X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fbind.c;h=34d617e6273b876232b1622cdc8a74b4b85bc653;hb=48b63d4f165269f29c35f89cceddd880c3966ef5;hp=bb9ccd3e1638a431ac888853c60f9ccad3cebadd;hpb=97bc10753776fb384d94d49608961043cb7f8b4b;p=openldap

diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index bb9ccd3e16..34d617e627 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -21,12 +21,6 @@
 
 #include "slap.h"
 
-char *supportedSASLMechanisms[] = {
-	"X-CRAM-MD5",
-	"X-DIGEST-MD5",
-	NULL
-};
-
 int
 do_bind(
     Connection	*conn,
@@ -37,19 +31,48 @@ do_bind(
 	ber_int_t		version;
 	ber_tag_t method;
 	char		*mech;
-	char		*cdn, *ndn;
+	char		*dn, *ndn;
 	ber_tag_t	tag;
-	int			rc;
+	int			rc = LDAP_SUCCESS;
 	struct berval	cred;
 	Backend		*be;
 
 	Debug( LDAP_DEBUG_TRACE, "do_bind\n", 0, 0, 0 );
 
-	cdn = NULL;
+	dn = NULL;
 	ndn = NULL;
 	mech = NULL;
 	cred.bv_val = NULL;
 
+	ldap_pvt_thread_mutex_lock( &conn->c_mutex );
+
+	/* Force to connection to "anonymous" until bind succeeds.
+	 * This may need to be relocated or done on a case by case basis
+	 * to handle certain SASL mechanisms.
+	 */
+
+	if ( conn->c_cdn != NULL ) {
+		free( conn->c_cdn );
+		conn->c_cdn = NULL;
+	}
+
+	if ( conn->c_dn != NULL ) {
+		free( conn->c_dn );
+		conn->c_dn = NULL;
+	}
+
+	ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
+
+	if ( op->o_dn != NULL ) {
+		free( op->o_dn );
+		op->o_dn = ch_strdup( "" );
+	}
+
+	if ( op->o_ndn != NULL ) {
+		free( op->o_ndn );
+		op->o_ndn = ch_strdup( "" );
+	}
+
 	/*
 	 * Parse the bind request.  It looks like this:
 	 *
@@ -59,20 +82,38 @@ do_bind(
 	 *		authentication	CHOICE {
 	 *			simple		[0] OCTET STRING -- passwd
 	 *			krbv42ldap	[1] OCTET STRING
-	 *			krbv42dsa	[1] OCTET STRING
+	 *			krbv42dsa	[2] OCTET STRING
+	 *			SASL		[3] SaslCredentials
 	 *		}
+	 *	}
+	 *
+	 *	SaslCredentials ::= SEQUENCE {
+     *		mechanism           LDAPString,
+     *		credentials         OCTET STRING OPTIONAL
 	 *	}
 	 */
 
-	tag = ber_scanf( ber, "{iat" /*}*/, &version, &cdn, &method );
+	tag = ber_scanf( ber, "{iat" /*}*/, &version, &dn, &method );
 
 	if ( tag == LBER_ERROR ) {
 		Debug( LDAP_DEBUG_ANY, "bind: ber_scanf failed\n", 0, 0, 0 );
-		send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR, NULL,
-		    "decoding error" );
+		send_ldap_disconnect( conn, op,
+			LDAP_PROTOCOL_ERROR, "decoding error" );
+		rc = -1;
 		goto cleanup;
 	}
 
+	ndn = ch_strdup( dn );
+
+	if ( dn_normalize_case( ndn ) == NULL ) {
+		Debug( LDAP_DEBUG_ANY, "bind: invalid dn (%s)\n", dn, 0, 0 );
+		send_ldap_result( conn, op, rc = LDAP_INVALID_DN_SYNTAX, NULL,
+		    "invalid DN", NULL, NULL );
+		goto cleanup;
+	}
+
+	op->o_protocol = version;
+
 	if( method != LDAP_AUTH_SASL ) {
 		tag = ber_scanf( ber, /*{*/ "o}", &cred );
 
