git.sur5r.net Git - openldap/blob - servers/slapd/back-bdb/bind.c

   1 /* bind.c - bdb backend bind routine */
   2 /* $OpenLDAP$ */
   3 /*
   4  * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
   5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   6  */
   7
   8 #include "portable.h"
   9
  10 #include <stdio.h>
  11 #include <ac/krb.h>
  12 #include <ac/string.h>
  13 #include <ac/unistd.h>
  14
  15 #include "back-bdb.h"
  16 #include "external.h"
  17
  18 int
  19 bdb_bind(
  20         Backend         *be,
  21         Connection              *conn,
  22         Operation               *op,
  23         struct berval           *dn,
  24         struct berval           *ndn,
  25         int                     method,
  26         struct berval   *cred,
  27         struct berval   *edn
  28 )
  29 {
  30         struct bdb_info *bdb = (struct bdb_info *) be->be_private;
  31         Entry           *e;
  32         Attribute       *a;
  33         int             rc;
  34         Entry           *matched;
  35 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
  36         char            krbname[MAX_K_NAME_SZ + 1];
  37         AttributeDescription *krbattr = slap_schema.si_ad_krbName;
  38         AUTH_DAT        ad;
  39 #endif
  40
  41         AttributeDescription *password = slap_schema.si_ad_userPassword;
  42
  43         u_int32_t       locker;
  44         DB_LOCK         lock;
  45
  46 #ifdef NEW_LOGGING
  47         LDAP_LOG (( "bind", LDAP_LEVEL_ARGS, "==> bdb_bind: dn: %s\n", dn->bv_val ));
  48 #else
  49         Debug( LDAP_DEBUG_ARGS, "==> bdb_bind: dn: %s\n", dn->bv_val, 0, 0);
  50 #endif
  51
  52         LOCK_ID(bdb->bi_dbenv, &locker);
  53
  54 dn2entry_retry:
  55         /* get entry */
  56         rc = bdb_dn2entry_r( be, NULL, ndn, &e, &matched, 0, locker, &lock );
  57
  58         switch(rc) {
  59         case DB_NOTFOUND:
  60         case 0:
  61                 break;
  62         case LDAP_BUSY:
  63                 send_ldap_result( conn, op, LDAP_BUSY,
  64                         NULL, "ldap server busy", NULL, NULL );
  65                 LOCK_ID_FREE(bdb->bi_dbenv, locker);
  66                 return LDAP_BUSY;
  67         case DB_LOCK_DEADLOCK:
  68         case DB_LOCK_NOTGRANTED:
  69                 goto dn2entry_retry;
  70         default:
  71                 send_ldap_result( conn, op, rc=LDAP_OTHER,
  72                         NULL, "internal error", NULL, NULL );
  73                 LOCK_ID_FREE(bdb->bi_dbenv, locker);
  74                 return rc;
  75         }
  76
  77         /* get entry with reader lock */
  78         if ( e == NULL ) {
  79                 char *matched_dn = NULL;
  80                 BerVarray refs;
  81
  82                 if( matched != NULL ) {
  83                         matched_dn = ch_strdup( matched->e_dn );
  84
  85                         refs = is_entry_referral( matched )
  86                                 ? get_entry_referrals( be, conn, op, matched )
  87                                 : NULL;
  88
  89                         bdb_cache_return_entry_r( bdb->bi_dbenv, &bdb->bi_cache, matched, &lock );
  90                         matched = NULL;
  91
  92                 } else {
  93                         refs = referral_rewrite( default_referral,
  94                                 NULL, dn, LDAP_SCOPE_DEFAULT );
  95                 }
  96
  97                 /* allow noauth binds */
  98                 rc = 1;
  99                 if ( method == LDAP_AUTH_SIMPLE ) {
 100                         if ( be_isroot_pw( be, conn, ndn, cred ) ) {
 101                                 ber_dupbv( edn, be_root_dn( be ) );
 102                                 rc = LDAP_SUCCESS; /* front end will send result */
 103
 104                         } else if ( refs != NULL ) {
 105                                 send_ldap_result( conn, op, rc = LDAP_REFERRAL,
 106                                         matched_dn, NULL, refs, NULL );
 107
 108                         } else {
 109                                 send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 110                                         NULL, NULL, NULL, NULL );
 111                         }
 112
 113                 } else if ( refs != NULL ) {
 114                         send_ldap_result( conn, op, rc = LDAP_REFERRAL,
 115                                 matched_dn, NULL, refs, NULL );
 116
 117                 } else {
 118                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 119                                 NULL, NULL, NULL, NULL );
 120                 }
 121
 122                 LOCK_ID_FREE(bdb->bi_dbenv, locker);
 123
 124                 ber_bvarray_free( refs );
 125                 free( matched_dn );
 126
 127                 return rc;
 128         }
 129
 130         ber_dupbv( edn, &e->e_name );
 131
 132         /* check for deleted */
 133 #ifdef BDB_SUBENTRIES
 134         if ( is_entry_subentry( e ) ) {
 135                 /* entry is an subentry, don't allow bind */
 136 #ifdef NEW_LOGGING
 137                 LDAP_LOG (( "bind", LDAP_LEVEL_DETAIL1, "bdb_bind: entry is subentry\n" ));
 138 #else
 139                 Debug( LDAP_DEBUG_TRACE, "entry is subentry\n", 0,
 140                         0, 0 );
 141 #endif
 142
 143                 send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 144                         NULL, NULL, NULL, NULL );
 145
 146                 goto done;
 147         }
 148 #endif
 149
 150 #ifdef BDB_ALIASES
 151         if ( is_entry_alias( e ) ) {
 152                 /* entry is an alias, don't allow bind */
 153 #ifdef NEW_LOGGING
 154                 LDAP_LOG (( "bind", LDAP_LEVEL_DETAIL1, "bdb_bind: entry is alias\n" ));
 155 #else
