-rw-r--r-- | usr.sbin/ldapd/auth.c | 23 | ||||
-rw-r--r-- | usr.sbin/ldapd/ldapd.conf.5 | 11 | ||||
-rw-r--r-- | usr.sbin/ldapd/ldapd.h | 4 | ||||
-rw-r--r-- | usr.sbin/ldapd/parse.y | 7 |
4 files changed, 35 insertions, 10 deletions
diff --git a/usr.sbin/ldapd/auth.c b/usr.sbin/ldapd/auth.c
index 3bc1406a492..715000222b9 100644
--- a/usr.sbin/ldapd/auth.c
+++ b/usr.sbin/ldapd/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.4 2010/06/29 21:54:38 martinh Exp $ */
+/* $OpenBSD: auth.c,v 1.5 2010/06/30 19:26:39 martinh Exp $ */
 /*
  * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
@@ -110,8 +110,14 @@ authorized(struct conn *conn, struct namespace *ns, int rights, char *dn,
 int type = ACI_ALLOW;
 /* Root DN is always allowed. */
- if (conn->binddn && ns && strcasecmp(conn->binddn, ns->rootdn) == 0)
- return 1;
+ if (conn->binddn != NULL) {
+ if (conf->rootdn != NULL &&
+ strcasecmp(conn->binddn, conf->rootdn) == 0)
+ return 1;
+ if (ns != NULL && ns->rootdn != NULL &&
+ strcasecmp(conn->binddn, ns->rootdn) == 0)
+ return 1;
+ }
 /* Default to deny for write access. */
 if ((rights & (ACI_WRITE | ACI_CREATE)) != 0)
@@ -162,6 +168,9 @@ check_password(const char *stored_passwd, const char *passwd)
 unsigned char tmp[128];
 SHA_CTX ctx;
+ if (stored_passwd == NULL)
+ return -1;
+
 if (strncmp(stored_passwd, "{SHA}", 5) == 0) {
 sz = b64_pton(stored_passwd + 5, tmp, sizeof(tmp));
 if (sz != SHA_DIGEST_LENGTH)
@@ -276,10 +285,12 @@ ldap_auth_simple(struct request *req, char *binddn, struct ber_element *auth)
 return LDAP_UNWILLING_TO_PERFORM;
 }
- if ((ns = namespace_lookup_base(binddn, 1)) == NULL)
+ if (conf->rootdn != NULL && strcmp(conf->rootdn, binddn) == 0) {
+ if (check_password(conf->rootpw, password) == 0)
+ ok = 1;
+ } else if ((ns = namespace_lookup_base(binddn, 1)) == NULL) {
 return LDAP_INVALID_CREDENTIALS;
-
- if (strcmp(ns->rootdn, binddn) == 0) {
+ } else if (ns->rootdn != NULL && strcmp(ns->rootdn, binddn) == 0) {
 if (check_password(ns->rootpw, password) == 0)
 ok = 1;
 } else if (namespace_has_referrals(ns)) {
diff --git a/usr.sbin/ldapd/ldapd.conf.5 b/usr.sbin/ldapd/ldapd.conf.5
index d4c55ad995f..a4fff57b916 100644
--- a/usr.sbin/ldapd/ldapd.conf.5
+++ b/usr.sbin/ldapd/ldapd.conf.5
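Review bot: The comment `/* Root DN is always allowed. */` above the rewritten check is now incomplete, because the block bypasses the ACLs for two distinct identities, the global `conf->rootdn` and the namespace's own `ns->rootdn`; I would change it to `/* The global rootdn and the namespace's own rootdn bypass the ACLs. */`. The global bypass also no longer requires `ns` to be non-NULL, which matches the manual's "all namespaces" wording but is worth a clause in that same comment so nobody re-adds the `ns &&` guard. authorized() begins and ends outside this hunk.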
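Review bot: The added NULL guard in check_password() turns a configured `rootdn` without a `rootpw` (or a namespace without one) into a bind that can never succeed, which is the right default but is not obvious to the next reader; I would annotate it with `/* No password configured: nothing can match, deny. */`. The caller presumably only sees an invalid-credentials result, so a diagnostic at config-parse time would be the better place to surface that misconfiguration. check_password() continues past the end of this hunk.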
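Review bot: The new global-rootdn match here uses `strcmp(conf->rootdn, binddn)` while the bypass added to authorized() in this same commit uses `strcasecmp(conn->binddn, conf->rootdn)`, so the two paths disagree on case: a bind DN that differs from the configured rootdn only in case is not checked against `rootpw` here and falls through to `namespace_lookup_base()`, yet if it then authenticates as an ordinary entry, authorized() would treat it as root. Whether such a DN can reach this point depends on whether and how `binddn` is normalized earlier in the function, which is outside the hunk, so I would not rely on it; use one comparison at both sites, e.g. `if (conf->rootdn != NULL && strcasecmp(conf->rootdn, binddn) == 0) {` here, or `strcmp` in authorized(). The `ns->rootdn` comparison on the new `else if` line has the same split against authorized(). ldap_auth_simple() starts before and continues after this hunk.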
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ldapd.conf.5,v 1.4 2010/06/29 22:39:47 jmc Exp $
+.\" $OpenBSD: ldapd.conf.5,v 1.5 2010/06/30 19:26:39 martinh Exp $
 .\"
 .\" Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
 .\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
@@ -17,7 +17,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .\"
-.Dd $Mdocdate: June 29 2010 $
+.Dd $Mdocdate: June 30 2010 $
 .Dt LDAPD.CONF 5
 .Os
 .Sh NAME
@@ -114,6 +114,13 @@ The URL format has the following format:
 ldap://ldap.example.com
 ldaps://ldap.example.com:3890
 .Ed
+.It rootdn Ar dn
+Specify the distinguished name of the root user for all namespaces.
+The root user is always allowed to read and write entries in all
+local namespaces.
+.It rootpw Ar password
+Password for the root user.
+Specified either in plain text, or in hashed format.
 .It schema Ar filename
 Add schema definitions from the specified file.
 .El
diff --git a/usr.sbin/ldapd/ldapd.h b/usr.sbin/ldapd/ldapd.h
index 5837391a984..ea206c14e09 100644
--- a/usr.sbin/ldapd/ldapd.h
+++ b/usr.sbin/ldapd/ldapd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ldapd.h,v 1.14 2010/06/29 21:54:38 martinh Exp $ */
+/* $OpenBSD: ldapd.h,v 1.15 2010/06/30 19:26:39 martinh Exp $ */
 /*
  * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
@@ -241,6 +241,8 @@ struct ldapd_config
 struct referrals referrals;
 struct acl acl;
 struct schema *schema;
+ char *rootdn;
+ char *rootpw;
 };
 struct ldapd_stats
diff --git a/usr.sbin/ldapd/parse.y b/usr.sbin/ldapd/parse.y
index 8297ab90292..0b31c4177b7 100644
--- a/usr.sbin/ldapd/parse.y
+++ b/usr.sbin/ldapd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.6 2010/06/29 21:54:38 martinh Exp $ */
+/* $OpenBSD: parse.y,v 1.7 2010/06/30 19:26:39 martinh Exp $ */
 /*
  * Copyright (c) 2009, 2010 Martin Hedenfalk <martinh@openbsd.org>
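Review bot: The two new `struct ldapd_config` members are undocumented, and both may legitimately be NULL (auth.c in this commit tests `conf->rootdn != NULL` and check_password() rejects a NULL `rootpw`), which a reader of the header cannot see; I would add `char *rootdn; /* global root DN, normalized by parse.y; NULL if unset */` and `char *rootpw; /* rootdn password, cleartext or hashed as given in ldapd.conf; NULL if unset */`. As far as this diff shows the `rootpw` string is never cleared, so a cleartext value stays in memory exactly as typed in the config file; that is worth stating in the same comment so a later cleanup pass knows where the secret lives.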
@@ -209,6 +209,11 @@ conf_main : LISTEN ON STRING port ssl certname {
 ref->url = $2;
 SLIST_INSERT_HEAD(&conf->referrals, ref, next);
 }
+ | ROOTDN STRING {
+ conf->rootdn = $2;
+ normalize_dn(conf->rootdn);
+ }
+ | ROOTPW STRING { conf->rootpw = $2; }
 ;
 namespace : NAMESPACE STRING '{' '\n' { |
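Review bot: Both new rules overwrite `conf->rootdn` / `conf->rootpw` unconditionally, so a second `rootdn` or `rootpw` line in ldapd.conf silently replaces the first and, assuming `$2` is heap-allocated by the lexer, leaks the earlier string; the conventional fix is to reject the duplicate, e.g. `if (conf->rootdn != NULL) { yyerror("rootdn already specified"); free($2); YYERROR; }` before the assignment, and the same for `rootpw`. The grammar also accepts `rootdn` without `rootpw`, which yields a root DN that can never bind because check_password() in this commit returns -1 for a NULL password; a warning when parsing finishes would make that misconfiguration visible instead of presenting as bad credentials. The `conf_main` rule extends beyond this hunk.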