diff options
Diffstat (limited to '')
-rw-r--r-- | contrib/slapd-modules/proxyOld/Makefile | 58 | ||||
-rw-r--r-- | contrib/slapd-modules/proxyOld/README | 31 | ||||
-rw-r--r-- | contrib/slapd-modules/proxyOld/proxyOld.c | 128 |
3 files changed, 217 insertions, 0 deletions
diff --git a/contrib/slapd-modules/proxyOld/Makefile b/contrib/slapd-modules/proxyOld/Makefile new file mode 100644 index 0000000..d92967c --- /dev/null +++ b/contrib/slapd-modules/proxyOld/Makefile @@ -0,0 +1,58 @@ +# $OpenLDAP$ +# This work is part of OpenLDAP Software <http://www.openldap.org/>. +# +# Copyright 2005-2022 The OpenLDAP Foundation. +# Portions Copyright 2005 Howard Chu, Symas Corp. All Rights Reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted only as authorized by the OpenLDAP +# Public License. +# +# A copy of this license is available in the file LICENSE in the +# top-level directory of the distribution or, alternatively, at +# <http://www.OpenLDAP.org/license.html>. + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap/libldap.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +CC = gcc +OPT = -g -O2 +DEFS = +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS = proxyOld.la +LTVER = 0:0:0 + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(OPT) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +proxyOld.la: proxyOld.lo + $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + diff --git a/contrib/slapd-modules/proxyOld/README b/contrib/slapd-modules/proxyOld/README new file mode 100644 index 0000000..bc5e4ab --- /dev/null +++ b/contrib/slapd-modules/proxyOld/README @@ -0,0 +1,31 @@ +This directory contains a slapd module proxyOld that provides support +for the obsolete draft-weltman-ldapb3-proxy-05 revision of the LDAP +Proxy Authorization control. It is merely intended to provide compatibility +in environments where other servers only recognize this old control. +New installations should not use this code. + +To use the module, add: + + moduleload <path to>proxyOld.so + ... + +to your slapd configuration file. Since this is an obsolete feature, +the control is registered with the SLAP_CTRL_HIDE flag so that it will +not be advertised in the rootDSE's supportedControls attribute. + +This code only works as a dynamically loaded module. + +--- +This work is part of OpenLDAP Software <http://www.openldap.org/>. + +Copyright 1998-2022 The OpenLDAP Foundation. +Portions Copyright 2005 Howard Chu, Symas Corp. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +A copy of this license is available in the file LICENSE in the +top-level directory of the distribution or, alternatively, at +<http://www.OpenLDAP.org/license.html>. + diff --git a/contrib/slapd-modules/proxyOld/proxyOld.c b/contrib/slapd-modules/proxyOld/proxyOld.c new file mode 100644 index 0000000..2da6888 --- /dev/null +++ b/contrib/slapd-modules/proxyOld/proxyOld.c @@ -0,0 +1,128 @@ +/* proxyOld.c - module for supporting obsolete (rev 05) proxyAuthz control */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2005-2022 The OpenLDAP Foundation. + * Portions Copyright 2005 by Howard Chu, Symas Corp. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#include <portable.h> + +#include <slap.h> + +#include <lber.h> +/* +#include <lber_pvt.h> +#include <lutil.h> +*/ + +/* This code is based on draft-weltman-ldapv3-proxy-05. There are a lot + * of holes in that draft, it doesn't specify that the control is legal + * for Add operations, and it makes no mention of Extended operations. + * It also doesn't specify whether an empty LDAPDN is allowed in the + * control value. + * + * For usability purposes, we're copying the op / exop behavior from the + * newer -12 draft. + */ +#define LDAP_CONTROL_PROXY_AUTHZ05 "2.16.840.1.113730.3.4.12" + +static char *proxyOld_extops[] = { + LDAP_EXOP_MODIFY_PASSWD, + LDAP_EXOP_X_WHO_AM_I, + NULL +}; + +static int +proxyOld_parse( + Operation *op, + SlapReply *rs, + LDAPControl *ctrl ) +{ + int rc; + BerElement *ber; + ber_tag_t tag; + struct berval dn = BER_BVNULL; + struct berval authzDN = BER_BVNULL; + + + /* We hijack the flag for the new control. Clearly only one or the + * other can be used at any given time. + */ + if ( op->o_proxy_authz != SLAP_CONTROL_NONE ) { + rs->sr_text = "proxy authorization control specified multiple times"; + return LDAP_PROTOCOL_ERROR; + } + + op->o_proxy_authz = ctrl->ldctl_iscritical + ? SLAP_CONTROL_CRITICAL + : SLAP_CONTROL_NONCRITICAL; + + /* Parse the control value + * proxyAuthzControlValue ::= SEQUENCE { + * proxyDN LDAPDN + * } + */ + ber = ber_init( &ctrl->ldctl_value ); + if ( ber == NULL ) { + rs->sr_text = "ber_init failed"; + return LDAP_OTHER; + } + + tag = ber_scanf( ber, "{m}", &dn ); + + if ( tag == LBER_ERROR ) { + rs->sr_text = "proxyOld control could not be decoded"; + rc = LDAP_OTHER; + goto done; + } + if ( BER_BVISEMPTY( &dn )) { + Debug( LDAP_DEBUG_TRACE, + "proxyOld_parse: conn=%lu anonymous\n", + op->o_connid ); + authzDN.bv_val = ch_strdup(""); + } else { + Debug( LDAP_DEBUG_ARGS, + "proxyOld_parse: conn %lu ctrl DN=\"%s\"\n", + op->o_connid, dn.bv_val ); + rc = dnNormalize( 0, NULL, NULL, &dn, &authzDN, op->o_tmpmemctx ); + if ( rc != LDAP_SUCCESS ) { + goto done; + } + rc = slap_sasl_authorized( op, &op->o_ndn, &authzDN ); + if ( rc ) { + op->o_tmpfree( authzDN.bv_val, op->o_tmpmemctx ); + rs->sr_text = "not authorized to assume identity"; + /* new spec uses LDAP_PROXY_AUTHZ_FAILURE */ + rc = LDAP_INSUFFICIENT_ACCESS; + goto done; + } + } + free( op->o_ndn.bv_val ); + free( op->o_dn.bv_val ); + op->o_ndn = authzDN; + ber_dupbv( &op->o_dn, &authzDN ); + + Debug( LDAP_DEBUG_STATS, "conn=%lu op=%lu PROXYOLD dn=\"%s\"\n", + op->o_connid, op->o_opid, + authzDN.bv_len ? authzDN.bv_val : "anonymous" ); + rc = LDAP_SUCCESS; +done: + ber_free( ber, 1 ); + return rc; +} + +int init_module(int argc, char *argv[]) { + return register_supported_control( LDAP_CONTROL_PROXY_AUTHZ05, + SLAP_CTRL_GLOBAL|SLAP_CTRL_HIDE|SLAP_CTRL_ACCESS, proxyOld_extops, + proxyOld_parse, NULL ); +} |