diff options
| author | Nathan Kinder <nkinder@redhat.com> | 2010-10-08 13:10:43 -0700 |
|---|---|---|
| committer | Nathan Kinder <nkinder@redhat.com> | 2010-10-08 13:10:43 -0700 |
| commit | e766b5a9e07666b95d8ba505bd512adccd41d8a3 (patch) | |
| tree | 17a0658dc44db9c9441e5dbc30d8fa2a26546018 /ldap/servers | |
| parent | 3604c48b86e6b6feea63f99bebfecaa346d2bf59 (diff) | |
| download | ds-e766b5a9e07666b95d8ba505bd512adccd41d8a3.tar.gz ds-e766b5a9e07666b95d8ba505bd512adccd41d8a3.tar.xz ds-e766b5a9e07666b95d8ba505bd512adccd41d8a3.zip | |
Bug 631993 - Log authzid when proxy auth control is used
This patch makes the access log entries for search, add, mod, del,
and modrdn operations display the authzid that is used when the
proxy authorization control is sent by the client.
Diffstat (limited to 'ldap/servers')
| -rw-r--r-- | ldap/servers/plugins/acl/acl.h | 2 | ||||
| -rw-r--r-- | ldap/servers/plugins/acl/acleffectiverights.c | 2 | ||||
| -rw-r--r-- | ldap/servers/plugins/acl/aclplugin.c | 2 | ||||
| -rw-r--r-- | ldap/servers/slapd/add.c | 37 | ||||
| -rw-r--r-- | ldap/servers/slapd/delete.c | 32 | ||||
| -rw-r--r-- | ldap/servers/slapd/modify.c | 118 | ||||
| -rw-r--r-- | ldap/servers/slapd/modrdn.c | 34 | ||||
| -rw-r--r-- | ldap/servers/slapd/opshared.c | 44 | ||||
| -rw-r--r-- | ldap/servers/slapd/proxyauth.c (renamed from ldap/servers/plugins/acl/aclproxy.c) | 14 | ||||
| -rw-r--r-- | ldap/servers/slapd/slapi-private.h | 5 |
10 files changed, 240 insertions, 50 deletions
diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h index 3f4b4e62..9634f05c 100644 --- a/ldap/servers/plugins/acl/acl.h +++ b/ldap/servers/plugins/acl/acl.h @@ -822,8 +822,6 @@ void acl_set_aclsignature( short value); void acl_regen_aclsignature(); struct acl_pblock * acl_new_proxy_aclpb( Slapi_PBlock *pb ); void acl_set_authorization_dn( Slapi_PBlock *pb, char *dn, int type ); -int acl_get_proxyauth_dn( Slapi_PBlock *pb, char **proxydnp, - char **errtextp ); void acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *dn, int copy_from_aclcb); int acl_create_aclpb_pool (); diff --git a/ldap/servers/plugins/acl/acleffectiverights.c b/ldap/servers/plugins/acl/acleffectiverights.c index 5edce85b..0335a1e1 100644 --- a/ldap/servers/plugins/acl/acleffectiverights.c +++ b/ldap/servers/plugins/acl/acleffectiverights.c @@ -124,7 +124,7 @@ _ger_g_permission_granted ( /* * The requestor may be either the bind dn or a proxy dn */ - acl_get_proxyauth_dn ( pb, &proxydn, &errtext ); + proxyauth_get_dn ( pb, &proxydn, &errtext ); if ( proxydn != NULL ) { requestor_sdn = slapi_sdn_new_dn_passin ( proxydn ); diff --git a/ldap/servers/plugins/acl/aclplugin.c b/ldap/servers/plugins/acl/aclplugin.c index d54250d5..66ef7071 100644 --- a/ldap/servers/plugins/acl/aclplugin.c +++ b/ldap/servers/plugins/acl/aclplugin.c @@ -220,7 +220,7 @@ aclplugin_preop_common( Slapi_PBlock *pb ) * is the "proxy master". */ proxy_dn = NULL; - if ( LDAP_SUCCESS != ( lderr = acl_get_proxyauth_dn( pb, &proxy_dn, + if ( LDAP_SUCCESS != ( lderr = proxyauth_get_dn( pb, &proxy_dn, &errtext ))) { /* * Fatal error -- send a result to the client and arrange to skip diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c index 0e7d5c83..93f4511b 100644 --- a/ldap/servers/slapd/add.c +++ b/ldap/servers/slapd/add.c @@ -453,12 +453,16 @@ static void op_shared_add (Slapi_PBlock *pb) Slapi_Attr *attr = NULL; Slapi_Entry *referral; char errorbuf[BUFSIZ]; - struct slapdplugin *p = NULL; + struct slapdplugin *p = NULL; + char *proxydn = NULL; + char *proxystr = NULL; + int proxy_err = LDAP_SUCCESS; + char *errtext = NULL; slapi_pblock_get (pb, SLAPI_OPERATION, &operation); slapi_pblock_get (pb, SLAPI_ADD_ENTRY, &e); slapi_pblock_get (pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op); - slapi_pblock_get (pb, SLAPI_IS_LEGACY_REPLICATED_OPERATION, &legacy_op); + slapi_pblock_get (pb, SLAPI_IS_LEGACY_REPLICATED_OPERATION, &legacy_op); internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL); /* target