1 /* bind.c - ldbm backend bind and unbind routines */
4 * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/socket.h>
14 #include <ac/string.h>
15 #include <ac/unistd.h>
18 #include "back-ldbm.h"
19 #include "proto-back-ldbm.h"
33 struct ldbminfo *li = (struct ldbminfo *) be->be_private;
38 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
39 char krbname[MAX_K_NAME_SZ + 1];
40 AttributeDescription *krbattr = slap_schema.si_ad_krbName;
44 AttributeDescription *password = slap_schema.si_ad_userPassword;
47 LDAP_LOG(( "backend", LDAP_LEVEL_ENTRY,
48 "ldbm_back_bind: dn: %s.\n", dn ));
50 Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_bind: dn: %s\n", dn, 0, 0);
57 /* get entry with reader lock */
58 if ( (e = dn2entry_r( be, dn, &matched )) == NULL ) {
59 char *matched_dn = NULL;
60 struct berval **refs = NULL;
62 if( matched != NULL ) {
63 matched_dn = ch_strdup( matched->e_dn );
65 refs = is_entry_referral( matched )
66 ? get_entry_referrals( be, conn, op, matched,
67 dn, LDAP_SCOPE_DEFAULT )
70 cache_return_entry_r( &li->li_cache, matched );
73 refs = referral_rewrite( default_referral,
74 NULL, dn, LDAP_SCOPE_DEFAULT );
77 /* allow noauth binds */
79 if ( method == LDAP_AUTH_SIMPLE ) {
80 if ( be_isroot_pw( be, conn, dn, cred ) ) {
81 *edn = ch_strdup( be_root_dn( be ) );
82 rc = 0; /* front end will send result */
84 } else if ( refs != NULL ) {
85 send_ldap_result( conn, op, LDAP_REFERRAL,
86 matched_dn, NULL, refs, NULL );
89 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
90 NULL, NULL, NULL, NULL );
93 } else if ( refs != NULL ) {
94 send_ldap_result( conn, op, LDAP_REFERRAL,
95 matched_dn, NULL, refs, NULL );
98 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
99 NULL, NULL, NULL, NULL );
102 ber_bvecfree( refs );
107 *edn = ch_strdup( e->e_dn );
109 /* check for deleted */
111 if ( is_entry_alias( e ) ) {
112 /* entry is an alias, don't allow bind */
114 LDAP_LOG(( "backend", LDAP_LEVEL_INFO,
115 "ldbm_back_bind: entry (%s) is an alias.\n", e->e_dn ));
117 Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
122 send_ldap_result( conn, op, LDAP_ALIAS_PROBLEM,
123 NULL, "entry is alias", NULL, NULL );
129 if ( is_entry_referral( e ) ) {
130 /* entry is a referral, don't allow bind */
131 struct berval **refs = get_entry_referrals( be,
132 conn, op, e, dn, LDAP_SCOPE_DEFAULT );
135 LDAP_LOG(( "backend", LDAP_LEVEL_INFO,
136 "ldbm_back_bind: entry(%s) is a referral.\n", e->e_dn ));
138 Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
144 send_ldap_result( conn, op, LDAP_REFERRAL,
145 e->e_dn, NULL, refs, NULL );
148 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
149 NULL, NULL, NULL, NULL );
152 ber_bvecfree( refs );
159 case LDAP_AUTH_SIMPLE:
160 /* check for root dn/passwd */
161 if ( be_isroot_pw( be, conn, dn, cred ) ) {
162 /* front end will send result */
163 if(*edn != NULL) free( *edn );
164 *edn = ch_strdup( be_root_dn( be ) );
169 if ( ! access_allowed( be, conn, op, e,
170 password, NULL, ACL_AUTH ) )
172 send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
173 NULL, NULL, NULL, NULL );
178 if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
179 send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
180 NULL, NULL, NULL, NULL );
182 /* stop front end from sending result */
187 if ( slap_passwd_check( conn, a, cred ) != 0 ) {
188 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
189 NULL, NULL, NULL, NULL );
190 /* stop front end from sending result */
198 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
199 case LDAP_AUTH_KRBV41:
200 if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
201 send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
202 NULL, NULL, NULL, NULL );
207 if ( ! access_allowed( be, conn, op, e,
208 krbattr, NULL, ACL_AUTH ) )
210 send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
211 NULL, NULL, NULL, NULL );
216 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
217 : "", ad.pinst, ad.prealm );
219 if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
221 * no krbname values present: check against DN
223 if ( strcasecmp( dn, krbname ) == 0 ) {
227 send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
228 NULL, NULL, NULL, NULL );
232 } else { /* look for krbname match */
233 struct berval krbval;
235 krbval.bv_val = krbname;
236 krbval.bv_len = strlen( krbname );
238 if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
239 send_ldap_result( conn, op,
240 LDAP_INVALID_CREDENTIALS,
241 NULL, NULL, NULL, NULL );
249 case LDAP_AUTH_KRBV42:
250 send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM,
251 NULL, "Kerberos bind step 2 not supported",
253 /* stop front end from sending result */
254 rc = LDAP_UNWILLING_TO_PERFORM;
259 send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
260 NULL, "authentication method not supported", NULL, NULL );
266 /* free entry and reader lock */
267 cache_return_entry_r( &li->li_cache, e );
269 /* front end with send result on success (rc==0) */