upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2026-01-18 12:54:09 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

ITS#8873 - Delete obsolete configuration options from back-ldap, back-meta, and back-asyncmeta

Browse source
This commit is contained in:
Quanah Gibson-Mount 2020-05-13 14:14:46 +00:00
parent fb1933f567
commit f926e66723
5 changed files with 3 additions and 676 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

129
doc/man/man5/slapd-ldap.5
View file

@ -144,10 +144,6 @@ The
.B idassert\-bind
feature, instead, in some cases can be crafted to implement that behavior,
which is \fIintrinsically unsafe and should be used with extreme care\fP.
This directive obsoletes
.BR acl\-authcDN ,
and
.BR acl\-passwd .
The TLS settings default to the same as the main slapd TLS settings,
except for
@ -393,14 +389,6 @@ The identity associated to this directive is also used for privileged
operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
is not. See \fBacl\-bind\fP for details.
This directive obsoletes
.BR idassert\-authcDN ,
.BR idassert\-passwd ,
.BR idassert\-mode ,
and
.BR idassert\-method .
.RE
.TP
.B idassert-passthru <authz-regexp>
if defined, selects what
@ -418,7 +406,6 @@ section related to
.BR authz\-policy ,
for details on the syntax of this field.
.TP
.B idle\-timeout <time>
This directive causes a cached connection to be dropped an recreated
@ -621,122 +608,6 @@ when set to
create a temporary connection whenever competing with other threads
for a shared one; otherwise, wait until the shared connection is available.
.SH BACKWARD COMPATIBILITY
The LDAP backend has been heavily reworked between releases 2.2 and 2.3,
and subsequently between 2.3 and 2.4.
As a side-effect, some of the traditional directives have been
deprecated and should be no longer used, as they might disappear
in future releases.
.TP
.B acl\-authcDN "<administrative DN for access control purposes>"
Formerly known as the
.BR binddn ,
it is the DN that is used to query the target server for acl checking;
it is supposed to have read access on the target server to attributes used
on the proxy for acl checking.
There is no risk of giving away such values; they are only used to
check permissions.
.B The acl\-authcDN identity is by no means implicitly used by the proxy
.B when the client connects anonymously.
The
.B idassert\-*
feature can be used (at own risk) for that purpose instead.
This directive is obsoleted by the
.B binddn
arg of
.B acl\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B acl\-passwd <password>
Formerly known as the
.BR bindpw ,
it is the password used with the above
.B acl\-authcDN
directive.
This directive is obsoleted by the
.B credentials
arg of
.B acl\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B idassert\-authcDN "<administrative DN for proxyAuthz purposes>"
DN which is used to propagate the client's identity to the target
by means of the proxyAuthz control when the client does not
belong to the DIT fragment that is being proxied by back-ldap.
This directive is obsoleted by the
.B binddn
arg of
.BR idassert\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B idassert\-passwd <password>
Password used with the
.B idassert\-authcDN
above.
This directive is obsoleted by the
.B credentials
arg of
.B idassert\-bind
when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
.TP
.B idassert\-mode <mode> [<flags>]
defines what type of
.I identity assertion
is used.
This directive is obsoleted by the
.B mode
arg of
.BR idassert\-bind ,
and will be dismissed in the future.
.TP
.B idassert\-method <method> [<saslargs>]
This directive is obsoleted by the
.B bindmethod
arg of
.BR idassert\-bind ,
and will be dismissed in the future.
.TP
.B port <port>
this directive is no longer supported. Use the
.B uri
directive as described above.
.TP
.B server <hostname[:port]>
this directive is no longer supported. Use the
.B uri
directive as described above.
.TP
.B suffixmassage, map, rewrite*
These directives are no longer supported by back-ldap; their
functionality is now delegated to the
.B rwm
overlay. Essentially, add a statement
.B overlay rwm
first, and prefix all rewrite/map statements with
.B rwm\-
to obtain the original behavior.
See
.BR slapo\-rwm (5)
for details.
.\" However, to ease update from existing configurations, back-ldap still
.\" recognizes them and automatically instantiates the
.\" .B rwm
.\" overlay if available and not instantiated yet.
.\" This behavior may change in the future.
