/* Map API errors to protocol errors... */
int
slap_map_api2result( SlapReply *rs )
{
switch(rs->sr_err) {
case LDAP_SERVER_DOWN:
return LDAP_UNAVAILABLE;
case LDAP_LOCAL_ERROR:
return LDAP_OTHER;
case LDAP_ENCODING_ERROR:
case LDAP_DECODING_ERROR:
return LDAP_PROTOCOL_ERROR;
case LDAP_TIMEOUT:
return LDAP_UNAVAILABLE;
case LDAP_AUTH_UNKNOWN:
return LDAP_AUTH_METHOD_NOT_SUPPORTED;
case LDAP_FILTER_ERROR:
rs->sr_text = "Filter error";
return LDAP_OTHER;
case LDAP_USER_CANCELLED:
rs->sr_text = "User cancelled";
return LDAP_OTHER;
case LDAP_PARAM_ERROR:
return LDAP_PROTOCOL_ERROR;
case LDAP_NO_MEMORY:
return LDAP_OTHER;
case LDAP_CONNECT_ERROR:
return LDAP_UNAVAILABLE;
case LDAP_NOT_SUPPORTED:
return LDAP_UNWILLING_TO_PERFORM;
case LDAP_CONTROL_NOT_FOUND:
return LDAP_PROTOCOL_ERROR;
case LDAP_NO_RESULTS_RETURNED:
return LDAP_NO_SUCH_OBJECT;
case LDAP_MORE_RESULTS_TO_RETURN:
rs->sr_text = "More results to return";
return LDAP_OTHER;
case LDAP_CLIENT_LOOP:
case LDAP_REFERRAL_LIMIT_EXCEEDED:
return LDAP_LOOP_DETECT;
default:
if ( LDAP_API_ERROR(rs->sr_err) ) return LDAP_OTHER;
return rs->sr_err;
}
}
static int
retcode_entry_response( Operation *op, SlapReply *rs, BackendInfo *bi, Entry *e )
{
Attribute *a;
int err;
char *next;
int disconnect = 0;
if ( get_manageDSAit( op ) ) {
return SLAP_CB_CONTINUE;
}
if ( !is_entry_objectclass_or_sub( e, oc_errAbsObject ) ) {
return SLAP_CB_CONTINUE;
}
/* operation */
a = attr_find( e->e_attrs, ad_errOp );
if ( a != NULL ) {
int i,
gotit = 0;
struct berval bv = BER_BVNULL;
(void)retcode_op2str( op->o_tag, &bv );
if ( BER_BVISNULL( &bv ) ) {
return SLAP_CB_CONTINUE;
}
for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
if ( bvmatch( &a->a_nvals[ i ], &bv ) ) {
gotit = 1;
break;
}
}
if ( !gotit ) {
return SLAP_CB_CONTINUE;
}
}
/* disconnect */
a = attr_find( e->e_attrs, ad_errDisconnect );
if ( a != NULL ) {
if ( bvmatch( &a->a_nvals[ 0 ], &slap_true_bv ) ) {
return rs->sr_err = SLAPD_DISCONNECT;
}
disconnect = 1;
}
/* error code */
a = attr_find( e->e_attrs, ad_errCode );
if ( a == NULL ) {
return SLAP_CB_CONTINUE;
}
err = strtol( a->a_nvals[ 0 ].bv_val, &next, 0 );
if ( next == a->a_nvals[ 0 ].bv_val || next[ 0 ] != '\0' ) {
return SLAP_CB_CONTINUE;
}
rs->sr_err = err;
/* sleep time */
a = attr_find( e->e_attrs, ad_errSleepTime );
if ( a != NULL && a->a_nvals[ 0 ].bv_val[ 0 ] != '-' ) {
int sleepTime;
if ( lutil_atoi( &sleepTime, a->a_nvals[ 0 ].bv_val ) == 0 ) {
retcode_sleep( sleepTime );
}
}
if ( rs->sr_err != LDAP_SUCCESS && !LDAP_API_ERROR( rs->sr_err )) {
BackendDB db = *op->o_bd,
*o_bd = op->o_bd;
void *o_callback = op->o_callback;
/* message text */
a = attr_find( e->e_attrs, ad_errText );
