Revert to simple authzID behavior
This commit is contained in:
parent
171e934bf0
commit
8aaaad0dd7
2 changed files with 8 additions and 60 deletions
@ -750,46 +750,17 @@ static int parseProxyAuthz (
|
|||
return LDAP_SUCCESS;
|
||||
}
|
||||
|
||||
/* FIXME: how can we get the realm? */
|
||||
{
|
||||
int rc;
|
||||
char buf[ SLAP_LDAPDN_MAXLEN ];
|
||||
struct berval id,
|
||||
user = { 0, NULL },
|
||||
realm = { 0, NULL },
|
||||
mech = { 0, NULL };
|
||||
rc = slap_sasl_getdn( op->o_conn, op,
|
||||
ctrl->ldctl_value.bv_val, ctrl->ldctl_value.bv_len,
|
||||
NULL, &dn, SLAP_GETDN_AUTHZID );
|
||||
|
||||
if ( sizeof( buf ) <= ctrl->ldctl_value.bv_len ) {
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
if( rc != LDAP_SUCCESS || !dn.bv_len ) {
|
||||
if ( dn.bv_val ) {
|
||||
ch_free( dn.bv_val );
|
||||
}
|
||||
rs->sr_text = "authzId mapping failed";
|
||||
return LDAP_PROXY_AUTHZ_FAILURE;
|
||||
|
||||
id.bv_len = ctrl->ldctl_value.bv_len;
|
||||
id.bv_val = buf;
|
||||
strncpy( buf, ctrl->ldctl_value.bv_val, sizeof( buf ) );
|
||||
|
||||
rc = slap_parse_user( &id, &user, &realm, &mech );
|
||||
if ( rc == LDAP_SUCCESS ) {
|
||||
struct berval authz = BER_BVC( "AUTHZ" );
|
||||
|
||||
if ( mech.bv_len && !bvmatch( &mech, &authz) ) {
|
||||
rs->sr_text = "mech not allowed in authzId";
|
||||
return LDAP_PROXY_AUTHZ_FAILURE;
|
||||
}
|
||||
} else {
|
||||
user = ctrl->ldctl_value;
|
||||
}
|
||||
|
||||
rc = slap_sasl_getdn( op->o_conn, op,
|
||||
user.bv_val, user.bv_len,
|
||||
realm.bv_val, &dn, SLAP_GETDN_AUTHZID );
|
||||
|
||||
if( rc != LDAP_SUCCESS || !dn.bv_len ) {
|
||||
if ( dn.bv_val ) {
|
||||
ch_free( dn.bv_val );
|
||||
}
|
||||
rs->sr_text = "authzId mapping failed";
|
||||
return LDAP_PROXY_AUTHZ_FAILURE;
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef NEW_LOGGING
|
||||
|
|
|
|||
|
|
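Review bot: The client-supplied `ctrl->ldctl_value.bv_len` is now passed straight into `slap_sasl_getdn`, whose `len` parameter is a plain `int` (see the second hunk's header), and the `sizeof( buf ) <= ctrl->ldctl_value.bv_len` bound that the removed block applied before using the value is gone with it; an unsigned `bv_len` above `INT_MAX` would arrive as a negative `len`. Unless the control value is already bounded by the BER decoder, a guard such as `if ( ctrl->ldctl_value.bv_len > INT_MAX ) { return LDAP_INVALID_SYNTAX; }` ahead of the call would preserve the old rejection of oversized authzIds without reintroducing the stack buffer. The new `/* FIXME: how can we get the realm? */` would also be more useful if it recorded the current consequence, e.g. `/* FIXME: no realm is available here, so NULL is passed as the realm argument */`. parseProxyAuthz begins before this hunk and its body continues after `#ifdef NEW_LOGGING`.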
@ -1881,29 +1881,6 @@ int slap_sasl_getdn( Connection *conn, Operation *op, char *id, int len,
|
|||
|
||||
len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1;
|
||||
|
||||
#if 0
|
||||
/* username may have embedded realm name */
|
||||
/* FIXME:
|
||||
* userids can legally have embedded '@' chars;
|
||||
* the realm should be set by those mechanisms
|
||||
* that support it by means of the user_realm
|
||||
* variable
|
||||
*/
|
||||
if( ( realm.bv_val = strrchr( dn->bv_val, '@') ) ) {
|
||||
char *r = realm.bv_val;
|
||||
|
||||
realm.bv_val++;
|
||||
realm.bv_len = dn->bv_len - ( realm.bv_val - dn->bv_val );
|
||||
len += sizeof( ",cn=" ) - 2;
|
||||
c1.bv_len -= realm.bv_len + 1;
|
||||
|
||||
if ( strchr( dn->bv_val, '@') == r ) {
|
||||
/* FIXME: ambiguity, is it the realm
|
||||
* or something else? */
|
||||
}
|
||||
|
||||
} else
|
||||
#endif
|
||||
if( user_realm && *user_realm ) {
|
||||
realm.bv_val = user_realm;
|
||||
realm.bv_len = strlen( user_realm );
|
||||
|
|
|
|||