authorReyk Floeter <reyk@cvs.openbsd.org>2018-05-18 12:36:31 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2018-05-18 12:36:31 +0000
commit08d9f17863a5b751df9abc2b024a8d53392044e4 (patch)
treea48b85f964a6231bf0719b5307dd0b031f979bb1
parent6bb3d371c4cf0feb88b8db0a973c68cf16d967a5 (diff)
Add support for attribute filter rules on search/read operations.
OK jmatthew@
-rw-r--r--usr.sbin/ldapd/ldapd.conf.55
-rw-r--r--usr.sbin/ldapd/parse.y8
-rw-r--r--usr.sbin/ldapd/search.c18
3 files changed, 18 insertions, 13 deletions
diff --git a/usr.sbin/ldapd/ldapd.conf.5 b/usr.sbin/ldapd/ldapd.conf.5
index fbe16fcec9d..034f8e86744 100644
--- a/usr.sbin/ldapd/ldapd.conf.5
+++ b/usr.sbin/ldapd/ldapd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ldapd.conf.5,v 1.24 2018/05/14 11:10:15 reyk Exp $
+.\" $OpenBSD: ldapd.conf.5,v 1.25 2018/05/18 12:36:30 reyk Exp $
.\"
.\" Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
@@ -17,7 +17,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\"
-.Dd $Mdocdate: May 14 2018 $
+.Dd $Mdocdate: May 18 2018 $
.Dt LDAPD.CONF 5
.Os
.Sh NAME
@@ -252,7 +252,6 @@ The scope can be restricted to an optional attribute:
.Bl -tag -width Ds
.It attribute Ar name
The filter rule applies to the specified attribute.
-Attributes can only be specified for write access rules.
.El
.Pp
Finally, the filter rule can match a bind DN:
diff --git a/usr.sbin/ldapd/parse.y b/usr.sbin/ldapd/parse.y
index 68c885852b3..3a634984830 100644
--- a/usr.sbin/ldapd/parse.y
+++ b/usr.sbin/ldapd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.27 2018/05/14 07:53:47 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.28 2018/05/18 12:36:30 reyk Exp $ */
/*
* Copyright (c) 2009, 2010 Martin Hedenfalk <martinh@openbsd.org>
@@ -1164,12 +1164,6 @@ mk_aci(int type, int rights, enum scope scope, char *target, char *attr,
aci->scope,
aci->subject ? aci->subject : "any");
- if (aci->attribute && aci->rights != ACI_WRITE) {
- yyerror("attributes only supported for write access filters");
- free(aci);
- return NULL;
- }
-
return aci;
}
diff --git a/usr.sbin/ldapd/search.c b/usr.sbin/ldapd/search.c
index 2e965653337..d583c89d6ce 100644
--- a/usr.sbin/ldapd/search.c
+++ b/usr.sbin/ldapd/search.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: search.c,v 1.21 2018/05/16 10:08:47 reyk Exp $ */
+/* $OpenBSD: search.c,v 1.22 2018/05/18 12:36:30 reyk Exp $ */
/*
* Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
@@ -102,7 +102,7 @@ search_result(const char *dn, size_t dnlen, struct ber_element *attrs,
struct ber_element *root, *elm, *filtered_attrs = NULL, *link, *a;
struct ber_element *prev, *next;
char *adesc;
- void *buf;
+ void *buf, *searchdn = NULL;
if ((root = ber_add_sequence(NULL)) == NULL)
goto fail;
@@ -111,10 +111,20 @@ search_result(const char *dn, size_t dnlen, struct ber_element *attrs,
goto fail;
link = filtered_attrs;
+ if ((searchdn = strndup(dn, dnlen)) == NULL)
+ goto fail;
+
for (prev = NULL, a = attrs->be_sub; a; a = next) {
if (ber_get_string(a->be_sub, &adesc) != 0)
goto fail;
- if (should_include_attribute(adesc, search, 0)) {
+ /*
+ * Check if read access to the attribute is allowed and if it
+ * should be included in the search result. The attribute is
+ * filtered out in the result if one of these conditions fails.
+ */
+ if (authorized(search->conn, search->ns, ACI_READ,
+ searchdn, adesc, LDAP_SCOPE_BASE) &&
+ should_include_attribute(adesc, search, 0)) {
next = a->be_next;
if (prev != NULL)
prev->be_next = a->be_next; /* unlink a */
@@ -152,11 +162,13 @@ search_result(const char *dn, size_t dnlen, struct ber_element *attrs,
return -1;
}
+ free(searchdn);
return 0;
fail:
log_warn("search result");
if (root)
ber_free_elements(root);
+ free(searchdn);
return -1;
}
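Review bot: The `return -1;` at the top of this hunk still leaves `searchdn` allocated: the added `free(searchdn)` covers only the `return 0` exit and the `fail:` label, and this earlier return — which, going by hunk order, is reached after the `strndup(dn, dnlen)` added before the attribute loop — has no free in front of it, so every entry whose write-out fails leaks the duplicated DN. The block that owns that return opens outside the hunk, so treat the ordering as inferred from the line numbers rather than seen. Either add `free(searchdn);` immediately before that `return -1;`, or route that path through `fail:` so every error exit shares one cleanup. The rest of search_result, including the allocation, lies outside this hunk.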