Re: allow anonymous_update patch
If you would like this patch considered for inclusion in
OpenLDAP Software, please submit it using the Issue Tracking
System <http://www.openldap.org/its/>. Thanks, Kurt
At 04:52 AM 2002-10-25, Marian Eichholz wrote:
>Hello,
>
>Kurt asked me to supply a patch, to allow the administrator anonymous backend
>data modifications (if she really is inclined to do so).
>
>Here it goes.
>
>I am not too happy with this minimalistic approach (use of global_allows, no
>complementary disallow), but I didn't want to touch the code too much (now).
>
>You will probably find a better way of integration.
>As long as the admin gets back her freedom to set up the policy, it will be
>fine for me :-)
>
>Yours,
>
>- Marian
>
>
>diff -r -u openldap-2.1.8-dist/doc/man/man5/slapd.conf.5 openldap-2.1.8/doc/man/man5/slapd.conf.5
>--- openldap-2.1.8-dist/doc/man/man5/slapd.conf.5 Thu Oct 10 03:50:45 2002
>+++ openldap-2.1.8/doc/man/man5/slapd.conf.5 Fri Oct 25 13:37:04 2002
>@@ -84,6 +84,8 @@
> when DN is empty).
> .B bind_anon_dn
> allows unauthenticated (anonymous) bind when DN is not empty.
>+.B anonymous_update
>+allows unauthenticated (anonymous) modifications of the backend data.
> .TP
> .B argsfile <filename>
> The ( absolute ) name of a file that will hold the
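Review bot: the new `.B anonymous_update` text says only that anonymous modifications are allowed; it should also state that the switch is server-wide and lifts the "modifications require authentication" check in backend.c for every database, so that write access then rests entirely on the rest of the configuration. One more sentence to that effect would let an administrator judge the exposure before enabling it.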
>diff -r -u openldap-2.1.8-dist/servers/slapd/backend.c openldap-2.1.8/servers/slapd/backend.c
>--- openldap-2.1.8-dist/servers/slapd/backend.c Thu Oct 10 03:45:55 2002
>+++ openldap-2.1.8/servers/slapd/backend.c Fri Oct 25 10:57:01 2002
>@@ -910,7 +910,8 @@
> return LDAP_CONFIDENTIALITY_REQUIRED;
> }
>
>- if( op->o_ndn.bv_len == 0 ) {
>+ if( op->o_ndn.bv_len == 0
>+ && !( global_allows & SLAP_ALLOW_UPDATE_ANON )) {
> *text = "modifications require authentication";
> return LDAP_STRONG_AUTH_REQUIRED;
> }
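Review bot: in the new condition, `global_allows & SLAP_ALLOW_UPDATE_ANON` is a single server-wide switch, so once it is set a request with an empty `op->o_ndn` skips the LDAP_STRONG_AUTH_REQUIRED return here for every backend, not only the one the administrator had in mind. Consider a per-backend setting for this, or at least log when an anonymous update is let through at this point so the bypass is visible in operation.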
>diff -r -u openldap-2.1.8-dist/servers/slapd/config.c openldap-2.1.8/servers/slapd/config.c
>--- openldap-2.1.8-dist/servers/slapd/config.c Thu Oct 10 03:45:55 2002
>+++ openldap-2.1.8/servers/slapd/config.c Fri Oct 25 13:31:36 2002
>@@ -1262,6 +1262,7 @@
> allows = 0;
>
> for( i=1; i < cargc; i++ ) {
>+
> if( strcasecmp( cargv[i], "bind_v2" ) == 0 ) {
> allows |= SLAP_ALLOW_BIND_V2;
>
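Review bot: the only change in this hunk is an empty line added after `for( i=1; i < cargc; i++ ) {`; it is unrelated to the feature and should be dropped so the patch touches only what it needs to.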
>@@ -1270,6 +1271,9 @@
>
> } else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
> allows |= SLAP_ALLOW_BIND_ANON_DN;
>+
>+ } else if( strcasecmp( cargv[i], "anonymous_update" ) == 0 ) {
>+ allows |= SLAP_ALLOW_UPDATE_ANON;
>
> } else if( strcasecmp( cargv[i], "none" ) != 0 ) {
> #ifdef NEW_LOGGING
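Review bot: the keyword `anonymous_update` breaks the naming pattern of the neighbouring keywords (`bind_v2`, `bind_anon_dn`), which put the operation first; `update_anon` would match both them and the macro name SLAP_ALLOW_UPDATE_ANON. Whichever spelling is chosen, the man page entry in slapd.conf.5 has to use the same one.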
>diff -r -u openldap-2.1.8-dist/servers/slapd/slap.h openldap-2.1.8/servers/slapd/slap.h
>--- openldap-2.1.8-dist/servers/slapd/slap.h Thu Oct 10 03:45:56 2002
>+++ openldap-2.1.8/servers/slapd/slap.h Thu Oct 24 17:43:11 2002
>@@ -1254,6 +1254,8 @@
> #define SLAP_ALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
> #define SLAP_ALLOW_BIND_ANON_CRED 0x0002U /* cred should be empty */
> #define SLAP_ALLOW_BIND_ANON_DN 0x0003U /* dn should be empty */
>+#define SLAP_ALLOW_UPDATE_ANON 0x0004U /* non authenticated updates */
>+
>
> #define SLAP_DISALLOW_BIND_ANON 0x0001U /* no anonymous */
> #define SLAP_DISALLOW_BIND_SIMPLE 0x0002U /* simple authentication */
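Review bot: `SLAP_ALLOW_UPDATE_ANON` at 0x0004U is a single bit of its own, which the `&` test in backend.c depends on, but the context line above it defines SLAP_ALLOW_BIND_ANON_DN as 0x0003U, the two lower flags combined, so a comment here that new values must be single bits would prevent the next addition from overlapping. The hunk also adds a second blank line after the define where one is enough, and the comment would read better as "unauthenticated updates", matching the man page wording.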