| author | Noriko Hosoi <nhosoi@redhat.com> | 2010-03-08 09:35:02 -0800 |
|---|---|---|
| committer | Noriko Hosoi <nhosoi@redhat.com> | 2010-03-08 09:35:02 -0800 |
| commit | 417e1542fde56d485979daa85d357c5fc14b04d5 (patch) | |
| tree | ee12336cc445506eeabdff62d22558e3f962d36a /ldap/servers/slapd/bind.c | |
| parent | 031e725dce895bf2382ca7801cef772fe6b24c61 (diff) | |
Bug 554573 - ACIs use bind DN from bind req rather than cert mapped DN from sasl/external
https://bugzilla.redhat.com/show_bug.cgi?id=554573
Resolves: bug 554573
Bug Description: ACIs use bind DN from bind req rather than cert mapped DN from sasl/external
Reviewed by: ???
Branch: HEAD
Fix Description: Added a new config option - nsslapd-force-sasl-external (on/off)
default is off - when set to on, a SIMPLE bind on a connection that has set
a DN from a cert will be changed to be a SASL/EXTERNAL bind.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: yes - new attribute to document
Note: This commit is for reapplying the patch I accidentally reverted
by the previous revert (031e725dce895bf2382ca7801cef772fe6b24c61).
(see commit f4b90ed5e43fa06ea6185cf17073b7a32db6ef4c, as well)
commit 031e725dce895bf2382ca7801cef772fe6b24c61
Author: Noriko Hosoi <nhosoi@redhat.com>
Date: Fri Mar 5 16:09:28 2010 -0800
Revert "Merge branch '547503'"
This reverts commit f2a04fdc45cc8a408267019990504354282c4303, reversing
changes made to 0b95451c7e50cb6b2d0cb310dddca18336e1b2ac.
Diffstat (limited to 'ldap/servers/slapd/bind.c')

| -rw-r--r-- | ldap/servers/slapd/bind.c | 14 |
|---|---|---|

1 files changed, 13 insertions, 1 deletions
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c index 3458ff66..d3e90091 100644 --- a/ldap/servers/slapd/bind.c +++ b/ldap/servers/slapd/bind.c @@ -305,7 +305,8 @@ do_bind( Slapi_PBlock *pb ) switch ( version ) { case LDAP_VERSION2: if (method == LDAP_AUTH_SIMPLE - && (dn == NULL || *dn == '\0') && cred.bv_len == 0 + && (config_get_force_sasl_external() || + ((dn == NULL || *dn == '\0') && cred.bv_len == 0)) && pb->pb_conn->c_external_dn != NULL) { /* Treat this like a SASL EXTERNAL Bind: */ method = LDAP_AUTH_SASL; @@ -317,6 +318,17 @@ do_bind( Slapi_PBlock *pb ) } break; case LDAP_VERSION3: + if ((method == LDAP_AUTH_SIMPLE) && + config_get_force_sasl_external() && + (pb->pb_conn->c_external_dn != NULL)) { + /* Treat this like a SASL EXTERNAL Bind: */ + method = LDAP_AUTH_SASL; + saslmech = slapi_ch_strdup (LDAP_SASL_EXTERNAL); + /* This enables a client to establish an identity by sending + * a certificate in the SSL handshake, and also use LDAPv2 + * (by sending this type of Bind request). + */ + } break; default: LDAPDebug( LDAP_DEBUG_TRACE, "bind: unknown LDAP protocol version %d\n", |
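Review bot: In the LDAPv2 hunk, once `config_get_force_sasl_external()` is on the new condition accepts a SIMPLE bind that carries a non-empty DN and password and silently rewrites it to SASL/EXTERNAL, so the supplied DN and credential are never checked and the connection is bound as `pb->pb_conn->c_external_dn`; the original condition only did this for the anonymous-looking case (`dn` empty and `cred.bv_len == 0`). Consider emitting an `LDAPDebug` trace line when the override discards a non-empty bind DN, so an operator can see why the effective identity differs from the one the client asked for, and test the cheap `pb->pb_conn->c_external_dn != NULL` condition before the config lookup so the lookup only runs on connections that actually carry a cert-mapped DN.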
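Review bot: The comment inside the new `case LDAP_VERSION3:` block still says the client may "also use LDAPv2 (by sending this type of Bind request)", which was copied from the v2 branch and is wrong in the v3 branch; reword it to say that a SIMPLE bind on a connection with a cert-mapped DN is upgraded to SASL/EXTERNAL when nsslapd-force-sasl-external is on. The upgrade sequence (`/* Treat this like a SASL EXTERNAL Bind: */`, `method = LDAP_AUTH_SASL;`, `saslmech = slapi_ch_strdup (LDAP_SASL_EXTERNAL);`) is now duplicated in both version branches; a small static helper would keep the two in step and leave one place to add the diagnostic logging.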