git.sur5r.net Git - openldap/blob - servers/slapd/back-bdb/bind.c

   1 /* bind.c - bdb backend bind routine */
   2 /* $OpenLDAP$ */
   3 /*
   4  * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
   5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   6  */
   7
   8 #include "portable.h"
   9
  10 #include <stdio.h>
  11 #include <ac/krb.h>
  12 #include <ac/string.h>
  13 #include <ac/unistd.h>
  14
  15 #include "back-bdb.h"
  16 #include "external.h"
  17
  18 int
  19 bdb_bind( Operation *op, SlapReply *rs )
  20 {
  21         struct bdb_info *bdb = (struct bdb_info *) op->o_bd->be_private;
  22         Entry           *e;
  23         Attribute       *a;
  24         EntryInfo       *ei;
  25 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
  26         char            krbname[MAX_K_NAME_SZ + 1];
  27         AttributeDescription *krbattr = slap_schema.si_ad_krbName;
  28         struct berval   krbval;
  29         AUTH_DAT        ad;
  30 #endif
  31
  32         AttributeDescription *password = slap_schema.si_ad_userPassword;
  33
  34         u_int32_t       locker;
  35         DB_LOCK         lock;
  36
  37 #ifdef NEW_LOGGING
  38         LDAP_LOG ( OPERATION, ARGS, "==> bdb_bind: dn: %s\n", op->o_req_dn.bv_val, 0, 0 );
  39 #else
  40         Debug( LDAP_DEBUG_ARGS, "==> bdb_bind: dn: %s\n", op->o_req_dn.bv_val, 0, 0);
  41 #endif
  42
  43         /* allow noauth binds */
  44         if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE && be_isroot_pw( op )) {
  45                 ber_dupbv( &op->oq_bind.rb_edn, be_root_dn( op->o_bd ) );
  46                 /* front end will send result */
  47                 return LDAP_SUCCESS;
  48         }
  49
  50         rs->sr_err = LOCK_ID(bdb->bi_dbenv, &locker);
  51         switch(rs->sr_err) {
  52         case 0:
  53                 break;
  54         default:
  55                 rs->sr_text = "internal error";
  56                 send_ldap_result( op, rs );
  57                 return rs->sr_err;
  58         }
  59
  60 dn2entry_retry:
  61         /* get entry with reader lock */
  62         rs->sr_err = bdb_dn2entry( op->o_bd, NULL, &op->o_req_ndn, &ei, 1,
  63                 locker, &lock, op->o_tmpmemctx );
  64
  65         switch(rs->sr_err) {
  66         case DB_NOTFOUND:
  67         case 0:
  68                 break;
  69         case LDAP_BUSY:
  70                 send_ldap_error( op, rs, LDAP_BUSY, "ldap_server_busy" );
  71                 LOCK_ID_FREE(bdb->bi_dbenv, locker);
  72                 return LDAP_BUSY;
  73         case DB_LOCK_DEADLOCK:
  74         case DB_LOCK_NOTGRANTED:
  75                 goto dn2entry_retry;
  76         default:
  77                 send_ldap_error( op, rs, LDAP_OTHER, "internal error" );
  78                 LOCK_ID_FREE(bdb->bi_dbenv, locker);
  79                 return rs->sr_err;
  80         }
  81
  82         e = ei->bei_e;
  83         if ( rs->sr_err == DB_NOTFOUND ) {
  84                 if( e != NULL ) {
  85                         rs->sr_ref = is_entry_referral( e )
  86                                 ? get_entry_referrals( op, e )
  87                                 : NULL;
  88                         if (rs->sr_ref)
  89                                 rs->sr_matched = ch_strdup( e->e_name.bv_val );
  90
  91                         bdb_cache_return_entry_r( bdb->bi_dbenv, &bdb->bi_cache, e, &lock );
  92                         e = NULL;
  93                 } else {
  94                         rs->sr_ref = referral_rewrite( default_referral,
  95                                 NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT );
  96                 }
  97
  98                 if ( rs->sr_ref != NULL ) {
  99                         rs->sr_err = LDAP_REFERRAL;
 100                         send_ldap_result( op, rs );
 101                         free( (char *)rs->sr_matched );
 102                         ber_bvarray_free( rs->sr_ref );
 103                         rs->sr_ref = NULL;
 104                         rs->sr_matched = NULL;
 105                 } else {
 106                         rs->sr_err = LDAP_INVALID_CREDENTIALS;
 107                         send_ldap_result( op, rs );
 108                 }
 109
 110                 LOCK_ID_FREE(bdb->bi_dbenv, locker);
 111
 112                 return rs->sr_err;
 113         }
 114
 115         ber_dupbv( &op->oq_bind.rb_edn, &e->e_name );
 116
 117         /* check for deleted */
 118 #ifdef BDB_SUBENTRIES
 119         if ( is_entry_subentry( e ) ) {
 120                 /* entry is an subentry, don't allow bind */
 121 #ifdef NEW_LOGGING
 122                 LDAP_LOG ( OPERATION, DETAIL1,
 123                         "bdb_bind: entry is subentry\n", 0, 0, 0 );
 124 #else
 125                 Debug( LDAP_DEBUG_TRACE, "entry is subentry\n", 0,
 126                         0, 0 );
 127 #endif
 128
 129                 rs->sr_err = LDAP_INVALID_CREDENTIALS;
 130                 send_ldap_result( op );
 131
 132                 goto done;
 133         }
 134 #endif
 135
 136 #ifdef BDB_ALIASES
 137         if ( is_entry_alias( e ) ) {
 138                 /* entry is an alias, don't allow bind */
 139 #ifdef NEW_LOGGING
 140                 LDAP_LOG ( OPERATION, DETAIL1, "bdb_bind: entry is alias\n", 0, 0, 0 );
