author | Nathan Kinder <nkinder@redhat.com> | 2010-10-08 13:10:43 -0700 |
---|---|---|
committer | Nathan Kinder <nkinder@redhat.com> | 2010-10-08 13:10:43 -0700 |
commit | e766b5a9e07666b95d8ba505bd512adccd41d8a3 (patch) | |
tree | 17a0658dc44db9c9441e5dbc30d8fa2a26546018 /ldap/servers/slapd/modrdn.c | |
parent | 3604c48b86e6b6feea63f99bebfecaa346d2bf59 (diff) | |
Bug 631993 - Log authzid when proxy auth control is used
This patch makes the access log entries for search, add, mod, del,
and modrdn operations display the authzid that is used when the
proxy authorization control is sent by the client.
Diffstat (limited to 'ldap/servers/slapd/modrdn.c')
-rw-r--r-- | ldap/servers/slapd/modrdn.c | 34 |
1 files changed, 29 insertions, 5 deletions
diff --git a/ldap/servers/slapd/modrdn.c b/ldap/servers/slapd/modrdn.c index e8084c22..24e444c6 100644 --- a/ldap/servers/slapd/modrdn.c +++ b/ldap/servers/slapd/modrdn.c @@ -438,7 +438,11 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args) Slapi_Operation *operation; Slapi_Entry *referral; char errorbuf[BUFSIZ]; - int err; + int err; + char *proxydn = NULL; + char *proxystr = NULL; + int proxy_err = LDAP_SUCCESS; + char *errtext = NULL; slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET, &dn); slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &newrdn); @@ -479,6 +483,9 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args) slapi_pblock_set(pb, SLAPI_MODRDN_NEWRDN, (void *)newrdn ); slapi_pblock_set(pb, SLAPI_MODRDN_NEWSUPERIOR, (void *)newsuperior); + /* get the proxy auth dn if the proxy auth control is present */ + proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext); + /* * first, log the operation to the access log, * then check rdn and newsuperior, 
@@ -486,28 +493,43 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args) */ if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) { + if (proxydn) + { + proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn); + } + if ( !internal_op ) { slapi_log_access(LDAP_DEBUG_STATS, - "conn=%" NSPRIu64 " op=%d MODRDN dn=\"%s\" newrdn=\"%s\" newsuperior=\"%s\"\n", + "conn=%" NSPRIu64 " op=%d MODRDN dn=\"%s\" newrdn=\"%s\" newsuperior=\"%s\"%s\n", pb->pb_conn->c_connid, pb->pb_op->o_opid, escape_string(dn, dnbuf), (NULL == newrdn) ? "(null)" : escape_string(newrdn, newrdnbuf), - (NULL == newsuperior) ? "(null)" : escape_string(newsuperior, newsuperiorbuf)); + (NULL == newsuperior) ? "(null)" : escape_string(newsuperior, newsuperiorbuf), + proxystr ? proxystr : ""); } else { slapi_log_access(LDAP_DEBUG_ARGS, - "conn=%s op=%d MODRDN dn=\"%s\" newrdn=\"%s\" newsuperior=\"%s\"\n", + "conn=%s op=%d MODRDN dn=\"%s\" newrdn=\"%s\" newsuperior=\"%s\"%s\n", LOG_INTERNAL_OP_CON_ID, LOG_INTERNAL_OP_OP_ID, escape_string(dn, dnbuf), (NULL == newrdn) ? "(null)" : escape_string(newrdn, newrdnbuf), - (NULL == newsuperior) ? "(null)" : escape_string(newsuperior, newsuperiorbuf)); + (NULL == newsuperior) ? "(null)" : escape_string(newsuperior, newsuperiorbuf), + proxystr ? proxystr : ""); } } + /* If we encountered an error parsing the proxy control, return an error + * to the client. We do this here to ensure that we log the operation first. */ + if (proxy_err != LDAP_SUCCESS) + { + send_ldap_result(pb, proxy_err, NULL, errtext, 0, NULL); + goto free_and_return_nolock; + } + /* check that the rdn is formatted correctly */ if ((rdns = slapi_ldap_explode_rdn(newrdn, 0)) == NULL) { 
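Review bot: The new `authzid` field is written to the access log unescaped: `proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn);` formats `proxydn` directly, while `dn`, `newrdn` and `newsuperior` in the same `slapi_log_access` calls all pass through `escape_string()`. The proxy DN comes from a client-supplied control, and whether `proxyauth_get_dn` normalizes it is not visible here, so a quote or control character in it could break or forge the log field that auditors rely on. Consider escaping it like its neighbours, e.g. `proxystr = slapi_ch_smprintf(" authzid=\"%s\"", escape_string(proxydn, proxydnbuf));`, with a new `proxydnbuf` declared alongside the existing `dnbuf`. Separately, when `proxy_err != LDAP_SUCCESS` the MODRDN line carries no sign that a proxy control was sent and rejected, so such attempts are only identifiable from the later result; a short comment stating that this is intentional would help. The body of op_shared_rename starts and ends outside this hunk.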
@@ -681,6 +703,8 @@ free_and_return_nolock: slapi_entry_free(pse); slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods ); ldap_mods_free( mods, 1 ); + slapi_ch_free_string(&proxydn); + slapi_ch_free_string(&proxystr); /* retrieve these in case a pre- or post-op plugin has changed them */ slapi_pblock_get(pb, SLAPI_MODRDN_TARGET, &s); |