@@ -94,35 +135,33 @@ do_bind(
 	}
 
 	if ( tag == LBER_ERROR ) {
-		send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR, NULL,
+		send_ldap_disconnect( conn, op,
+			LDAP_PROTOCOL_ERROR,
     		"decoding error" );
+		rc = -1;
 		goto cleanup;
 	}
 
-#ifdef GET_CTRLS
 	if( (rc = get_ctrls( conn, op, 1 )) != LDAP_SUCCESS ) {
 		Debug( LDAP_DEBUG_ANY, "do_bind: get_ctrls failed\n", 0, 0, 0 );
 		goto cleanup;
 	} 
-#endif
 
 	if( method == LDAP_AUTH_SASL ) {
 		Debug( LDAP_DEBUG_TRACE, "do_sasl_bind: dn (%s) mech %s\n",
-			cdn, mech, NULL );
+			dn, mech, NULL );
 	} else {
 		Debug( LDAP_DEBUG_TRACE, "do_bind: version %d dn (%s) method %d\n",
-			version, cdn, method );
+			version, dn, method );
 	}
 
-	ndn = dn_normalize_case( ch_strdup( cdn ) );
-
 	Statslog( LDAP_DEBUG_STATS, "conn=%d op=%d BIND dn=\"%s\" method=%d\n",
-	    conn->c_connid, op->o_opid, ndn, method, 0 );
+	    op->o_connid, op->o_opid, ndn, method, 0 );
 
 	if ( version < LDAP_VERSION_MIN || version > LDAP_VERSION_MAX ) {
 		Debug( LDAP_DEBUG_ANY, "unknown version %d\n", version, 0, 0 );
-		send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR, NULL,
-		    "version not supported" );
+		send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR,
+			NULL, "version not supported", NULL, NULL );
 		goto cleanup;
 	}
 
@@ -130,8 +169,9 @@ do_bind(
 		if ( version < LDAP_VERSION3 ) {
 			Debug( LDAP_DEBUG_ANY, "do_bind: sasl with LDAPv%d\n",
 				version, 0, 0 );
-			send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR, NULL,
-				"sasl bind requires LDAPv3" );
+			send_ldap_disconnect( conn, op,
+				LDAP_PROTOCOL_ERROR, "sasl bind requires LDAPv3" );
+			rc = -1;
 			goto cleanup;
 		}
 
@@ -140,7 +180,7 @@ do_bind(
 				"do_bind: no sasl mechanism provided\n",
 				version, 0, 0 );
 			send_ldap_result( conn, op, rc = LDAP_AUTH_METHOD_NOT_SUPPORTED,
-				NULL, "no sasl mechanism provided" );
+				NULL, "no sasl mechanism provided", NULL, NULL );
 			goto cleanup;
 		}
 
@@ -149,30 +189,63 @@ do_bind(
 				"do_bind: sasl mechanism \"%s\" not supported.\n",
 				mech, 0, 0 );
 			send_ldap_result( conn, op, rc = LDAP_AUTH_METHOD_NOT_SUPPORTED,
-				NULL, "sasl mechanism not supported" );
+				NULL, "sasl mechanism not supported", NULL, NULL );
 			goto cleanup;
 		}
-	}
 
-	/* accept null binds */
-	if ( ndn == NULL || *ndn == '\0' ) {
 		ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 
-		conn->c_protocol = version;
+		if ( conn->c_authmech != NULL ) {
+			assert( conn->c_bind_in_progress );
+
+			if((strcmp(conn->c_authmech, mech) != 0)) {
+				/* mechanism changed, cancel in progress bind */
+				conn->c_bind_in_progress = 0;
+				if( conn->c_authstate != NULL ) {
+					free(conn->c_authstate);
+					conn->c_authstate = NULL;
+				}
+				free(conn->c_authmech);
+				conn->c_authmech = NULL;
+			}
 
