| author | Noriko Hosoi <nhosoi@redhat.com> | 2010-03-08 09:35:02 -0800 |
|---|---|---|
| committer | Noriko Hosoi <nhosoi@redhat.com> | 2010-03-08 09:35:02 -0800 |
| commit | 417e1542fde56d485979daa85d357c5fc14b04d5 (patch) | |
| tree | ee12336cc445506eeabdff62d22558e3f962d36a /ldap/servers/slapd/libglobs.c | |
| parent | 031e725dce895bf2382ca7801cef772fe6b24c61 (diff) | |
Bug 554573 - ACIs use bind DN from bind req rather than cert mapped DN from sasl/external
https://bugzilla.redhat.com/show_bug.cgi?id=554573
Resolves: bug 554573
Bug Description: ACIs use bind DN from bind req rather than cert mapped DN from sasl/external
Reviewed by: ???
Branch: HEAD
Fix Description: Added a new config option - nsslapd-force-sasl-external (on/off)
default is off - when set to on, a SIMPLE bind on a connection that has set
a DN from a cert will be changed to be a SASL/EXTERNAL bind.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: yes - new attribute to document
Note: This commit is for reapplying the patch I accidentally reverted
by the previous revert (031e725dce895bf2382ca7801cef772fe6b24c61).
(see commit f4b90ed5e43fa06ea6185cf17073b7a32db6ef4c, as well)
commit 031e725dce895bf2382ca7801cef772fe6b24c61
Author: Noriko Hosoi <nhosoi@redhat.com>
Date: Fri Mar 5 16:09:28 2010 -0800
Revert "Merge branch '547503'"
This reverts commit f2a04fdc45cc8a408267019990504354282c4303, reversing
changes made to 0b95451c7e50cb6b2d0cb310dddca18336e1b2ac.
Diffstat (limited to 'ldap/servers/slapd/libglobs.c')
| -rw-r--r-- | ldap/servers/slapd/libglobs.c | 35 |
1 files changed, 34 insertions, 1 deletions
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index c4026ac6..89a3c793 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -620,7 +620,11 @@ static struct config_get_and_set {
 (ConfigGetFunc)config_get_anon_access_switch},
 {CONFIG_MINSSF_ATTRIBUTE, config_set_minssf,
 NULL, 0,
- (void**)&global_slapdFrontendConfig.minssf, CONFIG_INT, NULL}
+ (void**)&global_slapdFrontendConfig.minssf, CONFIG_INT, NULL},
+ {CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE, config_set_force_sasl_external,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.force_sasl_external, CONFIG_ON_OFF,
+ (ConfigGetFunc)config_get_force_sasl_external}
 #ifdef MEMPOOL_EXPERIMENTAL
 ,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
 NULL, 0,
@@ -921,6 +925,7 @@ FrontendConfig_init () {
 cfg->rewrite_rfc1274 = LDAP_OFF;
 cfg->schemareplace = slapi_ch_strdup( CONFIG_SCHEMAREPLACE_STR_REPLICATION_ONLY );
 cfg->schema_ignore_trailing_spaces = SLAPD_DEFAULT_SCHEMA_IGNORE_TRAILING_SPACES;
+ cfg->force_sasl_external = LDAP_OFF; /* do not force sasl external by default - let clients abide by the LDAP standards and send us a SASL/EXTERNAL bind if that's what they want to do */
 cfg->pwpolicy_local = LDAP_OFF;
 cfg->pw_policy.pw_change = LDAP_ON;
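Review bot: The default assigned in the second hunk leaves `force_sasl_external` at `LDAP_OFF`, so going by the commit description the behaviour reported in bug 554573 (ACIs evaluated against the DN from the bind request rather than the cert-mapped DN) stays in effect until an administrator turns the option on, and the inline comment does not say so. I would move the roughly 180-column trailing comment onto its own lines above the assignment and add that consequence, e.g. `/* off by default: a SIMPLE bind on a connection with a cert-mapped DN keeps the bind-request DN for ACI evaluation */`. FrontendConfig_init begins and ends outside this hunk.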
@@ -5491,6 +5496,34 @@ config_set_anon_access_switch( const char *attrname, char *value,
 return retVal;
 }
+int
+config_get_force_sasl_external(void)
+{
+ int retVal;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapdFrontendConfig->force_sasl_external;
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+int
+config_set_force_sasl_external( const char *attrname, char *value,
+ char *errorbuf, int apply )
+{
+ int retVal = LDAP_SUCCESS;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ retVal = config_set_onoff(attrname,
+ value,
+ &(slapdFrontendConfig->force_sasl_external),
+ errorbuf,
+ apply);
+
+ return retVal;
+}
+
 /*
 * This function is intended to be used from the dse code modify callback. It |
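Review bot: Neither `config_get_force_sasl_external` nor `config_set_force_sasl_external` has a header comment, although the switch decides which identity a bind ends up with; a short comment above the getter such as `/* nsslapd-force-sasl-external: when on, a SIMPLE bind on a connection that has a cert-mapped DN is treated as SASL/EXTERNAL */` would record that next to the code. In the setter, `int retVal = LDAP_SUCCESS;` is overwritten by the next statement, so the body can simply be `return config_set_onoff(attrname, value, &(slapdFrontendConfig->force_sasl_external), errorbuf, apply);`. The getter reads under `CFG_LOCK_READ` while the setter takes no lock itself; presumably `config_set_onoff` does the write locking, but that function is outside the hunk and worth confirming.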
