1 /* bind.c - bdb backend bind routine */
2 /* $OpenLDAP$ */
3 /*
4  * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
6  */
7
8 #include "portable.h"
9
10 #include <stdio.h>
11 #include <ac/krb.h>
12 #include <ac/string.h>
13 #include <ac/unistd.h>
14
15 #include "back-bdb.h"
16 #include "external.h"
17
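/**
 * bdb_bind - bind (authentication) entry point of the BDB backend.
 *
 * Looks up the entry named by @ndn under a fresh BDB locker, refuses to
 * bind to entries that cannot be bound to (subentries and aliases when
 * compiled in, referrals) and then checks the credentials according to
 * @method.  A simple bind is first compared with the root DN/password and
 * then with the entry's userPassword (subject to ACL_AUTH access).  The
 * optional Kerberos V4 path builds the principal name from the decoded
 * ticket and matches it against the entry's krbName values or, when the
 * entry has none, against the bind DN.
 *
 * @be      backend instance; be->be_private is the struct bdb_info
 * @conn    client connection
 * @op      the bind operation
 * @dn      bind DN as supplied by the client
 * @ndn     normalized bind DN used for the entry lookup
 * @method  LDAP_AUTH_* method requested by the client
 * @cred    credentials supplied by the client
 * @edn     out: receives a duplicate (ber_dupbv) of the authenticated
 *          entry's DN, or of the root DN when the root password matched
 *
 * @return  0 (LDAP_SUCCESS) on success, in which case the front end sends
 *          the bind result; any other value is an LDAP result code and the
 *          result has already been sent to the client by this routine.
 */
int
bdb_bind(
	Backend		*be,
	Connection		*conn,
	Operation		*op,
	struct berval		*dn,
	struct berval		*ndn,
	int			method,
	struct berval	*cred,
	struct berval	*edn
)
{
	struct bdb_info *bdb = (struct bdb_info *) be->be_private;
	Entry		*e;
	Attribute	*a;
	int		rc;
	Entry		*matched;
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
	char		krbname[MAX_K_NAME_SZ + 1];
	AttributeDescription *krbattr = slap_schema.si_ad_krbName;
	AUTH_DAT	ad;
#endif

	AttributeDescription *password = slap_schema.si_ad_userPassword;

	u_int32_t	locker;
	DB_LOCK		lock;

#ifdef NEW_LOGGING
	LDAP_LOG ( OPERATION, ARGS, "==> bdb_bind: dn: %s\n", dn->bv_val, 0, 0 );
#else
	Debug( LDAP_DEBUG_ARGS, "==> bdb_bind: dn: %s\n", dn->bv_val, 0, 0);
#endif

	/* every lock taken below belongs to this locker; it is released on
	 * each return path with LOCK_ID_FREE */
	LOCK_ID(bdb->bi_dbenv, &locker);

dn2entry_retry:
	/* get entry */
	rc = bdb_dn2entry_r( be, NULL, ndn, &e, &matched, 0, locker, &lock );

	switch(rc) {
	case DB_NOTFOUND:
	case 0:
		break;
	case LDAP_BUSY:
		send_ldap_result( conn, op, LDAP_BUSY,
			NULL, "ldap server busy", NULL, NULL );
		LOCK_ID_FREE(bdb->bi_dbenv, locker);
		return LDAP_BUSY;
	case DB_LOCK_DEADLOCK:
	case DB_LOCK_NOTGRANTED:
		/* lock contention: repeat the lookup under the same locker */
		goto dn2entry_retry;
	default:
		send_ldap_result( conn, op, rc=LDAP_OTHER,
			NULL, "internal error", NULL, NULL );
		LOCK_ID_FREE(bdb->bi_dbenv, locker);
		return rc;
	}

	/* get entry with reader lock */
	if ( e == NULL ) {
		char *matched_dn = NULL;
		BerVarray refs = NULL;

		if( matched != NULL ) {
			matched_dn = ch_strdup( matched->e_dn );

			refs = is_entry_referral( matched )
				? get_entry_referrals( be, conn, op, matched )
				: NULL;

			/* the matched entry is only needed for its DN and
			 * referrals; give it back before answering */
			bdb_cache_return_entry_r( bdb->bi_dbenv, &bdb->bi_cache, matched, &lock );
			matched = NULL;

		} else {
			refs = referral_rewrite( default_referral,
				NULL, dn, LDAP_SCOPE_DEFAULT );
		}

		/* allow noauth binds */
		rc = 1;
		if ( method == LDAP_AUTH_SIMPLE ) {
			/* the root DN need not exist as an entry */
			if ( be_isroot_pw( be, conn, ndn, cred ) ) {
				ber_dupbv( edn, be_root_dn( be ) );
				rc = LDAP_SUCCESS; /* front end will send result */

			} else if ( refs != NULL ) {
				send_ldap_result( conn, op, rc = LDAP_REFERRAL,
					matched_dn, NULL, refs, NULL );

			} else {
				send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
					NULL, NULL, NULL, NULL );
			}

		} else if ( refs != NULL ) {
			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
				matched_dn, NULL, refs, NULL );

		} else {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
		}

		LOCK_ID_FREE(bdb->bi_dbenv, locker);

		ber_bvarray_free( refs );
		free( matched_dn );

		return rc;
	}

	/* from here on the caller's DN is the entry's DN unless the root
	 * password matches below */
	ber_dupbv( edn, &e->e_name );

	/* check for deleted */
#ifdef BDB_SUBENTRIES
	if ( is_entry_subentry( e ) ) {
		/* entry is an subentry, don't allow bind */
#ifdef NEW_LOGGING
		LDAP_LOG ( OPERATION, DETAIL1, 
			"bdb_bind: entry is subentry\n", 0, 0, 0 );
#else
		Debug( LDAP_DEBUG_TRACE, "entry is subentry\n", 0,
			0, 0 );
#endif

		send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
			NULL, NULL, NULL, NULL );

		goto done;
	}
#endif

#ifdef BDB_ALIASES
	if ( is_entry_alias( e ) ) {
		/* entry is an alias, don't allow bind */
#ifdef NEW_LOGGING
		LDAP_LOG ( OPERATION, DETAIL1, "bdb_bind: entry is alias\n", 0, 0, 0 );
#else
		Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
			0, 0 );
#endif

		send_ldap_result( conn, op, rc = LDAP_ALIAS_PROBLEM,
			NULL, "entry is alias", NULL, NULL );

		goto done;
	}
#endif

	if ( is_entry_referral( e ) ) {
		/* entry is a referral, don't allow bind */
		BerVarray refs = get_entry_referrals( be,
			conn, op, e );

#ifdef NEW_LOGGING
		LDAP_LOG ( OPERATION, DETAIL1, 
			"bdb_bind: entry is referral\n", 0, 0, 0 );
#else
		Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
			0, 0 );
#endif

		if( refs != NULL ) {
			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
				e->e_dn, NULL, refs, NULL );

		} else {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
		}

		ber_bvarray_free( refs );

		goto done;
	}

	switch ( method ) {
	case LDAP_AUTH_SIMPLE:
		/* check for root dn/passwd */
		if ( be_isroot_pw( be, conn, ndn, cred ) ) {
			/* front end will send result; replace the entry DN copied
			 * above with the root DN (free(NULL) is a no-op) */
			free( edn->bv_val );
			ber_dupbv( edn, be_root_dn( be ) );
			rc = LDAP_SUCCESS;
			goto done;
		}

		/* the ACL check precedes the attribute lookup so that a client
		 * without auth access learns nothing about the password's presence */
		if ( ! access_allowed( be, conn, op, e,
			password, NULL, ACL_AUTH, NULL ) )
		{
			send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
			send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( slap_passwd_check( conn, a, cred ) != 0 ) {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		rc = 0;
		break;

#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
	case LDAP_AUTH_KRBV41:
		if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( ! access_allowed( be, conn, op, e,
			krbattr, NULL, ACL_AUTH, NULL ) )
		{
			send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		/* principal name as "name[.inst]@realm".  The components were
		 * decoded from the client-supplied ticket by krbv4_ldap_auth(),
		 * so the write is bounded and a name that does not fit is
		 * rejected instead of being truncated and matched against a
		 * shorter krbName. */
		{
			int len = snprintf( krbname, sizeof krbname, "%s%s%s@%s",
				ad.pname, *ad.pinst ? "." : "", ad.pinst, ad.prealm );

			if ( len < 0 || (size_t) len >= sizeof krbname ) {
				send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
					NULL, NULL, NULL, NULL );
				goto done;
			}
		}

		if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
			/*
			 * no krbname values present: check against DN
			 * (dn is a berval; compare its string value)
			 */
			if ( strcasecmp( dn->bv_val, krbname ) == 0 ) {
				rc = 0;
				break;
			}
			send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
				NULL, NULL, NULL, NULL );
			goto done;

		} else {	/* look for krbname match */
			struct berval	krbval;

			krbval.bv_val = krbname;
			krbval.bv_len = strlen( krbname );

			if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
				send_ldap_result( conn, op,
					rc = LDAP_INVALID_CREDENTIALS,
					NULL, NULL, NULL, NULL );
				goto done;
			}
		}
		rc = 0;
		break;

	case LDAP_AUTH_KRBV42:
		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
			NULL, "Kerberos bind step 2 not supported",
			NULL, NULL );
		goto done;
#endif

	default:
		send_ldap_result( conn, op, rc = LDAP_STRONG_AUTH_NOT_SUPPORTED,
			NULL, "authentication method not supported", NULL, NULL );
		goto done;
	}

done:
	/* free entry and reader lock */
	if( e != NULL ) {
		bdb_cache_return_entry_r( bdb->bi_dbenv, &bdb->bi_cache, e, &lock );
	}

	LOCK_ID_FREE(bdb->bi_dbenv, locker);

	/* front end with send result on success (rc==0) */
	return rc;
}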