#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <synch.h>
#include <time.h>
#include <libintl.h>
#include <thread.h>
#include <syslog.h>
#include <sys/mman.h>
#include <nsswitch.h>
#include <nss_dbdefs.h>
#include "solaris-priv.h"
#include "solaris-int.h"
#include "ns_sldap.h"
#include "ns_internal.h"
#include "ns_cache_door.h"
#include "ns_connmgmt.h"
#include "ldappr.h"
#include <sys/stat.h>
#include <fcntl.h>
#include <procfs.h>
#include <unistd.h>
#define USE_DEFAULT_PORT 0
static ns_ldap_return_code performBind(const ns_cred_t *,
LDAP *,
int,
ns_ldap_error_t **,
int,
int);
static ns_ldap_return_code createSession(const ns_cred_t *,
const char *,
uint16_t,
int,
LDAP **,
ns_ldap_error_t **);
extern int ldap_sasl_cram_md5_bind_s(LDAP *, char *, struct berval *,
LDAPControl **, LDAPControl **);
extern int ldapssl_install_gethostbyaddr(LDAP *ld, const char *skip);
extern int __door_getconf(char **buffer, int *buflen,
ns_ldap_error_t **error, int callnumber);
extern int __ns_ldap_freeUnixCred(UnixCred_t **credp);
extern int SetDoorInfoToUnixCred(char *buffer,
ns_ldap_error_t **errorp,
UnixCred_t **cred);
static int openConnection(LDAP **, const char *, const ns_cred_t *,
int, ns_ldap_error_t **, int, int, ns_conn_user_t *, int);
static void
_DropConnection(ConnectionID cID, int flag, int fini);
static mutex_t sessionPoolLock = DEFAULTMUTEX;
static Connection **sessionPool = NULL;
static int sessionPoolSize = 0;
#define MAX_SASL_SSF 65535
#define MIN_SASL_SSF 0
#define NUMTOMALLOC 32
static
ns_ldap_return_code
getFirstFromConfig(ns_server_info_t *ret, ns_ldap_error_t **error)
{
char **servers = NULL;
ns_ldap_return_code ret_code;
char errstr[MAXERROR];
ret_code = __s_api_getServers(&servers, error);
if (ret_code != NS_LDAP_SUCCESS) {
if (servers != NULL) {
__s_api_free2dArray(servers);
}
return (ret_code);
}
if (servers == NULL || servers[0] == NULL) {
__s_api_free2dArray(servers);
(void) sprintf(errstr,
gettext("No server found in configuration"));
MKERROR(LOG_ERR, *error, NS_CONFIG_NODEFAULT,
strdup(errstr), NS_LDAP_MEMORY);
return (NS_LDAP_CONFIG);
}
ret->server = strdup(servers[0]);
if (ret->server == NULL) {
__s_api_free2dArray(servers);
return (NS_LDAP_MEMORY);
}
ret->saslMechanisms = NULL;
ret->controls = NULL;
__s_api_free2dArray(servers);
return (NS_LDAP_SUCCESS);
}
static int
__door_getadmincred(char **buffer, int *buflen, ns_ldap_error_t **error)
{
return (__door_getconf(buffer, buflen, error, GETADMINCRED));
}
static int
requestAdminCred(UnixCred_t **cred, ns_ldap_error_t **error)
{
char *buffer = NULL;
int buflen = 0;
int ret;
*error = NULL;
ret = __door_getadmincred(&buffer, &buflen, error);
if (ret != NS_LDAP_SUCCESS) {
if (*error != NULL && (*error)->message != NULL)
syslog(LOG_WARNING, "libsldap: %s", (*error)->message);
return (ret);
}
ret = SetDoorInfoToUnixCred(buffer, error, cred);
free(buffer);
return (ret);
}
int
__s_api_requestServer(const char *request, const char *server,
ns_server_info_t *ret, ns_ldap_error_t **error, const char *addrType)
{
union {
ldap_data_t s_d;
char s_b[DOORBUFFERSIZE];
} space;
ldap_data_t *sptr;
int ndata;
int adata;
char errstr[MAXERROR];
const char *ireq;
char *rbuf, *ptr, *rest;
char *dptr;
char **mptr, **mptr1, **cptr, **cptr1;
int mcnt, ccnt;
int len;
ns_ldap_return_code ret_code;
if (ret == NULL || error == NULL) {
return (NS_LDAP_OP_FAILED);
}
(void) memset(ret, 0, sizeof (ns_server_info_t));
*error = NULL;
if (request == NULL)
ireq = NS_CACHE_NEW;
else
ireq = request;
if (__s_api_isStandalone()) {
if ((ret_code = __s_api_findRootDSE(ireq,
server,
addrType,
ret,
error)) != NS_LDAP_SUCCESS) {
if (strcmp(ireq, NS_CACHE_NEW) != 0)
return (ret_code);
syslog(LOG_WARNING,
"libsldap (\"standalone\" mode): "
"can not find any available server. "
"Return the first one from the lists");
if (*error != NULL) {
(void) __ns_ldap_freeError(error);
}
ret_code = getFirstFromConfig(ret, error);
if (ret_code != NS_LDAP_SUCCESS) {
return (ret_code);
}
if (strcmp(addrType, NS_CACHE_ADDR_HOSTNAME) == 0) {
ret_code = __s_api_ip2hostname(ret->server,
&ret->serverFQDN);
if (ret_code != NS_LDAP_SUCCESS) {
(void) snprintf(errstr,
sizeof (errstr),
gettext("The %s address "
"can not be resolved into "
"a host name. Returning "
"the address as it is."),
ret->server);
MKERROR(LOG_ERR,
*error,
NS_CONFIG_NOTLOADED,
strdup(errstr),
NS_LDAP_MEMORY);
free(ret->server);
ret->server = NULL;
return (NS_LDAP_INTERNAL);
}
}
}
return (NS_LDAP_SUCCESS);
}
(void) memset(space.s_b, 0, DOORBUFFERSIZE);
adata = (sizeof (ldap_call_t) + strlen(ireq) + strlen(addrType) + 1);
if (server != NULL) {
adata += strlen(DOORLINESEP) + 1;
adata += strlen(server) + 1;
}
ndata = sizeof (space);
len = sizeof (space) - sizeof (space.s_d.ldap_call.ldap_callnumber);
space.s_d.ldap_call.ldap_callnumber = GETLDAPSERVER;
if (strlcpy(space.s_d.ldap_call.ldap_u.domainname, ireq, len) >= len)
return (NS_LDAP_MEMORY);
if (strlcat(space.s_d.ldap_call.ldap_u.domainname, addrType, len) >=
len)
return (NS_LDAP_MEMORY);
if (server != NULL) {
if (strlcat(space.s_d.ldap_call.ldap_u.domainname,
DOORLINESEP, len) >= len)
return (NS_LDAP_MEMORY);
if (strlcat(space.s_d.ldap_call.ldap_u.domainname, server,
len) >= len)
return (NS_LDAP_MEMORY);
}
sptr = &space.s_d;
switch (__ns_ldap_trydoorcall(&sptr, &ndata, &adata)) {
case NS_CACHE_SUCCESS:
break;
case NS_CACHE_NOSERVER:
ret_code = getFirstFromConfig(ret, error);
if (ret_code != NS_LDAP_SUCCESS) {
return (ret_code);
}
if (strcmp(addrType, NS_CACHE_ADDR_HOSTNAME) == 0) {
ret_code = __s_api_ip2hostname(ret->server,
&ret->serverFQDN);
if (ret_code != NS_LDAP_SUCCESS) {
(void) snprintf(errstr,
sizeof (errstr),
gettext("The %s address "
"can not be resolved into "
"a host name. Returning "
"the address as it is."),
ret->server);
MKERROR(LOG_ERR,
*error,
NS_CONFIG_NOTLOADED,
strdup(errstr),
NS_LDAP_MEMORY);
free(ret->server);
ret->server = NULL;
return (NS_LDAP_INTERNAL);
}
}
