1 /* bind.c - ldbm backend bind and unbind routines */
6 #include <sys/socket.h>
14 /* change for crypted passwords -- lukeh */
16 extern char *crypt (char *key, char *salt);
20 #endif /* LDAP_CRYPT */
24 #endif /* LDAP_SHA1 */
26 #include <lutil_md5.h>
31 extern Entry *dn2entry();
32 extern Attribute *attr_find();
35 extern int krbv4_ldap_auth();
39 pthread_mutex_t crypt_mutex;
51 for ( i = 0; vals[i] != NULL; i++ ) {
52 if ( syntax != SYNTAX_BIN && strncasecmp( "{CRYPT}",
53 vals[i]->bv_val, (sizeof("{CRYPT}") - 1 ) ) == 0 ) {
54 char *userpassword = vals[i]->bv_val + sizeof("{CRYPT}") - 1;
55 pthread_mutex_lock( &crypt_mutex );
56 if (strcmp(userpassword, crypt(cred->bv_val,
57 userpassword)) == 0) {
58 pthread_mutex_unlock( &crypt_mutex );
61 pthread_mutex_unlock( &crypt_mutex );
63 } else if ( syntax != SYNTAX_BIN && strncasecmp( "{MD5}",
64 vals[i]->bv_val, (sizeof("{MD5}") - 1 ) ) == 0 ) {
66 unsigned char MD5digest[20];
67 char base64digest[29]; /* ceiling(sizeof(input)/3) * 4 + 1 */
69 char *userpassword = vals[i]->bv_val + sizeof("{MD5}") - 1;
72 MD5Update(&MD5context, cred->bv_val, strlen(cred->bv_val));
73 MD5Final(MD5digest, &MD5context);
75 if (b64_ntop(MD5digest, sizeof(MD5digest),
76 base64digest, sizeof(base64digest)) < 0)
81 if (strcmp(userpassword, base64digest) == 0) {
86 } else if ( syntax != SYNTAX_BIN && strncasecmp( "{SHA}",
87 vals[i]->bv_val, (sizeof("{SHA}") - 1 ) ) == 0 ) {
89 unsigned char SHA1digest[20];
90 char base64digest[29]; /* ceiling(sizeof(input)/3) * 4 + 1 */
92 char *userpassword = vals[i]->bv_val + sizeof("{SHA}") - 1;
94 SHA1Init(&SHA1context);
95 SHA1Update(&SHA1context, cred->bv_val, strlen(cred->bv_val));
96 SHA1Final(SHA1digest, &SHA1context);
98 if (b64_ntop(SHA1digest, sizeof(SHA1digest),
99 base64digest, sizeof(base64digest)) < 0)
104 if (strcmp(userpassword, base64digest) == 0) {
107 #endif /* LDAP_SHA1 */
109 if ( value_cmp( vals[i], v, syntax, normalize ) == 0 ) {
117 #endif /* LDAP_CRYPT */
129 struct ldbminfo *li = (struct ldbminfo *) be->be_private;
133 char *matched = NULL;
135 char krbname[MAX_K_NAME_SZ + 1];
139 if ( (e = dn2entry( be, dn, &matched )) == NULL ) {
140 /* allow noauth binds */
141 if ( method == LDAP_AUTH_SIMPLE && cred->bv_len == 0 ) {
143 * bind successful, but return 1 so we don't
144 * authorize based on noauth credentials
146 send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
148 } else if ( be_isroot_pw( be, dn, cred ) ) {
149 /* front end will send result */
152 send_ldap_result( conn, op, LDAP_NO_SUCH_OBJECT,
156 if ( matched != NULL ) {
163 case LDAP_AUTH_SIMPLE:
164 if ( cred->bv_len == 0 ) {
165 send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
167 } else if ( be_isroot_pw( be, dn, cred ) ) {
168 /* front end will send result */
172 if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
173 if ( be_isroot_pw( be, dn, cred ) ) {
174 /* front end will send result */
177 send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
179 cache_return_entry( &li->li_cache, e );
184 if ( crypted_value_find( a->a_vals, cred, a->a_syntax, 0, cred ) != 0 )
186 if ( value_find( a->a_vals, cred, a->a_syntax, 0 ) != 0 )
189 if ( be_isroot_pw( be, dn, cred ) ) {
190 /* front end will send result */
193 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
195 cache_return_entry( &li->li_cache, e );
201 case LDAP_AUTH_KRBV41:
202 if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
203 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
205 cache_return_entry( &li->li_cache, e );
208 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
209 : "", ad.pinst, ad.prealm );
210 if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
212 * no krbName values present: check against DN
214 if ( strcasecmp( dn, krbname ) == 0 ) {
217 send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
219 cache_return_entry( &li->li_cache, e );
221 } else { /* look for krbName match */
222 struct berval krbval;
224 krbval.bv_val = krbname;
225 krbval.bv_len = strlen( krbname );
227 if ( value_find( a->a_vals, &krbval, a->a_syntax, 3 )
229 send_ldap_result( conn, op,
230 LDAP_INVALID_CREDENTIALS, NULL, NULL );
231 cache_return_entry( &li->li_cache, e );
237 case LDAP_AUTH_KRBV42:
238 send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
239 cache_return_entry( &li->li_cache, e );
244 send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
245 NULL, "auth method not supported" );
246 cache_return_entry( &li->li_cache, e );
250 cache_return_entry( &li->li_cache, e );
252 /* success: front end will send result */