1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <stdlib.h> 29 #include <stdio.h> 30 #include <errno.h> 31 #include <string.h> 32 #include <synch.h> 33 #include <time.h> 34 #include <libintl.h> 35 #include <thread.h> 36 #include <syslog.h> 37 #include <sys/mman.h> 38 #include <nsswitch.h> 39 #include <nss_dbdefs.h> 40 #include "solaris-priv.h" 41 #include "solaris-int.h" 42 #include "ns_sldap.h" 43 #include "ns_internal.h" 44 #include "ns_cache_door.h" 45 #include "ns_connmgmt.h" 46 #include "ldappr.h" 47 #include <sys/stat.h> 48 #include <fcntl.h> 49 #include <procfs.h> 50 #include <unistd.h> 51 52 #define USE_DEFAULT_PORT 0 53 54 static ns_ldap_return_code performBind(const ns_cred_t *, 55 LDAP *, 56 int, 57 ns_ldap_error_t **, 58 int, 59 int); 60 static ns_ldap_return_code createSession(const ns_cred_t *, 61 const char *, 62 uint16_t, 63 int, 64 LDAP **, 65 ns_ldap_error_t **); 66 67 extern int ldap_sasl_cram_md5_bind_s(LDAP *, char *, struct berval *, 68 LDAPControl **, LDAPControl **); 69 extern int ldapssl_install_gethostbyaddr(LDAP *ld, const char *skip); 70 71 static int openConnection(LDAP **, const char *, const ns_cred_t *, 72 int, ns_ldap_error_t **, int, int, ns_conn_user_t *); 73 static void 74 _DropConnection(ConnectionID cID, int flag, int fini); 75 76 static mutex_t sessionPoolLock = DEFAULTMUTEX; 77 78 static Connection **sessionPool = NULL; 79 static int sessionPoolSize = 0; 80 81 /* 82 * SSF values are for SASL integrity & privacy. 83 * JES DS5.2 does not support this feature but DS6 does. 84 * The values between 0 and 65535 can work with both server versions. 85 */ 86 #define MAX_SASL_SSF 65535 87 #define MIN_SASL_SSF 0 88 89 /* Number of hostnames to allocate memory for */ 90 #define NUMTOMALLOC 32 91 92 /* 93 * This function get the servers from the lists and returns 94 * the first server with the empty lists of server controls and 95 * SASL mechanisms. It is invoked if it is not possible to obtain a server 96 * from ldap_cachemgr or the local list. 97 */ 98 static 99 ns_ldap_return_code 100 getFirstFromConfig(ns_server_info_t *ret, ns_ldap_error_t **error) 101 { 102 char **servers = NULL; 103 ns_ldap_return_code ret_code; 104 char errstr[MAXERROR]; 105 106 /* get first server from config list unavailable otherwise */ 107 ret_code = __s_api_getServers(&servers, error); 108 if (ret_code != NS_LDAP_SUCCESS) { 109 if (servers != NULL) { 110 __s_api_free2dArray(servers); 111 } 112 return (ret_code); 113 } 114 115 if (servers == NULL || servers[0] == NULL) { 116 __s_api_free2dArray(servers); 117 (void) sprintf(errstr, 118 gettext("No server found in configuration")); 119 MKERROR(LOG_ERR, *error, NS_CONFIG_NODEFAULT, 120 strdup(errstr), NS_LDAP_MEMORY); 121 return (NS_LDAP_CONFIG); 122 } 123 124 ret->server = strdup(servers[0]); 125 if (ret->server == NULL) { 126 __s_api_free2dArray(servers); 127 return (NS_LDAP_MEMORY); 128 } 129 130 ret->saslMechanisms = NULL; 131 ret->controls = NULL; 132 133 __s_api_free2dArray(servers); 134 135 return (NS_LDAP_SUCCESS); 136 } 137 138 /* 139 * This function requests a server from the cache manager through 140 * the door functionality 141 */ 142 143 int 144 __s_api_requestServer(const char *request, const char *server, 145 ns_server_info_t *ret, ns_ldap_error_t **error, const char *addrType) 146 { 147 union { 148 ldap_data_t s_d; 149 char s_b[DOORBUFFERSIZE]; 150 } space; 151 ldap_data_t *sptr; 152 int ndata; 153 int adata; 154 char errstr[MAXERROR]; 155 const char *ireq; 156 char *rbuf, *ptr, *rest; 157 char *dptr; 158 char **mptr, **mptr1, **cptr, **cptr1; 159 int mcnt, ccnt; 160 int len; 161 ns_ldap_return_code ret_code; 162 163 if (ret == NULL || error == NULL) { 164 return (NS_LDAP_OP_FAILED); 165 } 166 (void) memset(ret, 0, sizeof (ns_server_info_t)); 167 *error = NULL; 168 169 if (request == NULL) 170 ireq = NS_CACHE_NEW; 171 else 172 ireq = request; 173 174 /* 175 * In the 'Standalone' mode a server will be obtained 176 * from the local libsldap's list 177 */ 178 if (__s_api_isStandalone()) { 179 if (__s_api_findRootDSE(ireq, 180 server, 181 addrType, 182 ret, 183 error) != NS_LDAP_SUCCESS) { 184 syslog(LOG_WARNING, 185 "libsldap (\"standalone\" mode): " 186 "can not find any available server. " 187 "Return the first one from the lists"); 188 if (*error != NULL) { 189 (void) __ns_ldap_freeError(error); 190 } 191 192 ret_code = getFirstFromConfig(ret, error); 193 if (ret_code != NS_LDAP_SUCCESS) { 194 return (ret_code); 195 } 196 197 if (strcmp(addrType, NS_CACHE_ADDR_HOSTNAME) == 0) { 198 ret_code = __s_api_ip2hostname(ret->server, 199 &ret->serverFQDN); 200 if (ret_code != NS_LDAP_SUCCESS) { 201 (void) snprintf(errstr, 202 sizeof (errstr), 203 gettext("The %s address " 204 "can not be resolved into " 205 "a host name. Returning " 206 "the address as it is."), 207 ret->server); 208 MKERROR(LOG_ERR, 209 *error, 210 NS_CONFIG_NOTLOADED, 211 strdup(errstr), 212 NS_LDAP_MEMORY); 213 free(ret->server); 214 ret->server = NULL; 215 return (NS_LDAP_INTERNAL); 216 } 217 } 218 } 219 220 return (NS_LDAP_SUCCESS); 221 } 222 223 (void) memset(space.s_b, 0, DOORBUFFERSIZE); 224 225 adata = (sizeof (ldap_call_t) + strlen(ireq) + strlen(addrType) + 1); 226 if (server != NULL) { 227 adata += strlen(DOORLINESEP) + 1; 228 adata += strlen(server) + 1; 229 } 230 ndata = sizeof (space); 231 len = sizeof (space) - sizeof (space.s_d.ldap_call.ldap_callnumber); 232 space.s_d.ldap_call.ldap_callnumber = GETLDAPSERVER; 233 if (strlcpy(space.s_d.ldap_call.ldap_u.domainname, ireq, len) >= len) 234 return (NS_LDAP_MEMORY); 235 if (strlcat(space.s_d.ldap_call.ldap_u.domainname, addrType, len) >= 236 len) 237 return (NS_LDAP_MEMORY); 238 if (server != NULL) { 239 if (strlcat(space.s_d.ldap_call.ldap_u.domainname, 240 DOORLINESEP, len) >= len) 241 return (NS_LDAP_MEMORY); 242 if (strlcat(space.s_d.ldap_call.ldap_u.domainname, server, 243 len) >= len) 244 return (NS_LDAP_MEMORY); 245 } 246 sptr = &space.s_d; 247 248 switch (__ns_ldap_trydoorcall(&sptr, &ndata, &adata)) { 249 case NS_CACHE_SUCCESS: 250 break; 251 /* this case is for when the $mgr is not running, but ldapclient */ 252 /* is trying to initialize things */ 253 case NS_CACHE_NOSERVER: 254 ret_code = getFirstFromConfig(ret, error); 255 if (ret_code != NS_LDAP_SUCCESS) { 256 return (ret_code); 257 } 258 259 if (strcmp(addrType, NS_CACHE_ADDR_HOSTNAME) == 0) { 260 ret_code = __s_api_ip2hostname(ret->server, 261 &ret->serverFQDN); 262 if (ret_code != NS_LDAP_SUCCESS) { 263 (void) snprintf(errstr, 264 sizeof (errstr), 265 gettext("The %s address " 266 "can not be resolved into " 267 "a host name. Returning " 268 "the address as it is."), 269 ret->server); 270 MKERROR(LOG_ERR, 271 *error, 272 NS_CONFIG_NOTLOADED, 273 strdup(errstr), 274 NS_LDAP_MEMORY); 275 free(ret->server); 276 ret->server = NULL; 277 return (NS_LDAP_INTERNAL); 278 } 279 } 280 return (NS_LDAP_SUCCESS); 281 case NS_CACHE_NOTFOUND: 282 default: 283 return (NS_LDAP_OP_FAILED); 284 } 285 286 /* copy info from door call return structure here */ 287 rbuf = space.s_d.ldap_ret.ldap_u.config; 288 289 /* Get the host */ 290 ptr = strtok_r(rbuf, DOORLINESEP, &rest); 291 if (ptr == NULL) { 292 (void) sprintf(errstr, gettext("No server returned from " 293 "ldap_cachemgr")); 294 MKERROR(LOG_WARNING, *error, NS_CONFIG_CACHEMGR, 295 strdup(errstr), NS_LDAP_MEMORY); 296 return (NS_LDAP_OP_FAILED); 297 } 298 ret->server = strdup(ptr); 299 if (ret->server == NULL) { 300 return (NS_LDAP_MEMORY); 301 } 302 /* Get the host FQDN format */ 303 if (strcmp(addrType, NS_CACHE_ADDR_HOSTNAME) == 0) { 304 ptr = strtok_r(NULL, DOORLINESEP, &rest); 305 if (ptr == NULL) { 306 (void) sprintf(errstr, gettext("No server FQDN format " 307 "returned from ldap_cachemgr")); 308 MKERROR(LOG_WARNING, *error, NS_CONFIG_CACHEMGR, 309 strdup(errstr), NULL); 310 free(ret->server); 311 ret->server = NULL; 312 return (NS_LDAP_OP_FAILED); 313 } 314 ret->serverFQDN = strdup(ptr); 315 if (ret->serverFQDN == NULL) { 316 free(ret->server); 317 ret->server = NULL; 318 return (NS_LDAP_MEMORY); 319 } 320 } 321 322 /* get the Supported Controls/SASL mechs */ 323 mptr = NULL; 324 mcnt = 0; 325 cptr = NULL; 326 ccnt = 0; 327 for (;;) { 328 ptr = strtok_r(NULL, DOORLINESEP, &rest); 329 if (ptr == NULL) 330 break; 331 if (strncasecmp(ptr, _SASLMECHANISM, 332 _SASLMECHANISM_LEN) == 0) { 333 dptr = strchr(ptr, '='); 334 if (dptr == NULL) 335 continue; 336 dptr++; 337 mptr1 = (char **)realloc((void *)mptr, 338 sizeof (char *) * (mcnt+2)); 339 if (mptr1 == NULL) { 340 __s_api_free2dArray(mptr); 341 if (sptr != &space.s_d) { 342 (void) munmap((char *)sptr, ndata); 343 } 344 __s_api_free2dArray(cptr); 345 __s_api_free_server_info(ret); 346 return (NS_LDAP_MEMORY); 347 } 348 mptr = mptr1; 349 mptr[mcnt] = strdup(dptr); 350 if (mptr[mcnt] == NULL) { 351 if (sptr != &space.s_d) { 352 (void) munmap((char *)sptr, ndata); 353 } 354 __s_api_free2dArray(cptr); 355 cptr = NULL; 356 __s_api_free2dArray(mptr); 357 mptr = NULL; 358 __s_api_free_server_info(ret); 359 return (NS_LDAP_MEMORY); 360 } 361 mcnt++; 362 mptr[mcnt] = NULL; 363 } 364 if (strncasecmp(ptr, _SUPPORTEDCONTROL, 365 _SUPPORTEDCONTROL_LEN) == 0) { 366 dptr = strchr(ptr, '='); 367 if (dptr == NULL) 368 continue; 369 dptr++; 370 cptr1 = (char **)realloc((void *)cptr, 371 sizeof (char *) * (ccnt+2)); 372 if (cptr1 == NULL) { 373 if (sptr != &space.s_d) { 374 (void) munmap((char *)sptr, ndata); 375 } 376 __s_api_free2dArray(cptr); 377 __s_api_free2dArray(mptr); 378 mptr = NULL; 379 __s_api_free_server_info(ret); 380 return (NS_LDAP_MEMORY); 381 } 382 cptr = cptr1; 383 cptr[ccnt] = strdup(dptr); 384 if (cptr[ccnt] == NULL) { 385 if (sptr != &space.s_d) { 386 (void) munmap((char *)sptr, ndata); 387 } 388 __s_api_free2dArray(cptr); 389 cptr = NULL; 390 __s_api_free2dArray(mptr); 391 mptr = NULL; 392 __s_api_free_server_info(ret); 393 return (NS_LDAP_MEMORY); 394 } 395 ccnt++; 396 cptr[ccnt] = NULL; 397 } 398 } 399 if (mptr != NULL) { 400 ret->saslMechanisms = mptr; 401 } 402 if (cptr != NULL) { 403 ret->controls = cptr; 404 } 405 406 407 /* clean up door call */ 408 if (sptr != &space.s_d) { 409 (void) munmap((char *)sptr, ndata); 410 } 411 *error = NULL; 412 413 return (NS_LDAP_SUCCESS); 414 } 415 416 417 #ifdef DEBUG 418 /* 419 * printCred(): prints the credential structure 420 */ 421 static void 422 printCred(FILE *fp, const ns_cred_t *cred) 423 { 424 thread_t t = thr_self(); 425 426 if (cred == NULL) { 427 (void) fprintf(fp, "tid= %d: printCred: cred is NULL\n", t); 428 return; 429 } 430 431 (void) fprintf(fp, "tid= %d: AuthType=%d", t, cred->auth.type); 432 (void) fprintf(fp, "tid= %d: TlsType=%d", t, cred->auth.tlstype); 433 (void) fprintf(fp, "tid= %d: SaslMech=%d", t, cred->auth.saslmech); 434 (void) fprintf(fp, "tid= %d: SaslOpt=%d", t, cred->auth.saslopt); 435 if (cred->hostcertpath) 436 (void) fprintf(fp, "tid= %d: hostCertPath=%s\n", 437 t, cred->hostcertpath); 438 if (cred->cred.unix_cred.userID) 439 (void) fprintf(fp, "tid= %d: userID=%s\n", 440 t, cred->cred.unix_cred.userID); 441 if (cred->cred.unix_cred.passwd) 442 (void) fprintf(fp, "tid= %d: passwd=%s\n", 443 t, cred->cred.unix_cred.passwd); 444 } 445 446 /* 447 * printConnection(): prints the connection structure 448 */ 449 static void 450 printConnection(FILE *fp, Connection *con) 451 { 452 thread_t t = thr_self(); 453 454 if (con == NULL) 455 return; 456 457 (void) fprintf(fp, "tid= %d: connectionID=%d\n", t, con->connectionId); 458 (void) fprintf(fp, "tid= %d: usedBit=%d\n", t, con->usedBit); 459 (void) fprintf(fp, "tid= %d: threadID=%d\n", t, con->threadID); 460 if (con->serverAddr) { 461 (void) fprintf(fp, "tid= %d: serverAddr=%s\n", 462 t, con->serverAddr); 463 } 464 printCred(fp, con->auth); 465 } 466 #endif 467 468 /* 469 * addConnection(): inserts a connection in the connection list. 470 * It will also sets use bit and the thread Id for the thread 471 * using the connection for the first time. 472 * Returns: -1 = failure, new Connection ID = success 473 */ 474 static int 475 addConnection(Connection *con) 476 { 477 int i; 478 479 if (!con) 480 return (-1); 481 #ifdef DEBUG 482 (void) fprintf(stderr, "Adding connection thrid=%d\n", con->threadID); 483 #endif /* DEBUG */ 484 (void) mutex_lock(&sessionPoolLock); 485 if (sessionPool == NULL) { 486 sessionPoolSize = SESSION_CACHE_INC; 487 sessionPool = calloc(sessionPoolSize, 488 sizeof (Connection *)); 489 if (!sessionPool) { 490 (void) mutex_unlock(&sessionPoolLock); 491 return (-1); 492 } 493 #ifdef DEBUG 494 (void) fprintf(stderr, "Initialized sessionPool\n"); 495 #endif /* DEBUG */ 496 } 497 for (i = 0; (i < sessionPoolSize) && (sessionPool[i] != NULL); ++i) 498 ; 499 if (i == sessionPoolSize) { 500 /* run out of array, need to increase sessionPool */ 501 Connection **cl; 502 cl = (Connection **) realloc(sessionPool, 503 (sessionPoolSize + SESSION_CACHE_INC) * 504 sizeof (Connection *)); 505 if (!cl) { 506 (void) mutex_unlock(&sessionPoolLock); 507 return (-1); 508 } 509 (void) memset(cl + sessionPoolSize, 0, 510 SESSION_CACHE_INC * sizeof (Connection *)); 511 sessionPool = cl; 512 sessionPoolSize += SESSION_CACHE_INC; 513 #ifdef DEBUG 514 (void) fprintf(stderr, "Increased sessionPoolSize to: %d\n", 515 sessionPoolSize); 516 #endif /* DEBUG */ 517 } 518 sessionPool[i] = con; 519 con->usedBit = B_TRUE; 520 (void) mutex_unlock(&sessionPoolLock); 521 con->connectionId = i + CONID_OFFSET; 522 #ifdef DEBUG 523 (void) fprintf(stderr, "Connection added [%d]\n", i); 524 printConnection(stderr, con); 525 #endif /* DEBUG */ 526 return (i + CONID_OFFSET); 527 } 528 529 /* 530 * findConnection(): find an available connection from the list 531 * that matches the criteria specified in Connection structure. 532 * If serverAddr is NULL, then find a connection to any server 533 * as long as it matches the rest of the parameters. 534 * Returns: -1 = failure, the Connection ID found = success. 535 */ 536 static int 537 findConnection(int flags, const char *serverAddr, 538 const ns_cred_t *auth, Connection **conp) 539 { 540 Connection *cp; 541 int i; 542 #ifdef DEBUG 543 thread_t t; 544 #endif /* DEBUG */ 545 546 if (auth == NULL || conp == NULL) 547 return (-1); 548 *conp = NULL; 549 550 /* 551 * If a new connection is requested, no need to continue. 552 * If the process is not nscd and is not requesting keep 553 * connections alive, no need to continue. 554 */ 555 if ((flags & NS_LDAP_NEW_CONN) || (!__s_api_nscd_proc() && 556 !__s_api_peruser_proc() && !(flags & NS_LDAP_KEEP_CONN))) 557 return (-1); 558 559 #ifdef DEBUG 560 t = thr_self(); 561 (void) fprintf(stderr, "tid= %d: Find connection\n", t); 562 (void) fprintf(stderr, "tid= %d: Looking for ....\n", t); 563 if (serverAddr && *serverAddr) 564 (void) fprintf(stderr, "tid= %d: serverAddr=%s\n", 565 t, serverAddr); 566 else 567 (void) fprintf(stderr, "tid= %d: serverAddr=NULL\n", t); 568 printCred(stderr, auth); 569 fflush(stderr); 570 #endif /* DEBUG */ 571 if (sessionPool == NULL) 572 return (-1); 573 (void) mutex_lock(&sessionPoolLock); 574 for (i = 0; i < sessionPoolSize; ++i) { 575 if (sessionPool[i] == NULL) 576 continue; 577 cp = sessionPool[i]; 578 #ifdef DEBUG 579 (void) fprintf(stderr, 580 "tid: %d: checking connection [%d] ....\n", t, i); 581 printConnection(stderr, cp); 582 #endif /* DEBUG */ 583 if ((cp->usedBit) || (serverAddr && *serverAddr && 584 (strcasecmp(serverAddr, cp->serverAddr) != 0))) 585 continue; 586 587 if (__s_api_is_auth_matched(cp->auth, auth) == B_FALSE) 588 continue; 589 590 /* found an available connection */ 591 cp->usedBit = B_TRUE; 592 (void) mutex_unlock(&sessionPoolLock); 593 cp->threadID = thr_self(); 594 *conp = cp; 595 #ifdef DEBUG 596 (void) fprintf(stderr, 597 "tid %d: Connection found cID=%d\n", t, i); 598 fflush(stderr); 599 #endif /* DEBUG */ 600 return (i + CONID_OFFSET); 601 } 602 (void) mutex_unlock(&sessionPoolLock); 603 return (-1); 604 } 605 606 /* 607 * Free a Connection structure 608 */ 609 void 610 __s_api_freeConnection(Connection *con) 611 { 612 if (con == NULL) 613 return; 614 if (con->serverAddr) 615 free(con->serverAddr); 616 if (con->auth) 617 (void) __ns_ldap_freeCred(&(con->auth)); 618 if (con->saslMechanisms) { 619 __s_api_free2dArray(con->saslMechanisms); 620 } 621 if (con->controls) { 622 __s_api_free2dArray(con->controls); 623 } 624 free(con); 625 } 626 627 /* 628 * Find a connection matching the passed in criteria. If an open 629 * connection with that criteria exists use it, otherwise open a 630 * new connection. 631 * Success: returns the pointer to the Connection structure 632 * Failure: returns NULL, error code and message should be in errorp 633 */ 634 635 static int 636 makeConnection(Connection **conp, const char *serverAddr, 637 const ns_cred_t *auth, ConnectionID *cID, int timeoutSec, 638 ns_ldap_error_t **errorp, int fail_if_new_pwd_reqd, 639 int nopasswd_acct_mgmt, int flags, char ***badsrvrs, 640 ns_conn_user_t *conn_user) 641 { 642 Connection *con = NULL; 643 ConnectionID id; 644 char errmsg[MAXERROR]; 645 int rc, exit_rc = NS_LDAP_SUCCESS; 646 ns_server_info_t sinfo; 647 char *hReq, *host = NULL; 648 LDAP *ld = NULL; 649 int passwd_mgmt = 0; 650 int totalbad = 0; /* Number of servers contacted unsuccessfully */ 651 short memerr = 0; /* Variable for tracking memory allocation */ 652 char *serverAddrType = NULL, **bindHost = NULL; 653 654 655 if (conp == NULL || errorp == NULL || auth == NULL) 656 return (NS_LDAP_INVALID_PARAM); 657 *errorp = NULL; 658 *conp = NULL; 659 (void) memset(&sinfo, 0, sizeof (sinfo)); 660 661 if ((id = findConnection(flags, serverAddr, auth, &con)) != -1) { 662 /* connection found in cache */ 663 #ifdef DEBUG 664 (void) fprintf(stderr, "tid= %d: connection found in " 665 "cache %d\n", thr_self(), id); 666 fflush(stderr); 667 #endif /* DEBUG */ 668 *cID = id; 669 *conp = con; 670 return (NS_LDAP_SUCCESS); 671 } 672 673 if (auth->auth.saslmech == NS_LDAP_SASL_GSSAPI) { 674 serverAddrType = NS_CACHE_ADDR_HOSTNAME; 675 bindHost = &sinfo.serverFQDN; 676 } else { 677 serverAddrType = NS_CACHE_ADDR_IP; 678 bindHost = &sinfo.server; 679 } 680 681 if (serverAddr) { 682 if (__s_api_isInitializing()) { 683 /* 684 * When obtaining the root DSE, connect