X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fbind.c;h=0c13bad30bc6f2c22fc4457cf0aeebd7a69542b1;hb=0549d46adfa05cb6b5a51f9245452fa41c67020b;hp=b4c1cf72b104353f6856833eaac9734b68ee09e6;hpb=280fc819cf9e8b05efa4df875291af0f20666d40;p=openldap

diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index b4c1cf72b1..0c13bad30b 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -1,12 +1,19 @@
 /* bind.c - decode an ldap bind operation and pass it to a backend db */
 /* $OpenLDAP$ */
-/*
- * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1998-2003 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
  */
-
-/*
- * Copyright (c) 1995 Regents of the University of Michigan.
+/* Portions Copyright (c) 1995 Regents of the University of Michigan.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms are permitted
@@ -27,7 +34,7 @@
 #include "ldap_pvt.h"
 #include "slap.h"
 #ifdef LDAP_SLAPI
-#include "slapi.h"
+#include "slapi/slapi.h"
 #endif
 
 
@@ -43,11 +50,7 @@ do_bind(
 	struct berval mech = { 0, NULL };
 	struct berval dn = { 0, NULL };
 	ber_tag_t tag;
-	Backend *be;
-
-#ifdef LDAP_SLAPI
-	Slapi_PBlock *pb = op->o_pb;
-#endif
+	Backend *be = NULL;
 
 #ifdef NEW_LOGGING
 	LDAP_LOG( OPERATION, ENTRY, "do_bind: conn %d\n", op->o_connid, 0, 0 );
@@ -59,25 +62,25 @@ do_bind(
 	 * Force to connection to "anonymous" until bind succeeds.
 	 */
 	ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
-	if ( op->o_conn->c_sasl_bind_in_progress ) be = op->o_conn->c_authz_backend;
-
-	/* log authorization identity demotion */
+	if ( op->o_conn->c_sasl_bind_in_progress ) {
+		be = op->o_conn->c_authz_backend;
+	}
 	if ( op->o_conn->c_dn.bv_len ) {
+		/* log authorization identity demotion */
 		Statslog( LDAP_DEBUG_STATS,
-			"conn=%lu op=%lu BIND anonymous mech=implicit ssf=0",
+			"conn=%lu op=%lu BIND anonymous mech=implicit ssf=0\n",
 			op->o_connid, op->o_opid, 0, 0, 0 );
 	}
-
 	connection2anonymous( op->o_conn );
-	if ( op->o_conn->c_sasl_bind_in_progress ) op->o_conn->c_authz_backend = be;
+	if ( op->o_conn->c_sasl_bind_in_progress ) {
+		op->o_conn->c_authz_backend = be;
+	}
 	ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
-
 	if ( op->o_dn.bv_val != NULL ) {
 		free( op->o_dn.bv_val );
 		op->o_dn.bv_val = ch_strdup( "" );
 		op->o_dn.bv_len = 0;
 	}
-
 	if ( op->o_ndn.bv_val != NULL ) {
 		free( op->o_ndn.bv_val );
 		op->o_ndn.bv_val = ch_strdup( "" );
@@ -145,8 +148,7 @@ do_bind(
 	}
 
 	if ( tag == LBER_ERROR ) {
-		send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR,
-		"decoding error" );
+		send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
 		rs->sr_err = SLAPD_DISCONNECT;
 		goto cleanup;
 	}
@@ -165,7 +167,8 @@ do_bind(
 	 * However, we must dup with regular malloc when storing any
 	 * resulting DNs in the op or conn structures.
 	 */
-	rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx );
+	rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn,
+		op->o_tmpmemctx );
 	if ( rs->sr_err != LDAP_SUCCESS ) {
 #ifdef NEW_LOGGING
 		LDAP_LOG( OPERATION, INFO, 
@@ -193,17 +196,19 @@ do_bind(
 #ifdef NEW_LOGGING
 		LDAP_LOG( OPERATION, DETAIL1, 
 			"do_bind: version=%ld dn=\"%s\" method=%ld\n",
-			(unsigned long) version, op->o_req_dn.bv_val, (unsigned long)method );
+			(unsigned long) version, op->o_req_dn.bv_val,
+			(unsigned long) method );
 #else
 		Debug( LDAP_DEBUG_TRACE,
 			"do_bind: version=%ld dn=\"%s\" method=%ld\n",
-			(unsigned long) version,
-			op->o_req_dn.bv_val, (unsigned long) method );
+			(unsigned long) version, op->o_req_dn.bv_val,
+			(unsigned long) method );
 #endif
 	}
 
