X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fback-ldap%2Fbind.c;h=09b23924d5f11d5313ac508e30c8350be7804559;hb=a0b5f5138b0888a019b7305de3ef2faf15907429;hp=cd88c667f5e75d4a1aac5ed851b798d5d4c14010;hpb=dc0eacd40b625258355eea866d62188e5aa7ce3b;p=openldap diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c index cd88c667f5..09b23924d5 100644 --- a/servers/slapd/back-ldap/bind.c +++ b/servers/slapd/back-ldap/bind.c @@ -16,7 +16,7 @@ * . */ /* ACKNOWLEDGEMENTS: - * This work was initially developed by the Howard Chu for inclusion + * This work was initially developed by Howard Chu for inclusion * in OpenLDAP Software and subsequently enhanced by Pierangelo * Masarati. */ @@ -25,6 +25,7 @@ #include +#include #include #include @@ -38,10 +39,11 @@ static LDAP_REBIND_PROC ldap_back_rebind; -#ifdef LDAP_BACK_PROXY_AUTHZ static int ldap_back_proxy_authz_bind( struct ldapconn *lc, Operation *op, SlapReply *rs ); -#endif /* LDAP_BACK_PROXY_AUTHZ */ + +static int +ldap_back_prepare_conn( struct ldapconn **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok ); int ldap_back_bind( Operation *op, SlapReply *rs ) @@ -52,9 +54,9 @@ ldap_back_bind( Operation *op, SlapReply *rs ) int rc = 0; ber_int_t msgid; - lc = ldap_back_getconn( op, rs ); + lc = ldap_back_getconn( op, rs, LDAP_BACK_SENDERR ); if ( !lc ) { - return( -1 ); + return rs->sr_err; } if ( !BER_BVISNULL( &lc->lc_bound_ndn ) ) { @@ -67,10 +69,14 @@ ldap_back_bind( Operation *op, SlapReply *rs ) rs->sr_err = ldap_sasl_bind( lc->lc_ld, op->o_req_dn.bv_val, LDAP_SASL_SIMPLE, &op->orb_cred, op->o_ctrls, NULL, &msgid ); - rc = ldap_back_op_result( lc, op, rs, msgid, 1 ); + rc = ldap_back_op_result( lc, op, rs, msgid, LDAP_BACK_SENDERR ); if ( rc == LDAP_SUCCESS ) { -#if defined(LDAP_BACK_PROXY_AUTHZ) + /* If defined, proxyAuthz will be used also when + * back-ldap is the authorizing backend; for this + * purpose, a successful bind is followed by a + * bind with the configured identity assertion */ + /* NOTE: use with care */ if ( li->idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) { ldap_back_proxy_authz_bind( lc, op, rs ); if ( lc->lc_bound == 0 ) { @@ -78,18 +84,16 @@ ldap_back_bind( Operation *op, SlapReply *rs ) goto done; } } -#endif /* LDAP_BACK_PROXY_AUTHZ */ lc->lc_bound = 1; ber_dupbv( &lc->lc_bound_ndn, &op->o_req_ndn ); - if ( li->savecred ) { + if ( LDAP_BACK_SAVECRED( li ) ) { if ( !BER_BVISNULL( &lc->lc_cred ) ) { memset( lc->lc_cred.bv_val, 0, lc->lc_cred.bv_len ); - ch_free( lc->lc_cred.bv_val ); } - ber_dupbv( &lc->lc_cred, &op->orb_cred ); + ber_bvreplace( &lc->lc_cred, &op->orb_cred ); ldap_set_rebind_proc( lc->lc_ld, ldap_back_rebind, lc ); } } @@ -97,23 +101,45 @@ done:; /* must re-insert if local DN changed as result of bind */ if ( lc->lc_bound && !dn_match( &op->o_req_ndn, &lc->lc_local_ndn ) ) { - int lerr; + int lerr; + + /* wait for all other ops to release the connection */ +retry_lock:; + switch ( ldap_pvt_thread_mutex_trylock( &li->conn_mutex ) ) { + case LDAP_PVT_THREAD_EBUSY: + default: + ldap_pvt_thread_yield(); + goto retry_lock; + + case 0: + if ( lc->lc_refcnt > 1 ) { + ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); + ldap_pvt_thread_yield(); + goto retry_lock; + } + break; + } - ldap_pvt_thread_mutex_lock( &li->conn_mutex ); + assert( lc->lc_refcnt == 1 ); lc = avl_delete( &li->conntree, (caddr_t)lc, ldap_back_conn_cmp ); - if ( !BER_BVISNULL( &lc->lc_local_ndn ) ) { - ch_free( lc->lc_local_ndn.bv_val ); - } - ber_dupbv( &lc->lc_local_ndn, &op->o_req_ndn ); + assert( lc != NULL ); + + ber_bvreplace( &lc->lc_local_ndn, &op->o_req_ndn ); lerr = avl_insert( &li->conntree, (caddr_t)lc, ldap_back_conn_cmp, ldap_back_conn_dup ); ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); if ( lerr == -1 ) { + /* we can do this because lc_refcnt == 1 */ ldap_back_conn_free( lc ); + lc = NULL; } } + if ( lc != NULL ) { + ldap_back_release_conn( op, rs, lc ); + } + return( rc ); } @@ -210,21 +236,225 @@ ldap_back_freeconn( Operation *op, struct ldapconn *lc ) struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private; ldap_pvt_thread_mutex_lock( &li->conn_mutex ); - lc = avl_delete( &li->conntree, (caddr_t)lc, - ldap_back_conn_cmp ); - ldap_back_conn_free( (void *)lc ); + + assert( lc->lc_refcnt > 0 ); + if ( --lc->lc_refcnt == 0 ) { + lc = avl_delete( &li->conntree, (caddr_t)lc, + ldap_back_conn_cmp ); + assert( lc != NULL ); + + ldap_back_conn_free( (void *)lc ); + } + ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); return 0; } +#ifdef HAVE_TLS +static int +ldap_back_start_tls( + LDAP *ld, + int protocol, + int *is_tls, + const char *url, + unsigned flags, + const char **text ) +{ + int rc = LDAP_SUCCESS; + struct ldapinfo li; + + /* this is ridicolous... */ + li.flags = flags; + + /* start TLS ("tls-[try-]{start,propagate}" statements) */ + if ( ( LDAP_BACK_USE_TLS( &li ) || ( *is_tls && LDAP_BACK_PROPAGATE_TLS( &li ) ) ) + && !ldap_is_ldaps_url( url ) ) + { +#ifdef SLAP_STARTTLS_ASYNCHRONOUS + /* + * use asynchronous StartTLS + * in case, chase referral (not implemented yet) + */ + int msgid; + + if ( protocol == 0 ) { + ldap_get_option( ld, LDAP_OPT_PROTOCOL_VERSION, + (void *)&protocol ); + } + + if ( protocol < LDAP_VERSION3 ) { + protocol = LDAP_VERSION3; + /* Set LDAP version */ + ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, + (const void *)&protocol ); + } + + rc = ldap_start_tls( ld, NULL, NULL, &msgid ); + if ( rc == LDAP_SUCCESS ) { + LDAPMessage *res = NULL; + int retries = 1; + struct timeval tv = { 0, 0 }; + +retry:; + rc = ldap_result( ld, msgid, LDAP_MSG_ALL, &tv, &res ); + if ( rc < 0 ) { + rc = LDAP_OTHER; + + } else if ( rc == 0 ) { + if ( retries ) { + retries--; + tv.tv_sec = 0; + tv.tv_usec = 100000; + goto retry; + } + rc = LDAP_OTHER; + + } else if ( rc == LDAP_RES_EXTENDED ) { + struct berval *data = NULL; + + rc = ldap_parse_extended_result( ld, res, + NULL, &data, 0 ); + if ( rc == LDAP_SUCCESS ) { + rc = ldap_result2error( ld, res, 1 ); + res = NULL; + + /* FIXME: in case a referral + * is returned, should we try + * using it instead of the + * configured URI? */ + if ( rc == LDAP_SUCCESS ) { + rc = ldap_install_tls( ld ); + + } else if ( rc == LDAP_REFERRAL ) { + rc = LDAP_OTHER; + *text = "unwilling to chase referral returned by Start TLS exop"; + } + + if ( data ) { + if ( data->bv_val ) { + ber_memfree( data->bv_val ); + } + ber_memfree( data ); + } + } + + } else { + rc = LDAP_OTHER; + } + + if ( res != NULL ) { + ldap_msgfree( res ); + } + } +#else /* ! SLAP_STARTTLS_ASYNCHRONOUS */ + /* + * use synchronous StartTLS + */ + rc = ldap_start_tls_s( ld, NULL, NULL ); +#endif /* ! SLAP_STARTTLS_ASYNCHRONOUS */ + + /* if StartTLS is requested, only attempt it if the URL + * is not "ldaps://"; this may occur not only in case + * of misconfiguration, but also