upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-24 00:29:35 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Copy LDBM bind "ACL_AUTH" and SASL framework to bdb2.

Browse source
This commit is contained in:
Kurt Zeilenga 1999-07-07 18:47:51 +00:00
parent 7541ccbe10
commit b8edef2b2c
3 changed files with 91 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

72
servers/slapd/back-bdb2/bind.c
View file

@ -65,6 +65,7 @@ bdb2i_back_bind_internal(
Operation *op,
char *dn,
int method,
char *mech,
struct berval *cred,
char** edn
)
@ -86,17 +87,33 @@ bdb2i_back_bind_internal(
/* get entry with reader lock */
if ( (e = bdb2i_dn2entry_r( be, dn, &matched )) == NULL ) {
/* allow noauth binds */
if ( method == LDAP_AUTH_SIMPLE && cred->bv_len == 0 ) {
/*
* bind successful, but return 1 so we don't
* authorize based on noauth credentials
*/
send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
rc = 1;
} else if ( be_isroot_pw( be, dn, cred ) ) {
/* front end will send result */
*edn = ch_strdup( be_root_dn( be ) );
rc = 0;
rc = 1;
if ( method == LDAP_AUTH_SIMPLE ) {
if( cred->bv_len == 0 ) {
/* SUCCESS */
send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
} else if ( be_isroot_pw( be, dn, cred ) ) {
/* front end will send result */
*edn = ch_strdup( be_root_dn( be ) );
rc = 0;
} else {
send_ldap_result( conn, op,
LDAP_NO_SUCH_OBJECT, matched, NULL );
}
} else if ( method == LDAP_AUTH_SASL ) {
if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") == 0 ) {
/* insert DIGEST calls here */
send_ldap_result( conn, op,
LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL );
} else {
send_ldap_result( conn, op,
LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL );
}
} else {
send_ldap_result( conn, op, LDAP_NO_SUCH_OBJECT, matched, NULL );
rc = 1;
@ -111,6 +128,14 @@ bdb2i_back_bind_internal(
/* check for deleted */
if ( ! access_allowed( be, conn, op, e,
"entry", NULL, ACL_AUTH ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
rc = 1;
goto return_results;
}
switch ( method ) {
case LDAP_AUTH_SIMPLE:
if ( cred->bv_len == 0 ) {
@ -130,6 +155,14 @@ bdb2i_back_bind_internal(
goto return_results;
}
if ( ! access_allowed( be, conn, op, e,
"userpassword", NULL, ACL_AUTH ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
rc = 1;
goto return_results;
}
if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
NULL, NULL );
@ -155,11 +188,21 @@ bdb2i_back_bind_internal(
if ( bdb2i_krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
NULL, NULL );
rc = 0;
rc = 1;
goto return_results;
}
if ( ! access_allowed( be, conn, op, e,
"krbname", NULL, ACL_AUTH ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
rc = 1;
goto return_results;
}
sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
: "", ad.pinst, ad.prealm );
if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
/*
* no krbName values present: check against DN
@ -195,6 +238,9 @@ bdb2i_back_bind_internal(
goto return_results;
#endif
case LDAP_AUTH_SASL:
/* insert sasl code here */
default:
send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
NULL, "auth method not supported" );
@ -237,7 +283,7 @@ bdb2_back_bind(
}
ret = bdb2i_back_bind_internal( be, conn, op, dn, method, cred, edn );
ret = bdb2i_back_bind_internal( be, conn, op, dn, method, mech, cred, edn );
(void) bdb2i_leave_backend_r( lock );

25
servers/slapd/back-ldbm/bind.c
View file

@ -98,16 +98,19 @@ ldbm_back_bind(
rc = 0; /* front end will send result */
} else {
send_ldap_result( conn, op, LDAP_NO_SUCH_OBJECT, matched, NULL );
send_ldap_result( conn, op,
LDAP_NO_SUCH_OBJECT, matched, NULL );
}
} else if ( method == LDAP_AUTH_SASL ) {
if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") ) {
if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") == 0 ) {
/* insert DIGEST calls here */
send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH, NULL, NULL );
send_ldap_result( conn, op,
LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL );
} else {
send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH, NULL, NULL );
send_ldap_result( conn, op,
LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL );
}
} else {
@ -193,13 +196,22 @@ ldbm_back_bind(
if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
NULL, NULL );
rc = 0;
rc = 1;
goto return_results;
}
if ( ! access_allowed( be, conn, op, e,
"krbname", NULL, ACL_AUTH ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
rc = 1;
goto return_results;
}
sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
: "", ad.pinst, ad.prealm );
if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
/*
* no krbName values present: check against DN
@ -236,6 +248,9 @@ ldbm_back_bind(
goto return_results;
#endif
case LDAP_AUTH_SASL:
/* insert SASL code here */
default:
send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
NULL, "auth method not supported" );

17
tests/data/slapd-bdb2-acl.conf
View file

@ -24,19 +24,26 @@ index cn,sn,uid pres,eq,approx
index default none
lastmod on
defaultaccess none
access to attr=objectclass
by * read
access to attr=userpassword
access to filter="objectclass=person" attr=userpassword
by self write
by * compare
access to dn=".*,ou=Alumni Association,ou=People,o=University of Michigan,c=US"
by dn=".*,o=University of Michigan,c=US"
read
by anonymous auth
by * none
access to dn=".*,ou=Alumni Association,ou=People,o=University of Michigan,c=US"
by dn=".*,o=University of Michigan,c=US" read
by anonymous auth
by * none
access to attr=member
by dnattr=member selfwrite
by * read
access to filter="objectclass=rfc822mailgroup"
by dn="Bjorn Jensen,ou=Information Technology Division,ou=People,o=University of Michigan,c=US" write
by * read
access to * by * read