Patch for ITS# 1643
1 /* bind.c - bdb backend bind routine */
2 /* $OpenLDAP$ */
3 /*
4  * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
6  */
7
8 #include "portable.h"
9
10 #include <stdio.h>
11 #include <ac/krb.h>
12 #include <ac/string.h>
13 #include <ac/unistd.h>
14
15 #include "back-bdb.h"
16 #include "external.h"
17
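/*
 * bdb_bind - authenticate a bind request against the bdb backend.
 *
 * be, conn, op : backend, connection and operation being served.
 * dn, ndn      : the bind DN as supplied and in normalized form.
 * method       : LDAP_AUTH_SIMPLE, or the Kerberos V4 methods when built
 *                with LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND.
 * cred         : credentials carried by the bind request.
 * edn (out)    : receives a copy of the DN the bind authenticated as
 *                (the entry's DN, or the rootdn when the rootpw matched).
 *
 * Returns 0 when the bind succeeded; the front end sends that result.
 * Any other value is an LDAP result code for which the result has
 * already been sent to the client from within this routine.
 */
int
bdb_bind(
	Backend		*be,
	Connection		*conn,
	Operation		*op,
	struct berval		*dn,
	struct berval		*ndn,
	int			method,
	struct berval	*cred,
	struct berval	*edn
)
{
	struct bdb_info *bdb = (struct bdb_info *) be->be_private;
	Entry		*e;
	Attribute	*a;
	int		rc;
	Entry		*matched;
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
	char		krbname[MAX_K_NAME_SZ + 1];
	int		krblen;
	AttributeDescription *krbattr = slap_schema.si_ad_krbName;
	AUTH_DAT	ad;
#endif

	AttributeDescription *password = slap_schema.si_ad_userPassword;

#ifdef NEW_LOGGING
	LDAP_LOG (( "bind", LDAP_LEVEL_ARGS, "==> bdb_bind: dn: %s\n", dn->bv_val ));
#else
	Debug( LDAP_DEBUG_ARGS, "==> bdb_bind: dn: %s\n", dn->bv_val, 0, 0);
#endif

	/* get entry (read-locked in the cache on success; see done:) */
	rc = bdb_dn2entry_r( be, NULL, ndn, &e, &matched, 0 );

	switch(rc) {
	case DB_NOTFOUND:
	case 0:
		break;
	case LDAP_BUSY:
		send_ldap_result( conn, op, LDAP_BUSY,
			NULL, "ldap server busy", NULL, NULL );
		return LDAP_BUSY;
	default:
		send_ldap_result( conn, op, rc=LDAP_OTHER,
			NULL, "internal error", NULL, NULL );
		return rc;
	}

	/* no such entry: rootdn, referral, or invalid credentials */
	if ( e == NULL ) {
		char *matched_dn = NULL;
		BerVarray refs;

		if( matched != NULL ) {
			matched_dn = ch_strdup( matched->e_dn );

			refs = is_entry_referral( matched )
				? get_entry_referrals( be, conn, op, matched )
				: NULL;

			/* the matched entry is only needed for its DN and referrals;
			 * release the reader lock before replying */
			bdb_cache_return_entry_r( &bdb->bi_cache, matched );
			matched = NULL;

		} else {
			refs = referral_rewrite( default_referral,
				NULL, dn, LDAP_SCOPE_DEFAULT );
		}

		/* allow noauth binds: every path below assigns rc */
		rc = 1;
		if ( method == LDAP_AUTH_SIMPLE ) {
			if ( be_isroot_pw( be, conn, ndn, cred ) ) {
				ber_dupbv( edn, be_root_dn( be ) );
				rc = LDAP_SUCCESS; /* front end will send result */

			} else if ( refs != NULL ) {
				send_ldap_result( conn, op, rc = LDAP_REFERRAL,
					matched_dn, NULL, refs, NULL );

			} else {
				send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
					NULL, NULL, NULL, NULL );
			}

		} else if ( refs != NULL ) {
			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
				matched_dn, NULL, refs, NULL );

		} else {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
		}

		ber_bvarray_free( refs );
		free( matched_dn );

		return rc;
	}

	/* tentatively report the entry's DN; replaced by the rootdn below
	 * if the rootpw matches */
	ber_dupbv( edn, &e->e_name );

	/* check for deleted */
#ifdef BDB_SUBENTRIES
	if ( is_entry_subentry( e ) ) {
		/* entry is an subentry, don't allow bind */
#ifdef NEW_LOGGING
		LDAP_LOG (( "bind", LDAP_LEVEL_DETAIL1, "bdb_bind: entry is subentry\n" ));
#else
		Debug( LDAP_DEBUG_TRACE, "entry is subentry\n", 0,
			0, 0 );
#endif

		send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
			NULL, NULL, NULL, NULL );

		goto done;
	}
#endif

#ifdef BDB_ALIASES
	if ( is_entry_alias( e ) ) {
		/* entry is an alias, don't allow bind */
#ifdef NEW_LOGGING
		LDAP_LOG (( "bind", LDAP_LEVEL_DETAIL1, "bdb_bind: entry is alias\n" ));
#else
		Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
			0, 0 );
#endif

		send_ldap_result( conn, op, rc = LDAP_ALIAS_PROBLEM,
			NULL, "entry is alias", NULL, NULL );

		goto done;
	}
#endif

	if ( is_entry_referral( e ) ) {
		/* entry is a referral, don't allow bind */
		BerVarray refs = get_entry_referrals( be,
			conn, op, e );

#ifdef NEW_LOGGING
		LDAP_LOG (( "bind", LDAP_LEVEL_DETAIL1, "bdb_bind: entry is referral\n" ));
#else
		Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
			0, 0 );
#endif

		if( refs != NULL ) {
			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
				e->e_dn, NULL, refs, NULL );

		} else {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
		}

		ber_bvarray_free( refs );

		goto done;
	}

	switch ( method ) {
	case LDAP_AUTH_SIMPLE:
		/* check for root dn/passwd */
		if ( be_isroot_pw( be, conn, ndn, cred ) ) {
			/* front end will send result; drop the entry DN copied
			 * above in favour of the rootdn */
			free( edn->bv_val );
			ber_dupbv( edn, be_root_dn( be ) );
			rc = LDAP_SUCCESS;
			goto done;
		}

		/* the binder needs auth access to userPassword before the
		 * attribute is even looked at */
		if ( ! access_allowed( be, conn, op, e,
			password, NULL, ACL_AUTH, NULL ) )
		{
			send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		/* NOTE: a missing userPassword and a wrong password yield
		 * different result codes, so a client can tell them apart */
		if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
			send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( slap_passwd_check( conn, a, cred ) != 0 ) {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		rc = 0;
		break;

#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
	case LDAP_AUTH_KRBV41:
		if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( ! access_allowed( be, conn, op, e,
			krbattr, NULL, ACL_AUTH, NULL ) )
		{
			send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		/* build "pname[.pinst]@prealm" into the fixed buffer; a
		 * principal that does not fit is rejected, never truncated */
		krblen = snprintf( krbname, sizeof krbname, "%s%s%s@%s",
			ad.pname, *ad.pinst ? "." : "", ad.pinst, ad.prealm );
		if ( krblen < 0 || (size_t) krblen >= sizeof krbname ) {
			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
				NULL, NULL, NULL, NULL );
			goto done;
		}

		if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
			/*
			 * no krbname values present: check against DN
			 * (dn is a berval; compare its string value)
			 */
			if ( strcasecmp( dn->bv_val, krbname ) == 0 ) {
				rc = 0;
				break;	/* leaves the switch */
			}
			send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
				NULL, NULL, NULL, NULL );
			goto done;

		} else {	/* look for krbname match */
			struct berval	krbval;

			krbval.bv_val = krbname;
			krbval.bv_len = (ber_len_t) krblen;

			if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
				send_ldap_result( conn, op,
					rc = LDAP_INVALID_CREDENTIALS,
					NULL, NULL, NULL, NULL );
				goto done;
			}
		}
		rc = 0;
		break;

	case LDAP_AUTH_KRBV42:
		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
			NULL, "Kerberos bind step 2 not supported",
			NULL, NULL );
		goto done;
#endif

	default:
		send_ldap_result( conn, op, rc = LDAP_STRONG_AUTH_NOT_SUPPORTED,
			NULL, "authentication method not supported", NULL, NULL );
		goto done;
	}

done:
	/* free entry and reader lock */
	if( e != NULL ) {
		bdb_cache_return_entry_r( &bdb->bi_cache, e );
	}

	/* front end with send result on success (rc==0) */
	return rc;
}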