 156                 Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
 157                         0, 0 );
 158 #endif
 159
 160                 send_ldap_result( conn, op, rc = LDAP_ALIAS_PROBLEM,
 161                         NULL, "entry is alias", NULL, NULL );
 162
 163                 goto done;
 164         }
 165 #endif
 166
 167         if ( is_entry_referral( e ) ) {
 168                 /* entry is a referral, don't allow bind */
 169                 BerVarray refs = get_entry_referrals( be,
 170                         conn, op, e );
 171
 172 #ifdef NEW_LOGGING
 173                 LDAP_LOG (( "bind", LDAP_LEVEL_DETAIL1, "bdb_bind: entry is referral\n" ));
 174 #else
 175                 Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
 176                         0, 0 );
 177 #endif
 178
 179                 if( refs != NULL ) {
 180                         send_ldap_result( conn, op, rc = LDAP_REFERRAL,
 181                                 e->e_dn, NULL, refs, NULL );
 182
 183                 } else {
 184                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 185                                 NULL, NULL, NULL, NULL );
 186                 }
 187
 188                 ber_bvarray_free( refs );
 189
 190                 goto done;
 191         }
 192
 193         switch ( method ) {
 194         case LDAP_AUTH_SIMPLE:
 195                 /* check for root dn/passwd */
 196                 if ( be_isroot_pw( be, conn, ndn, cred ) ) {
 197                         /* front end will send result */
 198                         if(edn->bv_val != NULL) free( edn->bv_val );
 199                         ber_dupbv( edn, be_root_dn( be ) );
 200                         rc = LDAP_SUCCESS;
 201                         goto done;
 202                 }
 203
 204                 if ( ! access_allowed( be, conn, op, e,
 205                         password, NULL, ACL_AUTH, NULL ) )
 206                 {
 207                         send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
 208                                 NULL, NULL, NULL, NULL );
 209                         goto done;
 210                 }
 211
 212                 if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
 213                         send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
 214                                 NULL, NULL, NULL, NULL );
 215                         goto done;
 216                 }
 217
 218                 if ( slap_passwd_check( conn, a, cred ) != 0 ) {
 219                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 220                                 NULL, NULL, NULL, NULL );
 221                         goto done;
 222                 }
 223
 224                 rc = 0;
 225                 break;
 226
 227 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
 228         case LDAP_AUTH_KRBV41:
 229                 if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
 230                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 231                                 NULL, NULL, NULL, NULL );
 232                         goto done;
 233                 }
 234
 235                 if ( ! access_allowed( be, conn, op, e,
 236                         krbattr, NULL, ACL_AUTH, NULL ) )
 237                 {
 238                         send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
 239                                 NULL, NULL, NULL, NULL );
 240                         goto done;
 241                 }
 242
 243                 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
 244                         : "", ad.pinst, ad.prealm );
 245
 246                 if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
 247                         /*
 248                          * no krbname values present: check against DN
 249                          */
 250                         if ( strcasecmp( dn, krbname ) == 0 ) {
 251                                 rc = 0;
 252                                 break;
 253                         }
 254                         send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
 255                                 NULL, NULL, NULL, NULL );
 256                         goto done;
 257
 258                 } else {        /* look for krbname match */
 259                         struct berval   krbval;
 260
 261                         krbval.bv_val = krbname;
 262                         krbval.bv_len = strlen( krbname );
 263
 264                         if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
 265                                 send_ldap_result( conn, op,
 266                                         rc = LDAP_INVALID_CREDENTIALS,
 267                                         NULL, NULL, NULL, NULL );
 268                                 goto done;
 269                         }
 270                 }
 271                 rc = 0;
 272                 break;
 273
 274         case LDAP_AUTH_KRBV42:
 275                 send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
 276                         NULL, "Kerberos bind step 2 not supported",
 277                         NULL, NULL );
 278                 goto done;
 279 #endif
 280
 281         default:
 282                 send_ldap_result( conn, op, rc = LDAP_STRONG_AUTH_NOT_SUPPORTED,
 283                         NULL, "authentication method not supported", NULL, NULL );
 284                 goto done;
 285         }
 286
 287 done:
 288         /* free entry and reader lock */
 289         if( e != NULL ) {
 290                 bdb_cache_return_entry_r( bdb->bi_dbenv, &bdb->bi_cache, e, &lock );
 291         }
 292
 293         LOCK_ID_FREE(bdb->bi_dbenv, locker);
 294
 295         /* front end with send result on success (rc==0) */
 296         return rc;
 297 }