git.sur5r.net Git - openldap/blob - servers/slapd/back-bdb/bind.c

   1 /* bind.c - bdb backend bind routine */
   2 /* $OpenLDAP$ */
   3 /*
   4  * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
   5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   6  */
   7
   8 #include "portable.h"
   9
  10 #include <stdio.h>
  11 #include <ac/krb.h>
  12 #include <ac/string.h>
  13 #include <ac/unistd.h>
  14
  15 #include "back-bdb.h"
  16 #include "external.h"
  17
  18 int
  19 bdb_bind(
  20         Backend         *be,
  21         Connection              *conn,
  22         Operation               *op,
  23         struct berval           *dn,
  24         struct berval           *ndn,
  25         int                     method,
  26         struct berval   *cred,
  27         struct berval   *edn
  28 )
  29 {
  30         struct bdb_info *bdb = (struct bdb_info *) be->be_private;
  31         Entry           *e;
  32         Attribute       *a;
  33         int             rc;
  34         Entry           *matched;
  35 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
  36         char            krbname[MAX_K_NAME_SZ + 1];
  37         AttributeDescription *krbattr = slap_schema.si_ad_krbName;
  38         AUTH_DAT        ad;
  39 #endif
  40
  41         AttributeDescription *password = slap_schema.si_ad_userPassword;
  42
  43 #ifdef NEW_LOGGING
  44         LDAP_LOG (( "bind", LDAP_LEVEL_ARGS, "==> bdb_bind: dn: %s\n", dn->bv_val ));
  45 #else
  46         Debug( LDAP_DEBUG_ARGS, "==> bdb_bind: dn: %s\n", dn->bv_val, 0, 0);
  47 #endif
  48
  49         /* get entry */
  50         rc = bdb_dn2entry_r( be, NULL, ndn, &e, &matched, 0 );
  51
  52         switch(rc) {
  53         case DB_NOTFOUND:
  54         case 0:
  55                 break;
  56         default:
  57                 send_ldap_result( conn, op, rc=LDAP_OTHER,
  58                         NULL, "internal error", NULL, NULL );
  59                 return rc;
  60         }
  61
  62         /* get entry with reader lock */
  63         if ( e == NULL ) {
  64                 char *matched_dn = NULL;
  65                 BerVarray refs;
  66
  67                 if( matched != NULL ) {
  68                         matched_dn = ch_strdup( matched->e_dn );
  69
  70                         refs = is_entry_referral( matched )
  71                                 ? get_entry_referrals( be, conn, op, matched )
  72                                 : NULL;
  73
  74                         bdb_cache_return_entry_r( &bdb->bi_cache, matched );
  75                         matched = NULL;
  76
  77                 } else {
  78                         refs = referral_rewrite( default_referral,
  79                                 NULL, dn, LDAP_SCOPE_DEFAULT );
  80                 }
  81
  82                 /* allow noauth binds */
  83                 rc = 1;
  84                 if ( method == LDAP_AUTH_SIMPLE ) {
  85                         if ( be_isroot_pw( be, conn, ndn, cred ) ) {
  86                                 ber_dupbv( edn, be_root_dn( be ) );
  87                                 rc = LDAP_SUCCESS; /* front end will send result */
  88
  89                         } else if ( refs != NULL ) {
  90                                 send_ldap_result( conn, op, rc = LDAP_REFERRAL,
  91                                         matched_dn, NULL, refs, NULL );
  92
  93                         } else {
  94                                 send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
  95                                         NULL, NULL, NULL, NULL );
  96                         }
  97
  98                 } else if ( refs != NULL ) {
  99                         send_ldap_result( conn, op, rc = LDAP_REFERRAL,
 100                                 matched_dn, NULL, refs, NULL );
 101
 102                 } else {
 103                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 104                                 NULL, NULL, NULL, NULL );
 105                 }
 106
 107                 ber_bvarray_free( refs );
 108                 free( matched_dn );
 109
 110                 return rc;
 111         }
 112
 113         ber_dupbv( edn, &e->e_name );
 114
 115         /* check for deleted */
 116 #ifdef BDB_SUBENTRIES
 117         if ( is_entry_subentry( e ) ) {
 118                 /* entry is an subentry, don't allow bind */
 119 #ifdef NEW_LOGGING
 120                 LDAP_LOG (( "bind", LDAP_LEVEL_DETAIL1, "bdb_bind: entry is subentry\n" ));
 121 #else
 122                 Debug( LDAP_DEBUG_TRACE, "entry is subentry\n", 0,
 123                         0, 0 );
 124 #endif
 125
 126                 send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 127                         NULL, NULL, NULL, NULL );
 128
 129                 goto done;
 130         }
 131 #endif
 132
 133 #ifdef BDB_ALIASES
 134         if ( is_entry_alias( e ) ) {
 135                 /* entry is an alias, don't allow bind */
 136 #ifdef NEW_LOGGING
 137                 LDAP_LOG (( "bind", LDAP_LEVEL_DETAIL1, "bdb_bind: entry is alias\n" ));
 138 #else
 139                 Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
 140                         0, 0 );
 141 #endif
 142
 143                 send_ldap_result( conn, op, rc = LDAP_ALIAS_PROBLEM,
 144                         NULL, "entry is alias", NULL, NULL );
 145
 146                 goto done;
 147         }
 148 #endif
