add authz stats logging
authorKurt Zeilenga <kurt@openldap.org>
Mon, 11 Nov 2002 19:35:52 +0000 (19:35 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Mon, 11 Nov 2002 19:35:52 +0000 (19:35 +0000)
CHANGES
servers/slapd/bind.c
servers/slapd/starttls.c [new file with mode: 0644]

diff --git a/CHANGES b/CHANGES
index ae603695f072e3f72372b9ee286fcd7e3ffa430b..d5a1f950441b0f3bac60ae714361abc888276582 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,8 @@ OpenLDAP 2.1.9 Engineering
        Fixed slapd referral/alias normalization bug
        Fixed slapd logging bugs (ITS#2170)
        Fixed slapd rootdse entry_free bug (ITS#2172)
-       Added "allow update_anon" feature (ITS#2155)
+       Added slapd allow update_anon feature (ITS#2155)
+       Added slapd authz stats logging feature (ITS#2165)
        Removed lint
        Build Environment
                Add subordinate referral test
index 1129fa6f43793cff77935abd925be92935440582..1b3220c2c39080bd13a8a0a9b2d226d568eaed07 100644 (file)
@@ -58,6 +58,14 @@ do_bind(
         */
        ldap_pvt_thread_mutex_lock( &conn->c_mutex );
        if ( conn->c_sasl_bind_in_progress ) be = conn->c_authz_backend;
+
+       /* log authorization identity demotion */
+       if ( conn->c_dn.bv_len ) {
+               Statslog( LDAP_DEBUG_STATS,
+                       "conn=%lu op=%lu AUTHZ anonymous mech=implicit ssf=0",
+                       op->o_connid, op->o_opid, 0, 0, 0 );
+       }
+
        connection2anonymous( conn );
        if ( conn->c_sasl_bind_in_progress ) conn->c_authz_backend = be;
        ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
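Review bot: The format string of the Statslog call added in this hunk, `"conn=%lu op=%lu AUTHZ anonymous mech=implicit ssf=0"`, has no trailing `\n`, while the two `AUTHZ dn=` lines added in the later hunks of this file both end in `\n`; the `mech=starttls` line in the new starttls.c has the same omission. Whether the missing newline runs this record into the next output depends on how Statslog is wired on a given build (syslog versus stderr), but the inconsistency is visible in the diff, and this is the line an operator will correlate identity demotions by, so it should be terminated like the others: `"conn=%lu op=%lu AUTHZ anonymous mech=implicit ssf=0\n",`. The enclosing do_bind() begins and ends outside this hunk.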
@@ -315,6 +323,12 @@ do_bind(
                                        LBER_SB_OPT_SET_MAX_INCOMING, &max );
                        }
 
+                       /* log authorization identity */
+                       Statslog( LDAP_DEBUG_STATS,
+                               "conn=%lu op=%lu AUTHZ dn=\"%s\" mech=%s ssf=%d\n",
+                               op->o_connid, op->o_opid,
+                               conn->c_dn.bv_val, conn->c_authmech.bv_val, ssf );
+
 #ifdef NEW_LOGGING
                        LDAP_LOG( OPERATION, DETAIL1, 
                                "do_bind: SASL/%s bind: dn=\"%s\" ssf=%d\n",
@@ -546,6 +560,12 @@ do_bind(
                                        LBER_SB_OPT_SET_MAX_INCOMING, &max );
                        }
 
+                       /* log authorization identity */
+                       Statslog( LDAP_DEBUG_STATS,
+                               "conn=%lu op=%lu AUTHZ dn=\"%s\" mech=simple ssf=0\n",
+                               op->o_connid, op->o_opid,
+                               conn->c_dn.bv_val, conn->c_authmech.bv_val, 0 );
+
 #ifdef NEW_LOGGING
                        LDAP_LOG( OPERATION, DETAIL1, 
                                "do_bind: v%d bind: \"%s\" to \"%s\" \n",
diff --git a/servers/slapd/starttls.c b/servers/slapd/starttls.c
new file mode 100644 (file)
index 0000000..46dbf83
--- /dev/null
@@ -0,0 +1,117 @@
+/* $OpenLDAP$ */
+/* 
+ * Copyright 1999-2002 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms are permitted only
+ * as authorized by the OpenLDAP Public License.  A copy of this
+ * license is available at http://www.OpenLDAP.org/license.html or
+ * in file LICENSE in the top-level directory of the distribution.
+ */
+
+#include "portable.h"
+
+#include <stdio.h>
+#include <ac/socket.h>
+
+#include <ldap_pvt.h>
+
+#include "slap.h"
+
+#ifdef HAVE_TLS
+
+int
+starttls_extop (
+       Connection *conn,
+       Operation *op,
+       const char * reqoid,
+       struct berval * reqdata,
+       char ** rspoid,
+       struct berval ** rspdata,
+       LDAPControl ***rspctrls,
+       const char ** text,
+       BerVarray * refs )
+{
+       void *ctx;
+       int rc;
+
+       if ( reqdata != NULL ) {
+               /* no request data should be provided */
+               *text = "no request data expected";
+               return LDAP_PROTOCOL_ERROR;
+       }
+
+       /* acquire connection lock */
+       ldap_pvt_thread_mutex_lock( &conn->c_mutex );
+
+       /* can't start TLS if it is already started */
+       if (conn->c_is_tls != 0) {
+               *text = "TLS already started";
+               rc = LDAP_OPERATIONS_ERROR;
+               goto done;
+       }
+
+       /* can't start TLS if there are other op's around */
+       if (( !LDAP_STAILQ_EMPTY(&conn->c_ops) &&
+                       (LDAP_STAILQ_FIRST(&conn->c_ops) != op ||
+                       LDAP_STAILQ_NEXT(op, o_next) != NULL)) ||
+               ( !LDAP_STAILQ_EMPTY(&conn->c_pending_ops) ))
+       {
+               *text = "cannot start TLS when operations are outstanding";
+               rc = LDAP_OPERATIONS_ERROR;
+               goto done;
+       }
+
+       if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) &&
+               ( conn->c_dn.bv_len != 0 ) )
+       {
+               Statslog( LDAP_DEBUG_STATS,
+                       "conn=%lu op=%lu AUTHZ anonymous mech=starttls ssf=0",
+                       op->o_connid, op->o_opid, 0, 0, 0 );
+
+               /* force to anonymous */
+               connection2anonymous( conn );
+       }
+
+       if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
+               ( conn->c_dn.bv_len != 0 ) )
+       {
+               *text = "cannot start TLS after authentication";
+               rc = LDAP_OPERATIONS_ERROR;
+               goto done;
+       }
+
+       /* fail if TLS could not be initialized */
+       if (ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx ) != 0
+               || ctx == NULL)
+       {
+               if (default_referral != NULL) {
+                       /* caller will put the referral in the result */
+                       rc = LDAP_REFERRAL;
+                       goto done;
+               }
+
+               *text = "Could not initialize TLS";
+               rc = LDAP_UNAVAILABLE;
+               goto done;
+       }
+
+    conn->c_is_tls = 1;
+    conn->c_needs_tls_accept = 1;
+
+    rc = LDAP_SUCCESS;
+
+done:
+       /* give up connection lock */
+       ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
+
+       /*
+        * RACE CONDITION: we give up lock before sending result
+        * Should be resolved by reworking connection state, not
+        * by moving send here (so as to ensure proper TLS sequencing)
+        */
+
+       return rc;
+}
+
+#endif /* HAVE_TLS */
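Review bot: The three assignments just before the `done:` label (`conn->c_is_tls = 1;`, `conn->c_needs_tls_accept = 1;`, `rc = LDAP_SUCCESS;`) are indented with four spaces, while every other line of this new file uses a tab; retab them so the file's indentation is uniform. The log-then-demote order here mirrors the first bind.c hunk (the `AUTHZ anonymous` Statslog is emitted before connection2anonymous() while c_mutex is held), so the identity change is recorded the same way on both paths.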