.SH ACCESS CONTROL
The
.B ldap

94
servers/slapd/back-asyncmeta/config.c
View file

@ -86,8 +86,6 @@ enum {
/* Target attrs */
enum {
LDAP_BACK_CFG_URI = LDAP_BACK_CFG_LAST_BOTH,
LDAP_BACK_CFG_ACL_AUTHCDN,
LDAP_BACK_CFG_ACL_PASSWD,
LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
LDAP_BACK_CFG_IDASSERT_BIND,
LDAP_BACK_CFG_SUFFIXM,
@ -115,32 +113,6 @@ static ConfigTable a_metacfg[] = {
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
{ "acl-authcDN", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
asyncmeta_back_cf_gen, "( OLcfgDbAt:3.2 "
"NAME 'olcDbACLAuthcDn' "
"DESC 'Remote ACL administrative identity' "
"OBSOLETE "
"SYNTAX OMsDN "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; aliases "acl-authcDN" */
{ "binddn", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
asyncmeta_back_cf_gen, NULL, NULL, NULL },
{ "acl-passwd", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
asyncmeta_back_cf_gen, "( OLcfgDbAt:3.3 "
"NAME 'olcDbACLPasswd' "
"DESC 'Remote ACL administrative identity credentials' "
"OBSOLETE "
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; aliases "acl-passwd" */
{ "bindpw", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
asyncmeta_back_cf_gen, NULL, NULL, NULL },
{ "idassert-bind", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
asyncmeta_back_cf_gen, "( OLcfgDbAt:3.7 "
@ -454,9 +426,7 @@ static ConfigOCs a_metaocs[] = {
"DESC 'Asyncmeta target configuration' "
"SUP olcConfig STRUCTURAL "
"MUST ( olcAsyncMetaSub $ olcDbURI ) "
"MAY ( olcDbACLAuthcDn "
"$ olcDbACLPasswd "
"$ olcDbIDAssertAuthzFrom "
"MAY ( olcDbIDAssertAuthzFrom "
"$ olcDbIDAssertBind "
"$ olcDbSuffixMassage "
"$ olcDbSubtreeExclude "
@ -1296,15 +1266,6 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
ber_bvarray_add( &c->rvalue_vals, &bv );
} break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
case LDAP_BACK_CFG_ACL_PASSWD:
/* FIXME no point here, there is no code implementing
* their features. Was this supposed to implement
* acl-bind like back-ldap?
*/
rc = 1;
break;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
BerVarray *bvp;
int i;
@ -2153,33 +2114,6 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
mc->mc_bind_timeout.tv_usec = c->value_ulong%1000000;
break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
/* name to use for meta_back_group */
if ( strcasecmp( c->argv[ 0 ], "binddn" ) == 0 ) {
Debug( LDAP_DEBUG_ANY, "%s: "
"\"binddn\" statement is deprecated; "
"use \"acl-authcDN\" instead\n", c->log );
/* FIXME: some day we'll need to throw an error */
}
ber_memfree_x( c->value_dn.bv_val, NULL );
mt->mt_binddn = c->value_ndn;
BER_BVZERO( &c->value_dn );
BER_BVZERO( &c->value_ndn );
break;
case LDAP_BACK_CFG_ACL_PASSWD:
/* password to use for meta_back_group */
if ( strcasecmp( c->argv[ 0 ], "bindpw" ) == 0 ) {
Debug( LDAP_DEBUG_ANY, "%s "
"\"bindpw\" statement is deprecated; "
"use \"acl-passwd\" instead\n", c->log );
/* FIXME: some day we'll need to throw an error */
}
ber_str2bv( c->argv[ 1 ], 0L, 1, &mt->mt_bindpw );
break;
case LDAP_BACK_CFG_REBIND:
/* save bind creds for referral rebinds? */
if ( c->argc == 1 || c->value_int ) {
@ -2469,8 +2403,6 @@ int
asyncmeta_back_init_cf( BackendInfo *bi )
{
int rc;
AttributeDescription *ad = NULL;
const char *text;
/* Make sure we don't exceed the bits reserved for userland */
config_check_userland( LDAP_BACK_CFG_LAST );
@ -2482,29 +2414,5 @@ asyncmeta_back_init_cf( BackendInfo *bi )
return rc;
}
/* setup olcDbAclPasswd and olcDbIDAssertPasswd
* to be base64-encoded when written in LDIF form;
* basically, we don't care if it fails */
rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
if ( rc ) {
Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
"warning, unable to get \"olcDbACLPasswd\" "
"attribute description: %d: %s\n", rc, text );
} else {
(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
ad->ad_type->sat_oid );
}
ad = NULL;
rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
if ( rc ) {
Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
"warning, unable to get \"olcDbIDAssertPasswd\" "
"attribute description: %d: %s\n", rc, text );
} else {
(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
ad->ad_type->sat_oid );
}
return 0;
}

353
servers/slapd/back-ldap/config.c
View file

@ -43,16 +43,9 @@ static ConfigDriver ldap_pbind_cf_gen;
enum {
LDAP_BACK_CFG_URI = 1,
LDAP_BACK_CFG_TLS,
LDAP_BACK_CFG_ACL_AUTHCDN,
LDAP_BACK_CFG_ACL_PASSWD,
LDAP_BACK_CFG_ACL_METHOD,
LDAP_BACK_CFG_ACL_BIND,
LDAP_BACK_CFG_IDASSERT_MODE,
LDAP_BACK_CFG_IDASSERT_AUTHCDN,
LDAP_BACK_CFG_IDASSERT_PASSWD,
LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
LDAP_BACK_CFG_IDASSERT_PASSTHRU,
LDAP_BACK_CFG_IDASSERT_METHOD,
LDAP_BACK_CFG_IDASSERT_BIND,
LDAP_BACK_CFG_REBIND,
LDAP_BACK_CFG_CHASE,
@ -73,7 +66,6 @@ enum {
LDAP_BACK_CFG_NOUNDEFFILTER,
LDAP_BACK_CFG_ONERR,
LDAP_BACK_CFG_REWRITE,
LDAP_BACK_CFG_KEEPALIVE,
LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA,
@ -100,37 +92,6 @@ static ConfigTable ldapcfg[] = {
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
{ "acl-authcDN", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
ldap_back_cf_gen, "( OLcfgDbAt:3.2 "
"NAME 'olcDbACLAuthcDn' "
"DESC 'Remote ACL administrative identity' "
"EQUALITY distinguishedNameMatch "
"OBSOLETE "
"SYNTAX OMsDN "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; aliases "acl-authcDN" */
{ "binddn", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "acl-passwd", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
ldap_back_cf_gen, "( OLcfgDbAt:3.3 "
"NAME 'olcDbACLPasswd' "
"DESC 'Remote ACL administrative identity credentials' "
"OBSOLETE "
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; aliases "acl-passwd" */
{ "bindpw", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
ldap_back_cf_gen, NULL, NULL, NULL },
/* deprecated, will be removed; aliases "acl-bind" */
{ "acl-method", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_METHOD,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "acl-bind", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_BIND,
ldap_back_cf_gen, "( OLcfgDbAt:3.4 "
@ -140,33 +101,6 @@ static ConfigTable ldapcfg[] = {
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
{ "idassert-authcDN", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHCDN,
ldap_back_cf_gen, "( OLcfgDbAt:3.5 "
"NAME 'olcDbIDAssertAuthcDn' "
"DESC 'Remote Identity Assertion administrative identity' "
"EQUALITY distinguishedNameMatch "
"OBSOLETE "
"SYNTAX OMsDN "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; partially aliases "idassert-authcDN" */
{ "proxyauthzdn", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHCDN,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "idassert-passwd", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_PASSWD,
ldap_back_cf_gen, "( OLcfgDbAt:3.6 "
"NAME 'olcDbIDAssertPasswd' "
"DESC 'Remote Identity Assertion administrative identity credentials' "
"OBSOLETE "
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; partially aliases "idassert-passwd" */
{ "proxyauthzpw", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_PASSWD,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "idassert-bind", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
ldap_back_cf_gen, "( OLcfgDbAt:3.7 "
@ -176,18 +110,6 @@ static ConfigTable ldapcfg[] = {
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
{ "idassert-method", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_METHOD,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "idassert-mode", "mode>|u:<user>|[dn:]<DN", 2, 0, 0,
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_MODE,
ldap_back_cf_gen, "( OLcfgDbAt:3.8 "
"NAME 'olcDbIDAssertMode' "
"DESC 'Remote Identity Assertion mode' "
"OBSOLETE "
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE)",
NULL, NULL },
