2 * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
3 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
6 * Copyright (c) 1993 Regents of the University of Michigan.
17 #include <ac/stdlib.h>
20 #include <ac/socket.h>
21 #include <ac/string.h>
28 * ldap_kerberos_bind1 - initiate a bind to the ldap server using
29 * kerberos authentication. The dn is supplied. It is assumed the user
30 * already has a valid ticket granting ticket. The msgid of the
31 * request is returned on success (suitable for passing to ldap_result()),
32 * -1 is returned if there's trouble.
35 * ldap_kerberos_bind1( ld, "cn=manager, o=university of michigan, c=us" )
38 ldap_kerberos_bind1( LDAP *ld, LDAP_CONST char *dn )
	/*
	 * NOTE(review): this listing is an excerpt. The gaps in the gutter
	 * numbers are elided lines (opening/closing braces, the declarations of
	 * ber, rc, cred and credlen, the failure branches and their cleanup),
	 * so the comments below describe only what is visible.
	 */
43 #ifdef STR_TRANSLATION
	/* Records whether LBER_TRANSLATE_STRINGS was set so it can be restored below. */
44 int str_translation_on;
45 #endif /* STR_TRANSLATION */
48 * The bind request looks like this:
49 * BindRequest ::= SEQUENCE {
51 * name DistinguishedName,
52 * authentication CHOICE {
53 * krbv42ldap [1] OCTET STRING
54 * krbv42dsa [2] OCTET STRING
57 * all wrapped up in an LDAPMessage sequence.
60 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind1\n", 0, 0, 0 );
	/*
	 * Obtain a kerberos v4 ticket for the "ldapserver" service. cred is a
	 * heap buffer (LDAP_MALLOC in ldap_get_kerberosv4_credentials) and
	 * credlen its byte length; the callee sets ld_errno on failure. The
	 * free of cred is in the elided lines -- confirm it happens on every
	 * path after ber_printf has copied it, and consider clearing the ticket
	 * bytes before the free since they are a credential.
	 */
65 if ( (cred = ldap_get_kerberosv4_credentials( ld, dn, "ldapserver",
66 &credlen )) == NULL ) {
67 return( -1 ); /* ld_errno should already be set */
70 /* create a message to send */
	/* The failure branch (ld_errno, release of cred, return -1) is elided. */
71 if ( (ber = ldap_alloc_ber_with_options( ld )) == NULLBER ) {
76 #ifdef STR_TRANSLATION
	/*
	 * Clear LBER_TRANSLATE_STRINGS for the duration of ber_printf, noting
	 * whether it was set; presumably so the raw ticket bytes in cred are not
	 * run through string translation -- TODO confirm.
	 */
77 if (( str_translation_on = (( ber->ber_options &
78 LBER_TRANSLATE_STRINGS ) != 0 ))) { /* turn translation off */
79 ber->ber_options &= ~LBER_TRANSLATE_STRINGS;
81 #endif /* STR_TRANSLATION */
	/*
	 * Encode the LDAPMessage: { msgid, [APPLICATION] BindRequest { version,
	 * dn, [tag] OCTET STRING } }. ++ld->ld_msgid allocates the request id;
	 * LDAP_AUTH_KRBV41 presumably selects the krbv42ldap [1] choice from the
	 * ASN.1 above, and "o" emits cred with the explicit length credlen (the
	 * ticket is binary, so no NUL terminator is involved).
	 */
84 rc = ber_printf( ber, "{it{isto}}", ++ld->ld_msgid, LDAP_REQ_BIND,
85 ld->ld_version, dn, LDAP_AUTH_KRBV41, cred, credlen );
87 #ifdef STR_TRANSLATION
88 if ( str_translation_on ) { /* restore translation */
89 ber->ber_options |= LBER_TRANSLATE_STRINGS;
91 #endif /* STR_TRANSLATION */
	/* Encoding failed (the rc test is elided): report it; cleanup and return -1 are elided. */
96 ld->ld_errno = LDAP_ENCODING_ERROR;
	/*
	 * Under !LDAP_NOCACHE (the #ifndef is elided) the cache is flushed
	 * before a bind -- presumably because cached results were obtained under
	 * the previous identity. Note ldap_kerberos_bind2 below shows no such
	 * flush in this excerpt.
	 */
103 if ( ld->ld_cache != NULL ) {
104 ldap_flush_cache( ld );
106 #endif /* !LDAP_NOCACHE */
108 /* send the message */
	/*
	 * Returns the msgid on success or -1 with ld_errno set, per the header
	 * comment. No ber_free follows, so ldap_send_initial_request presumably
	 * takes ownership of ber -- confirm.
	 */
109 return ( ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber ));
113 ldap_kerberos_bind1_s( LDAP *ld, LDAP_CONST char *dn )
	/*
	 * Synchronous wrapper: issues ldap_kerberos_bind1 and blocks for its
	 * result. Returns an LDAP result code: ld_errno when the request could
	 * not be sent or no result was obtained, otherwise the code extracted
	 * by ldap_result2error. Opening/closing braces and the msgid/res
	 * declarations are elided in this excerpt.