 141 #else
 142                 Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
 143                         0, 0 );
 144 #endif
 145
 146                 send_ldap_error( op, rs, LDAP_ALIAS_PROBLEM, "entry is alias");
 147
 148                 goto done;
 149         }
 150 #endif
 151
 152         if ( is_entry_referral( e ) ) {
 153                 /* entry is a referral, don't allow bind */
 154                 rs->sr_ref = get_entry_referrals( op, e );
 155
 156 #ifdef NEW_LOGGING
 157                 LDAP_LOG ( OPERATION, DETAIL1,
 158                         "bdb_bind: entry is referral\n", 0, 0, 0 );
 159 #else
 160                 Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
 161                         0, 0 );
 162 #endif
 163
 164                 if( rs->sr_ref != NULL ) {
 165                         rs->sr_err = LDAP_REFERRAL;
 166                         rs->sr_matched = e->e_name.bv_val;
 167                         send_ldap_result( op, rs );
 168                         ber_bvarray_free( rs->sr_ref );
 169                         rs->sr_ref = NULL;
 170                         rs->sr_matched = NULL;
 171                 } else {
 172                         rs->sr_err = LDAP_INVALID_CREDENTIALS;
 173                         send_ldap_result( op, rs );
 174                 }
 175
 176                 goto done;
 177         }
 178
 179         switch ( op->oq_bind.rb_method ) {
 180         case LDAP_AUTH_SIMPLE:
 181                 rs->sr_err = access_allowed( op, e,
 182                         password, NULL, ACL_AUTH, NULL );
 183                 if ( ! rs->sr_err ) {
 184                         rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 185                         send_ldap_result( op, rs );
 186                         goto done;
 187                 }
 188
 189                 if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
 190                         rs->sr_err = LDAP_INAPPROPRIATE_AUTH;
 191                         send_ldap_result( op, rs );
 192                         goto done;
 193                 }
 194
 195                 if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred ) != 0 ) {
 196                         rs->sr_err = LDAP_INVALID_CREDENTIALS;
 197                         send_ldap_result( op, rs );
 198                         goto done;
 199                 }
 200
 201                 rs->sr_err = 0;
 202                 break;
 203
 204 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
 205         case LDAP_AUTH_KRBV41:
 206                 if ( krbv4_ldap_auth( op->o_bd, &op->oq_bind.rb_cred, &ad ) != LDAP_SUCCESS ) {
 207                         rs->sr_err = LDAP_INVALID_CREDENTIALS,
 208                         send_ldap_result( op );
 209                         goto done;
 210                 }
 211
 212                 rs->sr_err = access_allowed( op, e,
 213                         krbattr, NULL, ACL_AUTH, NULL );
 214                 if ( ! rs->sr_err ) {
 215                         rs->sr_err = LDAP_INSUFFICIENT_ACCESS,
 216                         send_ldap_result( op );
 217                         goto done;
 218                 }
 219
 220                 krbval.bv_len = sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
 221                         : "", ad.pinst, ad.prealm );
 222
 223                 if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
 224                         /*
 225                          * no krbname values present: check against DN
 226                          */
 227                         if ( strcasecmp( op->o_req_dn.bv_val, krbname ) == 0 ) {
 228                                 rs->sr_err = 0;
 229                                 break;
 230                         }
 231                         rs->sr_err = LDAP_INAPPROPRIATE_AUTH,
 232                         send_ldap_result( op );
 233                         goto done;
 234
 235                 } else {        /* look for krbname match */
 236                         krbval.bv_val = krbname;
 237
 238                         if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
 239                                 rs->sr_err = LDAP_INVALID_CREDENTIALS;
 240                                 send_ldap_result( op );
 241                                 goto done;
 242                         }
 243                 }
 244                 rs->sr_err = 0;
 245                 break;
 246
 247         case LDAP_AUTH_KRBV42:
 248                 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
 249                         "Kerberos bind step 2 not supported" );
 250                 goto done;
 251 #endif
 252
 253         default:
 254                 send_ldap_error( op, rs, LDAP_STRONG_AUTH_NOT_SUPPORTED,
 255                         "authentication method not supported" );
 256                 goto done;
 257         }
 258
 259 done:
 260         /* free entry and reader lock */
 261         if( e != NULL ) {
 262                 bdb_cache_return_entry_r( bdb->bi_dbenv, &bdb->bi_cache, e, &lock );
 263         }
 264
 265         LOCK_ID_FREE(bdb->bi_dbenv, locker);
 266
 267         /* front end will send result on success (rs->sr_err==0) */
 268         return rs->sr_err;
 269 }