git.sur5r.net Git - openldap/blob - servers/slapd/bind.c

   1 /* bind.c - decode an ldap bind operation and pass it to a backend db */
   2 /* $OpenLDAP$ */
   3 /*
   4  * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
   5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   6  */
   7
   8 /*
   9  * Copyright (c) 1995 Regents of the University of Michigan.
  10  * All rights reserved.
  11  *
  12  * Redistribution and use in source and binary forms are permitted
  13  * provided that this notice is preserved and that due credit is given
  14  * to the University of Michigan at Ann Arbor. The name of the University
  15  * may not be used to endorse or promote products derived from this
  16  * software without specific prior written permission. This software
  17  * is provided ``as is'' without express or implied warranty.
  18  */
  19
  20 #include "portable.h"
  21
  22 #include <stdio.h>
  23
  24 #include <ac/string.h>
  25 #include <ac/socket.h>
  26
  27 #include "ldap_pvt.h"
  28 #include "slap.h"
  29
  30 int
  31 do_bind(
  32     Connection  *conn,
  33     Operation   *op
  34 )
  35 {
  36         BerElement      *ber = op->o_ber;
  37         ber_int_t               version;
  38         ber_tag_t method;
  39         char            *mech;
  40         char            *saslmech;
  41         char            *dn;
  42         char *ndn;
  43         ber_tag_t       tag;
  44         int                     rc = LDAP_SUCCESS;
  45         const char      *text;
  46         struct berval   cred;
  47         Backend         *be;
  48
  49         Debug( LDAP_DEBUG_TRACE, "do_bind\n", 0, 0, 0 );
  50
  51         dn = NULL;
  52         ndn = NULL;
  53         mech = NULL;
  54         cred.bv_val = NULL;
  55
  56         /*
  57          * Force to connection to "anonymous" until bind succeeds.
  58          */
  59         ldap_pvt_thread_mutex_lock( &conn->c_mutex );
  60         connection2anonymous( conn );
  61         ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
  62
  63         if ( op->o_dn != NULL ) {
  64                 free( op->o_dn );
  65                 op->o_dn = ch_strdup( "" );
  66         }
  67
  68         if ( op->o_ndn != NULL ) {
  69                 free( op->o_ndn );
  70                 op->o_ndn = ch_strdup( "" );
  71         }
  72
  73         /*
  74          * Parse the bind request.  It looks like this:
  75          *
  76          *      BindRequest ::= SEQUENCE {
  77          *              version         INTEGER,                 -- version
  78          *              name            DistinguishedName,       -- dn
  79          *              authentication  CHOICE {
  80          *                      simple          [0] OCTET STRING -- passwd
  81          *                      krbv42ldap      [1] OCTET STRING
  82          *                      krbv42dsa       [2] OCTET STRING
  83          *                      SASL            [3] SaslCredentials
  84          *              }
  85          *      }
  86          *
  87          *      SaslCredentials ::= SEQUENCE {
  88      *          mechanism           LDAPString,
  89      *          credentials         OCTET STRING OPTIONAL
  90          *      }
  91          */
  92
  93         tag = ber_scanf( ber, "{iat" /*}*/, &version, &dn, &method );
  94
  95         if ( tag == LBER_ERROR ) {
  96                 Debug( LDAP_DEBUG_ANY, "bind: ber_scanf failed\n", 0, 0, 0 );
  97                 send_ldap_disconnect( conn, op,
  98                         LDAP_PROTOCOL_ERROR, "decoding error" );
  99                 rc = -1;
 100                 goto cleanup;
 101         }
 102
 103         op->o_protocol = version;
 104
 105         if( method != LDAP_AUTH_SASL ) {
 106                 tag = ber_scanf( ber, /*{*/ "o}", &cred );
 107
 108         } else {
 109                 tag = ber_scanf( ber, "{a" /*}*/, &mech );
 110
 111                 if ( tag != LBER_ERROR ) {
 112                         ber_len_t len;
 113                         tag = ber_peek_tag( ber, &len );
 114
 115                         if ( tag == LDAP_TAG_LDAPCRED ) {
 116                                 tag = ber_scanf( ber, "o", &cred );
 117                         }
 118
 119                         if ( tag != LBER_ERROR ) {
 120                                 tag = ber_scanf( ber, /*{{*/ "}}" );
 121                         }
 122                 }
 123         }
 124
 125         if ( tag == LBER_ERROR ) {
 126                 send_ldap_disconnect( conn, op,
 127                         LDAP_PROTOCOL_ERROR,
 128                 "decoding error" );
 129                 rc = SLAPD_DISCONNECT;
 130                 goto cleanup;
 131         }
 132
 133         if( (rc = get_ctrls( conn, op, 1 )) != LDAP_SUCCESS ) {
 134                 Debug( LDAP_DEBUG_ANY, "do_bind: get_ctrls failed\n", 0, 0, 0 );
