
Bug 554573 - ACIs use bind DN from bind req rather than cert mapped DN from sasl/external

https://bugzilla.redhat.com/show_bug.cgi?id=554573
Resolves: bug 554573
Bug Description: ACIs use bind DN from bind req rather than cert mapped DN from sasl/external
Reviewed by: ???
Branch: HEAD
Fix Description: Added a new config option - nsslapd-force-sasl-external (on/off)
default is off - when set to on, a SIMPLE bind on a connection that has a
DN set from a client cert will be treated as a SASL/EXTERNAL bind.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: yes - new attribute to document

Note: This commit is for reapplying the patch I accidentally reverted
by the previous revert (031e725dce895bf2382ca7801cef772fe6b24c61).
(see commit f4b90ed5e43fa06ea6185cf17073b7a32db6ef4c, as well)
  commit 031e725dce895bf2382ca7801cef772fe6b24c61
  Author: Noriko Hosoi <[email protected]>
  Date:   Fri Mar 5 16:09:28 2010 -0800
    Revert "Merge branch '547503'"
	This reverts commit f2a04fdc45cc8a408267019990504354282c4303, reversing
			    changes made to 0b95451c7e50cb6b2d0cb310dddca18336e1b2ac.
Noriko Hosoi vor 15 Jahren
417e1542fd

+ 1 - 0
.gitignore

@@ -1,2 +1,3 @@
 autom4te.cache
 *~
+*.patch

+ 13 - 1
ldap/servers/slapd/bind.c

@@ -305,7 +305,8 @@ do_bind( Slapi_PBlock *pb )
     switch ( version ) {
     case LDAP_VERSION2:
         if (method == LDAP_AUTH_SIMPLE
-            && (dn == NULL || *dn == '\0') && cred.bv_len == 0
+            && (config_get_force_sasl_external() ||
+                ((dn == NULL || *dn == '\0') && cred.bv_len == 0))
             && pb->pb_conn->c_external_dn != NULL) {
             /* Treat this like a SASL EXTERNAL Bind: */
             method = LDAP_AUTH_SASL;
@@ -317,6 +318,17 @@ do_bind( Slapi_PBlock *pb )
         }
         break;
     case LDAP_VERSION3:
+        if ((method == LDAP_AUTH_SIMPLE) &&
+            config_get_force_sasl_external() &&
+            (pb->pb_conn->c_external_dn != NULL)) {
+            /* Treat this like a SASL EXTERNAL Bind: */
+            method = LDAP_AUTH_SASL;
+            saslmech = slapi_ch_strdup (LDAP_SASL_EXTERNAL);
+            /* This enables a client to establish an identity by sending
+             * a certificate in the SSL handshake, and also use LDAPv2
+             * (by sending this type of Bind request).
+             */
+        }
         break;
     default:
         LDAPDebug( LDAP_DEBUG_TRACE, "bind: unknown LDAP protocol version %d\n",
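Review bot: The comment block copied into the LDAPv3 branch (`/* This enables a client to establish an identity ... and also use LDAPv2 (by sending this type of Bind request). */`) describes the LDAPv2 case and does not fit here; in the v3 hunk it should say what the forced path actually does, e.g. `/* nsslapd-force-sasl-external is on and the client presented a mapped cert: treat the SIMPLE bind as SASL/EXTERNAL; the DN and password in the request are disregarded. */`. The same silent replacement now also happens in the first hunk, where the force switch coerces v2 binds that carry a non-empty dn and cred, so the existing "Treat this like a SASL EXTERNAL Bind" comment there should note that the supplied credentials are ignored. Since the file already traces at LDAP_DEBUG_TRACE, an `LDAPDebug( LDAP_DEBUG_TRACE, "bind: forcing SASL/EXTERNAL for cert-mapped connection\n", 0, 0, 0 );` at each conversion point would make it possible to explain why the effective identity differs from the requested DN. do_bind starts and ends outside these hunks.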

+ 34 - 1
ldap/servers/slapd/libglobs.c

@@ -620,7 +620,11 @@ static struct config_get_and_set {
 		(ConfigGetFunc)config_get_anon_access_switch},
 	{CONFIG_MINSSF_ATTRIBUTE, config_set_minssf,
 		NULL, 0,
-		(void**)&global_slapdFrontendConfig.minssf, CONFIG_INT, NULL}
+		(void**)&global_slapdFrontendConfig.minssf, CONFIG_INT, NULL},
+	{CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE, config_set_force_sasl_external,
+		NULL, 0,
+		(void**)&global_slapdFrontendConfig.force_sasl_external, CONFIG_ON_OFF,
+		(ConfigGetFunc)config_get_force_sasl_external}
 #ifdef MEMPOOL_EXPERIMENTAL
 	,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
 		NULL, 0,
@@ -921,6 +925,7 @@ FrontendConfig_init () {
   cfg->rewrite_rfc1274 = LDAP_OFF;
   cfg->schemareplace = slapi_ch_strdup( CONFIG_SCHEMAREPLACE_STR_REPLICATION_ONLY );
   cfg->schema_ignore_trailing_spaces = SLAPD_DEFAULT_SCHEMA_IGNORE_TRAILING_SPACES;
+  cfg->force_sasl_external = LDAP_OFF; /* do not force sasl external by default - let clients abide by the LDAP standards and send us a SASL/EXTERNAL bind if that's what they want to do */
 
   cfg->pwpolicy_local = LDAP_OFF;
   cfg->pw_policy.pw_change = LDAP_ON;
@@ -5491,6 +5496,34 @@ config_set_anon_access_switch( const char *attrname, char *value,
 	return retVal;
 }
 
+int
+config_get_force_sasl_external(void)
+{
+	int retVal;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+	CFG_LOCK_READ(slapdFrontendConfig);
+	retVal = slapdFrontendConfig->force_sasl_external;
+	CFG_UNLOCK_READ(slapdFrontendConfig);
+
+	return retVal;
+}
+
+int
+config_set_force_sasl_external( const char *attrname, char *value,
+		char *errorbuf, int apply )
+{
+	int retVal = LDAP_SUCCESS;
+	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+	retVal = config_set_onoff(attrname,
+		value,
+		&(slapdFrontendConfig->force_sasl_external),
+		errorbuf,
+		apply);
+
+	return retVal;
+}
+
 
 /*
  * This function is intended to be used from the dse code modify callback.  It
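Review bot: config_set_force_sasl_external stores the flag through config_set_onoff with no CFG_LOCK_WRITE visible in the hunk, while config_get_force_sasl_external takes CFG_LOCK_READ; if config_set_onoff does not take the write lock internally, the read lock in the getter protects nothing — confirm against the other on/off setters in this file. Neither new function has a header comment; I would add `/* Returns nsslapd-force-sasl-external (LDAP_ON/LDAP_OFF) under the config read lock. */` above the getter and `/* Parses an on/off value into force_sasl_external; returns LDAP_SUCCESS or the error from config_set_onoff. */` above the setter. The `int retVal = LDAP_SUCCESS;` initializer in the setter is dead because retVal is unconditionally assigned by the next statement; `int retVal = config_set_onoff(...)` reads cleaner.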

+ 2 - 0
ldap/servers/slapd/proto-slap.h

@@ -370,6 +370,7 @@ int config_set_anon_access_switch(const char *attrname, char *value, char *error
 int config_set_minssf(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
+int config_set_force_sasl_external(const char *attrname, char *value, char *errorbuf, int apply );
 
 #if !defined(_WIN32) && !defined(AIX)
 int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int apply );
@@ -507,6 +508,7 @@ int config_get_mempool_maxfreelist();
 long config_get_system_page_size();
 int config_get_system_page_bits();
 #endif
+int config_get_force_sasl_external();
 
 int is_abspath(const char *);
 char* rel2abspath( char * );
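Review bot: `int config_get_force_sasl_external();` is declared without a prototype while its definition in libglobs.c is `config_get_force_sasl_external(void)`; declare it as `int config_get_force_sasl_external(void);` so calls are checked against the definition. The neighbouring config_get_* declarations use the same empty parentheses, so this follows the file's existing habit, but a new declaration need not repeat it.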

+ 2 - 0
ldap/servers/slapd/slap.h

@@ -1869,6 +1869,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_SSL_CHECK_HOSTNAME_ATTRIBUTE "nsslapd-ssl-check-hostname"
 #define CONFIG_HASH_FILTERS_ATTRIBUTE "nsslapd-hash-filters"
 #define CONFIG_OUTBOUND_LDAP_IO_TIMEOUT_ATTRIBUTE "nsslapd-outbound-ldap-io-timeout"
+#define CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE "nsslapd-force-sasl-external"
 
 #ifdef MEMPOOL_EXPERIMENTAL
 #define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool"
@@ -2084,6 +2085,7 @@ typedef struct _slapdFrontendConfig {
   long system_page_size;		/* system page size */
   int system_page_bits;			/* bit count to shift the system page size */
 #endif /* MEMPOOL_EXPERIMENTAL */
+  int force_sasl_external;      /* force SIMPLE bind to be SASL/EXTERNAL if client cert credentials were supplied */
 } slapdFrontendConfig_t;
 
 /* possible values for slapdFrontendConfig_t.schemareplace */