openldap-software mailing list for now.
-- Howard Chu, 2002-07-12
+
+Update... With OpenLDAP 2.1.13 you can use SASL/EXTERNAL on ldapi://.
+This is fast and secure, and needs no username or password to be stored.
+The SASL config file is just
+
+ldapdb_uri: ldapi://
+ldapdb_mech: EXTERNAL
+
+The slapd.conf will need to map these usernames to LDAP DNs:
+
+sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
+ ldap:///dc=example,dc=com??sub?(&(uidNumber=$1)(gidNumber=$2))
+
+sasl-regexp uid=(.*),cn=external,cn=auth
+ ldap:///dc=example,dc=com??sub?(uid=$1)
+
requests to another LDAP server. While processing requests it will also
chase referrals, so that referrals are fully processed instead of being
returned to the slapd client.
+
+Sessions that explicitly Bind to the back-ldap database always create their
+own private connection to the remote LDAP server. Anonymous sessions will
+share a single anonymous connection to the remote server. For sessions bound
+through other mechanisms, all sessions with the same DN will share the
+same connection. This connection pooling strategy can enhance the proxy's
+efficiency by reducing the overhead of repeatedly making/breaking multiple
+connections.
+
.SH CONFIGURATION
These
.B slapd.conf
.B bindpw <password>
Password used with the bind DN above.
.TP
+.B proxy-whoami
+Turns on proxying of the WhoAmI extended operation. If this option is
+given, back-ldap will replace slapd's original WhoAmI routine with its
+own. On slapd sessions that were authenticated by back-ldap, the WhoAmI
+request will be forwarded to the remote LDAP server. Other sessions will
+be handled by the local slapd, as before. This option is mainly useful
+in conjunction with Proxy Authorization.
+.TP
.B rebind-as-user
If this option is given, the client's bind credentials are remembered
for rebinds when chasing referrals.
ObjectClass *oc,
struct berval *ocname );
+static int entry_naming_check(
+ Entry *e,
+ const char** text,
+ char *textbuf, size_t textlen );
/*
* entry_schema_check - check that entry e conforms to the schema required
* by its object class(es).
return LDAP_NO_OBJECT_CLASS_MODS;
}
- { /* naming check */
- LDAPRDN *rdn;
- const char *p;
- ber_len_t cnt;
-
- /*
- * Get attribute type(s) and attribute value(s) of our RDN
- */
- if ( ldap_bv2rdn( &e->e_name, &rdn, (char **)&p,
- LDAP_DN_FORMAT_LDAP ) )
- {
- *text = "unrecongized attribute type(s) in RDN";
- return LDAP_INVALID_DN_SYNTAX;
- }
-
- /* Check that each AVA of the RDN is present in the entry */
- /* FIXME: Should also check that each AVA lists a distinct type */
- for ( cnt = 0; rdn[0][cnt]; cnt++ ) {
- LDAPAVA *ava = rdn[0][cnt];
- AttributeDescription *desc = NULL;
- Attribute *attr;
- const char *errtext;
-
- rc = slap_bv2ad( &ava->la_attr, &desc, &errtext );
- if ( rc != LDAP_SUCCESS ) {
- snprintf( textbuf, textlen, "%s (in RDN)", errtext );
- return rc;
- }
-
- /* find the naming attribute */
- attr = attr_find( e->e_attrs, desc );
- if ( attr == NULL ) {
- snprintf( textbuf, textlen,
- "naming attribute '%s' is not present in entry",
- ava->la_attr );
- return LDAP_NO_SUCH_ATTRIBUTE;
- }
-
- if ( value_find( desc, attr->a_vals, &ava->la_value ) != 0 ) {
- snprintf( textbuf, textlen,
- "value of naming attribute '%s' is not present in entry",
- ava->la_attr );
- return LDAP_NO_SUCH_ATTRIBUTE;
- }
- }
+ /* naming check */
+ rc = entry_naming_check( e, text, textbuf, textlen );
+ if ( rc != LDAP_SUCCESS ) {
+ return rc;
}
#ifdef SLAP_EXTENDED_SCHEMA
return structural_class( ocmod->sml_bvalues, sc, NULL,
text, textbuf, textlen );
}
+
+
+static int
+entry_naming_check(
+ Entry *e,
+ const char** text,
+ char *textbuf, size_t textlen )
+{
+ /* naming check */
+ LDAPRDN *rdn = NULL;
+ const char *p = NULL;
+ ber_len_t cnt;
+ int rc = LDAP_SUCCESS;
+
+ /*
+ * Get attribute type(s) and attribute value(s) of our RDN
+ */
+ if ( ldap_bv2rdn( &e->e_name, &rdn, (char **)&p,
+ LDAP_DN_FORMAT_LDAP ) )
+ {
+ *text = "unrecongized attribute type(s) in RDN";
+ return LDAP_INVALID_DN_SYNTAX;
+ }
+
+ /* Check that each AVA of the RDN is present in the entry */
+ /* FIXME: Should also check that each AVA lists a distinct type */
+ for ( cnt = 0; rdn[0][cnt]; cnt++ ) {
+ LDAPAVA *ava = rdn[0][cnt];
+ AttributeDescription *desc = NULL;
+ Attribute *attr;
+ const char *errtext;
+
+ rc = slap_bv2ad( &ava->la_attr, &desc, &errtext );
+ if ( rc != LDAP_SUCCESS ) {
+ snprintf( textbuf, textlen, "%s (in RDN)", errtext );
+ break;
+ }
+
+ /* find the naming attribute */
+ attr = attr_find( e->e_attrs, desc );
+ if ( attr == NULL ) {
+ snprintf( textbuf, textlen,
+ "naming attribute '%s' is not present in entry",
+ ava->la_attr.bv_val );
+ rc = LDAP_NO_SUCH_ATTRIBUTE;
+ break;
+ }
+
+ if ( value_find( desc, attr->a_vals, &ava->la_value ) != 0 ) {
+ snprintf( textbuf, textlen,
+ "value of naming attribute '%s' is not present in entry",
+ ava->la_attr.bv_val );
+ rc = LDAP_NO_SUCH_ATTRIBUTE;
+ break;
+ }
+ }
+
+ ldap_rdnfree( rdn );
+ return rc;
+}
+
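Review bot: The three failure paths inside the AVA loop of entry_naming_check format their diagnostic into textbuf but never assign it to *text, while the ldap_bv2rdn failure above the loop does set *text; unless the caller (entry_schema_check, in the previous hunk) has already pointed *text at textbuf, which is not visible here, those RDN messages are dropped and the client sees whatever *text held before. Adding `*text = textbuf;` next to each snprintf, or once before the loop since every message in it goes through textbuf, makes the helper self-contained. The literal assigned before the loop carries the pre-existing typo `"unrecongized attribute type(s) in RDN"`; moving the code is a good occasion to correct it to `"unrecognized attribute type(s) in RDN"`. `p` is declared `const char *` only to have the const cast away in `(char **)&p` and is never read afterwards; `char *p = NULL;` passed as `&p` removes the cast.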