]> git.sur5r.net Git - openldap/blob - servers/slapd/bind.c
now I remember why I introduced the 'has_ldapinfo_dn_ru' flag
[openldap] / servers / slapd / bind.c
1 /* bind.c - decode an ldap bind operation and pass it to a backend db */
2 /* $OpenLDAP$ */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4  *
5  * Copyright 1998-2004 The OpenLDAP Foundation.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted only as authorized by the OpenLDAP
10  * Public License.
11  *
12  * A copy of this license is available in the file LICENSE in the
13  * top-level directory of the distribution or, alternatively, at
14  * <http://www.OpenLDAP.org/license.html>.
15  */
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17  * All rights reserved.
18  *
19  * Redistribution and use in source and binary forms are permitted
20  * provided that this notice is preserved and that due credit is given
21  * to the University of Michigan at Ann Arbor. The name of the University
22  * may not be used to endorse or promote products derived from this
23  * software without specific prior written permission. This software
24  * is provided ``as is'' without express or implied warranty.
25  */
26
27 #include "portable.h"
28
29 #include <stdio.h>
30
31 #include <ac/string.h>
32 #include <ac/socket.h>
33
34 #include "ldap_pvt.h"
35 #include "slap.h"
36 #ifdef LDAP_SLAPI
37 #include "slapi/slapi.h"
38 #endif
39
40
41 int
42 do_bind(
43     Operation   *op,
44     SlapReply   *rs
45 )
46 {
47         BerElement *ber = op->o_ber;
48         ber_int_t version;
49         ber_tag_t method;
50         struct berval mech = { 0, NULL };
51         struct berval dn = { 0, NULL };
52         ber_tag_t tag;
53         Backend *be = NULL;
54
55 #ifdef NEW_LOGGING
56         LDAP_LOG( OPERATION, ENTRY, "do_bind: conn %d\n", op->o_connid, 0, 0 );
57 #else
58         Debug( LDAP_DEBUG_TRACE, "do_bind\n", 0, 0, 0 );
59 #endif
60
61         /*
62          * Force to connection to "anonymous" until bind succeeds.
63          */
64         ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
65         if ( op->o_conn->c_sasl_bind_in_progress ) {
66                 be = op->o_conn->c_authz_backend;
67         }
68         if ( op->o_conn->c_dn.bv_len ) {
69                 /* log authorization identity demotion */
70                 Statslog( LDAP_DEBUG_STATS,
71                         "conn=%lu op=%lu BIND anonymous mech=implicit ssf=0\n",
72                         op->o_connid, op->o_opid, 0, 0, 0 );
73         }
74         connection2anonymous( op->o_conn );
75         if ( op->o_conn->c_sasl_bind_in_progress ) {
76                 op->o_conn->c_authz_backend = be;
77         }
78         ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
79         if ( op->o_dn.bv_val != NULL ) {
80                 free( op->o_dn.bv_val );
81                 op->o_dn.bv_val = ch_strdup( "" );
82                 op->o_dn.bv_len = 0;
83         }
84         if ( op->o_ndn.bv_val != NULL ) {
85                 free( op->o_ndn.bv_val );
86                 op->o_ndn.bv_val = ch_strdup( "" );
87                 op->o_ndn.bv_len = 0;
88         }
89
90         /*
91          * Parse the bind request.  It looks like this:
92          *
93          *      BindRequest ::= SEQUENCE {
94          *              version         INTEGER,                 -- version
95          *              name            DistinguishedName,       -- dn
96          *              authentication  CHOICE {
97          *                      simple          [0] OCTET STRING -- passwd
98          *                      krbv42ldap      [1] OCTET STRING
99          *                      krbv42dsa       [2] OCTET STRING
100          *                      SASL            [3] SaslCredentials
101          *              }
102          *      }
103          *
104          *      SaslCredentials ::= SEQUENCE {
105          *              mechanism           LDAPString,
106          *              credentials         OCTET STRING OPTIONAL
107          *      }
108          */
109
110         tag = ber_scanf( ber, "{imt" /*}*/, &version, &dn, &method );
111
112         if ( tag == LBER_ERROR ) {
113 #ifdef NEW_LOGGING
114                 LDAP_LOG( OPERATION, ERR, 
115                         "do_bind: conn %d  ber_scanf failed\n", op->o_connid, 0, 0 );
116 #else
117                 Debug( LDAP_DEBUG_ANY, "bind: ber_scanf failed\n", 0, 0, 0 );
118 #endif
119                 send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
120                 rs->sr_err = -1;
121                 goto cleanup;
122         }
123
124         op->o_protocol = version;
125
126         if( method != LDAP_AUTH_SASL ) {
