1*7c478bd9Sstevel@tonic-gate /* 2*7c478bd9Sstevel@tonic-gate * Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved. 3*7c478bd9Sstevel@tonic-gate * Use is subject to license terms. 4*7c478bd9Sstevel@tonic-gate */ 5*7c478bd9Sstevel@tonic-gate 6*7c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 7*7c478bd9Sstevel@tonic-gate 8*7c478bd9Sstevel@tonic-gate /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- 9*7c478bd9Sstevel@tonic-gate * 10*7c478bd9Sstevel@tonic-gate * The contents of this file are subject to the Netscape Public License 11*7c478bd9Sstevel@tonic-gate * Version 1.0 (the "NPL"); you may not use this file except in 12*7c478bd9Sstevel@tonic-gate * compliance with the NPL. You may obtain a copy of the NPL at 13*7c478bd9Sstevel@tonic-gate * http://www.mozilla.org/NPL/ 14*7c478bd9Sstevel@tonic-gate * 15*7c478bd9Sstevel@tonic-gate * Software distributed under the NPL is distributed on an "AS IS" basis, 16*7c478bd9Sstevel@tonic-gate * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the NPL 17*7c478bd9Sstevel@tonic-gate * for the specific language governing rights and limitations under the 18*7c478bd9Sstevel@tonic-gate * NPL. 19*7c478bd9Sstevel@tonic-gate * 20*7c478bd9Sstevel@tonic-gate * The Initial Developer of the Original Code is Netscape 21*7c478bd9Sstevel@tonic-gate * Communications Corporation. Portions created by Netscape are 22*7c478bd9Sstevel@tonic-gate * Copyright (C) 1998-1999 Netscape Communications Corporation. All 23*7c478bd9Sstevel@tonic-gate * Rights Reserved. 24*7c478bd9Sstevel@tonic-gate * 25*7c478bd9Sstevel@tonic-gate * Contributor(s): 26*7c478bd9Sstevel@tonic-gate */ 27*7c478bd9Sstevel@tonic-gate #include "ldap-int.h" 28*7c478bd9Sstevel@tonic-gate 29*7c478bd9Sstevel@tonic-gate /* 30*7c478bd9Sstevel@tonic-gate * ldap_sasl_bind - authenticate to the ldap server. The dn, mechanism, 31*7c478bd9Sstevel@tonic-gate * and credentials of the entry to which to bind are supplied. An LDAP 32*7c478bd9Sstevel@tonic-gate * error code is returned and if LDAP_SUCCESS is returned *msgidp is set 33*7c478bd9Sstevel@tonic-gate * to the id of the request initiated. 34*7c478bd9Sstevel@tonic-gate * 35*7c478bd9Sstevel@tonic-gate * Example: 36*7c478bd9Sstevel@tonic-gate * struct berval creds; 37*7c478bd9Sstevel@tonic-gate * LDAPControl **ctrls; 38*7c478bd9Sstevel@tonic-gate * int err, msgid; 39*7c478bd9Sstevel@tonic-gate * ... fill in creds with credentials ... 40*7c478bd9Sstevel@tonic-gate * ... fill in ctrls with server controls ... 