1 /* bind.c - ldbm backend bind and unbind routines */
6 #include <sys/socket.h>
14 /* change for crypted passwords -- lukeh */
16 extern char *crypt (char *key, char *salt);
20 #endif /* LDAP_CRYPT */
/*
 * Helpers implemented elsewhere in the ldbm backend.  They are declared
 * old-style, without parameter lists, so the compiler cannot check the
 * argument types at the call sites in ldbm_back_bind() below; the calls
 * there pass (be, dn, &matched), (e->e_attrs, "<attribute type>") and
 * (be, cred, &ad) respectively.
 */
22 extern Entry *dn2entry();     /* entry for a DN, or NULL; on NULL the caller inspects the third (matched) argument */
23 extern Attribute *attr_find();  /* attribute of the given type in an entry's e_attrs list, or NULL if absent */
26 extern int krbv4_ldap_auth();   /* Kerberos v4 credential check; returns an LDAP result code (LDAP_SUCCESS on success) and fills the caller's ad with pname/pinst/prealm */
/*
 * Serializes calls to crypt(3): crypted_value_find() holds this lock across
 * the crypt() call when comparing a {CRYPT}-prefixed userpassword value.
 * POSIX does not require crypt() to be thread-safe (it may return a pointer
 * to static storage), hence the lock.  NOTE(review): this is a plain
 * definition with no PTHREAD_MUTEX_INITIALIZER; confirm it is initialized
 * (pthread_mutex_init) before the first bind is processed.
 */
30 pthread_mutex_t crypt_mutex;
42 for ( i = 0; vals[i] != NULL; i++ ) {
43 if ( syntax != SYNTAX_BIN &&
44 strncasecmp( "{CRYPT}", vals[i]->bv_val, (sizeof("{CRYPT}") - 1 ) ) == 0 ) {
45 char *userpassword = vals[i]->bv_val + sizeof("{CRYPT}") - 1;
46 pthread_mutex_lock( &crypt_mutex );
47 if ( ( !strcmp( userpassword, crypt( cred->bv_val, userpassword ) ) != 0 ) ) {
48 pthread_mutex_unlock( &crypt_mutex );
51 pthread_mutex_unlock( &crypt_mutex );
53 if ( value_cmp( vals[i], v, syntax, normalize ) == 0 ) {
61 #endif /* LDAP_CRYPT */
73 struct ldbminfo *li = (struct ldbminfo *) be->be_private;
79 char krbname[MAX_K_NAME_SZ + 1];
83 if ( (e = dn2entry( be, dn, &matched )) == NULL ) {
84 /* allow noauth binds */
85 if ( method == LDAP_AUTH_SIMPLE && cred->bv_len == 0 ) {
87 * bind successful, but return 1 so we don't
88 * authorize based on noauth credentials
90 send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
92 } else if ( be_isroot_pw( be, dn, cred ) ) {
93 /* front end will send result */
96 send_ldap_result( conn, op, LDAP_NO_SUCH_OBJECT,
100 if ( matched != NULL ) {
107 case LDAP_AUTH_SIMPLE:
108 if ( cred->bv_len == 0 ) {
109 send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
111 } else if ( be_isroot_pw( be, dn, cred ) ) {
112 /* front end will send result */
116 if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
117 if ( be_isroot_pw( be, dn, cred ) ) {
118 /* front end will send result */
121 send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
123 cache_return_entry( &li->li_cache, e );
128 if ( crypted_value_find( a->a_vals, cred, a->a_syntax, 0, cred ) != 0 )
130 if ( value_find( a->a_vals, cred, a->a_syntax, 0 ) != 0 )
133 if ( be_isroot_pw( be, dn, cred ) ) {
134 /* front end will send result */
137 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
139 cache_return_entry( &li->li_cache, e );
145 case LDAP_AUTH_KRBV41:
146 if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
147 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
149 cache_return_entry( &li->li_cache, e );
152 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
153 : "", ad.pinst, ad.prealm );
154 if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
156 * no krbName values present: check against DN
158 if ( strcasecmp( dn, krbname ) == 0 ) {
161 send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
163 cache_return_entry( &li->li_cache, e );
165 } else { /* look for krbName match */
166 struct berval krbval;
168 krbval.bv_val = krbname;
169 krbval.bv_len = strlen( krbname );
171 if ( value_find( a->a_vals, &krbval, a->a_syntax, 3 )
173 send_ldap_result( conn, op,
174 LDAP_INVALID_CREDENTIALS, NULL, NULL );
175 cache_return_entry( &li->li_cache, e );
181 case LDAP_AUTH_KRBV42:
182 send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
183 cache_return_entry( &li->li_cache, e );
188 send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
189 NULL, "auth method not supported" );
190 cache_return_entry( &li->li_cache, e );
194 cache_return_entry( &li->li_cache, e );
196 /* success: front end will send result */