LDAP *
ldap_open( LDAP_CONST char *host, int port )
{
int rc;
LDAP *ld;
Debug( LDAP_DEBUG_TRACE, "ldap_open(%s, %d)\n",
host, port, 0 );
ld = ldap_init( host, port );
if ( ld == NULL ) {
return( NULL );
}
rc = ldap_open_defconn( ld );
if( rc < 0 ) {
ldap_ld_free( ld, 0, NULL, NULL );
ld = NULL;
}
Debug( LDAP_DEBUG_TRACE, "ldap_open: %s\n",
ld != NULL ? "succeeded" : "failed", 0, 0 );
return ld;
}
int
ldap_initialize( LDAP **ldp, LDAP_CONST char *url )
{
int rc;
LDAP *ld;
*ldp = NULL;
rc = ldap_create(&ld);
if ( rc != LDAP_SUCCESS )
return rc;
if (url != NULL) {
rc = ldap_set_option(ld, LDAP_OPT_URI, url);
if ( rc != LDAP_SUCCESS ) {
ldap_ld_free(ld, 1, NULL, NULL);
return rc;
}
#ifdef LDAP_CONNECTIONLESS
if (ldap_is_ldapc_url(url))
LDAP_IS_UDP(ld) = 1;
#endif
}
*ldp = ld;
return LDAP_SUCCESS;
}
LDAP *
ldap_ssl_open(char *host, int port, char *keyname)
{
LDAP *ld;
int rval;
if (port == 0)
port = SSL_LDAP_PORT;
ld = ldap_open(host, port);
Debug(LDAP_DEBUG_TRACE, catgets(slapdcat, 1, 197,
"ldap_ssl_open (after ldap_open)\n"), 0, 0, 0);
if (ld == NULL)
return (NULL);
ld->ld_use_ssl = 1;
if (keyname)
ld->ld_ssl_key = strdup(keyname);
if (establish_ssl_connection(ld) != 0) {
ldap_ld_free(ld, 1);
return (NULL);
}
return (ld);
}
int
ldap_unbind_ext(
LDAP *ld,
LDAPControl **sctrls,
LDAPControl **cctrls )
{
int rc;
assert( ld != NULL );
assert( LDAP_VALID( ld ) );
/* check client controls */
rc = ldap_int_client_controls( ld, cctrls );
if( rc != LDAP_SUCCESS ) return rc;
return ldap_ld_free( ld, 1, sctrls, cctrls );
}
LDAP *LDAP_CALL ldap_open(const char *host, int port) {
LDAP *ld;
LDAPDebug(LDAP_DEBUG_TRACE, "ldap_open\n", 0, 0, 0);
if ((ld = ldap_init(host, port)) == NULL) {
return (NULL);
}
LDAP_MUTEX_LOCK(ld, LDAP_CONN_LOCK);
if (nsldapi_open_ldap_defconn(ld) < 0) {
LDAP_MUTEX_UNLOCK(ld, LDAP_CONN_LOCK);
ldap_ld_free(ld, NULL, NULL, 0);
return (NULL);
}
LDAP_MUTEX_UNLOCK(ld, LDAP_CONN_LOCK);
LDAPDebug(LDAP_DEBUG_TRACE, "ldap_open successful, ld_host is %s\n",
(ld->ld_host == NULL) ? "(null)" : ld->ld_host, 0, 0);
return (ld);
}
/*
* ldap_init - initialize the LDAP library. A magic cookie to be used for
* future communication is returned on success, NULL on failure.
