ns_connect.c revision e8ac3ceaf23133941343ca5905fae80698f6f238
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2005 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <synch.h>
#include <time.h>
#include <libintl.h>
#include <thread.h>
#include <syslog.h>
#include <nsswitch.h>
#include <nss_dbdefs.h>
#include "solaris-priv.h"
#include "ns_sldap.h"
#include "ns_internal.h"
#include "ns_cache_door.h"
#include <fcntl.h>
#include <procfs.h>
#include <unistd.h>
extern unsigned int _sleep(unsigned int);
LDAPControl **, LDAPControl **);
int, ns_ldap_error_t **, int, int);
static int sessionPoolSize = 0;
static int nscdChecked = 0;
static int isNscd = 0;
/*
* If it is, treat connection as NS_LDAP_KEEP_CONN, to reduce
* constant reconnects for many operations.
* A more complete solution is to develop true connection pooling.
* However, this is much better than a new connection for every request.
*/
static int
{
int ret;
int fd;
/* Don't bother checking if this process isn't root. */
/* It can't be nscd */
if (getuid() != 0)
return (0);
return (isNscd);
}
(void) mutex_lock(&nscdLock);
(void) mutex_unlock(&nscdLock);
return (isNscd);
}
nscdChecked = 1;
checkedPid = my_pid;
isNscd = 0;
/* process runs as root and is named nscd */
/* that's good enough for now */
isNscd = 1;
}
}
}
(void) mutex_unlock(&nscdLock);
return (isNscd);
}
/*
* This function requests a server from the cache manager through
* the door functionality
*/
static int
{
union {
char s_b[DOORBUFFERSIZE];
} space;
int ndata;
int adata;
const char *ireq;
char *dptr;
char **servers;
int rc;
return (NS_LDAP_OP_FAILED);
}
ireq = NS_CACHE_NEW;
else
}
}
case SUCCESS:
break;
/* this case is for when the $mgr is not running, but ldapclient */
/* is trying to initialize things */
case NOSERVER:
/* get first server from config list unavailable otherwise */
if (rc != NS_LDAP_SUCCESS) {
}
return (rc);
}
gettext("No server found in configuration"));
return (NS_LDAP_CONFIG);
}
return (NS_LDAP_MEMORY);
}
return (NS_LDAP_SUCCESS);
case NOTFOUND:
default:
return (NS_LDAP_OP_FAILED);
}
/* copy info from door call return structure here */
/* Get the host */
"ldap_cachemgr"));
return (NS_LDAP_OP_FAILED);
}
return (NS_LDAP_MEMORY);
}
mcnt = 0;
ccnt = 0;
for (; ; ) {
break;
_SASLMECHANISM_LEN) == 0) {
continue;
dptr++;
sizeof (char *) * (mcnt+2));
}
return (NS_LDAP_MEMORY);
}
}
return (NS_LDAP_MEMORY);
}
mcnt++;
}
_SUPPORTEDCONTROL_LEN) == 0) {
continue;
dptr++;
sizeof (char *) * (ccnt+2));
}
return (NS_LDAP_MEMORY);
}
}
return (NS_LDAP_MEMORY);
}
ccnt++;
}
}
}
}
/* clean up door call */
}
return (NS_LDAP_SUCCESS);
}
#ifdef DEBUG
/*
* printCred(): prints the credential structure
*/
static void
{
return;
}
return;
}
if (cred->hostcertpath)
}
/*
* printConnection(): prints the connection structure
*/
static void
{
return;
if (con->serverAddr) {
}
}
#endif /* DEBUG */
/*
* addConnection(): inserts a connection in the connection list.
* It will also sets use bit and the thread Id for the thread
* using the connection for the first time.
