assert administrative identity instead of the required one if doing auth check in non-caching mode
parent
32d9856fb1
commit
a7b55f4f44
3 changed files with 47 additions and 37 deletions
@ -143,7 +143,7 @@ ldap_back_conn_cmp(
|
|||
int rc;
|
||||
|
||||
/* If local DNs don't match, it is definitely not a match */
|
||||
if ( ( rc = ber_bvcmp( &lc1->local_dn, &lc2->local_dn )) )
|
||||
if ( ( rc = ber_bvcmp( &lc1->local_dn, &lc2->local_dn ) ) )
|
||||
return rc;
|
||||
|
||||
/* For shared sessions, conn is NULL. Only explicitly
|
||||
|
|
@ -226,17 +226,16 @@ ldap_back_freeconn( Operation *op, struct ldapconn *lc )
|
|||
struct ldapconn *
|
||||
ldap_back_getconn(Operation *op, SlapReply *rs)
|
||||
{
|
||||
struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
|
||||
struct ldapconn *lc, lc_curr;
|
||||
LDAP *ld;
|
||||
int is_priv = 0;
|
||||
struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
|
||||
struct ldapconn *lc, lc_curr;
|
||||
LDAP *ld;
|
||||
int is_priv = 0;
|
||||
|
||||
/* Searches for a ldapconn in the avl tree */
|
||||
|
||||
/* Explicit binds must not be shared */
|
||||
if ( op->o_tag == LDAP_REQ_BIND
|
||||
|| (op->o_conn
|
||||
&& (op->o_bd == op->o_conn->c_authz_backend ))) {
|
||||
|| ( op->o_conn && op->o_bd == op->o_conn->c_authz_backend ) ) {
|
||||
lc_curr.conn = op->o_conn;
|
||||
|
||||
} else {
|
||||
|
|
@ -463,7 +462,9 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
|
|||
int freeauthz = 0;
|
||||
|
||||
/* if SASL supports native authz, prepare for it */
|
||||
if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {
|
||||
if ( ( !op->o_do_not_cache || !op->o_is_auth_check ) &&
|
||||
( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) )
|
||||
{
|
||||
switch ( li->idassert_mode ) {
|
||||
case LDAP_BACK_IDASSERT_OTHERID:
|
||||
case LDAP_BACK_IDASSERT_OTHERDN:
|
||||
|
|
@ -753,7 +754,8 @@ ldap_back_proxy_authz_ctrl(
|
|||
{
|
||||
struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
|
||||
LDAPControl **ctrls = NULL;
|
||||
int i = 0;
|
||||
int i = 0,
|
||||
mode;
|
||||
struct berval assertedID;
|
||||
|
||||
*pctrls = NULL;
|
||||
|
|
@ -845,7 +847,14 @@ ldap_back_proxy_authz_ctrl(
|
|||
rs->sr_text = "proxyAuthz not allowed within namingContext";
|
||||
}
|
||||
|
||||
switch ( li->idassert_mode ) {
|
||||
if ( op->o_do_not_cache && op->o_is_auth_check ) {
|
||||
mode = LDAP_BACK_IDASSERT_NOASSERT;
|
||||
|
||||
} else {
|
||||
mode = li->idassert_mode;
|
||||
}
|
||||
|
||||
switch ( mode ) {
|
||||
case LDAP_BACK_IDASSERT_LEGACY:
|
||||
case LDAP_BACK_IDASSERT_SELF:
|
||||
/* original behavior:
|
||||
|
@ -41,6 +41,7 @@ authz-regexp "^uid=([^,]+),.*" "uid=$1,ou=People,dc=example,dc=com"
|
|||
#
|
||||
|
||||
access to attr=userpassword
|
||||
by dn.exact="uid=proxy,ou=People,dc=example,dc=com" read
|
||||
by self =wx
|
||||
by anonymous =x
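Review bot: The ACL grants `read` on userpassword to `uid=proxy,ou=People,dc=example,dc=com`, which lets the proxy identity fetch password values rather than only authenticate against them; if the auth check that this commit now performs with the administrative identity only needs to compare, the narrower `auth` level (`=x`, as the `by anonymous` clause already uses) should be tried first, and whichever level is kept deserves a comment. Which of the seven lines is the single addition (6 old, 7 new, no markers survive) is not recoverable from this rendering, so this is read as applying to the `by dn.exact=... read` clause. A one-line comment above `access to attr=userpassword`, e.g. `# the proxy identity needs userPassword for the auth check done with the administrative identity`, would tie the grant to the change it supports.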
|
||||
|
||||
@ -185,33 +185,33 @@ if test $? != 0 ; then
|
|||
fi
|
||||
|
||||
# FIXME: this cannot work as is, because SASL bind cannot be proxied!
|
||||
#if test $USE_SASL != "no" ; then
|
||||
# ID="bjorn"
|
||||
# BASE="dc=example,dc=com"
|
||||
# echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
|
||||
# $LDAPSASLSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
|
||||
# -Q -U "$ID" -w bjorn -Y $MECH > $SEARCHOUT 2>&1
|
||||
#
|
||||
# RC=$?
|
||||
# if test $RC != 0 ; then
|
||||
# echo "ldapsearch failed ($RC)!"
|
||||
# test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||
# exit $RC
|
||||
# fi
|
||||
#
|
||||
# echo "Filtering ldapsearch results..."
|
||||
# . $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
|
||||
# echo "Filtering original ldif used to create database..."
|
||||
# . $LDIFFILTER < $LDAPGLUEOUT > $LDIFFLT
|
||||
# echo "Comparing filter output..."
|
||||
# $CMP $SEARCHFLT $LDIFFLT > $CMPOUT
|
||||
#
|
||||
# if test $? != 0 ; then
|
||||
# echo "comparison failed - glued search with SASL bind and identity assertion didn't succeed"
|
||||
# test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||
# exit 1
|
||||
# fi
|
||||
#fi
|
||||
if test $USE_SASL != "no" ; then
|
||||
ID="bjorn"
|
||||
BASE="dc=example,dc=com"
|
||||
echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
|
||||
$LDAPSASLSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
|
||||
-Q -U "$ID" -w bjorn -Y $MECH > $SEARCHOUT 2>&1
|
||||
|
||||
RC=$?
|
||||
if test $RC != 0 ; then
|
||||
echo "ldapsearch failed ($RC)!"
|
||||
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||
exit $RC
|
||||
fi
|
||||
|
||||
echo "Filtering ldapsearch results..."
|
||||
. $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
|
||||
echo "Filtering original ldif used to create database..."
|
||||
. $LDIFFILTER < $LDAPGLUEOUT > $LDIFFLT
|
||||
echo "Comparing filter output..."
|
||||
$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
|
||||
|
||||
if test $? != 0 ; then
|
||||
echo "comparison failed - glued search with SASL bind and identity assertion didn't succeed"
|
||||
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
test $KILLSERVERS != no && kill -HUP $KILLPIDS
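Review bot: The removed `# FIXME: this cannot work as is, because SASL bind cannot be proxied!` is dropped without a replacement stating what now makes the proxied SASL bind work, so the next reader has no link between this test block and the identity-assertion change in the commit; a one-liner above `if test $USE_SASL != "no" ; then`, e.g. `# SASL bind with identity assertion: the auth check runs with the administrative identity`, would keep that. The `test $USE_SASL != "no"` and `test $KILLSERVERS != no` conditions leave the variables unquoted, so an unset `USE_SASL` turns the test into a `test` syntax error instead of skipping the block; that matches the rest of the file (see the `if test $? != 0` context at the hunk header), so fixing it belongs to a separate sweep. The enclosing script continues past the hunk.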
|
||||
|
||||