git.sur5r.net Git - openldap/blob - servers/slapd/back-ldbm/bind.c

   1 /* bind.c - ldbm backend bind and unbind routines */
   2 /* $OpenLDAP$ */
   3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   4  *
   5  * Copyright 1998-2004 The OpenLDAP Foundation.
   6  * All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted only as authorized by the OpenLDAP
  10  * Public License.
  11  *
  12  * A copy of this license is available in the file LICENSE in the
  13  * top-level directory of the distribution or, alternatively, at
  14  * <http://www.OpenLDAP.org/license.html>.
  15  */
  16
  17 #include "portable.h"
  18
  19 #include <stdio.h>
  20
  21 #include <ac/krb.h>
  22 #include <ac/socket.h>
  23 #include <ac/string.h>
  24 #include <ac/unistd.h>
  25
  26 #include "slap.h"
  27 #include "back-ldbm.h"
  28 #include "proto-back-ldbm.h"
  29
  30 int
  31 ldbm_back_bind(
  32     Operation           *op,
  33     SlapReply           *rs )
  34 {
  35         struct ldbminfo *li = (struct ldbminfo *) op->o_bd->be_private;
  36         Entry           *e;
  37         Attribute       *a;
  38         int             rc;
  39         Entry           *matched;
  40 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
  41         char            krbname[MAX_K_NAME_SZ + 1];
  42         AttributeDescription *krbattr = slap_schema.si_ad_krbName;
  43         AUTH_DAT        ad;
  44 #endif
  45
  46         AttributeDescription *password = slap_schema.si_ad_userPassword;
  47
  48 #ifdef NEW_LOGGING
  49         LDAP_LOG( BACK_LDBM, ENTRY,
  50                 "ldbm_back_bind: dn: %s.\n", op->o_req_dn.bv_val, 0, 0 );
  51 #else
  52         Debug(LDAP_DEBUG_ARGS,
  53                 "==> ldbm_back_bind: dn: %s\n", op->o_req_dn.bv_val, 0, 0);
  54 #endif
  55
  56         if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE && be_isroot_pw( op ) ) {
  57                 ber_dupbv( &op->oq_bind.rb_edn, be_root_dn( op->o_bd ) );
  58                 /* front end will send result */
  59                 return LDAP_SUCCESS;
  60         }
  61
  62         /* grab giant lock for reading */
  63         ldap_pvt_thread_rdwr_rlock(&li->li_giant_rwlock);
  64
  65         /* get entry with reader lock */
  66         if ( (e = dn2entry_r( op->o_bd, &op->o_req_ndn, &matched )) == NULL ) {
  67                 if( matched != NULL ) {
  68                         cache_return_entry_r( &li->li_cache, matched );
  69                 }
  70                 ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);
  71
  72                 /* allow noauth binds */
  73                 rc = 1;
  74                 rs->sr_err = LDAP_INVALID_CREDENTIALS;
  75                 send_ldap_result( op, rs );
  76                 return rs->sr_err;
  77         }
  78
  79         /* check for deleted */
  80 #ifdef LDBM_SUBENTRIES
  81         if ( is_entry_subentry( e ) ) {
  82                 /* entry is an subentry, don't allow bind */
  83 #ifdef NEW_LOGGING
  84                 LDAP_LOG ( OPERATION, DETAIL1,
  85                                 "bdb_bind: entry is subentry\n", 0, 0, 0 );
  86 #else
  87                 Debug( LDAP_DEBUG_TRACE,
  88                                 "entry is subentry\n", 0, 0, 0 );
  89 #endif
  90                 rc = LDAP_INVALID_CREDENTIALS;
  91                 goto return_results;
  92         }
  93 #endif
  94
  95         if ( is_entry_alias( e ) ) {
  96                 /* entry is an alias, don't allow bind */
  97 #ifdef NEW_LOGGING
  98                 LDAP_LOG( BACK_LDBM, INFO,
  99                         "ldbm_back_bind: entry (%s) is an alias.\n",
 100                         e->e_name.bv_val, 0, 0 );
 101 #else
 102                 Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0, 0, 0 );
 103 #endif
 104
 105 #if 1
 106                 rc = LDAP_INVALID_CREDENTIALS;
 107 #else
 108                 rs->sr_text = "entry is alias";
 109                 rc = LDAP_ALIAS_PROBLEM;
 110 #endif
 111                 goto return_results;
 112         }
 113
 114         if ( is_entry_referral( e ) ) {
 115                 /* entry is a referral, don't allow bind */
 116 #ifdef NEW_LOGGING
 117                 LDAP_LOG( BACK_LDBM, INFO,
 118                         "ldbm_back_bind: entry(%s) is a referral.\n", e->e_dn, 0, 0 );
 119 #else