 149
 150         if ( is_entry_referral( e ) ) {
 151                 /* entry is a referral, don't allow bind */
 152                 BerVarray refs = get_entry_referrals( be,
 153                         conn, op, e );
 154
 155 #ifdef NEW_LOGGING
 156                 LDAP_LOG (( "bind", LDAP_LEVEL_DETAIL1, "bdb_bind: entry is referral\n" ));
 157 #else
 158                 Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
 159                         0, 0 );
 160 #endif
 161
 162                 if( refs != NULL ) {
 163                         send_ldap_result( conn, op, rc = LDAP_REFERRAL,
 164                                 e->e_dn, NULL, refs, NULL );
 165
 166                 } else {
 167                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 168                                 NULL, NULL, NULL, NULL );
 169                 }
 170
 171                 ber_bvarray_free( refs );
 172
 173                 goto done;
 174         }
 175
 176         switch ( method ) {
 177         case LDAP_AUTH_SIMPLE:
 178                 /* check for root dn/passwd */
 179                 if ( be_isroot_pw( be, conn, ndn, cred ) ) {
 180                         /* front end will send result */
 181                         if(edn->bv_val != NULL) free( edn->bv_val );
 182                         ber_dupbv( edn, be_root_dn( be ) );
 183                         rc = LDAP_SUCCESS;
 184                         goto done;
 185                 }
 186
 187                 if ( ! access_allowed( be, conn, op, e,
 188                         password, NULL, ACL_AUTH, NULL ) )
 189                 {
 190                         send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
 191                                 NULL, NULL, NULL, NULL );
 192                         goto done;
 193                 }
 194
 195                 if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
 196                         send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
 197                                 NULL, NULL, NULL, NULL );
 198                         goto done;
 199                 }
 200
 201                 if ( slap_passwd_check( conn, a, cred ) != 0 ) {
 202                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 203                                 NULL, NULL, NULL, NULL );
 204                         goto done;
 205                 }
 206
 207                 rc = 0;
 208                 break;
 209
 210 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
 211         case LDAP_AUTH_KRBV41:
 212                 if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
 213                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 214                                 NULL, NULL, NULL, NULL );
 215                         goto done;
 216                 }
 217
 218                 if ( ! access_allowed( be, conn, op, e,
 219                         krbattr, NULL, ACL_AUTH, NULL ) )
 220                 {
 221                         send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
 222                                 NULL, NULL, NULL, NULL );
 223                         goto done;
 224                 }
 225
 226                 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
 227                         : "", ad.pinst, ad.prealm );
 228
 229                 if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
 230                         /*
 231                          * no krbname values present: check against DN
 232                          */
 233                         if ( strcasecmp( dn, krbname ) == 0 ) {
 234                                 rc = 0;
 235                                 break;
 236                         }
 237                         send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
 238                                 NULL, NULL, NULL, NULL );
 239                         goto done;
 240
 241                 } else {        /* look for krbname match */
 242                         struct berval   krbval;
 243
 244                         krbval.bv_val = krbname;
 245                         krbval.bv_len = strlen( krbname );
 246
 247                         if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
 248                                 send_ldap_result( conn, op,
 249                                         rc = LDAP_INVALID_CREDENTIALS,
 250                                         NULL, NULL, NULL, NULL );
 251                                 goto done;
 252                         }
 253                 }
 254                 rc = 0;
 255                 break;
 256
 257         case LDAP_AUTH_KRBV42:
 258                 send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
 259                         NULL, "Kerberos bind step 2 not supported",
 260                         NULL, NULL );
 261                 goto done;
 262 #endif
 263
 264         default:
 265                 send_ldap_result( conn, op, rc = LDAP_STRONG_AUTH_NOT_SUPPORTED,
 266                         NULL, "authentication method not supported", NULL, NULL );
 267                 goto done;
 268         }
 269
 270 done:
 271         /* free entry and reader lock */
 272         if( e != NULL ) {
 273                 bdb_cache_return_entry_r( &bdb->bi_cache, e );
 274         }
 275
 276         /* front end with send result on success (rc==0) */
 277         return rc;
 278 }