git.sur5r.net Git - openldap/blob - servers/slapd/back-bdb2/bind.c

   1 /* bind.c - bdb2 backend bind and unbind routines */
   2
   3 #include "portable.h"
   4
   5 #include <stdio.h>
   6
   7 #include <ac/krb.h>
   8 #include <ac/socket.h>
   9 #include <ac/string.h>
  10 #include <ac/unistd.h>
  11
  12 #include "slap.h"
  13 #include "back-bdb2.h"
  14 #include "proto-back-bdb2.h"
  15
  16 #include <lutil.h>
  17
  18 #ifdef HAVE_KERBEROS
  19 extern int      bdb2i_krbv4_ldap_auth();
  20 #endif
  21
  22 static int
  23 crypted_value_find(
  24         struct berval       **vals,
  25         struct berval       *v,
  26         int                 syntax,
  27         int                 normalize,
  28         struct berval           *cred
  29 )
  30 {
  31         int     i;
  32         for ( i = 0; vals[i] != NULL; i++ ) {
  33                 if ( syntax != SYNTAX_BIN ) {
  34                         int result;
  35
  36 #ifdef SLAPD_CRYPT
  37                         ldap_pvt_thread_mutex_lock( &crypt_mutex );
  38 #endif
  39
  40                         result = lutil_passwd(
  41                                 (char*) cred->bv_val,
  42                                 (char*) vals[i]->bv_val,
  43                                 NULL );
  44
  45 #ifdef SLAPD_CRYPT
  46                         ldap_pvt_thread_mutex_unlock( &crypt_mutex );
  47 #endif
  48
  49                         return result;
  50
  51                 } else {
  52                 if ( value_cmp( vals[i], v, syntax, normalize ) == 0 ) {
  53                         return( 0 );
  54                 }
  55         }
  56         }
  57
  58         return( 1 );
  59 }
  60
  61 static int
  62 bdb2i_back_bind_internal(
  63     BackendDB           *be,
  64     Connection          *conn,
  65     Operation           *op,
  66     char                *dn,
  67     int                 method,
  68         char            *mech,
  69     struct berval       *cred,
  70         char**  edn
  71 )
  72 {
  73         struct ldbminfo *li = (struct ldbminfo *) be->be_private;
  74         Entry           *e;
  75         Attribute       *a;
  76         int             rc;
  77         char            *matched;
  78 #ifdef HAVE_KERBEROS
  79         char            krbname[MAX_K_NAME_SZ + 1];
  80         AUTH_DAT        ad;
  81 #endif
  82
  83         Debug(LDAP_DEBUG_ARGS, "==> bdb2_back_bind: dn: %s\n", dn, 0, 0);
  84
  85         *edn = NULL;
  86
  87         /* get entry with reader lock */
  88         if ( (e = bdb2i_dn2entry_r( be, dn, &matched )) == NULL ) {
  89                 /* allow noauth binds */
  90                 rc = 1;
  91                 if ( method == LDAP_AUTH_SIMPLE ) {
  92                         if( cred->bv_len == 0 ) {
  93                                 /* SUCCESS */
  94                                 send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
  95
  96                         } else if ( be_isroot_pw( be, dn, cred ) ) {
  97                                 /* front end will send result */
  98                                 *edn = ch_strdup( be_root_dn( be ) );
  99                                 rc = 0;
 100
 101                         } else {
 102                                 send_ldap_result( conn, op,
 103                                         LDAP_NO_SUCH_OBJECT, matched, NULL );
 104                         }
 105
 106                 } else if ( method == LDAP_AUTH_SASL ) {
 107                         if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") == 0 ) {
 108                                 /* insert DIGEST calls here */
 109                                 send_ldap_result( conn, op,
 110                                         LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL );
 111
 112                         } else {
 113                                 send_ldap_result( conn, op,
 114                                         LDAP_AUTH_METHOD_NOT_SUPPORTED, NULL, NULL );
 115                         }
 116
 117                 } else {
 118                         send_ldap_result( conn, op, LDAP_NO_SUCH_OBJECT, matched, NULL );
 119                         rc = 1;
 120                 }
 121                 if ( matched != NULL ) {
 122                         free( matched );
 123                 }
 124                 return( rc );
 125         }
 126
 127         *edn = ch_strdup( e->e_dn );
 128
 129         /* check for deleted */
 130
 131         if ( ! access_allowed( be, conn, op, e,
 132                 "entry", NULL, ACL_AUTH ) )
 133         {
 134                 send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
 135                 rc = 1;
 136                 goto return_results;
 137         }
 138
 139         switch ( method ) {
 140         case LDAP_AUTH_SIMPLE:
 141                 if ( cred->bv_len == 0 ) {
 142                         send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
 143
 144                         /* stop front end from sending result */
 145                         rc = 1;
 146                         goto return_results;
 147                 }
 148
 149                 /* check for root dn/passwd */
 150                 if ( be_isroot_pw( be, dn, cred ) ) {
 151                         /* front end will send result */
 152                         if( *edn != NULL ) free( *edn );
 153                         *edn = ch_strdup( be_root_dn( be ) );
