mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2024-12-15 03:01:09 +08:00
Code Issues Packages Projects Releases Wiki Activity
366e8fd5ad
openldap/servers/slapd/back-ldbm/bind.c

327 lines
6.9 KiB
C
Raw Normal View History

Initial revision
1998-08-09 08:43:13 +08:00
/* bind.c - ldbm backend bind and unbind routines */
Add copyright notices.
1999-08-07 07:07:46 +08:00
/*
* Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
* COPYING RESTRICTIONS APPLY, see COPYRIGHT file
*/
Initial revision
1998-08-09 08:43:13 +08:00
merged with autoconf branch
1998-10-25 09:41:42 +08:00
#include "portable.h"
Initial revision
1998-08-09 08:43:13 +08:00
#include <stdio.h>
merged with autoconf branch
1998-10-25 09:41:42 +08:00
#include <ac/krb.h>
#include <ac/socket.h>
#include <ac/string.h>
#include <ac/unistd.h>
Initial revision
1998-08-09 08:43:13 +08:00
#include "slap.h"
#include "back-ldbm.h"
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
#include "proto-back-ldbm.h"
LDAPworldP20: Patch for comparing crypt()ed passwords (#ifdef LDAP_CRYPT)
1998-08-09 11:34:35 +08:00
Add basic support for MD5 and SHA1 passwords. SHA1 support is contributed by Daniel J. Gregor <dj@gregor.com> MD5 support is contributed by me <kurt@OpenLDAP.org> Uses public domain MD5 routines Uses ISC/IBM freely redistributable Base64 routines SHA1 support requires external SHA1 routines
1998-09-03 05:31:35 +08:00
#include <lutil.h>
merged with autoconf branch
1998-10-25 09:41:42 +08:00
#ifdef HAVE_KERBEROS
Initial revision
1998-08-09 08:43:13 +08:00
extern int krbv4_ldap_auth();
#endif
LDAPworldP20: Patch for comparing crypt()ed passwords (#ifdef LDAP_CRYPT)
1998-08-09 11:34:35 +08:00
static int
crypted_value_find(
struct berval **vals,
struct berval *v,
int syntax,
int normalize,
struct berval *cred
)
{
int i;
for ( i = 0; vals[i] != NULL; i++ ) {
Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'.
1998-12-01 11:36:37 +08:00
if ( syntax != SYNTAX_BIN ) {
int result;
Fix --disable-crypt and --disable-cleartext mutex declaration should be moved from slapd/main.c to slapd/init.c so we don't have ripple changes through slapd/tools.
1998-12-30 05:45:08 +08:00
#ifdef SLAPD_CRYPT
Use -lldap_r instead of -lldap -lthread. Likely broke things for non-posix threadings.... Update -lldap_r implementation to: remove attribute support hide thread detachment provide concurrency accessors provide initialization function fix gethostby{addr,name}_r codes (not coverred by HAVE_REENTRANT_FUNCTIONS) Update servers/libraries to use ldap_pvt_thread_ calls. Cleanup server codes (no #ifdef HAVE_PTHREAD_THIS or _THATs)! Removed -llthread
1999-01-28 12:34:55 +08:00
ldap_pvt_thread_mutex_lock( &crypt_mutex );
Fix --disable-crypt and --disable-cleartext mutex declaration should be moved from slapd/main.c to slapd/init.c so we don't have ripple changes through slapd/tools.
1998-12-30 05:45:08 +08:00
#endif
Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'.
1998-12-01 11:36:37 +08:00
result = lutil_passwd(
(char*) cred->bv_val,
Modify lutil_passwd to accept a third argument char** methods to specific which methods may be used. This will facilate development of a slapd config directive "passwordMethod ..." to specify which methods should be allowed.
1999-06-30 06:24:53 +08:00
(char*) vals[i]->bv_val,
NULL );
Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'.
