X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslurpd%2Fldap_op.c;h=dc06b2d310e215eb600257e9e56855cbd35e418c;hb=a6e232e7c1c6815b214e5f920459cd63ceeb54e7;hp=855eca296b3182a3bd8e177d26e7a46cb38cf273;hpb=a0b741102d939c2fd2f6ae50e91af6904f53798f;p=openldap
diff --git a/servers/slurpd/ldap_op.c b/servers/slurpd/ldap_op.c
index 855eca296b..dc06b2d310 100644
--- a/servers/slurpd/ldap_op.c
+++ b/servers/slurpd/ldap_op.c
@@ -1,5 +1,19 @@
-/*
- * Copyright (c) 1996 Regents of the University of Michigan.
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software .
+ *
+ * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Portions Copyright 2003 Mark Benson.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * .
+ */
+/* Portions Copyright (c) 1996 Regents of the University of Michigan.
* All rights reserved.
*
* Redistribution and use in source and binary forms are permitted
@@ -9,6 +23,12 @@
* software without specific prior written permission. This software
* is provided ``as is'' without express or implied warranty.
*/
+/* ACKNOWLEDGEMENTS:
+ * This work was originally developed by the University of Michigan
+ * (as part of U-MICH LDAP). Additional significant contributors
+ * include:
+ * Mark Benson
+ */
/*
* ldap_op.c - routines to perform LDAP operations
@@ -17,47 +37,41 @@
#include "portable.h"
#include
-#include
+
+#include
#include
#include
#include
#include
-#include /* Get_t getpid() */
+#include
-#include
-
-#include
+#define LDAP_DEPRECATED 1
#include
-
+#include "lutil_ldap.h"
#include "slurp.h"
/* Forward references */
static struct berval **make_singlevalued_berval LDAP_P(( char *, int ));
-static int op_ldap_add LDAP_P(( Ri *, Re *, char ** ));
-static int op_ldap_modify LDAP_P(( Ri *, Re *, char ** ));
-static int op_ldap_delete LDAP_P(( Ri *, Re *, char ** ));
-static int op_ldap_modrdn LDAP_P(( Ri *, Re *, char ** ));
+static int op_ldap_add LDAP_P(( Ri *, Re *, char **, int * ));
+static int op_ldap_modify LDAP_P(( Ri *, Re *, char **, int * ));
+static int op_ldap_delete LDAP_P(( Ri *, Re *, char **, int * ));
+static int op_ldap_modrdn LDAP_P(( Ri *, Re *, char **, int * ));
static LDAPMod *alloc_ldapmod LDAP_P(( void ));
static void free_ldapmod LDAP_P(( LDAPMod * ));
static void free_ldmarr LDAP_P(( LDAPMod ** ));
static int getmodtype LDAP_P(( char * ));
+#ifdef SLAPD_UNUSED
static void dump_ldm_array LDAP_P(( LDAPMod ** ));
-static char **read_krbnames LDAP_P(( Ri * ));
-static void upcase LDAP_P(( char * ));
+#endif
static int do_bind LDAP_P(( Ri *, int * ));
static int do_unbind LDAP_P(( Ri * ));
-static char *kattrs[] = {"kerberosName", NULL };
-static struct timeval kst = {30L, 0L};
-
-
-
/*
* Determine the type of ldap operation being performed and call the
* appropriate routine.
- * - If successful, returns ERR_DO_LDAP_OK
+ * - If successful, returns DO_LDAP_OK
* - If a retryable error occurs, ERR_DO_LDAP_RETRYABLE is returned.
* The caller should wait a while and retry the operation.
