From: Kurt Zeilenga Date: Wed, 3 May 2000 18:59:58 +0000 (+0000) Subject: Error handling changes including separation of client v. server X-Git-Tag: LDBM_PRE_GIANT_RWLOCK~3047 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=d0555fffe65fe7ffe18a3dcd1260d43fdf7572f5;p=openldap Error handling changes including separation of client v. server SASL to LDAP translation. plus comments and other minor changes --- diff --git a/include/ldap.h b/include/ldap.h index 14325afb98..3591417684 100644 --- a/include/ldap.h +++ b/include/ldap.h @@ -102,6 +102,8 @@ LDAP_BEGIN_DECL /* 0x34 - 0x0fff not defined by current draft */ +#define LDAP_OPT_PRIVATE_EXTENSION_BASE 0x4000 /* to 0x7FFF inclusive */ + /* private and experimental options */ #define LDAP_OPT_DNS 0x4001 /* use DN & DNS */ @@ -112,7 +114,7 @@ LDAP_BEGIN_DECL #define LDAP_OPT_NETWORK_TIMEOUT 0x5005 /* socket level timeout */ #define LDAP_OPT_URI 0x5006 -/* TLS options */ +/* OpenLDAP TLS options */ #define LDAP_OPT_X_TLS_CACERTFILE 0x6001 #define LDAP_OPT_X_TLS_CACERTDIR 0x6002 #define LDAP_OPT_X_TLS_CERT 0x6003 @@ -129,7 +131,7 @@ LDAP_BEGIN_DECL #define LDAP_OPT_X_TLS_ALLOW 3 #define LDAP_OPT_X_TLS_TRY 4 -/* SASL options */ +/* OpenLDAP SASL options */ #define LDAP_OPT_X_SASL_MINSSF 0x6100 #define LDAP_OPT_X_SASL_MAXSSF 0x6101 #define LDAP_OPT_X_SASL_ACTSSF 0x6102 diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h index 14b6a97bbe..6164c05743 100644 --- a/include/ldap_pvt.h +++ b/include/ldap_pvt.h @@ -113,7 +113,6 @@ LIBLDAP_F (int) ldap_pvt_unhex( int c ); LIBLDAP_F (int) ldap_pvt_sasl_init LDAP_P(( void )); /* clientside init */ LIBLDAP_F (int) ldap_pvt_sasl_install LDAP_P(( Sockbuf *, void * )); -LIBLDAP_F (int) ldap_pvt_sasl_err2ldap LDAP_P(( int )); LIBLDAP_F (int) ldap_pvt_sasl_bind LDAP_P(( LDAP *, LDAP_CONST char *, LDAP_CONST char *, LDAP_CONST sasl_callback_t *, LDAPControl **, LDAPControl ** )); diff --git a/libraries/libldap/kbind.c b/libraries/libldap/kbind.c index 191ef01a88..35a7e52224 100644 
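Review bot: `LDAP_OPT_PRIVATE_EXTENSION_BASE` is added without a comment saying which options it governs, so the relation to the existing `0x4001`, `0x5005`/`0x5006` and `0x6xxx` private options, which all fall inside the stated `0x4000`-`0x7FFF` range, is left for the reader to work out. A short comment on the new line such as `/* 0x4000 - 0x7FFF: private and experimental options; the OpenLDAP-specific DNS, timeout, URI, TLS and SASL options below all live in this range */` would make that explicit. The two comment-only hunks in this file need nothing further.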
--- a/libraries/libldap/kbind.c +++ b/libraries/libldap/kbind.c @@ -269,7 +269,7 @@ ldap_get_kerberosv4_credentials( fprintf( stderr, "krb_get_tf_realm failed (%s)\n", krb_err_txt[err] ); #endif /* LDAP_LIBUI */ - ld->ld_errno = LDAP_INVALID_CREDENTIALS; + ld->ld_errno = LDAP_AUTH_UNKNOWN; return( NULL ); } @@ -287,7 +287,7 @@ ldap_get_kerberosv4_credentials( #ifdef LDAP_LIBUI fprintf( stderr, "krb_mk_req failed (%s)\n", krb_err_txt[err] ); #endif /* LDAP_LIBUI */ - ld->ld_errno = LDAP_INVALID_CREDENTIALS; + ld->ld_errno = LDAP_AUTH_UNKNOWN; return( NULL ); } diff --git a/libraries/libldap/libldap.dsp b/libraries/libldap/libldap.dsp index a10d119f3e..be68c42fb2 100644 --- a/libraries/libldap/libldap.dsp +++ b/libraries/libldap/libldap.dsp @@ -355,6 +355,10 @@ SOURCE=.\string.c # End Source File # Begin Source File +SOURCE=.\tls.c +# End Source File +# Begin Source File + SOURCE=.\ufn.c # End Source File # Begin Source File diff --git a/libraries/libldap/options.c b/libraries/libldap/options.c index fcf7cc7ca5..d7db40b27e 100644 --- a/libraries/libldap/options.c +++ b/libraries/libldap/options.c @@ -568,7 +568,7 @@ ldap_set_option( default: #ifdef HAVE_TLS if ( ldap_pvt_tls_set_option( lo, option, (void *)invalue ) == 0 ) - return LDAP_OPT_SUCCESS; + return LDAP_OPT_SUCCESS; #endif #ifdef HAVE_CYRUS_SASL if ( ldap_pvt_sasl_set_option( ld, option, (void *)invalue ) == 0 ) diff --git a/libraries/libldap/sasl.c b/libraries/libldap/sasl.c index 31c9e063cb..062d10e383 100644 --- a/libraries/libldap/sasl.c +++ b/libraries/libldap/sasl.c 
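Review bot: The two `ld_errno` assignments in these kbind.c hunks now report a local API error (`LDAP_AUTH_UNKNOWN`) instead of the protocol result `LDAP_INVALID_CREDENTIALS`, which fits the client/server split this commit makes, but nothing at the assignment says so and callers that previously tested `ld_errno` for `LDAP_INVALID_CREDENTIALS` will now see a different value. A one-line comment at each site, `/* local Kerberos failure, not a server rejection: report an API error */`, would record the intent. ldap_get_kerberosv4_credentials starts and ends outside both hunks.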
@@ -497,42 +497,43 @@ static int sasl_close( Sockbuf *sb ) (ber_pvt_sb_io_tcp.sbi_close)( sb ); } -int -ldap_pvt_sasl_err2ldap( int saslerr ) +static int +sasl_err2ldap( int saslerr ) { int rc; switch (saslerr) { case SASL_CONTINUE: - rc = LDAP_SASL_BIND_IN_PROGRESS; + rc = LDAP_MORE_RESULTS_TO_RETURN; break; case SASL_OK: rc = LDAP_SUCCESS; break; case SASL_FAIL: - rc = LDAP_OPERATIONS_ERROR; + rc = LDAP_LOCAL_ERROR; break; case SASL_NOMEM: rc = LDAP_NO_MEMORY; break; case SASL_NOMECH: - rc = LDAP_AUTH_METHOD_NOT_SUPPORTED; + rc = LDAP_AUTH_UNKNOWN; break; case SASL_BADAUTH: - rc = LDAP_INVALID_CREDENTIALS; + rc = LDAP_AUTH_UNKNOWN; break; case SASL_NOAUTHZ: - rc = LDAP_INSUFFICIENT_ACCESS; + rc = LDAP_PARAM_ERROR; break; case SASL_TOOWEAK: case SASL_ENCRYPT: - rc = LDAP_INAPPROPRIATE_AUTH; + rc = LDAP_AUTH_UNKNOWN; break; default: - rc = LDAP_OPERATIONS_ERROR; + rc = LDAP_LOCAL_ERROR; break; } + assert( rc == LDAP_SUCCESS || LDAP_API_ERROR( rc ) ); return rc; } @@ -656,7 +657,7 @@ ldap_pvt_sasl_bind( if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) { LDAP_FREE( mechlist ); - ld->ld_errno = ldap_pvt_sasl_err2ldap( rc ); + ld->ld_errno = sasl_err2ldap( rc ); sasl_dispose( &ld->ld_sasl_context ); return ld->ld_errno; } @@ -675,7 +676,7 @@ ldap_pvt_sasl_bind( LDAP_FREE( mechlist ); if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) { - ld->ld_errno = ldap_pvt_sasl_err2ldap( saslrc ); + ld->ld_errno = sasl_err2ldap( saslrc ); sasl_dispose( &ld->ld_sasl_context ); return ld->ld_errno; } @@ -711,7 +712,7 @@ ldap_pvt_sasl_bind( ber_bvfree( scred ); if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) { - ld->ld_errno = ldap_pvt_sasl_err2ldap( saslrc ); + ld->ld_errno = sasl_err2ldap( saslrc ); sasl_dispose( &ld->ld_sasl_context ); return ld->ld_errno; } diff --git a/libraries/libldap_r/libldap_r.dsp b/libraries/libldap_r/libldap_r.dsp index 960a823740..76bdfdcf7e 100644 --- a/libraries/libldap_r/libldap_r.dsp +++ b/libraries/libldap_r/libldap_r.dsp 
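Review bot: `sasl_err2ldap` has no comment stating its contract, and the new `assert( rc == LDAP_SUCCESS || LDAP_API_ERROR( rc ) )` is the only hint that this is the client-side mapping, which must yield API (local) error codes rather than protocol result codes; the server-side table in servers/slapd/sasl.c maps the same SASL statuses differently. A header comment such as `/* Map a Cyrus SASL client-side status to an LDAP API error code. Protocol result codes are never produced here; the server-side mapping lives in servers/slapd/sasl.c. */` would make the split explicit. The `SASL_NOAUTHZ` to `LDAP_PARAM_ERROR` case also deserves a why-comment, since an authorization-identity rejection surfacing as a parameter error is not obvious to a caller; if the intent is that the authzid the application supplied was not acceptable, say so on that case.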
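Review bot: In the `@@ -656,7 +657,7 @@` hunk the guard tests `saslrc` but the renamed call still converts `rc`: `ld->ld_errno = sasl_err2ldap( rc );`, so the value stored in `ld_errno` is derived from a different variable than the one that failed. The two later call sites in ldap_pvt_sasl_bind pass `saslrc`, and this one should too: `ld->ld_errno = sasl_err2ldap( saslrc );`. Because `sasl_err2ldap`'s `default` maps any unrecognised value to `LDAP_LOCAL_ERROR`, the mismatch would show up as a wrong or misleading error code rather than a crash, which is presumably why it survived the rename. ldap_pvt_sasl_bind's body begins and ends outside the hunk.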
@@ -348,6 +348,10 @@ SOURCE=.\thr_stub.c # End Source File # Begin Source File +SOURCE=..\libldap\tls.c +# End Source File +# Begin Source File + SOURCE=..\libldap\ufn.c # End Source File # Begin Source File diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 677805fb17..e51de293a9 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c 
@@ -19,33 +19,73 @@ char **supportedSASLMechanisms = NULL; char *sasl_host = NULL; #ifdef HAVE_CYRUS_SASL -static void *sasl_pvt_mutex_new(void) +static void *slap_sasl_mutex_new(void) { ldap_pvt_thread_mutex_t *mutex; - mutex = (ldap_pvt_thread_mutex_t *)ch_malloc( sizeof(ldap_pvt_thread_mutex_t) ); + mutex = (ldap_pvt_thread_mutex_t *) ch_malloc( sizeof(ldap_pvt_thread_mutex_t) ); if ( ldap_pvt_thread_mutex_init( mutex ) == 0 ) { return mutex; } return NULL; } -static int sasl_pvt_mutex_lock(void *mutex) +static int slap_sasl_mutex_lock(void *mutex) { return ldap_pvt_thread_mutex_lock( (ldap_pvt_thread_mutex_t *)mutex ); } -static int sasl_pvt_mutex_unlock(void *mutex) +static int slap_sasl_mutex_unlock(void *mutex) { return ldap_pvt_thread_mutex_unlock( (ldap_pvt_thread_mutex_t *)mutex ); } -static void sasl_pvt_mutex_dispose(void *mutex) +static void slap_sasl_mutex_dispose(void *mutex) { (void) ldap_pvt_thread_mutex_destroy( (ldap_pvt_thread_mutex_t *)mutex ); free( mutex ); } +static int +slap_sasl_err2ldap( int saslerr ) +{ + int rc; + + switch (saslerr) { + case SASL_CONTINUE: + rc = LDAP_SASL_BIND_IN_PROGRESS; + break; + case SASL_OK: + rc = LDAP_SUCCESS; + break; + case SASL_FAIL: + rc = LDAP_OTHER; + break; + case SASL_NOMEM: + rc = LDAP_OTHER; + break; + case SASL_NOMECH: + rc = LDAP_AUTH_METHOD_NOT_SUPPORTED; + break; + case SASL_BADAUTH: + rc = LDAP_INVALID_CREDENTIALS; + break; + case SASL_NOAUTHZ: + rc = LDAP_INSUFFICIENT_ACCESS; + break; + case SASL_TOOWEAK: + case SASL_ENCRYPT: + rc = LDAP_INAPPROPRIATE_AUTH; + break; + default: + rc = LDAP_OTHER; + break; + } + + return rc; +} + + int sasl_init( void ) { int rc; 
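Review bot: `slap_sasl_mutex_new` leaks the `ch_malloc`'d block when `ldap_pvt_thread_mutex_init` fails: it returns NULL but never releases `mutex`. The failure branch should release it with the same call the dispose callback uses, `free( mutex ); return NULL;` (`slap_sasl_mutex_dispose` calls `free`, so that is consistent here). The new `slap_sasl_err2ldap` also lacks a header comment; one stating that it maps a Cyrus SASL server-side status to the protocol result code sent back to the client, in contrast to the API-error mapping in libraries/libldap/sasl.c, would explain why `SASL_CONTINUE` becomes `LDAP_SASL_BIND_IN_PROGRESS` here but not there.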
@@ -54,8 +94,11 @@ int sasl_init( void ) sasl_set_alloc( ch_malloc, ch_calloc, ch_realloc, ch_free ); - sasl_set_mutex( sasl_pvt_mutex_new, sasl_pvt_mutex_lock, - sasl_pvt_mutex_unlock, sasl_pvt_mutex_dispose ); + sasl_set_mutex( + slap_sasl_mutex_new, + slap_sasl_mutex_lock, + slap_sasl_mutex_unlock, + slap_sasl_mutex_dispose ); rc = sasl_server_init( NULL, "slapd" ); @@ -188,7 +231,7 @@ int sasl_bind( cred->bv_val, cred->bv_len, (char **)&response.bv_val, (unsigned *)&response.bv_len, &errstr ); if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) { - send_ldap_result( conn, op, rc = ldap_pvt_sasl_err2ldap( sc ), + send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ), NULL, errstr, NULL, NULL ); } } @@ -196,7 +239,7 @@ int sasl_bind( sc = sasl_server_step( conn->c_sasl_bind_context, cred->bv_val, cred->bv_len, (char **)&response.bv_val, (unsigned *)&response.bv_len, &errstr ); if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) { - send_ldap_result( conn, op, rc = ldap_pvt_sasl_err2ldap( sc ), + send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ), NULL, errstr, NULL, NULL ); } } @@ -206,7 +249,7 @@ int sasl_bind( if ( ( sc = sasl_getprop( conn->c_sasl_bind_context, SASL_USERNAME, (void **)&authzid ) ) != SASL_OK ) { - send_ldap_result( conn, op, rc = ldap_pvt_sasl_err2ldap( sc ), + send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ), NULL, NULL, NULL, NULL ); } else {
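Review bot: In the `@@ -188,7 +231,7 @@` hunk, and again in the following `sasl_server_step` hunk, the SASL library's `errstr` is passed verbatim as the diagnostic text of `send_ldap_result`, so whatever wording the mechanism produced reaches an unauthenticated client alongside the mapped `rc`. Worth confirming that this text never carries more than the mapped result code already conveys (for instance mechanism-internal detail about why a credential check failed); logging `errstr` server-side and sending NULL as the text would keep the wire response uniform across failure causes. sasl_bind's body begins and ends outside these hunks.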