-		if ( conn->c_cdn != NULL ) {
-			free( conn->c_cdn );
-			conn->c_cdn = NULL;
+#ifdef LDAP_DEBUG
+		} else {
+			assert( !conn->c_bind_in_progress );
+			assert( conn->c_authmech == NULL );
+			assert( conn->c_authstate == NULL );
+#endif
 		}
 
-		if ( conn->c_dn != NULL ) {
-			free( conn->c_dn );
-			conn->c_dn = NULL;
+	} else {
+		ldap_pvt_thread_mutex_lock( &conn->c_mutex );
+
+		if ( conn->c_authmech != NULL ) {
+			assert( conn->c_bind_in_progress );
+
+			/* cancel in progress bind */
+			conn->c_bind_in_progress = 0;
+
+			if( conn->c_authstate != NULL ) {
+				free(conn->c_authstate);
+				conn->c_authstate = NULL;
+			}
+			free(conn->c_authmech);
+			conn->c_authmech = NULL;
 		}
+	}
 
-		ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
+	conn->c_protocol = version;
+	ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 
-		send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
+	/* accept null binds */
+	if ( ndn == NULL || *ndn == '\0' ) {
+		/*
+		 * we already forced connection to "anonymous", we just
+		 * need to send success
+		 */
+		send_ldap_result( conn, op, LDAP_SUCCESS,
+			NULL, NULL, NULL, NULL );
 		goto cleanup;
 	}
 
@@ -184,30 +257,16 @@ do_bind(
 
 	if ( (be = select_backend( ndn )) == NULL ) {
 		if ( cred.bv_len == 0 ) {
-			ldap_pvt_thread_mutex_lock( &conn->c_mutex );
-
-			conn->c_protocol = version;
-
-			if ( conn->c_cdn != NULL ) {
-				free( conn->c_cdn );
-				conn->c_cdn = NULL;
-			}
-
-			if ( conn->c_dn != NULL ) {
-				free( conn->c_dn );
-				conn->c_dn = NULL;
-			}
+			send_ldap_result( conn, op, LDAP_SUCCESS,
+				NULL, NULL, NULL, NULL );
 
-			ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
+		} else if ( default_referral ) {
+			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
+				NULL, NULL, default_referral, NULL );
 
-			send_ldap_result( conn, op, LDAP_SUCCESS,
-				NULL, NULL );
-		} else if ( default_referral && *default_referral ) {
-			send_ldap_result( conn, op, rc = LDAP_PARTIAL_RESULTS,
-				NULL, default_referral );
 		} else {
 			send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
-				NULL, default_referral );
+				NULL, NULL, NULL, NULL );
 		}
 
 		goto cleanup;
@@ -217,23 +276,14 @@ do_bind(
 		/* alias suffix */
 		char *edn;
 
-		ndn = suffixAlias( ndn, op, be );
+		/* deref suffix alias if appropriate */
+		ndn = suffix_alias( be, ndn );
 
 		if ( (*be->be_bind)( be, conn, op, ndn, method, mech, &cred, &edn ) == 0 ) {
 			ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 
-			conn->c_protocol = version;
-
-			if ( conn->c_cdn != NULL ) {
-				free( conn->c_cdn );
-			}
-
-			conn->c_cdn = cdn;
-			cdn = NULL;
-
-			if ( conn->c_dn != NULL ) {
-				free( conn->c_dn );
-			}
+			conn->c_cdn = dn;
+			dn = NULL;
 
 			if(edn != NULL) {
 				conn->c_dn = edn;
@@ -248,20 +298,21 @@ do_bind(
 			ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 
 			/* send this here to avoid a race condition */
-			send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL );
+			send_ldap_result( conn, op, LDAP_SUCCESS,
+				NULL, NULL, NULL, NULL );
 
 		} else if (edn != NULL) {
 			free( edn );
 		}
 
 	} else {
-		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM, NULL,
-		    "Function not implemented" );
+		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
+			NULL, "Function not implemented", NULL, NULL );
 	}
 
 cleanup:
-	if( cdn != NULL ) {
-		free( cdn );
+	if( dn != NULL ) {
+		free( dn );
 	}
 	if( ndn != NULL ) {
 		free( ndn );