X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fbind.c;h=d7b1cf36ec52eb90781b3bfcdbee17c0294106eb;hb=30d946959ed8d046af2a9817a3fdc24a4e42d233;hp=98884d4e43b7924c9385f852fc031d43e7742a02;hpb=925714ceeff035c596ad3d3c899ff631986c6757;p=openldap

diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index 98884d4e43..d7b1cf36ec 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -1,7 +1,7 @@
 /* bind.c - decode an ldap bind operation and pass it to a backend db */
 /* $OpenLDAP$ */
 /*
- * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 
@@ -18,6 +18,7 @@
  */
 
 #include "portable.h"
+#include "slapi_common.h"
 
 #include <stdio.h>
 
@@ -26,6 +27,8 @@
 
 #include "ldap_pvt.h"
 #include "slap.h"
+#include "slapi.h"
+
 
 int
 do_bind(
@@ -45,7 +48,9 @@ do_bind(
 	int	rc = LDAP_SUCCESS;
 	const char *text;
 	struct berval cred = { 0, NULL };
-	Backend *be;
+	Backend *be = NULL;
+
+	Slapi_PBlock *pb = op->o_pb;
 
 #ifdef NEW_LOGGING
 	LDAP_LOG( OPERATION, ENTRY, "do_bind: conn %d\n", conn->c_connid, 0, 0 );
@@ -58,6 +63,14 @@ do_bind(
 	 */
 	ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 	if ( conn->c_sasl_bind_in_progress ) be = conn->c_authz_backend;
+
+	/* log authorization identity demotion */
+	if ( conn->c_dn.bv_len ) {
+		Statslog( LDAP_DEBUG_STATS,
+			"conn=%lu op=%lu AUTHZ anonymous mech=implicit ssf=0",
+			op->o_connid, op->o_opid, 0, 0, 0 );
+	}
+
 	connection2anonymous( conn );
 	if ( conn->c_sasl_bind_in_progress ) conn->c_authz_backend = be;
 	ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
@@ -89,8 +102,8 @@ do_bind(
 	 *	}
 	 *
 	 *	SaslCredentials ::= SEQUENCE {
-     *		mechanism	    LDAPString,
-     *		credentials	    OCTET STRING OPTIONAL
+	 *		mechanism	    LDAPString,
+	 *		credentials	    OCTET STRING OPTIONAL
 	 *	}
 	 */
 
@@ -232,7 +245,6 @@ do_bind(
 	}
 
 	/* Set the bindop for the benefit of in-directory SASL lookups */
-	ldap_pvt_thread_mutex_lock( &conn->c_sasl_bindmutex );
 	conn->c_sasl_bindop = op;
 
 	if ( method == LDAP_AUTH_SASL ) {
@@ -278,7 +290,7 @@ do_bind(
 
 		ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 		if ( conn->c_sasl_bind_in_progress ) {
-			if((ber_bvcmp(&conn->c_sasl_bind_mech, &mech) != 0)) {
+			if( !bvmatch( &conn->c_sasl_bind_mech, &mech ) ) {
 				/* mechanism changed between bind steps */
 				slap_sasl_reset(conn);
 			}
@@ -311,19 +323,30 @@ do_bind(
 			}
 
 			if( conn->c_dn.bv_len != 0 ) {
-				ber_len_t max = sockbuf_max_incoming;
+				ber_len_t max = sockbuf_max_incoming_auth;
 				ber_sockbuf_ctrl( conn->c_sb,
 					LBER_SB_OPT_SET_MAX_INCOMING, &max );
 			}
 
+			/* log authorization identity */
+			Statslog( LDAP_DEBUG_STATS,
+				"conn=%lu op=%lu AUTHZ dn=\"%s\" mech=%s ssf=%d\n",
+				op->o_connid, op->o_opid,
+				conn->c_dn.bv_val ? conn->c_dn.bv_val : "<empty>",
+				conn->c_authmech.bv_val, ssf );
+
 #ifdef NEW_LOGGING
 			LDAP_LOG( OPERATION, DETAIL1, 
 				"do_bind: SASL/%s bind: dn=\"%s\" ssf=%d\n",
-				conn->c_authmech.bv_val, conn->c_dn.bv_val, ssf );
+				conn->c_authmech.bv_val,
+				conn->c_dn.bv_val ? conn->c_dn.bv_val : "<empty>",
+				ssf );
 #else
 			Debug( LDAP_DEBUG_TRACE,
 				"do_bind: SASL/%s bind: dn=\"%s\" ssf=%d\n",
-				conn->c_authmech.bv_val, conn->c_dn.bv_val, ssf );
+				conn->c_authmech.bv_val,
+				conn->c_dn.bv_val ? conn->c_dn.bv_val : "<empty>",
+				ssf );
 #endif
 
 		} else if ( rc == LDAP_SASL_BIND_IN_PROGRESS ) {
@@ -420,7 +443,7 @@ do_bind(
 			goto cleanup;
 
 		} else if (( global_disallows & SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED )
-			&& ( op->o_ssf < global_ssf_set.sss_ssf ))
+			&& ( op->o_ssf <= 1 ))
 		{
 			rc = LDAP_CONFIDENTIALITY_REQUIRED;
 			text = "unwilling to perform simple authentication "
@@ -513,6 +536,69 @@ do_bind(
 		goto cleanup;
 	}
 
