4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
23 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright 2012 Nexenta Systems, Inc. All rights reserved.
38 #include <nss_dbdefs.h>
39 #include "solaris-priv.h"
40 #include "solaris-int.h"
42 #include "ns_internal.h"
43 #include "ns_cache_door.h"
44 #include "ns_connmgmt.h"
51 #define USE_DEFAULT_PORT 0
53 static ns_ldap_return_code
performBind(const ns_cred_t
*,
59 static ns_ldap_return_code
createSession(const ns_cred_t
*,
66 extern int ldap_sasl_cram_md5_bind_s(LDAP
*, char *, struct berval
*,
67 LDAPControl
**, LDAPControl
**);
68 extern int ldapssl_install_gethostbyaddr(LDAP
*ld
, const char *skip
);
70 extern int __door_getconf(char **buffer
, int *buflen
,
71 ns_ldap_error_t
**error
, int callnumber
);
72 extern int __ns_ldap_freeUnixCred(UnixCred_t
**credp
);
73 extern int SetDoorInfoToUnixCred(char *buffer
,
74 ns_ldap_error_t
**errorp
,
77 static int openConnection(LDAP
**, const char *, const ns_cred_t
*,
78 int, ns_ldap_error_t
**, int, int, ns_conn_user_t
*, int);
80 _DropConnection(ConnectionID cID
, int flag
, int fini
);
82 static mutex_t sessionPoolLock
= DEFAULTMUTEX
;
84 static Connection
**sessionPool
= NULL
;
85 static int sessionPoolSize
= 0;
88 * SSF values are for SASL integrity & privacy.
89 * JES DS5.2 does not support this feature but DS6 does.
90 * The values between 0 and 65535 can work with both server versions.
92 #define MAX_SASL_SSF 65535
93 #define MIN_SASL_SSF 0
95 /* Number of hostnames to allocate memory for */
96 #define NUMTOMALLOC 32
99 * This function get the servers from the lists and returns
100 * the first server with the empty lists of server controls and
101 * SASL mechanisms. It is invoked if it is not possible to obtain a server
102 * from ldap_cachemgr or the local list.
106 getFirstFromConfig(ns_server_info_t
*ret
, ns_ldap_error_t
**error
)
108 char **servers
= NULL
;
109 ns_ldap_return_code ret_code
;
110 char errstr
[MAXERROR
];
112 /* get first server from config list unavailable otherwise */
113 ret_code
= __s_api_getServers(&servers
, error
);
114 if (ret_code
!= NS_LDAP_SUCCESS
) {
115 if (servers
!= NULL
) {
116 __s_api_free2dArray(servers
);
121 if (servers
== NULL
|| servers
[0] == NULL
) {
122 __s_api_free2dArray(servers
);
123 (void) sprintf(errstr
,
124 gettext("No server found in configuration"));
125 MKERROR(LOG_ERR
, *error
, NS_CONFIG_NODEFAULT
,
126 strdup(errstr
), NS_LDAP_MEMORY
);
127 return (NS_LDAP_CONFIG
);
130 ret
->server
= strdup(servers
[0]);
131 if (ret
->server
== NULL
) {
132 __s_api_free2dArray(servers
);
133 return (NS_LDAP_MEMORY
);
136 ret
->saslMechanisms
= NULL
;
137 ret
->controls
= NULL
;
139 __s_api_free2dArray(servers
);
141 return (NS_LDAP_SUCCESS
);
144 /* very similar to __door_getldapconfig() in ns_config.c */
146 __door_getadmincred(char **buffer
, int *buflen
, ns_ldap_error_t
**error
)
148 return (__door_getconf(buffer
, buflen
, error
, GETADMINCRED
));
152 * This function requests Admin credentials from the cache manager through
153 * the door functionality
157 requestAdminCred(UnixCred_t
**cred
, ns_ldap_error_t
**error
)
164 ret
= __door_getadmincred(&buffer
, &buflen
, error
);
166 if (ret
!= NS_LDAP_SUCCESS
) {
167 if (*error
!= NULL
&& (*error
)->message
!= NULL
)
168 syslog(LOG_WARNING
, "libsldap: %s", (*error
)->message
);
172 /* now convert from door format */
173 ret
= SetDoorInfoToUnixCred(buffer
, error
, cred
);
180 * This function requests a server from the cache manager through
181 * the door functionality
185 __s_api_requestServer(const char *request
, const char *server
,
186 ns_server_info_t
*ret
, ns_ldap_error_t
**error
, const char *addrType
)
190 char s_b
[DOORBUFFERSIZE
];
195 char errstr
[MAXERROR
];
197 char *rbuf
, *ptr
, *rest
;
199 char **mptr
, **mptr1
, **cptr
, **cptr1
;
202 ns_ldap_return_code ret_code
;
204 if (ret
== NULL
|| error
== NULL
) {
205 return (NS_LDAP_OP_FAILED
);
207 (void) memset(ret
, 0, sizeof (ns_server_info_t
));
216 * In the 'Standalone' mode a server will be obtained
217 * from the local libsldap's list
219 if (__s_api_isStandalone()) {
220 if ((ret_code
= __s_api_findRootDSE(ireq
,
224 error
)) != NS_LDAP_SUCCESS
) {
226 * get first server from local list only once
229 if (strcmp(ireq
, NS_CACHE_NEW
) != 0)
233 "libsldap (\"standalone\" mode): "
234 "can not find any available server. "
235 "Return the first one from the lists");
236 if (*error
!= NULL
) {
237 (void) __ns_ldap_freeError(error
);
240 ret_code
= getFirstFromConfig(ret
, error
);
241 if (ret_code
!= NS_LDAP_SUCCESS
) {
245 if (strcmp(addrType
, NS_CACHE_ADDR_HOSTNAME
) == 0) {
246 ret_code
= __s_api_ip2hostname(ret
->server
,
248 if (ret_code
!= NS_LDAP_SUCCESS
) {
249 (void) snprintf(errstr
,
251 gettext("The %s address "
252 "can not be resolved into "
253 "a host name. Returning "
254 "the address as it is."),
263 return (NS_LDAP_INTERNAL
);
268 return (NS_LDAP_SUCCESS
);
271 (void) memset(space
.s_b
, 0, DOORBUFFERSIZE
);
273 adata
= (sizeof (ldap_call_t
) + strlen(ireq
) + strlen(addrType
) + 1);
274 if (server
!= NULL
) {
275 adata
+= strlen(DOORLINESEP
) + 1;
276 adata
+= strlen(server
) + 1;
278 ndata
= sizeof (space
);
279 len
= sizeof (space
) - sizeof (space
.s_d
.ldap_call
.ldap_callnumber
);
280 space
.s_d
.ldap_call
.ldap_callnumber
= GETLDAPSERVER
;
281 if (strlcpy(space
.s_d
.ldap_call
.ldap_u
.domainname
, ireq
, len
) >= len
)
282 return (NS_LDAP_MEMORY
);
283 if (strlcat(space
.s_d
.ldap_call
.ldap_u
.domainname
, addrType
, len
) >=
285 return (NS_LDAP_MEMORY
);
286 if (server
!= NULL
) {
287 if (strlcat(space
.s_d
.ldap_call
.ldap_u
.domainname
,
288 DOORLINESEP
, len
) >= len
)
289 return (NS_LDAP_MEMORY
);
290 if (strlcat(space
.s_d
.ldap_call
.ldap_u
.domainname
, server
,
292 return (NS_LDAP_MEMORY
);
296 switch (__ns_ldap_trydoorcall(&sptr
, &ndata
, &adata
)) {
297 case NS_CACHE_SUCCESS
:
299 /* this case is for when the $mgr is not running, but ldapclient */
300 /* is trying to initialize things */
301 case NS_CACHE_NOSERVER
:
302 ret_code
= getFirstFromConfig(ret
, error
);
303 if (ret_code
!= NS_LDAP_SUCCESS
) {
307 if (strcmp(addrType
, NS_CACHE_ADDR_HOSTNAME
) == 0) {
308 ret_code
= __s_api_ip2hostname(ret
->server
,
310 if (ret_code
!= NS_LDAP_SUCCESS
) {
311 (void) snprintf(errstr
,
313 gettext("The %s address "
314 "can not be resolved into "
315 "a host name. Returning "
316 "the address as it is."),
325 return (NS_LDAP_INTERNAL
);
328 return (NS_LDAP_SUCCESS
);
329 case NS_CACHE_NOTFOUND
:
331 return (NS_LDAP_OP_FAILED
);
334 /* copy info from door call return structure here */
335 rbuf
= space
.s_d
.ldap_ret
.ldap_u
.config
;
338 ptr
= strtok_r(rbuf
, DOORLINESEP
, &rest
);
340 (void) sprintf(errstr
, gettext("No server returned from "
342 MKERROR(LOG_WARNING
, *error
, NS_CONFIG_CACHEMGR
,
343 strdup(errstr
), NS_LDAP_MEMORY
);
344 return (NS_LDAP_OP_FAILED
);
346 ret
->server
= strdup(ptr
);
347 if (ret
->server
== NULL
) {
348 return (NS_LDAP_MEMORY
);
350 /* Get the host FQDN format */
351 if (strcmp(addrType
, NS_CACHE_ADDR_HOSTNAME
) == 0) {
352 ptr
= strtok_r(NULL
, DOORLINESEP
, &rest
);
354 (void) sprintf(errstr
, gettext("No server FQDN format "
355 "returned from ldap_cachemgr"));
356 MKERROR(LOG_WARNING
, *error
, NS_CONFIG_CACHEMGR
,
357 strdup(errstr
), NULL
);
360 return (NS_LDAP_OP_FAILED
);
362 ret
->serverFQDN
= strdup(ptr
);
363 if (ret
->serverFQDN
== NULL
) {
366 return (NS_LDAP_MEMORY
);
370 /* get the Supported Controls/SASL mechs */
376 ptr
= strtok_r(NULL
, DOORLINESEP
, &rest
);
379 if (strncasecmp(ptr
, _SASLMECHANISM
,
380 _SASLMECHANISM_LEN
) == 0) {
381 dptr
= strchr(ptr
, '=');
385 mptr1
= (char **)realloc((void *)mptr
,
386 sizeof (char *) * (mcnt
+2));
388 __s_api_free2dArray(mptr
);
389 if (sptr
!= &space
.s_d
) {
390 (void) munmap((char *)sptr
, ndata
);
392 __s_api_free2dArray(cptr
);
393 __s_api_free_server_info(ret
);
394 return (NS_LDAP_MEMORY
);
397 mptr
[mcnt
] = strdup(dptr
);
398 if (mptr
[mcnt
] == NULL
) {
399 if (sptr
!= &space
.s_d
) {
400 (void) munmap((char *)sptr
, ndata
);