 154                         rc = 0;
 155                         goto return_results;
 156                 }
 157
 158                 if ( ! access_allowed( be, conn, op, e,
 159                         "userpassword", NULL, ACL_AUTH ) )
 160                 {
 161                         send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
 162                         rc = 1;
 163                         goto return_results;
 164                 }
 165
 166                 if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
 167                         send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
 168                             NULL, NULL );
 169
 170                         /* stop front end from sending result */
 171                         rc = 1;
 172                         goto return_results;
 173                 }
 174
 175                 if ( crypted_value_find( a->a_vals, cred, a->a_syntax, 0, cred ) != 0 )
 176                 {
 177                         send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
 178                                 NULL, NULL );
 179                         /* stop front end from sending result */
 180                         rc = 1;
 181                         goto return_results;
 182                 }
 183                 rc = 0;
 184                 break;
 185
 186 #ifdef HAVE_KERBEROS
 187         case LDAP_AUTH_KRBV41:
 188                 if ( bdb2i_krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
 189                         send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
 190                             NULL, NULL );
 191                         rc = 1;
 192                         goto return_results;
 193                 }
 194
 195                 if ( ! access_allowed( be, conn, op, e,
 196                         "krbname", NULL, ACL_AUTH ) )
 197                 {
 198                         send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
 199                         rc = 1;
 200                         goto return_results;
 201                 }
 202
 203                 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
 204                     : "", ad.pinst, ad.prealm );
 205
 206                 if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
 207                         /*
 208                          * no krbName values present:  check against DN
 209                          */
 210                         if ( strcasecmp( dn, krbname ) == 0 ) {
 211                                 rc = 0; /* XXX wild ass guess */
 212                                 break;
 213                         }
 214                         send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
 215                             NULL, NULL );
 216                         rc = 1;
 217                         goto return_results;
 218                 } else {        /* look for krbName match */
 219                         struct berval   krbval;
 220
 221                         krbval.bv_val = krbname;
 222                         krbval.bv_len = strlen( krbname );
 223
 224                         if ( value_find( a->a_vals, &krbval, a->a_syntax, 3 ) != 0 ) {
 225                                 send_ldap_result( conn, op,
 226                                     LDAP_INVALID_CREDENTIALS, NULL, NULL );
 227                                 rc = 1;
 228                                 goto return_results;
 229                         }
 230                 }
 231                 rc = 0;
 232                 break;
 233
 234         case LDAP_AUTH_KRBV42:
 235                 send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
 236                 /* stop front end from sending result */
 237                 rc = 1;
 238                 goto return_results;
 239 #endif
 240
 241         case LDAP_AUTH_SASL:
 242                 /* insert sasl code here */
 243
 244         default:
 245                 send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
 246                     NULL, "auth method not supported" );
 247                 rc = 1;
 248                 goto return_results;
 249         }
 250
 251 return_results:;
 252         /* free entry and reader lock */
 253         bdb2i_cache_return_entry_r( &li->li_cache, e );
 254
 255         /* front end with send result on success (rc==0) */
 256         return( rc );
 257 }
 258
 259
 260 int
 261 bdb2_back_bind(
 262     BackendDB           *be,
 263     Connection          *conn,
 264     Operation           *op,
 265     char                *dn,
 266     int                 method,
 267         char            *mech,
 268     struct berval       *cred,
 269         char**  edn
 270 )
 271 {
 272         DB_LOCK         lock;
 273         struct ldbminfo *li = (struct ldbminfo *) be->be_private;
 274         struct timeval  time1;
 275         int             ret;
 276
 277         bdb2i_start_timing( be->bd_info, &time1 );
 278
 279         if ( bdb2i_enter_backend_r( &lock ) != 0 ) {
 280
 281                 send_ldap_result( conn, op, LDAP_OPERATIONS_ERROR, "", "" );
 282                 return( 1 );
 283
 284         }
 285
 286         ret = bdb2i_back_bind_internal( be, conn, op, dn, method, mech, cred, edn );
 287
 288         (void) bdb2i_leave_backend_r( lock );
 289
 290         bdb2i_stop_timing( be->bd_info, time1, "BIND", conn, op );
 291
 292         return( ret );
 293 }
 294
 295