* "host" may be a space-separated list of hosts or IP addresses
*
* Example:
* LDAP *ld;
* ld = ldap_init( host, port );
*/
LDAP *
ldap_init( LDAP_CONST char *defhost, int defport )
{
LDAP *ld;
int rc;
rc = ldap_create(&ld);
if ( rc != LDAP_SUCCESS )
return NULL;
if (defport != 0)
ld->ld_options.ldo_defport = defport;
if (defhost != NULL) {
rc = ldap_set_option(ld, LDAP_OPT_HOST_NAME, defhost);
if ( rc != LDAP_SUCCESS ) {
ldap_ld_free(ld, 1, NULL, NULL);
return NULL;
}
}
return( ld );
}
LDAP *
ldap_open(char *host, int port)
{
LDAP *ld;
int err;
if ((ld = ldap_init(host, port)) == NULL) {
return (NULL);
}
Debug(LDAP_DEBUG_TRACE, catgets(slapdcat, 1, 113,
"ldap_open (after ldap_init)\n"), 0, 0, 0);
#ifdef _REENTRANT
LOCK_LDAP(ld);
#endif
if ((err = open_default_ldap_connection(ld)) != LDAP_SUCCESS) {
#ifdef _REENTRANT
UNLOCK_LDAP(ld);
#endif
ldap_ld_free(ld, 0);
Debug(LDAP_DEBUG_ANY, catgets(slapdcat, 1, 1275,
"ldap_open failed, %s\n"),
ldap_err2string(err), 0, 0);
return (NULL);
}
Debug(LDAP_DEBUG_TRACE, catgets(slapdcat, 1, 194,
"ldap_open successful, ld_host is %s\n"),
(ld->ld_host == NULL) ? "(null)" : ld->ld_host, 0, 0);
#ifdef _REENTRANT
UNLOCK_LDAP(ld);
#endif
return (ld);
}
int
ldap_destroy( LDAP *ld )
{
return ( ldap_ld_free( ld, 1, NULL, NULL ) );
}
int
ldap_init_fd(
ber_socket_t fd,
int proto,
LDAP_CONST char *url,
LDAP **ldp
)
{
int rc;
LDAP *ld;
LDAPConn *conn;
*ldp = NULL;
rc = ldap_create( &ld );
if( rc != LDAP_SUCCESS )
return( rc );
if (url != NULL) {
rc = ldap_set_option(ld, LDAP_OPT_URI, url);
if ( rc != LDAP_SUCCESS ) {
ldap_ld_free(ld, 1, NULL, NULL);
return rc;
}
}
/* Attach the passed socket as the LDAP's connection */
conn = ldap_new_connection( ld, NULL, 1, 0, NULL);
if( conn == NULL ) {
ldap_unbind_ext( ld, NULL, NULL );
return( LDAP_NO_MEMORY );
}
ber_sockbuf_ctrl( conn->lconn_sb, LBER_SB_OPT_SET_FD, &fd );
ld->ld_defconn = conn;
++ld->ld_defconn->lconn_refcnt; /* so it never gets closed/freed */
switch( proto ) {
case LDAP_PROTO_TCP:
#ifdef LDAP_DEBUG
ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_debug,
LBER_SBIOD_LEVEL_PROVIDER, (void *)"tcp_" );
#endif
ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_tcp,
LBER_SBIOD_LEVEL_PROVIDER, NULL );
break;
#ifdef LDAP_CONNECTIONLESS
case LDAP_PROTO_UDP:
#ifdef LDAP_DEBUG
ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_debug,
LBER_SBIOD_LEVEL_PROVIDER, (void *)"udp_" );
#endif
ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_udp,
LBER_SBIOD_LEVEL_PROVIDER, NULL );
ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_readahead,
LBER_SBIOD_LEVEL_PROVIDER, NULL );
break;
#endif /* LDAP_CONNECTIONLESS */
case LDAP_PROTO_IPC:
#ifdef LDAP_DEBUG
ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_debug,
LBER_SBIOD_LEVEL_PROVIDER, (void *)"ipc_" );
#endif
ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_fd,
LBER_SBIOD_LEVEL_PROVIDER, NULL );
break;
case LDAP_PROTO_EXT:
/* caller must supply sockbuf handlers */
break;
default:
ldap_unbind_ext( ld, NULL, NULL );
return LDAP_PARAM_ERROR;
}
#ifdef LDAP_DEBUG
ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_debug,
INT_MAX, (void *)"ldap_" );
#endif
/* Add the connection to the *LDAP's select pool */
ldap_mark_select_read( ld, conn->lconn_sb );
ldap_mark_select_write( ld, conn->lconn_sb );
*ldp = ld;
return LDAP_SUCCESS;
}
void
cldap_close( LDAP *ld )
{
ldap_ld_free( ld, 0 );
}
/*
* asyncmeta_single_bind
*
* attempts to perform a bind with creds
*/
static int
asyncmeta_single_bind(
Operation *op,
SlapReply *rs,
a_metaconn_t *mc,
int candidate )
{
a_metainfo_t *mi = mc->mc_info;
a_metatarget_t *mt = mi->mi_targets[ candidate ];
struct berval mdn = BER_BVNULL;
a_metasingleconn_t *msc = &mc->mc_conns[ candidate ];
int msgid;
a_dncookie dc;
struct berval save_o_dn;
int save_o_do_not_cache;
LDAPControl **ctrls = NULL;
if ( !BER_BVISNULL( &msc->msc_bound_ndn ) ) {
ch_free( msc->msc_bound_ndn.bv_val );
BER_BVZERO( &msc->msc_bound_ndn );
}
if ( !BER_BVISNULL( &msc->msc_cred ) ) {
/* destroy sensitive data */
memset( msc->msc_cred.bv_val, 0, msc->msc_cred.bv_len );
