Bug 554573 - ACIs use bind DN from bind req rather than cert mapped DN from sasl/external

https://bugzilla.redhat.com/show_bug.cgi?id=554573
Resolves: bug 554573
Bug Description: ACIs use bind DN from bind req rather than cert mapped DN from sasl/external
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: Added a new config option - nsslapd-force-sasl-external (on/off)
default is off - when set to on, a SIMPLE bind on a connection that has set
a DN from a cert will be changed to be a SASL/EXTERNAL bind.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: yes - new attribute to document

1 files changed, 2 insertions, 0 deletions

diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index adef7a8a..589756f1 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1869,6 +1869,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_SSL_CHECK_HOSTNAME_ATTRIBUTE "nsslapd-ssl-check-hostname"
 #define CONFIG_HASH_FILTERS_ATTRIBUTE "nsslapd-hash-filters"
 #define CONFIG_OUTBOUND_LDAP_IO_TIMEOUT_ATTRIBUTE "nsslapd-outbound-ldap-io-timeout"
+#define CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE "nsslapd-force-sasl-external"
 
 #ifdef MEMPOOL_EXPERIMENTAL
 #define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool"
@@ -2084,6 +2085,7 @@ typedef struct _slapdFrontendConfig {
   long system_page_size;		/* system page size */
   int system_page_bits;			/* bit count to shift the system page size */
 #endif /* MEMPOOL_EXPERIMENTAL */
+  int force_sasl_external;      /* force SIMPLE bind to be SASL/EXTERNAL if client cert credentials were supplied */
 } slapdFrontendConfig_t;
 
 /* possible values for slapdFrontendConfig_t.schemareplace */