return (NS_LDAP_SUCCESS);
case NS_CACHE_NOTFOUND:
default:
return (NS_LDAP_OP_FAILED);
}
rbuf = space.s_d.ldap_ret.ldap_u.config;
ptr = strtok_r(rbuf, DOORLINESEP, &rest);
if (ptr == NULL) {
(void) sprintf(errstr, gettext("No server returned from "
"ldap_cachemgr"));
MKERROR(LOG_WARNING, *error, NS_CONFIG_CACHEMGR,
strdup(errstr), NS_LDAP_MEMORY);
return (NS_LDAP_OP_FAILED);
}
ret->server = strdup(ptr);
if (ret->server == NULL) {
return (NS_LDAP_MEMORY);
}
if (strcmp(addrType, NS_CACHE_ADDR_HOSTNAME) == 0) {
ptr = strtok_r(NULL, DOORLINESEP, &rest);
if (ptr == NULL) {
(void) sprintf(errstr, gettext("No server FQDN format "
"returned from ldap_cachemgr"));
MKERROR(LOG_WARNING, *error, NS_CONFIG_CACHEMGR,
strdup(errstr), NS_LDAP_MEMORY);
free(ret->server);
ret->server = NULL;
return (NS_LDAP_OP_FAILED);
}
ret->serverFQDN = strdup(ptr);
if (ret->serverFQDN == NULL) {
free(ret->server);
ret->server = NULL;
return (NS_LDAP_MEMORY);
}
}
mptr = NULL;
mcnt = 0;
cptr = NULL;
ccnt = 0;
for (;;) {
ptr = strtok_r(NULL, DOORLINESEP, &rest);
if (ptr == NULL)
break;
if (strncasecmp(ptr, _SASLMECHANISM,
_SASLMECHANISM_LEN) == 0) {
dptr = strchr(ptr, '=');
if (dptr == NULL)
continue;
dptr++;
mptr1 = (char **)realloc((void *)mptr,
sizeof (char *) * (mcnt+2));
if (mptr1 == NULL) {
__s_api_free2dArray(mptr);
if (sptr != &space.s_d) {
(void) munmap((char *)sptr, ndata);
}
__s_api_free2dArray(cptr);
__s_api_free_server_info(ret);
return (NS_LDAP_MEMORY);
}
mptr = mptr1;
mptr[mcnt] = strdup(dptr);
if (mptr[mcnt] == NULL) {
if (sptr != &space.s_d) {
(void) munmap((char *)sptr, ndata);
}
__s_api_free2dArray(cptr);
cptr = NULL;
__s_api_free2dArray(mptr);
mptr = NULL;
__s_api_free_server_info(ret);
return (NS_LDAP_MEMORY);
}
mcnt++;
mptr[mcnt] = NULL;
}
if (strncasecmp(ptr, _SUPPORTEDCONTROL,
_SUPPORTEDCONTROL_LEN) == 0) {
dptr = strchr(ptr, '=');
if (dptr == NULL)
continue;
dptr++;
cptr1 = (char **)realloc((void *)cptr,
sizeof (char *) * (ccnt+2));
if (cptr1 == NULL) {
if (sptr != &space.s_d) {
(void) munmap((char *)sptr, ndata);
}
__s_api_free2dArray(cptr);
__s_api_free2dArray(mptr);
mptr = NULL;
__s_api_free_server_info(ret);
return (NS_LDAP_MEMORY);
}
cptr = cptr1;
cptr[ccnt] = strdup(dptr);
if (cptr[ccnt] == NULL) {
if (sptr != &space.s_d) {
(void) munmap((char *)sptr, ndata);
}
__s_api_free2dArray(cptr);
cptr = NULL;
__s_api_free2dArray(mptr);
mptr = NULL;
__s_api_free_server_info(ret);
return (NS_LDAP_MEMORY);
}
ccnt++;
cptr[ccnt] = NULL;
}
}
if (mptr != NULL) {
ret->saslMechanisms = mptr;
}
if (cptr != NULL) {
ret->controls = cptr;
}
if (sptr != &space.s_d) {
(void) munmap((char *)sptr, ndata);
}
*error = NULL;
return (NS_LDAP_SUCCESS);
}
#ifdef DEBUG
static void
printCred(FILE *fp, const ns_cred_t *cred)
{
thread_t t = thr_self();
if (cred == NULL) {
(void) fprintf(fp, "tid= %d: printCred: cred is NULL\n", t);
return;
}
(void) fprintf(fp, "tid= %d: AuthType=%d\n", t, cred->auth.type);
(void) fprintf(fp, "tid= %d: TlsType=%d\n", t, cred->auth.tlstype);
(void) fprintf(fp, "tid= %d: SaslMech=%d\n", t, cred->auth.saslmech);
(void) fprintf(fp, "tid= %d: SaslOpt=%d\n", t, cred->auth.saslopt);
if (cred->hostcertpath)
(void) fprintf(fp, "tid= %d: hostCertPath=%s\n",
t, cred->hostcertpath);
if (cred->cred.unix_cred.userID)
(void) fprintf(fp, "tid= %d: userID=%s\n",
t, cred->cred.unix_cred.userID);
if (cred->cred.unix_cred.passwd)
(void) fprintf(fp, "tid= %d: passwd=%s\n",
t, cred->cred.unix_cred.passwd);
}
static void
printConnection(FILE *fp, Connection *con)
{
thread_t t = thr_self();
if (con == NULL)
return;
(void) fprintf(fp, "tid= %d: connectionID=%d\n", t, con->connectionId);
(void) fprintf(fp, "tid= %d: usedBit=%d\n", t, con->usedBit);
(void) fprintf(fp, "tid= %d: threadID=%d\n", t, con->threadID);
if (con->serverAddr) {
(void) fprintf(fp, "tid= %d: serverAddr=%s\n",
t, con->serverAddr);
}
printCred(fp, con->auth);
}
#endif
static int
addConnection(Connection *con)
{
int i;
if (!con)
return (-1);
#ifdef DEBUG
(void) fprintf(stderr, "Adding connection thrid=%d\n", con->threadID);
#endif
(void) mutex_lock(&sessionPoolLock);
if (sessionPool == NULL) {
sessionPoolSize = SESSION_CACHE_INC;
sessionPool = calloc(sessionPoolSize,
sizeof (Connection *));
if (!sessionPool) {
(void) mutex_unlock(&sessionPoolLock);
return (-1);
}
#ifdef DEBUG
(void) fprintf(stderr, "Initialized sessionPool\n");
#endif
}
for (i = 0; (i < sessionPoolSize) && (sessionPool[i] != NULL); ++i)
;
if (i == sessionPoolSize) {
Connection **cl;
cl = (Connection **) realloc(sessionPool,
(sessionPoolSize + SESSION_CACHE_INC) *
sizeof (Connection *));
if (!cl) {
(void) mutex_unlock(&sessionPoolLock);
return (-1);
}
(void) memset(cl + sessionPoolSize, 0,
SESSION_CACHE_INC * sizeof (Connection *));
sessionPool = cl;
sessionPoolSize += SESSION_CACHE_INC;
#ifdef DEBUG
(void) fprintf(stderr, "Increased sessionPoolSize to: %d\n",
sessionPoolSize);
#endif
}
sessionPool[i] = con;
con->usedBit = B_TRUE;
(void) mutex_unlock(&sessionPoolLock);
con->connectionId = i + CONID_OFFSET;
#ifdef DEBUG
(void) fprintf(stderr, "Connection added [%d]\n", i);
printConnection(stderr, con);
#endif
return (i + CONID_OFFSET);
}
static int
findConnection(int flags, const char *serverAddr,
const ns_cred_t *auth, Connection **conp)
{
Connection *cp;
int i;
#ifdef DEBUG
thread_t t;
#endif
if (auth == NULL || conp == NULL)
return (-1);
*conp = NULL;
if ((flags & NS_LDAP_NEW_CONN) || (!__s_api_nscd_proc() &&
!__s_api_peruser_proc() && !(flags & NS_LDAP_KEEP_CONN)))
return (-1);
#ifdef DEBUG
t = thr_self();
(void) fprintf(stderr, "tid= %d: Find connection\n", t);
(void) fprintf(stderr, "tid= %d: Looking for ....\n", t);
if (serverAddr && *serverAddr)
(void) fprintf(stderr, "tid= %d: serverAddr=%s\n",
t, serverAddr);
else
(void) fprintf(stderr, "tid= %d: serverAddr=NULL\n", t);
printCred(stderr, auth);
fflush(stderr);
#endif
if (sessionPool == NULL)
return (-1);
(void) mutex_lock(&sessionPoolLock);