 135                 goto cleanup;
 136         }
 137
 138         ndn = ch_strdup( dn );
 139
 140         if ( dn_normalize( ndn ) == NULL ) {
 141                 Debug( LDAP_DEBUG_ANY, "bind: invalid dn (%s)\n", dn, 0, 0 );
 142                 send_ldap_result( conn, op, rc = LDAP_INVALID_DN_SYNTAX, NULL,
 143                     "invalid DN", NULL, NULL );
 144                 goto cleanup;
 145         }
 146
 147         if( method == LDAP_AUTH_SASL ) {
 148                 Debug( LDAP_DEBUG_TRACE, "do_sasl_bind: dn (%s) mech %s\n",
 149                         dn, mech, NULL );
 150         } else {
 151                 Debug( LDAP_DEBUG_TRACE, "do_bind: version=%ld dn=\"%s\" method=%ld\n",
 152                         (unsigned long) version, dn, (unsigned long) method );
 153         }
 154
 155         Statslog( LDAP_DEBUG_STATS, "conn=%ld op=%d BIND dn=\"%s\" method=%ld\n",
 156             op->o_connid, op->o_opid, ndn, (unsigned long) method, 0 );
 157
 158         if ( version < LDAP_VERSION_MIN || version > LDAP_VERSION_MAX ) {
 159                 Debug( LDAP_DEBUG_ANY, "do_bind: unknown version=%ld\n",
 160                         (unsigned long) version, 0, 0 );
 161                 send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR,
 162                         NULL, "requested protocol version not supported", NULL, NULL );
 163                 goto cleanup;
 164
 165         } else if (( global_disallows & SLAP_DISALLOW_BIND_V2 ) &&
 166                 version < LDAP_VERSION3 )
 167         {
 168                 send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR,
 169                         NULL, "requested protocol version not allowed", NULL, NULL );
 170                 goto cleanup;
 171         }
 172
 173         /* we set connection version regardless of whether bind succeeds
 174          * or not.
 175          */
 176         ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 177         conn->c_protocol = version;
 178         ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 179
 180         if ( method == LDAP_AUTH_SASL ) {
 181                 char *edn;
 182                 slap_ssf_t ssf = 0;
 183
 184                 if ( version < LDAP_VERSION3 ) {
 185                         Debug( LDAP_DEBUG_ANY, "do_bind: sasl with LDAPv%ld\n",
 186                                 (unsigned long) version, 0, 0 );
 187                         send_ldap_disconnect( conn, op,
 188                                 LDAP_PROTOCOL_ERROR, "SASL bind requires LDAPv3" );
 189                         rc = SLAPD_DISCONNECT;
 190                         goto cleanup;
 191                 }
 192
 193                 if( mech == NULL || *mech == '\0' ) {
 194                         Debug( LDAP_DEBUG_ANY,
 195                                 "do_bind: no sasl mechanism provided\n",
 196                                 0, 0, 0 );
 197                         send_ldap_result( conn, op, rc = LDAP_AUTH_METHOD_NOT_SUPPORTED,
 198                                 NULL, "no SASL mechanism provided", NULL, NULL );
 199                         goto cleanup;
 200                 }
 201
 202                 ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 203
 204                 if ( conn->c_sasl_bind_mech != NULL ) {
 205                         /* SASL bind is in progress */
 206                         saslmech = NULL;
 207
 208                         if((strcmp(conn->c_sasl_bind_mech, mech) != 0)) {
 209                                 /* mechanism changed */
 210                                 slap_sasl_reset(conn);
 211                         }
 212
 213                         free( conn->c_sasl_bind_mech );
 214                         conn->c_sasl_bind_mech = NULL;
 215
 216 #ifdef LDAP_DEBUG
 217                 } else {
 218                         /* SASL bind is NOT in progress */
 219                         saslmech = mech;
 220                         assert( conn->c_sasl_bind_mech == NULL );
 221 #endif
 222                 }
 223
 224                 ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 225
 226                 edn = NULL;
 227                 rc = slap_sasl_bind( conn, op, dn, ndn, saslmech, &cred,
 228                         &edn, &ssf );
 229
 230                 if( rc == LDAP_SUCCESS ) {
 231                         ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 232                         conn->c_dn = edn;
 233                         conn->c_authmech = mech;
 234                         if( ssf ) conn->c_sasl_layers++;
 235                         conn->c_sasl_ssf = ssf;
 236                         if( ssf > conn->c_ssf ) {
 237                                 conn->c_ssf = ssf;
 238                         }
 239                         ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 240