127                 tag = ber_scanf( ber, /*{*/ "m}", &op->orb_cred );
128
129         } else {
130                 tag = ber_scanf( ber, "{m" /*}*/, &mech );
131
132                 if ( tag != LBER_ERROR ) {
133                         ber_len_t len;
134                         tag = ber_peek_tag( ber, &len );
135
136                         if ( tag == LDAP_TAG_LDAPCRED ) { 
137                                 tag = ber_scanf( ber, "m", &op->orb_cred );
138                         } else {
139                                 tag = LDAP_TAG_LDAPCRED;
140                                 op->orb_cred.bv_val = NULL;
141                                 op->orb_cred.bv_len = 0;
142                         }
143
144                         if ( tag != LBER_ERROR ) {
145                                 tag = ber_scanf( ber, /*{{*/ "}}" );
146                         }
147                 }
148         }
149
150         if ( tag == LBER_ERROR ) {
151                 send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
152                 rs->sr_err = SLAPD_DISCONNECT;
153                 goto cleanup;
154         }
155
156         if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {
157 #ifdef NEW_LOGGING
158                 LDAP_LOG( OPERATION, INFO, 
159                         "do_bind: conn %d  get_ctrls failed\n", op->o_connid, 0, 0 );
160 #else
161                 Debug( LDAP_DEBUG_ANY, "do_bind: get_ctrls failed\n", 0, 0, 0 );
162 #endif
163                 goto cleanup;
164         } 
165
166         /* We use the tmpmemctx here because it speeds up normalization.
167          * However, we must dup with regular malloc when storing any
168          * resulting DNs in the op or conn structures.
169          */
170         rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn,
171                 op->o_tmpmemctx );
172         if ( rs->sr_err != LDAP_SUCCESS ) {
173 #ifdef NEW_LOGGING
174                 LDAP_LOG( OPERATION, INFO, 
175                         "do_bind: conn %d  invalid dn (%s)\n", 
176                         op->o_connid, dn.bv_val, 0 );
177 #else
178                 Debug( LDAP_DEBUG_ANY, "bind: invalid dn (%s)\n",
179                         dn.bv_val, 0, 0 );
180 #endif
181                 send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" );
182                 goto cleanup;
183         }
184
185         if( method == LDAP_AUTH_SASL ) {
186 #ifdef NEW_LOGGING
187                 LDAP_LOG( OPERATION,     DETAIL1, 
188                         "do_sasl_bind: conn %d  dn (%s) mech %s\n", 
189                         op->o_connid, op->o_req_dn.bv_val, mech.bv_val );
190 #else
191                 Debug( LDAP_DEBUG_TRACE, "do_sasl_bind: dn (%s) mech %s\n",
192                         op->o_req_dn.bv_val, mech.bv_val, NULL );
193 #endif
194
195         } else {
196 #ifdef NEW_LOGGING
197                 LDAP_LOG( OPERATION, DETAIL1, 
198                         "do_bind: version=%ld dn=\"%s\" method=%ld\n",
199                         (unsigned long) version, op->o_req_dn.bv_val,
200                         (unsigned long) method );
201 #else
202                 Debug( LDAP_DEBUG_TRACE,
203                         "do_bind: version=%ld dn=\"%s\" method=%ld\n",
204                         (unsigned long) version, op->o_req_dn.bv_val,
205                         (unsigned long) method );
206 #endif
207         }
208
209         Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu BIND dn=\"%s\" method=%ld\n",
210             op->o_connid, op->o_opid, op->o_req_dn.bv_val, (unsigned long) method,
211                 0 );
212
213         if ( version < LDAP_VERSION_MIN || version > LDAP_VERSION_MAX ) {
214 #ifdef NEW_LOGGING
215                 LDAP_LOG( OPERATION, INFO, 
216                         "do_bind: conn %d  unknown version = %ld\n",
217                         op->o_connid, (unsigned long)version, 0 );
218 #else
219                 Debug( LDAP_DEBUG_ANY, "do_bind: unknown version=%ld\n",
220                         (unsigned long) version, 0, 0 );
221 #endif
222                 send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR,
223                         "requested protocol version not supported" );
224                 goto cleanup;
225
226         } else if (!( global_allows & SLAP_ALLOW_BIND_V2 ) &&
227                 version < LDAP_VERSION3 )
228         {
229                 send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR,
230                         "historical protocol version requested, use LDAPv3 instead" );
231                 goto cleanup;
232         }
233
234         /*
235          * we set connection version regardless of whether bind succeeds or not.