ch_free( msc->msc_cred.bv_val );
BER_BVZERO( &msc->msc_cred );
}
/*
* Rewrite the bind dn if needed
*/
dc.target = mt;
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = "bindDN";
if ( asyncmeta_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
rs->sr_text = "DN rewrite error";
rs->sr_err = LDAP_OTHER;
return rs->sr_err;
}
/* don't add proxyAuthz; set the bindDN */
save_o_dn = op->o_dn;
save_o_do_not_cache = op->o_do_not_cache;
op->o_do_not_cache = 1;
op->o_dn = op->o_req_dn;
ctrls = op->o_ctrls;
rs->sr_err = asyncmeta_controls_add( op, rs, mc, candidate, &ctrls );
op->o_dn = save_o_dn;
op->o_do_not_cache = save_o_do_not_cache;
if ( rs->sr_err != LDAP_SUCCESS ) {
goto return_results;
}
/* FIXME: this fixes the bind problem right now; we need
* to use the asynchronous version to get the "matched"
* and more in case of failure ... */
/* FIXME: should we check if at least some of the op->o_ctrls
* can/should be passed? */
for (;;) {
rs->sr_err = ldap_sasl_bind( msc->msc_ld, mdn.bv_val,
LDAP_SASL_SIMPLE, &op->orb_cred,
ctrls, NULL, &msgid );
if ( rs->sr_err != LDAP_X_CONNECTING ) {
break;
}
ldap_pvt_thread_yield();
}
mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
asyncmeta_bind_op_result( op, rs, mc, candidate, msgid, LDAP_BACK_DONTSEND, 1 );
if ( rs->sr_err != LDAP_SUCCESS ) {
goto return_results;
}
/* If defined, proxyAuthz will be used also when
* back-ldap is the authorizing backend; for this
* purpose, a successful bind is followed by a
* bind with the configured identity assertion */
/* NOTE: use with care */
if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) {
asyncmeta_proxy_authz_bind( mc, candidate, op, rs, LDAP_BACK_SENDERR, 1 );
if ( !LDAP_BACK_CONN_ISBOUND( msc ) ) {
goto return_results;
}
goto cache_refresh;
}
ber_bvreplace( &msc->msc_bound_ndn, &op->o_req_ndn );
LDAP_BACK_CONN_ISBOUND_SET( msc );
mc->mc_authz_target = candidate;
if ( META_BACK_TGT_SAVECRED( mt ) ) {
if ( !BER_BVISNULL( &msc->msc_cred ) ) {
memset( msc->msc_cred.bv_val, 0,
msc->msc_cred.bv_len );
}
ber_bvreplace( &msc->msc_cred, &op->orb_cred );
ldap_set_rebind_proc( msc->msc_ld, mt->mt_rebind_f, msc );
}
cache_refresh:;
if ( mi->mi_cache.ttl != META_DNCACHE_DISABLED
&& !BER_BVISEMPTY( &op->o_req_ndn ) )
{
( void )asyncmeta_dncache_update_entry( &mi->mi_cache,
&op->o_req_ndn, candidate );
}
return_results:;
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
free( mdn.bv_val );
}
if ( META_BACK_TGT_QUARANTINE( mt ) ) {
asyncmeta_quarantine( op, mi, rs, candidate );
}
ldap_unbind_ext( msc->msc_ld, NULL, NULL );
msc->msc_ld = NULL;
ldap_ld_free( msc->msc_ldr, 0, NULL, NULL );
msc->msc_ldr = NULL;
return rs->sr_err;
}
static int pam_bindcb(
Operation *op, SlapReply *rs)
{
struct paminfo *pi = op->o_callback->sc_private;
LDAPControl *ctrl = ldap_control_find(LDAP_CONTROL_PASSWORDPOLICYRESPONSE,
rs->sr_ctrls, NULL);
if (ctrl) {
LDAP *ld;
ber_int_t expire, grace;
LDAPPasswordPolicyError error;
ldap_create(&ld);
if (ld) {
int rc = ldap_parse_passwordpolicy_control(ld,ctrl,
&expire,&grace,&error);
if (rc == LDAP_SUCCESS) {
if (expire >= 0) {
char *unit = "seconds";
if (expire > 60) {
expire /= 60;
unit = "minutes";
}
if (expire > 60) {
expire /= 60;
unit = "hours";
}
if (expire > 24) {
expire /= 24;
unit = "days";
}
#if 0 /* Who warns about expiration so far in advance? */
if (expire > 7) {
expire /= 7;
unit = "weeks";
}
if (expire > 4) {
expire /= 4;
unit = "months";
}
if (expire > 12) {
expire /= 12;
unit = "years";
}
#endif
pi->msg.bv_len = sprintf(pi->msg.bv_val,
"\nWARNING: Password expires in %d %s\n", expire, unit);
} else if (grace > 0) {
pi->msg.bv_len = sprintf(pi->msg.bv_val,
"Password expired; %d grace logins remaining",
grace);
pi->authz = NSLCD_PAM_NEW_AUTHTOK_REQD;
} else if (error != PP_noError) {
ber_str2bv(ldap_passwordpolicy_err2txt(error), 0, 0,
&pi->msg);
switch (error) {
case PP_passwordExpired:
/* report this during authz */
rs->sr_err = LDAP_SUCCESS;
/* fallthru */
case PP_changeAfterReset:
pi->authz = NSLCD_PAM_NEW_AUTHTOK_REQD;
}
}
}
ldap_ld_free(ld,0,NULL,NULL);
}
}
return LDAP_SUCCESS;
}