* - If a fatal error occurs, ERR_DO_LDAP_FATAL is returned. The caller
@@ -66,90 +80,97 @@ static struct timeval kst = {30L, 0L};
*/
int
do_ldap(
- Ri *ri,
- Re *re,
- char **errmsg
+ Ri *ri,
+ Re *re,
+ char **errmsg,
+ int *errfree
)
{
- int rc = 0;
- int lderr = LDAP_SUCCESS;
- int retry = 2;
-
- *errmsg = NULL;
-
- while ( retry > 0 ) {
- if ( ri->ri_ldp == NULL ) {
- rc = do_bind( ri, &lderr );
- if ( rc != BIND_OK ) {
- return DO_LDAP_ERR_RETRYABLE;
- }
- }
-
- switch ( re->re_changetype ) {
- case T_ADDCT:
- lderr = op_ldap_add( ri, re, errmsg );
- if ( lderr != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY,
- "Error: ldap_add_s failed adding \"%s\": %s\n",
- *errmsg ? *errmsg : ldap_err2string( lderr ),
- re->re_dn, 0 );
- }
- break;
- case T_MODIFYCT:
- lderr = op_ldap_modify( ri, re, errmsg );
- if ( lderr != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY,
- "Error: ldap_modify_s failed modifying \"%s\": %s\n",
- *errmsg ? *errmsg : ldap_err2string( lderr ),
- re->re_dn, 0 );
- }
- break;
- case T_DELETECT:
- lderr = op_ldap_delete( ri, re, errmsg );
- if ( lderr != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY,
- "Error: ldap_delete_s failed deleting \"%s\": %s\n",
- *errmsg ? *errmsg : ldap_err2string( lderr ),
- re->re_dn, 0 );
- }
- break;
- case T_MODRDNCT:
- lderr = op_ldap_modrdn( ri, re, errmsg );
- if ( lderr != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY,
- "Error: ldap_modrdn_s failed modifying %s: %s\n",
- *errmsg ? *errmsg : ldap_err2string( lderr ),
- re->re_dn, 0 );
- }
- break;
- default:
- Debug( LDAP_DEBUG_ANY,
- "Error: do_ldap: bad op \"%d\", dn = \"%s\"\n",
- re->re_changetype, re->re_dn, 0 );
- return DO_LDAP_ERR_FATAL;
- }
-
- /*
- * Analyze return code. If ok, just return. If LDAP_SERVER_DOWN,
- * we may have been idle long enough that the remote slapd timed
- * us out. Rebind and try again.
- */
- if ( lderr == LDAP_SUCCESS ) {
- return DO_LDAP_OK;
- } else if ( lderr == LDAP_SERVER_DOWN ) {
- /* The LDAP server may have timed us out - rebind and try again */
- (void) do_unbind( ri );
- retry--;
- } else {
- return DO_LDAP_ERR_FATAL;
- }
- }
- return DO_LDAP_ERR_FATAL;
+ int retry = 2;
+ *errmsg = NULL;
+ *errfree = 0;
+
+ do {
+ int lderr;
+ if ( ri->ri_ldp == NULL ) {
+ lderr = do_bind( ri, &lderr );
+
+ if ( lderr != BIND_OK ) {
+ return DO_LDAP_ERR_RETRYABLE;
+ }
+ }
+
+ switch ( re->re_changetype ) {
+ case T_ADDCT:
+ lderr = op_ldap_add( ri, re, errmsg, errfree );
+ if ( lderr != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY,
+ "Error: ldap_add_s failed adding DN \"%s\": %s\n",
+ re->re_dn, *errmsg && (*errmsg)[0] ?
+ *errmsg : ldap_err2string( lderr ), 0 );
+ }
+ break;
+
+ case T_MODIFYCT:
+ lderr = op_ldap_modify( ri, re, errmsg, errfree );
+ if ( lderr != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY,
+ "Error: ldap_modify_s failed modifying DN \"%s\": %s\n",
+ re->re_dn, *errmsg && (*errmsg)[0] ?
+ *errmsg : ldap_err2string( lderr ), 0 );
+ }
+ break;
+
+ case T_DELETECT:
+ lderr = op_ldap_delete( ri, re, errmsg, errfree );
+ if ( lderr != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY,
+ "Error: ldap_delete_s failed deleting DN \"%s\": %s\n",
+ re->re_dn, *errmsg && (*errmsg)[0] ?
+ *errmsg : ldap_err2string( lderr ), 0 );
+ }
+ break;
+
+ case T_MODRDNCT:
+ lderr = op_ldap_modrdn( ri, re, errmsg, errfree );
+ if ( lderr != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY,
+ "Error: ldap_modrdn_s failed modifying DN \"%s\": %s\n",
+ re->re_dn, *errmsg && (*errmsg)[0] ?
+ *errmsg : ldap_err2string( lderr ), 0 );
+ }
+ break;
+
+ default:
+ Debug( LDAP_DEBUG_ANY,
+ "Error: do_ldap: bad op \"%d\", DN \"%s\"\n",
+ re->re_changetype, re->re_dn, 0 );
+ return DO_LDAP_ERR_FATAL;
+ }
+
+ /*
+ * Analyze return code. If ok, just return. If LDAP_SERVER_DOWN,
+ * we may have been idle long enough that the remote slapd timed
+ * us out. Rebind and try again.