236          */
237         ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
238         op->o_conn->c_protocol = version;
239         ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
240
241         /* check for inappropriate controls */
242         if( get_manageDSAit( op ) == SLAP_CRITICAL_CONTROL ) {
243                 send_ldap_error( op, rs,
244                         LDAP_UNAVAILABLE_CRITICAL_EXTENSION,
245                         "manageDSAit control inappropriate" );
246                 goto cleanup;
247         }
248
249         /* Set the bindop for the benefit of in-directory SASL lookups */
250         op->o_conn->c_sasl_bindop = op;
251
252         if ( method == LDAP_AUTH_SASL ) {
253                 if ( version < LDAP_VERSION3 ) {
254 #ifdef NEW_LOGGING
255                         LDAP_LOG( OPERATION, INFO, 
256                                 "do_bind: conn %d  sasl with LDAPv%ld\n",
257                                 op->o_connid, (unsigned long)version , 0 );
258 #else
259                         Debug( LDAP_DEBUG_ANY, "do_bind: sasl with LDAPv%ld\n",
260                                 (unsigned long) version, 0, 0 );
261 #endif
262                         send_ldap_discon( op, rs,
263                                 LDAP_PROTOCOL_ERROR, "SASL bind requires LDAPv3" );
264                         rs->sr_err = SLAPD_DISCONNECT;
265                         goto cleanup;
266                 }
267
268                 if( mech.bv_len == 0 ) {
269 #ifdef NEW_LOGGING
270                         LDAP_LOG( OPERATION, INFO, 
271                                    "do_bind: conn %d  no SASL mechanism provided\n",
272                                    op->o_connid, 0, 0 );
273 #else
274                         Debug( LDAP_DEBUG_ANY,
275                                 "do_bind: no sasl mechanism provided\n",
276                                 0, 0, 0 );
277 #endif
278                         send_ldap_error( op, rs, LDAP_AUTH_METHOD_NOT_SUPPORTED,
279                                 "no SASL mechanism provided" );
280                         goto cleanup;
281                 }
282
283                 /* check restrictions */
284                 if( backend_check_restrictions( op, rs, &mech ) != LDAP_SUCCESS ) {
285                         send_ldap_result( op, rs );
286                         goto cleanup;
287                 }
288
289                 ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
290                 if ( op->o_conn->c_sasl_bind_in_progress ) {
291                         if( !bvmatch( &op->o_conn->c_sasl_bind_mech, &mech ) ) {
292                                 /* mechanism changed between bind steps */
293                                 slap_sasl_reset(op->o_conn);
294                         }
295                 } else {
296                         ber_dupbv(&op->o_conn->c_sasl_bind_mech, &mech);
297                 }
298                 ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
299
300                 rs->sr_err = slap_sasl_bind( op, rs );
301
302                 ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
303                 if( rs->sr_err == LDAP_SUCCESS ) {
304                         ber_dupbv(&op->o_conn->c_dn, &op->orb_edn);
305                         if( op->orb_edn.bv_len != 0 ) {
306                                 /* edn is always normalized already */
307                                 ber_dupbv( &op->o_conn->c_ndn, &op->o_conn->c_dn );
308                         }
309                         op->o_tmpfree( op->orb_edn.bv_val, op->o_tmpmemctx );
310                         op->orb_edn.bv_val = NULL;
311                         op->orb_edn.bv_len = 0;
312                         op->o_conn->c_authmech = op->o_conn->c_sasl_bind_mech;
313                         op->o_conn->c_sasl_bind_mech.bv_val = NULL;
314                         op->o_conn->c_sasl_bind_mech.bv_len = 0;
315                         op->o_conn->c_sasl_bind_in_progress = 0;
316
317                         op->o_conn->c_sasl_ssf = op->orb_ssf;
318                         if( op->orb_ssf > op->o_conn->c_ssf ) {
319                                 op->o_conn->c_ssf = op->orb_ssf;
320                         }
321
322                         if( op->o_conn->c_dn.bv_len != 0 ) {
323                                 ber_len_t max = sockbuf_max_incoming_auth;
324                                 ber_sockbuf_ctrl( op->o_conn->c_sb,
