/*
* ldap_sasl_bind_s - bind to the ldap server using sasl authentication
* The dn, mechanism, and credentials of the entry to which to bind are
* supplied. LDAP_SUCCESS is returned upon success, the ldap error code
* otherwise.
*
* Example:
* struct berval creds;
* ... fill in creds with credentials ...
* ldap_sasl_bind_s( ld, "cn=manager, o=university of michigan, c=us",
* "mechanismname", &creds )
*/
int
LDAP_CALL
ldap_sasl_bind_s(
LDAP *ld,
const char *dn,
const char *mechanism,
const struct berval *cred,
LDAPControl **serverctrls,
LDAPControl **clientctrls,
struct berval **servercredp
)
{
int err, msgid;
LDAPMessage *result;
LDAPDebug( LDAP_DEBUG_TRACE, "ldap_sasl_bind_s\n", 0, 0, 0 );
if ( ( err = ldap_sasl_bind( ld, dn, mechanism, cred, serverctrls,
clientctrls, &msgid )) != LDAP_SUCCESS )
return( err );
if ( ldap_result( ld, msgid, 1, (struct timeval *) 0, &result ) == -1 )
return( LDAP_GET_LDERRNO( ld, NULL, NULL ) );
if (( err = ldap_parse_sasl_bind_result( ld, result, servercredp, 0 ))
!= LDAP_SUCCESS ) {
ldap_msgfree( result );
return( err );
}
return( ldap_result2error( ld, result, 1 ) );
}
ldap_rcode_t rlm_ldap_sasl_interactive(rlm_ldap_t const *inst, REQUEST *request,
ldap_handle_t *conn, char const *identity,
char const *password, ldap_sasl *sasl,
char const **error, char **extra)
{
ldap_rcode_t status;
int ret = 0;
int msgid;
char const *mech;
LDAPMessage *result = NULL;
rlm_ldap_sasl_ctx_t sasl_ctx; /* SASL defaults */
memset(&sasl_ctx, 0, sizeof(sasl_ctx));
sasl_ctx.inst = inst;
sasl_ctx.request = request;
sasl_ctx.identity = identity;
sasl_ctx.password = password;
ROPTIONAL(RDEBUG2, DEBUG2, "Starting SASL mech(s): %s", sasl->mech);
do {
ret = ldap_sasl_interactive_bind(conn->handle, NULL, sasl->mech,
NULL, NULL, LDAP_SASL_AUTOMATIC,
_sasl_interact, &sasl_ctx, result,
&mech, &msgid);
ldap_msgfree(result); /* We always need to free the old message */
if (ret >= 0) ROPTIONAL(RDEBUG3, DEBUG3, "Continuing SASL mech %s...", mech);
status = rlm_ldap_result(inst, conn, msgid, identity, &result, error, extra);
/*
* Write the servers response to the debug log
*/
if (((request && RDEBUG_ENABLED3) || DEBUG_ENABLED3) && result) {
struct berval *srv_cred;
if (ldap_parse_sasl_bind_result(conn->handle, result, &srv_cred, 0) == 0) {
char *escaped;
escaped = fr_aprints(request, srv_cred->bv_val, srv_cred->bv_len, '\0');
ROPTIONAL(RDEBUG3, DEBUG3, "SASL response : %s", escaped);
talloc_free(escaped);
ldap_memfree(srv_cred);
}
}
} while (status == LDAP_PROC_CONTINUE);
ldap_msgfree(result);
return status;
}
static int
nsldapi_sasl_bind_s(
LDAP *ld,
const char *dn,
const char *mechanism,
const struct berval *cred,
LDAPControl **serverctrls,
LDAPControl **clientctrls,
struct berval **servercredp,
LDAPControl ***responsectrls
)
{
int err, msgid;
LDAPMessage *result;
LDAPDebug( LDAP_DEBUG_TRACE, "nsldapi_sasl_bind_s\n", 0, 0, 0 );
if ( !NSLDAPI_VALID_LDAP_POINTER( ld )) {
return( LDAP_PARAM_ERROR );
}
if ( NSLDAPI_LDAP_VERSION( ld ) < LDAP_VERSION3 ) {
LDAP_SET_LDERRNO( ld, LDAP_NOT_SUPPORTED, NULL, NULL );
return( LDAP_NOT_SUPPORTED );
}
if ( ( err = ldap_sasl_bind( ld, dn, mechanism, cred, serverctrls,
clientctrls, &msgid )) != LDAP_SUCCESS )
