git.sur5r.net Git - openldap/blob - servers/slapd/back-bdb/bind.c

   1 /* bind.c - bdb backend bind routine */
   2 /* $OpenLDAP$ */
   3 /*
   4  * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
   5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   6  */
   7
   8 #include "portable.h"
   9
  10 #include <stdio.h>
  11 #include <ac/krb.h>
  12 #include <ac/string.h>
  13 #include <ac/unistd.h>
  14
  15 #include "back-bdb.h"
  16 #include "external.h"
  17
  18 int
  19 bdb_bind( Operation *op, SlapReply *rs )
  20 {
  21         struct bdb_info *bdb = (struct bdb_info *) op->o_bd->be_private;
  22         Entry           *e;
  23         Attribute       *a;
  24         Entry           *matched;
  25 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
  26         char            krbname[MAX_K_NAME_SZ + 1];
  27         AttributeDescription *krbattr = slap_schema.si_ad_krbName;
  28         struct berval   krbval;
  29         AUTH_DAT        ad;
  30 #endif
  31
  32         AttributeDescription *password = slap_schema.si_ad_userPassword;
  33
  34         u_int32_t       locker;
  35         DB_LOCK         lock;
  36
  37 #ifdef NEW_LOGGING
  38         LDAP_LOG ( OPERATION, ARGS, "==> bdb_bind: dn: %s\n", op->o_req_dn.bv_val, 0, 0 );
  39 #else
  40         Debug( LDAP_DEBUG_ARGS, "==> bdb_bind: dn: %s\n", op->o_req_dn.bv_val, 0, 0);
  41 #endif
  42
  43         /* allow noauth binds */
  44         if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE && be_isroot_pw( op )) {
  45                 ber_dupbv( &op->oq_bind.rb_edn, be_root_dn( op->o_bd ) );
  46                 /* front end will send result */
  47                 return LDAP_SUCCESS;
  48         }
  49
  50         rs->sr_err = LOCK_ID(bdb->bi_dbenv, &locker);
  51         switch(rs->sr_err) {
  52         case 0:
  53                 break;
  54         default:
  55                 rs->sr_text = "internal error";
  56                 send_ldap_result( op, rs );
  57                 return rs->sr_err;
  58         }
  59
  60 dn2entry_retry:
  61         /* get entry with reader lock */
  62         rs->sr_err = bdb_dn2entry_r( op->o_bd, NULL, &op->o_req_ndn, &e, &matched, 0, locker, &lock );
  63
  64         switch(rs->sr_err) {
  65         case DB_NOTFOUND:
  66         case 0:
  67                 break;
  68         case LDAP_BUSY:
  69                 send_ldap_error( op, rs, LDAP_BUSY, "ldap_server_busy" );
  70                 LOCK_ID_FREE(bdb->bi_dbenv, locker);
  71                 return LDAP_BUSY;
  72         case DB_LOCK_DEADLOCK:
  73         case DB_LOCK_NOTGRANTED:
  74                 goto dn2entry_retry;
  75         default:
  76                 send_ldap_error( op, rs, LDAP_OTHER, "internal error" );
  77                 LOCK_ID_FREE(bdb->bi_dbenv, locker);
  78                 return rs->sr_err;
  79         }
  80
  81         if ( e == NULL ) {
  82                 if( matched != NULL ) {
  83                         rs->sr_ref = is_entry_referral( matched )
  84                                 ? get_entry_referrals( op, matched )
  85                                 : NULL;
  86                         if (rs->sr_ref)
  87                                 rs->sr_matched = ch_strdup( matched->e_name.bv_val );
  88
  89                         bdb_cache_return_entry_r( bdb->bi_dbenv, &bdb->bi_cache, matched, &lock );
  90                         matched = NULL;
  91
  92                 } else {
  93                         rs->sr_ref = referral_rewrite( default_referral,
  94                                 NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT );
  95                 }
  96
  97                 if ( rs->sr_ref != NULL ) {
  98                         rs->sr_err = LDAP_REFERRAL;
  99                         send_ldap_result( op, rs );
 100                         free( (char *)rs->sr_matched );
 101                         ber_bvarray_free( rs->sr_ref );
 102                         rs->sr_ref = NULL;
 103                         rs->sr_matched = NULL;
 104                 } else {
 105                         rs->sr_err = LDAP_INVALID_CREDENTIALS;
 106                         send_ldap_result( op, rs );
 107                 }
 108
 109                 LOCK_ID_FREE(bdb->bi_dbenv, locker);
 110
 111                 return rs->sr_err;
 112         }
 113
 114         ber_dupbv( &op->oq_bind.rb_edn, &e->e_name );
 115
 116         /* check for deleted */
 117 #ifdef BDB_SUBENTRIES
 118         if ( is_entry_subentry( e ) ) {
 119                 /* entry is an subentry, don't allow bind */
 120 #ifdef NEW_LOGGING
 121                 LDAP_LOG ( OPERATION, DETAIL1,
 122                         "bdb_bind: entry is subentry\n", 0, 0, 0 );
 123 #else
 124                 Debug( LDAP_DEBUG_TRACE, "entry is subentry\n", 0,
 125                         0, 0 );
 126 #endif
 127
 128                 rs->sr_err = LDAP_INVALID_CREDENTIALS;
 129                 send_ldap_result( op );
 130
 131                 goto done;
 132         }
 133 #endif
 134
 135 #ifdef BDB_ALIASES
 136         if ( is_entry_alias( e ) ) {
 137                 /* entry is an alias, don't allow bind */
 138 #ifdef NEW_LOGGING
 139                 LDAP_LOG ( OPERATION, DETAIL1, "bdb_bind: entry is alias\n", 0, 0, 0 );