if ( a != NULL ) {
rs->sr_text = a->a_vals[ 0 ].bv_val;
}
/* matched DN */
a = attr_find( e->e_attrs, ad_errMatchedDN );
if ( a != NULL ) {
rs->sr_matched = a->a_vals[ 0 ].bv_val;
}
if ( bi == NULL ) {
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
bi = on->on_info->oi_orig;
}
db.bd_info = bi;
op->o_bd = &db;
op->o_callback = NULL;
/* referral */
if ( rs->sr_err == LDAP_REFERRAL ) {
BerVarray refs = default_referral;
a = attr_find( e->e_attrs, slap_schema.si_ad_ref );
if ( a != NULL ) {
refs = a->a_vals;
}
rs->sr_ref = referral_rewrite( refs,
NULL, &op->o_req_dn, op->oq_search.rs_scope );
send_search_reference( op, rs );
ber_bvarray_free( rs->sr_ref );
rs->sr_ref = NULL;
} else {
a = attr_find( e->e_attrs, ad_errUnsolicitedOID );
if ( a != NULL ) {
struct berval oid = BER_BVNULL,
data = BER_BVNULL;
ber_int_t msgid = op->o_msgid;
/* RFC 4511 unsolicited response */
op->o_msgid = 0;
oid = a->a_nvals[ 0 ];
a = attr_find( e->e_attrs, ad_errUnsolicitedData );
if ( a != NULL ) {
data = a->a_nvals[ 0 ];
}
if ( strcmp( oid.bv_val, "0" ) == 0 ) {
send_ldap_result( op, rs );
} else {
ber_tag_t tag = op->o_tag;
op->o_tag = LDAP_REQ_EXTENDED;
rs->sr_rspoid = oid.bv_val;
if ( !BER_BVISNULL( &data ) ) {
rs->sr_rspdata = &data;
}
send_ldap_extended( op, rs );
rs->sr_rspoid = NULL;
rs->sr_rspdata = NULL;
op->o_tag = tag;
}
op->o_msgid = msgid;
} else {
send_ldap_result( op, rs );
}
}
rs->sr_text = NULL;
rs->sr_matched = NULL;
op->o_bd = o_bd;
op->o_callback = o_callback;
}
if ( rs->sr_err != LDAP_SUCCESS ) {
if ( disconnect ) {
return rs->sr_err = SLAPD_DISCONNECT;
}
op->o_abandon = 1;
return rs->sr_err;
}
return SLAP_CB_CONTINUE;
}
/*
* sets last_ldap_result and last_ldap_handle
*/
int lds_search(
char* _lds_name,
char* _dn,
int _scope,
char* _filter,
char** _attrs,
struct timeval* _search_timeout,
int* _ld_result_count,
int* _ld_error)
{
struct ld_session* lds;
#ifdef LDAP_PERF
struct timeval before_search = { 0, 0 }, after_search = { 0, 0 };
#endif
/*
* get ld_handle
*/
if (get_connected_ldap_session(_lds_name, &lds) != 0)
{
LM_ERR("[%s]: couldn't get ldap session\n", _lds_name);
return -1;
}
/*
* free last_ldap_result
*/
if (last_ldap_result != NULL) {
ldap_msgfree(last_ldap_result);
last_ldap_result = NULL;
}
LM_DBG( "[%s]: performing LDAP search: dn [%s],"
" scope [%d], filter [%s], client_timeout [%d] usecs\n",
_lds_name,
_dn,
_scope,
_filter,
(int)(lds->client_search_timeout.tv_sec * 1000000
+ lds->client_search_timeout.tv_usec));
#ifdef LDAP_PERF
gettimeofday(&before_search, NULL);
#endif
/*
* perform ldap search
*/
*_ld_error = ldap_search_ext_s(
lds->handle,
_dn,
_scope,
_filter,
_attrs,
0,
NULL,
NULL,
&lds->client_search_timeout,
0,
&last_ldap_result);