for (i = 0; i < sessionPoolSize; ++i) {
if (sessionPool[i] == NULL)
continue;
cp = sessionPool[i];
#ifdef DEBUG
(void) fprintf(stderr,
"tid: %d: checking connection [%d] ....\n", t, i);
printConnection(stderr, cp);
#endif
if ((cp->usedBit) || (serverAddr && *serverAddr &&
(strcasecmp(serverAddr, cp->serverAddr) != 0)))
continue;
if (__s_api_is_auth_matched(cp->auth, auth) == B_FALSE)
continue;
cp->usedBit = B_TRUE;
(void) mutex_unlock(&sessionPoolLock);
cp->threadID = thr_self();
*conp = cp;
#ifdef DEBUG
(void) fprintf(stderr,
"tid %d: Connection found cID=%d\n", t, i);
fflush(stderr);
#endif
return (i + CONID_OFFSET);
}
(void) mutex_unlock(&sessionPoolLock);
return (-1);
}
void
__s_api_freeConnection(Connection *con)
{
if (con == NULL)
return;
if (con->serverAddr)
free(con->serverAddr);
if (con->auth)
(void) __ns_ldap_freeCred(&(con->auth));
if (con->saslMechanisms) {
__s_api_free2dArray(con->saslMechanisms);
}
if (con->controls) {
__s_api_free2dArray(con->controls);
}
free(con);
}
static int
makeConnection(Connection **conp, const char *serverAddr,
const ns_cred_t *auth, ConnectionID *cID, int timeoutSec,
ns_ldap_error_t **errorp, int fail_if_new_pwd_reqd,
int nopasswd_acct_mgmt, int flags, char ***badsrvrs,
ns_conn_user_t *conn_user)
{
Connection *con = NULL;
ConnectionID id;
char errmsg[MAXERROR];
int rc, exit_rc = NS_LDAP_SUCCESS;
ns_server_info_t sinfo;
char *hReq, *host = NULL;
LDAP *ld = NULL;
int passwd_mgmt = 0;
int totalbad = 0;
short memerr = 0;
char *serverAddrType = NULL, **bindHost = NULL;
if (conp == NULL || errorp == NULL || auth == NULL)
return (NS_LDAP_INVALID_PARAM);
if (*errorp)
(void) __ns_ldap_freeError(errorp);
*conp = NULL;
(void) memset(&sinfo, 0, sizeof (sinfo));
if ((id = findConnection(flags, serverAddr, auth, &con)) != -1) {
#ifdef DEBUG
(void) fprintf(stderr, "tid= %d: connection found in "
"cache %d\n", thr_self(), id);
fflush(stderr);
#endif
*cID = id;
*conp = con;
return (NS_LDAP_SUCCESS);
}
if (auth->auth.saslmech == NS_LDAP_SASL_GSSAPI) {
serverAddrType = NS_CACHE_ADDR_HOSTNAME;
bindHost = &sinfo.serverFQDN;
} else {
serverAddrType = NS_CACHE_ADDR_IP;
bindHost = &sinfo.server;
}
if (serverAddr) {
if (__s_api_isInitializing()) {
sinfo.server = strdup(serverAddr);
if (sinfo.server == NULL)
return (NS_LDAP_MEMORY);
if (strcmp(serverAddrType,
NS_CACHE_ADDR_HOSTNAME) == 0) {
rc = __s_api_ip2hostname(sinfo.server,
&sinfo.serverFQDN);
if (rc != NS_LDAP_SUCCESS) {
(void) snprintf(errmsg,
sizeof (errmsg),
gettext("The %s address "
"can not be resolved into "
"a host name. Returning "
"the address as it is."),
serverAddr);
MKERROR(LOG_ERR,
*errorp,
NS_CONFIG_NOTLOADED,
strdup(errmsg),
NS_LDAP_MEMORY);
__s_api_free_server_info(&sinfo);
return (NS_LDAP_INTERNAL);
}
}
} else {
sinfo.server = strdup(serverAddr);
if (sinfo.server == NULL) {
return (NS_LDAP_MEMORY);
}
if (auth->auth.saslmech == NS_LDAP_SASL_GSSAPI) {
sinfo.serverFQDN = strdup(serverAddr);
if (sinfo.serverFQDN == NULL) {
free(sinfo.server);
return (NS_LDAP_MEMORY);
}
}
}
rc = openConnection(&ld, *bindHost, auth, timeoutSec, errorp,
fail_if_new_pwd_reqd, passwd_mgmt, conn_user, flags);
if (rc == NS_LDAP_SUCCESS || rc ==
NS_LDAP_SUCCESS_WITH_INFO) {
exit_rc = rc;
goto create_con;
} else {
if (auth->auth.saslmech == NS_LDAP_SASL_GSSAPI) {
(void) snprintf(errmsg, sizeof (errmsg),
"%s %s", gettext("makeConnection: "
"failed to open connection using "
"sasl/GSSAPI to"), *bindHost);
} else {
(void) snprintf(errmsg, sizeof (errmsg),
"%s %s", gettext("makeConnection: "
"failed to open connection to"),
*bindHost);
}
syslog(LOG_ERR, "libsldap: %s", errmsg);
__s_api_free_server_info(&sinfo);
return (rc);
}
}
for (; ; ) {
if (host == NULL)
hReq = NS_CACHE_NEW;
else
hReq = NS_CACHE_NEXT;
rc = __s_api_requestServer(hReq, host, &sinfo, errorp,
serverAddrType);
if ((rc != NS_LDAP_SUCCESS) || (sinfo.server == NULL) ||
(host && (strcasecmp(host, sinfo.server) == 0))) {
if (*errorp) {
(void) snprintf(errmsg, sizeof (errmsg),
"%s: (%s)", gettext("makeConnection: "
"unable to make LDAP connection, "
"request for a server failed"),
(*errorp)->message);
syslog(LOG_ERR, "libsldap: %s", errmsg);
}
__s_api_free_server_info(&sinfo);
if (host)
free(host);
return (NS_LDAP_OP_FAILED);
}
if (host)
free(host);
host = strdup(sinfo.server);
if (host == NULL) {
__s_api_free_server_info(&sinfo);
return (NS_LDAP_MEMORY);
}
passwd_mgmt = __s_api_contain_passwd_control_oid(
sinfo.controls);
if (nopasswd_acct_mgmt &&
!__s_api_contain_account_usable_control_oid(
sinfo.controls)) {
syslog(LOG_WARNING, "libsldap: server %s does not "
"provide account information without password",
host);
free(host);
__s_api_free_server_info(&sinfo);
return (NS_LDAP_OP_FAILED);
}
rc = openConnection(&ld, *bindHost, auth, timeoutSec, errorp,
fail_if_new_pwd_reqd, passwd_mgmt, conn_user, flags);
if (rc == NS_LDAP_SUCCESS ||
rc == NS_LDAP_SUCCESS_WITH_INFO) {
exit_rc = rc;
break;
}
if (rc == NS_LDAP_INTERNAL && *errorp != NULL) {
if ((*errorp)->status == LDAP_CONNECT_ERROR ||
(*errorp)->status == LDAP_SERVER_DOWN) {
memerr = 0;
if (*badsrvrs == NULL) {
if (!(*badsrvrs = (char **)malloc
(sizeof (char *) * NUMTOMALLOC))) {
memerr = 1;
}
} else if ((totalbad % NUMTOMALLOC) ==
NUMTOMALLOC - 1) {
char **tmpptr;
if (!(tmpptr = (char **)realloc(
*badsrvrs,
(sizeof (char *) * NUMTOMALLOC *
((totalbad/NUMTOMALLOC) + 2))))) {
memerr = 1;
} else {
*badsrvrs = tmpptr;
}
}
if (!memerr &&
!((*badsrvrs)[totalbad++] = strdup(host))) {
memerr = 1;
totalbad--;
}
(*badsrvrs)[totalbad] = NULL;
}
}
__s_api_free_server_info(&sinfo);
if (memerr)
return (NS_LDAP_MEMORY);
if (*errorp) {
if ((*errorp)->pwd_mgmt.status != NS_PASSWD_GOOD ||
(*errorp)->status == LDAP_INVALID_CREDENTIALS) {
free(host);
return (rc);
} else {
(void) __ns_ldap_freeError(errorp);
*errorp = NULL;
}
}
}
create_con:
if (host)
free(host);
if ((con = calloc(1, sizeof (Connection))) == NULL) {
__s_api_free_server_info(&sinfo);
if (*errorp) {
