/* * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file * * Copyright 2001, Pierangelo Masarati, All rights reserved. * * This work has been developed to fulfill the requirements * of SysNet s.n.c. and it has been donated * to the OpenLDAP Foundation in the hope that it may be useful * to the Open Source community, but WITHOUT ANY WARRANTY. * * Permission is granted to anyone to use this software for any purpose * on any computer system, and to alter it and redistribute it, subject * to the following restrictions: * * 1. The author and SysNet s.n.c. are not responsible for the consequences * of use of this software, no matter how awful, even if they arise from * flaws in it. * * 2. The origin of this software must not be misrepresented, either by * explicit claim or by omission. Since few users ever read sources, * credits should appear in the documentation. * * 3. Altered versions must be plainly marked as such, and must not be * misrepresented as being the original software. Since few users * ever read sources, credits should appear in the documentation. * SysNet s.n.c. cannot be responsible for the consequences of the * alterations. * * 4. This notice may not be removed or altered. * * * This software is based on the backend back-ldap, implemented * by Howard Chu , and modified by Mark Valence * , Pierangelo Masarati and other * contributors. The contribution of the original software to the present * implementation is acknowledged in this copyright statement. * * A special acknowledgement goes to Howard for the overall architecture * (and for borrowing large pieces of code), and to Mark, who implemented * from scratch the attribute/objectclass mapping. * * The original copyright statement follows. * * Copyright 1999, Howard Chu, All rights reserved. * * Permission is granted to anyone to use this software for any purpose * on any computer system, and to alter it and redistribute it, subject * to the following restrictions: * * 1. The author is not responsible for the consequences of use of this * software, no matter how awful, even if they arise from flaws in it. * * 2. The origin of this software must not be misrepresented, either by * explicit claim or by omission. Since few users ever read sources, * credits should appear in the documentation. * * 3. Altered versions must be plainly marked as such, and must not be * misrepresented as being the original software. Since few users * ever read sources, credits should appear in the * documentation. * * 4. This notice may not be removed or altered. * */ #include "portable.h" #include #include #include #define AVL_INTERNAL #include "slap.h" #include "../back-ldap/back-ldap.h" #include "back-meta.h" static LDAP_REBIND_PROC meta_back_rebind; static int meta_back_do_single_bind( struct metainfo *li, struct metaconn *lc, Operation *op, struct berval *dn, struct berval *ndn, struct berval *cred, int method, int candidate ); int meta_back_bind( Backend *be, Connection *conn, Operation *op, struct berval *dn, struct berval *ndn, int method, struct berval *cred, struct berval *edn ) { struct metainfo *li = ( struct metainfo * )be->be_private; struct metaconn *lc; int rc = -1, i, gotit = 0, ndnlen, isroot = 0; int op_type = META_OP_ALLOW_MULTIPLE; int err = LDAP_SUCCESS; struct berval *realdn = dn; struct berval *realndn = ndn; struct berval *realcred = cred; int realmethod = method; #ifdef NEW_LOGGING LDAP_LOG( BACK_META, ENTRY, "meta_back_bind: dn: %s.\n", dn->bv_val, 0, 0 ); #else /* !NEW_LOGGING */ Debug( LDAP_DEBUG_ARGS, "meta_back_bind: dn: %s.\n%s%s", dn->bv_val, "", "" ); #endif /* !NEW_LOGGING */ if ( method == LDAP_AUTH_SIMPLE && be_isroot_pw( be, conn, ndn, cred ) ) { isroot = 1; ber_dupbv( edn, be_root_dn( be ) ); op_type = META_OP_REQUIRE_ALL; } lc = meta_back_getconn( li, conn, op, op_type, ndn, NULL ); if ( !lc ) { #ifdef NEW_LOGGING LDAP_LOG( BACK_META, NOTICE, "meta_back_bind: no target for dn %s.