return( err );
if ( ldap_result( ld, msgid, 1, (struct timeval *) 0, &result ) == -1 )
return( LDAP_GET_LDERRNO( ld, NULL, NULL ) );
/* Get the controls sent by the server if requested */
if ( responsectrls ) {
if ( ( err = ldap_parse_result( ld, result, &err, NULL, NULL,
NULL, responsectrls, 0 )) != LDAP_SUCCESS )
return( err );
}
err = ldap_parse_sasl_bind_result( ld, result, servercredp, 0 );
if (err != LDAP_SUCCESS && err != LDAP_SASL_BIND_IN_PROGRESS) {
ldap_msgfree( result );
return( err );
}
return( ldap_result2error( ld, result, 1 ) );
}
static int
sasl_digest_md5_bind_2(
LDAP *ld,
char *user_name,
struct berval *cred,
LDAPControl **serverctrls,
LDAPControl **clientctrls,
LDAPMessage *result,
int *msgidp)
{
struct berval *challenge = NULL;
struct berval resp;
int errnum;
char *digest = NULL;
int err;
if (ld == NULL || user_name == NULL || cred == NULL ||
cred->bv_val == NULL || result == NULL || msgidp == NULL)
return (LDAP_PARAM_ERROR);
if (ld->ld_version < LDAP_VERSION3)
return (LDAP_PARAM_ERROR);
err = ldap_result2error(ld, result, 0);
if (err != LDAP_SASL_BIND_IN_PROGRESS)
return (err);
if ((err = ldap_parse_sasl_bind_result(ld, result, &challenge, 0))
!= LDAP_SUCCESS)
return (err);
if (challenge == NULL)
return (LDAP_NO_MEMORY);
err = ldap_digest_md5_encode(challenge->bv_val,
user_name, cred->bv_val, &digest);
ber_bvfree(challenge);
if (err == LDAP_SUCCESS) {
resp.bv_val = digest;
resp.bv_len = strlen(digest);
LDAPDebug(LDAP_DEBUG_TRACE, "SASL reply: %s\n",
digest, 0, 0);
err = ldap_sasl_bind(ld, NULL, LDAP_SASL_DIGEST_MD5,
&resp, serverctrls, clientctrls, msgidp);
free(digest);
}
return (err);
}
int
ldap_sasl_bind_s(
LDAP *ld,
LDAP_CONST char *dn,
LDAP_CONST char *mechanism,
struct berval *cred,
LDAPControl **sctrls,
LDAPControl **cctrls,
struct berval **servercredp )
{
int rc, msgid;
LDAPMessage *result;
struct berval *scredp = NULL;
#ifdef NEW_LOGGING
LDAP_LOG ( TRANSPORT, ENTRY, "ldap_sasl_bind_s\n", 0, 0, 0 );
#else
Debug( LDAP_DEBUG_TRACE, "ldap_sasl_bind_s\n", 0, 0, 0 );
#endif
/* do a quick !LDAPv3 check... ldap_sasl_bind will do the rest. */
if( servercredp != NULL ) {
if (ld->ld_version < LDAP_VERSION3) {
ld->ld_errno = LDAP_NOT_SUPPORTED;
return ld->ld_errno;
}
*servercredp = NULL;
}
rc = ldap_sasl_bind( ld, dn, mechanism, cred, sctrls, cctrls, &msgid );
if ( rc != LDAP_SUCCESS ) {
return( rc );
}
#ifdef LDAP_CONNECTIONLESS
if (LDAP_IS_UDP(ld)) {
return( rc );
}
#endif
if ( ldap_result( ld, msgid, 1, NULL, &result ) == -1 ) {
return( ld->ld_errno ); /* ldap_result sets ld_errno */
}
/* parse the results */
scredp = NULL;
if( servercredp != NULL ) {
rc = ldap_parse_sasl_bind_result( ld, result, &scredp, 0 );
}
if ( rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS ) {
ldap_msgfree( result );
return( rc );
}
rc = ldap_result2error( ld, result, 1 );
if ( rc == LDAP_SUCCESS || rc == LDAP_SASL_BIND_IN_PROGRESS ) {
if( servercredp != NULL ) {
*servercredp = scredp;
scredp = NULL;
}
}
if ( scredp != NULL ) {
ber_bvfree(scredp);
}
return rc;
}
/** Initiate an LDAP interactive bind
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request, this may be NULL, in which case all debug logging is done with radlog.
