2 * Copyright (c) 1993 Regents of the University of Michigan.
11 static char copyright[] = "@(#) Copyright (c) 1993 Regents of the University of Michigan.\nAll rights reserved.\n";
20 #include <ac/socket.h>
21 #include <ac/string.h>
31 * ldap_kerberos_bind1 - initiate a bind to the ldap server using
32 * kerberos authentication. The dn is supplied. It is assumed the user
33 * already has a valid ticket granting ticket. The msgid of the
34 * request is returned on success (suitable for passing to ldap_result()),
35 * -1 is returned if there's trouble.
38 * ldap_kerberos_bind1( ld, "cn=manager, o=university of michigan, c=us" )
/*
 * ldap_kerberos_bind1 - asynchronous Kerberos v4 bind to the LDAP server
 * (service name "ldapserver", credential tag LDAP_AUTH_KRBV41).
 *
 * ld  - session handle.  ld->ld_msgid is advanced for the new request and
 *       ld->ld_errno is set on failure (LDAP_ENCODING_ERROR here, or whatever
 *       ldap_get_kerberosv4_credentials left behind).
 * dn  - bind DN, encoded as the BindRequest name.
 *
 * Returns the value of ldap_send_initial_request (the request msgid) on
 * success, -1 on failure.
 *
 * Security notes: the Kerberos ticket is placed in the BindRequest as a plain
 * OCTET STRING; nothing in this function protects it beyond what Kerberos v4
 * itself provides.  The ticket buffer is malloc'ed by
 * ldap_get_kerberosv4_credentials and owned by this function; the free() is
 * not among the lines shown here, so confirm it happens on both the success
 * path and the encoding-error path.
 */
41 ldap_kerberos_bind1( LDAP *ld, char *dn )
/* old-style declaration (no prototype): the compiler cannot check the argument types */
46 char *ldap_get_kerberosv4_credentials();
47 #ifdef STR_TRANSLATION
48 int str_translation_on;
49 #endif /* STR_TRANSLATION */
52 * The bind request looks like this:
53 * BindRequest ::= SEQUENCE {
55 * name DistinguishedName,
56 * authentication CHOICE {
57 * krbv42ldap [1] OCTET STRING
58 * krbv42dsa [2] OCTET STRING
61 * all wrapped up in an LDAPMessage sequence.
64 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind1\n", 0, 0, 0 );
/* obtain a v4 ticket for the "ldapserver" principal; NULL means ld_errno is already set */
69 if ( (cred = ldap_get_kerberosv4_credentials( ld, dn, "ldapserver",
70 &credlen )) == NULL ) {
71 return( -1 ); /* ld_errno should already be set */
74 /* create a message to send */
75 if ( (ber = ldap_alloc_ber_with_options( ld )) == NULLBER ) {
/*
 * The ticket is opaque binary data: suspend character-set translation so
 * ber_printf does not rewrite it, and restore the previous setting below.
 */
80 #ifdef STR_TRANSLATION
81 if (( str_translation_on = (( ber->ber_options &
82 LBER_TRANSLATE_STRINGS ) != 0 ))) { /* turn translation off */
83 ber->ber_options &= ~LBER_TRANSLATE_STRINGS;
85 #endif /* STR_TRANSLATION */
/*
 * "{it{isto}}": msgid, BindRequest tag, version, name, then the [1] OCTET
 * STRING carrying (cred, credlen).  ++ld->ld_msgid allocates the msgid.
 */
88 rc = ber_printf( ber, "{it{isto}}", ++ld->ld_msgid, LDAP_REQ_BIND,
89 ld->ld_version, dn, LDAP_AUTH_KRBV41, cred, credlen );
91 #ifdef STR_TRANSLATION
92 if ( str_translation_on ) { /* restore translation */
93 ber->ber_options |= LBER_TRANSLATE_STRINGS;
95 #endif /* STR_TRANSLATION */
/* encoding failure path; the rc test guarding it is on a line not shown here */
100 ld->ld_errno = LDAP_ENCODING_ERROR;
/*
 * A bind changes the identity the server answers for, so cached results
 * must not survive it (#ifndef LDAP_NOCACHE; the opening directive is not shown).
 */
107 if ( ld->ld_cache != NULL ) {
108 ldap_flush_cache( ld );
110 #endif /* !LDAP_NOCACHE */
112 /* send the message */
113 return ( ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber ));
/*
 * ldap_kerberos_bind1_s - synchronous wrapper around ldap_kerberos_bind1.
 *
 * Issues the bind, blocks for the reply (no timeout), and returns an LDAP
 * result code: ld->ld_errno when the request or the wait fails, otherwise the
 * code extracted from the reply by ldap_result2error.