* Returns: -1 = failure, new Connection ID = success
*/
static int
{
int i;
if (!con)
return (-1);
#ifdef DEBUG
#endif /* DEBUG */
(void) mutex_lock(&sessionPoolLock);
if (sessionPool == NULL) {
sizeof (struct connection **));
if (!sessionPool) {
(void) mutex_unlock(&sessionPoolLock);
return (-1);
}
#ifdef DEBUG
#endif /* DEBUG */
}
;
if (i == sessionPoolSize) {
/* run out of array, need to increase sessionPool */
Connection **cl;
sizeof (Connection *));
if (!cl) {
(void) mutex_unlock(&sessionPoolLock);
return (-1);
}
SESSION_CACHE_INC * sizeof (struct connection *));
sessionPool = cl;
#ifdef DEBUG
#endif /* DEBUG */
}
sessionPool[i] = con;
(void) mutex_unlock(&sessionPoolLock);
#ifdef DEBUG
#endif /* DEBUG */
return (i + CONID_OFFSET);
}
/*
* See if the specified session matches a currently available
*/
static int
Connection **conp)
{
Connection *cp;
int id;
return (-1);
if (sessionPool == NULL)
return (-1);
return (-1);
(void) mutex_lock(&sessionPoolLock);
(void) mutex_unlock(&sessionPoolLock);
return (-1);
}
/*
* Make sure the connection has the same type of authentication method
*/
(void) mutex_unlock(&sessionPoolLock);
return (-1);
}
(void) mutex_unlock(&sessionPoolLock);
return (-1);
}
/* An existing connection is found but it needs to be reset */
if (flags & NS_LDAP_NEW_CONN) {
(void) mutex_unlock(&sessionPoolLock);
DropConnection(cID, 0);
return (-1);
}
/* found an available connection */
(void) mutex_unlock(&sessionPoolLock);
return (cID);
}
/*
* findConnection(): find an available connection from the list
* that matches the criteria specified in Connection structure.
* If serverAddr is NULL, then find a connection to any server
* as long as it matches the rest of the parameters.
* Returns: -1 = failure, the Connection ID found = success.
*/
static int
{
Connection *cp;
int i;
return (-1);
#ifdef DEBUG
if (serverAddr && *serverAddr)
else
#endif /* DEBUG */
if (sessionPool == NULL)
return (-1);
(void) mutex_lock(&sessionPoolLock);
for (i = 0; i < sessionPoolSize; ++i) {
if (sessionPool[i] == NULL)
continue;
cp = sessionPool[i];
#ifdef DEBUG
#endif /* DEBUG */
(serverAddr && *serverAddr &&
continue;
continue;
/* found an available connection */
(void) mutex_unlock(&sessionPoolLock);
#ifdef DEBUG
#endif /* DEBUG */
return (i + CONID_OFFSET);
}
(void) mutex_unlock(&sessionPoolLock);
return (-1);
}
/*
* Free a Connection structure
*/
static void
{
return;
if (con->serverAddr)
if (con->saslMechanisms) {
}
}
}
/*
* Find a connection matching the passed in criteria. If an open
* connection with that criteria exists use it, otherwise open a
* new connection.
* Success: returns the pointer to the Connection structure
* Failure: returns NULL, error code and message should be in errorp
*/
static int
{
int passwd_mgmt = 0;
return (NS_LDAP_INVALID_PARAM);
/* connection found in cache */
#ifdef DEBUG
#endif /* DEBUG */
return (NS_LDAP_SUCCESS);
}
if (serverAddr) {
gettext("makeConnection: unable to get "
"server information for %s"), serverAddr);
return (NS_LDAP_OP_FAILED);
}
goto create_con;
} else {
return (rc);
}
}
/* No cached connection, create one */
for (; ; ) {
hReq = NS_CACHE_NEW;
else
/* Log the error */
if (*errorp) {
"unable to make LDAP connection, "
"request for a server failed"),
}
if (host)
return (NS_LDAP_OP_FAILED);
}
if (host)
return (NS_LDAP_MEMORY);
}
/* check if server supports password management */
/* make the connection */
/* if success, go to create connection structure */
if (rc == NS_LDAP_SUCCESS ||
rc == NS_LDAP_SUCCESS_WITH_INFO) {
break;
}
/*
* If not able to reach the server, inform the ldap
* cache manager that the server should be removed
* from its server list. Thus, the manager will not
* return this server on the next get-server request
* and will also reduce the server list refresh TTL,
* so that it will find out sooner when the server
* is up again.