1998-12-01 11:36:37 +08:00
Fix --disable-crypt and --disable-cleartext mutex declaration should be moved from slapd/main.c to slapd/init.c so we don't have ripple changes through slapd/tools.
1998-12-30 05:45:08 +08:00
#ifdef SLAPD_CRYPT
Use -lldap_r instead of -lldap -lthread. Likely broke things for non-posix threadings.... Update -lldap_r implementation to: remove attribute support hide thread detachment provide concurrency accessors provide initialization function fix gethostby{addr,name}_r codes (not coverred by HAVE_REENTRANT_FUNCTIONS) Update servers/libraries to use ldap_pvt_thread_ calls. Cleanup server codes (no #ifdef HAVE_PTHREAD_THIS or _THATs)! Removed -llthread
1999-01-28 12:34:55 +08:00
ldap_pvt_thread_mutex_unlock( &crypt_mutex );
Fix --disable-crypt and --disable-cleartext mutex declaration should be moved from slapd/main.c to slapd/init.c so we don't have ripple changes through slapd/tools.
1998-12-30 05:45:08 +08:00
#endif
Update slapd to use lutil_passwd() for both user and root passwords. Remove MD5 and SHA1 options (both are now always on). Rename functions to be lutil_ instead of ldap_. Create --enable-cleartext option. Default is currently 'on'.
1998-12-01 11:36:37 +08:00
return result;
LDAPworldP20: Patch for comparing crypt()ed passwords (#ifdef LDAP_CRYPT)
1998-08-09 11:34:35 +08:00
} else {
if ( value_cmp( vals[i], v, syntax, normalize ) == 0 ) {
return( 0 );
}
}
}
return( 1 );
}
Initial revision
1998-08-09 08:43:13 +08:00
int
ldbm_back_bind(
Backend *be,
Connection *conn,
Operation *op,
char *dn,
int method,
Add framework for sasl and controls.
1999-06-29 11:17:22 +08:00
char *mech,
Update slap_conn to maintain client provided dn and bound dn. Update slap_op to maintain dn and ndn (derived from conn->c_dn). Update ldbm_back_bind to return actual bound dn (including rootdn) for use in slapd_conn. Other backends use client dn. Modify other codes to use ndn (normalized uppercase dn) most everywhere. Aliasing, Suffixing and modrdn could use more work. Applied suffixing to compare and modrdn.
1999-01-19 13:10:50 +08:00
struct berval *cred,
char** edn
Initial revision
1998-08-09 08:43:13 +08:00
)
{
struct ldbminfo *li = (struct ldbminfo *) be->be_private;
Entry *e;
Attribute *a;
int rc;
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
Entry *matched;
merged with autoconf branch
1998-10-25 09:41:42 +08:00
#ifdef HAVE_KERBEROS
Initial revision
1998-08-09 08:43:13 +08:00
char krbname[MAX_K_NAME_SZ + 1];
AUTH_DAT ad;
#endif
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_bind: dn: %s\n", dn, 0, 0);
Update slap_conn to maintain client provided dn and bound dn. Update slap_op to maintain dn and ndn (derived from conn->c_dn). Update ldbm_back_bind to return actual bound dn (including rootdn) for use in slapd_conn. Other backends use client dn. Modify other codes to use ndn (normalized uppercase dn) most everywhere. Aliasing, Suffixing and modrdn could use more work. Applied suffixing to compare and modrdn.
1999-01-19 13:10:50 +08:00
*edn = NULL;
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
/* get entry with reader lock */
if ( (e = dn2entry_r( be, dn, &matched )) == NULL ) {
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
char *matched_dn = NULL;
struct berval **refs = NULL;
if( matched != NULL ) {
matched_dn = ch_strdup( matched->e_dn );
refs = is_entry_referral( matched )
? get_entry_referrals( be, conn, op, matched )
: NULL;
cache_return_entry_r( &li->li_cache, matched );
} else {
refs = default_referral;
}
Initial revision
1998-08-09 08:43:13 +08:00
/* allow noauth binds */
o_dn/o_ndn must not be NULL. Set to "" upon receiving bind request.