(void) __ns_ldap_freeError(errorp);
*errorp = NULL;
}
(void) ldap_unbind(ld);
return (NS_LDAP_MEMORY);
}
con->serverAddr = sinfo.server;
if (sinfo.serverFQDN != NULL) {
free(sinfo.serverFQDN);
sinfo.serverFQDN = NULL;
}
con->saslMechanisms = sinfo.saslMechanisms;
con->controls = sinfo.controls;
con->auth = __ns_ldap_dupAuth(auth);
if (con->auth == NULL) {
(void) ldap_unbind(ld);
__s_api_freeConnection(con);
if (*errorp) {
(void) __ns_ldap_freeError(errorp);
*errorp = NULL;
}
return (NS_LDAP_MEMORY);
}
con->threadID = thr_self();
con->pid = getpid();
con->ld = ld;
if (conn_user != NULL && conn_user->conn_mt != NULL) {
if (__s_api_conn_mt_add(con, conn_user, errorp) ==
NS_LDAP_SUCCESS) {
*conp = con;
return (exit_rc);
} else {
(void) ldap_unbind(ld);
__s_api_freeConnection(con);
return ((*errorp)->status);
}
}
if ((id = addConnection(con)) == -1) {
(void) ldap_unbind(ld);
__s_api_freeConnection(con);
if (*errorp) {
(void) __ns_ldap_freeError(errorp);
*errorp = NULL;
}
return (NS_LDAP_MEMORY);
}
#ifdef DEBUG
(void) fprintf(stderr, "tid= %d: connection added into "
"cache %d\n", thr_self(), id);
fflush(stderr);
#endif
*cID = id;
*conp = con;
return (exit_rc);
}
static void
_DropConnection(ConnectionID cID, int flag, int fini)
{
Connection *cp;
int id;
int use_mutex = !fini;
struct timeval zerotime;
LDAPMessage *res;
zerotime.tv_sec = zerotime.tv_usec = 0L;
id = cID - CONID_OFFSET;
if (id < 0 || id >= sessionPoolSize)
return;
#ifdef DEBUG
(void) fprintf(stderr,
"tid %d: Dropping connection cID=%d flag=0x%x\n",
thr_self(), cID, flag);
fflush(stderr);
#endif
if (use_mutex)
(void) mutex_lock(&sessionPoolLock);
cp = sessionPool[id];
if (!cp || (!fini && (!cp->usedBit || cp->threadID != thr_self()))) {
if (use_mutex)
(void) mutex_unlock(&sessionPoolLock);
return;
}
if (!fini &&
((flag & NS_LDAP_NEW_CONN) == 0) &&
((flag & NS_LDAP_KEEP_CONN) || __s_api_nscd_proc() ||
__s_api_peruser_proc())) {
cp->usedBit = B_FALSE;
cp->threadID = 0;
while (ldap_result(cp->ld, LDAP_RES_ANY, LDAP_MSG_ALL,
&zerotime, &res) > 0) {
if (res != NULL)
(void) ldap_msgfree(res);
}
if (use_mutex)
(void) mutex_unlock(&sessionPoolLock);
} else {
sessionPool[id] = NULL;
if (use_mutex)
(void) mutex_unlock(&sessionPoolLock);
(void) ldap_unbind(cp->ld);
__s_api_freeConnection(cp);
}
}
void
DropConnection(ConnectionID cID, int flag)
{
_DropConnection(cID, flag, 0);
}
static int
process_pwd_mgmt(char *bind_type, int ldaprc,
LDAPControl **controls,
char *errmsg, ns_ldap_error_t **errorp,
int fail_if_new_pwd_reqd,
int passwd_mgmt)
{
char errstr[MAXERROR];
LDAPControl **ctrl = NULL;
int exit_rc;
ns_ldap_passwd_status_t pwd_status = NS_PASSWD_GOOD;
int sec_until_exp = 0;
if (errmsg &&
(*errmsg == '\0' || ldaprc == LDAP_SUCCESS)) {
ldap_memfree(errmsg);
errmsg = NULL;
}
if (ldaprc != LDAP_SUCCESS) {
if (errmsg) {
if (passwd_mgmt)
pwd_status =
__s_api_set_passwd_status(
ldaprc, errmsg);
ldap_memfree(errmsg);
}
(void) snprintf(errstr, sizeof (errstr),
gettext("openConnection: "
"%s bind failed "
"- %s"), bind_type, ldap_err2string(ldaprc));
if (pwd_status != NS_PASSWD_GOOD) {
MKERROR_PWD_MGMT(*errorp,
ldaprc, strdup(errstr),
pwd_status, 0, NS_LDAP_MEMORY);
} else {
MKERROR(LOG_ERR, *errorp, ldaprc, strdup(errstr),
NS_LDAP_MEMORY);
}
if (controls)
ldap_controls_free(controls);
return (NS_LDAP_INTERNAL);
}
exit_rc = NS_LDAP_SUCCESS;
if (controls && passwd_mgmt) {
for (ctrl = controls; *ctrl; ctrl++) {
if (strcmp((*ctrl)->ldctl_oid,
LDAP_CONTROL_PWEXPIRED) == 0) {
pwd_status =
NS_PASSWD_CHANGE_NEEDED;
if (fail_if_new_pwd_reqd) {
(void) snprintf(errstr,
sizeof (errstr),
gettext(
"openConnection: "
"%s bind "
"failed "
"- password "
"expired. It "
" needs to change "
"immediately!"),
bind_type);
MKERROR_PWD_MGMT(*errorp,
LDAP_SUCCESS,
strdup(errstr),
pwd_status,
0,
NS_LDAP_MEMORY);
exit_rc = NS_LDAP_INTERNAL;
} else {
MKERROR_PWD_MGMT(*errorp,
LDAP_SUCCESS,
NULL,
pwd_status,
0,
NS_LDAP_MEMORY);
exit_rc =
NS_LDAP_SUCCESS_WITH_INFO;
}
break;
} else if (strcmp((*ctrl)->ldctl_oid,
LDAP_CONTROL_PWEXPIRING) == 0) {
pwd_status =
NS_PASSWD_ABOUT_TO_EXPIRE;
if ((*ctrl)->
ldctl_value.bv_len > 0 &&
(*ctrl)->
ldctl_value.bv_val)
sec_until_exp =
atoi((*ctrl)->
ldctl_value.bv_val);
MKERROR_PWD_MGMT(*errorp,
LDAP_SUCCESS,
NULL,
pwd_status,
sec_until_exp,
NS_LDAP_MEMORY);
exit_rc =
NS_LDAP_SUCCESS_WITH_INFO;
break;
}
}
}
if (controls)
ldap_controls_free(controls);
return (exit_rc);
}
static int
ldap_in_nss_switch(char *db)
{
enum __nsw_parse_err pserr;
struct __nsw_switchconfig *conf;
struct __nsw_lookup *lkp;
const char *name;
int found = 0;
conf = __nsw_getconfig(db, &pserr);
if (conf == NULL) {
return (-1);
}
for (lkp = conf->lookups; lkp != NULL; lkp = lkp->next) {
name = lkp->service_name;
if (strcmp(name, "ldap") == 0) {
found = 1;
break;
}
}
(void) __nsw_freeconfig(conf);
return (found);
}
static int
openConnection(LDAP **ldp, const char *serverAddr, const ns_cred_t *auth,
int timeoutSec, ns_ldap_error_t **errorp,
int fail_if_new_pwd_reqd, int passwd_mgmt,
ns_conn_user_t *conn_user, int flags)
{
LDAP *ld = NULL;
int ldapVersion = LDAP_VERSION3;
int derefOption = LDAP_DEREF_ALWAYS;
int zero = 0;
int timeoutMilliSec = timeoutSec * 1000;
uint16_t port = USE_DEFAULT_PORT;
char *s;
char errstr[MAXERROR];
int followRef;
ns_ldap_return_code ret_code = NS_LDAP_SUCCESS;
*errorp = NULL;
*ldp = NULL;
s = strchr(serverAddr, ']');
s = strchr(s != NULL ? s : serverAddr, ':');
if (s != NULL) {
if (sscanf(s + 1, "%hu", &port) != 1) {
(void) snprintf(errstr,
sizeof (errstr),
gettext("openConnection: cannot "
"convert %s into a valid "
"port number for the "
"%s server. A default value "
"will be used."),
s,
serverAddr);
syslog(LOG_ERR, "libsldap: %s", errstr);
} else {
*s = '\0';
}
}
ret_code = createSession(auth,
serverAddr,
port,
timeoutMilliSec,
&ld,
errorp);
if (s != NULL) {
*s = ':';
}
if (ret_code != NS_LDAP_SUCCESS) {
return (ret_code);
}
if (conn_user != NULL) {
int rc;
