示例#1
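/*
 * Check that ldap_context carries the parameters needed for an LDAP bind,
 * reading the service secret from the stash file when no bind password was
 * supplied directly.
 *
 * A stash entry beginning with "{FILE}" is treated as a certificate reference
 * and is copied into service_cert_path / service_cert_pass; any other entry
 * becomes bind_pwd, and ownership of the buffer returned by
 * krb5_ldap_readpassword() moves to ldap_context.
 *
 * Returns 0 on success, EINVAL if a required value is missing or empty,
 * ENOMEM if a copy cannot be allocated, or the error returned by
 * krb5_ldap_readpassword().
 */
static krb5_error_code
krb5_validate_ldap_context(krb5_context context,
                           krb5_ldap_context *ldap_context)
{
    krb5_error_code             st=0;
    unsigned char               *password=NULL;
    char                        *cert_path=NULL;
    char                        *cert_pass=NULL;
    size_t                      len;

    if (ldap_context->bind_dn == NULL) {
        st = EINVAL;
        krb5_set_error_message(context, st, _("LDAP bind dn value missing "));
        goto err_out;
    }

    if (ldap_context->bind_pwd == NULL && ldap_context->service_password_file == NULL) {
        st = EINVAL;
        krb5_set_error_message(context, st,
                               _("LDAP bind password value missing "));
        goto err_out;
    }

    if (ldap_context->bind_pwd == NULL && ldap_context->service_password_file !=
            NULL && ldap_context->service_cert_path == NULL) {
        if ((st=krb5_ldap_readpassword(context, ldap_context, &password)) != 0) {
            prepend_err_str(context, _("Error reading password from stash: "),
                            st, st);
            goto err_out;
        }

        /* Reject a "successful" read that produced no buffer before any
         * string function touches it; checking after strncmp() is too late. */
        if (password == NULL) {
            st = EINVAL;
            krb5_set_error_message(context, st,
                                   _("Error reading password from stash"));
            goto err_out;
        }

        /* Check if the returned 'password' is actually the path of a certificate */
        if (!strncmp("{FILE}", (char *)password, strlen("{FILE}"))) {
            /* 'password' format: <path>\0<password>
             * NOTE(review): reading the byte after the first terminator
             * relies on krb5_ldap_readpassword() always appending that second
             * field (possibly empty) -- confirm against the helper. */
            len = strlen((char *)password);
            cert_path = strdup((char *)password + strlen("{FILE}"));
            if (cert_path == NULL) {
                st = ENOMEM;
            } else if (password[len + 1] != '\0') {
                cert_pass = strdup((char *)password + len + 1);
                if (cert_pass == NULL)
                    st = ENOMEM;
            }

            /* NOTE(review): this buffer can hold the certificate passphrase
             * and is released without being wiped; consider the project's
             * zeroization helper before free(). */
            free(password);

            if (st != 0) {
                /* Do not leave a half-populated certificate configuration. */
                free(cert_path);
                goto err_out;
            }
            ldap_context->service_cert_path = cert_path;
            ldap_context->service_cert_pass = cert_pass;
        } else {
            /* The context now owns the stash buffer as the bind password. */
            ldap_context->bind_pwd = (char *)password;
        }
    }

    /* An empty (zero-length) bind password is not allowed */
    if (ldap_context->bind_pwd != NULL && strlen(ldap_context->bind_pwd) == 0) {
        st = EINVAL;
        krb5_set_error_message(context, st,
                               _("Service password length is zero"));
        goto err_out;
    }

err_out:
    return st;
}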
示例#2
/*
 * Verify that ctx holds what is needed to authenticate to the LDAP server,
 * loading the password from the stash file when one is configured and no
 * password was given directly.
 *
 * With a SASL mechanism configured the password is optional and this always
 * returns 0.  For a simple bind, returns EINVAL when the DN or password is
 * missing or the password is empty, or the error from
 * krb5_ldap_readpassword().
 */
static krb5_error_code
validate_context(krb5_context context, krb5_ldap_context *ctx)
{
    krb5_error_code code;

    if (ctx->sasl_mech != NULL) {
        /* Nothing to load if a password is already present or there is no
         * authcid / stash file to look it up with. */
        if (ctx->bind_pwd != NULL || ctx->sasl_authcid == NULL ||
            ctx->service_password_file == NULL)
            return 0;

        /* Best effort only: the result is deliberately discarded because
         * not every SASL mechanism needs a secret. */
        (void)krb5_ldap_readpassword(context, ctx->service_password_file,
                                     ctx->sasl_authcid, &ctx->bind_pwd);
        return 0;
    }

    /* Simple bind from here on: both a DN and a password are mandatory. */

    if (ctx->bind_dn == NULL) {
        k5_setmsg(context, EINVAL, _("LDAP bind dn value missing"));
        return EINVAL;
    }

    if (ctx->bind_pwd == NULL) {
        if (ctx->service_password_file == NULL) {
            k5_setmsg(context, EINVAL, _("LDAP bind password value missing"));
            return EINVAL;
        }

        /* No inline password; fetch the entry stored for the bind DN. */
        code = krb5_ldap_readpassword(context, ctx->service_password_file,
                                      ctx->bind_dn, &ctx->bind_pwd);
        if (code != 0) {
            prepend_err_str(context, _("Error reading password from stash: "),
                            code, code);
            return code;
        }
    }

    /* Reject a zero-length password.
     * NOTE(review): the dereference assumes krb5_ldap_readpassword() sets
     * bind_pwd to a non-NULL string whenever it returns 0 -- confirm. */
    if (ctx->bind_pwd[0] == '\0') {
        k5_setmsg(context, EINVAL, _("Service password length is zero"));
        return EINVAL;
    }

    return 0;
}