Commit a2e299eb authored by Howard Chu's avatar Howard Chu

ITS#4799 remove kerberos / kbind

parent bec25494
......@@ -29,7 +29,7 @@ SRCS = main.c globals.c bconfig.c config.c daemon.c \
dn.c compare.c modify.c delete.c modrdn.c ch_malloc.c \
value.c ava.c bind.c unbind.c abandon.c filterentry.c \
phonetic.c acl.c str2filter.c aclparse.c init.c user.c \
repl.c lock.c controls.c extended.c kerberos.c passwd.c \
repl.c lock.c controls.c extended.c passwd.c \
schema.c schema_check.c schema_init.c schema_prep.c \
schemaparse.c ad.c at.c mr.c syntax.c oc.c saslauthz.c \
oidm.c starttls.c index.c sets.c referral.c root_dse.c \
......@@ -47,7 +47,7 @@ OBJS = main.o globals.o bconfig.o config.o daemon.o \
dn.o compare.o modify.o delete.o modrdn.o ch_malloc.o \
value.o ava.o bind.o unbind.o abandon.o filterentry.o \
phonetic.o acl.o str2filter.o aclparse.o init.o user.o \
repl.o lock.o controls.o extended.o kerberos.o passwd.o \
repl.o lock.o controls.o extended.o passwd.o \
schema.o schema_check.o schema_init.o schema_prep.o \
schemaparse.o ad.o at.o mr.o syntax.o oc.o saslauthz.o \
oidm.o starttls.o index.o sets.o referral.o root_dse.o \
......
......@@ -17,7 +17,6 @@
#include "portable.h"
#include <stdio.h>
#include <ac/krb.h>
#include <ac/string.h>
#include <ac/unistd.h>
......@@ -30,12 +29,6 @@ bdb_bind( Operation *op, SlapReply *rs )
Entry *e;
Attribute *a;
EntryInfo *ei;
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
char krbname[MAX_K_NAME_SZ + 1];
AttributeDescription *krbattr = slap_schema.si_ad_krbName;
struct berval krbval;
AUTH_DAT ad;
#endif
AttributeDescription *password = slap_schema.si_ad_userPassword;
......@@ -144,50 +137,8 @@ dn2entry_retry:
rs->sr_err = 0;
break;
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
case LDAP_AUTH_KRBV41:
if ( krbv4_ldap_auth( op->o_bd, &op->oq_bind.rb_cred, &ad )
!= LDAP_SUCCESS )
{
rs->sr_err = LDAP_INVALID_CREDENTIALS,
goto done;
}
rs->sr_err = access_allowed( op, e,
krbattr, NULL, ACL_AUTH, NULL );
if ( ! rs->sr_err ) {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS,
goto done;
}
krbval.bv_len = sprintf( krbname, "%s%s%s@%s", ad.pname,
*ad.pinst ? "." : "", ad.pinst, ad.prealm );
if ( (a = attr_find( e->e_attrs, krbattr )) == NULL ) {
/*
* no krbname values present: check against DN
*/
if ( strcasecmp( op->o_req_dn.bv_val, krbname ) == 0 ) {
rs->sr_err = 0;
break;
}
rs->sr_err = LDAP_INAPPROPRIATE_AUTH,
goto done;
} else { /* look for krbname match */
krbval.bv_val = krbname;
if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 ) {
rs->sr_err = LDAP_INVALID_CREDENTIALS;
goto done;
}
}
rs->sr_err = 0;
break;
#endif
default:
assert( 0 ); /* should not be unreachable */
assert( 0 ); /* should not be reachable */
rs->sr_err = LDAP_STRONG_AUTH_NOT_SUPPORTED;
rs->sr_text = "authentication method not supported";
}
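Review bot: With the KRBV4 case gone, `default:` is now the only catch-all for an authentication method the frontend did not filter, and the retained `assert( 0 );` means a non-NDEBUG slapd aborts on such a request instead of returning the `LDAP_STRONG_AUTH_NOT_SUPPORTED` result set on the two lines that follow it. The method is rejected earlier in fe_op_bind, so this should be unreachable today, but a request handler that terminates the process on a divergence between frontend and backend dispatch is a poor failure mode for a network-facing daemon. Consider replacing the assert with a trace that keeps the graceful path live in every build, e.g. `Debug( LDAP_DEBUG_ANY, "bdb_bind: unexpected auth method %d\n", op->orb_method, 0, 0 );` ahead of the existing `rs->sr_err` assignment; the exact field name for the method should be confirmed against the declarations at the top of bdb_bind. The enclosing function bdb_bind starts before this hunk and the `done:` label it jumps to is outside it.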
......
......@@ -536,14 +536,6 @@ static ConfigTable config_back_cf_table[] = {
{ "sockbuf_max_incoming_auth", "max", 2, 2, 0, ARG_BER_LEN_T,
&sockbuf_max_incoming_auth, "( OLcfgGlAt:62 NAME 'olcSockbufMaxIncomingAuth' "
"SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
{ "srvtab", "file", 2, 2, 0,
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
ARG_STRING, &ldap_srvtab,
#else
ARG_IGNORED, NULL,
#endif
"( OLcfgGlAt:63 NAME 'olcSrvtab' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
{ "subordinate", "[advertise]", 1, 2, 0, ARG_DB|ARG_MAGIC,
&config_subordinate, "( OLcfgDbAt:0.15 NAME 'olcSubordinate' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
......@@ -693,7 +685,7 @@ static ConfigOCs cf_ocs[] = {
"olcRootDSE $ "
"olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
"olcSecurity $ olcSizeLimit $ "
"olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcSrvtab $ "
"olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ "
"olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
"olcTLSCACertificatePath $ olcTLSCertificateFile $ "
"olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
......@@ -2272,7 +2264,6 @@ config_disallows(ConfigArgs *c) {
slap_verbmasks disallowable_ops[] = {
{ BER_BVC("bind_anon"), SLAP_DISALLOW_BIND_ANON },
{ BER_BVC("bind_simple"), SLAP_DISALLOW_BIND_SIMPLE },
{ BER_BVC("bind_krb4"), SLAP_DISALLOW_BIND_KRBV4 },
{ BER_BVC("tls_2_anon"), SLAP_DISALLOW_TLS_2_ANON },
{ BER_BVC("tls_authc"), SLAP_DISALLOW_TLS_AUTHC },
{ BER_BVNULL, 0 }
......
......@@ -86,8 +86,8 @@ do_bind(
* name DistinguishedName, -- dn
* authentication CHOICE {
* simple [0] OCTET STRING -- passwd
* krbv42ldap [1] OCTET STRING
* krbv42dsa [2] OCTET STRING
* krbv42ldap [1] OCTET STRING -- OBSOLETE
* krbv42dsa [2] OCTET STRING -- OBSOLETE
* SASL [3] SaslCredentials
* }
* }
......@@ -340,33 +340,6 @@ fe_op_bind( Operation *op, SlapReply *rs )
goto cleanup;
}
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
} else if ( op->orb_method == LDAP_AUTH_KRBV41 ) {
if ( global_disallows & SLAP_DISALLOW_BIND_KRBV4 ) {
/* disallow krbv4 authentication */
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
rs->sr_text = "unwilling to perform Kerberos V4 bind";
send_ldap_result( op, rs );
Debug( LDAP_DEBUG_TRACE,
"do_bind: v%d Kerberos V4 (step 1) bind refused\n",
op->o_protocol, 0, 0 );
goto cleanup;
}
BER_BVSTR( &op->orb_tmp_mech, "KRBV4" );
} else if ( op->orb_method == LDAP_AUTH_KRBV42 ) {
rs->sr_err = LDAP_AUTH_METHOD_NOT_SUPPORTED;
rs->sr_text = "Kerberos V4 (step 2) bind not supported";
send_ldap_result( op, rs );
Debug( LDAP_DEBUG_TRACE,
"do_bind: v%d Kerberos V4 (step 2) bind refused\n",
op->o_protocol, 0, 0 );
goto cleanup;
#endif
} else {
rs->sr_err = LDAP_AUTH_METHOD_NOT_SUPPORTED;
rs->sr_text = "unknown authentication method";
......
......@@ -18,7 +18,6 @@
#include <stdio.h>
#include <ac/krb.h>
#include <ac/socket.h>
#include <ac/string.h>
#include <ac/unistd.h>
......
......@@ -68,7 +68,6 @@ int global_gentlehup = 0;
int global_idletimeout = 0;
char *global_host = NULL;
char *global_realm = NULL;
char *ldap_srvtab = "";
char **default_passwd_hash = NULL;
struct berval default_search_base = BER_BVNULL;
struct berval default_search_nbase = BER_BVNULL;
......
/* kerberos.c - kerberos bind routines */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2007 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP
* Public License.
*
* A copy of this license is available in the file LICENSE in the
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
#include "portable.h"
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
#include <stdio.h>
#include <ac/krb.h>
#include <ac/socket.h>
#include <ac/string.h>
#include "slap.h"
#define LDAP_KRB_PRINCIPAL "ldapserver"
krbv4_ldap_auth(
Backend *be,
struct berval *cred,
AUTH_DAT *ad
)
{
KTEXT_ST k;
KTEXT ktxt = &k;
char instance[INST_SZ];
int err;
Debug( LDAP_DEBUG_TRACE, "=> kerberosv4_ldap_auth\n", 0, 0, 0 );
if( cred->len > sizeof(ktxt->dat) ) {
return LDAP_OTHER;
}
AC_MEMCPY( ktxt->dat, cred->bv_val, cred->bv_len );
ktxt->length = cred->bv_len;
strcpy( instance, "*" );
if ( (err = krb_rd_req( ktxt, LDAP_KRB_PRINCIPAL, instance, 0L, ad,
ldap_srvtab )) != KSUCCESS ) {
Debug( LDAP_DEBUG_ANY, "krb_rd_req failed (%s)\n",
krb_err_txt[err], 0, 0 );
return( LDAP_INVALID_CREDENTIALS );
}
return( LDAP_SUCCESS );
}
#endif /* kerberos */
......@@ -18,7 +18,6 @@
#include <stdio.h>
#include <ac/krb.h>
#include <ac/socket.h>
#include <ac/string.h>
#include <ac/unistd.h>
......
......@@ -1009,14 +1009,6 @@ LDAP_SLAPD_F (int) slap_destroy LDAP_P((void));
LDAP_SLAPD_V (char *) slap_known_controls[];
/*
* kerberos.c
*/
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
LDAP_SLAPD_V (char *) ldap_srvtab;
LDAP_SLAPD_V (int) krbv4_ldap_auth();
#endif
/*
* ldapsync.c
*/
......
......@@ -986,18 +986,6 @@ static struct slap_schema_ad_map {
NULL, NULL, NULL, NULL, NULL,
offsetof(struct slap_internal_schema, si_ad_authPasswordSchemes) },
#endif
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
{ "krbName", "( 1.3.6.1.4.1.250.1.32 "
"NAME ( 'krbName' 'kerberosName' ) "
"DESC 'Kerberos principal associated with object' "
"EQUALITY caseIgnoreIA5Match "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 "
"SINGLE-VALUE )",
NULL, 0,
NULL, NULL,
NULL, NULL, NULL, NULL, NULL,
offsetof(struct slap_internal_schema, si_ad_krbName) },
#endif
{ "description", "( 2.5.4.13 NAME 'description' "
"DESC 'RFC4519: descriptive information' "
......
......@@ -900,9 +900,6 @@ struct slap_internal_schema {
#ifdef SLAPD_AUTHPASSWD
AttributeDescription *si_ad_authPassword;
AttributeDescription *si_ad_authPasswordSchemes;
#endif
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
AttributeDescription *si_ad_krbName;
#endif
AttributeDescription *si_ad_description;
AttributeDescription *si_ad_seeAlso;
......@@ -1815,7 +1812,6 @@ struct slap_backend_db {
#define SLAP_DISALLOW_BIND_ANON 0x0001U /* no anonymous */
#define SLAP_DISALLOW_BIND_SIMPLE 0x0002U /* simple authentication */
#define SLAP_DISALLOW_BIND_KRBV4 0x0004U /* Kerberos V4 authentication */
#define SLAP_DISALLOW_TLS_2_ANON 0x0010U /* StartTLS -> Anonymous */
#define SLAP_DISALLOW_TLS_AUTHC 0x0020U /* TLS while authenticated */
......
......@@ -18,7 +18,6 @@
#include <stdio.h>
#include <ac/krb.h>
#include <ac/socket.h>
#include <ac/string.h>
#include <ac/unistd.h>
......