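/* proxyOld.c - module for supporting obsolete (rev 05) proxyAuthz control */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
 *
 * Copyright 2005-2011 The OpenLDAP Foundation.
 * Portions Copyright 2005 by Howard Chu, Symas Corp.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.
 */

#include <portable.h>

#include <slap.h>

#include <lber.h>
/*
#include <lber_pvt.h>
#include <lutil.h>
*/

/* This code is based on draft-weltman-ldapv3-proxy-05. There are a lot
 * of holes in that draft, it doesn't specify that the control is legal
 * for Add operations, and it makes no mention of Extended operations.
 * It also doesn't specify whether an empty LDAPDN is allowed in the
 * control value.
 *
 * For usability purposes, we're copying the op / exop behavior from the
 * newer -12 draft.
 */
#define LDAP_CONTROL_PROXY_AUTHZ05 "2.16.840.1.113730.3.4.12"

/* Extended operations on which the -05 control is accepted (NULL-terminated). */
static char *proxyOld_extops[] = {
	LDAP_EXOP_MODIFY_PASSWD,
	LDAP_EXOP_X_WHO_AM_I,
	NULL
};

/*
 * proxyOld_parse - control parser for the rev 05 proxyAuthz control.
 *
 * Decodes the control value, checks that the bound identity (op->o_ndn)
 * is allowed to assume the requested identity, and on success replaces
 * op->o_dn / op->o_ndn with the requested identity. An empty proxyDN
 * makes the operation anonymous; no authorization check is needed for
 * that, since it only drops privileges.
 *
 * Returns LDAP_SUCCESS, or an LDAP result code with rs->sr_text set to
 * a short diagnostic. The control value is never echoed back in
 * rs->sr_text.
 *
 * Memory: dnNormalize() hands back a buffer owned by op->o_tmpmemctx,
 * whereas op->o_dn / op->o_ndn are released with free() (below, and by
 * the operation's owner). To keep those allocators apart, the
 * normalized DN is always copied into op->o_dn / op->o_ndn with
 * ber_dupbv() and the temporary buffer is released with op->o_tmpfree()
 * on every exit path.
 */
static int
proxyOld_parse(
	Operation *op,
	SlapReply *rs,
	LDAPControl *ctrl )
{
	int rc;
	BerElement *ber;
	ber_tag_t tag;
	struct berval dn = BER_BVNULL;
	struct berval authzDN = BER_BVNULL;	/* tmpmemctx-owned, freed at done: */
	struct berval anonDN = BER_BVC( "" );	/* source for the anonymous case */
	struct berval *newDN;

	/* We hijack the flag for the new control. Clearly only one or the
	 * other can be used at any given time.
	 */
	if ( op->o_proxy_authz != SLAP_CONTROL_NONE ) {
		rs->sr_text = "proxy authorization control specified multiple times";
		return LDAP_PROTOCOL_ERROR;
	}

	op->o_proxy_authz = ctrl->ldctl_iscritical
		? SLAP_CONTROL_CRITICAL
		: SLAP_CONTROL_NONCRITICAL;

	/* Parse the control value
	 *	proxyAuthzControlValue ::= SEQUENCE {
	 *		proxyDN	LDAPDN
	 *	}
	 */
	ber = ber_init( &ctrl->ldctl_value );
	if ( ber == NULL ) {
		rs->sr_text = "ber_init failed";
		return LDAP_OTHER;
	}

	/* "m" leaves dn pointing into the BerElement; it stays valid until
	 * ber_free() at done:. */
	tag = ber_scanf( ber, "{m}", &dn );

	if ( tag == LBER_ERROR ) {
		rs->sr_text = "proxyOld control could not be decoded";
		rc = LDAP_OTHER;
		goto done;
	}

	if ( BER_BVISEMPTY( &dn )) {
		/* Empty proxyDN: become anonymous. No authorization check, this
		 * only reduces the requester's privileges. */
		Debug( LDAP_DEBUG_TRACE,
			"proxyOld_parse: conn=%lu anonymous\n",
			op->o_connid, 0, 0 );
		newDN = &anonDN;
	} else {
		Debug( LDAP_DEBUG_ARGS,
			"proxyOld_parse: conn %lu ctrl DN=\"%s\"\n",
			op->o_connid, dn.bv_val, 0 );
		/* Normalize before the authorization check so that the DN the
		 * policy is evaluated against is the one actually installed. */
		rc = dnNormalize( 0, NULL, NULL, &dn, &authzDN, op->o_tmpmemctx );
		if ( rc != LDAP_SUCCESS ) {
			rs->sr_text = "proxyOld control DN is invalid";
			goto done;
		}
		/* The authorization gate: may the bound identity act as authzDN?
		 * Any non-zero result is treated as a refusal. */
		rc = slap_sasl_authorized( op, &op->o_ndn, &authzDN );
		if ( rc ) {
			rs->sr_text = "not authorized to assume identity";
			/* new spec uses LDAP_PROXY_AUTHZ_FAILURE */
			rc = LDAP_INSUFFICIENT_ACCESS;
			goto done;
		}
		newDN = &authzDN;
	}

	/* Install the new identity. Both fields are heap-owned (released with
	 * free()), so store heap copies rather than the tmpmemctx buffer. */
	free( op->o_ndn.bv_val );
	free( op->o_dn.bv_val );
	ber_dupbv( &op->o_ndn, newDN );
	ber_dupbv( &op->o_dn, newDN );

	Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu PROXYOLD dn=\"%s\"\n",
		op->o_connid, op->o_opid,
		op->o_ndn.bv_len ? op->o_ndn.bv_val : "anonymous", 0, 0 );
	rc = LDAP_SUCCESS;

done:
	/* Single release point for the normalized DN, on every path. */
	if ( !BER_BVISNULL( &authzDN ) ) {
		op->o_tmpfree( authzDN.bv_val, op->o_tmpmemctx );
	}
	ber_free( ber, 1 );
	return rc;
}

/*
 * init_module - module entry point.
 *
 * Registers the -05 proxyAuthz OID as a global control, hidden from
 * the root DSE's supportedControl list, accepted on the extended
 * operations listed in proxyOld_extops. argc/argv are unused.
 *
 * Returns the result of register_supported_control().
 */
int init_module(int argc, char *argv[]) {
	return register_supported_control( LDAP_CONTROL_PROXY_AUTHZ05,
		SLAP_CTRL_GLOBAL|SLAP_CTRL_HIDE|SLAP_CTRL_ACCESS, proxyOld_extops,
		proxyOld_parse, NULL );
}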