*/
if (__s_api_removeServer(host) < 0) {
/*
* Couldn't remove server from
* server list. Log a warning.
*/
"not remove %s from servers list",
host);
}
}
}
/* else, cleanup and go for the next server */
}
if (*errorp) {
/*
* If openConnection() failed due to
* password policy, or invalid credential,
* keep *errorp and exit
*/
return (rc);
} else {
(void) __ns_ldap_freeError(errorp);
}
}
}
/* we have created ld, setup con structure */
if (host)
/*
* If password control attached in **errorp,
* e.g. rc == NS_LDAP_SUCCESS_WITH_INFO,
* free the error structure
*/
if (*errorp) {
(void) __ns_ldap_freeError(errorp);
}
return (NS_LDAP_MEMORY);
}
/*
* If password control attached in **errorp,
* e.g. rc == NS_LDAP_SUCCESS_WITH_INFO,
* free the error structure
*/
if (*errorp) {
(void) __ns_ldap_freeError(errorp);
}
return (NS_LDAP_MEMORY);
}
/*
* If password control attached in **errorp,
* e.g. rc == NS_LDAP_SUCCESS_WITH_INFO,
* free the error structure
*/
if (*errorp) {
(void) __ns_ldap_freeError(errorp);
}
return (NS_LDAP_MEMORY);
}
#ifdef DEBUG
#endif /* DEBUG */
return (exit_rc);
}
/*
* Return the specified connection to the pool. If necessary
* delete the connection.
*/
static void
{
Connection *cp;
int id;
return;
#ifdef DEBUG
#endif /* DEBUG */
if (use_mutex)
(void) mutex_lock(&sessionPoolLock);
/* sanity check before removing */
if (use_mutex)
(void) mutex_unlock(&sessionPoolLock);
return;
}
if (!fini &&
((flag & NS_LDAP_NEW_CONN) == 0) &&
/* release Connection (keep alive) */
if (use_mutex)
(void) mutex_unlock(&sessionPoolLock);
} else {
/* delete Connection (disconnect) */
if (use_mutex)
(void) mutex_unlock(&sessionPoolLock);
}
}
void
{
}
/*
* This routine is called after a bind operation is
* done in openConnection() to process the password
* management information, if any.
*
* Input:
* bind_type: "simple" or "sasl/DIGEST-MD5"
* ldaprc : ldap rc from the ldap bind operation
* controls : controls returned by the server
* errmsg : error message from the server
* fail_if_new_pwd_reqd:
* flag indicating if connection should be open
* when password needs to change immediately
* passwd_mgmt:
* flag indicating if server supports password
*
* Output : ns_ldap_error structure, which may contain
* password status and number of seconds until
* expired
*
* return rc:
* NS_LDAP_EXTERNAL: error, connection should not open
* NS_LDAP_SUCCESS_WITH_INFO: OK to open but password info attached
* NS_LDAP_SUCCESS: OK to open connection
*
*/
static int
int fail_if_new_pwd_reqd,
int passwd_mgmt)
{
int exit_rc;
int sec_until_exp = 0;
/*
* errmsg may be an empty string,
* even if ldaprc is LDAP_SUCCESS,
* free the empty string if that's the case
*/
if (errmsg &&
}
if (ldaprc != LDAP_SUCCESS) {
/*
* try to map ldap rc and error message to
* a password status
*/
if (errmsg) {
if (passwd_mgmt)
}
gettext("openConnection: "
"%s bind failed "
if (pwd_status != NS_PASSWD_GOOD) {
pwd_status, 0, NULL);
} else {
NULL);
}
if (controls)
return (NS_LDAP_INTERNAL);
}
/*
* ldaprc is LDAP_SUCCESS,
* process the password management controls, if any
*/
if (controls && passwd_mgmt) {
/*
* The control with the OID
* 2.16.840.1.113730.3.4.4 (or
* LDAP_CONTROL_PWEXPIRED, as defined
* in the ldap.h header file) is the
* expired password control.
