X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fback-bdb%2Fbind.c;h=5072dbfcf63c1b0b652564d7d0340fd97753d4fd;hb=bf3f0a1ad0c474ff8b9181fc8749943776a29db6;hp=371bc15fb4cf2b4f80be3b4f076b0c45b20055a3;hpb=d474789d0dec6dc481156b2c78ffe8545987bdbb;p=openldap

diff --git a/servers/slapd/back-bdb/bind.c b/servers/slapd/back-bdb/bind.c
index 371bc15fb4..5072dbfcf6 100644
--- a/servers/slapd/back-bdb/bind.c
+++ b/servers/slapd/back-bdb/bind.c
@@ -1,249 +1,172 @@
 /* bind.c - bdb backend bind routine */
 /* $OpenLDAP$ */
-/*
- * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 2000-2007 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
  */
 
 #include "portable.h"
 
 #include <stdio.h>
-#include <ac/krb.h>
 #include <ac/string.h>
 #include <ac/unistd.h>
 
 #include "back-bdb.h"
-#include "external.h"
 
 int
-bdb_bind(
-	Backend		*be,
-	Connection		*conn,
-	Operation		*op,
-	struct berval		*dn,
-	struct berval		*ndn,
-	int			method,
-	struct berval	*cred,
-	struct berval	*edn
-)
+bdb_bind( Operation *op, SlapReply *rs )
 {
-	struct bdb_info *bdb = (struct bdb_info *) be->be_private;
+	struct bdb_info *bdb = (struct bdb_info *) op->o_bd->be_private;
 	Entry		*e;
 	Attribute	*a;
-	int		rc;
-	Entry		*matched;
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-	char		krbname[MAX_K_NAME_SZ + 1];
-	AttributeDescription *krbattr = slap_schema.si_ad_krbName;
-	AUTH_DAT	ad;
-#endif
+	EntryInfo	*ei;
 
 	AttributeDescription *password = slap_schema.si_ad_userPassword;
 
-	Debug( LDAP_DEBUG_ARGS, "==> bdb_bind: dn: %s\n", dn->bv_val, 0, 0);
+	BDB_LOCKER	locker;
+	DB_LOCK		lock;
 
-	/* get entry */
-	rc = bdb_dn2entry( be, NULL, ndn->bv_val, &e, &matched, 0 );
+	Debug( LDAP_DEBUG_ARGS,
+		"==> " LDAP_XSTRING(bdb_bind) ": dn: %s\n",
+		op->o_req_dn.bv_val, 0, 0);
 
-	switch(rc) {
-	case DB_NOTFOUND:
+	/* allow noauth binds */
+	switch ( be_rootdn_bind( op, NULL ) ) {
+	case LDAP_SUCCESS:
+		/* frontend will send result */
+		return rs->sr_err;
+
+	default:
+		/* give the database a chanche */
+		/* NOTE: this behavior departs from that of other backends,
+		 * since the others, in case of password checking failure
+		 * do not give the database a chance.  If an entry with
+		 * rootdn's name does not exist in the database the result
+		 * will be the same.  See ITS#4962 for discussion. */
+		break;
+	}
+
+	rs->sr_err = LOCK_ID(bdb->bi_dbenv, &locker);
+	switch(rs->sr_err) {
 	case 0:
 		break;
 	default:
-		send_ldap_result( conn, op, rc=LDAP_OTHER,
-			NULL, "internal error", NULL, NULL );
-		return rc;
+		rs->sr_text = "internal error";
+		send_ldap_result( op, rs );
+		return rs->sr_err;
 	}
 
+dn2entry_retry:
 	/* get entry with reader lock */
-	if ( e == NULL ) {
-		char *matched_dn = NULL;
-		struct berval **refs;
-
-		if( matched != NULL ) {
-			matched_dn = ch_strdup( matched->e_dn );
+	rs->sr_err = bdb_dn2entry( op, NULL, &op->o_req_ndn, &ei, 1,
+		locker, &lock );
 
-			refs = is_entry_referral( matched )
-				? get_entry_referrals( be, conn, op, matched,
-					dn->bv_val, LDAP_SCOPE_DEFAULT )
-				: NULL;
-
-			bdb_entry_return( be, matched );
-			matched = NULL;
+	switch(rs->sr_err) {
+	case DB_NOTFOUND:
+	case 0:
+		break;
+	case LDAP_BUSY:
+		send_ldap_error( op, rs, LDAP_BUSY, "ldap_server_busy" );
+		LOCK_ID_FREE(bdb->bi_dbenv, locker);
+		return LDAP_BUSY;
+	case DB_LOCK_DEADLOCK:
+	case DB_LOCK_NOTGRANTED:
+		goto dn2entry_retry;
+	default:
+		send_ldap_error( op, rs, LDAP_OTHER, "internal error" );
+		LOCK_ID_FREE(bdb->bi_dbenv, locker);
+		return rs->sr_err;
+	}
 
-		} else {
-			refs = referral_rewrite( default_referral,
-				NULL, dn->bv_val, LDAP_SCOPE_DEFAULT );
+	e = ei->bei_e;
+	if ( rs->sr_err == DB_NOTFOUND ) {
+		if( e != NULL ) {
+			bdb_cache_return_entry_r( bdb, e, &lock );
+			e = NULL;
 		}
 
-		/* allow noauth binds */
-		rc = 1;
-		if ( method == LDAP_AUTH_SIMPLE ) {
-			if ( be_isroot_pw( be, conn, ndn, cred ) ) {
-				ber_dupbv( edn, be_root_dn( be ) );
-				rc = LDAP_SUCCESS; /* front end will send result */
-
-			} else if ( refs != NULL ) {
-				send_ldap_result( conn, op, rc = LDAP_REFERRAL,
-					matched_dn, NULL, refs, NULL );
-
-			} else {
-				send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
-					NULL, NULL, NULL, NULL );
-			}
-
-		} else if ( refs != NULL ) {
-			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
-				matched_dn, NULL, refs, NULL );
-
-		} else {
-			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
-				NULL, NULL, NULL, NULL );
-		}
+		rs->sr_err = LDAP_INVALID_CREDENTIALS;
+		send_ldap_result( op, rs );
 
-		ber_bvecfree( refs );
-		free( matched_dn );
+		LOCK_ID_FREE(bdb->bi_dbenv, locker);
 
-		return rc;
+		return rs->sr_err;
 	}
 
-	ber_dupbv( edn, &e->e_name );
+	ber_dupbv( &op->oq_bind.rb_edn, &e->e_name );
 
 	/* check for deleted */
+	if ( is_entry_subentry( e ) ) {
+		/* entry is an subentry, don't allow bind */
+		Debug( LDAP_DEBUG_TRACE, "entry is subentry\n", 0,
+			0, 0 );
+		rs->sr_err = LDAP_INVALID_CREDENTIALS;
+		goto done;
+	}
 
 	if ( is_entry_alias( e ) ) {
 		/* entry is an alias, don't allow bind */
-		Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
-			0, 0 );
-
-		send_ldap_result( conn, op, rc = LDAP_ALIAS_PROBLEM,
-			NULL, "entry is alias", NULL, NULL );
-
+		Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0, 0, 0 );
+		rs->sr_err = LDAP_INVALID_CREDENTIALS;
 		goto done;
 	}
 
 	if ( is_entry_referral( e ) ) {
-		/* entry is a referral, don't allow bind */
-		struct berval **refs = get_entry_referrals( be,
-			conn, op, e, dn->bv_val, LDAP_SCOPE_DEFAULT );
-
 		Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
 			0, 0 );
-
-		if( refs != NULL ) {
-			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
-				e->e_dn, NULL, refs, NULL );
-
-		} else {
-			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
-				NULL, NULL, NULL, NULL );
-		}
-
-		ber_bvecfree( refs );
-
+		rs->sr_err = LDAP_INVALID_CREDENTIALS;
 		goto done;
 	}
 
