git.sur5r.net Git - openldap/blob - servers/slapd/back-ldbm/bind.c

   1 /* bind.c - ldbm backend bind and unbind routines */
   2
   3 #include <stdio.h>
   4 #include <string.h>
   5 #include <sys/types.h>
   6 #include <sys/socket.h>
   7 #include "slap.h"
   8 #include "back-ldbm.h"
   9 #ifdef KERBEROS
  10 #include "krb.h"
  11 #endif
  12
  13 #ifdef LDAP_CRYPT
  14 /* change for crypted passwords -- lukeh */
  15 #ifdef __NeXT__
  16 extern char *crypt (char *key, char *salt);
  17 #else
  18 #include <unistd.h>
  19 #endif
  20 #endif /* LDAP_CRYPT */
  21
  22 extern Entry            *dn2entry();
  23 extern Attribute        *attr_find();
  24
  25 #ifdef KERBEROS
  26 extern int      krbv4_ldap_auth();
  27 #endif
  28
  29 #ifdef LDAP_CRYPT
  30 pthread_mutex_t crypt_mutex;
  31
  32 static int
  33 crypted_value_find(
  34         struct berval       **vals,
  35         struct berval       *v,
  36         int                 syntax,
  37         int                 normalize,
  38         struct berval           *cred
  39 )
  40 {
  41         int     i;
  42         for ( i = 0; vals[i] != NULL; i++ ) {
  43                 if ( syntax != SYNTAX_BIN &&
  44                         strncasecmp( "{CRYPT}", vals[i]->bv_val, (sizeof("{CRYPT}") - 1 ) ) == 0 ) {
  45                                 char *userpassword = vals[i]->bv_val + sizeof("{CRYPT}") - 1;
  46                                 pthread_mutex_lock( &crypt_mutex );
  47                                 if ( ( !strcmp( userpassword, crypt( cred->bv_val, userpassword ) ) != 0 ) ) {
  48                                         pthread_mutex_unlock( &crypt_mutex );
  49                                         return ( 0 );
  50                                 }
  51                                 pthread_mutex_unlock( &crypt_mutex );
  52                 } else {
  53                 if ( value_cmp( vals[i], v, syntax, normalize ) == 0 ) {
  54                         return( 0 );
  55                 }
  56         }
  57         }
  58
  59         return( 1 );
  60 }
  61 #endif /* LDAP_CRYPT */
  62
  63 int
  64 ldbm_back_bind(
  65     Backend             *be,
  66     Connection          *conn,
  67     Operation           *op,
  68     char                *dn,
  69     int                 method,
  70     struct berval       *cred
  71 )
  72 {
  73         struct ldbminfo *li = (struct ldbminfo *) be->be_private;
  74         Entry           *e;
  75         Attribute       *a;
  76         int             rc;
  77         char            *matched = NULL;
  78 #ifdef KERBEROS
  79         char            krbname[MAX_K_NAME_SZ + 1];
  80         AUTH_DAT        ad;
  81 #endif
  82
  83         if ( (e = dn2entry( be, dn, &matched )) == NULL ) {
  84                 /* allow noauth binds */
  85                 if ( method == LDAP_AUTH_SIMPLE && cred->bv_len == 0 ) {
  86                         /*
  87                          * bind successful, but return 1 so we don't
  88                          * authorize based on noauth credentials
  89                          */
  90                         send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
  91                         rc = 1;
  92                 } else if ( be_isroot_pw( be, dn, cred ) ) {
  93                         /* front end will send result */
  94                         rc = 0;
  95                 } else {
  96                         send_ldap_result( conn, op, LDAP_NO_SUCH_OBJECT,
  97                             matched, NULL );
  98                         rc = 1;
  99                 }
 100                 if ( matched != NULL ) {
 101                         free( matched );
 102                 }
 103                 return( rc );
 104         }
 105
 106         switch ( method ) {
 107         case LDAP_AUTH_SIMPLE:
 108                 if ( cred->bv_len == 0 ) {
 109                         send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
 110                         return( 1 );
 111                 } else if ( be_isroot_pw( be, dn, cred ) ) {
 112                         /* front end will send result */
 113                         return( 0 );
 114                 }
 115
 116                 if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
 117                         if ( be_isroot_pw( be, dn, cred ) ) {
 118                                 /* front end will send result */
 119                                 return( 0 );
 120                         }
 121                         send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
 122                             NULL, NULL );
 123                         cache_return_entry( &li->li_cache, e );
 124                         return( 1 );
 125                 }
 126
 127 #ifdef LDAP_CRYPT
 128                 if ( crypted_value_find( a->a_vals, cred, a->a_syntax, 0, cred ) != 0 )
 129 #else
 130                 if ( value_find( a->a_vals, cred, a->a_syntax, 0 ) != 0 )
 131 #endif
 132 {
 133                         if ( be_isroot_pw( be, dn, cred ) ) {
 134                                 /* front end will send result */
 135                                 return( 0 );
 136                         }
 137                         send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
 138                                 NULL, NULL );
 139                         cache_return_entry( &li->li_cache, e );
 140                         return( 1 );
 141                 }
 142                 break;
 143
 144 #ifdef KERBEROS
 145         case LDAP_AUTH_KRBV41:
 146                 if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
 147                         send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
 148                             NULL, NULL );
 149                         cache_return_entry( &li->li_cache, e );
 150                         return( 1 );
 151                 }
 152                 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
 153                     : "", ad.pinst, ad.prealm );
 154                 if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
 155                         /*
 156                          * no krbName values present:  check against DN
 157                          */
 158                         if ( strcasecmp( dn, krbname ) == 0 ) {
 159                                 break;
 160                         }
 161                         send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
 162                             NULL, NULL );
 163                         cache_return_entry( &li->li_cache, e );
 164                         return( 1 );
 165                 } else {        /* look for krbName match */
 166                         struct berval   krbval;
 167
 168                         krbval.bv_val = krbname;
 169                         krbval.bv_len = strlen( krbname );
 170
 171                         if ( value_find( a->a_vals, &krbval, a->a_syntax, 3 )
 172                             != 0 ) {
 173                                 send_ldap_result( conn, op,
 174                                     LDAP_INVALID_CREDENTIALS, NULL, NULL );
 175                                 cache_return_entry( &li->li_cache, e );
 176                                 return( 1 );
 177                         }
 178                 }
 179                 break;
 180
 181         case LDAP_AUTH_KRBV42:
 182                 send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
 183                 cache_return_entry( &li->li_cache, e );
 184                 return( 1 );
 185 #endif
 186
 187         default:
 188                 send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
 189                     NULL, "auth method not supported" );
 190                 cache_return_entry( &li->li_cache, e );
 191                 return( 1 );
 192         }
 193
 194         cache_return_entry( &li->li_cache, e );
 195
 196         /* success:  front end will send result */
 197         return( 0 );
 198 }