325                                         LBER_SB_OPT_SET_MAX_INCOMING, &max );
326                         }
327
328                         /* log authorization identity */
329                         Statslog( LDAP_DEBUG_STATS,
330                                 "conn=%lu op=%lu BIND dn=\"%s\" mech=%s ssf=%d\n",
331                                 op->o_connid, op->o_opid,
332                                 op->o_conn->c_dn.bv_val ? op->o_conn->c_dn.bv_val : "<empty>",
333                                 op->o_conn->c_authmech.bv_val, op->orb_ssf );
334
335 #ifdef NEW_LOGGING
336                         LDAP_LOG( OPERATION, DETAIL1, 
337                                 "do_bind: SASL/%s bind: dn=\"%s\" ssf=%d\n",
338                                 op->o_conn->c_authmech.bv_val,
339                                 op->o_conn->c_dn.bv_val ? op->o_conn->c_dn.bv_val : "<empty>",
340                                 op->orb_ssf );
341 #else
342                         Debug( LDAP_DEBUG_TRACE,
343                                 "do_bind: SASL/%s bind: dn=\"%s\" ssf=%d\n",
344                                 op->o_conn->c_authmech.bv_val,
345                                 op->o_conn->c_dn.bv_val ? op->o_conn->c_dn.bv_val : "<empty>",
346                                 op->orb_ssf );
347 #endif
348
349                 } else if ( rs->sr_err == LDAP_SASL_BIND_IN_PROGRESS ) {
350                         op->o_conn->c_sasl_bind_in_progress = 1;
351
352                 } else {
353                         if ( op->o_conn->c_sasl_bind_mech.bv_val ) {
354                                 free( op->o_conn->c_sasl_bind_mech.bv_val );
355                                 op->o_conn->c_sasl_bind_mech.bv_val = NULL;
356                                 op->o_conn->c_sasl_bind_mech.bv_len = 0;
357                         }
358                         op->o_conn->c_sasl_bind_in_progress = 0;
359                 }
360
361 #ifdef LDAP_SLAPI
362 #define pb      op->o_pb
363                 /*
364                  * Normally post-operation plugins are called only after the
365                  * backend operation. Because the front-end performs SASL
366                  * binds on behalf of the backend, we'll make a special
367                  * exception to call the post-operation plugins after a
368                  * SASL bind.
369                  */
370                 if ( pb ) {
371                         slapi_int_pblock_set_operation( pb, op );
372                         slapi_pblock_set( pb, SLAPI_BIND_TARGET, (void *)dn.bv_val );
373                         slapi_pblock_set( pb, SLAPI_BIND_METHOD, (void *)method );
374                         slapi_pblock_set( pb, SLAPI_BIND_CREDENTIALS, (void *)&op->orb_cred );
375                         slapi_pblock_set( pb, SLAPI_MANAGEDSAIT, (void *)(0) );
376                         (void) slapi_int_call_plugins( op->o_bd, SLAPI_PLUGIN_POST_BIND_FN, pb );
377                 }
378 #endif /* LDAP_SLAPI */
379
380                 ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
381
382                 goto cleanup;
383
384         } else {
385                 /* Not SASL, cancel any in-progress bind */
386                 ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
387
388                 if ( op->o_conn->c_sasl_bind_mech.bv_val != NULL ) {
389                         free(op->o_conn->c_sasl_bind_mech.bv_val);
390                         op->o_conn->c_sasl_bind_mech.bv_val = NULL;
391                         op->o_conn->c_sasl_bind_mech.bv_len = 0;
392                 }
393                 op->o_conn->c_sasl_bind_in_progress = 0;
394
395                 slap_sasl_reset( op->o_conn );
396                 ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
397         }
398
399         if ( method == LDAP_AUTH_SIMPLE ) {
400                 ber_str2bv( "SIMPLE", sizeof("SIMPLE")-1, 0, &mech );
401                 /* accept "anonymous" binds */
402                 if ( op->orb_cred.bv_len == 0 || op->o_req_ndn.bv_len == 0 ) {
403                         rs->sr_err = LDAP_SUCCESS;
404
405                         if( op->orb_cred.bv_len &&
406                                 !( global_allows & SLAP_ALLOW_BIND_ANON_CRED ))
407                         {
408                                 /* cred is not empty, disallow */
409                                 rs->sr_err = LDAP_INVALID_CREDENTIALS;
410