41*7c478bd9Sstevel@tonic-gate * err = ldap_sasl_bind( ld, "cn=manager, o=university of michigan, c=us", 42*7c478bd9Sstevel@tonic-gate * "mechanismname", &creds, ctrls, NULL, &msgid ); 43*7c478bd9Sstevel@tonic-gate */ 44*7c478bd9Sstevel@tonic-gate int 45*7c478bd9Sstevel@tonic-gate LDAP_CALL 46*7c478bd9Sstevel@tonic-gate ldap_sasl_bind( 47*7c478bd9Sstevel@tonic-gate LDAP *ld, 48*7c478bd9Sstevel@tonic-gate const char *dn, 49*7c478bd9Sstevel@tonic-gate const char *mechanism, 50*7c478bd9Sstevel@tonic-gate const struct berval *cred, 51*7c478bd9Sstevel@tonic-gate LDAPControl **serverctrls, 52*7c478bd9Sstevel@tonic-gate LDAPControl **clientctrls, 53*7c478bd9Sstevel@tonic-gate int *msgidp 54*7c478bd9Sstevel@tonic-gate ) 55*7c478bd9Sstevel@tonic-gate { 56*7c478bd9Sstevel@tonic-gate BerElement *ber; 57*7c478bd9Sstevel@tonic-gate int rc, simple, msgid, ldapversion; 58*7c478bd9Sstevel@tonic-gate 59*7c478bd9Sstevel@tonic-gate /* 60*7c478bd9Sstevel@tonic-gate * The ldapv3 bind request looks like this: 61*7c478bd9Sstevel@tonic-gate * BindRequest ::= SEQUENCE { 62*7c478bd9Sstevel@tonic-gate * version INTEGER, 63*7c478bd9Sstevel@tonic-gate * name DistinguishedName, -- who 64*7c478bd9Sstevel@tonic-gate * authentication CHOICE { 65*7c478bd9Sstevel@tonic-gate * simple [0] OCTET STRING, -- passwd 66*7c478bd9Sstevel@tonic-gate * sasl [3] SaslCredentials -- v3 only 67*7c478bd9Sstevel@tonic-gate * } 68*7c478bd9Sstevel@tonic-gate * } 69*7c478bd9Sstevel@tonic-gate * SaslCredentials ::= SEQUENCE { 70*7c478bd9Sstevel@tonic-gate * mechanism LDAPString, 71*7c478bd9Sstevel@tonic-gate * credentials OCTET STRING 72*7c478bd9Sstevel@tonic-gate * } 73*7c478bd9Sstevel@tonic-gate * all wrapped up in an LDAPMessage sequence. 74*7c478bd9Sstevel@tonic-gate */ 75*7c478bd9Sstevel@tonic-gate 76*7c478bd9Sstevel@tonic-gate LDAPDebug( LDAP_DEBUG_TRACE, "ldap_sasl_bind\n", 0, 0, 0 ); 77*7c478bd9Sstevel@tonic-gate 78*7c478bd9Sstevel@tonic-gate if ( msgidp == NULL ) { 79*7c478bd9Sstevel@tonic-gate LDAP_SET_LDERRNO( ld, LDAP_PARAM_ERROR, NULL, NULL ); 80*7c478bd9Sstevel@tonic-gate return( LDAP_PARAM_ERROR ); 81*7c478bd9Sstevel@tonic-gate } 82*7c478bd9Sstevel@tonic-gate 83*7c478bd9Sstevel@tonic-gate simple = ( mechanism == LDAP_SASL_SIMPLE ); 84*7c478bd9Sstevel@tonic-gate ldapversion = NSLDAPI_LDAP_VERSION( ld ); 85*7c478bd9Sstevel@tonic-gate 86*7c478bd9Sstevel@tonic-gate /* only ldapv3 or higher can do sasl binds */ 87*7c478bd9Sstevel@tonic-gate if ( !simple && ldapversion < LDAP_VERSION3 ) { 88*7c478bd9Sstevel@tonic-gate LDAP_SET_LDERRNO( ld, LDAP_NOT_SUPPORTED, NULL, NULL ); 89*7c478bd9Sstevel@tonic-gate return( LDAP_NOT_SUPPORTED ); 90*7c478bd9Sstevel@tonic-gate } 91*7c478bd9Sstevel@tonic-gate 92*7c478bd9Sstevel@tonic-gate LDAP_MUTEX_LOCK( ld, LDAP_MSGID_LOCK ); 93*7c478bd9Sstevel@tonic-gate msgid = ++ld->ld_msgid; 94*7c478bd9Sstevel@tonic-gate LDAP_MUTEX_UNLOCK( ld, LDAP_MSGID_LOCK ); 95*7c478bd9Sstevel@tonic-gate 96*7c478bd9Sstevel@tonic-gate if ( dn == NULL ) 97*7c478bd9Sstevel@tonic-gate dn = ""; 98*7c478bd9Sstevel@tonic-gate 99*7c478bd9Sstevel@tonic-gate if ( ld->ld_cache_on && ld->ld_cache_bind != NULL ) { 100*7c478bd9Sstevel@tonic-gate LDAP_MUTEX_LOCK( ld, LDAP_CACHE_LOCK ); 101*7c478bd9Sstevel@tonic-gate if ( (rc = (ld->ld_cache_bind)( ld, msgid, LDAP_REQ_BIND, dn, 102*7c478bd9Sstevel@tonic-gate cred, LDAP_AUTH_SASL )) != 0 ) { 103*7c478bd9Sstevel@tonic-gate *msgidp = rc; 104*7c478bd9Sstevel@tonic-gate LDAP_MUTEX_UNLOCK( ld, LDAP_CACHE_LOCK ); 105*7c478bd9Sstevel@tonic-gate return( LDAP_SUCCESS ); 106*7c478bd9Sstevel@tonic-gate } 107*7c478bd9Sstevel@tonic-gate LDAP_MUTEX_UNLOCK( ld, LDAP_CACHE_LOCK ); 108*7c478bd9Sstevel@tonic-gate } 109*7c478bd9Sstevel@tonic-gate 110*7c478bd9Sstevel@tonic-gate /* create a message to send */ 111*7c478bd9Sstevel@tonic-gate if (( rc = nsldapi_alloc_ber_with_options( ld, &ber )) 112*7c478bd9Sstevel@tonic-gate != LDAP_SUCCESS ) { 113*7c478bd9Sstevel@tonic-gate return( rc ); 114*7c478bd9Sstevel@tonic-gate } 115*7c478bd9Sstevel@tonic-gate 116*7c478bd9Sstevel@tonic-gate /* fill it in */ 117*7c478bd9Sstevel@tonic-gate if ( simple ) { /* simple bind; works in LDAPv2 or v3 */ 118*7c478bd9Sstevel@tonic-gate struct berval tmpcred; 119*7c478bd9Sstevel@tonic-gate 120*7c478bd9Sstevel@tonic-gate if ( cred == NULL ) { 121*7c478bd9Sstevel@tonic-gate tmpcred.bv_val = ""; 122*7c478bd9Sstevel@tonic-gate tmpcred.bv_len = 0; 123*7c478bd9Sstevel@tonic-gate cred = &tmpcred; 124*7c478bd9Sstevel@tonic-gate } 125*7c478bd9Sstevel@tonic-gate rc = ber_printf( ber, "{it{isto}", msgid, LDAP_REQ_BIND, 126*7c478bd9Sstevel@tonic-gate ldapversion, dn, LDAP_AUTH_SIMPLE, cred->bv_val, 127*7c478bd9Sstevel@tonic-gate (int)cred->bv_len /* XXX lossy cast */ ); 128*7c478bd9Sstevel@tonic-gate 129*7c478bd9Sstevel@tonic-gate } else { /* SASL bind; requires LDAPv3 or better */ 130*7c478bd9Sstevel@tonic-gate if ( cred == NULL ) { 131*7c478bd9Sstevel@tonic-gate rc = ber_printf( ber, "{it{ist{s}}", msgid, 132*7c478bd9Sstevel@tonic-gate LDAP_REQ_BIND, ldapversion, dn, LDAP_AUTH_SASL, 133*7c478bd9Sstevel@tonic-gate mechanism ); 134*7c478bd9Sstevel@tonic-gate } else { 135*7c478bd9Sstevel@tonic-gate rc = ber_printf( ber, "{it{ist{so}}", msgid, 136*7c478bd9Sstevel@tonic-gate LDAP_REQ_BIND, ldapversion, dn, LDAP_AUTH_SASL, 137*7c478bd9Sstevel@tonic-gate mechanism, cred->bv_val, 138*7c478bd9Sstevel@tonic-gate (int)cred->bv_len /* XXX lossy cast */ ); 139*7c478bd9Sstevel@tonic-gate } 140*7c478bd9Sstevel@tonic-gate } 141*7c478bd9Sstevel@tonic-gate 142*7c478bd9Sstevel@tonic-gate if ( rc == -1 ) { 143*7c478bd9Sstevel@tonic-gate LDAP_SET_LDERRNO( ld, LDAP_ENCODING_ERROR, NULL, NULL ); 144*7c478bd9Sstevel@tonic-gate ber_free( ber, 1 ); 145*7c478bd9Sstevel@tonic-gate return( LDAP_ENCODING_ERROR ); 146*7c478bd9Sstevel@tonic-gate } 147*7c478bd9Sstevel@tonic-gate 148*7c478bd9Sstevel@tonic-gate if ( (rc = nsldapi_put_controls( ld, serverctrls, 1, ber )) 149*7c478bd9Sstevel@tonic-gate != LDAP_SUCCESS ) { 150*7c478bd9Sstevel@tonic-gate ber_free( ber, 1 ); 151*7c478bd9Sstevel@tonic-gate return( rc ); 152*7c478bd9Sstevel@tonic-gate } 153*7c478bd9Sstevel@tonic-gate 154*7c478bd9Sstevel@tonic-gate /* send the message */ 155*7c478bd9Sstevel@tonic-gate rc = nsldapi_send_initial_request( ld, msgid, LDAP_REQ_BIND, 156*7c478bd9Sstevel@tonic-gate (char *)dn, ber ); 157*7c478bd9Sstevel@tonic-gate *msgidp = rc; 158*7c478bd9Sstevel@tonic-gate return( rc < 0 ? LDAP_GET_LDERRNO( ld, NULL, NULL ) : LDAP_SUCCESS ); 159*7c478bd9Sstevel@tonic-gate } 160*7c478bd9Sstevel@tonic-gate 161*7c478bd9Sstevel@tonic-gate /* 162*7c478bd9Sstevel@tonic-gate * ldap_sasl_bind_s - bind to the ldap server using sasl authentication 163*7c478bd9Sstevel@tonic-gate * The dn, mechanism, and credentials of the entry to which to bind are 164*7c478bd9Sstevel@tonic-gate * supplied. LDAP_SUCCESS is returned upon success, the ldap error code 165*7c478bd9Sstevel@tonic-gate * otherwise. 166*7c478bd9Sstevel@tonic-gate * 167*7c478bd9Sstevel@tonic-gate * Example: 168*7c478bd9Sstevel@tonic-gate * struct berval creds; 169*7c478bd9Sstevel@tonic-gate * ... fill in creds with credentials ... 170*7c478bd9Sstevel@tonic-gate * ldap_sasl_bind_s( ld, "cn=manager, o=university of michigan, c=us", 171*7c478bd9Sstevel@tonic-gate * "mechanismname", &creds ) 172*7c478bd9Sstevel@tonic-gate */ 173*7c478bd9Sstevel@tonic-gate int 174*7c478bd9Sstevel@tonic-gate LDAP_CALL 175*7c478bd9Sstevel@tonic-gate ldap_sasl_bind_s( 176*7c478bd9Sstevel@tonic-gate LDAP *ld, 177*7c478bd9Sstevel@tonic-gate const char *dn, 178*7c478bd9Sstevel@tonic-gate const char *mechanism, 179*7c478bd9Sstevel@tonic-gate const struct berval *cred, 180*7c478bd9Sstevel@tonic-gate LDAPControl **serverctrls, 181*7c478bd9Sstevel@tonic-gate LDAPControl **clientctrls, 182*7c478bd9Sstevel@tonic-gate struct berval **servercredp 183*7c478bd9Sstevel@tonic-gate ) 184*7c478bd9Sstevel@tonic-gate { 185*7c478bd9Sstevel@tonic-gate int err, msgid; 186*7c478bd9Sstevel@tonic-gate LDAPMessage *result; 187*7c478bd9Sstevel@tonic-gate 188*7c478bd9Sstevel@tonic-gate LDAPDebug( LDAP_DEBUG_TRACE, "ldap_sasl_bind_s\n", 0, 0, 0 ); 189*7c478bd9Sstevel@tonic-gate 