2 * Copyright (c) 1993 Regents of the University of Michigan.
11 static char copyright[] = "@(#) Copyright (c) 1993 Regents of the University of Michigan.\nAll rights reserved.\n";
20 #include <ac/socket.h>
21 #include <ac/string.h>
30 * ldap_kerberos_bind1 - initiate a bind to the ldap server using
31 * kerberos authentication. The dn is supplied. It is assumed the user
32 * already has a valid ticket granting ticket. The msgid of the
33 * request is returned on success (suitable for passing to ldap_result()),
34 * -1 is returned if there's trouble.
37 * ldap_kerberos_bind1( ld, "cn=manager, o=university of michigan, c=us" )
40 ldap_kerberos_bind1( LDAP *ld, char *dn )
45 char *ldap_get_kerberosv4_credentials();
46 #ifdef STR_TRANSLATION
47 int str_translation_on;
48 #endif /* STR_TRANSLATION */
51 * The bind request looks like this:
52 * BindRequest ::= SEQUENCE {
54 * name DistinguishedName,
55 * authentication CHOICE {
56 * krbv42ldap [1] OCTET STRING
57 * krbv42dsa [2] OCTET STRING
60 * all wrapped up in an LDAPMessage sequence.
63 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind1\n", 0, 0, 0 );
68 if ( (cred = ldap_get_kerberosv4_credentials( ld, dn, "ldapserver",
69 &credlen )) == NULL ) {
70 return( -1 ); /* ld_errno should already be set */
73 /* create a message to send */
74 if ( (ber = ldap_alloc_ber_with_options( ld )) == NULLBER ) {
79 #ifdef STR_TRANSLATION
80 if (( str_translation_on = (( ber->ber_options &
81 LBER_TRANSLATE_STRINGS ) != 0 ))) { /* turn translation off */
82 ber->ber_options &= ~LBER_TRANSLATE_STRINGS;
84 #endif /* STR_TRANSLATION */
87 rc = ber_printf( ber, "{it{isto}}", ++ld->ld_msgid, LDAP_REQ_BIND,
88 ld->ld_version, dn, LDAP_AUTH_KRBV41, cred, credlen );
90 #ifdef STR_TRANSLATION
91 if ( str_translation_on ) { /* restore translation */
92 ber->ber_options |= LBER_TRANSLATE_STRINGS;
94 #endif /* STR_TRANSLATION */
99 ld->ld_errno = LDAP_ENCODING_ERROR;
106 if ( ld->ld_cache != NULL ) {
107 ldap_flush_cache( ld );
109 #endif /* !NO_CACHE */
111 /* send the message */
112 return ( ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber ));
116 ldap_kerberos_bind1_s( LDAP *ld, char *dn )
121 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind1_s\n", 0, 0, 0 );
123 /* initiate the bind */
124 if ( (msgid = ldap_kerberos_bind1( ld, dn )) == -1 )
125 return( ld->ld_errno );
127 /* wait for a result */
128 if ( ldap_result( ld, ld->ld_msgid, 1, (struct timeval *) 0, &res )
130 return( ld->ld_errno ); /* ldap_result sets ld_errno */
133 return( ldap_result2error( ld, res, 1 ) );
137 * ldap_kerberos_bind2 - initiate a bind to the X.500 server using
138 * kerberos authentication. The dn is supplied. It is assumed the user
139 * already has a valid ticket granting ticket. The msgid of the
140 * request is returned on success (suitable for passing to ldap_result()),
141 * -1 is returned if there's trouble.
