openldap/servers/slapd/bind.c

367 lines
8.5 KiB
C
Raw Normal View History

1998-08-09 08:43:13 +08:00
/* bind.c - decode an ldap bind operation and pass it to a backend db */
/* $OpenLDAP$ */
1999-08-07 07:07:46 +08:00
/*
* Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
* COPYING RESTRICTIONS APPLY, see COPYRIGHT file
*/
1998-08-09 08:43:13 +08:00
/*
* Copyright (c) 1995 Regents of the University of Michigan.
* All rights reserved.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and that due credit is given
* to the University of Michigan at Ann Arbor. The name of the University
* may not be used to endorse or promote products derived from this
* software without specific prior written permission. This software
* is provided ``as is'' without express or implied warranty.
*/
1998-10-25 09:41:42 +08:00
#include "portable.h"
1998-08-09 08:43:13 +08:00
#include <stdio.h>
1998-10-25 09:41:42 +08:00
#include <ac/string.h>
#include <ac/socket.h>
#include "ldap_pvt.h"
1998-08-09 08:43:13 +08:00
#include "slap.h"
int
1998-08-09 08:43:13 +08:00
do_bind(
Connection *conn,
Operation *op
)
{
BerElement *ber = op->o_ber;
ber_int_t version;
ber_tag_t method;
char *mech;
1999-08-21 03:00:44 +08:00
char *dn;
char *ndn;
ber_tag_t tag;
int rc = LDAP_SUCCESS;
char *text;
1998-08-09 08:43:13 +08:00
struct berval cred;
Backend *be;
Debug( LDAP_DEBUG_TRACE, "do_bind\n", 0, 0, 0 );
dn = NULL;
ndn = NULL;
mech = NULL;
cred.bv_val = NULL;
ldap_pvt_thread_mutex_lock( &conn->c_mutex );
/* Force to connection to "anonymous" until bind succeeds.
* This may need to be relocated or done on a case by case basis
* to handle certain SASL mechanisms.
*/
if ( conn->c_cdn != NULL ) {
free( conn->c_cdn );
conn->c_cdn = NULL;
}
if ( conn->c_dn != NULL ) {
free( conn->c_dn );
conn->c_dn = NULL;
}
conn->c_authz_backend = NULL;
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
if ( op->o_dn != NULL ) {
free( op->o_dn );
op->o_dn = ch_strdup( "" );
}
if ( op->o_ndn != NULL ) {
free( op->o_ndn );
op->o_ndn = ch_strdup( "" );
}
1998-08-09 08:43:13 +08:00
/*
* Parse the bind request. It looks like this:
*
* BindRequest ::= SEQUENCE {
* version INTEGER, -- version
* name DistinguishedName, -- dn
* authentication CHOICE {
* simple [0] OCTET STRING -- passwd
* krbv42ldap [1] OCTET STRING
* krbv42dsa [2] OCTET STRING
* SASL [3] SaslCredentials
1998-08-09 08:43:13 +08:00
* }
* }
*
* SaslCredentials ::= SEQUENCE {
* mechanism LDAPString,
* credentials OCTET STRING OPTIONAL
1998-08-09 08:43:13 +08:00
* }
*/
tag = ber_scanf( ber, "{iat" /*}*/, &version, &dn, &method );
if ( tag == LBER_ERROR ) {
Vienna Bulk Commit This commit includes many changes. All changes compile under NT but have not been tested under UNIX. A Summary of changes (likely incomplete): NT changes: Removed lint. Clean up configuration support for "Debug", "Release", "SDebug", and "SRelease" configurations. Share output directories for clients, libraries, and slapd. (maybe they should be combined further and moved to build/{,S}{Debug,Release}). Enable threading when _MT is defined. Enable debuging when _DEBUG is defined. Disable setting of NDEBUG under Release/SRelease. Asserts are disabled in <ac/assert.h> when LDAP_DEBUG is not defined. Added 'build/main.dsp' Master project. Removed non-slapd projects from slapd.dsp (see main.dsp). Removed replaced many uses of _WIN32 macro with feature based macros. ldap_cdefs.h changes #define LDAP_CONST const (see below) #define LDAP_F(type) LDAP_F_PRE type LDAP_F_POST To allow specifiers to be added before and after the type declaration. (For DLL handling) LBER/LDAP changes Namespace changes: s/lber_/ber_/ for here and there. s/NAME_ERROR/LDAP_NAME_ERROR/g Deleted NULLMSG and other NULL* macros for namespace reasons. "const" libraries. Installed headers (ie: lber.h, ldap.h) use LDAP_CONST macro. Normally set to 'const' when __STDC__. Can be set externally to enable/disable 'constification' of external interface. Internal interface always uses 'const'. Did not fix warnings in -lldif (in lieu of new LDIF parser). Added _ext API implementations (excepting search and bind). Need to implement ldap_int_get_controls() for reponses with controls. Added numberous assert() checks. LDAP_R _MT defines HAVE_NT_THREADS Added numberous assert() checks. Changed ldap_pthread_t back to unsigned long. Used cast to HANDLE in _join(). LDBM Replaced _WIN32 with HAVE_SYSLOG ud Added version string if MKVERSION is not defined. (MKVERSION needs to be set under UNIX). slapd Made connection sockbuf field a pointer to a sockbuf. This removed slap.h dependency on lber-int.h. lber-int.h now only included by those files needing to mess with the sockbuf. Used ber_* functions/macros to access sockbuf internals whenever possible. Added version string if MKVERSION is not defined. (MKVERSION needs to be set under UNIX). Removed FD_SET unsigned lint slapd/tools Used EXEEXT to added ".exe" to routines. Need to define EXEEXT under UNIX. ldappasswd Added ldappasswd.dsp. Ported to NT. Used getpid() to seed rand(). nt_debug Minor cleanup. Added "portable.h" include and used <ac/*.h> where appropriate. Added const to char* format argument.