190*7c478bd9Sstevel@tonic-gate if ( NSLDAPI_LDAP_VERSION( ld ) < LDAP_VERSION3 ) { 191*7c478bd9Sstevel@tonic-gate LDAP_SET_LDERRNO( ld, LDAP_NOT_SUPPORTED, NULL, NULL ); 192*7c478bd9Sstevel@tonic-gate return( LDAP_NOT_SUPPORTED ); 193*7c478bd9Sstevel@tonic-gate } 194*7c478bd9Sstevel@tonic-gate 195*7c478bd9Sstevel@tonic-gate if ( ( err = ldap_sasl_bind( ld, dn, mechanism, cred, serverctrls, 196*7c478bd9Sstevel@tonic-gate clientctrls, &msgid )) != LDAP_SUCCESS ) 197*7c478bd9Sstevel@tonic-gate return( err ); 198*7c478bd9Sstevel@tonic-gate 199*7c478bd9Sstevel@tonic-gate if ( ldap_result( ld, msgid, 1, (struct timeval *) 0, &result ) == -1 ) 200*7c478bd9Sstevel@tonic-gate return( LDAP_GET_LDERRNO( ld, NULL, NULL ) ); 201*7c478bd9Sstevel@tonic-gate 202*7c478bd9Sstevel@tonic-gate err = ldap_parse_sasl_bind_result( ld, result, servercredp, 0 ); 203*7c478bd9Sstevel@tonic-gate if (err != LDAP_SUCCESS && err != LDAP_SASL_BIND_IN_PROGRESS) { 204*7c478bd9Sstevel@tonic-gate ldap_msgfree( result ); 205*7c478bd9Sstevel@tonic-gate return( err ); 206*7c478bd9Sstevel@tonic-gate } 207*7c478bd9Sstevel@tonic-gate 208*7c478bd9Sstevel@tonic-gate return( ldap_result2error( ld, result, 1 ) ); 209*7c478bd9Sstevel@tonic-gate } 210*7c478bd9Sstevel@tonic-gate 211*7c478bd9Sstevel@tonic-gate 212*7c478bd9Sstevel@tonic-gate /* returns an LDAP error code that indicates if parse succeeded or not */ 213*7c478bd9Sstevel@tonic-gate int 214*7c478bd9Sstevel@tonic-gate LDAP_CALL 215*7c478bd9Sstevel@tonic-gate ldap_parse_sasl_bind_result( 216*7c478bd9Sstevel@tonic-gate LDAP *ld, 217*7c478bd9Sstevel@tonic-gate LDAPMessage *res, 218*7c478bd9Sstevel@tonic-gate struct berval **servercredp, 219*7c478bd9Sstevel@tonic-gate int freeit 220*7c478bd9Sstevel@tonic-gate ) 221*7c478bd9Sstevel@tonic-gate { 222*7c478bd9Sstevel@tonic-gate BerElement ber; 223*7c478bd9Sstevel@tonic-gate int rc, err; 224*7c478bd9Sstevel@tonic-gate ber_int_t along; 225*7c478bd9Sstevel@tonic-gate ber_len_t len; 226*7c478bd9Sstevel@tonic-gate char *m, *e; 227*7c478bd9Sstevel@tonic-gate 228*7c478bd9Sstevel@tonic-gate LDAPDebug( LDAP_DEBUG_TRACE, "ldap_parse_sasl_bind_result\n", 0, 0, 0 ); 229*7c478bd9Sstevel@tonic-gate 230*7c478bd9Sstevel@tonic-gate /* 231*7c478bd9Sstevel@tonic-gate * the ldapv3 SASL bind response looks like this: 232*7c478bd9Sstevel@tonic-gate * 233*7c478bd9Sstevel@tonic-gate * BindResponse ::= [APPLICATION 1] SEQUENCE { 234*7c478bd9Sstevel@tonic-gate * COMPONENTS OF LDAPResult, 235*7c478bd9Sstevel@tonic-gate * serverSaslCreds [7] OCTET STRING OPTIONAL 236*7c478bd9Sstevel@tonic-gate * } 237*7c478bd9Sstevel@tonic-gate * 238*7c478bd9Sstevel@tonic-gate * all wrapped up in an LDAPMessage sequence. 