git.sur5r.net Git - openldap/blob - servers/slapd/back-bdb/bind.c

   1 /* bind.c - bdb backend bind routine */
   2 /* $OpenLDAP$ */
   3 /*
   4  * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
   5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   6  */
   7
   8 #include "portable.h"
   9
  10 #include <stdio.h>
  11 #include <ac/krb.h>
  12 #include <ac/string.h>
  13 #include <ac/unistd.h>
  14
  15 #include "back-bdb.h"
  16 #include "external.h"
  17
  18 int
  19 bdb_bind(
  20         Backend         *be,
  21         Connection              *conn,
  22         Operation               *op,
  23         struct berval           *dn,
  24         struct berval           *ndn,
  25         int                     method,
  26         struct berval   *cred,
  27         struct berval   *edn
  28 )
  29 {
  30         struct bdb_info *bdb = (struct bdb_info *) be->be_private;
  31         Entry           *e;
  32         Attribute       *a;
  33         int             rc;
  34         Entry           *matched;
  35 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
  36         char            krbname[MAX_K_NAME_SZ + 1];
  37         AttributeDescription *krbattr = slap_schema.si_ad_krbName;
  38         AUTH_DAT        ad;
  39 #endif
  40
  41         AttributeDescription *password = slap_schema.si_ad_userPassword;
  42
  43         Debug( LDAP_DEBUG_ARGS, "==> bdb_bind: dn: %s\n", dn->bv_val, 0, 0);
  44
  45         /* get entry */
  46         rc = bdb_dn2entry( be, NULL, ndn, &e, &matched, 0 );
  47
  48         switch(rc) {
  49         case DB_NOTFOUND:
  50         case 0:
  51                 break;
  52         default:
  53                 send_ldap_result( conn, op, rc=LDAP_OTHER,
  54                         NULL, "internal error", NULL, NULL );
  55                 return rc;
  56         }
  57
  58         /* get entry with reader lock */
  59         if ( e == NULL ) {
  60                 char *matched_dn = NULL;
  61                 BerVarray refs;
  62
  63                 if( matched != NULL ) {
  64                         matched_dn = ch_strdup( matched->e_dn );
  65
  66                         refs = is_entry_referral( matched )
  67                                 ? get_entry_referrals( be, conn, op, matched )
  68                                 : NULL;
  69
  70                         bdb_entry_return( be, matched );
  71                         matched = NULL;
  72
  73                 } else {
  74                         refs = referral_rewrite( default_referral,
  75                                 NULL, dn, LDAP_SCOPE_DEFAULT );
  76                 }
  77
  78                 /* allow noauth binds */
  79                 rc = 1;
  80                 if ( method == LDAP_AUTH_SIMPLE ) {
  81                         if ( be_isroot_pw( be, conn, ndn, cred ) ) {
  82                                 ber_dupbv( edn, be_root_dn( be ) );
  83                                 rc = LDAP_SUCCESS; /* front end will send result */
  84
  85                         } else if ( refs != NULL ) {
  86                                 send_ldap_result( conn, op, rc = LDAP_REFERRAL,
  87                                         matched_dn, NULL, refs, NULL );
  88
  89                         } else {
  90                                 send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
  91                                         NULL, NULL, NULL, NULL );
  92                         }
  93
  94                 } else if ( refs != NULL ) {
  95                         send_ldap_result( conn, op, rc = LDAP_REFERRAL,
  96                                 matched_dn, NULL, refs, NULL );
  97
  98                 } else {
  99                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 100                                 NULL, NULL, NULL, NULL );
 101                 }
 102
 103                 ber_bvarray_free( refs );
 104                 free( matched_dn );
 105
 106                 return rc;
 107         }
 108
 109         ber_dupbv( edn, &e->e_name );
 110
 111         /* check for deleted */
 112
 113         if ( is_entry_alias( e ) ) {
 114                 /* entry is an alias, don't allow bind */
 115                 Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
 116                         0, 0 );
 117
 118                 send_ldap_result( conn, op, rc = LDAP_ALIAS_PROBLEM,
 119                         NULL, "entry is alias", NULL, NULL );
 120
 121                 goto done;
 122         }
 123
 124         if ( is_entry_referral( e ) ) {
 125                 /* entry is a referral, don't allow bind */
 126                 BerVarray refs = get_entry_referrals( be,
 127                         conn, op, e );
 128
 129                 Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
 130                         0, 0 );
 131
 132                 if( refs != NULL ) {
