author | Reyk Floeter <reyk@cvs.openbsd.org> | 2018-05-18 12:36:31 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2018-05-18 12:36:31 +0000 |
commit | 08d9f17863a5b751df9abc2b024a8d53392044e4 (patch) | |
tree | a48b85f964a6231bf0719b5307dd0b031f979bb1 | |
parent | 6bb3d371c4cf0feb88b8db0a973c68cf16d967a5 (diff) |
Add support for attribute filter rules on search/read operations.
OK jmatthew@
-rw-r--r-- | usr.sbin/ldapd/ldapd.conf.5 | 5 | ||||
-rw-r--r-- | usr.sbin/ldapd/parse.y | 8 | ||||
-rw-r--r-- | usr.sbin/ldapd/search.c | 18 |
3 files changed, 18 insertions, 13 deletions
diff --git a/usr.sbin/ldapd/ldapd.conf.5 b/usr.sbin/ldapd/ldapd.conf.5
index fbe16fcec9d..034f8e86744 100644
--- a/usr.sbin/ldapd/ldapd.conf.5
+++ b/usr.sbin/ldapd/ldapd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ldapd.conf.5,v 1.24 2018/05/14 11:10:15 reyk Exp $
+.\" $OpenBSD: ldapd.conf.5,v 1.25 2018/05/18 12:36:30 reyk Exp $
 .\"
 .\" Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
 .\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
@@ -17,7 +17,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .\"
-.Dd $Mdocdate: May 14 2018 $
+.Dd $Mdocdate: May 18 2018 $
 .Dt LDAPD.CONF 5
 .Os
 .Sh NAME
@@ -252,7 +252,6 @@ The scope can be restricted to an optional attribute:
 .Bl -tag -width Ds
 .It attribute Ar name
 The filter rule applies to the specified attribute.
-Attributes can only be specified for write access rules.
 .El
 .Pp
 Finally, the filter rule can match a bind DN:
diff --git a/usr.sbin/ldapd/parse.y b/usr.sbin/ldapd/parse.y
index 68c885852b3..3a634984830 100644
--- a/usr.sbin/ldapd/parse.y
+++ b/usr.sbin/ldapd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.27 2018/05/14 07:53:47 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.28 2018/05/18 12:36:30 reyk Exp $ */
 /*
  * Copyright (c) 2009, 2010 Martin Hedenfalk <martinh@openbsd.org>
@@ -1164,12 +1164,6 @@ mk_aci(int type, int rights, enum scope scope, char *target, char *attr,
 aci->scope, aci->subject ? aci->subject : "any");
- if (aci->attribute && aci->rights != ACI_WRITE) {
- yyerror("attributes only supported for write access filters");
- free(aci);
- return NULL;
- }
-
 return aci;
 }
diff --git a/usr.sbin/ldapd/search.c b/usr.sbin/ldapd/search.c
index 2e965653337..d583c89d6ce 100644
--- a/usr.sbin/ldapd/search.c
+++ b/usr.sbin/ldapd/search.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: search.c,v 1.21 2018/05/16 10:08:47 reyk Exp $ */
+/* $OpenBSD: search.c,v 1.22 2018/05/18 12:36:30 reyk Exp $ */
 /*
  * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
@@ -102,7 +102,7 @@ search_result(const char *dn, size_t dnlen, struct ber_element *attrs,
 struct ber_element *root, *elm, *filtered_attrs = NULL, *link, *a;
 struct ber_element *prev, *next;
 char *adesc;
- void *buf;
+ void *buf, *searchdn = NULL;
 if ((root = ber_add_sequence(NULL)) == NULL)
 goto fail;
@@ -111,10 +111,20 @@ search_result(const char *dn, size_t dnlen, struct ber_element *attrs,
 goto fail;
 link = filtered_attrs;
+ if ((searchdn = strndup(dn, dnlen)) == NULL)
+ goto fail;
+
 for (prev = NULL, a = attrs->be_sub; a; a = next) {
 if (ber_get_string(a->be_sub, &adesc) != 0)
 goto fail;
- if (should_include_attribute(adesc, search, 0)) {
+ /*
+ * Check if read access to the attribute is allowed and if it
+ * should be included in the search result. The attribute is
+ * filtered out in the result if one of these conditions fails.
+ */
+ if (authorized(search->conn, search->ns, ACI_READ,
+ searchdn, adesc, LDAP_SCOPE_BASE) &&
+ should_include_attribute(adesc, search, 0)) {
 next = a->be_next;
 if (prev != NULL)
 prev->be_next = a->be_next; /* unlink a */
@@ -152,11 +162,13 @@ search_result(const char *dn, size_t dnlen, struct ber_element *attrs,
 return -1;
 }
+ free(searchdn);
 return 0;
 fail:
 log_warn("search result");
 if (root)
 ber_free_elements(root);
+ free(searchdn);
 return -1;
 } |
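Review bot: The authorized() test added inside the attribute loop only decides which attributes are copied into the returned entry; it does not appear to influence how the search filter was matched against the entry, which happens before search_result() is reached and is not visible in this hunk. If that filter path does not consult the same ACI_READ rules, a client can still learn the value of an attribute it may not read by filtering on that attribute and observing which entries come back, so the new read rules narrow the response but not the disclosure. Either the filter-evaluation path should go through the same `authorized(search->conn, search->ns, ACI_READ, searchdn, adesc, LDAP_SCOPE_BASE)` check for the attributes the filter names, or ldapd.conf.5 should state that attribute read rules restrict returned attributes only. search_result's body begins and continues outside this hunk.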
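Review bot: The `return -1;` at the top of the third hunk leaves search_result() without releasing `searchdn`, which by that point has been allocated by the `strndup()` added in the previous hunk (a NULL result already branches to `fail`), so that error exit leaks the copy while the success path and the `fail:` label now free it. The block containing that return starts outside the hunk so its condition is not visible, but unless `searchdn` is freed somewhere in the lines not shown it should read `free(searchdn); return -1;`, or use `goto fail` if the extra log_warn() there is acceptable. Alternatively, if nothing after the attribute loop uses `searchdn`, free it immediately after the loop and drop the two added `free(searchdn)` calls, which keeps every exit correct without touching them.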