	 */
118 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind1_s\n", 0, 0, 0 );
120 /* initiate the bind */
121 if ( (msgid = ldap_kerberos_bind1( ld, dn )) == -1 )
122 return( ld->ld_errno );
124 /* wait for a result */
	/*
	 * NOTE(review): ldap_result is handed ld->ld_msgid rather than the local
	 * msgid. They coincide here because ldap_kerberos_bind1 uses
	 * ++ld->ld_msgid, but msgid is otherwise unused and ld_msgid would move
	 * if another request were issued in between; `msgid` is the safer
	 * argument. The null timeval presumably means "no time limit" -- TODO
	 * confirm. The comparison against ldap_result's return value is on the
	 * elided next line.
	 */
125 if ( ldap_result( ld, ld->ld_msgid, 1, (struct timeval *) 0, &res )
127 return( ld->ld_errno ); /* ldap_result sets ld_errno */
	/* Third argument (freeit) is 1: res is released by ldap_result2error. */
130 return( ldap_result2error( ld, res, 1 ) );
134 * ldap_kerberos_bind2 - initiate a bind to the X.500 server using
135 * kerberos authentication. The dn is supplied. It is assumed the user
136 * already has a valid ticket granting ticket. The msgid of the
137 * request is returned on success (suitable for passing to ldap_result()),
138 * -1 is returned if there's trouble.
141 * ldap_kerberos_bind2( ld, "cn=manager, o=university of michigan, c=us" )
144 ldap_kerberos_bind2( LDAP *ld, LDAP_CONST char *dn )
	/*
	 * Same shape as ldap_kerberos_bind1 but targets the DSA: the ticket is
	 * requested for the "x500dsa" service and encoded under
	 * LDAP_AUTH_KRBV42. As above, this is an excerpt -- braces, the
	 * declarations of ber, rc, cred and credlen, and the failure branches
	 * are elided.
	 */
149 #ifdef STR_TRANSLATION
	/* Records whether LBER_TRANSLATE_STRINGS was set so it can be restored below. */
150 int str_translation_on;
151 #endif /* STR_TRANSLATION */
153 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind2\n", 0, 0, 0 );
	/*
	 * cred is a heap buffer owned by this function (LDAP_MALLOC in the
	 * callee); its free is in the elided lines -- confirm every path releases
	 * it, and consider clearing the ticket bytes first. The NULL test is on
	 * the elided next line.
	 */
158 if ( (cred = ldap_get_kerberosv4_credentials( ld, dn, "x500dsa", &credlen ))
160 return( -1 ); /* ld_errno should already be set */
163 /* create a message to send */
	/* The failure branch (ld_errno, release of cred, return -1) is elided. */
164 if ( (ber = ldap_alloc_ber_with_options( ld )) == NULLBER ) {
169 #ifdef STR_TRANSLATION
	/* Disable string translation while the raw ticket bytes are encoded; restored below. */
170 if (( str_translation_on = (( ber->ber_options &
171 LBER_TRANSLATE_STRINGS ) != 0 ))) { /* turn translation off */
172 ber->ber_options &= ~LBER_TRANSLATE_STRINGS;
174 #endif /* STR_TRANSLATION */
	/*
	 * Encode { msgid, BindRequest { version, dn, [tag] OCTET STRING } };
	 * ++ld->ld_msgid allocates the request id and "o" emits cred with the
	 * explicit length credlen.
	 */
177 rc = ber_printf( ber, "{it{isto}}", ++ld->ld_msgid, LDAP_REQ_BIND,
178 ld->ld_version, dn, LDAP_AUTH_KRBV42, cred, credlen );
181 #ifdef STR_TRANSLATION
182 if ( str_translation_on ) { /* restore translation */
183 ber->ber_options |= LBER_TRANSLATE_STRINGS;
185 #endif /* STR_TRANSLATION */
	/*
	 * Encoding failed (the rc test is elided). Unlike ldap_kerberos_bind1,
	 * no cache flush appears between here and the send in this excerpt --
	 * confirm that is intentional.
	 */
191 ld->ld_errno = LDAP_ENCODING_ERROR;
195 /* send the message */
	/* Returns the msgid or -1 with ld_errno set; ber presumably passes to the callee. */
196 return ( ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber ));
199 /* synchronous bind to DSA using kerberos */
201 ldap_kerberos_bind2_s( LDAP *ld, LDAP_CONST char *dn )
	/*
	 * Synchronous wrapper around ldap_kerberos_bind2: sends the DSA bind and
	 * blocks for its result. Returns ld_errno on a local failure, otherwise
	 * the result code extracted by ldap_result2error. Braces and the
	 * msgid/res declarations are elided in this excerpt.
