]> git.sur5r.net Git - openldap/blob - servers/slapd/back-ldbm/bind.c
cleanup bind
[openldap] / servers / slapd / back-ldbm / bind.c
1 /* bind.c - ldbm backend bind and unbind routines */
2 /* $OpenLDAP$ */
3 /*
4  * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
6  */
7
8 #include "portable.h"
9
10 #include <stdio.h>
11
12 #include <ac/krb.h>
13 #include <ac/socket.h>
14 #include <ac/string.h>
15 #include <ac/unistd.h>
16
17 #include "slap.h"
18 #include "back-ldbm.h"
19 #include "proto-back-ldbm.h"
20
21 int
22 ldbm_back_bind(
23     Backend             *be,
24     Connection          *conn,
25     Operation           *op,
26     struct berval       *dn,
27     struct berval       *ndn,
28     int                 method,
29     struct berval       *cred,
30     struct berval       *edn
31 )
32 {
33         struct ldbminfo *li = (struct ldbminfo *) be->be_private;
34         Entry           *e;
35         Attribute       *a;
36         int             rc;
37         Entry           *matched;
38 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
39         char            krbname[MAX_K_NAME_SZ + 1];
40         AttributeDescription *krbattr = slap_schema.si_ad_krbName;
41         AUTH_DAT        ad;
42 #endif
43
44         AttributeDescription *password = slap_schema.si_ad_userPassword;
45
46 #ifdef NEW_LOGGING
47         LDAP_LOG( BACK_LDBM, ENTRY, 
48                 "ldbm_back_bind: dn: %s.\n", dn->bv_val, 0, 0 );
49 #else
50         Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_bind: dn: %s\n", dn->bv_val, 0, 0);
51 #endif
52
53         dn = ndn;
54
55         /* grab giant lock for reading */
56         ldap_pvt_thread_rdwr_rlock(&li->li_giant_rwlock);
57
58         /* get entry with reader lock */
59         if ( (e = dn2entry_r( be, dn, &matched )) == NULL ) {
60                 char *matched_dn = NULL;
61                 BerVarray refs = NULL;
62
63                 if( matched != NULL ) {
64                         matched_dn = ch_strdup( matched->e_dn );
65
66                         refs = is_entry_referral( matched )
67                                 ? get_entry_referrals( be, conn, op, matched )
68                                 : NULL;
69
70                         cache_return_entry_r( &li->li_cache, matched );
71
72                 } else {
73                         refs = referral_rewrite( default_referral,
74                                 NULL, dn, LDAP_SCOPE_DEFAULT );
75                 }
76
77                 ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);
78
79                 /* allow noauth binds */
80                 rc = 1;
81                 if ( method == LDAP_AUTH_SIMPLE ) {
82                         if ( be_isroot_pw( be, conn, dn, cred ) ) {
83                                 ber_dupbv( edn, be_root_dn( be ) );
84                                 rc = 0; /* front end will send result */
85
86                         } else if ( refs != NULL ) {
87                                 send_ldap_result( conn, op, LDAP_REFERRAL,
88                                         matched_dn, NULL, refs, NULL );
89
90                         } else {
91                                 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
92                                         NULL, NULL, NULL, NULL );
93                         }
94
95                 } else if ( refs != NULL ) {
96                         send_ldap_result( conn, op, LDAP_REFERRAL,
97                                 matched_dn, NULL, refs, NULL );
98
99                 } else {
100                         send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
101                                 NULL, NULL, NULL, NULL );
102                 }
103
104                 if ( refs ) ber_bvarray_free( refs );
105                 if ( matched_dn ) free( matched_dn );
106                 return( rc );
107         }
108
109         ber_dupbv( edn, &e->e_name );
110
111         /* check for deleted */
112
113         if ( is_entry_alias( e ) ) {
114                 /* entry is an alias, don't allow bind */
115 #ifdef NEW_LOGGING
116                 LDAP_LOG( BACK_LDBM, INFO, 
117                         "ldbm_back_bind: entry (%s) is an alias.\n", e->e_dn, 0, 0 );
118 #else
119                 Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
120                     0, 0 );
121 #endif
122
123
124                 send_ldap_result( conn, op, LDAP_ALIAS_PROBLEM,
125                     NULL, "entry is alias", NULL, NULL );
126
127                 rc = 1;
128                 goto return_results;
129         }
130
131         if ( is_entry_referral( e ) ) {
132                 /* entry is a referral, don't allow bind */
133                 BerVarray refs = get_entry_referrals( be,
134                         conn, op, e );
135
136 #ifdef NEW_LOGGING
137                 LDAP_LOG( BACK_LDBM, INFO, 
138                            "ldbm_back_bind: entry(%s) is a referral.\n", e->e_dn, 0, 0 );
139 #else
140                 Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
141                     0, 0 );
142 #endif
143
144
145                 if( refs != NULL ) {
146                         send_ldap_result( conn, op, LDAP_REFERRAL,
147                                 e->e_dn, NULL, refs, NULL );
148
149                 } else {
