git.sur5r.net Git - openldap/blob - servers/slapd/back-ldbm/bind.c

   1 /* bind.c - ldbm backend bind and unbind routines */
   2
   3 #include "portable.h"
   4
   5 #include <stdio.h>
   6
   7 #include <ac/krb.h>
   8 #include <ac/socket.h>
   9 #include <ac/string.h>
  10 #include <ac/unistd.h>
  11
  12 #include "slap.h"
  13 #include "back-ldbm.h"
  14 #include "proto-back-ldbm.h"
  15
  16 #include <lutil.h>
  17
  18 #ifdef HAVE_KERBEROS
  19 extern int      krbv4_ldap_auth();
  20 #endif
  21
  22 pthread_mutex_t crypt_mutex;
  23
  24 static int
  25 crypted_value_find(
  26         struct berval       **vals,
  27         struct berval       *v,
  28         int                 syntax,
  29         int                 normalize,
  30         struct berval           *cred
  31 )
  32 {
  33         int     i;
  34         for ( i = 0; vals[i] != NULL; i++ ) {
  35                 if ( syntax != SYNTAX_BIN ) {
  36                         int result;
  37
  38                         pthread_mutex_lock( &crypt_mutex );
  39
  40                         result = lutil_passwd(
  41                                 (char*) cred->bv_val,
  42                                 (char*) vals[i]->bv_val);
  43
  44                         pthread_mutex_unlock( &crypt_mutex );
  45
  46                         return result;
  47
  48                 } else {
  49                 if ( value_cmp( vals[i], v, syntax, normalize ) == 0 ) {
  50                         return( 0 );
  51                 }
  52         }
  53         }
  54
  55         return( 1 );
  56 }
  57
  58 int
  59 ldbm_back_bind(
  60     Backend             *be,
  61     Connection          *conn,
  62     Operation           *op,
  63     char                *dn,
  64     int                 method,
  65     struct berval       *cred
  66 )
  67 {
  68         struct ldbminfo *li = (struct ldbminfo *) be->be_private;
  69         Entry           *e;
  70         Attribute       *a;
  71         int             rc;
  72         char            *matched;
  73 #ifdef HAVE_KERBEROS
  74         char            krbname[MAX_K_NAME_SZ + 1];
  75         AUTH_DAT        ad;
  76 #endif
  77
  78         Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_bind: dn: %s\n", dn, 0, 0);
  79
  80         /* get entry with reader lock */
  81         if ( (e = dn2entry_r( be, dn, &matched )) == NULL ) {
  82                 /* allow noauth binds */
  83                 if ( method == LDAP_AUTH_SIMPLE && cred->bv_len == 0 ) {
  84                         /*
  85                          * bind successful, but return 1 so we don't
  86                          * authorize based on noauth credentials
  87                          */
  88                         send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
  89                         rc = 1;
  90                 } else if ( be_isroot_pw( be, dn, cred ) ) {
  91                         /* front end will send result */
  92                         rc = 0;
  93                 } else {
  94                         send_ldap_result( conn, op, LDAP_NO_SUCH_OBJECT, matched, NULL );
  95                         rc = 1;
  96                 }
  97                 if ( matched != NULL ) {
  98                         free( matched );
  99                 }
 100                 return( rc );
 101         }
 102
 103         /* check for deleted */
 104
 105         switch ( method ) {
 106         case LDAP_AUTH_SIMPLE:
 107                 if ( cred->bv_len == 0 ) {
 108                         send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
 109
 110                         /* stop front end from sending result */
 111                         rc = 1;
 112                         goto return_results;
 113                 } else if ( be_isroot_pw( be, dn, cred ) ) {
 114                         /* front end will send result */
 115                         rc = 0;
 116                         goto return_results;
 117                 }
 118
 119                 if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
 120                         if ( be_isroot_pw( be, dn, cred ) ) {
 121                                 /* front end will send result */
 122                                 rc = 0;
 123                                 goto return_results;
 124                         }
 125                         send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
 126                             NULL, NULL );
 127                         rc = 1;
 128                         goto return_results;
 129                 }
 130
 131 #ifdef SLAPD_CRYPT
 132                 if ( crypted_value_find( a->a_vals, cred, a->a_syntax, 0, cred ) != 0 )
 133 #else
 134                 if ( value_find( a->a_vals, cred, a->a_syntax, 0 ) != 0 )
 135 #endif
 136                 {
 137                         if ( be_isroot_pw( be, dn, cred ) ) {
 138                                 /* front end will send result */
 139                                 rc = 0;
 140                                 goto return_results;
 141                         }
 142                         send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
 143                                 NULL, NULL );
 144                         rc = 1;
 145                         goto return_results;
 146                 }
 147                 rc = 0;
 148                 break;
 149
 150 #ifdef HAVE_KERBEROS
 151         case LDAP_AUTH_KRBV41:
 152                 if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
 153                         send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
 154                             NULL, NULL );
 155                         rc = 0;
 156                         goto return_results;
 157                 }
 158                 sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
 159                     : "", ad.pinst, ad.prealm );
 160                 if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
 161                         /*
 162                          * no krbName values present:  check against DN
 163                          */
 164                         if ( strcasecmp( dn, krbname ) == 0 ) {
 165                                 rc = 0; /* XXX wild ass guess */
 166                                 break;
 167                         }
 168                         send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
 169                             NULL, NULL );
 170                         rc = 1;
 171                         goto return_results;
 172                 } else {        /* look for krbName match */
 173                         struct berval   krbval;
 174
 175                         krbval.bv_val = krbname;
 176                         krbval.bv_len = strlen( krbname );
 177
 178                         if ( value_find( a->a_vals, &krbval, a->a_syntax, 3 ) != 0 ) {
 179                                 send_ldap_result( conn, op,
 180                                     LDAP_INVALID_CREDENTIALS, NULL, NULL );
 181                                 rc = 1;
 182                                 goto return_results;
 183                         }
 184                 }
 185                 break;
 186
 187         case LDAP_AUTH_KRBV42:
 188                 send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
 189                 /* stop front end from sending result */
 190                 rc = 1;
 191                 goto return_results;
 192 #endif
 193
 194         default:
 195                 send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
 196                     NULL, "auth method not supported" );
 197                 rc = 1;
 198                 goto return_results;
 199         }
 200
 201 return_results:;
 202         /* free entry and reader lock */
 203         cache_return_entry_r( &li->li_cache, e );
 204
 205         /* front end with send result on success (rc==0) */
 206         return( rc );
 207 }
 208