{ "idassert-authzFrom", "authzRule", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
ldap_back_cf_gen, "( OLcfgDbAt:3.9 "
@ -370,16 +292,6 @@ static ConfigTable ldapcfg[] = {
"SYNTAX OMsDirectoryString "
"X-ORDERED 'VALUES' )",
NULL, NULL },
{ "suffixmassage", "[virtual]> <real", 2, 3, 0,
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "map", "attribute|objectClass> [*|<local>] *|<remote", 3, 4, 0,
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "rewrite", "<arglist>", 2, 4, STRLENOF( "rewrite" ),
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
ldap_back_cf_gen, NULL, NULL, NULL },
{ "omit-unknown-schema", "true|FALSE", 2, 2, 0,
ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA,
ldap_back_cf_gen, "( OLcfgDbAt:3.28 "
@ -409,13 +321,8 @@ static ConfigOCs ldapocs[] = {
"SUP olcDatabaseConfig "
"MAY ( olcDbURI "
"$ olcDbStartTLS "
"$ olcDbACLAuthcDn "
"$ olcDbACLPasswd "
"$ olcDbACLBind "
"$ olcDbIDAssertAuthcDn "
"$ olcDbIDAssertPasswd "
"$ olcDbIDAssertBind "
"$ olcDbIDAssertMode "
"$ olcDbIDAssertAuthzFrom "
"$ olcDbIDAssertPassThru "
"$ olcDbRebindAsUser "
@ -1068,13 +975,6 @@ ldap_back_cf_gen( ConfigArgs *c )
}
break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
case LDAP_BACK_CFG_ACL_PASSWD:
case LDAP_BACK_CFG_ACL_METHOD:
/* handled by LDAP_BACK_CFG_ACL_BIND */
rc = 1;
break;
case LDAP_BACK_CFG_ACL_BIND: {
int i;
@ -1097,14 +997,6 @@ ldap_back_cf_gen( ConfigArgs *c )
break;
}
case LDAP_BACK_CFG_IDASSERT_MODE:
case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
case LDAP_BACK_CFG_IDASSERT_PASSWD:
case LDAP_BACK_CFG_IDASSERT_METHOD:
/* handled by LDAP_BACK_CFG_IDASSERT_BIND */
rc = 1;
break;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
case LDAP_BACK_CFG_IDASSERT_PASSTHRU: {
BerVarray *bvp;
@ -1502,25 +1394,10 @@ ldap_back_cf_gen( ConfigArgs *c )
rc = 1;
break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
case LDAP_BACK_CFG_ACL_PASSWD:
case LDAP_BACK_CFG_ACL_METHOD:
/* handled by LDAP_BACK_CFG_ACL_BIND */
rc = 1;
break;
case LDAP_BACK_CFG_ACL_BIND:
bindconf_free( &li->li_acl );
break;
case LDAP_BACK_CFG_IDASSERT_MODE:
case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
case LDAP_BACK_CFG_IDASSERT_PASSWD:
case LDAP_BACK_CFG_IDASSERT_METHOD:
/* handled by LDAP_BACK_CFG_IDASSERT_BIND */
rc = 1;
break;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
case LDAP_BACK_CFG_IDASSERT_PASSTHRU: {
BerVarray *bvp;
@ -1822,56 +1699,6 @@ done_url:;
#endif
break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
switch ( li->li_acl_authmethod ) {
case LDAP_AUTH_NONE:
li->li_acl_authmethod = LDAP_AUTH_SIMPLE;
break;
case LDAP_AUTH_SIMPLE:
break;
default:
snprintf( c->cr_msg, sizeof( c->cr_msg),
"\"acl-authcDN <DN>\" incompatible "
"with auth method %d",
li->li_acl_authmethod );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
return 1;
}
if ( !BER_BVISNULL( &li->li_acl_authcDN ) ) {
free( li->li_acl_authcDN.bv_val );
}
ber_memfree_x( c->value_dn.bv_val, NULL );
li->li_acl_authcDN = c->value_ndn;
BER_BVZERO( &c->value_dn );
BER_BVZERO( &c->value_ndn );
break;
case LDAP_BACK_CFG_ACL_PASSWD:
switch ( li->li_acl_authmethod ) {
case LDAP_AUTH_NONE:
li->li_acl_authmethod = LDAP_AUTH_SIMPLE;
break;
case LDAP_AUTH_SIMPLE:
break;
default:
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"\"acl-passwd <cred>\" incompatible "
"with auth method %d",
li->li_acl_authmethod );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
return 1;
}
if ( !BER_BVISNULL( &li->li_acl_passwd ) ) {
free( li->li_acl_passwd.bv_val );
}
ber_str2bv( c->argv[ 1 ], 0, 1, &li->li_acl_passwd );
break;
case LDAP_BACK_CFG_ACL_METHOD:
case LDAP_BACK_CFG_ACL_BIND:
for ( i = 1; i < c->argc; i++ ) {
if ( bindconf_parse( c->argv[ i ], &li->li_acl ) ) {
@ -1887,141 +1714,6 @@ done_url:;
#endif
break;
case LDAP_BACK_CFG_IDASSERT_MODE:
i = verb_to_mask( c->argv[1], idassert_mode );
if ( BER_BVISNULL( &idassert_mode[i].word ) ) {
