X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fback-ldap%2Fbind.c;h=eb3d49703b20f02acb6a5296f94625228998f7bb;hb=5cd816f4eb2fc09a59cc53267c731d91badcae97;hp=d1428c12043e8bfc0941be966e170b474452d96b;hpb=da6d9eb0463255782f3fa70c61fd958d94c048cf;p=openldap diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c index d1428c1204..eb3d49703b 100644 --- a/servers/slapd/back-ldap/bind.c +++ b/servers/slapd/back-ldap/bind.c @@ -112,7 +112,7 @@ ldap_back_print_conntree( ldapinfo_t *li, char *msg ) #endif /* LDAP_BACK_PRINT_CONNTREE */ static int -ldap_back_freeconn( Operation *op, ldapconn_t *lc, int dolock ); +ldap_back_freeconn( ldapinfo_t *li, ldapconn_t *lc, int dolock ); static ldapconn_t * ldap_back_getconn( Operation *op, SlapReply *rs, ldap_back_send_t sendok, @@ -127,22 +127,69 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok, struct berval *binddn, struct berval *bindcred ); static int -ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, +ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok ); static int ldap_back_conndnlc_cmp( const void *c1, const void *c2 ); +ldapconn_t * +ldap_back_conn_delete( ldapinfo_t *li, ldapconn_t *lc ) +{ + if ( LDAP_BACK_PCONN_ISPRIV( lc ) ) { + if ( LDAP_BACK_CONN_CACHED( lc ) ) { + assert( lc->lc_q.tqe_prev != NULL ); + assert( li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_num > 0 ); + li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_num--; + LDAP_TAILQ_REMOVE( &li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_priv, lc, lc_q ); + LDAP_TAILQ_ENTRY_INIT( lc, lc_q ); + LDAP_BACK_CONN_CACHED_CLEAR( lc ); + + } else { + assert( LDAP_BACK_CONN_TAINTED( lc ) ); + assert( lc->lc_q.tqe_prev == NULL ); + } + + } else { + ldapconn_t *tmplc = NULL; + + if ( LDAP_BACK_CONN_CACHED( lc ) ) { + assert( !LDAP_BACK_CONN_TAINTED( lc ) ); + tmplc = avl_delete( &li->li_conninfo.lai_tree, (caddr_t)lc, + ldap_back_conndnlc_cmp ); + assert( tmplc == lc ); + LDAP_BACK_CONN_CACHED_CLEAR( lc ); + } + + assert( LDAP_BACK_CONN_TAINTED( lc ) || tmplc == lc ); + } + + return lc; +} + int ldap_back_bind( Operation *op, SlapReply *rs ) { ldapinfo_t *li = (ldapinfo_t *) op->o_bd->be_private; ldapconn_t *lc; - int rc = 0; + LDAPControl **ctrls = NULL; + struct berval save_o_dn; + int save_o_do_not_cache, + rc = 0; ber_int_t msgid; ldap_back_send_t retrying = LDAP_BACK_RETRYING; + /* allow rootdn as a means to auth without the need to actually + * contact the proxied DSA */ + switch ( be_rootdn_bind( op, rs ) ) { + case SLAP_CB_CONTINUE: + break; + + default: + return rs->sr_err; + } + lc = ldap_back_getconn( op, rs, LDAP_BACK_BIND_SERR, NULL, NULL ); if ( !lc ) { return rs->sr_err; @@ -161,11 +208,27 @@ ldap_back_bind( Operation *op, SlapReply *rs ) } LDAP_BACK_CONN_ISBOUND_CLEAR( lc ); + /* don't add proxyAuthz; set the bindDN */ + save_o_dn = op->o_dn; + save_o_do_not_cache = op->o_do_not_cache; + op->o_dn = op->o_req_dn; + op->o_do_not_cache = 1; + + ctrls = op->o_ctrls; + rc = ldap_back_controls_add( op, rs, lc, &ctrls ); + op->o_dn = save_o_dn; + op->o_do_not_cache = save_o_do_not_cache; + if ( rc != LDAP_SUCCESS ) { + send_ldap_result( op, rs ); + ldap_back_release_conn( li, lc ); + return( rc ); + } + retry:; /* method is always LDAP_AUTH_SIMPLE if we got here */ rs->sr_err = ldap_sasl_bind( lc->lc_ld, op->o_req_dn.bv_val, LDAP_SASL_SIMPLE, - &op->orb_cred, op->o_ctrls, NULL, &msgid ); + &op->orb_cred, ctrls, NULL, &msgid ); /* FIXME: should we always retry, or only when piping the bind * in the "override" connection pool? */ rc = ldap_back_op_result( lc, op, rs, msgid, @@ -178,6 +241,8 @@ retry:; } } + ldap_back_controls_free( op, rs, &ctrls ); + if ( rc == LDAP_SUCCESS ) { /* If defined, proxyAuthz will be used also when * back-ldap is the authorizing backend; for this @@ -187,9 +252,7 @@ retry:; * connection with identity assertion */ /* NOTE: use with care */ if ( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) { - assert( lc->lc_binding == 1 ); - lc->lc_binding = 0; - ldap_back_release_conn( op, rs, lc ); + ldap_back_release_conn( li, lc ); return( rc ); } @@ -212,9 +275,6 @@ retry:; } } - assert( lc->lc_binding == 1 ); - lc->lc_binding = 0; - /* must re-insert if local DN changed as result of bind */ if ( !LDAP_BACK_CONN_ISBOUND( lc ) || ( !dn_match( &op->o_req_ndn, &lc->lc_local_ndn ) @@ -237,27 +297,7 @@ retry_lock:; #endif /* LDAP_BACK_PRINT_CONNTREE */ assert( lc->lc_refcnt == 1 ); - if ( LDAP_BACK_PCONN_ISPRIV( lc ) ) { - /* this can happen, for example, if the bind fails - * for some reason... */ - if ( lc->lc_q.tqe_prev != NULL ) { - assert( LDAP_BACK_CONN_CACHED( lc ) ); - assert( li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_num > 0 ); - LDAP_TAILQ_REMOVE( &li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_priv, lc, lc_q ); - li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_num--; - lc->lc_q.tqe_prev = NULL; - lc->lc_q.tqe_next = NULL; - - } else { - assert( !LDAP_BACK_CONN_CACHED( lc ) ); - } - - } else { - tmplc = avl_delete( &li->li_conninfo.lai_tree, (caddr_t)lc, - ldap_back_conndnlc_cmp ); - assert( ( LDAP_BACK_CONN_TAINTED( lc ) && tmplc == NULL ) || lc == tmplc ); - } - LDAP_BACK_CONN_CACHED_CLEAR( lc ); + ldap_back_conn_delete( li, lc ); /* delete all cached connections with the current connection */ if ( LDAP_BACK_SINGLECONN( li ) ) { @@ -312,7 +352,7 @@ retry_lock:; } if ( lc != NULL ) { - ldap_back_release_conn( op, rs, lc ); + ldap_back_release_conn( li, lc ); } return( rc ); @@ -414,10 +454,8 @@ ldap_back_conndn_dup( void *c1, void *c2 ) } static int -ldap_back_freeconn( Operation *op, ldapconn_t *lc, int dolock ) +ldap_back_freeconn( ldapinfo_t *li, ldapconn_t *lc, int dolock ) { - ldapinfo_t *li = (ldapinfo_t *) op->o_bd->be_private; - if ( dolock ) { ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex ); } @@ -426,31 +464,7 @@ ldap_back_freeconn( Operation *op, ldapconn_t *lc, int dolock ) ldap_back_print_conntree( li, ">>> ldap_back_freeconn" ); #endif /* LDAP_BACK_PRINT_CONNTREE */ - if ( LDAP_BACK_PCONN_ISPRIV( lc ) ) { - if ( lc->lc_q.tqe_prev != NULL ) { - assert( LDAP_BACK_CONN_CACHED( lc ) ); - assert( li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_num > 0 ); - li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_num--; - LDAP_TAILQ_REMOVE( &li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_priv, lc, lc_q ); - LDAP_BACK_CONN_CACHED_CLEAR( lc ); - - } else { - assert( !LDAP_BACK_CONN_CACHED( lc ) ); - } - lc->lc_q.tqe_prev = NULL; - lc->lc_q.tqe_next = NULL; - - } else { - ldapconn_t *tmplc = NULL; - - if ( LDAP_BACK_CONN_CACHED( lc ) ) { - tmplc = avl_delete( &li->li_conninfo.lai_tree, (caddr_t)lc, - ldap_back_conndnlc_cmp ); - assert( tmplc == lc ); - LDAP_BACK_CONN_CACHED_CLEAR( lc ); - } - assert( LDAP_BACK_CONN_TAINTED( lc ) || tmplc == lc ); - } + (void)ldap_back_conn_delete( li, lc ); if ( lc->lc_refcnt == 0 ) { ldap_back_conn_free( (void *)lc ); @@ -610,7 +624,7 @@ retry:; #endif /* HAVE_TLS */ static int -ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) +ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) { ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; int version; @@ -618,10 +632,9 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac #ifdef HAVE_TLS int is_tls = op->o_conn->c_is_tls; time_t lc_time = (time_t)(-1); + slap_bindconf *sb; #endif /* HAVE_TLS */ - assert( lcp != NULL ); - ldap_pvt_thread_mutex_lock( &li->li_uri_mutex ); rs->sr_err = ldap_initialize( &ld, li->li_uri ); ldap_pvt_thread_mutex_unlock( &li->li_uri_mutex ); @@ -661,12 +674,29 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac } #ifdef HAVE_TLS + if ( LDAP_BACK_CONN_ISPRIV( lc ) ) { + sb = &li->li_acl; + + } else if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) { + sb = &li->li_idassert.si_bc; + + } else { + sb = &li->li_tls; + } + + if ( sb->sb_tls_do_init ) { + bindconf_tls_set( sb, ld ); + } else if ( sb->sb_tls_ctx ) { + ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx ); + } + ldap_pvt_thread_mutex_lock( &li->li_uri_mutex ); rs->sr_err = ldap_back_start_tls( ld, op->o_protocol, &is_tls, li->li_uri, li->li_flags, li->li_nretries, &rs->sr_text ); ldap_pvt_thread_mutex_unlock( &li->li_uri_mutex ); if ( rs->sr_err != LDAP_SUCCESS ) { ldap_unbind_ext( ld, NULL, NULL ); + rs->sr_text = "Start TLS failed"; goto error_return; } else if ( li->li_idle_timeout ) { @@ -675,21 +705,16 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac } #endif /* HAVE_TLS */ - if ( *lcp == NULL ) { - *lcp = (ldapconn_t *)ch_calloc( 1, sizeof( ldapconn_t ) ); - (*lcp)->lc_flags = li->li_flags; - } - (*lcp)->lc_ld = ld; - (*lcp)->lc_refcnt = 1; - (*lcp)->lc_binding = 1; + lc->lc_ld = ld; + lc->lc_refcnt = 1; #ifdef HAVE_TLS if ( is_tls ) { - LDAP_BACK_CONN_ISTLS_SET( *lcp ); + LDAP_BACK_CONN_ISTLS_SET( lc ); } else { - LDAP_BACK_CONN_ISTLS_CLEAR( *lcp ); + LDAP_BACK_CONN_ISTLS_CLEAR( lc ); } if ( lc_time != (time_t)(-1) ) { - (*lcp)->lc_time = lc_time; + lc->lc_time = lc_time; } #endif /* HAVE_TLS */ @@ -698,15 +723,14 @@ error_return:; rs->sr_err = slap_map_api2result( rs ); if ( sendok & LDAP_BACK_SENDERR ) { if ( rs->sr_text == NULL ) { - rs->sr_text = "ldap_initialize() failed"; + rs->sr_text = "Proxy connection initialization failed"; } send_ldap_result( op, rs ); - rs->sr_text = NULL; } } else { if ( li->li_conn_ttl > 0 ) { - (*lcp)->lc_create_time = op->o_time; + lc->lc_create_time = op->o_time; } } @@ -725,7 +749,6 @@ ldap_back_getconn( ldapconn_t *lc = NULL, lc_curr = { 0 }; int refcnt = 1, - binding = 1, lookupconn = !( sendok & LDAP_BACK_BINDING ); /* if the server is quarantined, and @@ -755,6 +778,7 @@ ldap_back_getconn( if ( dont_retry ) { rs->sr_err = LDAP_UNAVAILABLE; if ( op->o_conn && ( sendok & LDAP_BACK_SENDERR ) ) { + rs->sr_text = "Target is quarantined"; send_ldap_result( op, rs ); } return NULL; @@ -788,13 +812,13 @@ ldap_back_getconn( op->o_ndn = op->o_req_ndn; } isproxyauthz = ldap_back_is_proxy_authz( op, rs, sendok, binddn, bindcred ); - if ( isproxyauthz == -1 ) { - return NULL; - } if ( op->o_tag == LDAP_REQ_BIND ) { op->o_dn = save_o_dn; op->o_ndn = save_o_ndn; } + if ( isproxyauthz == -1 ) { + return NULL; + } lc_curr.lc_local_ndn = op->o_ndn; /* Explicit binds must not be shared; @@ -845,8 +869,7 @@ retry_lock: { LDAP_TAILQ_REMOVE( &li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_priv, lc, lc_q ); - lc->lc_q.tqe_prev = NULL; - lc->lc_q.tqe_next = NULL; + LDAP_TAILQ_ENTRY_INIT( lc, lc_q ); LDAP_TAILQ_INSERT_TAIL( &li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_priv, lc, lc_q ); } @@ -884,7 +907,6 @@ retry_lock: } refcnt = ++lc->lc_refcnt; - binding = ++lc->lc_binding; } } ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); @@ -892,7 +914,11 @@ retry_lock: /* Looks like we didn't get a bind. Open a new session... */ if ( lc == NULL ) { - if ( ldap_back_prepare_conn( &lc, op, rs, sendok ) != LDAP_SUCCESS ) { + lc = (ldapconn_t *)ch_calloc( 1, sizeof( ldapconn_t ) ); + lc->lc_flags = li->li_flags; + lc->lc_lcflags = lc_curr.lc_lcflags; + if ( ldap_back_prepare_conn( lc, op, rs, sendok ) != LDAP_SUCCESS ) { + ch_free( lc ); return NULL; } @@ -966,7 +992,6 @@ retry_lock: if ( tmplc != NULL ) { refcnt = ++tmplc->lc_refcnt; - binding = ++tmplc->lc_binding; ldap_back_conn_free( lc ); lc = tmplc; } @@ -984,7 +1009,6 @@ retry_lock: LDAP_BACK_CONN_ISBOUND_CLEAR( lc ); assert( lc->lc_refcnt == 1 ); - assert( lc->lc_binding == 1 ); #if LDAP_BACK_PRINT_CONNTREE > 0 ldap_back_print_conntree( li, ">>> ldap_back_getconn(insert)" ); @@ -1017,8 +1041,8 @@ retry_lock: char buf[ SLAP_TEXT_BUFLEN ]; snprintf( buf, sizeof( buf ), - "lc=%p inserted refcnt=%u binding=%u rc=%d", - (void *)lc, refcnt, binding, rs->sr_err ); + "lc=%p inserted refcnt=%u rc=%d", + (void *)lc, refcnt, rs->sr_err ); Debug( LDAP_DEBUG_TRACE, "=>ldap_back_getconn: %s: %s\n", @@ -1048,10 +1072,9 @@ retry_lock: LDAP_BACK_CONN_CACHED_CLEAR( lc ); ldap_back_conn_free( lc ); rs->sr_err = LDAP_OTHER; - rs->sr_text = "proxy bind collision"; + rs->sr_text = "Proxy bind collision"; if ( op->o_conn && ( sendok & LDAP_BACK_SENDERR ) ) { send_ldap_result( op, rs ); - rs->sr_text = NULL; } return NULL; } @@ -1073,26 +1096,8 @@ retry_lock: ldap_back_print_conntree( li, ">>> ldap_back_getconn(timeout)" ); #endif /* LDAP_BACK_PRINT_CONNTREE */ - if ( LDAP_BACK_PCONN_ISPRIV( lc ) ) { - if ( lc->lc_q.tqe_prev != NULL ) { - assert( LDAP_BACK_CONN_CACHED( lc ) ); - assert( li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_num > 0 ); - LDAP_TAILQ_REMOVE( &li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_priv, - lc, lc_q ); - li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_num--; - lc->lc_q.tqe_prev = NULL; - lc->lc_q.tqe_next = NULL; - - } else { - assert( !LDAP_BACK_CONN_CACHED( lc ) ); - } - - } else { - (void)avl_delete( &li->li_conninfo.lai_tree, (caddr_t)lc, - ldap_back_conndnlc_cmp ); - } + (void)ldap_back_conn_delete( li, lc ); LDAP_BACK_CONN_TAINTED_SET( lc ); - LDAP_BACK_CONN_CACHED_CLEAR( lc ); #if LDAP_BACK_PRINT_CONNTREE > 0 ldap_back_print_conntree( li, "<<< ldap_back_getconn(timeout)" ); @@ -1105,8 +1110,9 @@ retry_lock: char buf[ SLAP_TEXT_BUFLEN ]; snprintf( buf, sizeof( buf ), - "conn %p fetched refcnt=%u binding=%u%s", - (void *)lc, refcnt, binding, expiring ? " expiring" : "" ); + "conn %p fetched refcnt=%u%s", + (void *)lc, refcnt, + expiring ? " expiring" : "" ); Debug( LDAP_DEBUG_TRACE, "=>ldap_back_getconn: %s.\n", buf, 0, 0 ); } @@ -1121,12 +1127,10 @@ done:; void ldap_back_release_conn_lock( - Operation *op, - SlapReply *rs, + ldapinfo_t *li, ldapconn_t **lcp, int dolock ) { - ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; ldapconn_t *lc = *lcp; @@ -1137,7 +1141,7 @@ ldap_back_release_conn_lock( LDAP_BACK_CONN_BINDING_CLEAR( lc ); lc->lc_refcnt--; if ( LDAP_BACK_CONN_TAINTED( lc ) ) { - ldap_back_freeconn( op, lc, 0 ); + ldap_back_freeconn( li, lc, 0 ); *lcp = NULL; } if ( dolock ) { @@ -1216,6 +1220,17 @@ done:; ldap_pvt_thread_mutex_unlock( &li->li_quarantine_mutex ); } +static int +ldap_back_dobind_cb( + Operation *op, + SlapReply *rs +) +{ + ber_tag_t *tptr = op->o_callback->sc_private; + op->o_tag = *tptr; + return SLAP_CB_CONTINUE; +} + /* * ldap_back_dobind_int * @@ -1240,6 +1255,8 @@ ldap_back_dobind_int( isbound, binding = 0; ber_int_t msgid; + ber_tag_t o_tag = op->o_tag; + slap_callback cb = {0}; assert( lcp != NULL ); assert( retries >= 0 ); @@ -1268,7 +1285,6 @@ retry_lock:; /* check if already bound */ rc = isbound = LDAP_BACK_CONN_ISBOUND( lc ); if ( isbound ) { - lc->lc_binding--; if ( dolock ) { ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); } @@ -1290,16 +1306,6 @@ retry_lock:; } } - /* wait for pending operations to finish */ - /* FIXME: may become a bottleneck! */ - if ( lc->lc_refcnt != lc->lc_binding ) { - if ( dolock ) { - ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); - } - ldap_pvt_thread_yield(); - goto retry_lock; - } - if ( dolock ) { ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); } @@ -1322,10 +1328,16 @@ retry_lock:; * then bind as the asserting identity and explicitly * add the proxyAuthz control to every operation with the * dn bound to the connection as control value. - * This is done also if this is the authrizing backend, + * This is done also if this is the authorizing backend, * but the "override" flag is given to idassert. * It allows to use SASL bind and yet proxyAuthz users */ + op->o_tag = LDAP_REQ_BIND; + cb.sc_next = op->o_callback; + cb.sc_private = &o_tag; + cb.sc_response = ldap_back_dobind_cb; + op->o_callback = &cb; + if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) { if ( BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &bindcred ) ) { /* if we got here, it shouldn't return result */ @@ -1361,6 +1373,14 @@ retry_lock:; li->li_acl_authcID.bv_val, li->li_acl_passwd.bv_val, NULL ); + if ( defaults == NULL ) { + rs->sr_err = LDAP_OTHER; + LDAP_BACK_CONN_ISBOUND_CLEAR( lc ); + if ( sendok & LDAP_BACK_SENDERR ) { + send_ldap_result( op, rs ); + } + goto done; + } rs->sr_err = ldap_sasl_interactive_bind_s( lc->lc_ld, li->li_acl_authcDN.bv_val, @@ -1407,9 +1427,9 @@ retry:; lc->lc_ld = NULL; /* lc here must be the regular lc, reset and ready for init */ - rs->sr_err = ldap_back_prepare_conn( &lc, op, rs, sendok ); + rs->sr_err = ldap_back_prepare_conn( lc, op, rs, sendok ); if ( rs->sr_err != LDAP_SUCCESS ) { - lc->lc_binding--; + sendok &= ~LDAP_BACK_SENDERR; lc->lc_refcnt = 0; } } @@ -1424,22 +1444,11 @@ retry:; } goto retry; } - - } else { - if ( dolock ) { - ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex ); - } - lc->lc_binding--; - if ( dolock ) { - ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); - } } - /* FIXME: one binding-- too many? */ - lc->lc_binding--; assert( lc->lc_refcnt == 1 ); lc->lc_refcnt = 0; - ldap_back_freeconn( op, lc, dolock ); + ldap_back_freeconn( li, lc, dolock ); *lcp = NULL; rs->sr_err = slap_map_api2result( rs ); @@ -1450,29 +1459,38 @@ retry:; if ( rs->sr_err != LDAP_SUCCESS && ( sendok & LDAP_BACK_SENDERR ) ) { + if ( op->o_callback == &cb ) + op->o_callback = cb.sc_next; + op->o_tag = o_tag; + rs->sr_text = "Proxy can't contact remote server"; send_ldap_result( op, rs ); } - return 0; + rc = 0; + goto leave; } rc = ldap_back_op_result( lc, op, rs, msgid, - -1, (sendok|LDAP_BACK_BINDING) ); + -1, ( sendok | LDAP_BACK_BINDING ) ); if ( rc == LDAP_SUCCESS ) { LDAP_BACK_CONN_ISBOUND_SET( lc ); } done:; - lc->lc_binding--; LDAP_BACK_CONN_BINDING_CLEAR( lc ); rc = LDAP_BACK_CONN_ISBOUND( lc ); if ( !rc ) { - ldap_back_release_conn_lock( op, rs, lcp, dolock ); + ldap_back_release_conn_lock( li, lcp, dolock ); } else if ( LDAP_BACK_SAVECRED( li ) ) { ldap_set_rebind_proc( lc->lc_ld, li->li_rebind_f, lc ); } +leave:; + if ( op->o_callback == &cb ) + op->o_callback = cb.sc_next; + op->o_tag = o_tag; + return rc; } @@ -1670,8 +1688,23 @@ retry:; if ( sendok & LDAP_BACK_BINDING ) { ldap_unbind_ext( lc->lc_ld, NULL, NULL ); lc->lc_ld = NULL; + + /* let it be used, but taint/delete it so that + * no-one else can look it up any further */ + ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex ); + +#if LDAP_BACK_PRINT_CONNTREE > 0 + ldap_back_print_conntree( li, ">>> ldap_back_getconn(timeout)" ); +#endif /* LDAP_BACK_PRINT_CONNTREE */ + + (void)ldap_back_conn_delete( li, lc ); LDAP_BACK_CONN_TAINTED_SET( lc ); +#if LDAP_BACK_PRINT_CONNTREE > 0 + ldap_back_print_conntree( li, "<<< ldap_back_getconn(timeout)" ); +#endif /* LDAP_BACK_PRINT_CONNTREE */ + ldap_pvt_thread_mutex_unlock( &li->li_conninfo.lai_mutex ); + } else { (void)ldap_back_cancel( lc, op, rs, msgid, sendok ); } @@ -1707,18 +1740,44 @@ retry:; if ( rc != LDAP_SUCCESS ) { rs->sr_err = rc; } - if ( refs != NULL ) { - int i; - - for ( i = 0; refs[ i ] != NULL; i++ ) - /* count */ ; - rs->sr_ref = op->o_tmpalloc( sizeof( struct berval ) * ( i + 1 ), - op->o_tmpmemctx ); - for ( i = 0; refs[ i ] != NULL; i++ ) { - ber_str2bv( refs[ i ], 0, 0, &rs->sr_ref[ i ] ); + + /* RFC 4511: referrals can only appear + * if result code is LDAP_REFERRAL */ + if ( refs != NULL + && refs[ 0 ] != NULL + && refs[ 0 ][ 0 ] != '\0' ) + { + if ( rs->sr_err != LDAP_REFERRAL ) { + Debug( LDAP_DEBUG_ANY, + "%s ldap_back_op_result: " + "got referrals with err=%d\n", + op->o_log_prefix, + rs->sr_err, 0 ); + + } else { + int i; + + for ( i = 0; refs[ i ] != NULL; i++ ) + /* count */ ; + rs->sr_ref = op->o_tmpalloc( sizeof( struct berval ) * ( i + 1 ), + op->o_tmpmemctx ); + for ( i = 0; refs[ i ] != NULL; i++ ) { + ber_str2bv( refs[ i ], 0, 0, &rs->sr_ref[ i ] ); + } + BER_BVZERO( &rs->sr_ref[ i ] ); } - BER_BVZERO( &rs->sr_ref[ i ] ); + + } else if ( rs->sr_err == LDAP_REFERRAL ) { + Debug( LDAP_DEBUG_ANY, + "%s ldap_back_op_result: " + "got err=%d with null " + "or empty referrals\n", + op->o_log_prefix, + rs->sr_err, 0 ); + + rs->sr_err = LDAP_NO_SUCH_OBJECT; } + if ( ctrls != NULL ) { rs->sr_ctrls = ctrls; } @@ -1747,6 +1806,7 @@ retry:; ldap_back_quarantine( op, rs ); } if ( op->o_conn && ( sendok & LDAP_BACK_SENDERR ) ) { + if ( rs->sr_text == NULL ) rs->sr_text = "Proxy operation retry failed"; send_ldap_result( op, rs ); } } @@ -1772,12 +1832,14 @@ retry:; rs->sr_text = NULL; if ( rs->sr_ref ) { - assert( refs != NULL ); - ber_memvfree( (void **)refs ); op->o_tmpfree( rs->sr_ref, op->o_tmpmemctx ); rs->sr_ref = NULL; } + if ( refs ) { + ber_memvfree( (void **)refs ); + } + if ( ctrls ) { assert( rs->sr_ctrls != NULL ); ldap_controls_free( ctrls ); @@ -1792,8 +1854,7 @@ int ldap_back_retry( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) { ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; - int rc = 0, - binding; + int rc = 0; assert( lcp != NULL ); assert( *lcp != NULL ); @@ -1801,7 +1862,7 @@ ldap_back_retry( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_ ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex ); if ( (*lcp)->lc_refcnt == 1 ) { - binding = LDAP_BACK_CONN_BINDING( *lcp ); + int binding = LDAP_BACK_CONN_BINDING( *lcp ); ldap_pvt_thread_mutex_lock( &li->li_uri_mutex ); Debug( LDAP_DEBUG_ANY, @@ -1816,11 +1877,11 @@ ldap_back_retry( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_ LDAP_BACK_CONN_ISBOUND_CLEAR( (*lcp) ); /* lc here must be the regular lc, reset and ready for init */ - rc = ldap_back_prepare_conn( lcp, op, rs, sendok ); + rc = ldap_back_prepare_conn( *lcp, op, rs, sendok ); if ( rc != LDAP_SUCCESS ) { /* freeit, because lc_refcnt == 1 */ (*lcp)->lc_refcnt = 0; - (void)ldap_back_freeconn( op, *lcp, 0 ); + (void)ldap_back_freeconn( li, *lcp, 0 ); *lcp = NULL; rc = 0; @@ -1836,7 +1897,7 @@ ldap_back_retry( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_ /* freeit, because lc_refcnt == 1 */ (*lcp)->lc_refcnt = 0; LDAP_BACK_CONN_TAINTED_SET( *lcp ); - (void)ldap_back_freeconn( op, *lcp, 0 ); + (void)ldap_back_freeconn( li, *lcp, 0 ); *lcp = NULL; } } @@ -1847,12 +1908,12 @@ ldap_back_retry( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_ (void *)(*lcp), (*lcp)->lc_refcnt, 0 ); LDAP_BACK_CONN_TAINTED_SET( *lcp ); - ldap_back_release_conn_lock( op, rs, lcp, 0 ); + ldap_back_release_conn_lock( li, lcp, 0 ); assert( *lcp == NULL ); - if ( sendok ) { + if ( sendok & LDAP_BACK_SENDERR ) { rs->sr_err = LDAP_UNAVAILABLE; - rs->sr_text = "unable to retry"; + rs->sr_text = "Unable to retry"; send_ldap_result( op, rs ); } } @@ -1919,7 +1980,10 @@ ldap_back_is_proxy_authz( Operation *op, SlapReply *rs, ldap_back_send_t sendok, default: /* NOTE: rootdn can always idassert */ - if ( BER_BVISNULL( &ndn ) && li->li_idassert_authz == NULL ) { + if ( BER_BVISNULL( &ndn ) + && li->li_idassert_authz == NULL + && !( li->li_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) ) + { if ( li->li_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) { rs->sr_err = LDAP_INAPPROPRIATE_AUTH; if ( sendok & LDAP_BACK_SENDERR ) { @@ -2056,6 +2120,14 @@ ldap_back_proxy_authz_bind( li->li_idassert_authcID.bv_val, li->li_idassert_passwd.bv_val, authzID.bv_val ); + if ( defaults == NULL ) { + rs->sr_err = LDAP_OTHER; + LDAP_BACK_CONN_ISBOUND_CLEAR( lc ); + if ( sendok & LDAP_BACK_SENDERR ) { + send_ldap_result( op, rs ); + } + goto done; + } rs->sr_err = ldap_sasl_interactive_bind_s( lc->lc_ld, binddn->bv_val, li->li_idassert_sasl_mech.bv_val, NULL, NULL, @@ -2094,7 +2166,7 @@ ldap_back_proxy_authz_bind( binddn->bv_val, LDAP_SASL_SIMPLE, bindcred, NULL, NULL, &msgid ); rc = ldap_back_op_result( lc, op, rs, msgid, - -1, (sendok|LDAP_BACK_BINDING) ); + -1, ( sendok | LDAP_BACK_BINDING ) ); break; default: @@ -2159,48 +2231,31 @@ done:; */ int ldap_back_proxy_authz_ctrl( + Operation *op, + SlapReply *rs, struct berval *bound_ndn, int version, slap_idassert_t *si, - Operation *op, - SlapReply *rs, - LDAPControl ***pctrls ) + LDAPControl *ctrl ) { - LDAPControl **ctrls = NULL; - int i = 0; slap_idassert_mode_t mode; struct berval assertedID, ndn; + int isroot = 0; - *pctrls = NULL; - - rs->sr_err = LDAP_SUCCESS; - - /* don't proxyAuthz if protocol is not LDAPv3 */ - switch ( version ) { - case LDAP_VERSION3: - break; - - case 0: - if ( op->o_protocol == 0 || op->o_protocol == LDAP_VERSION3 ) { - break; - } - /* fall thru */ - - default: - goto done; - } + rs->sr_err = SLAP_CB_CONTINUE; /* FIXME: SASL/EXTERNAL over ldapi:// doesn't honor the authcID, * but if it is not set this test fails. We need a different * means to detect if idassert is enabled */ if ( ( BER_BVISNULL( &si->si_bc.sb_authcId ) || BER_BVISEMPTY( &si->si_bc.sb_authcId ) ) - && ( BER_BVISNULL( &si->si_bc.sb_binddn ) || BER_BVISEMPTY( &si->si_bc.sb_binddn ) ) ) + && ( BER_BVISNULL( &si->si_bc.sb_binddn ) || BER_BVISEMPTY( &si->si_bc.sb_binddn ) ) + && BER_BVISNULL( &si->si_bc.sb_saslmech ) ) { goto done; } - if ( !op->o_conn || op->o_do_not_cache || be_isroot( op ) ) { + if ( !op->o_conn || op->o_do_not_cache || ( isroot = be_isroot( op ) ) ) { goto done; } @@ -2252,7 +2307,7 @@ ldap_back_proxy_authz_ctrl( goto done; } - } else if ( si->si_authz && !be_isroot( op ) ) { + } else if ( si->si_authz && !isroot ) { int rc; struct berval authcDN; @@ -2262,7 +2317,7 @@ ldap_back_proxy_authz_ctrl( authcDN = ndn; } rc = slap_sasl_matches( op, si->si_authz, - &authcDN, & authcDN ); + &authcDN, &authcDN ); if ( rc != LDAP_SUCCESS ) { if ( si->si_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) { /* ndn is not authorized @@ -2303,21 +2358,11 @@ ldap_back_proxy_authz_ctrl( } switch ( mode ) { - case LDAP_BACK_IDASSERT_SELF: - if ( BER_BVISNULL( &ndn ) ) { - goto done; - } - assertedID = ndn; - break; - case LDAP_BACK_IDASSERT_LEGACY: /* original behavior: * assert the client's identity */ - if ( BER_BVISNULL( &ndn ) ) { - assertedID = slap_empty_bv; - } else { - assertedID = ndn; - } + case LDAP_BACK_IDASSERT_SELF: + assertedID = ndn; break; case LDAP_BACK_IDASSERT_ANONYMOUS: @@ -2339,6 +2384,7 @@ ldap_back_proxy_authz_ctrl( assert( 0 ); } + /* if we got here, "" is allowed to proxyAuthz */ if ( BER_BVISNULL( &assertedID ) ) { assertedID = slap_empty_bv; } @@ -2348,33 +2394,25 @@ ldap_back_proxy_authz_ctrl( goto done; } - if ( op->o_ctrls ) { - for ( i = 0; op->o_ctrls[ i ]; i++ ) - /* just count ctrls */ ; - } - - ctrls = op->o_tmpalloc( sizeof( LDAPControl * ) * (i + 2) + sizeof( LDAPControl ), - op->o_tmpmemctx ); - ctrls[ 0 ] = (LDAPControl *)&ctrls[ i + 2 ]; - - ctrls[ 0 ]->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; - ctrls[ 0 ]->ldctl_iscritical = 1; + ctrl->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ; switch ( si->si_mode ) { /* already in u:ID or dn:DN form */ case LDAP_BACK_IDASSERT_OTHERID: case LDAP_BACK_IDASSERT_OTHERDN: - ber_dupbv_x( &ctrls[ 0 ]->ldctl_value, &assertedID, op->o_tmpmemctx ); + ber_dupbv_x( &ctrl->ldctl_value, &assertedID, op->o_tmpmemctx ); + rs->sr_err = LDAP_SUCCESS; break; /* needs the dn: prefix */ default: - ctrls[ 0 ]->ldctl_value.bv_len = assertedID.bv_len + STRLENOF( "dn:" ); - ctrls[ 0 ]->ldctl_value.bv_val = op->o_tmpalloc( ctrls[ 0 ]->ldctl_value.bv_len + 1, + ctrl->ldctl_value.bv_len = assertedID.bv_len + STRLENOF( "dn:" ); + ctrl->ldctl_value.bv_val = op->o_tmpalloc( ctrl->ldctl_value.bv_len + 1, op->o_tmpmemctx ); - AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val, "dn:", STRLENOF( "dn:" ) ); - AC_MEMCPY( &ctrls[ 0 ]->ldctl_value.bv_val[ STRLENOF( "dn:" ) ], + AC_MEMCPY( ctrl->ldctl_value.bv_val, "dn:", STRLENOF( "dn:" ) ); + AC_MEMCPY( &ctrl->ldctl_value.bv_val[ STRLENOF( "dn:" ) ], assertedID.bv_val, assertedID.bv_len + 1 ); + rs->sr_err = LDAP_SUCCESS; break; } @@ -2383,7 +2421,7 @@ ldap_back_proxy_authz_ctrl( * this hack provides compatibility with those DSAs that * implement it this way */ if ( si->si_flags & LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND ) { - struct berval authzID = ctrls[ 0 ]->ldctl_value; + struct berval authzID = ctrl->ldctl_value; BerElementBuffer berbuf; BerElement *ber = (BerElement *)&berbuf; ber_tag_t tag; @@ -2397,32 +2435,29 @@ ldap_back_proxy_authz_ctrl( goto free_ber; } - if ( ber_flatten2( ber, &ctrls[ 0 ]->ldctl_value, 1 ) == -1 ) { + if ( ber_flatten2( ber, &ctrl->ldctl_value, 1 ) == -1 ) { rs->sr_err = LDAP_OTHER; goto free_ber; } + rs->sr_err = LDAP_SUCCESS; + free_ber:; op->o_tmpfree( authzID.bv_val, op->o_tmpmemctx ); ber_free_buf( ber ); if ( rs->sr_err != LDAP_SUCCESS ) { - op->o_tmpfree( ctrls, op->o_tmpmemctx ); - ctrls = NULL; goto done; } } else if ( si->si_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) { - struct berval authzID = ctrls[ 0 ]->ldctl_value, + struct berval authzID = ctrl->ldctl_value, tmp; BerElementBuffer