when used in the chain + * overlay, where the "uri" can be parsed out of a referral */ + switch ( rc ) { + case LDAP_SUCCESS: + *is_tls = 1; + break; + + case LDAP_SERVER_DOWN: + break; + + default: + if ( LDAP_BACK_TLS_CRITICAL( &li ) ) { + *text = "could not start TLS"; + break; + } + + /* in case Start TLS is not critical */ + *is_tls = 0; + rc = LDAP_SUCCESS; + break; + } + + } else { + *is_tls = 0; + } + + return rc; +} +#endif /* HAVE_TLS */ + +static int +ldap_back_prepare_conn( struct ldapconn **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) +{ + struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; + int vers = op->o_protocol; + LDAP *ld = NULL; +#ifdef HAVE_TLS + int is_tls = op->o_conn->c_is_tls; +#endif /* HAVE_TLS */ + + assert( lcp != NULL ); + + rs->sr_err = ldap_initialize( &ld, li->url ); + if ( rs->sr_err != LDAP_SUCCESS ) { + goto error_return; + } + + /* Set LDAP version. This will always succeed: If the client + * bound with a particular version, then so can we. + */ + ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, (const void *)&vers ); + + /* automatically chase referrals ("[dont-]chase-referrals" statement) */ + if ( LDAP_BACK_CHASE_REFERRALS( li ) ) { + ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON ); + } + +#ifdef HAVE_TLS + rs->sr_err = ldap_back_start_tls( ld, + op->o_protocol, &is_tls, + li->url, li->flags, &rs->sr_text ); + if ( rs->sr_err != LDAP_SUCCESS ) { + ldap_unbind_ext( ld, NULL, NULL ); + goto error_return; + } +#endif /* HAVE_TLS */ + + if ( *lcp == NULL ) { + *lcp = (struct ldapconn *)ch_calloc( 1, sizeof( struct ldapconn ) ); + (*lcp)->lc_flags= li->flags; + } + (*lcp)->lc_ld = ld; + (*lcp)->lc_refcnt = 1; +#ifdef HAVE_TLS + (*lcp)->lc_is_tls = is_tls; +#endif /* HAVE_TLS */ + +error_return:; + if ( rs->sr_err != LDAP_SUCCESS ) { + rs->sr_err = slap_map_api2result( rs ); + if ( sendok & LDAP_BACK_SENDERR ) { + if ( rs->sr_text == NULL ) { + rs->sr_text = "ldap_initialize() failed"; + } + send_ldap_result( op, rs ); + rs->sr_text = NULL; + } + } + + return rs->sr_err; +} + struct ldapconn * -ldap_back_getconn( Operation *op, SlapReply *rs ) +ldap_back_getconn( Operation *op, SlapReply *rs, ldap_back_send_t sendok ) { struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; - struct ldapconn *lc, lc_curr; - LDAP *ld; - int is_priv = 0; + struct ldapconn *lc, + lc_curr = { 0 }; + int refcnt = 1; /* Searches for a ldapconn in the avl tree */ @@ -237,73 +467,100 @@ ldap_back_getconn( Operation *op, SlapReply *rs ) lc_curr.lc_conn = op->o_conn; } else { - lc_curr.lc_conn = NULL; +#ifdef HAVE_TLS + if ( op->o_conn->c_is_tls ) { + lc_curr.lc_conn = LDAP_BACK_PRIV_CONN_TLS; + } else +#endif /* HAVE_TLS */ + { + lc_curr.lc_conn = LDAP_BACK_PRIV_CONN; + } } /* Internal searches are privileged and shared. So is root. */ + /* FIXME: there seem to be concurrency issues */ if ( op->o_do_not_cache || be_isroot( op ) ) { lc_curr.lc_local_ndn = op->o_bd->be_rootndn; - lc_curr.lc_conn = NULL; - is_priv = 1; +#ifdef HAVE_TLS + if ( op->o_conn->c_is_tls ) { + lc_curr.lc_conn = LDAP_BACK_PRIV_CONN_TLS; + } else +#endif /* HAVE_TLS */ + { + lc_curr.lc_conn = LDAP_BACK_PRIV_CONN; + } + lc_curr.lc_ispriv = 1; } else { lc_curr.lc_local_ndn = op->o_ndn; } ldap_pvt_thread_mutex_lock( &li->conn_mutex ); + lc = (struct ldapconn *)avl_find( li->conntree, (caddr_t)&lc_curr, ldap_back_conn_cmp ); + if ( lc != NULL ) { + refcnt = ++lc->lc_refcnt; + } ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); /* Looks like we didn't get a bind. Open a new session... */ - if ( !lc ) { - int vers = op->o_protocol; - rs->sr_err = ldap_initialize( &ld, li->url ); - - if ( rs->sr_err != LDAP_SUCCESS ) { - rs->sr_err = slap_map_api2result( rs ); - if ( rs->sr_text == NULL ) { - rs->sr_text = "ldap_initialize() failed"; - } - if ( op->o_conn ) { - send_ldap_result( op, rs ); - } - rs->sr_text = NULL; - return( NULL ); + if ( lc == NULL ) { + if ( ldap_back_prepare_conn( &lc, op, rs, sendok ) != LDAP_SUCCESS ) { + return NULL; } - /* Set LDAP version. This will always succeed: If the client - * bound with a particular version, then so can we. - */ - ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, - (const void *)&vers ); - /* FIXME: configurable? */ - ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON ); - lc = (struct ldapconn *)ch_malloc( sizeof( struct ldapconn ) ); lc->lc_conn = lc_curr.lc_conn; - lc->lc_ld = ld; ber_dupbv( &lc->lc_local_ndn, &lc_curr.lc_local_ndn ); - ldap_pvt_thread_mutex_init( &lc->lc_mutex ); - - if ( is_priv ) { + if ( lc_curr.lc_ispriv ) { ber_dupbv( &lc->lc_cred, &li->acl_passwd ); ber_dupbv( &lc->lc_bound_ndn, &li->acl_authcDN ); + lc->lc_ispriv = lc_curr.lc_ispriv; } else { BER_BVZERO( &lc->lc_cred ); BER_BVZERO( &lc->lc_bound_ndn ); if ( op->o_conn && !BER_BVISEMPTY( &op->o_ndn ) - && op->o_bd == op->o_conn->c_authz_backend ) + && op->o_bd->be_private == op->o_conn->c_authz_backend->be_private ) { ber_dupbv( &lc->lc_bound_ndn, &op->o_ndn ); } } +#ifdef HAVE_TLS + /* if start TLS failed but it was not mandatory, + * check if the non-TLS connection was already + * in cache; in case, destroy the newly created + * connection and use the existing one */ + if ( lc->lc_conn == LDAP_BACK_PRIV_CONN_TLS + && !ldap_tls_inplace( lc->lc_ld ) ) + { + struct ldapconn *tmplc; + + lc_curr.lc_conn = LDAP_BACK_PRIV_CONN; + ldap_pvt_thread_mutex_lock( &li->conn_mutex ); + tmplc = (struct ldapconn *)avl_find( li->conntree, + (caddr_t)&lc_curr, ldap_back_conn_cmp ); + if ( tmplc != NULL ) { + refcnt = ++tmplc->lc_refcnt; + ldap_back_conn_free( lc ); + lc = tmplc; + } + ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); + + if ( tmplc != NULL ) { + goto done; + } + } +#endif /* HAVE_TLS */ + lc->lc_bound = 0; /* Inserts the newly created ldapconn in the avl tree */ ldap_pvt_thread_mutex_lock( &li->conn_mutex ); + + assert( lc->lc_refcnt == 1 ); rs->sr_err = avl_insert( &li->conntree, (caddr_t)lc, ldap_back_conn_cmp, ldap_back_conn_dup ); @@ -314,23 +571,42 @@ ldap_back_getconn( Operation *op, SlapReply *rs ) ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); Debug( LDAP_DEBUG_TRACE, - "=>ldap_back_getconn: conn %p inserted\n", (void *) lc, 0, 0 ); + "=>ldap_back_getconn: conn %p inserted (refcnt=%u)\n", + (void *)lc, refcnt, 0 ); /* Err could be -1 in case a duplicate ldapconn is inserted */ if ( rs->sr_err != 0 ) { ldap_back_conn_free( lc ); - if ( op->o_conn ) { + rs->sr_err = LDAP_OTHER; + if ( op->o_conn && ( sendok & LDAP_BACK_SENDERR ) ) { send_ldap_error( op, rs, LDAP_OTHER, - "internal server error" ); + "internal server error" ); } - return( NULL ); + return NULL; } + } else { Debug( LDAP_DEBUG_TRACE, - "=>ldap_back_getconn: conn %p fetched\n", (void *) lc, 0, 0 ); + "=>ldap_back_getconn: conn %p fetched (refcnt=%u)\n", + (void *)lc, refcnt, 