* @param[in] conn to use. May change as this function calls functions which auto re-connect.
* @param[in] identity of the user.
* @param[in] password of the user.
* @param[in] sasl mechanism to use for bind, and additional parameters.
* @param[in] serverctrls Search controls to pass to the server. May be NULL.
* @param[in] clientctrls Search controls for ldap_sasl_interactive. May be NULL.
* @param[out] error message resulting from bind.
* @param[out] extra information about the error.
* @return One of the LDAP_PROC_* (#ldap_rcode_t) values.
*/
ldap_rcode_t rlm_ldap_sasl_interactive(rlm_ldap_t const *inst, REQUEST *request,
ldap_handle_t *conn, char const *identity,
char const *password, ldap_sasl *sasl,
LDAPControl **serverctrls, LDAPControl **clientctrls,
char const **error, char **extra)
{
ldap_rcode_t status;
int ret = 0;
int msgid;
char const *mech;
LDAPMessage *result = NULL;
rlm_ldap_sasl_ctx_t sasl_ctx; /* SASL defaults */
LDAPControl *our_serverctrls[LDAP_MAX_CONTROLS];
LDAPControl *our_clientctrls[LDAP_MAX_CONTROLS];
rlm_ldap_control_merge(our_serverctrls, our_clientctrls,
sizeof(our_serverctrls) / sizeof(*our_serverctrls),
sizeof(our_clientctrls) / sizeof(*our_clientctrls),
conn, serverctrls, clientctrls);
/* rlm_ldap_result may not be called */
if (error) *error = NULL;
if (extra) *extra = NULL;
sasl_ctx.inst = inst;
sasl_ctx.request = request;
sasl_ctx.identity = identity;
sasl_ctx.password = password;
sasl_ctx.extra = sasl;
MOD_ROPTIONAL(RDEBUG2, DEBUG2, "Starting SASL mech(s): %s", sasl->mech);
for (;;) {
ret = ldap_sasl_interactive_bind(conn->handle, NULL, sasl->mech,
our_serverctrls, our_clientctrls,
LDAP_SASL_AUTOMATIC,
_sasl_interact, &sasl_ctx, result,
&mech, &msgid);
/*
* If ldap_sasl_interactive_bind indicates it didn't want
* to continue, then we're done.
*
* Calling ldap_result here, results in a timeout in some
* cases, so we need to figure out whether the bind was
* successful without the help of ldap_result.
*/
if (ret != LDAP_SASL_BIND_IN_PROGRESS) {
status = rlm_ldap_result(inst, conn, -1, identity, NULL, error, extra);
break; /* Old result gets freed on after exit */
}
ldap_msgfree(result); /* We always need to free the old message */
/*
* If LDAP parse result indicates there was an error
* then we're done.
*/
status = rlm_ldap_result(inst, conn, msgid, identity, &result, error, extra);
switch (status) {
case LDAP_PROC_SUCCESS: /* ldap_sasl_interactive_bind should have indicated success */
case LDAP_PROC_CONTINUE:
break;
default:
goto done;
}
/*
* ...otherwise, the bind is still in progress.