+#if defined( LDAP_SLAPI )
+	slapi_x_backend_set_pb( pb, be );
+	slapi_x_connection_set_pb( pb, conn );
+	slapi_x_operation_set_pb( pb, op );
+	slapi_pblock_set( pb, SLAPI_BIND_TARGET, (void *)dn.bv_val );
+	slapi_pblock_set( pb, SLAPI_BIND_METHOD, (void *)method );
+	slapi_pblock_set( pb, SLAPI_BIND_CREDENTIALS, (void *)&cred );
+	slapi_pblock_set( pb, SLAPI_MANAGEDSAIT, (void *)(1) );
+
+	rc = doPluginFNs( be, SLAPI_PLUGIN_PRE_BIND_FN, pb );
+	if ( rc != SLAPI_BIND_SUCCESS ) {
+		/*
+		 * Binding is a special case for SLAPI plugins. It is
+		 * possible for a bind plugin to be successful *and*
+		 * abort further processing; this means it has handled
+		 * a bind request authoritatively. If we have reached
+		 * here, a result has been sent to the client (XXX
+		 * need to check with Sun whether SLAPI_BIND_ANONYMOUS
+		 * means a result has been sent).
+		 */
+		int ldapRc;
+
+		if ( slapi_pblock_get( pb, SLAPI_RESULT_CODE, (void *)&ldapRc ) != 0 )
+			ldapRc = LDAP_OPERATIONS_ERROR;
+
+		edn.bv_val = NULL;
+		edn.bv_len = 0;
+		if ( rc != SLAPI_BIND_FAIL && ldapRc == LDAP_SUCCESS ) {
+			/* Set the new connection DN. */
+			if ( rc != SLAPI_BIND_ANONYMOUS ) {
+				slapi_pblock_get( pb, SLAPI_CONN_DN, (void *)&edn.bv_val );
+			}
+			rc = dnPrettyNormal( NULL, &edn, &pdn, &ndn );
+			ldap_pvt_thread_mutex_lock( &conn->c_mutex );
+			conn->c_dn = pdn;
+			conn->c_ndn = ndn;
+			pdn.bv_val = NULL;
+			pdn.bv_len = 0;
+			ndn.bv_val = NULL;
+			ndn.bv_len = 0;
+			if ( conn->c_dn.bv_len != 0 ) {
+				ber_len_t max = sockbuf_max_incoming_auth;
+				ber_sockbuf_ctrl( conn->c_sb, LBER_SB_OPT_SET_MAX_INCOMING, &max );
+			}
+			/* log authorization identity */
+			Statslog( LDAP_DEBUG_STATS,
+				"conn=%lu op=%lu AUTHZ dn=\"%s\" mech=simple (SLAPI) ssf=0\n",
+				op->o_connid, op->o_opid,
+				conn->c_dn.bv_val, 0, 0 );
+			ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
+		}
+#ifdef NEW_LOGGING
+		LDAP_LOG( OPERATION, INFO, "do_bind: Bind preoperation plugin returned %d\n",
+				rc, 0, 0);
+#else
+		Debug(LDAP_DEBUG_TRACE, "do_bind: Bind preoperation plugin returned %d.\n",
+				rc, 0, 0);
+#endif
+		rc = ldapRc;
+		goto cleanup;
+	}
+#endif /* defined( LDAP_SLAPI ) */
+
 	if ( be->be_bind ) {
 		int ret;
 
@@ -542,11 +628,17 @@ do_bind(
 			ndn.bv_len = 0;
 
 			if( conn->c_dn.bv_len != 0 ) {
-				ber_len_t max = sockbuf_max_incoming;
+				ber_len_t max = sockbuf_max_incoming_auth;
 				ber_sockbuf_ctrl( conn->c_sb,
 					LBER_SB_OPT_SET_MAX_INCOMING, &max );
 			}
 
+			/* log authorization identity */
+			Statslog( LDAP_DEBUG_STATS,
+				"conn=%lu op=%lu AUTHZ dn=\"%s\" mech=simple ssf=0\n",
+				op->o_connid, op->o_opid,
+				conn->c_dn.bv_val, conn->c_authmech.bv_val, 0 );
+
 #ifdef NEW_LOGGING
 			LDAP_LOG( OPERATION, DETAIL1, 
 				"do_bind: v%d bind: \"%s\" to \"%s\" \n",
@@ -573,9 +665,20 @@ do_bind(
 			NULL, NULL );
 	}
 
+#if defined( LDAP_SLAPI )
+	if ( doPluginFNs( be, SLAPI_PLUGIN_POST_BIND_FN, pb ) != 0 ) {
+#ifdef NEW_LOGGING
+		LDAP_LOG( OPERATION, INFO, "do_bind: Bind postoperation plugins failed\n",
+				0, 0, 0);
+#else
+		Debug(LDAP_DEBUG_TRACE, "do_bind: Bind postoperation plugins failed.\n",
+				0, 0, 0);
+#endif
+	}
+#endif /* defined( LDAP_SLAPI ) */
+
 cleanup:
 	conn->c_sasl_bindop = NULL;
-	ldap_pvt_thread_mutex_unlock( &conn->c_sasl_bindmutex );
 
 	if( pdn.bv_val != NULL ) {
 		free( pdn.bv_val );