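/* $NetBSD: proxyOld.c,v 1.1.1.4 2014/05/28 09:58:28 tron Exp $ */

/* proxyOld.c - module for supporting obsolete (rev 05) proxyAuthz control */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
 *
 * Copyright 2005-2014 The OpenLDAP Foundation.
 * Portions Copyright 2005 by Howard Chu, Symas Corp.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.
 */

#include <portable.h>

#include <slap.h>

#include <lber.h>
/*
#include <lber_pvt.h>
#include <lutil.h>
*/

/* This code is based on draft-weltman-ldapv3-proxy-05. There are a lot
 * of holes in that draft, it doesn't specify that the control is legal
 * for Add operations, and it makes no mention of Extended operations.
 * It also doesn't specify whether an empty LDAPDN is allowed in the
 * control value.
 *
 * For usability purposes, we're copying the op / exop behavior from the
 * newer -12 draft.
 */
#define LDAP_CONTROL_PROXY_AUTHZ05 "2.16.840.1.113730.3.4.12"

/* Extended operations on which the control is accepted (NULL-terminated). */
static char *proxyOld_extops[] = {
	LDAP_EXOP_MODIFY_PASSWD,
	LDAP_EXOP_X_WHO_AM_I,
	NULL
};

/*
 * Decode the rev-05 proxied authorization control and, when the bound
 * identity is allowed to assume the requested one, replace op->o_dn and
 * op->o_ndn with the requested (normalized) DN.
 *
 * op   - the operation carrying the control; o_proxy_authz, o_dn and
 *        o_ndn are updated in place
 * rs   - reply; rs->sr_text receives a diagnostic on every failure path
 * ctrl - the control to decode; its value is
 *            proxyAuthzControlValue ::= SEQUENCE { proxyDN LDAPDN }
 *
 * Returns LDAP_SUCCESS; LDAP_PROTOCOL_ERROR when a proxy authorization
 * control was already seen on this op; LDAP_OTHER on decode or allocation
 * failure; LDAP_INSUFFICIENT_ACCESS when the bound identity may not assume
 * the requested one; or the error code returned by dnNormalize().
 */
static int
proxyOld_parse(
	Operation *op,
	SlapReply *rs,
	LDAPControl *ctrl )
{
	int rc;
	BerElement *ber;
	ber_tag_t tag;
	struct berval dn = BER_BVNULL;
	struct berval authzDN = BER_BVNULL;


	/* We hijack the flag for the new control. Clearly only one or the
	 * other can be used at any given time.
	 */
	if ( op->o_proxy_authz != SLAP_CONTROL_NONE ) {
		rs->sr_text = "proxy authorization control specified multiple times";
		return LDAP_PROTOCOL_ERROR;
	}

	op->o_proxy_authz = ctrl->ldctl_iscritical
		? SLAP_CONTROL_CRITICAL
		: SLAP_CONTROL_NONCRITICAL;

	/* Parse the control value
	 *	proxyAuthzControlValue ::= SEQUENCE {
	 *		proxyDN LDAPDN
	 *	}
	 */
	ber = ber_init( &ctrl->ldctl_value );
	if ( ber == NULL ) {
		rs->sr_text = "ber_init failed";
		return LDAP_OTHER;
	}

	/* "m" borrows the DN from ber's buffer; dn is only valid until ber_free. */
	tag = ber_scanf( ber, "{m}", &dn );

	if ( tag == LBER_ERROR ) {
		rs->sr_text = "proxyOld control could not be decoded";
		rc = LDAP_OTHER;
		goto done;
	}
	if ( BER_BVISEMPTY( &dn )) {
		/* The -05 draft does not say whether an empty DN is legal;
		 * treat it as a request to become anonymous. */
		Debug( LDAP_DEBUG_TRACE,
			"proxyOld_parse: conn=%lu anonymous\n",
			op->o_connid, 0, 0 );
		authzDN.bv_val = ch_strdup("");
	} else {
		Debug( LDAP_DEBUG_ARGS,
			"proxyOld_parse: conn %lu ctrl DN=\"%s\"\n",
			op->o_connid, dn.bv_val, 0 );
		rc = dnNormalize( 0, NULL, NULL, &dn, &authzDN, op->o_tmpmemctx );
		if ( rc != LDAP_SUCCESS ) {
			/* Give the client a diagnostic, as every other failure path does. */
			rs->sr_text = "proxyOld control: invalid DN";
			goto done;
		}
		/* The bound identity (o_ndn) must be permitted to act as authzDN. */
		rc = slap_sasl_authorized( op, &op->o_ndn, &authzDN );
		if ( rc ) {
			op->o_tmpfree( authzDN.bv_val, op->o_tmpmemctx );
			rs->sr_text = "not authorized to assume identity";
			/* new spec uses LDAP_PROXY_AUTHZ_FAILURE */
			rc = LDAP_INSUFFICIENT_ACCESS;
			goto done;
		}
	}
	/* Swap the op's identity for the authorized one.
	 * NOTE(review): the normalized DN was allocated from op->o_tmpmemctx
	 * (or via ch_strdup for the anonymous case) while the old o_ndn is
	 * released with free(); confirm the allocators agree before relying
	 * on this. */
	free( op->o_ndn.bv_val );
	free( op->o_dn.bv_val );
	op->o_ndn = authzDN;
	/* Clear the just-freed pointer so a failed duplicate below cannot
	 * leave a dangling o_dn behind for the op teardown to free again. */
	BER_BVZERO( &op->o_dn );
	if ( ber_dupbv( &op->o_dn, &authzDN ) == NULL ) {
		rs->sr_text = "proxyOld control: out of memory";
		rc = LDAP_OTHER;
		goto done;
	}

	Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu PROXYOLD dn=\"%s\"\n",
		op->o_connid, op->o_opid,
		authzDN.bv_len ? authzDN.bv_val : "anonymous", 0, 0 );
	rc = LDAP_SUCCESS;
done:
	ber_free( ber, 1 );
	return rc;
}

/*
 * Module entry point: register the rev-05 proxyAuthz control OID with
 * slapd. The control is global, hidden from the root DSE, subject to
 * access checks, and permitted on the exops listed in proxyOld_extops.
 * argc / argv are unused. Returns the register_supported_control() result.
 */
int init_module(int argc, char *argv[]) {
	return register_supported_control( LDAP_CONTROL_PROXY_AUTHZ05,
		SLAP_CTRL_GLOBAL|SLAP_CTRL_HIDE|SLAP_CTRL_ACCESS, proxyOld_extops,
		proxyOld_parse, NULL );
}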