 *
 * NOTE(review): the msgid returned by ldap_kerberos_bind1 is only compared
 * against -1; the wait uses ld->ld_msgid instead.  The two are equal right
 * after the bind (bind1 does ++ld->ld_msgid), but passing msgid would match
 * the reply to this request explicitly.
 */
117 ldap_kerberos_bind1_s( LDAP *ld, char *dn )
122 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind1_s\n", 0, 0, 0 );
124 /* initiate the bind */
125 if ( (msgid = ldap_kerberos_bind1( ld, dn )) == -1 )
126 return( ld->ld_errno );
128 /* wait for a result */
/* all=1, NULL timeout: blocks until the reply arrives; the comparison operand is on a line not shown */
129 if ( ldap_result( ld, ld->ld_msgid, 1, (struct timeval *) 0, &res )
131 return( ld->ld_errno ); /* ldap_result sets ld_errno */
/* the trailing 1 asks ldap_result2error to free res */
134 return( ldap_result2error( ld, res, 1 ) );
138 * ldap_kerberos_bind2 - initiate a bind to the X.500 server using
139 * kerberos authentication. The dn is supplied. It is assumed the user
140 * already has a valid ticket granting ticket. The msgid of the
141 * request is returned on success (suitable for passing to ldap_result()),
142 * -1 is returned if there's trouble.
145 * ldap_kerberos_bind2( ld, "cn=manager, o=university of michigan, c=us" )
/*
 * ldap_kerberos_bind2 - asynchronous Kerberos v4 bind to the X.500 DSA
 * behind the server (service name "x500dsa", credential tag LDAP_AUTH_KRBV42).
 * Mirrors ldap_kerberos_bind1 apart from the principal and the CHOICE tag.
 *
 * ld  - session handle; ld->ld_msgid is advanced, ld->ld_errno set on failure.
 * dn  - bind DN, encoded as the BindRequest name.
 *
 * Returns the value of ldap_send_initial_request (the request msgid) on
 * success, -1 on failure.
 *
 * Security notes: as in ldap_kerberos_bind1 the ticket travels as a plain
 * OCTET STRING.  The malloc'ed ticket buffer is owned here; its free() is not
 * among the lines shown, so confirm it on every exit path.  No cache flush is
 * visible in this function (lines not shown) — confirm whether one is needed.
 */
148 ldap_kerberos_bind2( LDAP *ld, char *dn )
/* old-style declaration (no prototype): the compiler cannot check the argument types */
153 char *ldap_get_kerberosv4_credentials();
154 #ifdef STR_TRANSLATION
155 int str_translation_on;
156 #endif /* STR_TRANSLATION */
158 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind2\n", 0, 0, 0 );
/* obtain a v4 ticket for the "x500dsa" principal; NULL means ld_errno is already set */
163 if ( (cred = ldap_get_kerberosv4_credentials( ld, dn, "x500dsa", &credlen ))
165 return( -1 ); /* ld_errno should already be set */
168 /* create a message to send */
169 if ( (ber = ldap_alloc_ber_with_options( ld )) == NULLBER ) {
/* suspend character-set translation so the binary ticket is encoded verbatim; restored below */
174 #ifdef STR_TRANSLATION
175 if (( str_translation_on = (( ber->ber_options &
176 LBER_TRANSLATE_STRINGS ) != 0 ))) { /* turn translation off */
177 ber->ber_options &= ~LBER_TRANSLATE_STRINGS;
179 #endif /* STR_TRANSLATION */
/* "{it{isto}}": msgid, BindRequest tag, version, name, [2] OCTET STRING (cred, credlen) */
182 rc = ber_printf( ber, "{it{isto}}", ++ld->ld_msgid, LDAP_REQ_BIND,
183 ld->ld_version, dn, LDAP_AUTH_KRBV42, cred, credlen );
186 #ifdef STR_TRANSLATION
187 if ( str_translation_on ) { /* restore translation */
188 ber->ber_options |= LBER_TRANSLATE_STRINGS;
190 #endif /* STR_TRANSLATION */
/* encoding failure path; the rc test guarding it is on a line not shown here */
196 ld->ld_errno = LDAP_ENCODING_ERROR;
200 /* send the message */
201 return ( ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber ));
204 /* synchronous bind to DSA using kerberos */
/*
 * ldap_kerberos_bind2_s - synchronous wrapper around ldap_kerberos_bind2.
 *
 * Issues the DSA bind, blocks for the reply (no timeout), and returns an LDAP
 * result code: ld->ld_errno when the request or the wait fails, otherwise the
 * code extracted from the reply by ldap_result2error.
 *
 * NOTE(review): as in ldap_kerberos_bind1_s, the returned msgid is only
 * compared against -1 and the wait uses ld->ld_msgid; they coincide right
 * after the bind, but passing msgid would be the explicit match.
