allow anonymous_update patch
Hello,
Kurt asked me to supply a patch to allow the administrator anonymous backend
data modifications (if she really is inclined to do so).
Here it goes.
I am not too happy with this minimalistic approach (use of global_allows, no
complementary disallow), but I didn't want to touch the code too much (now).
You will probably find a better way of integrating it.
As long as the admin gets back her freedom to set up the policy, it will be
fine for me :-)
Yours,
- Marian
diff -r -u openldap-2.1.8-dist/doc/man/man5/slapd.conf.5 openldap-2.1.8/doc/man/man5/slapd.conf.5
--- openldap-2.1.8-dist/doc/man/man5/slapd.conf.5 Thu Oct 10 03:50:45 2002
+++ openldap-2.1.8/doc/man/man5/slapd.conf.5 Fri Oct 25 13:37:04 2002
@@ -84,6 +84,8 @@
when DN is empty).
.B bind_anon_dn
allows unauthenticated (anonymous) bind when DN is not empty.
+.B anonymous_update
+allows unauthenticated (anonymous) modifications of the backend data.
.TP
.B argsfile <filename>
The ( absolute ) name of a file that will hold the
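Review bot: the added `.B anonymous_update` text does not tell the administrator how far the option reaches. Going by the backend.c hunk, it only skips the "modifications require authentication" check, and going by config.c (`allows = 0;`) it is off unless listed. Suggest stating both here, and saying whether access controls still apply to anonymous writes, so the man page does not read as a blanket grant of write access.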
diff -r -u openldap-2.1.8-dist/servers/slapd/backend.c openldap-2.1.8/servers/slapd/backend.c
--- openldap-2.1.8-dist/servers/slapd/backend.c Thu Oct 10 03:45:55 2002
+++ openldap-2.1.8/servers/slapd/backend.c Fri Oct 25 10:57:01 2002
@@ -910,7 +910,8 @@
return LDAP_CONFIDENTIALITY_REQUIRED;
}
- if( op->o_ndn.bv_len == 0 ) {
+ if( op->o_ndn.bv_len == 0
+ && !( global_allows & SLAP_ALLOW_UPDATE_ANON )) {
*text = "modifications require authentication";
return LDAP_STRONG_AUTH_REQUIRED;
}
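Review bot: the added condition tests `global_allows`, so by its name the switch is server-wide and cannot be limited to a single database. An administrator who wants anonymous writes in one backend would open the check for all of them. Consider a per-backend flag, or the complementary disallow mentioned in the cover note, before this is merged. Style point: the continuation line `&& !( global_allows & SLAP_ALLOW_UPDATE_ANON )) {` would read better indented past the `if(` so the condition is visibly separate from the body.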
diff -r -u openldap-2.1.8-dist/servers/slapd/config.c openldap-2.1.8/servers/slapd/config.c
--- openldap-2.1.8-dist/servers/slapd/config.c Thu Oct 10 03:45:55 2002
+++ openldap-2.1.8/servers/slapd/config.c Fri Oct 25 13:31:36 2002
@@ -1262,6 +1262,7 @@
allows = 0;
for( i=1; i < cargc; i++ ) {
+
if( strcasecmp( cargv[i], "bind_v2" ) == 0 ) {
allows |= SLAP_ALLOW_BIND_V2;
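Review bot: the only change in this hunk is an empty `+` line after `for( i=1; i < cargc; i++ ) {`, which is unrelated whitespace. Please drop it so the patch touches only the lines needed for the new keyword.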
@@ -1270,6 +1271,9 @@
} else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
allows |= SLAP_ALLOW_BIND_ANON_DN;
+
+ } else if( strcasecmp( cargv[i], "anonymous_update" ) == 0 ) {
+ allows |= SLAP_ALLOW_UPDATE_ANON;
} else if( strcasecmp( cargv[i], "none" ) != 0 ) {
#ifdef NEW_LOGGING
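Review bot: the keyword `"anonymous_update"` does not follow the pattern of the neighbouring keywords, where `bind_anon_dn` mirrors `SLAP_ALLOW_BIND_ANON_DN`. Naming it `update_anon` would match `SLAP_ALLOW_UPDATE_ANON` and keep the allow features consistent. The empty `+` line before the new `else if` should also go, since the other branches in this chain are not separated by blank lines.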
diff -r -u openldap-2.1.8-dist/servers/slapd/slap.h openldap-2.1.8/servers/slapd/slap.h
--- openldap-2.1.8-dist/servers/slapd/slap.h Thu Oct 10 03:45:56 2002
+++ openldap-2.1.8/servers/slapd/slap.h Thu Oct 24 17:43:11 2002
@@ -1254,6 +1254,8 @@
#define SLAP_ALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
#define SLAP_ALLOW_BIND_ANON_CRED 0x0002U /* cred should be empty */
#define SLAP_ALLOW_BIND_ANON_DN 0x0003U /* dn should be empty */
+#define SLAP_ALLOW_UPDATE_ANON 0x0004U /* non authenticated updates */
+
#define SLAP_DISALLOW_BIND_ANON 0x0001U /* no anonymous */
#define SLAP_DISALLOW_BIND_SIMPLE 0x0002U /* simple authentication */
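Review bot: `SLAP_ALLOW_UPDATE_ANON 0x0004U` is a distinct single bit, which is what the `|=` in config.c and the `&` test in backend.c need, but the context line above it defines `SLAP_ALLOW_BIND_ANON_DN` as `0x0003U`, which equals `SLAP_ALLOW_BIND_V2 | SLAP_ALLOW_BIND_ANON_CRED`. That is not introduced by this patch, but since a new flag is being added to the same mask it is worth checking whether the existing values are meant to be bit flags and renumbering them in a separate change if so. Minor: the comment would read better as "unauthenticated updates", matching the wording used in the man page.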