git.sur5r.net Git - openldap/blob - servers/slapd/back-bdb/bind.c

   1 /* bind.c - bdb backend bind routine */
   2 /* $OpenLDAP$ */
   3 /*
   4  * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
   5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   6  */
   7
   8 #include "portable.h"
   9
  10 #include <stdio.h>
  11 #include <ac/krb.h>
  12 #include <ac/string.h>
  13 #include <ac/unistd.h>
  14
  15 #include "back-bdb.h"
  16 #include "external.h"
  17
  18 int
  19 bdb_bind(
  20         Backend         *be,
  21         Connection              *conn,
  22         Operation               *op,
  23         struct berval           *dn,
  24         struct berval           *ndn,
  25         int                     method,
  26         struct berval   *cred,
  27         struct berval   *edn
  28 )
  29 {
  30         struct bdb_info *bdb = (struct bdb_info *) be->be_private;
  31         Entry           *e;
  32         Attribute       *a;
  33         int             rc;
  34         Entry           *matched;
  35 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
  36         char            krbname[MAX_K_NAME_SZ + 1];
  37         AttributeDescription *krbattr = slap_schema.si_ad_krbName;
  38         AUTH_DAT        ad;
  39 #endif
  40
  41         AttributeDescription *password = slap_schema.si_ad_userPassword;
  42
  43         Debug( LDAP_DEBUG_ARGS, "==> bdb_bind: dn: %s\n", dn->bv_val, 0, 0);
  44
  45         /* get entry */
  46         rc = bdb_dn2entry( be, NULL, ndn->bv_val, &e, &matched, 0 );
  47
  48         switch(rc) {
  49         case DB_NOTFOUND:
  50         case 0:
  51                 break;
  52         default:
  53                 send_ldap_result( conn, op, rc=LDAP_OTHER,
  54                         NULL, "internal error", NULL, NULL );
  55                 return rc;
  56         }
  57
  58         /* get entry with reader lock */
  59         if ( e == NULL ) {
  60                 char *matched_dn = NULL;
  61                 struct berval **refs;
  62
  63                 if( matched != NULL ) {
  64                         matched_dn = ch_strdup( matched->e_dn );
  65
  66                         refs = is_entry_referral( matched )
  67                                 ? get_entry_referrals( be, conn, op, matched,
  68                                         dn->bv_val, LDAP_SCOPE_DEFAULT )
  69                                 : NULL;
  70
  71                         bdb_entry_return( be, matched );
  72                         matched = NULL;
  73
  74                 } else {
  75                         refs = referral_rewrite( default_referral,
  76                                 NULL, dn->bv_val, LDAP_SCOPE_DEFAULT );
  77                 }
  78
  79                 /* allow noauth binds */
  80                 rc = 1;
  81                 if ( method == LDAP_AUTH_SIMPLE ) {
  82                         if ( be_isroot_pw( be, conn, ndn, cred ) ) {
  83                                 ber_dupbv( edn, be_root_dn( be ) );
  84                                 rc = LDAP_SUCCESS; /* front end will send result */
  85
  86                         } else if ( refs != NULL ) {
  87                                 send_ldap_result( conn, op, rc = LDAP_REFERRAL,
  88                                         matched_dn, NULL, refs, NULL );
  89
  90                         } else {
  91                                 send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
  92                                         NULL, NULL, NULL, NULL );
  93                         }
  94
  95                 } else if ( refs != NULL ) {
  96                         send_ldap_result( conn, op, rc = LDAP_REFERRAL,
  97                                 matched_dn, NULL, refs, NULL );
  98
  99                 } else {
 100                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 101                                 NULL, NULL, NULL, NULL );
 102                 }
 103
 104                 ber_bvecfree( refs );
 105                 free( matched_dn );
 106
 107                 return rc;
 108         }
 109
 110         ber_dupbv( edn, &e->e_name );
 111
 112         /* check for deleted */
 113
 114         if ( is_entry_alias( e ) ) {
 115                 /* entry is an alias, don't allow bind */
 116                 Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
 117                         0, 0 );
 118
 119                 send_ldap_result( conn, op, rc = LDAP_ALIAS_PROBLEM,
 120                         NULL, "entry is alias", NULL, NULL );
 121
 122                 goto done;
 123         }
 124
 125         if ( is_entry_referral( e ) ) {
 126                 /* entry is a referral, don't allow bind */
 127                 struct berval **refs = get_entry_referrals( be,
 128                         conn, op, e, dn->bv_val, LDAP_SCOPE_DEFAULT );
 129
 130                 Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
