X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fback-ldap%2Fbind.c;h=92d5856fa1ff00c248a15e707f036e3d4ad69d10;hb=82540c5cc1be5bf17b22f3a41d12d1bc56180654;hp=89ef3f517b27dcb69e15e71c52a783112daf71f0;hpb=6e6118c6cc2866ccc208c279c27f4c8fac282b7a;p=openldap diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c index 89ef3f517b..92d5856fa1 100644 --- a/servers/slapd/back-ldap/bind.c +++ b/servers/slapd/back-ldap/bind.c @@ -1,7 +1,7 @@ /* bind.c - ldap backend bind function */ /* $OpenLDAP$ */ /* - * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ /* This is an altered version */ @@ -47,73 +47,116 @@ #include "slap.h" #include "back-ldap.h" +#define PRINT_CONNTREE 0 + +static LDAP_REBIND_PROC ldap_back_rebind; + int ldap_back_bind( Backend *be, Connection *conn, Operation *op, - const char *dn, - const char *ndn, + struct berval *dn, + struct berval *ndn, int method, struct berval *cred, - char **edn + struct berval *edn ) { struct ldapinfo *li = (struct ldapinfo *) be->be_private; struct ldapconn *lc; - char *mdn = NULL; + struct berval mdn = { 0, NULL }; int rc = 0; - *edn = NULL; - lc = ldap_back_getconn(li, conn, op); if ( !lc ) { return( -1 ); } - mdn = ldap_back_dn_massage( li, ch_strdup( dn ), 0 ); - if ( mdn == NULL ) { - return -1; + /* + * Rewrite the bind dn if needed + */ +#ifdef ENABLE_REWRITE + switch ( rewrite_session( li->rwinfo, "bindDn", dn->bv_val, conn, &mdn.bv_val ) ) { + case REWRITE_REGEXEC_OK: + if ( mdn.bv_val == NULL ) { + mdn.bv_val = ( char * )dn->bv_val; + } +#ifdef NEW_LOGGING + LDAP_LOG( BACK_LDAP, DETAIL1, + "[rw] bindDn: \"%s\" -> \"%s\"\n", dn->bv_val, mdn.bv_val, 0 ); +#else /* !NEW_LOGGING */ + Debug( LDAP_DEBUG_ARGS, "rw> bindDn: \"%s\" -> \"%s\"\n%s", + dn->bv_val, mdn.bv_val, "" ); +#endif /* !NEW_LOGGING */ + break; + + case REWRITE_REGEXEC_UNWILLING: + send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM, + NULL, "Unwilling to perform", NULL, NULL ); + return( -1 ); + + case REWRITE_REGEXEC_ERR: + send_ldap_result( conn, op, LDAP_OTHER, + NULL, "Operations error", NULL, NULL ); + return( -1 ); } +#else /* !ENABLE_REWRITE */ + ldap_back_dn_massage( li, dn, &mdn, 0, 1 ); +#endif /* !ENABLE_REWRITE */ - if (ldap_bind_s(lc->ld, mdn, cred->bv_val, method) != LDAP_SUCCESS) { + rc = ldap_bind_s(lc->ld, mdn.bv_val, cred->bv_val, method); + if (rc != LDAP_SUCCESS) { rc = ldap_back_op_result( lc, op ); } else { lc->bound = 1; } - - free( mdn ); + + if ( li->savecred ) { + if ( lc->cred.bv_val ) + ch_free( lc->cred.bv_val ); + ber_dupbv( &lc->cred, cred ); + ldap_set_rebind_proc( lc->ld, ldap_back_rebind, lc ); + } + + if ( lc->bound_dn.bv_val ) + ch_free( lc->bound_dn.bv_val ); + if ( mdn.bv_val != dn->bv_val ) { + lc->bound_dn = mdn; + } else { + ber_dupbv( &lc->bound_dn, dn ); + } return( rc ); } /* - * conn_cmp + * ldap_back_conn_cmp * * compares two struct ldapconn based on the value of the conn pointer; * used by avl stuff */ int -conn_cmp( +ldap_back_conn_cmp( const void *c1, const void *c2 ) { - struct ldapconn *lc1 = (struct ldapconn *)c1; - struct ldapconn *lc2 = (struct ldapconn *)c2; + const struct ldapconn *lc1 = (const struct ldapconn *)c1; + const struct ldapconn *lc2 = (const struct ldapconn *)c2; return ( ( lc1->conn < lc2->conn ) ? -1 : ( ( lc1->conn > lc2-> conn ) ? 