berbuf; BerElement *ber = (BerElement *)&berbuf; ber_tag_t tag; if ( strncasecmp( authzID.bv_val, "dn:", STRLENOF( "dn:" ) ) != 0 ) { - op->o_tmpfree( ctrls[ 0 ]->ldctl_value.bv_val, op->o_tmpmemctx ); - op->o_tmpfree( ctrls, op->o_tmpmemctx ); - ctrls = NULL; rs->sr_err = LDAP_PROTOCOL_ERROR; goto done; } @@ -2442,30 +2477,130 @@ free_ber:; goto free_ber2; } - if ( ber_flatten2( ber, &ctrls[ 0 ]->ldctl_value, 1 ) == -1 ) { + if ( ber_flatten2( ber, &ctrl->ldctl_value, 1 ) == -1 ) { rs->sr_err = LDAP_OTHER; goto free_ber2; } + ctrl->ldctl_oid = LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ; + rs->sr_err = LDAP_SUCCESS; + free_ber2:; op->o_tmpfree( authzID.bv_val, op->o_tmpmemctx ); ber_free_buf( ber ); if ( rs->sr_err != LDAP_SUCCESS ) { - op->o_tmpfree( ctrls, op->o_tmpmemctx ); - ctrls = NULL; goto done; } + } - ctrls[ 0 ]->ldctl_oid = LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ; +done:; + + return rs->sr_err; +} + +/* + * Add controls; + * + * if any needs to be added, it is prepended to existing ones, + * in a newly allocated array. The companion function + * ldap_back_controls_free() must be used to restore the original + * status of op->o_ctrls. + */ +int +ldap_back_controls_add( + Operation *op, + SlapReply *rs, + ldapconn_t *lc, + LDAPControl ***pctrls ) +{ + ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; + + LDAPControl **ctrls = NULL; + /* set to the maximum number of controls this backend can add */ + LDAPControl c[ 2 ] = { 0 }; + int i = 0, j = 0; + + *pctrls = NULL; + + rs->sr_err = LDAP_SUCCESS; + + /* don't add controls if protocol is not LDAPv3 */ + switch ( li->li_version ) { + case LDAP_VERSION3: + break; + + case 0: + if ( op->o_protocol == 0 || op->o_protocol == LDAP_VERSION3 ) { + break; + } + /* fall thru */ + + default: + goto done; + } + + /* proxyAuthz for identity assertion */ + switch ( ldap_back_proxy_authz_ctrl( op, rs, &lc->lc_bound_ndn, + li->li_version, &li->li_idassert, &c[ j ] ) ) + { + case SLAP_CB_CONTINUE: + break; + + case LDAP_SUCCESS: + j++; + break; + + default: + goto done; + } + +#ifdef SLAP_CONTROL_X_SESSION_TRACKING + /* session tracking */ + if ( LDAP_BACK_ST_REQUEST( li ) ) { + switch ( slap_ctrl_session_tracking_request_add( op, rs, &c[ j ] ) ) { + case SLAP_CB_CONTINUE: + break; + + case LDAP_SUCCESS: + j++; + break; + + default: + goto done; + } + } +#endif /* SLAP_CONTROL_X_SESSION_TRACKING */ + + if ( rs->sr_err == SLAP_CB_CONTINUE ) { + rs->sr_err = LDAP_SUCCESS; } + if ( j == 0 ) { + goto done; + } + + if ( op->o_ctrls ) { + for ( i = 0; op->o_ctrls[ i ]; i++ ) + /* just count ctrls */ ; + } + + ctrls = op->o_tmpalloc( sizeof( LDAPControl * ) * (i + j + 1) + j * sizeof( LDAPControl ), + op->o_tmpmemctx ); + ctrls[ 0 ] = (LDAPControl *)&ctrls[ i + j + 1 ]; + *ctrls[ 0 ] = c[ 0 ]; + for ( i = 1; i < j; i++ ) { + ctrls[ i ] = &ctrls[ 0 ][ i ]; + *ctrls[ i ] = c[ i ]; + } + + i = 0; if ( op->o_ctrls ) { for ( i = 0; op->o_ctrls[ i ]; i++ ) { - ctrls[ i + 1 ] = op->o_ctrls[ i ]; + ctrls[ i + j ] = op->o_ctrls[ i ]; } } - ctrls[ i + 1 ] = NULL; + ctrls[ i + j ] = NULL; done:; if ( ctrls == NULL ) { @@ -2478,18 +2613,25 @@ done:; } int -ldap_back_proxy_authz_ctrl_free( Operation *op, LDAPControl ***pctrls ) +ldap_back_controls_free( Operation *op, SlapReply *rs, LDAPControl ***pctrls ) { LDAPControl **ctrls = *pctrls; - /* we assume that the first control is the proxyAuthz - * added by back-ldap, so it's the only one we explicitly - * free */ + /* we assume that the controls added by the proxy come first, + * so as soon as we find op->o_ctrls[ 0 ] we can stop */ if ( ctrls && ctrls != op->o_ctrls ) { + int i; + assert( ctrls[ 0 ] != NULL ); - if ( !BER_BVISNULL( &ctrls[ 0 ]->ldctl_value ) ) { - op->o_tmpfree( ctrls[ 0 ]->ldctl_value.bv_val, op->o_tmpmemctx ); + for ( i = 0; ctrls[ i ] != NULL; i++ ) { + if ( op->o_ctrls && ctrls[ i ] == op->o_ctrls[ 0 ] ) { + break; + } + + if ( !BER_BVISNULL( &ctrls[ i ]->ldctl_value ) ) { + op->o_tmpfree( ctrls[ i ]->ldctl_value.bv_val, op->o_tmpmemctx ); + } } op->o_tmpfree( ctrls, op->o_tmpmemctx );