+ */
+ switch( lderr ) {
+ case LDAP_SUCCESS:
+ return DO_LDAP_OK;
+
+ default:
+ return DO_LDAP_ERR_FATAL;
+
+ case LDAP_SERVER_DOWN: /* server went down */
+ (void) do_unbind( ri );
+ retry--;
+ }
+ } while ( retry > 0 );
+
+ return DO_LDAP_ERR_RETRYABLE;
}
-
/*
* Perform an ldap add operation.
*/
@@ -157,7 +178,8 @@ static int
op_ldap_add(
Ri *ri,
Re *re,
- char **errmsg
+ char **errmsg,
+ int *errfree
)
{
Mi *mi;
@@ -193,7 +215,9 @@ op_ldap_add(
ri->ri_hostname, ri->ri_port, re->re_dn );
rc = ldap_add_s( ri->ri_ldp, re->re_dn, ldmarr );
- ldap_get_option( ri->ri_ldp, LDAP_OPT_ERROR_NUMBER, &lderr);
+ ldap_get_option( ri->ri_ldp, LDAP_OPT_RESULT_CODE, &lderr);
+ ldap_get_option( ri->ri_ldp, LDAP_OPT_DIAGNOSTIC_MESSAGE, errmsg);
+ *errfree = 1;
} else {
*errmsg = "No modifications to do";
@@ -215,14 +239,15 @@ static int
op_ldap_modify(
Ri *ri,
Re *re,
- char **errmsg
+ char **errmsg,
+ int *errfree
)
{
Mi *mi;
int state; /* This code is a simple-minded state machine */
int nvals; /* Number of values we're modifying */
int nops; /* Number of LDAPMod structs in ldmarr */
- LDAPMod *ldm, **ldmarr;
+ LDAPMod *ldm = NULL, **ldmarr;
int i, len;
char *type, *value;
int rc = 0;
@@ -280,6 +305,16 @@ op_ldap_modify(
nvals = 0;
nops++;
break;
+ case T_MODOPINCREMENT:
+ state = T_MODOPINCREMENT;
+ ldmarr = ( LDAPMod ** )
+ ch_realloc(ldmarr, (( nops + 2 ) * ( sizeof( LDAPMod * ))));
+ ldmarr[ nops ] = ldm = alloc_ldapmod();
+ ldm->mod_op = LDAP_MOD_INCREMENT | LDAP_MOD_BVALUES;
+ ldm->mod_type = value;
+ nvals = 0;
+ nops++;
+ break;
default:
if ( state == AWAITING_OP ) {
Debug( LDAP_DEBUG_ANY,
@@ -288,6 +323,8 @@ op_ldap_modify(
continue;
}
+ assert( ldm != NULL );
+
/*
* We should have an attribute: value pair here.
* Construct the mod_bvalues part of the ldapmod struct.
@@ -316,6 +353,8 @@ op_ldap_modify(
Debug( LDAP_DEBUG_ARGS, "replica %s:%d - modify dn \"%s\"\n",
ri->ri_hostname, ri->ri_port, re->re_dn );
rc = ldap_modify_s( ri->ri_ldp, re->re_dn, ldmarr );
+ ldap_get_option( ri->ri_ldp, LDAP_OPT_DIAGNOSTIC_MESSAGE, errmsg);
+ *errfree = 1;
}
free_ldmarr( ldmarr );
return( rc );
@@ -331,7 +370,8 @@ static int
op_ldap_delete(
Ri *ri,
Re *re,
- char **errmsg
+ char **errmsg,
+ int *errfree
)
{
int rc;
@@ -339,6 +379,8 @@ op_ldap_delete(
Debug( LDAP_DEBUG_ARGS, "replica %s:%d - delete dn \"%s\"\n",
ri->ri_hostname, ri->ri_port, re->re_dn );
rc = ldap_delete_s( ri->ri_ldp, re->re_dn );
+ ldap_get_option( ri->ri_ldp, LDAP_OPT_DIAGNOSTIC_MESSAGE, errmsg);
+ *errfree = 1;
return( rc );
}
@@ -349,14 +391,18 @@ op_ldap_delete(
/*
* Perform an ldap modrdn operation.
