openldap/servers/lloadd/bind.c

335 lines
10 KiB
C
Raw Normal View History

2017-03-29 01:40:20 +08:00
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2020 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP
* Public License.
*
* A copy of this license is available in the file LICENSE in the
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
#include "portable.h"
#include <ac/socket.h>
#include <ac/errno.h>
#include <ac/string.h>
#include <ac/time.h>
#include <ac/unistd.h>
#include "lutil.h"
#include "slap.h"
2017-04-14 16:36:42 +08:00
/*
2017-04-21 18:07:43 +08:00
* On entering the function, we've put a reference on both connections and hold
* upstream's c_io_mutex.
2017-04-14 16:36:42 +08:00
*/
2017-03-29 01:40:20 +08:00
static int
2017-09-27 18:01:17 +08:00
client_bind( Operation *op )
2017-03-29 01:40:20 +08:00
{
2017-04-14 16:36:42 +08:00
Connection *client = op->o_client, *upstream = op->o_upstream;
2017-03-29 01:40:20 +08:00
BerElement *ber, *copy = NULL;
BerValue binddn;
ber_tag_t tag;
ber_int_t version;
2017-04-14 16:36:42 +08:00
ber = upstream->c_pendingber;
2017-03-29 01:40:20 +08:00
if ( ber == NULL && (ber = ber_alloc()) == NULL ) {
Debug( LDAP_DEBUG_ANY, "request_bind: "
"ber_alloc failed\n" );
goto fail;
}
2017-04-14 16:36:42 +08:00
upstream->c_pendingber = ber;
2017-03-29 01:40:20 +08:00
if ( (copy = ber_alloc()) == NULL ) {
goto fail;
}
ber_init2( copy, &op->o_request, 0 );
tag = ber_get_int( copy, &version );
if ( tag == LBER_ERROR ) {
2017-06-30 17:10:21 +08:00
Debug( LDAP_DEBUG_PACKETS, "request_bind: "
"failed to parse version field\n" );
2017-03-29 01:40:20 +08:00
goto fail;
} else if ( version != LDAP_VERSION3 ) {
2017-04-14 16:36:42 +08:00
ldap_pvt_thread_mutex_unlock( &upstream->c_io_mutex );
2017-03-29 01:40:20 +08:00
operation_send_reject(
op, LDAP_PROTOCOL_ERROR, "LDAP version unsupported", 1 );
2017-03-29 01:40:20 +08:00
ber_free( copy, 0 );
return 0;
}
tag = ber_get_stringbv( copy, &binddn, LBER_BV_NOTERM );
if ( tag == LBER_ERROR ) {
2017-06-30 17:10:21 +08:00
Debug( LDAP_DEBUG_PACKETS, "request_bind: "
"failed to parse bind name field\n" );
2017-03-29 01:40:20 +08:00
goto fail;
}
2017-04-21 18:07:43 +08:00
CONNECTION_LOCK(client);
2017-04-14 16:36:42 +08:00
if ( !BER_BVISNULL( &client->c_auth ) ) {
ch_free( client->c_auth.bv_val );
2017-03-29 01:40:20 +08:00
}
if ( !BER_BVISEMPTY( &binddn ) ) {
char *ptr;
2017-04-14 16:36:42 +08:00
client->c_auth.bv_len = STRLENOF("dn:") + binddn.bv_len;
client->c_auth.bv_val = ch_malloc( client->c_auth.bv_len + 1 );
2017-03-29 01:40:20 +08:00
2017-04-14 16:36:42 +08:00
ptr = lutil_strcopy( client->c_auth.bv_val, "dn:" );
2017-03-29 01:40:20 +08:00
ptr = lutil_strncopy( ptr, binddn.bv_val, binddn.bv_len );
*ptr = '\0';
} else {
2017-04-14 16:36:42 +08:00
BER_BVZERO( &client->c_auth );
2017-03-29 01:40:20 +08:00
}
2017-04-21 18:07:43 +08:00
CONNECTION_UNLOCK(client);
2017-03-29 01:40:20 +08:00
2017-04-21 18:07:43 +08:00
CONNECTION_LOCK(upstream);
2017-04-14 16:36:42 +08:00