if ( strncasecmp( c->argv[1], "u:", STRLENOF( "u:" ) ) == 0 ) {
li->li_idassert_mode = LDAP_BACK_IDASSERT_OTHERID;
ber_str2bv( c->argv[1], 0, 1, &li->li_idassert_authzID );
li->li_idassert_authzID.bv_val[ 0 ] = 'u';
} else {
struct berval id, ndn;
ber_str2bv( c->argv[1], 0, 0, &id );
if ( strncasecmp( c->argv[1], "dn:", STRLENOF( "dn:" ) ) == 0 ) {
id.bv_val += STRLENOF( "dn:" );
id.bv_len -= STRLENOF( "dn:" );
}
rc = dnNormalize( 0, NULL, NULL, &id, &ndn, NULL );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: idassert ID \"%s\" is not a valid DN\n",
c->fname, c->lineno, c->argv[1] );
return 1;
}
li->li_idassert_authzID.bv_len = STRLENOF( "dn:" ) + ndn.bv_len;
li->li_idassert_authzID.bv_val = ch_malloc( li->li_idassert_authzID.bv_len + 1 );
AC_MEMCPY( li->li_idassert_authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
AC_MEMCPY( &li->li_idassert_authzID.bv_val[ STRLENOF( "dn:" ) ], ndn.bv_val, ndn.bv_len + 1 );
ch_free( ndn.bv_val );
li->li_idassert_mode = LDAP_BACK_IDASSERT_OTHERDN;
}
} else {
li->li_idassert_mode = idassert_mode[i].mask;
}
if ( c->argc > 2 ) {
int i;
for ( i = 2; i < c->argc; i++ ) {
if ( strcasecmp( c->argv[ i ], "override" ) == 0 ) {
li->li_idassert_flags |= LDAP_BACK_AUTH_OVERRIDE;
} else if ( strcasecmp( c->argv[ i ], "prescriptive" ) == 0 ) {
li->li_idassert_flags |= LDAP_BACK_AUTH_PRESCRIPTIVE;
} else if ( strcasecmp( c->argv[ i ], "non-prescriptive" ) == 0 ) {
li->li_idassert_flags &= ( ~LDAP_BACK_AUTH_PRESCRIPTIVE );
} else if ( strcasecmp( c->argv[ i ], "obsolete-proxy-authz" ) == 0 ) {
if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: \"obsolete-proxy-authz\" flag "
"in \"idassert-mode <args>\" "
"incompatible with previously issued \"obsolete-encoding-workaround\" flag.\n",
c->fname, c->lineno );
return 1;
}
li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ;
} else if ( strcasecmp( c->argv[ i ], "obsolete-encoding-workaround" ) == 0 ) {
if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: \"obsolete-encoding-workaround\" flag "
"in \"idassert-mode <args>\" "
"incompatible with previously issued \"obsolete-proxy-authz\" flag.\n",
c->fname, c->lineno );
return 1;
}
li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND;
} else {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: unknown flag #%d "
"in \"idassert-mode <args> "
"[<flags>]\" line.\n",
c->fname, c->lineno, i - 2 );
return 1;
}
}
}
break;
case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
switch ( li->li_idassert_authmethod ) {
case LDAP_AUTH_NONE:
li->li_idassert_authmethod = LDAP_AUTH_SIMPLE;
break;
case LDAP_AUTH_SIMPLE:
break;
default:
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"\"idassert-authcDN <DN>\" incompatible "
"with auth method %d",
li->li_idassert_authmethod );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
return 1;
}
if ( !BER_BVISNULL( &li->li_idassert_authcDN ) ) {
free( li->li_idassert_authcDN.bv_val );
}
ber_memfree_x( c->value_dn.bv_val, NULL );
li->li_idassert_authcDN = c->value_ndn;
BER_BVZERO( &c->value_dn );
BER_BVZERO( &c->value_ndn );
break;
case LDAP_BACK_CFG_IDASSERT_PASSWD:
switch ( li->li_idassert_authmethod ) {
case LDAP_AUTH_NONE:
li->li_idassert_authmethod = LDAP_AUTH_SIMPLE;
break;
case LDAP_AUTH_SIMPLE:
break;
default:
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"\"idassert-passwd <cred>\" incompatible "
"with auth method %d",
li->li_idassert_authmethod );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
return 1;
}
if ( !BER_BVISNULL( &li->li_idassert_passwd ) ) {
free( li->li_idassert_passwd.bv_val );
}
ber_str2bv( c->argv[ 1 ], 0, 1, &li->li_idassert_passwd );
break;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
rc = slap_idassert_authzfrom_parse( c, &li->li_idassert );
break;
@ -2030,14 +1722,6 @@ done_url:;
rc = slap_idassert_passthru_parse( c, &li->li_idassert );
break;
case LDAP_BACK_CFG_IDASSERT_METHOD:
/* no longer supported */