1999-07-05 03:37:25 +08:00
rc = 1;
if ( method == LDAP_AUTH_SIMPLE ) {
if( cred->bv_len == 0 ) {
/* SUCCESS */
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
send_ldap_result( conn, op, LDAP_SUCCESS,
NULL, NULL, NULL, NULL );
o_dn/o_ndn must not be NULL. Set to "" upon receiving bind request.
1999-07-05 03:37:25 +08:00
} else if ( be_isroot_pw( be, dn, cred ) ) {
*edn = ch_strdup( be_root_dn( be ) );
rc = 0; /* front end will send result */
} else {
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
send_ldap_result( conn, op, LDAP_REFERRAL,
matched_dn, NULL, refs, NULL );
o_dn/o_ndn must not be NULL. Set to "" upon receiving bind request.
1999-07-05 03:37:25 +08:00
}
} else if ( method == LDAP_AUTH_SASL ) {
Copy LDBM bind "ACL_AUTH" and SASL framework to bdb2.
1999-07-08 02:47:51 +08:00
if( mech != NULL && strcasecmp(mech,"DIGEST-MD5") == 0 ) {
o_dn/o_ndn must not be NULL. Set to "" upon receiving bind request.
1999-07-05 03:37:25 +08:00
/* insert DIGEST calls here */
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
send_ldap_result( conn, op, LDAP_AUTH_METHOD_NOT_SUPPORTED,
NULL, NULL, NULL, NULL );
o_dn/o_ndn must not be NULL. Set to "" upon receiving bind request.
1999-07-05 03:37:25 +08:00
} else {
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
send_ldap_result( conn, op, LDAP_AUTH_METHOD_NOT_SUPPORTED,
NULL, NULL, NULL, NULL );
o_dn/o_ndn must not be NULL. Set to "" upon receiving bind request.
1999-07-05 03:37:25 +08:00
}
Initial revision
1998-08-09 08:43:13 +08:00
} else {
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
send_ldap_result( conn, op, LDAP_REFERRAL,
matched_dn, NULL, refs, NULL );
Initial revision
1998-08-09 08:43:13 +08:00
}
o_dn/o_ndn must not be NULL. Set to "" upon receiving bind request.
1999-07-05 03:37:25 +08:00
Initial revision
1998-08-09 08:43:13 +08:00
if ( matched != NULL ) {
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
ber_bvecfree( refs );
free( matched_dn );
Initial revision
1998-08-09 08:43:13 +08:00
}
return( rc );
}
Update slap_conn to maintain client provided dn and bound dn. Update slap_op to maintain dn and ndn (derived from conn->c_dn). Update ldbm_back_bind to return actual bound dn (including rootdn) for use in slapd_conn. Other backends use client dn. Modify other codes to use ndn (normalized uppercase dn) most everywhere. Aliasing, Suffixing and modrdn could use more work. Applied suffixing to compare and modrdn.
1999-01-19 13:10:50 +08:00
*edn = ch_strdup( e->e_dn );
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
/* check for deleted */
HEADS UP: connections are forced to "anonymous" status upon receiving of a bind request and, upon failure, are left "anonymous." Rework ACL code to hide access testing within macros to facilate additions and eventual redesign. Addition of #ifdef SLAPD_ACLAUTH to conditional include EXPERIMENTAL "auth" access controls. Adds ACL_AUTH "auth" access level (above none, below "compare"). bind requires anonymous access at this level or above access to "entry"/"userPassword"/"krbName". This allows administrators to restrict which entries can be bound to. (This will likely become default behavior after testing has completed).