 140 #else
 141                 Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
 142                         0, 0 );
 143 #endif
 144
 145                 send_ldap_error( op, rs, LDAP_ALIAS_PROBLEM, "entry is alias");
 146
 147                 goto done;
 148         }
 149 #endif
 150
 151         if ( is_entry_referral( e ) ) {
 152                 /* entry is a referral, don't allow bind */
 153                 rs->sr_ref = get_entry_referrals( op, e );
 154
 155 #ifdef NEW_LOGGING
 156                 LDAP_LOG ( OPERATION, DETAIL1,
 157                         "bdb_bind: entry is referral\n", 0, 0, 0 );
 158 #else
 159                 Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
 160                         0, 0 );
 161 #endif
 162
 163                 if( rs->sr_ref != NULL ) {
 164                         rs->sr_err = LDAP_REFERRAL;
 165                         rs->sr_matched = e->e_name.bv_val;
 166                         send_ldap_result( op, rs );
 167                         ber_bvarray_free( rs->sr_ref );
 168                         rs->sr_ref = NULL;
 169                         rs->sr_matched = NULL;
 170                 } else {
 171                         rs->sr_err = LDAP_INVALID_CREDENTIALS;
 172                         send_ldap_result( op, rs );
 173                 }
 174
 175                 goto done;
 176         }
 177
 178         switch ( op->oq_bind.rb_method ) {
 179         case LDAP_AUTH_SIMPLE:
 180                 rs->sr_err = access_allowed( op, e,
 181                         password, NULL, ACL_AUTH, NULL );
 182                 if ( ! rs->sr_err ) {
 183                         rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 184                         send_ldap_result( op, rs );
 185                         goto done;
 186                 }
 187
 188                 if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
 189                         rs->sr_err = LDAP_INAPPROPRIATE_AUTH;
 190                         send_ldap_result( op, rs );
 191                         goto done;
 192                 }
 193
 194                 if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred ) != 0 ) {
 195                         rs->sr_err = LDAP_INVALID_CREDENTIALS;
 196                         send_ldap_result( op, rs );
 197                         goto done;
 198                 }
 199
 200                 rs->sr_err = 0;
 201                 break;
 202
 203 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
 204         case LDAP_AUTH_KRBV41:
 205                 if ( krbv4_ldap_auth( op->o_bd, &op->oq_bind.rb_cred, &ad ) != LDAP_SUCCESS ) {
 206                         rs->sr_err = LDAP_INVALID_CREDENTIALS,
 207                         send_ldap_result( op );
 208                         goto done;
 209                 }
 210
 211                 rs->sr_err = access_allowed( op, e,
 212                         krbattr, NULL, ACL_AUTH, NULL );
 213                 if ( ! rs->sr_err ) {
 214                         rs->sr_err = LDAP_INSUFFICIENT_ACCESS,
 215                         send_ldap_result( op );
 216                         goto done;
 217                 }
 218
 219                 krbval.bv_len = sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
 220                         : "", ad.pinst, ad.prealm );
 221
 222                 if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
 223                         /*
 224                          * no krbname values present: check against DN
 225                          */
 226                         if ( strcasecmp( op->o_req_dn.bv_val, krbname ) == 0 ) {
 227                                 rs->sr_err = 0;
 228                                 break;
 229                         }
 230                         rs->sr_err = LDAP_INAPPROPRIATE_AUTH,
 231                         send_ldap_result( op );
 232                         goto done;
 233
 234                 } else {        /* look for krbname match */
 235                         krbval.bv_val = krbname;
 236
 237                         if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
 238                                 rs->sr_err = LDAP_INVALID_CREDENTIALS;
 239                                 send_ldap_result( op );
 240                                 goto done;
 241                         }
 242                 }
 243                 rs->sr_err = 0;
 244                 break;
 245
 246         case LDAP_AUTH_KRBV42:
 247                 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
 248                         "Kerberos bind step 2 not supported" );
 249                 goto done;
 250 #endif
 251
 252         default:
 253                 send_ldap_error( op, rs, LDAP_STRONG_AUTH_NOT_SUPPORTED,
 254                         "authentication method not supported" );
 255                 goto done;
 256         }
 257
 258 done:
 259         /* free entry and reader lock */
 260         if( e != NULL ) {
 261                 bdb_cache_return_entry_r( bdb->bi_dbenv, &bdb->bi_cache, e, &lock );
 262         }
 263
 264         LOCK_ID_FREE(bdb->bi_dbenv, locker);
 265
 266         /* front end will send result on success (rs->sr_err==0) */
 267         return rs->sr_err;
 268 }