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"\"idassert-method <args>\": "
"no longer supported; use \"idassert-bind\"" );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
return 1;
case LDAP_BACK_CFG_IDASSERT_BIND:
rc = slap_idassert_parse( c, &li->li_idassert );
break;
@ -2338,15 +2022,6 @@ done_url:;
li->li_flags |= onerr_mode[i].mask;
break;
case LDAP_BACK_CFG_REWRITE:
snprintf( c->cr_msg, sizeof( c->cr_msg ),
"rewrite/remap capabilities have been moved "
"to the \"rwm\" overlay; see slapo-rwm(5) "
"for details (hint: add \"overlay rwm\" "
"and prefix all directives with \"rwm-\")" );
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
return 1;
case LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA:
if ( c->value_int ) {
li->li_flags |= LDAP_BACK_F_OMIT_UNKNOWN_SCHEMA;
@ -2374,8 +2049,6 @@ int
ldap_back_init_cf( BackendInfo *bi )
{
int rc;
AttributeDescription *ad = NULL;
const char *text;
/* Make sure we don't exceed the bits reserved for userland */
config_check_userland( LDAP_BACK_CFG_LAST );
@ -2387,32 +2060,6 @@ ldap_back_init_cf( BackendInfo *bi )
return rc;
}
/* setup olcDbAclPasswd and olcDbIDAssertPasswd
* to be base64-encoded when written in LDIF form;
* basically, we don't care if it fails */
rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
if ( rc ) {
Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
"warning, unable to get \"olcDbACLPasswd\" "
"attribute description: %d: %s\n",
rc, text );
} else {
(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
ad->ad_type->sat_oid );
}
ad = NULL;
rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
if ( rc ) {
Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
"warning, unable to get \"olcDbIDAssertPasswd\" "
"attribute description: %d: %s\n",
rc, text );
} else {
(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
ad->ad_type->sat_oid );
}
return 0;
}

99
servers/slapd/back-meta/config.c
View file

@ -91,8 +91,6 @@ enum {
/* Target attrs */
enum {
LDAP_BACK_CFG_URI = LDAP_BACK_CFG_LAST_BOTH,
LDAP_BACK_CFG_ACL_AUTHCDN,
LDAP_BACK_CFG_ACL_PASSWD,
LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
LDAP_BACK_CFG_IDASSERT_BIND,
LDAP_BACK_CFG_REWRITE,
@ -127,33 +125,6 @@ static ConfigTable metacfg[] = {
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
{ "acl-authcDN", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
meta_back_cf_gen, "( OLcfgDbAt:3.2 "
"NAME 'olcDbACLAuthcDn' "
"DESC 'Remote ACL administrative identity' "
"EQUALITY distinguishedNameMatch "
"OBSOLETE "
"SYNTAX OMsDN "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; aliases "acl-authcDN" */
{ "binddn", "DN", 2, 2, 0,
ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
meta_back_cf_gen, NULL, NULL, NULL },
{ "acl-passwd", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
meta_back_cf_gen, "( OLcfgDbAt:3.3 "
"NAME 'olcDbACLPasswd' "
"DESC 'Remote ACL administrative identity credentials' "
"OBSOLETE "
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
/* deprecated, will be removed; aliases "acl-passwd" */
{ "bindpw", "cred", 2, 2, 0,
ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
meta_back_cf_gen, NULL, NULL, NULL },
{ "idassert-bind", "args", 2, 0, 0,
ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
meta_back_cf_gen, "( OLcfgDbAt:3.7 "
@ -506,9 +477,7 @@ static ConfigOCs metaocs[] = {
"DESC 'Meta target configuration' "
"SUP olcConfig STRUCTURAL "
"MUST ( olcMetaSub $ olcDbURI ) "
"MAY ( olcDbACLAuthcDn "
"$ olcDbACLPasswd "
"$ olcDbIDAssertAuthzFrom "
"MAY ( olcDbIDAssertAuthzFrom "
"$ olcDbIDAssertBind "
"$ olcDbMap "
"$ olcDbRewrite "
@ -1408,15 +1377,6 @@ meta_back_cf_gen( ConfigArgs *c )
ber_bvarray_add( &c->rvalue_vals, &bv );
} break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
case LDAP_BACK_CFG_ACL_PASSWD:
/* FIXME no point here, there is no code implementing
* their features. Was this supposed to implement
* acl-bind like back-ldap?