rc = __s_api_check_libldap_MT_conn_support(conn_user, ld,
errorp);
if (rc != NS_LDAP_SUCCESS) {
(void) ldap_unbind(ld);
return (rc);
}
}
(void) ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ldapVersion);
(void) ldap_set_option(ld, LDAP_OPT_DEREF, &derefOption);
ret_code = __s_api_toFollowReferrals(flags, &followRef, errorp);
if (ret_code != NS_LDAP_SUCCESS) {
(void) ldap_unbind(ld);
return (ret_code);
}
if (followRef)
(void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON);
else
(void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
(void) ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &zero);
(void) ldap_set_option(ld, LDAP_OPT_SIZELIMIT, &zero);
(void) ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT,
&timeoutMilliSec);
(void) ldap_set_option(ld, LDAP_OPT_RESTART, LDAP_OPT_ON);
ret_code = performBind(auth,
ld,
timeoutSec,
errorp,
fail_if_new_pwd_reqd,
passwd_mgmt);
if (ret_code == NS_LDAP_SUCCESS ||
ret_code == NS_LDAP_SUCCESS_WITH_INFO) {
(void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
*ldp = ld;
}
return (ret_code);
}
static int
__s_api_getDefaultAuth(
int *cLevel,
ns_auth_t *aMethod,
ns_cred_t **authp,
int getAdmin)
{
void **paramVal = NULL;
char *modparamVal = NULL;
int getUid = 0;
int getPasswd = 0;
int getCertpath = 0;
int rc = 0;
ns_ldap_error_t *errorp = NULL;
UnixCred_t *AdminCred = NULL;
#ifdef DEBUG
(void) fprintf(stderr, "__s_api_getDefaultAuth START\n");
#endif
if (aMethod == NULL) {
return (NS_LDAP_INVALID_PARAM);
}
if (cLevel && *cLevel == NS_LDAP_CRED_SELF &&
aMethod->saslmech != NS_LDAP_SASL_GSSAPI)
return (NS_LDAP_INVALID_PARAM);
*authp = (ns_cred_t *)calloc(1, sizeof (ns_cred_t));
if ((*authp) == NULL)
return (NS_LDAP_MEMORY);
(*authp)->auth = *aMethod;
switch (aMethod->type) {
case NS_LDAP_AUTH_NONE:
return (NS_LDAP_SUCCESS);
case NS_LDAP_AUTH_SIMPLE:
getUid++;
getPasswd++;
break;
case NS_LDAP_AUTH_SASL:
if ((aMethod->saslmech == NS_LDAP_SASL_DIGEST_MD5) ||
(aMethod->saslmech == NS_LDAP_SASL_CRAM_MD5)) {
getUid++;
getPasswd++;
} else if (aMethod->saslmech != NS_LDAP_SASL_GSSAPI) {
(void) __ns_ldap_freeCred(authp);
return (NS_LDAP_INVALID_PARAM);
}
break;
case NS_LDAP_AUTH_TLS:
if ((aMethod->tlstype == NS_LDAP_TLS_SIMPLE) ||
((aMethod->tlstype == NS_LDAP_TLS_SASL) &&
((aMethod->saslmech == NS_LDAP_SASL_DIGEST_MD5) ||
(aMethod->saslmech == NS_LDAP_SASL_CRAM_MD5)))) {
getUid++;
getPasswd++;
getCertpath++;
} else if (aMethod->tlstype == NS_LDAP_TLS_NONE) {
getCertpath++;
} else {
(void) __ns_ldap_freeCred(authp);
return (NS_LDAP_INVALID_PARAM);
}
break;
}
if (getUid) {
paramVal = NULL;
if (getAdmin) {
AdminCred = calloc(1, sizeof (UnixCred_t));
if (AdminCred == NULL) {
(void) __ns_ldap_freeCred(authp);
return (NS_LDAP_MEMORY);
}
rc = requestAdminCred(&AdminCred, &errorp);
if (rc != NS_LDAP_SUCCESS) {
(void) __ns_ldap_freeCred(authp);
(void) __ns_ldap_freeUnixCred(&AdminCred);
(void) __ns_ldap_freeError(&errorp);
return (rc);
}
if (AdminCred->userID == NULL) {
(void) __ns_ldap_freeCred(authp);
(void) __ns_ldap_freeUnixCred(&AdminCred);
return (NS_LDAP_INVALID_PARAM);
}
(*authp)->cred.unix_cred.userID = AdminCred->userID;
AdminCred->userID = NULL;
} else {
rc = __ns_ldap_getParam(NS_LDAP_BINDDN_P,
¶mVal, &errorp);
if (rc != NS_LDAP_SUCCESS) {
(void) __ns_ldap_freeCred(authp);
(void) __ns_ldap_freeError(&errorp);
return (rc);
}
if (paramVal == NULL || *paramVal == NULL) {
(void) __ns_ldap_freeCred(authp);
return (NS_LDAP_INVALID_PARAM);
}
(*authp)->cred.unix_cred.userID =
strdup((char *)*paramVal);
(void) __ns_ldap_freeParam(¶mVal);
}
if ((*authp)->cred.unix_cred.userID == NULL) {
(void) __ns_ldap_freeCred(authp);
(void) __ns_ldap_freeUnixCred(&AdminCred);
return (NS_LDAP_MEMORY);
}
}
if (getPasswd) {
paramVal = NULL;
if (getAdmin) {
if (AdminCred == NULL || AdminCred->passwd == NULL) {
(void) __ns_ldap_freeCred(authp);
(void) __ns_ldap_freeUnixCred(&AdminCred);
return (NS_LDAP_INVALID_PARAM);
}
modparamVal = dvalue(AdminCred->passwd);
} else {
rc = __ns_ldap_getParam(NS_LDAP_BINDPASSWD_P,
¶mVal, &errorp);
if (rc != NS_LDAP_SUCCESS) {
(void) __ns_ldap_freeCred(authp);
(void) __ns_ldap_freeError(&errorp);
return (rc);
}
if (paramVal == NULL || *paramVal == NULL) {
(void) __ns_ldap_freeCred(authp);
return (NS_LDAP_INVALID_PARAM);
}
modparamVal = dvalue((char *)*paramVal);
(void) __ns_ldap_freeParam(¶mVal);
}
if (modparamVal == NULL || (strlen((char *)modparamVal) == 0)) {
(void) __ns_ldap_freeCred(authp);
(void) __ns_ldap_freeUnixCred(&AdminCred);
if (modparamVal != NULL)
free(modparamVal);
return (NS_LDAP_INVALID_PARAM);
}
(*authp)->cred.unix_cred.passwd = modparamVal;
}
if (getCertpath) {
paramVal = NULL;
if ((rc = __ns_ldap_getParam(NS_LDAP_HOST_CERTPATH_P,
¶mVal, &errorp)) != NS_LDAP_SUCCESS) {
(void) __ns_ldap_freeCred(authp);
(void) __ns_ldap_freeUnixCred(&AdminCred);
(void) __ns_ldap_freeError(&errorp);
*authp = NULL;
return (rc);
}
if (paramVal == NULL || *paramVal == NULL) {
(void) __ns_ldap_freeCred(authp);
(void) __ns_ldap_freeUnixCred(&AdminCred);
*authp = NULL;
return (NS_LDAP_INVALID_PARAM);
}
(*authp)->hostcertpath = strdup((char *)*paramVal);
(void) __ns_ldap_freeParam(¶mVal);
if ((*authp)->hostcertpath == NULL) {
(void) __ns_ldap_freeCred(authp);
(void) __ns_ldap_freeUnixCred(&AdminCred);
*authp = NULL;
return (NS_LDAP_MEMORY);
}
}
(void) __ns_ldap_freeUnixCred(&AdminCred);
return (NS_LDAP_SUCCESS);
}
static int
getConnection(
const char *server,
const int flags,
const ns_cred_t *cred,
ConnectionID *sessionId,
Connection **session,
ns_ldap_error_t **errorp,
int fail_if_new_pwd_reqd,
int nopasswd_acct_mgmt,
ns_conn_user_t *conn_user)
{
char errmsg[MAXERROR];
ns_auth_t **aMethod = NULL;
ns_auth_t **aNext = NULL;
int **cLevel = NULL;
int **cNext = NULL;
int timeoutSec = NS_DEFAULT_BIND_TIMEOUT;
int rc;
Connection *con = NULL;
int sec = 1;
ns_cred_t *authp = NULL;
ns_cred_t anon;
int version = NS_LDAP_V2, self_gssapi_only = 0;
void **paramVal = NULL;