0 ); } - - return( lc ); + +done:; + return lc; +} + +void +ldap_back_release_conn( + Operation *op, + SlapReply *rs, + struct ldapconn *lc ) +{ + struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; + + ldap_pvt_thread_mutex_lock( &li->conn_mutex ); + assert( lc->lc_refcnt > 0 ); + lc->lc_refcnt--; + ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); } /* @@ -339,16 +615,26 @@ ldap_back_getconn( Operation *op, SlapReply *rs ) * Note: as the check for the value of lc->lc_bound was already here, I removed * it from all the callers, and I made the function return the flag, so * it can be used to simplify the check. + * + * Note: dolock indicates whether li->conn_mutex must be locked or not */ -int -ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs ) +static int +ldap_back_dobind_int( + struct ldapconn *lc, + Operation *op, + SlapReply *rs, + ldap_back_send_t sendok, + int retries, + int dolock ) { int rc; ber_int_t msgid; - ldap_pvt_thread_mutex_lock( &lc->lc_mutex ); + assert( retries >= 0 ); + if ( !lc->lc_bound ) { -#ifdef LDAP_BACK_PROXY_AUTHZ + struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; + /* * FIXME: we need to let clients use proxyAuthz * otherwise we cannot do symmetric pools of servers; @@ -363,23 +649,104 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs ) */ /* * if no bind took place yet, but the connection is bound - * and the "proxyauthzdn" is set, then bind as - * "proxyauthzdn" and explicitly add the proxyAuthz - * control to every operation with the dn bound - * to the connection as control value. + * and the "idassert-authcDN" (or other ID) is set, + * then bind as the asserting identity and explicitly + * add the proxyAuthz control to every operation with the + * dn bound to the connection as control value. + * This is done also if this is the authrizing backend, + * but the "override" flag is given to idassert. + * It allows to use SASL bind and yet proxyAuthz users */ - if ( op->o_conn != NULL && BER_BVISNULL( &lc->lc_bound_ndn ) ) { + if ( op->o_conn != NULL && + !op->o_do_not_cache && + ( BER_BVISNULL( &lc->lc_bound_ndn ) || + ( li->idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) ) + { (void)ldap_back_proxy_authz_bind( lc, op, rs ); goto done; } -#endif /* LDAP_BACK_PROXY_AUTHZ */ +#ifdef HAVE_CYRUS_SASL + if ( lc->lc_ispriv && li->acl_authmethod == LDAP_AUTH_SASL ) { + void *defaults = NULL; + +#if 1 /* will deal with this later... */ + if ( li->acl_secprops != NULL ) { + rc = ldap_set_option( lc->lc_ld, + LDAP_OPT_X_SASL_SECPROPS, li->acl_secprops); + + if( rc != LDAP_OPT_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "Error: ldap_set_option " + "(%s,SECPROPS,\"%s\") failed!\n", + li->url, li->acl_secprops, 0 ); + goto done; + } + } +#endif + + defaults = lutil_sasl_defaults( lc->lc_ld, + li->acl_sasl_mech.bv_val, + li->acl_sasl_realm.bv_val, + li->acl_authcID.bv_val, + li->acl_passwd.bv_val, + NULL ); + + rs->sr_err = ldap_sasl_interactive_bind_s( lc->lc_ld, + li->acl_authcDN.bv_val, + li->acl_sasl_mech.bv_val, NULL, NULL, + LDAP_SASL_QUIET, lutil_sasl_interact, + defaults ); + + lutil_sasl_freedefs( defaults ); + + rs->sr_err = slap_map_api2result( rs ); + if ( rs->sr_err != LDAP_SUCCESS ) { + lc->lc_bound = 0; + send_ldap_result( op, rs ); + + } else { + lc->lc_bound = 1; + } + goto done; + } +#endif /* HAVE_CYRUS_SASL */ + +retry:; rs->sr_err = ldap_sasl_bind( lc->lc_ld, lc->lc_bound_ndn.bv_val, LDAP_SASL_SIMPLE, &lc->lc_cred, NULL, NULL, &msgid ); - - rc = ldap_back_op_result( lc, op, rs, msgid, 0 ); + + if ( rs->sr_err == LDAP_SERVER_DOWN ) { + if ( retries > 0 ) { + if ( dolock ) { + ldap_pvt_thread_mutex_lock( &li->conn_mutex ); + } + + assert( lc->lc_refcnt > 0 ); + if ( lc->lc_refcnt == 1 ) { + ldap_unbind_ext( lc->lc_ld, NULL, NULL ); + lc->lc_ld = NULL; + + /* lc here must be the regular lc, reset and ready for init */ + rs->sr_err = ldap_back_prepare_conn( &lc, op, rs, sendok ); + } + if ( dolock ) { + ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); + } + if ( rs->sr_err == LDAP_SUCCESS ) { + retries--; + goto retry; + } + } + + ldap_back_freeconn( op, lc ); + rs->sr_err = slap_map_api2result( rs ); + + return 0; + } + + rc = ldap_back_op_result( lc, op, rs, msgid, sendok ); if ( rc == LDAP_SUCCESS ) { lc->lc_bound = 1; } @@ -387,10 +754,15 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs ) done:; rc = lc->lc_bound; - ldap_pvt_thread_mutex_unlock( &lc->lc_mutex ); return rc; } +int +ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) +{ + return ldap_back_dobind_int( lc, op, rs, sendok, 1, 1 ); +} + /* * ldap_back_rebind * @@ -401,7 +773,25 @@ static int ldap_back_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request, ber_int_t msgid, void *params ) { - struct ldapconn *lc = params; + struct ldapconn *lc = (struct ldapconn *)params; + +#ifdef HAVE_TLS + /* ... otherwise we couldn't get here */ + assert( lc != NULL ); + + if ( !ldap_tls_inplace( ld ) ) { + int is_tls = lc->lc_is_tls, + rc; + const char *text = NULL; + + rc = ldap_back_start_tls( ld, 0, &is_tls, url, lc->lc_flags, &text ); + if ( rc != LDAP_SUCCESS ) { + return rc; + } + } +#endif /* HAVE_TLS */ + + /* FIXME: add checks on the URL/identity? */ return ldap_sasl_bind_s( ld, lc->lc_bound_ndn.bv_val, LDAP_SASL_SIMPLE, &lc->lc_cred, NULL, NULL, NULL ); @@ -409,11 +799,11 @@ ldap_back_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request, int ldap_back_op_result( - struct ldapconn *lc, - Operation *op, - SlapReply *rs, - ber_int_t msgid, - int sendok ) + struct ldapconn *lc, + Operation *op, + SlapReply *rs, + ber_int_t msgid, + ldap_back_send_t sendok ) { char *match = NULL; LDAPMessage *res = NULL; @@ -428,17 +818,30 @@ ldap_back_op_result( * to a successful state, get the error from the * remote server response */ if ( ERR_OK( rs->sr_err ) ) { + int rc; + struct timeval tv = { 0, 0 }; + +retry:; /* if result parsing fails, note the failure reason */ - if ( ldap_result( lc->lc_ld, msgid, 1, NULL, &res ) == -1 ) { + switch ( ldap_result( lc->lc_ld, msgid, 1, &tv, &res ) ) { + case 0: + tv.tv_sec = 0; + tv.tv_usec = 100000; /* 0.1 s */ + ldap_pvt_thread_yield(); + goto retry; + + case -1: ldap_get_option( lc->lc_ld, LDAP_OPT_ERROR_NUMBER, &rs->sr_err ); + break; + /* otherwise get the result; if it is not * LDAP_SUCCESS, record it in the reply * structure (this includes * LDAP_COMPARE_{TRUE|FALSE}) */ - } else { - int rc = ldap_parse_result( lc->lc_ld, res, &rs->sr_err, + default: + rc = ldap_parse_result( lc->lc_ld, res, &rs->sr_err, &match, &text, NULL, NULL, 1 ); rs->sr_text = text; if ( rc != LDAP_SUCCESS ) { @@ -462,7 +865,10 @@ ldap_back_op_result( rs->sr_matched = match; } } - if ( op->o_conn && ( sendok || rs->sr_err != LDAP_SUCCESS ) ) { + if ( op->o_conn && + ( ( sendok & LDAP_BACK_SENDOK ) + || ( ( sendok & LDAP_BACK_SENDERR ) && rs->sr_err != LDAP_SUCCESS ) ) ) + { send_ldap_result( op, rs ); } if ( match ) { @@ -481,40 +887,30 @@ ldap_back_op_result( /* return true if bound, false if failed */ int -ldap_back_retry( struct ldapconn *lc, Operation *op, SlapReply *rs ) +ldap_back_retry( struct ldapconn *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) { + int rc = 0; struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; - int vers = op->o_protocol; - LDAP *ld; + + ldap_pvt_thread_mutex_lock( &li->conn_mutex ); - ldap_pvt_thread_mutex_lock( &lc->lc_mutex ); - ldap_unbind_ext_s( lc->lc_ld, NULL, NULL ); - lc->lc_bound = 0; - rs->sr_err = ldap_initialize( &ld, li->url ); - - if ( rs->sr_err != LDAP_SUCCESS ) { - rs->sr_err = slap_map_api2result( rs ); - if ( rs->sr_text == NULL ) { - rs->sr_text = "ldap_initialize() failed"; - } - if ( op->o_conn ) { - send_ldap_result( op, rs ); + if ( lc->lc_refcnt == 1 ) { + ldap_unbind_ext( lc->lc_ld, NULL, NULL ); + lc->lc_ld = NULL; + lc->lc_bound = 0; + + /* lc here must be the regular lc, reset and ready for init */ + rc = ldap_back_prepare_conn( &lc, op, rs, sendok ); + if ( rc == LDAP_SUCCESS ) { + rc = ldap_back_dobind_int( lc, op, rs, sendok, 0, 0 ); } - rs->sr_text = NULL; - return 0; } - /* Set LDAP version. This will always succeed: If the client - * bound with a particular version, then so can we. - */ - ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, (const void *)&vers ); - /* FIXME: configurable? */ - ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON ); - lc->lc_ld = ld; - ldap_pvt_thread_mutex_unlock( &lc->lc_mutex ); - return ldap_back_dobind( lc, op, rs ); + + ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); + + return rc; } -#ifdef LDAP_BACK_PROXY_AUTHZ static int ldap_back_proxy_authz_bind( struct ldapconn *lc, Operation *op, SlapReply *rs ) { @@ -561,14 +957,30 @@ ldap_back_proxy_authz_bind( struct ldapconn *lc, Operation *op, SlapReply *rs ) break; default: - if ( li->idassert_authz ) { - struct berval authcDN = BER_BVISNULL( &op->o_conn->c_ndn ) ? slap_empty_bv : op->o_conn->c_ndn; + /* NOTE: rootdn can always idassert */ + if ( li->idassert_authz && !be_isroot( op ) ) { + struct berval authcDN; + + if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) { + authcDN = slap_empty_bv; + } else { + authcDN = op->o_conn->c_ndn; + } rs->sr_err = slap_sasl_matches( op, li->idassert_authz, &authcDN, &authcDN ); if ( rs->sr_err != LDAP_SUCCESS ) { - send_ldap_result( op, rs ); - lc->lc_bound = 0; + if ( li->idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) { + send_ldap_result( op, rs ); + lc->lc_bound = 0; + + } else { + rs->sr_err = LDAP_SUCCESS; + binddn = slap_empty_bv; + bindcred = slap_empty_bv; + break; + } + goto done; } } @@ -640,7 +1052,7 @@ ldap_back_proxy_authz_bind( struct ldapconn *lc, Operation *op, SlapReply *rs ) rs->sr_err = ldap_sasl_interactive_bind_s( lc->lc_ld, binddn.bv_val, li->idassert_sasl_mech.bv_val, NULL, NULL, - li->idassert_sasl_flags, lutil_sasl_interact, + LDAP_SASL_QUIET, lutil_sasl_interact, defaults ); lutil_sasl_freedefs( defaults ); @@ -679,7 +1091,7 @@ ldap_back_proxy_authz_bind( struct ldapconn *lc, Operation *op, SlapReply *rs ) goto done; } - rc = ldap_back_op_result( lc, op, rs, msgid, 0 ); + rc = ldap_back_op_result( lc, op, rs, msgid, LDAP_BACK_SENDERR ); if ( rc == LDAP_SUCCESS ) { lc->lc_bound = 1; } @@ -706,8 +1118,12 @@ done:; * If no