#ifdef LDAP_PERF
gettimeofday(&after_search, NULL);
LM_INFO("[%s]: LDAP search took [%d] usecs\n",
_lds_name,
(int)((after_search.tv_sec * 1000000 + after_search.tv_usec)
- (before_search.tv_sec * 1000000 + before_search.tv_usec)));
#endif
if (*_ld_error != LDAP_SUCCESS)
{
if (last_ldap_result != NULL)
{
ldap_msgfree(last_ldap_result);
last_ldap_result = NULL;
}
if (LDAP_API_ERROR(*_ld_error))
{
ldap_disconnect(_lds_name);
}
LM_DBG( "[%s]: ldap_search_ext_st failed: %s\n",
_lds_name,
ldap_err2string(*_ld_error));
return -1;
}
last_ldap_handle = lds->handle;
*_ld_result_count = ldap_count_entries(lds->handle, last_ldap_result);
if (*_ld_result_count < 0)
{
LM_DBG("[%s]: ldap_count_entries failed\n", _lds_name);
return -1;
}
return 0;
}
int ldap_params_search(
int* _ld_result_count,
char* _lds_name,
char* _dn,
int _scope,
char** _attrs,
char* _filter,
...)
{
int rc;
static char filter_str[LDAP_MAX_FILTER_LEN];
va_list filter_vars;
/*
* check _scope
*/
switch (_scope)
{
case LDAP_SCOPE_ONELEVEL:
case LDAP_SCOPE_BASE:
case LDAP_SCOPE_SUBTREE:
break;
default:
LM_ERR("[%s]: invalid scope argument [%d]\n", _lds_name, _scope);
return -1;
}
/*
* vsnprintf
*/
va_start(filter_vars, _filter);
rc = vsnprintf(filter_str, (size_t)LDAP_MAX_FILTER_LEN, _filter,
filter_vars);
if (rc >= LDAP_MAX_FILTER_LEN)
{
LM_ERR( "[%s]: filter string too long (len [%d], max len [%d])\n",
_lds_name,
rc,
LDAP_MAX_FILTER_LEN);
return -1;
}
else if (rc < 0)
{
LM_ERR("vsnprintf failed\n");
return -1;
}
/*
* ldap search
*/
if (lds_search(_lds_name,
_dn,
_scope,
filter_str,
_attrs,
NULL,
_ld_result_count,
&rc)
!= 0)
{
/* try again if LDAP API ERROR */
if (LDAP_API_ERROR(rc) &&
(lds_search(_lds_name,
_dn,
_scope,
filter_str,
_attrs,
NULL,
_ld_result_count,
&rc) != 0))
{
LM_ERR( "[%s]: LDAP search (dn [%s], scope [%d],"
" filter [%s]) failed: %s\n",
_lds_name,
_dn,
_scope,
filter_str,
ldap_err2string(rc));
return -1;
}
}
LM_DBG( "[%s]: [%d] LDAP entries found\n",
_lds_name,
*_ld_result_count);
return 0;
}
char *
ldap_err2string( int err )
{
char *m;
Debug( LDAP_DEBUG_TRACE, "ldap_err2string\n", 0, 0, 0 );
switch ( err ) {
# define C(code, message) case code: m = message; break
/* LDAPv3 (RFC 4511) codes */
C(LDAP_SUCCESS, N_("Success"));
C(LDAP_OPERATIONS_ERROR, N_("Operations error"));
C(LDAP_PROTOCOL_ERROR, N_("Protocol error"));
C(LDAP_TIMELIMIT_EXCEEDED, N_("Time limit exceeded"));
C(LDAP_SIZELIMIT_EXCEEDED, N_("Size limit exceeded"));
C(LDAP_COMPARE_FALSE, N_("Compare False"));
C(LDAP_COMPARE_TRUE, N_("Compare True"));
C(LDAP_STRONG_AUTH_NOT_SUPPORTED,N_("Authentication method not supported"));
C(LDAP_STRONG_AUTH_REQUIRED, N_("Strong(er) authentication required"));