144 * ldap_kerberos_bind2( ld, "cn=manager, o=university of michigan, c=us" )
147 ldap_kerberos_bind2( LDAP *ld, char *dn )
152 char *ldap_get_kerberosv4_credentials();
153 #ifdef STR_TRANSLATION
154 int str_translation_on;
155 #endif /* STR_TRANSLATION */
157 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind2\n", 0, 0, 0 );
162 if ( (cred = ldap_get_kerberosv4_credentials( ld, dn, "x500dsa", &credlen ))
164 return( -1 ); /* ld_errno should already be set */
167 /* create a message to send */
168 if ( (ber = ldap_alloc_ber_with_options( ld )) == NULLBER ) {
173 #ifdef STR_TRANSLATION
174 if (( str_translation_on = (( ber->ber_options &
175 LBER_TRANSLATE_STRINGS ) != 0 ))) { /* turn translation off */
176 ber->ber_options &= ~LBER_TRANSLATE_STRINGS;
178 #endif /* STR_TRANSLATION */
181 rc = ber_printf( ber, "{it{isto}}", ++ld->ld_msgid, LDAP_REQ_BIND,
182 ld->ld_version, dn, LDAP_AUTH_KRBV42, cred, credlen );
185 #ifdef STR_TRANSLATION
186 if ( str_translation_on ) { /* restore translation */
187 ber->ber_options |= LBER_TRANSLATE_STRINGS;
189 #endif /* STR_TRANSLATION */
195 ld->ld_errno = LDAP_ENCODING_ERROR;
199 /* send the message */
200 return ( ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber ));
203 /* synchronous bind to DSA using kerberos */
205 ldap_kerberos_bind2_s( LDAP *ld, char *dn )
210 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind2_s\n", 0, 0, 0 );
212 /* initiate the bind */
213 if ( (msgid = ldap_kerberos_bind2( ld, dn )) == -1 )
214 return( ld->ld_errno );
216 /* wait for a result */
217 if ( ldap_result( ld, ld->ld_msgid, 1, (struct timeval *) 0, &res )
219 return( ld->ld_errno ); /* ldap_result sets ld_errno */
222 return( ldap_result2error( ld, res, 1 ) );
225 /* synchronous bind to ldap and DSA using kerberos */
227 ldap_kerberos_bind_s( LDAP *ld, char *dn )
231 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind_s\n", 0, 0, 0 );
233 if ( (err = ldap_kerberos_bind1_s( ld, dn )) != LDAP_SUCCESS )
236 return( ldap_kerberos_bind2_s( ld, dn ) );
242 * ldap_get_kerberosv4_credentials - obtain kerberos v4 credentials for ldap.
243 * The dn of the entry to which to bind is supplied. It's assumed the
244 * user already has a tgt.
248 ldap_get_kerberosv4_credentials( LDAP *ld, char *who, char *service, int *len )
252 char realm[REALM_SZ], *cred, *krbinstance;
254 Debug( LDAP_DEBUG_TRACE, "ldap_get_kerberosv4_credentials\n", 0, 0, 0 );
256 if ( (err = krb_get_tf_realm( tkt_string(), realm )) != KSUCCESS ) {
257 #ifndef NO_USERINTERFACE
258 fprintf( stderr, "krb_get_tf_realm failed (%s)\n",
260 #endif /* NO_USERINTERFACE */
261 ld->ld_errno = LDAP_INVALID_CREDENTIALS;
265 #ifdef LDAP_REFERRALS
266 krbinstance = ld->ld_defconn->lconn_krbinstance;
267 #else /* LDAP_REFERRALS */
268 krbinstance = ld->ld_host;
269 #endif /* LDAP_REFERRALS */
271 if ( (err = krb_mk_req( &ktxt, service, krbinstance, realm, 0 ))
273 #ifndef NO_USERINTERFACE
274 fprintf( stderr, "krb_mk_req failed (%s)\n", krb_err_txt[err] );
275 #endif /* NO_USERINTERFACE */
276 ld->ld_errno = LDAP_INVALID_CREDENTIALS;
280 if ( ( cred = malloc( ktxt.length )) == NULL ) {
281 ld->ld_errno = LDAP_NO_MEMORY;
286 memcpy( cred, ktxt.dat, ktxt.length );
291 #endif /* !AUTHMAN */
292 #endif /* KERBEROS */