*
* This control is used if the server
* is configured to require users to
* change their passwords when first
* logging in and whenever the
* passwords are reset.
*
* If the user is logging in for the
* first time or if the user's
* password has been reset, the
* server sends this control to
* indicate that the client needs to
* change the password immediately.
*
* At this point, the only operation
* that the client can perform is to
* change the user's password. If the
* client requests any other LDAP
* operation, the server sends back
* an LDAP_UNWILLING_TO_PERFORM
* result code with an expired
* password control.
*
* The control with the OID
* 2.16.840.1.113730.3.4.5 (or
* LDAP_CONTROL_PWEXPIRING, as
* defined in the ldap.h header file)
* is the password expiration warning
* control.
*
* This control is used if the server
* is configured to expire user
* passwords after a certain amount
* of time.
*
* The server sends this control back
* to the client if the client binds
* using a password that will soon
* expire. The ldctl_value field of
* the LDAPControl structure
* specifies the number of seconds
* before the password will expire.
*/
LDAP_CONTROL_PWEXPIRED) == 0) {
/*
* if the caller wants this bind
* to fail, set up the error info.
* If call to this function is
* for searching the LDAP directory,
* e.g., __ns_ldap_list(),
* there's really no sense to
* let a connection open and
* then fail immediately afterward
* on the LDAP search operation with
* the LDAP_UNWILLING_TO_PERFORM rc
*/
if (fail_if_new_pwd_reqd) {
sizeof (errstr),
"openConnection: "
"%s bind "
"failed "
"- password "
"expired. It "
" needs to change "
"immediately!"),
0,
NULL);
} else {
NULL,
0,
NULL);
exit_rc =
}
break;
LDAP_CONTROL_PWEXPIRING) == 0) {
if ((*ctrl)->
ldctl_value.bv_len > 0 &&
(*ctrl)->
NULL,
NULL);
exit_rc =
break;
}
}
}
if (controls)
return (exit_rc);
}
static int
{
enum __nsw_parse_err pserr;
struct __nsw_switchconfig *conf;
struct __nsw_lookup *lkp;
const char *name;
int found = 0;
return (-1);
}
/* check for skip and count other backends */
found = 1;
break;
}
}
return (found);
}
static int
int fail_if_new_pwd_reqd, int passwd_mgmt)
{
char *digest_md5_name;
const char *s;
int ldapVersion = LDAP_VERSION3;
int derefOption = LDAP_DEREF_ALWAYS;
int zero = 0;
int rc;
int errnum = 0;
int msgId;
int useSSL = 0;
char *sslServerAddr;
char *s1;
char *errmsg;
int pwd_rc;
case NS_LDAP_AUTH_NONE:
case NS_LDAP_AUTH_SIMPLE:
case NS_LDAP_AUTH_SASL:
break;
case NS_LDAP_AUTH_TLS:
useSSL = 1;
case NS_LDAP_TLS_NONE:
break;
case NS_LDAP_TLS_SIMPLE:
break;
case NS_LDAP_TLS_SASL:
break;
default:
gettext("openConnection: unsupported "
"TLS authentication method "
return (NS_LDAP_INTERNAL);
}
break;
default:
gettext("openConnection: unsupported "
NULL);
return (NS_LDAP_INTERNAL);
}
if (useSSL) {
const char *hostcertpath;
#ifdef DEBUG
#endif /* DEBUG */
if (hostcertpath == NULL) {
}
if (hostcertpath == NULL)
return (NS_LDAP_MEMORY);
if (alloc_hcp)
gettext("openConnection: failed to initialize "
"TLS security (%s)"),
return (NS_LDAP_INTERNAL);
}
if (alloc_hcp)
/* determine if the host name contains a port number */
if (s == NULL)
s = serverAddr;
s = strchr(s, ':');
if (s != NULL) {
/*
* If we do get a port number, we will try stripping
* it. At present, referrals will always have a
* port number.
*/
if (sslServerAddr == NULL)
return (NS_LDAP_MEMORY);
*s1 = '\0';
gettext("openConnection: cannot use tls with %s. "
"Trying %s"),
} else
sslServerAddr = (char *)serverAddr;
if (sslServerAddr != serverAddr)
gettext("openConnection: failed to connect "
return (NS_LDAP_INTERNAL);
}
} else {
#ifdef DEBUG
#endif /* DEBUG */
/* Warning message IF cannot connect to host(s) */
return (NS_LDAP_INTERNAL);
} else {
/* check and avoid gethostname recursion */
if (ldap_in_hosts_switch() > 0 &&
! __s_api_isipv4((char *)serverAddr) &&
! __s_api_isipv6((char *)serverAddr)) {
/* host: ldap - found, attempt to recover */
"ldap") != 0) {
gettext("openConnection: "
"unrecoverable gethostname "
"recursion detected "
"in /etc/nsswitch.conf"));
(void) ldap_unbind(ld);
return (NS_LDAP_INTERNAL);
}
}
}
}
/*
* set LDAP_OPT_REFERRALS to OFF.
* This library will handle the referral itself
* based on API flags or configuration file
* specification. If this option is not set
* to OFF, libldap will never pass the
* referral info up to this library
*/
/* retry if LDAP I/O was interrupted */
switch (bindType) {
case NS_LDAP_AUTH_NONE:
#ifdef DEBUG
#endif /* DEBUG */
break;
case NS_LDAP_AUTH_SIMPLE:
"missing credentials for Simple bind"));
(void) ldap_unbind(ld);
return (NS_LDAP_INTERNAL);
}
#ifdef DEBUG
#endif /* DEBUG */
if (msgId == -1) {
(void *)&errnum);
gettext("openConnection: simple bind failed "
(void) ldap_unbind(ld);
NULL);
return (NS_LDAP_INTERNAL);
}
(void *)&errnum);
gettext("openConnection: simple bind failed "
(void) ldap_msgfree(resultMsg);
(void) ldap_unbind(ld);
NULL);
return (NS_LDAP_INTERNAL);
}
/*
* get ldaprc, controls, and error msg
*/
if (rc != LDAP_SUCCESS) {
gettext("openConnection: simple bind failed "
"- unable to parse result"));
(void) ldap_unbind(ld);
return (NS_LDAP_INTERNAL);
}
/* process the password management info, if any */
if (pwd_rc == NS_LDAP_INTERNAL) {
(void) ldap_unbind(ld);
return (pwd_rc);
}
if (pwd_rc == NS_LDAP_SUCCESS_WITH_INFO) {
return (pwd_rc);
}
break;
case NS_LDAP_AUTH_SASL:
/* We don't support any sasl options yet */
gettext("openConnection: SASL options are "
(void) ldap_unbind(ld);
return (NS_LDAP_INTERNAL);
}
gettext("openConnection: missing credentials "
"for SASL bind"));
(void) ldap_unbind(ld);
return (NS_LDAP_INTERNAL);
}
case NS_LDAP_SASL_CRAM_MD5:
/*
* NOTE: if iDS changes to support cram_md5,
* please add password management code here.
* Since ldap_sasl_cram_md5_bind_s does not
* return anything that could be used to
* determine if bind failed due to password
* policy, a new cram_md5_bind API will need
* to be introduced. See
* ldap_x_sasl_digest_md5_bind() and case
* NS_LDAP_SASL_DIGEST_MD5 below for details.