char **badSrvrs = NULL;
if ((session == NULL) || (sessionId == NULL)) {
return (NS_LDAP_INVALID_PARAM);
}
*session = NULL;
if (conn_user != NULL) {
rc = __s_api_conn_mt_get(server, flags, cred, session, errorp,
conn_user);
if (rc != NS_LDAP_NOTFOUND)
return (rc);
}
if ((rc = __ns_ldap_getParam(NS_LDAP_FILE_VERSION_P,
¶mVal, errorp)) != NS_LDAP_SUCCESS)
return (rc);
if (paramVal == NULL) {
(void) sprintf(errmsg, gettext("getConnection: no file "
"version"));
MKERROR(LOG_WARNING, *errorp, NS_CONFIG_FILE, strdup(errmsg),
NS_LDAP_CONFIG);
return (NS_LDAP_CONFIG);
}
if (strcasecmp((char *)*paramVal, NS_LDAP_VERSION_1) == 0)
version = NS_LDAP_V1;
(void) __ns_ldap_freeParam((void ***)¶mVal);
(void) __ns_ldap_getParam(NS_LDAP_BIND_TIME_P, ¶mVal, errorp);
if (paramVal != NULL && *paramVal != NULL) {
timeoutSec = **((int **)paramVal);
(void) __ns_ldap_freeParam(¶mVal);
}
if (*errorp)
(void) __ns_ldap_freeError(errorp);
if (cred == NULL) {
if ((rc = __ns_ldap_getParam(NS_LDAP_AUTH_P,
(void ***)&aMethod, errorp)) != NS_LDAP_SUCCESS)
return (rc);
if (aMethod == NULL) {
aMethod = (ns_auth_t **)calloc(2, sizeof (ns_auth_t *));
if (aMethod == NULL)
return (NS_LDAP_MEMORY);
aMethod[0] = (ns_auth_t *)calloc(1, sizeof (ns_auth_t));
if (aMethod[0] == NULL) {
free(aMethod);
return (NS_LDAP_MEMORY);
}
if (version == NS_LDAP_V1)
(aMethod[0])->type = NS_LDAP_AUTH_SIMPLE;
else {
(aMethod[0])->type = NS_LDAP_AUTH_SASL;
(aMethod[0])->saslmech =
NS_LDAP_SASL_DIGEST_MD5;
(aMethod[0])->saslopt = NS_LDAP_SASLOPT_NONE;
}
}
if ((rc = __ns_ldap_getParam(NS_LDAP_CREDENTIAL_LEVEL_P,
(void ***)&cLevel, errorp)) != NS_LDAP_SUCCESS) {
(void) __ns_ldap_freeParam((void ***)&aMethod);
return (rc);
}
if (cLevel == NULL) {
cLevel = (int **)calloc(2, sizeof (int *));
if (cLevel == NULL)
return (NS_LDAP_MEMORY);
cLevel[0] = (int *)calloc(1, sizeof (int));
if (cLevel[0] == NULL)
return (NS_LDAP_MEMORY);
if (version == NS_LDAP_V1)
*(cLevel[0]) = NS_LDAP_CRED_PROXY;
else
*(cLevel[0]) = NS_LDAP_CRED_ANON;
}
}
(void) memset(&anon, 0, sizeof (ns_cred_t));
anon.auth.type = NS_LDAP_AUTH_NONE;
for (;;) {
if (cred != NULL) {
rc = makeConnection(&con, server, cred,
sessionId, timeoutSec, errorp,
fail_if_new_pwd_reqd,
nopasswd_acct_mgmt, flags, &badSrvrs, conn_user);
if (badSrvrs && *badSrvrs) {
__s_api_free2dArray(badSrvrs);
badSrvrs = NULL;
}
if (rc == NS_LDAP_SUCCESS ||
rc == NS_LDAP_SUCCESS_WITH_INFO) {
*session = con;
break;
}
} else {
self_gssapi_only = __s_api_self_gssapi_only_get();
for (cNext = cLevel; *cNext != NULL; cNext++) {
if (self_gssapi_only &&
**cNext != NS_LDAP_CRED_SELF)
continue;
if (**cNext == NS_LDAP_CRED_ANON) {
if (badSrvrs && *badSrvrs) {
__s_api_free2dArray(badSrvrs);
badSrvrs = NULL;
}
rc = makeConnection(&con, server, &anon,
sessionId, timeoutSec, errorp,
fail_if_new_pwd_reqd,
nopasswd_acct_mgmt, flags,
&badSrvrs, conn_user);
if (rc == NS_LDAP_SUCCESS ||
rc ==
NS_LDAP_SUCCESS_WITH_INFO) {
*session = con;
goto done;
}
continue;
}
for (aNext = aMethod; *aNext != NULL; aNext++) {
if (self_gssapi_only &&
(*aNext)->saslmech !=
NS_LDAP_SASL_GSSAPI)
continue;
if ((**cNext == NS_LDAP_CRED_SELF &&
(*aNext)->saslmech !=
NS_LDAP_SASL_GSSAPI) ||
(**cNext != NS_LDAP_CRED_SELF &&
(*aNext)->saslmech ==
NS_LDAP_SASL_GSSAPI))
continue;
authp = NULL;
rc = __s_api_getDefaultAuth(*cNext,
*aNext, &authp,
flags & NS_LDAP_READ_SHADOW);
if (rc != NS_LDAP_SUCCESS) {
continue;
}
if (badSrvrs && *badSrvrs) {
__s_api_free2dArray(badSrvrs);
badSrvrs = NULL;
}
rc = makeConnection(&con, server, authp,
sessionId, timeoutSec, errorp,
fail_if_new_pwd_reqd,
nopasswd_acct_mgmt, flags,
&badSrvrs, conn_user);
(void) __ns_ldap_freeCred(&authp);
if (rc == NS_LDAP_SUCCESS ||
rc ==
NS_LDAP_SUCCESS_WITH_INFO) {
*session = con;
goto done;
}
}
}
}
if (flags & NS_LDAP_HARD) {
if (sec < LDAPMAXHARDLOOKUPTIME)
sec *= 2;
(void) sleep(sec);
} else {
break;
}
}
done:
if (self_gssapi_only && rc == NS_LDAP_SUCCESS && *session == NULL) {
rc = NS_LDAP_CONFIG;
}
(void) __ns_ldap_freeParam((void ***)&aMethod);
(void) __ns_ldap_freeParam((void ***)&cLevel);
if (badSrvrs && *badSrvrs) {
(void) __s_api_removeBadServers(badSrvrs);
__s_api_free2dArray(badSrvrs);
}
return (rc);
}
int
__s_api_getConnection(
const char *server,
const int flags,
const ns_cred_t *cred,
ConnectionID *sessionId,
Connection **session,
ns_ldap_error_t **errorp,
int fail_if_new_pwd_reqd,
int nopasswd_acct_mgmt,
ns_conn_user_t *conn_user)
{
int rc;
rc = getConnection(server, flags, cred, sessionId, session,
errorp, fail_if_new_pwd_reqd, nopasswd_acct_mgmt,
conn_user);
if (rc != NS_LDAP_SUCCESS && rc != NS_LDAP_SUCCESS_WITH_INFO) {
if (conn_user != NULL && conn_user->conn_mt != NULL)
__s_api_conn_mt_remove(conn_user, rc, errorp);
}
return (rc);
}
void
__s_api_free_sessionPool()
{
int id;
(void) mutex_lock(&sessionPoolLock);
if (sessionPool != NULL) {
for (id = 0; id < sessionPoolSize; id++)
_DropConnection(id + CONID_OFFSET, 0, 1);
free(sessionPool);
sessionPool = NULL;
sessionPoolSize = 0;
}
(void) mutex_unlock(&sessionPoolLock);
}
static
ns_ldap_return_code
createTLSSession(const ns_cred_t *auth, const char *serverAddr,
uint16_t port, int timeoutMilliSec,
LDAP **ldp, ns_ldap_error_t **errorp)
{
const char *hostcertpath;
char *alloc_hcp = NULL, errstr[MAXERROR];
int ldap_rc;
#ifdef DEBUG
(void) fprintf(stderr, "tid= %d: +++TLS transport\n",
thr_self());
#endif
if (prldap_set_session_option(NULL, NULL,
PRLDAP_OPT_IO_MAX_TIMEOUT,
timeoutMilliSec) != LDAP_SUCCESS) {
(void) snprintf(errstr, sizeof (errstr),
gettext("createTLSSession: failed to initialize "
"TLS security"));
MKERROR(LOG_WARNING, *errorp, LDAP_CONNECT_ERROR,
strdup(errstr), NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
hostcertpath = auth->hostcertpath;
if (hostcertpath == NULL) {
alloc_hcp = __s_get_hostcertpath();
hostcertpath = alloc_hcp;
}
if (hostcertpath == NULL)
return (NS_LDAP_MEMORY);
if ((ldap_rc = ldapssl_client_init(hostcertpath, NULL)) < 0) {
