Package: openldap2.3
Version: 2.3.30
Severity: wishlist

Normally the OpenLDAP utils follow referrals anonymously, even if the
user supplied credentials. The attached patch adds an option, so the user
can supply a chase type (with credentials or anonymously).

From my changelog:

 * Add -B (rebind type) option to change referral chasing rebinds:
   + anon = old behavior (anonymous rebind)
   + cred = use credentials for rebind

Jan-Marek

P.S. I also have ports of this patch for 2.2 and 2.4, if needed
diff -urN openldap-2.3.30-debian/clients/tools/common.c 
openldap-2.3.30/clients/tools/common.c
--- openldap-2.3.30-debian/clients/tools/common.c       2006-01-03 
23:16:01.000000000 +0100
+++ openldap-2.3.30/clients/tools/common.c      2007-11-29 11:27:53.000000000 
+0100
@@ -85,6 +85,7 @@
 struct berval passwd = { 0, NULL };
 char *pw_file = NULL;
 int   referrals = 0;
+int   referral_rebind = 0;
 int   protocol = -1;
 int   verbose = 0;
 int   version = 0;
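Review bot: `referral_rebind` is introduced with external linkage at the top of the hunk, yet every use the patch adds is inside common.c (the option parser and the `ldap_set_rebind_proc` call), so `static int referral_rebind = 0;` would keep it out of the namespace shared by all the tools and make its scope obvious. If individual tools are meant to read it, the matching `extern` declaration in common.h is missing from the patch.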
@@ -107,6 +108,9 @@
 /* Set in main() */
 char *prog = NULL;
 
+static int tool_default_rebind( LDAP *ld, LDAP_CONST char *url,
+               ber_tag_t request, ber_int_t msgid, void *params );
+
 void
 tool_init( void )
 {
@@ -130,8 +134,11 @@
 tool_common_usage( void )
 {
        static const char *const descriptions[] = {
+N_("  -B <type>  referral rebind method (anon|cred)\n"),
+N_("             anon: anonymously (default)\n"),
+N_("             cred: use provided credentials\n"),
 N_("  -c         continuous operation mode (do not stop on errors)\n"),
-N_("  -C         chase referrals (anonymously)\n"),
+N_("  -C         chase referrals (default: anonymously - see '-B')\n"),
 N_("  -d level   set LDAP debugging level to `level'\n"),
 N_("  -D binddn  bind DN\n"),
 N_("  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)\n")
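Review bot: The `cred:` line near the top of the hunk describes the mode without saying where the credentials go: with `-B cred` the rebind callback presents the bind password (or SASL identity) to every server a referral points at, which is exactly what a user weighing the option needs to see at `-h` time. A line after it such as `N_("                   (sent to every referred-to server)\n")` keeps the usage compact while making the trade-off visible.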
@@ -226,6 +233,16 @@
                int crit, ival;
                char *control, *cvalue, *next;
                switch( i ) {
+               case 'B':
+                       if( strcmp( optarg, "anon" ) == 0 )
+                               referral_rebind = 0;
+                       else if( strcmp( optarg, "cred" ) == 0 )
+                               referral_rebind = 1;
+                       else {
+                               fprintf( stderr, "%s: unknown referal option 
\"%s\"\n", prog, optarg);
+                               exit(EXIT_FAILURE);
+                       }
+                       break;
                case 'c':       /* continuous operation mode */
                        contoper++;
                        break;
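Review bot: The error string in the new `case 'B'` misspells the option's subject, `"%s: unknown referal option \"%s\"\n"`; it should read `"%s: unknown referral rebind method \"%s\"\n"` so it matches the usage text. Also, `-B cred` has no effect unless `-C` is also given, because the rebind procedure is only installed when `referrals` is set, and nothing tells the user that; a warning such as `fprintf( stderr, "%s: -B has no effect without -C\n", prog );` where the connection is set up, or a note in the usage text, would avoid a silent no-op. tool_args continues outside the hunk.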
@@ -877,6 +894,12 @@
                                referrals ? "on" : "off" );
                        exit( EXIT_FAILURE );
                }
+               else if( referrals && referral_rebind && (ldap_set_rebind_proc
+                       ( ld, tool_default_rebind, NULL ) != LDAP_OPT_SUCCESS ))
+               {
+                       fprintf( stderr, "Could not set LDAP_OPT_REBIND_PROC\n" 
);
+                       exit( EXIT_FAILURE );
+               }
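Review bot: The new `else if` is chained to an `if` whose body unconditionally calls `exit()`, so the `else` is dead syntax; a separate `if( referrals && referral_rebind && ldap_set_rebind_proc( ld, tool_default_rebind, NULL ) != LDAP_OPT_SUCCESS )` reads more naturally and matches the other option checks in this function. The enclosing tool_conn_setup continues outside the hunk.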
 
                if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &protocol )
                        != LDAP_OPT_SUCCESS )
@@ -899,10 +922,11 @@
        return ld;
 }
 
-
-void
-tool_bind( LDAP *ld )
+static int
+tool_do_bind( LDAP *ld )
 {
+       int rc = EXIT_FAILURE;
+
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
        if ( ppolicy ) {
                LDAPControl *ctrls[2], c;
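Review bot: `int rc = EXIT_FAILURE;` at the top of the hunk seeds a variable that tool_do_bind now returns as an LDAP result code, and EXIT_FAILURE is a process exit status, not an LDAP code; the same value is what the later `return rc;` lines after the ldap_bind, ldap_result and ldap_parse_result failures hand back, and the SASL-secprops hunk returns ldap_set_option's status through the same path. Since tool_default_rebind passes this value straight to libldap, initialise it with an LDAP code, `int rc = LDAP_OTHER;`, and in the three ldap_* failure paths fetch the real code with `ldap_get_option( ld, LDAP_OPT_ERROR_NUMBER, &rc );` before returning. tool_do_bind's body continues past the hunk.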
@@ -919,7 +943,6 @@
        if ( authmethod == LDAP_AUTH_SASL ) {
 #ifdef HAVE_CYRUS_SASL
                void *defaults;
-               int rc;
 
                if( sasl_secprops != NULL ) {
                        rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
@@ -929,7 +952,7 @@
                                fprintf( stderr,
                                        "Could not set 
LDAP_OPT_X_SASL_SECPROPS: %s\n",
                                        sasl_secprops );
-                               exit( EXIT_FAILURE );
+                               return rc;
                        }
                }
 
@@ -947,12 +970,12 @@
                lutil_sasl_freedefs( defaults );
                if( rc != LDAP_SUCCESS ) {
                        ldap_perror( ld, "ldap_sasl_interactive_bind_s" );
-                       exit( EXIT_FAILURE );
+                       return rc;
                }
 #else
                fprintf( stderr, "%s: not compiled with SASL support\n",
                        prog );
-               exit( EXIT_FAILURE );
+               rc = LDAP_AUTH_METHOD_NOT_SUPPORTED;
 #endif
        } else {
                int msgid, err;
@@ -968,19 +991,19 @@
                msgid = ldap_bind( ld, binddn, passwd.bv_val, authmethod );
                if ( msgid == -1 ) {
                        ldap_perror( ld, "ldap_bind" );
-                       exit( EXIT_FAILURE );
+                       return rc;
                }
 
                if ( ldap_result( ld, msgid, 1, NULL, &result ) == -1 ) {
                        ldap_perror( ld, "ldap_result" );
-                       exit( EXIT_FAILURE );
+                       return rc;
                }
 
                if ( ldap_parse_result( ld, result, &err, &matched, &info, 
&refs,
                        &ctrls, 1 ) != LDAP_SUCCESS )
                {
                        ldap_perror( ld, "ldap_bind parse result" );
-                       exit( EXIT_FAILURE );
+                       return rc;
                }
 
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
@@ -1030,9 +1053,17 @@
                        if( info ) ber_memfree( info );
                        if( refs ) ber_memvfree( (void **)refs );
 
-                       if ( err != LDAP_SUCCESS ) exit( EXIT_FAILURE );
+                       rc = err;
                }
        }
+
+       return rc;
+}
+
+void tool_bind( LDAP *ld )
+{
+       if( tool_do_bind( ld ) != LDAP_SUCCESS )
+               exit( EXIT_FAILURE );
 }
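Review bot: `rc = err;` replaces the old exit inside a diagnostic block whose opening condition lies above the hunk; if that block is only entered when there is something to report (an error, a matched DN, extra info or referrals), a clean simple bind never assigns rc and tool_do_bind returns its initial value, so tool_bind would exit after every successful bind and tool_default_rebind would report failure to libldap. Moving the assignment to just after that block's closing brace, `}` followed by `rc = err;`, makes the return value reflect the bind result on every path. Separately, `void tool_bind( LDAP *ld )` puts the return type on the signature line while the rest of the file, including tool_do_bind just above, puts it on its own line.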
 
 void
@@ -1272,3 +1303,16 @@
        return 0;
 }
 
+/*
+ * tool_default_rebind
+ *
+ * This is a callback used for chasing referrals using the same
+ * credentials as the original user on this session.
+ */
+static int
+tool_default_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request,
+    ber_int_t msgid, void *params )
+{
+       return tool_do_bind( ld );
+}
+
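Review bot: tool_default_rebind forwards the session's credentials to whatever server `url` names without looking at the URL, so with `-B cred` a simple-bind password goes to any host the original server refers to, and as far as the hunks show nothing re-issues StartTLS on that new connection, so a `-Z` session can end up sending the password in clear on the referred link. The comment should say so, e.g. `Called by libldap for each chased referral; re-sends the original bind DN/password (or SASL identity) to the referred-to server named by url, over whatever security that new connection has.`, and a trace such as `if ( verbose ) fprintf( stderr, "rebinding to %s with session credentials\n", url );` lets users see where credentials went. Parsing `url` with ldap_url_parse() and refusing a simple-bind rebind to a non-ldaps target unless the user opted in would close the gap; the unused `request`, `msgid` and `params` parameters are fine for the callback signature.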
diff -urN openldap-2.3.30-debian/clients/tools/ldapcompare.c 
openldap-2.3.30/clients/tools/ldapcompare.c
--- openldap-2.3.30-debian/clients/tools/ldapcompare.c  2006-01-03 
23:16:01.000000000 +0100
+++ openldap-2.3.30/clients/tools/ldapcompare.c 2007-11-29 11:27:53.000000000 
+0100
@@ -99,7 +99,7 @@
 
 
 const char options[] = "z"
-       "Cd:D:e:h:H:IkKMnO:p:P:QR:U:vVw:WxX:y:Y:Z";
+       "B:Cd:D:e:h:H:IkKMnO:p:P:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )
diff -urN openldap-2.3.30-debian/clients/tools/ldapmodify.c 
openldap-2.3.30/clients/tools/ldapmodify.c
--- openldap-2.3.30-debian/clients/tools/ldapmodify.c   2006-04-04 
05:23:28.000000000 +0200
+++ openldap-2.3.30/clients/tools/ldapmodify.c  2007-11-29 11:27:53.000000000 
+0100
@@ -153,7 +153,7 @@
 
 
 const char options[] = "aE:FrS:"
-       "cd:D:e:f:h:H:IkKMnO:p:P:QR:U:vVw:WxX:y:Y:Z";
+       "B:cd:D:e:f:h:H:IkKMnO:p:P:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )
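Review bot: `B:` is added to the ldapmodify option string although the old side of the string contains no `C`, so the tool will accept `-B` while the only code that acts on `referral_rebind` is guarded by `referrals`, which nothing in ldapmodify can set; the ldapmodrdn.c hunk has the same shape, and ldapdelete.c is not in the patch at all. Either add `C` alongside `B:` where referral chasing is meant to be supported, or leave `B:` out of tools that cannot chase referrals, so `-B` never parses as a silent no-op.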
diff -urN openldap-2.3.30-debian/clients/tools/ldapmodrdn.c 
openldap-2.3.30/clients/tools/ldapmodrdn.c
--- openldap-2.3.30-debian/clients/tools/ldapmodrdn.c   2006-01-03 
23:16:01.000000000 +0100
+++ openldap-2.3.30/clients/tools/ldapmodrdn.c  2007-11-29 11:27:53.000000000 
+0100
@@ -90,7 +90,7 @@
 
 
 const char options[] = "rs:"
-       "cd:D:e:f:h:H:IkKMnO:p:P:QR:U:vVw:WxX:y:Y:Z";
+       "B:cd:D:e:f:h:H:IkKMnO:p:P:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )
diff -urN openldap-2.3.30-debian/clients/tools/ldappasswd.c 
openldap-2.3.30/clients/tools/ldappasswd.c
--- openldap-2.3.30-debian/clients/tools/ldappasswd.c   2006-02-16 
21:06:03.000000000 +0100
+++ openldap-2.3.30/clients/tools/ldappasswd.c  2007-11-29 11:27:53.000000000 
+0100
@@ -81,7 +81,7 @@
 
 
 const char options[] = "a:As:St:T:"
-       "d:D:e:h:H:InO:p:QR:U:vVw:WxX:y:Y:Z";
+       "B:Cd:D:e:h:H:InO:p:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )
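Review bot: This hunk changes the option string from `"d:D:..."` to `"B:Cd:D:..."`, adding `C` as well as `B:`, so ldappasswd gains referral chasing as a side effect of the rebind option; the ldapwhoami.c hunk does the same. The changelog in the report only mentions `-B`; if enabling `-C` for these two tools is intended, say so in the description and confirm their usage output lists it, otherwise limit the change to `B:` as the other files do.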
diff -urN openldap-2.3.30-debian/clients/tools/ldapsearch.c 
openldap-2.3.30/clients/tools/ldapsearch.c
--- openldap-2.3.30-debian/clients/tools/ldapsearch.c   2006-08-25 
04:51:46.000000000 +0200
+++ openldap-2.3.30/clients/tools/ldapsearch.c  2007-11-29 11:27:53.000000000 
+0100
@@ -233,7 +233,7 @@
 
 
 const char options[] = "a:Ab:cE:F:l:Ls:S:tT:uz:"
-       "Cd:D:e:f:h:H:IkKMnO:p:P:QR:U:vVw:WxX:y:Y:Z";
+       "B:Cd:D:e:f:h:H:IkKMnO:p:P:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )
diff -urN openldap-2.3.30-debian/clients/tools/ldapwhoami.c 
openldap-2.3.30/clients/tools/ldapwhoami.c
--- openldap-2.3.30-debian/clients/tools/ldapwhoami.c   2006-04-04 
05:23:28.000000000 +0200
+++ openldap-2.3.30/clients/tools/ldapwhoami.c  2007-11-29 11:27:53.000000000 
+0100
@@ -62,7 +62,7 @@
 
 
 const char options[] = ""
-       "d:D:e:h:H:InO:p:QR:U:vVw:WxX:y:Y:Z";
+       "B:Cd:D:e:h:H:InO:p:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )
