X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=libraries%2Flibldap%2Fkbind.c;h=1da20d716fe55209204b20a251188ba53d162f55;hb=a2c6a984270a536432d027a1b5f4830ae3f44176;hp=2831226ed8cde851a96525d06931cfd6cbff263e;hpb=2a869f5a99f537b246ba8640502e2a86117cb6e8;p=openldap
diff --git a/libraries/libldap/kbind.c b/libraries/libldap/kbind.c
index 2831226ed8..1da20d716f 100644
--- a/libraries/libldap/kbind.c
+++ b/libraries/libldap/kbind.c
@@ -1,32 +1,51 @@
+/* $OpenLDAP$ */
 /*
+ * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+/* Portions
  * Copyright (c) 1993 Regents of the University of Michigan.
  * All rights reserved.
  *
  * kbind.c
  */
-#include "portable.h"
-
-#ifndef lint
-static char copyright[] = "@(#) Copyright (c) 1993 Regents of the University of Michigan.\nAll rights reserved.\n";
+/*
+ * BindRequest ::= SEQUENCE {
+ * version INTEGER,
+ * name DistinguishedName, -- who
+ * authentication CHOICE {
+ * simple [0] OCTET STRING -- passwd
+#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
+ * krbv42ldap [1] OCTET STRING
+ * krbv42dsa [2] OCTET STRING
 #endif
+ * sasl [3] SaslCredentials -- LDAPv3
+ * }
+ * }
+ *
+ * BindResponse ::= SEQUENCE {
+ * COMPONENTS OF LDAPResult,
+ * serverSaslCreds OCTET STRING OPTIONAL -- LDAPv3
+ * }
+ *
+ */
-#ifdef HAVE_KERBEROS
+#include "portable.h"
+
+#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
 #include
-#include
+#include
 #include
 #include
 #include
 #include
-#include "lber.h"
-#include "ldap.h"
 #include "ldap-int.h"
-
 /*
  * ldap_kerberos_bind1 - initiate a bind to the ldap server using
  * kerberos authentication. The dn is supplied. It is assumed the user
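Review bot: The `#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND` / `#endif` pair placed inside the new BindRequest block comment (between the `simple` and `sasl` lines) is comment text, not a preprocessor directive, so it documents the feature switch but has no effect on compilation; a reader scanning for conditional compilation can mistake it for a real guard. If the intent is purely documentary, writing it as comment text makes that explicit, e.g. ` * -- krbv42ldap/krbv42dsa only with LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND`. The `#include` lines in this hunk have lost their arguments in this rendering, so the header set itself could not be checked here.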
@@ -38,31 +57,20 @@ static char copyright[] = "@(#) Copyright (c) 1993 Regents of the University of
  * ldap_kerberos_bind1( ld, "cn=manager, o=university of michigan, c=us" )
  */
 int
-ldap_kerberos_bind1( LDAP *ld, char *dn )
+ldap_kerberos_bind1( LDAP *ld, LDAP_CONST char *dn )
 {
 BerElement *ber;
 char *cred;
- int rc, credlen;
- char *ldap_get_kerberosv4_credentials();
-#ifdef STR_TRANSLATION
- int str_translation_on;
-#endif /* STR_TRANSLATION */
-
- /*
- * The bind request looks like this:
- * BindRequest ::= SEQUENCE {
- * version INTEGER,
- * name DistinguishedName,
- * authentication CHOICE {
- * krbv42ldap [1] OCTET STRING
- * krbv42dsa [2] OCTET STRING
- * }
- * }
- * all wrapped up in an LDAPMessage sequence.
- */
+ int rc;
+ ber_len_t credlen;
 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind1\n", 0, 0, 0 );
+ if( ld->ld_version > LDAP_VERSION2 ) {
+ ld->ld_errno = LDAP_NOT_SUPPORTED;
+ return -1;
+ }
+
 if ( dn == NULL )
 dn = "";
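Review bot: The new `ld->ld_version > LDAP_VERSION2` guard carries no comment saying why a Kerberos V4 bind is refused, and the identical guard is added again in ldap_kerberos_bind2 (hunk @@ -145,18 +140,20 @@). A one-line comment ties it to the ASN.1 in the file header, where the krbv42ldap/krbv42dsa choices are listed only under the LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND branch: `/* the krbv41/krbv42 bind choices exist only in LDAPv2; refuse on v3 */`. If a third caller ever needs the same check, a small static helper would keep the two copies from drifting. ldap_kerberos_bind1's body continues past the end of this hunk.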
@@ -72,36 +80,23 @@ ldap_kerberos_bind1( LDAP *ld, char *dn )
 }
 /* create a message to send */
- if ( (ber = ldap_alloc_ber_with_options( ld )) == NULLBER ) {
- free( cred );
+ if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) {
+ LDAP_FREE( cred );
 return( -1 );
 }
-#ifdef STR_TRANSLATION
- if (( str_translation_on = (( ber->ber_options &
- LBER_TRANSLATE_STRINGS ) != 0 ))) { /* turn translation off */
- ber->ber_options &= ~LBER_TRANSLATE_STRINGS;
- }
-#endif /* STR_TRANSLATION */
-
 /* fill it in */
- rc = ber_printf( ber, "{it{isto}}", ++ld->ld_msgid, LDAP_REQ_BIND,
+ rc = ber_printf( ber, "{it{istoN}N}", ++ld->ld_msgid, LDAP_REQ_BIND,
 ld->ld_version, dn, LDAP_AUTH_KRBV41, cred, credlen );
-#ifdef STR_TRANSLATION
- if ( str_translation_on ) { /* restore translation */
- ber->ber_options |= LBER_TRANSLATE_STRINGS;
- }
-#endif /* STR_TRANSLATION */
-
 if ( rc == -1 ) {
- free( cred );
+ LDAP_FREE( cred );
 ber_free( ber, 1 );
 ld->ld_errno = LDAP_ENCODING_ERROR;
 return( -1 );
 }
- free( cred );
+ LDAP_FREE( cred );
 #ifndef LDAP_NOCACHE
 if ( ld->ld_cache != NULL ) {
@@ -114,7 +109,7 @@ ldap_kerberos_bind1( LDAP *ld, char *dn )
 }
 int
-ldap_kerberos_bind1_s( LDAP *ld, char *dn )
+ldap_kerberos_bind1_s( LDAP *ld, LDAP_CONST char *dn )
 {
 int msgid;
 LDAPMessage *res;
@@ -145,18 +140,20 @@ ldap_kerberos_bind1_s( LDAP *ld, char *dn )
  * ldap_kerberos_bind2( ld, "cn=manager, o=university of michigan, c=us" )
  */
 int
-ldap_kerberos_bind2( LDAP *ld, char *dn )
+ldap_kerberos_bind2( LDAP *ld, LDAP_CONST char *dn )
 {
 BerElement *ber;
 char *cred;
- int rc, credlen;
- char *ldap_get_kerberosv4_credentials();
-#ifdef STR_TRANSLATION
- int str_translation_on;
-#endif /* STR_TRANSLATION */
+ int rc;
+ ber_len_t credlen;
 Debug( LDAP_DEBUG_TRACE, "ldap_kerberos_bind2\n", 0, 0, 0 );
+ if( ld->ld_version > LDAP_VERSION2 ) {
+ ld->ld_errno = LDAP_NOT_SUPPORTED;
+ return -1;
+ }
+
 if ( dn == NULL )
 dn = "";
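Review bot: `LDAP_FREE( cred )` is now called in two places in ldap_kerberos_bind1 — inside the `rc == -1` branch and again after it — whereas the parallel change to ldap_kerberos_bind2 in the next hunk frees `cred` once, before the `rc` check. Hoisting the free the same way here keeps the two functions parallel and leaves only one exit-path free to keep in sync: put `LDAP_FREE( cred );` directly after the `ber_printf` call and drop the copy inside the branch. ldap_kerberos_bind1 starts before this hunk and its body continues after it.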
@@ -166,30 +163,17 @@ ldap_kerberos_bind2( LDAP *ld, char *dn )
 }
 /* create a message to send */
- if ( (ber = ldap_alloc_ber_with_options( ld )) == NULLBER ) {
- free( cred );
+ if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) {
+ LDAP_FREE( cred );
 return( -1 );
 }
-#ifdef STR_TRANSLATION
- if (( str_translation_on = (( ber->ber_options &
- LBER_TRANSLATE_STRINGS ) != 0 ))) { /* turn translation off */
- ber->ber_options &= ~LBER_TRANSLATE_STRINGS;
- }
-#endif /* STR_TRANSLATION */
-
 /* fill it in */
- rc = ber_printf( ber, "{it{isto}}", ++ld->ld_msgid, LDAP_REQ_BIND,
+ rc = ber_printf( ber, "{it{istoN}N}", ++ld->ld_msgid, LDAP_REQ_BIND,
 ld->ld_version, dn, LDAP_AUTH_KRBV42, cred, credlen );
-#ifdef STR_TRANSLATION
- if ( str_translation_on ) { /* restore translation */
- ber->ber_options |= LBER_TRANSLATE_STRINGS;
- }
-#endif /* STR_TRANSLATION */
-
- free( cred );
+ LDAP_FREE( cred );
 if ( rc == -1 ) {
 ber_free( ber, 1 );
@@ -203,7 +187,7 @@ ldap_kerberos_bind2( LDAP *ld, char *dn )
 /* synchronous bind to DSA using kerberos */
 int
-ldap_kerberos_bind2_s( LDAP *ld, char *dn )
+ldap_kerberos_bind2_s( LDAP *ld, LDAP_CONST char *dn )
 {
 int msgid;
 LDAPMessage *res;
@@ -225,7 +209,7 @@ ldap_kerberos_bind2_s( LDAP *ld, char *dn )
 /* synchronous bind to ldap and DSA using kerberos */
 int
-ldap_kerberos_bind_s( LDAP *ld, char *dn )
+ldap_kerberos_bind_s( LDAP *ld, LDAP_CONST char *dn )
 {
 int err;
@@ -246,7 +230,11 @@ ldap_kerberos_bind_s( LDAP *ld, char *dn )
  */
 char *
-ldap_get_kerberosv4_credentials( LDAP *ld, char *who, char *service, int *len )
+ldap_get_kerberosv4_credentials(
+ LDAP *ld,
+ LDAP_CONST char *who,
+ LDAP_CONST char *service,
+ ber_len_t *len )
 {
 KTEXT_ST ktxt;
 int err;
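Review bot: The reworked prototype of ldap_get_kerberosv4_credentials (hunk @@ -246,7 +230,11 @@) has no comment stating that the returned buffer is allocated with LDAP_MALLOC and owned by the caller, or that `*len` is written only on success; both ldap_kerberos_bind1 and ldap_kerberos_bind2 rely on exactly that when they `LDAP_FREE( cred )`. The header comment that closes with ` */` at the top of that hunk is the natural place: add `Returns an LDAP_MALLOC'd credential buffer the caller must LDAP_FREE, storing its length in *len; returns NULL on failure and leaves *len untouched.` The function body continues in the following hunk.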
@@ -255,39 +243,40 @@ ldap_get_kerberosv4_credentials( LDAP *ld, char *who, char *service, int *len )
 Debug( LDAP_DEBUG_TRACE, "ldap_get_kerberosv4_credentials\n", 0, 0, 0 );
 if ( (err = krb_get_tf_realm( tkt_string(), realm )) != KSUCCESS ) {
-#ifdef LDAP_LIBUI
- fprintf( stderr, "krb_get_tf_realm failed (%s)\n",
- krb_err_txt[err] );
-#endif /* LDAP_LIBUI */
- ld->ld_errno = LDAP_INVALID_CREDENTIALS;
+ Debug( LDAP_DEBUG_ANY, "ldap_get_kerberosv4_credentials: "
+ "krb_get_tf_realm failed: %s\n", krb_err_txt[err], 0, 0 );
+ ld->ld_errno = LDAP_AUTH_UNKNOWN;
 return( NULL );
 }
-#ifdef LDAP_REFERRALS
+ if ( ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, NULL ) == -1 ) {
+ /* not connected yet */
+ int rc = ldap_open_defconn( ld );
+
+ if( rc < 0 ) return NULL;
+ }
+
 krbinstance = ld->ld_defconn->lconn_krbinstance;
-#else /* LDAP_REFERRALS */
- krbinstance = ld->ld_host;
-#endif /* LDAP_REFERRALS */
 if ( (err = krb_mk_req( &ktxt, service, krbinstance, realm, 0 ))
- != KSUCCESS ) {
-#ifdef LDAP_LIBUI
- fprintf( stderr, "krb_mk_req failed (%s)\n", krb_err_txt[err] );
-#endif /* LDAP_LIBUI */
- ld->ld_errno = LDAP_INVALID_CREDENTIALS;
+ != KSUCCESS )
+ {
+ Debug( LDAP_DEBUG_ANY, "ldap_get_kerberosv4_credentials: "
+ "krb_mk_req failed (%s)\n", krb_err_txt[err], 0, 0 );
+ ld->ld_errno = LDAP_AUTH_UNKNOWN;
 return( NULL );
 }
- if ( ( cred = malloc( ktxt.length )) == NULL ) {
+ if ( ( cred = LDAP_MALLOC( ktxt.length )) == NULL ) {
 ld->ld_errno = LDAP_NO_MEMORY;
 return( NULL );
 }
 *len = ktxt.length;
- memcpy( cred, ktxt.dat, ktxt.length );
+ AC_MEMCPY( cred, ktxt.dat, ktxt.length );
 return( cred );
 }
 #endif /* !AUTHMAN */
-#endif /* HAVE_KERBEROS */
+#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
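Review bot: `krbinstance = ld->ld_defconn->lconn_krbinstance;` dereferences `ld->ld_defconn` with no NULL check; the new `ber_sockbuf_ctrl` probe only calls ldap_open_defconn() when the sockbuf has no descriptor, and whether `ld_defconn` can still be NULL once a descriptor exists is not visible here, so a guard such as `if ( ld->ld_defconn == NULL ) { ld->ld_errno = LDAP_LOCAL_ERROR; return NULL; }` before the dereference would be cheap insurance. The `rc < 0` return after ldap_open_defconn() also returns NULL without touching `ld->ld_errno`, so the error the caller sees depends on ldap_open_defconn having set it — worth a comment or an explicit assignment. `krb_err_txt[err]` is indexed with the raw Kerberos return code in both Debug calls, as it already was before this change. The function starts before this hunk.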