1 /* proxyOld.c - module for supporting obsolete (rev 05) proxyAuthz control */ 2 /* $OpenLDAP: pkg/ldap/contrib/slapd-modules/proxyOld/proxyOld.c,v 1.1 2006/03/30 06:22:39 hyc Exp $ */ 3 /* 4 * Copyright 2005 by Howard Chu, Symas Corp. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted only as authorized by the OpenLDAP 9 * Public License. 10 * 11 * A copy of this license is available in the file LICENSE in the 12 * top-level directory of the distribution or, alternatively, at 13 * <http://www.OpenLDAP.org/license.html>. 14 */ 15 16 #include <portable.h> 17 18 #include <slap.h> 19 20 #include <lber.h> 21 /* 22 #include <lber_pvt.h> 23 #include <lutil.h> 24 */ 25 26 /* This code is based on draft-weltman-ldapv3-proxy-05. There are a lot 27 * of holes in that draft, it doesn't specify that the control is legal 28 * for Add operations, and it makes no mention of Extended operations. 29 * It also doesn't specify whether an empty LDAPDN is allowed in the 30 * control value. 31 * 32 * For usability purposes, we're copying the op / exop behavior from the 33 * newer -12 draft. 34 */ 35 #define LDAP_CONTROL_PROXY_AUTHZ05 "2.16.840.1.113730.3.4.12" 36 37 static char *proxyOld_extops[] = { 38 LDAP_EXOP_MODIFY_PASSWD, 39 LDAP_EXOP_X_WHO_AM_I, 40 NULL 41 }; 42 43 static int 44 proxyOld_parse( 45 Operation *op, 46 SlapReply *rs, 47 LDAPControl *ctrl ) 48 { 49 int rc; 50 BerElement *ber; 51 ber_tag_t tag; 52 struct berval dn = BER_BVNULL; 53 struct berval authzDN = BER_BVNULL; 54 55 56 /* We hijack the flag for the new control. Clearly only one or the 57 * other can be used at any given time. 58 */ 59 if ( op->o_proxy_authz != SLAP_CONTROL_NONE ) { 60 rs->sr_text = "proxy authorization control specified multiple times"; 61 return LDAP_PROTOCOL_ERROR; 62 } 63 64 op->o_proxy_authz = ctrl->ldctl_iscritical 65 ? SLAP_CONTROL_CRITICAL 66 : SLAP_CONTROL_NONCRITICAL; 67 68 /* Parse the control value 69 * proxyAuthzControlValue ::= SEQUENCE { 70 * proxyDN LDAPDN 71 * } 72 */ 73 ber = ber_init( &ctrl->ldctl_value ); 74 if ( ber == NULL ) { 75 rs->sr_text = "ber_init failed"; 76 return LDAP_OTHER; 77 } 78 79 tag = ber_scanf( ber, "{m}", &dn ); 80 81 if ( tag == LBER_ERROR ) { 82 rs->sr_text = "proxyOld control could not be decoded"; 83 rc = LDAP_OTHER; 84 goto done; 85 } 86 if ( BER_BVISEMPTY( &dn )) { 87 Debug( LDAP_DEBUG_TRACE, 88 "proxyOld_parse: conn=%lu anonymous\n", 89 op->o_connid, 0, 0 ); 90 authzDN.bv_val = ch_strdup(""); 91 } else { 92 Debug( LDAP_DEBUG_ARGS, 93 "proxyOld_parse: conn %lu ctrl DN=\"%s\"\n", 94 op->o_connid, dn.bv_val, 0 ); 95 rc = dnNormalize( 0, NULL, NULL, &dn, &authzDN, op->o_tmpmemctx ); 96 if ( rc != LDAP_SUCCESS ) { 97 goto done; 98 } 99 rc = slap_sasl_authorized( op, &op->o_ndn, &authzDN ); 100 if ( rc ) { 101 op->o_tmpfree( authzDN.bv_val, op->o_tmpmemctx ); 102 rs->sr_text = "not authorized to assume identity"; 103 /* new spec uses LDAP_PROXY_AUTHZ_FAILURE */ 104 rc = LDAP_INSUFFICIENT_ACCESS; 105 goto done; 106 } 107 } 108 free( op->o_ndn.bv_val ); 109 free( op->o_dn.bv_val ); 110 op->o_ndn = authzDN; 111 ber_dupbv( &op->o_dn, &authzDN ); 112 113 Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu PROXYOLD dn=\"%s\"\n", 114 op->o_connid, op->o_opid, 115 authzDN.bv_len ? authzDN.bv_val : "anonymous", 0, 0 ); 116 rc = LDAP_SUCCESS; 117 done: 118 ber_free( ber, 1 ); 119 return rc; 120 } 121 122 int init_module(int argc, char *argv[]) { 123 return register_supported_control( LDAP_CONTROL_PROXY_AUTHZ05, 124 SLAP_CTRL_GLOBAL|SLAP_CTRL_HIDE|SLAP_CTRL_ACCESS, proxyOld_extops, 125 proxyOld_parse, NULL ); 126 } 127