 241                 } else if ( rc == LDAP_SASL_BIND_IN_PROGRESS ) {
 242                         conn->c_sasl_bind_mech = mech;
 243                 }
 244
 245                 mech = NULL;
 246
 247                 goto cleanup;
 248
 249         } else {
 250                 /* Not SASL, cancel any in-progress bind */
 251                 ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 252
 253                 if ( conn->c_sasl_bind_mech != NULL ) {
 254                         assert( conn->c_sasl_bind_in_progress );
 255
 256                         free(conn->c_sasl_bind_mech);
 257                         conn->c_sasl_bind_mech = NULL;
 258
 259                 } else {
 260                         assert( !conn->c_sasl_bind_in_progress );
 261                 }
 262
 263                 slap_sasl_reset( conn );
 264                 ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 265         }
 266
 267         if ( method == LDAP_AUTH_SIMPLE ) {
 268                 /* accept "anonymous" binds */
 269                 if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) {
 270                         rc = LDAP_SUCCESS;
 271                         text = NULL;
 272
 273                         if( cred.bv_len &&
 274                                 ( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED ))
 275                         {
 276                                 /* cred is not empty, disallow */
 277                                 rc = LDAP_INVALID_CREDENTIALS;
 278
 279                         } else if ( ndn != NULL && *ndn != '\0' &&
 280                                 ( global_disallows & SLAP_DISALLOW_BIND_ANON_DN ))
 281                         {
 282                                 /* DN is not empty, disallow */
 283                                 rc = LDAP_UNWILLING_TO_PERFORM;
 284                                 text = "unwilling to allow anonymous bind with non-empty DN";
 285
 286                         } else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) {
 287                                 /* disallow */
 288                                 rc = LDAP_INAPPROPRIATE_AUTH;
 289                                 text = "anonymous bind disallowed";
 290                         }
 291
 292                         /*
 293                          * we already forced connection to "anonymous",
 294                          * just need to send success
 295                          */
 296                         send_ldap_result( conn, op, rc,
 297                                 NULL, text, NULL, NULL );
 298                         Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n",
 299                                 version, 0, 0 );
 300                         goto cleanup;
 301
 302                 } else if ( global_disallows & SLAP_DISALLOW_BIND_SIMPLE ) {
 303                         /* disallow simple authentication */
 304                         rc = LDAP_UNWILLING_TO_PERFORM;
 305                         text = "unwilling to perform simple authentication";
 306
 307                         send_ldap_result( conn, op, rc,
 308                                 NULL, text, NULL, NULL );
 309                         Debug( LDAP_DEBUG_TRACE,
 310                                 "do_bind: v%d simple bind(%s) disallowed\n",
 311                                 version, ndn, 0 );
 312                         goto cleanup;
 313                 }
 314
 315 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
 316         } else if ( method == LDAP_AUTH_KRBV41 || method == LDAP_AUTH_KRBV42 ) {
 317                 if ( global_disallows & SLAP_DISALLOW_BIND_KRBV4 ) {
 318                         /* disallow simple authentication */
 319                         rc = LDAP_UNWILLING_TO_PERFORM;
 320                         text = "unwilling to perform Kerberos V4 bind";
 321
 322                         send_ldap_result( conn, op, rc,
 323                                 NULL, text, NULL, NULL );
 324                         Debug( LDAP_DEBUG_TRACE, "do_bind: v%d Kerberos V4 bind\n",
 325                                 version, 0, 0 );
 326                         goto cleanup;
 327                 }
 328 #endif
 329
 330         } else {
 331                 rc = LDAP_AUTH_UNKNOWN;
 332                 text = "unknown authentication method";
 333
 334                 send_ldap_result( conn, op, rc,
 335                         NULL, text, NULL, NULL );
 336                 Debug( LDAP_DEBUG_TRACE,
 337                         "do_bind: v%d unknown authentication method (%d)\n",
 338                         version, method, 0 );
 339                 goto cleanup;
 340         }
 341
 342         /*
 343          * We could be serving multiple database backends.  Select the
 344          * appropriate one, or send a referral to our "referral server"
 345          * if we don't hold it.