*/
-#define GOT_NEWRDN 1
-#define GOT_DRDNFLAGSTR 2
-#define GOT_ALLNEWRDNFLAGS ( GOT_NEWRDN | GOT_DRDNFLAGSTR )
+#define GOT_NEWRDN 0x1
+#define GOT_DELOLDRDN 0x2
+#define GOT_NEWSUP 0x4
+
+#define GOT_MODDN_REQ (GOT_NEWRDN|GOT_DELOLDRDN)
+#define GOT_ALL_MODDN(f) (((f) & GOT_MODDN_REQ) == GOT_MODDN_REQ)
static int
op_ldap_modrdn(
Ri *ri,
Re *re,
- char **errmsg
+ char **errmsg,
+ int *errfree
)
{
int rc = 0;
@@ -365,7 +411,8 @@ op_ldap_modrdn(
int lderr = 0;
int state = 0;
int drdnflag = -1;
- char *newrdn;
+ char *newrdn = NULL;
+ char *newsup = NULL;
if ( re->re_mods == NULL ) {
*errmsg = "No arguments given";
@@ -379,10 +426,27 @@ op_ldap_modrdn(
*/
for ( mi = re->re_mods, i = 0; mi[ i ].mi_type != NULL; i++ ) {
if ( !strcmp( mi[ i ].mi_type, T_NEWRDNSTR )) {
+ if( state & GOT_NEWRDN ) {
+ Debug( LDAP_DEBUG_ANY,
+ "Error: op_ldap_modrdn: multiple newrdn arg \"%s\"\n",
+ mi[ i ].mi_val, 0, 0 );
+ *errmsg = "Multiple newrdn argument";
+ return -1;
+ }
+
newrdn = mi[ i ].mi_val;
state |= GOT_NEWRDN;
- } else if ( !strcmp( mi[ i ].mi_type, T_DRDNFLAGSTR )) {
- state |= GOT_DRDNFLAGSTR;
+
+ } else if ( !strcmp( mi[ i ].mi_type, T_DELOLDRDNSTR )) {
+ if( state & GOT_DELOLDRDN ) {
+ Debug( LDAP_DEBUG_ANY,
+ "Error: op_ldap_modrdn: multiple deleteoldrdn arg \"%s\"\n",
+ mi[ i ].mi_val, 0, 0 );
+ *errmsg = "Multiple newrdn argument";
+ return -1;
+ }
+
+ state |= GOT_DELOLDRDN;
if ( !strcmp( mi[ i ].mi_val, "0" )) {
drdnflag = 0;
} else if ( !strcmp( mi[ i ].mi_val, "1" )) {
@@ -394,6 +458,19 @@ op_ldap_modrdn(
*errmsg = "Incorrect argument to deleteoldrdn";
return -1;
}
+
+ } else if ( !strcmp( mi[ i ].mi_type, T_NEWSUPSTR )) {
+ if( state & GOT_NEWSUP ) {
+ Debug( LDAP_DEBUG_ANY,
+ "Error: op_ldap_modrdn: multiple newsuperior arg \"%s\"\n",
+ mi[ i ].mi_val, 0, 0 );
+ *errmsg = "Multiple newsuperior argument";
+ return -1;
+ }
+
+ newsup = mi[ i ].mi_val;
+ state |= GOT_NEWSUP;
+
} else {
Debug( LDAP_DEBUG_ANY, "Error: op_ldap_modrdn: bad type \"%s\"\n",
mi[ i ].mi_type, 0, 0 );
@@ -405,7 +482,7 @@ op_ldap_modrdn(
/*
* Punt if we don't have all the args.