if (alloc_hcp != NULL) {
free(alloc_hcp);
}
(void) snprintf(errstr, sizeof (errstr),
gettext("createTLSSession: failed to initialize "
"TLS security (%s)"),
ldapssl_err2string(ldap_rc));
MKERROR(LOG_WARNING, *errorp, LDAP_CONNECT_ERROR,
strdup(errstr), NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
if (alloc_hcp)
free(alloc_hcp);
*ldp = ldapssl_init(serverAddr, port, 1);
if (*ldp == NULL ||
ldapssl_install_gethostbyaddr(*ldp, "ldap") != 0) {
(void) snprintf(errstr, sizeof (errstr),
gettext("createTLSSession: failed to connect "
"using TLS (%s)"), strerror(errno));
MKERROR(LOG_WARNING, *errorp, LDAP_CONNECT_ERROR,
strdup(errstr), NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
return (NS_LDAP_SUCCESS);
}
static int
cvt_hostname2ip(char *server, char *newaddr, int newaddr_size,
char *errstr, int errstr_size)
{
char *s;
unsigned short port = 0;
int err;
char buffer[NSS_BUFLEN_HOSTS];
struct hostent result;
s = strchr(server, ']');
s = strchr(s != NULL ? s : server, ':');
if (s != NULL) {
if (sscanf(s + 1, "%hu", &port) != 1) {
(void) snprintf(errstr, errstr_size, "%s",
gettext("Invalid host:port format"));
return (0);
} else
*s = '\0';
}
buffer[0] = '\0';
if (!__s_api_hostname2ip(server, &result, buffer, NSS_BUFLEN_HOSTS,
&err)) {
(void) snprintf(errstr, errstr_size, "%s",
gettext("Unable to resolve address."));
return (0);
}
buffer[0] = '\0';
if (!inet_ntop(result.h_addrtype, result.h_addr_list[0], buffer,
NSS_BUFLEN_HOSTS)) {
(void) snprintf(errstr, errstr_size, "%s",
gettext("Unable to convert address to string."));
return (0);
}
if (port > 0) {
switch (result.h_addrtype) {
case AF_INET6:
(void) snprintf(newaddr,
1 + strlen(buffer) + 1 + 1 + 5 + 1,
"[%s]:%hu",
buffer,
port);
break;
default :
(void) snprintf(newaddr,
strlen(buffer) + 1 + 5 + 1,
"%s:%hu",
buffer,
port);
break;
}
} else {
(void) strncpy(newaddr, buffer, newaddr_size);
}
return (1);
}
static
ns_ldap_return_code
createNonTLSSession(const char *serverAddr,
uint16_t port, int gssapi,
LDAP **ldp, ns_ldap_error_t **errorp)
{
char errstr[MAXERROR];
char *addr;
int is_ip = 0;
char svraddr[1+INET6_ADDRSTRLEN+1+1+5+1];
#ifdef DEBUG
(void) fprintf(stderr, "tid= %d: +++Unsecure transport\n",
thr_self());
#endif
if (gssapi == 0) {
is_ip = (__s_api_isipv4((char *)serverAddr) ||
__s_api_isipv6((char *)serverAddr));
}
if (is_ip == 0 && !gssapi && (ldap_in_nss_switch((char *)"hosts") > 0 ||
ldap_in_nss_switch((char *)"ipnodes") > 0)) {
addr = strdup(serverAddr);
if (addr == NULL)
return (NS_LDAP_MEMORY);
svraddr[0] = '\0';
if (cvt_hostname2ip(addr, svraddr, sizeof (svraddr),
errstr, MAXERROR) == 1) {
serverAddr = svraddr;
free(addr);
} else {
free(addr);
MKERROR(LOG_WARNING, *errorp, LDAP_CONNECT_ERROR,
strdup(errstr), NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
}
if ((*ldp = ldap_init((char *)serverAddr, port)) == NULL) {
char *p = strerror(errno);
MKERROR(LOG_WARNING, *errorp, LDAP_CONNECT_ERROR,
strdup(p), NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
return (NS_LDAP_SUCCESS);
}
static
ns_ldap_return_code
createSession(const ns_cred_t *auth, const char *serverAddr,
uint16_t port, int timeoutMilliSec,
LDAP **ldp, ns_ldap_error_t **errorp)
{
int useSSL = 0, gssapi = 0;
char errstr[MAXERROR];
switch (auth->auth.type) {
case NS_LDAP_AUTH_NONE:
case NS_LDAP_AUTH_SIMPLE:
case NS_LDAP_AUTH_SASL:
break;
case NS_LDAP_AUTH_TLS:
useSSL = 1;
break;
default:
(void) sprintf(errstr,
gettext("openConnection: unsupported "
"authentication method (%d)"), auth->auth.type);
MKERROR(LOG_WARNING, *errorp,
LDAP_AUTH_METHOD_NOT_SUPPORTED, strdup(errstr),
NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
if (port == USE_DEFAULT_PORT) {
port = useSSL ? LDAPS_PORT : LDAP_PORT;
}
if (auth->auth.type == NS_LDAP_AUTH_SASL &&
auth->auth.saslmech == NS_LDAP_SASL_GSSAPI)
gssapi = 1;
if (useSSL)
return (createTLSSession(auth, serverAddr, port,
timeoutMilliSec, ldp, errorp));
else
return (createNonTLSSession(serverAddr, port, gssapi,
ldp, errorp));
}
static
ns_ldap_return_code
doSimpleBind(const ns_cred_t *auth,
LDAP *ld,
int timeoutSec,
ns_ldap_error_t **errorp,
int fail_if_new_pwd_reqd,
int passwd_mgmt)
{
char *binddn, *passwd, errstr[MAXERROR], *errmsg;
int msgId, errnum = 0, ldap_rc;
ns_ldap_return_code ret_code;
LDAPMessage *resultMsg = NULL;
LDAPControl **controls;
struct timeval tv;
binddn = auth->cred.unix_cred.userID;
passwd = auth->cred.unix_cred.passwd;
if (passwd == NULL || *passwd == '\0' ||
binddn == NULL || *binddn == '\0') {
(void) sprintf(errstr, gettext("openConnection: "
"missing credentials for Simple bind"));
MKERROR(LOG_WARNING, *errorp, LDAP_INVALID_CREDENTIALS,
strdup(errstr), NS_LDAP_MEMORY);
(void) ldap_unbind(ld);
return (NS_LDAP_INTERNAL);
}
#ifdef DEBUG
(void) fprintf(stderr, "tid= %d: +++Simple bind\n",
thr_self());
#endif
msgId = ldap_simple_bind(ld, binddn, passwd);
if (msgId == -1) {
(void) ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER,
(void *)&errnum);
(void) snprintf(errstr, sizeof (errstr),
gettext("openConnection: simple bind failed "
"- %s"), ldap_err2string(errnum));
(void) ldap_unbind(ld);
MKERROR(LOG_WARNING, *errorp, errnum, strdup(errstr),
NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
tv.tv_sec = timeoutSec;
tv.tv_usec = 0;
ldap_rc = ldap_result(ld, msgId, 0, &tv, &resultMsg);
if ((ldap_rc == -1) || (ldap_rc == 0)) {
(void) ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER,
(void *)&errnum);
(void) snprintf(errstr, sizeof (errstr),
gettext("openConnection: simple bind failed "
"- %s"), ldap_err2string(errnum));
(void) ldap_msgfree(resultMsg);
(void) ldap_unbind(ld);
MKERROR(LOG_WARNING, *errorp, errnum, strdup(errstr),
NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
ldap_rc = ldap_parse_result(ld, resultMsg, &errnum, NULL,
&errmsg, NULL, &controls, 1);
if (ldap_rc != LDAP_SUCCESS) {
(void) snprintf(errstr, sizeof (errstr),
gettext("openConnection: simple bind failed "
"- unable to parse result"));
