1 /* bind.c - bdb backend bind routine */
2 /* $OpenLDAP$ */
3 /*
4  * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
6  */
7
8 #include "portable.h"
9
10 #include <stdio.h>
11 #include <ac/krb.h>
12 #include <ac/string.h>
13 #include <ac/unistd.h>
14
15 #include "back-bdb.h"
16 #include "external.h"
17
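/*
 * bdb_bind - authenticate a bind operation against the bdb backend.
 *
 * Looks up the entry named by ndn and validates cred for the requested
 * method.  Return value:
 *   - LDAP_SUCCESS (0): the bind is accepted and *edn holds a ch_strdup'd
 *     copy of the authenticated DN (the root DN or the entry's DN); the
 *     front end sends the result.
 *   - anything else: an LDAP result has already been sent from here and
 *     the code that was sent is returned (LDAP_OTHER when dn2entry_r()
 *     fails with something other than DB_NOTFOUND).
 *
 * *edn is set to NULL on entry.  On failure paths taken after the entry
 * was found it still points at an allocated copy of e->e_dn; presumably
 * the front end frees it in that case -- confirm against do_bind().
 *
 * Root binds are checked against the normalized DN (ndn) on both the
 * no-entry path and the simple-bind path so the two agree; the Kerberos
 * path compares the principal name with the DN as supplied (dn).
 */
int
bdb_bind(
    Backend		*be,
    Connection		*conn,
    Operation		*op,
    const char		*dn,
    const char		*ndn,
    int			method,
    struct berval	*cred,
    char		**edn
)
{
	Entry		*e;
	Attribute	*a;
	int		rc;
	Entry		*matched;
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
	char		krbname[MAX_K_NAME_SZ + 1];
	AttributeDescription *krbattr = slap_schema.si_ad_krbName;
	AUTH_DAT	ad;
	int		krbnamelen;
#endif

	AttributeDescription *password = slap_schema.si_ad_userPassword;

	Debug( LDAP_DEBUG_ARGS, "==> bdb_bind: dn: %s\n", dn, 0, 0);

	*edn = NULL;

	/* fetch entry; on DB_NOTFOUND e is NULL and matched (if non-NULL)
	 * is the entry reported as matchedDN in a referral result */
	rc = dn2entry_r( be, NULL, ndn, &e, &matched );

	switch(rc) {
	case DB_NOTFOUND:
	case 0:
		break;
	default:
		send_ldap_result( conn, op, rc=LDAP_OTHER,
			NULL, "internal error", NULL, NULL );
		return rc;
	}

	if ( e == NULL ) {
		/* no such entry: a simple root bind is still possible;
		 * otherwise answer with a referral (from the matched entry
		 * or the default referral) or invalidCredentials */
		char *matched_dn = NULL;
		struct berval **refs = NULL;

		if( matched != NULL ) {
			matched_dn = ch_strdup( matched->e_dn );

			refs = is_entry_referral( matched )
				? get_entry_referrals( be, conn, op, matched )
				: NULL;

			/* release the matched entry and its reader lock before
			 * any result is sent */
			bdb_entry_return( be, matched );
		} else {
			refs = default_referral;
		}

		if ( method == LDAP_AUTH_SIMPLE
			&& be_isroot_pw( be, conn, ndn, cred ) )
		{
			*edn = ch_strdup( be_root_dn( be ) );
			rc = LDAP_SUCCESS; /* front end will send result */

		} else if ( refs != NULL ) {
			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
				matched_dn, NULL, refs, NULL );

		} else {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
		}

		/* only entry-derived referrals are owned here;
		 * default_referral is shared and must not be freed */
		if ( matched != NULL ) {
			ber_bvecfree( refs );
			free( matched_dn );
		}

		return rc;
	}

	/* entry found: report its DN as the authenticated identity unless a
	 * root bind replaces it below */
	*edn = ch_strdup( e->e_dn );

	if ( is_entry_alias( e ) ) {
		/* entry is an alias, don't allow bind */
		Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
			0, 0 );

		send_ldap_result( conn, op, rc = LDAP_ALIAS_PROBLEM,
			NULL, "entry is alias", NULL, NULL );

		goto done;
	}

	if ( is_entry_referral( e ) ) {
		/* entry is a referral, don't allow bind */
		struct berval **refs = get_entry_referrals( be,
			conn, op, e );

		Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
			0, 0 );

		if( refs != NULL ) {
			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
				e->e_dn, NULL, refs, NULL );

		} else {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
		}

		ber_bvecfree( refs );

		goto done;
	}

	switch ( method ) {
	case LDAP_AUTH_SIMPLE:
		/* check for root dn/passwd; use the normalized DN, as the
		 * no-entry path above does, so a differently spelled root DN
		 * is recognized on both paths */
		if ( be_isroot_pw( be, conn, ndn, cred ) ) {
			/* front end will send result */
			free( *edn );
			*edn = ch_strdup( be_root_dn( be ) );
			rc = LDAP_SUCCESS;
			goto done;
		}

		/* the bind DN needs "auth" access to its own userPassword */
		if ( ! access_allowed( be, conn, op, e,
			password, NULL, ACL_AUTH ) )
		{
			send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		/* no userPassword values at all: simple bind is inappropriate */
		if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
			send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		/* slap_passwd_check() compares cred against the stored values */
		if ( slap_passwd_check( conn, a, cred ) != 0 ) {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		rc = 0;
		break;

#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
	case LDAP_AUTH_KRBV41:
		/* NOTE(review): ad is filled in by krbv4_ldap_auth() and may
		 * carry key material; consider clearing it before return --
		 * confirm against krb.h */
		if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		/* the bind DN needs "auth" access to krbName */
		if ( ! access_allowed( be, conn, op, e,
			krbattr, NULL, ACL_AUTH ) )
		{
			send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		/* build "name[.inst]@realm" into the fixed-size krbname
		 * buffer; a bounded write plus an explicit truncation check
		 * keeps an over-long principal from overrunning the stack */
		krbnamelen = snprintf( krbname, sizeof krbname, "%s%s%s@%s",
			ad.pname, *ad.pinst ? "." : "", ad.pinst, ad.prealm );
		if ( krbnamelen < 0 || (size_t) krbnamelen >= sizeof krbname ) {
			send_ldap_result( conn, op, rc = LDAP_OTHER,
				NULL, "internal error", NULL, NULL );
			goto done;
		}

		if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
			/*
			 * no krbname values present:  check against DN
			 */
			if ( strcasecmp( dn, krbname ) == 0 ) {
				rc = 0;
				break;
			}
			send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
				NULL, NULL, NULL, NULL );
			goto done;

		} else {	/* look for krbname match */
			struct berval	krbval;

			krbval.bv_val = krbname;
			krbval.bv_len = strlen( krbname );

			if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
				send_ldap_result( conn, op,
					rc = LDAP_INVALID_CREDENTIALS,
					NULL, NULL, NULL, NULL );
				goto done;
			}
		}
		rc = 0;
		break;

	case LDAP_AUTH_KRBV42:
		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
			NULL, "Kerberos bind step 2 not supported",
			NULL, NULL );
		goto done;
#endif

	default:
		send_ldap_result( conn, op, rc = LDAP_STRONG_AUTH_NOT_SUPPORTED,
			NULL, "authentication method not supported", NULL, NULL );
		goto done;
	}

done:
	/* free entry and reader lock */
	bdb_entry_return( be, e );

	/* front end will send result on success (rc==0) */
	return rc;
}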