Quick check of LOCK_ID() return. Likely should retry... but not forever.
1 /* bind.c - bdb backend bind routine */
2 /* $OpenLDAP$ */
3 /*
4  * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
6  */
7
8 #include "portable.h"
9
10 #include <stdio.h>
11 #include <ac/krb.h>
12 #include <ac/string.h>
13 #include <ac/unistd.h>
14
15 #include "back-bdb.h"
16 #include "external.h"
17
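/*
 * bdb_bind - bdb backend bind routine.
 *
 * Fetches the entry named by the bind DN under a BDB reader lock and
 * checks the supplied credentials for the requested method.  Every
 * failure path sends its own LDAP result and returns the (non-zero)
 * result code; on success nothing is sent here, 0 is returned and the
 * front end sends the result.
 *
 * be, conn, op   backend, connection and operation being served
 * dn, ndn        bind DN as presented and in normalized form
 * method         LDAP_AUTH_SIMPLE, or one of the Kerberos v4 methods when
 *                built with LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
 * cred           credentials carried by the bind request
 * edn            out: receives a copy of the authorization DN (the bound
 *                entry's name, or the root DN for a root password bind)
 */
int
bdb_bind(
	Backend		*be,
	Connection		*conn,
	Operation		*op,
	struct berval		*dn,
	struct berval		*ndn,
	int			method,
	struct berval	*cred,
	struct berval	*edn
)
{
	struct bdb_info *bdb = (struct bdb_info *) be->be_private;
	Entry		*e;
	Attribute	*a;
	int		rc;
	Entry		*matched;
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
	char		krbname[MAX_K_NAME_SZ + 1];
	AttributeDescription *krbattr = slap_schema.si_ad_krbName;
	AUTH_DAT	ad;
#endif

	AttributeDescription *password = slap_schema.si_ad_userPassword;

	u_int32_t	locker;
	DB_LOCK		lock;

#ifdef NEW_LOGGING
	LDAP_LOG ( OPERATION, ARGS, "==> bdb_bind: dn: %s\n", dn->bv_val, 0, 0 );
#else
	Debug( LDAP_DEBUG_ARGS, "==> bdb_bind: dn: %s\n", dn->bv_val, 0, 0);
#endif

	/* A locker id is needed for the reader lock taken by bdb_dn2entry_r;
	 * without one there is nothing to do but fail the operation. */
	rc = LOCK_ID(bdb->bi_dbenv, &locker);
	switch(rc) {
	case 0:
		break;
	default:
		send_ldap_result( conn, op, rc=LDAP_OTHER,
			NULL, "internal error", NULL, NULL );
		return rc;
	}

dn2entry_retry:
	/* get entry */
	rc = bdb_dn2entry_r( be, NULL, ndn, &e, &matched, 0, locker, &lock );

	switch(rc) {
	case DB_NOTFOUND:
	case 0:
		break;
	case LDAP_BUSY:
		send_ldap_result( conn, op, LDAP_BUSY,
			NULL, "ldap server busy", NULL, NULL );
		LOCK_ID_FREE(bdb->bi_dbenv, locker);
		return LDAP_BUSY;
	case DB_LOCK_DEADLOCK:
	case DB_LOCK_NOTGRANTED:
		/* NOTE(review): retried without any bound, so a persistently
		 * contended lock keeps this operation looping here. */
		goto dn2entry_retry;
	default:
		send_ldap_result( conn, op, rc=LDAP_OTHER,
			NULL, "internal error", NULL, NULL );
		LOCK_ID_FREE(bdb->bi_dbenv, locker);
		return rc;
	}

	/* get entry with reader lock */
	if ( e == NULL ) {
		/* No such entry.  The outcome is one of: a root password bind
		 * against the root DN, a referral derived from the closest
		 * matched entry (or the default referral when nothing
		 * matched), or invalid credentials. */
		char *matched_dn = NULL;
		BerVarray refs;

		if( matched != NULL ) {
			matched_dn = ch_strdup( matched->e_dn );

			refs = is_entry_referral( matched )
				? get_entry_referrals( be, conn, op, matched )
				: NULL;

			/* matched was returned locked; release it before replying */
			bdb_cache_return_entry_r( bdb->bi_dbenv, &bdb->bi_cache, matched, &lock );
			matched = NULL;

		} else {
			refs = referral_rewrite( default_referral,
				NULL, dn, LDAP_SCOPE_DEFAULT );
		}

		/* allow noauth binds */
		/* every branch below assigns rc; a non-zero value tells the
		 * front end that the result has already been sent here */
		rc = 1;
		if ( method == LDAP_AUTH_SIMPLE ) {
			if ( be_isroot_pw( be, conn, ndn, cred ) ) {
				ber_dupbv( edn, be_root_dn( be ) );
				rc = LDAP_SUCCESS; /* front end will send result */

			} else if ( refs != NULL ) {
				send_ldap_result( conn, op, rc = LDAP_REFERRAL,
					matched_dn, NULL, refs, NULL );

			} else {
				send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
					NULL, NULL, NULL, NULL );
			}

		} else if ( refs != NULL ) {
			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
				matched_dn, NULL, refs, NULL );

		} else {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
		}

		LOCK_ID_FREE(bdb->bi_dbenv, locker);

		ber_bvarray_free( refs );
		free( matched_dn );

		return rc;
	}

	/* the entry exists: its name is the authorization DN unless a
	 * root password bind below replaces it */
	ber_dupbv( edn, &e->e_name );

	/* reject entry kinds that may not be bound as */
#ifdef BDB_SUBENTRIES
	if ( is_entry_subentry( e ) ) {
		/* entry is an subentry, don't allow bind */
#ifdef NEW_LOGGING
		LDAP_LOG ( OPERATION, DETAIL1, 
			"bdb_bind: entry is subentry\n", 0, 0, 0 );
#else
		Debug( LDAP_DEBUG_TRACE, "entry is subentry\n", 0,
			0, 0 );
#endif

		send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
			NULL, NULL, NULL, NULL );

		goto done;
	}
#endif

#ifdef BDB_ALIASES
	if ( is_entry_alias( e ) ) {
		/* entry is an alias, don't allow bind */
#ifdef NEW_LOGGING
		LDAP_LOG ( OPERATION, DETAIL1, "bdb_bind: entry is alias\n", 0, 0, 0 );
#else
		Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
			0, 0 );
#endif

		send_ldap_result( conn, op, rc = LDAP_ALIAS_PROBLEM,
			NULL, "entry is alias", NULL, NULL );

		goto done;
	}
#endif

	if ( is_entry_referral( e ) ) {
		/* entry is a referral, don't allow bind */
		BerVarray refs = get_entry_referrals( be,
			conn, op, e );

#ifdef NEW_LOGGING
		LDAP_LOG ( OPERATION, DETAIL1, 
			"bdb_bind: entry is referral\n", 0, 0, 0 );
#else
		Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
			0, 0 );
#endif

		if( refs != NULL ) {
			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
				e->e_dn, NULL, refs, NULL );

		} else {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
		}

		ber_bvarray_free( refs );

		goto done;
	}

	switch ( method ) {
	case LDAP_AUTH_SIMPLE:
		/* check for root dn/passwd */
		if ( be_isroot_pw( be, conn, ndn, cred ) ) {
			/* front end will send result */
			/* replace the entry name copied above with the root DN */
			if(edn->bv_val != NULL) free( edn->bv_val );
			ber_dupbv( edn, be_root_dn( be ) );
			rc = LDAP_SUCCESS;
			goto done;
		}

		/* the binder needs "auth" access to userPassword before the
		 * stored value is consulted at all */
		if ( ! access_allowed( be, conn, op, e,
			password, NULL, ACL_AUTH, NULL ) )
		{
			send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
			send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( slap_passwd_check( conn, a, cred ) != 0 ) {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		rc = 0;
		break;

#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
	case LDAP_AUTH_KRBV41:
		if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( ! access_allowed( be, conn, op, e,
			krbattr, NULL, ACL_AUTH, NULL ) )
		{
			send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		/* NOTE(review): unbounded sprintf into a fixed buffer; this is
		 * only safe if the AUTH_DAT name/instance/realm fields are
		 * fixed-size and MAX_K_NAME_SZ accounts for all of them plus
		 * the separators -- confirm against the krb headers, or use
		 * snprintf( krbname, sizeof krbname, ... ). */
		sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
			: "", ad.pinst, ad.prealm );

		if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
			/*
			 * no krbname values present: check against DN
			 */
			/* dn is a struct berval; compare its string value, not
			 * the struct pointer (which does not even type-check) */
			if ( strcasecmp( dn->bv_val, krbname ) == 0 ) {
				rc = 0;
				break;
			}
			send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
				NULL, NULL, NULL, NULL );
			goto done;

		} else {	/* look for krbname match */
			struct berval	krbval;

			krbval.bv_val = krbname;
			krbval.bv_len = strlen( krbname );

			if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
				send_ldap_result( conn, op,
					rc = LDAP_INVALID_CREDENTIALS,
					NULL, NULL, NULL, NULL );
				goto done;
			}
		}
		rc = 0;
		break;

	case LDAP_AUTH_KRBV42:
		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
			NULL, "Kerberos bind step 2 not supported",
			NULL, NULL );
		goto done;
#endif

	default:
		send_ldap_result( conn, op, rc = LDAP_STRONG_AUTH_NOT_SUPPORTED,
			NULL, "authentication method not supported", NULL, NULL );
		goto done;
	}

done:
	/* free entry and reader lock */
	if( e != NULL ) {
		bdb_cache_return_entry_r( bdb->bi_dbenv, &bdb->bi_cache, e, &lock );
	}

	LOCK_ID_FREE(bdb->bi_dbenv, locker);

	/* front end with send result on success (rc==0) */
	return rc;
}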
307 }