spec is used to decide which plugins are applicable for the operation */ @@ -470,25 +474,42 @@ static void op_shared_add (Slapi_PBlock *pb) goto done; } + /* get the proxy auth dn if the proxy auth control is present */ + proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext); if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) { + if (proxydn) + { + proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn); + } + if ( !internal_op ) { - slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d ADD dn=\"%s\"\n", + slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d ADD dn=\"%s\"%s\n", pb->pb_conn->c_connid, operation->o_opid, - escape_string(slapi_entry_get_dn_const(e), ebuf)); + escape_string(slapi_entry_get_dn_const(e), ebuf), + proxystr ? proxystr : ""); } else { slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d ADD dn=\"%s\"\n", - LOG_INTERNAL_OP_CON_ID, - LOG_INTERNAL_OP_OP_ID, - escape_string(slapi_entry_get_dn_const(e), ebuf)); + LOG_INTERNAL_OP_CON_ID, + LOG_INTERNAL_OP_OP_ID, + escape_string(slapi_entry_get_dn_const(e), ebuf), + proxystr ? proxystr : ""); } } + /* If we encountered an error parsing the proxy control, return an error + * to the client. We do this here to ensure that we log the operation first. */ + if (proxy_err != LDAP_SUCCESS) + { + send_ldap_result(pb, proxy_err, NULL, errtext, 0, NULL); + goto done; + } + /* * We could be serving multiple database backends. Select the * appropriate one. @@ -718,6 +739,8 @@ done: slapi_entry_free(e); valuearray_free(&unhashed_password_vals); slapi_ch_free((void**)&pwdtype); + slapi_ch_free_string(&proxydn); + slapi_ch_free_string(&proxystr); } static void diff --git a/ldap/servers/slapd/delete.c b/ldap/servers/slapd/delete.c index 16d92937..fa7dbe39 100644 --- a/ldap/servers/slapd/delete.c +++ b/ldap/servers/slapd/delete.c @@ -269,6 +269,10 @@ static void op_shared_delete (Slapi_PBlock *pb) Slapi_Entry *ecopy = NULL; char errorbuf[BUFSIZ]; int err; + char *proxydn = NULL; + char *proxystr = NULL; + int proxy_err = LDAP_SUCCESS; + char *errtext = NULL; slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET, &dn); slapi_pblock_get(pb, SLAPI_OPERATION, &operation); @@ -280,24 +284,42 @@ static void op_shared_delete (Slapi_PBlock *pb) /* target spec is used to decide which plugins are applicable for the operation */ operation_set_target_spec (operation, &sdn); + /* get the proxy auth dn if the proxy auth control is present */ + proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext); + if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) { + if (proxydn) + { + proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn); + } + if (!internal_op ) { - slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d DEL dn=\"%s\"\n", + slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d DEL dn=\"%s\"%s\n", pb->pb_conn->c_connid, pb->pb_op->o_opid, - escape_string(dn, ebuf)); + escape_string(dn, ebuf), + proxystr ? proxystr: ""); } else { - slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d DEL dn=\"%s\"\n", + slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d DEL dn=\"%s\"%s\n", LOG_INTERNAL_OP_CON_ID, LOG_INTERNAL_OP_OP_ID, - escape_string(dn, ebuf)); + escape_string(dn, ebuf), + proxystr ? proxystr: ""); } } + /* If we encountered an error parsing the proxy control, return an error + * to the client. We do this here to ensure that we log the operation first. */ + if (proxy_err != LDAP_SUCCESS) + { + send_ldap_result(pb, proxy_err, NULL, errtext, 0, NULL); + goto free_and_return; + } + /* * We could be serving multiple database backends. Select the * appropriate one. @@ -390,4 +412,6 @@ free_and_return: slapi_pblock_get(pb, SLAPI_URP_NAMING_COLLISION_DN, &dn); slapi_ch_free((void **)&dn); slapi_sdn_done(&sdn); + slapi_ch_free_string(&proxydn); + slapi_ch_free_string(&proxystr); } diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c