402 __s_api_free2dArray(cptr
);
404 __s_api_free2dArray(mptr
);
406 __s_api_free_server_info(ret
);
407 return (NS_LDAP_MEMORY
);
412 if (strncasecmp(ptr
, _SUPPORTEDCONTROL
,
413 _SUPPORTEDCONTROL_LEN
) == 0) {
414 dptr
= strchr(ptr
, '=');
418 cptr1
= (char **)realloc((void *)cptr
,
419 sizeof (char *) * (ccnt
+2));
421 if (sptr
!= &space
.s_d
) {
422 (void) munmap((char *)sptr
, ndata
);
424 __s_api_free2dArray(cptr
);
425 __s_api_free2dArray(mptr
);
427 __s_api_free_server_info(ret
);
428 return (NS_LDAP_MEMORY
);
431 cptr
[ccnt
] = strdup(dptr
);
432 if (cptr
[ccnt
] == NULL
) {
433 if (sptr
!= &space
.s_d
) {
434 (void) munmap((char *)sptr
, ndata
);
436 __s_api_free2dArray(cptr
);
438 __s_api_free2dArray(mptr
);
440 __s_api_free_server_info(ret
);
441 return (NS_LDAP_MEMORY
);
448 ret
->saslMechanisms
= mptr
;
451 ret
->controls
= cptr
;
455 /* clean up door call */
456 if (sptr
!= &space
.s_d
) {
457 (void) munmap((char *)sptr
, ndata
);
461 return (NS_LDAP_SUCCESS
);
467 * printCred(): prints the credential structure
470 printCred(FILE *fp
, const ns_cred_t
*cred
)
472 thread_t t
= thr_self();
475 (void) fprintf(fp
, "tid= %d: printCred: cred is NULL\n", t
);
479 (void) fprintf(fp
, "tid= %d: AuthType=%d\n", t
, cred
->auth
.type
);
480 (void) fprintf(fp
, "tid= %d: TlsType=%d\n", t
, cred
->auth
.tlstype
);
481 (void) fprintf(fp
, "tid= %d: SaslMech=%d\n", t
, cred
->auth
.saslmech
);
482 (void) fprintf(fp
, "tid= %d: SaslOpt=%d\n", t
, cred
->auth
.saslopt
);
483 if (cred
->hostcertpath
)
484 (void) fprintf(fp
, "tid= %d: hostCertPath=%s\n",
485 t
, cred
->hostcertpath
);
486 if (cred
->cred
.unix_cred
.userID
)
487 (void) fprintf(fp
, "tid= %d: userID=%s\n",
488 t
, cred
->cred
.unix_cred
.userID
);
489 if (cred
->cred
.unix_cred
.passwd
)
490 (void) fprintf(fp
, "tid= %d: passwd=%s\n",
491 t
, cred
->cred
.unix_cred
.passwd
);
495 * printConnection(): prints the connection structure
498 printConnection(FILE *fp
, Connection
*con
)
500 thread_t t
= thr_self();
505 (void) fprintf(fp
, "tid= %d: connectionID=%d\n", t
, con
->connectionId
);
506 (void) fprintf(fp
, "tid= %d: usedBit=%d\n", t
, con
->usedBit
);
507 (void) fprintf(fp
, "tid= %d: threadID=%d\n", t
, con
->threadID
);
508 if (con
->serverAddr
) {
509 (void) fprintf(fp
, "tid= %d: serverAddr=%s\n",
512 printCred(fp
, con
->auth
);
517 * addConnection(): inserts a connection in the connection list.
518 * It will also sets use bit and the thread Id for the thread
519 * using the connection for the first time.
520 * Returns: -1 = failure, new Connection ID = success
523 addConnection(Connection
*con
)
530 (void) fprintf(stderr
, "Adding connection thrid=%d\n", con
->threadID
);
532 (void) mutex_lock(&sessionPoolLock
);
533 if (sessionPool
== NULL
) {
534 sessionPoolSize
= SESSION_CACHE_INC
;
535 sessionPool
= calloc(sessionPoolSize
,
536 sizeof (Connection
*));
538 (void) mutex_unlock(&sessionPoolLock
);
542 (void) fprintf(stderr
, "Initialized sessionPool\n");
545 for (i
= 0; (i
< sessionPoolSize
) && (sessionPool
[i
] != NULL
); ++i
)
547 if (i
== sessionPoolSize
) {
548 /* run out of array, need to increase sessionPool */
550 cl
= (Connection
**) realloc(sessionPool
,
551 (sessionPoolSize
+ SESSION_CACHE_INC
) *
552 sizeof (Connection
*));
554 (void) mutex_unlock(&sessionPoolLock
);
557 (void) memset(cl
+ sessionPoolSize
, 0,
558 SESSION_CACHE_INC
* sizeof (Connection
*));
560 sessionPoolSize
+= SESSION_CACHE_INC
;
562 (void) fprintf(stderr
, "Increased sessionPoolSize to: %d\n",
566 sessionPool
[i
] = con
;
567 con
->usedBit
= B_TRUE
;
568 (void) mutex_unlock(&sessionPoolLock
);
569 con
->connectionId
= i
+ CONID_OFFSET
;
571 (void) fprintf(stderr
, "Connection added [%d]\n", i
);
572 printConnection(stderr
, con
);
574 return (i
+ CONID_OFFSET
);
578 * findConnection(): find an available connection from the list
579 * that matches the criteria specified in Connection structure.
580 * If serverAddr is NULL, then find a connection to any server
581 * as long as it matches the rest of the parameters.
582 * Returns: -1 = failure, the Connection ID found = success.
585 findConnection(int flags
, const char *serverAddr
,
586 const ns_cred_t
*auth
, Connection
**conp
)
594 if (auth
== NULL
|| conp
== NULL
)
599 * If a new connection is requested, no need to continue.
600 * If the process is not nscd and is not requesting keep
601 * connections alive, no need to continue.
603 if ((flags
& NS_LDAP_NEW_CONN
) || (!__s_api_nscd_proc() &&
604 !__s_api_peruser_proc() && !(flags
& NS_LDAP_KEEP_CONN
)))
609 (void) fprintf(stderr
, "tid= %d: Find connection\n", t
);
610 (void) fprintf(stderr
, "tid= %d: Looking for ....\n", t
);
611 if (serverAddr
&& *serverAddr
)
612 (void) fprintf(stderr
, "tid= %d: serverAddr=%s\n",
615 (void) fprintf(stderr
, "tid= %d: serverAddr=NULL\n", t
);
616 printCred(stderr
, auth
);
619 if (sessionPool
== NULL
)
621 (void) mutex_lock(&sessionPoolLock
);
622 for (i
= 0; i
< sessionPoolSize
; ++i
) {
623 if (sessionPool
[i
] == NULL
)
627 (void) fprintf(stderr
,
628 "tid: %d: checking connection [%d] ....\n", t
, i
);
629 printConnection(stderr
, cp
);
631 if ((cp
->usedBit
) || (serverAddr
&& *serverAddr
&&
632 (strcasecmp(serverAddr
, cp
->serverAddr
) != 0)))
635 if (__s_api_is_auth_matched(cp
->auth
, auth
) == B_FALSE
)
638 /* found an available connection */
639 cp
->usedBit
= B_TRUE
;
640 (void) mutex_unlock(&sessionPoolLock
);
641 cp
->threadID
= thr_self();
644 (void) fprintf(stderr
,
645 "tid %d: Connection found cID=%d\n", t
, i
);
648 return (i
+ CONID_OFFSET
);
650 (void) mutex_unlock(&sessionPoolLock
);
655 * Free a Connection structure
658 __s_api_freeConnection(Connection
*con
)
663 free(con
->serverAddr
);
665 (void) __ns_ldap_freeCred(&(con
->auth
));
666 if (con
->saslMechanisms
) {
667 __s_api_free2dArray(con
->saslMechanisms
);
670 __s_api_free2dArray(con
->controls
);
676 * Find a connection matching the passed in criteria. If an open
677 * connection with that criteria exists use it, otherwise open a
679 * Success: returns the pointer to the Connection structure
680 * Failure: returns NULL, error code and message should be in errorp
684 makeConnection(Connection
**conp
, const char *serverAddr
,
685 const ns_cred_t
*auth
, ConnectionID
*cID
, int timeoutSec
,
686 ns_ldap_error_t
**errorp
, int fail_if_new_pwd_reqd
,
687 int nopasswd_acct_mgmt
, int flags
, char ***badsrvrs
,
688 ns_conn_user_t
*conn_user
)
690 Connection
*con
= NULL
;
692 char errmsg
[MAXERROR
];
693 int rc
, exit_rc
= NS_LDAP_SUCCESS
;
694 ns_server_info_t sinfo
;
695 char *hReq
, *host
= NULL
;
698 int totalbad
= 0; /* Number of servers contacted unsuccessfully */
699 short memerr
= 0; /* Variable for tracking memory allocation */
700 char *serverAddrType
= NULL
, **bindHost
= NULL
;
703 if (conp
== NULL
|| errorp
== NULL
|| auth
== NULL
)
704 return (NS_LDAP_INVALID_PARAM
);
706 (void) __ns_ldap_freeError(errorp
);
708 (void) memset(&sinfo
, 0, sizeof (sinfo
));
710 if ((id
= findConnection(flags
, serverAddr
, auth
, &con
)) != -1) {
711 /* connection found in cache */
713 (void) fprintf(stderr
, "tid= %d: connection found in "
714 "cache %d\n", thr_self(), id
);
719 return (NS_LDAP_SUCCESS
);
722 if (auth
->auth
.saslmech
== NS_LDAP_SASL_GSSAPI
) {
723 serverAddrType
= NS_CACHE_ADDR_HOSTNAME
;
724 bindHost
= &sinfo
.serverFQDN
;
726 serverAddrType
= NS_CACHE_ADDR_IP
;
727 bindHost
= &sinfo
.server
;
731 if (__s_api_isInitializing()) {
733 * When obtaining the root DSE, connect to the server
734 * passed here through the serverAddr parameter
736 sinfo
.server
= strdup(serverAddr
);
737 if (sinfo
.server
== NULL
)
738 return (NS_LDAP_MEMORY
);
739 if (strcmp(serverAddrType
,
740 NS_CACHE_ADDR_HOSTNAME
) == 0) {
741 rc
= __s_api_ip2hostname(sinfo
.server
,
743 if (rc
!= NS_LDAP_SUCCESS
) {
744 (void) snprintf(errmsg
,
746 gettext("The %s address "
747 "can not be resolved into "
748 "a host name. Returning "
749 "the address as it is."),
756 __s_api_free_server_info(&sinfo
);
757 return (NS_LDAP_INTERNAL
);
762 * We're given the server address, just use it.
