LDAP "Verify Credentials" operation

Client library implementation only
2025-01-18 11:05:48 +08:00 · 2010-12-14 20:58:02 +00:00 · 2010-12-14 20:58:02 +00:00 · d3b51f2614
commit d3b51f2614
parent 2be415a0dd
4 changed files with 195 additions and 4 deletions
--- a/include/ldap.h
+++ b/include/ldap.h
@ -385,6 +385,11 @@ typedef struct ldapcontrol {
 #define	LDAP_TAG_EXOP_REFRESH_REQ_TTL	((ber_tag_t) 0x81U)
 #define	LDAP_TAG_EXOP_REFRESH_RES_TTL	((ber_tag_t) 0x80U)

+#define LDAP_EXOP_VERIFY_CREDENTIALS	"1.1.1"
+#define LDAP_EXOP_X_VERIFY_CREDENTIALS	LDAP_EXOP_X_VERIFY_CREDENTIALS
+
+#define LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE	((ber_tag_t) 0x80U)
+
 #define LDAP_EXOP_WHO_AM_I		"1.3.6.1.4.1.4203.1.11.3"		/* RFC 4532 */
 #define LDAP_EXOP_X_WHO_AM_I	LDAP_EXOP_WHO_AM_I

@ -2214,6 +2219,42 @@ ldap_parse_vlvresponse_control LDAP_P((
 	struct berval **contextp,
 	int           *errcodep ));

