/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
 *
 * Copyright 2004-2019 The OpenLDAP Foundation.
 * Portions Copyright 2004 Pierangelo Masarati.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.
 */
/* ACKNOWLEDGEMENTS:
 * This work was initially developed by Pierangelo Masarati for inclusion
 * in OpenLDAP Software.
 */

#include "portable.h"

#include <stdio.h>

#include <ac/stdlib.h>

#include <ac/ctype.h>
#include <ac/string.h>
#include <ac/socket.h>
#include <ac/unistd.h>

#include <lber.h>
#include <ldif.h>
#include <lutil.h>

#include "slapcommon.h"

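/*
 * Check a single authentication identity.
 *
 * `id` is mapped to its authcDN through the server's SASL identity
 * mapping (slap_sasl_getdn() with SLAP_GETDN_AUTHCID and the global
 * `realm`).  When the global `authzID` is set (the caller has already
 * turned it into a DN), slap_sasl_authorized() is then asked whether
 * that authcDN may assume it.  Every outcome is reported on stderr.
 *
 * Returns 0 when the identity resolves and, if an authzID is present,
 * authorization is granted; 1 otherwise.  A denied authorization is a
 * failed check: returning non-zero lets the caller's exit status and
 * continue-on-error handling see it, not only the "failed" log line.
 * The authcDN handed back by slap_sasl_getdn() lives in the operation's
 * temporary memory context and is released here on every success path.
 */
static int
do_check( Connection *c, Operation *op, struct berval *id )
{
	struct berval	authcdn;
	int		rc;

	rc = slap_sasl_getdn( c, op, id, realm, &authcdn, SLAP_GETDN_AUTHCID );
	if ( rc != LDAP_SUCCESS ) {
		fprintf( stderr, "ID: <%s> check failed %d (%s)\n",
				id->bv_val, rc,
				ldap_err2string( rc ) );
		return 1;
	}

	if ( !BER_BVISNULL( &authzID ) ) {
		rc = slap_sasl_authorized( op, &authcdn, &authzID );

		fprintf( stderr,
				"ID:      <%s>\n"
				"authcDN: <%s>\n"
				"authzDN: <%s>\n"
				"authorization %s\n",
				id->bv_val,
				authcdn.bv_val,
				authzID.bv_val,
				rc == LDAP_SUCCESS ? "OK" : "failed" );

		/* Surface the authorization verdict to the caller instead of
		 * collapsing it to success; the log line alone is not
		 * machine-checkable. */
		rc = ( rc == LDAP_SUCCESS ) ? 0 : 1;

	} else {
		fprintf( stderr, "ID: <%s> check succeeded\n"
				"authcID:     <%s>\n",
				id->bv_val,
				authcdn.bv_val );
		rc = 0;
	}

	/* Release the authcDN on both branches, not only the no-authzID one,
	 * so that checking many IDs in one run does not accumulate DNs. */
	op->o_tmpfree( authcdn.bv_val, op->o_tmpmemctx );

	return rc;
}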

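/*
 * Map an authorization identity to its DN through the server's SASL
 * identity mapping (slap_sasl_getdn() with SLAP_GETDN_AUTHZID), reporting
 * a failure on stderr in the same format the authcID check uses.
 *
 * On success *dn is filled in by slap_sasl_getdn() and must be released
 * by the caller with op->o_tmpfree() (as the callers below do); on
 * failure *dn is zeroed so it is never freed or printed by mistake.
 * Returns the slap_sasl_getdn() result code.
 */
static int
resolve_authzdn( Connection *c, Operation *op, struct berval *id,
	struct berval *dn )
{
	int	rc;

	rc = slap_sasl_getdn( c, op, id, NULL, dn, SLAP_GETDN_AUTHZID );
	if ( rc != LDAP_SUCCESS ) {
		fprintf( stderr, "authzID: <%s> check failed %d (%s)\n",
				id->bv_val, rc,
				ldap_err2string( rc ) );
		BER_BVZERO( dn );
	}

	return rc;
}

/*
 * slapauth tool entry point: verify authc/authz identity mappings
 * against the configured server without binding.
 *
 * After slap_tool_init() has consumed the options (which populate the
 * globals `mech`, `realm`, `authcID`, `authzID` and `continuemode`), the
 * remaining arguments are identities to check:
 *   - with a fixed authcID and a fixed authzID, or no arguments: one
 *     authc/authz check;
 *   - with a fixed authcID only: each argument is an authzID checked
 *     against that authcID;
 *   - otherwise: each argument is an authcID checked on its own, or
 *     against the fixed authzID if one was given.
 *
 * Returns the result of the last check (0 on success, non-zero on
 * failure), or EXIT_FAILURE if slap_tool_destroy() fails.  Unless
 * `continuemode` is set, processing stops at the first failure.
 */
int
slapauth( int argc, char **argv )
{
	int			rc = EXIT_SUCCESS;
	const char		*progname = "slapauth";
	Connection		conn = {0};
	OperationBuffer	opbuf;
	Operation		*op;
	void			*thrctx;

	slap_tool_init( progname, SLAPAUTH, argc, argv );

	/* Options are done; what is left are the identities to check. */
	argv = &argv[ optind ];
	argc -= optind;

	thrctx = ldap_pvt_thread_pool_context();
	connection_fake_init( &conn, &opbuf, thrctx );
	op = &opbuf.ob_op;

	conn.c_sasl_bind_mech = mech;

	/* A fixed authzID is resolved once, up front, so that every
	 * do_check() below sees its DN rather than the raw identity. */
	if ( !BER_BVISNULL( &authzID ) ) {
		struct berval	authzdn;

		rc = resolve_authzdn( &conn, op, &authzID, &authzdn );
		if ( rc != LDAP_SUCCESS ) {
			rc = 1;
			BER_BVZERO( &authzID );
			goto destroy;
		}

		authzID = authzdn;
	}

	if ( !BER_BVISNULL( &authcID ) ) {
		if ( !BER_BVISNULL( &authzID ) || argc == 0 ) {
			rc = do_check( &conn, op, &authcID );
			goto destroy;
		}

		/* One fixed authcID checked against each authzID argument. */
		for ( ; argc--; argv++ ) {
			struct berval	authzdn;

			ber_str2bv( argv[ 0 ], 0, 0, &authzID );

			rc = resolve_authzdn( &conn, op, &authzID, &authzdn );
			if ( rc != LDAP_SUCCESS ) {
				rc = -1;
				BER_BVZERO( &authzID );
				if ( !continuemode ) {
					goto destroy;
				}
				/* Continue-on-error: move on to the next authzID.
				 * Falling through here would run do_check() with an
				 * unresolved authzdn and report a bogus "succeeded". */
				continue;
			}

			authzID = authzdn;

			rc = do_check( &conn, op, &authcID );

			/* do_check() does not own the authzDN; release it before the
			 * global is re-pointed at the next argument. */
			op->o_tmpfree( authzID.bv_val, op->o_tmpmemctx );
			BER_BVZERO( &authzID );

			if ( rc && !continuemode ) {
				goto destroy;
			}
		}

		goto destroy;
	}

	/* No fixed authcID: each argument is an authcID in its own right
	 * (checked against the fixed authzID resolved above, if any). */
	for ( ; argc--; argv++ ) {
		struct berval	id;

		ber_str2bv( argv[ 0 ], 0, 0, &id );

		rc = do_check( &conn, op, &id );

		if ( rc && !continuemode ) {
			goto destroy;
		}
	}

destroy:;
	/* Only a resolved authzDN is still owned here; the per-argument
	 * loop above zeroes authzID after freeing each one. */
	if ( !BER_BVISNULL( &authzID ) ) {
		op->o_tmpfree( authzID.bv_val, op->o_tmpmemctx );
	}

	if ( slap_tool_destroy())
		rc = EXIT_FAILURE;

	return rc;
}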