]> git.sur5r.net Git - openldap/blob - servers/slapd/back-ldbm/bind.c
projects / openldap / blob
? search:


dad6b9e2ac7127bc02a2b481863ad827c031cdbf
[openldap] / servers / slapd / back-ldbm / bind.c
1 /* bind.c - ldbm backend bind and unbind routines */
2
3 #include "portable.h"
4
5 #include <stdio.h>
6
7 #include <ac/krb.h>
8 #include <ac/socket.h>
9 #include <ac/string.h>
10 #include <ac/unistd.h>
11
12 #include "slap.h"
13 #include "back-ldbm.h"
14 #include "proto-back-ldbm.h"
15
16 #include <lutil.h>
17
18 #ifdef HAVE_KERBEROS
19 extern int      krbv4_ldap_auth();
20 #endif
21
22 static int
23 crypted_value_find(
24         struct berval       **vals,
25         struct berval       *v,
26         int                 syntax,
27         int                 normalize,
28         struct berval           *cred
29 )
30 {
31         int     i;
32         for ( i = 0; vals[i] != NULL; i++ ) {
33                 if ( syntax != SYNTAX_BIN ) {
34                         int result;
35
36 #ifdef SLAPD_CRYPT
37                         ldap_pvt_thread_mutex_lock( &crypt_mutex );
38 #endif
39
40                         result = lutil_passwd(
41                                 (char*) cred->bv_val,
42                                 (char*) vals[i]->bv_val,
43                                 NULL );
44
45 #ifdef SLAPD_CRYPT
46                         ldap_pvt_thread_mutex_unlock( &crypt_mutex );
47 #endif
48
49                         return result;
50
51                 } else {
52                 if ( value_cmp( vals[i], v, syntax, normalize ) == 0 ) {
53                         return( 0 );
54                 }
55         }
56         }
57
58         return( 1 );
59 }
60
61 int
62 ldbm_back_bind(
63     Backend             *be,
64     Connection          *conn,
65     Operation           *op,
66     char                *dn,
67     int                 method,
68         char            *mech,
69     struct berval       *cred,
70         char**  edn
71 )
72 {
73         struct ldbminfo *li = (struct ldbminfo *) be->be_private;
74         Entry           *e;
75         Attribute       *a;
76         int             rc;
77         Entry           *matched;
78 #ifdef HAVE_KERBEROS
79         char            krbname[MAX_K_NAME_SZ + 1];
80         AUTH_DAT        ad;
81 #endif
82
83         Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_bind: dn: %s\n", dn, 0, 0);
84
85         *edn = NULL;
86
87         /* get entry with reader lock */
88         if ( (e = dn2entry_r( be, dn, &matched )) == NULL ) {
89                 char *matched_dn = NULL;
90                 struct berval **refs = NULL;
91
92                 if( matched != NULL ) {
93                         matched_dn = ch_strdup( matched->e_dn );
94
95                         refs = is_entry_referral( matched )
96                                 ? get_entry_referrals( be, conn, op, matched )
97                                 : NULL;
98
99                         cache_return_entry_r( &li->li_cache, matched );
100                 } else {
101                         refs = default_referral;
102                 }
103
104                 /* allow noauth binds */
105                 rc = 1;
106                 if ( method == LDAP_AUTH_SIMPLE ) {
107                         if( cred->bv_len == 0 ) {
108                                 /* SUCCESS */
109                                 send_ldap_result( conn, op, LDAP_SUCCESS,
110                                         NULL, NULL, NULL, NULL );
111
112                         } else if ( be_isroot_pw( be, dn, cred ) ) {
113                                 *edn = ch_strdup( be_root_dn( be ) );
114                                 rc = 0; /* front end will send result */
115
116                         } else {
117                                 send_ldap_result( conn, op, LDAP_REFERRAL,
118                                         matched_dn, NULL, refs, NULL );
119                         }
120
121                 } else if ( method == LDAP_AUTH_SASL ) {
122                         if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") == 0 ) {
123                                 /* insert DIGEST calls here */
124                                 send_ldap_result( conn, op, LDAP_AUTH_METHOD_NOT_SUPPORTED,
125                                         NULL, NULL, NULL, NULL );
126                                 
127                         } else {
128                                 send_ldap_result( conn, op, LDAP_AUTH_METHOD_NOT_SUPPORTED,
129                                         NULL, NULL, NULL, NULL );
130                         }
131
132                 } else {
133                         send_ldap_result( conn, op, LDAP_REFERRAL,
134                                 matched_dn, NULL, refs, NULL );
135                 }
136
137                 if ( matched != NULL ) {
138                         ber_bvecfree( refs );
139                         free( matched_dn );
140                 }
141                 return( rc );
142         }
143
144         *edn = ch_strdup( e->e_dn );
145
146         /* check for deleted */
147
148         if ( ! access_allowed( be, conn, op, e,
149                 "entry", NULL, ACL_AUTH ) )
150         {
151                 send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
152                         NULL, NULL, NULL, NULL );
153                 rc = 1;
154                 goto return_results;
155         }
156
157         if ( is_entry_alias( e ) ) {
158                 /* entry is an alias, don't allow bind */
159                 Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
160                     0, 0 );
161
162                 send_ldap_result( conn, op, LDAP_ALIAS_PROBLEM,
163                     NULL, NULL, NULL, NULL );
164
165                 rc = 1;
166                 goto return_results;
167         }
168
169         if ( is_entry_referral( e ) ) {
170                 /* entry is a referral, don't allow bind */
171                 struct berval **refs = get_entry_referrals( be,
172                         conn, op, e );
173
