From d3b51f2614c787eaad4b156905e78b4b86ba6047 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Tue, 14 Dec 2010 20:58:02 +0000
Subject: [PATCH] LDAP "Verify Credentials" operation
Client library implementation only
---
 include/ldap.h | 41 +++++++++
 libraries/libldap/Makefile.in | 4 +-
 libraries/libldap/vc.c | 150 ++++++++++++++++++++++++++++++++
 libraries/libldap_r/Makefile.in | 4 +-
 4 files changed, 195 insertions(+), 4 deletions(-)
 create mode 100644 libraries/libldap/vc.c
diff --git a/include/ldap.h b/include/ldap.h
index 4af25991bf..03f839abbf 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -385,6 +385,11 @@ typedef struct ldapcontrol {
 #define LDAP_TAG_EXOP_REFRESH_REQ_TTL ((ber_tag_t) 0x81U)
 #define LDAP_TAG_EXOP_REFRESH_RES_TTL ((ber_tag_t) 0x80U)
+#define LDAP_EXOP_VERIFY_CREDENTIALS "1.1.1"
+#define LDAP_EXOP_X_VERIFY_CREDENTIALS LDAP_EXOP_X_VERIFY_CREDENTIALS
+
+#define LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE ((ber_tag_t) 0x80U)
+
 #define LDAP_EXOP_WHO_AM_I "1.3.6.1.4.1.4203.1.11.3" /* RFC 4532 */
 #define LDAP_EXOP_X_WHO_AM_I LDAP_EXOP_WHO_AM_I
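Review bot: `#define LDAP_EXOP_X_VERIFY_CREDENTIALS LDAP_EXOP_X_VERIFY_CREDENTIALS` defines the macro as itself, so any use of it expands to an undeclared identifier rather than the OID string; the neighbouring `LDAP_EXOP_X_WHO_AM_I` line shows the intended pattern, i.e. `#define LDAP_EXOP_X_VERIFY_CREDENTIALS LDAP_EXOP_VERIFY_CREDENTIALS`. The value `"1.1.1"` also does not sit under the OpenLDAP arc that `LDAP_EXOP_WHO_AM_I` uses two lines below, which suggests it is a placeholder; an extended-operation OID is a wire-level identifier, so a placeholder that ships can collide with another extension, and it should either be assigned properly or carry `/* FIXME: placeholder OID, not yet assigned */` until it is. `LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE` reuses the context tag value `0x80U` already used by `LDAP_TAG_EXOP_REFRESH_RES_TTL` above, which is fine because the two live in different request encodings, but a one-line comment naming the ASN.1 element it tags (the optional cookie of the VerifyCredentials request) would make that explicit.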
@@ -2214,6 +2219,42 @@ ldap_parse_vlvresponse_control LDAP_P((
 struct berval **contextp,
 int *errcodep ));
+/*
+ * LDAP Verify Credentials
+ */
+#define LDAP_API_FEATURE_VERIFY_CREDENTIALS 1000
+
+LDAP_F( int )
+ldap_verify_credentials LDAP_P((
+ LDAP *ld,
+ struct berval *cookie,
+ LDAP_CONST char *dn,
+ LDAP_CONST char *mechanism,
+ struct berval *cred,
+ LDAPControl **serverctrls,
+ LDAPControl **clientctrls,
+ int *msgidp ));
+
+LDAP_F( int )
+ldap_verify_credentials_s LDAP_P((
+ LDAP *ld,
+ struct berval *cookie,
+ LDAP_CONST char *dn,
+ LDAP_CONST char *mechanism,
+ struct berval *cred,
+ LDAPControl **serverctrls,
+ LDAPControl **clientctrls,
+ struct berval **servercredp,
+ struct berval **authzid ));
+
+LDAP_F( int )
+ldap_parse_verify_credentials_result LDAP_P((
+ LDAP *ld,
+ LDAPMessage *res,
+ struct berval **cookie,
+ struct berval **servercredp,
+ struct berval **authzid));
+
 /*
 * LDAP Who Am I?
 * in whoami.c
diff --git a/libraries/libldap/Makefile.in b/libraries/libldap/Makefile.in
index 1e83efeee1..c39336ff99 100644
--- a/libraries/libldap/Makefile.in
+++ b/libraries/libldap/Makefile.in
@@ -21,7 +21,7 @@ SRCS = bind.c open.c result.c error.c compare.c search.c \
 controls.c messages.c references.c extended.c cyrus.c \
 modify.c add.c modrdn.c delete.c abandon.c \
 sasl.c gssapi.c sbind.c unbind.c cancel.c \
- filter.c free.c sort.c passwd.c whoami.c \
+ filter.c free.c sort.c passwd.c whoami.c vc.c \
 getdn.c getentry.c getattr.c getvalues.c addentry.c \
 request.c os-ip.c url.c pagectrl.c sortctrl.c vlvctrl.c \
 init.c options.c print.c string.c util-int.c schema.c \
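Review bot: The declared `ldap_parse_verify_credentials_result(ld, res, cookie, servercredp, authzid)` has no definition anywhere in this commit — vc.c defines `ldap_parse_verify_credentials(ld, res, servercred, authzid)` with no cookie out-parameter and `ldap_verify_credentials_s` calls that one — so this prototype is an orphan and the function that is actually exported has no public prototype. Since the header is the contract, vc.c should define `int ldap_parse_verify_credentials_result(LDAP *ld, LDAPMessage *res, struct berval **cookie, struct berval **servercredp, struct berval **authzid)` and the `_s` wrapper should pass a cookie pointer (or NULL) through to it, and the `_s` prototype here would then want a matching `struct berval **cookie` out-parameter too, or a comment explaining why the synchronous form cannot return one. Ownership of the three out-bervals is not stated: a comment such as `/* *servercredp, *authzid and *cookie are allocated by the library; caller releases them with ber_bvfree() */` (presuming that is the intended contract, as for the other extended-result parsers) would stop callers from guessing. A note on `cred` that it carries a secret and that the library does not retain it after the call returns would also help callers decide when to wipe it.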
@@ -34,7 +34,7 @@ OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \
 controls.lo messages.lo references.lo extended.lo cyrus.lo \
 modify.lo add.lo modrdn.lo delete.lo abandon.lo \
 sasl.lo gssapi.lo sbind.lo unbind.lo cancel.lo \
- filter.lo free.lo sort.lo passwd.lo whoami.lo \
+ filter.lo free.lo sort.lo passwd.lo whoami.lo vc.lo \
 getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \
 request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \
 init.lo options.lo print.lo string.lo util-int.lo schema.lo \
diff --git a/libraries/libldap/vc.c b/libraries/libldap/vc.c
new file mode 100644
index 0000000000..d9f4be4372
--- /dev/null
+++ b/libraries/libldap/vc.c
@@ -0,0 +1,150 @@
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software .
+ *
+ * Copyright 1998-2010 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * .
+ */
+/* ACKNOWLEDGEMENTS:
+ * This program was orignally developed by Kurt D. Zeilenga for inclusion in
+ * OpenLDAP Software.
+ */
+
+#include "portable.h"
+
+#include
+#include
+#include
+#include
+
+#include "ldap-int.h"
+
+/*
+ * LDAP Verify Credentials
+ */
+
+int ldap_parse_verify_credentials(
+ LDAP *ld,
+ LDAPMessage *res,
+ struct berval **servercred,
+ struct berval **authzid )
+{
+ int rc;
+ char *retoid = NULL;
+ struct berval *reqdata = NULL;
+
+ assert( ld != NULL );
+ assert( LDAP_VALID( ld ) );
+ assert( res != NULL );
+ assert( authzid != NULL );
+
+ *authzid = NULL;
+
+ rc = ldap_parse_extended_result( ld, res, &retoid, &reqdata, 0 );
+
+ if( rc != LDAP_SUCCESS ) {
+ ldap_perror( ld, "ldap_parse_whoami" );
+ return rc;
+ }
+
+ ber_memfree( retoid );
+ return rc;
+}
+
+int
+ldap_verify_credentials( LDAP *ld,
+ struct berval *cookie,
+ LDAP_CONST char *dn,
+ LDAP_CONST char *mechanism,
+ struct berval *cred,
+ LDAPControl **sctrls,
+ LDAPControl **cctrls,
+ int *msgidp )
+{
+ int rc;
+ BerElement *ber;
+ struct berval * reqdata;
+
+ assert(ld != NULL);
+ assert(LDAP_VALID(ld));
+ assert(msgidp != NULL);
+
+ ber = ber_alloc_t(LBER_USE_DER);
+ ber_printf(ber, "{");
+ if (dn == NULL) dn = "";
+
+ if (mechanism == LDAP_SASL_SIMPLE) {
+ assert(!cookie);
+
+ rc = ber_printf(ber, "{istON}",
+ 3, dn, LDAP_AUTH_SIMPLE, cred);
+
+ } else {
+ if (!cred || BER_BVISNULL(cred)) {
+ if (cookie) {
+ rc = ber_printf(ber, "{t0ist{sN}N}",
+ LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE, cookie,
+ 3, dn, 
LDAP_AUTH_SASL, mechanism);
+ } else {
+ rc = ber_printf(ber, "{ist{sN}N}",
+ 3, dn, LDAP_AUTH_SASL, mechanism);
+ }
+ } else {
+ if (cookie) {
+ rc = ber_printf(ber, "{tOist{sON}N}",
+ LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE, cookie,
+ 3, dn, LDAP_AUTH_SASL, mechanism, cred);
+ } else {
+ rc = ber_printf(ber, "{ist{sON}N}",
+ 3, dn, LDAP_AUTH_SASL, mechanism, cred);
+ }
+ }
+ }
+
+ ber_flatten(ber, &reqdata);
+
+ rc = ldap_extended_operation(ld, LDAP_EXOP_VERIFY_CREDENTIALS,
+ reqdata, sctrls, cctrls, msgidp);
+
+ ber_free(ber, 1);
+ return rc;
+}
+
+int
+ldap_verify_credentials_s(
+ LDAP *ld,
+ struct berval *cookie,
+ LDAP_CONST char *dn,
+ LDAP_CONST char *mechanism,
+ struct berval *cred,
+ LDAPControl **sctrls,
+ LDAPControl **cctrls,
+ struct berval **scred,
+ struct berval **authzid)
+{
+ int rc;
+ int msgid;
+ LDAPMessage *res;
+
+ rc = ldap_verify_credentials(ld, cookie, dn, mechanism, cred, sctrls, cctrls, &msgid);
+ if (rc != LDAP_SUCCESS) return rc;
+
+ if (ldap_result(ld, msgid, LDAP_MSG_ALL, (struct timeval *) NULL, &res) == -1 || !res) {
+ return ld->ld_errno;
+ }
+
+ rc = ldap_parse_verify_credentials(ld, res, scred, authzid);
+ if (rc != LDAP_SUCCESS) {
+ ldap_msgfree(res);
+ return rc;
+ }
+
+ return( ldap_result2error(ld, res, 1));
+}
diff --git a/libraries/libldap_r/Makefile.in b/libraries/libldap_r/Makefile.in
index 7093221557..b8e2e552b7 100644
--- a/libraries/libldap_r/Makefile.in
+++ b/libraries/libldap_r/Makefile.in
@@ -23,7 +23,7 @@ XXSRCS = apitest.c test.c \
 controls.c messages.c references.c extended.c cyrus.c \
 modify.c add.c modrdn.c delete.c abandon.c \
 sasl.c gssapi.c sbind.c unbind.c cancel.c \
- filter.c free.c sort.c passwd.c whoami.c \
+ filter.c free.c sort.c passwd.c whoami.c vc.c \
 getdn.c getentry.c getattr.c getvalues.c addentry.c \
 request.c os-ip.c url.c pagectrl.c sortctrl.c vlvctrl.c \
 init.c options.c print.c string.c util-int.c schema.c \
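Review bot: In `ldap_verify_credentials` the `struct berval *reqdata` filled by `ber_flatten` — a heap copy of the encoded request, including the caller's password or SASL credential — is never released; `ber_free(ber, 1)` frees only the BerElement, so every call leaks a plaintext copy of the secret on the heap. The same tail never checks `ber_alloc_t` for NULL, never looks at the `rc` from `ber_printf` or the return of `ber_flatten`, and the opening `ber_printf(ber, "{")` is never closed with a matching `N}`, so an incompletely encoded request is still handed to `ldap_extended_operation`. The cookie-without-credential branch uses the format `"{t0ist{sN}N}"` (digit zero) where its sibling uses `"{tOist{sON}N}"` (letter O), which looks like a typo that would make that `ber_printf` fail. I would drop the stray `"{"`, fail with `LDAP_ENCODING_ERROR` when any encode step fails, and wipe and `ber_bvfree` `reqdata` once `ldap_extended_operation` returns — that call appears to take its own copy of the request data, as the other exop wrappers in this library rely on, but confirm before freeing, and use the project's explicit-clear helper if one exists since a plain `memset` before `free` may be elided. Separately, `ldap_parse_verify_credentials` never populates `*servercred`, leaks the `reqdata` it gets from `ldap_parse_extended_result`, and logs under the copy-pasted name `"ldap_parse_whoami"`.

```c
	ber = ber_alloc_t(LBER_USE_DER);
	if (ber == NULL) {
		ld->ld_errno = LDAP_NO_MEMORY;
		return ld->ld_errno;
	}
	if (dn == NULL) dn = "";

	/* … unchanged: rc = ber_printf(ber, ...) for the simple/SASL/cookie cases … */

	if (rc == -1 || ber_flatten(ber, &reqdata) == -1) {
		ber_free(ber, 1);
		ld->ld_errno = LDAP_ENCODING_ERROR;
		return ld->ld_errno;
	}
	ber_free(ber, 1);

	rc = ldap_extended_operation(ld, LDAP_EXOP_VERIFY_CREDENTIALS,
		reqdata, sctrls, cctrls, msgidp);

	/* reqdata holds a copy of the caller's credential: wipe it, then free it */
	memset(reqdata->bv_val, 0, reqdata->bv_len);
	ber_bvfree(reqdata);
	return rc;
```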
@@ -41,7 +41,7 @@ OBJS = threads.lo rdwr.lo rmutex.lo tpool.lo rq.lo \
 controls.lo messages.lo references.lo extended.lo cyrus.lo \
 modify.lo add.lo modrdn.lo delete.lo abandon.lo \
 sasl.lo gssapi.lo sbind.lo unbind.lo cancel.lo \
- filter.lo free.lo sort.lo passwd.lo whoami.lo \
+ filter.lo free.lo sort.lo passwd.lo whoami.lo vc.lo \
 getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \
 request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \
 init.lo options.lo print.lo string.lo util-int.lo schema.lo \
-- 
2.39.5