
openldap  2.4.31
proxyOld.c
00001 /* proxyOld.c - module for supporting obsolete (rev 05) proxyAuthz control */
00002 /* $OpenLDAP$ */
00003 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
00004  *
00005  * Copyright 2005-2012 The OpenLDAP Foundation.
00006  * Portions Copyright 2005 by Howard Chu, Symas Corp.
00007  * All rights reserved.
00008  *
00009  * Redistribution and use in source and binary forms, with or without
00010  * modification, are permitted only as authorized by the OpenLDAP
00011  * Public License.
00012  *
00013  * A copy of this license is available in the file LICENSE in the
00014  * top-level directory of the distribution or, alternatively, at
00015  * <http://www.OpenLDAP.org/license.html>.
00016  */
00017 
00018 #include <portable.h>
00019 
00020 #include <slap.h>
00021 
00022 #include <lber.h>
00023 /*
00024 #include <lber_pvt.h>
00025 #include <lutil.h>
00026 */
00027 
00028 /* This code is based on draft-weltman-ldapv3-proxy-05. There are a lot
00029  * of holes in that draft, it doesn't specify that the control is legal
00030  * for Add operations, and it makes no mention of Extended operations.
00031  * It also doesn't specify whether an empty LDAPDN is allowed in the
00032  * control value.
00033  *
00034  * For usability purposes, we're copying the op / exop behavior from the
00035  * newer -12 draft.
00036  */
/* OID of the obsolete rev-05 proxied authorization control
 * (draft-weltman-ldapv3-proxy-05); this module registers it alongside
 * slapd's parser for the current control.
 */
#define LDAP_CONTROL_PROXY_AUTHZ05 "2.16.840.1.113730.3.4.12"

/* Extended operations on which the control is accepted, NULL-terminated.
 * The -05 draft says nothing about exops; this list follows the newer
 * -12 draft, as explained in the header comment above.
 */
static char *proxyOld_extops[] = {
       LDAP_EXOP_MODIFY_PASSWD,
       LDAP_EXOP_X_WHO_AM_I,
       NULL
};
00044 
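/* Parse the rev-05 proxied authorization control and, if the currently
 * bound identity may assume the requested one, switch the operation's
 * identity (op->o_dn / op->o_ndn) to it.
 *
 * op:   the operation carrying the control; o_ndn is the bound identity
 *       the authorization check is made against, and is replaced on
 *       success.
 * rs:   rs->sr_text receives a diagnostic on every failure path.
 * ctrl: the control; its value must decode as
 *       proxyAuthzControlValue ::= SEQUENCE { proxyDN LDAPDN }.
 *
 * Returns LDAP_SUCCESS; LDAP_PROTOCOL_ERROR if a proxy authorization
 * control was already seen on this operation; LDAP_OTHER if the value
 * cannot be decoded; whatever dnNormalize() returned for a malformed DN;
 * or LDAP_INSUFFICIENT_ACCESS when the identity switch is not authorized.
 */
static int
proxyOld_parse(
	Operation *op,
	SlapReply *rs,
	LDAPControl *ctrl )
{
	int rc;
	BerElement *ber;
	ber_tag_t tag;
	struct berval dn = BER_BVNULL;
	struct berval authzDN = BER_BVNULL;

	/* The flag is shared with the current proxyAuthz control: a request
	 * may carry either the old or the new control, never both, and
	 * neither more than once. It is set before the value is parsed so
	 * that a second copy is rejected even if this one is malformed.
	 */
	if ( op->o_proxy_authz != SLAP_CONTROL_NONE ) {
		rs->sr_text = "proxy authorization control specified multiple times";
		return LDAP_PROTOCOL_ERROR;
	}

	op->o_proxy_authz = ctrl->ldctl_iscritical
		? SLAP_CONTROL_CRITICAL
		: SLAP_CONTROL_NONCRITICAL;

	/* proxyAuthzControlValue ::= SEQUENCE { proxyDN LDAPDN } */
	ber = ber_init( &ctrl->ldctl_value );
	if ( ber == NULL ) {
		rs->sr_text = "ber_init failed";
		return LDAP_OTHER;
	}

	/* "m" hands back dn in place (nothing is allocated), so dn is only
	 * valid while ber lives, i.e. until ber_free() at done:.
	 */
	tag = ber_scanf( ber, "{m}", &dn );
	if ( tag == LBER_ERROR ) {
		rs->sr_text = "proxyOld control could not be decoded";
		rc = LDAP_OTHER;
		goto done;
	}

	if ( BER_BVISEMPTY( &dn )) {
		/* An empty DN means "become anonymous". Dropping privilege needs
		 * no authorization, so slap_sasl_authorized() is deliberately
		 * not consulted on this branch.
		 */
		Debug( LDAP_DEBUG_TRACE,
			"proxyOld_parse: conn=%lu anonymous\n",
			op->o_connid, 0, 0 );
		authzDN.bv_val = ch_strdup("");
	} else {
		Debug( LDAP_DEBUG_ARGS,
			"proxyOld_parse: conn %lu ctrl DN=\"%s\"\n",
			op->o_connid, dn.bv_val, 0 );
		rc = dnNormalize( 0, NULL, NULL, &dn, &authzDN, op->o_tmpmemctx );
		if ( rc != LDAP_SUCCESS ) {
			/* Report this like every other failure path; rc stays
			 * whatever dnNormalize() returned.
			 */
			rs->sr_text = "proxyOld control DN is invalid";
			goto done;
		}
		/* Check against the identity bound on this connection, which is
		 * still in op->o_ndn at this point.
		 */
		rc = slap_sasl_authorized( op, &op->o_ndn, &authzDN );
		if ( rc ) {
			op->o_tmpfree( authzDN.bv_val, op->o_tmpmemctx );
			rs->sr_text = "not authorized to assume identity";
			/* new spec uses LDAP_PROXY_AUTHZ_FAILURE */
			rc = LDAP_INSUFFICIENT_ACCESS;
			goto done;
		}
	}

	/* Swap in the new identity. NOTE(review): the anonymous branch gives
	 * o_ndn a ch_strdup() buffer while the normalized branch gives it a
	 * tmpmemctx allocation; whoever releases op->o_ndn later must cope
	 * with both — confirm this mirrors the newer control's handling.
	 */
	free( op->o_ndn.bv_val );
	free( op->o_dn.bv_val );
	op->o_ndn = authzDN;
	ber_dupbv( &op->o_dn, &authzDN );

	Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu PROXYOLD dn=\"%s\"\n",
		op->o_connid, op->o_opid,
		authzDN.bv_len ? authzDN.bv_val : "anonymous", 0, 0 );
	rc = LDAP_SUCCESS;

done:
	ber_free( ber, 1 );
	return rc;
}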
00123 
/* Module entry point. Registers the rev-05 proxyAuthz control OID with
 * slapd, using proxyOld_parse as its parser and proxyOld_extops as the
 * list of extended operations it applies to. The flags mark the control
 * as global and access-control related; SLAP_CTRL_HIDE presumably keeps
 * it out of the advertised control list. The module arguments are unused.
 *
 * Returns whatever register_supported_control() returns.
 */
int init_module(int argc, char *argv[]) {
	int rc;

	(void)argc;
	(void)argv;

	rc = register_supported_control( LDAP_CONTROL_PROXY_AUTHZ05,
		SLAP_CTRL_GLOBAL|SLAP_CTRL_HIDE|SLAP_CTRL_ACCESS,
		proxyOld_extops, proxyOld_parse, NULL );

	return rc;
}