to the server 685 * passed here through the serverAddr parameter 686 */ 687 sinfo.server = strdup(serverAddr); 688 if (sinfo.server == NULL) 689 return (NS_LDAP_MEMORY); 690 if (strcmp(serverAddrType, 691 NS_CACHE_ADDR_HOSTNAME) == 0) { 692 rc = __s_api_ip2hostname(sinfo.server, 693 &sinfo.serverFQDN); 694 if (rc != NS_LDAP_SUCCESS) { 695 (void) snprintf(errmsg, 696 sizeof (errmsg), 697 gettext("The %s address " 698 "can not be resolved into " 699 "a host name. Returning " 700 "the address as it is."), 701 serverAddr); 702 MKERROR(LOG_ERR, 703 *errorp, 704 NS_CONFIG_NOTLOADED, 705 strdup(errmsg), 706 NS_LDAP_MEMORY); 707 __s_api_free_server_info(&sinfo); 708 return (NS_LDAP_INTERNAL); 709 } 710 } 711 } else { 712 /* 713 * We're given the server address, just use it. 714 * In case of sasl/GSSAPI, serverAddr would need 715 * to be a FQDN. We assume this is the case for now. 716 * 717 * Only the server address fields of sinfo structure 718 * are filled in since these are the only relevant 719 * data that we have. Other fields of this structure 720 * (controls, saslMechanisms) are kept to NULL. 721 */ 722 sinfo.server = strdup(serverAddr); 723 if (sinfo.server == NULL) { 724 return (NS_LDAP_MEMORY); 725 } 726 if (auth->auth.saslmech == NS_LDAP_SASL_GSSAPI) { 727 sinfo.serverFQDN = strdup(serverAddr); 728 if (sinfo.serverFQDN == NULL) { 729 free(sinfo.server); 730 return (NS_LDAP_MEMORY); 731 } 732 } 733 } 734 rc = openConnection(&ld, *bindHost, auth, timeoutSec, errorp, 735 fail_if_new_pwd_reqd, passwd_mgmt, conn_user); 736 if (rc == NS_LDAP_SUCCESS || rc == 737 NS_LDAP_SUCCESS_WITH_INFO) { 738 exit_rc = rc; 739 goto create_con; 740 } else { 741 if (auth->auth.saslmech == NS_LDAP_SASL_GSSAPI) { 742 (void) snprintf(errmsg, sizeof (errmsg), 743 "%s %s", gettext("makeConnection: " 744 "failed to open connection using " 745 "sasl/GSSAPI to"), *bindHost); 746 } else { 747 (void) snprintf(errmsg, sizeof (errmsg), 748 "%s %s", gettext("makeConnection: " 749 "failed to open connection to"), 750 *bindHost); 751 } 752 syslog(LOG_ERR, "libsldap: %s", errmsg); 753 __s_api_free_server_info(&sinfo); 754 return (rc); 755 } 756 } 757 758 /* No cached connection, create one */ 759 for (; ; ) { 760 if (host == NULL) 761 hReq = NS_CACHE_NEW; 762 else 763 hReq = NS_CACHE_NEXT; 764 rc = __s_api_requestServer(hReq, host, &sinfo, errorp, 765 serverAddrType); 766 if ((rc != NS_LDAP_SUCCESS) || (sinfo.server == NULL) || 767 (host && (strcasecmp(host, sinfo.server) == 0))) { 768 /* Log the error */ 769 if (*errorp) { 770 (void) snprintf(errmsg, sizeof (errmsg), 771 "%s: (%s)", gettext("makeConnection: " 772 "unable to make LDAP connection, " 773 "request for a server failed"), 774 (*errorp)->message); 775 syslog(LOG_ERR, "libsldap: %s", errmsg); 776 } 777 778 __s_api_free_server_info(&sinfo); 779 if (host) 780 free(host); 781 return (NS_LDAP_OP_FAILED); 782 } 783 if (host) 784 free(host); 785 host = strdup(sinfo.server); 786 if (host == NULL) { 787 __s_api_free_server_info(&sinfo); 788 return (NS_LDAP_MEMORY); 789 } 790 791 /* check if server supports password management */ 792 passwd_mgmt = __s_api_contain_passwd_control_oid( 793 sinfo.controls); 794 /* check if server supports password less account mgmt */ 795 if (nopasswd_acct_mgmt && 796 !__s_api_contain_account_usable_control_oid( 797 sinfo.controls)) { 798 syslog(LOG_WARNING, "libsldap: server %s does not " 799 "provide account information without password", 800 host); 801 free(host); 802 __s_api_free_server_info(&sinfo); 803 return (NS_LDAP_OP_FAILED); 804 } 805 /* make the connection */ 806 rc = openConnection(&ld, *bindHost, auth, timeoutSec, errorp, 807 fail_if_new_pwd_reqd, passwd_mgmt, conn_user); 808 /* if success, go to create connection structure */ 809 if (rc == NS_LDAP_SUCCESS || 810 rc == NS_LDAP_SUCCESS_WITH_INFO) { 811 exit_rc = rc; 812 break; 813 } 814 815 /* 816 * If not able to reach the server, inform the ldap 817 * cache manager that the server should be removed 818 * from its server list. Thus, the manager will not 819 * return this server on the next get-server request 820 * and will also reduce the server list refresh TTL, 821 * so that it will find out sooner when the server 822 * is up again. 823 */ 824 if (rc == NS_LDAP_INTERNAL && *errorp != NULL) { 825 if ((*errorp)->status == LDAP_CONNECT_ERROR || 826 (*errorp)->status == LDAP_SERVER_DOWN) { 827 /* Reset memory allocation error */ 828 memerr = 0; 829 /* 830 * We contacted a server that we could 831 * not either authenticate to or contact. 832 * If it is due to authentication, then 833 * we need to try the server again. So, 834 * do not remove the server yet, but 835 * add it to the bad server list. 836 * The caller routine will remove 837 * the servers if: 838 * a). A good server is found or 839 * b). All the possible methods 840 * are tried without finding 841 * a good server 842 */ 843 if (*badsrvrs == NULL) { 844 if (!(*badsrvrs = (char **)malloc 845 (sizeof (char *) * NUMTOMALLOC))) { 846 memerr = 1; 847 } 848 /* Allocate memory in chunks of NUMTOMALLOC */ 849 } else if ((totalbad % NUMTOMALLOC) == 850 NUMTOMALLOC - 1) { 851 char **tmpptr; 852 if (!(tmpptr = (char **)realloc( 853 *badsrvrs, 854 (sizeof (char *) * NUMTOMALLOC * 855 ((totalbad/NUMTOMALLOC) + 2))))) { 856 memerr = 1; 857 } else { 858 *badsrvrs = tmpptr; 859 } 860 } 861 /* 862 * Store host only if there were no unsuccessful 863 * memory allocations above 864 */ 865 if (!memerr && 866 !((*badsrvrs)[totalbad++] = strdup(host))) { 867 memerr = 1; 868 totalbad--; 869 } 870 (*badsrvrs)[totalbad] = NULL; 871 } 872 } 873 874 /* else, cleanup and go for the next server */ 875 __s_api_free_server_info(&sinfo); 876 877 /* Return if we had memory allocation errors */ 878 if (memerr) 879 return (NS_LDAP_MEMORY); 880 if (*errorp) { 881 /* 882 * If openConnection() failed due to 883 * password policy, or invalid credential, 884 * keep *errorp and exit 885 */ 886 if ((*errorp)->pwd_mgmt.status != NS_PASSWD_GOOD || 887 (*errorp)->status == LDAP_INVALID_CREDENTIALS) { 888 free(host); 889 return (rc); 890 } else { 891 (void) __ns_ldap_freeError(errorp); 892 *errorp = NULL; 893 } 894 } 895 } 896 897 create_con: 898 /* we have created ld, setup con structure */ 899 if (host) 900 free(host); 901 if ((con = calloc(1, sizeof (Connection))) == NULL) { 902 __s_api_free_server_info(&sinfo); 903 /* 904 * If password control attached in **errorp, 905 * e.g. rc == NS_LDAP_SUCCESS_WITH_INFO, 906 * free the error structure 907 */ 908 if (*errorp) { 909 (void) __ns_ldap_freeError(errorp); 910 *errorp = NULL; 911 } 912 (void) ldap_unbind(ld); 913 return (NS_LDAP_MEMORY); 914 } 915 916 con->serverAddr = sinfo.server; /* Store original format */ 917 if (sinfo.serverFQDN != NULL) { 918 free(sinfo.serverFQDN); 919 sinfo.serverFQDN = NULL; 920 } 921 con->saslMechanisms = sinfo.saslMechanisms; 922 con->controls = sinfo.controls; 923 924 con->auth = __ns_ldap_dupAuth(auth); 925 if (con->auth == NULL) { 926 (void) ldap_unbind(ld); 927 __s_api_freeConnection(con); 928 /* 929 * If password control attached in **errorp, 930 * e.g. rc == NS_LDAP_SUCCESS_WITH_INFO, 931 * free the error structure 932 */ 933 if (*errorp) { 934 (void) __ns_ldap_freeError(errorp); 935 *errorp = NULL; 936 } 937 return (NS_LDAP_MEMORY); 938 } 939 940 con->threadID = thr_self(); 941 con->pid = getpid(); 942 943 con->ld = ld; 944 /* add MT connection to the MT connection pool */ 945 if (conn_user != NULL && conn_user->conn_mt != NULL) { 946 if (__s_api_conn_mt_add(con, conn_user, errorp) == 947 NS_LDAP_SUCCESS) { 948 *conp = con; 949 return (exit_rc); 950 } else { 951 (void) ldap_unbind(ld); 952 __s_api_freeConnection(con); 953 return ((*errorp)->status); 954 } 955 } 956 957 /* MT connection not supported or not required case */ 958 if ((id = addConnection(con)) == -1) { 959 (void) ldap_unbind(ld); 960 __s_api_freeConnection(con); 961 /* 962 * If password control attached in **errorp, 963 * e.g. rc == NS_LDAP_SUCCESS_WITH_INFO, 964 * free the error structure 965 */ 966 if (*errorp) { 967 (void) __ns_ldap_freeError(errorp); 968 *errorp = NULL; 969 } 970 return (NS_LDAP_MEMORY); 971 } 972 #ifdef DEBUG 973 (void) fprintf(stderr, "tid= %d: connection added into " 974 "cache %d\n", thr_self(), id); 975 fflush(stderr); 976 #endif /* DEBUG */ 977 *cID = id; 978 *conp = con; 979 return (exit_rc); 980 } 981 982 /* 983 * Return the specified connection to the pool. If necessary 984 * delete the connection. 985 */ 986 987 static void 988 _DropConnection(ConnectionID cID, int flag, int fini) 989 { 990 Connection *cp; 991 int id; 992 int use_mutex = !fini; 993 struct timeval zerotime; 994 LDAPMessage *res; 995 996 zerotime.tv_sec = zerotime.tv_usec = 0L; 997 998 id = cID - CONID_OFFSET; 999 if (id < 0 || id >= sessionPoolSize) 1000 return; 1001 #ifdef DEBUG 1002 (void) fprintf(stderr, 1003 "tid %d: Dropping connection cID=%d flag=0x%x\n", 1004 thr_self(), cID, flag); 1005 fflush(stderr); 1006 #endif /* DEBUG */ 1007 if (use_mutex) 1008 (void) mutex_lock(&sessionPoolLock); 1009 1010 cp = sessionPool[id]; 1011 /* sanity check before removing */ 1012 if (!cp || (!fini && (!cp->usedBit || cp->threadID != thr_self()))) { 1013 if (use_mutex) 1014 (void) mutex_unlock(&sessionPoolLock); 1015 return; 1016 } 1017 1018 if (!fini && 1019 ((flag & NS_LDAP_NEW_CONN) == 0) && 1020 ((flag & NS_LDAP_KEEP_CONN) || __s_api_nscd_proc() || 1021 __s_api_peruser_proc())) { 1022 /* release Connection (keep alive) */ 1023 cp->usedBit = B_FALSE; 1024 cp->threadID = 0; /* unmark the threadID */ 1025 /* 1026 * Do sanity cleanup of remaining results. 