763 * In case of sasl/GSSAPI, serverAddr would need
764 * to be a FQDN. We assume this is the case for now.
766 * Only the server address fields of sinfo structure
767 * are filled in since these are the only relevant
768 * data that we have. Other fields of this structure
769 * (controls, saslMechanisms) are kept to NULL.
771 sinfo
.server
= strdup(serverAddr
);
772 if (sinfo
.server
== NULL
) {
773 return (NS_LDAP_MEMORY
);
775 if (auth
->auth
.saslmech
== NS_LDAP_SASL_GSSAPI
) {
776 sinfo
.serverFQDN
= strdup(serverAddr
);
777 if (sinfo
.serverFQDN
== NULL
) {
779 return (NS_LDAP_MEMORY
);
783 rc
= openConnection(&ld
, *bindHost
, auth
, timeoutSec
, errorp
,
784 fail_if_new_pwd_reqd
, passwd_mgmt
, conn_user
, flags
);
785 if (rc
== NS_LDAP_SUCCESS
|| rc
==
786 NS_LDAP_SUCCESS_WITH_INFO
) {
790 if (auth
->auth
.saslmech
== NS_LDAP_SASL_GSSAPI
) {
791 (void) snprintf(errmsg
, sizeof (errmsg
),
792 "%s %s", gettext("makeConnection: "
793 "failed to open connection using "
794 "sasl/GSSAPI to"), *bindHost
);
796 (void) snprintf(errmsg
, sizeof (errmsg
),
797 "%s %s", gettext("makeConnection: "
798 "failed to open connection to"),
801 syslog(LOG_ERR
, "libsldap: %s", errmsg
);
802 __s_api_free_server_info(&sinfo
);
807 /* No cached connection, create one */
812 hReq
= NS_CACHE_NEXT
;
813 rc
= __s_api_requestServer(hReq
, host
, &sinfo
, errorp
,
815 if ((rc
!= NS_LDAP_SUCCESS
) || (sinfo
.server
== NULL
) ||
816 (host
&& (strcasecmp(host
, sinfo
.server
) == 0))) {
819 (void) snprintf(errmsg
, sizeof (errmsg
),
820 "%s: (%s)", gettext("makeConnection: "
821 "unable to make LDAP connection, "
822 "request for a server failed"),
824 syslog(LOG_ERR
, "libsldap: %s", errmsg
);
827 __s_api_free_server_info(&sinfo
);
830 return (NS_LDAP_OP_FAILED
);
834 host
= strdup(sinfo
.server
);
836 __s_api_free_server_info(&sinfo
);
837 return (NS_LDAP_MEMORY
);
840 /* check if server supports password management */
841 passwd_mgmt
= __s_api_contain_passwd_control_oid(
843 /* check if server supports password less account mgmt */
844 if (nopasswd_acct_mgmt
&&
845 !__s_api_contain_account_usable_control_oid(
847 syslog(LOG_WARNING
, "libsldap: server %s does not "
848 "provide account information without password",
851 __s_api_free_server_info(&sinfo
);
852 return (NS_LDAP_OP_FAILED
);
854 /* make the connection */
855 rc
= openConnection(&ld
, *bindHost
, auth
, timeoutSec
, errorp
,
856 fail_if_new_pwd_reqd
, passwd_mgmt
, conn_user
, flags
);
857 /* if success, go to create connection structure */
858 if (rc
== NS_LDAP_SUCCESS
||
859 rc
== NS_LDAP_SUCCESS_WITH_INFO
) {
865 * If not able to reach the server, inform the ldap
866 * cache manager that the server should be removed
867 * from its server list. Thus, the manager will not
868 * return this server on the next get-server request
869 * and will also reduce the server list refresh TTL,
870 * so that it will find out sooner when the server
873 if (rc
== NS_LDAP_INTERNAL
&& *errorp
!= NULL
) {
874 if ((*errorp
)->status
== LDAP_CONNECT_ERROR
||
875 (*errorp
)->status
== LDAP_SERVER_DOWN
) {
876 /* Reset memory allocation error */
879 * We contacted a server that we could
880 * not either authenticate to or contact.
881 * If it is due to authentication, then
882 * we need to try the server again. So,
883 * do not remove the server yet, but
884 * add it to the bad server list.
885 * The caller routine will remove
887 * a). A good server is found or
888 * b). All the possible methods
889 * are tried without finding
892 if (*badsrvrs
== NULL
) {
893 if (!(*badsrvrs
= (char **)malloc
894 (sizeof (char *) * NUMTOMALLOC
))) {
897 /* Allocate memory in chunks of NUMTOMALLOC */
898 } else if ((totalbad
% NUMTOMALLOC
) ==
901 if (!(tmpptr
= (char **)realloc(
903 (sizeof (char *) * NUMTOMALLOC
*
904 ((totalbad
/NUMTOMALLOC
) + 2))))) {
911 * Store host only if there were no unsuccessful
912 * memory allocations above
915 !((*badsrvrs
)[totalbad
++] = strdup(host
))) {
919 (*badsrvrs
)[totalbad
] = NULL
;
923 /* else, cleanup and go for the next server */
924 __s_api_free_server_info(&sinfo
);
926 /* Return if we had memory allocation errors */
928 return (NS_LDAP_MEMORY
);
931 * If openConnection() failed due to
932 * password policy, or invalid credential,
933 * keep *errorp and exit
935 if ((*errorp
)->pwd_mgmt
.status
!= NS_PASSWD_GOOD
||
936 (*errorp
)->status
== LDAP_INVALID_CREDENTIALS
) {
940 (void) __ns_ldap_freeError(errorp
);
947 /* we have created ld, setup con structure */
950 if ((con
= calloc(1, sizeof (Connection
))) == NULL
) {
951 __s_api_free_server_info(&sinfo
);
953 * If password control attached in **errorp,
954 * e.g. rc == NS_LDAP_SUCCESS_WITH_INFO,
955 * free the error structure
958 (void) __ns_ldap_freeError(errorp
);
961 (void) ldap_unbind(ld
);
962 return (NS_LDAP_MEMORY
);
965 con
->serverAddr
= sinfo
.server
; /* Store original format */
966 if (sinfo
.serverFQDN
!= NULL
) {
967 free(sinfo
.serverFQDN
);
968 sinfo
.serverFQDN
= NULL
;
970 con
->saslMechanisms
= sinfo
.saslMechanisms
;
971 con
->controls
= sinfo
.controls
;
973 con
->auth
= __ns_ldap_dupAuth(auth
);
974 if (con
->auth
== NULL
) {
975 (void) ldap_unbind(ld
);
976 __s_api_freeConnection(con
);
978 * If password control attached in **errorp,
979 * e.g. rc == NS_LDAP_SUCCESS_WITH_INFO,
980 * free the error structure
983 (void) __ns_ldap_freeError(errorp
);
986 return (NS_LDAP_MEMORY
);
989 con
->threadID
= thr_self();
993 /* add MT connection to the MT connection pool */
994 if (conn_user
!= NULL
&& conn_user
->conn_mt
!= NULL
) {
995 if (__s_api_conn_mt_add(con
, conn_user
, errorp
) ==
1000 (void) ldap_unbind(ld
);
1001 __s_api_freeConnection(con
);
1002 return ((*errorp
)->status
);
1006 /* MT connection not supported or not required case */
1007 if ((id
= addConnection(con
)) == -1) {
1008 (void) ldap_unbind(ld
);
1009 __s_api_freeConnection(con
);
1011 * If password control attached in **errorp,
1012 * e.g. rc == NS_LDAP_SUCCESS_WITH_INFO,
1013 * free the error structure
1016 (void) __ns_ldap_freeError(errorp
);
1019 return (NS_LDAP_MEMORY
);
1022 (void) fprintf(stderr
, "tid= %d: connection added into "
1023 "cache %d\n", thr_self(), id
);
1032 * Return the specified connection to the pool. If necessary
1033 * delete the connection.
1037 _DropConnection(ConnectionID cID
, int flag
, int fini
)
1041 int use_mutex
= !fini
;
1042 struct timeval zerotime
;
1045 zerotime
.tv_sec
= zerotime
.tv_usec
= 0L;
1047 id
= cID
- CONID_OFFSET
;
1048 if (id
< 0 || id
>= sessionPoolSize
)
1051 (void) fprintf(stderr
,
1052 "tid %d: Dropping connection cID=%d flag=0x%x\n",
1053 thr_self(), cID
, flag
);
1057 (void) mutex_lock(&sessionPoolLock
);
1059 cp
= sessionPool
[id
];
1060 /* sanity check before removing */
1061 if (!cp
|| (!fini
&& (!cp
->usedBit
|| cp
->threadID
!= thr_self()))) {
1063 (void) mutex_unlock(&sessionPoolLock
);
1068 ((flag
& NS_LDAP_NEW_CONN
) == 0) &&
1069 ((flag
& NS_LDAP_KEEP_CONN
) || __s_api_nscd_proc() ||
1070 __s_api_peruser_proc())) {
1071 /* release Connection (keep alive) */
1072 cp
->usedBit
= B_FALSE
;
1073 cp
->threadID
= 0; /* unmark the threadID */
1075 * Do sanity cleanup of remaining results.
1077 while (ldap_result(cp
->ld
, LDAP_RES_ANY
, LDAP_MSG_ALL
,
1078 &zerotime
, &res
) > 0) {
1080 (void) ldap_msgfree(res
);
1083 (void) mutex_unlock(&sessionPoolLock
);
1085 /* delete Connection (disconnect) */
1086 sessionPool
[id
] = NULL
;
1088 (void) mutex_unlock(&sessionPoolLock
);
1089 (void) ldap_unbind(cp
->ld
);
1090 __s_api_freeConnection(cp
);
1095 DropConnection(ConnectionID cID
, int flag
)
1097 _DropConnection(cID
, flag
, 0);
1101 * This routine is called after a bind operation is
1102 * done in openConnection() to process the password
1103 * management information, if any.
