| author | 2010-06-30 19:26:39 +0000 | |
|---|---|---|
| committer | 2010-06-30 19:26:39 +0000 | |
| commit | 3cf00f2ac62d13a2d038d36f44b73fe37cf5657e (patch) | |
| tree | fbed3bfea189cad501492d67a4630f87904bb66e /usr.sbin/ldapd/auth.c | |
| parent | for scsibus, silence the activate function when unknown events are given. (diff) | |
| download | wireguard-openbsd-3cf00f2ac62d13a2d038d36f44b73fe37cf5657e.tar.xz wireguard-openbsd-3cf00f2ac62d13a2d038d36f44b73fe37cf5657e.zip | |
Add a global root user that is allowed to read/write entries in all local
namespaces. Useful for dump/restore of all namespaces.
Diffstat (limited to 'usr.sbin/ldapd/auth.c')
| -rw-r--r-- | usr.sbin/ldapd/auth.c | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/usr.sbin/ldapd/auth.c b/usr.sbin/ldapd/auth.c
index 3bc1406a492..715000222b9 100644
--- a/usr.sbin/ldapd/auth.c
+++ b/usr.sbin/ldapd/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.4 2010/06/29 21:54:38 martinh Exp $ */
+/* $OpenBSD: auth.c,v 1.5 2010/06/30 19:26:39 martinh Exp $ */
 /*
  * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
@@ -110,8 +110,14 @@ authorized(struct conn *conn, struct namespace *ns, int rights, char *dn,
 int type = ACI_ALLOW;
 /* Root DN is always allowed. */
- if (conn->binddn && ns && strcasecmp(conn->binddn, ns->rootdn) == 0)
- return 1;
+ if (conn->binddn != NULL) {
+ if (conf->rootdn != NULL &&
+ strcasecmp(conn->binddn, conf->rootdn) == 0)
+ return 1;
+ if (ns != NULL && ns->rootdn != NULL &&
+ strcasecmp(conn->binddn, ns->rootdn) == 0)
+ return 1;
+ }
 /* Default to deny for write access. */
 if ((rights & (ACI_WRITE | ACI_CREATE)) != 0)
@@ -162,6 +168,9 @@ check_password(const char *stored_passwd, const char *passwd)
 unsigned char tmp[128];
 SHA_CTX ctx;
+ if (stored_passwd == NULL)
+ return -1;
+
 if (strncmp(stored_passwd, "{SHA}", 5) == 0) {
 sz = b64_pton(stored_passwd + 5, tmp, sizeof(tmp));
 if (sz != SHA_DIGEST_LENGTH)
@@ -276,10 +285,12 @@ ldap_auth_simple(struct request *req, char *binddn, struct ber_element *auth)
 return LDAP_UNWILLING_TO_PERFORM;
 }
- if ((ns = namespace_lookup_base(binddn, 1)) == NULL)
+ if (conf->rootdn != NULL && strcmp(conf->rootdn, binddn) == 0) {
+ if (check_password(conf->rootpw, password) == 0)
+ ok = 1;
+ } else if ((ns = namespace_lookup_base(binddn, 1)) == NULL) {
 return LDAP_INVALID_CREDENTIALS;
-
- if (strcmp(ns->rootdn, binddn) == 0) {
+ } else if (ns->rootdn != NULL && strcmp(ns->rootdn, binddn) == 0) {
 if (check_password(ns->rootpw, password) == 0)
 ok = 1;
 } else if (namespace_has_referrals(ns)) { |
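Review bot: The authorization check in authorized() compares conn->binddn against conf->rootdn with strcasecmp, while the bind path in the ldap_auth_simple hunk matches the same DN against conf->rootdn with strcmp (the existing ns->rootdn comparisons have the same split). The two sides therefore recognise different sets of DNs as "root": a bind DN that differs from conf->rootdn only in case is not authenticated against conf->rootpw, but if it does bind successfully by some other route it is then treated as the global root here. Pick one comparison for both places; the narrower choice is `strcmp(conn->binddn, conf->rootdn) == 0` in authorized(), or document why case-insensitive matching is intended on the authorization side only. authorized() starts before and ends after this hunk.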
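Review bot: In the new first branch of ldap_auth_simple the namespace_lookup_base() call is skipped, so ns keeps whatever value it had before the chain (previously it was guaranteed non-NULL once this point was passed without returning). If the code after this hunk dereferences ns — for example when recording the bound namespace on the connection or handling referrals — the global-root bind now reaches it with ns unset; worth confirming the remainder of the function tolerates that, or initialising ns to NULL and guarding its later uses. ldap_auth_simple continues outside the hunk, so this cannot be verified from the diff alone.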