150                         send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
151                                 NULL, NULL, NULL, NULL );
152                 }
153
154                 ber_bvarray_free( refs );
155
156                 rc = 1;
157                 goto return_results;
158         }
159
160         switch ( method ) {
161         case LDAP_AUTH_SIMPLE:
162                 /* check for root dn/passwd */
163                 if ( be_isroot_pw( be, conn, dn, cred ) ) {
164                         /* front end will send result */
165                         if(edn->bv_val != NULL) free( edn->bv_val );
166                         ber_dupbv( edn, be_root_dn( be ) );
167                         rc = 0;
168                         goto return_results;
169                 }
170
171                 if ( ! access_allowed( be, conn, op, e,
172                         password, NULL, ACL_AUTH, NULL ) )
173                 {
174                         send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
175                                 NULL, NULL, NULL, NULL );
176                         rc = 1;
177                         goto return_results;
178                 }
179
180                 if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
181                         send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
182                             NULL, NULL, NULL, NULL );
183
184                         /* stop front end from sending result */
185                         rc = 1;
186                         goto return_results;
187                 }
188
189                 if ( slap_passwd_check( conn, a, cred ) != 0 ) {
190                         send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
191                                 NULL, NULL, NULL, NULL );
192                         /* stop front end from sending result */
193                         rc = 1;
194                         goto return_results;
195                 }
196
197                 rc = 0;
198                 break;
199
200 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
201         case LDAP_AUTH_KRBV41:
202                 if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
203                         send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
204                             NULL, NULL, NULL, NULL );
205                         rc = 1;
206                         goto return_results;
207                 }
208
209                 if ( ! access_allowed( be, conn, op, e,
210                         krbattr, NULL, ACL_AUTH, NULL ) )
211                 {
212                         send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
213                                 NULL, NULL, NULL, NULL );
214                         rc = 1;
215                         goto return_results;
216                 }
217
218                 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
219                     : "", ad.pinst, ad.prealm );
220
221                 if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
222                         /*
223                          * no krbname values present:  check against DN
224                          */
225                         if ( strcasecmp( dn->bv_val, krbname ) == 0 ) {
226                                 rc = 0;
227                                 break;
228                         }
229                         send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
230                             NULL, NULL, NULL, NULL );
231                         rc = 1;
232                         goto return_results;
233
234                 } else {        /* look for krbname match */
235                         struct berval   krbval;
236
237                         krbval.bv_val = krbname;
238                         krbval.bv_len = strlen( krbname );
239
240                         if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
241                                 send_ldap_result( conn, op,
242                                     LDAP_INVALID_CREDENTIALS,
243                                         NULL, NULL, NULL, NULL );
244                                 rc = 1;
245                                 goto return_results;
246                         }
247                 }
248                 rc = 0;
249                 break;
250
251         case LDAP_AUTH_KRBV42:
252                 send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM,
253                         NULL, "Kerberos bind step 2 not supported",
254                         NULL, NULL );
255                 /* stop front end from sending result */
256                 rc = LDAP_UNWILLING_TO_PERFORM;
257                 goto return_results;
258 #endif
259
260         default:
261                 send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
262                     NULL, "authentication method not supported", NULL, NULL );
263                 rc = 1;
264                 goto return_results;
265         }
266
267 return_results:;
268         /* free entry and reader lock */
269         cache_return_entry_r( &li->li_cache, e );
270         ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);
271
272         /* front end will send result on success (rc==0) */
273         return( rc );
274 }
275