1106 * bind_type: "simple" or "sasl/DIGEST-MD5"
1107 * ldaprc : ldap rc from the ldap bind operation
1108 * controls : controls returned by the server
1109 * errmsg : error message from the server
1110 * fail_if_new_pwd_reqd:
1111 * flag indicating if connection should be open
1112 * when password needs to change immediately
1114 * flag indicating if server supports password
1117 * Output : ns_ldap_error structure, which may contain
1118 * password status and number of seconds until
1122 * NS_LDAP_EXTERNAL: error, connection should not open
1123 * NS_LDAP_SUCCESS_WITH_INFO: OK to open but password info attached
1124 * NS_LDAP_SUCCESS: OK to open connection
1129 process_pwd_mgmt(char *bind_type
, int ldaprc
,
1130 LDAPControl
**controls
,
1131 char *errmsg
, ns_ldap_error_t
**errorp
,
1132 int fail_if_new_pwd_reqd
,
1135 char errstr
[MAXERROR
];
1136 LDAPControl
**ctrl
= NULL
;
1138 ns_ldap_passwd_status_t pwd_status
= NS_PASSWD_GOOD
;
1139 int sec_until_exp
= 0;
1142 * errmsg may be an empty string,
1143 * even if ldaprc is LDAP_SUCCESS,
1144 * free the empty string if that's the case
1147 (*errmsg
== '\0' || ldaprc
== LDAP_SUCCESS
)) {
1148 ldap_memfree(errmsg
);
1152 if (ldaprc
!= LDAP_SUCCESS
) {
1154 * try to map ldap rc and error message to
1160 __s_api_set_passwd_status(
1162 ldap_memfree(errmsg
);
1165 (void) snprintf(errstr
, sizeof (errstr
),
1166 gettext("openConnection: "
1168 "- %s"), bind_type
, ldap_err2string(ldaprc
));
1170 if (pwd_status
!= NS_PASSWD_GOOD
) {
1171 MKERROR_PWD_MGMT(*errorp
,
1172 ldaprc
, strdup(errstr
),
1173 pwd_status
, 0, NULL
);
1175 MKERROR(LOG_ERR
, *errorp
, ldaprc
, strdup(errstr
),
1179 ldap_controls_free(controls
);
1181 return (NS_LDAP_INTERNAL
);
1185 * ldaprc is LDAP_SUCCESS,
1186 * process the password management controls, if any
1188 exit_rc
= NS_LDAP_SUCCESS
;
1189 if (controls
&& passwd_mgmt
) {
1191 * The control with the OID
1192 * 2.16.840.1.113730.3.4.4 (or
1193 * LDAP_CONTROL_PWEXPIRED, as defined
1194 * in the ldap.h header file) is the
1195 * expired password control.
1197 * This control is used if the server
1198 * is configured to require users to
1199 * change their passwords when first
1200 * logging in and whenever the
1201 * passwords are reset.
1203 * If the user is logging in for the
1204 * first time or if the user's
1205 * password has been reset, the
1206 * server sends this control to
1207 * indicate that the client needs to
1208 * change the password immediately.
1210 * At this point, the only operation
1211 * that the client can perform is to
1212 * change the user's password. If the
1213 * client requests any other LDAP
1214 * operation, the server sends back
1215 * an LDAP_UNWILLING_TO_PERFORM
1216 * result code with an expired
1219 * The control with the OID
1220 * 2.16.840.1.113730.3.4.5 (or
1221 * LDAP_CONTROL_PWEXPIRING, as
1222 * defined in the ldap.h header file)
1223 * is the password expiration warning
1226 * This control is used if the server
1227 * is configured to expire user
1228 * passwords after a certain amount
1231 * The server sends this control back
1232 * to the client if the client binds
1233 * using a password that will soon
1234 * expire. The ldctl_value field of
1235 * the LDAPControl structure
1236 * specifies the number of seconds
1237 * before the password will expire.
1239 for (ctrl
= controls
; *ctrl
; ctrl
++) {
1241 if (strcmp((*ctrl
)->ldctl_oid
,
1242 LDAP_CONTROL_PWEXPIRED
) == 0) {
1244 * if the caller wants this bind
1245 * to fail, set up the error info.
1246 * If call to this function is
1247 * for searching the LDAP directory,
1248 * e.g., __ns_ldap_list(),
1249 * there's really no sense to
1250 * let a connection open and
1251 * then fail immediately afterward
1252 * on the LDAP search operation with
1253 * the LDAP_UNWILLING_TO_PERFORM rc
1256 NS_PASSWD_CHANGE_NEEDED
;
1257 if (fail_if_new_pwd_reqd
) {
1258 (void) snprintf(errstr
,
1269 MKERROR_PWD_MGMT(*errorp
,
1275 exit_rc
= NS_LDAP_INTERNAL
;
1277 MKERROR_PWD_MGMT(*errorp
,
1284 NS_LDAP_SUCCESS_WITH_INFO
;
1287 } else if (strcmp((*ctrl
)->ldctl_oid
,
1288 LDAP_CONTROL_PWEXPIRING
) == 0) {
1290 NS_PASSWD_ABOUT_TO_EXPIRE
;
1292 ldctl_value
.bv_len
> 0 &&
1297 ldctl_value
.bv_val
);
1298 MKERROR_PWD_MGMT(*errorp
,
1305 NS_LDAP_SUCCESS_WITH_INFO
;
1312 ldap_controls_free(controls
);
1318 ldap_in_nss_switch(char *db
)
1320 enum __nsw_parse_err pserr
;
1321 struct __nsw_switchconfig
*conf
;
1322 struct __nsw_lookup
*lkp
;
1326 conf
= __nsw_getconfig(db
, &pserr
);
1331 /* check for skip and count other backends */
1332 for (lkp
= conf
->lookups
; lkp
!= NULL
; lkp
= lkp
->next
) {
1333 name
= lkp
->service_name
;
1334 if (strcmp(name
, "ldap") == 0) {
1339 (void) __nsw_freeconfig(conf
);
1344 openConnection(LDAP
**ldp
, const char *serverAddr
, const ns_cred_t
*auth
,
1345 int timeoutSec
, ns_ldap_error_t
**errorp
,
1346 int fail_if_new_pwd_reqd
, int passwd_mgmt
,
1347 ns_conn_user_t
*conn_user
, int flags
)
1350 int ldapVersion
= LDAP_VERSION3
;
1351 int derefOption
= LDAP_DEREF_ALWAYS
;
1353 int timeoutMilliSec
= timeoutSec
* 1000;
1354 uint16_t port
= USE_DEFAULT_PORT
;
1356 char errstr
[MAXERROR
];
1359 ns_ldap_return_code ret_code
= NS_LDAP_SUCCESS
;
1364 /* determine if the host name contains a port number */
1365 s
= strchr(serverAddr
, ']'); /* skip over ipv6 addr */
1366 s
= strchr(s
!= NULL
? s
: serverAddr
, ':');
1368 if (sscanf(s
+ 1, "%hu", &port
) != 1) {
1369 (void) snprintf(errstr
,
1371 gettext("openConnection: cannot "
1372 "convert %s into a valid "
1373 "port number for the "
1374 "%s server. A default value "
1378 syslog(LOG_ERR
, "libsldap: %s", errstr
);
1384 ret_code
= createSession(auth
,
1393 if (ret_code
!= NS_LDAP_SUCCESS
) {
1397 /* check to see if the underlying libsldap supports MT connection */
1398 if (conn_user
!= NULL
) {
1401 rc
= __s_api_check_libldap_MT_conn_support(conn_user
, ld
,
1403 if (rc
!= NS_LDAP_SUCCESS
) {
1404 (void) ldap_unbind(ld
);
1409 (void) ldap_set_option(ld
, LDAP_OPT_PROTOCOL_VERSION
, &ldapVersion
);
1410 (void) ldap_set_option(ld
, LDAP_OPT_DEREF
, &derefOption
);
1412 * This library will handle the referral itself based on API flags or
1413 * configuration file specification. The LDAP bind operation is an
1414 * exception where we rely on the LDAP library to follow the referal.
1416 * The LDAP follow referral option must be set to OFF for the libldap5
1417 * to pass the referral info up to this library. This option MUST be
1418 * set to OFF after we have performed a sucessful bind. If we are not
1419 * to follow referrals we MUST also set the LDAP follow referral option
1420 * to OFF before we perform an LDAP bind.
1422 ret_code
= __s_api_toFollowReferrals(flags
, &followRef
, errorp
);
1423 if (ret_code
!= NS_LDAP_SUCCESS
) {
1424 (void) ldap_unbind(ld
);
1429 (void) ldap_set_option(ld
, LDAP_OPT_REFERRALS
, LDAP_OPT_ON
);
1431 (void) ldap_set_option(ld
, LDAP_OPT_REFERRALS
, LDAP_OPT_OFF
);
1433 (void) ldap_set_option(ld
, LDAP_OPT_TIMELIMIT
, &zero
);
1434 (void) ldap_set_option(ld
, LDAP_OPT_SIZELIMIT
, &zero
);
1435 /* setup TCP/IP connect timeout */
1436 (void) ldap_set_option(ld
, LDAP_X_OPT_CONNECT_TIMEOUT
,
1438 /* retry if LDAP I/O was interrupted */
1439 (void) ldap_set_option(ld
, LDAP_OPT_RESTART
, LDAP_OPT_ON
);
1441 ret_code
= performBind(auth
,
1445 fail_if_new_pwd_reqd
,
1448 if (ret_code
== NS_LDAP_SUCCESS
||
1449 ret_code
== NS_LDAP_SUCCESS_WITH_INFO
) {
1451 * Turn off LDAP referral following so that this library can
1452 * process referrals.
1454 (void) ldap_set_option(ld
, LDAP_OPT_REFERRALS
, LDAP_OPT_OFF
);
1462 * FUNCTION: __s_api_getDefaultAuth
1464 * Constructs a credential for authentication using the config module.
1468 * NS_LDAP_SUCCESS If successful
1469 * NS_LDAP_CONFIG If there are any config errors.
1470 * NS_LDAP_MEMORY Memory errors.
1471 * NS_LDAP_OP_FAILED If there are no more authentication methods so can
1472 * not build a new authp.
1473 * NS_LDAP_INVALID_PARAM This overloaded return value means that some of the
1474 * necessary fields of a cred for a given auth method
1478 * cLevel Currently requested credential level to be tried
1480 * aMethod Currently requested authentication method to be tried
1482 * getAdmin If non 0, get Admin -i.e., not proxyAgent- DN and password
1486 * authp authentication method to use.