 131                         0, 0 );
 132
 133                 if( refs != NULL ) {
 134                         send_ldap_result( conn, op, rc = LDAP_REFERRAL,
 135                                 e->e_dn, NULL, refs, NULL );
 136
 137                 } else {
 138                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 139                                 NULL, NULL, NULL, NULL );
 140                 }
 141
 142                 ber_bvecfree( refs );
 143
 144                 goto done;
 145         }
 146
 147         switch ( method ) {
 148         case LDAP_AUTH_SIMPLE:
 149                 /* check for root dn/passwd */
 150                 if ( be_isroot_pw( be, conn, ndn, cred ) ) {
 151                         /* front end will send result */
 152                         if(edn->bv_val != NULL) free( edn->bv_val );
 153                         ber_dupbv( edn, be_root_dn( be ) );
 154                         rc = LDAP_SUCCESS;
 155                         goto done;
 156                 }
 157
 158                 if ( ! access_allowed( be, conn, op, e,
 159                         password, NULL, ACL_AUTH ) )
 160                 {
 161                         send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
 162                                 NULL, NULL, NULL, NULL );
 163                         goto done;
 164                 }
 165
 166                 if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
 167                         send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
 168                                 NULL, NULL, NULL, NULL );
 169                         goto done;
 170                 }
 171
 172                 if ( slap_passwd_check( conn, a, cred ) != 0 ) {
 173                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 174                                 NULL, NULL, NULL, NULL );
 175                         goto done;
 176                 }
 177
 178                 rc = 0;
 179                 break;
 180
 181 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
 182         case LDAP_AUTH_KRBV41:
 183                 if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
 184                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 185                                 NULL, NULL, NULL, NULL );
 186                         goto done;
 187                 }
 188
 189                 if ( ! access_allowed( be, conn, op, e,
 190                         krbattr, NULL, ACL_AUTH ) )
 191                 {
 192                         send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
 193                                 NULL, NULL, NULL, NULL );
 194                         goto done;
 195                 }
 196
 197                 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
 198                         : "", ad.pinst, ad.prealm );
 199
 200                 if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
 201                         /*
 202                          * no krbname values present: check against DN
 203                          */
 204                         if ( strcasecmp( dn, krbname ) == 0 ) {
 205                                 rc = 0;
 206                                 break;
 207                         }
 208                         send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
 209                                 NULL, NULL, NULL, NULL );
 210                         goto done;
 211
 212                 } else {        /* look for krbname match */
 213                         struct berval   krbval;
 214
 215                         krbval.bv_val = krbname;
 216                         krbval.bv_len = strlen( krbname );
 217
 218                         if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
 219                                 send_ldap_result( conn, op,
 220                                         rc = LDAP_INVALID_CREDENTIALS,
 221                                         NULL, NULL, NULL, NULL );
 222                                 goto done;
 223                         }
 224                 }
 225                 rc = 0;
 226                 break;
 227
 228         case LDAP_AUTH_KRBV42:
 229                 send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
 230                         NULL, "Kerberos bind step 2 not supported",
 231                         NULL, NULL );
 232                 goto done;
 233 #endif
 234
 235         default:
 236                 send_ldap_result( conn, op, rc = LDAP_STRONG_AUTH_NOT_SUPPORTED,
 237                         NULL, "authentication method not supported", NULL, NULL );
 238                 goto done;
 239         }
 240
 241 done:
 242         /* free entry and reader lock */
 243         if( e != NULL ) {
 244                 bdb_entry_return( be, e );
 245         }
 246
 247         /* front end with send result on success (rc==0) */
 248         return rc;
 249 }