*/
rc = 1;
break;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
BerVarray *bvp;
int i;
@ -2308,35 +2268,6 @@ meta_back_cf_gen( ConfigArgs *c )
mc->mc_bind_timeout.tv_usec = c->value_ulong%1000000;
break;
case LDAP_BACK_CFG_ACL_AUTHCDN:
/* name to use for meta_back_group */
if ( strcasecmp( c->argv[ 0 ], "binddn" ) == 0 ) {
Debug( LDAP_DEBUG_ANY, "%s: "
"\"binddn\" statement is deprecated; "
"use \"acl-authcDN\" instead\n",
c->log );
/* FIXME: some day we'll need to throw an error */
}
ber_memfree_x( c->value_dn.bv_val, NULL );
mt->mt_binddn = c->value_ndn;
BER_BVZERO( &c->value_dn );
BER_BVZERO( &c->value_ndn );
break;
case LDAP_BACK_CFG_ACL_PASSWD:
/* password to use for meta_back_group */
if ( strcasecmp( c->argv[ 0 ], "bindpw" ) == 0 ) {
Debug( LDAP_DEBUG_ANY, "%s "
"\"bindpw\" statement is deprecated; "
"use \"acl-passwd\" instead\n",
c->log );
/* FIXME: some day we'll need to throw an error */
}
ber_str2bv( c->argv[ 1 ], 0L, 1, &mt->mt_bindpw );
break;
case LDAP_BACK_CFG_REBIND:
/* save bind creds for referral rebinds? */
if ( c->argc == 1 || c->value_int ) {
@ -2979,8 +2910,6 @@ int
meta_back_init_cf( BackendInfo *bi )
{
int rc;
AttributeDescription *ad = NULL;
const char *text;
/* Make sure we don't exceed the bits reserved for userland */
config_check_userland( LDAP_BACK_CFG_LAST );
@ -2992,32 +2921,6 @@ meta_back_init_cf( BackendInfo *bi )
return rc;
}
/* setup olcDbAclPasswd and olcDbIDAssertPasswd
* to be base64-encoded when written in LDIF form;
* basically, we don't care if it fails */
rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
if ( rc ) {
Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
"warning, unable to get \"olcDbACLPasswd\" "
"attribute description: %d: %s\n",
rc, text );
} else {
(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
ad->ad_type->sat_oid );
}
ad = NULL;
rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
if ( rc ) {
Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
"warning, unable to get \"olcDbIDAssertPasswd\" "
"attribute description: %d: %s\n",
rc, text );
} else {
(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
ad->ad_type->sat_oid );
}
return 0;
}

4
tests/data/slapd-idassert.conf
View file

@ -102,9 +102,7 @@ database ldap
suffix "o=Esempio,c=IT"
uri "@URI1@"
acl-authcDN "cn=Proxy IT,ou=Admin,dc=example,dc=com"
acl-passwd proxy
acl-bind bindmethod=simple binddn="cn=Proxy IT,ou=Admin,dc=example,dc=com" credentials="proxy"
idassert-bind bindmethod=simple binddn="cn=Proxy IT,ou=Admin,dc=example,dc=com" credentials="proxy" authzId="dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
# authorizes database