1489 __s_api_getDefaultAuth(
1495 void **paramVal
= NULL
;
1496 char *modparamVal
= NULL
;
1499 int getCertpath
= 0;
1501 ns_ldap_error_t
*errorp
= NULL
;
1502 UnixCred_t
*AdminCred
= NULL
;
1505 (void) fprintf(stderr
, "__s_api_getDefaultAuth START\n");
1508 if (aMethod
== NULL
) {
1509 /* Require an Auth */
1510 return (NS_LDAP_INVALID_PARAM
);
1514 * credential level "self" can work with auth method sasl/GSSAPI only
1516 if (cLevel
&& *cLevel
== NS_LDAP_CRED_SELF
&&
1517 aMethod
->saslmech
!= NS_LDAP_SASL_GSSAPI
)
1518 return (NS_LDAP_INVALID_PARAM
);
1520 *authp
= (ns_cred_t
*)calloc(1, sizeof (ns_cred_t
));
1521 if ((*authp
) == NULL
)
1522 return (NS_LDAP_MEMORY
);
1524 (*authp
)->auth
= *aMethod
;
1526 switch (aMethod
->type
) {
1527 case NS_LDAP_AUTH_NONE
:
1528 return (NS_LDAP_SUCCESS
);
1529 case NS_LDAP_AUTH_SIMPLE
:
1533 case NS_LDAP_AUTH_SASL
:
1534 if ((aMethod
->saslmech
== NS_LDAP_SASL_DIGEST_MD5
) ||
1535 (aMethod
->saslmech
== NS_LDAP_SASL_CRAM_MD5
)) {
1538 } else if (aMethod
->saslmech
!= NS_LDAP_SASL_GSSAPI
) {
1539 (void) __ns_ldap_freeCred(authp
);
1540 return (NS_LDAP_INVALID_PARAM
);
1543 case NS_LDAP_AUTH_TLS
:
1544 if ((aMethod
->tlstype
== NS_LDAP_TLS_SIMPLE
) ||
1545 ((aMethod
->tlstype
== NS_LDAP_TLS_SASL
) &&
1546 ((aMethod
->saslmech
== NS_LDAP_SASL_DIGEST_MD5
) ||
1547 (aMethod
->saslmech
== NS_LDAP_SASL_CRAM_MD5
)))) {
1551 } else if (aMethod
->tlstype
== NS_LDAP_TLS_NONE
) {
1554 (void) __ns_ldap_freeCred(authp
);
1555 return (NS_LDAP_INVALID_PARAM
);
1564 * Assume AdminCred has been retrieved from
1565 * ldap_cachemgr already. It will not work
1566 * without userID or password. Flags getUid
1567 * and getPasswd should always be set
1570 AdminCred
= calloc(1, sizeof (UnixCred_t
));
1571 if (AdminCred
== NULL
) {
1572 (void) __ns_ldap_freeCred(authp
);
1573 return (NS_LDAP_MEMORY
);
1576 rc
= requestAdminCred(&AdminCred
, &errorp
);
1577 if (rc
!= NS_LDAP_SUCCESS
) {
1578 (void) __ns_ldap_freeCred(authp
);
1579 (void) __ns_ldap_freeUnixCred(&AdminCred
);
1580 (void) __ns_ldap_freeError(&errorp
);
1584 if (AdminCred
->userID
== NULL
) {
1585 (void) __ns_ldap_freeCred(authp
);
1586 (void) __ns_ldap_freeUnixCred(&AdminCred
);
1587 return (NS_LDAP_INVALID_PARAM
);
1589 (*authp
)->cred
.unix_cred
.userID
= AdminCred
->userID
;
1590 AdminCred
->userID
= NULL
;
1592 rc
= __ns_ldap_getParam(NS_LDAP_BINDDN_P
,
1593 ¶mVal
, &errorp
);
1594 if (rc
!= NS_LDAP_SUCCESS
) {
1595 (void) __ns_ldap_freeCred(authp
);
1596 (void) __ns_ldap_freeError(&errorp
);
1600 if (paramVal
== NULL
|| *paramVal
== NULL
) {
1601 (void) __ns_ldap_freeCred(authp
);
1602 return (NS_LDAP_INVALID_PARAM
);
1605 (*authp
)->cred
.unix_cred
.userID
=
1606 strdup((char *)*paramVal
);
1607 (void) __ns_ldap_freeParam(¶mVal
);
1609 if ((*authp
)->cred
.unix_cred
.userID
== NULL
) {
1610 (void) __ns_ldap_freeCred(authp
);
1611 (void) __ns_ldap_freeUnixCred(&AdminCred
);
1612 return (NS_LDAP_MEMORY
);
1619 * Assume AdminCred has been retrieved from
1620 * ldap_cachemgr already. It will not work
1621 * without the userID anyway because for
1622 * getting admin credential, flags getUid
1623 * and getPasswd should always be set
1626 if (AdminCred
== NULL
|| AdminCred
->passwd
== NULL
) {
1627 (void) __ns_ldap_freeCred(authp
);
1628 (void) __ns_ldap_freeUnixCred(&AdminCred
);
1629 return (NS_LDAP_INVALID_PARAM
);
1631 modparamVal
= dvalue(AdminCred
->passwd
);
1633 rc
= __ns_ldap_getParam(NS_LDAP_BINDPASSWD_P
,
1634 ¶mVal
, &errorp
);
1635 if (rc
!= NS_LDAP_SUCCESS
) {
1636 (void) __ns_ldap_freeCred(authp
);
1637 (void) __ns_ldap_freeError(&errorp
);
1641 if (paramVal
== NULL
|| *paramVal
== NULL
) {
1642 (void) __ns_ldap_freeCred(authp
);
1643 return (NS_LDAP_INVALID_PARAM
);
1646 modparamVal
= dvalue((char *)*paramVal
);
1647 (void) __ns_ldap_freeParam(¶mVal
);
1650 if (modparamVal
== NULL
|| (strlen((char *)modparamVal
) == 0)) {
1651 (void) __ns_ldap_freeCred(authp
);
1652 (void) __ns_ldap_freeUnixCred(&AdminCred
);
1653 if (modparamVal
!= NULL
)
1655 return (NS_LDAP_INVALID_PARAM
);
1658 (*authp
)->cred
.unix_cred
.passwd
= modparamVal
;
1662 if ((rc
= __ns_ldap_getParam(NS_LDAP_HOST_CERTPATH_P
,
1663 ¶mVal
, &errorp
)) != NS_LDAP_SUCCESS
) {
1664 (void) __ns_ldap_freeCred(authp
);
1665 (void) __ns_ldap_freeUnixCred(&AdminCred
);
1666 (void) __ns_ldap_freeError(&errorp
);
1671 if (paramVal
== NULL
|| *paramVal
== NULL
) {
1672 (void) __ns_ldap_freeCred(authp
);
1673 (void) __ns_ldap_freeUnixCred(&AdminCred
);
1675 return (NS_LDAP_INVALID_PARAM
);
1678 (*authp
)->hostcertpath
= strdup((char *)*paramVal
);
1679 (void) __ns_ldap_freeParam(¶mVal
);
1680 if ((*authp
)->hostcertpath
== NULL
) {
1681 (void) __ns_ldap_freeCred(authp
);
1682 (void) __ns_ldap_freeUnixCred(&AdminCred
);
1684 return (NS_LDAP_MEMORY
);
1687 (void) __ns_ldap_freeUnixCred(&AdminCred
);
1688 return (NS_LDAP_SUCCESS
);
1692 * FUNCTION: getConnection
1694 * internal version of __s_api_getConnection()
1700 const ns_cred_t
*cred
, /* credentials for bind */
1701 ConnectionID
*sessionId
,
1702 Connection
**session
,
1703 ns_ldap_error_t
**errorp
,
1704 int fail_if_new_pwd_reqd
,
1705 int nopasswd_acct_mgmt
,
1706 ns_conn_user_t
*conn_user
)
1708 char errmsg
[MAXERROR
];
1709 ns_auth_t
**aMethod
= NULL
;
1710 ns_auth_t
**aNext
= NULL
;
1711 int **cLevel
= NULL
;
1713 int timeoutSec
= NS_DEFAULT_BIND_TIMEOUT
;
1715 Connection
*con
= NULL
;
1717 ns_cred_t
*authp
= NULL
;
1719 int version
= NS_LDAP_V2
, self_gssapi_only
= 0;
1720 void **paramVal
= NULL
;
1721 char **badSrvrs
= NULL
; /* List of problem hostnames */
1723 if ((session
== NULL
) || (sessionId
== NULL
)) {
1724 return (NS_LDAP_INVALID_PARAM
);
1728 /* reuse MT connection if needed and if available */
1729 if (conn_user
!= NULL
) {
1730 rc
= __s_api_conn_mt_get(server
, flags
, cred
, session
, errorp
,
1732 if (rc
!= NS_LDAP_NOTFOUND
)
1736 /* get profile version number */
1737 if ((rc
= __ns_ldap_getParam(NS_LDAP_FILE_VERSION_P
,
1738 ¶mVal
, errorp
)) != NS_LDAP_SUCCESS
)
1740 if (paramVal
== NULL
) {
1741 (void) sprintf(errmsg
, gettext("getConnection: no file "
1743 MKERROR(LOG_WARNING
, *errorp
, NS_CONFIG_FILE
, strdup(errmsg
),
1745 return (NS_LDAP_CONFIG
);
1747 if (strcasecmp((char *)*paramVal
, NS_LDAP_VERSION_1
) == 0)
1748 version
= NS_LDAP_V1
;
1749 (void) __ns_ldap_freeParam((void ***)¶mVal
);
1751 /* Get the bind timeout value */
1752 (void) __ns_ldap_getParam(NS_LDAP_BIND_TIME_P
, ¶mVal
, errorp
);
1753 if (paramVal
!= NULL
&& *paramVal
!= NULL
) {
1754 timeoutSec
= **((int **)paramVal
);
1755 (void) __ns_ldap_freeParam(¶mVal
);
1758 (void) __ns_ldap_freeError(errorp
);
1761 /* Get the authentication method list */
1762 if ((rc
= __ns_ldap_getParam(NS_LDAP_AUTH_P
,
1763 (void ***)&aMethod
, errorp
)) != NS_LDAP_SUCCESS
)
1765 if (aMethod
== NULL
) {
1766 aMethod
= (ns_auth_t
**)calloc(2, sizeof (ns_auth_t
*));
1767 if (aMethod
== NULL
)
1768 return (NS_LDAP_MEMORY
);
1769 aMethod
[0] = (ns_auth_t
*)calloc(1, sizeof (ns_auth_t
));
1770 if (aMethod
[0] == NULL
) {
1772 return (NS_LDAP_MEMORY
);
1774 if (version
== NS_LDAP_V1
)
1775 (aMethod
[0])->type
= NS_LDAP_AUTH_SIMPLE
;
1777 (aMethod
[0])->type
= NS_LDAP_AUTH_SASL
;
1778 (aMethod
[0])->saslmech
=
1779 NS_LDAP_SASL_DIGEST_MD5
;
1780 (aMethod
[0])->saslopt
= NS_LDAP_SASLOPT_NONE
;
1784 /* Get the credential level list */
1785 if ((rc
= __ns_ldap_getParam(NS_LDAP_CREDENTIAL_LEVEL_P
,
1786 (void ***)&cLevel
, errorp
)) != NS_LDAP_SUCCESS
) {
1787 (void) __ns_ldap_freeParam((void ***)&aMethod
);
1790 if (cLevel
== NULL
) {
1791 cLevel
= (int **)calloc(2, sizeof (int *));
1793 return (NS_LDAP_MEMORY
);
1794 cLevel
[0] = (int *)calloc(1, sizeof (int));