*/
MOD_ROPTIONAL(RDEBUG3, DEBUG3, "Continuing SASL mech %s...", mech);
/*
* Write the servers response to the debug log
*/
if (((request && RDEBUG_ENABLED3) || DEBUG_ENABLED3) && result) {
struct berval *srv_cred;
if (ldap_parse_sasl_bind_result(conn->handle, result, &srv_cred, 0) == 0) {
char *escaped;
escaped = fr_asprint(request, srv_cred->bv_val, srv_cred->bv_len, '\0');
MOD_ROPTIONAL(RDEBUG3, DEBUG3, "SASL response : %s", escaped);
talloc_free(escaped);
ldap_memfree(srv_cred);
}
}
}
done:
ldap_msgfree(result);
return status;
}
// typedef PRBool
// (* nsHashtableEnumFunc)
// (nsHashKey *aKey, void *aData, void* aClosure);
PRBool
CheckLDAPOperationResult(nsHashKey *aKey, void *aData, void* aClosure)
{
int lderrno;
nsresult rv;
PRInt32 returnCode;
LDAPMessage *msgHandle;
nsCOMPtr<nsILDAPMessage> msg;
PRBool operationFinished = PR_TRUE;
struct timeval timeout = { 0, 0 };
PRIntervalTime sleepTime = PR_MillisecondsToInterval(40);
// we need to access some of the connection loop's objects
//
nsLDAPConnectionLoop *loop =
static_cast<nsLDAPConnectionLoop *>(aClosure);
// get the console service so we can log messages
//
nsCOMPtr<nsIConsoleService> consoleSvc =
do_GetService(kConsoleServiceContractId, &rv);
if (NS_FAILED(rv)) {
NS_ERROR("CheckLDAPOperationResult() couldn't get console service");
return NS_ERROR_FAILURE;
}
returnCode = ldap_result(loop->mRawConn->mConnectionHandle,
aKey->HashCode(), LDAP_MSG_ONE,
&timeout, &msgHandle);
// if we didn't error or timeout, create an nsILDAPMessage
//
switch (returnCode) {
case 0: // timeout
// the connection may not exist yet. sleep for a while
// to avoid a problem where the LDAP connection/thread isn't
// ready quite yet, and we want to avoid a very busy loop.
//
PR_Sleep(sleepTime);
return PR_TRUE;
case -1: // something went wrong
lderrno = ldap_get_lderrno(loop->mRawConn->mConnectionHandle, 0, 0);
// Sleep briefly, to avoid a very busy loop again.
//
PR_Sleep(sleepTime);
switch (lderrno) {
case LDAP_SERVER_DOWN:
// We might want to shutdown the thread here, but it has
// implications to the user of the nsLDAPConnection, so
// for now we just ignore it. It's up to the owner of
// the nsLDAPConnection to detect the error, and then
// create a new connection.
//
PR_LOG(gLDAPLogModule, PR_LOG_DEBUG,
("CheckLDAPOperationResult(): ldap_result returned"
" LDAP_SERVER_DOWN"));
break;
case LDAP_DECODING_ERROR:
consoleSvc->LogStringMessage(
NS_LITERAL_STRING("LDAP: WARNING: decoding error; possible corrupt data received").get());
NS_WARNING("CheckLDAPOperationResult(): ldaperrno = "
"LDAP_DECODING_ERROR after ldap_result()");
break;
case LDAP_NO_MEMORY:
NS_ERROR("CheckLDAPOperationResult(): Couldn't allocate memory"
" while getting async operation result");
// punt and hope things work out better next time around
break;
case LDAP_PARAM_ERROR:
// I think it's possible to hit a race condition where we're
// continuing to poll for a result after the C SDK connection
// has removed the operation because the connection has gone
// dead. In theory we should fix this. Practically, it's
// unclear to me whether it matters.