	 */
206 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind2_s\n", 0, 0, 0 );
208 /* initiate the bind */
209 if ( (msgid = ldap_kerberos_bind2( ld, dn )) == -1 )
210 return( ld->ld_errno );
212 /* wait for a result */
	/*
	 * NOTE(review): as in ldap_kerberos_bind1_s, ld->ld_msgid is passed
	 * instead of the local msgid; equal here only because the bind just
	 * used ++ld->ld_msgid. Null timeval presumably means no time limit --
	 * TODO confirm. The test of the return value is on the elided next line.
	 */
213 if ( ldap_result( ld, ld->ld_msgid, 1, (struct timeval *) 0, &res )
215 return( ld->ld_errno ); /* ldap_result sets ld_errno */
	/* freeit == 1: res is released by ldap_result2error. */
218 return( ldap_result2error( ld, res, 1 ) );
221 /* synchronous bind to ldap and DSA using kerberos */
223 ldap_kerberos_bind_s( LDAP *ld, LDAP_CONST char *dn )
	/*
	 * Performs both synchronous kerberos binds in order: first to the ldap
	 * server (ldap_kerberos_bind1_s) and, only if that returned
	 * LDAP_SUCCESS, to the DSA (ldap_kerberos_bind2_s). The failure branch
	 * (presumably `return( err )`) and the braces/err declaration are
	 * elided in this excerpt.
	 */
227 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind_s\n", 0, 0, 0 );
229 if ( (err = ldap_kerberos_bind1_s( ld, dn )) != LDAP_SUCCESS )
	/* Second bind only runs after the first succeeded. */
232 return( ldap_kerberos_bind2_s( ld, dn ) );
238 * ldap_get_kerberosv4_credentials - obtain kerberos v4 credentials for ldap.
239 * The dn of the entry to which to bind is supplied. It's assumed the
240 * user already has a tgt.
244 ldap_get_kerberosv4_credentials(
	/*
	 * Builds a kerberos v4 request for `service` (instance taken from the
	 * default connection, realm taken from the ticket file) and returns a
	 * heap copy of it, or NULL with ld_errno set. Ownership of the returned
	 * buffer passes to the caller (ldap_kerberos_bind1/2 pass it to
	 * ber_printf and presumably free it in elided lines). The first
	 * parameter (elided) is presumably `ld`; the final out-length parameter
	 * and the line that writes it are also elided. `who` is not referenced
	 * in the visible lines.
	 */
246 LDAP_CONST char *who,
247 LDAP_CONST char *service,
252 char realm[REALM_SZ], *cred, *krbinstance;
254 Debug( LDAP_DEBUG_TRACE, "ldap_get_kerberosv4_credentials\n", 0, 0, 0 );
	/*
	 * Realm comes from the ticket file (tkt_string()); without a usable tgt
	 * this fails and is reported as LDAP_INVALID_CREDENTIALS. The stderr
	 * diagnostic is compiled only under LDAP_LIBUI (its #ifdef and the
	 * krb_err_txt[err] argument are elided).
	 */
256 if ( (err = krb_get_tf_realm( tkt_string(), realm )) != KSUCCESS ) {
258 fprintf( stderr, "krb_get_tf_realm failed (%s)\n",
260 #endif /* LDAP_LIBUI */
261 ld->ld_errno = LDAP_INVALID_CREDENTIALS;
	/*
	 * NOTE(review): ld->ld_defconn is dereferenced without a visible NULL
	 * check; if no default connection exists yet this is a NULL dereference
	 * -- confirm that the callers guarantee a connection at this point.
	 */
265 krbinstance = ld->ld_defconn->lconn_krbinstance;
	/*
	 * Build the request into ktxt (declaration elided; presumably a KTEXT_ST
	 * on the stack). krb_err_txt[err] assumes err is a valid index into the
	 * kerberos library's error-text table -- library contract, confirm.
	 * The comparison against KSUCCESS is on the elided next line.
	 */
267 if ( (err = krb_mk_req( &ktxt, service, krbinstance, realm, 0 ))
270 fprintf( stderr, "krb_mk_req failed (%s)\n", krb_err_txt[err] );
271 #endif /* LDAP_LIBUI */
272 ld->ld_errno = LDAP_INVALID_CREDENTIALS;
	/*
	 * Copy the request out of the stack buffer into a heap buffer the
	 * caller owns. ktxt still holds a copy of the credential after return;
	 * consider clearing it before leaving (hygiene, not a correctness issue).
	 * The NULL return on allocation failure is elided.
	 */
276 if ( ( cred = LDAP_MALLOC( ktxt.length )) == NULL ) {
277 ld->ld_errno = LDAP_NO_MEMORY;
282 memcpy( cred, ktxt.dat, ktxt.length );
287 #endif /* !AUTHMAN */
288 #endif /* HAVE_KERBEROS */