author | Martin Hedenfal <martinh@cvs.openbsd.org> | 2010-10-19 09:10:13 +0000 |
---|---|---|
committer | Martin Hedenfal <martinh@cvs.openbsd.org> | 2010-10-19 09:10:13 +0000 |
commit | c7bf049c4c12d4d68c32757aed3dd6a1a6be2d75 (patch) | |
tree | da4e3af88483b11b2321f32a605b49f8ecf67e76 /usr.sbin/ldapd | |
parent | e154dbba927d48c799102e09bd34fdefdc331676 (diff) |
Remember the bind DN after BSD authentication. This makes access control
work for SASL and BSDAUTH binds as it does for simple binds.
Diffstat (limited to 'usr.sbin/ldapd')
-rw-r--r-- | usr.sbin/ldapd/auth.c | 26 | ||||
-rw-r--r-- | usr.sbin/ldapd/conn.c | 3 | ||||
-rw-r--r-- | usr.sbin/ldapd/ldapd.h | 3 |
3 files changed, 24 insertions, 8 deletions
diff --git a/usr.sbin/ldapd/auth.c b/usr.sbin/ldapd/auth.c
index ff8e9a05c0e..a4cb1d2bf66 100644
--- a/usr.sbin/ldapd/auth.c
+++ b/usr.sbin/ldapd/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.7 2010/09/20 17:26:47 martinh Exp $ */
+/* $OpenBSD: auth.c,v 1.8 2010/10/19 09:10:12 martinh Exp $ */
 /*
  * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
@@ -266,6 +266,11 @@ ldap_auth_sasl(struct request *req, char *binddn, struct ber_element *params)
 	if (send_auth_request(req, authcid, password) != 0)
 		return LDAP_OPERATIONS_ERROR;
+	free(req->conn->binddn);
+	req->conn->binddn = NULL;
+	if ((req->conn->pending_binddn = strdup(authcid)) == NULL)
+		return LDAP_OTHER;
+
 	return LDAP_SUCCESS;
 }
@@ -333,16 +338,20 @@ ldap_auth_simple(struct request *req, char *binddn, struct ber_element *auth)
 		}
 	}
+	free(req->conn->binddn);
+	req->conn->binddn = NULL;
+
 	if (ok == 1) {
-		free(req->conn->binddn);
 		if ((req->conn->binddn = strdup(binddn)) == NULL)
 			return LDAP_OTHER;
 		log_debug("successfully authenticated as %s", req->conn->binddn);
 		return LDAP_SUCCESS;
-	} else if (ok == 2)
+	} else if (ok == 2) {
+		if ((req->conn->pending_binddn = strdup(binddn)) == NULL)
+			return LDAP_OTHER;
 		return -LDAP_SASL_BIND_IN_PROGRESS;
-	else if (ok == 0)
+	} else if (ok == 0)
 		return LDAP_INVALID_CREDENTIALS;
 	else
 		return LDAP_OPERATIONS_ERROR;
@@ -353,10 +362,15 @@ ldap_bind_continue(struct conn *conn, int ok)
 {
 	int rc;
-	if (ok)
+	if (ok) {
 		rc = LDAP_SUCCESS;
-	else
+		conn->binddn = conn->pending_binddn;
+		log_debug("successfully authenticated as %s", conn->binddn);
+	} else {
 		rc = LDAP_INVALID_CREDENTIALS;
+		free(conn->pending_binddn);
+	}
+	conn->pending_binddn = NULL;
 	ldap_respond(conn->bind_req, rc);
 	conn->bind_req = NULL;
diff --git a/usr.sbin/ldapd/conn.c b/usr.sbin/ldapd/conn.c
index 9db22e7ba71..7c7e137e720 100644
--- a/usr.sbin/ldapd/conn.c
+++ b/usr.sbin/ldapd/conn.c
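Review bot: In the ldap_auth_sasl hunk the strdup into req->conn->pending_binddn runs only after send_auth_request has already dispatched the credentials, so when strdup fails the function returns LDAP_OTHER but the auth reply still comes back and ldap_bind_continue runs with pending_binddn NULL, passing a null pointer to log_debug's %s and answering a bind_req that may already have been responded to (how bind_req is handled on that early return is not visible in this hunk). The same assignment overwrites any earlier pending_binddn without freeing it; whether a second bind can be issued while one is outstanding is not visible here, but nothing on this path releases the old value before conn_close. Making the copy before the request is sent, and releasing it if the send fails, closes both paths; the ok == 2 branch of ldap_auth_simple has the same shape. ldap_auth_sasl begins and ldap_bind_continue ends outside the hunk.
```c
	/* … unchanged: authcid / password extraction … */
	free(req->conn->pending_binddn);
	if ((req->conn->pending_binddn = strdup(authcid)) == NULL)
		return LDAP_OTHER;
	if (send_auth_request(req, authcid, password) != 0) {
		free(req->conn->pending_binddn);
		req->conn->pending_binddn = NULL;
		return LDAP_OPERATIONS_ERROR;
	}
	free(req->conn->binddn);
	req->conn->binddn = NULL;

	return LDAP_SUCCESS;
```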
@@ -1,4 +1,4 @@
-/* $OpenBSD: conn.c,v 1.5 2010/07/01 20:09:34 martinh Exp $ */
+/* $OpenBSD: conn.c,v 1.6 2010/10/19 09:10:12 martinh Exp $ */
 /*
  * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
@@ -68,6 +68,7 @@ conn_close(struct conn *conn)
 	bufferevent_free(conn->bev);
 	close(conn->fd);
 	free(conn->binddn);
+	free(conn->pending_binddn);
 	free(conn);
 	--stats.conns;
diff --git a/usr.sbin/ldapd/ldapd.h b/usr.sbin/ldapd/ldapd.h
index ada9de485f5..a2dfeca08c9 100644
--- a/usr.sbin/ldapd/ldapd.h
+++ b/usr.sbin/ldapd/ldapd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ldapd.h,v 1.18 2010/09/01 17:34:15 martinh Exp $ */
+/* $OpenBSD: ldapd.h,v 1.19 2010/10/19 09:10:12 martinh Exp $ */
 /*
  * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
@@ -210,6 +210,7 @@ struct conn
 	int disconnect;
 	struct request *bind_req;	/* ongoing bind request */
 	char *binddn;
+	char *pending_binddn;
 	TAILQ_HEAD(, search) searches;
 	struct listener *listener;	/* where it connected from */ |
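Review bot: The new `pending_binddn` member of struct conn in the ldapd.h hunk is the only field in this run of the struct without a trailing comment, and its lifecycle (set by the bind handlers in auth.c, moved into binddn or freed by ldap_bind_continue, freed by conn_close) is not obvious from the name alone; suggest `char *pending_binddn; /* bind DN awaiting auth reply; becomes binddn on success */`. The struct conn definition continues outside the hunk.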