 	Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu BIND dn=\"%s\" method=%ld\n",
-	    op->o_connid, op->o_opid, op->o_req_dn.bv_val, (unsigned long) method, 0 );
+	    op->o_connid, op->o_opid, op->o_req_dn.bv_val, (unsigned long) method,
+		0 );
 
 	if ( version < LDAP_VERSION_MIN || version > LDAP_VERSION_MAX ) {
 #ifdef NEW_LOGGING
@@ -226,8 +231,8 @@ do_bind(
 		goto cleanup;
 	}
 
-	/* we set connection version regardless of whether bind succeeds
-	 * or not.
+	/*
+	 * we set connection version regardless of whether bind succeeds or not.
 	 */
 	ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
 	op->o_conn->c_protocol = version;
@@ -352,6 +357,26 @@ do_bind(
 			}
 			op->o_conn->c_sasl_bind_in_progress = 0;
 		}
+
+#ifdef LDAP_SLAPI
+#define	pb	op->o_pb
+		/*
+		 * Normally post-operation plugins are called only after the
+		 * backend operation. Because the front-end performs SASL
+		 * binds on behalf of the backend, we'll make a special
+		 * exception to call the post-operation plugins after a
+		 * SASL bind.
+		 */
+		if ( pb ) {
+			slapi_int_pblock_set_operation( pb, op );
+			slapi_pblock_set( pb, SLAPI_BIND_TARGET, (void *)dn.bv_val );
+			slapi_pblock_set( pb, SLAPI_BIND_METHOD, (void *)method );
+			slapi_pblock_set( pb, SLAPI_BIND_CREDENTIALS, (void *)&op->orb_cred );
+			slapi_pblock_set( pb, SLAPI_MANAGEDSAIT, (void *)(0) );
+			(void) slapi_int_call_plugins( op->o_bd, SLAPI_PLUGIN_POST_BIND_FN, pb );
+		}
+#endif /* LDAP_SLAPI */
+
 		ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
 
 		goto cleanup;
@@ -372,6 +397,7 @@ do_bind(
 	}
 
 	if ( method == LDAP_AUTH_SIMPLE ) {
+		ber_str2bv( "SIMPLE", sizeof("SIMPLE")-1, 0, &mech );
 		/* accept "anonymous" binds */
 		if ( op->orb_cred.bv_len == 0 || op->o_req_ndn.bv_len == 0 ) {
 			rs->sr_err = LDAP_SUCCESS;
@@ -387,7 +413,8 @@ do_bind(
 			{
 				/* DN is not empty, disallow */
 				rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
-				rs->sr_text = "unauthenticated bind (DN with no password) disallowed";
+				rs->sr_text =
+					"unauthenticated bind (DN with no password) disallowed";
 
