factor connection code out of syncrepl
authorPierangelo Masarati <ando@openldap.org>
Fri, 4 Aug 2006 19:20:59 +0000 (19:20 +0000)
committerPierangelo Masarati <ando@openldap.org>
Fri, 4 Aug 2006 19:20:59 +0000 (19:20 +0000)
servers/slapd/config.c
servers/slapd/proto-slap.h
servers/slapd/syncrepl.c

index ae8c5feb654d009d1a68a25279208d27caa77638..ce9b2db9755289cb392e610887fbb7a15cbdc7d9 100644 (file)
@@ -43,6 +43,7 @@
 #include "slapi/slapi.h"
 #endif
 #include "lutil.h"
+#include "lutil_ldap.h"
 #include "config.h"
 
 #ifdef HAVE_TLS
@@ -1397,6 +1398,154 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 }
 #endif
 
+/*
+ * connect to a client using the bindconf data
+ * note: should move "version" into bindconf...
+ */
+int
+slap_client_connect( LDAP **ldp, slap_bindconf *sb, int version )
+{
+       LDAP            *ld = NULL;
+       int             rc;
+
+       /* Init connection to master */
+       rc = ldap_initialize( &ld, sb->sb_uri.bv_val );
+       if ( rc != LDAP_SUCCESS ) {
+               Debug( LDAP_DEBUG_ANY,
+                       "slap_client_connect: "
+                       "ldap_initialize(%s) failed (%d)\n",
+                       sb->sb_uri.bv_val, rc, 0 );
+               return rc;
+       }
+
+       if ( version != 0 ) {
+               ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION,
+                       (const void *)&version );
+       }
+
+#ifdef HAVE_TLS
+       if ( sb->sb_tls_do_init ) {
+               rc = bindconf_tls_set( sb, ld );
+
+       } else if ( sb->sb_tls_ctx ) {
+               rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX,
+                       sb->sb_tls_ctx );
+       }
+
+       if ( rc ) {
+               Debug( LDAP_DEBUG_ANY,
+                       "slap_client_connect: "
+                       "TLS context initialization failed\n",
+                       0, 0, 0 );
+               return rc;
+       }
+#endif
+
+       /* Bind */
+       if ( sb->sb_tls ) {
+               rc = ldap_start_tls_s( ld, NULL, NULL );
+               if ( rc != LDAP_SUCCESS ) {
+                       Debug( LDAP_DEBUG_ANY,
+                               "slap_client_connect: "
+                               "%s, ldap_start_tls failed (%d)\n",
+                               sb->sb_tls == SB_TLS_CRITICAL ?
+                                       "Error" : "Warning",
+                               rc, 0 );
+                       if ( sb->sb_tls == SB_TLS_CRITICAL ) {
+                               goto done;
+                       }
+               }
+       }
+
+       if ( sb->sb_method == LDAP_AUTH_SASL ) {
+#ifdef HAVE_CYRUS_SASL
+               void *defaults;
+
+               if ( sb->sb_secprops != NULL ) {
+                       rc = ldap_set_option( ld,
+                               LDAP_OPT_X_SASL_SECPROPS, sb->sb_secprops);
+
+                       if( rc != LDAP_OPT_SUCCESS ) {
+                               Debug( LDAP_DEBUG_ANY,
+                                       "slap_client_connect: "
+                                       "error, ldap_set_option "
+                                       "(%s,SECPROPS,\"%s\") failed!\n",
+                                       sb->sb_uri.bv_val, sb->sb_secprops, 0 );
+                               goto done;
+                       }
+               }
+
+               defaults = lutil_sasl_defaults( ld,
+                       sb->sb_saslmech.bv_val,
+                       sb->sb_realm.bv_val,
+                       sb->sb_authcId.bv_val,
+                       sb->sb_cred.bv_val,
+                       sb->sb_authzId.bv_val );
+
+               rc = ldap_sasl_interactive_bind_s( ld,
+                               sb->sb_binddn.bv_val,
+                               sb->sb_saslmech.bv_val,
+                               NULL, NULL,
+                               LDAP_SASL_QUIET,
+                               lutil_sasl_interact,
+                               defaults );
+
+               lutil_sasl_freedefs( defaults );
+
+               /* FIXME: different error behaviors according to
+                *      1) return code
+                *      2) on err policy : exit, retry, backoff ...
+                */
+               if ( rc != LDAP_SUCCESS ) {
+                       static struct berval bv_GSSAPI = BER_BVC( "GSSAPI" );
+
+                       Debug( LDAP_DEBUG_ANY, "do_syncrep1: "
+                               "ldap_sasl_interactive_bind_s failed (%d)\n",
+                               rc, 0, 0 );
+
+                       /* FIXME (see above comment) */
+                       /* if Kerberos credentials cache is not active, retry */
+                       if ( ber_bvcmp( &sb->sb_saslmech, &bv_GSSAPI ) == 0 &&
+                               rc == LDAP_LOCAL_ERROR )
+                       {
+                               rc = LDAP_SERVER_DOWN;
+                       }
+
+                       goto done;
+               }
+#else /* HAVE_CYRUS_SASL */
+               /* Should never get here, we trapped this at config time */
+               assert(0);
+               Debug( LDAP_DEBUG_SYNC, "not compiled with SASL support\n", 0, 0, 0 );
+               rc = LDAP_OTHER;
+               goto done;
+#endif
+
+       } else if ( sb->sb_method == LDAP_AUTH_SIMPLE ) {
+               rc = ldap_sasl_bind_s( ld,
+                       sb->sb_binddn.bv_val, LDAP_SASL_SIMPLE,
+                       &sb->sb_cred, NULL, NULL, NULL );
+               if ( rc != LDAP_SUCCESS ) {
+                       Debug( LDAP_DEBUG_ANY, "do_syncrep1: "
+                               "ldap_sasl_bind_s failed (%d)\n", rc, 0, 0 );
+                       goto done;
+               }
+       }
+
+done:;
+       if ( rc ) {
+               if ( ld ) {
+                       ldap_unbind_ext( ld, NULL, NULL );
+                       *ldp = NULL;
+               }
+
+       } else {
+               *ldp = ld;
+       }
+
+       return rc;
+}
+
 /* -------------------------------------- */
 
 
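Review bot: The TLS-context failure branch under `#ifdef HAVE_TLS` (`if ( rc ) { Debug(...); return rc; }`) returns without releasing the handle that ldap_initialize just allocated and without writing `*ldp`, so the caller leaks `ld` and is left with whatever `*ldp` held before; it should `goto done;` like every later failure so the unbind-and-NULL path runs. The two bind-failure messages still carry the old `"do_syncrep1: "` prefix and should read `"slap_client_connect: "` now that the function is shared. The non-critical StartTLS case deserves a comment where the bind starts, because a failed ldap_start_tls_s with `sb_tls != SB_TLS_CRITICAL` falls through to the simple or SASL bind over the unprotected connection: `/* starttls=yes (non-critical): on failure the bind below proceeds in the clear */`.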
index 17c299d37bc90da39b3d11b1944cc946bfbe8214..7ce5595f48f00deb789491897b29be07da9d4676 100644 (file)
@@ -608,6 +608,7 @@ LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
 LDAP_SLAPD_F (int) bindconf_tls_set LDAP_P((
        slap_bindconf *bc, LDAP *ld ));
 LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc ));
+LDAP_SLAPD_F (int) slap_client_connect LDAP_P(( LDAP **ldp, slap_bindconf *sb, int version ));
 LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be,
        const char *fname, int lineno, int argc, char **argv ));
 LDAP_SLAPD_F (char *) anlist_unparse LDAP_P(( AttributeName *, char *, ber_len_t buflen ));
index 311acd85d04b2813ea081853f24be45a21402c14..1d72a0893402feed674a035693cae5fd80555942 100644 (file)
@@ -423,118 +423,11 @@ do_syncrep1(
 
        psub = &si->si_be->be_nsuffix[0];
 
-       /* Init connection to master */
-       rc = ldap_initialize( &si->si_ld, si->si_bindconf.sb_uri.bv_val );
+       rc = slap_client_connect( &si->si_ld, &si->si_bindconf, LDAP_VERSION3 );
        if ( rc != LDAP_SUCCESS ) {
-               Debug( LDAP_DEBUG_ANY,
-                       "do_syncrep1: ldap_initialize failed (%s)\n",
-                       si->si_bindconf.sb_uri.bv_val, 0, 0 );
-               return rc;
-       }
-
-       op->o_protocol = LDAP_VERSION3;
-       ldap_set_option( si->si_ld, LDAP_OPT_PROTOCOL_VERSION,
-               (const void *)&op->o_protocol );
-
-#ifdef HAVE_TLS
-       if ( si->si_bindconf.sb_tls_do_init ) {
-               rc = bindconf_tls_set( &si->si_bindconf, si->si_ld );
-       } else if ( si->si_bindconf.sb_tls_ctx ) {
-               rc = ldap_set_option( si->si_ld, LDAP_OPT_X_TLS_CTX,
-                       si->si_bindconf.sb_tls_ctx );
-       }
-       if ( rc ) {
-               Debug( LDAP_DEBUG_ANY,
-                       "do_syncrep1: TLS context initialization failed\n", 0, 0, 0 );
-               return rc;
-       }
-#endif
-
-       /* Bind to master */
-
-       if ( si->si_bindconf.sb_tls ) {
-               rc = ldap_start_tls_s( si->si_ld, NULL, NULL );
-               if( rc != LDAP_SUCCESS ) {
-                       Debug( LDAP_DEBUG_ANY,
-                               "%s: ldap_start_tls failed (%d)\n",
-                               si->si_bindconf.sb_tls == SB_TLS_CRITICAL ? "Error" : "Warning",
-                               rc, 0 );
-                       if( si->si_bindconf.sb_tls == SB_TLS_CRITICAL ) goto done;
-               }
-       }
-
-       if ( si->si_bindconf.sb_method == LDAP_AUTH_SASL ) {
-#ifdef HAVE_CYRUS_SASL
-               void *defaults;
-
-               if ( si->si_bindconf.sb_secprops != NULL ) {
-                       rc = ldap_set_option( si->si_ld,
-                               LDAP_OPT_X_SASL_SECPROPS, si->si_bindconf.sb_secprops);
-
-                       if( rc != LDAP_OPT_SUCCESS ) {
-                               Debug( LDAP_DEBUG_ANY, "Error: ldap_set_option "
-                                       "(%s,SECPROPS,\"%s\") failed!\n",
-                                       si->si_bindconf.sb_uri.bv_val, si->si_bindconf.sb_secprops, 0 );
-                               goto done;
-                       }
-               }
-
-               defaults = lutil_sasl_defaults( si->si_ld,
-                       si->si_bindconf.sb_saslmech.bv_val,
-                       si->si_bindconf.sb_realm.bv_val,
-                       si->si_bindconf.sb_authcId.bv_val,
-                       si->si_bindconf.sb_cred.bv_val,
-                       si->si_bindconf.sb_authzId.bv_val );
-
-               rc = ldap_sasl_interactive_bind_s( si->si_ld,
-                               si->si_bindconf.sb_binddn.bv_val,
-                               si->si_bindconf.sb_saslmech.bv_val,
-                               NULL, NULL,
-                               LDAP_SASL_QUIET,
-                               lutil_sasl_interact,
-                               defaults );
-
-               lutil_sasl_freedefs( defaults );
-
-               /* FIXME: different error behaviors according to
-                *      1) return code
-                *      2) on err policy : exit, retry, backoff ...
-                */
-               if ( rc != LDAP_SUCCESS ) {
-                       static struct berval bv_GSSAPI = BER_BVC( "GSSAPI" );
-
-                       Debug( LDAP_DEBUG_ANY, "do_syncrep1: "
-                               "ldap_sasl_interactive_bind_s failed (%d)\n",
-                               rc, 0, 0 );
-
-                       /* FIXME (see above comment) */
-                       /* if Kerberos credentials cache is not active, retry */
-                       if ( ber_bvcmp( &si->si_bindconf.sb_saslmech, &bv_GSSAPI ) == 0 &&
-                               rc == LDAP_LOCAL_ERROR )
-                       {
-                               rc = LDAP_SERVER_DOWN;
-                       }
-
-                       goto done;
-               }
-#else /* HAVE_CYRUS_SASL */
-               /* Should never get here, we trapped this at config time */
-               assert(0);
-               Debug( LDAP_DEBUG_SYNC, "not compiled with SASL support\n", 0, 0, 0 );
-               rc = LDAP_OTHER;
                goto done;
-#endif
-
-       } else if ( si->si_bindconf.sb_method == LDAP_AUTH_SIMPLE ) {
-               rc = ldap_sasl_bind_s( si->si_ld,
-                       si->si_bindconf.sb_binddn.bv_val, LDAP_SASL_SIMPLE,
-                       &si->si_bindconf.sb_cred, NULL, NULL, NULL );
-               if ( rc != LDAP_SUCCESS ) {
-                       Debug( LDAP_DEBUG_ANY, "do_syncrep1: "
-                               "ldap_sasl_bind_s failed (%d)\n", rc, 0, 0 );
-                       goto done;
-               }
        }
+       op->o_protocol = LDAP_VERSION3;
 
        /* Set SSF to strongest of TLS, SASL SSFs */
        op->o_sasl_ssf = 0;
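Review bot: The `goto done` now also covers the ldap_initialize failure, which the removed code returned from directly without reaching `done`, so the cleanup at `done:` (outside this hunk, as is the rest of do_syncrep1) must tolerate `si->si_ld == NULL`; from what is visible I cannot confirm that it does. slap_client_connect also leaves `*ldp` untouched on its TLS-context failure path, so on that path `si->si_ld` keeps its previous value rather than being reset — if `done:` unbinds `si->si_ld`, it would presumably act on a stale handle, which is worth checking. Moving `op->o_protocol = LDAP_VERSION3;` after the connect is harmless since the version is now passed explicitly, but a one-line comment would help readers: `/* protocol version was already set on si_ld by slap_client_connect() */`.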