2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 * Copyright 1998-2004 The OpenLDAP Foundation.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
15 /* Portions Copyright (c) 1993 Regents of the University of Michigan.
16 * All rights reserved.
18 /* Portions Copyright (C) The Internet Society (1997)
19 * ASN.1 fragments are from RFC 2251; see RFC for full legal notices.
23 * BindRequest ::= SEQUENCE {
25 * name DistinguishedName, -- who
26 * authentication CHOICE {
27 * simple [0] OCTET STRING -- passwd
28 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
29 * krbv42ldap [1] OCTET STRING
30 * krbv42dsa [2] OCTET STRING
32 * sasl [3] SaslCredentials -- LDAPv3
36 * BindResponse ::= SEQUENCE {
37 * COMPONENTS OF LDAPResult,
38 * serverSaslCreds OCTET STRING OPTIONAL -- LDAPv3
45 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
48 #include <ac/stdlib.h>
51 #include <ac/socket.h>
52 #include <ac/string.h>
58 * ldap_kerberos_bind1 - initiate a bind to the ldap server using
59 * kerberos authentication. The dn is supplied. It is assumed the user
60 * already has a valid ticket granting ticket. The msgid of the
61 * request is returned on success (suitable for passing to ldap_result()),
62 * -1 is returned if there's trouble.
65 * ldap_kerberos_bind1( ld, "cn=manager, o=university of michigan, c=us" )
68 ldap_kerberos_bind1( LDAP *ld, LDAP_CONST char *dn )
77 LDAP_LOG ( OPERATION, ENTRY, "ldap_kerberos_bind1\n", 0, 0, 0 );
79 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind1\n", 0, 0, 0 );
82 if( ld->ld_version > LDAP_VERSION2 ) {
83 ld->ld_errno = LDAP_NOT_SUPPORTED;
90 if ( (cred = ldap_get_kerberosv4_credentials( ld, dn, "ldapserver",
91 &credlen )) == NULL ) {
92 return( -1 ); /* ld_errno should already be set */
95 /* create a message to send */
96 if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) {
101 LDAP_NEXT_MSGID( ld, id );
103 rc = ber_printf( ber, "{it{istoN}N}", id, LDAP_REQ_BIND,
104 ld->ld_version, dn, LDAP_AUTH_KRBV41, cred, credlen );
109 ld->ld_errno = LDAP_ENCODING_ERROR;
116 /* send the message */
117 return ( ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id ));
121 ldap_kerberos_bind1_s( LDAP *ld, LDAP_CONST char *dn )
127 LDAP_LOG ( OPERATION, ENTRY, "ldap_kerberos_bind1_s\n", 0, 0, 0 );
129 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind1_s\n", 0, 0, 0 );
132 /* initiate the bind */
133 if ( (msgid = ldap_kerberos_bind1( ld, dn )) == -1 )
134 return( ld->ld_errno );
136 /* wait for a result */
137 if ( ldap_result( ld, msgid, 1, (struct timeval *) 0, &res )
139 return( ld->ld_errno ); /* ldap_result sets ld_errno */
142 return( ldap_result2error( ld, res, 1 ) );
146 * ldap_kerberos_bind2 - initiate a bind to the X.500 server using
147 * kerberos authentication. The dn is supplied. It is assumed the user
148 * already has a valid ticket granting ticket. The msgid of the
149 * request is returned on success (suitable for passing to ldap_result()),
150 * -1 is returned if there's trouble.
