git.sur5r.net Git - openldap/blob - servers/slapd/slapauth.c

   1 /* $OpenLDAP$ */
   2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   3  *
   4  * Copyright 2004-2015 The OpenLDAP Foundation.
   5  * Portions Copyright 2004 Pierangelo Masarati.
   6  * All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted only as authorized by the OpenLDAP
  10  * Public License.
  11  *
  12  * A copy of this license is available in file LICENSE in the
  13  * top-level directory of the distribution or, alternatively, at
  14  * <http://www.OpenLDAP.org/license.html>.
  15  */
  16 /* ACKNOWLEDGEMENTS:
  17  * This work was initially developed by Pierangelo Masarati for inclusion
  18  * in OpenLDAP Software.
  19  */
  20
  21 #include "portable.h"
  22
  23 #include <stdio.h>
  24
  25 #include <ac/stdlib.h>
  26
  27 #include <ac/ctype.h>
  28 #include <ac/string.h>
  29 #include <ac/socket.h>
  30 #include <ac/unistd.h>
  31
  32 #include <lber.h>
  33 #include <ldif.h>
  34 #include <lutil.h>
  35
  36 #include "slapcommon.h"
  37
  38 static int
  39 do_check( Connection *c, Operation *op, struct berval *id )
  40 {
  41         struct berval   authcdn;
  42         int             rc;
  43
  44         rc = slap_sasl_getdn( c, op, id, realm, &authcdn, SLAP_GETDN_AUTHCID );
  45         if ( rc != LDAP_SUCCESS ) {
  46                 fprintf( stderr, "ID: <%s> check failed %d (%s)\n",
  47                                 id->bv_val, rc,
  48                                 ldap_err2string( rc ) );
  49                 rc = 1;
  50
  51         } else {
  52                 if ( !BER_BVISNULL( &authzID ) ) {
  53                         rc = slap_sasl_authorized( op, &authcdn, &authzID );
  54
  55                         fprintf( stderr,
  56                                         "ID:      <%s>\n"
  57                                         "authcDN: <%s>\n"
  58                                         "authzDN: <%s>\n"
  59                                         "authorization %s\n",
  60                                         id->bv_val,
  61                                         authcdn.bv_val,
  62                                         authzID.bv_val,
  63                                         rc == LDAP_SUCCESS ? "OK" : "failed" );
  64
  65                 } else {
  66                         fprintf( stderr, "ID: <%s> check succeeded\n"
  67                                         "authcID:     <%s>\n",
  68                                         id->bv_val,
  69                                         authcdn.bv_val );
  70                         op->o_tmpfree( authcdn.bv_val, op->o_tmpmemctx );
  71                 }
  72                 rc = 0;
  73         }
  74
  75         return rc;
  76 }
  77
  78 int
  79 slapauth( int argc, char **argv )
  80 {
  81         int                     rc = EXIT_SUCCESS;
  82         const char              *progname = "slapauth";
  83         Connection              conn = {0};
  84         OperationBuffer opbuf;
  85         Operation               *op;
  86         void                    *thrctx;
  87
  88         slap_tool_init( progname, SLAPAUTH, argc, argv );
  89
  90         argv = &argv[ optind ];
  91         argc -= optind;
  92
  93         thrctx = ldap_pvt_thread_pool_context();
  94         connection_fake_init( &conn, &opbuf, thrctx );
  95         op = &opbuf.ob_op;
  96
  97         conn.c_sasl_bind_mech = mech;
  98
  99         if ( !BER_BVISNULL( &authzID ) ) {
 100                 struct berval   authzdn;
 101
 102                 rc = slap_sasl_getdn( &conn, op, &authzID, NULL, &authzdn,
 103                                 SLAP_GETDN_AUTHZID );
 104                 if ( rc != LDAP_SUCCESS ) {
 105                         fprintf( stderr, "authzID: <%s> check failed %d (%s)\n",
 106                                         authzID.bv_val, rc,
 107                                         ldap_err2string( rc ) );
 108                         rc = 1;
 109                         BER_BVZERO( &authzID );
 110                         goto destroy;
 111                 }
 112
 113                 authzID = authzdn;
 114         }
 115
 116
 117         if ( !BER_BVISNULL( &authcID ) ) {
 118                 if ( !BER_BVISNULL( &authzID ) || argc == 0 ) {
 119                         rc = do_check( &conn, op, &authcID );
 120                         goto destroy;
 121                 }
 122
 123                 for ( ; argc--; argv++ ) {
 124                         struct berval   authzdn;
 125
 126                         ber_str2bv( argv[ 0 ], 0, 0, &authzID );
 127
 128                         rc = slap_sasl_getdn( &conn, op, &authzID, NULL, &authzdn,
 129                                         SLAP_GETDN_AUTHZID );
 130                         if ( rc != LDAP_SUCCESS ) {
 131                                 fprintf( stderr, "authzID: <%s> check failed %d (%s)\n",
 132                                                 authzID.bv_val, rc,
 133                                                 ldap_err2string( rc ) );
 134                                 rc = -1;
 135                                 BER_BVZERO( &authzID );
 136                                 if ( !continuemode ) {
 137                                         goto destroy;
 138                                 }
 139                         }
 140
 141                         authzID = authzdn;
 142
 143                         rc = do_check( &conn, op, &authcID );
 144
 145                         op->o_tmpfree( authzID.bv_val, op->o_tmpmemctx );
 146                         BER_BVZERO( &authzID );
 147
 148                         if ( rc && !continuemode ) {
 149                                 goto destroy;
 150                         }
 151                 }
 152
 153                 goto destroy;
 154         }
 155
 156         for ( ; argc--; argv++ ) {
 157                 struct berval   id;
 158
 159                 ber_str2bv( argv[ 0 ], 0, 0, &id );
 160
 161                 rc = do_check( &conn, op, &id );
 162
 163                 if ( rc && !continuemode ) {
 164                         goto destroy;
 165                 }
 166         }
 167
 168 destroy:;
 169         if ( !BER_BVISNULL( &authzID ) ) {
 170                 op->o_tmpfree( authzID.bv_val, op->o_tmpmemctx );
 171         }
 172         if ( slap_tool_destroy())
 173                 rc = EXIT_FAILURE;
 174
 175         return rc;
 176 }
 177