Added LDAP_LOG messages
1 /* bind.c - bdb backend bind routine */
2 /* $OpenLDAP$ */
3 /*
4  * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
6  */
7
8 #include "portable.h"
9
10 #include <stdio.h>
11 #include <ac/krb.h>
12 #include <ac/string.h>
13 #include <ac/unistd.h>
14
15 #include "back-bdb.h"
16 #include "external.h"
17
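/*
 * bdb_bind - authenticate a bind request against the bdb backend.
 *
 * The target entry is looked up by its normalized DN (ndn).  When no entry
 * exists the bind may still succeed as the root DN (simple method only),
 * be answered with a referral taken from the matched entry or from the
 * default referral, or fail with invalidCredentials.  When the entry exists
 * it is refused if it is a subentry, an alias or a referral; otherwise the
 * credentials are verified according to `method'.
 *
 * On success `edn' receives a copy of the authenticated DN (the entry's
 * name, or the root DN for root binds) and 0/LDAP_SUCCESS is returned so
 * the frontend sends the result.  Every failure path sends its own result
 * with send_ldap_result() and returns the non-zero LDAP result code.
 *
 * A bind to a DN with no entry is reported as invalidCredentials rather
 * than noSuchObject, so a failed bind does not disclose whether the DN
 * exists.
 */
int
bdb_bind(
	Backend		*be,
	Connection		*conn,
	Operation		*op,
	struct berval		*dn,
	struct berval		*ndn,
	int			method,
	struct berval	*cred,
	struct berval	*edn
)
{
	struct bdb_info *bdb = (struct bdb_info *) be->be_private;
	Entry		*e;
	Attribute	*a;
	int		rc;
	Entry		*matched;
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
	char		krbname[MAX_K_NAME_SZ + 1];
	AttributeDescription *krbattr = slap_schema.si_ad_krbName;
	AUTH_DAT	ad;
#endif

	AttributeDescription *password = slap_schema.si_ad_userPassword;

	Debug( LDAP_DEBUG_ARGS, "==> bdb_bind: dn: %s\n", dn->bv_val, 0, 0);

	/* get entry; e is NULL on a miss, in which case matched (if set)
	 * names an existing entry usable for a referral */
	rc = bdb_dn2entry_r( be, NULL, ndn, &e, &matched, 0 );

	switch(rc) {
	case DB_NOTFOUND:
	case 0:
		break;
	default:
		/* database failure: report it before e/matched are touched */
		send_ldap_result( conn, op, rc=LDAP_OTHER,
			NULL, "internal error", NULL, NULL );
		return rc;
	}

	/* get entry with reader lock */
	if ( e == NULL ) {
		char *matched_dn = NULL;
		BerVarray refs;

		if( matched != NULL ) {
			matched_dn = ch_strdup( matched->e_dn );

			/* only a referral object contributes referral URLs */
			refs = is_entry_referral( matched )
				? get_entry_referrals( be, conn, op, matched )
				: NULL;

			/* release the reader lock before sending anything */
			bdb_cache_return_entry_r( &bdb->bi_cache, matched );
			matched = NULL;

		} else {
			refs = referral_rewrite( default_referral,
				NULL, dn, LDAP_SCOPE_DEFAULT );
		}

		/* allow noauth binds; every branch below overrides rc */
		rc = 1;
		if ( method == LDAP_AUTH_SIMPLE ) {
			if ( be_isroot_pw( be, conn, ndn, cred ) ) {
				/* root DN need not have an entry */
				ber_dupbv( edn, be_root_dn( be ) );
				rc = LDAP_SUCCESS; /* front end will send result */

			} else if ( refs != NULL ) {
				send_ldap_result( conn, op, rc = LDAP_REFERRAL,
					matched_dn, NULL, refs, NULL );

			} else {
				/* matched_dn is intentionally not returned here */
				send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
					NULL, NULL, NULL, NULL );
			}

		} else if ( refs != NULL ) {
			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
				matched_dn, NULL, refs, NULL );

		} else {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
		}

		ber_bvarray_free( refs );
		free( matched_dn );

		return rc;
	}

	/* from here on e is read-locked; all exits go through done: */
	ber_dupbv( edn, &e->e_name );

	/* check for deleted */
#ifdef BDB_SUBENTRIES
	if ( is_entry_subentry( e ) ) {
		/* entry is an subentry, don't allow bind */
		Debug( LDAP_DEBUG_TRACE, "entry is subentry\n", 0,
			0, 0 );

		send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
			NULL, NULL, NULL, NULL );

		goto done;
	}
#endif

#ifdef BDB_ALIASES
	if ( is_entry_alias( e ) ) {
		/* entry is an alias, don't allow bind */
		Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
			0, 0 );

		send_ldap_result( conn, op, rc = LDAP_ALIAS_PROBLEM,
			NULL, "entry is alias", NULL, NULL );

		goto done;
	}
#endif

	if ( is_entry_referral( e ) ) {
		/* entry is a referral, don't allow bind: hand out its URLs,
		 * or invalidCredentials if none could be built */
		BerVarray refs = get_entry_referrals( be,
			conn, op, e );

		Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
			0, 0 );

		if( refs != NULL ) {
			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
				e->e_dn, NULL, refs, NULL );

		} else {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
		}

		ber_bvarray_free( refs );

		goto done;
	}

	switch ( method ) {
	case LDAP_AUTH_SIMPLE:
		/* check for root dn/passwd */
		if ( be_isroot_pw( be, conn, ndn, cred ) ) {
			/* front end will send result; replace the entry name
			 * copied above with the configured root DN */
			free( edn->bv_val );
			ber_dupbv( edn, be_root_dn( be ) );
			rc = LDAP_SUCCESS;
			goto done;
		}

		/* the binder must be allowed to authenticate against
		 * userPassword; checked before the attribute is looked up */
		if ( ! access_allowed( be, conn, op, e,
			password, NULL, ACL_AUTH, NULL ) )
		{
			send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
			send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		/* slap_passwd_check() handles the stored password scheme */
		if ( slap_passwd_check( conn, a, cred ) != 0 ) {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		rc = 0;
		break;

#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
	case LDAP_AUTH_KRBV41:
		/* ticket must verify before any ACL or entry data is consulted */
		if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( ! access_allowed( be, conn, op, e,
			krbattr, NULL, ACL_AUTH, NULL ) )
		{
			send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		/* build "name[.inst]@realm" from the ticket principal into the
		 * bounded krbname buffer; a principal that does not fit is
		 * rejected rather than allowed to overrun the buffer */
		{
			int n = snprintf( krbname, sizeof krbname, "%s%s%s@%s",
				ad.pname, *ad.pinst ? "." : "", ad.pinst, ad.prealm );

			if ( n < 0 || (size_t) n >= sizeof krbname ) {
				send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
					NULL, NULL, NULL, NULL );
				goto done;
			}
		}

		if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
			/*
			 * no krbname values present: check against DN
			 * (dn is a berval, so compare its string value)
			 */
			if ( strcasecmp( dn->bv_val, krbname ) == 0 ) {
				rc = 0;
				break;
			}
			send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
				NULL, NULL, NULL, NULL );
			goto done;

		} else {	/* look for krbname match */
			struct berval	krbval;

			krbval.bv_val = krbname;
			krbval.bv_len = strlen( krbname );

			if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
				send_ldap_result( conn, op,
					rc = LDAP_INVALID_CREDENTIALS,
					NULL, NULL, NULL, NULL );
				goto done;
			}
		}
		rc = 0;
		break;

	case LDAP_AUTH_KRBV42:
		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
			NULL, "Kerberos bind step 2 not supported",
			NULL, NULL );
		goto done;
#endif

	default:
		send_ldap_result( conn, op, rc = LDAP_STRONG_AUTH_NOT_SUPPORTED,
			NULL, "authentication method not supported", NULL, NULL );
		goto done;
	}

done:
	/* free entry and reader lock */
	if( e != NULL ) {
		bdb_cache_return_entry_r( &bdb->bi_cache, e );
	}

	/* front end will send result on success (rc==0) */
	return rc;
}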