*/
- if ( state != GOT_ALLNEWRDNFLAGS ) {
+ if ( !GOT_ALL_MODDN(state) ) {
Debug( LDAP_DEBUG_ANY, "Error: op_ldap_modrdn: missing arguments\n",
0, 0, 0 );
*errmsg = "Missing argument: requires \"newrdn\" and \"deleteoldrdn\"";
@@ -416,10 +493,13 @@ op_ldap_modrdn(
if ( ldap_debug & LDAP_DEBUG_ARGS ) {
char buf[ 256 ];
char *buf2;
- sprintf( buf, "%s:%d", ri->ri_hostname, ri->ri_port );
- buf2 = (char *) ch_malloc( strlen( re->re_dn ) + strlen( mi->mi_val )
- + 10 );
- sprintf( buf2, "(\"%s\" -> \"%s\")", re->re_dn, mi->mi_val );
+ int buf2len = strlen( re->re_dn ) + strlen( mi->mi_val ) + 11;
+
+ snprintf( buf, sizeof(buf), "%s:%d", ri->ri_hostname, ri->ri_port );
+
+ buf2 = (char *) ch_malloc( buf2len );
+ snprintf( buf2, buf2len, "(\"%s\" -> \"%s\")", re->re_dn, mi->mi_val );
+
Debug( LDAP_DEBUG_ARGS,
"replica %s - modify rdn %s (flag: %d)\n",
buf, buf2, drdnflag );
@@ -427,10 +507,14 @@ op_ldap_modrdn(
}
#endif /* LDAP_DEBUG */
+ assert( newrdn != NULL );
+
/* Do the modrdn */
- rc = ldap_modrdn2_s( ri->ri_ldp, re->re_dn, mi->mi_val, drdnflag );
+ rc = ldap_rename2_s( ri->ri_ldp, re->re_dn, newrdn, newsup, drdnflag );
- ldap_get_option( ri->ri_ldp, LDAP_OPT_ERROR_NUMBER, &lderr);
+ ldap_get_option( ri->ri_ldp, LDAP_OPT_RESULT_CODE, &lderr);
+ ldap_get_option( ri->ri_ldp, LDAP_OPT_DIAGNOSTIC_MESSAGE, errmsg);
+ *errfree = 1;
return( lderr );
}
@@ -534,6 +618,9 @@ char *type )
if ( !strcmp( type, T_MODOPDELETESTR )) {
return( T_MODOPDELETE );
}
+ if ( !strcmp( type, T_MODOPINCREMENTSTR )) {
+ return( T_MODOPINCREMENT );
+ }
return( T_ERR );
}
@@ -582,16 +669,7 @@ do_bind(
)
{
int ldrc;
-#ifdef HAVE_KERBEROS
- int rc;
- int retval = 0;
- int kni, got_tgt;
- char **krbnames;
- char *skrbnames[ 2 ];
- char realm[ REALM_SZ ];
- char name[ ANAME_SZ ];
- char instance[ INST_SZ ];
-#endif /* HAVE_KERBEROS */
+ int do_tls;
*lderr = 0;
@@ -600,6 +678,9 @@ do_bind(
return( BIND_ERR_BADRI );
}
+ do_tls = ri->ri_tls;
+
+retry:
if ( ri->ri_ldp != NULL ) {
ldrc = ldap_unbind( ri->ri_ldp );
if ( ldrc != LDAP_SUCCESS ) {
@@ -609,117 +690,87 @@ do_bind(
}
ri->ri_ldp = NULL;
}
-
- Debug( LDAP_DEBUG_ARGS, "Open connection to %s:%d\n",
+
+ if ( ri->ri_uri != NULL ) { /* new URI style */
+ Debug( LDAP_DEBUG_ARGS, "Initializing session to %s\n",
+ ri->ri_uri, 0, 0 );
+
+ ldrc = ldap_initialize( &(ri->ri_ldp), ri->ri_uri);
+
+ if (ldrc != LDAP_SUCCESS) {
+ Debug( LDAP_DEBUG_ANY, "Error: ldap_initialize(0, %s) failed: %s\n",
+ ri->ri_uri, ldap_err2string(ldrc), 0 );
+ return( BIND_ERR_OPEN );
+ }
+ } else { /* old HOST style */
+ Debug( LDAP_DEBUG_ARGS, "Initializing session to %s:%d\n",
ri->ri_hostname, ri->ri_port, 0 );
- ri->ri_ldp = ldap_open( ri->ri_hostname, ri->ri_port );
+
+ ri->ri_ldp = ldap_init( ri->ri_hostname, ri->ri_port );
if ( ri->ri_ldp == NULL ) {
- Debug( LDAP_DEBUG_ANY, "Error: ldap_open(%s, %d) failed: %s\n",
- ri->ri_hostname, ri->ri_port, sys_errlist[ errno ] );
- return( BIND_ERR_OPEN );
+ Debug( LDAP_DEBUG_ANY, "Error: ldap_init(%s, %d) failed: %s\n",
+ ri->ri_hostname, ri->ri_port, sys_errlist[ errno ] );
+ return( BIND_ERR_OPEN );
+ }
}
- /*
- * Disable string translation if enabled by default.
