/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include <ldap.h>
#include <errno.h>
#include <krb5.h>
#include "ldap_err.h"

/*
 * Fallbacks for LDAP libraries that do not provide the result-code range
 * tests.  Every fallback evaluates to 0, so on such a library the matching
 * range check in translate_ldap_error() never fires and any result code
 * without an explicit case ends up as KRB5_KDB_SERVER_INTERNAL_ERR.
 */
#ifndef LDAP_X_ERROR
#define LDAP_X_ERROR(x) (0)
#endif

#ifndef LDAP_NAME_ERROR
#ifdef NAME_ERROR
#define LDAP_NAME_ERROR NAME_ERROR
#else
#define LDAP_NAME_ERROR(x) (0)
#endif
#endif

#ifndef LDAP_SECURITY_ERROR
#define LDAP_SECURITY_ERROR(x) (0)
#endif

#ifndef LDAP_SERVICE_ERROR
#define LDAP_SERVICE_ERROR(x) (0)
#endif

#ifndef LDAP_API_ERROR
#define LDAP_API_ERROR(x) (0)
#endif

#ifndef LDAP_UPDATE_ERROR
#define LDAP_UPDATE_ERROR(x) (0)
#endif

/*
 * KDB errors this translation can produce:
 *   1.  KRB5_KDB_UK_RERROR
 *   2.  KRB5_KDB_UK_SERROR
 *   3.  KRB5_KDB_NOENTRY
 *   4.  KRB5_KDB_TRUNCATED_RECORD
 *   5.  KRB5_KDB_UNAUTH
 *   6.  KRB5_KDB_DB_CORRUPT
 *   7.  KRB5_KDB_ACCESS_ERROR          (NEW)
 *   8.  KRB5_KDB_INTERNAL_ERROR        (NEW)
 *   9.  KRB5_KDB_SERVER_INTERNAL_ERR   (NEW)
 *   10. KRB5_KDB_CONSTRAINT_VIOLATION  (NEW)
 */

/*
 * Values accepted for the op argument:
 *   0          => not specified
 *   OP_INIT    => ldap_init
 *   OP_BIND    => ldap_bind
 *   OP_UNBIND  => ldap_unbind
 *   OP_ADD     => ldap_add
 *   OP_MOD     => ldap_modify
 *   OP_DEL     => ldap_delete
 *   OP_SEARCH  => ldap_search
 *   OP_CMP     => ldap_compare
 *   OP_ABANDON => ldap_abandon
 */

/*
 * Convert an LDAP result code into the error code reported to KDB callers.
 *
 * err  LDAP result code returned by the directory operation.
 * op   The operation that produced err (one of the OP_* values listed
 *      above, or 0 when not specified).  It only influences the result for
 *      LDAP_INVALID_SYNTAX, LDAP_NO_SUCH_ATTRIBUTE and
 *      LDAP_STRONG_AUTH_REQUIRED.
 *
 * Returns 0 for LDAP_SUCCESS, EINVAL for LDAP_INVALID_DN_SYNTAX, and a
 * KRB5_KDB_* code for everything else.
 *
 * The mapping is lossy: unrelated directory failures share one KDB code.
 * LDAP_INVALID_CREDENTIALS and LDAP_UNAVAILABLE, for instance, both become
 * KRB5_KDB_ACCESS_ERROR, and LDAP_INSUFFICIENT_ACCESS is indistinguishable
 * from LDAP_ALIAS_DEREF_PROBLEM afterwards.  A caller that has to tell a
 * rejected bind from an unreachable server (logging, alerting on failed
 * directory binds) must record the original LDAP code before translating.
 */
int
translate_ldap_error(int err, int op)
{
    switch (err) {
    case LDAP_SUCCESS:
        return 0;

    case LDAP_INVALID_DN_SYNTAX:
        /* The DN is syntactically malformed. */
        return EINVAL;

    /*
     * LDAP_OPERATIONS_ERROR: internal server error; the server can neither
     *   give a more specific error nor respond properly to the request.
     * LDAP_UNAVAILABLE_CRITICAL_EXTENSION: one or more critical extensions
     *   were not available; this might mean the schema was not extended.
     * LDAP_UNDEFINED_TYPE: the attribute named in a modify or add operation
     *   does not exist in the server's schema.
     */
    case LDAP_OPERATIONS_ERROR:
    case LDAP_UNAVAILABLE_CRITICAL_EXTENSION:
    case LDAP_UNDEFINED_TYPE:
        return KRB5_KDB_INTERNAL_ERROR;

    case LDAP_INAPPROPRIATE_MATCHING:
        /* The search filter's matching rule is not defined for the
         * attribute's syntax. */
        return KRB5_KDB_UK_RERROR;