C(LDAP_REFERRAL, N_("Referral"));
C(LDAP_ADMINLIMIT_EXCEEDED, N_("Administrative limit exceeded"));
C(LDAP_UNAVAILABLE_CRITICAL_EXTENSION,
N_("Critical extension is unavailable"));
C(LDAP_CONFIDENTIALITY_REQUIRED,N_("Confidentiality required"));
C(LDAP_SASL_BIND_IN_PROGRESS, N_("SASL bind in progress"));
C(LDAP_NO_SUCH_ATTRIBUTE, N_("No such attribute"));
C(LDAP_UNDEFINED_TYPE, N_("Undefined attribute type"));
C(LDAP_INAPPROPRIATE_MATCHING, N_("Inappropriate matching"));
C(LDAP_CONSTRAINT_VIOLATION, N_("Constraint violation"));
C(LDAP_TYPE_OR_VALUE_EXISTS, N_("Type or value exists"));
C(LDAP_INVALID_SYNTAX, N_("Invalid syntax"));
C(LDAP_NO_SUCH_OBJECT, N_("No such object"));
C(LDAP_ALIAS_PROBLEM, N_("Alias problem"));
C(LDAP_INVALID_DN_SYNTAX, N_("Invalid DN syntax"));
C(LDAP_ALIAS_DEREF_PROBLEM, N_("Alias dereferencing problem"));
C(LDAP_INAPPROPRIATE_AUTH, N_("Inappropriate authentication"));
C(LDAP_INVALID_CREDENTIALS, N_("Invalid credentials"));
C(LDAP_INSUFFICIENT_ACCESS, N_("Insufficient access"));
C(LDAP_BUSY, N_("Server is busy"));
C(LDAP_UNAVAILABLE, N_("Server is unavailable"));
C(LDAP_UNWILLING_TO_PERFORM, N_("Server is unwilling to perform"));
C(LDAP_LOOP_DETECT, N_("Loop detected"));
C(LDAP_NAMING_VIOLATION, N_("Naming violation"));
C(LDAP_OBJECT_CLASS_VIOLATION, N_("Object class violation"));
C(LDAP_NOT_ALLOWED_ON_NONLEAF, N_("Operation not allowed on non-leaf"));
C(LDAP_NOT_ALLOWED_ON_RDN, N_("Operation not allowed on RDN"));
C(LDAP_ALREADY_EXISTS, N_("Already exists"));
C(LDAP_NO_OBJECT_CLASS_MODS, N_("Cannot modify object class"));
C(LDAP_AFFECTS_MULTIPLE_DSAS, N_("Operation affects multiple DSAs"));
/* Virtual List View draft */
C(LDAP_VLV_ERROR, N_("Virtual List View error"));
C(LDAP_OTHER, N_("Other (e.g., implementation specific) error"));
/* LDAPv2 (RFC 1777) codes */
C(LDAP_PARTIAL_RESULTS, N_("Partial results and referral received"));
C(LDAP_IS_LEAF, N_("Entry is a leaf"));
/* Connection-less LDAP (CLDAP - RFC 1798) code */
C(LDAP_RESULTS_TOO_LARGE, N_("Results too large"));
/* Cancel Operation (RFC 3909) codes */
C(LDAP_CANCELLED, N_("Cancelled"));
C(LDAP_NO_SUCH_OPERATION, N_("No Operation to Cancel"));
C(LDAP_TOO_LATE, N_("Too Late to Cancel"));
C(LDAP_CANNOT_CANCEL, N_("Cannot Cancel"));
/* Assert Control (RFC 4528 and old internet-draft) codes */
C(LDAP_ASSERTION_FAILED, N_("Assertion Failed"));
C(LDAP_X_ASSERTION_FAILED, N_("Assertion Failed (X)"));
/* Proxied Authorization Control (RFC 4370 and I-D) codes */
C(LDAP_PROXIED_AUTHORIZATION_DENIED, N_("Proxied Authorization Denied"));
C(LDAP_X_PROXY_AUTHZ_FAILURE, N_("Proxy Authorization Failure (X)"));
/* Content Sync Operation (RFC 4533 and I-D) codes */