op->o_upstream_msgid = upstream->c_next_msgid++;
2017-03-29 01:40:20 +08:00
ber_printf( ber, "t{titOtO}", LDAP_TAG_MESSAGE,
LDAP_TAG_MSGID, op->o_upstream_msgid,
LDAP_REQ_BIND, &op->o_request,
LDAP_TAG_CONTROLS, BER_BV_OPTIONAL( &op->o_ctrls ) );
Debug( LDAP_DEBUG_TRACE, "request_bind: "
2017-06-20 20:00:31 +08:00
"added bind from client connid=%lu to upstream connid=%lu "
"as msgid=%d\n",
op->o_client_connid, op->o_upstream_connid, op->o_upstream_msgid );
2017-04-14 16:36:42 +08:00
if ( tavl_insert( &upstream->c_ops, op, operation_upstream_cmp,
avl_dup_error ) ) {
2017-03-29 01:40:20 +08:00
assert(0);
}
2017-09-28 17:13:24 +08:00
upstream->c_state = LLOAD_C_ACTIVE;
2017-04-21 18:07:43 +08:00
CONNECTION_UNLOCK(upstream);
2017-03-29 01:40:20 +08:00
2017-04-14 16:36:42 +08:00
ldap_pvt_thread_mutex_unlock( &upstream->c_io_mutex );
2017-03-29 01:40:20 +08:00
ber_free( copy, 0 );
2017-09-22 17:24:52 +08:00
connection_write_cb( -1, 0, upstream );
2017-03-29 01:40:20 +08:00
return 0;
fail:
if ( copy ) {
ber_free( copy, 0 );
}
2017-04-14 16:36:42 +08:00
ldap_pvt_thread_mutex_unlock( &upstream->c_io_mutex );
2017-07-03 23:37:35 +08:00
Debug( LDAP_DEBUG_STATS, "request_bind: "
"connid=%lu bind request processing failed, closing\n",
client->c_connid );
2017-03-29 01:40:20 +08:00
return 1;
}
#ifdef LDAP_API_FEATURE_VERIFY_CREDENTIALS
2017-04-14 16:36:42 +08:00
/*
2017-04-21 18:07:43 +08:00
* On entering the function, we've put a reference on both connections and hold
* upstream's c_io_mutex.
2017-04-14 16:36:42 +08:00
*/
2017-03-29 01:40:20 +08:00
static int
2017-09-27 18:01:17 +08:00
client_bind_as_vc( Operation *op )
2017-03-29 01:40:20 +08:00
{
2017-04-14 16:36:42 +08:00
Connection *client = op->o_client, *upstream = op->o_upstream;
2017-03-29 01:40:20 +08:00
BerElement *ber, *request, *copy = NULL;
BerValue binddn, auth, mech;
2017-04-14 16:40:44 +08:00
char *msg = "internal error";
int result = LDAP_OTHER;
2017-03-29 01:40:20 +08:00
ber_int_t version;
ber_tag_t tag;
ber_len_t len;
if ( (request = ber_alloc()) == NULL ) {
goto fail;
}
ber_init2( request, &op->o_request, 0 );
tag = ber_scanf( request, "im", &version, &binddn );
if ( tag == LBER_ERROR || version != LDAP_VERSION3 ) {
2017-04-14 16:40:44 +08:00
result = LDAP_PROTOCOL_ERROR;
msg = "version not recognised";
2017-03-29 01:40:20 +08:00
goto fail;
}
copy = ber_dup( request );
if ( !copy ) {
goto fail;
}
tag = ber_skip_element( request, &auth );
if ( tag == LBER_ERROR ) {
2017-04-14 16:40:44 +08:00
result = LDAP_PROTOCOL_ERROR;
msg = "malformed bind request";
2017-03-29 01:40:20 +08:00
goto fail;
}
2017-04-14 16:36:42 +08:00
ber = upstream->c_pendingber;
2017-03-29 01:40:20 +08:00
if ( ber == NULL && (ber = ber_alloc()) == NULL ) {
Debug( LDAP_DEBUG_ANY, "request_bind_as_vc: "
"ber_alloc failed\n" );
goto fail;
}
2017-04-14 16:36:42 +08:00
upstream->c_pendingber = ber;
2017-03-29 01:40:20 +08:00
2017-04-14 16:36:42 +08:00
op->o_upstream_msgid = upstream->c_next_msgid++;
2017-03-29 01:40:20 +08:00
2017-04-21 18:07:43 +08:00
CONNECTION_LOCK(upstream);