    /*
     * LDAP_CONSTRAINT_VIOLATION: the value given in a modify, add, or
     *   modify DN operation violates constraints placed on the attribute.
     * LDAP_TYPE_OR_VALUE_EXISTS: the value given in a modify or add
     *   operation is already present for that attribute.
     */
    case LDAP_CONSTRAINT_VIOLATION:
    case LDAP_TYPE_OR_VALUE_EXISTS:
        return KRB5_KDB_UK_SERROR;

    case LDAP_INVALID_SYNTAX:
        /* The value in an add, compare, or modify operation has an
         * unrecognized or invalid syntax for the attribute.  Add and modify
         * are store errors; every other op (the compare case was the one
         * intended, but 0 and the remaining OP_* values land here too) is
         * a read error. */
        return (op == OP_ADD || op == OP_MOD) ? KRB5_KDB_UK_SERROR
                                              : KRB5_KDB_UK_RERROR;

    case LDAP_NO_SUCH_ATTRIBUTE:
        /* The attribute named in a modify or compare operation is missing
         * from the entry.  Only OP_MOD is a store error; any other op is
         * handled like the compare case. */
        return (op == OP_MOD) ? KRB5_KDB_UK_SERROR
                              : KRB5_KDB_TRUNCATED_RECORD;

    /*
     * The DAL-LDAP code must make sure none of these occur rather than
     * relying on the LDAP server to catch them.
     * LDAP_SASL_BIND_IN_PROGRESS, LDAP_COMPARE_FALSE and LDAP_COMPARE_TRUE
     * are not errors at all, so this function should not be invoked for
     * them.  LDAP_RESULTS_TOO_LARGE is a CLDAP result.
     */
    case LDAP_SASL_BIND_IN_PROGRESS:
    case LDAP_COMPARE_FALSE:
    case LDAP_COMPARE_TRUE:
    case LDAP_RESULTS_TOO_LARGE:
    case LDAP_TIMELIMIT_EXCEEDED:
    case LDAP_SIZELIMIT_EXCEEDED:
        return KRB5_KDB_SERVER_INTERNAL_ERR;

    /*
     * LDAP_PROTOCOL_ERROR: the server received an invalid or malformed
     *   request from the client.
     * The remaining codes are bind problems.
     * LDAP_STRONG_AUTH_NOT_SUPPORTED is intentionally not listed; the
     * original author left open whether it is a bind error.
     */
    case LDAP_PROTOCOL_ERROR:
    case LDAP_CONFIDENTIALITY_REQUIRED:
    case LDAP_AUTH_METHOD_NOT_SUPPORTED:
    case LDAP_INAPPROPRIATE_AUTH:
    case LDAP_INVALID_CREDENTIALS:
    case LDAP_UNAVAILABLE:
        return KRB5_KDB_ACCESS_ERROR;

    case LDAP_STRONG_AUTH_REQUIRED:
        /* On a bind the server accepts only strong authentication;
         * otherwise the client requested an operation that requires
         * strong authentication. */
        return (op == OP_BIND) ? KRB5_KDB_ACCESS_ERROR
                               : KRB5_KDB_CONSTRAINT_VIOLATION;

    case LDAP_REFERRAL:
        return KRB5_KDB_NOENTRY;

    /*
     * LDAP_ADMINLIMIT_EXCEEDED: a server limit set by an administrative
     *   authority has been exceeded.
     * LDAP_UNWILLING_TO_PERFORM: the server cannot process the request
     *   because of server-defined restrictions.
     */
    case LDAP_ADMINLIMIT_EXCEEDED:
    case LDAP_UNWILLING_TO_PERFORM:
        return KRB5_KDB_CONSTRAINT_VIOLATION;

    /*
     * LDAP_ALIAS_DEREF_PROBLEM: the client lacks access rights to read the
     *   aliased object's name, or dereferencing is not allowed.
     * LDAP_PROXY_AUTHZ_FAILURE: grouped here when the library defines it;
     *   the original author questioned whether this mapping is correct.
     * LDAP_INSUFFICIENT_ACCESS: the caller does not have sufficient rights
     *   to perform the requested operation.
     */
    case LDAP_ALIAS_DEREF_PROBLEM:
#ifdef LDAP_PROXY_AUTHZ_FAILURE
    case LDAP_PROXY_AUTHZ_FAILURE:
#endif
    case LDAP_INSUFFICIENT_ACCESS:
        return KRB5_KDB_UNAUTH;

    case LDAP_LOOP_DETECT:
        /* The client discovered an alias or referral loop. */
        return KRB5_KDB_DB_CORRUPT;

    default:
        break;
    }

    /*
     * No explicit case matched: classify the code with the library's range
     * tests, in this fixed order (the first match wins).
     */
    if (LDAP_NAME_ERROR(err)) {
        return KRB5_KDB_NOENTRY;
    }
    if (LDAP_SECURITY_ERROR(err)) {
        return KRB5_KDB_UNAUTH;
    }
    if (LDAP_SERVICE_ERROR(err) || LDAP_API_ERROR(err) || LDAP_X_ERROR(err)) {
        return KRB5_KDB_ACCESS_ERROR;
    }
    if (LDAP_UPDATE_ERROR(err)) {
        return KRB5_KDB_UK_SERROR;
    }

    /* LDAP_OTHER and anything else not recognised above. */
    return KRB5_KDB_SERVER_INTERNAL_ERR;
}