1999-07-05 02:46:24 +08:00
if ( ! access_allowed( be, conn, op, e,
"entry", NULL, ACL_AUTH ) )
{
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
rc = 1;
goto return_results;
}
if ( is_entry_alias( e ) ) {
/* entry is an alias, don't allow bind */
Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
0, 0 );
send_ldap_result( conn, op, LDAP_ALIAS_PROBLEM,
NULL, NULL, NULL, NULL );
rc = 1;
goto return_results;
}
if ( is_entry_referral( e ) ) {
/* entry is a referral, don't allow bind */
struct berval **refs = get_entry_referrals( be,
conn, op, e );
Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0,
0, 0 );
send_ldap_result( conn, op, LDAP_REFERRAL,
e->e_dn, NULL, refs, NULL );
ber_bvecfree( refs );
HEADS UP: connections are forced to "anonymous" status upon receiving of a bind request and, upon failure, are left "anonymous." Rework ACL code to hide access testing within macros to facilate additions and eventual redesign. Addition of #ifdef SLAPD_ACLAUTH to conditional include EXPERIMENTAL "auth" access controls. Adds ACL_AUTH "auth" access level (above none, below "compare"). bind requires anonymous access at this level or above access to "entry"/"userPassword"/"krbName". This allows administrators to restrict which entries can be bound to. (This will likely become default behavior after testing has completed).
1999-07-05 02:46:24 +08:00
rc = 1;
goto return_results;
}
Initial revision
1998-08-09 08:43:13 +08:00
switch ( method ) {
case LDAP_AUTH_SIMPLE:
if ( cred->bv_len == 0 ) {
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
send_ldap_result( conn, op, LDAP_SUCCESS,
NULL, NULL, NULL, NULL );
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
/* stop front end from sending result */
rc = 1;
goto return_results;
Fix minor memory leak and remove redundant be_isroot_pw() checks. Suggested by Pierangelo Masarati <pmasarati@bci.it> in post to -bugs.
1999-03-02 03:42:06 +08:00
}
/* check for root dn/passwd */
if ( be_isroot_pw( be, dn, cred ) ) {
Initial revision
1998-08-09 08:43:13 +08:00
/* front end will send result */
Annoying little son of a `free' BUG fixed.
1999-03-03 04:14:11 +08:00
if(*edn != NULL) free( *edn );
Update slap_conn to maintain client provided dn and bound dn. Update slap_op to maintain dn and ndn (derived from conn->c_dn). Update ldbm_back_bind to return actual bound dn (including rootdn) for use in slapd_conn. Other backends use client dn. Modify other codes to use ndn (normalized uppercase dn) most everywhere. Aliasing, Suffixing and modrdn could use more work. Applied suffixing to compare and modrdn.
1999-01-19 13:10:50 +08:00
*edn = ch_strdup( be_root_dn( be ) );
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
rc = 0;
goto return_results;
Initial revision
1998-08-09 08:43:13 +08:00
}
HEADS UP: connections are forced to "anonymous" status upon receiving of a bind request and, upon failure, are left "anonymous." Rework ACL code to hide access testing within macros to facilate additions and eventual redesign. Addition of #ifdef SLAPD_ACLAUTH to conditional include EXPERIMENTAL "auth" access controls. Adds ACL_AUTH "auth" access level (above none, below "compare"). bind requires anonymous access at this level or above access to "entry"/"userPassword"/"krbName". This allows administrators to restrict which entries can be bound to. (This will likely become default behavior after testing has completed).
1999-07-05 02:46:24 +08:00
if ( ! access_allowed( be, conn, op, e,
"userpassword", NULL, ACL_AUTH ) )
{
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
HEADS UP: connections are forced to "anonymous" status upon receiving of a bind request and, upon failure, are left "anonymous." Rework ACL code to hide access testing within macros to facilate additions and eventual redesign. Addition of #ifdef SLAPD_ACLAUTH to conditional include EXPERIMENTAL "auth" access controls. Adds ACL_AUTH "auth" access level (above none, below "compare"). bind requires anonymous access at this level or above access to "entry"/"userPassword"/"krbName". This allows administrators to restrict which entries can be bound to. (This will likely become default behavior after testing has completed).