*/
(void) ldap_get_option(ld,
LDAP_OPT_ERROR_NUMBER, (void *)&errnum);
gettext("openConnection: "
(void) ldap_unbind(ld);
return (NS_LDAP_INTERNAL);
}
break;
case NS_LDAP_SASL_DIGEST_MD5:
/* 5 = strlen("dn: ") + 1 */
if (digest_md5_name == NULL) {
(void) ldap_unbind(ld);
return (NS_LDAP_MEMORY);
}
(void) ldap_get_option(ld,
LDAP_OPT_ERROR_NUMBER, (void *)&errnum);
gettext("openConnection: "
"DIGEST-MD5 bind failed - %s"),
(void) ldap_unbind(ld);
return (NS_LDAP_INTERNAL);
}
/*
* get ldaprc, controls, and error msg
*/
if (rc != LDAP_SUCCESS) {
gettext("openConnection: "
"DIGEST-MD5 bind failed "
"- unable to parse result"));
(void) ldap_unbind(ld);
return (NS_LDAP_INTERNAL);
}
/* process the password management info, if any */
if (pwd_rc == NS_LDAP_INTERNAL) {
(void) ldap_unbind(ld);
return (pwd_rc);
}
if (pwd_rc == NS_LDAP_SUCCESS_WITH_INFO) {
return (pwd_rc);
}
break;
default:
(void) ldap_unbind(ld);
gettext("openConnection: unsupported SASL "
NULL);
return (NS_LDAP_INTERNAL);
}
}
return (NS_LDAP_SUCCESS);
}
/*
* FUNCTION: __s_api_getDefaultAuth
*
* Constructs a credential for authentication using the config module.
*
* RETURN VALUES:
*
* NS_LDAP_SUCCESS If successful
* NS_LDAP_CONFIG If there are any config errors.
* NS_LDAP_MEMORY Memory errors.
* NS_LDAP_OP_FAILED If there are no more authentication methods so can
* not build a new authp.
* NS_LDAP_INVALID_PARAM This overloaded return value means that some of the
* necessary fields of a cred for a given auth method
* are not provided.
* INPUT:
*
* cLevel Currently requested credential level to be tried
*
* aMethod Currently requested authentication method to be tried
*
* OUTPUT:
*
* authp authentication method to use.
*/
static int
int *cLevel,
{
char *modparamVal = NULL;
int getUid = 0;
int getPasswd = 0;
int getCertpath = 0;
int rc = 0;
#ifdef DEBUG
#endif
/* Require an Auth */
return (NS_LDAP_INVALID_PARAM);
}
/*
* reject self credential levels at this time
*/
return (NS_LDAP_INVALID_PARAM);
return (NS_LDAP_MEMORY);
case NS_LDAP_AUTH_NONE:
return (NS_LDAP_SUCCESS);
case NS_LDAP_AUTH_SIMPLE:
getUid++;
getPasswd++;
break;
case NS_LDAP_AUTH_SASL:
getUid++;
getPasswd++;
} else {
(void) __ns_ldap_freeCred(authp);
return (NS_LDAP_INVALID_PARAM);
}
break;
case NS_LDAP_AUTH_TLS:
getUid++;
getPasswd++;
getCertpath++;
getCertpath++;
} else {
(void) __ns_ldap_freeCred(authp);
return (NS_LDAP_INVALID_PARAM);
}
break;
}
if (getUid) {
(void) __ns_ldap_freeCred(authp);
(void) __ns_ldap_freeError(&errorp);
return (rc);
}
(void) __ns_ldap_freeCred(authp);
return (NS_LDAP_INVALID_PARAM);
}
(void) __ns_ldap_freeParam(¶mVal);
(void) __ns_ldap_freeCred(authp);
return (NS_LDAP_MEMORY);
}
}
if (getPasswd) {
(void) __ns_ldap_freeCred(authp);
(void) __ns_ldap_freeError(&errorp);
return (rc);
}
(void) __ns_ldap_freeCred(authp);
return (NS_LDAP_INVALID_PARAM);
}
(void) __ns_ldap_freeParam(¶mVal);
(void) __ns_ldap_freeCred(authp);
if (modparamVal != NULL)
return (NS_LDAP_INVALID_PARAM);
}
}
if (getCertpath) {
(void) __ns_ldap_freeCred(authp);
(void) __ns_ldap_freeError(&errorp);
return (rc);
}
(void) __ns_ldap_freeCred(authp);
return (NS_LDAP_INVALID_PARAM);
}
(void) __ns_ldap_freeParam(¶mVal);
(void) __ns_ldap_freeCred(authp);
return (NS_LDAP_MEMORY);
}
}
return (NS_LDAP_SUCCESS);
}
/*
* FUNCTION: __s_api_getConnection
*
* Bind to the specified server or one from the server
* list and return the pointer.