C(LDAP_SYNC_REFRESH_REQUIRED, N_("Content Sync Refresh Required"));
C(LDAP_X_SYNC_REFRESH_REQUIRED, N_("Content Sync Refresh Required (X)"));
/* No-Op Control (draft-zeilenga-ldap-noop) code */
C(LDAP_X_NO_OPERATION, N_("No Operation (X)"));
/* Client Update Protocol (RFC 3928) codes */
C(LDAP_CUP_RESOURCES_EXHAUSTED, N_("LCUP Resources Exhausted"));
C(LDAP_CUP_SECURITY_VIOLATION, N_("LCUP Security Violation"));
C(LDAP_CUP_INVALID_DATA, N_("LCUP Invalid Data"));
C(LDAP_CUP_UNSUPPORTED_SCHEME, N_("LCUP Unsupported Scheme"));
C(LDAP_CUP_RELOAD_REQUIRED, N_("LCUP Reload Required"));
#ifdef LDAP_X_TXN
/* Codes related to LDAP Transactions (draft-zeilenga-ldap-txn) */
C(LDAP_X_TXN_SPECIFY_OKAY, N_("TXN specify okay"));
C(LDAP_X_TXN_ID_INVALID, N_("TXN ID is invalid"));
#endif
/* API codes - renumbered since draft-ietf-ldapext-ldap-c-api */
C(LDAP_SERVER_DOWN, N_("Can't contact LDAP server"));
C(LDAP_LOCAL_ERROR, N_("Local error"));
C(LDAP_ENCODING_ERROR, N_("Encoding error"));
C(LDAP_DECODING_ERROR, N_("Decoding error"));
C(LDAP_TIMEOUT, N_("Timed out"));
C(LDAP_AUTH_UNKNOWN, N_("Unknown authentication method"));
C(LDAP_FILTER_ERROR, N_("Bad search filter"));
C(LDAP_USER_CANCELLED, N_("User cancelled operation"));
C(LDAP_PARAM_ERROR, N_("Bad parameter to an ldap routine"));
C(LDAP_NO_MEMORY, N_("Out of memory"));
C(LDAP_CONNECT_ERROR, N_("Connect error"));
C(LDAP_NOT_SUPPORTED, N_("Not Supported"));
C(LDAP_CONTROL_NOT_FOUND, N_("Control not found"));
C(LDAP_NO_RESULTS_RETURNED, N_("No results returned"));
C(LDAP_MORE_RESULTS_TO_RETURN, N_("More results to return"));
C(LDAP_CLIENT_LOOP, N_("Client Loop"));
C(LDAP_REFERRAL_LIMIT_EXCEEDED, N_("Referral Limit Exceeded"));
# undef C
default:
m = (LDAP_API_ERROR(err) ? N_("Unknown API error")
: LDAP_E_ERROR(err) ? N_("Unknown (extension) error")
: LDAP_X_ERROR(err) ? N_("Unknown (private extension) error")
: N_("Unknown error"));
break;
}
return _(m);
}
void
slap_send_ldap_result( Operation *op, SlapReply *rs )
{
char *tmp = NULL;
const char *otext = rs->sr_text;
BerVarray oref = rs->sr_ref;
rs->sr_type = REP_RESULT;
/* Propagate Abandons so that cleanup callbacks can be processed */
if ( rs->sr_err == SLAPD_ABANDON || op->o_abandon )
goto abandon;
Debug( LDAP_DEBUG_TRACE,
"send_ldap_result: %s p=%d\n",
op->o_log_prefix, op->o_protocol );
Debug( LDAP_DEBUG_ARGS,
"send_ldap_result: err=%d matched=\"%s\" text=\"%s\"\n",
rs->sr_err, rs->sr_matched ? rs->sr_matched : "",
rs->sr_text ? rs->sr_text : "" );
if( rs->sr_ref ) {
Debug( LDAP_DEBUG_ARGS,
"send_ldap_result: referral=\"%s\"\n",
rs->sr_ref[0].bv_val ? rs->sr_ref[0].bv_val : "NULL" );
}
assert( !LDAP_API_ERROR( rs->sr_err ) );
assert( rs->sr_err != LDAP_PARTIAL_RESULTS );