//
NS_WARNING("CheckLDAPOperationResult(): ldap_result returned"
" LDAP_PARAM_ERROR");
break;
default:
NS_ERROR("CheckLDAPOperationResult(): lderrno set to "
"unexpected value after ldap_result() "
"call in nsLDAPConnection::Run()");
PR_LOG(gLDAPLogModule, PR_LOG_ERROR,
("lderrno = 0x%x", lderrno));
break;
}
break;
case LDAP_RES_SEARCH_ENTRY:
case LDAP_RES_SEARCH_REFERENCE:
// XXX what should we do with LDAP_RES_SEARCH_EXTENDED?
// not done yet, so we shouldn't remove the op from the conn q
operationFinished = PR_FALSE;
// fall through to default case
default: // initialize the message and call the callback
// we want nsLDAPMessage specifically, not a compatible, since
// we're sharing native objects used by the LDAP C SDK
//
nsLDAPMessage *rawMsg;
NS_NEWXPCOM(rawMsg, nsLDAPMessage);
if (!rawMsg) {
NS_ERROR("CheckLDAPOperationResult(): couldn't allocate memory"
" for new LDAP message; search entry dropped");
// punt and hope things work out better next time around
break;
}
// initialize the message, using a protected method not available
// through nsILDAPMessage (which is why we need the raw pointer)
//
rv = rawMsg->Init(loop->mRawConn, msgHandle);
// now let the scoping mechanisms provided by nsCOMPtr manage
// the reference for us.
//
msg = rawMsg;
switch (rv) {
case NS_OK: {
PRInt32 errorCode;
rawMsg->GetErrorCode(&errorCode);
// maybe a version error, e.g., using v3 on a v2 server.
// if we're using v3, try v2.
//
if (errorCode == LDAP_PROTOCOL_ERROR &&
loop->mRawConn->mVersion == nsILDAPConnection::VERSION3) {
nsCAutoString password;
loop->mRawConn->mVersion = nsILDAPConnection::VERSION2;
ldap_set_option(loop->mRawConn->mConnectionHandle,
LDAP_OPT_PROTOCOL_VERSION, &loop->mRawConn->mVersion);
nsCOMPtr <nsILDAPOperation> operation =
static_cast<nsILDAPOperation *>(static_cast<nsISupports *>(aData));
// we pass in an empty password to tell the operation that
// it should use the cached password.
//
rv = operation->SimpleBind(password);
if (NS_SUCCEEDED(rv)) {
operationFinished = PR_FALSE;
// we don't want to notify callers that we're done...
return PR_TRUE;
}
}
// If we're midway through a SASL Bind, we need to continue
// without letting our caller know what we're up to!
//
if (errorCode == LDAP_SASL_BIND_IN_PROGRESS) {
struct berval *creds;
ldap_parse_sasl_bind_result(
loop->mRawConn->mConnectionHandle, msgHandle,
&creds, 0);
nsCOMPtr <nsILDAPOperation> operation =
static_cast<nsILDAPOperation *>
(static_cast<nsISupports *>(aData));
rv = operation->SaslStep(creds->bv_val, creds->bv_len);
if (NS_SUCCEEDED(rv)) {
return PR_TRUE;
}
}
}
break;
case NS_ERROR_LDAP_DECODING_ERROR:
consoleSvc->LogStringMessage(
NS_LITERAL_STRING("LDAP: WARNING: decoding error; possible corrupt data received").get());
NS_WARNING("CheckLDAPOperationResult(): ldaperrno = "
"LDAP_DECODING_ERROR after ldap_result()");
return PR_TRUE;
case NS_ERROR_OUT_OF_MEMORY:
// punt and hope things work out better next time around
return PR_TRUE;
case NS_ERROR_ILLEGAL_VALUE:
case NS_ERROR_UNEXPECTED:
default:
// shouldn't happen; internal error
//
NS_ERROR("CheckLDAPOperationResult(): nsLDAPMessage::Init() "
