From d2b05a3858822df66785b4a0939204b10ac1c47f Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Sat, 15 Jul 2000 23:25:46 +0000 Subject: [PATCH] Rework SASL command line arguments. Default is now to authenticate using best available mechanism. (authzid prompting to be disabled) To use simple bind, -x is required (implied if -P 2) with -D/-[Ww] To use simple "anonymous" bind, just -x will do. --- clients/tools/ldapdelete.c | 302 ++++++++++++++++---------- clients/tools/ldapmodify.c | 295 ++++++++++++++++---------- clients/tools/ldapmodrdn.c | 319 +++++++++++++++++----------- clients/tools/ldappasswd.c | 52 ++--- clients/tools/ldapsearch.c | 397 ++++++++++++++++++++--------------- doc/devel/args | 21 +- include/ldap.h | 18 +- libraries/libldap/cyrus.c | 11 +- libraries/libldap/ldap-int.h | 4 +- libraries/libldap/options.c | 11 - libraries/libldap/sasl.c | 5 +- servers/slapd/sasl.c | 1 + servers/slapd/slap.h | 32 ++- 13 files changed, 880 insertions(+), 588 deletions(-) diff --git a/clients/tools/ldapdelete.c b/clients/tools/ldapdelete.c index 092ddcfdd8..1bcde372d2 100644 --- a/clients/tools/ldapdelete.c +++ b/clients/tools/ldapdelete.c @@ -18,7 +18,9 @@ #include #include "lutil_ldap.h" +#include "ldap_defaults.h" +static char *prog; static char *binddn = NULL; static struct berval passwd = { 0, NULL }; static char *ldaphost = NULL; 
@@ -50,12 +52,14 @@ usage( const char *s ) "usage: %s [options] [dn]...\n" " dn: list of DNs to delete. If not given, it will be readed from stdin\n" " or from the file specified with \"-f file\".\n" -"options:\n" +"Delete Options:\n" +" -r\t\tdelete recursively\n" +"Common options:\n" " -c\t\tcontinuous operation mode (do not stop on errors)\n" " -C\t\tchase referrals\n" " -d level\tset LDAP debugging level to `level'\n" " -D binddn\tbind DN\n" -" -f file\t\tdelete DNs listed in `file'\n" +" -f file\t\tread operations from `file'\n" " -h host\t\tLDAP server\n" " -k\t\tuse Kerberos authentication\n" " -K\t\tlike -k, but do only step 1 of the Kerberos bind\n" @@ -64,11 +68,11 @@ usage( const char *s ) " -O secprops\tSASL security properties\n" " -p port\t\tport on LDAP server\n" " -P version\tprocotol version (default: 3)\n" -" -r\t\tdelete recursively\n" " -U user\t\tSASL authentication identity (username)\n" " -v\t\trun in verbose mode (diagnostics to standard output)\n" " -w passwd\tbind passwd (for simple authentication)\n" " -W\t\tprompt for bind passwd\n" +" -x\t\tSimple authentication\n" " -X id\t\tSASL authorization identity (\"dn:\" or \"u:\")\n" " -Y mech\t\tSASL mechanism\n" " -Z\t\tissue Start TLS request (-ZZ to require successful response)\n" 
@@ -87,180 +91,258 @@ main( int argc, char **argv ) not = verbose = contoper = want_bindpw = debug = manageDSAit = referrals = 0; fp = NULL; - authmethod = LDAP_AUTH_SIMPLE; + authmethod = -1; version = -1; - while (( i = getopt( argc, argv, "cCD:d:f:h:KMnO:P:p:rU:vWw:X:Y:Z" )) != EOF ) { + prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : ++prog; + + while (( i = getopt( argc, argv, "cf:r" "Cd:D:h:kKMnO:p:P:U:vw:WxX:Y:Z" )) != EOF ) { switch( i ) { - case 'k': /* kerberos bind */ -#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND - authmethod = LDAP_AUTH_KRBV4; -#else - fprintf( stderr, "%s was not compiled with Kerberos support\n", argv[0] ); - return( EXIT_FAILURE ); -#endif - break; - case 'K': /* kerberos bind, part one only */ -#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND - authmethod = LDAP_AUTH_KRBV41; -#else - fprintf( stderr, "%s was not compiled with Kerberos support\n", argv[0] ); - return( EXIT_FAILURE ); -#endif - break; + /* Delete Specific Options */ case 'c': /* continuous operation mode */ ++contoper; break; - case 'C': - referrals++; - break; - case 'h': /* ldap host */ - ldaphost = strdup( optarg ); - break; - case 'D': /* bind DN */ - binddn = strdup( optarg ); - break; - case 'w': /* password */ - passwd.bv_val = strdup( optarg ); - { - char* p; - - for( p = optarg; *p == '\0'; p++ ) { - *p = '*'; - } - } - passwd.bv_len = strlen( passwd.bv_val ); - break; case 'f': /* read DNs from a file */ if (( fp = fopen( optarg, "r" )) == NULL ) { perror( optarg ); exit( EXIT_FAILURE ); } break; + case 'r': + prune = 1; + break; + + /* Common Options */ + case 'C': + referrals++; + break; case 'd': debug |= atoi( optarg ); break; - case 'p': - ldapport = atoi( optarg ); + case 'D': /* bind DN */ + binddn = strdup( optarg ); break; - case 'n': /* print deletes, don't actually do them */ - ++not; + case 'h': /* ldap host */ + ldaphost = strdup( optarg ); break; - case 'r': - prune = 1; - break; - case 'v': /* verbose mode */ - verbose++; + case 
'k': /* kerberos bind */ +#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND + if( version > LDAP_VERSION2 ) { + fprintf( stderr, "%s: -k incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + + if( authmethod != -1 ) { + fprintf( stderr, "%s: -k incompatible with previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + + authmethod = LDAP_AUTH_KRBV4; +#else + fprintf( stderr, "%s: not compiled with Kerberos support\n", prog ); + return EXIT_FAILURE; +#endif + break; + case 'K': /* kerberos bind, part one only */ +#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND + if( version > LDAP_VERSION2 ) { + fprintf( stderr, "%s: -k incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 ) { + fprintf( stderr, "%s: incompatible with previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + + authmethod = LDAP_AUTH_KRBV41; +#else + fprintf( stderr, "%s: not compiled with Kerberos support\n", prog ); + return( EXIT_FAILURE ); +#endif break; case 'M': /* enable Manage DSA IT */ + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -M incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } manageDSAit++; + version = LDAP_VERSION3; break; - case 'W': - want_bindpw++; + case 'n': /* print deletes, don't actually do them */ + ++not; + break; + case 'O': +#ifdef HAVE_CYRUS_SASL + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s -O incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + sasl_secprops = strdup( optarg ); + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; +#else + fprintf( stderr, "%s: not compiled with SASL support\n", + prog ); + return( EXIT_FAILURE ); +#endif break; + case 'p': + ldapport = atoi( optarg ); + break; case 'P': - switch( atoi(optarg) 
) - { + switch( atoi(optarg) ) { case 2: + if( version == LDAP_VERSION3 ) { + fprintf( stderr, "%s: -P 2 incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } version = LDAP_VERSION2; break; case 3: + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -P 2 incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } version = LDAP_VERSION3; break; default: - fprintf( stderr, "protocol version should be 2 or 3\n" ); - usage( argv[0] ); + fprintf( stderr, "%s: protocol version should be 2 or 3\n", + prog ); + usage( prog ); return( EXIT_FAILURE ); - } - break; - case 'O': + } break; + case 'U': #ifdef HAVE_CYRUS_SASL - sasl_secprops = strdup( optarg ); + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -U incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible previous " + "authentication choice\n", + prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + + sasl_authc_id = strdup( optarg ); authmethod = LDAP_AUTH_SASL; #else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); + fprintf( stderr, "%s: was not compiled with SASL support\n", + prog ); return( EXIT_FAILURE ); #endif break; + case 'v': /* verbose mode */ + verbose++; + break; + case 'w': /* password */ + passwd.bv_val = strdup( optarg ); + { + char* p; + + for( p = optarg; *p == '\0'; p++ ) { + *p = '*'; + } + } + passwd.bv_len = strlen( passwd.bv_val ); + break; + case 'W': + want_bindpw++; + break; case 'Y': #ifdef HAVE_CYRUS_SASL - if ( strcasecmp( optarg, "any" ) && strcmp( optarg, "*" ) ) { - sasl_mech = strdup( optarg ); + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -Y incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible with 
authentication choice\n", prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; #else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); + fprintf( stderr, "%s: was not compiled with SASL support\n", + prog ); return( EXIT_FAILURE ); #endif break; - case 'U': -#ifdef HAVE_CYRUS_SASL - sasl_authc_id = strdup( optarg ); - authmethod = LDAP_AUTH_SASL; -#else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); - return( EXIT_FAILURE ); -#endif + case 'x': + if( authmethod != -1 && authmethod != LDAP_AUTH_SIMPLE ) { + fprintf( stderr, "%s: incompatible with previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SIMPLE; break; case 'X': #ifdef HAVE_CYRUS_SASL + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -X incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: -X incompatible with " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + sasl_authz_id = strdup( optarg ); authmethod = LDAP_AUTH_SASL; #else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); + fprintf( stderr, "%s: not compiled with SASL support\n", + prog ); return( EXIT_FAILURE ); #endif break; case 'Z': #ifdef HAVE_TLS + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s -Z incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + version = LDAP_VERSION3; use_tls++; #else - fprintf( stderr, "%s was not compiled with TLS support\n", - argv[0] ); + fprintf( stderr, "%s: not compiled with TLS support\n", + prog ); return( EXIT_FAILURE ); #endif break; default: - usage( argv[0] ); + usage( prog ); return( EXIT_FAILURE ); } } - if ( ( authmethod == LDAP_AUTH_KRBV4 ) || ( authmethod == - LDAP_AUTH_KRBV41 ) ) { - if( version > LDAP_VERSION2 ) { - 
fprintf( stderr, "Kerberos requires LDAPv2\n" ); - return( EXIT_FAILURE ); - } - version = LDAP_VERSION2; - } - else if ( authmethod == LDAP_AUTH_SASL ) { - if( version != -1 && version != LDAP_VERSION3 ) { - fprintf( stderr, "SASL requires LDAPv3\n" ); - return( EXIT_FAILURE ); - } + if (version == -1) { version = LDAP_VERSION3; } - - if( manageDSAit ) { - if( version != -1 && version != LDAP_VERSION3 ) { - fprintf(stderr, "manage DSA control requires LDAPv3\n"); - return EXIT_FAILURE; - } - version = LDAP_VERSION3; - } - - if( use_tls ) { - if( version != -1 && version != LDAP_VERSION3 ) { - fprintf(stderr, "Start TLS requires LDAPv3\n"); - return EXIT_FAILURE; - } - version = LDAP_VERSION3; + if (authmethod == -1 && version > LDAP_VERSION2) { + authmethod = LDAP_AUTH_SASL; } if ( fp == NULL ) { @@ -302,10 +384,6 @@ main( int argc, char **argv ) return EXIT_FAILURE; } - if (version == -1 ) { - version = 3; - } - if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ) != LDAP_OPT_SUCCESS ) { diff --git a/clients/tools/ldapmodify.c b/clients/tools/ldapmodify.c index 27262e80b1..8b6831d981 100644 --- a/clients/tools/ldapmodify.c +++ b/clients/tools/ldapmodify.c 
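Review bot: The argv-masking loop in `case 'w'` (`for( p = optarg; *p == '\0'; p++ ) { *p = '*'; }`) has its condition inverted: for a non-empty password it never runs, so the secret stays visible in the process argument list, and for an empty argument it overwrites the terminator and keeps writing past it; the test should be `*p != '\0'`. The same moved loop appears in the ldapmodify and ldapmodrdn `case 'w'` hunks and in the ldappasswd `case 's'` hunk. Two of the new diagnostics are copy-paste slips: the `-K` branch reports `-k incompatible with LDAPv%d` and the `-P 3` branch reports `-P 2 incompatible with version %d`. The `-U` and `-X` branches also assign `authmethod = LDAP_AUTH_SASL;` twice, once in the added block and again on the retained line after the `strdup`. main()'s body continues outside the hunk.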
@@ -97,15 +97,17 @@ usage( const char *prog ) "usage: %s [options]\n" " The list of desired operations are read from stdin or from the file\n" " specified by \"-f file\".\n" -"options:\n" +"Add or modify options:\n" " -a\t\tadd values (default%s)\n" -" -b\t\tread values from files (for binary attributes)\n" -" -c\t\tcontinuous operation\n" +" -r\t\treplace values\n" +" -F\t\tforce all changes records to be used\n" + +"common options:\n" +" -c\t\tcontinuous operation (ignore errors)\n" " -C\t\tchase referrals\n" " -d level\tset LDAP debugging level to `level'\n" " -D dn\t\tbind DN\n" -" -f file\t\tperform sequence of operations listed in file\n" -" -F\t\tforce all changes records to be used\n" +" -f file\t\tread operations from `file'\n" " -h host\t\tLDAP server\n" " -k\t\tuse Kerberos authentication\n" " -K\t\tlike -k, but do only step 1 of the Kerberos bind\n" @@ -113,7 +115,6 @@ usage( const char *prog ) " -n\t\tprint changes, don't actually do them\n" " -O secprops\tSASL security properties\n" " -p port\t\tport on LDAP server\n" -" -r\t\treplace values\n" " -U user\t\tSASL authentication identity (username)\n" " -v\t\tverbose mode\n" " -w passwd\tbind password (for Simple authentication)\n" @@ -121,6 +122,7 @@ usage( const char *prog ) " -Y mech\t\tSASL mechanism\n" " -Z\t\tissue Start TLS request (-ZZ to require successful response)\n" , prog, (strcmp( prog, "ldapadd" ) ? " is to replace" : "") ); + exit( EXIT_FAILURE ); } 
@@ -146,143 +148,245 @@ main( int argc, char **argv ) infile = NULL; not = verbose = want_bindpw = debug = manageDSAit = referrals = 0; - authmethod = LDAP_AUTH_SIMPLE; + authmethod = -1; version = -1; - while (( i = getopt( argc, argv, "acCD:d:Ff:h:KkMnO:P:p:rtU:vWw:X:Y:Z" )) != EOF ) { + while (( i = getopt( argc, argv, "acrf:F" "Cd:D:h:kKMnO:p:P:U:vw:WxX:Y:Z" )) != EOF ) { switch( i ) { + /* Modify Options */ case 'a': /* add */ ldapadd = 1; break; case 'c': /* continuous operation */ contoper = 1; break; + case 'f': /* read from file */ + infile = strdup( optarg ); + break; + case 'F': /* force all changes records to be used */ + force = 1; + break; + case 'r': /* default is to replace rather than add values */ + replace = 1; + break; + + /* Common Options */ case 'C': referrals++; break; - case 'r': /* default is to replace rather than add values */ - replace = 1; + case 'd': + debug |= atoi( optarg ); + break; + case 'D': /* bind DN */ + binddn = strdup( optarg ); + break; + case 'h': /* ldap host */ + ldaphost = strdup( optarg ); break; case 'k': /* kerberos bind */ #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND + if( version > LDAP_VERSION2 ) { + fprintf( stderr, "%s: -k incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + + if( authmethod != -1 ) { + fprintf( stderr, "%s: -k incompatible with previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_KRBV4; #else - fprintf( stderr, "%s was not compiled with Kerberos support\n", argv[0] ); - return( EXIT_FAILURE ); + fprintf( stderr, "%s: not compiled with Kerberos support\n", prog ); + return EXIT_FAILURE; #endif break; - case 'K': /* kerberos bind, part 1 only */ + case 'K': /* kerberos bind, part one only */ #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND + if( version > LDAP_VERSION2 ) { + fprintf( stderr, "%s: -k incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 ) { + fprintf( stderr, "%s: 
incompatible with previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_KRBV41; #else - fprintf( stderr, "%s was not compiled with Kerberos support\n", argv[0] ); + fprintf( stderr, "%s: not compiled with Kerberos support\n", prog ); return( EXIT_FAILURE ); #endif break; - case 'F': /* force all changes records to be used */ - force = 1; - break; - case 'h': /* ldap host */ - ldaphost = strdup( optarg ); - break; - case 'D': /* bind DN */ - binddn = strdup( optarg ); - break; - case 'w': /* password */ - passwd.bv_val = strdup( optarg ); - { - char* p; - - for( p = optarg; *p == '\0'; p++ ) { - *p = '*'; - } - } - passwd.bv_len = strlen( passwd.bv_val ); - break; - case 'd': - debug |= atoi( optarg ); - break; - case 'f': /* read from file */ - infile = strdup( optarg ); - break; - case 'p': - ldapport = atoi( optarg ); - break; - case 'n': /* print adds, don't actually do them */ - ++not; - break; - case 'v': /* verbose mode */ - verbose++; - break; case 'M': /* enable Manage DSA IT */ + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -M incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } manageDSAit++; + version = LDAP_VERSION3; break; - case 'W': - want_bindpw++; + case 'n': /* print deletes, don't actually do them */ + ++not; + break; + case 'O': +#ifdef HAVE_CYRUS_SASL + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s -O incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + sasl_secprops = strdup( optarg ); + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; +#else + fprintf( stderr, "%s: not compiled with SASL support\n", + prog ); + return( EXIT_FAILURE ); +#endif break; + case 'p': + ldapport = atoi( optarg ); + break; case 'P': - switch( atoi(optarg) ) - { + switch( 
atoi(optarg) ) { case 2: + if( version == LDAP_VERSION3 ) { + fprintf( stderr, "%s: -P 2 incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } version = LDAP_VERSION2; break; case 3: + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -P 2 incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } version = LDAP_VERSION3; break; default: - fprintf( stderr, "protocol version should be 2 or 3\n" ); - usage( argv[0] ); - } - break; - case 'O': + fprintf( stderr, "%s: protocol version should be 2 or 3\n", + prog ); + usage( prog ); + return( EXIT_FAILURE ); + } break; + case 'U': #ifdef HAVE_CYRUS_SASL - sasl_secprops = strdup( optarg ); + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -U incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible previous " + "authentication choice\n", + prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + + sasl_authc_id = strdup( optarg ); authmethod = LDAP_AUTH_SASL; #else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); + fprintf( stderr, "%s: was not compiled with SASL support\n", + prog ); return( EXIT_FAILURE ); #endif break; + case 'v': /* verbose mode */ + verbose++; + break; + case 'w': /* password */ + passwd.bv_val = strdup( optarg ); + { + char* p; + + for( p = optarg; *p == '\0'; p++ ) { + *p = '*'; + } + } + passwd.bv_len = strlen( passwd.bv_val ); + break; + case 'W': + want_bindpw++; + break; case 'Y': #ifdef HAVE_CYRUS_SASL - if ( strcasecmp( optarg, "any" ) && strcmp( optarg, "*" ) ) { - sasl_mech = strdup( optarg ); + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -Y incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible with authentication 
choice\n", prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; #else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); + fprintf( stderr, "%s: was not compiled with SASL support\n", + prog ); return( EXIT_FAILURE ); #endif break; - case 'U': -#ifdef HAVE_CYRUS_SASL - sasl_authc_id = strdup( optarg ); - authmethod = LDAP_AUTH_SASL; -#else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); - return( EXIT_FAILURE ); -#endif + case 'x': + if( authmethod != -1 && authmethod != LDAP_AUTH_SIMPLE ) { + fprintf( stderr, "%s: incompatible with previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SIMPLE; break; case 'X': #ifdef HAVE_CYRUS_SASL + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -X incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: -X incompatible with " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + sasl_authz_id = strdup( optarg ); authmethod = LDAP_AUTH_SASL; #else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); + fprintf( stderr, "%s: not compiled with SASL support\n", + prog ); return( EXIT_FAILURE ); #endif break; case 'Z': #ifdef HAVE_TLS + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s -Z incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + version = LDAP_VERSION3; use_tls++; #else - fprintf( stderr, "%s was not compiled with TLS support\n", - argv[0] ); + fprintf( stderr, "%s: not compiled with TLS support\n", + prog ); return( EXIT_FAILURE ); #endif break; 
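Review bot: The relocated `case 'n':` now carries the comment `/* print deletes, don't actually do them */`, copied from ldapdelete; the line it replaces said adds and this tool's usage text says "print changes", so it should read `/* print changes, don't actually do them */` (the ldapmodrdn hunk has the same copied comment). Since `usage()` in this file now ends with `exit( EXIT_FAILURE )`, the `return( EXIT_FAILURE );` added after `usage( prog )` in the `-P` default branch is unreachable — harmless, but either drop it or keep the usage()/return convention consistent with the other tools. main()'s body continues outside the hunk.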
@@ -291,40 +395,15 @@ main( int argc, char **argv ) } } - if ( argc != optind ) - usage( prog ); - - if ( ( authmethod == LDAP_AUTH_KRBV4 ) || ( authmethod == - LDAP_AUTH_KRBV41 ) ) { - if( version > LDAP_VERSION2 ) { - fprintf( stderr, "Kerberos requires LDAPv2\n" ); - return( EXIT_FAILURE ); - } - version = LDAP_VERSION2; - } - else if ( authmethod == LDAP_AUTH_SASL ) { - if( version != -1 && version != LDAP_VERSION3 ) { - fprintf( stderr, "SASL requires LDAPv3\n" ); - return( EXIT_FAILURE ); - } + if (version == -1) { version = LDAP_VERSION3; } - - if( manageDSAit ) { - if( version != -1 && version != LDAP_VERSION3 ) { - fprintf(stderr, "manage DSA control requires LDAPv3\n"); - return EXIT_FAILURE; - } - version = LDAP_VERSION3; + if (authmethod == -1 && version > LDAP_VERSION2) { + authmethod = LDAP_AUTH_SASL; } - if( use_tls ) { - if( version != -1 && version != LDAP_VERSION3 ) { - fprintf(stderr, "Start TLS requires LDAPv3\n"); - return EXIT_FAILURE; - } - version = LDAP_VERSION3; - } + if ( argc != optind ) + usage( prog ); if ( infile != NULL ) { if (( fp = fopen( infile, "r" )) == NULL ) { diff --git a/clients/tools/ldapmodrdn.c b/clients/tools/ldapmodrdn.c index 96604926c2..4a7b5cfc34 100644 --- a/clients/tools/ldapmodrdn.c +++ b/clients/tools/ldapmodrdn.c @@ -30,6 +30,7 @@ #include #include "lutil_ldap.h" +#include "ldap_defaults.h" static char *binddn = NULL; static struct berval passwd = { 0, NULL }; 
@@ -61,12 +62,16 @@ usage( const char *s ) " dn rdn: If given, rdn will replace the RDN of the entry specified by DN\n" " If not given, the list of modifications is read from stdin or\n" " from the file specified by \"-f file\" (see man page).\n" -"options:\n" +"Rename options:\n" +" -r\t\tremove old RDN\n" +" -s newsuperior\tnew superior entry\n" + +"common options:\n" " -c\t\tcontinuous operation mode (do not stop on errors)\n" " -C\t\tchase referrals\n" " -d level\tset LDAP debugging level to `level'\n" " -D binddn\tbind DN\n" -" -f file\t\tdo renames listed in `file'\n" +" -f file\t\tread operations from `file'\n" " -h host\t\tLDAP server\n" " -k\t\tuse Kerberos authentication\n" " -K\t\tlike -k, but do only step 1 of the Kerberos bind\n" @@ -75,8 +80,6 @@ usage( const char *s ) " -O secprops\tSASL security properties\n" " -p port\t\tport on LDAP server\n" " -P version\tprocotol version (default: 3)\n" -" -r\t\tremove old RDN\n" -" -s newsuperior\tnew superior entry\n" " -U user\t\tSASL authentication identity (username)\n" " -v\t\trun in verbose mode (diagnostics to standard output)\n" " -w passwd\tbind passwd (for simple authentication)\n" @@ -92,7 +95,7 @@ usage( const char *s ) int main(int argc, char **argv) { - char *myname,*infile, *entrydn = NULL, *rdn = NULL, buf[ 4096 ]; + char *prog,*infile, *entrydn = NULL, *rdn = NULL, buf[ 4096 ]; FILE *fp; int rc, i, remove, havedn, authmethod, version, want_bindpw, debug, manageDSAit; int referrals; 
@@ -104,141 +107,241 @@ main(int argc, char **argv) authmethod = LDAP_AUTH_SIMPLE; version = -1; - myname = (myname = strrchr(argv[0], '/')) == NULL ? argv[0] : ++myname; + prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : ++prog; - while (( i = getopt( argc, argv, "cCD:d:f:h:KkMnO:P:p:rs:U:vWw:X:Y:Z" )) != EOF ) { + while (( i = getopt( argc, argv, "rs:" "cCd:D:f:h:kKMnO:p:P:U:vw:WxX:Y:Z" )) != EOF ) { switch( i ) { - case 'k': /* kerberos bind */ -#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND - authmethod = LDAP_AUTH_KRBV4; -#else - fprintf( stderr, "%s was not compiled with Kerberos support\n", argv[0] ); - return( EXIT_FAILURE ); -#endif - break; - case 'K': /* kerberos bind, part one only */ -#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND - authmethod = LDAP_AUTH_KRBV41; -#else - fprintf( stderr, "%s was not compiled with Kerberos support\n", argv[0] ); - return( EXIT_FAILURE ); -#endif - break; - case 'c': /* continuous operation mode */ - ++contoper; + /* Modrdn Options */ + case 's': /* newSuperior */ + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -X incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + newSuperior = strdup( optarg ); + version = LDAP_VERSION3; + break; + case 'r': /* remove old RDN */ + remove++; break; + + /* Common Options */ case 'C': referrals++; break; - case 'h': /* ldap host */ - ldaphost = strdup( optarg ); + case 'd': + debug |= atoi( optarg ); break; case 'D': /* bind DN */ binddn = strdup( optarg ); break; - case 's': /* newSuperior */ - newSuperior = strdup( optarg ); - version = LDAP_VERSION3; /* This option => force V3 */ + case 'h': /* ldap host */ + ldaphost = strdup( optarg ); break; - case 'w': /* password */ - passwd.bv_val = strdup( optarg ); - { - char* p; + case 'k': /* kerberos bind */ +#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND + if( version > LDAP_VERSION2 ) { + fprintf( stderr, "%s: -k incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } - 
for( p = optarg; *p == '\0'; p++ ) { - *p = '*'; - } + if( authmethod != -1 ) { + fprintf( stderr, "%s: -k incompatible with previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; } - passwd.bv_len = strlen( passwd.bv_val ); - break; - case 'd': - debug |= atoi( optarg ); - break; - case 'f': /* read from file */ - infile = strdup( optarg ); - break; - case 'p': - ldapport = atoi( optarg ); - break; - case 'n': /* print adds, don't actually do them */ - ++not; - break; - case 'v': /* verbose mode */ - verbose++; + + authmethod = LDAP_AUTH_KRBV4; +#else + fprintf( stderr, "%s: not compiled with Kerberos support\n", prog ); + return EXIT_FAILURE; +#endif break; - case 'r': /* remove old RDN */ - remove++; + case 'K': /* kerberos bind, part one only */ +#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND + if( version > LDAP_VERSION2 ) { + fprintf( stderr, "%s: -k incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 ) { + fprintf( stderr, "%s: incompatible with previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + + authmethod = LDAP_AUTH_KRBV41; +#else + fprintf( stderr, "%s: not compiled with Kerberos support\n", prog ); + return( EXIT_FAILURE ); +#endif break; case 'M': /* enable Manage DSA IT */ + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -M incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } manageDSAit++; + version = LDAP_VERSION3; break; - case 'W': - want_bindpw++; + case 'n': /* print deletes, don't actually do them */ + ++not; + break; + case 'O': +#ifdef HAVE_CYRUS_SASL + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s -O incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + sasl_secprops = strdup( optarg ); + authmethod = LDAP_AUTH_SASL; + 
version = LDAP_VERSION3; +#else + fprintf( stderr, "%s: not compiled with SASL support\n", + prog ); + return( EXIT_FAILURE ); +#endif break; + case 'p': + ldapport = atoi( optarg ); + break; case 'P': - switch( atoi(optarg) ) - { + switch( atoi(optarg) ) { case 2: + if( version == LDAP_VERSION3 ) { + fprintf( stderr, "%s: -P 2 incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } version = LDAP_VERSION2; break; case 3: + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -P 2 incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } version = LDAP_VERSION3; break; default: - fprintf( stderr, "protocol version should be 2 or 3\n" ); - usage( argv[0] ); + fprintf( stderr, "%s: protocol version should be 2 or 3\n", + prog ); + usage( prog ); return( EXIT_FAILURE ); - } - break; - case 'O': + } break; + case 'U': #ifdef HAVE_CYRUS_SASL - sasl_secprops = strdup( optarg ); + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -U incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible previous " + "authentication choice\n", + prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + + sasl_authc_id = strdup( optarg ); authmethod = LDAP_AUTH_SASL; #else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); + fprintf( stderr, "%s: was not compiled with SASL support\n", + prog ); return( EXIT_FAILURE ); #endif break; + case 'v': /* verbose mode */ + verbose++; + break; + case 'w': /* password */ + passwd.bv_val = strdup( optarg ); + { + char* p; + + for( p = optarg; *p == '\0'; p++ ) { + *p = '*'; + } + } + passwd.bv_len = strlen( passwd.bv_val ); + break; + case 'W': + want_bindpw++; + break; case 'Y': #ifdef HAVE_CYRUS_SASL - if ( strcasecmp( optarg, "any" ) && strcmp( optarg, "*" ) ) { - sasl_mech = strdup( optarg ); + if( version == 
LDAP_VERSION2 ) { + fprintf( stderr, "%s: -Y incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible with authentication choice\n", prog ); + return EXIT_FAILURE; } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; #else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); + fprintf( stderr, "%s: was not compiled with SASL support\n", + prog ); return( EXIT_FAILURE ); #endif break; - case 'U': -#ifdef HAVE_CYRUS_SASL - sasl_authc_id = strdup( optarg ); - authmethod = LDAP_AUTH_SASL; -#else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); - return( EXIT_FAILURE ); -#endif + case 'x': + if( authmethod != -1 && authmethod != LDAP_AUTH_SIMPLE ) { + fprintf( stderr, "%s: incompatible with previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SIMPLE; break; case 'X': #ifdef HAVE_CYRUS_SASL + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -X incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: -X incompatible with " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + sasl_authz_id = strdup( optarg ); authmethod = LDAP_AUTH_SASL; #else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); + fprintf( stderr, "%s: not compiled with SASL support\n", + prog ); return( EXIT_FAILURE ); #endif break; case 'Z': #ifdef HAVE_TLS + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s -Z incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + version = LDAP_VERSION3; use_tls++; #else - fprintf( stderr, "%s was not compiled with TLS support\n", - argv[0] ); + fprintf( stderr, "%s: not compiled with TLS support\n", + prog ); return( 
EXIT_FAILURE ); #endif break; @@ -248,49 +351,13 @@ main(int argc, char **argv) } } - if ( ( authmethod == LDAP_AUTH_KRBV4 ) || ( authmethod == - LDAP_AUTH_KRBV41 ) ) { - if( version > LDAP_VERSION2 ) { - fprintf( stderr, "Kerberos requires LDAPv2\n" ); - return( EXIT_FAILURE ); - } - version = LDAP_VERSION2; - } - else if ( authmethod == LDAP_AUTH_SASL ) { - if( version != -1 && version != LDAP_VERSION3 ) { - fprintf( stderr, "SASL requires LDAPv3\n" ); - return( EXIT_FAILURE ); - } - version = LDAP_VERSION3; - } - - if( manageDSAit ) { - if( version != -1 && version != LDAP_VERSION3 ) { - fprintf(stderr, "manage DSA control requires LDAPv3\n"); - return EXIT_FAILURE; - } + if (version == -1) { version = LDAP_VERSION3; } - - if( use_tls ) { - if( version != -1 && version != LDAP_VERSION3 ) { - fprintf(stderr, "Start TLS requires LDAPv3\n"); - return EXIT_FAILURE; - } - version = LDAP_VERSION3; + if (authmethod == -1 && version > LDAP_VERSION2) { + authmethod = LDAP_AUTH_SASL; } - if (newSuperior != NULL) { - if (version == LDAP_VERSION2) { - fprintf( stderr, - "%s: version conflict!, -s newSuperior requires LDAPv3\n", - myname); - usage( argv[0] ); - return( EXIT_FAILURE ); - } - version = LDAP_VERSION3; - } - havedn = 0; if (argc - optind == 2) { if (( rdn = strdup( argv[argc - 1] )) == NULL ) { @@ -303,7 +370,7 @@ main(int argc, char **argv) } ++havedn; } else if ( argc - optind != 0 ) { - fprintf( stderr, "%s: invalid number of arguments, only two allowed\n", myname); + fprintf( stderr, "%s: invalid number of arguments, only two allowed\n", prog); usage( argv[0] ); return( EXIT_FAILURE ); } @@ -344,10 +411,6 @@ main(int argc, char **argv) return EXIT_FAILURE; } - if (version == -1 ) { - version = 3; - } - if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ) != LDAP_OPT_SUCCESS ) { diff --git a/clients/tools/ldappasswd.c b/clients/tools/ldappasswd.c index dc70fcd593..54b2b8290a 100644 --- a/clients/tools/ldappasswd.c +++ b/clients/tools/ldappasswd.c 
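Review bot: The opening context line of this hunk still reads `authmethod = LDAP_AUTH_SIMPLE;`, yet the new `-k`, `-K`, `-O`, `-U`, `-Y` and `-X` branches test `authmethod != -1`, so unless it is reset somewhere outside the diff every Kerberos and SASL option in ldapmodrdn now fails with "incompatible with previous authentication choice", and the `if (authmethod == -1 && version > LDAP_VERSION2)` default to SASL in the following hunk can never fire. The initialisation should become `authmethod = -1;` as ldapdelete and ldapmodify do in this commit. Separately, the `-s` branch's diagnostic says `-X incompatible with LDAPv%d` where it should name `-s`, and the `case 'n'` comment copied from ldapdelete says "print deletes". main()'s body continues outside the hunk.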
@@ -31,21 +31,20 @@ usage(const char *s) "Change the password of an LDAP entry\n\n" "usage: %s [options] dn\n" " dn: the DN of the entry whose password must be changed\n" -"options:\n" +"Password change options:\n" " -a secret\told password\n" " -A\t\tprompt for old password\n" +" -s secret\tnew password\n" +" -S\t\tprompt for new password\n" + +"Common options:\n" " -d level\tdebugging level\n" " -C\t\tchase referrals\n" " -D binddn\tbind DN\n" -" -E\t\trequest SASL privacy (-EE to make it critical)\n" " -h host\t\tLDAP server (default: localhost)\n" -" -I\t\trequest SASL integrity checking (-II to make it\n" -" \tcritical)\n" " -n\t\tmake no modifications\n" " -O secprops\tSASL security properties\n" " -p port\t\tport on LDAP server\n" -" -S\t\tprompt for new password\n" -" -s secret\tnew password\n" " -U user\t\tSASL authentication identity (username)\n" " -v\t\tverbose mode\n" " -w passwd\tbind password (for simple authentication)\n" @@ -80,7 +79,7 @@ main( int argc, char *argv[] ) int ldapport = 0; int debug = 0; int version = -1; - int authmethod = LDAP_AUTH_SIMPLE; + int authmethod = -1; #ifdef HAVE_CYRUS_SASL char *sasl_authc_id = NULL; char *sasl_authz_id = NULL; @@ -102,12 +101,14 @@ main( int argc, char *argv[] ) usage (argv[0]); while( (i = getopt( argc, argv, - "Aa:CD:d:h:nO:p:Ss:U:vWw:X:Y:Z" )) != EOF ) + "Aa:Ss:" "Cd:D:h:nO:p:U:vw:WxX:Y:Z" )) != EOF ) { switch (i) { - case 'A': /* prompt for oldr password */ + /* Password Options */ + case 'A': /* prompt for old password */ want_oldpw++; break; + case 'a': /* old password (secret) */ oldpw = strdup (optarg); 
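Review bot: `x` is added to the getopt string, but none of this file's hunks adds a `case 'x':` handler, so `-x` falls through to the switch's default instead of selecting simple bind as the commit message describes. Likewise `authmethod` now starts at -1 (hunk @@ -80,7 +79,7 @@) and nothing visible in ldappasswd.c resolves it before the bind, unlike the `if (authmethod == -1 && version > LDAP_VERSION2) { authmethod = LDAP_AUTH_SASL; }` block this commit adds to ldapsearch.c and ldapmodrdn.c. Add `case 'x': authmethod = LDAP_AUTH_SIMPLE; break;` with the other common options and the same default-resolution block after the loop, or document why ldappasswd differs. The option loop continues past this hunk.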
@@ -119,9 +120,27 @@ main( int argc, char *argv[] ) } } break; + + case 'S': /* prompt for user password */ + want_newpw++; + break; + + case 's': /* new password (secret) */ + newpw = strdup (optarg); + { + char* p; + + for( p = optarg; *p == '\0'; p++ ) { + *p = '*'; + } + } + break; + + /* Common Options */ case 'C': referrals++; break; + case 'D': /* bind distinguished name */ binddn = strdup (optarg); break; @@ -142,21 +161,6 @@ main( int argc, char *argv[] ) ldapport = strtol( optarg, NULL, 10 ); break; - case 'S': /* prompt for user password */ - want_newpw++; - break; - - case 's': /* new password (secret) */ - newpw = strdup (optarg); - { - char* p; - - for( p = optarg; *p == '\0'; p++ ) { - *p = '*'; - } - } - break; - case 'v': /* verbose */ verbose++; break; diff --git a/clients/tools/ldapsearch.c b/clients/tools/ldapsearch.c index d5e59a3f69..e07b3ff838 100644 --- a/clients/tools/ldapsearch.c +++ b/clients/tools/ldapsearch.c 
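Review bot: The argv-scrubbing loop moved into `case 's':` never runs: `for( p = optarg; *p == '\0'; p++ )` stops immediately on any non-empty argument, so the new password stays visible in the process argument list (e.g. `ps`) for the life of the program. The condition should be `*p != '\0'`, i.e. `for( p = optarg; *p != '\0'; p++ ) { *p = '*'; }`; `newpw = strdup (optarg)` is taken before the loop, so overwriting optarg is safe. The identical loop appears in the `case 'w':` block of ldapsearch.c (hunk @@ -258,106 +231,227 @@) and needs the same fix. main()'s option loop continues outside this hunk.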
@@ -45,29 +45,16 @@ usage( const char *s ) "\t\t1.1 -- no attributes\n" "\t\t* -- all user attributes\n" "\t\t+ -- all operational attributes\n" -"options:\n" + +"Search options:\n" "\t-a deref\tdereference aliases: never (default), always, search, or find\n" "\t-A\t\tretrieve attribute names only (no values)\n" "\t-b basedn\tbase dn for search\n" -"\t-d level\tset LDAP debugging level to `level'\n" -"\t-D binddn\tbind DN\n" -"\t-E\t\trequest SASL privacy (-EE to make it critical)\n" -"\t-f file\t\tperform sequence of searches listed in `file'\n" -"\t-h host\t\tLDAP server\n" -"\t-I\t\trequest SASL integrity checking (-II to make it\n" -"\t\t\tcritical)\n" -"\t-k\t\tuse Kerberos authentication\n" -"\t-K\t\tlike -k, but do only step 1 of the Kerberos bind\n" "\t-l limit\ttime limit (in seconds) for search\n" "\t-L\t\tprint responses in LDIFv1 format\n" "\t-LL\t\tprint responses in LDIF format without comments\n" "\t-LLL\t\tprint responses in LDIF format without comments\n" "\t\t\tand version\n" -"\t-M\t\tenable Manage DSA IT control (-MM to make critical)\n" -"\t-n\t\tshow what would be done but don't actually search\n" -"\t-O secprops\tSASL security properties\n" -"\t-p port\t\tport on LDAP server\n" -"\t-P version\tprocotol version (default: 3)\n" "\t-s scope\tone of base, one, or sub (search scope)\n" "\t-S attr\t\tsort the results by attribute `attr'\n" "\t-t\t\twrite binary values to files in temporary directory\n" 
@@ -75,11 +62,25 @@ usage( const char *s ) "\t-T path\t\twrite files to directory specified by path (default:\n" "\t\t\t\"" LDAP_TMPDIR "\")\n" "\t-u\t\tinclude User Friendly entry names in the output\n" + +"Common options:\n" +"\t-d level\tset LDAP debugging level to `level'\n" +"\t-D binddn\tbind DN\n" +"\t-f file\t\tread operations from `file'\n" +"\t-h host\t\tLDAP server\n" +"\t-k\t\tuse Kerberos authentication\n" +"\t-K\t\tlike -k, but do only step 1 of the Kerberos bind\n" +"\t-M\t\tenable Manage DSA IT control (-MM to make critical)\n" +"\t-n\t\tshow what would be done but don't actually search\n" +"\t-O secprops\tSASL security properties\n" +"\t-p port\t\tport on LDAP server\n" +"\t-P version\tprocotol version (default: 3)\n" "\t-U user\t\tSASL authentication identity (username)\n" "\t-v\t\trun in verbose mode (diagnostics to standard output)\n" "\t-V prefix\tURL prefix for files (default: \"" LDAP_FILE_URI_PREFIX ")\n" "\t-w passwd\tbind passwd (for simple authentication)\n" "\t-W\t\tprompt for bind passwd\n" +"\t-x\t\tSimple authentication\n" "\t-X id\t\tSASL authorization identity (\"dn:\" or \"u:\")\n" "\t-Y mech\t\tSASL mechanism\n" "\t-z limit\tsize limit (in entries) for search\n" @@ -154,7 +155,7 @@ static int verbose, not, includeufn, vals2tmp, ldif; int main( int argc, char **argv ) { - char *infile, *filtpattern, **attrs, line[BUFSIZ]; + char *prog, *infile, *filtpattern, **attrs, line[BUFSIZ]; FILE *fp = NULL; int rc, i, first, scope, deref, attrsonly, manageDSAit; int referrals, timelimit, sizelimit, debug; 
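Review bot: `prog` is declared here as a local, but I cannot find an assignment before its first use in the option loop (hunk @@ -168,60 +169,39 @@, where every new error message passes it to `%s`): by the hunk headers, new lines 162–168 are unchanged from the old file, which had no `prog` variable, so the pointer appears to be read uninitialized — undefined behaviour that in practice prints garbage or crashes. Initialize it at the declaration, e.g. `char *prog = argv[0], *infile, *filtpattern, **attrs, line[BUFSIZ];`, or assign `prog = argv[0];` before the `while`. ldapdelete.c in this same commit uses a file-scope `static char *prog` instead; the two files should agree. main() continues outside this hunk.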
@@ -168,60 +169,39 @@ main( int argc, char **argv ) deref = sizelimit = timelimit = version = -1; scope = LDAP_SCOPE_SUBTREE; - authmethod = LDAP_AUTH_SIMPLE; + authmethod = -1; while (( i = getopt( argc, argv, - "Aa:b:CD:d:f:h:KkLl:MnO:P:p:RS:s:T:tU:uV:vWw:X:Y:Zz:")) != EOF ) + "Aa:b:f:Ll:S:s:T:tuV:z:" "Cd:D:h:kKMnO:p:P:U:vw:WxX:Y:Z")) != EOF ) { switch( i ) { - case 'n': /* do nothing */ - ++not; - break; - case 'v': /* verbose mode */ - ++verbose; - break; - case 'd': - debug |= atoi( optarg ); - break; - case 'k': /* use kerberos bind */ -#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND - authmethod = LDAP_AUTH_KRBV4; -#else - fprintf( stderr, "%s was not compiled with Kerberos support\n", argv[0] ); - return( EXIT_FAILURE ); -#endif - break; - case 'K': /* use kerberos bind, 1st part only */ -#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND - authmethod = LDAP_AUTH_KRBV41; -#else - fprintf( stderr, "%s was not compiled with Kerberos support\n", argv[0] ); - return( EXIT_FAILURE ); -#endif - break; - break; - case 'u': /* include UFN */ - ++includeufn; - break; - case 't': /* write attribute values to TMPDIR files */ - ++vals2tmp; - break; - case 'M': - /* enable Manage DSA IT */ - manageDSAit++; - break; - case 'C': - referrals++; - break; - case 'R': /* ignore */ + /* Search Options */ + case 'a': /* set alias deref option */ + if ( strcasecmp( optarg, "never" ) == 0 ) { + deref = LDAP_DEREF_NEVER; + } else if ( strncasecmp( optarg, "search", sizeof("search")-1 ) == 0 ) { + deref = LDAP_DEREF_SEARCHING; + } else if ( strncasecmp( optarg, "find", sizeof("find")-1 ) == 0 ) { + deref = LDAP_DEREF_FINDING; + } else if ( strcasecmp( optarg, "always" ) == 0 ) { + deref = LDAP_DEREF_ALWAYS; + } else { + fprintf( stderr, "alias deref should be never, search, find, or always\n" ); + usage( argv[ 0 ] ); + } break; case 'A': /* retrieve attribute names only -- no values */ ++attrsonly; break; + case 'f': /* input file */ + infile = strdup( optarg ); + break; + case 'l': /* time 
limit */ + timelimit = atoi( optarg ); + break; case 'L': /* print entries in LDIF format */ ++ldif; break; - case 's': /* search scope */ if ( strcasecmp( optarg, "base" ) == 0 ) { scope = LDAP_SCOPE_BASE; @@ -234,22 +214,15 @@ main( int argc, char **argv ) usage( argv[ 0 ] ); } break; - - case 'a': /* set alias deref option */ - if ( strcasecmp( optarg, "never" ) == 0 ) { - deref = LDAP_DEREF_NEVER; - } else if ( strncasecmp( optarg, "search", sizeof("search")-1 ) == 0 ) { - deref = LDAP_DEREF_SEARCHING; - } else if ( strncasecmp( optarg, "find", sizeof("find")-1 ) == 0 ) { - deref = LDAP_DEREF_FINDING; - } else if ( strcasecmp( optarg, "always" ) == 0 ) { - deref = LDAP_DEREF_ALWAYS; - } else { - fprintf( stderr, "alias deref should be never, search, find, or always\n" ); - usage( argv[ 0 ] ); - } + case 'S': /* sort attribute */ + sortattr = strdup( optarg ); + break; + case 'u': /* include UFN */ + ++includeufn; + break; + case 't': /* write attribute values to TMPDIR files */ + ++vals2tmp; break; - case 'T': /* tmpdir */ if( tmpdir ) free( tmpdir ); tmpdir = strdup( optarg ); 
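Review bot: In the relocated `case 'a':`, an unrecognised deref value prints the message and calls `usage( argv[ 0 ] )`, but if usage() does not itself exit, parsing continues with `deref` still -1 and a typo such as `-a nevr` runs the search anyway. The `-P` default branch added by this commit does `usage( prog ); return( EXIT_FAILURE );`; the `-a` fallback, and the `-s` scope fallback that follows it, should behave the same, i.e. add `return EXIT_FAILURE;` after each `usage( argv[ 0 ] );`. main() continues beyond this hunk.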
@@ -258,106 +231,227 @@ main( int argc, char **argv ) if( urlpre ) free( urlpre ); urlpre = strdup( optarg ); break; - case 'f': /* input file */ - infile = strdup( optarg ); - break; - case 'h': /* ldap host */ - ldaphost = strdup( optarg ); + case 'z': /* size limit */ + sizelimit = atoi( optarg ); break; - case 'b': /* search base */ - base = strdup( optarg ); + + /* Common Options */ + case 'C': + referrals++; break; + case 'd': + debug |= atoi( optarg ); + break; case 'D': /* bind DN */ - binddn = strdup( optarg ); - break; - case 'p': /* ldap port */ - ldapport = atoi( optarg ); - break; - case 'w': /* bind password */ - passwd.bv_val = strdup( optarg ); - { - char* p; + binddn = strdup( optarg ); + break; + case 'h': /* ldap host */ + ldaphost = strdup( optarg ); + break; + case 'k': /* kerberos bind */ +#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND + if( version > LDAP_VERSION2 ) { + fprintf( stderr, "%s: -k incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } - for( p = optarg; *p == '\0'; p++ ) { - *p = '*'; - } + if( authmethod != -1 ) { + fprintf( stderr, "%s: -k incompatible with previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; } - passwd.bv_len = strlen( passwd.bv_val ); - break; - case 'l': /* time limit */ - timelimit = atoi( optarg ); - break; - case 'z': /* size limit */ - sizelimit = atoi( optarg ); - break; - case 'S': /* sort attribute */ - sortattr = strdup( optarg ); + + authmethod = LDAP_AUTH_KRBV4; +#else + fprintf( stderr, "%s: not compiled with Kerberos support\n", prog ); + return EXIT_FAILURE; +#endif + break; + case 'K': /* kerberos bind, part one only */ +#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND + if( version > LDAP_VERSION2 ) { + fprintf( stderr, "%s: -k incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 ) { + fprintf( stderr, "%s: incompatible with previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + + authmethod = 
LDAP_AUTH_KRBV41; +#else + fprintf( stderr, "%s: not compiled with Kerberos support\n", prog ); + return( EXIT_FAILURE ); +#endif + break; + case 'M': + /* enable Manage DSA IT */ + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -M incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + manageDSAit++; + version = LDAP_VERSION3; break; - case 'W': - want_bindpw++; + case 'n': /* print deletes, don't actually do them */ + ++not; + break; + case 'O': +#ifdef HAVE_CYRUS_SASL + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s -O incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + sasl_secprops = strdup( optarg ); + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; +#else + fprintf( stderr, "%s: not compiled with SASL support\n", + prog ); + return( EXIT_FAILURE ); +#endif break; + case 'p': + ldapport = atoi( optarg ); + break; case 'P': - switch( atoi( optarg ) ) - { + switch( atoi(optarg) ) { case 2: + if( version == LDAP_VERSION3 ) { + fprintf( stderr, "%s: -P 2 incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } version = LDAP_VERSION2; break; case 3: + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -P 2 incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } version = LDAP_VERSION3; break; default: - fprintf( stderr, "protocol version should be 2 or 3\n" ); - usage( argv[0] ); - } - break; - case 'O': + fprintf( stderr, "%s: protocol version should be 2 or 3\n", + prog ); + usage( prog ); + return( EXIT_FAILURE ); + } break; + case 'U': #ifdef HAVE_CYRUS_SASL - sasl_secprops = strdup( optarg ); + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -U incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod 
!= LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible previous " + "authentication choice\n", + prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + + sasl_authc_id = strdup( optarg ); authmethod = LDAP_AUTH_SASL; #else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); + fprintf( stderr, "%s: was not compiled with SASL support\n", + prog ); return( EXIT_FAILURE ); #endif break; + case 'v': /* verbose mode */ + verbose++; + break; + case 'w': /* password */ + passwd.bv_val = strdup( optarg ); + { + char* p; + + for( p = optarg; *p == '\0'; p++ ) { + *p = '*'; + } + } + passwd.bv_len = strlen( passwd.bv_val ); + break; + case 'W': + want_bindpw++; + break; case 'Y': #ifdef HAVE_CYRUS_SASL - if ( strcasecmp( optarg, "any" ) && strcmp( optarg, "*" ) ) { - sasl_mech = strdup( optarg ); + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -Y incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible with authentication choice\n", prog ); + return EXIT_FAILURE; } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; #else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); + fprintf( stderr, "%s: was not compiled with SASL support\n", + prog ); return( EXIT_FAILURE ); #endif break; - case 'U': -#ifdef HAVE_CYRUS_SASL - sasl_authc_id = strdup( optarg ); - authmethod = LDAP_AUTH_SASL; -#else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); - return( EXIT_FAILURE ); -#endif + case 'x': + if( authmethod != -1 && authmethod != LDAP_AUTH_SIMPLE ) { + fprintf( stderr, "%s: incompatible with previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SIMPLE; break; case 'X': #ifdef HAVE_CYRUS_SASL + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -X incompatible with LDAPv%d\n", + prog, 
version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: -X incompatible with " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + sasl_authz_id = strdup( optarg ); authmethod = LDAP_AUTH_SASL; #else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); + fprintf( stderr, "%s: not compiled with SASL support\n", + prog ); return( EXIT_FAILURE ); #endif break; case 'Z': #ifdef HAVE_TLS + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s -Z incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + version = LDAP_VERSION3; use_tls++; #else - fprintf( stderr, "%s was not compiled with TLS support\n", - argv[0] ); + fprintf( stderr, "%s: not compiled with TLS support\n", + prog ); return( EXIT_FAILURE ); #endif break; 
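Review bot: The rewritten `case 'Y':` drops the `sasl_mech = strdup( optarg );` assignment and re-adds only the version/authmethod checks, so `-Y mech` no longer selects a mechanism and the later `ldap_sasl_interactive_bind_s( ld, binddn, sasl_mech, ... )` gets whatever `sasl_mech` held before — the user's explicit choice is silently ignored. Restore it after the checks, keeping the old wildcard handling: `if ( strcasecmp( optarg, "any" ) && strcmp( optarg, "*" ) ) { sasl_mech = strdup( optarg ); }`. Smaller slips in the same hunk: the `case 'K':` error text names `-k`, the `-P 3` conflict message says `-P 2`, the `-O` and `-Z` messages lack the `:` after `%s` used everywhere else, and `case 'X':` assigns `authmethod = LDAP_AUTH_SASL` twice. The ldapmodrdn.c `case 'Y':` at the top of this chunk looks the same, though its start is cut off. main() continues past this hunk.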
@@ -366,39 +460,16 @@ main( int argc, char **argv ) } } - if ( ( authmethod == LDAP_AUTH_KRBV4 ) || ( authmethod == - LDAP_AUTH_KRBV41 ) ) { - if( version > LDAP_VERSION2 ) { - fprintf( stderr, "Kerberos requires LDAPv2\n" ); - return( EXIT_FAILURE ); - } - version = LDAP_VERSION2; - } - else if ( authmethod == LDAP_AUTH_SASL ) { - if( version != -1 && version != LDAP_VERSION3 ) { - fprintf( stderr, "SASL requires LDAPv3\n" ); - return( EXIT_FAILURE ); - } - version = LDAP_VERSION3; - } - - if( manageDSAit ) { - if( version != -1 && version != LDAP_VERSION3 ) { - fprintf(stderr, "manage DSA control requires LDAPv3\n"); - return EXIT_FAILURE; - } + if (version == -1) { version = LDAP_VERSION3; } - - if( use_tls ) { - if( version != -1 && version != LDAP_VERSION3 ) { - fprintf(stderr, "Start TLS requires LDAPv3\n"); - return EXIT_FAILURE; - } - version = LDAP_VERSION3; + if (authmethod == -1 && version > LDAP_VERSION2) { + authmethod = LDAP_AUTH_SASL; } - if ( argc - optind < 1 ) { + if (( argc - optind < 1 ) || + ( strchr( argv[optind], '=' ) == NULL ) ) + { filtpattern = "(objectclass=*)"; } else { filtpattern = strdup( argv[optind++] ); @@ -522,8 +593,6 @@ main( int argc, char **argv ) if ( authmethod == LDAP_AUTH_SASL ) { #ifdef HAVE_CYRUS_SASL - ldap_set_sasl_interact_proc( ld, lutil_sasl_interact ); - if( sasl_secprops != NULL ) { rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS, (void *) sasl_secprops ); @@ -537,7 +606,7 @@ main( int argc, char **argv ) } rc = ldap_sasl_interactive_bind_s( ld, binddn, - sasl_mech, NULL, NULL ); + sasl_mech, NULL, NULL, lutil_sasl_interact ); if( rc != LDAP_SUCCESS ) { ldap_perror( ld, "ldap_sasl_interactive_bind_s" ); diff --git a/doc/devel/args b/doc/devel/args index 5c2cad4945..ec1069de8a 100644 --- a/doc/devel/args +++ b/doc/devel/args 
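Review bot: The new default `if (authmethod == -1 && version > LDAP_VERSION2) { authmethod = LDAP_AUTH_SASL; }` silently changes the meaning of `-D ... -w secret` without `-x`: the password is stored in `passwd`, but the SASL path (hunk @@ -537,7 +606,7 @@) calls `ldap_sasl_interactive_bind_s( ld, binddn, sasl_mech, NULL, NULL, lutil_sasl_interact )` and never uses it, so existing scripts get an interactive SASL bind instead of the simple bind they asked for. Either treat a supplied password as an implicit `-x`, or refuse the combination explicitly: `if ( authmethod == -1 && ( passwd.bv_val != NULL || want_bindpw ) ) { fprintf( stderr, "%s: -w/-W require -x (simple bind)\n", prog ); return EXIT_FAILURE; }`. The same default block is added to ldapmodrdn.c (hunk @@ -248,49 +351,13 @@) and needs the same treatment. main() continues outside this hunk.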
@@ -1,9 +1,9 @@ Tools ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz -ldapdelete CD K M OP * U WXYZ cd f h k n p vw -ldapmodify CD F K M OP * U WXYZabcd f h k n p r t vw -ldapmodrdn CD K M OP * U WXYZ cd f h k n p rs vw -ldappasswd A CD O *S U WXYZa d h s vw -ldapsearch A CD KLM OP *STUVWXYZab*d f h kl n p stuvw z +ldapdelete CD K M OP * U WXYZ cd f h k n p vwx +ldapmodify CD F K M OP * U WXYZabcd f h k n p r t vwx +ldapmodrdn CD K M OP * U WXYZ cd f h k n p rs vwx +ldappasswd A CD O *S U WXYZa d h s vwx +ldapsearch A CD KLM OP *STUVWXYZab*d f h kl n p stuvwx z Other Clients ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz fax500 f h m @@ -17,30 +17,31 @@ ud D V cd f l p s uv * reserved - EGHIJNOegijmoqxy + EGHIJNOegijmoqy * General flags: -C Chase Referrals - -D bind DN + -D Bind DN -P protocol version - -R old don't chase referrals + -R deprecated (don't chase referrals) -W prompt for bind password -d debug -h host -n no-op -p port -v verbose - -w bind password + -w Bind password + -x simple bind * LDAPv3 Only -M ManageDSAIT -Z StartTLS + -Y SASL Mechanism -O SASL Security Options -U SASL Authentication Identity (username) -X SASL Authorization Identity - -Y SASL Mechanism * LDAPv2+ Only -K LDAPv2 Kerberos Bind (Step 1 only) (depecated) diff --git a/include/ldap.h b/include/ldap.h index 56c817b3d7..75322dd8a6 100644 --- a/include/ldap.h +++ b/include/ldap.h @@ -562,16 +562,6 @@ ldap_set_rebind_proc LDAP_P(( LDAP *ld, LDAP_REBIND_PROC *ldap_proc)); -/* V3 SASL Interaction Function Callback Prototype */ -/* when using Cyrus SASL, interact is pointer to sasl_interact_t */ -typedef int (LDAP_SASL_INTERACT_PROC) LDAP_P(( - LDAP *ld, void *interact )); - -LDAP_F( int ) -ldap_set_sasl_interact_proc LDAP_P(( - LDAP *ld, - LDAP_SASL_INTERACT_PROC *ldap_proc)); - /* * in controls.c: */ 
@@ -702,13 +692,19 @@ ldap_sasl_bind LDAP_P(( LDAPControl **clientctrls, int *msgidp )); +/* V3 SASL Interaction Function Callback Prototype */ +/* when using Cyrus SASL, interact is pointer to sasl_interact_t */ +typedef int (LDAP_SASL_INTERACT_PROC) LDAP_P(( + LDAP *ld, void *interact )); + LDAP_F( int ) ldap_sasl_interactive_bind_s LDAP_P(( LDAP *ld, LDAP_CONST char *dn, /* usually NULL */ LDAP_CONST char *saslMechanism, LDAPControl **serverControls, - LDAPControl **clientControls )); + LDAPControl **clientControls, + LDAP_SASL_INTERACT_PROC *proc )); LDAP_F( int ) ldap_sasl_bind_s LDAP_P(( diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c index 5f9362e83c..7a34bbe407 100644 --- a/libraries/libldap/cyrus.c +++ b/libraries/libldap/cyrus.c @@ -454,7 +454,8 @@ ldap_int_sasl_bind( const char *dn, const char *mechs, LDAPControl **sctrls, - LDAPControl **cctrls ) + LDAPControl **cctrls, + LDAP_SASL_INTERACT_PROC *interact ) { char *data; const char *mech = NULL; @@ -523,8 +524,8 @@ ldap_int_sasl_bind( } if( saslrc == SASL_INTERACT ) { - if( !ld->ld_options.ldo_sasl_interact ) break; - rc = (ld->ld_options.ldo_sasl_interact)( ld, prompts ); + if( !interact ) break; + rc = (interact)( ld, prompts ); if( rc != LDAP_SUCCESS ) { break; } @@ -572,8 +573,8 @@ ldap_int_sasl_bind( if( saslrc == SASL_INTERACT ) { int res; - if( !ld->ld_options.ldo_sasl_interact ) break; - res = (ld->ld_options.ldo_sasl_interact)( ld, prompts ); + if( !interact ) break; + res = (interact)( ld, prompts ); if( res != LDAP_SUCCESS ) { break; } diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h index 004d68468b..7b196497ab 100644 --- a/libraries/libldap/ldap-int.h +++ b/libraries/libldap/ldap-int.h @@ -148,7 +148,6 @@ struct ldapoptions { #endif #ifdef HAVE_CYRUS_SASL struct sasl_security_properties ldo_sasl_secprops; - LDAP_SASL_INTERACT_PROC *ldo_sasl_interact; #endif LDAP_BOOLEANS ldo_booleans; /* boolean options */ }; 
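Review bot: The new `proc` parameter of `ldap_sasl_interactive_bind_s` is undocumented in the public header, and its NULL behaviour matters to callers: in the cyrus.c hunks `if( !interact ) break;` ends the negotiation loop at the first SASL_INTERACT, so a NULL callback can only work with mechanisms that need no prompting. Add a comment on the parameter line, e.g. `LDAP_SASL_INTERACT_PROC *proc )); /* may be NULL; negotiation stops if the mechanism requests interaction */`, and note that this is an incompatible signature change for existing callers, since the old `ldap_set_sasl_interact_proc` setter is removed in this patch.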
@@ -547,7 +546,8 @@ LDAP_F (int) ldap_int_sasl_config LDAP_P(( struct ldapoptions *lo, LDAP_F (int) ldap_int_sasl_bind LDAP_P(( struct ldap *, LDAP_CONST char *, - const char *, LDAPControl **, LDAPControl ** )); + const char *, LDAPControl **, LDAPControl **, + LDAP_SASL_INTERACT_PROC *interact )); /* * in tls.c diff --git a/libraries/libldap/options.c b/libraries/libldap/options.c index 91a10ed54f..515f906b98 100644 --- a/libraries/libldap/options.c +++ b/libraries/libldap/options.c @@ -596,14 +596,3 @@ ldap_set_rebind_proc( LDAP *ld, LDAP_REBIND_PROC *rebind_proc) { return( ldap_set_option( ld, LDAP_OPT_REBIND_PROC, (void *)rebind_proc)); } - -int -ldap_set_sasl_interact_proc( LDAP *ld, LDAP_SASL_INTERACT_PROC *proc) -{ -#ifdef HAVE_CYRUS_SASL - ld->ld_options.ldo_sasl_interact = proc; - return LDAP_OPT_SUCCESS; -#else - return LDAP_OPT_ERROR; -#endif -} diff --git a/libraries/libldap/sasl.c b/libraries/libldap/sasl.c index 3168692582..2660a271aa 100644 --- a/libraries/libldap/sasl.c +++ b/libraries/libldap/sasl.c @@ -409,7 +409,8 @@ ldap_sasl_interactive_bind_s( LDAP_CONST char *dn, /* usually NULL */ LDAP_CONST char *mechs, LDAPControl **serverControls, - LDAPControl **clientControls) + LDAPControl **clientControls, + LDAP_SASL_INTERACT_PROC *interact ) { int rc; @@ -435,7 +436,7 @@ ldap_sasl_interactive_bind_s( } rc = ldap_int_sasl_bind( ld, dn, mechs, - serverControls, clientControls ); + serverControls, clientControls, interact ); return rc; } diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 1e87b0b882..ba0e67d3b5 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -377,6 +377,7 @@ int slap_sasl_close( Connection *conn ) free( conn->c_sasl_extra ); conn->c_sasl_extra = NULL; #endif + return LDAP_SUCCESS; } diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index 26a6e85b76..65b26db221 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h 
@@ -976,6 +976,23 @@ struct slap_backend_info { void *bi_private; /* anything the backend type needs */ }; +typedef struct slap_authz_info { + unsigned sai_ssf; /* Security Strength Factor */ + ber_tag_t sai_method; /* LDAP_AUTH_* from */ + char * sai_mech; /* SASL Mechanism */ + char * sai_dn; /* DN for reporting purposes */ + char * sai_ndn; /* Normalized DN */ +} AuthorizationInformation; + +#define c_authtype c_authz.sai_method +#define c_authmech c_authz.sai_mech +#define c_dn c_authz.sai_dn + +#define o_authtype o_authz.sai_method +#define o_authmech o_authz.sai_mech +#define o_dn o_authz.sai_dn +#define o_ndn o_authz.sai_ndn + /* * represents an operation pending from an ldap client */ @@ -983,21 +1000,16 @@ typedef struct slap_op { ber_int_t o_opid; /* id of this operation */ ber_int_t o_msgid; /* msgid of the request */ - ldap_pvt_thread_t o_tid; /* thread handling this op */ + ldap_pvt_thread_t o_tid; /* thread handling this op */ BerElement *o_ber; /* ber of the request */ ber_tag_t o_tag; /* tag of the request */ time_t o_time; /* time op was initiated */ - char *o_dn; /* dn bound when op was initiated */ - char *o_ndn; /* normalized dn bound when op was initiated */ + AuthorizationInformation o_authz; ber_int_t o_protocol; /* version of the LDAP protocol used by client */ - ber_tag_t o_authtype; /* auth method used to bind dn */ - /* values taken from ldap.h */ - /* LDAP_AUTH_* */ - char *o_authmech; /* SASL mechanism used to bind dn */ LDAPControl **o_ctrls; /* controls */ @@ -1039,6 +1051,7 @@ typedef struct slap_conn { /* only can be changed by binding thread */ int c_sasl_bind_in_progress; /* multi-op bind in progress */ char *c_sasl_bind_mech; /* mech in progress */ + char *c_cdn; /* authentication backend */ Backend *c_authc_backend; 
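Review bot: `#define c_dn c_authz.sai_dn`, `#define o_dn o_authz.sai_dn` and the other six macros rewrite every later occurrence of those bare identifiers in any translation unit that includes slap.h, not just member accesses, so a local variable, parameter or other struct field named `o_dn`/`c_dn` is silently turned into a member access and fails to compile (or compiles to something unintended). Consider using the `sai_*` members directly at the call sites, or at least add a comment above the block such as `/* accessor macros: these identifiers are reserved file-wide once slap.h is included */`. The `sai_method` comment `/* LDAP_AUTH_* from */` also appears truncated and should name the header it refers to.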
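Review bot: `c_cdn` is moved here without its comment; the line removed in the next hunk read `char *c_cdn; /* DN provided by the client */`, and beside `c_sasl_bind_mech` the bare declaration no longer says what it holds or how it differs from `c_authz.sai_dn`. Restore the comment on the moved line: `char *c_cdn; /* DN provided by the client */`. The struct slap_conn definition starts and ends outside this hunk.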
@@ -1046,12 +1059,9 @@ typedef struct slap_conn { /* authorization backend - normally same as c_authc_backend */ Backend *c_authz_backend; - char *c_cdn; /* DN provided by the client */ - char *c_dn; /* DN bound to this conn */ + AuthorizationInformation c_authz; ber_int_t c_protocol; /* version of the LDAP protocol used by client */ - ber_tag_t c_authtype;/* auth method used to bind c_dn */ - char *c_authmech; /* SASL mechanism used to bind c_dn */ Operation *c_ops; /* list of operations being processed */ Operation *c_pending_ops; /* list of pending operations */ -- 2.39.5