1027 */ 1028 while (ldap_result(cp->ld, LDAP_RES_ANY, LDAP_MSG_ALL, 1029 &zerotime, &res) > 0) { 1030 if (res != NULL) 1031 (void) ldap_msgfree(res); 1032 } 1033 if (use_mutex) 1034 (void) mutex_unlock(&sessionPoolLock); 1035 } else { 1036 /* delete Connection (disconnect) */ 1037 sessionPool[id] = NULL; 1038 if (use_mutex) 1039 (void) mutex_unlock(&sessionPoolLock); 1040 (void) ldap_unbind(cp->ld); 1041 __s_api_freeConnection(cp); 1042 } 1043 } 1044 1045 void 1046 DropConnection(ConnectionID cID, int flag) 1047 { 1048 _DropConnection(cID, flag, 0); 1049 } 1050 1051 /* 1052 * This routine is called after a bind operation is 1053 * done in openConnection() to process the password 1054 * management information, if any. 1055 * 1056 * Input: 1057 * bind_type: "simple" or "sasl/DIGEST-MD5" 1058 * ldaprc : ldap rc from the ldap bind operation 1059 * controls : controls returned by the server 1060 * errmsg : error message from the server 1061 * fail_if_new_pwd_reqd: 1062 * flag indicating if connection should be open 1063 * when password needs to change immediately 1064 * passwd_mgmt: 1065 * flag indicating if server supports password 1066 * policy/management 1067 * 1068 * Output : ns_ldap_error structure, which may contain 1069 * password status and number of seconds until 1070 * expired 1071 * 1072 * return rc: 1073 * NS_LDAP_EXTERNAL: error, connection should not open 1074 * NS_LDAP_SUCCESS_WITH_INFO: OK to open but password info attached 1075 * NS_LDAP_SUCCESS: OK to open connection 1076 * 1077 */ 1078 1079 static int 1080 process_pwd_mgmt(char *bind_type, int ldaprc, 1081 LDAPControl **controls, 1082 char *errmsg, ns_ldap_error_t **errorp, 1083 int fail_if_new_pwd_reqd, 1084 int passwd_mgmt) 1085 { 1086 char errstr[MAXERROR]; 1087 LDAPControl **ctrl = NULL; 1088 int exit_rc; 1089 ns_ldap_passwd_status_t pwd_status = NS_PASSWD_GOOD; 1090 int sec_until_exp = 0; 1091 1092 /* 1093 * errmsg may be an empty string, 1094 * even if ldaprc is LDAP_SUCCESS, 1095 * free the empty string if that's the case 1096 */ 1097 if (errmsg && 1098 (*errmsg == '\0' || ldaprc == LDAP_SUCCESS)) { 1099 ldap_memfree(errmsg); 1100 errmsg = NULL; 1101 } 1102 1103 if (ldaprc != LDAP_SUCCESS) { 1104 /* 1105 * try to map ldap rc and error message to 1106 * a password status 1107 */ 1108 if (errmsg) { 1109 if (passwd_mgmt) 1110 pwd_status = 1111 __s_api_set_passwd_status( 1112 ldaprc, errmsg); 1113 ldap_memfree(errmsg); 1114 } 1115 1116 (void) snprintf(errstr, sizeof (errstr), 1117 gettext("openConnection: " 1118 "%s bind failed " 1119 "- %s"), bind_type, ldap_err2string(ldaprc)); 1120 1121 if (pwd_status != NS_PASSWD_GOOD) { 1122 MKERROR_PWD_MGMT(*errorp, 1123 ldaprc, strdup(errstr), 1124 pwd_status, 0, NULL); 1125 } else { 1126 MKERROR(LOG_ERR, *errorp, ldaprc, strdup(errstr), 1127 NS_LDAP_MEMORY); 1128 } 1129 if (controls) 1130 ldap_controls_free(controls); 1131 1132 return (NS_LDAP_INTERNAL); 1133 } 1134 1135 /* 1136 * ldaprc is LDAP_SUCCESS, 1137 * process the password management controls, if any 1138 */ 1139 exit_rc = NS_LDAP_SUCCESS; 1140 if (controls && passwd_mgmt) { 1141 /* 1142 * The control with the OID 1143 * 2.16.840.1.113730.3.4.4 (or 1144 * LDAP_CONTROL_PWEXPIRED, as defined 1145 * in the ldap.h header file) is the 1146 * expired password control. 1147 * 1148 * This control is used if the server 1149 * is configured to require users to 1150 * change their passwords when first 1151 * logging in and whenever the 1152 * passwords are reset. 1153 * 1154 * If the user is logging in for the 1155 * first time or if the user's 1156 * password has been reset, the 1157 * server sends this control to 1158 * indicate that the client needs to 1159 * change the password immediately. 1160 * 1161 * At this point, the only operation 1162 * that the client can perform is to 1163 * change the user's password. If the 1164 * client requests any other LDAP 1165 * operation, the server sends back 1166 * an LDAP_UNWILLING_TO_PERFORM 1167 * result code with an expired 1168 * password control. 1169 * 1170 * The control with the OID 1171 * 2.16.840.1.113730.3.4.5 (or 1172 * LDAP_CONTROL_PWEXPIRING, as 1173 * defined in the ldap.h header file) 1174 * is the password expiration warning 1175 * control. 1176 * 1177 * This control is used if the server 1178 * is configured to expire user 1179 * passwords after a certain amount 1180 * of time. 1181 * 1182 * The server sends this control back 1183 * to the client if the client binds 1184 * using a password that will soon 1185 * expire. The ldctl_value field of 1186 * the LDAPControl structure 1187 * specifies the number of seconds 1188 * before the password will expire. 1189 */ 1190 for (ctrl = controls; *ctrl; ctrl++) { 1191 1192 if (strcmp((*ctrl)->ldctl_oid, 1193 LDAP_CONTROL_PWEXPIRED) == 0) { 1194 /* 1195 * if the caller wants this bind 1196 * to fail, set up the error info. 1197 * If call to this function is 1198 * for searching the LDAP directory, 1199 * e.g., __ns_ldap_list(), 1200 * there's really no sense to 1201 * let a connection open and 1202 * then fail immediately afterward 1203 * on the LDAP search operation with 1204 * the LDAP_UNWILLING_TO_PERFORM rc 1205 */ 1206 pwd_status = 1207 NS_PASSWD_CHANGE_NEEDED; 1208 if (fail_if_new_pwd_reqd) { 1209 (void) snprintf(errstr, 1210 sizeof (errstr), 1211 gettext( 1212 "openConnection: " 1213 "%s bind " 1214 "failed " 1215 "- password " 1216 "expired. It " 1217 " needs to change " 1218 "immediately!"), 1219 bind_type); 1220 MKERROR_PWD_MGMT(*errorp, 1221 LDAP_SUCCESS, 1222 strdup(errstr), 1223 pwd_status, 1224 0, 1225 NULL); 1226 exit_rc = NS_LDAP_INTERNAL; 1227 } else { 1228 MKERROR_PWD_MGMT(*errorp, 1229 LDAP_SUCCESS, 1230 NULL, 1231 pwd_status, 1232 0, 1233 NULL); 1234 exit_rc = 1235 NS_LDAP_SUCCESS_WITH_INFO; 1236 } 1237 break; 1238 } else if (strcmp((*ctrl)->ldctl_oid, 1239 LDAP_CONTROL_PWEXPIRING) == 0) { 1240 pwd_status = 1241 NS_PASSWD_ABOUT_TO_EXPIRE; 1242 if ((*ctrl)-> 1243 ldctl_value.bv_len > 0 && 1244 (*ctrl)-> 1245 ldctl_value.bv_val) 1246 sec_until_exp = 1247 atoi((*ctrl)-> 1248 ldctl_value.bv_val); 1249 MKERROR_PWD_MGMT(*errorp, 1250 LDAP_SUCCESS, 1251 NULL, 1252 pwd_status, 1253 sec_until_exp, 1254 NULL); 1255 exit_rc = 1256 NS_LDAP_SUCCESS_WITH_INFO; 1257 break; 1258 } 1259 } 1260 } 1261 1262 if (controls) 1263 ldap_controls_free(controls); 1264 1265 return (exit_rc); 1266 } 1267 1268 static int 1269 ldap_in_nss_switch(char *db) 1270 { 1271 enum __nsw_parse_err pserr; 1272 struct __nsw_switchconfig *conf; 1273 struct __nsw_lookup *lkp; 1274 const char *name; 1275 int found = 0; 1276 1277 conf = __nsw_getconfig(db, &pserr); 1278 if (conf == NULL) { 1279 return (-1); 1280 } 1281 1282 /* check for skip and count other backends */ 1283 for (lkp = conf->lookups; lkp != NULL; lkp = lkp->next) { 1284 name = lkp->service_name; 1285 if (strcmp(name, "ldap") == 0) { 1286 found = 1; 1287 break; 1288 } 1289 } 1290 __nsw_freeconfig(conf); 1291 return (found); 1292 } 1293 1294 static int 1295 openConnection(LDAP **ldp, const char *serverAddr, const ns_cred_t *auth, 1296 int timeoutSec, ns_ldap_error_t **errorp, 1297 int fail_if_new_pwd_reqd, int passwd_mgmt, 1298 ns_conn_user_t *conn_user) 1299 { 1300 LDAP *ld = NULL; 1301 int ldapVersion = LDAP_VERSION3; 1302 int derefOption = LDAP_DEREF_ALWAYS; 1303 int zero = 0; 1304 int timeoutMilliSec = timeoutSec * 1000; 1305 uint16_t port = USE_DEFAULT_PORT; 1306 char *s; 1307 char errstr[MAXERROR]; 1308 1309 ns_ldap_return_code ret_code = NS_LDAP_SUCCESS; 1310 1311 *errorp = NULL; 1312 *ldp = NULL; 1313 1314 /* determine if the host name contains a port number */ 1315 s = strchr(serverAddr, ']'); /* skip over ipv6 addr */ 1316 s = strchr(s != NULL ? s : serverAddr, ':'); 1317 if (s != NULL) { 1318 if (sscanf(s + 1, "%hu", &port) != 1) { 1319 (void) snprintf(errstr, 1320 sizeof (errstr), 1321 gettext("openConnection: cannot " 1322 "convert %s into a valid " 1323 "port number for the " 1324 "%s server. A default value " 1325 "will be used."), 1326 s, 1327 serverAddr); 1328 syslog(LOG_ERR, "libsldap: %s", errstr); 1329 } else { 1330 *s = '\0'; 1331 } 1332 } 1333 1334 ret_code = createSession(auth, 1335 serverAddr, 1336 port, 1337 timeoutMilliSec, 1338 &ld, 1339 errorp); 1340 if (s != NULL) { 1341 *s = ':'; 1342 } 1343 if (ret_code != NS_LDAP_SUCCESS) { 1344 return (ret_code); 1345 } 1346 1347 /* check to see if the underlying libsldap supports MT connection */ 1348 if (conn_user != NULL) { 1349 int rc; 1350 1351 rc = __s_api_check_libldap_MT_conn_support(conn_user, ld, 1352 errorp); 1353 if (rc != NS_LDAP_SUCCESS) { 1354 (void) ldap_unbind(ld); 1355 return (rc); 1356 } 1357 } 1358 1359 (void) ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ldapVersion); 1360 (void) ldap_set_option(ld, LDAP_OPT_DEREF, &derefOption); 1361 /* 1362 * set LDAP_OPT_REFERRALS to OFF. 1363 * This library will handle the referral itself 1364 * based on API flags or configuration file 1365 * specification. If this option is not set 1366 * to OFF, libldap will never pass the 1367 * referral info up to this library 1368 */ 1369 (void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); 1370 (void) ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &zero); 1371 (void) ldap_set_option(ld, LDAP_OPT_SIZELIMIT, &zero); 1372 /* setup TCP/IP connect timeout */ 1373 (void) ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, 1374 &timeoutMilliSec); 1375 /* retry if LDAP I/O was interrupted */ 1376 (void) ldap_set_option(ld, LDAP_OPT_RESTART, LDAP_OPT_ON); 1377 1378 ret_code = performBind(auth, 1379 ld, 1380 timeoutSec, 1381 errorp, 1382 fail_if_new_pwd_reqd, 1383 passwd_mgmt); 1384 1385 if (ret_code == NS_LDAP_SUCCESS || 1386 ret_code == NS_LDAP_SUCCESS_WITH_INFO) { 1387 *ldp = ld; 1388 } 1389 1390 return (ret_code); 1391 } 1392 1393 /* 1394 * FUNCTION: __s_api_getDefaultAuth 1395 * 1396 * Constructs a credential for authentication using the config module. 