(void) ldap_unbind(ld);
MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL,
strdup(errstr), NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
ret_code = process_pwd_mgmt("simple",
errnum, controls, errmsg,
errorp,
fail_if_new_pwd_reqd,
passwd_mgmt);
if (ret_code == NS_LDAP_INTERNAL) {
(void) ldap_unbind(ld);
}
return (ret_code);
}
static
ns_ldap_return_code
doSASLBind(const ns_cred_t *auth,
LDAP *ld,
int timeoutSec,
ns_ldap_error_t **errorp,
int fail_if_new_pwd_reqd,
int passwd_mgmt)
{
char *binddn, *passwd, *digest_md5_name,
errstr[MAXERROR], *errmsg;
struct berval cred;
int ldap_rc, errnum = 0;
ns_ldap_return_code ret_code;
struct timeval tv;
LDAPMessage *resultMsg;
LDAPControl **controls;
int min_ssf = MIN_SASL_SSF, max_ssf = MAX_SASL_SSF;
ns_sasl_cb_param_t sasl_param;
if (auth->auth.saslopt != NS_LDAP_SASLOPT_NONE &&
auth->auth.saslmech != NS_LDAP_SASL_GSSAPI) {
(void) sprintf(errstr,
gettext("openConnection: SASL options are "
"not supported (%d) for non-GSSAPI sasl bind"),
auth->auth.saslopt);
MKERROR(LOG_WARNING, *errorp,
LDAP_AUTH_METHOD_NOT_SUPPORTED,
strdup(errstr), NS_LDAP_MEMORY);
(void) ldap_unbind(ld);
return (NS_LDAP_INTERNAL);
}
if (auth->auth.saslmech != NS_LDAP_SASL_GSSAPI) {
binddn = auth->cred.unix_cred.userID;
passwd = auth->cred.unix_cred.passwd;
if (passwd == NULL || *passwd == '\0' ||
binddn == NULL || *binddn == '\0') {
(void) sprintf(errstr,
gettext("openConnection: missing credentials "
"for SASL bind"));
MKERROR(LOG_WARNING, *errorp,
LDAP_INVALID_CREDENTIALS,
strdup(errstr), NS_LDAP_MEMORY);
(void) ldap_unbind(ld);
return (NS_LDAP_INTERNAL);
}
cred.bv_val = passwd;
cred.bv_len = strlen(passwd);
}
ret_code = NS_LDAP_SUCCESS;
switch (auth->auth.saslmech) {
case NS_LDAP_SASL_CRAM_MD5:
if ((ldap_rc = ldap_sasl_cram_md5_bind_s(ld, binddn,
&cred, NULL, NULL)) != LDAP_SUCCESS) {
(void) ldap_get_option(ld,
LDAP_OPT_ERROR_NUMBER, (void *)&errnum);
(void) snprintf(errstr, sizeof (errstr),
gettext("openConnection: "
"sasl/CRAM-MD5 bind failed - %s"),
ldap_err2string(errnum));
MKERROR(LOG_WARNING, *errorp, errnum,
strdup(errstr), NS_LDAP_MEMORY);
(void) ldap_unbind(ld);
return (NS_LDAP_INTERNAL);
}
break;
case NS_LDAP_SASL_DIGEST_MD5:
digest_md5_name = malloc(strlen(binddn) + 5);
if (digest_md5_name == NULL) {
(void) ldap_unbind(ld);
return (NS_LDAP_MEMORY);
}
(void) strcpy(digest_md5_name, "dn: ");
(void) strcat(digest_md5_name, binddn);
tv.tv_sec = timeoutSec;
tv.tv_usec = 0;
ldap_rc = ldap_x_sasl_digest_md5_bind(ld,
digest_md5_name, &cred, NULL, NULL,
&tv, &resultMsg);
if (resultMsg == NULL) {
free(digest_md5_name);
(void) ldap_get_option(ld,
LDAP_OPT_ERROR_NUMBER, (void *)&errnum);
(void) snprintf(errstr, sizeof (errstr),
gettext("openConnection: "
"DIGEST-MD5 bind failed - %s"),
ldap_err2string(errnum));
(void) ldap_unbind(ld);
MKERROR(LOG_WARNING, *errorp, errnum,
strdup(errstr), NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
ldap_rc = ldap_parse_result(ld, resultMsg, &errnum, NULL,
&errmsg, NULL, &controls, 1);
if (ldap_rc != LDAP_SUCCESS) {
free(digest_md5_name);
(void) snprintf(errstr, sizeof (errstr),
gettext("openConnection: "
"DIGEST-MD5 bind failed "
"- unable to parse result"));
(void) ldap_unbind(ld);
MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL,
strdup(errstr), NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
ret_code = process_pwd_mgmt("sasl/DIGEST-MD5",
errnum, controls, errmsg,
errorp,
fail_if_new_pwd_reqd,
passwd_mgmt);
if (ret_code == NS_LDAP_INTERNAL) {
(void) ldap_unbind(ld);
}
free(digest_md5_name);
break;
case NS_LDAP_SASL_GSSAPI:
(void) memset(&sasl_param, 0,
sizeof (ns_sasl_cb_param_t));
sasl_param.authid = NULL;
sasl_param.authzid = "";
(void) ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MIN,
(void *)&min_ssf);
(void) ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX,
(void *)&max_ssf);
ldap_rc = ldap_sasl_interactive_bind_s(
ld, NULL, "GSSAPI",
NULL, NULL, LDAP_SASL_INTERACTIVE,
__s_api_sasl_bind_callback,
&sasl_param);
if (ldap_rc != LDAP_SUCCESS) {
(void) snprintf(errstr, sizeof (errstr),
gettext("openConnection: "
"GSSAPI bind failed "
"- %d %s"),
ldap_rc,
ldap_err2string(ldap_rc));
(void) ldap_unbind(ld);
MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL,
strdup(errstr), NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
break;
default:
(void) ldap_unbind(ld);
(void) sprintf(errstr,
gettext("openConnection: unsupported SASL "
"mechanism (%d)"), auth->auth.saslmech);
MKERROR(LOG_WARNING, *errorp,
LDAP_AUTH_METHOD_NOT_SUPPORTED, strdup(errstr),
NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
return (ret_code);
}
static
ns_ldap_return_code
performBind(const ns_cred_t *auth,
LDAP *ld,
int timeoutSec,
ns_ldap_error_t **errorp,
int fail_if_new_pwd_reqd,
int passwd_mgmt)
{
int bindType;
char errstr[MAXERROR];
ns_ldap_return_code (*binder)(const ns_cred_t *auth,
LDAP *ld,
int timeoutSec,
ns_ldap_error_t **errorp,
int fail_if_new_pwd_reqd,
int passwd_mgmt) = NULL;
if (!ld) {
(void) sprintf(errstr,
"performBind: LDAP session "
"is not initialized.");
MKERROR(LOG_WARNING, *errorp,
LDAP_AUTH_METHOD_NOT_SUPPORTED,
strdup(errstr), NS_LDAP_MEMORY);
return (NS_LDAP_INTERNAL);
}
bindType = auth->auth.type == NS_LDAP_AUTH_TLS ?
auth->auth.tlstype : auth->auth.type;
switch (bindType) {
case NS_LDAP_AUTH_NONE:
#ifdef DEBUG
(void) fprintf(stderr, "tid= %d: +++Anonymous bind\n",
thr_self());
#endif
break;
case NS_LDAP_AUTH_SIMPLE:
binder = doSimpleBind;
break;
case NS_LDAP_AUTH_SASL:
binder = doSASLBind;
break;
default:
(void) sprintf(errstr,
gettext("openConnection: unsupported "
"authentication method "
"(%d)"), bindType);
MKERROR(LOG_WARNING, *errorp,
LDAP_AUTH_METHOD_NOT_SUPPORTED,
strdup(errstr), NS_LDAP_MEMORY);
(void) ldap_unbind(ld);
return (NS_LDAP_INTERNAL);
}
if (binder != NULL) {
return (*binder)(auth,
ld,
timeoutSec,
errorp,
fail_if_new_pwd_reqd,
passwd_mgmt);
}
return (NS_LDAP_SUCCESS);
}