- * The replication log is written in the internal format,
- * so this would do another translation, breaking havoc.
- */
-#if defined( STR_TRANSLATION ) && defined( LDAP_DEFAULT_CHARSET )
- ri->ri_ldp->ld_lberoptions &= ~LBER_TRANSLATE_STRINGS;
-#endif /* STR_TRANSLATION && LDAP_DEFAULT_CHARSET */
+ { /* set version 3 */
+ int err, version = LDAP_VERSION3;
+ err = ldap_set_option(ri->ri_ldp,
+ LDAP_OPT_PROTOCOL_VERSION, &version);
+
+ if( err != LDAP_OPT_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY,
+ "Error: ldap_set_option(%s, LDAP_OPT_VERSION, 3) failed!\n",
+ ri->ri_hostname, NULL, NULL );
+
+ ldap_unbind( ri->ri_ldp );
+ ri->ri_ldp = NULL;
+ return BIND_ERR_VERSION;
+ }
+ }
/*
* Set ldap library options to (1) not follow referrals, and
* (2) restart the select() system call.
*/
- ldap_set_option(ri->ri_ldp, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
+ {
+ int err;
+ err = ldap_set_option(ri->ri_ldp, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
+
+ if( err != LDAP_OPT_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY,
+ "Error: ldap_set_option(%s,REFERRALS, OFF) failed!\n",
+ ri->ri_hostname, NULL, NULL );
+ ldap_unbind( ri->ri_ldp );
+ ri->ri_ldp = NULL;
+ return BIND_ERR_REFERRALS;
+ }
+ }
ldap_set_option(ri->ri_ldp, LDAP_OPT_RESTART, LDAP_OPT_ON);
- switch ( ri->ri_bind_method ) {
- case AUTH_KERBEROS:
-#ifndef HAVE_KERBEROS
- Debug( LDAP_DEBUG_ANY,
- "Error: Kerberos bind for %s:%d, but not compiled w/kerberos\n",
- ri->ri_hostname, ri->ri_port, 0 );
- return( BIND_ERR_KERBEROS_FAILED );
-#else /* HAVE_KERBEROS */
- /*
- * Bind using kerberos.
- * If "bindprincipal" was given in the config file, then attempt
- * to get a TGT for that principal (via the srvtab file). If only
- * a binddn was given, then we need to read that entry to get
- * the kerberosName attributes, and try to get a TGT for one
- * of them. All are tried. The first one which succeeds is
- * returned. XXX It might be a good idea to just require a
- * bindprincipal. Reading the entry every time might be a significant
- * amount of overhead, if the connection is closed between most
- * updates.
- */
-
- if ( ri->ri_principal != NULL ) {
- skrbnames[ 0 ] = ri->ri_principal;
- skrbnames[ 1 ] = NULL;
- krbnames = skrbnames;
- } else {
- krbnames = read_krbnames( ri );
- }
-
- if (( krbnames == NULL ) || ( krbnames[ 0 ] == NULL )) {
- Debug( LDAP_DEBUG_ANY,
- "Error: Can't find krbname for binddn \"%s\"\n",
- ri->ri_bind_dn, 0, 0 );
- retval = BIND_ERR_KERBEROS_FAILED;
- goto kexit;
- }
- /*
- * Now we've got one or more kerberos principals. See if any
- * of them are in the srvtab file.
- */
- got_tgt = 0;
- for ( kni = 0; krbnames[ kni ] != NULL; kni++ ) {
- rc = kname_parse( name, instance, realm, krbnames[ kni ]);
- if ( rc != KSUCCESS ) {
- continue;
- }
- upcase( realm );
- rc = krb_get_svc_in_tkt( name, instance, realm, "krbtgt", realm,
- 1, ri->ri_srvtab );
- if ( rc != KSUCCESS) {
- Debug( LDAP_DEBUG_ANY, "Error: Can't get TGT for %s: %s\n",
- krbnames[ kni ], krb_err_txt[ rc ], 0 );
- } else {
- got_tgt = 1;
- break;
- }
- }
- if (!got_tgt) {
- Debug( LDAP_DEBUG_ANY,
- "Error: Could not obtain TGT for DN \"%s\"\n",
- ri->ri_bind_dn, 0, 0 );
- retval = BIND_ERR_KERBEROS_FAILED;
- goto kexit;
- }
- /*
- * We've got a TGT. Do a kerberos bind.