-	switch ( method ) {
+	switch ( op->oq_bind.rb_method ) {
 	case LDAP_AUTH_SIMPLE:
-		/* check for root dn/passwd */
-		if ( be_isroot_pw( be, conn, ndn, cred ) ) {
-			/* front end will send result */
-			if(edn->bv_val != NULL) free( edn->bv_val );
-			ber_dupbv( edn, be_root_dn( be ) );
-			rc = LDAP_SUCCESS;
+		a = attr_find( e->e_attrs, password );
+		if ( a == NULL ) {
+			rs->sr_err = LDAP_INVALID_CREDENTIALS;
 			goto done;
 		}
 
-		if ( ! access_allowed( be, conn, op, e,
-			password, NULL, ACL_AUTH ) )
+		if ( slap_passwd_check( op, e, a, &op->oq_bind.rb_cred,
+					&rs->sr_text ) != 0 )
 		{
-			send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
-				NULL, NULL, NULL, NULL );
+			/* failure; stop front end from sending result */
+			rs->sr_err = LDAP_INVALID_CREDENTIALS;
 			goto done;
 		}
-
-		if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
-			send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
-				NULL, NULL, NULL, NULL );
-			goto done;
-		}
-
-		if ( slap_passwd_check( conn, a, cred ) != 0 ) {
-			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
-				NULL, NULL, NULL, NULL );
-			goto done;
-		}
-
-		rc = 0;
-		break;
-
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-	case LDAP_AUTH_KRBV41:
-		if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
-			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
-				NULL, NULL, NULL, NULL );
-			goto done;
-		}
-
-		if ( ! access_allowed( be, conn, op, e,
-			krbattr, NULL, ACL_AUTH ) )
-		{
-			send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
-				NULL, NULL, NULL, NULL );
-			goto done;
-		}
-
-		sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
-			: "", ad.pinst, ad.prealm );
-
-		if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
-			/*
-			 * no krbname values present: check against DN
-			 */
-			if ( strcasecmp( dn, krbname ) == 0 ) {
-				rc = 0;
-				break;
-			}
-			send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH,
-				NULL, NULL, NULL, NULL );
-			goto done;
-
-		} else {	/* look for krbname match */
-			struct berval	krbval;
-
-			krbval.bv_val = krbname;
-			krbval.bv_len = strlen( krbname );
-
-			if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
-				send_ldap_result( conn, op,
-					rc = LDAP_INVALID_CREDENTIALS,
-					NULL, NULL, NULL, NULL );
-				goto done;
-			}
-		}
-		rc = 0;
+			
+		rs->sr_err = 0;
 		break;
 
-	case LDAP_AUTH_KRBV42:
-		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
-			NULL, "Kerberos bind step 2 not supported",
-			NULL, NULL );
-		goto done;
-#endif
-
 	default:
-		send_ldap_result( conn, op, rc = LDAP_STRONG_AUTH_NOT_SUPPORTED,
-			NULL, "authentication method not supported", NULL, NULL );
-		goto done;
+		assert( 0 ); /* should not be reachable */
+		rs->sr_err = LDAP_STRONG_AUTH_NOT_SUPPORTED;
+		rs->sr_text = "authentication method not supported";
 	}
 
 done:
 	/* free entry and reader lock */
 	if( e != NULL ) {
-		bdb_entry_return( be, e );
+		bdb_cache_return_entry_r( bdb, e, &lock );
 	}
 
-	/* front end with send result on success (rc==0) */
-	return rc;
+	LOCK_ID_FREE(bdb->bi_dbenv, locker);
+
+	if ( rs->sr_err ) {
+		send_ldap_result( op, rs );
+		if ( rs->sr_ref ) {
+			ber_bvarray_free( rs->sr_ref );
+			rs->sr_ref = NULL;
+		}
+	}
+	/* front end will send result on success (rs->sr_err==0) */
+	return rs->sr_err;
 }