1999-07-05 02:46:24 +08:00
rc = 1;
goto return_results;
}
Initial revision
1998-08-09 08:43:13 +08:00
if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
NULL, NULL, NULL, NULL );
Fix minor memory leak and remove redundant be_isroot_pw() checks. Suggested by Pierangelo Masarati <pmasarati@bci.it> in post to -bugs.
1999-03-02 03:42:06 +08:00
/* stop front end from sending result */
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
rc = 1;
goto return_results;
Initial revision
1998-08-09 08:43:13 +08:00
}
LDAPworldP20: Patch for comparing crypt()ed passwords (#ifdef LDAP_CRYPT)
1998-08-09 11:34:35 +08:00
if ( crypted_value_find( a->a_vals, cred, a->a_syntax, 0, cred ) != 0 )
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
{
Initial revision
1998-08-09 08:43:13 +08:00
send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
NULL, NULL, NULL, NULL );
Fix minor memory leak and remove redundant be_isroot_pw() checks. Suggested by Pierangelo Masarati <pmasarati@bci.it> in post to -bugs.
1999-03-02 03:42:06 +08:00
/* stop front end from sending result */
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
rc = 1;
goto return_results;
Initial revision
1998-08-09 08:43:13 +08:00
}
Fix minor memory leak and remove redundant be_isroot_pw() checks. Suggested by Pierangelo Masarati <pmasarati@bci.it> in post to -bugs.
1999-03-02 03:42:06 +08:00
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
rc = 0;
Initial revision
1998-08-09 08:43:13 +08:00
break;
merged with autoconf branch
1998-10-25 09:41:42 +08:00
#ifdef HAVE_KERBEROS
Initial revision
1998-08-09 08:43:13 +08:00
case LDAP_AUTH_KRBV41:
HEADS UP: connections are forced to "anonymous" status upon receiving of a bind request and, upon failure, are left "anonymous." Rework ACL code to hide access testing within macros to facilate additions and eventual redesign. Addition of #ifdef SLAPD_ACLAUTH to conditional include EXPERIMENTAL "auth" access controls. Adds ACL_AUTH "auth" access level (above none, below "compare"). bind requires anonymous access at this level or above access to "entry"/"userPassword"/"krbName". This allows administrators to restrict which entries can be bound to. (This will likely become default behavior after testing has completed).
1999-07-05 02:46:24 +08:00
if ( ! access_allowed( be, conn, op, e,
"krbname", NULL, ACL_AUTH ) )
{
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
HEADS UP: connections are forced to "anonymous" status upon receiving of a bind request and, upon failure, are left "anonymous." Rework ACL code to hide access testing within macros to facilate additions and eventual redesign. Addition of #ifdef SLAPD_ACLAUTH to conditional include EXPERIMENTAL "auth" access controls. Adds ACL_AUTH "auth" access level (above none, below "compare"). bind requires anonymous access at this level or above access to "entry"/"userPassword"/"krbName". This allows administrators to restrict which entries can be bound to. (This will likely become default behavior after testing has completed).
1999-07-05 02:46:24 +08:00
rc = 1;
goto return_results;
}
unifdef -DSLAPD_ACLGROUPS -DSLAPD_ACLAUTH
1999-07-05 14:26:26 +08:00
Initial revision
1998-08-09 08:43:13 +08:00
if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
NULL, NULL, NULL, NULL );
Copy LDBM bind "ACL_AUTH" and SASL framework to bdb2.
1999-07-08 02:47:51 +08:00
rc = 1;
goto return_results;
}
if ( ! access_allowed( be, conn, op, e,
"krbname", NULL, ACL_AUTH ) )
{
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
Copy LDBM bind "ACL_AUTH" and SASL framework to bdb2.
