1 /* bind.c - ldbm backend bind and unbind routines */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2005 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
22 #include <ac/socket.h>
23 #include <ac/string.h>
24 #include <ac/unistd.h>
27 #include "back-ldbm.h"
28 #include "proto-back-ldbm.h"
35 struct ldbminfo *li = (struct ldbminfo *) op->o_bd->be_private;
40 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
41 char krbname[MAX_K_NAME_SZ + 1];
42 AttributeDescription *krbattr = slap_schema.si_ad_krbName;
46 AttributeDescription *password = slap_schema.si_ad_userPassword;
48 Debug(LDAP_DEBUG_ARGS,
49 "==> ldbm_back_bind: dn: %s\n", op->o_req_dn.bv_val, 0, 0);
51 if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE && be_isroot_pw( op ) ) {
52 ber_dupbv( &op->oq_bind.rb_edn, be_root_dn( op->o_bd ) );
53 /* front end will send result */
57 /* grab giant lock for reading */
58 ldap_pvt_thread_rdwr_rlock(&li->li_giant_rwlock);
60 /* get entry with reader lock */
61 if ( (e = dn2entry_r( op->o_bd, &op->o_req_ndn, &matched )) == NULL ) {
62 if( matched != NULL ) {
63 cache_return_entry_r( &li->li_cache, matched );
65 ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);
67 /* allow noauth binds */
69 rs->sr_err = LDAP_INVALID_CREDENTIALS;
70 send_ldap_result( op, rs );
74 /* check for deleted */
75 #ifdef LDBM_SUBENTRIES
76 if ( is_entry_subentry( e ) ) {
77 /* entry is an subentry, don't allow bind */
78 Debug( LDAP_DEBUG_TRACE,
79 "entry is subentry\n", 0, 0, 0 );
80 rc = LDAP_INVALID_CREDENTIALS;
85 if ( is_entry_alias( e ) ) {
86 /* entry is an alias, don't allow bind */
87 Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0, 0, 0 );
90 rc = LDAP_INVALID_CREDENTIALS;
92 rs->sr_text = "entry is alias";
93 rc = LDAP_ALIAS_PROBLEM;
98 if ( is_entry_referral( e ) ) {
99 /* entry is a referral, don't allow bind */
100 Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0, 0, 0 );
102 rc = LDAP_INVALID_CREDENTIALS;
106 switch ( op->oq_bind.rb_method ) {
107 case LDAP_AUTH_SIMPLE:
108 if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
109 /* stop front end from sending result */
110 rc = LDAP_INVALID_CREDENTIALS;
114 if ( slap_passwd_check( op, e, a, &op->oq_bind.rb_cred,
115 &rs->sr_text ) != 0 )
117 /* failure; stop front end from sending result */
118 rc = LDAP_INVALID_CREDENTIALS;
125 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
126 case LDAP_AUTH_KRBV41:
127 if ( krbv4_ldap_auth( op->o_bd, &op->oq_bind.rb_cred, &ad )
130 rc = LDAP_INVALID_CREDENTIALS;
134 if ( ! access_allowed( op, e,
135 krbattr, NULL, ACL_AUTH, NULL ) )
137 rc = LDAP_INSUFFICIENT_ACCESS;
141 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
142 : "", ad.pinst, ad.prealm );
144 if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
146 * no krbname values present: check against DN
148 if ( strcasecmp( op->o_req_dn.bv_val, krbname ) == 0 ) {
152 rc = LDAP_INAPPROPRIATE_AUTH;
155 } else { /* look for krbname match */
156 struct berval krbval;
158 krbval.bv_val = krbname;
159 krbval.bv_len = strlen( krbname );
161 if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
162 rc = LDAP_INVALID_CREDENTIALS;
171 assert( 0 ); /* should not be reachable */
172 rs->sr_text = "authentication method not supported";
173 rc = LDAP_STRONG_AUTH_NOT_SUPPORTED;
177 ber_dupbv( &op->oq_bind.rb_edn, &e->e_name );
180 /* free entry and reader lock */
181 cache_return_entry_r( &li->li_cache, e );
182 ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);
186 send_ldap_result( op, rs );
188 ber_bvarray_free( rs->sr_ref );
193 /* front end will send result on success (rc==0) */