cleanup
index ba5b546b7184b6370fefb1ba8e3684eab47ff94c..4cf7edcd401aa8dcd99b07ad869f212a3f41ca9d 100644 (file)
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2006 The OpenLDAP Foundation.
+ * Copyright 1998-2007 The OpenLDAP Foundation.
  * Portions Copyright 2003 Kurt D. Zeilenga.
  * Portions Copyright 2003 IBM Corporation.
  * All rights reserved.
@@ -32,6 +32,7 @@
 #include <ac/ctype.h>
 #include <ac/unistd.h>
 #include <ac/errno.h>
+#include <ac/time.h>
 
 #ifdef HAVE_CYRUS_SASL
 #ifdef HAVE_SASL_SASL_H
 
 #include "common.h"
 
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-#if !LDAP_DEPRECATED
-/* Necessary for old LDAPv2 Kerberos Bind methods */
-LDAP_F( int )
-ldap_bind LDAP_P((     /* deprecated */
-       LDAP *ld,
-       LDAP_CONST char *who,
-       LDAP_CONST char *passwd,
-       int authmethod ));
-#endif
-#endif
-
 /* input-related vars */
 
 /* misc. parameters */
@@ -104,6 +93,11 @@ char                *sasl_secprops = NULL;
 int            assertctl;
 char           *assertion = NULL;
 char           *authzid = NULL;
+/* support deprecated early version of proxyAuthz */
+#define LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ      "2.16.840.1.113730.3.4.12"
+#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
+char           *proxydn = NULL;
+#endif /* LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ */
 int            manageDIT = 0;
 int            manageDSAit = 0;
 int            noop = 0;
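Review bot: The `#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ` on the line after the `#define` can never be false, because the macro is defined unconditionally right above it instead of coming from a header, and the same always-true guard is repeated around the usage text, the `-e proxydn` parsing, the LDAPv2 check and tool_server_controls. If a build-time switch for this obsolete control is intended, make the definition conditional, `#ifndef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ` / `#define LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ "2.16.840.1.113730.3.4.12"` / `#endif`, or move it next to the other control OIDs in the library headers; otherwise the guards are dead text that suggests an option that does not exist.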
@@ -120,6 +114,9 @@ static int  chainingResolve = -1;
 static int     chainingContinuation = -1;
 #endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
 
+/* options */
+struct timeval nettimeout = { -1 , 0 };
+
 typedef int (*print_ctrl_fn)( LDAP *ld, LDAPControl *ctrl );
 
 static int print_preread( LDAP *ld, LDAPControl *ctrl );
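Review bot: The `-1` in `struct timeval nettimeout = { -1 , 0 };` is a sentinel that later hunks give three meanings (not given, `none` parsed to 0, `max` parsed to LDAP_MAXINT), and the only documentation is `/* options */`. State it at the definition: `/* network timeout for the connection: -1 = not given (library default), 0 = "none", >0 = seconds; set by -o nettimeout */`. The variable has external linkage like its neighbours, so common.h presumably needs a matching `extern` if other tools use it; that header is not part of this diff.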
@@ -182,33 +179,39 @@ N_("  -C         chase referrals (anonymously)\n"),
 N_("  -d level   set LDAP debugging level to `level'\n"),
 N_("  -D binddn  bind DN\n"),
 N_("  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)\n")
-N_("             [!]assert=<filter>     (an RFC 2254 Filter)\n")
+N_("             [!]assert=<filter>     (a RFC 4515 Filter string)\n")
 N_("             [!]authzid=<authzid>   (\"dn:<dn>\" or \"u:<user>\")\n")
+#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
+#if 0
+                 /* non-advertized support for proxyDN */
+N_("             [!]proxydn=<dn>        (a RFC 4514 DN string)\n")
+#endif
+#endif
 #ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
 N_("             [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]\n")
 N_("                     one of \"chainingPreferred\", \"chainingRequired\",\n")
 N_("                     \"referralsPreferred\", \"referralsRequired\"\n")
 #endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
-#ifdef LDAP_DEVEL
-N_("             [!]manageDIT\n")
-#endif
 N_("             [!]manageDSAit\n")
 N_("             [!]noop\n")
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
 N_("             ppolicy\n")
 #endif
 N_("             [!]postread[=<attrs>]  (a comma-separated attribute list)\n")
-N_("             [!]preread[=<attrs>]   (a comma-separated attribute list)\n"),
-N_("             abandon, cancel (SIGINT sends abandon/cancel; not really controls)\n")
+N_("             [!]preread[=<attrs>]   (a comma-separated attribute list)\n")
+#ifdef LDAP_DEVEL
+N_("             [!]relax\n")
+#endif
+N_("             abandon, cancel (SIGINT sends abandon/cancel; not really controls)\n"),
 N_("  -f file    read operations from `file'\n"),
 N_("  -h host    LDAP server\n"),
 N_("  -H URI     LDAP Uniform Resource Indentifier(s)\n"),
 N_("  -I         use SASL Interactive mode\n"),
-N_("  -k         use Kerberos authentication\n"),
-N_("  -K         like -k, but do only step 1 of the Kerberos bind\n"),
 N_("  -M         enable Manage DSA IT control (-MM to make critical)\n"),
 N_("  -n         show what would be done but don't actually do it\n"),
 N_("  -O props   SASL security properties\n"),
+N_("  -o <opt>[=<optparam] general options\n"),
+N_("             nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"),
 N_("  -p port    port on LDAP server\n"),
 N_("  -P version procotol version (default: 3)\n"),
 N_("  -Q         use SASL Quiet mode\n"),
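Review bot: The new `-o` usage line is missing the closing angle bracket in `[=<optparam]`; it should read `N_("  -o <opt>[=<optparam>] general options\n"),`. The added help text also says `a RFC 4515 Filter string` and `a RFC 4514 DN string`, which should be `an RFC …` in both places. The usage string array this hunk belongs to starts before the hunk.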
@@ -331,6 +334,12 @@ tool_args( int argc, char **argv )
                                        fprintf( stderr, "authzid control previously specified\n");
                                        exit( EXIT_FAILURE );
                                }
+#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
+                               if( proxydn != NULL ) {
+                                       fprintf( stderr, "authzid control incompatible with proxydn\n");
+                                       exit( EXIT_FAILURE );
+                               }
+#endif /* LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ */
                                if( cvalue == NULL ) {
                                        fprintf( stderr, "authzid: control value expected\n" );
                                        usage();
@@ -343,15 +352,40 @@ tool_args( int argc, char **argv )
                                assert( authzid == NULL );
                                authzid = cvalue;
 
-                       } else if ( strcasecmp( control, "manageDIT" ) == 0 ) {
+#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
+                       } else if ( strcasecmp( control, "proxydn" ) == 0 ) {
+                               if( proxydn != NULL ) {
+                                       fprintf( stderr, "proxydn control previously specified\n");
+                                       exit( EXIT_FAILURE );
+                               }
+                               if( authzid != NULL ) {
+                                       fprintf( stderr, "proxydn control incompatible with authzid\n");
+                                       exit( EXIT_FAILURE );
+                               }
+                               if( cvalue == NULL ) {
+                                       fprintf( stderr, "proxydn: control value expected\n" );
+                                       usage();
+                               }
+                               if( !crit ) {
+                                       fprintf( stderr, "proxydn: must be marked critical\n" );
+                                       usage();
+                               }
+
+                               assert( proxydn == NULL );
+                               proxydn = cvalue;
+#endif /* LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ */
+
+                       } else if ( ( strcasecmp( control, "relax" ) == 0 ) ||
+                               ( strcasecmp( control, "manageDIT" ) == 0 ) )
+                       {
                                if( manageDIT ) {
                                        fprintf( stderr,
-                                               "manageDIT control previously specified\n");
+                                               "relax control previously specified\n");
                                        exit( EXIT_FAILURE );
                                }
                                if( cvalue != NULL ) {
                                        fprintf( stderr,
-                                               "manageDIT: no control value expected\n" );
+                                               "relax: no control value expected\n" );
                                        usage();
                                }
 
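Review bot: The error messages in the `relax`/`manageDIT` branch now always say `relax`, even when the user typed `manageDIT`, because both spellings reach the same code; printing the name actually given keeps the diagnostic accurate for the still-accepted alias: `"%s control previously specified\n", control` and `"%s: no control value expected\n", control`. The proxydn branch mirrors the authzid checks and the `if( !crit )` requirement is reasonable for an obsolete control that a server may silently ignore otherwise. tool_args continues outside the hunk.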
@@ -515,32 +549,6 @@ tool_args( int argc, char **argv )
                                prog );
                        exit( EXIT_FAILURE );
 #endif
-               case 'k':       /* kerberos bind */
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-                       if( authmethod != -1 ) {
-                               fprintf( stderr, "%s: -k incompatible with previous "
-                                       "authentication choice\n", prog );
-                               exit( EXIT_FAILURE );
-                       }
-                       authmethod = LDAP_AUTH_KRBV4;
-#else
-                       fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
-                       exit( EXIT_FAILURE );
-#endif
-                       break;
-               case 'K':       /* kerberos bind, part one only */
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-                       if( authmethod != -1 ) {
-                               fprintf( stderr, "%s: incompatible with previous "
-                                       "authentication choice\n", prog );
-                               exit( EXIT_FAILURE );
-                       }
-                       authmethod = LDAP_AUTH_KRBV41;
-#else
-                       fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
-                       exit( EXIT_FAILURE );
-#endif
-                       break;
                case 'M':
                        /* enable Manage DSA IT */
                        manageDSAit++;
@@ -548,6 +556,45 @@ tool_args( int argc, char **argv )
                case 'n':       /* print operations, don't actually do them */
                        dont++;
                        break;
+               case 'o':
+                       control = ber_strdup( optarg );
+                       if ( (cvalue = strchr( control, '=' )) != NULL ) {
+                               *cvalue++ = '\0';
+                       }
+
+                       if ( strcasecmp( control, "nettimeout" ) == 0 ) {
+                               if( nettimeout.tv_sec != -1 ) {
+                                       fprintf( stderr, "nettimeout option previously specified\n");
+                                       exit( EXIT_FAILURE );
+                               }
+                               if( cvalue == NULL || cvalue[0] == '\0' ) {
+                                       fprintf( stderr, "nettimeout: option value expected\n" );
+                                       usage();
+                               }
+                               if ( strcasecmp( cvalue, "none" ) == 0 ) {
+                                       nettimeout.tv_sec = 0;
+                               } else if ( strcasecmp( cvalue, "max" ) == 0 ) {
+                                       nettimeout.tv_sec = LDAP_MAXINT;
+                               } else {
+                                       ival = strtol( cvalue, &next, 10 );
+                                       if ( next == NULL || next[0] != '\0' ) {
+                                               fprintf( stderr,
+                                                       _("Unable to parse network timeout \"%s\"\n"), cvalue );
+                                               exit( EXIT_FAILURE );
+                                       }
+                                       nettimeout.tv_sec = ival;
+                               }
+                               if( nettimeout.tv_sec < 0 || nettimeout.tv_sec > LDAP_MAXINT ) {
+                                       fprintf( stderr, _("%s: invalid network timeout (%ld) specified\n"),
+                                               prog, (long)nettimeout.tv_sec );
+                                       exit( EXIT_FAILURE );
+                               }
+                       } else {
+                               fprintf( stderr, "Invalid general option name: %s\n",
+                                       control );
+                               usage();
+                       }
+                       break;
                case 'O':
 #ifdef HAVE_CYRUS_SASL
                        if( sasl_secprops != NULL ) {
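Review bot: The strtol() call for `nettimeout` checks `next == NULL`, which strtol never produces, and does not check for overflow, so a value that saturates to LONG_MAX is reported as "invalid network timeout (…)" instead of as unparsable, and on a platform where `long` is 32 bits it may pass the `> LDAP_MAXINT` test and silently become the maximum (depends on how LDAP_MAXINT is defined — confirm). Set `errno = 0;` before the call and use `if ( next == cvalue || next[0] != '\0' || errno == ERANGE ) {`; `<ac/errno.h>` is already included by this file. `ival` and `next` are declared outside the hunk, presumably as `long` and `char *` — confirm, since storing `ival` into `tv_sec` and then range-checking `tv_sec` relies on that.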
@@ -826,6 +873,9 @@ tool_args( int argc, char **argv )
 
        if( protocol == LDAP_VERSION2 ) {
                if( assertctl || authzid || manageDIT || manageDSAit ||
+#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
+                       proxydn ||
+#endif /* LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ */
 #ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
                        chaining ||
 #endif
@@ -847,15 +897,6 @@ tool_args( int argc, char **argv )
                        exit( EXIT_FAILURE );
                }
 #endif
-
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-       } else {
-               if ( authmethod == LDAP_AUTH_KRBV4 || authmethod == LDAP_AUTH_KRBV41 ) {
-                       fprintf( stderr, "%s: -k/-K incompatible with LDAPv%d\n",
-                               prog, protocol );
-                       exit( EXIT_FAILURE );
-               }
-#endif
        }
 }
 
@@ -944,6 +985,16 @@ tool_conn_setup( int dont, void (*private_setup)( LDAP * ) )
                                }
                        }
                }
+
+               if ( nettimeout.tv_sec > 0 ) {
+                       if ( ldap_set_option( ld, LDAP_OPT_NETWORK_TIMEOUT, (void *) &nettimeout )
+                               != LDAP_OPT_SUCCESS )
+                       {
+                               fprintf( stderr, "Could not set LDAP_OPT_NETWORK_TIMEOUT %ld\n",
+                                       (long)nettimeout.tv_sec );
+                               exit( EXIT_FAILURE );
+                       }
+               }
        }
 
        return ld;
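Review bot: The `nettimeout.tv_sec > 0` test makes `-o nettimeout=none` (parsed to 0 in the option hunk) indistinguishable from the not-given default of -1, so in that case ldap_set_option is never called and the option cannot override a timeout the library may already hold from its own configuration; if `none` is meant to force "no timeout", the test should be `>= 0` and the library's treatment of a zero timeval confirmed. The failure message is also the only one in the new code not wrapped for translation: `fprintf( stderr, _("Could not set LDAP_OPT_NETWORK_TIMEOUT %ld\n"), (long)nettimeout.tv_sec );`. tool_conn_setup begins before this hunk.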
@@ -953,19 +1004,28 @@ tool_conn_setup( int dont, void (*private_setup)( LDAP * ) )
 void
 tool_bind( LDAP *ld )
 {
+       LDAPControl     **sctrlsp = NULL;
+       LDAPControl     *sctrls[2];
+       int             nsctrls = 0;
+
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
+       LDAPControl c;
        if ( ppolicy ) {
-               LDAPControl *ctrls[2], c;
                c.ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST;
                c.ldctl_value.bv_val = NULL;
                c.ldctl_value.bv_len = 0;
                c.ldctl_iscritical = 0;
-               ctrls[0] = &c;
-               ctrls[1] = NULL;
-               ldap_set_option( ld, LDAP_OPT_SERVER_CONTROLS, ctrls );
+               sctrls[nsctrls] = &c;
+               sctrls[++nsctrls] = NULL;
        }
 #endif
 
+       if ( nsctrls ) {
+               sctrlsp = sctrls;
+       }
+
+       assert( nsctrls < sizeof(sctrls)/sizeof(sctrls[0]) );
+
        if ( authmethod == LDAP_AUTH_SASL ) {
 #ifdef HAVE_CYRUS_SASL
                void *defaults;
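Review bot: The `assert( nsctrls < sizeof(sctrls)/sizeof(sctrls[0]) )` runs after the stores to `sctrls[nsctrls]` and `sctrls[++nsctrls]`, so it can only report an overflow that has already happened, and it compares a signed `int` with a `size_t` (a -Wsign-compare warning). Move the check ahead of the stores and bound the slot being written plus the terminator, e.g. `assert( nsctrls + 1 < (int)(sizeof(sctrls)/sizeof(sctrls[0])) );` immediately before `sctrls[nsctrls] = &c;`. Hoisting `LDAPControl c` to function scope is required because `sctrlsp` is used after the `if`; a one-line comment would spare the next reader from moving it back, e.g. `/* must outlive the if: sctrls[] points at it until the bind call */`. tool_bind continues past the hunk.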
@@ -990,9 +1050,9 @@ tool_bind( LDAP *ld )
                        passwd.bv_val,
                        sasl_authz_id );
 
-               rc = ldap_sasl_interactive_bind_s( ld, binddn,
-                       sasl_mech, NULL, NULL,
-                       sasl_flags, lutil_sasl_interact, defaults );
+               rc = ldap_sasl_interactive_bind_s( ld, binddn, sasl_mech,
+                       sctrlsp,
+                       NULL, sasl_flags, lutil_sasl_interact, defaults );
 
                lutil_sasl_freedefs( defaults );
                if( rc != LDAP_SUCCESS ) {
@@ -1015,19 +1075,10 @@ tool_bind( LDAP *ld )
 
                msgbuf[0] = 0;
 
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-               if ( authmethod == LDAP_AUTH_KRBV4 || authmethod == LDAP_AUTH_KRBV41 ) {
-                       msgid = ldap_bind( ld, binddn, passwd.bv_val, authmethod );
-                       if ( msgid == -1 ) {
-                               tool_perror( "ldap_bind", -1, NULL, NULL, NULL, NULL );
-                               exit( LDAP_LOCAL_ERROR );
-                       }
-               } else
-#endif
                {
                        /* simple bind */
-                       rc = ldap_sasl_bind( ld, binddn, LDAP_SASL_SIMPLE,
-                               &passwd, NULL, NULL, &msgid );
+                       rc = ldap_sasl_bind( ld, binddn, LDAP_SASL_SIMPLE, &passwd,
+                               sctrlsp, NULL, &msgid );
                        if ( msgid == -1 ) {
                                tool_perror( "ldap_sasl_bind(SIMPLE)", rc,
                                        NULL, NULL, NULL, NULL );
@@ -1119,6 +1170,24 @@ tool_server_controls( LDAP *ld, LDAPControl *extra_c, int count )
        int i = 0, j, crit = 0, err;
        LDAPControl c[10], **ctrls;
 
+       if ( ! ( assertctl
+               || authzid
+#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
+               || proxydn
+#endif /* LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ */
+               || manageDIT
+               || manageDSAit
+               || noop
+               || preread
+               || postread
+#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
+               || chaining
+#endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
+               || count ) )
+       {
+               return;
+       }
+
        ctrls = (LDAPControl**) malloc(sizeof(c) + (count+1)*sizeof(LDAPControl*));
        if ( ctrls == NULL ) {
                fprintf( stderr, "No memory\n" );
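Review bot: The early-return condition enumerates every control the rest of the function can build, and nothing ties the two lists together, so a control added later below (as proxydn is in this commit) silently stops being sent unless this list is updated too; a comment above the `if` is cheap: `/* keep in sync with the controls built below: returning here skips ldap_set_option entirely */`. Returning here also leaves any server controls set by an earlier call untouched rather than resetting them — confirm that is intended if tool_server_controls can be called more than once per process. The function begins before the hunk.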
@@ -1155,13 +1224,37 @@ tool_server_controls( LDAP *ld, LDAPControl *extra_c, int count )
        }
 
        if ( authzid ) {
-               c[i].ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
                c[i].ldctl_value.bv_val = authzid;
                c[i].ldctl_value.bv_len = strlen( authzid );
+               c[i].ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
+               c[i].ldctl_iscritical = 1;
+               ctrls[i] = &c[i];
+               i++;
+       }
+
+#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
+       /* NOTE: doesn't need an extra count because it's incompatible
+        * with authzid */
+       if ( proxydn ) {
+               BerElementBuffer berbuf;
+               BerElement *ber = (BerElement *)&berbuf;
+               
+               ber_init2( ber, NULL, LBER_USE_DER );
+
+               if ( ber_printf( ber, "s", proxydn ) == LBER_ERROR ) {
+                       exit( EXIT_FAILURE );
+               }
+
+               if ( ber_flatten2( ber, &c[i].ldctl_value, 0 ) == -1 ) {
+                       exit( EXIT_FAILURE );
+               }
+
+               c[i].ldctl_oid = LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ;
                c[i].ldctl_iscritical = 1;
                ctrls[i] = &c[i];
                i++;
        }
+#endif /* LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ */
 
        if ( manageDIT ) {
                c[i].ldctl_oid = LDAP_CONTROL_MANAGEDIT;
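Review bot: Both failure paths for the proxydn control call `exit( EXIT_FAILURE )` without printing anything, unlike the `No memory` path above them, so the user gets a silent non-zero exit; add `fprintf( stderr, "proxydn: unable to encode control value\n" );` before each exit. `ber_flatten2( ber, &c[i].ldctl_value, 0 )` with alloc=0 presumably leaves `ldctl_value` pointing into the BerElement's own buffer, which is never released with ber_free_buf; acceptable for a process that exits soon after, but the ownership should be stated, e.g. `/* value aliases ber's buffer; ber is deliberately not freed so it stays valid until exit */` — confirm against the liblber semantics. The blank line after `BerElement *ber` carries trailing whitespace. tool_server_controls extends beyond the hunk on both sides.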
@@ -1424,7 +1517,7 @@ print_paged_results( LDAP *ld, LDAPControl *ctrl )
 
                if ( estimate > 0 ) {
                        ptr += snprintf( ptr, sizeof( buf ) - ( ptr - buf ),
-                               "estimate=%lu", estimate );
+                               "estimate=%d", estimate );
                }
 
                if ( pr_cookie.bv_len > 0 ) {
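Review bot: `"estimate=%d"` is only correct if `estimate` is an `int` (or a `ber_int_t` that is `int` on this platform); its declaration is outside the hunk, so confirm, since a mismatch would be the same undefined behaviour the old `%lu` had. Independently of this change, the surrounding `ptr += snprintf( ... )` adds the would-be length on truncation, so `sizeof( buf ) - ( ptr - buf )` can wrap on a later call; checking the return value or clamping `ptr` to `buf + sizeof( buf ) - 1` would close that. print_paged_results starts before the hunk.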
@@ -1592,7 +1685,7 @@ tool_is_oid( const char *s )
 {
        int             first = 1;
 
-       if ( !isdigit( s[ 0 ] ) ) {
+       if ( !isdigit( (unsigned char) s[ 0 ] ) ) {
                return 0;
        }
 
@@ -1605,7 +1698,7 @@ tool_is_oid( const char *s )
                        continue;
                }
 
-               if ( !isdigit( s[ 0 ] ) ) {
+               if ( !isdigit( (unsigned char) s[ 0 ] ) ) {
                        return 0;
                }