1999-05-19 09:12:33 +08:00
Debug( LDAP_DEBUG_ANY, "bind: ber_scanf failed\n", 0, 0, 0 );
send_ldap_disconnect( conn, op,
LDAP_PROTOCOL_ERROR, "decoding error" );
rc = -1;
goto cleanup;
1998-08-09 08:43:13 +08:00
}
1999-07-06 07:01:17 +08:00
op->o_protocol = version;
if( method != LDAP_AUTH_SASL ) {
tag = ber_scanf( ber, /*{*/ "o}", &cred );
} else {
tag = ber_scanf( ber, "{a" /*}*/, &mech );
if ( tag != LBER_ERROR ) {
ber_len_t len;
tag = ber_peek_tag( ber, &len );
if ( tag == LDAP_TAG_LDAPCRED ) {
tag = ber_scanf( ber, "o", &cred );
}
if ( tag != LBER_ERROR ) {
tag = ber_scanf( ber, /*{{*/ "}}" );
}
}
}
if ( tag == LBER_ERROR ) {
send_ldap_disconnect( conn, op,
LDAP_PROTOCOL_ERROR,
"decoding error" );
rc = SLAPD_DISCONNECT;
goto cleanup;
}
if( (rc = get_ctrls( conn, op, 1 )) != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "do_bind: get_ctrls failed\n", 0, 0, 0 );
goto cleanup;
}
ndn = ch_strdup( dn );
if ( dn_normalize( ndn ) == NULL ) {
Debug( LDAP_DEBUG_ANY, "bind: invalid dn (%s)\n", dn, 0, 0 );
send_ldap_result( conn, op, rc = LDAP_INVALID_DN_SYNTAX, NULL,
"invalid DN", NULL, NULL );
goto cleanup;
}
if( method == LDAP_AUTH_SASL ) {
Debug( LDAP_DEBUG_TRACE, "do_sasl_bind: dn (%s) mech %s\n",
dn, mech, NULL );
} else {
1999-08-19 08:40:18 +08:00
Debug( LDAP_DEBUG_TRACE, "do_bind: version=%ld dn=\"%s\" method=%ld\n",
(unsigned long) version, dn, (unsigned long) method );
}
Statslog( LDAP_DEBUG_STATS, "conn=%ld op=%d BIND dn=\"%s\" method=%ld\n",
op->o_connid, op->o_opid, ndn, (unsigned long) method, 0 );
1998-08-09 08:43:13 +08:00
if ( version < LDAP_VERSION_MIN || version > LDAP_VERSION_MAX ) {
1999-08-19 08:40:18 +08:00
Debug( LDAP_DEBUG_ANY, "do_bind: unknown version=%ld\n",
(unsigned long) version, 0, 0 );
send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR,
NULL, "version not supported", NULL, NULL );
goto cleanup;
1998-08-09 08:43:13 +08:00
}
if ( method == LDAP_AUTH_SASL ) {
if ( version < LDAP_VERSION3 ) {
1999-08-19 08:40:18 +08:00
Debug( LDAP_DEBUG_ANY, "do_bind: sasl with LDAPv%ld\n",
(unsigned long) version, 0, 0 );
send_ldap_disconnect( conn, op,
LDAP_PROTOCOL_ERROR, "sasl bind requires LDAPv3" );
rc = SLAPD_DISCONNECT;
goto cleanup;
1998-08-09 08:43:13 +08:00
}
if( mech == NULL || *mech == '\0' ) {
Debug( LDAP_DEBUG_ANY,
"do_bind: no sasl mechanism provided\n",
1999-08-19 08:40:18 +08:00
0, 0, 0 );
send_ldap_result( conn, op, rc = LDAP_AUTH_METHOD_NOT_SUPPORTED,
NULL, "no sasl mechanism provided", NULL, NULL );
goto cleanup;
}
if( !charray_inlist( supportedSASLMechanisms, mech ) ) {
Debug( LDAP_DEBUG_ANY,
1999-08-19 08:40:18 +08:00
"do_bind: sasl mechanism=\"%s\" not supported.\n",
mech, 0, 0 );
send_ldap_result( conn, op, rc = LDAP_AUTH_METHOD_NOT_SUPPORTED,
NULL, "sasl mechanism not supported", NULL, NULL );
goto cleanup;
1998-08-09 08:43:13 +08:00
}
ldap_pvt_thread_mutex_lock( &conn->c_mutex );
if ( conn->c_authmech != NULL ) {
assert( conn->c_bind_in_progress );
if((strcmp(conn->c_authmech, mech) != 0)) {
/* mechanism changed, cancel in progress bind */
conn->c_bind_in_progress = 0;
if( conn->c_authstate != NULL ) {
free(conn->c_authstate);
conn->c_authstate = NULL;
}
free(conn->c_authmech);
conn->c_authmech = NULL;