 120                 Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0, 0, 0 );
 121 #endif
 122
 123                 rc = LDAP_INVALID_CREDENTIALS;
 124                 goto return_results;
 125         }
 126
 127         switch ( op->oq_bind.rb_method ) {
 128         case LDAP_AUTH_SIMPLE:
 129                 if ( ! access_allowed( op, e,
 130                         password, NULL, ACL_AUTH, NULL ) )
 131                 {
 132 #if 1
 133                         rc = LDAP_INVALID_CREDENTIALS;
 134 #else
 135                         rc = LDAP_INSUFFICIENT_ACCESS;
 136 #endif
 137                         goto return_results;
 138                 }
 139
 140                 if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
 141                         /* stop front end from sending result */
 142 #if 1
 143                         rc = LDAP_INVALID_CREDENTIALS;
 144 #else
 145                         rc = LDAP_INAPPROPRIATE_AUTH;
 146 #endif
 147                         goto return_results;
 148                 }
 149
 150                 if ( slap_passwd_check( op->o_conn,
 151                         a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 )
 152                 {
 153                         /* stop front end from sending result */
 154                         rc = LDAP_INVALID_CREDENTIALS;
 155                         goto return_results;
 156                 }
 157
 158                 rc = 0;
 159                 break;
 160
 161 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
 162         case LDAP_AUTH_KRBV41:
 163                 if ( krbv4_ldap_auth( op->o_bd, &op->oq_bind.rb_cred, &ad )
 164                         != LDAP_SUCCESS )
 165                 {
 166                         rc = LDAP_INVALID_CREDENTIALS;
 167                         goto return_results;
 168                 }
 169
 170                 if ( ! access_allowed( op, e,
 171                         krbattr, NULL, ACL_AUTH, NULL ) )
 172                 {
 173                         rc = LDAP_INSUFFICIENT_ACCESS;
 174                         goto return_results;
 175                 }
 176
 177                 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
 178                     : "", ad.pinst, ad.prealm );
 179
 180                 if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
 181                         /*
 182                          * no krbname values present:  check against DN
 183                          */
 184                         if ( strcasecmp( op->o_req_dn.bv_val, krbname ) == 0 ) {
 185                                 rc = 0;
 186                                 break;
 187                         }
 188                         rc = LDAP_INAPPROPRIATE_AUTH;
 189                         goto return_results;
 190
 191                 } else {        /* look for krbname match */
 192                         struct berval   krbval;
 193
 194                         krbval.bv_val = krbname;
 195                         krbval.bv_len = strlen( krbname );
 196
 197                         if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
 198                                 rc = LDAP_INVALID_CREDENTIALS;
 199                                 goto return_results;
 200                         }
 201                 }
 202                 rc = 0;
 203                 break;
 204 #endif
 205
 206         default:
 207                 assert( 0 ); /* should not be reachable */
 208                 rs->sr_text = "authentication method not supported";
 209                 rc = LDAP_STRONG_AUTH_NOT_SUPPORTED;
 210                 goto return_results;
 211         }
 212
 213         ber_dupbv( &op->oq_bind.rb_edn, &e->e_name );
 214
 215 return_results:;
 216         /* free entry and reader lock */
 217         cache_return_entry_r( &li->li_cache, e );
 218         ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);
 219
 220         if ( rc ) {
 221                 rs->sr_err = rc;
 222                 send_ldap_result( op, rs );
 223                 if ( rs->sr_ref ) {
 224                         ber_bvarray_free( rs->sr_ref );
 225                         rs->sr_ref = NULL;
 226                 }
 227         }
 228
 229         /* front end will send result on success (rc==0) */
 230         return( rc );
 231 }
 232