174                 Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
175                     0, 0 );
176
177                 send_ldap_result( conn, op, LDAP_REFERRAL,
178                     e->e_dn, NULL, refs, NULL );
179
180                 ber_bvecfree( refs );
181
182                 rc = 1;
183                 goto return_results;
184         }
185
186         switch ( method ) {
187         case LDAP_AUTH_SIMPLE:
188                 if ( cred->bv_len == 0 ) {
189                         send_ldap_result( conn, op, LDAP_SUCCESS,
190                                 NULL, NULL, NULL, NULL );
191
192                         /* stop front end from sending result */
193                         rc = 1;
194                         goto return_results;
195                 } 
196
197                 /* check for root dn/passwd */
198                 if ( be_isroot_pw( be, dn, cred ) ) {
199                         /* front end will send result */
200                         if(*edn != NULL) free( *edn );
201                         *edn = ch_strdup( be_root_dn( be ) );
202                         rc = 0;
203                         goto return_results;
204                 }
205
206                 if ( ! access_allowed( be, conn, op, e,
207                         "userpassword", NULL, ACL_AUTH ) )
208                 {
209                         send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
210                                 NULL, NULL, NULL, NULL );
211                         rc = 1;
212                         goto return_results;
213                 }
214
215                 if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
216                         send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
217                             NULL, NULL, NULL, NULL );
218
219                         /* stop front end from sending result */
220                         rc = 1;
221                         goto return_results;
222                 }
223
224                 if ( crypted_value_find( a->a_vals, cred, a->a_syntax, 0, cred ) != 0 )
225                 {
226                         send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
227                                 NULL, NULL, NULL, NULL );
228                         /* stop front end from sending result */
229                         rc = 1;
230                         goto return_results;
231                 }
232
233                 rc = 0;
234                 break;
235
236 #ifdef HAVE_KERBEROS
237         case LDAP_AUTH_KRBV41:
238                 if ( ! access_allowed( be, conn, op, e,
239                         "krbname", NULL, ACL_AUTH ) )
240                 {
241                         send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
242                                 NULL, NULL, NULL, NULL );
243                         rc = 1;
244                         goto return_results;
245                 }
246
247                 if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
248                         send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
249                             NULL, NULL, NULL, NULL );
250                         rc = 1;
251                         goto return_results;
252                 }
253
254                 if ( ! access_allowed( be, conn, op, e,
255                         "krbname", NULL, ACL_AUTH ) )
256                 {
257                         send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
258                                 NULL, NULL, NULL, NULL );
259                         rc = 1;
260                         goto return_results;
261                 }
262
263                 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
264                     : "", ad.pinst, ad.prealm );
265
266
267                 if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
268                         /*
269                          * no krbName values present:  check against DN
270                          */
271                         if ( strcasecmp( dn, krbname ) == 0 ) {
272                                 rc = 0;
273                                 break;
274                         }
275                         send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
276                             NULL, NULL, NULL, NULL );
277                         rc = 1;
278                         goto return_results;
279
280                 } else {        /* look for krbName match */
281                         struct berval   krbval;
282
283                         krbval.bv_val = krbname;
284                         krbval.bv_len = strlen( krbname );
285
286                         if ( value_find( a->a_vals, &krbval, a->a_syntax, 3 ) != 0 ) {
287                                 send_ldap_result( conn, op,
288                                     LDAP_INVALID_CREDENTIALS,
289                                         NULL, NULL, NULL, NULL );
290                                 rc = 1;
291                                 goto return_results;
292                         }
293                 }
294                 rc = 0;
295                 break;
296
297         case LDAP_AUTH_KRBV42:
298                 send_ldap_result( conn, op, LDAP_SUCCESS,
299                         NULL, NULL, NULL, NULL );
300                 /* stop front end from sending result */
301                 rc = 1;
302                 goto return_results;
303 #endif
304
305         case LDAP_AUTH_SASL:
306                 /* insert SASL code here */
307
308         default:
309                 send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
310                     NULL, "auth method not supported", NULL, NULL );
311                 rc = 1;
312                 goto return_results;
313         }
314
315 return_results:;
316         /* free entry and reader lock */
317         cache_return_entry_r( &li->li_cache, e );
318
319         /* front end with send result on success (rc==0) */
320         return( rc );
321 }
322
Cloned from git://git.openldap.org/openldap.git