git.sur5r.net Git - openldap/blob - servers/slapd/back-ldbm/bind.c

   1 /* bind.c - ldbm backend bind and unbind routines */
   2
   3 #include "portable.h"
   4
   5 #include <stdio.h>
   6
   7 #include <ac/krb.h>
   8 #include <ac/socket.h>
   9 #include <ac/string.h>
  10 #include <ac/unistd.h>
  11
  12 #include "slap.h"
  13 #include "back-ldbm.h"
  14 #include "proto-back-ldbm.h"
  15
  16 #include <lutil.h>
  17
  18 #ifdef HAVE_KERBEROS
  19 extern int      krbv4_ldap_auth();
  20 #endif
  21
  22 static int
  23 crypted_value_find(
  24         struct berval       **vals,
  25         struct berval       *v,
  26         int                 syntax,
  27         int                 normalize,
  28         struct berval           *cred
  29 )
  30 {
  31         int     i;
  32         for ( i = 0; vals[i] != NULL; i++ ) {
  33                 if ( syntax != SYNTAX_BIN ) {
  34                         int result;
  35
  36 #ifdef SLAPD_CRYPT
  37                         pthread_mutex_lock( &crypt_mutex );
  38 #endif
  39
  40                         result = lutil_passwd(
  41                                 (char*) cred->bv_val,
  42                                 (char*) vals[i]->bv_val);
  43
  44 #ifdef SLAPD_CRYPT
  45                         pthread_mutex_unlock( &crypt_mutex );
  46 #endif
  47
  48                         return result;
  49
  50                 } else {
  51                 if ( value_cmp( vals[i], v, syntax, normalize ) == 0 ) {
  52                         return( 0 );
  53                 }
  54         }
  55         }
  56
  57         return( 1 );
  58 }
  59
  60 int
  61 ldbm_back_bind(
  62     Backend             *be,
  63     Connection          *conn,
  64     Operation           *op,
  65     char                *dn,
  66     int                 method,
  67     struct berval       *cred
  68 )
  69 {
  70         struct ldbminfo *li = (struct ldbminfo *) be->be_private;
  71         Entry           *e;
  72         Attribute       *a;
  73         int             rc;
  74         char            *matched;
  75 #ifdef HAVE_KERBEROS
  76         char            krbname[MAX_K_NAME_SZ + 1];
  77         AUTH_DAT        ad;
  78 #endif
  79
  80         Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_bind: dn: %s\n", dn, 0, 0);
  81
  82         /* get entry with reader lock */
  83         if ( (e = dn2entry_r( be, dn, &matched )) == NULL ) {
  84                 /* allow noauth binds */
  85                 if ( method == LDAP_AUTH_SIMPLE && cred->bv_len == 0 ) {
  86                         /*
  87                          * bind successful, but return 1 so we don't
  88                          * authorize based on noauth credentials
  89                          */
  90                         send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
  91                         rc = 1;
  92                 } else if ( be_isroot_pw( be, dn, cred ) ) {
  93                         /* front end will send result */
  94                         rc = 0;
  95                 } else {
  96                         send_ldap_result( conn, op, LDAP_NO_SUCH_OBJECT, matched, NULL );
  97                         rc = 1;
  98                 }
  99                 if ( matched != NULL ) {
 100                         free( matched );
 101                 }
 102                 return( rc );
 103         }
 104
 105         /* check for deleted */
 106
 107         switch ( method ) {
 108         case LDAP_AUTH_SIMPLE:
 109                 if ( cred->bv_len == 0 ) {
 110                         send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
 111
 112                         /* stop front end from sending result */
 113                         rc = 1;
 114                         goto return_results;
 115                 } else if ( be_isroot_pw( be, dn, cred ) ) {
 116                         /* front end will send result */
 117                         rc = 0;
 118                         goto return_results;
 119                 }
 120
 121                 if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
 122                         if ( be_isroot_pw( be, dn, cred ) ) {
 123                                 /* front end will send result */
 124                                 rc = 0;
 125                                 goto return_results;
 126                         }
 127                         send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
 128                             NULL, NULL );
 129                         rc = 1;
 130                         goto return_results;
 131                 }
 132
 133 #ifdef SLAPD_CRYPT
 134                 if ( crypted_value_find( a->a_vals, cred, a->a_syntax, 0, cred ) != 0 )
 135 #else
 136                 if ( value_find( a->a_vals, cred, a->a_syntax, 0 ) != 0 )
 137 #endif
 138                 {
 139                         if ( be_isroot_pw( be, dn, cred ) ) {
 140                                 /* front end will send result */
 141                                 rc = 0;
 142                                 goto return_results;
 143                         }
 144                         send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
 145                                 NULL, NULL );
 146                         rc = 1;
 147                         goto return_results;
 148                 }
 149                 rc = 0;
 150                 break;
 151
 152 #ifdef HAVE_KERBEROS
 153         case LDAP_AUTH_KRBV41:
 154                 if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
 155                         send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
 156                             NULL, NULL );
 157                         rc = 0;
 158                         goto return_results;
 159                 }
 160                 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
 161                     : "", ad.pinst, ad.prealm );
 162                 if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
 163                         /*
 164                          * no krbName values present:  check against DN
 165                          */
 166                         if ( strcasecmp( dn, krbname ) == 0 ) {
 167                                 rc = 0; /* XXX wild ass guess */
 168                                 break;
 169                         }
 170                         send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
 171                             NULL, NULL );
 172                         rc = 1;
 173                         goto return_results;
 174                 } else {        /* look for krbName match */
 175                         struct berval   krbval;
 176
 177                         krbval.bv_val = krbname;
 178                         krbval.bv_len = strlen( krbname );
 179
 180                         if ( value_find( a->a_vals, &krbval, a->a_syntax, 3 ) != 0 ) {
 181                                 send_ldap_result( conn, op,
 182                                     LDAP_INVALID_CREDENTIALS, NULL, NULL );
 183                                 rc = 1;
 184                                 goto return_results;
 185                         }
 186                 }
 187                 rc = 0;
 188                 break;
 189
 190         case LDAP_AUTH_KRBV42:
 191                 send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
 192                 /* stop front end from sending result */
 193                 rc = 1;
 194                 goto return_results;
 195 #endif
 196
 197         default:
 198                 send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
 199                     NULL, "auth method not supported" );
 200                 rc = 1;
 201                 goto return_results;
 202         }
 203
 204 return_results:;
 205         /* free entry and reader lock */
 206         cache_return_entry_r( &li->li_cache, e );
 207
 208         /* front end with send result on success (rc==0) */
 209         return( rc );
 210 }
 211