1 /* bind.c - ldbm backend bind and unbind routines */
4 * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/socket.h>
14 #include <ac/string.h>
15 #include <ac/unistd.h>
18 #include "back-ldbm.h"
19 #include "proto-back-ldbm.h"
34 struct ldbminfo *li = (struct ldbminfo *) be->be_private;
39 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
40 char krbname[MAX_K_NAME_SZ + 1];
44 #ifdef SLAPD_SCHEMA_NOT_COMPAT
45 static AttributeDescription *password = NULL;
46 static AttributeDescription *entry = NULL;
48 static const char *password = "userpassword";
49 static const char *entry = "entry";
52 Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_bind: dn: %s\n", dn, 0, 0);
57 /* get entry with reader lock */
58 if ( (e = dn2entry_r( be, dn, &matched )) == NULL ) {
59 char *matched_dn = NULL;
60 struct berval **refs = NULL;
62 if( matched != NULL ) {
63 matched_dn = ch_strdup( matched->e_dn );
65 refs = is_entry_referral( matched )
66 ? get_entry_referrals( be, conn, op, matched )
69 cache_return_entry_r( &li->li_cache, matched );
71 refs = default_referral;
74 /* allow noauth binds */
76 if ( method == LDAP_AUTH_SIMPLE ) {
77 if( cred->bv_len == 0 ) {
79 send_ldap_result( conn, op, LDAP_SUCCESS,
80 NULL, NULL, NULL, NULL );
82 } else if ( be_isroot_pw( be, dn, cred ) ) {
83 *edn = ch_strdup( be_root_dn( be ) );
84 rc = 0; /* front end will send result */
86 } else if ( refs != NULL ) {
87 send_ldap_result( conn, op, LDAP_REFERRAL,
88 matched_dn, NULL, refs, NULL );
91 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
92 NULL, NULL, NULL, NULL );
95 } else if ( method == LDAP_AUTH_SASL ) {
96 #ifdef HAVE_CYRUS_SASL
97 rc = sasl_bind( be, conn, op,
98 dn, ndn, mech, cred, edn );
100 if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") == 0 ) {
101 /* insert DIGEST calls here */
102 send_ldap_result( conn, op, LDAP_AUTH_METHOD_NOT_SUPPORTED,
103 NULL, NULL, NULL, NULL );
106 send_ldap_result( conn, op, LDAP_AUTH_METHOD_NOT_SUPPORTED,
107 NULL, NULL, NULL, NULL );
109 #endif /* HAVE_CYRUS_SASL */
110 } else if ( refs != NULL ) {
111 send_ldap_result( conn, op, LDAP_REFERRAL,
112 matched_dn, NULL, refs, NULL );
115 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
116 NULL, NULL, NULL, NULL );
119 if ( matched != NULL ) {
120 ber_bvecfree( refs );
126 *edn = ch_strdup( e->e_dn );
128 /* check for deleted */
130 if ( ! access_allowed( be, conn, op, e,
131 entry, NULL, ACL_AUTH ) )
133 send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
134 NULL, NULL, NULL, NULL );
139 if ( is_entry_alias( e ) ) {
140 /* entry is an alias, don't allow bind */
141 Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
144 send_ldap_result( conn, op, LDAP_ALIAS_PROBLEM,
145 NULL, NULL, NULL, NULL );
151 if ( is_entry_referral( e ) ) {
152 /* entry is a referral, don't allow bind */
153 struct berval **refs = get_entry_referrals( be,
156 Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
160 send_ldap_result( conn, op, LDAP_REFERRAL,
161 e->e_dn, NULL, refs, NULL );
164 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
165 NULL, NULL, NULL, NULL );
168 ber_bvecfree( refs );
175 case LDAP_AUTH_SIMPLE:
176 if ( cred->bv_len == 0 ) {
177 send_ldap_result( conn, op, LDAP_SUCCESS,
178 NULL, NULL, NULL, NULL );
180 /* stop front end from sending result */
185 /* check for root dn/passwd */
186 if ( be_isroot_pw( be, dn, cred ) ) {
187 /* front end will send result */
188 if(*edn != NULL) free( *edn );
189 *edn = ch_strdup( be_root_dn( be ) );
194 if ( ! access_allowed( be, conn, op, e,
195 password, NULL, ACL_AUTH ) )
197 send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
198 NULL, NULL, NULL, NULL );
203 if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
204 send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
205 NULL, NULL, NULL, NULL );
207 /* stop front end from sending result */
212 if ( slap_passwd_check( a, cred ) != 0 ) {
213 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
214 NULL, NULL, NULL, NULL );
215 /* stop front end from sending result */
223 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
224 case LDAP_AUTH_KRBV41:
225 if ( ! access_allowed( be, conn, op, e,
226 "krbname", NULL, ACL_AUTH ) )
228 send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
229 NULL, NULL, NULL, NULL );
234 if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
235 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
236 NULL, NULL, NULL, NULL );
241 if ( ! access_allowed( be, conn, op, e,
242 "krbname", NULL, ACL_AUTH ) )
244 send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
245 NULL, NULL, NULL, NULL );
250 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
251 : "", ad.pinst, ad.prealm );
254 if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
256 * no krbname values present: check against DN
258 if ( strcasecmp( dn, krbname ) == 0 ) {
262 send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
263 NULL, NULL, NULL, NULL );
267 } else { /* look for krbname match */
268 struct berval krbval;
270 krbval.bv_val = krbname;
271 krbval.bv_len = strlen( krbname );
273 if ( value_find( a->a_vals, &krbval, a->a_syntax, 3 ) != 0 ) {
274 send_ldap_result( conn, op,
275 LDAP_INVALID_CREDENTIALS,
276 NULL, NULL, NULL, NULL );
284 case LDAP_AUTH_KRBV42:
285 send_ldap_result( conn, op, LDAP_SUCCESS,
286 NULL, NULL, NULL, NULL );
287 /* stop front end from sending result */
293 /* insert SASL code here */
294 #ifdef HAVE_CYRUS_SASL
295 /* this may discard edn as we always prefer the SASL authzid
296 * because it may be sealed.
298 rc = sasl_bind( be, conn, op, dn, ndn, mech, cred, edn );
299 #endif /* HAVE_CYRUS_SASL */
301 send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
302 NULL, "auth method not supported", NULL, NULL );
308 /* free entry and reader lock */
309 cache_return_entry_r( &li->li_cache, e );
311 /* front end will send result on success (rc==0) */