 */
206 ldap_kerberos_bind2_s( LDAP *ld, char *dn )
211 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind2_s\n", 0, 0, 0 );
213 /* initiate the bind */
214 if ( (msgid = ldap_kerberos_bind2( ld, dn )) == -1 )
215 return( ld->ld_errno );
217 /* wait for a result */
/* all=1, NULL timeout: blocks until the reply arrives; the comparison operand is on a line not shown */
218 if ( ldap_result( ld, ld->ld_msgid, 1, (struct timeval *) 0, &res )
220 return( ld->ld_errno ); /* ldap_result sets ld_errno */
/* the trailing 1 asks ldap_result2error to free res */
223 return( ldap_result2error( ld, res, 1 ) );
226 /* synchronous bind to ldap and DSA using kerberos */
/*
 * ldap_kerberos_bind_s - synchronous Kerberos bind to both the LDAP server
 * and the DSA: ldap_kerberos_bind1_s first, then ldap_kerberos_bind2_s.
 *
 * Returns LDAP_SUCCESS only if both binds succeed.  When the first bind fails
 * the function exits early (the return statement for that case is on a line
 * not shown here; presumably it returns err); otherwise the result of the
 * second bind is returned.
 */
228 ldap_kerberos_bind_s( LDAP *ld, char *dn )
232 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind_s\n", 0, 0, 0 );
/* do not attempt the DSA bind if the server bind was refused */
234 if ( (err = ldap_kerberos_bind1_s( ld, dn )) != LDAP_SUCCESS )
237 return( ldap_kerberos_bind2_s( ld, dn ) );
243 * ldap_get_kerberosv4_credentials - obtain kerberos v4 credentials for ldap.
244 * The dn of the entry to which to bind is supplied. It's assumed the
245 * user already has a tgt.
/*
 * ldap_get_kerberosv4_credentials - build a Kerberos v4 AP_REQ for the
 * given service and return it in a freshly malloc'ed buffer.
 *
 * ld      - session handle; supplies the service instance (see below) and
 *           receives ld_errno on failure.
 * who     - bind DN.  Not consulted by the lines shown here; the ticket is
 *           requested purely from service, instance and realm.
 * service - Kerberos service name ("ldapserver" or "x500dsa" from the callers).
 * len     - out: length of the returned buffer (the assignment is on a line
 *           not shown here — confirm it is set before return).
 *
 * Returns the ticket bytes (caller owns and must free) or NULL with ld_errno
 * set to LDAP_INVALID_CREDENTIALS (Kerberos failure) or LDAP_NO_MEMORY.
 *
 * Security notes: the realm comes from the user's ticket file, so the user
 * must already hold a TGT.  The instance is the configured host name (or, with
 * LDAP_REFERRALS, the per-connection krbinstance), i.e. it decides which
 * service principal this ticket is issued for.  ktxt (declared on a line not
 * shown; presumably a KTEXT_ST on the stack) holds the AP_REQ after
 * krb_mk_req and is not cleared after the copy — consider scrubbing it
 * before returning.
 */
249 ldap_get_kerberosv4_credentials( LDAP *ld, char *who, char *service, int *len )
253 char realm[REALM_SZ], *cred, *krbinstance;
255 Debug( LDAP_DEBUG_TRACE, "ldap_get_kerberosv4_credentials\n", 0, 0, 0 );
/* realm of the caller's ticket file; fails if there is no usable TGT */
257 if ( (err = krb_get_tf_realm( tkt_string(), realm )) != KSUCCESS ) {
/* diagnostic to stderr only when built with LDAP_LIBUI (the #ifdef is on a line not shown) */
259 fprintf( stderr, "krb_get_tf_realm failed (%s)\n",
261 #endif /* LDAP_LIBUI */
262 ld->ld_errno = LDAP_INVALID_CREDENTIALS;
/* service instance: per-connection value under LDAP_REFERRALS, else the session host */
266 #ifdef LDAP_REFERRALS
267 krbinstance = ld->ld_defconn->lconn_krbinstance;
268 #else /* LDAP_REFERRALS */
269 krbinstance = ld->ld_host;
270 #endif /* LDAP_REFERRALS */
/* request an AP_REQ for service.krbinstance@realm into ktxt (checksum argument 0) */
272 if ( (err = krb_mk_req( &ktxt, service, krbinstance, realm, 0 ))
275 fprintf( stderr, "krb_mk_req failed (%s)\n", krb_err_txt[err] );
276 #endif /* LDAP_LIBUI */
277 ld->ld_errno = LDAP_INVALID_CREDENTIALS;
/* copy the ticket out of the stack object; the caller frees cred */
281 if ( ( cred = malloc( ktxt.length )) == NULL ) {
282 ld->ld_errno = LDAP_NO_MEMORY;
287 memcpy( cred, ktxt.dat, ktxt.length );
292 #endif /* !AUTHMAN */
293 #endif /* HAVE_KERBEROS */