 346          */
 347
 348         if ( (be = select_backend( ndn )) == NULL ) {
 349                 if ( default_referral ) {
 350                         send_ldap_result( conn, op, rc = LDAP_REFERRAL,
 351                                 NULL, NULL, default_referral, NULL );
 352
 353                 } else {
 354                         /* noSuchObject is not allowed to be returned by bind */
 355                         send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
 356                                 NULL, NULL, NULL, NULL );
 357                 }
 358
 359                 goto cleanup;
 360         }
 361
 362         /* check restrictions */
 363         rc = backend_check_restrictions( be, conn, op, NULL, &text ) ;
 364         if( rc != LDAP_SUCCESS ) {
 365                 send_ldap_result( conn, op, rc,
 366                         NULL, text, NULL, NULL );
 367                 goto cleanup;
 368         }
 369
 370         conn->c_authz_backend = be;
 371
 372         if ( be->be_bind ) {
 373                 int ret;
 374                 /* alias suffix */
 375                 char *edn = NULL;
 376
 377                 /* deref suffix alias if appropriate */
 378                 ndn = suffix_alias( be, ndn );
 379
 380                 ret = (*be->be_bind)( be, conn, op, dn, ndn,
 381                         method, &cred, &edn );
 382
 383                 if ( ret == 0 ) {
 384                         ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 385
 386                         conn->c_cdn = dn;
 387                         dn = NULL;
 388
 389                         if(edn != NULL) {
 390                                 conn->c_dn = edn;
 391                         } else {
 392                                 conn->c_dn = ndn;
 393                                 ndn = NULL;
 394                         }
 395
 396                         Debug( LDAP_DEBUG_TRACE, "do_bind: v%d bind: \"%s\" to \"%s\"\n",
 397                         version, conn->c_cdn, conn->c_dn );
 398
 399                         ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 400
 401                         /* send this here to avoid a race condition */
 402                         send_ldap_result( conn, op, LDAP_SUCCESS,
 403                                 NULL, NULL, NULL, NULL );
 404
 405                 } else if (edn != NULL) {
 406                         free( edn );
 407                 }
 408
 409         } else {
 410                 send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
 411                         NULL, "operation not supported within namingContext", NULL, NULL );
 412         }
 413
 414 cleanup:
 415         if( rc != LDAP_SASL_BIND_IN_PROGRESS ) {
 416                 ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 417
 418                 /* dispose of mech */
 419                 free( conn->c_sasl_bind_mech );
 420                 conn->c_sasl_bind_mech = NULL;
 421
 422                 ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 423         }
 424
 425         if( dn != NULL ) {
 426                 free( dn );
 427         }
 428         if( ndn != NULL ) {
 429                 free( ndn );
 430         }
 431         if ( mech != NULL ) {
 432                 free( mech );
 433         }
 434         if ( cred.bv_val != NULL ) {
 435                 free( cred.bv_val );
 436         }
 437
 438         return rc;
 439 }