_result( lc, op, rs, msgid, 1 );
 	if ( rs->sr_err == LDAP_SERVER_DOWN && do_retry ) {
 		do_retry = 0;
-		if ( ldap_back_retry (lc, op, rs )) goto retry;
+		if ( ldap_back_retry (lc, op, rs ) ) {
+			goto retry;
+		}
 	}
 
 cleanup:
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 	return rc;
 }

servers/slapd/back-ldap/extended.c

@@ -48,7 +48,6 @@ ldap_back_extended(
 	for ( i = 0; exop_table[i].extended != NULL; i++ ) {
 		if ( bvmatch( exop_table[i].oid, &op->oq_extended.rs_reqoid ) )
 		{
-#ifdef LDAP_BACK_PROXY_AUTHZ 
 			struct ldapconn	*lc;
 			LDAPControl	**oldctrls = NULL;
 			int		rc;
@@ -81,9 +80,6 @@ ldap_back_extended(
 			op->o_ctrls = oldctrls;
 
 			return rc;
-#else /* ! LDAP_BACK_PROXY_AUTHZ */
-			return ( *exop_table[i].extended )( op, rs );
-#endif /* ! LDAP_BACK_PROXY_AUTHZ */
 		}
 	}
 

servers/slapd/back-ldap/init.c

@@ -90,7 +90,6 @@ ldap_back_db_init( Backend *be )
 	BER_BVZERO( &li->acl_authcDN );
 	BER_BVZERO( &li->acl_passwd );
 
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	li->idassert_mode = LDAP_BACK_IDASSERT_LEGACY;
 
 	BER_BVZERO( &li->idassert_authcID );
@@ -109,7 +108,6 @@ ldap_back_db_init( Backend *be )
 
 	/* by default, use proxyAuthz control on each operation */
 	li->idassert_flags = LDAP_BACK_AUTH_NONE;
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 	ldap_pvt_thread_mutex_init( &li->conn_mutex );
 
@@ -128,7 +126,6 @@ ldap_back_db_open( BackendDB *be )
 		"ldap_back_db_open: URI=%s\n",
 		li->url != NULL ? li->url : "", 0, 0 );
 
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	/* by default, use proxyAuthz control on each operation */
 	switch ( li->idassert_mode ) {
 	case LDAP_BACK_IDASSERT_LEGACY:
@@ -141,10 +138,14 @@ ldap_back_db_open( BackendDB *be )
 	default:
 		break;
 	}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 #if 0 && defined(SLAPD_MONITOR)
 	{
+		/* FIXME: disabled because namingContexts doesn't have
+		 * a matching rule, and using an MRA filter doesn't work
+		 * because the normalized assertion is compared to the 
+		 * non-normalized value, which in general differ.
+		 * See ITS#3406 */
 		struct berval	filter,
 				base = BER_BVC( "cn=Databases,cn=Monitor" );
 		struct berval	vals[ 2 ];
@@ -221,7 +222,6 @@ ldap_back_db_destroy(
 			ch_free( li->acl_passwd.bv_val );
 			BER_BVZERO( &li->acl_passwd );
 		}
-#ifdef LDAP_BACK_PROXY_AUTHZ
 		if ( !BER_BVISNULL( &li->idassert_authcID ) ) {
 			ch_free( li->idassert_authcID.bv_val );
 			BER_BVZERO( &li->idassert_authcID );
@@ -246,7 +246,6 @@ ldap_back_db_destroy(
 			ch_free( li->idassert_sasl_realm.bv_val );
 			BER_BVZERO( &li->idassert_sasl_realm );
 		}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
                 if ( li->conntree ) {
 			avl_free( li->conntree, ldap_back_conn_free );
 		}

servers/slapd/back-ldap/modify.c

@@ -96,14 +96,12 @@ ldap_back_modify(
 	modv[ i ] = 0;
 
 	ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
 		send_ldap_result( op, rs );
 		rc = -1;
 		goto cleanup;
 	}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 retry:
 	rs->sr_err = ldap_modify_ext( lc->lc_ld, op->o_req_ndn.bv_val, modv,
@@ -117,9 +115,7 @@ retry:
 	}
 
 cleanup:;
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 	for ( i = 0; modv[ i ]; i++ ) {
 		ch_free( modv[ i ]->mod_bvalues );

servers/slapd/back-ldap/modrdn.c

@@ -56,14 +56,12 @@ ldap_back_modrdn(
 	}
 
 	ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
 		send_ldap_result( op, rs );
 		rc = -1;
 		goto cleanup;
 	}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 retry:
 	rs->sr_err = ldap_rename( lc->lc_ld, op->o_req_ndn.bv_val,
@@ -78,9 +76,7 @@ retry:
 	}
 
 cleanup:
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 	return rc;
 }

servers/slapd/back-ldap/proto-ldap.h

@@ -48,6 +48,33 @@ extern BI_connection_destroy	ldap_back_conn_destroy;
 
 extern BI_entry_get_rw		ldap_back_entry_get;
 
+int ldap_back_freeconn( Operation *op, struct ldapconn *lc );
+struct ldapconn *ldap_back_getconn(struct slap_op *op, struct slap_rep *rs);
+int ldap_back_dobind(struct ldapconn *lc, Operation *op, SlapReply *rs);
+int ldap_back_retry(struct ldapconn *lc, Operation *op, SlapReply *rs);
+int ldap_back_map_result(SlapReply *rs);
+int ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs,
+	ber_int_t msgid, int sendok);
+int	back_ldap_LTX_init_module(int argc, char *argv[]);
+
+extern int ldap_back_conn_cmp( const void *c1, const void *c2);
+extern int ldap_back_conn_dup( void *c1, void *c2 );
+extern void ldap_back_conn_free( void *c );
+
+extern int
+ldap_back_proxy_authz_ctrl(
+		struct ldapconn	*lc,
+		Operation	*op,
+		SlapReply	*rs,
+		LDAPControl	***pctrls );
+
+extern int
+ldap_back_proxy_authz_ctrl_free(
+		Operation	*op,
+		LDAPControl	***pctrls );
+
+extern int chain_init( void );
+
 LDAP_END_DECL
 
 #endif /* PROTO_LDAP_H */

servers/slapd/back-ldap/search.c

@@ -105,13 +105,11 @@ ldap_back_search(
 	}
 
 	ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
 		dontfreetext = 1;
 		goto finish;
 	}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 	
 retry:
 	rs->sr_err = ldap_search_ext( lc->lc_ld, op->o_req_ndn.bv_val,
@@ -274,9 +272,7 @@ fail:;
 finish:;
 	send_ldap_result( op, rs );
 
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 	if ( rs->sr_ctrls ) {
 		ldap_controls_free( rs->sr_ctrls );
@@ -547,12 +543,10 @@ ldap_back_entry_get(
 	}
 
 	ctrls = op->o_ctrls;
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	rc = ldap_back_proxy_authz_ctrl( lc, op, &rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
 		goto cleanup;
 	}
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 	
 retry:
 	rc = ldap_search_ext_s( lc->lc_ld, ndn->bv_val, LDAP_SCOPE_BASE, filter,
@@ -583,9 +577,7 @@ retry:
 	}
 
 cleanup:
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 	if ( result ) {
 		ldap_msgfree( result );