index 3e5b19e3..92b06d78 100644 --- a/ldap/servers/slapd/modify.c +++ b/ldap/servers/slapd/modify.c @@ -585,9 +585,12 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw) Slapi_Operation *operation; char errorbuf[BUFSIZ]; int err; - LDAPMod *lc_mod = NULL; + LDAPMod *lc_mod = NULL; struct slapdplugin *p = NULL; int numattr, i; + char *proxydn = NULL; + int proxy_err = LDAP_SUCCESS; + char *errtext = NULL; slapi_pblock_get (pb, SLAPI_ORIGINAL_TARGET, &dn); slapi_pblock_get (pb, SLAPI_MODIFY_MODS, &mods); @@ -615,22 +618,44 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw) /* target spec is used to decide which plugins are applicable for the operation */ operation_set_target_spec (pb->pb_op, &sdn); + /* get the proxy auth dn if the proxy auth control is present */ + proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext); + if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) { + char *proxystr = NULL; + + if (proxydn) + { + proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn); + } + if ( !internal_op ) { - slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\"\n", + slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\"%s\n", pb->pb_conn->c_connid, pb->pb_op->o_opid, - escape_string(slapi_sdn_get_dn(&sdn), ebuf)); + escape_string(slapi_sdn_get_dn(&sdn), ebuf), + proxystr ? proxystr : ""); } else { - slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d MOD dn=\"%s\"\n", - LOG_INTERNAL_OP_CON_ID, - LOG_INTERNAL_OP_OP_ID, - escape_string(slapi_sdn_get_dn(&sdn), ebuf)); + slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d MOD dn=\"%s\"%s\n", + LOG_INTERNAL_OP_CON_ID, + LOG_INTERNAL_OP_OP_ID, + escape_string(slapi_sdn_get_dn(&sdn), ebuf), + proxystr ? proxystr : ""); } + + slapi_ch_free_string(&proxystr); + } + + /* If we encountered an error parsing the proxy control, return an error + * to the client. We do this here to ensure that we log the operation first. */ + if (proxy_err != LDAP_SUCCESS) + { + send_ldap_result(pb, proxy_err, NULL, errtext, 0, NULL); + goto free_and_return; } /* @@ -919,6 +944,8 @@ free_and_return: if (unhashed_pw_attr) slapi_ch_free ((void**)&unhashed_pw_attr); + + slapi_ch_free_string(&proxydn); } static void remove_mod (Slapi_Mods *smods, const char *type, Slapi_Mods *smod_unhashed) @@ -950,6 +977,10 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old char ebuf[BUFSIZ]; Slapi_Value **values= NULL; Slapi_Operation *operation; + int proxy_err = LDAP_SUCCESS; + char *proxydn = NULL; + char *proxystr = NULL; + char *errtext = NULL; slapi_pblock_get (pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op); if (repl_op) { @@ -965,10 +996,24 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old slapi_pblock_get (pb, SLAPI_PWPOLICY, &pwresponse_req); internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL); - slapi_sdn_init_dn_byref (&sdn, dn); pwpolicy = new_passwdPolicy(pb, (char *)slapi_sdn_get_ndn(&sdn)); + /* get the proxy auth dn if the proxy auth control is present */ + if ((proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext)) != LDAP_SUCCESS) + { + if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) + { + slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\"\n", + pb->pb_conn->c_connid, pb->pb_op->o_opid, + escape_string(slapi_sdn_get_dn(&sdn), ebuf)); + } + + send_ldap_result(pb, proxy_err, NULL, errtext, 0, NULL); + rc = -1; + goto done; + } + /* internal operation has root permisions for subtrees it is allowed to access */ if (!internal_op) { @@ -995,6 +1040,19 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old /* Check if ACIs allow password to be changed */ if ( (res = slapi_acl_check_mods(pb, e, mods, &errtxt)) != LDAP_SUCCESS) { + if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) + { + if (proxydn) + { + proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn); + } + + slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\"%s\n", + pb->pb_conn->c_connid, pb->pb_op->o_opid, + escape_string(slapi_sdn_get_dn(&sdn), ebuf), + proxystr ? proxystr : ""); + } + /* Write access is denied to userPassword by ACIs */ if ( pwresponse_req == 1 ) { slapi_pwpolicy_make_response_control ( pb, -1, -1, @@ -1019,10 +1077,16 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) { - slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\", %s\n", + if (proxydn) + { + proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn); + } + + slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\"%s, %s\n", pb->pb_conn->c_connid, pb->pb_op->o_opid, escape_string(slapi_sdn_get_dn(&sdn), ebuf), - "user is not allowed to change password"); + proxystr ? proxystr : "", + "user is not allowed to change password"); } rc = -1; @@ -1037,20 +1101,27 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old { if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) { + if (proxydn) + { + proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn); + } + if ( !internal_op ) { - slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\", %s\n", + slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\"%s, %s\n", pb->pb_conn->c_connid, pb->pb_op->o_opid, escape_string(slapi_sdn_get_dn(&sdn), ebuf), + proxystr ? proxystr : "", "within password minimum age"); } else { - slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d MOD dn=\"%s\", %s\n", - LOG_INTERNAL_OP_CON_ID, - LOG_INTERNAL_OP_OP_ID, + slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d MOD dn=\"%s\"%s, %s\n", + LOG_INTERNAL_OP_CON_ID, + LOG_INTERNAL_OP_OP_ID, escape_string(slapi_sdn_get_dn(&sdn), ebuf), + proxystr ? proxystr : "", "within password minimum age"); } } @@ -1072,19 +1143,28 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old case 1: /* failed checking */ if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) { + if (proxydn) + { + proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn); + } + if ( !internal_op ) { - slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\", %s\n", + slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\"%s, %s\n", pb->pb_conn->c_connid, pb->pb_op->o_opid, - escape_string(slapi_sdn_get_dn(&sdn), ebuf), "invalid password syntax"); + escape_string(slapi_sdn_get_dn(&sdn), ebuf), + proxystr ? proxystr : "", + "invalid password syntax"); } else { - slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d MOD dn=\"%s\", %s\n", + slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d MOD dn=\"%s\"%s, %s\n", LOG_INTERNAL_OP_CON_ID, LOG_INTERNAL_OP_OP_ID, - escape_string(slapi_sdn_get_dn(&sdn), ebuf), "invalid password syntax"); + escape_string(slapi_sdn_get_dn(&sdn), ebuf), + proxystr ? proxystr : "", + "invalid password syntax"); } } rc = -1; @@ -1103,5 +1183,7 @@ done: slapi_entry_free( e ); slapi_sdn_done (&sdn); delete_passwdPolicy(&pwpolicy); + slapi_ch_free_string(&proxydn); + slapi_ch_free_string(&proxystr); return rc; } diff --git a/ldap/servers/slapd/modrdn.c b/ldap/servers/slapd/modrdn.c index e8084c22..24e444c6 100644 --- a/ldap/servers/slapd/modrdn.c +++ b/ldap/servers/slapd/modrdn.c @@ -438,7 +438,11 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args) Slapi_Operation *operation; Slapi_Entry *referral; char errorbuf[BUFSIZ]; - int err; + int err; + char *proxydn = NULL; + char *proxystr = NULL; + int proxy_err = LDAP_SUCCESS; + char *errtext = NULL; slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET, &dn); slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &newrdn); @@ -479,6 +483,9 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args) slapi_pblock_set(pb, SLAPI_MODRDN_NEWRDN, (void *)newrdn ); slapi_pblock_set(pb, SLAPI_MODRDN_NEWSUPERIOR, (void *)newsuperior); + /* get the proxy auth dn if the proxy auth control is present */ + proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext); + /* * first, log the operation to the access log, * then check rdn and newsuperior, @@ -486,28 +493,43 