From bbd73eddf3e4cc0fed3f3dcb0a57b05877f752fc Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Mon, 8 Apr 2013 23:04:30 -0400
Subject: [PATCH] Ticket 77 - [RFE] Add ACI support for ldapi
RFE Description: Add support for LDAPI connection types in access control.
Fix Description: Extended the authMethod keyword to include LDAPI. (targetattr = "*") (version 3.0;acl "ldapi";allow (all)(userdn = "ldap:///anyone" and authmethod = "ldapi" or ip = "127.0.0.1");)
https://fedorahosted.org/389/ticket/77
Reviewed by: ?
---
 ldap/servers/plugins/acl/acl.h | 2 ++
 ldap/servers/plugins/acl/acl_ext.c | 18 ++++++++++++++++--
 ldap/servers/plugins/acl/aclinit.c | 2 +-
 ldap/servers/plugins/acl/acllas.c | 19 +++++++++++++++----
 ldap/servers/slapd/libslapd.def | 1 +
 ldap/servers/slapd/pblock.c | 9 +++++++++
 ldap/servers/slapd/slapi-plugin.h | 9 +++++++++
 7 files changed, 53 insertions(+), 7 deletions(-)
diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
index 5e840a9..0eb8570 100644
--- a/ldap/servers/plugins/acl/acl.h
+++ b/ldap/servers/plugins/acl/acl.h
@@ -209,6 +209,7 @@ typedef enum
 #define DS_ATTR_AUTHTYPE "authtype"
 #define DS_ATTR_CERT "clientcert"
 #define DS_ATTR_SSF "ssf"
+#define DS_ATTR_LDAPI "ldapi"
 #define ACL_ANOM_MAX_ACL 40
 struct scoped_entry_anominfo {
@@ -664,6 +665,7 @@ typedef struct {
 Acl_PBlock *aclpb;
 Slapi_Entry *resourceEntry;
 int ssf;
+ char *ldapi;
 }lasInfo;
diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c
index f8699b4..b3f9072 100644
--- a/ldap/servers/plugins/acl/acl_ext.c
+++ b/ldap/servers/plugins/acl/acl_ext.c
@@ -446,7 +446,6 @@ acl__handle_plugin_config_entry (Slapi_Entry *e, void *callback_data )
 int acl_create_aclpb_pool ()
 {
- Acl_PBlock *aclpb;
 Acl_PBlock *prev_aclpb;
 Acl_PBlock *first_aclpb;
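Review bot: DS_ATTR_LDAPI does double duty that the header does not say: it is the property-list key assigned in acl_init_aclpb and also the literal compared against the ACI `authmethod` keyword in DS_LASAuthMethodEval, so renaming the property would silently change the ACI syntax. A comment on the define such as `/* plist key AND the value accepted by the ACI authmethod keyword */` would make that coupling visible. Likewise the new `char *ldapi` member of lasInfo is a presence flag rather than a string to be read — it is NULL or the literal "yes" that acl_init_aclpb stores — and deserves `/* non-NULL only when the bound connection is LDAPI (set via DS_ATTR_LDAPI) */`. The enum and typedef these hunks touch both start outside the hunk.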
@@ -648,6 +647,11 @@ acl__malloc_aclpb ( )
 "Unable to set the AUTH TYPE in the Plist\n");
 goto error;
 }
+ if (PListInitProp(aclpb->aclpb_proplist, 0, DS_ATTR_LDAPI, aclpb, 0) < 0) {
+ slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
+ "Unable to set the AUTH TYPE in the Plist\n");
+ goto error;
+ }
 if (PListInitProp(aclpb->aclpb_proplist, 0, DS_ATTR_ENTRY, aclpb, 0) < 0) {
 slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
 "Unable to set the ENTRY TYPE in the Plist\n");
@@ -771,7 +775,7 @@ acl__free_aclpb ( Acl_PBlock **aclpb_ptr)
 /* Initializes the aclpb */
 void
-acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *ndn, int copy_from_aclcb)
+acl_init_aclpb ( Slapi_PBlock *pb, Acl_PBlock *aclpb, const char *ndn, int copy_from_aclcb)
 {
 struct acl_cblock *aclcb = NULL;
 char *authType;
@@ -818,6 +822,13 @@ acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *ndn, int copy
 "Unable to set the AUTH TYPE in the Plist\n");
 return;
 }
+ if(slapi_is_ldapi_conn(pb)){
+ if(PListAssignValue(aclpb->aclpb_proplist, DS_ATTR_LDAPI, "yes", 0) < 0){
+ slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
+ "Unable to set the AUTH TYPE in the Plist\n");
+ return;
+ }
+ }
 slapi_pblock_get ( pb, SLAPI_OPERATION_SSF, &ssf);
 if (PListAssignValue(aclpb->aclpb_proplist, DS_ATTR_SSF, (const void *)ssf, 0) < 0) {
 slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
@@ -1036,6 +1047,9 @@ acl__done_aclpb ( struct acl_pblock *aclpb )
 PListDeleteProp(aclpb->aclpb_proplist, rc, NULL);
 }
+ /* reset the LDAPI property */
+ PListAssignValue(aclpb->aclpb_proplist, DS_ATTR_LDAPI, NULL, 0);
+
 /*
 * Remove the DS_ATTR_IP property from the property list.
 * The value of this property is just the property pointer
diff --git a/ldap/servers/plugins/acl/aclinit.c b/ldap/servers/plugins/acl/aclinit.c
index 9628075..12efa74 100644
--- a/ldap/servers/plugins/acl/aclinit.c
+++ b/ldap/servers/plugins/acl/aclinit.c
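Review bot: The failure message in the new PListInitProp block in acl__malloc_aclpb is copied from the AUTH TYPE case, so an LDAPI property-init failure would be logged as an AUTH TYPE failure; change it to `"Unable to set the LDAPI property in the Plist\n"`. The same copied message appears in the new slapi_is_ldapi_conn block added to acl_init_aclpb further down this file section. acl__malloc_aclpb begins before this hunk.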
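Review bot: In acl_init_aclpb the DS_ATTR_LDAPI property is only written on the LDAPI path, so for a non-LDAPI connection the pooled Acl_PBlock keeps whatever value it held before, and correctness of the new `authmethod = "ldapi"` keyword depends entirely on the reset added in acl__done_aclpb running on every path that releases an aclpb; any path that skips it would leave a stale "yes" that lets a TCP client satisfy an LDAPI-only rule. Assigning on both paths is cheap and removes that dependency: `if (PListAssignValue(aclpb->aclpb_proplist, DS_ATTR_LDAPI, slapi_is_ldapi_conn(pb) ? "yes" : NULL, 0) < 0) {`. The reset in acl__done_aclpb also discards PListAssignValue's return value, unlike every other PList call in these hunks; I cannot confirm from the hunk whether a NULL value is accepted, so at least log a failure there. acl_init_aclpb continues outside the hunk.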
@@ -547,7 +547,7 @@ __aclinit__RegisterLases(void)
 return ACL_ERR;
 }
 if (ACL_LasRegister(NULL, DS_LAS_AUTHMETHOD,
- (LASEvalFunc_t)DS_LASAuthMethodEval,
+ (LASEvalFunc_t)DS_LASAuthMethodEval,
 (LASFlushFunc_t)NULL) < 0) {
 slapi_log_error (SLAPI_LOG_FATAL, plugin_name,
 "Unable to register CLIENTAUTHTYPE Las\n");
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index 5bcb482..eb440e7 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -1684,7 +1684,9 @@ DS_LASAuthMethodEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 /* None method means, we don't care -- otherwise we care */
 if ((strcasecmp(attr, "none") == 0) ||
- (strcasecmp(attr, lasinfo.authType) == 0)) {
+ (strcasecmp(attr, lasinfo.authType) == 0) ||
+ (lasinfo.ldapi && strcasecmp(attr, DS_ATTR_LDAPI) == 0))
+ {
 matched = ACL_TRUE;
 }
@@ -3678,6 +3680,7 @@ acllas__handle_client_search ( Slapi_Entry *e, void *callback_data )
 aclpb->aclpb_client_entry = slapi_entry_dup ( e );
 return 0;
 }
+
 /*
 *
 * Do all the necessary setup for all the
@@ -3694,7 +3697,6 @@ acllas__handle_client_search ( Slapi_Entry *e, void *callback_data )
 * #define LAS_EVAL_FAIL -4
 * #define LAS_EVAL_INVALID -5
 */
-
 static int
 __acllas_setup ( NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 int allow_range, char *attr_pattern, int *cachable, void **LAS_cookie,
@@ -3750,8 +3752,8 @@ __acllas_setup ( NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 return LAS_EVAL_FAIL;
 }
- if ((rc = PListFindValue(subject, DS_ATTR_ENTRY,
- (void **)&linfo->resourceEntry, NULL)) < 0) {
+ if ((rc = PListFindValue(subject, DS_ATTR_ENTRY,
+ (void **)&linfo->resourceEntry, NULL)) < 0){
 acl_print_acllib_err(errp, NULL);
 slapi_log_error( SLAPI_LOG_ACL, plugin_name,
 "%s:Unable to get the Slapi_Entry attr(%d)\n",lasName, rc);
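Review bot: The new clause in DS_LASAuthMethodEval tests `lasinfo.ldapi` for non-NULL rather than inspecting its content, which is only correct as long as acl_init_aclpb stores exactly "yes" or NULL under DS_ATTR_LDAPI; nothing in this function states that contract. A comment on the clause, `/* lasinfo.ldapi is non-NULL only for a connection over the LDAPI socket */`, would carry it. Because the clause is OR-ed with the authType comparison, `authmethod = "ldapi"` matches whatever bind method the LDAPI client used — simple, SASL or anonymous alike — which is what the RFE asks for but is worth saying in the same comment so nobody later reads "ldapi" as an authentication strength. DS_LASAuthMethodEval starts before this hunk.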
@@ -3767,6 +3769,15 @@ __acllas_setup ( NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 "%s:Unable to get the ACLPB(%d)\n", lasName, rc);
 return LAS_EVAL_FAIL;
 }
+
+ /* LDAPI? */
+ if ((rc = PListFindValue(subject, DS_ATTR_LDAPI, (void **)&linfo->ldapi, NULL)) < 0){
+ slapi_log_error( SLAPI_LOG_ACL, plugin_name,
+ "%s:Unable to get LDAPI value(%d)\n", lasName, rc);
+
+ return LAS_EVAL_FAIL;
+ }
+
 if (NULL == attr_pattern ) {
 slapi_log_error( SLAPI_LOG_ACL, plugin_name,
 "%s:No rule value in the ACL\n", lasName);
diff --git a/ldap/servers/slapd/libslapd.def b/ldap/servers/slapd/libslapd.def
index 70a2993..4b7cd7b 100644
--- a/ldap/servers/slapd/libslapd.def
+++ b/ldap/servers/slapd/libslapd.def
@@ -1199,3 +1199,4 @@ EXPORTS
 config_get_pw_mincategories @1206
 config_get_pw_mintokenlength @1207
 slapi_check_account_lock @1208
+ slapi_is_ldapi_conn @1209
diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
index 8d8c66f..d88d224 100644
--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
@@ -3535,6 +3535,15 @@ slapi_pblock_set( Slapi_PBlock *pblock, int arg, void *value )
 return( 0 );
 }
+int
+slapi_is_ldapi_conn(Slapi_PBlock *pb)
+{
+ if(pb && pb->pb_conn){
+ return pb->pb_conn->c_unix_local;
+ } else {
+ return 0;
+ }
+}
 /*
 * Clears (and free's as appropriate) the bind DN and related credentials
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index f2dc6af..25ccb00 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
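Review bot: The new DS_ATTR_LDAPI lookup in __acllas_setup turns any PListFindValue result below zero into LAS_EVAL_FAIL for every LAS, and after acl__done_aclpb resets the property to NULL every non-LDAPI request takes this path; if PListFindValue reports a property whose value is NULL as an error instead of returning rc >= 0 with *pvalue set to NULL, all ACI evaluation for TCP clients would fail closed. I cannot confirm PListFindValue's treatment of NULL values from the hunk, so that needs checking before merge. The error branch also omits the `acl_print_acllib_err(errp, NULL);` that the DS_ATTR_ENTRY lookup just above calls, so the ACL library's own error code is lost from the log, and `/* LDAPI? */` would be more useful as `/* DS_ATTR_LDAPI is NULL unless the bound connection came in over the LDAPI socket */`. __acllas_setup continues outside the hunk.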
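Review bot: slapi_is_ldapi_conn returns `pb->pb_conn->c_unix_local` unchanged, while the Doxygen comment added in slapi-plugin.h promises exactly 1 or 0; if that field can hold any other non-zero value, a caller comparing against 1 would misclassify the connection. Either normalize, `return pb->pb_conn->c_unix_local ? 1 : 0;`, or document that any non-zero return means LDAPI. The function also reads pb_conn without taking any lock; if c_unix_local is fixed when the connection is accepted and never written afterwards, a one-line comment saying so would justify the lock-free read — I cannot see the field's declaration or writers from this hunk.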
@@ -6067,6 +6067,15 @@ int slapi_back_transaction_commit(Slapi_PBlock *pb);
 */
 int slapi_back_transaction_abort(Slapi_PBlock *pb);
+/**
+ * Checks if the connection type is LDAPI
+ *
+ * \param pb Parameter block.
+ *
+ * \return \c 1 if connection type is LDAPI
+ * \return \c 0 if connection is not LDAPI
+ */
+int slapi_is_ldapi_conn(Slapi_PBlock *pb);
 int slapi_be_is_flag_set(Slapi_Backend * be, int flag);
 void slapi_be_set_flag(Slapi_Backend * be, int flag);
--
1.7.1
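Review bot: The Doxygen block for slapi_is_ldapi_conn does not describe the case the implementation in pblock.c handles explicitly: a NULL \a pb, or a \a pb with no connection attached, also yields 0, and acl_init_aclpb relies on that to treat such operations as non-LDAPI. Add `\return \c 0 if \a pb is NULL or carries no connection` beside the existing return lines so callers know the function is safe to call on internal operations.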