1795 if (cLevel
[0] == NULL
)
1796 return (NS_LDAP_MEMORY
);
1797 if (version
== NS_LDAP_V1
)
1798 *(cLevel
[0]) = NS_LDAP_CRED_PROXY
;
1800 *(cLevel
[0]) = NS_LDAP_CRED_ANON
;
1804 /* setup the anon credential for anonymous connection */
1805 (void) memset(&anon
, 0, sizeof (ns_cred_t
));
1806 anon
.auth
.type
= NS_LDAP_AUTH_NONE
;
1810 /* using specified auth method */
1811 rc
= makeConnection(&con
, server
, cred
,
1812 sessionId
, timeoutSec
, errorp
,
1813 fail_if_new_pwd_reqd
,
1814 nopasswd_acct_mgmt
, flags
, &badSrvrs
, conn_user
);
1815 /* not using bad server if credentials were supplied */
1816 if (badSrvrs
&& *badSrvrs
) {
1817 __s_api_free2dArray(badSrvrs
);
1820 if (rc
== NS_LDAP_SUCCESS
||
1821 rc
== NS_LDAP_SUCCESS_WITH_INFO
) {
1826 self_gssapi_only
= __s_api_self_gssapi_only_get();
1827 /* for every cred level */
1828 for (cNext
= cLevel
; *cNext
!= NULL
; cNext
++) {
1829 if (self_gssapi_only
&&
1830 **cNext
!= NS_LDAP_CRED_SELF
)
1832 if (**cNext
== NS_LDAP_CRED_ANON
) {
1834 * make connection anonymously
1835 * Free the down server list before
1838 if (badSrvrs
&& *badSrvrs
) {
1839 __s_api_free2dArray(badSrvrs
);
1842 rc
= makeConnection(&con
, server
, &anon
,
1843 sessionId
, timeoutSec
, errorp
,
1844 fail_if_new_pwd_reqd
,
1845 nopasswd_acct_mgmt
, flags
,
1846 &badSrvrs
, conn_user
);
1847 if (rc
== NS_LDAP_SUCCESS
||
1849 NS_LDAP_SUCCESS_WITH_INFO
) {
1855 /* for each cred level */
1856 for (aNext
= aMethod
; *aNext
!= NULL
; aNext
++) {
1857 if (self_gssapi_only
&&
1858 (*aNext
)->saslmech
!=
1859 NS_LDAP_SASL_GSSAPI
)
1862 * self coexists with sasl/GSSAPI only
1863 * and non-self coexists with non-gssapi
1866 if ((**cNext
== NS_LDAP_CRED_SELF
&&
1867 (*aNext
)->saslmech
!=
1868 NS_LDAP_SASL_GSSAPI
) ||
1869 (**cNext
!= NS_LDAP_CRED_SELF
&&
1870 (*aNext
)->saslmech
==
1871 NS_LDAP_SASL_GSSAPI
))
1873 /* make connection and authenticate */
1874 /* with default credentials */
1876 rc
= __s_api_getDefaultAuth(*cNext
,
1878 flags
& NS_LDAP_READ_SHADOW
);
1879 if (rc
!= NS_LDAP_SUCCESS
) {
1883 * Free the down server list before
1886 if (badSrvrs
&& *badSrvrs
) {
1887 __s_api_free2dArray(badSrvrs
);
1890 rc
= makeConnection(&con
, server
, authp
,
1891 sessionId
, timeoutSec
, errorp
,
1892 fail_if_new_pwd_reqd
,
1893 nopasswd_acct_mgmt
, flags
,
1894 &badSrvrs
, conn_user
);
1895 (void) __ns_ldap_freeCred(&authp
);
1896 if (rc
== NS_LDAP_SUCCESS
||
1898 NS_LDAP_SUCCESS_WITH_INFO
) {
1905 if (flags
& NS_LDAP_HARD
) {
1906 if (sec
< LDAPMAXHARDLOOKUPTIME
)
1915 if (self_gssapi_only
&& rc
== NS_LDAP_SUCCESS
&& *session
== NULL
) {
1917 * self_gssapi_only is true but no self/sasl/gssapi is
1920 rc
= NS_LDAP_CONFIG
;
1923 (void) __ns_ldap_freeParam((void ***)&aMethod
);
1924 (void) __ns_ldap_freeParam((void ***)&cLevel
);
1926 if (badSrvrs
&& *badSrvrs
) {
1928 * At this point, either we have a successful
1929 * connection or exhausted all the possible auths.
1930 * and creds. Mark the problem servers as down
1931 * so that the problem servers are not contacted
1932 * again until the refresh_ttl expires.
1934 (void) __s_api_removeBadServers(badSrvrs
);
1935 __s_api_free2dArray(badSrvrs
);
1941 * FUNCTION: __s_api_getConnection
1943 * Bind to the specified server or one from the server
1944 * list and return the pointer.
1946 * This function can rebind or not (NS_LDAP_HARD), it can require a
1947 * credential or bind anonymously
1949 * This function follows the DUA configuration schema algorithm
1953 * NS_LDAP_SUCCESS A connection was made successfully.
1954 * NS_LDAP_SUCCESS_WITH_INFO
1955 * A connection was made successfully, but with
1956 * password management info in *errorp
1957 * NS_LDAP_INVALID_PARAM If any invalid arguments were passed to the function.
1958 * NS_LDAP_CONFIG If there are any config errors.
1959 * NS_LDAP_MEMORY Memory errors.
1960 * NS_LDAP_INTERNAL If there was a ldap error.
1964 * server Bind to this LDAP server only
1965 * flags If NS_LDAP_HARD is set function will not return until it has
1966 * a connection unless there is a authentication problem.
1967 * If NS_LDAP_NEW_CONN is set the function must force a new
1968 * connection to be created
1969 * If NS_LDAP_KEEP_CONN is set the connection is to be kept open
1970 * auth Credentials for bind. This could be NULL in which case
1971 * a default cred built from the config module is used.
1972 * sessionId cookie that points to a previous session
1973 * fail_if_new_pwd_reqd
1974 * a flag indicating this function should fail if the passwd
1975 * in auth needs to change immediately
1976 * nopasswd_acct_mgmt
1977 * a flag indicating that makeConnection should check before
1978 * binding if server supports LDAP V3 password less
1979 * account management
1983 * session pointer to a session with connection information
1984 * errorp Set if there are any INTERNAL, or CONFIG error.
1987 __s_api_getConnection(
1990 const ns_cred_t
*cred
, /* credentials for bind */
1991 ConnectionID
*sessionId
,
1992 Connection
**session
,
1993 ns_ldap_error_t
**errorp
,
1994 int fail_if_new_pwd_reqd
,
1995 int nopasswd_acct_mgmt
,
1996 ns_conn_user_t
*conn_user
)
2000 rc
= getConnection(server
, flags
, cred
, sessionId
, session
,
2001 errorp
, fail_if_new_pwd_reqd
, nopasswd_acct_mgmt
,
2004 if (rc
!= NS_LDAP_SUCCESS
&& rc
!= NS_LDAP_SUCCESS_WITH_INFO
) {
2005 if (conn_user
!= NULL
&& conn_user
->conn_mt
!= NULL
)
2006 __s_api_conn_mt_remove(conn_user
, rc
, errorp
);
2013 __s_api_free_sessionPool()
2017 (void) mutex_lock(&sessionPoolLock
);
2019 if (sessionPool
!= NULL
) {
2020 for (id
= 0; id
< sessionPoolSize
; id
++)
2021 _DropConnection(id
+ CONID_OFFSET
, 0, 1);
2024 sessionPoolSize
= 0;
2026 (void) mutex_unlock(&sessionPoolLock
);
2030 * This function initializes a TLS LDAP session. On success LDAP* is returned
2031 * (pointed by *ldp). Otherwise, the function returns an NS error code and
2032 * provide an additional info pointed by *errorp.
2036 createTLSSession(const ns_cred_t
*auth
, const char *serverAddr
,
2037 uint16_t port
, int timeoutMilliSec
,
2038 LDAP
**ldp
, ns_ldap_error_t
**errorp
)
2040 const char *hostcertpath
;
2041 char *alloc_hcp
= NULL
, errstr
[MAXERROR
];
2045 (void) fprintf(stderr
, "tid= %d: +++TLS transport\n",
2049 if (prldap_set_session_option(NULL
, NULL
,
2050 PRLDAP_OPT_IO_MAX_TIMEOUT
,
2051 timeoutMilliSec
) != LDAP_SUCCESS
) {
2052 (void) snprintf(errstr
, sizeof (errstr
),
2053 gettext("createTLSSession: failed to initialize "
2055 MKERROR(LOG_WARNING
, *errorp
, LDAP_CONNECT_ERROR
,
2056 strdup(errstr
), NS_LDAP_MEMORY
);
2057 return (NS_LDAP_INTERNAL
);
2060 hostcertpath
= auth
->hostcertpath
;
2061 if (hostcertpath
== NULL
) {
2062 alloc_hcp
= __s_get_hostcertpath();
2063 hostcertpath
= alloc_hcp
;
2066 if (hostcertpath
== NULL
)
2067 return (NS_LDAP_MEMORY
);
2069 if ((ldap_rc
= ldapssl_client_init(hostcertpath
, NULL
)) < 0) {
2070 if (alloc_hcp
!= NULL
) {
2073 (void) snprintf(errstr
, sizeof (errstr
),
2074 gettext("createTLSSession: failed to initialize "
2075 "TLS security (%s)"),
2076 ldapssl_err2string(ldap_rc
));
2077 MKERROR(LOG_WARNING
, *errorp
, LDAP_CONNECT_ERROR
,
2078 strdup(errstr
), NS_LDAP_MEMORY
);
2079 return (NS_LDAP_INTERNAL
);
2084 *ldp
= ldapssl_init(serverAddr
, port
, 1);
2087 ldapssl_install_gethostbyaddr(*ldp
, "ldap") != 0) {
2088 (void) snprintf(errstr
, sizeof (errstr
),
2089 gettext("createTLSSession: failed to connect "
2090 "using TLS (%s)"), strerror(errno
));
2091 MKERROR(LOG_WARNING
, *errorp
, LDAP_CONNECT_ERROR
,
2092 strdup(errstr
), NS_LDAP_MEMORY
);
2093 return (NS_LDAP_INTERNAL
);
2096 return (NS_LDAP_SUCCESS
);
2100 * Convert (resolve) hostname to IP address.