 			} else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) {
 				/* disallow */
@@ -421,31 +448,11 @@ do_bind(
 			send_ldap_result( op, rs );
 #ifdef NEW_LOGGING
 			LDAP_LOG( OPERATION, INFO, 
-				   "do_bind: conn %d  v%d simple bind(%s) disallowed\n",
-				   op->o_connid, version, op->o_req_ndn.bv_val );
-#else
-			Debug( LDAP_DEBUG_TRACE,
-				"do_bind: v%d simple bind(%s) disallowed\n",
-				version, op->o_req_ndn.bv_val, 0 );
-#endif
-			goto cleanup;
-
-		} else if (( global_disallows & SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED )
-			&& ( op->o_ssf <= 1 ))
-		{
-			rs->sr_err = LDAP_CONFIDENTIALITY_REQUIRED;
-			rs->sr_text = "unwilling to perform simple authentication "
-				"without confidentiality protection";
-
-			send_ldap_result( op, rs );
-
-#ifdef NEW_LOGGING
-			LDAP_LOG( OPERATION, INFO, "do_bind: conn %d  "
-				"v%d unprotected simple bind(%s) disallowed\n",
+				"do_bind: conn %d  v%d simple bind(%s) disallowed\n",
 				op->o_connid, version, op->o_req_ndn.bv_val );
 #else
 			Debug( LDAP_DEBUG_TRACE,
-				"do_bind: v%d unprotected simple bind(%s) disallowed\n",
+				"do_bind: v%d simple bind(%s) disallowed\n",
 				version, op->o_req_ndn.bv_val, 0 );
 #endif
 			goto cleanup;
@@ -461,14 +468,15 @@ do_bind(
 			send_ldap_result( op, rs );
 #ifdef NEW_LOGGING
 			LDAP_LOG( OPERATION, DETAIL1, 
-				   "do_bind: conn %d  v%d Kerberos V4 bind\n",
-				   op->o_connid, version , 0 );
+				"do_bind: conn %d  v%d Kerberos V4 bind\n",
+				op->o_connid, version , 0 );
 #else
 			Debug( LDAP_DEBUG_TRACE, "do_bind: v%d Kerberos V4 bind\n",
 				version, 0, 0 );
 #endif
 			goto cleanup;
 		}
+		ber_str2bv( "KRBV4", sizeof("KRBV4")-1, 0, &mech );
 #endif
 
 	} else {
@@ -478,8 +486,8 @@ do_bind(
 		send_ldap_result( op, rs );
 #ifdef NEW_LOGGING
 		LDAP_LOG( OPERATION, INFO, 
-			   "do_bind: conn %ld  v%d unknown authentication method (%ld)\n",
-			   op->o_connid, version, method );
+			"do_bind: conn %ld  v%d unknown authentication method (%ld)\n",
+			op->o_connid, version, method );
 #else
 		Debug( LDAP_DEBUG_TRACE,
 			"do_bind: v%d unknown authentication method (%ld)\n",
@@ -521,70 +529,91 @@ do_bind(
 	}
 
 #if defined( LDAP_SLAPI )
-	slapi_x_pblock_set_operation( pb, op );
-	slapi_pblock_set( pb, SLAPI_BIND_TARGET, (void *)dn.bv_val );
-	slapi_pblock_set( pb, SLAPI_BIND_METHOD, (void *)method );
-	slapi_pblock_set( pb, SLAPI_BIND_CREDENTIALS, (void *)&op->orb_cred );
-	slapi_pblock_set( pb, SLAPI_MANAGEDSAIT, (void *)(0) );
-
-	rs->sr_err = doPluginFNs( op->o_bd, SLAPI_PLUGIN_PRE_BIND_FN, pb );
-	if ( rs->sr_err != SLAPI_BIND_SUCCESS ) {
-		/*
-		 * Binding is a special case for SLAPI plugins. It is
-		 * possible for a bind plugin to be successful *and*
-		 * abort further processing; this means it has handled
-		 * a bind request authoritatively. If we have reached
-		 * here, a result has been sent to the client (XXX
-		 * need to check with Sun whether SLAPI_BIND_ANONYMOUS
-		 * means a result has been sent).
-		 */
-		int ldapRc;
+	if ( pb ) {
+		int rc;
+		slapi_int_pblock_set_operation( pb, op );
+		slapi_pblock_set( pb, SLAPI_BIND_TARGET, (void *)dn.bv_val );
+		slapi_pblock_set( pb, SLAPI_BIND_METHOD, (void *)method );
+		slapi_pblock_set( pb, SLAPI_BIND_CREDENTIALS, (void *)&op->orb_cred );
+		slapi_pblock_set( pb, SLAPI_MANAGEDSAIT, (void *)(0) );
+		slapi_pblock_set( pb, SLAPI_CONN_DN, (void *)(0) );
 
-		if ( slapi_pblock_get( pb, SLAPI_RESULT_CODE, (void *)&ldapRc ) != 0 )
-			ldapRc = LDAP_OTHER;
+		rc = slapi_int_call_plugins( op->o_bd, SLAPI_PLUGIN_PRE_BIND_FN, pb );
 