if ( rs->sr_err == LDAP_REFERRAL ) {
if( op->o_domain_scope ) rs->sr_ref = NULL;
if( rs->sr_ref == NULL ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else if ( op->o_protocol < LDAP_VERSION3 ) {
rs->sr_err = LDAP_PARTIAL_RESULTS;
}
}
if ( op->o_protocol < LDAP_VERSION3 ) {
tmp = v2ref( rs->sr_ref, rs->sr_text );
rs->sr_text = tmp;
rs->sr_ref = NULL;
}
abandon:
rs->sr_tag = slap_req2res( op->o_tag );
rs->sr_msgid = (rs->sr_tag != LBER_SEQUENCE) ? op->o_msgid : 0;
if ( rs->sr_flags & REP_REF_MUSTBEFREED ) {
if ( rs->sr_ref == NULL ) {
rs->sr_flags ^= REP_REF_MUSTBEFREED;
ber_bvarray_free( oref );
}
oref = NULL; /* send_ldap_response() will free rs->sr_ref if != NULL */
}
if ( send_ldap_response( op, rs ) == SLAP_CB_CONTINUE ) {
if ( op->o_tag == LDAP_REQ_SEARCH ) {
Statslog( LDAP_DEBUG_STATS,
"%s SEARCH RESULT tag=%lu err=%d nentries=%d text=%s\n",
op->o_log_prefix, rs->sr_tag, rs->sr_err,
rs->sr_nentries, rs->sr_text ? rs->sr_text : "" );
} else {
Statslog( LDAP_DEBUG_STATS,
"%s RESULT tag=%lu err=%d text=%s\n",
op->o_log_prefix, rs->sr_tag, rs->sr_err,
rs->sr_text ? rs->sr_text : "" );
}
}
if( tmp != NULL ) ch_free(tmp);
rs->sr_text = otext;
rs->sr_ref = oref;
}
int translate_ldap_error(int err, int op) {
switch (err) {
case LDAP_SUCCESS:
return 0;
case LDAP_OPERATIONS_ERROR:
/* LDAP_OPERATIONS_ERROR: Indicates an internal error. The server is
* unable to respond with a more specific error and is also unable
* to properly respond to a request */
case LDAP_UNAVAILABLE_CRITICAL_EXTENSION:
/* LDAP server was unable to satisfy a request because one or more
* critical extensions were not available */
/* This might mean that the schema was not extended ... */
case LDAP_UNDEFINED_TYPE:
/* The attribute specified in the modify or add operation does not
* exist in the LDAP server's schema. */
return KRB5_KDB_INTERNAL_ERROR;
case LDAP_INAPPROPRIATE_MATCHING:
/* The matching rule specified in the search filter does not match a
* rule defined for the attribute's syntax */
return KRB5_KDB_UK_RERROR;
case LDAP_CONSTRAINT_VIOLATION:
/* The attribute value specified in a modify, add, or modify DN
* operation violates constraints placed on the attribute */
case LDAP_TYPE_OR_VALUE_EXISTS:
/* The attribute value specified in a modify or add operation
* already exists as a value for that attribute */
return KRB5_KDB_UK_SERROR;
case LDAP_INVALID_SYNTAX:
/* The attribute value specified in an add, compare, or modify
* operation is an unrecognized or invalid syntax for the attribute */
if (op == OP_ADD || op == OP_MOD)
return KRB5_KDB_UK_SERROR;
else /* OP_CMP */
return KRB5_KDB_UK_RERROR;
/* Ensure that the following don't occur in the DAL-LDAP code.
