1 /* bind.c - ldbm backend bind and unbind routines */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2004 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
22 #include <ac/socket.h>
23 #include <ac/string.h>
24 #include <ac/unistd.h>
27 #include "back-ldbm.h"
28 #include "proto-back-ldbm.h"
35 struct ldbminfo *li = (struct ldbminfo *) op->o_bd->be_private;
40 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
41 char krbname[MAX_K_NAME_SZ + 1];
42 AttributeDescription *krbattr = slap_schema.si_ad_krbName;
46 AttributeDescription *password = slap_schema.si_ad_userPassword;
49 LDAP_LOG( BACK_LDBM, ENTRY,
50 "ldbm_back_bind: dn: %s.\n", op->o_req_dn.bv_val, 0, 0 );
52 Debug(LDAP_DEBUG_ARGS,
53 "==> ldbm_back_bind: dn: %s\n", op->o_req_dn.bv_val, 0, 0);
56 if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE && be_isroot_pw( op ) ) {
57 ber_dupbv( &op->oq_bind.rb_edn, be_root_dn( op->o_bd ) );
58 /* front end will send result */
62 /* grab giant lock for reading */
63 ldap_pvt_thread_rdwr_rlock(&li->li_giant_rwlock);
65 /* get entry with reader lock */
66 if ( (e = dn2entry_r( op->o_bd, &op->o_req_ndn, &matched )) == NULL ) {
67 if( matched != NULL ) {
68 cache_return_entry_r( &li->li_cache, matched );
70 ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);
72 /* allow noauth binds */
74 rs->sr_err = LDAP_INVALID_CREDENTIALS;
75 send_ldap_result( op, rs );
79 /* check for deleted */
80 #ifdef LDBM_SUBENTRIES
81 if ( is_entry_subentry( e ) ) {
82 /* entry is an subentry, don't allow bind */
84 LDAP_LOG ( OPERATION, DETAIL1,
85 "bdb_bind: entry is subentry\n", 0, 0, 0 );
87 Debug( LDAP_DEBUG_TRACE,
88 "entry is subentry\n", 0, 0, 0 );
90 rc = LDAP_INVALID_CREDENTIALS;
95 if ( is_entry_alias( e ) ) {
96 /* entry is an alias, don't allow bind */
98 LDAP_LOG( BACK_LDBM, INFO,
99 "ldbm_back_bind: entry (%s) is an alias.\n",
100 e->e_name.bv_val, 0, 0 );
102 Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0, 0, 0 );
106 rc = LDAP_INVALID_CREDENTIALS;
108 rs->sr_text = "entry is alias";
109 rc = LDAP_ALIAS_PROBLEM;
114 if ( is_entry_referral( e ) ) {
115 /* entry is a referral, don't allow bind */
117 LDAP_LOG( BACK_LDBM, INFO,
118 "ldbm_back_bind: entry(%s) is a referral.\n", e->e_dn, 0, 0 );
120 Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0, 0, 0 );
123 rc = LDAP_INVALID_CREDENTIALS;
127 switch ( op->oq_bind.rb_method ) {
128 case LDAP_AUTH_SIMPLE:
129 if ( ! access_allowed( op, e,
130 password, NULL, ACL_AUTH, NULL ) )
133 rc = LDAP_INVALID_CREDENTIALS;
135 rc = LDAP_INSUFFICIENT_ACCESS;
140 if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
141 /* stop front end from sending result */
143 rc = LDAP_INVALID_CREDENTIALS;
145 rc = LDAP_INAPPROPRIATE_AUTH;
150 if ( slap_passwd_check( op->o_conn,
151 a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 )
153 /* stop front end from sending result */
154 rc = LDAP_INVALID_CREDENTIALS;
161 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
162 case LDAP_AUTH_KRBV41:
163 if ( krbv4_ldap_auth( op->o_bd, &op->oq_bind.rb_cred, &ad )
166 rc = LDAP_INVALID_CREDENTIALS;
170 if ( ! access_allowed( op, e,
171 krbattr, NULL, ACL_AUTH, NULL ) )
173 rc = LDAP_INSUFFICIENT_ACCESS;
177 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
178 : "", ad.pinst, ad.prealm );
180 if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
182 * no krbname values present: check against DN
184 if ( strcasecmp( op->o_req_dn.bv_val, krbname ) == 0 ) {
188 rc = LDAP_INAPPROPRIATE_AUTH;
191 } else { /* look for krbname match */
192 struct berval krbval;
194 krbval.bv_val = krbname;
195 krbval.bv_len = strlen( krbname );
197 if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
198 rc = LDAP_INVALID_CREDENTIALS;
207 assert( 0 ); /* should not be reachable */
208 rs->sr_text = "authentication method not supported";
209 rc = LDAP_STRONG_AUTH_NOT_SUPPORTED;
213 ber_dupbv( &op->oq_bind.rb_edn, &e->e_name );
216 /* free entry and reader lock */
217 cache_return_entry_r( &li->li_cache, e );
218 ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);
222 send_ldap_result( op, rs );
224 ber_bvarray_free( rs->sr_ref );
229 /* front end will send result on success (rc==0) */