239*7c478bd9Sstevel@tonic-gate */ 240*7c478bd9Sstevel@tonic-gate 241*7c478bd9Sstevel@tonic-gate if ( !NSLDAPI_VALID_LDAP_POINTER( ld ) || 242*7c478bd9Sstevel@tonic-gate !NSLDAPI_VALID_LDAPMESSAGE_BINDRESULT_POINTER( res )) { 243*7c478bd9Sstevel@tonic-gate return( LDAP_PARAM_ERROR ); 244*7c478bd9Sstevel@tonic-gate } 245*7c478bd9Sstevel@tonic-gate 246*7c478bd9Sstevel@tonic-gate /* only ldapv3 or higher can do sasl binds */ 247*7c478bd9Sstevel@tonic-gate if ( NSLDAPI_LDAP_VERSION( ld ) < LDAP_VERSION3 ) { 248*7c478bd9Sstevel@tonic-gate LDAP_SET_LDERRNO( ld, LDAP_NOT_SUPPORTED, NULL, NULL ); 249*7c478bd9Sstevel@tonic-gate return( LDAP_NOT_SUPPORTED ); 250*7c478bd9Sstevel@tonic-gate } 251*7c478bd9Sstevel@tonic-gate 252*7c478bd9Sstevel@tonic-gate if ( servercredp != NULL ) { 253*7c478bd9Sstevel@tonic-gate *servercredp = NULL; 254*7c478bd9Sstevel@tonic-gate } 255*7c478bd9Sstevel@tonic-gate 256*7c478bd9Sstevel@tonic-gate ber = *(res->lm_ber); /* struct copy */ 257*7c478bd9Sstevel@tonic-gate 258*7c478bd9Sstevel@tonic-gate /* skip past message id, matched dn, error message ... */ 259*7c478bd9Sstevel@tonic-gate rc = ber_scanf( &ber, "{iaa}", &along, &m, &e ); 260*7c478bd9Sstevel@tonic-gate 261*7c478bd9Sstevel@tonic-gate if ( rc != LBER_ERROR && 262*7c478bd9Sstevel@tonic-gate ber_peek_tag( &ber, &len ) == LDAP_TAG_SASL_RES_CREDS ) { 263*7c478bd9Sstevel@tonic-gate rc = ber_get_stringal( &ber, servercredp ); 264*7c478bd9Sstevel@tonic-gate } 265*7c478bd9Sstevel@tonic-gate 266*7c478bd9Sstevel@tonic-gate if ( freeit ) { 267*7c478bd9Sstevel@tonic-gate ldap_msgfree( res ); 268*7c478bd9Sstevel@tonic-gate } 269*7c478bd9Sstevel@tonic-gate 270*7c478bd9Sstevel@tonic-gate if ( rc == LBER_ERROR ) { 271*7c478bd9Sstevel@tonic-gate err = LDAP_DECODING_ERROR; 272*7c478bd9Sstevel@tonic-gate } else { 273*7c478bd9Sstevel@tonic-gate err = (int) along; 274*7c478bd9Sstevel@tonic-gate } 275*7c478bd9Sstevel@tonic-gate 276*7c478bd9Sstevel@tonic-gate LDAP_SET_LDERRNO( ld, err, m, e ); 277*7c478bd9Sstevel@tonic-gate /* this is a little kludge for the 3.0 Barracuda/hammerhead relese */ 278*7c478bd9Sstevel@tonic-gate /* the docs state that the return is either LDAP_DECODING_ERROR */ 279*7c478bd9Sstevel@tonic-gate /* or LDAP_SUCCESS. Here we match the docs... it's cleaner in 3.1 */ 280*7c478bd9Sstevel@tonic-gate 281*7c478bd9Sstevel@tonic-gate if ( LDAP_DECODING_ERROR == err ) { 282*7c478bd9Sstevel@tonic-gate return (LDAP_DECODING_ERROR); 283*7c478bd9Sstevel@tonic-gate } else { 284*7c478bd9Sstevel@tonic-gate return( LDAP_SUCCESS ); 285*7c478bd9Sstevel@tonic-gate } 286*7c478bd9Sstevel@tonic-gate } 287