 133                         send_ldap_result( conn, op, rc = LDAP_REFERRAL,
 134                                 e->e_dn, NULL, refs, NULL );
 135
 136                 } else {
 137                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 138                                 NULL, NULL, NULL, NULL );
 139                 }
 140
 141                 ber_bvarray_free( refs );
 142
 143                 goto done;
 144         }
 145
 146         switch ( method ) {
 147         case LDAP_AUTH_SIMPLE:
 148                 /* check for root dn/passwd */
 149                 if ( be_isroot_pw( be, conn, ndn, cred ) ) {
 150                         /* front end will send result */
 151                         if(edn->bv_val != NULL) free( edn->bv_val );
 152                         ber_dupbv( edn, be_root_dn( be ) );
 153                         rc = LDAP_SUCCESS;
 154                         goto done;
 155                 }
 156
 157                 if ( ! access_allowed( be, conn, op, e,
 158                         password, NULL, ACL_AUTH ) )
 159                 {
 160                         send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
 161                                 NULL, NULL, NULL, NULL );
 162                         goto done;
 163                 }
 164
 165                 if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
 166                         send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
 167                                 NULL, NULL, NULL, NULL );
 168                         goto done;
 169                 }
 170
 171                 if ( slap_passwd_check( conn, a, cred ) != 0 ) {
 172                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 173                                 NULL, NULL, NULL, NULL );
 174                         goto done;
 175                 }
 176
 177                 rc = 0;
 178                 break;
 179
 180 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
 181         case LDAP_AUTH_KRBV41:
 182                 if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
 183                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 184                                 NULL, NULL, NULL, NULL );
 185                         goto done;
 186                 }
 187
 188                 if ( ! access_allowed( be, conn, op, e,
 189                         krbattr, NULL, ACL_AUTH ) )
 190                 {
 191                         send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
 192                                 NULL, NULL, NULL, NULL );
 193                         goto done;
 194                 }
 195
 196                 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
 197                         : "", ad.pinst, ad.prealm );
 198
 199                 if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
 200                         /*
 201                          * no krbname values present: check against DN
 202                          */
 203                         if ( strcasecmp( dn, krbname ) == 0 ) {
 204                                 rc = 0;
 205                                 break;
 206                         }
 207                         send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
 208                                 NULL, NULL, NULL, NULL );
 209                         goto done;
 210
 211                 } else {        /* look for krbname match */
 212                         struct berval   krbval;
 213
 214                         krbval.bv_val = krbname;
 215                         krbval.bv_len = strlen( krbname );
 216
 217                         if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
 218                                 send_ldap_result( conn, op,
 219                                         rc = LDAP_INVALID_CREDENTIALS,
 220                                         NULL, NULL, NULL, NULL );
 221                                 goto done;
 222                         }
 223                 }
 224                 rc = 0;
 225                 break;
 226
 227         case LDAP_AUTH_KRBV42:
 228                 send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
 229                         NULL, "Kerberos bind step 2 not supported",
 230                         NULL, NULL );
 231                 goto done;
 232 #endif
 233
 234         default:
 235                 send_ldap_result( conn, op, rc = LDAP_STRONG_AUTH_NOT_SUPPORTED,
 236                         NULL, "authentication method not supported", NULL, NULL );
 237                 goto done;
 238         }
 239
 240 done:
 241         /* free entry and reader lock */
 242         if( e != NULL ) {
 243                 bdb_entry_return( be, e );
 244         }
 245
 246         /* front end with send result on success (rc==0) */
 247         return rc;
 248 }