2104 * server - \[IPv6_address\][:port]
2105 * - IPv4_address[:port]
2108 * newaddr - Buffer to which this function writes resulting address,
2109 * including the port number, if specified in server argument.
2111 * newaddr_size - Size of the newaddr buffer.
2113 * errstr - Buffer to which error string is written if error occurs.
2115 * errstr_size - Size of the errstr buffer.
2119 * Returns 1 for success, 0 in case of error.
2121 * newaddr - See above (INPUT section).
2123 * errstr - See above (INPUT section).
2126 cvt_hostname2ip(char *server
, char *newaddr
, int newaddr_size
,
2127 char *errstr
, int errstr_size
)
2130 unsigned short port
= 0;
2132 char buffer
[NSS_BUFLEN_HOSTS
];
2133 struct hostent result
;
2135 /* Determine if the host name contains a port number. */
2137 /* Skip over IPv6 address. */
2138 s
= strchr(server
, ']');
2139 s
= strchr(s
!= NULL
? s
: server
, ':');
2141 if (sscanf(s
+ 1, "%hu", &port
) != 1) {
2142 /* Address misformatted. No port number after : */
2143 (void) snprintf(errstr
, errstr_size
, "%s",
2144 gettext("Invalid host:port format"));
2147 /* Cut off the :<port> part. */
2153 * Resolve hostname and fill in hostent structure.
2155 if (!__s_api_hostname2ip(server
, &result
, buffer
, NSS_BUFLEN_HOSTS
,
2158 * The only possible error here could be TRY_AGAIN if buffer was
2159 * not big enough. NSS_BUFLEN_HOSTS should have been enough
2162 (void) snprintf(errstr
, errstr_size
, "%s",
2163 gettext("Unable to resolve address."));
2170 * Convert the address to string.
2172 if (!inet_ntop(result
.h_addrtype
, result
.h_addr_list
[0], buffer
,
2173 NSS_BUFLEN_HOSTS
)) {
2174 /* There's not much we can do. */
2175 (void) snprintf(errstr
, errstr_size
, "%s",
2176 gettext("Unable to convert address to string."));
2180 /* Put together the address and the port */
2182 switch (result
.h_addrtype
) {
2184 (void) snprintf(newaddr
,
2186 1 + strlen(buffer
) + 1 + 1 + 5 + 1,
2193 (void) snprintf(newaddr
,
2195 strlen(buffer
) + 1 + 5 + 1,
2202 (void) strncpy(newaddr
, buffer
, newaddr_size
);
2210 * This finction initializes a none-TLS LDAP session. On success LDAP*
2211 * is returned (pointed by *ldp). Otherwise, the function returns
2212 * an NS error code and provides an additional info pointed by *errorp.
2216 createNonTLSSession(const char *serverAddr
,
2217 uint16_t port
, int gssapi
,
2218 LDAP
**ldp
, ns_ldap_error_t
**errorp
)
2220 char errstr
[MAXERROR
];
2223 /* [INET6_ADDRSTRLEN]:<port>\0 */
2224 char svraddr
[1+INET6_ADDRSTRLEN
+1+1+5+1];
2226 (void) fprintf(stderr
, "tid= %d: +++Unsecure transport\n",
2231 is_ip
= (__s_api_isipv4((char *)serverAddr
) ||
2232 __s_api_isipv6((char *)serverAddr
));
2236 * Let's try to resolve IP address of server.
2238 if (is_ip
== 0 && !gssapi
&& (ldap_in_nss_switch((char *)"hosts") > 0 ||
2239 ldap_in_nss_switch((char *)"ipnodes") > 0)) {
2240 addr
= strdup(serverAddr
);
2242 return (NS_LDAP_MEMORY
);
2244 if (cvt_hostname2ip(addr
, svraddr
, sizeof (svraddr
),
2245 errstr
, MAXERROR
) == 1) {
2246 serverAddr
= svraddr
;
2250 MKERROR(LOG_WARNING
, *errorp
, LDAP_CONNECT_ERROR
,
2251 strdup(errstr
), NS_LDAP_MEMORY
);
2252 return (NS_LDAP_INTERNAL
);
2256 /* Warning message IF cannot connect to host(s) */
2257 if ((*ldp
= ldap_init((char *)serverAddr
, port
)) == NULL
) {
2258 char *p
= strerror(errno
);
2259 MKERROR(LOG_WARNING
, *errorp
, LDAP_CONNECT_ERROR
,
2260 strdup(p
), NS_LDAP_MEMORY
);
2261 return (NS_LDAP_INTERNAL
);
2264 return (NS_LDAP_SUCCESS
);
2268 * This finction initializes an LDAP session.
2271 * auth - a structure specified an authenticastion method and credentials,
2272 * serverAddr - the address of a server to which a connection
2273 * will be established,
2274 * port - a port being listened by the server,
2275 * timeoutMilliSec - a timeout in milliseconds for the Bind operation.
2278 * ldp - a pointer to an LDAP structure which will be used
2279 * for all the subsequent operations against the server.
2280 * If an error occurs, the function returns an NS error code
2281 * and provides an additional info pointed by *errorp.
2285 createSession(const ns_cred_t
*auth
, const char *serverAddr
,
2286 uint16_t port
, int timeoutMilliSec
,
2287 LDAP
**ldp
, ns_ldap_error_t
**errorp
)
2289 int useSSL
= 0, gssapi
= 0;
2290 char errstr
[MAXERROR
];
2292 switch (auth
->auth
.type
) {
2293 case NS_LDAP_AUTH_NONE
:
2294 case NS_LDAP_AUTH_SIMPLE
:
2295 case NS_LDAP_AUTH_SASL
:
2297 case NS_LDAP_AUTH_TLS
:
2301 (void) sprintf(errstr
,
2302 gettext("openConnection: unsupported "
2303 "authentication method (%d)"), auth
->auth
.type
);
2304 MKERROR(LOG_WARNING
, *errorp
,
2305 LDAP_AUTH_METHOD_NOT_SUPPORTED
, strdup(errstr
),
2307 return (NS_LDAP_INTERNAL
);
2310 if (port
== USE_DEFAULT_PORT
) {
2311 port
= useSSL
? LDAPS_PORT
: LDAP_PORT
;
2314 if (auth
->auth
.type
== NS_LDAP_AUTH_SASL
&&
2315 auth
->auth
.saslmech
== NS_LDAP_SASL_GSSAPI
)
2319 return (createTLSSession(auth
, serverAddr
, port
,
2320 timeoutMilliSec
, ldp
, errorp
));
2322 return (createNonTLSSession(serverAddr
, port
, gssapi
,
2327 * This finction performs a non-SASL bind operation. If an error accures,
2328 * the function returns an NS error code and provides an additional info
2329 * pointed by *errorp.
2333 doSimpleBind(const ns_cred_t
*auth
,
2336 ns_ldap_error_t
**errorp
,
2337 int fail_if_new_pwd_reqd
,
2340 char *binddn
, *passwd
, errstr
[MAXERROR
], *errmsg
;
2341 int msgId
, errnum
= 0, ldap_rc
;
2342 ns_ldap_return_code ret_code
;
2343 LDAPMessage
*resultMsg
= NULL
;
2344 LDAPControl
**controls
;
2347 binddn
= auth
->cred
.unix_cred
.userID
;
2348 passwd
= auth
->cred
.unix_cred
.passwd
;
2349 if (passwd
== NULL
|| *passwd
== '\0' ||
2350 binddn
== NULL
|| *binddn
== '\0') {
2351 (void) sprintf(errstr
, gettext("openConnection: "
2352 "missing credentials for Simple bind"));
2353 MKERROR(LOG_WARNING
, *errorp
, LDAP_INVALID_CREDENTIALS
,
2354 strdup(errstr
), NS_LDAP_MEMORY
);
2355 (void) ldap_unbind(ld
);
2356 return (NS_LDAP_INTERNAL
);
2360 (void) fprintf(stderr
, "tid= %d: +++Simple bind\n",
2363 msgId
= ldap_simple_bind(ld
, binddn
, passwd
);
2366 (void) ldap_get_option(ld
, LDAP_OPT_ERROR_NUMBER
,
2368 (void) snprintf(errstr
, sizeof (errstr
),
2369 gettext("openConnection: simple bind failed "
2370 "- %s"), ldap_err2string(errnum
));
2371 (void) ldap_unbind(ld
);
2372 MKERROR(LOG_WARNING
, *errorp
, errnum
, strdup(errstr
),
2374 return (NS_LDAP_INTERNAL
);
2377 tv
.tv_sec
= timeoutSec
;
2379 ldap_rc
= ldap_result(ld
, msgId
, 0, &tv
, &resultMsg
);
2381 if ((ldap_rc
== -1) || (ldap_rc
== 0)) {
2382 (void) ldap_get_option(ld
, LDAP_OPT_ERROR_NUMBER
,
2384 (void) snprintf(errstr
, sizeof (errstr
),
2385 gettext("openConnection: simple bind failed "
2386 "- %s"), ldap_err2string(errnum
));
2387 (void) ldap_msgfree(resultMsg
);
2388 (void) ldap_unbind(ld
);
2389 MKERROR(LOG_WARNING
, *errorp
, errnum
, strdup(errstr
),
2391 return (NS_LDAP_INTERNAL
);
2395 * get ldaprc, controls, and error msg
2397 ldap_rc
= ldap_parse_result(ld
, resultMsg
, &errnum
, NULL
,
2398 &errmsg
, NULL
, &controls
, 1);
2400 if (ldap_rc
!= LDAP_SUCCESS
) {
2401 (void) snprintf(errstr
, sizeof (errstr
),
2402 gettext("openConnection: simple bind failed "
2403 "- unable to parse result"));
2404 (void) ldap_unbind(ld
);
2405 MKERROR(LOG_WARNING
, *errorp
, NS_LDAP_INTERNAL
,
2406 strdup(errstr
), NS_LDAP_MEMORY
);
2407 return (NS_LDAP_INTERNAL
);
2410 /* process the password management info, if any */
2411 ret_code
= process_pwd_mgmt("simple",
2412 errnum
, controls
, errmsg
,
2414 fail_if_new_pwd_reqd
,
2417 if (ret_code
== NS_LDAP_INTERNAL
) {
2418 (void) ldap_unbind(ld
);
2425 * This finction performs a SASL bind operation. If an error accures,
2426 * the function returns an NS error code and provides an additional info
2427 * pointed by *errorp.