1397 * 1398 * RETURN VALUES: 1399 * 1400 * NS_LDAP_SUCCESS If successful 1401 * NS_LDAP_CONFIG If there are any config errors. 1402 * NS_LDAP_MEMORY Memory errors. 1403 * NS_LDAP_OP_FAILED If there are no more authentication methods so can 1404 * not build a new authp. 1405 * NS_LDAP_INVALID_PARAM This overloaded return value means that some of the 1406 * necessary fields of a cred for a given auth method 1407 * are not provided. 1408 * INPUT: 1409 * 1410 * cLevel Currently requested credential level to be tried 1411 * 1412 * aMethod Currently requested authentication method to be tried 1413 * 1414 * OUTPUT: 1415 * 1416 * authp authentication method to use. 1417 */ 1418 static int 1419 __s_api_getDefaultAuth( 1420 int *cLevel, 1421 ns_auth_t *aMethod, 1422 ns_cred_t **authp) 1423 { 1424 void **paramVal = NULL; 1425 char *modparamVal = NULL; 1426 int getUid = 0; 1427 int getPasswd = 0; 1428 int getCertpath = 0; 1429 int rc = 0; 1430 ns_ldap_error_t *errorp = NULL; 1431 1432 #ifdef DEBUG 1433 (void) fprintf(stderr, "__s_api_getDefaultAuth START\n"); 1434 #endif 1435 1436 if (aMethod == NULL) { 1437 /* Require an Auth */ 1438 return (NS_LDAP_INVALID_PARAM); 1439 1440 } 1441 /* 1442 * credential level "self" can work with auth method sasl/GSSAPI only 1443 */ 1444 if (cLevel && *cLevel == NS_LDAP_CRED_SELF && 1445 aMethod->saslmech != NS_LDAP_SASL_GSSAPI) 1446 return (NS_LDAP_INVALID_PARAM); 1447 1448 *authp = (ns_cred_t *)calloc(1, sizeof (ns_cred_t)); 1449 if ((*authp) == NULL) 1450 return (NS_LDAP_MEMORY); 1451 1452 (*authp)->auth = *aMethod; 1453 1454 switch (aMethod->type) { 1455 case NS_LDAP_AUTH_NONE: 1456 return (NS_LDAP_SUCCESS); 1457 case NS_LDAP_AUTH_SIMPLE: 1458 getUid++; 1459 getPasswd++; 1460 break; 1461 case NS_LDAP_AUTH_SASL: 1462 if ((aMethod->saslmech == NS_LDAP_SASL_DIGEST_MD5) || 1463 (aMethod->saslmech == NS_LDAP_SASL_CRAM_MD5)) { 1464 getUid++; 1465 getPasswd++; 1466 } else if (aMethod->saslmech != NS_LDAP_SASL_GSSAPI) { 1467 (void) __ns_ldap_freeCred(authp); 1468 *authp = NULL; 1469 return (NS_LDAP_INVALID_PARAM); 1470 } 1471 break; 1472 case NS_LDAP_AUTH_TLS: 1473 if ((aMethod->tlstype == NS_LDAP_TLS_SIMPLE) || 1474 ((aMethod->tlstype == NS_LDAP_TLS_SASL) && 1475 ((aMethod->saslmech == NS_LDAP_SASL_DIGEST_MD5) || 1476 (aMethod->saslmech == NS_LDAP_SASL_CRAM_MD5)))) { 1477 getUid++; 1478 getPasswd++; 1479 getCertpath++; 1480 } else if (aMethod->tlstype == NS_LDAP_TLS_NONE) { 1481 getCertpath++; 1482 } else { 1483 (void) __ns_ldap_freeCred(authp); 1484 *authp = NULL; 1485 return (NS_LDAP_INVALID_PARAM); 1486 } 1487 break; 1488 } 1489 1490 if (getUid) { 1491 paramVal = NULL; 1492 if ((rc = __ns_ldap_getParam(NS_LDAP_BINDDN_P, 1493 ¶mVal, &errorp)) != NS_LDAP_SUCCESS) { 1494 (void) __ns_ldap_freeCred(authp); 1495 (void) __ns_ldap_freeError(&errorp); 1496 *authp = NULL; 1497 return (rc); 1498 } 1499 1500 if (paramVal == NULL || *paramVal == NULL) { 1501 (void) __ns_ldap_freeCred(authp); 1502 *authp = NULL; 1503 return (NS_LDAP_INVALID_PARAM); 1504 } 1505 1506 (*authp)->cred.unix_cred.userID = strdup((char *)*paramVal); 1507 (void) __ns_ldap_freeParam(¶mVal); 1508 if ((*authp)->cred.unix_cred.userID == NULL) { 1509 (void) __ns_ldap_freeCred(authp); 1510 *authp = NULL; 1511 return (NS_LDAP_MEMORY); 1512 } 1513 } 1514 if (getPasswd) { 1515 paramVal = NULL; 1516 if ((rc = __ns_ldap_getParam(NS_LDAP_BINDPASSWD_P, 1517 ¶mVal, &errorp)) != NS_LDAP_SUCCESS) { 1518 (void) __ns_ldap_freeCred(authp); 1519 (void) __ns_ldap_freeError(&errorp); 1520 *authp = NULL; 1521 return (rc); 1522 } 1523 1524 if (paramVal == NULL || *paramVal == NULL) { 1525 (void) __ns_ldap_freeCred(authp); 1526 *authp = NULL; 1527 return (NS_LDAP_INVALID_PARAM); 1528 } 1529 1530 modparamVal = dvalue((char *)*paramVal); 1531 (void) __ns_ldap_freeParam(¶mVal); 1532 if (modparamVal == NULL || (strlen((char *)modparamVal) == 0)) { 1533 (void) __ns_ldap_freeCred(authp); 1534 if (modparamVal != NULL) 1535 free(modparamVal); 1536 *authp = NULL; 1537 return (NS_LDAP_INVALID_PARAM); 1538 } 1539 1540 (*authp)->cred.unix_cred.passwd = modparamVal; 1541 } 1542 if (getCertpath) { 1543 paramVal = NULL; 1544 if ((rc = __ns_ldap_getParam(NS_LDAP_HOST_CERTPATH_P, 1545 ¶mVal, &errorp)) != NS_LDAP_SUCCESS) { 1546 (void) __ns_ldap_freeCred(authp); 1547 (void) __ns_ldap_freeError(&errorp); 1548 *authp = NULL; 1549 return (rc); 1550 } 1551 1552 if (paramVal == NULL || *paramVal == NULL) { 1553 (void) __ns_ldap_freeCred(authp); 1554 *authp = NULL; 1555 return (NS_LDAP_INVALID_PARAM); 1556 } 1557 1558 (*authp)->hostcertpath = strdup((char *)*paramVal); 1559 (void) __ns_ldap_freeParam(¶mVal); 1560 if ((*authp)->hostcertpath == NULL) { 1561 (void) __ns_ldap_freeCred(authp); 1562 *authp = NULL; 1563 return (NS_LDAP_MEMORY); 1564 } 1565 } 1566 return (NS_LDAP_SUCCESS); 1567 } 1568 1569 /* 1570 * FUNCTION: getConnection 1571 * 1572 * internal version of __s_api_getConnection() 1573 */ 1574 static int 1575 getConnection( 1576 const char *server, 1577 const int flags, 1578 const ns_cred_t *cred, /* credentials for bind */ 1579 ConnectionID *sessionId, 1580 Connection **session, 1581 ns_ldap_error_t **errorp, 1582 int fail_if_new_pwd_reqd, 1583 int nopasswd_acct_mgmt, 1584 ns_conn_user_t *conn_user) 1585 { 1586 char errmsg[MAXERROR]; 1587 ns_auth_t **aMethod = NULL; 1588 ns_auth_t **aNext = NULL; 1589 int **cLevel = NULL; 1590 int **cNext = NULL; 1591 int timeoutSec = NS_DEFAULT_BIND_TIMEOUT; 1592 int rc; 1593 Connection *con = NULL; 1594 int sec = 1; 1595 ns_cred_t *authp = NULL; 1596 ns_cred_t anon; 1597 int version = NS_LDAP_V2, self_gssapi_only = 0; 1598 void **paramVal = NULL; 1599 char **badSrvrs = NULL; /* List of problem hostnames */ 1600 1601 if ((session == NULL) || (sessionId == NULL)) { 1602 return (NS_LDAP_INVALID_PARAM); 1603 } 1604 *session = NULL; 1605 1606 /* reuse MT connection if needed and if available */ 1607 if (conn_user != NULL) { 1608 rc = __s_api_conn_mt_get(server, flags, cred, session, errorp, 1609 conn_user); 1610 if (rc != NS_LDAP_NOTFOUND) 1611 return (rc); 1612 } 1613 1614 /* get profile version number */ 1615 if ((rc = __ns_ldap_getParam(NS_LDAP_FILE_VERSION_P, 1616 ¶mVal, errorp)) != NS_LDAP_SUCCESS) 1617 return (rc); 1618 if (paramVal == NULL) { 1619 (void) sprintf(errmsg, gettext("getConnection: no file " 1620 "version")); 1621 MKERROR(LOG_WARNING, *errorp, NS_CONFIG_FILE, strdup(errmsg), 1622 NS_LDAP_CONFIG); 1623 return (NS_LDAP_CONFIG); 1624 } 1625 if (strcasecmp((char *)*paramVal, NS_LDAP_VERSION_1) == 0) 1626 version = NS_LDAP_V1; 1627 (void) __ns_ldap_freeParam((void ***)¶mVal); 1628 1629 /* Get the bind timeout value */ 1630 (void) __ns_ldap_getParam(NS_LDAP_BIND_TIME_P, ¶mVal, errorp); 1631 if (paramVal != NULL && *paramVal != NULL) { 1632 timeoutSec = **((int **)paramVal); 1633 (void) __ns_ldap_freeParam(¶mVal); 1634 } 1635 if (*errorp) 1636 (void) __ns_ldap_freeError(errorp); 1637 1638 if (cred == NULL) { 1639 /* Get the authentication method list */ 1640 if ((rc = __ns_ldap_getParam(NS_LDAP_AUTH_P, 1641 (void ***)&aMethod, errorp)) != NS_LDAP_SUCCESS) 1642 return (rc); 1643 if (aMethod == NULL) { 1644 aMethod = (ns_auth_t **)calloc(2, sizeof (ns_auth_t *)); 1645 if (aMethod == NULL) 1646 return (NS_LDAP_MEMORY); 1647 aMethod[0] = (ns_auth_t *)calloc(1, sizeof (ns_auth_t)); 1648 if (aMethod[0] == NULL) { 1649 free(aMethod); 1650 return (NS_LDAP_MEMORY); 1651 } 1652 if (version == NS_LDAP_V1) 1653 (aMethod[0])->type = NS_LDAP_AUTH_SIMPLE; 1654 else { 1655 (aMethod[0])->type = NS_LDAP_AUTH_SASL; 1656 (aMethod[0])->saslmech = 1657 NS_LDAP_SASL_DIGEST_MD5; 1658 (aMethod[0])->saslopt = NS_LDAP_SASLOPT_NONE; 1659 } 1660 } 1661 1662 /* Get the credential level list */ 1663 if ((rc = __ns_ldap_getParam(NS_LDAP_CREDENTIAL_LEVEL_P, 1664 (void ***)&cLevel, errorp)) != NS_LDAP_SUCCESS) { 1665 (void) __ns_ldap_freeParam((void ***)&aMethod); 1666 return (rc); 1667 } 1668 if (cLevel == NULL) { 1669 cLevel = (int **)calloc(2, sizeof (int *)); 1670 if (cLevel == NULL) 1671 return (NS_LDAP_MEMORY); 1672 cLevel[0] = (int *)calloc(1, sizeof (int)); 1673 if (cLevel[0] == NULL) 1674 return (NS_LDAP_MEMORY); 1675 if (version == NS_LDAP_V1) 1676 *(cLevel[0]) = NS_LDAP_CRED_PROXY; 1677 else 1678 *(cLevel[0]) = NS_LDAP_CRED_ANON; 1679 } 1680 } 1681 1682 /* setup the anon credential for anonymous connection */ 1683 (void) memset(&anon, 0, sizeof (ns_cred_t)); 1684 anon.auth.type = NS_LDAP_AUTH_NONE; 1685 1686 for (;;) { 1687 if (cred != NULL) { 1688 /* using specified auth method */ 1689 rc = makeConnection(&con, server, cred, 1690 sessionId, timeoutSec, errorp, 1691 fail_if_new_pwd_reqd, 1692 nopasswd_acct_mgmt, flags, &badSrvrs, conn_user); 1693 /* not using bad server if credentials were supplied */ 1694 if (badSrvrs && *badSrvrs) { 1695 __s_api_free2dArray(badSrvrs); 1696 badSrvrs = NULL; 1697 } 1698 if (rc == NS_LDAP_SUCCESS || 1699 rc == NS_LDAP_SUCCESS_WITH_INFO) { 1700 *session = con; 1701 break; 1702 } 1703 } else { 1704 self_gssapi_only = __s_api_self_gssapi_only_get(); 1705 /* for every cred level */ 1706 for (cNext = cLevel; *cNext != NULL; cNext++) { 1707 if (self_gssapi_only && 1708 **cNext != NS_LDAP_CRED_SELF) 1709 continue; 1710 if (**cNext == NS_LDAP_CRED_ANON) { 1711 /* 1712 * make connection anonymously 1713 * Free the down server list before 1714 * looping through 1715 */ 1716 if (badSrvrs && *badSrvrs) { 1717 __s_api_free2dArray(badSrvrs); 1718 badSrvrs = NULL; 1719 } 1720 rc = makeConnection(&con, server, &anon, 1721 sessionId, timeoutSec, errorp, 1722 fail_if_new_pwd_reqd, 1723 nopasswd_acct_mgmt, flags, 1724 &badSrvrs, conn_user); 1725 if (rc == NS_LDAP_SUCCESS || 1726 rc == 1727 NS_LDAP_SUCCESS_WITH_INFO) { 1728 *session = con; 1729 goto done; 1730 } 1731 continue; 1732 } 1733 /* for each cred level */ 1734 for (aNext = aMethod; *aNext != NULL; aNext++) { 1735 if (self_gssapi_only && 1736 (*aNext)->saslmech != 1737 NS_LDAP_SASL_GSSAPI) 1738 continue; 1739 /* 1740 * self coexists with sasl/GSSAPI only 1741 * and non-self coexists with non-gssapi 1742 * only 1743 */ 1744 if ((**cNext == NS_LDAP_CRED_SELF && 1745 (*aNext)->saslmech != 1746 NS_LDAP_SASL_GSSAPI) || 1747 (**cNext != NS_LDAP_CRED_SELF && 1748 (*aNext)->saslmech == 1749 NS_LDAP_SASL_GSSAPI)) 1750 continue; 1751 /* make connection and authenticate */ 1752 /* with default credentials */ 1753 authp = NULL; 1754 rc = __s_api_getDefaultAuth(*cNext, 1755 *aNext, &authp); 1756 if (rc != NS_LDAP_SUCCESS) { 1757 continue; 1758 } 1759 /* 1760 * Free the down server list before 1761 * looping through 1762 */ 1763 if (badSrvrs && *badSrvrs) { 1764 __s_api_free2dArray(badSrvrs); 1765 badSrvrs = NULL; 1766 } 1767 rc = makeConnection(&con, server, authp, 1768 sessionId, timeoutSec, errorp, 1769 fail_if_new_pwd_reqd, 1770 nopasswd_acct_mgmt, flags, 1771 &badSrvrs, conn_user); 1772 (void) __ns_ldap_freeCred(&authp); 1773 if (rc == NS_LDAP_SUCCESS || 1774 rc == 1775 NS_LDAP_SUCCESS_WITH_INFO) { 1776 *session = con; 1777 goto done; 1778 } 1779 } 1780 } 1781 } 1782 if (flags & NS_LDAP_HARD) { 1783 if (sec < LDAPMAXHARDLOOKUPTIME) 1784 sec *= 2; 1785 (void) sleep(sec); 1786 } else { 1787 break; 1788 } 1789 } 1790 1791 done: 1792 if (self_gssapi_only && rc == NS_LDAP_SUCCESS && *session == NULL) { 1793 /* 1794 * self_gssapi_only is true but no self/sasl/gssapi is 1795 * configured 1796 */ 1797 rc = NS_LDAP_CONFIG; 1798 } 1799 1800 (void) __ns_ldap_freeParam((void ***)&aMethod); 1801 (void) __ns_ldap_freeParam((void ***)&cLevel); 1802 1803 if (badSrvrs && *badSrvrs) { 1804 /* 1805 * At this point, either we have a successful 1806 * connection or exhausted all the possible auths. 1807 * and creds. Mark the problem servers as down 1808 * so that the problem servers are not contacted 1809 * again until the refresh_ttl expires. 1810 */ 1811 (void) __s_api_removeBadServers(badSrvrs); 1812 __s_api_free2dArray(badSrvrs); 1813 } 1814 return (rc); 1815 } 1816 1817 /* 1818 * FUNCTION: __s_api_getConnection 1819 * 1820 * Bind to the specified server or one from the server 1821 * list and return the pointer. 1822 * 1823 * This function can rebind or not (NS_LDAP_HARD), it can require a 1824 * credential or bind anonymously 1825 * 1826 * This function follows the DUA configuration schema algorithm 1827 * 1828 * RETURN VALUES: 1829 * 1830 * NS_LDAP_SUCCESS A connection was made successfully. 1831 * NS_LDAP_SUCCESS_WITH_INFO 1832 * A connection was made successfully, but with 1833 * password management info in *errorp 1834 * NS_LDAP_INVALID_PARAM If any invalid arguments were passed to the function. 1835 * NS_LDAP_CONFIG If there are any config errors. 1836 * NS_LDAP_MEMORY Memory errors. 1837 * NS_LDAP_INTERNAL If there was a ldap error. 1838 * 1839 * INPUT: 1840 * 1841 * server Bind to this LDAP server only 1842 * flags If NS_LDAP_HARD is set function will not return until it has 1843 * a connection unless there is a authentication problem. 1844 * If NS_LDAP_NEW_CONN is set the function must force a new 1845 * connection to be created 1846 * If NS_LDAP_KEEP_CONN is set the connection is to be kept open 1847 * auth Credentials for bind. This could be NULL in which case 1848 * a default cred built from the config module is used. 1849 * sessionId cookie that points to a previous session 1850 * fail_if_new_pwd_reqd 1851 * a flag indicating this function should fail if the passwd 1852 * in auth needs to change immediately 1853 * nopasswd_acct_mgmt 1854 * a flag indicating that makeConnection should check before 1855 * binding if server supports LDAP V3 password less 1856 * account management 1857 * 1858 * OUTPUT: 1859 * 1860 * session pointer to a session with connection information 1861 * errorp Set if there are any INTERNAL, or CONFIG error. 1862 */ 1863 int 1864 __s_api_getConnection( 1865 const char *server, 1866 const int flags, 1867 const ns_cred_t *cred, /* credentials for bind */ 1868 ConnectionID *sessionId, 1869 Connection **session, 1870 ns_ldap_error_t **errorp, 1871 int fail_if_new_pwd_reqd, 1872 int nopasswd_acct_mgmt, 1873 ns_conn_user_t *conn_user) 1874 { 1875 int rc; 1876 1877 rc = getConnection(server, flags, cred, sessionId, session, 1878 errorp, fail_if_new_pwd_reqd, nopasswd_acct_mgmt, 1879 conn_user); 1880 1881 if (rc != NS_LDAP_SUCCESS && rc != NS_LDAP_SUCCESS_WITH_INFO) { 1882 if (conn_user != NULL && conn_user->conn_mt != NULL) 1883 __s_api_conn_mt_remove(conn_user, rc, errorp); 1884 } 1885 1886 return (rc); 1887 } 1888 1889 void 1890 __s_api_free_sessionPool() 1891 { 1892 int id; 1893 1894 (void) mutex_lock(&sessionPoolLock); 1895 1896 if (sessionPool != NULL) { 1897 for (id = 0; id < sessionPoolSize; id++) 1898 _DropConnection(id + CONID_OFFSET, 0, 1); 1899 free(sessionPool); 1900 sessionPool = NULL; 1901 sessionPoolSize = 0; 1902 } 1903 (void) mutex_unlock(&sessionPoolLock); 1904 } 1905 1906 /* 1907 * This function initializes a TLS LDAP session. On success LDAP* is returned 1908 * (pointed by *ldp). Otherwise, the function returns an NS error code and 1909 * provide an additional info pointed by *errorp. 1910 */ 1911 static 1912 ns_ldap_return_code 1913 createTLSSession(const ns_cred_t *auth, const char *serverAddr, 1914 uint16_t port, int timeoutMilliSec, 1915 LDAP **ldp, ns_ldap_error_t **errorp) 1916 { 1917 const char *hostcertpath; 1918 char *alloc_hcp = NULL, errstr[MAXERROR]; 1919 int ldap_rc; 1920 1921 #ifdef DEBUG 1922 (void) fprintf(stderr, "tid= %d: +++TLS transport\n", 1923 thr_self()); 1924 #endif /* DEBUG */ 1925 1926 if (prldap_set_session_option(NULL, NULL, 1927 PRLDAP_OPT_IO_MAX_TIMEOUT, 1928 timeoutMilliSec) != LDAP_SUCCESS) { 1929 (void) snprintf(errstr, sizeof (errstr), 1930 gettext("createTLSSession: failed to initialize " 1931 "TLS security")); 1932 MKERROR(LOG_WARNING, *errorp, LDAP_CONNECT_ERROR, 1933 strdup(errstr), NS_LDAP_MEMORY); 1934 return (NS_LDAP_INTERNAL); 1935 } 1936 1937 hostcertpath = auth->hostcertpath; 1938 if (hostcertpath == NULL) { 1939 alloc_hcp = __s_get_hostcertpath(); 1940 hostcertpath = alloc_hcp; 1941 } 1942 1943 if (hostcertpath == NULL) 1944 return (NS_LDAP_MEMORY); 1945 1946 if ((ldap_rc = ldapssl_client_init(hostcertpath, NULL)) < 0) { 1947 if (alloc_hcp != NULL) { 1948 free(alloc_hcp); 1949 } 1950 (void) snprintf(errstr, sizeof (errstr), 1951 gettext("createTLSSession: failed to initialize " 1952 "TLS security (%s)"), 1953 ldapssl_err2string(ldap_rc)); 1954 MKERROR(LOG_WARNING, *errorp, LDAP_CONNECT_ERROR, 1955 strdup(errstr), NS_LDAP_MEMORY); 1956 return (NS_LDAP_INTERNAL); 1957 } 1958 if (alloc_hcp) 1959 free(alloc_hcp); 1960 1961 *ldp = ldapssl_init(serverAddr, port, 1); 1962 1963 if (*ldp == NULL || 1964 ldapssl_install_gethostbyaddr(*ldp, "ldap") != 0) { 1965 (void) snprintf(errstr, sizeof (errstr), 1966 gettext("createTLSSession: failed to connect " 1967 "using TLS (%s)"), strerror(errno)); 1968 MKERROR(LOG_WARNING, *errorp, LDAP_CONNECT_ERROR, 1969 strdup(errstr), NS_LDAP_MEMORY); 1970 return (NS_LDAP_INTERNAL); 1971 } 1972 1973 return (NS_LDAP_SUCCESS); 1974 } 1975 1976 /* 1977 * Convert (resolve) hostname to IP address. 