-		op->orb_edn.bv_val = NULL;
-		op->orb_edn.bv_len = 0;
-		if ( rs->sr_err != SLAPI_BIND_FAIL && ldapRc == LDAP_SUCCESS ) {
-			/* Set the new connection DN. */
-			if ( rs->sr_err != SLAPI_BIND_ANONYMOUS ) {
-				slapi_pblock_get( pb, SLAPI_CONN_DN, (void *)&op->orb_edn.bv_val );
-				if ( op->orb_edn.bv_val ) op->orb_edn.bv_len = strlen( op->orb_edn.bv_val );
-			}
-			rs->sr_err = dnPrettyNormal( NULL, &op->orb_edn, &op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx );
-			ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
-			ber_dupbv(&op->o_conn->c_dn, &op->o_req_dn);
-			ber_dupbv(&op->o_conn->c_ndn, &op->o_req_ndn);
-			op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
-			op->o_req_dn.bv_val = NULL;
-			op->o_req_dn.bv_len = 0;
-			op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
-			op->o_req_ndn.bv_val = NULL;
-			op->o_req_ndn.bv_len = 0;
-			if ( op->o_conn->c_dn.bv_len != 0 ) {
-				ber_len_t max = sockbuf_max_incoming_auth;
-				ber_sockbuf_ctrl( op->o_conn->c_sb, LBER_SB_OPT_SET_MAX_INCOMING, &max );
-			}
-			/* log authorization identity */
-			Statslog( LDAP_DEBUG_STATS,
-				"conn=%lu op=%lu BIND dn=\"%s\" mech=simple (SLAPI) ssf=0\n",
-				op->o_connid, op->o_opid,
-				op->o_conn->c_dn.bv_val, 0, 0 );
-			ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
-		}
 #ifdef NEW_LOGGING
-		LDAP_LOG( OPERATION, INFO, "do_bind: Bind preoperation plugin returned %d\n",
-				rs->sr_err, 0, 0);
+		LDAP_LOG( OPERATION, INFO,
+			"do_bind: Bind preoperation plugin returned %d\n",
+			rs->sr_err, 0, 0);
 #else
-		Debug(LDAP_DEBUG_TRACE, "do_bind: Bind preoperation plugin returned %d.\n",
-				rs->sr_err, 0, 0);
+		Debug(LDAP_DEBUG_TRACE,
+			"do_bind: Bind preoperation plugin returned %d.\n",
+			rs->sr_err, 0, 0);
 #endif
-		rs->sr_err = ldapRc;
-		goto cleanup;
+
+		switch ( rc ) {
+		case SLAPI_BIND_SUCCESS:
+			/* Continue with backend processing */
+			break;
+		case SLAPI_BIND_FAIL:
+			/* Failure, server sends result */
+			rs->sr_err = LDAP_INVALID_CREDENTIALS;
+			send_ldap_result( op, rs );
+			goto cleanup;
+			break;
+		case SLAPI_BIND_ANONYMOUS:
+			/* SLAPI_BIND_ANONYMOUS is undocumented XXX */
+		default:
+			/* Authoritative, plugin sent result, or no plugins called. */
+			if ( slapi_pblock_get( op->o_pb, SLAPI_RESULT_CODE,
+				(void *)&rs->sr_err) != 0 )
+			{
+				rs->sr_err = LDAP_OTHER;
+			}
+
+			op->orb_edn.bv_val = NULL;
+			op->orb_edn.bv_len = 0;
+
+			if ( rs->sr_err == LDAP_SUCCESS ) {
+				slapi_pblock_get( pb, SLAPI_CONN_DN, (void *)&op->orb_edn.bv_val );
+				if ( op->orb_edn.bv_val == NULL ) {
+					if ( rc == 1 ) {
+						/* No plugins were called; continue. */
+						break;
+					}
+				} else {
+					op->orb_edn.bv_len = strlen( op->orb_edn.bv_val );
+				}
+				rs->sr_err = dnPrettyNormal( NULL, &op->orb_edn,
+					&op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx );
+				ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
+				ber_dupbv(&op->o_conn->c_dn, &op->o_req_dn);
+				ber_dupbv(&op->o_conn->c_ndn, &op->o_req_ndn);
+				op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
+				op->o_req_dn.bv_val = NULL;
+				op->o_req_dn.bv_len = 0;
+				op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
+				op->o_req_ndn.bv_val = NULL;
+				op->o_req_ndn.bv_len = 0;
+				if ( op->o_conn->c_dn.bv_len != 0 ) {
+					ber_len_t max = sockbuf_max_incoming_auth;
+					ber_sockbuf_ctrl( op->o_conn->c_sb,
+						LBER_SB_OPT_SET_MAX_INCOMING, &max );
+				}
+				/* log authorization identity */
+				Statslog( LDAP_DEBUG_STATS,
+					"conn=%lu op=%lu BIND dn=\"%s\" mech=%s (SLAPI) ssf=0\n",
+					op->o_connid, op->o_opid,
+					op->o_conn->c_dn.bv_val ? op->o_conn->c_dn.bv_val : "<empty>",
+					mech.bv_val, 0 );
+				ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
+			}
+			goto cleanup;
+			break;
+		}
 	}
 #endif /* defined( LDAP_SLAPI ) */
 