* Don't rely on the LDAP server to catch it */
case LDAP_SASL_BIND_IN_PROGRESS:
/* This is not an error. So, this function should not be called */
case LDAP_COMPARE_FALSE:
case LDAP_COMPARE_TRUE:
/* LDAP_COMPARE_FALSE and LDAP_COMPARE_TRUE are not errors. This
* function should not be invoked for them */
case LDAP_RESULTS_TOO_LARGE: /* CLDAP */
case LDAP_TIMELIMIT_EXCEEDED:
case LDAP_SIZELIMIT_EXCEEDED:
return KRB5_KDB_SERVER_INTERNAL_ERR;
case LDAP_INVALID_DN_SYNTAX:
/* The syntax of the DN is incorrect */
return EINVAL;
case LDAP_PROTOCOL_ERROR:
/* LDAP_PROTOCOL_ERROR: Indicates that the server has received an
* invalid or malformed request from the client */
case LDAP_CONFIDENTIALITY_REQUIRED:
/* Bind problems ... */
case LDAP_AUTH_METHOD_NOT_SUPPORTED:
/* case LDAP_STRONG_AUTH_NOT_SUPPORTED: // Is this a bind error ? */
case LDAP_INAPPROPRIATE_AUTH:
case LDAP_INVALID_CREDENTIALS:
case LDAP_UNAVAILABLE:
case LDAP_SERVER_DOWN: /* Solaris Kerberos */
case LDAP_CONNECT_ERROR: /* Solaris Kerberos */
return KRB5_KDB_ACCESS_ERROR;
case LDAP_STRONG_AUTH_REQUIRED:
if (op == OP_BIND) /* the LDAP server accepts only strong authentication. */
return KRB5_KDB_ACCESS_ERROR;
else /* Client requested an operation such that requires strong authentication */
return KRB5_KDB_CONSTRAINT_VIOLATION;
case LDAP_REFERRAL:
return KRB5_KDB_NOENTRY;
case LDAP_ADMINLIMIT_EXCEEDED:
/* An LDAP server limit set by an administrative authority has been
* exceeded */
return KRB5_KDB_CONSTRAINT_VIOLATION;
case LDAP_UNWILLING_TO_PERFORM:
/* The LDAP server cannot process the request because of
* server-defined restrictions */
return KRB5_KDB_CONSTRAINT_VIOLATION;
case LDAP_NO_SUCH_ATTRIBUTE:
/* Indicates that the attribute specified in the modify or compare
* operation does not exist in the entry */
if (op == OP_MOD)
return KRB5_KDB_UK_SERROR;
else /* OP_CMP */
return KRB5_KDB_TRUNCATED_RECORD;
case LDAP_ALIAS_DEREF_PROBLEM:
/* Either the client does not have access rights to read the aliased
* object's name or dereferencing is not allowed */
#ifdef LDAP_PROXY_AUTHZ_FAILURE
case LDAP_PROXY_AUTHZ_FAILURE: // Is this correct ?