1978 * 1979 * INPUT: 1980 * 1981 * server - \[IPv6_address\][:port] 1982 * - IPv4_address[:port] 1983 * - hostname[:port] 1984 * 1985 * newaddr - Buffer to which this function writes resulting address, 1986 * including the port number, if specified in server argument. 1987 * 1988 * newaddr_size - Size of the newaddr buffer. 1989 * 1990 * errstr - Buffer to which error string is written if error occurs. 1991 * 1992 * errstr_size - Size of the errstr buffer. 1993 * 1994 * OUTPUT: 1995 * 1996 * Returns 1 for success, 0 in case of error. 1997 * 1998 * newaddr - See above (INPUT section). 1999 * 2000 * errstr - See above (INPUT section). 2001 */ 2002 static int 2003 cvt_hostname2ip(char *server, char *newaddr, int newaddr_size, 2004 char *errstr, int errstr_size) 2005 { 2006 char *s; 2007 unsigned short port = 0; 2008 int err; 2009 char buffer[NSS_BUFLEN_HOSTS]; 2010 struct hostent result; 2011 2012 /* Determine if the host name contains a port number. */ 2013 2014 /* Skip over IPv6 address. */ 2015 s = strchr(server, ']'); 2016 s = strchr(s != NULL ? s : server, ':'); 2017 if (s != NULL) { 2018 if (sscanf(s + 1, "%hu", &port) != 1) { 2019 /* Address misformatted. No port number after : */ 2020 (void) snprintf(errstr, errstr_size, "%s", 2021 gettext("Invalid host:port format")); 2022 return (0); 2023 } else 2024 /* Cut off the :<port> part. */ 2025 *s = '\0'; 2026 } 2027 2028 buffer[0] = '\0'; 2029 /* 2030 * Resolve hostname and fill in hostent structure. 2031 */ 2032 if (!__s_api_hostname2ip(server, &result, buffer, NSS_BUFLEN_HOSTS, 2033 &err)) { 2034 /* 2035 * The only possible error here could be TRY_AGAIN if buffer was 2036 * not big enough. NSS_BUFLEN_HOSTS should have been enough 2037 * though. 2038 */ 2039 (void) snprintf(errstr, errstr_size, "%s", 2040 gettext("Unable to resolve address.")); 2041 return (0); 2042 } 2043 2044 2045 buffer[0] = '\0'; 2046 /* 2047 * Convert the address to string. 2048 */ 2049 if (!inet_ntop(result.h_addrtype, result.h_addr_list[0], buffer, 2050 NSS_BUFLEN_HOSTS)) { 2051 /* There's not much we can do. */ 2052 (void) snprintf(errstr, errstr_size, "%s", 2053 gettext("Unable to convert address to string.")); 2054 return (0); 2055 } 2056 2057 /* Put together the address and the port */ 2058 if (port > 0) { 2059 switch (result.h_addrtype) { 2060 case AF_INET6: 2061 (void) snprintf(newaddr, 2062 /* [IP]:<port>\0 */ 2063 1 + strlen(buffer) + 1 + 1 + 5 + 1, 2064 "[%s]:%hu", 2065 buffer, 2066 port); 2067 break; 2068 /* AF_INET */ 2069 default : 2070 (void) snprintf(newaddr, 2071 /* IP:<port>\0 */ 2072 strlen(buffer) + 1 + 5 + 1, 2073 "%s:%hu", 2074 buffer, 2075 port); 2076 break; 2077 } 2078 } else { 2079 (void) strncpy(newaddr, buffer, newaddr_size); 2080 } 2081 2082 return (1); 2083 } 2084 2085 2086 /* 2087 * This finction initializes a none-TLS LDAP session. On success LDAP* 2088 * is returned (pointed by *ldp). Otherwise, the function returns 2089 * an NS error code and provides an additional info pointed by *errorp. 2090 */ 2091 static 2092 ns_ldap_return_code 2093 createNonTLSSession(const char *serverAddr, 2094 uint16_t port, int gssapi, 2095 LDAP **ldp, ns_ldap_error_t **errorp) 2096 { 2097 char errstr[MAXERROR]; 2098 char *addr; 2099 int is_ip = 0; 2100 /* [INET6_ADDRSTRLEN]:<port>\0 */ 2101 char svraddr[1+INET6_ADDRSTRLEN+1+1+5+1]; 2102 #ifdef DEBUG 2103 (void) fprintf(stderr, "tid= %d: +++Unsecure transport\n", 2104 thr_self()); 2105 #endif /* DEBUG */ 2106 2107 if (gssapi == 0) { 2108 is_ip = (__s_api_isipv4((char *)serverAddr) || 2109 __s_api_isipv6((char *)serverAddr)); 2110 } 2111 2112 /* 2113 * Let's try to resolve IP address of server. 2114 */ 2115 if (is_ip == 0 && !gssapi && (ldap_in_nss_switch((char *)"hosts") > 0 || 2116 ldap_in_nss_switch((char *)"ipnodes") > 0)) { 2117 addr = strdup(serverAddr); 2118 if (addr == NULL) 2119 return (NS_LDAP_MEMORY); 2120 svraddr[0] = '\0'; 2121 if (cvt_hostname2ip(addr, svraddr, sizeof (svraddr), 2122 errstr, MAXERROR) == 1) { 2123 serverAddr = svraddr; 2124 free(addr); 2125 } else { 2126 free(addr); 2127 MKERROR(LOG_WARNING, *errorp, LDAP_CONNECT_ERROR, 2128 strdup(errstr), NS_LDAP_MEMORY); 2129 return (NS_LDAP_INTERNAL); 2130 } 2131 } 2132 2133 /* Warning message IF cannot connect to host(s) */ 2134 if ((*ldp = ldap_init((char *)serverAddr, port)) == NULL) { 2135 char *p = strerror(errno); 2136 MKERROR(LOG_WARNING, *errorp, LDAP_CONNECT_ERROR, 2137 strdup(p), NS_LDAP_MEMORY); 2138 return (NS_LDAP_INTERNAL); 2139 } 2140 2141 return (NS_LDAP_SUCCESS); 2142 } 2143 2144 /* 2145 * This finction initializes an LDAP session. 2146 * 2147 * INPUT: 2148 * auth - a structure specified an authenticastion method and credentials, 2149 * serverAddr - the address of a server to which a connection 2150 * will be established, 2151 * port - a port being listened by the server, 2152 * timeoutMilliSec - a timeout in milliseconds for the Bind operation. 2153 * 2154 * OUTPUT: 2155 * ldp - a pointer to an LDAP structure which will be used 2156 * for all the subsequent operations against the server. 2157 * If an error accures, the function returns an NS error code 2158 * and provides an additional info pointed by *errorp. 2159 */ 2160 static 2161 ns_ldap_return_code 2162 createSession(const ns_cred_t *auth, const char *serverAddr, 2163 uint16_t port, int timeoutMilliSec, 2164 LDAP **ldp, ns_ldap_error_t **errorp) 2165 { 2166 int useSSL = 0, gssapi = 0; 2167 char errstr[MAXERROR]; 2168 2169 switch (auth->auth.type) { 2170 case NS_LDAP_AUTH_NONE: 2171 case NS_LDAP_AUTH_SIMPLE: 2172 case NS_LDAP_AUTH_SASL: 2173 break; 2174 case NS_LDAP_AUTH_TLS: 2175 useSSL = 1; 2176 break; 2177 default: 2178 (void) sprintf(errstr, 2179 gettext("openConnection: unsupported " 2180 "authentication method (%d)"), auth->auth.type); 2181 MKERROR(LOG_WARNING, *errorp, 2182 LDAP_AUTH_METHOD_NOT_SUPPORTED, strdup(errstr), 2183 NS_LDAP_MEMORY); 2184 return (NS_LDAP_INTERNAL); 2185 } 2186 2187 if (port == USE_DEFAULT_PORT) { 2188 port = useSSL ? LDAPS_PORT : LDAP_PORT; 2189 } 2190 2191 if (auth->auth.type == NS_LDAP_AUTH_SASL && 2192 auth->auth.saslmech == NS_LDAP_SASL_GSSAPI) 2193 gssapi = 1; 2194 2195 if (useSSL) 2196 return (createTLSSession(auth, serverAddr, port, 2197 timeoutMilliSec, ldp, errorp)); 2198 else 2199 return (createNonTLSSession(serverAddr, port, gssapi, 2200 ldp, errorp)); 2201 } 2202 2203 /* 2204 * This finction performs a non-SASL bind operation. If an error accures, 2205 * the function returns an NS error code and provides an additional info 2206 * pointed by *errorp. 2207 */ 2208 static 2209 ns_ldap_return_code 2210 doSimpleBind(const ns_cred_t *auth, 2211 LDAP *ld, 2212 int timeoutSec, 2213 ns_ldap_error_t **errorp, 2214 int fail_if_new_pwd_reqd, 2215 int passwd_mgmt) 2216 { 2217 char *binddn, *passwd, errstr[MAXERROR], *errmsg; 2218 int msgId, errnum = 0, ldap_rc; 2219 ns_ldap_return_code ret_code; 2220 LDAPMessage *resultMsg = NULL; 2221 LDAPControl **controls; 2222 struct timeval tv; 2223 2224 binddn = auth->cred.unix_cred.userID; 2225 passwd = auth->cred.unix_cred.passwd; 2226 if (passwd == NULL || *passwd == '\0' || 2227 binddn == NULL || *binddn == '\0') { 2228 (void) sprintf(errstr, gettext("openConnection: " 2229 "missing credentials for Simple bind")); 2230 MKERROR(LOG_WARNING, *errorp, LDAP_INVALID_CREDENTIALS, 2231 strdup(errstr), NS_LDAP_MEMORY); 2232 (void) ldap_unbind(ld); 2233 return (NS_LDAP_INTERNAL); 2234 } 2235 2236 #ifdef DEBUG 2237 (void) fprintf(stderr, "tid= %d: +++Simple bind\n", 2238 thr_self()); 2239 #endif /* DEBUG */ 2240 msgId = ldap_simple_bind(ld, binddn, passwd); 2241 2242 if (msgId == -1) { 2243 (void) ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, 2244 (void *)&errnum); 2245 (void) snprintf(errstr, sizeof (errstr), 2246 gettext("openConnection: simple bind failed " 2247 "- %s"), ldap_err2string(errnum)); 2248 (void) ldap_unbind(ld); 2249 MKERROR(LOG_WARNING, *errorp, errnum, strdup(errstr), 2250 NS_LDAP_MEMORY); 2251 return (NS_LDAP_INTERNAL); 2252 } 2253 2254 tv.tv_sec = timeoutSec; 2255 tv.tv_usec = 0; 2256 ldap_rc = ldap_result(ld, msgId, 0, &tv, &resultMsg); 2257 2258 if ((ldap_rc == -1) || (ldap_rc == 0)) { 2259 (void) ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, 2260 (void *)&errnum); 2261 (void) snprintf(errstr, sizeof (errstr), 2262 gettext("openConnection: simple bind failed " 2263 "- %s"), ldap_err2string(errnum)); 2264 (void) ldap_msgfree(resultMsg); 2265 (void) ldap_unbind(ld); 2266 MKERROR(LOG_WARNING, *errorp, errnum, strdup(errstr), 2267 NS_LDAP_MEMORY); 2268 return (NS_LDAP_INTERNAL); 2269 } 2270 2271 /* 2272 * get ldaprc, controls, and error msg 2273 */ 2274 ldap_rc = ldap_parse_result(ld, resultMsg, &errnum, NULL, 2275 &errmsg, NULL, &controls, 1); 2276 2277 if (ldap_rc != LDAP_SUCCESS) { 2278 (void) snprintf(errstr, sizeof (errstr), 2279 gettext("openConnection: simple bind failed " 2280 "- unable to parse result")); 2281 (void) ldap_unbind(ld); 2282 MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, 2283 strdup(errstr), NS_LDAP_MEMORY); 2284 return (NS_LDAP_INTERNAL); 2285 } 2286 2287 /* process the password management info, if any */ 2288 ret_code = process_pwd_mgmt("simple", 2289 errnum, controls, errmsg, 2290 errorp, 2291 fail_if_new_pwd_reqd, 2292 passwd_mgmt); 2293 2294 if (ret_code == NS_LDAP_INTERNAL) { 2295 (void) ldap_unbind(ld); 2296 } 2297 2298 return (ret_code); 2299 } 2300 2301 /* 2302 * This finction performs a SASL bind operation. If an error accures, 2303 * the function returns an NS error code and provides an additional info 2304 * pointed by *errorp. 