server-side controls are defined for the operation, * simply add the proxyAuthz control; otherwise, if the * proxyAuthz control is not already set, add it as - * the first one (FIXME: is controls order significant - * for security?). + * the first one + * + * FIXME: is controls order significant for security? + * ANSWER: controls ordering and interoperability + * must be indicated by the specs of each control; if none + * is specified, the order is irrelevant. */ int ldap_back_proxy_authz_ctrl( @@ -724,12 +1140,18 @@ ldap_back_proxy_authz_ctrl( *pctrls = NULL; + rs->sr_err = LDAP_SUCCESS; + + /* FIXME: SASL/EXTERNAL over ldapi:// doesn't honor the authcID, + * but if it is not set this test fails. We need a different + * means to detect if idassert is enabled */ if ( ( BER_BVISNULL( &li->idassert_authcID ) || BER_BVISEMPTY( &li->idassert_authcID ) ) - && ( BER_BVISNULL( &li->idassert_authcDN ) || BER_BVISEMPTY( &li->idassert_authcDN ) ) ) { + && ( BER_BVISNULL( &li->idassert_authcDN ) || BER_BVISEMPTY( &li->idassert_authcDN ) ) ) + { goto done; } - if ( !op->o_conn ) { + if ( !op->o_conn || op->o_do_not_cache || be_isroot( op ) ) { goto done; } @@ -775,17 +1197,25 @@ ldap_back_proxy_authz_ctrl( goto done; } - } else if ( li->idassert_authz ) { + } else if ( li->idassert_authz && !be_isroot( op ) ) { int rc; - struct berval authcDN = BER_BVISNULL( &op->o_conn->c_ndn ) ? slap_empty_bv : op->o_conn->c_ndn; - + struct berval authcDN; + if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) { + authcDN = slap_empty_bv; + } else { + authcDN = op->o_conn->c_ndn; + } rc = slap_sasl_matches( op, li->idassert_authz, &authcDN, & authcDN ); if ( rc != LDAP_SUCCESS ) { - /* op->o_conn->c_ndn is not authorized - * to use idassert */ - return rc; + if ( li->idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) + { + /* op->o_conn->c_ndn is not authorized + * to use idassert */ + return rc; + } + return rs->sr_err; } } @@ -823,7 +1253,11 @@ ldap_back_proxy_authz_ctrl( case LDAP_BACK_IDASSERT_SELF: /* original behavior: * assert the client's identity */ - assertedID = BER_BVISNULL( &op->o_conn->c_ndn ) ? slap_empty_bv : op->o_conn->c_ndn; + if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) { + assertedID = slap_empty_bv; + } else { + assertedID = op->o_conn->c_ndn; + } break; case LDAP_BACK_IDASSERT_ANONYMOUS: @@ -872,7 +1306,7 @@ ldap_back_proxy_authz_ctrl( ctrls[ 0 ]->ldctl_value.bv_len = assertedID.bv_len + STRLENOF( "dn:" ); ctrls[ 0 ]->ldctl_value.bv_val = ch_malloc( ctrls[ 0 ]->ldctl_value.bv_len + 1 ); AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val, "dn:", STRLENOF( "dn:" ) ); - AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val + STRLENOF( "dn:" ), + AC_MEMCPY( &ctrls[ 0 ]->ldctl_value.bv_val[ STRLENOF( "dn:" ) ], assertedID.bv_val, assertedID.bv_len + 1 ); break; } @@ -899,8 +1333,11 @@ ldap_back_proxy_authz_ctrl_free( Operation *op, LDAPControl ***pctrls ) { LDAPControl **ctrls = *pctrls; + /* we assume that the first control is the proxyAuthz + * added by back-ldap, so it's the only one we explicitly + * free */ if ( ctrls && ctrls != op->o_ctrls ) { - assert( ctrls[ 0 ] ); + assert( ctrls[ 0 ] != NULL ); if ( !BER_BVISNULL( &ctrls[ 0 ]->ldctl_value ) ) { free( ctrls[ 0 ]->ldctl_value.bv_val ); @@ -914,4 +1351,3 @@ ldap_back_proxy_authz_ctrl_free( Operation *op, LDAPControl ***pctrls ) return 0; } -#endif /* LDAP_BACK_PROXY_AUTHZ */