From: Ondřej Kuzník
Date: Tue, 4 Apr 2017 14:11:48 +0000 (+0100)
Subject: Proxyauthz support
X-Git-Tag: OPENLDAP_REL_ENG_2_5_1ALPHA~18^2~204
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=59291ba4de14015bf36ebaed41f2f2bc17fa52e7;p=thirdparty%2Fopenldap.git

Proxyauthz support
---

diff --git a/servers/lloadd/bind.c b/servers/lloadd/bind.c
index 1006e010da..a0359ab132 100644
--- a/servers/lloadd/bind.c
+++ b/servers/lloadd/bind.c
@@ -171,7 +171,18 @@ request_bind_as_vc( Operation *op )
 if ( !BER_BVISNULL( &c->c_auth ) ) {
 ber_memfree( c->c_auth.bv_val );
 }
- ber_dupbv( &c->c_auth, &binddn );
+ if ( !BER_BVISEMPTY( &binddn ) ) {
+ char *ptr;
+ c->c_auth.bv_len = STRLENOF("dn:") + binddn.bv_len;
+ c->c_auth.bv_val = ch_malloc( c->c_auth.bv_len + 1 );
+
+ ptr = lutil_strcopy( c->c_auth.bv_val, "dn:" );
+ ptr = lutil_strncopy( ptr, binddn.bv_val, binddn.bv_len );
+ *ptr = '\0';
+ } else {
+ BER_BVZERO( &c->c_auth );
+ }
+
 if ( !BER_BVISNULL( &c->c_sasl_bind_mech ) ) {
 ber_memfree( c->c_sasl_bind_mech.bv_val );
 BER_BVZERO( &c->c_sasl_bind_mech );
diff --git a/servers/lloadd/config.c b/servers/lloadd/config.c
index 241c7220a1..b686cb2821 100644
--- a/servers/lloadd/config.c
+++ b/servers/lloadd/config.c
@@ -472,6 +472,8 @@ config_backend( ConfigArgs *c )
 }
 }
 
+ bindconf_tls_defaults( &b->b_bindconf );
+
 if ( b->b_bindconf.sb_method == LDAP_AUTH_SASL ) {
 #ifndef HAVE_CYRUS_SASL
 Debug( LDAP_DEBUG_ANY, "config_backend: "
diff --git a/servers/lloadd/operation.c b/servers/lloadd/operation.c
index 0502531042..d2083442f2 100644
--- a/servers/lloadd/operation.c
+++ b/servers/lloadd/operation.c
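Review bot: `c->c_auth` is filled in from the request's `binddn` at the point the bind is forwarded, before any bind result has come back, and with this commit that value becomes the identity asserted in the proxied-authorization control on every later request of the connection. If nothing resets `c_auth` when the upstream rejects the bind (the rest of request_bind_as_vc and the response path are outside the hunk), a connection whose bind as some DN failed would still have that `dn:` value proxied upstream for subsequent operations, so please confirm the failure path clears it and say so next to the assignment, e.g. `/* c_auth is the authzid proxied upstream; must be reset if the bind fails */`. The anonymous case (`BER_BVZERO( &c->c_auth )`) leaves `bv_val` NULL rather than an empty string, so every consumer of `c_auth` has to handle a NULL pointer, not just an empty value.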
@@ -298,12 +298,38 @@ request_process( void *ctx, void *arg )
 op->o_upstream_msgid = msgid = c->c_next_msgid++;
 rc = tavl_insert( &c->c_ops, op, operation_upstream_cmp, avl_dup_error );
 assert( rc == LDAP_SUCCESS );
- ldap_pvt_thread_mutex_unlock( &c->c_mutex );
 
- ber_printf( output, "t{titOtO}", LDAP_TAG_MESSAGE,
- LDAP_TAG_MSGID, msgid,
- op->o_tag, &op->o_request,
- LDAP_TAG_CONTROLS, BER_BV_OPTIONAL( &op->o_ctrls ) );
+ if ( lload_features & LLOAD_FEATURE_PROXYAUTHZ ) {
+ Debug( LDAP_DEBUG_TRACE, "request_process: "
+ "proxying identity %s to upstream\n",
+ c->c_auth.bv_val );
+ ber_printf( output, "t{titOt{{sbO}" /* "}}" */, LDAP_TAG_MESSAGE,
+ LDAP_TAG_MSGID, msgid,
+ op->o_tag, &op->o_request,
+ LDAP_TAG_CONTROLS,
+ LDAP_CONTROL_PROXY_AUTHZ, 1, &c->c_auth );
+
+ if ( !BER_BVISNULL( &op->o_ctrls ) ) {
+ BerElement *control_ber = ber_alloc();
+ BerValue controls;
+
+ if ( !control_ber ) {
+ goto fail;
+ }
+ ber_init2( control_ber, &op->o_ctrls, 0 );
+ ber_peek_element( control_ber, &controls );
+
+ ber_write( output, controls.bv_val, controls.bv_len, 0 );
+ ber_free( control_ber, 0 );
+ }
+ ber_printf( output, /* "{{" */ "}}" );
+ } else {
+ ber_printf( output, "t{titOtO}", LDAP_TAG_MESSAGE,
+ LDAP_TAG_MSGID, msgid,
+ op->o_tag, &op->o_request,
+ LDAP_TAG_CONTROLS, BER_BV_OPTIONAL( &op->o_ctrls ) );
+ }
+ ldap_pvt_thread_mutex_unlock( &c->c_mutex );
 ldap_pvt_thread_mutex_unlock( &c->c_io_mutex );
 
 upstream_write_cb( -1, 0, c );
diff --git a/servers/lloadd/proto-slap.h b/servers/lloadd/proto-slap.h
index d5c3dfbaa8..b55b155de3 100644
--- a/servers/lloadd/proto-slap.h
+++ b/servers/lloadd/proto-slap.h
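Review bot: The result of `ber_peek_element( control_ber, &controls )` is not checked, so a malformed or truncated `o_ctrls` element (which originates from the client's request) leaves `controls` uninitialized before it is handed to `ber_write`; the rewrite below tests for `LBER_DEFAULT`, checks `ber_write` as well, and frees `control_ber` on both paths. The trace `Debug` passes `c->c_auth.bv_val` to `%s`, which is NULL for a connection whose bind DN was empty (bind.c now does `BER_BVZERO( &c->c_auth )` in that case) or that never bound. Since the `c_mutex` unlock moved below the message construction, the `goto fail` taken when `ber_alloc` fails now jumps with `c_mutex` (and `c_io_mutex`) held; `fail:` is outside the hunk, so please confirm it releases both or unlock before jumping. The client's controls are spliced in verbatim after the injected one, so a proxied-authorization control supplied by the client is forwarded alongside lloadd's; the handler should decide explicitly (and document) whether such requests are rejected when the feature is on instead of relying on how the upstream treats duplicate controls. request_process continues outside the hunk.
```c
    if ( lload_features & LLOAD_FEATURE_PROXYAUTHZ ) {
        Debug( LDAP_DEBUG_TRACE, "request_process: "
                "proxying identity %s to upstream\n",
                BER_BVISNULL( &c->c_auth ) ? "(anonymous)" : c->c_auth.bv_val );
        /* … unchanged: ber_printf of the message header and the proxyauthz control … */
        if ( !BER_BVISNULL( &op->o_ctrls ) ) {
            BerElement *control_ber = ber_alloc();
            BerValue controls;

            if ( !control_ber ) {
                goto fail;
            }
            ber_init2( control_ber, &op->o_ctrls, 0 );
            /* o_ctrls is client-supplied: a bad element leaves `controls` unset */
            if ( ber_peek_element( control_ber, &controls ) == LBER_DEFAULT ||
                    ber_write( output, controls.bv_val, controls.bv_len, 0 ) < 0 ) {
                ber_free( control_ber, 0 );
                goto fail;
            }
            ber_free( control_ber, 0 );
        }
        /* … unchanged: closing "}}" and the else branch … */
```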
@@ -78,6 +78,7 @@ LDAP_SLAPD_F (int) read_config( const char *fname, const char *dir );
 LDAP_SLAPD_F (void) config_destroy( void );
 LDAP_SLAPD_F (int) verb_to_mask( const char *word, slap_verbmasks *v );
 LDAP_SLAPD_F (int) str2loglevel( const char *s, int *l );
+LDAP_SLAPD_F (void) bindconf_tls_defaults( slap_bindconf *bc );
 LDAP_SLAPD_F (void) bindconf_free( slap_bindconf *bc );
 
 /*