From: Kurt Zeilenga Date: Mon, 11 Nov 2002 19:35:52 +0000 (+0000) Subject: add authz stats logging X-Git-Tag: OPENLDAP_REL_ENG_2_1_9~36 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=da576373bde8bdcd8f2ac19e8ab6fb01a34903ee;p=thirdparty%2Fopenldap.git add authz stats logging
---
diff --git a/CHANGES b/CHANGES
index ae603695f0..d5a1f95044 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,8 @@ OpenLDAP 2.1.9 Engineering
 Fixed slapd referral/alias normalization bug
 Fixed slapd logging bugs (ITS#2170)
 Fixed slapd rootdse entry_free bug (ITS#2172)
- Added "allow update_anon" feature (ITS#2155)
+ Added slapd allow update_anon feature (ITS#2155)
+ Added slapd authz stats logging feature (ITS#2165)
 Removed lint
 Build Environment
 Add subordinate referral test
diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index 1129fa6f43..1b3220c2c3 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -58,6 +58,14 @@ do_bind(
 */
 ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 if ( conn->c_sasl_bind_in_progress ) be = conn->c_authz_backend;
+
+ /* log authorization identity demotion */
+ if ( conn->c_dn.bv_len ) {
+ Statslog( LDAP_DEBUG_STATS,
+ "conn=%lu op=%lu AUTHZ anonymous mech=implicit ssf=0",
+ op->o_connid, op->o_opid, 0, 0, 0 );
+ }
+
 connection2anonymous( conn );
 if ( conn->c_sasl_bind_in_progress ) conn->c_authz_backend = be;
 ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
@@ -315,6 +323,12 @@ do_bind(
 LBER_SB_OPT_SET_MAX_INCOMING, &max );
 }
 
+ /* log authorization identity */
+ Statslog( LDAP_DEBUG_STATS,
+ "conn=%lu op=%lu AUTHZ dn=\"%s\" mech=%s ssf=%d\n",
+ op->o_connid, op->o_opid,
+ conn->c_dn.bv_val, conn->c_authmech.bv_val, ssf );
+
 #ifdef NEW_LOGGING
 LDAP_LOG( OPERATION, DETAIL1,
 "do_bind: SASL/%s bind: dn=\"%s\" ssf=%d\n",
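Review bot: The new Statslog format string `"conn=%lu op=%lu AUTHZ anonymous mech=implicit ssf=0"` has no trailing `\n`, unlike the two AUTHZ records added later in this commit (the `@@ -315` and `@@ -546` hunks), so this demotion record and whatever is logged next may run together in line-oriented stats output that an auditor greps; the `mech=starttls` line in the new starttls.c has the same omission. The trailing `0, 0, 0` arguments presumably pad a fixed-arity Statslog macro, which is not obvious from the call site; a comment such as `/* Statslog takes a fixed number of args; trailing zeros are unused */` would keep the next reader from looking for missing conversions. The enclosing do_bind body begins and ends outside this hunk.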
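Review bot: `conn->c_dn.bv_val` and `conn->c_authmech.bv_val` are handed to `%s` conversions unconditionally, while the `@@ -58` hunk of the same file only logs after checking `conn->c_dn.bv_len`; if a completed SASL exchange can leave either berval with a NULL `bv_val`, the logger dereferences NULL, which is undefined behaviour. If that state is reachable, guarding the record the same way, `if ( conn->c_dn.bv_val && conn->c_authmech.bv_val )`, or substituting a fixed marker string for the NULL case, keeps the audit line well-formed. This is inferred from the surrounding hunks only; the code that fills `c_dn` and `c_authmech` is outside this hunk, as is the rest of do_bind.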
@@ -546,6 +560,12 @@ do_bind(
 LBER_SB_OPT_SET_MAX_INCOMING, &max );
 }
 
+ /* log authorization identity */
+ Statslog( LDAP_DEBUG_STATS,
+ "conn=%lu op=%lu AUTHZ dn=\"%s\" mech=simple ssf=0\n",
+ op->o_connid, op->o_opid,
+ conn->c_dn.bv_val, conn->c_authmech.bv_val, 0 );
+
 #ifdef NEW_LOGGING
 LDAP_LOG( OPERATION, DETAIL1,
 "do_bind: v%d bind: \"%s\" to \"%s\" \n",
diff --git a/servers/slapd/starttls.c b/servers/slapd/starttls.c
new file mode 100644
index 0000000000..46dbf83b91
--- /dev/null
+++ b/servers/slapd/starttls.c
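Review bot: `conn->c_authmech.bv_val` is passed as an argument although the format string `"conn=%lu op=%lu AUTHZ dn=\"%s\" mech=simple ssf=0\n"` has only three conversions, so the value is never printed and a reader is left wondering whether a `%s` was dropped. Passing `0` there, as the `@@ -58` hunk does for its filler slots, makes the padding explicit: `conn->c_dn.bv_val, 0, 0 );`. The simple-bind branch of do_bind that this record belongs to starts and ends outside the hunk.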
@@ -0,0 +1,117 @@
+/* $OpenLDAP$ */
+/*
+ * Copyright 1999-2002 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms are permitted only
+ * as authorized by the OpenLDAP Public License. A copy of this
+ * license is available at http://www.OpenLDAP.org/license.html or
+ * in file LICENSE in the top-level directory of the distribution.
+ */
+
+#include "portable.h"
+
+#include
+#include
+
+#include
+
+#include "slap.h"
+
+#ifdef HAVE_TLS
+
+int
+starttls_extop (
+ Connection *conn,
+ Operation *op,
+ const char * reqoid,
+ struct berval * reqdata,
+ char ** rspoid,
+ struct berval ** rspdata,
+ LDAPControl ***rspctrls,
+ const char ** text,
+ BerVarray * refs )
+{
+ void *ctx;
+ int rc;
+
+ if ( reqdata != NULL ) {
+ /* no request data should be provided */
+ *text = "no request data expected";
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+ /* acquire connection lock */
+ ldap_pvt_thread_mutex_lock( &conn->c_mutex );
+
+ /* can't start TLS if it is already started */
+ if (conn->c_is_tls != 0) {
+ *text = "TLS already started";
+ rc = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ /* can't start TLS if there are other op's around */
+ if (( !LDAP_STAILQ_EMPTY(&conn->c_ops) &&
+ (LDAP_STAILQ_FIRST(&conn->c_ops) != op ||
+ LDAP_STAILQ_NEXT(op, o_next) != NULL)) ||
+ ( !LDAP_STAILQ_EMPTY(&conn->c_pending_ops) ))
+ {
+ *text = "cannot start TLS when operations are outstanding";
+ rc = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) &&
+ ( conn->c_dn.bv_len != 0 ) )
+ {
+ Statslog( LDAP_DEBUG_STATS,
+ "conn=%lu op=%lu AUTHZ anonymous mech=starttls ssf=0",
+ op->o_connid, op->o_opid, 0, 0, 0 );
+
+ /* force to anonymous */
+ connection2anonymous( conn );
+ }
+
+ if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
+ ( conn->c_dn.bv_len != 0 ) )
+ {
+ *text = "cannot start TLS after authentication";
+ rc = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ /* fail if TLS could not be initialized */
+ if (ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx ) != 0
+ || ctx == NULL)
+ {
+ if (default_referral != NULL) {
+ /* caller will put the referral in the result */
+ rc = LDAP_REFERRAL;
+ goto done;
+ }
+
+ *text = "Could not initialize TLS";
+ rc = LDAP_UNAVAILABLE;
+ goto done;
+ }
+
+ conn->c_is_tls = 1;
+ conn->c_needs_tls_accept = 1;
+
+ rc = LDAP_SUCCESS;
+
+done:
+ /* give up connection lock */
+ ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
+
+ /*
+ * RACE CONDITION: we give up lock before sending result
+ * Should be resolved by reworking connection state, not
+ * by moving send here (so as to ensure proper TLS sequencing)
+ */
+
+ return rc;
+}
+
+#endif /* HAVE_TLS */
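Review bot: The `SLAP_DISALLOW_TLS_AUTHC` check can only reject a bound connection when `SLAP_DISALLOW_TLS_2_ANON` is also set: when that flag is clear, the block just above has already called `connection2anonymous( conn )`, which (assuming it clears `c_dn`, as the bind.c `@@ -58` hunk implies by testing `c_dn.bv_len` right before calling it) leaves `conn->c_dn.bv_len == 0` for the second test. If that precedence between the two policy flags is intended, a comment above the second `if`, such as `/* reached with a non-empty c_dn only when TLS_2_ANON is disallowed */`, should say so; if it is not, the two blocks need to be reordered so the authenticated connection is rejected before it is demoted. starttls_extop also has no header comment stating its contract: it takes and releases `c_mutex` itself, sets `*text` only on failure, and relies on the caller to send the result after the lock is dropped, which the RACE CONDITION comment at `done:` already flags as a known weakness. The unused `reqoid`, `rspoid`, `rspdata`, `rspctrls` and `refs` parameters deserve a one-line note that they are part of the extended-operation handler signature rather than an oversight.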