153 * ldap_kerberos_bind2( ld, "cn=manager, o=university of michigan, c=us" )
156 ldap_kerberos_bind2( LDAP *ld, LDAP_CONST char *dn )
165 LDAP_LOG ( OPERATION, ENTRY, "ldap_kerberos_bind2\n", 0, 0, 0 );
167 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind2\n", 0, 0, 0 );
170 if( ld->ld_version > LDAP_VERSION2 ) {
171 ld->ld_errno = LDAP_NOT_SUPPORTED;
178 if ( (cred = ldap_get_kerberosv4_credentials( ld, dn, "x500dsa", &credlen ))
180 return( -1 ); /* ld_errno should already be set */
183 /* create a message to send */
184 if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) {
189 LDAP_NEXT_MSGID( ld, id );
191 rc = ber_printf( ber, "{it{istoN}N}", id, LDAP_REQ_BIND,
192 ld->ld_version, dn, LDAP_AUTH_KRBV42, cred, credlen );
198 ld->ld_errno = LDAP_ENCODING_ERROR;
202 /* send the message */
203 return ( ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id ));
206 /* synchronous bind to DSA using kerberos */
208 ldap_kerberos_bind2_s( LDAP *ld, LDAP_CONST char *dn )
214 LDAP_LOG ( OPERATION, ENTRY, "ldap_kerberos_bind2_s\n" , 0, 0, 0);
216 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind2_s\n", 0, 0, 0 );
219 /* initiate the bind */
220 if ( (msgid = ldap_kerberos_bind2( ld, dn )) == -1 )
221 return( ld->ld_errno );
223 /* wait for a result */
224 if ( ldap_result( ld, msgid, 1, (struct timeval *) 0, &res )
226 return( ld->ld_errno ); /* ldap_result sets ld_errno */
229 return( ldap_result2error( ld, res, 1 ) );
232 /* synchronous bind to ldap and DSA using kerberos */
234 ldap_kerberos_bind_s( LDAP *ld, LDAP_CONST char *dn )
239 LDAP_LOG ( OPERATION, ENTRY, "ldap_kerberos_bind_s\n", 0, 0, 0 );
241 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind_s\n", 0, 0, 0 );
244 if ( (err = ldap_kerberos_bind1_s( ld, dn )) != LDAP_SUCCESS )
247 return( ldap_kerberos_bind2_s( ld, dn ) );
253 * ldap_get_kerberosv4_credentials - obtain kerberos v4 credentials for ldap.
254 * The dn of the entry to which to bind is supplied. It's assumed the
255 * user already has a tgt.
259 ldap_get_kerberosv4_credentials(
261 LDAP_CONST char *who,
262 LDAP_CONST char *service,
267 char realm[REALM_SZ], *cred, *krbinstance;
270 LDAP_LOG ( OPERATION, ENTRY, "ldap_get_kerberosv4_credentials\n", 0, 0, 0 );
272 Debug( LDAP_DEBUG_TRACE, "ldap_get_kerberosv4_credentials\n", 0, 0, 0 );
275 if ( (err = krb_get_tf_realm( tkt_string(), realm )) != KSUCCESS ) {
277 LDAP_LOG ( OPERATION, ERR,
278 "ldap_get_kerberosv4_credentials: krb_get_tf_realm failed: %s\n",
279 krb_err_txt[err], 0, 0 );
281 Debug( LDAP_DEBUG_ANY, "ldap_get_kerberosv4_credentials: "
282 "krb_get_tf_realm failed: %s\n", krb_err_txt[err], 0, 0 );
284 ld->ld_errno = LDAP_AUTH_UNKNOWN;
288 if ( ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, NULL ) == -1 ) {
289 /* not connected yet */
290 int rc = ldap_open_defconn( ld );
292 if( rc < 0 ) return NULL;
295 krbinstance = ld->ld_defconn->lconn_krbinstance;
297 if ( (err = krb_mk_req( &ktxt, service, krbinstance, realm, 0 ))
301 LDAP_LOG ( OPERATION, ERR,
302 "ldap_get_kerberosv4_credentials: krb_mk_req failed: %s\n",
303 krb_err_txt[err], 0, 0 );
305 Debug( LDAP_DEBUG_ANY, "ldap_get_kerberosv4_credentials: "
306 "krb_mk_req failed (%s)\n", krb_err_txt[err], 0, 0 );
308 ld->ld_errno = LDAP_AUTH_UNKNOWN;
312 if ( ( cred = LDAP_MALLOC( ktxt.length )) == NULL ) {
313 ld->ld_errno = LDAP_NO_MEMORY;
318 AC_MEMCPY( cred, ktxt.dat, ktxt.length );
323 #endif /* !AUTHMAN */
324 #endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */