authorAlexander Sulfrian <alexander@sulfrian.net>2016-11-11 21:07:54 +0100
committerAlexander Sulfrian <alexander@sulfrian.net>2016-11-11 21:53:38 +0100
commit2821de999191f94b0fa95899e762aaf82ed53514 (patch)
tree5753cb779150639565752cb61bbfc909e8ce6f88
parentbac7367d5d3b3140ccc12a908cc763e9b299f424 (diff)
pre_bind: Check permissions for gold services
Authentication for gold services should only be possible for gold accounts.
-rw-r--r--service_passwords.c22
1 files changed, 21 insertions, 1 deletions
diff --git a/service_passwords.c b/service_passwords.c
index bde1906..3dc432c 100644
--- a/service_passwords.c
+++ b/service_passwords.c
@@ -498,6 +498,10 @@ static int pre_bind(Slapi_PBlock *pb)
int is_internal = 0;
char *parent_dn = NULL;
+ char *service = NULL;
+ char *service_dn = NULL;
+ int gold_account = 0;
+ int gold_service = 0;
int rc = 0;
char fn[] = "pre_bind in service_passwords plug-in";
@@ -536,7 +540,7 @@ static int pre_bind(Slapi_PBlock *pb)
}
parent_dn = slapi_dn_parent(dn);
- rc |= is_user(parent_dn, NULL);
+ rc |= is_user(parent_dn, &gold_account);
slapi_ch_free_string(&parent_dn);
if (rc != 0) {
@@ -544,6 +548,22 @@ static int pre_bind(Slapi_PBlock *pb)
return SLAPI_BIND_SUCCESS;
}
+ service = get_virtual_service(dn);
+ service_dn = get_service_dn(service);
+ rc |= is_service(service_dn, NULL, &gold_service);
+ slapi_ch_free_string(&service_dn);
+ slapi_ch_free_string(&service);
+
+ if (rc != 0) {
+ /* Invalid service */
+ return SLAPI_BIND_FAIL;
+ }
+
+ if (gold_service != 0 && gold_account == 0) {
+ /* This is a bind for a gold_service, but it's not a gold account. */
+ return SLAPI_BIND_FAIL;
+ }
+
if (auth_with_password_fallback(dn, credentials) == 0) {
/* auth success: set connection info */
rc |= slapi_pblock_set(pb, SLAPI_CONN_DN, dn);
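Review bot: The result of `get_virtual_service(dn)` is passed straight into `get_service_dn()` and then `is_service()` with no NULL check in this hunk, so the gold-service gate depends on how those helpers treat a NULL argument, which is not visible here. If either helper can return NULL for a DN that has no service component, reject explicitly before the lookup, e.g. `if (service == NULL) return SLAPI_BIND_FAIL;`, and check `service_dn` the same way after freeing `service`. The two new `return SLAPI_BIND_FAIL;` paths also leave no trace; a `slapi_log_error()` call using the existing `fn` string would let operators see denied gold-service binds and separate an invalid service from a non-gold account. pre_bind starts and ends outside the hunk, so whether an LDAP result is sent to the client on these early returns should be confirmed against the rest of the function.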