"returned unexpected value.");
// punt and hope things work out better next time around
return PR_TRUE;
}
// invoke the callback on the nsILDAPOperation corresponding to
// this message
//
rv = loop->mRawConn->InvokeMessageCallback(msgHandle, msg,
operationFinished);
if (NS_FAILED(rv)) {
NS_ERROR("CheckLDAPOperationResult(): error invoking message"
" callback");
// punt and hope things work out better next time around
return PR_TRUE;
}
break;
}
return PR_TRUE;
}
static int
ldap_connection_connect_parse(struct ldap_connection *conn,
struct ldap_op_queue_entry *req,
LDAPMessage *message, bool *finished_r)
{
int ret, result_err;
char *retoid, *result_errmsg;
int msgtype = ldap_msgtype(message);
*finished_r = TRUE;
ret = ldap_parse_result(conn->conn, message, &result_err, NULL,
&result_errmsg, NULL, NULL, 0);
switch(conn->state) {
case LDAP_STATE_TLS:
if (msgtype != LDAP_RES_EXTENDED) {
*finished_r = FALSE;
return LDAP_SUCCESS;
}
if (ret != 0) {
ldap_connection_result_failure(conn, req, ret, t_strdup_printf(
"ldap_start_tls(uri=%s) failed: %s",
conn->set.uri, ldap_err2string(ret)));
return ret;
} else if (result_err != 0) {
if (conn->set.require_ssl) {
ldap_connection_result_failure(conn, req, result_err, t_strdup_printf(
"ldap_start_tls(uri=%s) failed: %s",
conn->set.uri, result_errmsg));
ldap_memfree(result_errmsg);
return LDAP_INVALID_CREDENTIALS; /* make sure it disconnects */
}
} else {
ret = ldap_parse_extended_result(conn->conn, message, &retoid, NULL, 0);
/* retoid can be NULL even if ret == 0 */
if (ret == 0) {
ret = ldap_install_tls(conn->conn);
if (ret != 0) {
// if this fails we have to abort
ldap_connection_result_failure(conn, req, ret, t_strdup_printf(
"ldap_start_tls(uri=%s) failed: %s",
conn->set.uri, ldap_err2string(ret)));
return LDAP_INVALID_CREDENTIALS;
}
}
if (ret != LDAP_SUCCESS) {
if (conn->set.require_ssl) {
ldap_connection_result_failure(conn, req, ret, t_strdup_printf(
"ldap_start_tls(uri=%s) failed: %s",
conn->set.uri, ldap_err2string(ret)));
return LDAP_UNAVAILABLE;
}
} else {
if (conn->set.debug > 0)
i_debug("Using TLS connection to remote LDAP server");
}
ldap_memfree(retoid);
}
conn->state = LDAP_STATE_AUTH;
return ldap_connect_next_message(conn, req, finished_r);
case LDAP_STATE_AUTH:
if (ret != LDAP_SUCCESS) {
ldap_connection_result_failure(conn, req, ret, t_strdup_printf(
"ldap_parse_result() failed for connect: %s",
ldap_err2string(ret)));
return ret;
}
if (result_err != LDAP_SUCCESS) {
const char *error = result_errmsg != NULL ?
result_errmsg : ldap_err2string(result_err);
ldap_connection_result_failure(conn, req, result_err, t_strdup_printf(
"Connect failed: %s", error));
ldap_memfree(result_errmsg);
return result_err;
}
if (msgtype != LDAP_RES_BIND) return 0;
ret = ldap_parse_sasl_bind_result(conn->conn, message, &(conn->scred), 0);
if (ret != LDAP_SUCCESS) {
const char *error = t_strdup_printf(
"Cannot bind with server: %s", ldap_err2string(ret));
ldap_connection_result_failure(conn, req, ret, error);
return 1;
}
conn->state = LDAP_STATE_CONNECT;
return ldap_connect_next_message(conn, req, finished_r);
default:
i_unreached();
}
return LDAP_SUCCESS;
}
