1 /* bind.c - bdb backend bind routine */
2 /* $OpenLDAP$ */
3 /*
4  * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
6  */
7
8 #include "portable.h"
9
10 #include <stdio.h>
11 #include <ac/krb.h>
12 #include <ac/string.h>
13 #include <ac/unistd.h>
14
15 #include "back-bdb.h"
16
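/*
 * bdb_bind - authenticate a bind request against the bdb backend.
 *
 * The entry named by ndn is fetched under a reader lock (dn2entry_r).
 * If it does not exist, a simple bind as the rootdn is still accepted;
 * any other bind gets a referral (taken from the nearest matched entry,
 * or from default_referral) or LDAP_INVALID_CREDENTIALS.  If it exists,
 * aliases and referral objects are refused, then the credential is
 * checked according to `method`.
 *
 * Returns LDAP_SUCCESS (0) when the bind is accepted; the front end
 * sends the result in that case and *edn points to a ch_strdup()'d
 * copy of the authenticated DN (presumably released by the caller in
 * do_bind - confirm).  Any non-zero return means the result has already
 * been sent from here; *edn may still be non-NULL on those paths.
 *
 * NOTE(review): the distinct result codes used below (INVALID_CREDENTIALS
 * for an unknown DN, INAPPROPRIATE_AUTH for an entry without userPassword,
 * INSUFFICIENT_ACCESS when the ACL denies auth) let an unauthenticated
 * client tell those cases apart.  They are left unchanged here because
 * they are observable protocol behaviour.
 */
int
bdb_bind(
    Backend		*be,
    Connection		*conn,
    Operation		*op,
    const char		*dn,
    const char		*ndn,
    int			method,
    struct berval	*cred,
	char**	edn
)
{
	Entry		*e;
	Attribute	*a;
	int		rc;
	Entry		*matched;
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
	/* pname/pinst/prealm from AUTH_DAT are joined into this buffer;
	 * the write is bounded below so an oversized principal is rejected
	 * rather than overrun the array. */
	char		krbname[MAX_K_NAME_SZ + 1];
	AttributeDescription *krbattr = slap_schema.si_ad_krbName;
	AUTH_DAT	ad;
#endif

	AttributeDescription *password = slap_schema.si_ad_userPassword;

	Debug( LDAP_DEBUG_ARGS, "==> bdb_bind: dn: %s\n", dn, 0, 0);

	*edn = NULL;

	/* fetch entry (reader lock); DB_NOTFOUND just leaves e == NULL */
	rc = dn2entry_r( be, NULL, ndn, &e, &matched );

	switch(rc) {
	case DB_NOTFOUND:
	case 0:
		break;
	default:
		send_ldap_result( conn, op, rc=LDAP_OTHER,
		    NULL, "internal error", NULL, NULL );
		return rc;
	}

	if ( e == NULL ) {
		/* no such entry: only a rootdn simple bind can succeed */
		char *matched_dn = NULL;
		struct berval **refs = NULL;

		if( matched != NULL ) {
			matched_dn = ch_strdup( matched->e_dn );

			refs = is_entry_referral( matched )
				? get_entry_referrals( be, conn, op, matched )
				: NULL;

			bdb_entry_return( be, matched );
		} else {
			/* shared configuration value: must not be freed below */
			refs = default_referral;
		}

		rc = 1;
		if ( method == LDAP_AUTH_SIMPLE ) {
			if ( be_isroot_pw( be, conn, ndn, cred ) ) {
				*edn = ch_strdup( be_root_dn( be ) );
				rc = LDAP_SUCCESS; /* front end will send result */

			} else if ( refs != NULL ) {
				send_ldap_result( conn, op, rc = LDAP_REFERRAL,
					matched_dn, NULL, refs, NULL );

			} else {
				send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
					NULL, NULL, NULL, NULL );
			}

		} else if ( refs != NULL ) {
			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
				matched_dn, NULL, refs, NULL );

		} else {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
		}

		/* refs was allocated only in the matched != NULL branch */
		if ( matched != NULL ) {
			ber_bvecfree( refs );
			free( matched_dn );
		}

		return rc;
	}

	*edn = ch_strdup( e->e_dn );

	if ( is_entry_alias( e ) ) {
		/* entry is an alias, don't allow bind */
		Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
		    0, 0 );

		send_ldap_result( conn, op, rc = LDAP_ALIAS_PROBLEM,
		    NULL, "entry is alias", NULL, NULL );

		goto done;
	}

	if ( is_entry_referral( e ) ) {
		/* entry is a referral, don't allow bind */
		struct berval **refs = get_entry_referrals( be,
			conn, op, e );

		Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
		    0, 0 );

		if( refs != NULL ) {
			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
				e->e_dn, NULL, refs, NULL );

		} else {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
		}

		ber_bvecfree( refs );

		goto done;
	}

	switch ( method ) {
	case LDAP_AUTH_SIMPLE:
		/* check for root dn/passwd; use the normalized DN here as the
		 * no-entry branch above does, so a rootdn whose entry happens
		 * to exist in the database is matched the same way */
		if ( be_isroot_pw( be, conn, ndn, cred ) ) {
			/* front end will send result */
			free( *edn );
			*edn = ch_strdup( be_root_dn( be ) );
			rc = LDAP_SUCCESS;
			goto done;
		}

		if ( ! access_allowed( be, conn, op, e,
			password, NULL, ACL_AUTH ) )
		{
			send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
			send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
			    NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( slap_passwd_check( conn, a, cred ) != 0 ) {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		rc = 0;
		break;

#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
	case LDAP_AUTH_KRBV41:
		if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
			    NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( ! access_allowed( be, conn, op, e,
			krbattr, NULL, ACL_AUTH ) )
		{
			send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		{
			/* bounded formatting of "name[.inst]@realm"; a principal
			 * that does not fit cannot be compared safely, so it is
			 * treated as invalid rather than silently truncated */
			int len = snprintf( krbname, sizeof krbname, "%s%s%s@%s",
			    ad.pname, *ad.pinst ? "." : "", ad.pinst, ad.prealm );

			if ( len < 0 || (size_t) len >= sizeof krbname ) {
				send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				    NULL, NULL, NULL, NULL );
				goto done;
			}
		}

		if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
			/*
			 * no krbname values present:  check against DN
			 */
			if ( strcasecmp( dn, krbname ) == 0 ) {
				rc = 0;
				break;
			}
			send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
			    NULL, NULL, NULL, NULL );
			goto done;

		} else {	/* look for krbname match */
			struct berval	krbval;

			krbval.bv_val = krbname;
			krbval.bv_len = strlen( krbname );

			if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
				send_ldap_result( conn, op,
				    rc = LDAP_INVALID_CREDENTIALS,
					NULL, NULL, NULL, NULL );
				goto done;
			}
		}
		rc = 0;
		break;

	case LDAP_AUTH_KRBV42:
		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
			NULL, "Kerberos bind step 2 not supported",
			NULL, NULL );
		goto done;
#endif

	default:
		send_ldap_result( conn, op, rc = LDAP_STRONG_AUTH_NOT_SUPPORTED,
		    NULL, "authentication method not supported", NULL, NULL );
		goto done;
	}

done:
	/* release entry and reader lock; every goto done happens after e
	 * was found non-NULL above */
	bdb_entry_return( be, e );

	/* front end will send result on success (rc==0) */
	return rc;
}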