411                         } else if ( op->o_req_ndn.bv_len &&
412                                 !( global_allows & SLAP_ALLOW_BIND_ANON_DN ))
413                         {
414                                 /* DN is not empty, disallow */
415                                 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
416                                 rs->sr_text =
417                                         "unauthenticated bind (DN with no password) disallowed";
418
419                         } else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) {
420                                 /* disallow */
421                                 rs->sr_err = LDAP_INAPPROPRIATE_AUTH;
422                                 rs->sr_text = "anonymous bind disallowed";
423
424                         } else {
425                                 backend_check_restrictions( op, rs, &mech );
426                         }
427
428                         /*
429                          * we already forced connection to "anonymous",
430                          * just need to send success
431                          */
432                         send_ldap_result( op, rs );
433 #ifdef NEW_LOGGING
434                         LDAP_LOG( OPERATION, DETAIL1, 
435                                    "do_bind: conn %d  v%d anonymous bind\n",
436                                    op->o_connid, version , 0 );
437 #else
438                         Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n",
439                                 version, 0, 0 );
440 #endif
441                         goto cleanup;
442
443                 } else if ( global_disallows & SLAP_DISALLOW_BIND_SIMPLE ) {
444                         /* disallow simple authentication */
445                         rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
446                         rs->sr_text = "unwilling to perform simple authentication";
447
448                         send_ldap_result( op, rs );
449 #ifdef NEW_LOGGING
450                         LDAP_LOG( OPERATION, INFO, 
451                                 "do_bind: conn %d  v%d simple bind(%s) disallowed\n",
452                                 op->o_connid, version, op->o_req_ndn.bv_val );
453 #else
454                         Debug( LDAP_DEBUG_TRACE,
455                                 "do_bind: v%d simple bind(%s) disallowed\n",
456                                 version, op->o_req_ndn.bv_val, 0 );
457 #endif
458                         goto cleanup;
459                 }
460
461 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
462         } else if ( method == LDAP_AUTH_KRBV41 || method == LDAP_AUTH_KRBV42 ) {
463                 if ( global_disallows & SLAP_DISALLOW_BIND_KRBV4 ) {
464                         /* disallow simple authentication */
465                         rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
466                         rs->sr_text = "unwilling to perform Kerberos V4 bind";
467
468                         send_ldap_result( op, rs );
469 #ifdef NEW_LOGGING
470                         LDAP_LOG( OPERATION, DETAIL1, 
471                                 "do_bind: conn %d  v%d Kerberos V4 bind\n",
472                                 op->o_connid, version , 0 );
473 #else
474                         Debug( LDAP_DEBUG_TRACE, "do_bind: v%d Kerberos V4 bind\n",
475                                 version, 0, 0 );
476 #endif
477                         goto cleanup;
478                 }
479                 ber_str2bv( "KRBV4", sizeof("KRBV4")-1, 0, &mech );
480 #endif
481
482         } else {
483                 rs->sr_err = LDAP_AUTH_METHOD_NOT_SUPPORTED;
484                 rs->sr_text = "unknown authentication method";
485
486                 send_ldap_result( op, rs );
487 #ifdef NEW_LOGGING
488                 LDAP_LOG( OPERATION, INFO, 
489                         "do_bind: conn %ld  v%d unknown authentication method (%ld)\n",
490                         op->o_connid, version, method );
491 #else
492                 Debug( LDAP_DEBUG_TRACE,
493                         "do_bind: v%d unknown authentication method (%ld)\n",
494                         version, method, 0 );
495 #endif
496                 goto cleanup;
497         }
498
499         /*
500          * We could be serving multiple database backends.  Select the
501          * appropriate one, or send a referral to our "referral server"
502          * if we don't hold it.
