diff options
Diffstat (limited to 'src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c')
-rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c | 84 |
1 files changed, 62 insertions, 22 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c index 4b8fcb2..0d86801 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c @@ -162,69 +162,68 @@ cleanup: } -/* Function to check if a LDAP server supports the SASL external mechanism - *Return values: - * 0 => supports - * 1 => does not support - * 2 => don't know +/* + * Interrogate the root DSE (zero length DN) for an attribute + * value assertion. */ -#define ERR_MSG1 "Unable to check if SASL EXTERNAL mechanism is supported by LDAP server. Proceeding anyway ..." -#define ERR_MSG2 "SASL EXTERNAL mechanism not supported by LDAP server. Can't perform certificate-based bind." - -int -has_sasl_external_mech(context, ldap_server) +static int +has_rootdse_ava(context, ldap_server, attribute, value) krb5_context context; char *ldap_server; + char *attribute; + char *value; { int i=0, flag=0, ret=0, retval=0; - char *attrs[]={"supportedSASLMechanisms", NULL}, **values=NULL; + char *attrs[2], **values=NULL; LDAP *ld=NULL; LDAPMessage *msg=NULL, *res=NULL; + struct berval cred; + + attrs[0] = attribute; + attrs[1] = NULL; retval = ldap_initialize(&ld, ldap_server); if (retval != LDAP_SUCCESS) { - krb5_set_error_message(context, 2, "%s", ERR_MSG1); ret = 2; /* Don't know */ goto cleanup; } + cred.bv_val = ""; + cred.bv_len = 0; + /* Anonymous bind */ - retval = ldap_sasl_bind_s(ld, NULL, NULL, NULL, NULL, NULL, NULL); + retval = ldap_sasl_bind_s(ld, "", NULL, &cred, NULL, NULL, NULL); if (retval != LDAP_SUCCESS) { - krb5_set_error_message(context, 2, "%s", ERR_MSG1); ret = 2; /* Don't know */ goto cleanup; } retval = ldap_search_ext_s(ld, "", LDAP_SCOPE_BASE, NULL, attrs, 0, NULL, NULL, NULL, 0, &res); if (retval != LDAP_SUCCESS) { - krb5_set_error_message(context, 2, "%s", ERR_MSG1); ret = 2; /* Don't know */ goto cleanup; } msg = ldap_first_message(ld, res); if (msg == NULL) { - krb5_set_error_message(context, 2, "%s", ERR_MSG1); ret = 2; /* Don't know */ goto cleanup; } - values = ldap_get_values(ld, msg, "supportedSASLMechanisms"); + values = ldap_get_values(ld, msg, attribute); if (values == NULL) { - krb5_set_error_message(context, 1, "%s", ERR_MSG2); ret = 1; /* Not supported */ goto cleanup; } for (i = 0; values[i] != NULL; i++) { - if (strcmp(values[i], "EXTERNAL")) - continue; - flag = 1; + if (strcmp(values[i], value) == 0) { + flag = 1; + break; + } } if (flag != 1) { - krb5_set_error_message(context, 1, "%s", ERR_MSG2); ret = 1; /* Not supported */ goto cleanup; } @@ -243,6 +242,47 @@ cleanup: return ret; } +#define ERR_MSG1 "Unable to check if SASL EXTERNAL mechanism is supported by LDAP server. Proceeding anyway ..." +#define ERR_MSG2 "SASL EXTERNAL mechanism not supported by LDAP server. Can't perform certificate-based bind." + +/* Function to check if a LDAP server supports the SASL external mechanism + *Return values: + * 0 => supports + * 1 => does not support + * 2 => don't know + */ +int +has_sasl_external_mech(context, ldap_server) + krb5_context context; + char *ldap_server; +{ + int ret; + + ret = has_rootdse_ava(context, ldap_server, + "supportedSASLMechanisms", "EXTERNAL"); + switch (ret) { + case 1: /* not supported */ + krb5_set_error_message(context, 1, "%s", ERR_MSG2); + break; + case 2: /* don't know */ + krb5_set_error_message(context, 1, "%s", ERR_MSG1); + break; + default: + break; + } + + return ret; +} + +int +has_modify_increment(context, ldap_server) + krb5_context context; + char *ldap_server; +{ + return has_rootdse_ava(context, ldap_server, + "supportedFeatures", "1.3.6.1.1.14"); +} + void * krb5_ldap_alloc(krb5_context context, void *ptr, size_t size) { return realloc(ptr, size); |