- */
- Debug( LDAP_DEBUG_ARGS, "bind to %s:%d as %s (kerberos)\n",
- ri->ri_hostname, ri->ri_port, ri->ri_bind_dn );
- ldrc = ldap_kerberos_bind_s( ri->ri_ldp, ri->ri_bind_dn );
- ri->ri_principal = strdup( krbnames[ kni ] );
- if ( ldrc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY, "Error: kerberos bind for %s:%dfailed: %s\n",
- ri->ri_hostname, ri->ri_port, ldap_err2string( ldrc ));
- *lderr = ldrc;
- retval = BIND_ERR_KERBEROS_FAILED;
- goto kexit;
+ if( do_tls ) {
+ int err = ldap_start_tls_s(ri->ri_ldp, NULL, NULL);
+
+ if( err != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: ldap_start_tls failed: %s (%d)\n",
+ ri->ri_tls == TLS_CRITICAL ? "Error" : "Warning",
+ ldap_err2string( err ), err );
+
+ if( ri->ri_tls == TLS_CRITICAL ) {
+ *lderr = err;
+ ldap_unbind( ri->ri_ldp );
+ ri->ri_ldp = NULL;
+ return BIND_ERR_TLS_FAILED;
+ }
+ do_tls = TLS_OFF;
+ goto retry;
+ }
}
-kexit: if ( krbnames != NULL ) {
- ldap_value_free( krbnames );
- }
- return( retval);
- break;
-#endif /* HAVE_KERBEROS */
- case AUTH_SIMPLE:
+
+ switch ( ri->ri_bind_method ) {
+ case LDAP_AUTH_SIMPLE:
/*
* Bind with a plaintext password.
*/
@@ -732,17 +783,95 @@ kexit: if ( krbnames != NULL ) {
"Error: ldap_simple_bind_s for %s:%d failed: %s\n",
ri->ri_hostname, ri->ri_port, ldap_err2string( ldrc ));
*lderr = ldrc;
+ ldap_unbind( ri->ri_ldp );
+ ri->ri_ldp = NULL;
return( BIND_ERR_SIMPLE_FAILED );
- } else {
- return( BIND_OK );
}
break;
+
+ case LDAP_AUTH_SASL:
+ Debug( LDAP_DEBUG_ARGS, "bind to %s as %s via %s (SASL)\n",
+ ri->ri_hostname,
+ ri->ri_authcId ? ri->ri_authcId : "-",
+ ri->ri_saslmech );
+
+#ifdef HAVE_CYRUS_SASL
+ if( ri->ri_secprops != NULL ) {
+ int err = ldap_set_option(ri->ri_ldp,
+ LDAP_OPT_X_SASL_SECPROPS, ri->ri_secprops);
+
+ if( err != LDAP_OPT_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY,
+ "Error: ldap_set_option(%s,SECPROPS,\"%s\") failed!\n",
+ ri->ri_hostname, ri->ri_secprops, NULL );
+ ldap_unbind( ri->ri_ldp );
+ ri->ri_ldp = NULL;
+ return BIND_ERR_SASL_FAILED;
+ }
+ }
+
+ {
+ void *defaults = lutil_sasl_defaults( ri->ri_ldp, ri->ri_saslmech,
+ ri->ri_realm, ri->ri_authcId, ri->ri_password, ri->ri_authzId );
+
+ ldrc = ldap_sasl_interactive_bind_s( ri->ri_ldp, ri->ri_bind_dn,
+ ri->ri_saslmech, NULL, NULL,
+ LDAP_SASL_QUIET, lutil_sasl_interact, defaults );
+
+ lutil_sasl_freedefs( defaults );
+ if ( ldrc != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY, "Error: LDAP SASL for %s:%d failed: %s\n",
+ ri->ri_hostname, ri->ri_port, ldap_err2string( ldrc ));
+ *lderr = ldrc;
+ ldap_unbind( ri->ri_ldp );
+ ri->ri_ldp = NULL;
+ return( BIND_ERR_SASL_FAILED );
+ }
+ }
+ break;
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "Error: do_bind: SASL not supported %s:%d\n",
+ ri->ri_hostname, ri->ri_port, NULL );
+ ldap_unbind( ri->ri_ldp );
+ ri->ri_ldp = NULL;
+ return( BIND_ERR_BAD_ATYPE );
+#endif
+
default:
Debug( LDAP_DEBUG_ANY,
"Error: do_bind: unknown auth type \"%d\" for %s:%d\n",