+/*
+ * LDAP Verify Credentials
+ */
+#define LDAP_API_FEATURE_VERIFY_CREDENTIALS 1000
+
+LDAP_F( int )
+ldap_verify_credentials LDAP_P((
+	LDAP		*ld,
+	struct berval	*cookie,
+	LDAP_CONST char	*dn,
+	LDAP_CONST char	*mechanism,
+	struct berval	*cred,
+	LDAPControl	**serverctrls,
+	LDAPControl	**clientctrls,
+	int		*msgidp ));
+
+LDAP_F( int )
+ldap_verify_credentials_s LDAP_P((
+	LDAP		*ld,
+	struct berval	*cookie,
+	LDAP_CONST char	*dn,
+	LDAP_CONST char	*mechanism,
+	struct berval	*cred,
+	LDAPControl	**serverctrls,
+	LDAPControl	**clientctrls,
+	struct berval	**servercredp,
+	struct berval	**authzid ));
+
+LDAP_F( int )
+ldap_parse_verify_credentials_result LDAP_P((
+	LDAP		*ld,
+	LDAPMessage	*res,
+	struct berval	**cookie,
+	struct berval	**servercredp,
+	struct berval	**authzid));
+
 /*
 * LDAP Who Am I?
 *	in whoami.c
--- a/libraries/libldap/Makefile.in
+++ b/libraries/libldap/Makefile.in
@ -21,7 +21,7 @@ SRCS	= bind.c open.c result.c error.c compare.c search.c \
 	controls.c messages.c references.c extended.c cyrus.c \
 	modify.c add.c modrdn.c delete.c abandon.c \
 	sasl.c gssapi.c sbind.c unbind.c cancel.c  \
-	filter.c free.c sort.c passwd.c whoami.c \
+	filter.c free.c sort.c passwd.c whoami.c vc.c \
 	getdn.c getentry.c getattr.c getvalues.c addentry.c \
 	request.c os-ip.c url.c pagectrl.c sortctrl.c vlvctrl.c \
 	init.c options.c print.c string.c util-int.c schema.c \
@ -34,7 +34,7 @@ OBJS	= bind.lo open.lo result.lo error.lo compare.lo search.lo \
 	controls.lo messages.lo references.lo extended.lo cyrus.lo \
 	modify.lo add.lo modrdn.lo delete.lo abandon.lo \
 	sasl.lo gssapi.lo sbind.lo unbind.lo cancel.lo \
-	filter.lo free.lo sort.lo passwd.lo whoami.lo \
+	filter.lo free.lo sort.lo passwd.lo whoami.lo vc.lo \
 	getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \
 	request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \
 	init.lo options.lo print.lo string.lo util-int.lo schema.lo \
--- a/libraries/libldap/vc.c
+++ b/libraries/libldap/vc.c
@ -0,0 +1,150 @@
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1998-2010 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This program was orignally developed by Kurt D. Zeilenga for inclusion in
+ * OpenLDAP Software.
+ */
+
+#include "portable.h"
+
+#include <stdio.h>
+#include <ac/stdlib.h>
+#include <ac/string.h>
+#include <ac/time.h>
+
+#include "ldap-int.h"
+
+/*
+ * LDAP Verify Credentials
+ */
+
+int ldap_parse_verify_credentials(
+	LDAP *ld,
+	LDAPMessage *res,
+	struct berval **servercred,
+	struct berval **authzid )
+{
+	int rc;
+	char *retoid = NULL;
+	struct berval *reqdata = NULL;
+
+	assert( ld != NULL );
+	assert( LDAP_VALID( ld ) );
+	assert( res != NULL );
+	assert( authzid != NULL );
+
+	*authzid = NULL;
+
+	rc = ldap_parse_extended_result( ld, res, &retoid, &reqdata, 0 );
+
+	if( rc != LDAP_SUCCESS ) {
+		ldap_perror( ld, "ldap_parse_whoami" );
+		return rc;
+	}
+
+	ber_memfree( retoid );
+	return rc;
+}
+
+int
+ldap_verify_credentials( LDAP *ld,
+        struct berval   *cookie,
+        LDAP_CONST char *dn,
+        LDAP_CONST char *mechanism,
+        struct berval   *cred,
+	LDAPControl	**sctrls,
+	LDAPControl	**cctrls,
+	int		*msgidp )
+{
+	int rc;
+	BerElement *ber;
+	struct berval * reqdata;
+
+	assert(ld != NULL);
+	assert(LDAP_VALID(ld));
+	assert(msgidp != NULL);
+
+	ber = ber_alloc_t(LBER_USE_DER);
+	ber_printf(ber, "{");
+	if (dn == NULL) dn = "";
+
+	if (mechanism == LDAP_SASL_SIMPLE) {
+	    assert(!cookie);
+
+	    rc = ber_printf(ber, "{istON}",
+		3, dn, LDAP_AUTH_SIMPLE, cred);
+
+	} else {
+	    if (!cred || BER_BVISNULL(cred)) {
+		if (cookie) {
+	            rc = ber_printf(ber, "{t0ist{sN}N}",
+			LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE, cookie,
+		        3, dn, LDAP_AUTH_SASL, mechanism);
+		} else {
+	            rc = ber_printf(ber, "{ist{sN}N}",
+		        3, dn, LDAP_AUTH_SASL, mechanism);
+		}
+	    } else {
+		if (cookie) {
+	            rc = ber_printf(ber, "{tOist{sON}N}",
+			LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE, cookie,
+		        3, dn, LDAP_AUTH_SASL, mechanism, cred);
+		} else {
+	            rc = ber_printf(ber, "{ist{sON}N}",
+		        3, dn, LDAP_AUTH_SASL, mechanism, cred);
+		}
+	    }
+	}
+
+	ber_flatten(ber, &reqdata);
+
+	rc = ldap_extended_operation(ld, LDAP_EXOP_VERIFY_CREDENTIALS,
+	    reqdata, sctrls, cctrls, msgidp);
+
+	ber_free(ber, 1);
+	return rc;
+}
+
+int
+ldap_verify_credentials_s(
+	LDAP *ld,
+        struct berval   *cookie,
+        LDAP_CONST char *dn,
+        LDAP_CONST char *mechanism,
+        struct berval   *cred,
+	LDAPControl	**sctrls,
+	LDAPControl	**cctrls,
+	struct berval	**scred,
+	struct berval	**authzid)
+{
+	int		rc;
+	int		msgid;
+	LDAPMessage	*res;
+
+	rc = ldap_verify_credentials(ld, cookie, dn, mechanism, cred, sctrls, cctrls, &msgid);
+	if (rc != LDAP_SUCCESS) return rc;
+
+	if (ldap_result(ld, msgid, LDAP_MSG_ALL, (struct timeval *) NULL, &res) == -1 || !res) {
+		return ld->ld_errno;
+	}
+
+	rc = ldap_parse_verify_credentials(ld, res, scred, authzid);
+	if (rc != LDAP_SUCCESS) {
+		ldap_msgfree(res);
+		return rc;
+	}
+
+	return( ldap_result2error(ld, res, 1));
+}
--- a/libraries/libldap_r/Makefile.in
+++ b/libraries/libldap_r/Makefile.in
@ -23,7 +23,7 @@ XXSRCS    = apitest.c test.c \
 	controls.c messages.c references.c extended.c cyrus.c \
 	modify.c add.c modrdn.c delete.c abandon.c \
 	sasl.c gssapi.c sbind.c unbind.c cancel.c \
-	filter.c free.c sort.c passwd.c whoami.c \
+	filter.c free.c sort.c passwd.c whoami.c vc.c \
 	getdn.c getentry.c getattr.c getvalues.c addentry.c \
 	request.c os-ip.c url.c pagectrl.c sortctrl.c vlvctrl.c \
 	init.c options.c print.c string.c util-int.c schema.c \
@ -41,7 +41,7 @@ OBJS	= threads.lo rdwr.lo rmutex.lo tpool.lo  rq.lo \
 	controls.lo messages.lo references.lo extended.lo cyrus.lo \
 	modify.lo add.lo modrdn.lo delete.lo abandon.lo \
 	sasl.lo gssapi.lo sbind.lo unbind.lo cancel.lo \
-	filter.lo free.lo sort.lo passwd.lo whoami.lo \
+	filter.lo free.lo sort.lo passwd.lo whoami.lo vc.lo \
 	getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \
 	request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \
 	init.lo options.lo print.lo string.lo util-int.lo schema.lo \