#endif
case LDAP_INSUFFICIENT_ACCESS:
/* Caller does not have sufficient rights to perform the requested
* operation */
return KRB5_KDB_UNAUTH;
case LDAP_LOOP_DETECT:
/* Client discovered an alias or referral loop */
return KRB5_KDB_DB_CORRUPT;
default:
if (LDAP_NAME_ERROR (err))
return KRB5_KDB_NOENTRY;
/*LINTED*/
if (LDAP_SECURITY_ERROR (err))
return KRB5_KDB_UNAUTH;
/*LINTED*/
if (LDAP_SERVICE_ERROR (err) || LDAP_API_ERROR (err) || LDAP_X_ERROR (err))
return KRB5_KDB_ACCESS_ERROR;
/*LINTED*/
if (LDAP_UPDATE_ERROR(err))
return KRB5_KDB_UK_SERROR;
/* LDAP_OTHER */
return KRB5_KDB_SERVER_INTERNAL_ERR;
}
}
int lds_search_async(
char* _lds_name,
char* _dn,
int _scope,
char* _filter,
char** _attrs,
struct timeval* _search_timeout,
int* _ld_result_count,
int* _ld_error,
int* _msgidp)
{
struct ld_session* lds;
struct timeval zerotime;
#ifdef LDAP_PERF
struct timeval before_search = { 0, 0 }, after_search = { 0, 0 };
#endif
/*
* get ld_handle
*/
if (get_connected_ldap_session(_lds_name, &lds) != 0)
{
LM_ERR("[%s]: couldn't get ldap session\n", _lds_name);
return -1;
}
/*
* free last_ldap_result
*/
if (last_ldap_result != NULL) {
ldap_msgfree(last_ldap_result);
last_ldap_result = NULL;
}
LM_DBG( "[%s]: performing LDAP search: dn [%s],"
" scope [%d], filter [%s], client_timeout [%d] usecs\n",
_lds_name,
_dn,
_scope,
_filter,
(int)(lds->client_search_timeout.tv_sec * 1000000
+ lds->client_search_timeout.tv_usec));
#ifdef LDAP_PERF
gettimeofday(&before_search, NULL);
#endif
/*
* perform ldap search
*/
*_ld_error = ldap_search_ext(
lds->handle,
_dn,
_scope,
_filter,
_attrs,
0,
NULL,
NULL,
&lds->client_search_timeout,
0,
_msgidp);
#ifdef LDAP_PERF
gettimeofday(&after_search, NULL);
LM_INFO("[%s]: LDAP search took [%d] usecs\n",
_lds_name,
(int)((after_search.tv_sec * 1000000 + after_search.tv_usec)
- (before_search.tv_sec * 1000000 + before_search.tv_usec)));
#endif
if (*_ld_error != LDAP_SUCCESS)
{
if (last_ldap_result != NULL)
{
ldap_msgfree(last_ldap_result);
last_ldap_result = NULL;
}
if (LDAP_API_ERROR(*_ld_error))
{
ldap_disconnect(_lds_name);
}
LM_DBG( "[%s]: ldap_search_ext_st failed: %s\n",
_lds_name,
ldap_err2string(*_ld_error));
return -1;
}
zerotime.tv_sec = zerotime.tv_usec = 0L;
*_ld_error = ldap_result(lds->handle, *_msgidp, LDAP_MSG_ALL,
&zerotime, &last_ldap_result);
switch (*_ld_error) {
case -1:
LM_ERR("[%s]: ldap result failed\n", _lds_name);
return -1;
case 0:
/* receive did not succeed; reactor needed */
return 0;
default:
/* receive successfull */
*_msgidp = -1;
break;
}
last_ldap_handle = lds->handle;
*_ld_result_count = ldap_count_entries(lds->handle, last_ldap_result);
if (*_ld_result_count < 0)
{
LM_DBG("[%s]: ldap_count_entries failed\n", _lds_name);
return -1;
}
return 0;
}