2017-03-29 01:40:20 +08:00
ber_printf( ber, "t{tit{tst{{tOOtOtO}}}}", LDAP_TAG_MESSAGE,
LDAP_TAG_MSGID, op->o_upstream_msgid,
LDAP_REQ_EXTENDED,
LDAP_TAG_EXOP_REQ_OID, LDAP_EXOP_VERIFY_CREDENTIALS,
LDAP_TAG_EXOP_REQ_VALUE,
2017-04-14 16:36:42 +08:00
LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE, BER_BV_OPTIONAL( &upstream->c_vc_cookie ),
2017-03-29 01:40:20 +08:00
&binddn, tag, &auth,
LDAP_TAG_EXOP_VERIFY_CREDENTIALS_CONTROLS, BER_BV_OPTIONAL( &op->o_ctrls ) );
2017-04-21 18:07:43 +08:00
CONNECTION_UNLOCK(upstream);
2017-03-29 01:40:20 +08:00
tag = ber_peek_tag( copy, &len );
switch ( tag ) {
case LDAP_AUTH_SASL:
ber_get_stringbv( copy, &mech, LBER_BV_NOTERM );
2017-04-14 16:36:42 +08:00
2017-04-21 18:07:43 +08:00
CONNECTION_LOCK(client);
2017-04-14 16:36:42 +08:00
if ( ber_bvcmp( &mech, &client->c_sasl_bind_mech ) ) {
ber_memfree( client->c_sasl_bind_mech.bv_val );
ber_dupbv( &client->c_sasl_bind_mech, &mech );
2017-03-29 01:40:20 +08:00
}
2017-04-21 18:07:43 +08:00
CONNECTION_UNLOCK(client);
2017-03-29 01:40:20 +08:00
/* TODO: extract authzdn from the message */
break;
case LDAP_AUTH_SIMPLE:
2017-04-21 18:07:43 +08:00
CONNECTION_LOCK(client);
2017-04-14 16:36:42 +08:00
if ( !BER_BVISNULL( &client->c_auth ) ) {
ch_free( client->c_auth.bv_val );
2017-03-29 01:40:20 +08:00
}
2017-04-04 22:11:48 +08:00
if ( !BER_BVISEMPTY( &binddn ) ) {
char *ptr;
2017-04-14 16:36:42 +08:00
client->c_auth.bv_len = STRLENOF("dn:") + binddn.bv_len;
client->c_auth.bv_val = ch_malloc( client->c_auth.bv_len + 1 );
2017-04-04 22:11:48 +08:00
2017-04-14 16:36:42 +08:00
ptr = lutil_strcopy( client->c_auth.bv_val, "dn:" );
2017-04-04 22:11:48 +08:00
ptr = lutil_strncopy( ptr, binddn.bv_val, binddn.bv_len );
*ptr = '\0';
} else {
2017-04-14 16:36:42 +08:00
BER_BVZERO( &client->c_auth );
2017-04-04 22:11:48 +08:00
}
2017-04-14 16:36:42 +08:00
if ( !BER_BVISNULL( &client->c_sasl_bind_mech ) ) {
ber_memfree( client->c_sasl_bind_mech.bv_val );
BER_BVZERO( &client->c_sasl_bind_mech );
2017-03-29 01:40:20 +08:00
}
2017-04-21 18:07:43 +08:00
CONNECTION_UNLOCK(client);
2017-03-29 01:40:20 +08:00
break;
default:
2017-04-14 16:40:44 +08:00
result = LDAP_PROTOCOL_ERROR;
msg = "malformed bind request";
2017-03-29 01:40:20 +08:00
goto fail;
}
2017-04-14 16:36:42 +08:00
2017-04-21 18:07:43 +08:00
CONNECTION_LOCK(upstream);
Debug( LDAP_DEBUG_TRACE, "request_bind_as_vc: "
2017-06-20 20:00:31 +08:00
"added bind from client connid=%lu to upstream connid=%lu "
"as VC exop msgid=%d\n",
op->o_client_connid, op->o_upstream_connid, op->o_upstream_msgid );
2017-04-14 16:36:42 +08:00
if ( tavl_insert( &upstream->c_ops, op, operation_upstream_cmp,
avl_dup_error ) ) {
2017-03-29 01:40:20 +08:00
assert(0);
}
2017-04-21 18:07:43 +08:00
CONNECTION_UNLOCK(upstream);
2017-03-29 01:40:20 +08:00
2017-04-14 16:36:42 +08:00
ldap_pvt_thread_mutex_unlock( &upstream->c_io_mutex );
2017-03-29 01:40:20 +08:00
ber_free( copy, 0 );
2017-09-22 17:24:52 +08:00
connection_write_cb( -1, 0, upstream );
2017-04-21 18:07:43 +08:00
