X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fbind.c;h=2678c18b4883fc22779ace536c51107881d57a68;hb=6e602b549420181bfe6ad55d863963a5b11544d1;hp=7a433c93ad5cc8f93b237f2c4ea720225a1ac83f;hpb=2fdbc553746c44df7ec15c88b73d608743bfa030;p=openldap
diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index 7a433c93ad..2678c18b48 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -43,7 +43,7 @@ do_bind(
 struct berval mech = { 0, NULL };
 struct berval dn = { 0, NULL };
 ber_tag_t tag;
- Backend *be;
+ Backend *be = NULL;
 
 #ifdef LDAP_SLAPI
 Slapi_PBlock *pb = op->o_pb;
@@ -64,7 +64,7 @@ do_bind(
 /* log authorization identity demotion */
 if ( op->o_conn->c_dn.bv_len ) {
 Statslog( LDAP_DEBUG_STATS,
- "conn=%lu op=%lu BIND anonymous mech=implicit ssf=0",
+ "conn=%lu op=%lu BIND anonymous mech=implicit ssf=0\n",
 op->o_connid, op->o_opid, 0, 0, 0 );
 }
 
@@ -121,7 +121,7 @@ do_bind(
 op->o_protocol = version;
 
 if( method != LDAP_AUTH_SASL ) {
- tag = ber_scanf( ber, /*{*/ "m}", &op->oq_bind.rb_cred );
+ tag = ber_scanf( ber, /*{*/ "m}", &op->orb_cred );
 
 } else {
 tag = ber_scanf( ber, "{m" /*}*/, &mech );
@@ -131,11 +131,11 @@ do_bind(
 
 tag = ber_peek_tag( ber, &len );
 if ( tag == LDAP_TAG_LDAPCRED ) {
- tag = ber_scanf( ber, "m", &op->oq_bind.rb_cred );
+ tag = ber_scanf( ber, "m", &op->orb_cred );
 } else {
 tag = LDAP_TAG_LDAPCRED;
- op->oq_bind.rb_cred.bv_val = NULL;
- op->oq_bind.rb_cred.bv_len = 0;
+ op->orb_cred.bv_val = NULL;
+ op->orb_cred.bv_len = 0;
 }
 
 if ( tag != LBER_ERROR ) {
@@ -161,7 +161,11 @@ do_bind(
 goto cleanup;
 }
 
- rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn );
+ /* We use the tmpmemctx here because it speeds up normalization.
+ * However, we must dup with regular malloc when storing any
+ * resulting DNs in the op or conn structures.
+ */
+ rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx );
 if ( rs->sr_err != LDAP_SUCCESS ) {
 #ifdef NEW_LOGGING
 LDAP_LOG( OPERATION, INFO,
@@ -292,19 +296,22 @@ do_bind(
 ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
 
 if( rs->sr_err == LDAP_SUCCESS ) {
- op->o_conn->c_dn = op->oq_bind.rb_edn;
- if( op->oq_bind.rb_edn.bv_len != 0 ) {
+ ber_dupbv(&op->o_conn->c_dn, &op->orb_edn);
+ if( op->orb_edn.bv_len != 0 ) {
 /* edn is always normalized already */
 ber_dupbv( &op->o_conn->c_ndn, &op->o_conn->c_dn );
 }
+ op->o_tmpfree( op->orb_edn.bv_val, op->o_tmpmemctx );
+ op->orb_edn.bv_val = NULL;
+ op->orb_edn.bv_len = 0;
 op->o_conn->c_authmech = op->o_conn->c_sasl_bind_mech;
 op->o_conn->c_sasl_bind_mech.bv_val = NULL;
 op->o_conn->c_sasl_bind_mech.bv_len = 0;
 op->o_conn->c_sasl_bind_in_progress = 0;
 
- op->o_conn->c_sasl_ssf = op->oq_bind.rb_ssf;
- if( op->oq_bind.rb_ssf > op->o_conn->c_ssf ) {
- op->o_conn->c_ssf = op->oq_bind.rb_ssf;
+ op->o_conn->c_sasl_ssf = op->orb_ssf;
+ if( op->orb_ssf > op->o_conn->c_ssf ) {
+ op->o_conn->c_ssf = op->orb_ssf;
 }
 
 if( op->o_conn->c_dn.bv_len != 0 ) {
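Review bot: The new comment above dnPrettyNormal states the ownership rule but not where the tmpmemctx-allocated o_req_dn/o_req_ndn are released, and from this hunk alone a reader cannot see that the allocation is balanced; the only release is at the cleanup label at the end of the function, which frees both with sl_free(..., op->o_tmpmemctx). I'd extend the comment with ` * o_req_dn/o_req_ndn are released at cleanup: via op->o_tmpmemctx.` The SLAPI pre-bind path later in the file calls dnPrettyNormal again into the same two fields, so that path's handling of the first result is worth a sentence here too. do_bind's body starts and ends outside the hunk.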
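Review bot: The SASL success path releases op->orb_edn with op->o_tmpfree, while the be_bind path in the later hunks (@@ -585 and @@ -624) treats orb_edn as regular malloc memory — it assigns it straight into c_dn and frees it with free() — so the allocator of orb_edn now depends on which path produced it and nothing records that contract. I'd state it at the o_tmpfree call: `/* SASL bind leaves orb_edn in o_tmpmemctx; be_bind returns it via regular malloc (see below) */`. The o_tmpfree call also runs when orb_edn.bv_len == 0, where bv_val is presumably NULL; confirm o_tmpfree accepts NULL or guard it with the bv_len test already used for c_ndn. The return value of ber_dupbv is not checked here or in the two later hunks, so on allocation failure c_dn may be left unset while the bind is reported as successful.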
@@ -318,20 +325,20 @@ do_bind(
 "conn=%lu op=%lu BIND dn=\"%s\" mech=%s ssf=%d\n",
 op->o_connid, op->o_opid,
 op->o_conn->c_dn.bv_val ? op->o_conn->c_dn.bv_val : "",
- op->o_conn->c_authmech.bv_val, op->oq_bind.rb_ssf );
+ op->o_conn->c_authmech.bv_val, op->orb_ssf );
 
 #ifdef NEW_LOGGING
 LDAP_LOG( OPERATION, DETAIL1,
 "do_bind: SASL/%s bind: dn=\"%s\" ssf=%d\n",
 op->o_conn->c_authmech.bv_val,
 op->o_conn->c_dn.bv_val ? op->o_conn->c_dn.bv_val : "",
- op->oq_bind.rb_ssf );
+ op->orb_ssf );
 #else
 Debug( LDAP_DEBUG_TRACE,
 "do_bind: SASL/%s bind: dn=\"%s\" ssf=%d\n",
 op->o_conn->c_authmech.bv_val,
 op->o_conn->c_dn.bv_val ? op->o_conn->c_dn.bv_val : "",
- op->oq_bind.rb_ssf );
+ op->orb_ssf );
 #endif
 
 } else if ( rs->sr_err == LDAP_SASL_BIND_IN_PROGRESS ) {
@@ -366,10 +373,10 @@ do_bind(
 
 if ( method == LDAP_AUTH_SIMPLE ) {
 /* accept "anonymous" binds */
- if ( op->oq_bind.rb_cred.bv_len == 0 || op->o_req_ndn.bv_len == 0 ) {
+ if ( op->orb_cred.bv_len == 0 || op->o_req_ndn.bv_len == 0 ) {
 rs->sr_err = LDAP_SUCCESS;
 
- if( op->oq_bind.rb_cred.bv_len &&
+ if( op->orb_cred.bv_len &&
 !( global_allows & SLAP_ALLOW_BIND_ANON_CRED )) {
 
 /* cred is not empty, disallow */
@@ -428,7 +435,7 @@ do_bind(
 {
 rs->sr_err = LDAP_CONFIDENTIALITY_REQUIRED;
 rs->sr_text = "unwilling to perform simple authentication "
- "without confidentilty protection";
+ "without confidentiality protection";
 
 send_ldap_result( op, rs );
 
@@ -517,11 +524,11 @@ do_bind(
 slapi_x_pblock_set_operation( pb, op );
 slapi_pblock_set( pb, SLAPI_BIND_TARGET, (void *)dn.bv_val );
 slapi_pblock_set( pb, SLAPI_BIND_METHOD, (void *)method );
- slapi_pblock_set( pb, SLAPI_BIND_CREDENTIALS, (void *)&op->oq_bind.rb_cred );
+ slapi_pblock_set( pb, SLAPI_BIND_CREDENTIALS, (void *)&op->orb_cred );
 slapi_pblock_set( pb, SLAPI_MANAGEDSAIT, (void *)(0) );
 
 rs->sr_err = doPluginFNs( op->o_bd, SLAPI_PLUGIN_PRE_BIND_FN, pb );
- if ( rs->sr_err != SLAPI_BIND_SUCCESS ) {
+ if ( rs->sr_err < 0 ) {
 /*
 * Binding is a special case for SLAPI plugins. It is
 * possible for a bind plugin to be successful *and*
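Review bot: The new test `rs->sr_err < 0` treats every negative return of doPluginFNs as "a plugin handled the bind", but the body it guards (continuing in the next hunk) still compares rs->sr_err against the specific values SLAPI_BIND_FAIL and SLAPI_BIND_ANONYMOUS, whose numeric values are not visible here; if either of them is non-negative its branch can never be reached. The same `< 0` convention is introduced for the post-bind plugins at @@ -634. I'd record the assumption at the test: `/* doPluginFNs returns < 0 (a SLAPI_BIND_* code) when a plugin handled the bind; >= 0 falls through to the backend */`, hedged as my reading of the change. The enclosing `#if defined( LDAP_SLAPI )` block and the if-body continue outside the hunk.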
@@ -533,22 +540,26 @@ do_bind(
 */
 int ldapRc;
 
- if ( slapi_pblock_get( pb, SLAPI_RESULT_CODE, (void *)&ldapRc ) != 0 )
+ if ( ( slapi_pblock_get( op->o_pb, SLAPI_RESULT_CODE, (void *)&ldapRc ) != 0 ) ||
+ ldapRc == LDAP_SUCCESS ) {
 ldapRc = LDAP_OTHER;
-
- op->oq_bind.rb_edn.bv_val = NULL;
- op->oq_bind.rb_edn.bv_len = 0;
+ }
+ op->orb_edn.bv_val = NULL;
+ op->orb_edn.bv_len = 0;
 if ( rs->sr_err != SLAPI_BIND_FAIL && ldapRc == LDAP_SUCCESS ) {
 /* Set the new connection DN. */
 if ( rs->sr_err != SLAPI_BIND_ANONYMOUS ) {
- slapi_pblock_get( pb, SLAPI_CONN_DN, (void *)&op->oq_bind.rb_edn.bv_val );
+ slapi_pblock_get( pb, SLAPI_CONN_DN, (void *)&op->orb_edn.bv_val );
+ if ( op->orb_edn.bv_val ) op->orb_edn.bv_len = strlen( op->orb_edn.bv_val );
 }
- rs->sr_err = dnPrettyNormal( NULL, &op->oq_bind.rb_edn, &op->o_req_dn, &op->o_req_ndn );
+ rs->sr_err = dnPrettyNormal( NULL, &op->orb_edn, &op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx );
 ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
- op->o_conn->c_dn = op->o_req_dn;
- op->o_conn->c_ndn = op->o_req_ndn;
+ ber_dupbv(&op->o_conn->c_dn, &op->o_req_dn);
+ ber_dupbv(&op->o_conn->c_ndn, &op->o_req_ndn);
+ op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
 op->o_req_dn.bv_val = NULL;
 op->o_req_dn.bv_len = 0;
+ op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
 op->o_req_ndn.bv_val = NULL;
 op->o_req_ndn.bv_len = 0;
 if ( op->o_conn->c_dn.bv_len != 0 ) {
@@ -575,7 +586,7 @@ do_bind(
 #endif /* defined( LDAP_SLAPI ) */
 
 if ( op->o_bd->be_bind ) {
- op->oq_bind.rb_method = method;
+ op->orb_method = method;
 rs->sr_err = (op->o_bd->be_bind)( op, rs );
 
 if ( rs->sr_err == 0 ) {
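Review bot: After the new condition, ldapRc can no longer equal LDAP_SUCCESS when `if ( rs->sr_err != SLAPI_BIND_FAIL && ldapRc == LDAP_SUCCESS )` is evaluated — the first branch rewrites an LDAP_SUCCESS result to LDAP_OTHER — so the whole "Set the new connection DN" block, including the new strlen, dnPrettyNormal, ber_dupbv and o_tmpfree lines, is unreachable. If the intent is only to treat a missing result code as an error, the condition should be `if ( slapi_pblock_get( pb, SLAPI_RESULT_CODE, (void *)&ldapRc ) != 0 ) {`; if plugins that report success are expected to set the connection DN themselves, the later ldapRc test should go instead — which one is meant is not decidable from this hunk. That same line reads the pblock through op->o_pb while every other call in the block uses the local pb; pick one. Separately, the second dnPrettyNormal overwrites the o_req_dn/o_req_ndn that the earlier call filled from the same tmpmemctx without releasing them, and its result is not checked before ber_dupbv copies o_req_dn into the connection. The enclosing SLAPI block starts outside the hunk.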
@@ -585,17 +596,14 @@ do_bind(
 op->o_conn->c_authz_backend = op->o_bd;
 }
 
- if(op->oq_bind.rb_edn.bv_len) {
- op->o_conn->c_dn = op->oq_bind.rb_edn;
+ /* be_bind returns regular/global edn */
+ if(op->orb_edn.bv_len) {
+ op->o_conn->c_dn = op->orb_edn;
 } else {
- op->o_conn->c_dn = op->o_req_dn;
- op->o_req_dn.bv_val = NULL;
- op->o_req_dn.bv_len = 0;
+ ber_dupbv(&op->o_conn->c_dn, &op->o_req_dn);
 }
 
- op->o_conn->c_ndn = op->o_req_ndn;
- op->o_req_ndn.bv_val = NULL;
- op->o_req_ndn.bv_len = 0;
+ ber_dupbv( &op->o_conn->c_ndn, &op->o_req_ndn );
 
 if( op->o_conn->c_dn.bv_len != 0 ) {
 ber_len_t max = sockbuf_max_incoming_auth;
@@ -624,8 +632,8 @@ do_bind(
 /* send this here to avoid a race condition */
 send_ldap_result( op, rs );
 
- } else if (op->oq_bind.rb_edn.bv_val != NULL) {
- free( op->oq_bind.rb_edn.bv_val );
+ } else if (op->orb_edn.bv_val != NULL) {
+ free( op->orb_edn.bv_val );
 }
 
 } else {
@@ -634,7 +642,7 @@ do_bind(
 }
 
 #if defined( LDAP_SLAPI )
- if ( doPluginFNs( op->o_bd, SLAPI_PLUGIN_POST_BIND_FN, pb ) != 0 ) {
+ if ( doPluginFNs( op->o_bd, SLAPI_PLUGIN_POST_BIND_FN, pb ) < 0 ) {
 #ifdef NEW_LOGGING
 LDAP_LOG( OPERATION, INFO,
 "do_bind: Bind postoperation plugins failed\n", 0, 0, 0);
@@ -649,10 +657,12 @@ cleanup:
 op->o_conn->c_sasl_bindop = NULL;
 
 if( op->o_req_dn.bv_val != NULL ) {
- free( op->o_req_dn.bv_val );
+ sl_free( op->o_req_dn.bv_val, op->o_tmpmemctx );
+ op->o_req_dn.bv_val = NULL;
 }
 if( op->o_req_ndn.bv_val != NULL ) {
- free( op->o_req_ndn.bv_val );
+ sl_free( op->o_req_ndn.bv_val, op->o_tmpmemctx );
+ op->o_req_ndn.bv_val = NULL;
 }
 
 return rs->sr_err;
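Review bot: The cleanup label at @@ -649 releases o_req_dn/o_req_ndn by calling sl_free directly, whereas the earlier hunks that release the same fields (the SASL path at @@ -292 and the SLAPI path at @@ -533) go through op->o_tmpfree; naming the slab allocator here ties this function to one memctx implementation and will silently diverge if o_tmpfree is ever bound to something else. I'd write `op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );` and the same for o_req_ndn. The hunk also nulls bv_val but leaves bv_len untouched, unlike the SLAPI path which resets both; if the op is never read after cleanup that is harmless, but a one-line comment `/* bv_len left as-is: op is not reused after cleanup */` would make the assumption explicit — I cannot confirm it from here. The cleanup label belongs to do_bind, whose body starts outside the hunk.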