From: Kurt Zeilenga Date: Mon, 25 Sep 2000 23:46:54 +0000 (+0000) Subject: Add bind() X-Git-Tag: LDBM_PRE_GIANT_RWLOCK~1894 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=0518820376dd5498947c47fb898a800c884fef87;p=openldap Add bind() --- diff --git a/servers/slapd/back-bdb/bind.c b/servers/slapd/back-bdb/bind.c new file mode 100644 index 0000000000..88a90ee113 --- /dev/null +++ b/servers/slapd/back-bdb/bind.c @@ -0,0 +1,246 @@ +/* bind.c - bdb backend bind routine */ +/* $OpenLDAP$ */ +/* + * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved. + * COPYING RESTRICTIONS APPLY, see COPYRIGHT file + */ + +#include "portable.h" + +#include +#include +#include +#include + +#include "back-bdb.h" + +int +bdb_bind( + Backend *be, + Connection *conn, + Operation *op, + const char *dn, + const char *ndn, + int method, + struct berval *cred, + char** edn +) +{ + struct bdb_info *bdb = (struct bdb_info *) be->be_private; + Entry *e; + Attribute *a; + int rc; + Entry *matched; +#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND + char krbname[MAX_K_NAME_SZ + 1]; + AttributeDescription *krbattr = slap_schema.si_ad_krbName; + AUTH_DAT ad; +#endif + + AttributeDescription *password = slap_schema.si_ad_userPassword; + + Debug( LDAP_DEBUG_ARGS, "==> bdb_bind: dn: %s\n", dn, 0, 0); + + *edn = NULL; + + /* fetch entry */ + rc = dn2entry_r( be, NULL, ndn, &e, &matched ); + + switch(rc) { + case DB_NOTFOUND: + case 0: + break; + default: + send_ldap_result( conn, op, rc=LDAP_OTHER, + NULL, "internal error", NULL, NULL ); + return rc; + } + + /* get entry with reader lock */ + if ( e == NULL ) { + char *matched_dn = NULL; + struct berval **refs = NULL; + + if( matched != NULL ) { + matched_dn = ch_strdup( matched->e_dn ); + + refs = is_entry_referral( matched ) + ? get_entry_referrals( be, conn, op, matched ) + : NULL; + + bdb_entry_return( be, matched ); + } else { + refs = default_referral; + } + + /* allow noauth binds */ + rc = 1; + if ( method == LDAP_AUTH_SIMPLE ) { + if ( be_isroot_pw( be, conn, ndn, cred ) ) { + *edn = ch_strdup( be_root_dn( be ) ); + rc = LDAP_SUCCESS; /* front end will send result */ + + } else if ( refs != NULL ) { + send_ldap_result( conn, op, rc = LDAP_REFERRAL, + matched_dn, NULL, refs, NULL ); + + } else { + send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS, + NULL, NULL, NULL, NULL ); + } + + } else if ( refs != NULL ) { + send_ldap_result( conn, op, rc = LDAP_REFERRAL, + matched_dn, NULL, refs, NULL ); + + } else { + send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS, + NULL, NULL, NULL, NULL ); + } + + if ( matched != NULL ) { + ber_bvecfree( refs ); + free( matched_dn ); + } + + return rc; + } + + *edn = ch_strdup( e->e_dn ); + + /* check for deleted */ + + if ( is_entry_alias( e ) ) { + /* entry is an alias, don't allow bind */ + Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0, + 0, 0 ); + + send_ldap_result( conn, op, rc = LDAP_ALIAS_PROBLEM, + NULL, "entry is alias", NULL, NULL ); + + goto done; + } + + if ( is_entry_referral( e ) ) { + /* entry is a referral, don't allow bind */ + struct berval **refs = get_entry_referrals( be, + conn, op, e ); + + Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0, + 0, 0 ); + + if( refs != NULL ) { + send_ldap_result( conn, op, rc = LDAP_REFERRAL, + e->e_dn, NULL, refs, NULL ); + + } else { + send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS, + NULL, NULL, NULL, NULL ); + } + + ber_bvecfree( refs ); + + goto done; + } + + switch ( method ) { + case LDAP_AUTH_SIMPLE: + /* check for root dn/passwd */ + if ( be_isroot_pw( be, conn, dn, cred ) ) { + /* front end will send result */ + if(*edn != NULL) free( *edn ); + *edn = ch_strdup( be_root_dn( be ) ); + rc = LDAP_SUCCESS; + goto done; + } + + if ( ! access_allowed( be, conn, op, e, + password, NULL, ACL_AUTH ) ) + { + send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + goto done; + } + + if ( (a = attr_find( e->e_attrs, password )) == NULL ) { + send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH, + NULL, NULL, NULL, NULL ); + goto done; + } + + if ( slap_passwd_check( conn, a, cred ) != 0 ) { + send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS, + NULL, NULL, NULL, NULL ); + goto done; + } + + rc = 0; + break; + +#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND + case LDAP_AUTH_KRBV41: + if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) { + send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS, + NULL, NULL, NULL, NULL ); + goto done; + } + + if ( ! access_allowed( be, conn, op, e, + krbattr, NULL, ACL_AUTH ) ) + { + send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + goto done; + } + + sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "." + : "", ad.pinst, ad.prealm ); + + if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) { + /* + * no krbname values present: check against DN + */ + if ( strcasecmp( dn, krbname ) == 0 ) { + rc = 0; + break; + } + send_ldap_result( conn, op, rc = LDAP_INAPPROPRIATE_AUTH, + NULL, NULL, NULL, NULL ); + goto done; + + } else { /* look for krbname match */ + struct berval krbval; + + krbval.bv_val = krbname; + krbval.bv_len = strlen( krbname ); + + if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) { + send_ldap_result( conn, op, + rc = LDAP_INVALID_CREDENTIALS, + NULL, NULL, NULL, NULL ); + goto done; + } + } + rc = 0; + break; + + case LDAP_AUTH_KRBV42: + send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM, + NULL, "Kerberos bind step 2 not supported", + NULL, NULL ); + goto done; +#endif + + default: + send_ldap_result( conn, op, rc = LDAP_STRONG_AUTH_NOT_SUPPORTED, + NULL, "authentication method not supported", NULL, NULL ); + goto done; + } + +done: + /* free entry and reader lock */ + bdb_entry_return( be, e ); + + /* front end with send result on success (rc==0) */ + return rc; +} \ No newline at end of file