2017-03-29 01:40:20 +08:00
return 0;
fail:
if ( copy ) {
ber_free( copy, 0 );
}
2017-04-14 16:36:42 +08:00
ldap_pvt_thread_mutex_unlock( &upstream->c_io_mutex );
2017-07-03 23:37:35 +08:00
Debug( LDAP_DEBUG_STATS, "request_bind_as_vc: "
"connid=%lu bind request processing failed, closing\n",
client->c_connid );
2017-04-14 16:40:44 +08:00
operation_send_reject( op, result, msg, 1 );
2017-03-29 01:40:20 +08:00
return 1;
}
#endif /* LDAP_API_FEATURE_VERIFY_CREDENTIALS */
2017-03-29 01:40:20 +08:00
int
2017-09-27 18:01:17 +08:00
request_bind( Connection *client, Operation *op )
2017-03-29 01:40:20 +08:00
{
Connection *upstream;
int rc = LDAP_SUCCESS;
2017-03-29 01:40:20 +08:00
/* protect the Bind operation */
2017-05-03 18:31:40 +08:00
op->o_client_refcnt++;
tavl_delete( &client->c_ops, op, operation_client_cmp );
2017-04-21 18:07:43 +08:00
client_reset( client );
2017-09-28 17:13:24 +08:00
client->c_state = LLOAD_C_BINDING;
client->c_type = LLOAD_C_OPEN;
rc = tavl_insert( &client->c_ops, op, operation_client_cmp, avl_dup_error );
assert( rc == LDAP_SUCCESS );
CONNECTION_UNLOCK_INCREF(client);
2017-03-29 01:40:20 +08:00
upstream = backend_select( op );
if ( !upstream ) {
Debug( LDAP_DEBUG_STATS, "client_bind: "
2017-05-18 23:48:12 +08:00
"connid=%lu, msgid=%d no available connection found\n",
op->o_client_connid, op->o_client_msgid );
2017-03-29 01:40:20 +08:00
operation_send_reject(
op, LDAP_UNAVAILABLE, "no connections available", 1 );
2017-04-21 18:07:43 +08:00
CONNECTION_LOCK_DECREF(client);
2017-05-03 18:31:40 +08:00
op->o_client_refcnt--;
operation_destroy_from_client( op );
return rc;
2017-03-29 01:40:20 +08:00
}
op->o_upstream = upstream;
op->o_upstream_connid = upstream->c_connid;
#ifdef LDAP_API_FEATURE_VERIFY_CREDENTIALS
2017-04-04 22:09:45 +08:00
if ( lload_features & LLOAD_FEATURE_VC ) {
2017-09-27 18:01:17 +08:00
rc = client_bind_as_vc( op );
} else
#endif /* LDAP_API_FEATURE_VERIFY_CREDENTIALS */
{
2017-09-27 18:01:17 +08:00
rc = client_bind( op );
2017-03-29 01:40:20 +08:00
}
2017-04-21 18:07:43 +08:00
CONNECTION_LOCK_DECREF(upstream);
2017-09-22 17:24:52 +08:00
CONNECTION_UNLOCK_OR_DESTROY(upstream);
2017-04-21 18:07:43 +08:00
CONNECTION_LOCK_DECREF(client);
2017-03-29 01:40:20 +08:00
if ( rc ) {
2017-05-03 18:31:40 +08:00
op->o_client_refcnt--;
operation_destroy_from_client( op );
2017-09-22 17:24:52 +08:00
CONNECTION_DESTROY(client);
return -1;
2017-03-29 01:40:20 +08:00
}
2017-05-03 18:31:40 +08:00
if ( !--op->o_client_refcnt ) {
operation_destroy_from_client( op );
2017-09-28 17:13:24 +08:00
if ( client->c_state == LLOAD_C_BINDING ) {
client->c_state = LLOAD_C_READY;
client->c_type = LLOAD_C_OPEN;
if ( !BER_BVISNULL( &client->c_auth ) ) {
ber_memfree( client->c_auth.bv_val );
BER_BVZERO( &client->c_auth );
}
if ( !BER_BVISNULL( &client->c_sasl_bind_mech ) ) {
ber_memfree( client->c_sasl_bind_mech.bv_val );
BER_BVZERO( &client->c_sasl_bind_mech );
}
}
2017-05-03 18:31:40 +08:00
}
2017-03-29 01:40:20 +08:00
return rc;
2017-03-29 01:40:20 +08:00
}