1999-07-08 02:47:51 +08:00
rc = 1;
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
goto return_results;
Initial revision
1998-08-09 08:43:13 +08:00
}
unifdef -DSLAPD_ACLGROUPS -DSLAPD_ACLAUTH
1999-07-05 14:26:26 +08:00
Initial revision
1998-08-09 08:43:13 +08:00
sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
: "", ad.pinst, ad.prealm );
unifdef -DSLAPD_ACLGROUPS -DSLAPD_ACLAUTH
1999-07-05 14:26:26 +08:00
Copy LDBM bind "ACL_AUTH" and SASL framework to bdb2.
1999-07-08 02:47:51 +08:00
Initial revision
1998-08-09 08:43:13 +08:00
if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
/*
* no krbName values present: check against DN
*/
if ( strcasecmp( dn, krbname ) == 0 ) {
HEADS UP: connections are forced to "anonymous" status upon receiving of a bind request and, upon failure, are left "anonymous." Rework ACL code to hide access testing within macros to facilate additions and eventual redesign. Addition of #ifdef SLAPD_ACLAUTH to conditional include EXPERIMENTAL "auth" access controls. Adds ACL_AUTH "auth" access level (above none, below "compare"). bind requires anonymous access at this level or above access to "entry"/"userPassword"/"krbName". This allows administrators to restrict which entries can be bound to. (This will likely become default behavior after testing has completed).
1999-07-05 02:46:24 +08:00
rc = 0;
Initial revision
1998-08-09 08:43:13 +08:00
break;
}
send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
NULL, NULL, NULL, NULL );
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
rc = 1;
goto return_results;
Fix minor memory leak and remove redundant be_isroot_pw() checks. Suggested by Pierangelo Masarati <pmasarati@bci.it> in post to -bugs.
1999-03-02 03:42:06 +08:00
Initial revision
1998-08-09 08:43:13 +08:00
} else { /* look for krbName match */
struct berval krbval;
krbval.bv_val = krbname;
krbval.bv_len = strlen( krbname );
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
if ( value_find( a->a_vals, &krbval, a->a_syntax, 3 ) != 0 ) {
Initial revision
1998-08-09 08:43:13 +08:00
send_ldap_result( conn, op,
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
LDAP_INVALID_CREDENTIALS,
NULL, NULL, NULL, NULL );
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
rc = 1;
goto return_results;
Initial revision
1998-08-09 08:43:13 +08:00
}
}
Add rc=0 fix as suggested by Tobias Reber <t.reber@dkfz-heidelberg.de> in ITS#17.
1998-12-23 01:04:34 +08:00
rc = 0;
Initial revision
1998-08-09 08:43:13 +08:00
break;
case LDAP_AUTH_KRBV42:
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
send_ldap_result( conn, op, LDAP_SUCCESS,
NULL, NULL, NULL, NULL );
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
/* stop front end from sending result */
rc = 1;
goto return_results;
Initial revision
1998-08-09 08:43:13 +08:00
#endif
Copy LDBM bind "ACL_AUTH" and SASL framework to bdb2.
1999-07-08 02:47:51 +08:00
case LDAP_AUTH_SASL:
/* insert SASL code here */
Initial revision
1998-08-09 08:43:13 +08:00
default:
send_ldap_result( conn, op, LDAP_STRONG_AUTH_NOT_SUPPORTED,
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
NULL, "auth method not supported", NULL, NULL );
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
rc = 1;
goto return_results;
Initial revision
1998-08-09 08:43:13 +08:00
}
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
return_results:;
/* free entry and reader lock */
cache_return_entry_r( &li->li_cache, e );
Initial revision
1998-08-09 08:43:13 +08:00
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
/* front end with send result on success (rc==0) */
return( rc );
Initial revision
1998-08-09 08:43:13 +08:00
}
Merged in per cache entry reader/writer locks from OPENLDAP_DEVEL_THREAD
1998-09-21 04:22:46 +08:00
Reference in New Issue Copy Permalink