Home Explore Help
Register Sign In
Apq
/
389-ds-base
mirror of https://github.com/389ds/389-ds-base.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: c2c512e4fa
Branches Tags
389-ds-base
/
ldap
/
servers
/
slapd
/
pw_verify.c

pw_verify.c 4.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143 
  1. /** BEGIN COPYRIGHT BLOCK
    2. 

  2.  * Copyright (C) 2016 Red Hat, Inc.
    3. 

  3.  * All rights reserved.
    4. 

  4.  *
    5. 

  5.  * License: GPL (version 3 or any later version).
    6. 

  6.  * See LICENSE for details. 
    7. 

  7.  * END COPYRIGHT BLOCK **/
    8. 

  8. 

  9. /*
    10. 

  10.  * pw_verify.c
    11. 

  11.  *
    12. 

  12.  * This contains helpers that take a DN and a password credential from a simple
    13. 

  13.  * bind or SASL PLAIN/LOGIN. It steps through the raw credential and returns
    14. 

  14.  *
    15. 

  15.  * SLAPI_BIND_SUCCESS : The credentials are correct for the DN.
    16. 

  16.  * SLAPI_BIND_ANONYMOUS : The credentials are anonymous.
    17. 

  17.  * SLAPI_BIND_REFERRAL : The DN provided is going to be a referal, go away!
    18. 

  18.  * LDAP_INVALID_CREDENTIALS : The credentials are incorrect for this DN, or not
    19. 

  19.  *                            enough material was provided.
    20. 

  20.  * LDAP_OPERATIONS_ERROR : Something went wrong during verification.
    21. 

  21.  */
    22. 

  22. 

  23. #ifdef HAVE_CONFIG_H
    24. 

  24. #  include <config.h>
    25. 

  25. #endif
    26. 

  26. #include "slap.h"
    27. 

  27. #include "fe.h"
    28. 

  28. 

  29. int
    30. 

  30. pw_verify_root_dn(const char *dn, const Slapi_Value *cred)
    31. 

  31. {
    32. 

  32.     int result = LDAP_OPERATIONS_ERROR;
    33. 

  33.     char *root_pw = config_get_rootpw();
    34. 

  34.     if (root_pw != NULL && slapi_dn_isroot(dn)) {
    35. 

  35.         /* Now build a slapi value to give to slapi_pw_find_sv */
    36. 

  36.         Slapi_Value root_dn_pw_bval;
    37. 

  37.         slapi_value_init_string(&root_dn_pw_bval, root_pw);
    38. 

  38.         Slapi_Value *root_dn_pw_vals[] = {&root_dn_pw_bval, NULL};
    39. 

  39.         result = slapi_pw_find_sv(root_dn_pw_vals, cred);
    40. 

  40.         value_done(&root_dn_pw_bval);
    41. 

  41.     }
    42. 

  42.     slapi_ch_free_string(&root_pw);
    43. 

  43.     return result;
    44. 

  44. }
    45. 

  45. 

  46. /*
    47. 

  47.  * This will work out which backend is needed, and then work from there.
    48. 

  48.  * You must set the SLAPI_BIND_TARGET_SDN, and SLAPI_BIND_CREDENTIALS to
    49. 

  49.  * the pblock for this to operate correctly.
    50. 

  50.  *
    51. 

  51.  * In the future, this will use the credentials and do mfa.
    52. 

  52.  *
    53. 

  53.  * All other results, it's already released.
    54. 

  54.  */
    55. 

  55. int
    56. 

  56. pw_verify_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral)
    57. 

  57. {
    58. 

  58.     int rc = 0;
    59. 

  59.     Slapi_Backend *be = NULL;
    60. 

  60. 

  61.     if (slapi_mapping_tree_select(pb, &be, referral, NULL, 0) != LDAP_SUCCESS) {
    62. 

  62.         return SLAPI_BIND_NO_BACKEND;
    63. 

