From: Ondřej Kuzník <ondra@mistotebe.net>
Date: Mon, 27 Apr 2026 11:52:52 +0000 (+0100)
Subject: ITS#10494 backend: Honour require none
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;ds=inline;p=thirdparty%2Fopenldap.git

ITS#10494 backend: Honour require none
---

diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index c33acd0db2..64497b576e 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -1123,7 +1123,11 @@ backend_check_restrictions(
 		}
 
 		restrictops |= op->o_bd->be_restrictops;
-		requires |= op->o_bd->be_requires;
+		if ( op->o_bd->be_requires & SLAP_REQUIRE_NONE ) {
+			requires = op->o_bd->be_requires & ~SLAP_REQUIRE_NONE;
+		} else {
+			requires |= op->o_bd->be_requires;
+		}
 		bssf = &op->o_bd->be_ssf_set.sss_ssf;
 		fssf = &ssfs.sss_ssf;
 		for ( i=0; i < (int)(sizeof(ssfs)/sizeof(slap_ssf_t)); i++ ) {
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index a99c481c60..fe9c5d4567 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -3677,11 +3677,12 @@ config_disallows(ConfigArgs *c) {
 
 static int
 config_requires(ConfigArgs *c) {
-	slap_mask_t requires = frontendDB->be_requires;
+	slap_mask_t requires = 0, have_none = 0;
 	int i, argc = c->argc;
 	char **argv = c->argv;
 
 	slap_verbmasks requires_ops[] = {
+		{ BER_BVC("none"),		SLAP_REQUIRE_NONE },
 		{ BER_BVC("bind"),		SLAP_REQUIRE_BIND },
 		{ BER_BVC("LDAPv3"),		SLAP_REQUIRE_LDAP_V3 },
 		{ BER_BVC("authc"),		SLAP_REQUIRE_AUTHC },
@@ -3704,9 +3705,9 @@ config_requires(ConfigArgs *c) {
 	if ( strcasecmp( c->argv[ 1 ], "none" ) == 0 ) {
 		argv++;
 		argc--;
-		requires = 0;
+		have_none = c->be != frontendDB ? SLAP_REQUIRE_NONE : 0;
 	}
-	i = verbs_to_mask(argc, argv, requires_ops, &requires);
+	i = verbs_to_mask(argc, argv, requires_ops+1, &requires);
 	if ( i ) {
 		if (strcasecmp( c->argv[ i ], "none" ) == 0 ) {
 			snprintf( c->cr_msg, sizeof( c->cr_msg ), "<%s> \"none\" (#%d) must be listed first", c->argv[0], i - 1 );
@@ -3719,7 +3720,7 @@ config_requires(ConfigArgs *c) {
 		}
 		return(1);
 	}
-	c->be->be_requires = requires;
+	c->be->be_requires = requires | have_none;
 	return(0);
 }
 
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 1d520fab9d..b530e175a8 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1992,6 +1992,7 @@ struct BackendDB {
 #define SLAP_REQUIRE_AUTHC		0x0004U	/* authentication before op */
 #define SLAP_REQUIRE_SASL		0x0008U	/* SASL before op  */
 #define SLAP_REQUIRE_STRONG		0x0010U	/* strong authentication before op */
+#define SLAP_REQUIRE_NONE		0x8000U	/* do not inherit require from frontend */
 
 	/* Required Security Strength Factor */
 	slap_ssf_set_t be_ssf_set;