dn.c compare.c modify.c delete.c modrdn.c ch_malloc.c \
value.c ava.c bind.c unbind.c abandon.c filterentry.c \
phonetic.c acl.c str2filter.c aclparse.c init.c user.c \
- repl.c lock.c controls.c extended.c kerberos.c passwd.c \
+ repl.c lock.c controls.c extended.c passwd.c \
schema.c schema_check.c schema_init.c schema_prep.c \
schemaparse.c ad.c at.c mr.c syntax.c oc.c saslauthz.c \
oidm.c starttls.c index.c sets.c referral.c root_dse.c \
dn.o compare.o modify.o delete.o modrdn.o ch_malloc.o \
value.o ava.o bind.o unbind.o abandon.o filterentry.o \
phonetic.o acl.o str2filter.o aclparse.o init.o user.o \
- repl.o lock.o controls.o extended.o kerberos.o passwd.o \
+ repl.o lock.o controls.o extended.o passwd.o \
schema.o schema_check.o schema_init.o schema_prep.o \
schemaparse.o ad.o at.o mr.o syntax.o oc.o saslauthz.o \
oidm.o starttls.o index.o sets.o referral.o root_dse.o \
#include "portable.h"
#include <stdio.h>
-#include <ac/krb.h>
#include <ac/string.h>
#include <ac/unistd.h>
Entry *e;
Attribute *a;
EntryInfo *ei;
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- char krbname[MAX_K_NAME_SZ + 1];
- AttributeDescription *krbattr = slap_schema.si_ad_krbName;
- struct berval krbval;
- AUTH_DAT ad;
-#endif
AttributeDescription *password = slap_schema.si_ad_userPassword;
rs->sr_err = 0;
break;
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- case LDAP_AUTH_KRBV41:
- if ( krbv4_ldap_auth( op->o_bd, &op->oq_bind.rb_cred, &ad )
- != LDAP_SUCCESS )
- {
- rs->sr_err = LDAP_INVALID_CREDENTIALS,
- goto done;
- }
-
- rs->sr_err = access_allowed( op, e,
- krbattr, NULL, ACL_AUTH, NULL );
- if ( ! rs->sr_err ) {
- rs->sr_err = LDAP_INSUFFICIENT_ACCESS,
- goto done;
- }
-
- krbval.bv_len = sprintf( krbname, "%s%s%s@%s", ad.pname,
- *ad.pinst ? "." : "", ad.pinst, ad.prealm );
-
- if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
- /*
- * no krbname values present: check against DN
- */
- if ( strcasecmp( op->o_req_dn.bv_val, krbname ) == 0 ) {
- rs->sr_err = 0;
- break;
- }
- rs->sr_err = LDAP_INAPPROPRIATE_AUTH,
- goto done;
-
- } else { /* look for krbname match */
- krbval.bv_val = krbname;
-
- if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
- rs->sr_err = LDAP_INVALID_CREDENTIALS;
- goto done;
- }
- }
- rs->sr_err = 0;
- break;
-#endif
-
default:
- assert( 0 ); /* should not be unreachable */
+ assert( 0 ); /* should not be reachable */
rs->sr_err = LDAP_STRONG_AUTH_NOT_SUPPORTED;
rs->sr_text = "authentication method not supported";
}
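Review bot: The reworded comment on the `default:` branch still leaves the reader guessing why an error assignment follows an `assert( 0 )`; with NDEBUG the assert is compiled out and `rs->sr_err = LDAP_STRONG_AUTH_NOT_SUPPORTED` is the only behaviour, so the comment should say that this is a defensive fallback rather than dead code, e.g. `/* unreachable: do_bind rejects unsupported methods before dispatch; kept as a defensive fallback for NDEBUG builds */`. Since the frontend (the do_bind hunk in this same change) answers unknown methods with `LDAP_AUTH_METHOD_NOT_SUPPORTED`, and `LDAP_STRONG_AUTH_NOT_SUPPORTED` appears to be the legacy alias of that same code, using the non-legacy name here would make the two sites visibly consistent — worth confirming against ldap.h before changing it. The enclosing backend bind function starts before this hunk and continues after it.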
{ "sockbuf_max_incoming_auth", "max", 2, 2, 0, ARG_BER_LEN_T,
&sockbuf_max_incoming_auth, "( OLcfgGlAt:62 NAME 'olcSockbufMaxIncomingAuth' "
"SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
- { "srvtab", "file", 2, 2, 0,
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- ARG_STRING, &ldap_srvtab,
-#else
- ARG_IGNORED, NULL,
-#endif
- "( OLcfgGlAt:63 NAME 'olcSrvtab' "
- "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
{ "subordinate", "[advertise]", 1, 2, 0, ARG_DB|ARG_MAGIC,
&config_subordinate, "( OLcfgDbAt:0.15 NAME 'olcSubordinate' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
"olcRootDSE $ "
"olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
"olcSecurity $ olcSizeLimit $ "
- "olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcSrvtab $ "
+ "olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ "
"olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
"olcTLSCACertificatePath $ olcTLSCertificateFile $ "
"olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
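Review bot: Dropping `olcSrvtab` from the olcGlobal MAY list, together with the removal of the `srvtab` / `olcSrvtab` entry from the config table earlier in this change, means a cn=config database or slapd.conf that still carries that attribute or directive will now fail to load with an unknown-attribute/keyword error instead of being silently ignored as the old `ARG_IGNORED` branch did; if that is intended, it should be stated in the commit message and release notes so operators know to strip the value before upgrading. The OID `OLcfgGlAt:63` is now unassigned in the source, so a comment reserving it would prevent accidental reuse for an unrelated attribute that old entries would then mis-match: `/* OLcfgGlAt:63 (olcSrvtab) retired with Kerberos V4 bind support; do not reuse */` next to the attribute table. The same consideration applies to the `bind_krb4` disallow keyword removed elsewhere in this change, which existing `disallow` lines may still reference.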
slap_verbmasks disallowable_ops[] = {
{ BER_BVC("bind_anon"), SLAP_DISALLOW_BIND_ANON },
{ BER_BVC("bind_simple"), SLAP_DISALLOW_BIND_SIMPLE },
- { BER_BVC("bind_krb4"), SLAP_DISALLOW_BIND_KRBV4 },
{ BER_BVC("tls_2_anon"), SLAP_DISALLOW_TLS_2_ANON },
{ BER_BVC("tls_authc"), SLAP_DISALLOW_TLS_AUTHC },
{ BER_BVNULL, 0 }
* name DistinguishedName, -- dn
* authentication CHOICE {
* simple [0] OCTET STRING -- passwd
- * krbv42ldap [1] OCTET STRING
- * krbv42dsa [2] OCTET STRING
+ * krbv42ldap [1] OCTET STRING -- OBSOLETE
+ * krbv42dsa [2] OCTET STRING -- OBSOLETE
* SASL [3] SaslCredentials
* }
* }
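Review bot: Marking tags [1] and [2] as `-- OBSOLETE` does not say whether the tag numbers may be reassigned; as far as I recall RFC 4511 §4.2 lists the authentication CHOICE with `-- 1 and 2 reserved`, so the comment would be more useful as `krbv42ldap [1] OCTET STRING -- OBSOLETE, tag reserved (RFC 4511)` and likewise for [2], making clear that a client presenting either tag is to be rejected rather than that the tag is free. Please verify the RFC wording before adopting it.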
goto cleanup;
}
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- } else if ( op->orb_method == LDAP_AUTH_KRBV41 ) {
- if ( global_disallows & SLAP_DISALLOW_BIND_KRBV4 ) {
- /* disallow krbv4 authentication */
- rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
- rs->sr_text = "unwilling to perform Kerberos V4 bind";
-
- send_ldap_result( op, rs );
-
- Debug( LDAP_DEBUG_TRACE,
- "do_bind: v%d Kerberos V4 (step 1) bind refused\n",
- op->o_protocol, 0, 0 );
- goto cleanup;
- }
- BER_BVSTR( &op->orb_tmp_mech, "KRBV4" );
-
- } else if ( op->orb_method == LDAP_AUTH_KRBV42 ) {
- rs->sr_err = LDAP_AUTH_METHOD_NOT_SUPPORTED;
- rs->sr_text = "Kerberos V4 (step 2) bind not supported";
- send_ldap_result( op, rs );
-
- Debug( LDAP_DEBUG_TRACE,
- "do_bind: v%d Kerberos V4 (step 2) bind refused\n",
- op->o_protocol, 0, 0 );
- goto cleanup;
-#endif
-
} else {
rs->sr_err = LDAP_AUTH_METHOD_NOT_SUPPORTED;
rs->sr_text = "unknown authentication method";
#include <stdio.h>
-#include <ac/krb.h>
#include <ac/socket.h>
#include <ac/string.h>
#include <ac/unistd.h>
int global_idletimeout = 0;
char *global_host = NULL;
char *global_realm = NULL;
-char *ldap_srvtab = "";
char **default_passwd_hash = NULL;
struct berval default_search_base = BER_BVNULL;
struct berval default_search_nbase = BER_BVNULL;
+++ /dev/null
-/* kerberos.c - kerberos bind routines */
-/* $OpenLDAP$ */
-/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
- *
- * Copyright 1998-2007 The OpenLDAP Foundation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in the file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * <http://www.OpenLDAP.org/license.html>.
- */
-
-#include "portable.h"
-
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-
-#include <stdio.h>
-
-#include <ac/krb.h>
-#include <ac/socket.h>
-#include <ac/string.h>
-
-#include "slap.h"
-
-#define LDAP_KRB_PRINCIPAL "ldapserver"
-
-krbv4_ldap_auth(
- Backend *be,
- struct berval *cred,
- AUTH_DAT *ad
-)
-{
- KTEXT_ST k;
- KTEXT ktxt = &k;
- char instance[INST_SZ];
- int err;
-
- Debug( LDAP_DEBUG_TRACE, "=> kerberosv4_ldap_auth\n", 0, 0, 0 );
-
- if( cred->len > sizeof(ktxt->dat) ) {
- return LDAP_OTHER;
- }
-
- AC_MEMCPY( ktxt->dat, cred->bv_val, cred->bv_len );
- ktxt->length = cred->bv_len;
-
- strcpy( instance, "*" );
- if ( (err = krb_rd_req( ktxt, LDAP_KRB_PRINCIPAL, instance, 0L, ad,
- ldap_srvtab )) != KSUCCESS ) {
- Debug( LDAP_DEBUG_ANY, "krb_rd_req failed (%s)\n",
- krb_err_txt[err], 0, 0 );
- return( LDAP_INVALID_CREDENTIALS );
- }
-
- return( LDAP_SUCCESS );
-}
-
-#endif /* kerberos */
#include <stdio.h>
-#include <ac/krb.h>
#include <ac/socket.h>
#include <ac/string.h>
#include <ac/unistd.h>
LDAP_SLAPD_V (char *) slap_known_controls[];
-/*
- * kerberos.c
- */
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-LDAP_SLAPD_V (char *) ldap_srvtab;
-LDAP_SLAPD_V (int) krbv4_ldap_auth();
-#endif
-
/*
* ldapsync.c
*/
NULL, NULL, NULL, NULL, NULL,
offsetof(struct slap_internal_schema, si_ad_authPasswordSchemes) },
#endif
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- { "krbName", "( 1.3.6.1.4.1.250.1.32 "
- "NAME ( 'krbName' 'kerberosName' ) "
- "DESC 'Kerberos principal associated with object' "
- "EQUALITY caseIgnoreIA5Match "
- "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 "
- "SINGLE-VALUE )",
- NULL, 0,
- NULL, NULL,
- NULL, NULL, NULL, NULL, NULL,
- offsetof(struct slap_internal_schema, si_ad_krbName) },
-#endif
{ "description", "( 2.5.4.13 NAME 'description' "
"DESC 'RFC4519: descriptive information' "
#ifdef SLAPD_AUTHPASSWD
AttributeDescription *si_ad_authPassword;
AttributeDescription *si_ad_authPasswordSchemes;
-#endif
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- AttributeDescription *si_ad_krbName;
#endif
AttributeDescription *si_ad_description;
AttributeDescription *si_ad_seeAlso;
#define SLAP_DISALLOW_BIND_ANON 0x0001U /* no anonymous */
#define SLAP_DISALLOW_BIND_SIMPLE 0x0002U /* simple authentication */
-#define SLAP_DISALLOW_BIND_KRBV4 0x0004U /* Kerberos V4 authentication */
#define SLAP_DISALLOW_TLS_2_ANON 0x0010U /* StartTLS -> Anonymous */
#define SLAP_DISALLOW_TLS_AUTHC 0x0020U /* TLS while authenticated */
#include <stdio.h>
-#include <ac/krb.h>
#include <ac/socket.h>
#include <ac/string.h>
#include <ac/unistd.h>