2431 doSASLBind(const ns_cred_t
*auth
,
2434 ns_ldap_error_t
**errorp
,
2435 int fail_if_new_pwd_reqd
,
2438 char *binddn
, *passwd
, *digest_md5_name
,
2439 errstr
[MAXERROR
], *errmsg
;
2441 int ldap_rc
, errnum
= 0;
2442 ns_ldap_return_code ret_code
;
2444 LDAPMessage
*resultMsg
;
2445 LDAPControl
**controls
;
2446 int min_ssf
= MIN_SASL_SSF
, max_ssf
= MAX_SASL_SSF
;
2447 ns_sasl_cb_param_t sasl_param
;
2449 if (auth
->auth
.saslopt
!= NS_LDAP_SASLOPT_NONE
&&
2450 auth
->auth
.saslmech
!= NS_LDAP_SASL_GSSAPI
) {
2451 (void) sprintf(errstr
,
2452 gettext("openConnection: SASL options are "
2453 "not supported (%d) for non-GSSAPI sasl bind"),
2454 auth
->auth
.saslopt
);
2455 MKERROR(LOG_WARNING
, *errorp
,
2456 LDAP_AUTH_METHOD_NOT_SUPPORTED
,
2457 strdup(errstr
), NS_LDAP_MEMORY
);
2458 (void) ldap_unbind(ld
);
2459 return (NS_LDAP_INTERNAL
);
2461 if (auth
->auth
.saslmech
!= NS_LDAP_SASL_GSSAPI
) {
2462 binddn
= auth
->cred
.unix_cred
.userID
;
2463 passwd
= auth
->cred
.unix_cred
.passwd
;
2464 if (passwd
== NULL
|| *passwd
== '\0' ||
2465 binddn
== NULL
|| *binddn
== '\0') {
2466 (void) sprintf(errstr
,
2467 gettext("openConnection: missing credentials "
2469 MKERROR(LOG_WARNING
, *errorp
,
2470 LDAP_INVALID_CREDENTIALS
,
2471 strdup(errstr
), NS_LDAP_MEMORY
);
2472 (void) ldap_unbind(ld
);
2473 return (NS_LDAP_INTERNAL
);
2475 cred
.bv_val
= passwd
;
2476 cred
.bv_len
= strlen(passwd
);
2479 ret_code
= NS_LDAP_SUCCESS
;
2481 switch (auth
->auth
.saslmech
) {
2482 case NS_LDAP_SASL_CRAM_MD5
:
2484 * NOTE: if iDS changes to support cram_md5,
2485 * please add password management code here.
2486 * Since ldap_sasl_cram_md5_bind_s does not
2487 * return anything that could be used to
2488 * extract the ldap rc/errmsg/control to
2489 * determine if bind failed due to password
2490 * policy, a new cram_md5_bind API will need
2491 * to be introduced. See
2492 * ldap_x_sasl_digest_md5_bind() and case
2493 * NS_LDAP_SASL_DIGEST_MD5 below for details.
2495 if ((ldap_rc
= ldap_sasl_cram_md5_bind_s(ld
, binddn
,
2496 &cred
, NULL
, NULL
)) != LDAP_SUCCESS
) {
2497 (void) ldap_get_option(ld
,
2498 LDAP_OPT_ERROR_NUMBER
, (void *)&errnum
);
2499 (void) snprintf(errstr
, sizeof (errstr
),
2500 gettext("openConnection: "
2501 "sasl/CRAM-MD5 bind failed - %s"),
2502 ldap_err2string(errnum
));
2503 MKERROR(LOG_WARNING
, *errorp
, errnum
,
2504 strdup(errstr
), NS_LDAP_MEMORY
);
2505 (void) ldap_unbind(ld
);
2506 return (NS_LDAP_INTERNAL
);
2509 case NS_LDAP_SASL_DIGEST_MD5
:
2510 digest_md5_name
= malloc(strlen(binddn
) + 5);
2511 /* 5 = strlen("dn: ") + 1 */
2512 if (digest_md5_name
== NULL
) {
2513 (void) ldap_unbind(ld
);
2514 return (NS_LDAP_MEMORY
);
2516 (void) strcpy(digest_md5_name
, "dn: ");
2517 (void) strcat(digest_md5_name
, binddn
);
2519 tv
.tv_sec
= timeoutSec
;
2521 ldap_rc
= ldap_x_sasl_digest_md5_bind(ld
,
2522 digest_md5_name
, &cred
, NULL
, NULL
,
2525 if (resultMsg
== NULL
) {
2526 free(digest_md5_name
);
2527 (void) ldap_get_option(ld
,
2528 LDAP_OPT_ERROR_NUMBER
, (void *)&errnum
);
2529 (void) snprintf(errstr
, sizeof (errstr
),
2530 gettext("openConnection: "
2531 "DIGEST-MD5 bind failed - %s"),
2532 ldap_err2string(errnum
));
2533 (void) ldap_unbind(ld
);
2534 MKERROR(LOG_WARNING
, *errorp
, errnum
,
2535 strdup(errstr
), NS_LDAP_MEMORY
);
2536 return (NS_LDAP_INTERNAL
);
2540 * get ldaprc, controls, and error msg
2542 ldap_rc
= ldap_parse_result(ld
, resultMsg
, &errnum
, NULL
,
2543 &errmsg
, NULL
, &controls
, 1);
2545 if (ldap_rc
!= LDAP_SUCCESS
) {
2546 free(digest_md5_name
);
2547 (void) snprintf(errstr
, sizeof (errstr
),
2548 gettext("openConnection: "
2549 "DIGEST-MD5 bind failed "
2550 "- unable to parse result"));
2551 (void) ldap_unbind(ld
);
2552 MKERROR(LOG_WARNING
, *errorp
, NS_LDAP_INTERNAL
,
2553 strdup(errstr
), NS_LDAP_MEMORY
);
2554 return (NS_LDAP_INTERNAL
);
2557 /* process the password management info, if any */
2558 ret_code
= process_pwd_mgmt("sasl/DIGEST-MD5",
2559 errnum
, controls
, errmsg
,
2561 fail_if_new_pwd_reqd
,
2564 if (ret_code
== NS_LDAP_INTERNAL
) {
2565 (void) ldap_unbind(ld
);
2568 free(digest_md5_name
);
2570 case NS_LDAP_SASL_GSSAPI
:
2571 (void) memset(&sasl_param
, 0,
2572 sizeof (ns_sasl_cb_param_t
));
2573 sasl_param
.authid
= NULL
;
2574 sasl_param
.authzid
= "";
2575 (void) ldap_set_option(ld
, LDAP_OPT_X_SASL_SSF_MIN
,
2577 (void) ldap_set_option(ld
, LDAP_OPT_X_SASL_SSF_MAX
,
2580 ldap_rc
= ldap_sasl_interactive_bind_s(
2582 NULL
, NULL
, LDAP_SASL_INTERACTIVE
,
2583 __s_api_sasl_bind_callback
,
2586 if (ldap_rc
!= LDAP_SUCCESS
) {
2587 (void) snprintf(errstr
, sizeof (errstr
),
2588 gettext("openConnection: "
2589 "GSSAPI bind failed "
2592 ldap_err2string(ldap_rc
));
2593 (void) ldap_unbind(ld
);
2594 MKERROR(LOG_WARNING
, *errorp
, NS_LDAP_INTERNAL
,
2595 strdup(errstr
), NS_LDAP_MEMORY
);
2596 return (NS_LDAP_INTERNAL
);
2601 (void) ldap_unbind(ld
);
2602 (void) sprintf(errstr
,
2603 gettext("openConnection: unsupported SASL "
2604 "mechanism (%d)"), auth
->auth
.saslmech
);
2605 MKERROR(LOG_WARNING
, *errorp
,
2606 LDAP_AUTH_METHOD_NOT_SUPPORTED
, strdup(errstr
),
2608 return (NS_LDAP_INTERNAL
);
2615 * This function performs an LDAP Bind operation proceeding
2616 * from a type of the connection specified by auth->auth.type.
2619 * auth - a structure specified an authenticastion method and credentials,
2620 * ld - a pointer returned by the createSession() function,
2621 * timeoutSec - a timeout in seconds for the Bind operation,
2622 * fail_if_new_pwd_reqd - a flag indicating that the call should fail
2623 * if a new password is required,
2624 * passwd_mgmt - a flag indicating that the server supports
2625 * password management.
2628 * If an error accures, the function returns an NS error code
2629 * and provides an additional info pointed by *errorp.
2633 performBind(const ns_cred_t
*auth
,
2636 ns_ldap_error_t
**errorp
,
2637 int fail_if_new_pwd_reqd
,
2641 char errstr
[MAXERROR
];
2643 ns_ldap_return_code (*binder
)(const ns_cred_t
*auth
,
2646 ns_ldap_error_t
**errorp
,
2647 int fail_if_new_pwd_reqd
,
2648 int passwd_mgmt
) = NULL
;
2651 (void) sprintf(errstr
,
2652 "performBind: LDAP session "
2653 "is not initialized.");
2654 MKERROR(LOG_WARNING
, *errorp
,
2655 LDAP_AUTH_METHOD_NOT_SUPPORTED
,
2656 strdup(errstr
), NS_LDAP_MEMORY
);
2657 return (NS_LDAP_INTERNAL
);
2660 bindType
= auth
->auth
.type
== NS_LDAP_AUTH_TLS
?
2661 auth
->auth
.tlstype
: auth
->auth
.type
;
2664 case NS_LDAP_AUTH_NONE
:
2666 (void) fprintf(stderr
, "tid= %d: +++Anonymous bind\n",
2670 case NS_LDAP_AUTH_SIMPLE
:
2671 binder
= doSimpleBind
;
2673 case NS_LDAP_AUTH_SASL
:
2674 binder
= doSASLBind
;
2677 (void) sprintf(errstr
,
2678 gettext("openConnection: unsupported "
2679 "authentication method "
2681 MKERROR(LOG_WARNING
, *errorp
,
2682 LDAP_AUTH_METHOD_NOT_SUPPORTED
,
2683 strdup(errstr
), NS_LDAP_MEMORY
);
2684 (void) ldap_unbind(ld
);
2685 return (NS_LDAP_INTERNAL
);
2688 if (binder
!= NULL
) {
2689 return (*binder
)(auth
,
2693 fail_if_new_pwd_reqd
,
2697 return (NS_LDAP_SUCCESS
);