\n", dn->bv_val, 0, 0 ); #else /* !NEW_LOGGING */ Debug( LDAP_DEBUG_ANY, "meta_back_bind: no target for dn %s.\n%s%s", dn->bv_val, "", ""); #endif /* !NEW_LOGGING */ send_ldap_result( conn, op, LDAP_OTHER, NULL, NULL, NULL, NULL ); return -1; } /* * Each target is scanned ... */ lc->bound_target = META_BOUND_NONE; ndnlen = ndn->bv_len; for ( i = 0; i < li->ntargets; i++ ) { int lerr; /* * Skip non-candidates */ if ( lc->conns[ i ].candidate != META_CANDIDATE ) { continue; } if ( gotit == 0 ) { gotit = 1; } else { /* * A bind operation is expected to have * ONE CANDIDATE ONLY! */ #ifdef NEW_LOGGING LDAP_LOG( BACK_META, WARNING, "==>meta_back_bind: more than one" " candidate is attempting to bind" " ...\n" , 0, 0, 0 ); #else /* !NEW_LOGGING */ Debug( LDAP_DEBUG_ANY, "==>meta_back_bind: more than one" " candidate is attempting to bind" " ...\n%s%s%s", "", "", "" ); #endif /* !NEW_LOGGING */ } if ( isroot && li->targets[ i ]->pseudorootdn.bv_val != NULL ) { realdn = &li->targets[ i ]->pseudorootdn; realndn = &li->targets[ i ]->pseudorootdn; realcred = &li->targets[ i ]->pseudorootpw; realmethod = LDAP_AUTH_SIMPLE; } else { realdn = dn; realndn = ndn; realcred = cred; realmethod = method; } lerr = meta_back_do_single_bind( li, lc, op, realdn, realndn, realcred, realmethod, i ); if ( lerr != LDAP_SUCCESS ) { err = lerr; ( void )meta_clear_one_candidate( &lc->conns[ i ], 1 ); } else { rc = LDAP_SUCCESS; } } if ( isroot ) { lc->bound_target = META_BOUND_ALL; } /* * rc is LDAP_SUCCESS if at least one bind succeeded, * err is the last error that occurred during a bind; * if at least (and at most?) one bind succeedes, fine. */ if ( rc != LDAP_SUCCESS /* && err != LDAP_SUCCESS */ ) { /* * deal with bind failure ... */ /* * no target was found within the naming context, * so bind must fail with invalid credentials */ if ( err == LDAP_SUCCESS && gotit == 0 ) { err = LDAP_INVALID_CREDENTIALS; } err = ldap_back_map_result( err ); send_ldap_result( conn, op, err, NULL, NULL, NULL, NULL ); return -1; } return 0; } /* * meta_back_do_single_bind * * attempts to perform a bind with creds */ static int meta_back_do_single_bind( struct metainfo *li, struct metaconn *lc, Operation *op, struct berval *dn, struct berval *ndn, struct berval *cred, int method, int candidate ) { struct berval mdn = { 0, NULL }; int rc; /* * Rewrite the bind dn if needed */ switch ( rewrite_session( li->targets[ candidate ]->rwinfo, "bindDn", dn->bv_val, lc->conn, &mdn.bv_val ) ) { case REWRITE_REGEXEC_OK: if ( mdn.bv_val == NULL ) { mdn = *dn; } #ifdef NEW_LOGGING LDAP_LOG( BACK_META, DETAIL1, "[rw] bindDn: \"%s\" -> \"%s\"\n", dn->bv_val, mdn.bv_val, 0 ); #else /* !NEW_LOGGING */ Debug( LDAP_DEBUG_ARGS, "rw> bindDn: \"%s\" -> \"%s\"\n%s", dn->bv_val, mdn.bv_val, "" ); #endif /* !NEW_LOGGING */ break; case REWRITE_REGEXEC_UNWILLING: return LDAP_UNWILLING_TO_PERFORM; case REWRITE_REGEXEC_ERR: return LDAP_OTHER; } if ( op->o_ctrls ) { rc = ldap_set_option( lc->conns[ candidate ].ld, LDAP_OPT_SERVER_CONTROLS, op->o_ctrls ); if ( rc != LDAP_SUCCESS ) { rc = ldap_back_map_result( rc ); goto return_results; } } rc = ldap_bind_s( lc->conns[ candidate ].ld, mdn.bv_val, cred->bv_val, method ); if ( rc != LDAP_SUCCESS ) { rc = ldap_back_map_result( rc ); } else { ber_dupbv( &lc->conns[ candidate ].bound_dn, dn ); lc->conns[ candidate ].bound = META_BOUND; lc->bound_target = candidate; if ( li->savecred ) { if ( lc->conns[ candidate ].cred.bv_val ) ch_free( lc->conns[ candidate ].cred.bv_val ); ber_dupbv( &lc->conns[ candidate ].cred, cred ); ldap_set_rebind_proc( lc->conns[ candidate ].ld, meta_back_rebind, &lc->conns[ candidate ] ); } if ( li->cache.ttl != META_DNCACHE_DISABLED && ndn->bv_len != 0 ) { ( void )meta_dncache_update_entry( &li->cache, ndn, candidate ); } } return_results:; if ( mdn.bv_val != dn->bv_val ) { free( mdn.bv_val ); } return rc; } /* * meta_back_dobind */ int meta_back_dobind( struct metaconn *lc, Operation *op ) { struct metasingleconn *lsc; int bound = 0, i; /* * all the targets are bound as pseudoroot */ if ( lc->bound_target == META_BOUND_ALL ) { return 1; } for ( i = 0, lsc = lc->conns; !META_LAST(lsc); ++i, ++lsc ) { int rc; /* * Not a candidate or something wrong with this target ... */ if ( lsc->ld == NULL ) { continue; } /* * If required, set controls */ if ( op->o_ctrls ) { if ( ldap_set_option( lsc->ld, LDAP_OPT_SERVER_CONTROLS, op->o_ctrls ) != LDAP_SUCCESS ) { ( void )meta_clear_one_candidate( lsc, 1 ); continue; } } /* * If the target is already bound it is skipped */ if ( lsc->bound == META_BOUND && lc->bound_target == i ) { ++bound; continue; } /* * Otherwise an anonymous bind is performed * (note: if the target was already bound, the anonymous * bind clears the previous bind). */ if ( lsc->bound_dn.bv_val ) { ch_free( lsc->bound_dn.bv_val ); lsc->bound_dn.bv_val = NULL; lsc->bound_dn.bv_len = 0; } rc = ldap_bind_s( lsc->ld, 0, NULL, LDAP_AUTH_SIMPLE ); if ( rc != LDAP_SUCCESS ) { #ifdef NEW_LOGGING LDAP_LOG( BACK_META, WARNING, "meta_back_dobind: (anonymous)" " bind failed" " with error %d (%s)\n", rc, ldap_err2string( rc ), 0 ); #else /* !NEW_LOGGING */ Debug( LDAP_DEBUG_ANY, "==>meta_back_dobind: (anonymous)" " bind failed" " with error %d (%s)\n", rc, ldap_err2string( rc ), 0 ); #endif /* !NEW_LOGGING */ /* * null cred bind should always succeed * as anonymous, so a failure means * the target is no longer candidate possibly * due to technical reasons (remote host down?) * so better clear the handle */ ( void )meta_clear_one_candidate( lsc, 1 ); continue; } /* else */ lsc->bound = META_ANONYMOUS; ++bound; } return( bound > 0 ); } /* * */ int meta_back_is_valid( struct metaconn *lc, int candidate ) { struct metasingleconn *lsc; int i; assert( lc ); if ( candidate < 0 ) { return 0; } for ( i = 0, lsc = lc->conns; !META_LAST(lsc) && i < candidate; ++i, ++lsc ); if ( !META_LAST(lsc) ) { return( lsc->ld != NULL ); } return 0; } /* * meta_back_rebind * * This is a callback used for chasing referrals using the same * credentials as the original user on this session. */ static int meta_back_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request, ber_int_t msgid, void *params ) { struct metasingleconn *lc = params; return ldap_bind_s( ld, lc->bound_dn.bv_val, lc->cred.bv_val, LDAP_AUTH_SIMPLE ); } /* * FIXME: error return must be handled in a cleaner way ... */ int meta_back_op_result( struct metaconn *lc, Operation *op ) { int i, rerr = LDAP_SUCCESS; struct metasingleconn *lsc; char *rmsg = NULL; char *rmatch = NULL; for ( i = 0, lsc = lc->conns; !META_LAST(lsc); ++i, ++lsc ) { int err = LDAP_SUCCESS; char *msg = NULL; char *match = NULL; ldap_get_option( lsc->ld, LDAP_OPT_ERROR_NUMBER, &err ); if ( err != LDAP_SUCCESS ) { /* * better check the type of error. In some cases * (search ?) it might be better to return a * success if at least one of the targets gave * positive result ... */ ldap_get_option( lsc->ld, LDAP_OPT_ERROR_STRING, &msg ); ldap_get_option( lsc->ld, LDAP_OPT_MATCHED_DN, &match ); err = ldap_back_map_result( err ); #ifdef NEW_LOGGING LDAP_LOG( BACK_META, RESULTS, "meta_back_op_result: target" " <%d> sending msg \"%s\"" " (matched \"%s\")\n", i, ( msg ? msg : "" ), ( match ? match : "" ) ); #else /* !NEW_LOGGING */ Debug(LDAP_DEBUG_ANY, "==> meta_back_op_result: target" " <%d> sending msg \"%s\"" " (matched \"%s\")\n", i, ( msg ? msg : "" ), ( match ? match : "" ) ); #endif /* !NEW_LOGGING */ /* * FIXME: need to rewrite "match" (need rwinfo) */ switch ( err ) { default: rerr = err; rmsg = msg; msg = NULL; rmatch = match; match = NULL; break; } /* better test the pointers before freeing? */ if ( match ) { free( match ); } if ( msg ) { free( msg ); } } } send_ldap_result( lc->conn, op, rerr, rmatch, rmsg, NULL, NULL ); return ( ( rerr == LDAP_SUCCESS ) ? 0 : -1 ); }