1 /* bind.c - ldbm backend bind and unbind routines */
4 * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/socket.h>
14 #include <ac/string.h>
15 #include <ac/unistd.h>
18 #include "back-ldbm.h"
19 #include "proto-back-ldbm.h"
34 struct ldbminfo *li = (struct ldbminfo *) be->be_private;
40 char krbname[MAX_K_NAME_SZ + 1];
44 Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_bind: dn: %s\n", dn, 0, 0);
49 /* get entry with reader lock */
50 if ( (e = dn2entry_r( be, dn, &matched )) == NULL ) {
51 char *matched_dn = NULL;
52 struct berval **refs = NULL;
54 if( matched != NULL ) {
55 matched_dn = ch_strdup( matched->e_dn );
57 refs = is_entry_referral( matched )
58 ? get_entry_referrals( be, conn, op, matched )
61 cache_return_entry_r( &li->li_cache, matched );
63 refs = default_referral;
66 /* allow noauth binds */
68 if ( method == LDAP_AUTH_SIMPLE ) {
69 if( cred->bv_len == 0 ) {
71 send_ldap_result( conn, op, LDAP_SUCCESS,
72 NULL, NULL, NULL, NULL );
74 } else if ( be_isroot_pw( be, dn, cred ) ) {
75 *edn = ch_strdup( be_root_dn( be ) );
76 rc = 0; /* front end will send result */
78 } else if ( refs != NULL ) {
79 send_ldap_result( conn, op, LDAP_REFERRAL,
80 matched_dn, NULL, refs, NULL );
83 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
84 NULL, NULL, NULL, NULL );
87 } else if ( method == LDAP_AUTH_SASL ) {
88 #ifdef HAVE_CYRUS_SASL
89 rc = sasl_bind( be, conn, op,
90 dn, ndn, mech, cred, edn );
92 if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") == 0 ) {
93 /* insert DIGEST calls here */
94 send_ldap_result( conn, op, LDAP_AUTH_METHOD_NOT_SUPPORTED,
95 NULL, NULL, NULL, NULL );
98 send_ldap_result( conn, op, LDAP_AUTH_METHOD_NOT_SUPPORTED,
99 NULL, NULL, NULL, NULL );
101 #endif /* HAVE_CYRUS_SASL */
102 } else if ( refs != NULL ) {
103 send_ldap_result( conn, op, LDAP_REFERRAL,
104 matched_dn, NULL, refs, NULL );
107 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
108 NULL, NULL, NULL, NULL );
111 if ( matched != NULL ) {
112 ber_bvecfree( refs );
118 *edn = ch_strdup( e->e_dn );
120 /* check for deleted */
122 if ( ! access_allowed( be, conn, op, e,
123 "entry", NULL, ACL_AUTH ) )
125 send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
126 NULL, NULL, NULL, NULL );
131 if ( is_entry_alias( e ) ) {
132 /* entry is an alias, don't allow bind */
133 Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
136 send_ldap_result( conn, op, LDAP_ALIAS_PROBLEM,
137 NULL, NULL, NULL, NULL );
143 if ( is_entry_referral( e ) ) {
144 /* entry is a referral, don't allow bind */
145 struct berval **refs = get_entry_referrals( be,
148 Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
152 send_ldap_result( conn, op, LDAP_REFERRAL,
153 e->e_dn, NULL, refs, NULL );
156 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
157 NULL, NULL, NULL, NULL );
160 ber_bvecfree( refs );
167 case LDAP_AUTH_SIMPLE:
168 if ( cred->bv_len == 0 ) {
169 send_ldap_result( conn, op, LDAP_SUCCESS,
170 NULL, NULL, NULL, NULL );
172 /* stop front end from sending result */
177 /* check for root dn/passwd */
178 if ( be_isroot_pw( be, dn, cred ) ) {
179 /* front end will send result */
180 if(*edn != NULL) free( *edn );
181 *edn = ch_strdup( be_root_dn( be ) );
186 if ( ! access_allowed( be, conn, op, e,
187 "userpassword", NULL, ACL_AUTH ) )
189 send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
190 NULL, NULL, NULL, NULL );
195 if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
196 send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
197 NULL, NULL, NULL, NULL );
199 /* stop front end from sending result */
204 if ( slap_passwd_check( a, cred ) != 0 ) {
205 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
206 NULL, NULL, NULL, NULL );
207 /* stop front end from sending result */
216 case LDAP_AUTH_KRBV41:
217 if ( ! access_allowed( be, conn, op, e,
218 "krbname", NULL, ACL_AUTH ) )
220 send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
221 NULL, NULL, NULL, NULL );
226 if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
227 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
228 NULL, NULL, NULL, NULL );
233 if ( ! access_allowed( be, conn, op, e,
234 "krbname", NULL, ACL_AUTH ) )
236 send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
237 NULL, NULL, NULL, NULL );
242 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
243 : "", ad.pinst, ad.prealm );
246 if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
248 * no krbname values present: check against DN
250 if ( strcasecmp( dn, krbname ) == 0 ) {
254 send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
255 NULL, NULL, NULL, NULL );
259 } else { /* look for krbname match */
260 struct berval krbval;
262 krbval.bv_val = krbname;
263 krbval.bv_len = strlen( krbname );
265 if ( value_find( a->a_vals, &krbval, a->a_syntax, 3 ) != 0 ) {
266 send_ldap_result( conn, op,
267 LDAP_INVALID_CREDENTIALS,
268 NULL, NULL, NULL, NULL );
276 case LDAP_AUTH_KRBV42:
277 send_ldap_result( conn, op, LDAP_SUCCESS,
278 NULL, NULL, NULL, NULL );
279 /* stop front end from sending result */
285 /* insert SASL code here */
286 #ifdef HAVE_CYRUS_SASL
287 /* this may discard edn as we always prefer the SASL authzid
288 * because it may be sealed.
290 rc = sasl_bind( be, conn, op, dn, ndn, mech, cred, edn );
291 #endif /* HAVE_CYRUS_SASL */
293 send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
294 NULL, "auth method not supported", NULL, NULL );
300 /* free entry and reader lock */
301 cache_return_entry_r( &li->li_cache, e );
303 /* front end will send result on success (rc==0) */