1 /* bind.c - ldbm backend bind and unbind routines */
2
3 #include <stdio.h>
4 #include <string.h>
5 #include <sys/types.h>
6 #include <sys/socket.h>
7 #include "slap.h"
8 #include "back-ldbm.h"
9 #ifdef KERBEROS
10 #include "krb.h"
11 #endif
12
/*
 * Unprototyped (K&R-style) declarations: the compiler cannot check the
 * number or types of the arguments passed at the call sites below, so
 * those calls have to be kept in step with the definitions elsewhere in
 * slapd by hand.
 */
extern Entry            *dn2entry();
extern Attribute        *attr_find();

#ifdef KERBEROS
extern int      krbv4_ldap_auth();
#endif
19
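/*
 * ldbm_back_bind - authenticate a bind request against the ldbm backend.
 *
 * be      backend being bound to; be->be_private is its struct ldbminfo
 * conn    connection the request arrived on
 * op      the bind operation (used when sending a result from here)
 * dn      bind DN as supplied by the client
 * method  LDAP_AUTH_SIMPLE, or LDAP_AUTH_KRBV41 / LDAP_AUTH_KRBV42 when
 *         built with KERBEROS
 * cred    the credentials: the simple password, or the Kerberos ticket
 *
 * Returns 0 when the bind authenticated and the front end is to send the
 * result (and authorize the connection as dn).  Returns 1 when a result
 * has already been sent from here; the front end then does not authorize
 * the connection as dn, which is what keeps the "success but anonymous"
 * cases below from granting anything.
 *
 * Review notes:
 *  - A missing entry is answered with noSuchObject (plus the matched DN)
 *    while a wrong password is answered with invalidCredentials, so an
 *    unauthenticated client can tell whether a DN exists.  Behaviour is
 *    left unchanged here, but it deserves a deliberate decision.
 *  - Simple binds compare the password as a plain attribute value with
 *    value_find() under the attribute's own syntax: no hashed-password
 *    handling in this routine, and the comparison is not constant-time.
 *  - Every exit after the entry has been fetched now goes through
 *    return_results so the cache reference is always given back; the
 *    earlier early returns leaked it.
 */
int
ldbm_back_bind(
    Backend		*be,
    Connection		*conn,
    Operation		*op,
    char		*dn,
    int			method,
    struct berval	*cred
)
{
	struct ldbminfo	*li = (struct ldbminfo *) be->be_private;
	Entry		*e;
	Attribute	*a;
	int		rc;
	char		*matched = NULL;
#ifdef KERBEROS
	char		krbname[MAX_K_NAME_SZ + 1];
	AUTH_DAT	ad;
#endif

	e = dn2entry( be, dn, &matched );
	if ( e == NULL ) {
		/* no such entry: only a noauth bind or the rootdn can get through */
		if ( method == LDAP_AUTH_SIMPLE && cred->bv_len == 0 ) {
			/*
			 * bind successful, but return 1 so we don't
			 * authorize based on noauth credentials
			 */
			send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
			rc = 1;
		} else if ( be_isroot_pw( be, dn, cred ) ) {
			/* rootdn with the right password; front end will send result */
			rc = 0;
		} else {
			/* reveals that dn does not exist -- see the review note above */
			send_ldap_result( conn, op, LDAP_NO_SUCH_OBJECT,
			    matched, NULL );
			rc = 1;
		}
		if ( matched != NULL ) {
			free( matched );
		}
		return( rc );
	}

	/*
	 * From here on e is a cache reference and must be handed back with
	 * cache_return_entry() on every exit, so all exits go through
	 * return_results below.  rc defaults to 1: "result already sent,
	 * do not authorize as dn".
	 */
	rc = 1;

	switch ( method ) {
	case LDAP_AUTH_SIMPLE:
		if ( cred->bv_len == 0 ) {
			/* noauth bind against an existing dn: success, but not authorized */
			send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
			goto return_results;
		}
		if ( be_isroot_pw( be, dn, cred ) ) {
			/* front end will send result */
			rc = 0;
			goto return_results;
		}

		/*
		 * Not the rootdn.  be_isroot_pw() was just evaluated with these
		 * same arguments, so the failure paths below do not test it again.
		 */
		a = attr_find( e->e_attrs, "userpassword" );
		if ( a == NULL ) {
			send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
			    NULL, NULL );
			goto return_results;
		}

		/*
		 * Plain value comparison under the attribute's syntax.  The last
		 * argument is presumably a normalization flag (0 here, 3 for the
		 * krbName match below) -- verify against value_find().  If the
		 * schema gives userpassword a case-insensitive syntax, password
		 * matching becomes case-insensitive as well.
		 */
		if ( value_find( a->a_vals, cred, a->a_syntax, 0 ) != 0 ) {
			send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
			    NULL, NULL );
			goto return_results;
		}
		break;

#ifdef KERBEROS
	case LDAP_AUTH_KRBV41:
		if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
			send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
			    NULL, NULL );
			goto return_results;
		}

		/*
		 * Assemble "name[.inst]@realm" from the ticket.  The pieces come
		 * from the Kerberos library; check that they fit in krbname
		 * before formatting rather than trusting an unchecked sprintf().
		 */
		{
			size_t	need = strlen( ad.pname ) + 1 + strlen( ad.prealm );

			if ( *ad.pinst ) {
				need += 1 + strlen( ad.pinst );	/* '.' + instance */
			}
			if ( need >= sizeof( krbname ) ) {
				send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
				    NULL, NULL );
				goto return_results;
			}
		}
		sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
		    : "", ad.pinst, ad.prealm );

		a = attr_find( e->e_attrs, "krbname" );
		if ( a == NULL ) {
			/*
			 * no krbName values present:  the principal has to match
			 * the bind dn itself (compared case-insensitively)
			 */
			if ( strcasecmp( dn, krbname ) != 0 ) {
				send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
				    NULL, NULL );
				goto return_results;
			}
		} else {
			/* look for a krbName value equal to the principal */
			struct berval	krbval;

			krbval.bv_val = krbname;
			krbval.bv_len = strlen( krbname );

			if ( value_find( a->a_vals, &krbval, a->a_syntax, 3 )
			    != 0 ) {
				send_ldap_result( conn, op,
				    LDAP_INVALID_CREDENTIALS, NULL, NULL );
				goto return_results;
			}
		}
		break;

	case LDAP_AUTH_KRBV42:
		/*
		 * Nothing is verified here: the client gets LDAP_SUCCESS, but rc
		 * stays 1 so the front end does not authorize the connection as
		 * dn (same treatment as a noauth bind).  NOTE(review): confirm
		 * this is the intended handling of the KRBV42 step.
		 */
		send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
		goto return_results;
#endif

	default:
		send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
		    NULL, "auth method not supported" );
		goto return_results;
	}

	/* authenticated as dn:  front end will send result */
	rc = 0;

return_results:
	cache_return_entry( &li->li_cache, e );
	return( rc );
}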