document saslAuthzTo/saslAuthzFrom new syntax; add onelevel style to DN type

2026-01-05 22:50:51 -05:00 · 2004-03-06 11:00:49 +00:00 · 2004-03-06 11:00:49 +00:00 · 5716b7f1b2
commit 5716b7f1b2
parent 2b393962fc
2 changed files with 112 additions and 1 deletions
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@ -684,6 +684,87 @@ In general the
 .I saslAuthzTo
 attribute must be protected with ACLs such that
 only privileged users can modify it.
+The value of
+.I saslAuthzFrom
+and
+.I saslAuthzTo
+describes an 
+.B identity 
+or a set of identities; it can take three forms:
+.RS
+.RS
+.TP
+.B ldap:///<base>??[<scope>]?<filter>
+.RE
+.RS
+.B dn[.<dnstyle>]:<pattern>
+.RE
+.RS
+.B u[<mech>[<realm>]]:<pattern>
+.RE
+.RS
+.B <pattern>
+.RE
+.RS
+
+.B <dnstyle>:={exact|onelevel|children|subtree|regex}
+
+.RE
+The first form is a valid LDAP
+.B uri
+where the 
+.IR <host>:<port> ,
+the
+.I <attrs>
+and the
+.I <extensions>
+portions must be absent, so that the search occurs locally on either
+.I saslAuthzFrom
+or 
+.IR saslAuthzTo .
+The second form is a 
+.BR DN ,
+with the optional style modifiers
+.IR exact ,
+.IR onelevel ,
+.IR children ,
+and
+.I subtree
+for exact, onelevel, children and subtree matches, which cause 
+.I <pattern>
+to be normalized according to the DN normalization rules, or the special
+.I regex
+style, which causes
+.I <pattern>
+to be compiled according to 
+.BR regex (7).
+The third form is a SASL
+.BR id ,
+with the optional fields
+.I <mech>
+and
+.I <realm>
+that allow to specify a SASL
+.BR mechanism ,
+and eventually a SASL
+.BR realm ,
+for those mechanisms that support one.
+The need to allow the specification of a mechanism is still debated, 
+and users are strongly discouraged to rely on this possibility.
+For backwards compatibility, if no identity type is provided, i.e. only
+.B <pattern>
+is present, an
+.I exact DN
+is assumed; as a consequence, 
+.B <pattern>
+is subjected to DN normalization.
+Since the interpretation of
+.I saslAuthzFrom
+and
+.I saslAuthzTo
+can impact security, users are strongly encouraged 
+to explicitly set the type of identity specification that is being used.
+.RE
 .TP
 .B sasl-host <fqdn>
 Used to specify the fully qualified domain name used for SASL processing.
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@ -33,6 +33,7 @@
 #define LDAP_X_SCOPE_REGEX	((ber_int_t) 0x0020)
 #define LDAP_X_SCOPE_CHILDREN	((ber_int_t) 0x0030)
 #define LDAP_X_SCOPE_SUBTREE	((ber_int_t) 0x0040)
+#define LDAP_X_SCOPE_ONELEVEL	((ber_int_t) 0x0050)

 /*
 * IDs in DNauthzid form can now have a type specifier, that
@ -225,6 +226,10 @@ static int slap_parseURI( Operation *op, struct berval *uri,
 				bv.bv_val += sizeof( "subtree" ) - 1;
 				*scope = LDAP_X_SCOPE_SUBTREE;

+			} else if ( !strncasecmp( bv.bv_val, "onelevel:", sizeof( "onelevel:" ) - 1 ) ) {
+				bv.bv_val += sizeof( "onelevel" ) - 1;
+				*scope = LDAP_X_SCOPE_ONELEVEL;
+
 			} else {
 				return LDAP_PROTOCOL_ERROR;
 			}
@ -244,6 +249,7 @@ is_dn:		bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
 		case LDAP_X_SCOPE_EXACT:
 		case LDAP_X_SCOPE_CHILDREN:
 		case LDAP_X_SCOPE_SUBTREE:
+		case LDAP_X_SCOPE_ONELEVEL:
 			rc = dnNormalize( 0, NULL, NULL, &bv, nbase, op->o_tmpmemctx );
 			if( rc != LDAP_SUCCESS ) {
 				*scope = -1;
@ -639,6 +645,7 @@ exact_match:

 	case LDAP_X_SCOPE_CHILDREN:
 	case LDAP_X_SCOPE_SUBTREE:
+	case LDAP_X_SCOPE_ONELEVEL:
 	{
 		int	d = assertDN->bv_len - op.o_req_ndn.bv_len;

@ -654,7 +661,29 @@ exact_match:
 			bv.bv_val = assertDN->bv_val + d;

 			if ( bv.bv_val[ -1 ] == ',' && dn_match( &op.o_req_ndn, &bv ) ) {
-				rc = LDAP_SUCCESS;
+				switch ( op.oq_search.rs_scope ) {
+				case LDAP_X_SCOPE_CHILDREN:
+					rc = LDAP_SUCCESS;
+					break;
+
+				case LDAP_X_SCOPE_ONELEVEL:
+				{
+					struct berval	pdn;
+
+					dnParent( assertDN, &pdn );
+					/* the common portion of the DN
+					 * already matches, so only check
+					 * if parent DN of assertedDN 
+					 * is all the pattern */
+					if ( pdn.bv_len == op.o_req_ndn.bv_len ) {
+						rc = LDAP_SUCCESS;
+					}
+					break;
+				}
+				default:
+					/* at present, impossible */
+					assert( 0 );
+				}
 			}
 		}
 		goto CONCLUDED;
@ -863,6 +892,7 @@ void slap_sasl2dn( Operation *opx,
 	case LDAP_X_SCOPE_REGEX:
 	case LDAP_X_SCOPE_SUBTREE:
 	case LDAP_X_SCOPE_CHILDREN:
+	case LDAP_X_SCOPE_ONELEVEL:
 		/* correctly parsed, but illegal */
 		goto FINISHED;