*
* This function can rebind or not (NS_LDAP_HARD), it can require a
* credential or bind anonymously
*
* This function follows the DUA configuration schema algorithm
*
* RETURN VALUES:
*
* NS_LDAP_SUCCESS A connection was made successfully.
* NS_LDAP_SUCCESS_WITH_INFO
* A connection was made successfully, but with
* password management info in *errorp
* NS_LDAP_INVALID_PARAM If any invalid arguments were passed to the function.
* NS_LDAP_CONFIG If there are any config errors.
* NS_LDAP_MEMORY Memory errors.
* NS_LDAP_INTERNAL If there was a ldap error.
*
* INPUT:
*
* server Bind to this LDAP server only
* flags If NS_LDAP_HARD is set function will not return until it has
* a connection unless there is a authentication problem.
* If NS_LDAP_NEW_CONN is set the function must force a new
* connection to be created
* If NS_LDAP_KEEP_CONN is set the connection is to be kept open
* auth Credentials for bind. This could be NULL in which case
* a default cred built from the config module is used.
* sessionId cookie that points to a previous session
* fail_if_new_pwd_reqd
* a flag indicating this function should fail if the passwd
* in auth needs to change immediately
*
* OUTPUT:
*
* session pointer to a session with connection information
* errorp Set if there are any INTERNAL, or CONFIG error.
*/
int
const char *server,
const int flags,
int fail_if_new_pwd_reqd)
{
int rc;
int sec = 1;
int version = NS_LDAP_V2;
return (NS_LDAP_INVALID_PARAM);
}
/* if we already have a session id try to reuse connection */
if (*sessionId > 0) {
return (NS_LDAP_SUCCESS);
}
*sessionId = 0;
}
/* get profile version number */
return (rc);
"version"));
return (NS_LDAP_CONFIG);
}
(void) __ns_ldap_freeParam((void ***)¶mVal);
/* Get the bind timeout value */
timeoutSec = **((int **)paramVal);
(void) __ns_ldap_freeParam(¶mVal);
}
if (*errorp)
(void) __ns_ldap_freeError(errorp);
/* Get the authentication method list */
return (rc);
return (NS_LDAP_MEMORY);
return (NS_LDAP_MEMORY);
}
if (version == NS_LDAP_V1)
else {
}
}
/* Get the credential level list */
(void) __ns_ldap_freeParam((void ***)&aMethod);
return (rc);
}
return (NS_LDAP_MEMORY);
return (NS_LDAP_MEMORY);
if (version == NS_LDAP_V1)
*(cLevel[0]) = NS_LDAP_CRED_PROXY;
else
*(cLevel[0]) = NS_LDAP_CRED_ANON;
}
}
/* setup the anon credential for anonymous connection */
for (; ; ) {
/* using specified auth method */
if (rc == NS_LDAP_SUCCESS ||
rc == NS_LDAP_SUCCESS_WITH_INFO) {
break;
}
} else {
/* for every cred level */
if (**cNext == NS_LDAP_CRED_ANON) {
/* make connection anonymously */
if (rc == NS_LDAP_SUCCESS ||
rc ==
goto done;
}
continue;
}
/* for each cred level */
/* make connection and authenticate */
/* with default credentials */
if (rc != NS_LDAP_SUCCESS) {
continue;
}
(void) __ns_ldap_freeCred(&authp);
if (rc == NS_LDAP_SUCCESS ||
rc ==
goto done;
}
}
}
}
if (flags & NS_LDAP_HARD) {
if (sec < LDAPMAXHARDLOOKUPTIME)
sec *= 2;
} else {
break;
}
}
done:
(void) __ns_ldap_freeParam((void ***)&aMethod);
(void) __ns_ldap_freeParam((void ***)&cLevel);
return (rc);
}
#pragma fini(_free_sessionPool)
static void
{
int id;
(void) mutex_lock(&sessionPoolLock);
if (sessionPool != NULL) {
sessionPool = NULL;
sessionPoolSize = 0;
}
(void) mutex_unlock(&sessionPoolLock);
}