ITS#8873 - Delete obsolete configuration options from back-ldap, back-meta, and back...
authorQuanah Gibson-Mount <quanah@openldap.org>
Wed, 13 May 2020 14:14:46 +0000 (14:14 +0000)
committerQuanah Gibson-Mount <quanah@openldap.org>
Tue, 26 May 2020 19:59:56 +0000 (19:59 +0000)
doc/man/man5/slapd-ldap.5
servers/slapd/back-asyncmeta/config.c
servers/slapd/back-ldap/config.c
servers/slapd/back-meta/config.c
tests/data/slapd-idassert.conf

index 71d25ac99e6d34ac585990afd583d287de09d2e5..77683aaf219e02a639c80b661573b3a557750fbb 100644 (file)
@@ -144,10 +144,6 @@ The
 .B idassert\-bind
 feature, instead, in some cases can be crafted to implement that behavior,
 which is \fIintrinsically unsafe and should be used with extreme care\fP.
-This directive obsoletes
-.BR acl\-authcDN ,
-and
-.BR acl\-passwd .
 
 The TLS settings default to the same as the main slapd TLS settings,
 except for
@@ -393,14 +389,6 @@ The identity associated to this directive is also used for privileged
 operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
 is not.  See \fBacl\-bind\fP for details.
 
-This directive obsoletes
-.BR idassert\-authcDN ,
-.BR idassert\-passwd ,
-.BR idassert\-mode ,
-and
-.BR idassert\-method .
-.RE
-
 .TP
 .B idassert-passthru <authz-regexp>
 if defined, selects what
@@ -418,7 +406,6 @@ section related to
 .BR authz\-policy ,
 for details on the syntax of this field.
 
-
 .TP
 .B idle\-timeout <time>
 This directive causes a cached connection to be dropped an recreated
@@ -621,122 +608,6 @@ when set to
 create a temporary connection whenever competing with other threads
 for a shared one; otherwise, wait until the shared connection is available.
 
-.SH BACKWARD COMPATIBILITY
-The LDAP backend has been heavily reworked between releases 2.2 and 2.3,
-and subsequently between 2.3 and 2.4.
-As a side-effect, some of the traditional directives have been
-deprecated and should be no longer used, as they might disappear
-in future releases.
-
-.TP
-.B acl\-authcDN "<administrative DN for access control purposes>"
-Formerly known as the
-.BR binddn ,
-it is the DN that is used to query the target server for acl checking;
-it is supposed to have read access on the target server to attributes used
-on the proxy for acl checking.
-There is no risk of giving away such values; they are only used to
-check permissions.
-
-.B The acl\-authcDN identity is by no means implicitly used by the proxy 
-.B when the client connects anonymously.
-The
-.B idassert\-*
-feature can be used (at own risk) for that purpose instead.
-
-This directive is obsoleted by the
-.B binddn
-arg of
-.B acl\-bind
-when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
-
-.TP
-.B acl\-passwd <password>
-Formerly known as the
-.BR bindpw ,
-it is the password used with the above
-.B acl\-authcDN
-directive.
-This directive is obsoleted by the
-.B credentials
-arg of
-.B acl\-bind
-when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
-
-.TP
-.B idassert\-authcDN "<administrative DN for proxyAuthz purposes>"
-DN which is used to propagate the client's identity to the target
-by means of the proxyAuthz control when the client does not
-belong to the DIT fragment that is being proxied by back-ldap.
-This directive is obsoleted by the
-.B binddn
-arg of
-.BR idassert\-bind
-when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
-
-.TP
-.B idassert\-passwd <password>
-Password used with the
-.B idassert\-authcDN
-above.
-This directive is obsoleted by the
-.B credentials
-arg of
-.B idassert\-bind
-when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
-
-.TP
-.B idassert\-mode <mode> [<flags>]
-defines what type of
-.I identity assertion
-is used.
-This directive is obsoleted by the
-.B mode
-arg of 
-.BR idassert\-bind ,
-and will be dismissed in the future.
-
-.TP
-.B idassert\-method <method> [<saslargs>]
-This directive is obsoleted by the
-.B bindmethod
-arg of
-.BR idassert\-bind ,
-and will be dismissed in the future.
-
-.TP
-.B port <port>
-this directive is no longer supported.  Use the 
-.B uri
-directive as described above.
-
-.TP
-.B server <hostname[:port]>
-this directive is no longer supported.  Use the 
-.B uri
-directive as described above.
-
-.TP
-.B suffixmassage, map, rewrite*
-These directives are no longer supported by back-ldap; their 
-functionality is now delegated to the
-.B rwm
-overlay.  Essentially, add a statement
-
-.B overlay rwm
-
-first, and prefix all rewrite/map statements with
-.B rwm\-
-to obtain the original behavior.
-See
-.BR slapo\-rwm (5)
-for details.
-.\" However, to ease update from existing configurations, back-ldap still 
-.\" recognizes them and automatically instantiates the
-.\" .B rwm
-.\" overlay if available and not instantiated yet.
-.\" This behavior may change in the future.
-
 .SH ACCESS CONTROL
 The
 .B ldap
index b04b9e97d4b80df285a6ad9c9d06c65bd2368d70..5873d9c0a31ff3efbca1c6a2e9f0739e9c773d24 100644 (file)
@@ -86,8 +86,6 @@ enum {
 /* Target attrs */
 enum {
        LDAP_BACK_CFG_URI = LDAP_BACK_CFG_LAST_BOTH,
-       LDAP_BACK_CFG_ACL_AUTHCDN,
-       LDAP_BACK_CFG_ACL_PASSWD,
        LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
        LDAP_BACK_CFG_IDASSERT_BIND,
        LDAP_BACK_CFG_SUFFIXM,
@@ -115,32 +113,6 @@ static ConfigTable a_metacfg[] = {
                        "SYNTAX OMsDirectoryString "
                        "SINGLE-VALUE )",
                NULL, NULL },
-       { "acl-authcDN", "DN", 2, 2, 0,
-               ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
-               asyncmeta_back_cf_gen, "( OLcfgDbAt:3.2 "
-                       "NAME 'olcDbACLAuthcDn' "
-                       "DESC 'Remote ACL administrative identity' "
-                       "OBSOLETE "
-                       "SYNTAX OMsDN "
-                       "SINGLE-VALUE )",
-               NULL, NULL },
-       /* deprecated, will be removed; aliases "acl-authcDN" */
-       { "binddn", "DN", 2, 2, 0,
-               ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
-               asyncmeta_back_cf_gen, NULL, NULL, NULL },
-       { "acl-passwd", "cred", 2, 2, 0,
-               ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
-               asyncmeta_back_cf_gen, "( OLcfgDbAt:3.3 "
-                       "NAME 'olcDbACLPasswd' "
-                       "DESC 'Remote ACL administrative identity credentials' "
-                       "OBSOLETE "
-                       "SYNTAX OMsDirectoryString "
-                       "SINGLE-VALUE )",
-               NULL, NULL },
-       /* deprecated, will be removed; aliases "acl-passwd" */
-       { "bindpw", "cred", 2, 2, 0,
-               ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
-               asyncmeta_back_cf_gen, NULL, NULL, NULL },
        { "idassert-bind", "args", 2, 0, 0,
                ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
                asyncmeta_back_cf_gen, "( OLcfgDbAt:3.7 "
@@ -454,9 +426,7 @@ static ConfigOCs a_metaocs[] = {
                "DESC 'Asyncmeta target configuration' "
                "SUP olcConfig STRUCTURAL "
                "MUST ( olcAsyncMetaSub $ olcDbURI ) "
-               "MAY ( olcDbACLAuthcDn "
-                       "$ olcDbACLPasswd "
-                       "$ olcDbIDAssertAuthzFrom "
+               "MAY ( olcDbIDAssertAuthzFrom "
                        "$ olcDbIDAssertBind "
                        "$ olcDbSuffixMassage "
                        "$ olcDbSubtreeExclude "
@@ -1296,15 +1266,6 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
                        ber_bvarray_add( &c->rvalue_vals, &bv );
                        } break;
 
-               case LDAP_BACK_CFG_ACL_AUTHCDN:
-               case LDAP_BACK_CFG_ACL_PASSWD:
-                       /* FIXME no point here, there is no code implementing
-                        * their features. Was this supposed to implement
-                        * acl-bind like back-ldap?
-                        */
-                       rc = 1;
-                       break;
-
                case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
                        BerVarray       *bvp;
                        int             i;
@@ -2153,33 +2114,6 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
                mc->mc_bind_timeout.tv_usec = c->value_ulong%1000000;
                break;
 
-       case LDAP_BACK_CFG_ACL_AUTHCDN:
-       /* name to use for meta_back_group */
-               if ( strcasecmp( c->argv[ 0 ], "binddn" ) == 0 ) {
-                       Debug( LDAP_DEBUG_ANY, "%s: "
-                               "\"binddn\" statement is deprecated; "
-                               "use \"acl-authcDN\" instead\n", c->log );
-                       /* FIXME: some day we'll need to throw an error */
-               }
-
-               ber_memfree_x( c->value_dn.bv_val, NULL );
-               mt->mt_binddn = c->value_ndn;
-               BER_BVZERO( &c->value_dn );
-               BER_BVZERO( &c->value_ndn );
-               break;
-
-       case LDAP_BACK_CFG_ACL_PASSWD:
-       /* password to use for meta_back_group */
-               if ( strcasecmp( c->argv[ 0 ], "bindpw" ) == 0 ) {
-                       Debug( LDAP_DEBUG_ANY, "%s "
-                               "\"bindpw\" statement is deprecated; "
-                               "use \"acl-passwd\" instead\n", c->log );
-                       /* FIXME: some day we'll need to throw an error */
-               }
-
-               ber_str2bv( c->argv[ 1 ], 0L, 1, &mt->mt_bindpw );
-               break;
-
        case LDAP_BACK_CFG_REBIND:
        /* save bind creds for referral rebinds? */
                if ( c->argc == 1 || c->value_int ) {
@@ -2469,8 +2403,6 @@ int
 asyncmeta_back_init_cf( BackendInfo *bi )
 {
        int                     rc;
-       AttributeDescription    *ad = NULL;
-       const char              *text;
 
        /* Make sure we don't exceed the bits reserved for userland */
        config_check_userland( LDAP_BACK_CFG_LAST );
@@ -2482,29 +2414,5 @@ asyncmeta_back_init_cf( BackendInfo *bi )
                return rc;
        }
 
-       /* setup olcDbAclPasswd and olcDbIDAssertPasswd
-        * to be base64-encoded when written in LDIF form;
-        * basically, we don't care if it fails */
-       rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
-       if ( rc ) {
-               Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
-                       "warning, unable to get \"olcDbACLPasswd\" "
-                       "attribute description: %d: %s\n", rc, text );
-       } else {
-               (void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
-                       ad->ad_type->sat_oid );
-       }
-
-       ad = NULL;
-       rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
-       if ( rc ) {
-               Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
-                       "warning, unable to get \"olcDbIDAssertPasswd\" "
-                       "attribute description: %d: %s\n", rc, text );
-       } else {
-               (void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
-                       ad->ad_type->sat_oid );
-       }
-
        return 0;
 }
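Review bot: With both `ldif_must_b64_encode_register` calls gone, nothing left in asyncmeta_back_init_cf requests LDIF base64 encoding for the attribute that now carries bind credentials (`olcDbIDAssertBind`, whose `idassert-bind` row survives in the table hunk above). Removing the registrations is consistent with deleting `olcDbACLPasswd`/`olcDbIDAssertPasswd`, but whether the replacement attribute gets the same treatment elsewhere (presumably in the shared bindconf code) is not visible here; if it does not, `credentials=` values are now written to cn=config LDIF as plain attribute values. The identical removal appears in ldap_back_init_cf in servers/slapd/back-ldap/config.c. If the handling has indeed moved, a one-line comment after the schema registration, e.g. `/* bind credentials now live in olcDb*Bind; LDIF encoding is handled with bindconf */`, would record where that responsibility went.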
index 4b9fc38bac0abd7f4ce4cd2579703ae8206cf579..a12bce933e64fd34560ff3a96a42043f47c70c29 100644 (file)
@@ -43,16 +43,9 @@ static ConfigDriver ldap_pbind_cf_gen;
 enum {
        LDAP_BACK_CFG_URI = 1,
        LDAP_BACK_CFG_TLS,
-       LDAP_BACK_CFG_ACL_AUTHCDN,
-       LDAP_BACK_CFG_ACL_PASSWD,
-       LDAP_BACK_CFG_ACL_METHOD,
        LDAP_BACK_CFG_ACL_BIND,
-       LDAP_BACK_CFG_IDASSERT_MODE,
-       LDAP_BACK_CFG_IDASSERT_AUTHCDN,
-       LDAP_BACK_CFG_IDASSERT_PASSWD,
        LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
        LDAP_BACK_CFG_IDASSERT_PASSTHRU,
-       LDAP_BACK_CFG_IDASSERT_METHOD,
        LDAP_BACK_CFG_IDASSERT_BIND,
        LDAP_BACK_CFG_REBIND,
        LDAP_BACK_CFG_CHASE,
@@ -73,7 +66,6 @@ enum {
        LDAP_BACK_CFG_NOUNDEFFILTER,
        LDAP_BACK_CFG_ONERR,
 
-       LDAP_BACK_CFG_REWRITE,
        LDAP_BACK_CFG_KEEPALIVE,
 
        LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA,
@@ -100,37 +92,6 @@ static ConfigTable ldapcfg[] = {
                        "SYNTAX OMsDirectoryString "
                        "SINGLE-VALUE )",
                NULL, NULL },
-       { "acl-authcDN", "DN", 2, 2, 0,
-               ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
-               ldap_back_cf_gen, "( OLcfgDbAt:3.2 "
-                       "NAME 'olcDbACLAuthcDn' "
-                       "DESC 'Remote ACL administrative identity' "
-                       "EQUALITY distinguishedNameMatch "
-                       "OBSOLETE "
-                       "SYNTAX OMsDN "
-                       "SINGLE-VALUE )",
-               NULL, NULL },
-       /* deprecated, will be removed; aliases "acl-authcDN" */
-       { "binddn", "DN", 2, 2, 0,
-               ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
-               ldap_back_cf_gen, NULL, NULL, NULL },
-       { "acl-passwd", "cred", 2, 2, 0,
-               ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
-               ldap_back_cf_gen, "( OLcfgDbAt:3.3 "
-                       "NAME 'olcDbACLPasswd' "
-                       "DESC 'Remote ACL administrative identity credentials' "
-                       "OBSOLETE "
-                       "SYNTAX OMsDirectoryString "
-                       "SINGLE-VALUE )",
-               NULL, NULL },
-       /* deprecated, will be removed; aliases "acl-passwd" */
-       { "bindpw", "cred", 2, 2, 0,
-               ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
-               ldap_back_cf_gen, NULL, NULL, NULL },
-       /* deprecated, will be removed; aliases "acl-bind" */
-       { "acl-method", "args", 2, 0, 0,
-               ARG_MAGIC|LDAP_BACK_CFG_ACL_METHOD,
-               ldap_back_cf_gen, NULL, NULL, NULL },
        { "acl-bind", "args", 2, 0, 0,
                ARG_MAGIC|LDAP_BACK_CFG_ACL_BIND,
                ldap_back_cf_gen, "( OLcfgDbAt:3.4 "
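Review bot: Dropping the `binddn`, `bindpw` and `acl-method` alias rows together with the OBSOLETE attributes means a slapd.conf that still uses those names presumably goes from an accepted (aliased) directive to a configuration error at startup, since nothing in this table maps them any more; the man-page hunk for slapd-ldap.5 only deletes the BACKWARD COMPATIBILITY section rather than saying the names are now rejected. Failing closed is the right outcome, but a short note in the man page listing the removed directives and their `acl-bind`/`idassert-bind` replacements would spare operators a guess at upgrade time. The same applies to the `proxyauthzdn`/`proxyauthzpw` and `idassert-method`/`idassert-mode` rows removed in the two following hunks. The ldapcfg table starts and ends outside this hunk.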
@@ -140,33 +101,6 @@ static ConfigTable ldapcfg[] = {
                        "SYNTAX OMsDirectoryString "
                        "SINGLE-VALUE )",
                NULL, NULL },
-       { "idassert-authcDN", "DN", 2, 2, 0,
-               ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHCDN,
-               ldap_back_cf_gen, "( OLcfgDbAt:3.5 "
-                       "NAME 'olcDbIDAssertAuthcDn' "
-                       "DESC 'Remote Identity Assertion administrative identity' "
-                       "EQUALITY distinguishedNameMatch "
-                       "OBSOLETE "
-                       "SYNTAX OMsDN "
-                       "SINGLE-VALUE )",
-               NULL, NULL },
-       /* deprecated, will be removed; partially aliases "idassert-authcDN" */
-       { "proxyauthzdn", "DN", 2, 2, 0,
-               ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHCDN,
-               ldap_back_cf_gen, NULL, NULL, NULL },
-       { "idassert-passwd", "cred", 2, 2, 0,
-               ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_PASSWD,
-               ldap_back_cf_gen, "( OLcfgDbAt:3.6 "
-                       "NAME 'olcDbIDAssertPasswd' "
-                       "DESC 'Remote Identity Assertion administrative identity credentials' "
-                       "OBSOLETE "
-                       "SYNTAX OMsDirectoryString "
-                       "SINGLE-VALUE )",
-               NULL, NULL },
-       /* deprecated, will be removed; partially aliases "idassert-passwd" */
-       { "proxyauthzpw", "cred", 2, 2, 0,
-               ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_PASSWD,
-               ldap_back_cf_gen, NULL, NULL, NULL },
        { "idassert-bind", "args", 2, 0, 0,
                ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
                ldap_back_cf_gen, "( OLcfgDbAt:3.7 "
@@ -176,18 +110,6 @@ static ConfigTable ldapcfg[] = {
                        "SYNTAX OMsDirectoryString "
                        "SINGLE-VALUE )",
                NULL, NULL },
-       { "idassert-method", "args", 2, 0, 0,
-               ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_METHOD,
-               ldap_back_cf_gen, NULL, NULL, NULL },
-       { "idassert-mode", "mode>|u:<user>|[dn:]<DN", 2, 0, 0,
-               ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_MODE,
-               ldap_back_cf_gen, "( OLcfgDbAt:3.8 "
-                       "NAME 'olcDbIDAssertMode' "
-                       "DESC 'Remote Identity Assertion mode' "
-                       "OBSOLETE "
-                       "SYNTAX OMsDirectoryString "
-                       "SINGLE-VALUE)",
-               NULL, NULL },
        { "idassert-authzFrom", "authzRule", 2, 2, 0,
                ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
                ldap_back_cf_gen, "( OLcfgDbAt:3.9 "
@@ -370,16 +292,6 @@ static ConfigTable ldapcfg[] = {
                        "SYNTAX OMsDirectoryString "
                        "X-ORDERED 'VALUES' )",
                NULL, NULL },
-
-       { "suffixmassage", "[virtual]> <real", 2, 3, 0,
-               ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
-               ldap_back_cf_gen, NULL, NULL, NULL },
-       { "map", "attribute|objectClass> [*|<local>] *|<remote", 3, 4, 0,
-               ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
-               ldap_back_cf_gen, NULL, NULL, NULL },
-       { "rewrite", "<arglist>", 2, 4, STRLENOF( "rewrite" ),
-               ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
-               ldap_back_cf_gen, NULL, NULL, NULL },
        { "omit-unknown-schema", "true|FALSE", 2, 2, 0,
                ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA,
                ldap_back_cf_gen, "( OLcfgDbAt:3.28 "
@@ -409,13 +321,8 @@ static ConfigOCs ldapocs[] = {
                "SUP olcDatabaseConfig "
                "MAY ( olcDbURI "
                        "$ olcDbStartTLS "
-                       "$ olcDbACLAuthcDn "
-                       "$ olcDbACLPasswd "
                        "$ olcDbACLBind "
-                       "$ olcDbIDAssertAuthcDn "
-                       "$ olcDbIDAssertPasswd "
                        "$ olcDbIDAssertBind "
-                       "$ olcDbIDAssertMode "
                        "$ olcDbIDAssertAuthzFrom "
                        "$ olcDbIDAssertPassThru "
                        "$ olcDbRebindAsUser "
@@ -1068,13 +975,6 @@ ldap_back_cf_gen( ConfigArgs *c )
                        }
                        break;
 
-               case LDAP_BACK_CFG_ACL_AUTHCDN:
-               case LDAP_BACK_CFG_ACL_PASSWD:
-               case LDAP_BACK_CFG_ACL_METHOD:
-                       /* handled by LDAP_BACK_CFG_ACL_BIND */
-                       rc = 1;
-                       break;
-
                case LDAP_BACK_CFG_ACL_BIND: {
                        int     i;
 
@@ -1097,14 +997,6 @@ ldap_back_cf_gen( ConfigArgs *c )
                        break;
                }
 
-               case LDAP_BACK_CFG_IDASSERT_MODE:
-               case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
-               case LDAP_BACK_CFG_IDASSERT_PASSWD:
-               case LDAP_BACK_CFG_IDASSERT_METHOD:
-                       /* handled by LDAP_BACK_CFG_IDASSERT_BIND */
-                       rc = 1;
-                       break;
-
                case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
                case LDAP_BACK_CFG_IDASSERT_PASSTHRU: {
                        BerVarray       *bvp;
@@ -1502,25 +1394,10 @@ ldap_back_cf_gen( ConfigArgs *c )
                        rc = 1;
                        break;
 
-               case LDAP_BACK_CFG_ACL_AUTHCDN:
-               case LDAP_BACK_CFG_ACL_PASSWD:
-               case LDAP_BACK_CFG_ACL_METHOD:
-                       /* handled by LDAP_BACK_CFG_ACL_BIND */
-                       rc = 1;
-                       break;
-
                case LDAP_BACK_CFG_ACL_BIND:
                        bindconf_free( &li->li_acl );
                        break;
 
-               case LDAP_BACK_CFG_IDASSERT_MODE:
-               case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
-               case LDAP_BACK_CFG_IDASSERT_PASSWD:
-               case LDAP_BACK_CFG_IDASSERT_METHOD:
-                       /* handled by LDAP_BACK_CFG_IDASSERT_BIND */
-                       rc = 1;
-                       break;
-
                case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
                case LDAP_BACK_CFG_IDASSERT_PASSTHRU: {
                        BerVarray *bvp;
@@ -1822,56 +1699,6 @@ done_url:;
 #endif
                break;
 
-       case LDAP_BACK_CFG_ACL_AUTHCDN:
-               switch ( li->li_acl_authmethod ) {
-               case LDAP_AUTH_NONE:
-                       li->li_acl_authmethod = LDAP_AUTH_SIMPLE;
-                       break;
-
-               case LDAP_AUTH_SIMPLE:
-                       break;
-
-               default:
-                       snprintf( c->cr_msg, sizeof( c->cr_msg),
-                               "\"acl-authcDN <DN>\" incompatible "
-                               "with auth method %d",
-                               li->li_acl_authmethod );
-                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
-                       return 1;
-               }
-               if ( !BER_BVISNULL( &li->li_acl_authcDN ) ) {
-                       free( li->li_acl_authcDN.bv_val );
-               }
-               ber_memfree_x( c->value_dn.bv_val, NULL );
-               li->li_acl_authcDN = c->value_ndn;
-               BER_BVZERO( &c->value_dn );
-               BER_BVZERO( &c->value_ndn );
-               break;
-
-       case LDAP_BACK_CFG_ACL_PASSWD:
-               switch ( li->li_acl_authmethod ) {
-               case LDAP_AUTH_NONE:
-                       li->li_acl_authmethod = LDAP_AUTH_SIMPLE;
-                       break;
-
-               case LDAP_AUTH_SIMPLE:
-                       break;
-
-               default:
-                       snprintf( c->cr_msg, sizeof( c->cr_msg ),
-                               "\"acl-passwd <cred>\" incompatible "
-                               "with auth method %d",
-                               li->li_acl_authmethod );
-                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
-                       return 1;
-               }
-               if ( !BER_BVISNULL( &li->li_acl_passwd ) ) {
-                       free( li->li_acl_passwd.bv_val );
-               }
-               ber_str2bv( c->argv[ 1 ], 0, 1, &li->li_acl_passwd );
-               break;
-
-       case LDAP_BACK_CFG_ACL_METHOD:
        case LDAP_BACK_CFG_ACL_BIND:
                for ( i = 1; i < c->argc; i++ ) {
                        if ( bindconf_parse( c->argv[ i ], &li->li_acl ) ) {
@@ -1887,141 +1714,6 @@ done_url:;
 #endif
                break;
 
-       case LDAP_BACK_CFG_IDASSERT_MODE:
-               i = verb_to_mask( c->argv[1], idassert_mode );
-               if ( BER_BVISNULL( &idassert_mode[i].word ) ) {
-                       if ( strncasecmp( c->argv[1], "u:", STRLENOF( "u:" ) ) == 0 ) {
-                               li->li_idassert_mode = LDAP_BACK_IDASSERT_OTHERID;
-                               ber_str2bv( c->argv[1], 0, 1, &li->li_idassert_authzID );
-                               li->li_idassert_authzID.bv_val[ 0 ] = 'u';
-                               
-                       } else {
-                               struct berval   id, ndn;
-
-                               ber_str2bv( c->argv[1], 0, 0, &id );
-
-                               if ( strncasecmp( c->argv[1], "dn:", STRLENOF( "dn:" ) ) == 0 ) {
-                                       id.bv_val += STRLENOF( "dn:" );
-                                       id.bv_len -= STRLENOF( "dn:" );
-                               }
-
-                               rc = dnNormalize( 0, NULL, NULL, &id, &ndn, NULL );
-                                if ( rc != LDAP_SUCCESS ) {
-                                        Debug( LDAP_DEBUG_ANY,
-                                                "%s: line %d: idassert ID \"%s\" is not a valid DN\n",
-                                                c->fname, c->lineno, c->argv[1] );
-                                        return 1;
-                                }
-
-                                li->li_idassert_authzID.bv_len = STRLENOF( "dn:" ) + ndn.bv_len;
-                                li->li_idassert_authzID.bv_val = ch_malloc( li->li_idassert_authzID.bv_len + 1 );
-                                AC_MEMCPY( li->li_idassert_authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
-                                AC_MEMCPY( &li->li_idassert_authzID.bv_val[ STRLENOF( "dn:" ) ], ndn.bv_val, ndn.bv_len + 1 );
-                                ch_free( ndn.bv_val );
-
-                                li->li_idassert_mode = LDAP_BACK_IDASSERT_OTHERDN;
-                       }
-
-               } else {
-                       li->li_idassert_mode = idassert_mode[i].mask;
-               }
-
-               if ( c->argc > 2 ) {
-                       int     i;
-
-                       for ( i = 2; i < c->argc; i++ ) {
-                               if ( strcasecmp( c->argv[ i ], "override" ) == 0 ) {
-                                       li->li_idassert_flags |= LDAP_BACK_AUTH_OVERRIDE;
-
-                               } else if ( strcasecmp( c->argv[ i ], "prescriptive" ) == 0 ) {
-                                       li->li_idassert_flags |= LDAP_BACK_AUTH_PRESCRIPTIVE;
-
-                               } else if ( strcasecmp( c->argv[ i ], "non-prescriptive" ) == 0 ) {
-                                       li->li_idassert_flags &= ( ~LDAP_BACK_AUTH_PRESCRIPTIVE );
-
-                               } else if ( strcasecmp( c->argv[ i ], "obsolete-proxy-authz" ) == 0 ) {
-                                       if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND ) {
-                                               Debug( LDAP_DEBUG_ANY,
-                                                               "%s: line %d: \"obsolete-proxy-authz\" flag "
-                                                       "in \"idassert-mode <args>\" "
-                                                       "incompatible with previously issued \"obsolete-encoding-workaround\" flag.\n",
-                                                                                               c->fname, c->lineno );
-                                               return 1;
-                                       }
-                                       li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ;
-
-                               } else if ( strcasecmp( c->argv[ i ], "obsolete-encoding-workaround" ) == 0 ) {
-                                       if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) {
-                                               Debug( LDAP_DEBUG_ANY,
-                                                               "%s: line %d: \"obsolete-encoding-workaround\" flag "
-                                                       "in \"idassert-mode <args>\" "
-                                                       "incompatible with previously issued \"obsolete-proxy-authz\" flag.\n",
-                                                                                               c->fname, c->lineno );
-                                               return 1;
-                                       }
-                                       li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND;
-
-                               } else {
-                                       Debug( LDAP_DEBUG_ANY,
-                                               "%s: line %d: unknown flag #%d "
-                                               "in \"idassert-mode <args> "
-                                               "[<flags>]\" line.\n",
-                                               c->fname, c->lineno, i - 2 );
-                                       return 1;
-                               }
-                        }
-                }
-               break;
-
-       case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
-               switch ( li->li_idassert_authmethod ) {
-               case LDAP_AUTH_NONE:
-                       li->li_idassert_authmethod = LDAP_AUTH_SIMPLE;
-                       break;
-
-               case LDAP_AUTH_SIMPLE:
-                       break;
-
-               default:
-                       snprintf( c->cr_msg, sizeof( c->cr_msg ),
-                               "\"idassert-authcDN <DN>\" incompatible "
-                               "with auth method %d",
-                               li->li_idassert_authmethod );
-                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
-                       return 1;
-               }
-               if ( !BER_BVISNULL( &li->li_idassert_authcDN ) ) {
-                       free( li->li_idassert_authcDN.bv_val );
-               }
-               ber_memfree_x( c->value_dn.bv_val, NULL );
-               li->li_idassert_authcDN = c->value_ndn;
-               BER_BVZERO( &c->value_dn );
-               BER_BVZERO( &c->value_ndn );
-               break;
-
-       case LDAP_BACK_CFG_IDASSERT_PASSWD:
-               switch ( li->li_idassert_authmethod ) {
-               case LDAP_AUTH_NONE:
-                       li->li_idassert_authmethod = LDAP_AUTH_SIMPLE;
-                       break;
-
-               case LDAP_AUTH_SIMPLE:
-                       break;
-
-               default:
-                       snprintf( c->cr_msg, sizeof( c->cr_msg ),
-                               "\"idassert-passwd <cred>\" incompatible "
-                               "with auth method %d",
-                               li->li_idassert_authmethod );
-                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
-                       return 1;
-               }
-               if ( !BER_BVISNULL( &li->li_idassert_passwd ) ) {
-                       free( li->li_idassert_passwd.bv_val );
-               }
-               ber_str2bv( c->argv[ 1 ], 0, 1, &li->li_idassert_passwd );
-               break;
-
        case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
                rc = slap_idassert_authzfrom_parse( c, &li->li_idassert );
                break;
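Review bot: The removed `idassert-mode` parser carried the mutual-exclusion check between the `obsolete-proxy-authz` and `obsolete-encoding-workaround` flags (the `else if` chain under `c->argc > 2`), and after this hunk the only remaining way to set identity-assertion flags in this function is `slap_idassert_parse` in the `LDAP_BACK_CFG_IDASSERT_BIND` case of the next hunk. Whether that shared parser enforces the same exclusion is not visible here; if it does not, two settings the old code refused to combine can now be combined through `idassert-bind`. Worth confirming before merge, and a comment on the IDASSERT_BIND case such as `/* flag parsing, including the obsolete-* exclusivity check, lives in slap_idassert_parse */` would document where the check is expected to live. The enclosing switch in ldap_back_cf_gen starts and ends outside this hunk.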
@@ -2030,14 +1722,6 @@ done_url:;
                rc = slap_idassert_passthru_parse( c, &li->li_idassert );
                break;
 
-       case LDAP_BACK_CFG_IDASSERT_METHOD:
-               /* no longer supported */
-               snprintf( c->cr_msg, sizeof( c->cr_msg ),
-                       "\"idassert-method <args>\": "
-                       "no longer supported; use \"idassert-bind\"" );
-               Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
-               return 1;
-
        case LDAP_BACK_CFG_IDASSERT_BIND:
                rc = slap_idassert_parse( c, &li->li_idassert );
                break;
@@ -2338,15 +2022,6 @@ done_url:;
                li->li_flags |= onerr_mode[i].mask;
                break;
 
-       case LDAP_BACK_CFG_REWRITE:
-               snprintf( c->cr_msg, sizeof( c->cr_msg ),
-                       "rewrite/remap capabilities have been moved "
-                       "to the \"rwm\" overlay; see slapo-rwm(5) "
-                       "for details (hint: add \"overlay rwm\" "
-                       "and prefix all directives with \"rwm-\")" );
-               Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
-               return 1;
-
        case LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA:
                if ( c->value_int ) {
                        li->li_flags |= LDAP_BACK_F_OMIT_UNKNOWN_SCHEMA;
@@ -2374,8 +2049,6 @@ int
 ldap_back_init_cf( BackendInfo *bi )
 {
        int                     rc;
-       AttributeDescription    *ad = NULL;
-       const char              *text;
 
        /* Make sure we don't exceed the bits reserved for userland */
        config_check_userland( LDAP_BACK_CFG_LAST );
@@ -2387,32 +2060,6 @@ ldap_back_init_cf( BackendInfo *bi )
                return rc;
        }
 
-       /* setup olcDbAclPasswd and olcDbIDAssertPasswd 
-        * to be base64-encoded when written in LDIF form;
-        * basically, we don't care if it fails */
-       rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
-       if ( rc ) {
-               Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
-                       "warning, unable to get \"olcDbACLPasswd\" "
-                       "attribute description: %d: %s\n",
-                       rc, text );
-       } else {
-               (void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
-                       ad->ad_type->sat_oid );
-       }
-
-       ad = NULL;
-       rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
-       if ( rc ) {
-               Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
-                       "warning, unable to get \"olcDbIDAssertPasswd\" "
-                       "attribute description: %d: %s\n",
-                       rc, text );
-       } else {
-               (void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
-                       ad->ad_type->sat_oid );
-       }
-
        return 0;
 }
 
index 32970c68efdb9d96c73926c70525ff989071e110..73926611ba91caab2420b9e9c4682d9a59b9a4b0 100644 (file)
@@ -91,8 +91,6 @@ enum {
 /* Target attrs */
 enum {
        LDAP_BACK_CFG_URI = LDAP_BACK_CFG_LAST_BOTH,
-       LDAP_BACK_CFG_ACL_AUTHCDN,
-       LDAP_BACK_CFG_ACL_PASSWD,
        LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
        LDAP_BACK_CFG_IDASSERT_BIND,
        LDAP_BACK_CFG_REWRITE,
@@ -127,33 +125,6 @@ static ConfigTable metacfg[] = {
                        "SYNTAX OMsDirectoryString "
                        "SINGLE-VALUE )",
                NULL, NULL },
-       { "acl-authcDN", "DN", 2, 2, 0,
-               ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
-               meta_back_cf_gen, "( OLcfgDbAt:3.2 "
-                       "NAME 'olcDbACLAuthcDn' "
-                       "DESC 'Remote ACL administrative identity' "
-                       "EQUALITY distinguishedNameMatch "
-                       "OBSOLETE "
-                       "SYNTAX OMsDN "
-                       "SINGLE-VALUE )",
-               NULL, NULL },
-       /* deprecated, will be removed; aliases "acl-authcDN" */
-       { "binddn", "DN", 2, 2, 0,
-               ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
-               meta_back_cf_gen, NULL, NULL, NULL },
-       { "acl-passwd", "cred", 2, 2, 0,
-               ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
-               meta_back_cf_gen, "( OLcfgDbAt:3.3 "
-                       "NAME 'olcDbACLPasswd' "
-                       "DESC 'Remote ACL administrative identity credentials' "
-                       "OBSOLETE "
-                       "SYNTAX OMsDirectoryString "
-                       "SINGLE-VALUE )",
-               NULL, NULL },
-       /* deprecated, will be removed; aliases "acl-passwd" */
-       { "bindpw", "cred", 2, 2, 0,
-               ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
-               meta_back_cf_gen, NULL, NULL, NULL },
        { "idassert-bind", "args", 2, 0, 0,
                ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
                meta_back_cf_gen, "( OLcfgDbAt:3.7 "
@@ -506,9 +477,7 @@ static ConfigOCs metaocs[] = {
                "DESC 'Meta target configuration' "
                "SUP olcConfig STRUCTURAL "
                "MUST ( olcMetaSub $ olcDbURI ) "
-               "MAY ( olcDbACLAuthcDn "
-                       "$ olcDbACLPasswd "
-                       "$ olcDbIDAssertAuthzFrom "
+               "MAY ( olcDbIDAssertAuthzFrom "
                        "$ olcDbIDAssertBind "
                        "$ olcDbMap "
                        "$ olcDbRewrite "
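Review bot: Dropping olcDbACLAuthcDn and olcDbACLPasswd from the olcMetaTargetConfig MAY list here, combined with the removal of their attribute definitions (OLcfgDbAt:3.2 and OLcfgDbAt:3.3) in the metacfg hunk above, presumably means an existing cn=config olcMetaTargetConfig entry that still carries either attribute will fail schema checking when the config database is loaded after an upgrade, and that consequence is not stated anywhere in the change. If that is intended, the now-unused OIDs should be reserved so they are never reassigned to a different attribute, e.g. a comment next to the metacfg table such as `/* OLcfgDbAt:3.2 (olcDbACLAuthcDn) and OLcfgDbAt:3.3 (olcDbACLPasswd) retired in ITS#8873; do not reuse */`, and if slapd-meta(5) still documents acl-authcDN/acl-passwd it should be updated with the migration step in the same change. The metaocs initializer starts and ends outside this hunk.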
@@ -1408,15 +1377,6 @@ meta_back_cf_gen( ConfigArgs *c )
                        ber_bvarray_add( &c->rvalue_vals, &bv );
                        } break;
 
-               case LDAP_BACK_CFG_ACL_AUTHCDN:
-               case LDAP_BACK_CFG_ACL_PASSWD:
-                       /* FIXME no point here, there is no code implementing
-                        * their features. Was this supposed to implement
-                        * acl-bind like back-ldap?
-                        */
-                       rc = 1;
-                       break;
-
                case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
                        BerVarray       *bvp;
                        int             i;
@@ -2308,35 +2268,6 @@ meta_back_cf_gen( ConfigArgs *c )
                mc->mc_bind_timeout.tv_usec = c->value_ulong%1000000;
                break;
 
-       case LDAP_BACK_CFG_ACL_AUTHCDN:
-       /* name to use for meta_back_group */
-               if ( strcasecmp( c->argv[ 0 ], "binddn" ) == 0 ) {
-                       Debug( LDAP_DEBUG_ANY, "%s: "
-                               "\"binddn\" statement is deprecated; "
-                               "use \"acl-authcDN\" instead\n",
-                               c->log );
-                       /* FIXME: some day we'll need to throw an error */
-               }
-
-               ber_memfree_x( c->value_dn.bv_val, NULL );
-               mt->mt_binddn = c->value_ndn;
-               BER_BVZERO( &c->value_dn );
-               BER_BVZERO( &c->value_ndn );
-               break;
-
-       case LDAP_BACK_CFG_ACL_PASSWD:
-       /* password to use for meta_back_group */
-               if ( strcasecmp( c->argv[ 0 ], "bindpw" ) == 0 ) {
-                       Debug( LDAP_DEBUG_ANY, "%s "
-                               "\"bindpw\" statement is deprecated; "
-                               "use \"acl-passwd\" instead\n",
-                               c->log );
-                       /* FIXME: some day we'll need to throw an error */
-               }
-
-               ber_str2bv( c->argv[ 1 ], 0L, 1, &mt->mt_bindpw );
-               break;
-
        case LDAP_BACK_CFG_REBIND:
        /* save bind creds for referral rebinds? */
                if ( c->argc == 1 || c->value_int ) {
@@ -2979,8 +2910,6 @@ int
 meta_back_init_cf( BackendInfo *bi )
 {
        int                     rc;
-       AttributeDescription    *ad = NULL;
-       const char              *text;
 
        /* Make sure we don't exceed the bits reserved for userland */
        config_check_userland( LDAP_BACK_CFG_LAST );
@@ -2992,32 +2921,6 @@ meta_back_init_cf( BackendInfo *bi )
                return rc;
        }
 
-       /* setup olcDbAclPasswd and olcDbIDAssertPasswd
-        * to be base64-encoded when written in LDIF form;
-        * basically, we don't care if it fails */
-       rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
-       if ( rc ) {
-               Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
-                       "warning, unable to get \"olcDbACLPasswd\" "
-                       "attribute description: %d: %s\n",
-                       rc, text );
-       } else {
-               (void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
-                       ad->ad_type->sat_oid );
-       }
-
-       ad = NULL;
-       rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
-       if ( rc ) {
-               Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
-                       "warning, unable to get \"olcDbIDAssertPasswd\" "
-                       "attribute description: %d: %s\n",
-                       rc, text );
-       } else {
-               (void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
-                       ad->ad_type->sat_oid );
-       }
-
        return 0;
 }
 
index 5d13f218fc8e2d052c7ff45910325be6ae99ba70..6a329e483f1cd48134016af8746ccccb7d1ea163 100644 (file)
@@ -102,9 +102,7 @@ database    ldap
 suffix         "o=Esempio,c=IT"
 uri            "@URI1@"
 
-acl-authcDN    "cn=Proxy IT,ou=Admin,dc=example,dc=com"
-acl-passwd     proxy
-
+acl-bind       bindmethod=simple binddn="cn=Proxy IT,ou=Admin,dc=example,dc=com" credentials="proxy"
 idassert-bind  bindmethod=simple binddn="cn=Proxy IT,ou=Admin,dc=example,dc=com" credentials="proxy" authzId="dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
 
 # authorizes database