-	if ( op->o_bd->be_bind ) {
+	if( op->o_bd->be_bind ) {
 		op->orb_method = method;
 		rs->sr_err = (op->o_bd->be_bind)( op, rs );
 
@@ -596,7 +625,7 @@ do_bind(
 			}
 
 			/* be_bind returns regular/global edn */
-			if(op->orb_edn.bv_len) {
+			if( op->orb_edn.bv_len ) {
 				op->o_conn->c_dn = op->orb_edn;
 			} else {
 				ber_dupbv(&op->o_conn->c_dn, &op->o_req_dn);
@@ -612,9 +641,9 @@ do_bind(
 
 			/* log authorization identity */
 			Statslog( LDAP_DEBUG_STATS,
-				"conn=%lu op=%lu BIND dn=\"%s\" mech=simple ssf=0\n",
+				"conn=%lu op=%lu BIND dn=\"%s\" mech=%s ssf=0\n",
 				op->o_connid, op->o_opid,
-				op->o_conn->c_dn.bv_val, 0, 0 );
+				op->o_conn->c_dn.bv_val, mech.bv_val, 0 );
 
 #ifdef NEW_LOGGING
 			LDAP_LOG( OPERATION, DETAIL1, 
@@ -637,22 +666,31 @@ do_bind(
 
 	} else {
 		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
-			"operation not supported within namingContext" );
+			"operation not supported within naming context" );
 	}
 
 #if defined( LDAP_SLAPI )
-	if ( doPluginFNs( op->o_bd, SLAPI_PLUGIN_POST_BIND_FN, pb ) != 0 ) {
+	if ( pb != NULL && slapi_int_call_plugins( op->o_bd, SLAPI_PLUGIN_POST_BIND_FN, pb ) < 0 ) {
 #ifdef NEW_LOGGING
-		LDAP_LOG( OPERATION, INFO, "do_bind: Bind postoperation plugins failed\n",
-				0, 0, 0);
+		LDAP_LOG( OPERATION, INFO,
+			"do_bind: Bind postoperation plugins failed\n",
+			0, 0, 0);
 #else
-		Debug(LDAP_DEBUG_TRACE, "do_bind: Bind postoperation plugins failed.\n",
-				0, 0, 0);
+		Debug(LDAP_DEBUG_TRACE,
+			"do_bind: Bind postoperation plugins failed.\n",
+			0, 0, 0);
 #endif
 	}
 #endif /* defined( LDAP_SLAPI ) */
 
 cleanup:
+	if ( rs->sr_err == LDAP_SUCCESS ) {
+		if ( method != LDAP_AUTH_SASL ) {
+			ber_dupbv( &op->o_conn->c_authmech, &mech );
+		}
+		op->o_conn->c_authtype = method;
+	}
+
 	op->o_conn->c_sasl_bindop = NULL;
 
 	if( op->o_req_dn.bv_val != NULL ) {