1 /* bind.c - bdb backend bind routine */
2 /* $OpenLDAP$ */
3 /*
4  * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
6  */
7
8 #include "portable.h"
9
10 #include <stdio.h>
11 #include <ac/krb.h>
12 #include <ac/string.h>
13 #include <ac/unistd.h>
14
15 #include "back-bdb.h"
16 #include "external.h"
17
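/*
 * bdb_bind - authenticate a bind request against the bdb backend.
 *
 * be/conn/op	backend, connection and operation context
 * dn/ndn	the bind DN as sent and in normalized form
 * method	LDAP_AUTH_SIMPLE, or (when kbind support is compiled in)
 *		one of the LDAP_AUTH_KRBV4* methods
 * cred		credentials sent with the bind request
 * edn		out: the DN the bind is effectively performed as (the
 *		entry's own name, or the root DN when the root password
 *		matched); filled with ber_dupbv(), so the caller owns it
 *
 * Returns 0 (LDAP_SUCCESS) when authentication succeeded; the front end
 * then sends the result.  Every other return value has already been sent
 * to the client through send_ldap_result() and is returned as-is.
 */
int
bdb_bind(
	Backend		*be,
	Connection		*conn,
	Operation		*op,
	struct berval		*dn,
	struct berval		*ndn,
	int			method,
	struct berval	*cred,
	struct berval	*edn
)
{
	struct bdb_info *bdb = (struct bdb_info *) be->be_private;
	Entry		*e;
	Attribute	*a;
	int		rc;
	Entry		*matched;
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
	/* +1 for the terminating NUL; every write into this buffer below
	 * is bounded by sizeof krbname */
	char		krbname[MAX_K_NAME_SZ + 1];
	AttributeDescription *krbattr = slap_schema.si_ad_krbName;
	AUTH_DAT	ad;
#endif

	AttributeDescription *password = slap_schema.si_ad_userPassword;

	u_int32_t	locker;
	DB_LOCK		lock;

#ifdef NEW_LOGGING
	LDAP_LOG ( OPERATION, ARGS, "==> bdb_bind: dn: %s\n", dn->bv_val, 0, 0 );
#else
	Debug( LDAP_DEBUG_ARGS, "==> bdb_bind: dn: %s\n", dn->bv_val, 0, 0);
#endif

	/* A locker id is needed for every database access below.  If the
	 * environment cannot hand one out, fail the operation instead of
	 * continuing with an uninitialised locker. */
	rc = LOCK_ID(bdb->bi_dbenv, &locker);
	if ( rc != 0 ) {
		send_ldap_result( conn, op, rc=LDAP_OTHER,
			NULL, "internal error", NULL, NULL );
		return rc;
	}

dn2entry_retry:
	/* look the bind DN up; on success e holds the entry under a reader
	 * lock, on DB_NOTFOUND e is NULL and matched may hold the closest
	 * ancestor (also read-locked) */
	rc = bdb_dn2entry_r( be, NULL, ndn, &e, &matched, 0, locker, &lock );

	switch(rc) {
	case DB_NOTFOUND:
	case 0:
		break;
	case LDAP_BUSY:
		send_ldap_result( conn, op, LDAP_BUSY,
			NULL, "ldap server busy", NULL, NULL );
		LOCK_ID_FREE(bdb->bi_dbenv, locker);
		return LDAP_BUSY;
	case DB_LOCK_DEADLOCK:
	case DB_LOCK_NOTGRANTED:
		/* lock contention: retry the lookup.  NOTE(review): there is
		 * no retry cap here, so sustained contention keeps this
		 * operation spinning until the lookup succeeds. */
		goto dn2entry_retry;
	default:
		send_ldap_result( conn, op, rc=LDAP_OTHER,
			NULL, "internal error", NULL, NULL );
		LOCK_ID_FREE(bdb->bi_dbenv, locker);
		return rc;
	}

	if ( e == NULL ) {
		/* The bind DN does not exist in this database.  The only
		 * way to succeed here is the root DN/password; otherwise the
		 * client gets a referral (if one applies) or invalid
		 * credentials. */
		char *matched_dn = NULL;
		BerVarray refs;

		if( matched != NULL ) {
			matched_dn = ch_strdup( matched->e_dn );

			refs = is_entry_referral( matched )
				? get_entry_referrals( be, conn, op, matched )
				: NULL;

			/* release the matched entry's reader lock before
			 * sending anything */
			bdb_cache_return_entry_r( bdb->bi_dbenv, &bdb->bi_cache, matched, &lock );
			matched = NULL;

		} else {
			refs = referral_rewrite( default_referral,
				NULL, dn, LDAP_SCOPE_DEFAULT );
		}

		rc = 1;
		if ( method == LDAP_AUTH_SIMPLE ) {
			if ( be_isroot_pw( be, conn, ndn, cred ) ) {
				ber_dupbv( edn, be_root_dn( be ) );
				rc = LDAP_SUCCESS; /* front end will send result */

			} else if ( refs != NULL ) {
				send_ldap_result( conn, op, rc = LDAP_REFERRAL,
					matched_dn, NULL, refs, NULL );

			} else {
				send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
					NULL, NULL, NULL, NULL );
			}

		} else if ( refs != NULL ) {
			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
				matched_dn, NULL, refs, NULL );

		} else {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
		}

		LOCK_ID_FREE(bdb->bi_dbenv, locker);

		ber_bvarray_free( refs );
		free( matched_dn );

		return rc;
	}

	/* from here on e is held with a reader lock; every exit goes
	 * through done: so the lock and locker are released */
	ber_dupbv( edn, &e->e_name );

#ifdef BDB_SUBENTRIES
	if ( is_entry_subentry( e ) ) {
		/* entry is a subentry, don't allow bind */
#ifdef NEW_LOGGING
		LDAP_LOG ( OPERATION, DETAIL1, 
			"bdb_bind: entry is subentry\n", 0, 0, 0 );
#else
		Debug( LDAP_DEBUG_TRACE, "entry is subentry\n", 0,
			0, 0 );
#endif

		send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
			NULL, NULL, NULL, NULL );

		goto done;
	}
#endif

#ifdef BDB_ALIASES
	if ( is_entry_alias( e ) ) {
		/* entry is an alias, don't allow bind */
#ifdef NEW_LOGGING
		LDAP_LOG ( OPERATION, DETAIL1, "bdb_bind: entry is alias\n", 0, 0, 0 );
#else
		Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
			0, 0 );
#endif

		send_ldap_result( conn, op, rc = LDAP_ALIAS_PROBLEM,
			NULL, "entry is alias", NULL, NULL );

		goto done;
	}
#endif

	if ( is_entry_referral( e ) ) {
		/* entry is a referral, don't allow bind */
		BerVarray refs = get_entry_referrals( be,
			conn, op, e );

#ifdef NEW_LOGGING
		LDAP_LOG ( OPERATION, DETAIL1, 
			"bdb_bind: entry is referral\n", 0, 0, 0 );
#else
		Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
			0, 0 );
#endif

		if( refs != NULL ) {
			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
				e->e_dn, NULL, refs, NULL );

		} else {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
		}

		ber_bvarray_free( refs );

		goto done;
	}

	switch ( method ) {
	case LDAP_AUTH_SIMPLE:
		/* root DN/password is checked before the ACL and before the
		 * entry's own password, and wins if it matches */
		if ( be_isroot_pw( be, conn, ndn, cred ) ) {
			/* front end will send result; replace the entry name
			 * dup'd above with the root DN */
			if(edn->bv_val != NULL) free( edn->bv_val );
			ber_dupbv( edn, be_root_dn( be ) );
			rc = LDAP_SUCCESS;
			goto done;
		}

		/* ACL_AUTH on userPassword gates whether this identity may
		 * be authenticated against at all */
		if ( ! access_allowed( be, conn, op, e,
			password, NULL, ACL_AUTH, NULL ) )
		{
			send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
			send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( slap_passwd_check( conn, a, cred ) != 0 ) {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		rc = 0;
		break;

#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
	case LDAP_AUTH_KRBV41:
		if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( ! access_allowed( be, conn, op, e,
			krbattr, NULL, ACL_AUTH, NULL ) )
		{
			send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		/* Build "name[.inst]@realm" from the ticket data.  The
		 * components come from the client, so the write is bounded
		 * and a name that does not fit is rejected rather than
		 * allowed to overrun krbname. */
		{
			int len = snprintf( krbname, sizeof krbname, "%s%s%s@%s",
				ad.pname, *ad.pinst ? "." : "", ad.pinst, ad.prealm );

			if ( len < 0 || (size_t) len >= sizeof krbname ) {
				send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
					NULL, NULL, NULL, NULL );
				goto done;
			}
		}

		if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
			/*
			 * no krbname values present: check against DN
			 * (dn is a berval, compare its string value)
			 */
			if ( strcasecmp( dn->bv_val, krbname ) == 0 ) {
				rc = 0;
				break;
			}
			send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
				NULL, NULL, NULL, NULL );
			goto done;

		} else {	/* look for krbname match */
			struct berval	krbval;

			krbval.bv_val = krbname;
			krbval.bv_len = strlen( krbname );

			if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
				send_ldap_result( conn, op,
					rc = LDAP_INVALID_CREDENTIALS,
					NULL, NULL, NULL, NULL );
				goto done;
			}
		}
		rc = 0;
		break;

	case LDAP_AUTH_KRBV42:
		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
			NULL, "Kerberos bind step 2 not supported",
			NULL, NULL );
		goto done;
#endif

	default:
		send_ldap_result( conn, op, rc = LDAP_STRONG_AUTH_NOT_SUPPORTED,
			NULL, "authentication method not supported", NULL, NULL );
		goto done;
	}

done:
	/* free entry and reader lock */
	if( e != NULL ) {
		bdb_cache_return_entry_r( bdb->bi_dbenv, &bdb->bi_cache, e, &lock );
	}

	LOCK_ID_FREE(bdb->bi_dbenv, locker);

	/* front end will send the result on success (rc==0) */
	return rc;
}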