From 2821de999191f94b0fa95899e762aaf82ed53514 Mon Sep 17 00:00:00 2001
From: Alexander Sulfrian
Date: Fri, 11 Nov 2016 21:07:54 +0100
Subject: pre_bind: Check permissions for gold services
Authentiction for gold services should only be possible for gold accounts.
---
 service_passwords.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/service_passwords.c b/service_passwords.c
index bde1906..3dc432c 100644
--- a/service_passwords.c
+++ b/service_passwords.c
@@ -498,6 +498,10 @@ static int pre_bind(Slapi_PBlock *pb)
 int is_internal = 0;
 char *parent_dn = NULL;
+ char *service = NULL;
+ char *service_dn = NULL;
+ int gold_account = 0;
+ int gold_service = 0;
 int rc = 0;
 char fn[] = "pre_bind in service_passwords plug-in";
@@ -536,7 +540,7 @@ static int pre_bind(Slapi_PBlock *pb)
 }
 parent_dn = slapi_dn_parent(dn);
- rc |= is_user(parent_dn, NULL);
+ rc |= is_user(parent_dn, &gold_account);
 slapi_ch_free_string(&parent_dn);
 if (rc != 0) {
@@ -544,6 +548,22 @@ static int pre_bind(Slapi_PBlock *pb)
 return SLAPI_BIND_SUCCESS;
 }
+ service = get_virtual_service(dn);
+ service_dn = get_service_dn(service);
+ rc |= is_service(service_dn, NULL, &gold_service);
+ slapi_ch_free_string(&service_dn);
+ slapi_ch_free_string(&service);
+
+ if (rc != 0) {
+ /* Invalid service */
+ return SLAPI_BIND_FAIL;
+ }
+
+ if (gold_service != 0 && gold_account == 0) {
+ /* This is a bind for a gold_service, but it's not a gold account. */
+ return SLAPI_BIND_FAIL;
+ }
+
 if (auth_with_password_fallback(dn, credentials) == 0) {
 /* auth success: set connection info */
 rc |= slapi_pblock_set(pb, SLAPI_CONN_DN, dn);
--
cgit v1.2.3-1-g7c22
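Review bot: The two new denial branches in the last hunk (`@@ -544,6 +548,22 @@`) return `SLAPI_BIND_FAIL` without sending an LDAP result or writing a log entry, and nothing in the visible lines does either. A pre-bind plug-in that returns non-zero is normally expected to have answered the client itself, so consider `slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);` before each return (the code a failed password check would normally produce, so the reply does not reveal which services are gold), plus a `slapi_log_error(SLAPI_LOG_PLUGIN, fn, ...)` line naming the DN so refused gold binds show up for operators. `get_virtual_service(dn)` and `get_service_dn(service)` are also used unchecked; if either can return NULL, `is_service()` has to reject it, which cannot be confirmed from these lines. `gold_service` starts at 0, so any `is_service()` success path that leaves it unwritten would skip the gold check, whereas `gold_account` starting at 0 fails closed; a short comment stating that both out-parameters are always written on success would make that contract explicit. pre_bind begins and ends outside the hunks, so existing result handling elsewhere in the function may already cover part of this.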