[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: checking for bound user

A follow-up question on the bound user:

Once my overlay has bound a user, I want subsequent operations (add,modify,etc) to be verify that the op->o_ndn was bound with my overlay's method, i.e., I don't want a user bound by another backend to be able to perform operations in my overlay. I might be able to achieve the functionality I want with ACLs, as well, but I wanted to check the feasibility of this other approach.

It looks like I could define an id for my bind method along the lines of LDAP_AUTH_SIMPLE, LDAP_AUTH_SASL, etc., LDAP_AUTH_MYBIND (or whatever) and then set this value on op->o_authz.sai_method when I have a successful bind. Subsequent overlay operations could check that field.

Is this the right area to be looking in? I see bind.c setting op->o_conn->c_authtype at one point, and I don't see any reference to sai_method in bind.c. Would setting this field a) persist across requests? b) screw anything else up?



> > Howard's note is that you should use op->o_ndn; in fact,
> > in some cases backend search routines are called out of
> > context for internal purposes; in this case, they might
> > have a null or fake connection, so op->o_ndn should be
> > guaranteed to be set to the identity the operation is
> > supposed to run as.  During regular operations, op->o_ndn
> > and op->o_conn->c_ndn should be exactly the same.
> There's also the case of requests using the proxyAuthz control. All of
> slapd's internal identity checks (e.g., for ACLs) use 
> op->o_ndn; this is the
> identity that matters.