From: <svn...@op...> - 2009-04-06 20:21:36
Author: scriptor Date: Mon Apr 6 22:21:25 2009 New Revision: 5550 URL: http://www.opensync.org/changeset/5550 Log: Completed support for proxy authorization (authz): If you want to act on behalf of someone else, you authenticate as one person, and state the name of the other person as "authorization identifier" authz. Modified: plugins/ldap-sync/src/ldap-sync plugins/ldap-sync/src/ldap_connect.c plugins/ldap-sync/src/ldap_plugin.c plugins/ldap-sync/src/ldap_plugin.h plugins/ldap-sync/src/ldap_sasl.c
Modified: plugins/ldap-sync/src/ldap-sync
==============================================================================
--- plugins/ldap-sync/src/ldap-sync Mon Apr 6 22:20:51 2009 (r5549)
+++ plugins/ldap-sync/src/ldap-sync Mon Apr 6 22:21:25 2009 (r5550)
@@ -15,6 +15,12 @@
 </AdvancedOption>
 <AdvancedOption>
+ <Name>authzid</Name>
+ <Type>string</Type>
+ <Value></Value>
+ </AdvancedOption>
+
+ <AdvancedOption>
 <Name>password</Name>
 <Type>string</Type>
 <Value>secret</Value>
Modified: plugins/ldap-sync/src/ldap_connect.c
==============================================================================
--- plugins/ldap-sync/src/ldap_connect.c Mon Apr 6 22:20:51 2009 (r5549)
+++ plugins/ldap-sync/src/ldap_connect.c Mon Apr 6 22:21:25 2009 (r5550)
@@ -1350,7 +1350,7 @@
 msg = ldap_plugin_report_ldap_error(sinkenv, __FILE__, __LINE__, rv);
- osync_error_set(error, OSYNC_ERROR_GENERIC, "%s:%i: ERROR: Unable to search on \"%s\" with filter \"%s\" and scope \"%s\": %s", __FILE__, __LINE__, searchbase, filter, scope_str, msg ? msg : "");
+ osync_error_set(error, OSYNC_ERROR_GENERIC, "%s:%i: ERROR: Unable to search on \"%s\" with authentication mechanism \"%s\", filter \"%s\" and scope \"%s\": %s", __FILE__, __LINE__, searchbase, sinkenv->authmech, filter, scope_str, msg ? msg : "");
 if (msg) {
 g_free(msg);
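Review bot: The new error message hands `sinkenv->authmech` directly to a `%s` conversion, and the free path added to ldap_plugin.c in this same commit (the hunk at line 82) shows that field is legitimately NULL when no SASL mechanism is configured; passing NULL for `%s` is undefined behaviour in C (glibc happens to print "(null)", other libcs may crash), so a failed search under simple or anonymous bind could abort while reporting an unrelated error. Substitute a placeholder when it is unset, e.g. replace the argument with `sinkenv->authmech ? sinkenv->authmech : "(none)"`. The enclosing function starts and ends outside this hunk, so I cannot see whether `searchbase` and `filter` are guaranteed non-NULL here either; if they are not, the same guard applies to them.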
@@ -2242,7 +2242,7 @@
 #endif
- osync_trace(TRACE_INTERNAL, "%s:%i: WARNING: uid = NULL. Returning NULL. May be, that there is really not a single entry stored on the LDAP server.\n", __FILE__, __LINE__);
+ osync_trace(TRACE_INTERNAL, "%s:%i: WARNING: uid = NULL. Returning NULL. May be, that there is really not a single entry stored on the LDAP server. Authentication mechanism = \"%s\", objtype = \"%s\", scope LDAP_SCOPE_ONELEVEL, searchbase = \"%s\", filter=\"%s\".\n", __FILE__, __LINE__, sinkenv->authmech, osync_objtype_sink_get_name(sinkenv->sink), sinkenv->searchbase, filter);
 if (ldap_get_option(sinkenv->ld, LDAP_OPT_RESULT_CODE, &result_code) != LDAP_OPT_SUCCESS) {
Modified: plugins/ldap-sync/src/ldap_plugin.c
==============================================================================
--- plugins/ldap-sync/src/ldap_plugin.c Mon Apr 6 22:20:51 2009 (r5549)
+++ plugins/ldap-sync/src/ldap_plugin.c Mon Apr 6 22:21:25 2009 (r5550)
@@ -82,6 +82,11 @@
 sinkenv->authcid = NULL;
 }
+ if (sinkenv->authzid) {
+ g_free(sinkenv->authzid);
+ sinkenv->authzid = NULL;
+ }
+
 if (sinkenv->authmech) {
 g_free(sinkenv->authmech);
 sinkenv->authmech = NULL;
@@ -617,6 +622,7 @@
 sinkenv->binddn = NULL;
 sinkenv->bindpwd = NULL;
 sinkenv->authcid = NULL;
+ sinkenv->authzid = NULL;
 sinkenv->searchbase = NULL;
 sinkenv->searchfilter = NULL;
 sinkenv->storebase = NULL;
@@ -684,6 +690,9 @@
 if (!strcmp(name, "authcid"))
 sinkenv->authcid = g_strdup(val);
+ if (!strcmp(name, "authzid"))
+ sinkenv->authzid = g_strdup(val);
+
 if (!strcmp(name, "anonymous")) {
 #ifdef DEBUG_auth
 ldap_plugin_printf("%s:%i: Previous setting of anonymous was: %i", __FILE__, __LINE__, sinkenv->anonymous);
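Review bot: The extended trace passes `sinkenv->authmech` and `sinkenv->searchbase` to `%s` conversions without a NULL guard, and the ldap_plugin.c hunks in this commit show both fields start as NULL (line 617 initialisation) and are reset to NULL when freed (line 82); a trace call on the "no entries found" path should not be able to introduce undefined behaviour into an otherwise benign situation. Wrap each with a placeholder, e.g. `sinkenv->authmech ? sinkenv->authmech : "(none)"` and `sinkenv->searchbase ? sinkenv->searchbase : "(none)"`, and do the same for `filter` unless the caller guarantees it. The enclosing function begins and ends outside this hunk.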
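Review bot: In the option parser at line 690 an `authzid` option with an empty value, which is exactly what the shipped ldap-sync config defaults to in this commit (`<Value></Value>`), is stored as `g_strdup("")`, so `sinkenv->authzid` becomes non-NULL but empty and every `if (sinkenv->authzid)` check in the plugin will treat proxy authorization as configured; since this field selects the identity the sync acts under, "unset" and "empty" should not diverge. Also, a repeated option overwrites the previous `g_strdup` without freeing it. Both are covered by `if (!strcmp(name, "authzid")) { g_free(sinkenv->authzid); sinkenv->authzid = (val && *val) ? g_strdup(val) : NULL; }` (g_free(NULL) is a no-op). The enclosing function starts and ends outside this hunk, so I cannot see how `val` is produced.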
@@ -1012,6 +1021,12 @@
 osync_trace(TRACE_INTERNAL, "sinkenv->authcid = NULL");
+ if (sinkenv->authzid)
+ osync_trace(TRACE_INTERNAL, "sinkenv->authzid = \"%s\"", sinkenv->authzid);
+ else
+ osync_trace(TRACE_INTERNAL, "sinkenv->authzid = NULL");
+
+
 if (sinkenv->bindpwd)
 osync_trace(TRACE_SENSITIVE, "sinkenv->bindpwd = \"%s\"", sinkenv->bindpwd);
 else
Modified: plugins/ldap-sync/src/ldap_plugin.h
==============================================================================
--- plugins/ldap-sync/src/ldap_plugin.h Mon Apr 6 22:20:51 2009 (r5549)
+++ plugins/ldap-sync/src/ldap_plugin.h Mon Apr 6 22:21:25 2009 (r5550)
@@ -319,6 +319,9 @@
 char *url; ///< URL, resulting from hostname, port and encryption.
 char *binddn; ///< Bind DN (for simple authentication)
 char *authcid; ///< authcid (for SASL based authentication)
+ char *authzid; ///< authzid If the user wants to act on behalf of
+ ///< someone else. Proxy authorization: Authenticate
+ ///< as one person, act as a different person.
 char *bindpwd; ///< Bind password
 char *searchbase; ///< Base DN for any searches
 char *searchfilter; ///< Search filter
Modified: plugins/ldap-sync/src/ldap_sasl.c
==============================================================================
--- plugins/ldap-sync/src/ldap_sasl.c Mon Apr 6 22:20:51 2009 (r5549)
+++ plugins/ldap-sync/src/ldap_sasl.c Mon Apr 6 22:21:25 2009 (r5550)
@@ -138,11 +138,14 @@
 * Has to be freed by ber_free(); likewise the members of this struct.
 *
 * @param ld The LDAP connection handle.
- * @param mech The SASL mechanism.
+ * @param mech The SASL authentication mechanism.
 * @param realm SASL realm
- * @param authcid For authentication
+ * @param authcid The authentication identifier.
 * @param passwd Password
- * @param authzid For authorization
+ * @param authzid The authorization identifier, if the person who has
+ * authenticated as authcid wants to act on behalf of
+ * someone else. Then the authzid must be the identifier
+ * of this other person.
 *
 */ |
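Review bot: The new `@param authzid` text in ldap_sasl.c describes what the caller intends but not the two things a user of this parameter needs to know: that the client cannot grant itself proxy authorization — the directory server decides whether `authcid` may assume `authzid` (OpenLDAP, for example, enforces this through its authz-policy / authzTo / authzFrom settings) and otherwise rejects the bind — and what happens when the parameter is NULL. I would append to the docstring: `The server's authorization policy decides whether authcid may assume authzid; if it does not, the bind fails. Pass NULL to bind without proxy authorization.` The NULL sentence assumes NULL is the "unset" state, which the `sinkenv->authzid = NULL` initialisation in ldap_plugin.c suggests but this hunk does not show — confirm against the function body, which lies outside the hunk. Mention as well that the identifier must be in the form the server expects (OpenLDAP uses `u:<name>` or `dn:<DN>` prefixes), since a bare name silently binds as nobody useful.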