503          */
504
505         if ( (op->o_bd = select_backend( &op->o_req_ndn, 0, 0 )) == NULL ) {
506                 if ( default_referral ) {
507                         rs->sr_ref = referral_rewrite( default_referral,
508                                 NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT );
509                         if (!rs->sr_ref) rs->sr_ref = default_referral;
510
511                         rs->sr_err = LDAP_REFERRAL;
512                         send_ldap_result( op, rs );
513
514                         if (rs->sr_ref != default_referral) ber_bvarray_free( rs->sr_ref );
515
516                 } else {
517                         /* noSuchObject is not allowed to be returned by bind */
518                         rs->sr_err = LDAP_INVALID_CREDENTIALS;
519                         send_ldap_result( op, rs );
520                 }
521
522                 goto cleanup;
523         }
524
525         /* check restrictions */
526         if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
527                 send_ldap_result( op, rs );
528                 goto cleanup;
529         }
530
531 #if defined( LDAP_SLAPI )
532         if ( pb ) {
533                 int rc;
534                 slapi_int_pblock_set_operation( pb, op );
535                 slapi_pblock_set( pb, SLAPI_BIND_TARGET, (void *)dn.bv_val );
536                 slapi_pblock_set( pb, SLAPI_BIND_METHOD, (void *)method );
537                 slapi_pblock_set( pb, SLAPI_BIND_CREDENTIALS, (void *)&op->orb_cred );
538                 slapi_pblock_set( pb, SLAPI_MANAGEDSAIT, (void *)(0) );
539                 slapi_pblock_set( pb, SLAPI_CONN_DN, (void *)(0) );
540
541                 rc = slapi_int_call_plugins( op->o_bd, SLAPI_PLUGIN_PRE_BIND_FN, pb );
542
543 #ifdef NEW_LOGGING
544                 LDAP_LOG( OPERATION, INFO,
545                         "do_bind: Bind preoperation plugin returned %d\n",
546                         rs->sr_err, 0, 0);
547 #else
548                 Debug(LDAP_DEBUG_TRACE,
549                         "do_bind: Bind preoperation plugin returned %d.\n",
550                         rs->sr_err, 0, 0);
551 #endif
552
553                 switch ( rc ) {
554                 case SLAPI_BIND_SUCCESS:
555                         /* Continue with backend processing */
556                         break;
557                 case SLAPI_BIND_FAIL:
558                         /* Failure, server sends result */
559                         rs->sr_err = LDAP_INVALID_CREDENTIALS;
560                         send_ldap_result( op, rs );
561                         goto cleanup;
562                         break;
563                 case SLAPI_BIND_ANONYMOUS:
564                         /* SLAPI_BIND_ANONYMOUS is undocumented XXX */
565                 default:
566                         /* Authoritative, plugin sent result, or no plugins called. */
567                         if ( slapi_pblock_get( op->o_pb, SLAPI_RESULT_CODE,
568                                 (void *)&rs->sr_err) != 0 )
569                         {
570                                 rs->sr_err = LDAP_OTHER;
571                         }
572
573                         op->orb_edn.bv_val = NULL;
574                         op->orb_edn.bv_len = 0;
575
576                         if ( rs->sr_err == LDAP_SUCCESS ) {
577                                 slapi_pblock_get( pb, SLAPI_CONN_DN, (void *)&op->orb_edn.bv_val );
578                                 if ( op->orb_edn.bv_val == NULL ) {
579                                         if ( rc == 1 ) {
580                                                 /* No plugins were called; continue. */
581                                                 break;
582                                         }
583                                 } else {
584                                         op->orb_edn.bv_len = strlen( op->orb_edn.bv_val );
585                                 }
586                                 rs->sr_err = dnPrettyNormal( NULL, &op->orb_edn,
587                                         &op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx );
588                                 ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
589                                 ber_dupbv(&op->o_conn->c_dn, &op->o_req_dn);
590                                 ber_dupbv(&op->o_conn->c_ndn, &op->o_req_ndn);
591                                 op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
592                                 op->o_req_dn.bv_val = NULL;
593                                 op->o_req_dn.bv_len = 0;
594                                 op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
595                                 op->o_req_ndn.bv_val = NULL;
596                                 op->o_req_ndn.bv_len = 0;
597                                 if ( op->o_conn->c_dn.bv_len != 0 ) {