  63.     }
    64. 

  64. 

  65.     if (*referral) {
    66. 

  66.         slapi_be_Unlock(be);
    67. 

  67.         return SLAPI_BIND_REFERRAL;
    68. 

  68.     }
    69. 

  69. 

  70.     slapi_pblock_set( pb, SLAPI_BACKEND, be );
    71. 

  71.     /* Put the credentials into the pb */
    72. 

  72.     if (be->be_bind == NULL) {
    73. 

  73.         /* Selected backend doesn't support binds! */
    74. 

  74.         slapi_be_Unlock(be);
    75. 

  75.         return LDAP_OPERATIONS_ERROR;
    76. 

  76.     }
    77. 

  77.     slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database);
    78. 

  78.     /* Make sure the result handlers are setup */
    79. 

  79.     set_db_default_result_handlers(pb);
    80. 

  80.     /* now take the dn, and check it */
    81. 

  81.     rc = (*be->be_bind)(pb);
    82. 

  82.     slapi_be_Unlock(be);
    83. 

  83. 

  84.     return rc;
    85. 

  85. }
    86. 

  86. 

  87. /*
    88. 

  88.  * Resolve the dn we have been requested to bind with and verify it's
    89. 

  89.  * valid, and has a backend.
    90. 

  90.  *
    91. 

  91.  * We are checking:
    92. 

  92.  * * is this anonymous?
    93. 

  93.  * * is this the rootdn?
    94. 

  94.  * * is this a real dn, which associates to a real backend.
    95. 

  95.  *
    96. 

  96.  * This is used in SASL autobinds, so we need to handle this validation.
    97. 

  97.  */
    98. 

  98. 

  99. int
    100. 

  100. pw_validate_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral)
    101. 

  101. {
    102. 

  102.     Slapi_Backend *be = NULL;
    103. 

  103.     Slapi_DN *pb_sdn;
    104. 

  104.     struct berval *cred;
    105. 

  105.     ber_tag_t method;
    106. 

  106. 

  107. 

  108.     slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &pb_sdn);
    109. 

  109.     slapi_pblock_get(pb, SLAPI_BIND_CREDENTIALS, &cred);
    110. 

  110.     slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method);
    111. 

  111. 

  112.     if (pb_sdn != NULL || cred != NULL) {
    113. 

  113.         return LDAP_OPERATIONS_ERROR;
    114. 

  114.     }
    115. 

  115. 

  116.     if (*referral) {
    117. 

  117.         return SLAPI_BIND_REFERRAL;
    118. 

  118.     }
    119. 

  119. 

  120.     /* We need a slapi_sdn_isanon? */
    121. 

  121.     if (method == LDAP_AUTH_SIMPLE && (cred == NULL || cred->bv_len == 0)) {
    122. 

  122.         return SLAPI_BIND_ANONYMOUS;
    123. 

  123.     }
    124. 

  124. 

  125.     if (slapi_sdn_isroot(pb_sdn)) {
    126. 

  126.         /* This is a real identity */
    127. 

  127.         return SLAPI_BIND_SUCCESS;
    128. 

  128.     }
    129. 

  129. 

  130.     if (slapi_mapping_tree_select(pb, &be, referral, NULL, 0) != LDAP_SUCCESS) {
    131. 

  131.         return SLAPI_BIND_NO_BACKEND;
    132. 

  132.     }
    133. 

  133.     slapi_be_Unlock(be);
    134. 

  134. 

  135.     slapi_pblock_set(pb, SLAPI_BACKEND, be);
    136. 

  136.     slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database);
    137. 

  137.     /* Make sure the result handlers are setup */
    138. 

  138.     set_db_default_result_handlers(pb);
    139. 

  139. 

  140.     /* The backend associated with this identity is real. */
    141. 

  141. 

  142.     return SLAPI_BIND_SUCCESS;
    143. 

  143. }
    144.