}
#ifdef LDAP_DEBUG
} else {
assert( !conn->c_bind_in_progress );
assert( conn->c_authmech == NULL );
assert( conn->c_authstate == NULL );
#endif
}
} else {
ldap_pvt_thread_mutex_lock( &conn->c_mutex );
if ( conn->c_authmech != NULL ) {
assert( conn->c_bind_in_progress );
/* cancel in progress bind */
conn->c_bind_in_progress = 0;
if( conn->c_authstate != NULL ) {
free(conn->c_authstate);
conn->c_authstate = NULL;
}
free(conn->c_authmech);
conn->c_authmech = NULL;
}
}
conn->c_protocol = version;
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
/* accept null binds */
if ( ndn == NULL || *ndn == '\0' ) {
/*
* we already forced connection to "anonymous", we just
* need to send success
*/
send_ldap_result( conn, op, LDAP_SUCCESS,
NULL, NULL, NULL, NULL );
goto cleanup;
1998-08-09 08:43:13 +08:00
}
/*
* We could be serving multiple database backends. Select the
* appropriate one, or send a referral to our "referral server"
* if we don't hold it.
*/
if ( (be = select_backend( ndn )) == NULL ) {
1998-08-09 08:43:13 +08:00
if ( cred.bv_len == 0 ) {
send_ldap_result( conn, op, LDAP_SUCCESS,
NULL, NULL, NULL, NULL );
} else if ( default_referral ) {
send_ldap_result( conn, op, rc = LDAP_REFERRAL,
NULL, NULL, default_referral, NULL );
1998-08-09 08:43:13 +08:00
} else {
/* noSuchObject is not allowed to be returned by bind */
send_ldap_result( conn, op, rc = LDAP_INVALID_CREDENTIALS,
NULL, NULL, NULL, NULL );
1998-08-09 08:43:13 +08:00
}
goto cleanup;
1998-08-09 08:43:13 +08:00
}
conn->c_authz_backend = be;
/* make sure this backend recongizes critical controls */
rc = backend_check_controls( be, conn, op, &text ) ;
if( rc != LDAP_SUCCESS ) {
send_ldap_result( conn, op, rc,
NULL, text, NULL, NULL );
goto cleanup;
}
if ( be->be_bind ) {
int ret;
/* alias suffix */
char *edn = NULL;
1999-07-28 02:43:30 +08:00
/* deref suffix alias if appropriate */
ndn = suffix_alias( be, ndn );
ret = (*be->be_bind)( be, conn, op, dn, ndn,
method, mech, &cred, &edn );
if ( ret == 0 ) {
#ifdef HAVE_CYRUS_SASL
int ssf = 0;
#endif
ldap_pvt_thread_mutex_lock( &conn->c_mutex );
conn->c_cdn = dn;
dn = NULL;
if(edn != NULL) {
conn->c_dn = edn;
} else {
conn->c_dn = ndn;
ndn = NULL;
}
Debug( LDAP_DEBUG_TRACE, "do_bind: bound \"%s\" to \"%s\"\n",
conn->c_cdn, conn->c_dn, method );
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
1998-08-09 08:43:13 +08:00
/* send this here to avoid a race condition */
send_ldap_result( conn, op, LDAP_SUCCESS,
NULL, NULL, NULL, NULL );
#ifdef HAVE_CYRUS_SASL
if ( conn->c_sasl_context != NULL &&
sasl_getprop( conn->c_sasl_context, SASL_SSF, (void **)&ssf )
== SASL_OK && ssf ) {
/* Enable encode/decode */
ldap_pvt_sasl_install( conn->c_sb, conn->c_sasl_context );
}
#endif
} else if (edn != NULL) {
free( edn );
1998-08-09 08:43:13 +08:00
}
1998-08-09 08:43:13 +08:00
} else {
send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
NULL, "Function not implemented", NULL, NULL );
1998-08-09 08:43:13 +08:00
}
cleanup:
if( dn != NULL ) {
free( dn );
}
if( ndn != NULL ) {
free( ndn );
}
if ( mech != NULL ) {
free( mech );
}
1998-08-09 08:43:13 +08:00
if ( cred.bv_val != NULL ) {
free( cred.bv_val );
}
return rc;
1998-08-09 08:43:13 +08:00
}