1 : 0 ) ); } /* - * conn_dup + * ldap_back_conn_dup * * returns -1 in case a duplicate struct ldapconn has been inserted; * used by avl stuff */ int -conn_dup( +ldap_back_conn_dup( void *c1, void *c2 ) @@ -124,6 +167,7 @@ conn_dup( return( ( lc1->conn == lc2->conn ) ? -1 : 0 ); } +#if PRINT_CONNTREE > 0 static void ravl_print( Avlnode *root, int depth ) { int i; @@ -136,7 +180,7 @@ static void ravl_print( Avlnode *root, int depth ) for ( i = 0; i < depth; i++ ) printf( " " ); - printf( "c(%d) %d\n", ((struct ldapconn *) root->avl_data)->conn->c_connid, root->avl_bf ); + printf( "c(%ld) %d\n", ((struct ldapconn *) root->avl_data)->conn->c_connid, root->avl_bf ); ravl_print( root->avl_left, depth+1 ); } @@ -153,6 +197,7 @@ static void myprint( Avlnode *root ) printf( "********\n" ); } +#endif /* PRINT_CONNTREE */ struct ldapconn * ldap_back_getconn(struct ldapinfo *li, Connection *conn, Operation *op) @@ -164,7 +209,7 @@ ldap_back_getconn(struct ldapinfo *li, Connection *conn, Operation *op) lc_curr.conn = conn; ldap_pvt_thread_mutex_lock( &li->conn_mutex ); lc = (struct ldapconn *)avl_find( li->conntree, - (caddr_t)&lc_curr, conn_cmp ); + (caddr_t)&lc_curr, ldap_back_conn_cmp ); ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); /* Looks like we didn't get a bind. Open a new session... */ @@ -186,40 +231,112 @@ ldap_back_getconn(struct ldapinfo *li, Connection *conn, Operation *op) lc = (struct ldapconn *)ch_malloc(sizeof(struct ldapconn)); lc->conn = conn; lc->ld = ld; - if ( lc->conn->c_cdn != NULL && lc->conn->c_cdn[0] != '\0' ) { - lc->bound_dn = ldap_back_dn_massage( li, - ch_strdup( lc->conn->c_cdn ), 0 ); + + lc->cred.bv_len = 0; + lc->cred.bv_val = NULL; + +#ifdef ENABLE_REWRITE + /* + * Sets a cookie for the rewrite session + */ + ( void )rewrite_session_init( li->rwinfo, conn ); +#endif /* ENABLE_REWRITE */ + + if ( lc->conn->c_dn.bv_len != 0 ) { + + /* + * Rewrite the bind dn if needed + */ +#ifdef ENABLE_REWRITE + lc->bound_dn.bv_val = NULL; + lc->bound_dn.bv_len = 0; + switch ( rewrite_session( li->rwinfo, "bindDn", + lc->conn->c_dn.bv_val, conn, + &lc->bound_dn.bv_val ) ) { + case REWRITE_REGEXEC_OK: + if ( lc->bound_dn.bv_val == NULL ) { + ber_dupbv( &lc->bound_dn, &lc->conn->c_dn ); + } +#ifdef NEW_LOGGING + LDAP_LOG( BACK_LDAP, DETAIL1, + "[rw] bindDn: \"%s\" ->" + " \"%s\"\n%s", + lc->conn->c_dn.bv_val, + lc->bound_dn.bv_val, "" ); +#else /* !NEW_LOGGING */ + Debug( LDAP_DEBUG_ARGS, + "rw> bindDn: \"%s\" ->" + " \"%s\"\n%s", + lc->conn->c_dn.bv_val, + lc->bound_dn.bv_val, "" ); +#endif /* !NEW_LOGGING */ + break; + + case REWRITE_REGEXEC_UNWILLING: + send_ldap_result( conn, op, + LDAP_UNWILLING_TO_PERFORM, + NULL, "Unwilling to perform", + NULL, NULL ); + return( NULL ); + + case REWRITE_REGEXEC_ERR: + send_ldap_result( conn, op, + LDAP_OTHER, + NULL, "Operations error", + NULL, NULL ); + return( NULL ); + } +#else /* !ENABLE_REWRITE */ + struct berval bv; + ldap_back_dn_massage( li, &lc->conn->c_dn, &bv, 0, 1 ); + if ( bv.bv_val == lc->conn->c_dn.bv_val ) + ber_dupbv( &lc->bound_dn, &bv ); + else + lc->bound_dn = bv; +#endif /* !ENABLE_REWRITE */ } else { - lc->bound_dn = NULL; + lc->bound_dn.bv_val = NULL; + lc->bound_dn.bv_len = 0; } lc->bound = 0; /* Inserts the newly created ldapconn in the avl tree */ ldap_pvt_thread_mutex_lock( &li->conn_mutex ); err = avl_insert( &li->conntree, (caddr_t)lc, - conn_cmp, conn_dup ); + ldap_back_conn_cmp, ldap_back_conn_dup ); -#if 0 +#if PRINT_CONNTREE > 0 myprint( li->conntree ); -#endif +#endif /* PRINT_CONNTREE */ ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); +#ifdef NEW_LOGGING + LDAP_LOG( BACK_LDAP, INFO, + "ldap_back_getconn: conn %ld inserted\n", lc->conn->c_connid, 0, 0); +#else /* !NEW_LOGGING */ Debug( LDAP_DEBUG_TRACE, - "=>ldap_back_getconn: conn %d inserted\n", - lc->conn->c_connid, 0, 0 ); + "=>ldap_back_getconn: conn %ld inserted\n%s%s", + lc->conn->c_connid, "", "" ); +#endif /* !NEW_LOGGING */ /* Err could be -1 in case a duplicate ldapconn is inserted */ if ( err != 0 ) { - send_ldap_result( conn, op, LDAP_OPERATIONS_ERROR, + send_ldap_result( conn, op, LDAP_OTHER, NULL, "internal server error", NULL, NULL ); /* better destroy the ldapconn struct? */ return( NULL ); } } else { - Debug( LDAP_DEBUG_TRACE, - "=>ldap_back_getconn: conn %d fetched\n", +#ifdef NEW_LOGGING + LDAP_LOG( BACK_LDAP, INFO, + "ldap_back_getconn: conn %ld inserted\n", lc->conn->c_connid, 0, 0 ); +#else /* !NEW_LOGGING */ + Debug( LDAP_DEBUG_TRACE, + "=>ldap_back_getconn: conn %ld fetched%s%s\n", + lc->conn->c_connid, "", "" ); +#endif /* !NEW_LOGGING */ } return( lc ); @@ -239,7 +356,7 @@ ldap_back_dobind(struct ldapconn *lc, Operation *op) return( lc->bound ); } - if (ldap_bind_s(lc->ld, lc->bound_dn, NULL, LDAP_AUTH_SIMPLE) != + if (ldap_bind_s(lc->ld, lc->bound_dn.bv_val, lc->cred.bv_val, LDAP_AUTH_SIMPLE) != LDAP_SUCCESS) { ldap_back_op_result(lc, op); return( 0 ); @@ -247,6 +364,21 @@ ldap_back_dobind(struct ldapconn *lc, Operation *op) return( lc->bound = 1 ); } +/* + * ldap_back_rebind + * + * This is a callback used for chasing referrals using the same + * credentials as the original user on this session. + */ +static int +ldap_back_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request, + ber_int_t msgid, void *params ) +{ + struct ldapconn *lc = params; + + return ldap_bind_s( ld, lc->bound_dn.bv_val, lc->cred.bv_val, LDAP_AUTH_SIMPLE ); +} + /* Map API errors to protocol errors... */ int @@ -257,7 +389,7 @@ ldap_back_map_result(int err) case LDAP_SERVER_DOWN: return LDAP_UNAVAILABLE; case LDAP_LOCAL_ERROR: - return LDAP_OPERATIONS_ERROR; + return LDAP_OTHER; case LDAP_ENCODING_ERROR: case LDAP_DECODING_ERROR: return LDAP_PROTOCOL_ERROR; @@ -266,13 +398,13 @@ ldap_back_map_result(int err) case LDAP_AUTH_UNKNOWN: return LDAP_AUTH_METHOD_NOT_SUPPORTED; case LDAP_FILTER_ERROR: - return LDAP_OPERATIONS_ERROR; + return LDAP_OTHER; case LDAP_USER_CANCELLED: - return LDAP_OPERATIONS_ERROR; + return LDAP_OTHER; case LDAP_PARAM_ERROR: return LDAP_PROTOCOL_ERROR; case LDAP_NO_MEMORY: - return LDAP_OPERATIONS_ERROR; + return LDAP_OTHER; case LDAP_CONNECT_ERROR: return LDAP_UNAVAILABLE; case LDAP_NOT_SUPPORTED: @@ -305,9 +437,29 @@ ldap_back_op_result(struct ldapconn *lc, Operation *op) ldap_get_option(lc->ld, LDAP_OPT_ERROR_STRING, &msg); ldap_get_option(lc->ld, LDAP_OPT_MATCHED_DN, &match); err = ldap_back_map_result(err); + +#ifdef ENABLE_REWRITE + + /* + * FIXME: need rewrite info for match; mmmh ... + */ send_ldap_result( lc->conn, op, err, match, msg, NULL, NULL ); /* better test the pointers before freeing? */ - if ( match ) free( match ); + if ( match ) { + free( match ); + } + +#else /* !ENABLE_REWRITE */ + + send_ldap_result( lc->conn, op, err, match, msg, NULL, NULL ); + /* better test the pointers before freeing? */ + if ( match ) { + free( match ); + } + +#endif /* !ENABLE_REWRITE */ + if ( msg ) free( msg ); return( (err==LDAP_SUCCESS) ? 0 : -1 ); } +