2305 */ 2306 static 2307 ns_ldap_return_code 2308 doSASLBind(const ns_cred_t *auth, 2309 LDAP *ld, 2310 int timeoutSec, 2311 ns_ldap_error_t **errorp, 2312 int fail_if_new_pwd_reqd, 2313 int passwd_mgmt) 2314 { 2315 char *binddn, *passwd, *digest_md5_name, 2316 errstr[MAXERROR], *errmsg; 2317 struct berval cred; 2318 int ldap_rc, errnum = 0; 2319 ns_ldap_return_code ret_code; 2320 struct timeval tv; 2321 LDAPMessage *resultMsg; 2322 LDAPControl **controls; 2323 int min_ssf = MIN_SASL_SSF, max_ssf = MAX_SASL_SSF; 2324 ns_sasl_cb_param_t sasl_param; 2325 2326 if (auth->auth.saslopt != NS_LDAP_SASLOPT_NONE && 2327 auth->auth.saslmech != NS_LDAP_SASL_GSSAPI) { 2328 (void) sprintf(errstr, 2329 gettext("openConnection: SASL options are " 2330 "not supported (%d) for non-GSSAPI sasl bind"), 2331 auth->auth.saslopt); 2332 MKERROR(LOG_WARNING, *errorp, 2333 LDAP_AUTH_METHOD_NOT_SUPPORTED, 2334 strdup(errstr), NS_LDAP_MEMORY); 2335 (void) ldap_unbind(ld); 2336 return (NS_LDAP_INTERNAL); 2337 } 2338 if (auth->auth.saslmech != NS_LDAP_SASL_GSSAPI) { 2339 binddn = auth->cred.unix_cred.userID; 2340 passwd = auth->cred.unix_cred.passwd; 2341 if (passwd == NULL || *passwd == '\0' || 2342 binddn == NULL || *binddn == '\0') { 2343 (void) sprintf(errstr, 2344 gettext("openConnection: missing credentials " 2345 "for SASL bind")); 2346 MKERROR(LOG_WARNING, *errorp, 2347 LDAP_INVALID_CREDENTIALS, 2348 strdup(errstr), NS_LDAP_MEMORY); 2349 (void) ldap_unbind(ld); 2350 return (NS_LDAP_INTERNAL); 2351 } 2352 cred.bv_val = passwd; 2353 cred.bv_len = strlen(passwd); 2354 } 2355 2356 ret_code = NS_LDAP_SUCCESS; 2357 2358 switch (auth->auth.saslmech) { 2359 case NS_LDAP_SASL_CRAM_MD5: 2360 /* 2361 * NOTE: if iDS changes to support cram_md5, 2362 * please add password management code here. 2363 * Since ldap_sasl_cram_md5_bind_s does not 2364 * return anything that could be used to 2365 * extract the ldap rc/errmsg/control to 2366 * determine if bind failed due to password 2367 * policy, a new cram_md5_bind API will need 2368 * to be introduced. See 2369 * ldap_x_sasl_digest_md5_bind() and case 2370 * NS_LDAP_SASL_DIGEST_MD5 below for details. 2371 */ 2372 if ((ldap_rc = ldap_sasl_cram_md5_bind_s(ld, binddn, 2373 &cred, NULL, NULL)) != LDAP_SUCCESS) { 2374 (void) ldap_get_option(ld, 2375 LDAP_OPT_ERROR_NUMBER, (void *)&errnum); 2376 (void) snprintf(errstr, sizeof (errstr), 2377 gettext("openConnection: " 2378 "sasl/CRAM-MD5 bind failed - %s"), 2379 ldap_err2string(errnum)); 2380 MKERROR(LOG_WARNING, *errorp, errnum, 2381 strdup(errstr), NS_LDAP_MEMORY); 2382 (void) ldap_unbind(ld); 2383 return (NS_LDAP_INTERNAL); 2384 } 2385 break; 2386 case NS_LDAP_SASL_DIGEST_MD5: 2387 digest_md5_name = malloc(strlen(binddn) + 5); 2388 /* 5 = strlen("dn: ") + 1 */ 2389 if (digest_md5_name == NULL) { 2390 (void) ldap_unbind(ld); 2391 return (NS_LDAP_MEMORY); 2392 } 2393 (void) strcpy(digest_md5_name, "dn: "); 2394 (void) strcat(digest_md5_name, binddn); 2395 2396 tv.tv_sec = timeoutSec; 2397 tv.tv_usec = 0; 2398 ldap_rc = ldap_x_sasl_digest_md5_bind(ld, 2399 digest_md5_name, &cred, NULL, NULL, 2400 &tv, &resultMsg); 2401 2402 if (resultMsg == NULL) { 2403 free(digest_md5_name); 2404 (void) ldap_get_option(ld, 2405 LDAP_OPT_ERROR_NUMBER, (void *)&errnum); 2406 (void) snprintf(errstr, sizeof (errstr), 2407 gettext("openConnection: " 2408 "DIGEST-MD5 bind failed - %s"), 2409 ldap_err2string(errnum)); 2410 (void) ldap_unbind(ld); 2411 MKERROR(LOG_WARNING, *errorp, errnum, 2412 strdup(errstr), NS_LDAP_MEMORY); 2413 return (NS_LDAP_INTERNAL); 2414 } 2415 2416 /* 2417 * get ldaprc, controls, and error msg 2418 */ 2419 ldap_rc = ldap_parse_result(ld, resultMsg, &errnum, NULL, 2420 &errmsg, NULL, &controls, 1); 2421 2422 if (ldap_rc != LDAP_SUCCESS) { 2423 free(digest_md5_name); 2424 (void) snprintf(errstr, sizeof (errstr), 2425 gettext("openConnection: " 2426 "DIGEST-MD5 bind failed " 2427 "- unable to parse result")); 2428 (void) ldap_unbind(ld); 2429 MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, 2430 strdup(errstr), NS_LDAP_MEMORY); 2431 return (NS_LDAP_INTERNAL); 2432 } 2433 2434 /* process the password management info, if any */ 2435 ret_code = process_pwd_mgmt("sasl/DIGEST-MD5", 2436 errnum, controls, errmsg, 2437 errorp, 2438 fail_if_new_pwd_reqd, 2439 passwd_mgmt); 2440 2441 if (ret_code == NS_LDAP_INTERNAL) { 2442 (void) ldap_unbind(ld); 2443 } 2444 2445 free(digest_md5_name); 2446 break; 2447 case NS_LDAP_SASL_GSSAPI: 2448 if (sasl_gssapi_inited == 0) { 2449 ret_code = __s_api_sasl_gssapi_init(); 2450 if (ret_code != NS_LDAP_SUCCESS) { 2451 (void) snprintf(errstr, sizeof (errstr), 2452 gettext("openConnection: " 2453 "GSSAPI initialization " 2454 "failed")); 2455 (void) ldap_unbind(ld); 2456 MKERROR(LOG_WARNING, *errorp, ret_code, 2457 strdup(errstr), NS_LDAP_MEMORY); 2458 return (ret_code); 2459 } 2460 } 2461 (void) memset(&sasl_param, 0, 2462 sizeof (ns_sasl_cb_param_t)); 2463 sasl_param.authid = NULL; 2464 sasl_param.authzid = ""; 2465 (void) ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MIN, 2466 (void *)&min_ssf); 2467 (void) ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, 2468 (void *)&max_ssf); 2469 2470 ldap_rc = ldap_sasl_interactive_bind_s( 2471 ld, NULL, "GSSAPI", 2472 NULL, NULL, LDAP_SASL_INTERACTIVE, 2473 __s_api_sasl_bind_callback, 2474 &sasl_param); 2475 2476 if (ldap_rc != LDAP_SUCCESS) { 2477 (void) snprintf(errstr, sizeof (errstr), 2478 gettext("openConnection: " 2479 "GSSAPI bind failed " 2480 "- %d %s"), 2481 ldap_rc, 2482 ldap_err2string(ldap_rc)); 2483 (void) ldap_unbind(ld); 2484 MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, 2485 strdup(errstr), NS_LDAP_MEMORY); 2486 return (NS_LDAP_INTERNAL); 2487 } 2488 2489 break; 2490 default: 2491 (void) ldap_unbind(ld); 2492 (void) sprintf(errstr, 2493 gettext("openConnection: unsupported SASL " 2494 "mechanism (%d)"), auth->auth.saslmech); 2495 MKERROR(LOG_WARNING, *errorp, 2496 LDAP_AUTH_METHOD_NOT_SUPPORTED, strdup(errstr), 2497 NS_LDAP_MEMORY); 2498 return (NS_LDAP_INTERNAL); 2499 } 2500 2501 return (ret_code); 2502 } 2503 2504 /* 2505 * This function performs an LDAP Bind operation proceeding 2506 * from a type of the connection specified by auth->auth.type. 2507 * 2508 * INPUT: 2509 * auth - a structure specified an authenticastion method and credentials, 2510 * ld - a pointer returned by the createSession() function, 2511 * timeoutSec - a timeout in seconds for the Bind operation, 2512 * fail_if_new_pwd_reqd - a flag indicating that the call should fail 2513 * if a new password is required, 2514 * passwd_mgmt - a flag indicating that the server supports 2515 * password management. 2516 * 2517 * OUTPUT: 2518 * If an error accures, the function returns an NS error code 2519 * and provides an additional info pointed by *errorp. 2520 */ 2521 static 2522 ns_ldap_return_code 2523 performBind(const ns_cred_t *auth, 2524 LDAP *ld, 2525 int timeoutSec, 2526 ns_ldap_error_t **errorp, 2527 int fail_if_new_pwd_reqd, 2528 int passwd_mgmt) 2529 { 2530 int bindType; 2531 char errstr[MAXERROR]; 2532 2533 ns_ldap_return_code (*binder)(const ns_cred_t *auth, 2534 LDAP *ld, 2535 int timeoutSec, 2536 ns_ldap_error_t **errorp, 2537 int fail_if_new_pwd_reqd, 2538 int passwd_mgmt) = NULL; 2539 2540 if (!ld) { 2541 (void) sprintf(errstr, 2542 "performBind: LDAP session " 2543 "is not initialized."); 2544 MKERROR(LOG_WARNING, *errorp, 2545 LDAP_AUTH_METHOD_NOT_SUPPORTED, 2546 strdup(errstr), NS_LDAP_MEMORY); 2547 return (NS_LDAP_INTERNAL); 2548 } 2549 2550 bindType = auth->auth.type == NS_LDAP_AUTH_TLS ? 2551 auth->auth.tlstype : auth->auth.type; 2552 2553 switch (bindType) { 2554 case NS_LDAP_AUTH_NONE: 2555 #ifdef DEBUG 2556 (void) fprintf(stderr, "tid= %d: +++Anonymous bind\n", 2557 thr_self()); 2558 #endif /* DEBUG */ 2559 break; 2560 case NS_LDAP_AUTH_SIMPLE: 2561 binder = doSimpleBind; 2562 break; 2563 case NS_LDAP_AUTH_SASL: 2564 binder = doSASLBind; 2565 break; 2566 default: 2567 (void) sprintf(errstr, 2568 gettext("openConnection: unsupported " 2569 "authentication method " 2570 "(%d)"), bindType); 2571 MKERROR(LOG_WARNING, *errorp, 2572 LDAP_AUTH_METHOD_NOT_SUPPORTED, 2573 strdup(errstr), NS_LDAP_MEMORY); 2574 (void) ldap_unbind(ld); 2575 return (NS_LDAP_INTERNAL); 2576 } 2577 2578 if (binder != NULL) { 2579 return (*binder)(auth, 2580 ld, 2581 timeoutSec, 2582 errorp, 2583 fail_if_new_pwd_reqd, 2584 passwd_mgmt); 2585 } 2586 2587 return (NS_LDAP_SUCCESS); 2588 } 2589