From 4d154353b014576b9630d63d3ed7b5e5676f13bf Mon Sep 17 00:00:00 2001 From: Ludwig Krispenz Date: Jun 20 2016 12:20:54 +0000 Subject: Ticket #48366 - proxyauth does not work bound as directory manager Description: when binding as directory manager always full access is granted, even if a proxyauthzid is presnt Fix: when evaluating if access control can be skipped check for proxy auth Ticket: https://fedorahosted.org/389/ticket/48366 Reviewed by: Noriko, Thanks --- diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c index be2b805..ba6b774 100644 --- a/ldap/servers/plugins/acl/acl.c +++ b/ldap/servers/plugins/acl/acl.c @@ -287,7 +287,7 @@ acl_access_allowed( /* Check for things we need to skip */ TNF_PROBE_0_DEBUG(acl_skipaccess_start,"ACL",""); - if ( acl_skip_access_check ( pb, e )) { + if ( acl_skip_access_check ( pb, e, access )) { slapi_log_error (loglevel, plugin_name, "conn=%" NSPRIu64 " op=%d (main): Allow %s on entry(%s)" ": root user\n", @@ -921,7 +921,7 @@ acl_read_access_allowed_on_entry ( ** If it's the root, or acl is off or the entry is a rootdse, ** Then you have the privilege to read it. */ - if ( acl_skip_access_check ( pb, e ) ) { + if ( acl_skip_access_check ( pb, e, access ) ) { char *n_edn = slapi_entry_get_ndn ( e ); slapi_log_error (SLAPI_LOG_ACL, plugin_name, "Root access (%s) allowed on entry(%s)\n", @@ -1227,7 +1227,7 @@ acl_read_access_allowed_on_attr ( n_edn = slapi_entry_get_ndn ( e ); /* If it's the root or acl is off or rootdse, he has all the priv */ - if ( acl_skip_access_check ( pb, e ) ) { + if ( acl_skip_access_check ( pb, e, access ) ) { slapi_log_error (SLAPI_LOG_ACL, plugin_name, "Root access (%s) allowed on entry(%s)\n", acl_access2str(access), @@ -4053,14 +4053,17 @@ acl__get_attrEval ( struct acl_pblock *aclpb, char *attr ) * */ int -acl_skip_access_check ( Slapi_PBlock *pb, Slapi_Entry *e ) +acl_skip_access_check ( Slapi_PBlock *pb, Slapi_Entry *e, int access ) { int rv, isRoot, accessCheckDisabled; void *conn = NULL; Slapi_Backend *be; + struct acl_pblock *aclpb = NULL; slapi_pblock_get ( pb, SLAPI_REQUESTOR_ISROOT, &isRoot ); - if ( isRoot ) return ACL_TRUE; + /* need to check if root is proying another user */ + aclpb = acl_get_aclpb ( pb, ACLPB_PROXYDN_PBLOCK ); + if ( isRoot && ((access &SLAPI_ACL_PROXY) || !aclpb)) return ACL_TRUE; /* See if this is local request */ slapi_pblock_get ( pb, SLAPI_CONNECTION, &conn); diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h index da39cbc..6e3198f 100644 --- a/ldap/servers/plugins/acl/acl.h +++ b/ldap/servers/plugins/acl/acl.h @@ -822,7 +822,7 @@ void acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *dn, int copy_from_aclcb); int acl_create_aclpb_pool (); void acl_destroy_aclpb_pool (); -int acl_skip_access_check ( Slapi_PBlock *pb, Slapi_Entry *e ); +int acl_skip_access_check ( Slapi_PBlock *pb, Slapi_Entry *e, int access ); int aclext_alloc_lockarray (); void aclext_free_lockarray(); diff --git a/ldap/servers/plugins/acl/acllist.c b/ldap/servers/plugins/acl/acllist.c index d604e37..cc0e9b3 100644 --- a/ldap/servers/plugins/acl/acllist.c +++ b/ldap/servers/plugins/acl/acllist.c @@ -611,7 +611,7 @@ acllist_init_scan (Slapi_PBlock *pb, int scope, const char *base) char *basedn = NULL; int index; - if ( acl_skip_access_check ( pb, NULL ) ) { + if ( acl_skip_access_check ( pb, NULL, 0 ) ) { return; } diff --git a/ldap/servers/plugins/acl/aclplugin.c b/ldap/servers/plugins/acl/aclplugin.c index d90996e..50de2cc 100644 --- a/ldap/servers/plugins/acl/aclplugin.c +++ b/ldap/servers/plugins/acl/aclplugin.c @@ -110,14 +110,22 @@ aclplugin_preop_search ( Slapi_PBlock *pb ) Slapi_DN *sdn = NULL; int optype; int isRoot; + int isProxy = 0; int rc = 0; + char *errtxt = NULL; + char *proxy_dn = NULL; TNF_PROBE_0_DEBUG(aclplugin_preop_search_start ,"ACL",""); slapi_pblock_get ( pb, SLAPI_OPERATION_TYPE, &optype ); slapi_pblock_get ( pb, SLAPI_REQUESTOR_ISROOT, &isRoot ); - if ( isRoot ) { + if (LDAP_SUCCESS == proxyauth_get_dn(pb, &proxy_dn, &errtxt) && proxy_dn) { + isProxy = 1; + slapi_ch_free_string(&proxy_dn); + } + + if ( isRoot && !isProxy) { TNF_PROBE_1_DEBUG(aclplugin_preop_search_end ,"ACL","", tnf_string,isroot,""); return rc;