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args) */ if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) { + if (proxydn) + { + proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn); + } + if ( !internal_op ) { slapi_log_access(LDAP_DEBUG_STATS, - "conn=%" NSPRIu64 " op=%d MODRDN dn=\"%s\" newrdn=\"%s\" newsuperior=\"%s\"\n", + "conn=%" NSPRIu64 " op=%d MODRDN dn=\"%s\" newrdn=\"%s\" newsuperior=\"%s\"%s\n", pb->pb_conn->c_connid, pb->pb_op->o_opid, escape_string(dn, dnbuf), (NULL == newrdn) ? "(null)" : escape_string(newrdn, newrdnbuf), - (NULL == newsuperior) ? "(null)" : escape_string(newsuperior, newsuperiorbuf)); + (NULL == newsuperior) ? "(null)" : escape_string(newsuperior, newsuperiorbuf), + proxystr ? proxystr : ""); } else { slapi_log_access(LDAP_DEBUG_ARGS, - "conn=%s op=%d MODRDN dn=\"%s\" newrdn=\"%s\" newsuperior=\"%s\"\n", + "conn=%s op=%d MODRDN dn=\"%s\" newrdn=\"%s\" newsuperior=\"%s\"%s\n", LOG_INTERNAL_OP_CON_ID, LOG_INTERNAL_OP_OP_ID, escape_string(dn, dnbuf), (NULL == newrdn) ? "(null)" : escape_string(newrdn, newrdnbuf), - (NULL == newsuperior) ? "(null)" : escape_string(newsuperior, newsuperiorbuf)); + (NULL == newsuperior) ? "(null)" : escape_string(newsuperior, newsuperiorbuf), + proxystr ? proxystr : ""); } } + /* If we encountered an error parsing the proxy control, return an error + * to the client. We do this here to ensure that we log the operation first. */ + if (proxy_err != LDAP_SUCCESS) + { + send_ldap_result(pb, proxy_err, NULL, errtext, 0, NULL); + goto free_and_return_nolock; + } + /* check that the rdn is formatted correctly */ if ((rdns = slapi_ldap_explode_rdn(newrdn, 0)) == NULL) { @@ -681,6 +703,8 @@ free_and_return_nolock: slapi_entry_free(pse); slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods ); ldap_mods_free( mods, 1 ); + slapi_ch_free_string(&proxydn); + slapi_ch_free_string(&proxystr); /* retrieve these in case a pre- or post-op plugin has changed them */ slapi_pblock_get(pb, SLAPI_MODRDN_TARGET, &s); diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c index 7aec7910..e271137e 100644 --- a/ldap/servers/slapd/opshared.c +++ b/ldap/servers/slapd/opshared.c @@ -200,7 +200,10 @@ op_shared_search (Slapi_PBlock *pb, int send_result) Slapi_DN sdn; Slapi_Operation *operation; Slapi_Entry *referral = NULL; - + char *proxydn = NULL; + char *proxystr = NULL; + int proxy_err = LDAP_SUCCESS; + char *errtext = NULL; char errorbuf[BUFSIZ]; int nentries,pnentries; int flag_search_base_found = 0; @@ -236,6 +239,9 @@ op_shared_search (Slapi_PBlock *pb, int send_result) flag_psearch = operation_is_flag_set(operation, OP_FLAG_PS); slapi_sdn_init_dn_byref(&sdn, base); + + /* get the proxy auth dn if the proxy auth control is present */ + proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext); if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) { @@ -243,7 +249,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result) #define SLAPD_SEARCH_FMTSTR_BASE "conn=%" NSPRIu64 " op=%d SRCH base=\"%s\" scope=%d " #define SLAPD_SEARCH_FMTSTR_BASE_INT "conn=%s op=%d SRCH base=\"%s\" scope=%d " -#define SLAPD_SEARCH_FMTSTR_REMAINDER " attrs=%s%s\n" +#define SLAPD_SEARCH_FMTSTR_REMAINDER " attrs=%s%s%s\n" PR_ASSERT(fstr); if ( strlen(fstr) > 1024 ) @@ -279,6 +285,11 @@ op_shared_search (Slapi_PBlock *pb, int send_result) 1 /* include quotes */ ); attrliststr = attrlistbuf; } + + if (proxydn) + { + proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn); + } if ( !internal_op ) { @@ -287,7 +298,8 @@ op_shared_search (Slapi_PBlock *pb, int send_result) pb->pb_op->o_opid, escape_string(slapi_sdn_get_dn (&sdn), ebuf), scope, fstr, attrliststr, - flag_psearch ? " options=persistent" : ""); + flag_psearch ? " options=persistent" : "", + proxystr ? proxystr : ""); } else { @@ -296,9 +308,19 @@ op_shared_search (Slapi_PBlock *pb, int send_result) LOG_INTERNAL_OP_OP_ID, escape_string(slapi_sdn_get_dn (&sdn), ebuf), scope, fstr, attrliststr, - flag_psearch ? " options=persistent" : ""); + flag_psearch ? " options=persistent" : "", + proxystr ? proxystr : ""); } } + + /* If we encountered an error parsing the proxy control, return an error + * to the client. We do this here to ensure that we log the operation first. */ + if (proxy_err != LDAP_SUCCESS) + { + rc = -1; + send_ldap_result(pb, proxy_err, NULL, errtext, 0, NULL); + goto free_and_return_nolock; + } slapi_pblock_set(pb, SLAPI_SEARCH_TARGET, (void*)slapi_sdn_get_ndn (&sdn)); @@ -855,6 +877,8 @@ next_be: slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, &rc); index_subsys_filter_decoders_done(pb); slapi_sdn_done(&sdn); + slapi_ch_free_string(&proxydn); + slapi_ch_free_string(&proxystr); } /* Returns 1 if this processing on this entry is finished @@ -1511,12 +1535,22 @@ send_results_ext(Slapi_PBlock *pb, int send_result, int *nentries, int pagesize, void op_shared_log_error_access (Slapi_PBlock *pb, const char *type, const char *dn, const char *msg) { char ebuf[BUFSIZ]; - slapi_log_access( LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d %s dn=\"%s\", %s\n", + char *proxydn = NULL; + char *proxystr = NULL; + + if ((proxyauth_get_dn(pb, &proxydn, NULL) == LDAP_SUCCESS)) { + proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn); + } + + slapi_log_access( LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d %s dn=\"%s\"%s, %s\n", ( pb->pb_conn ? pb->pb_conn->c_connid : 0), ( pb->pb_op ? pb->pb_op->o_opid : 0), type, escape_string( dn, ebuf ), + proxystr ? proxystr : "", msg ? msg : "" ); + slapi_ch_free_string(&proxydn); + slapi_ch_free_string(&proxystr); } diff --git a/ldap/servers/plugins/acl/aclproxy.c b/ldap/servers/slapd/proxyauth.c index 46eb437a..9dbcac88 100644 --- a/ldap/servers/plugins/acl/aclproxy.c +++ b/ldap/servers/slapd/proxyauth.c @@ -32,7 +32,7 @@ * * * Copyright (C) 2001 Sun Microsystems, Inc. Used by permission. - * Copyright (C) 2005 Red Hat, Inc. + * Copyright (C) 2010 Red Hat, Inc. * All rights reserved. * END COPYRIGHT BLOCK **/ @@ -40,7 +40,7 @@ # include <config.h> #endif -#include "acl.h" +#include "slap.h" #define BEGIN do { #define END } while(0); @@ -92,7 +92,7 @@ parse_LDAPProxyAuth(struct berval *spec_ber, int version, char **errtextp, size_t dnlen = 0; BEGIN - ber_tag_t tag; + ber_tag_t tag; if ( version != 1 && version != 2 ) { break; @@ -103,12 +103,12 @@ parse_LDAPProxyAuth(struct berval *spec_ber, int version, char **errtextp, } /* create_LDAPProxyAuth */ - spec = (LDAPProxyAuth*)slapi_ch_calloc(1,sizeof (LDAPProxyAuth)); + spec = (LDAPProxyAuth*)slapi_ch_calloc(1,sizeof (LDAPProxyAuth)); if (!spec) { break; } - ber = ber_init(spec_ber); + ber = ber_init(spec_ber); if (!ber) { break; } @@ -118,7 +118,7 @@ parse_LDAPProxyAuth(struct berval *spec_ber, int version, char **errtextp, } else { tag = ber_scanf(ber, "a", &spec->auth_dn); } - if (tag == LBER_ERROR) { + if (tag == LBER_ERROR) { lderr = LDAP_PROTOCOL_ERROR; break; } @@ -180,7 +180,7 @@ parse_LDAPProxyAuth(struct berval *spec_ber, int version, char **errtextp, * returned if the proxy auth control is not present or not critical. */ int -acl_get_proxyauth_dn( Slapi_PBlock *pb, char **proxydnp, char **errtextp ) +proxyauth_get_dn( Slapi_PBlock *pb, char **proxydnp, char **errtextp ) { char *dn = 0; LDAPProxyAuth *spec = 0; diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h index d6c5c6f3..36808ce7 100644 --- a/ldap/servers/slapd/slapi-private.h +++ b/ldap/servers/slapd/slapi-private.h @@ -825,6 +825,11 @@ void valuearray_add_valuearray_fast( Slapi_Value ***vals, Slapi_Value **addvals, int valuearray_find(const Slapi_Attr *a, Slapi_Value **va, const Slapi_Value *v); int valuearray_normalize_value(Slapi_Value **vals); +/* + * proxyauth.c + */ +int proxyauth_get_dn( Slapi_PBlock *pb, char **proxydnp, char **errtextp ); + /****************************************************************************** * Database plugin interface. |