ri->ri_bind_method, ri->ri_hostname, ri->ri_port );
+ ldap_unbind( ri->ri_ldp );
+ ri->ri_ldp = NULL;
return( BIND_ERR_BAD_ATYPE );
}
+
+ {
+ int err;
+ LDAPControl c;
+ LDAPControl *ctrls[2];
+ ctrls[0] = &c;
+ ctrls[1] = NULL;
+
+ c.ldctl_oid = LDAP_CONTROL_MANAGEDSAIT;
+ c.ldctl_value.bv_val = NULL;
+ c.ldctl_value.bv_len = 0;
+ c.ldctl_iscritical = 0;
+
+ err = ldap_set_option(ri->ri_ldp, LDAP_OPT_SERVER_CONTROLS, &ctrls);
+
+ if( err != LDAP_OPT_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY, "Error: "
+ "ldap_set_option(%s, SERVER_CONTROLS, ManageDSAit) failed!\n",
+ ri->ri_hostname, NULL, NULL );
+ ldap_unbind( ri->ri_ldp );
+ ri->ri_ldp = NULL;
+ return BIND_ERR_MANAGEDSAIT;
+ }
+ }
+
+ return( BIND_OK );
}
@@ -752,6 +881,7 @@ kexit: if ( krbnames != NULL ) {
/*
* For debugging. Print the contents of an ldmarr array.
*/
+#ifdef SLAPD_UNUSED
static void
dump_ldm_array(
LDAPMod **ldmarr
@@ -785,78 +915,4 @@ dump_ldm_array(
}
}
}
-
-
-/*
- * Get the kerberos names from the binddn for "replica" via an ldap search.
- * Returns a null-terminated array of char *, or NULL if the entry could
- * not be found or there were no kerberosName attributes. The caller is
- * responsible for freeing the returned array and strings it points to.
- */
-static char **
-read_krbnames(
- Ri *ri
-)
-{
- int rc;
- char **krbnames;
- int ne;
- LDAPMessage *result, *entry;
-
- /* First need to bind as NULL */
- rc = ldap_simple_bind_s( ri->ri_ldp, NULL, NULL );
- if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY,
- "Error: null bind failed getting krbnames for %s:%d: %s\n",
- ri->ri_hostname, ri->ri_port, ldap_err2string( rc ));
- return( NULL );
- }
- rc = ldap_search_st( ri->ri_ldp, ri->ri_bind_dn, LDAP_SCOPE_BASE,
- "objectclass=*", kattrs, 0, &kst, &result );
- if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY,
- "Error: search failed getting krbnames for %s:%d: %s\n",
- ri->ri_hostname, ri->ri_port, ldap_err2string( rc ));
- return( NULL );
- }
- ne = ldap_count_entries( ri->ri_ldp, result );
- if ( ne == 0 ) {
- Debug( LDAP_DEBUG_ANY,
- "Error: Can't find entry \"%s\" for %s:%d kerberos bind\n",
- ri->ri_bind_dn, ri->ri_hostname, ri->ri_port );
- return( NULL );
- }
- if ( ne > 1 ) {
- Debug( LDAP_DEBUG_ANY,
- "Error: Kerberos binddn \"%s\" for %s:%dis ambiguous\n",
- ri->ri_bind_dn, ri->ri_hostname, ri->ri_port );
- return( NULL );
- }
- entry = ldap_first_entry( ri->ri_ldp, result );
- if ( entry == NULL ) {
- Debug( LDAP_DEBUG_ANY,
- "Error: Can't find \"%s\" for kerberos binddn for %s:%d\n",
- ri->ri_bind_dn, ri->ri_hostname, ri->ri_port );
- return( NULL );
- }
- krbnames = ldap_get_values( ri->ri_ldp, entry, "kerberosName" );
- ldap_msgfree( result );
- return( krbnames );
-}
-
-
-
-/*
- * upcase a string
- */
-static void
-upcase(
- char *s
-)
-{
- char *p;
-
- for ( p = s; ( p != NULL ) && ( *p != '\0' ); p++ ) {
- *p = TOUPPER( (unsigned char) *p );
- }
-}
+#endif