598                                         ber_len_t max = sockbuf_max_incoming_auth;
599                                         ber_sockbuf_ctrl( op->o_conn->c_sb,
600                                                 LBER_SB_OPT_SET_MAX_INCOMING, &max );
601                                 }
602                                 /* log authorization identity */
603                                 Statslog( LDAP_DEBUG_STATS,
604                                         "conn=%lu op=%lu BIND dn=\"%s\" mech=%s (SLAPI) ssf=0\n",
605                                         op->o_connid, op->o_opid,
606                                         op->o_conn->c_dn.bv_val ? op->o_conn->c_dn.bv_val : "<empty>",
607                                         mech.bv_val, 0 );
608                                 ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
609                         }
610                         goto cleanup;
611                         break;
612                 }
613         }
614 #endif /* defined( LDAP_SLAPI ) */
615
616         if( op->o_bd->be_bind ) {
617                 op->orb_method = method;
618                 rs->sr_err = (op->o_bd->be_bind)( op, rs );
619
620                 if ( rs->sr_err == 0 ) {
621                         ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
622
623                         if( op->o_conn->c_authz_backend == NULL ) {
624                                 op->o_conn->c_authz_backend = op->o_bd;
625                         }
626
627                         /* be_bind returns regular/global edn */
628                         if( op->orb_edn.bv_len ) {
629                                 op->o_conn->c_dn = op->orb_edn;
630                         } else {
631                                 ber_dupbv(&op->o_conn->c_dn, &op->o_req_dn);
632                         }
633
634                         ber_dupbv( &op->o_conn->c_ndn, &op->o_req_ndn );
635
636                         if( op->o_conn->c_dn.bv_len != 0 ) {
637                                 ber_len_t max = sockbuf_max_incoming_auth;
638                                 ber_sockbuf_ctrl( op->o_conn->c_sb,
639                                         LBER_SB_OPT_SET_MAX_INCOMING, &max );
640                         }
641
642                         /* log authorization identity */
643                         Statslog( LDAP_DEBUG_STATS,
644                                 "conn=%lu op=%lu BIND dn=\"%s\" mech=%s ssf=0\n",
645                                 op->o_connid, op->o_opid,
646                                 op->o_conn->c_dn.bv_val, mech.bv_val, 0 );
647
648 #ifdef NEW_LOGGING
649                         LDAP_LOG( OPERATION, DETAIL1, 
650                                 "do_bind: v%d bind: \"%s\" to \"%s\" \n",
651                                 version, op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_val );
652 #else
653                         Debug( LDAP_DEBUG_TRACE,
654                                 "do_bind: v%d bind: \"%s\" to \"%s\"\n",
655                                 version, dn.bv_val, op->o_conn->c_dn.bv_val );
656 #endif
657
658                         ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
659
660                         /* send this here to avoid a race condition */
661                         send_ldap_result( op, rs );
662
663                 } else if (op->orb_edn.bv_val != NULL) {
664                         free( op->orb_edn.bv_val );
665                 }
666
667         } else {
668                 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
669                         "operation not supported within naming context" );
670         }
671
672 #if defined( LDAP_SLAPI )
673         if ( pb != NULL && slapi_int_call_plugins( op->o_bd, SLAPI_PLUGIN_POST_BIND_FN, pb ) < 0 ) {
674 #ifdef NEW_LOGGING
675                 LDAP_LOG( OPERATION, INFO,
676                         "do_bind: Bind postoperation plugins failed\n",
677                         0, 0, 0);
678 #else
679                 Debug(LDAP_DEBUG_TRACE,
680                         "do_bind: Bind postoperation plugins failed.\n",
681                         0, 0, 0);
682 #endif
683         }
684 #endif /* defined( LDAP_SLAPI ) */
685
686 cleanup:
687         if ( rs->sr_err == LDAP_SUCCESS ) {
688                 if ( method != LDAP_AUTH_SASL ) {
689                         ber_dupbv( &op->o_conn->c_authmech, &mech );
690                 }
691                 op->o_conn->c_authtype = method;
692         }
693
694         op->o_conn->c_sasl_bindop = NULL;
695
696         if( op->o_req_dn.bv_val != NULL ) {
697                 sl_free( op->o_req_dn.bv_val, op->o_tmpmemctx );
698                 op->o_req_dn.bv_val = NULL;
699         }
700         if( op->o_req_ndn.bv_val != NULL ) {
701                 sl_free( op->o_req_ndn.bv_val, op->o_tmpmemctx );
702                 op->o_req_ndn.bv_val = NULL;
703         }
704
705         return rs->sr_err;
706 }