RE: checking for bound user
- To: <openldap-devel@OpenLDAP.org>
- Subject: RE: checking for bound user
- From: "David Parker" <firstname.lastname@example.org>
- Date: Mon, 5 Apr 2004 11:45:42 -0400
- Thread-topic: checking for bound user
A follow-up question on the bound user:
Once my overlay has bound a user, I want subsequent operations (add, modify, etc.) to verify that the op->o_ndn was bound with my overlay's method, i.e., I don't want a user bound by another backend to be able to perform operations in my overlay. I might be able to achieve the functionality I want with ACLs, as well, but I wanted to check the feasibility of this other approach.
It looks like I could define an id for my bind method along the lines of LDAP_AUTH_SIMPLE, LDAP_AUTH_SASL, etc., LDAP_AUTH_MYBIND (or whatever) and then set this value on op->o_authz.sai_method when I have a successful bind. Subsequent overlay operations could check that field.
Is this the right area to be looking in? I see bind.c setting op->o_conn->c_authtype at one point, and I don't see any reference to sai_method in bind.c. Would setting this field a) persist across requests? b) screw anything else up?
> > Howard's note is that you should use op->o_ndn; in fact,
> > in some cases backend search routines are called out of
> > context for internal purposes; in this case, they might
> > have a null or fake connection, so op->o_ndn should be
> > guaranteed to be set to the identity the operation is
> > supposed to run as. During regular operations, op->o_ndn
> > and op->o_conn->c_ndn should be exactly the same.
> There's also the case of requests using the proxyAuthz control. All of
> slapd's internal identity checks (e.g., for ACLs) use op->o_ndn; this is
> the identity that matters.
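As an added illustration of the check being discussed (not code from this thread, from slapd, or from the poster's overlay), the following stand-alone C model shows the shape of the idea: a bind handler tags the connection's authorization info with a private method id, each operation receives a copy of that info, and the overlay's write handlers consult op->o_ndn plus the method tag rather than dereferencing op->o_conn, following the quoted note that internal operations may carry a null or fake connection. The struct layouts, the per-operation copy, the LDAP_AUTH_MYBIND value and the function names are all assumptions made for the example; only the LDAP_AUTH_NONE/SIMPLE/SASL values match ldap.h.

```c
/* Stand-alone model of "was op->o_ndn bound by my overlay's method?".
 * NOT slapd code: the types below mimic the field names mentioned in the
 * thread (o_ndn, o_conn, o_authz.sai_method) but are simplified assumptions. */
#include <stddef.h>
#include <string.h>

#define LDAP_AUTH_NONE   0x00   /* values as in ldap.h */
#define LDAP_AUTH_SIMPLE 0x80
#define LDAP_AUTH_SASL   0xa3
#define LDAP_AUTH_MYBIND 0xf0   /* assumed private id, not a real slapd constant */

typedef struct {
    int         sai_method;     /* which bind method produced this identity */
    const char *sai_ndn;        /* normalized DN that was authenticated */
} AuthzInfo;

typedef struct {
    const char *c_ndn;          /* identity bound on this connection */
    AuthzInfo   c_authz;        /* connection-level authz info */
} Connection;

typedef struct {
    const char *o_ndn;          /* identity the operation runs as */
    Connection *o_conn;         /* may be NULL for internal operations (assumption) */
    AuthzInfo   o_authz;        /* per-operation copy of the authz info */
} Operation;

/* Model of the overlay's bind handler on success: record the identity and
 * tag it with the overlay's own method id. */
void my_bind_success(Connection *conn, const char *ndn)
{
    conn->c_ndn = ndn;
    conn->c_authz.sai_method = LDAP_AUTH_MYBIND;
    conn->c_authz.sai_ndn = ndn;
}

/* Model of activating an operation on a connection: the operation gets its
 * own copy of the identity and authz info (assumed behaviour, for the model). */
void op_activate(Operation *op, Connection *conn)
{
    op->o_conn = conn;
    op->o_ndn = conn->c_ndn;
    op->o_authz = conn->c_authz;
}

/* The check a write handler (add/modify) would run.  It deliberately never
 * touches op->o_conn: per the quoted advice, op->o_ndn is the identity that
 * matters, and the connection may be absent for internal operations.
 * Returns 1 if the caller may proceed, 0 otherwise. */
int my_overlay_may_write(const Operation *op)
{
    if (op->o_ndn == NULL || op->o_ndn[0] == '\0')
        return 0;                                   /* anonymous: deny */
    if (op->o_authz.sai_method != LDAP_AUTH_MYBIND)
        return 0;                                   /* bound elsewhere: deny */
    if (op->o_authz.sai_ndn == NULL || strcmp(op->o_authz.sai_ndn, op->o_ndn) != 0)
        return 0;                                   /* identity does not match what we bound */
    return 1;
}
```

The third test in the model (an operation with a NULL connection but a properly tagged identity) is the case the quoted reply warns about: a handler that compared against op->o_conn->c_ndn would crash or misjudge it, while one keyed on op->o_ndn behaves consistently. Whether sai_method actually survives across requests in slapd is exactly the open question of the post and is not settled by this model.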