sdap_async_connection.c revision bc76428246c4ce532abd0eadcd539069fc1d94a8
e6d40133bc9f858308654afb1262b8b483ec5922Till Mossakowski Async LDAP Helper routines
98890889ffb2e8f6f722b00e265a211f13b5a861Corneliu-Claudiu Prodescu Copyright (C) Simo Sorce <ssorce@redhat.com> - 2009
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder Copyright (C) 2010, rhafer@suse.de, Novell Inc.
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder This program is free software; you can redistribute it and/or modify
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder it under the terms of the GNU General Public License as published by
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder the Free Software Foundation; either version 3 of the License, or
f3a94a197960e548ecd6520bb768cb0d547457bbChristian Maeder (at your option) any later version.
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder This program is distributed in the hope that it will be useful,
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder but WITHOUT ANY WARRANTY; without even the implied warranty of
109a53dbf4c9233f869f63ba7a7f3fece49973c3Christian Maeder MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
109a53dbf4c9233f869f63ba7a7f3fece49973c3Christian Maeder GNU General Public License for more details.
0a26144c20fa9cdcd05011ca5019cbac8e4afae0cmaeder You should have received a copy of the GNU General Public License
d1c667fd9445963d9d31e2cf5d0ead15e77082a4cmaeder along with this program. If not, see <http://www.gnu.org/licenses/>.
ea5ccb1c6e89486a54e1f4bd95840147e96093edChristian Maeder#include "providers/ldap/sdap_async_private.h"
85e1d54a475bfc30b3eac5ae6c5e42a2d7e93f10Christian Maedererrno_t deref_string_to_val(const char *str, int *val)
109a53dbf4c9233f869f63ba7a7f3fece49973c3Christian Maeder } else if (strcasecmp(str, "searching") == 0) {
109a53dbf4c9233f869f63ba7a7f3fece49973c3Christian Maeder } else if (strcasecmp(str, "finding") == 0) {
109a53dbf4c9233f869f63ba7a7f3fece49973c3Christian Maeder } else if (strcasecmp(str, "always") == 0) {
0130083f314580170af1195037be3325f125fbceChristian Maeder DEBUG(1, ("Illegal deref option [%s].\n", str));
109a53dbf4c9233f869f63ba7a7f3fece49973c3Christian Maeder/* ==Connect-to-LDAP-Server=============================================== */
109a53dbf4c9233f869f63ba7a7f3fece49973c3Christian Maederstatic int sdap_rebind_proc(LDAP *ldap, LDAP_CONST char *url, ber_tag_t request,
b53688bfed888214b485cf76439d57262d80e0a7Christian Maederstatic void sdap_sys_connect_done(struct tevent_req *subreq);
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maederstatic void sdap_connect_done(struct sdap_op *op,
96ae1a1d2197d0e0d5b80da2474b64c456feb1b0Christian Maederstruct tevent_req *sdap_connect_send(TALLOC_CTX *memctx,
4eb859461f8fd904f40f57261cf23e5c73cf8ecaChristian Maeder req = tevent_req_create(memctx, &state, struct sdap_connect_state);
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder state->reply = talloc(state, struct sdap_msg);
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder state->uri = talloc_asprintf(state, "%s", uri);
fefee7e1dee1ee5f0768a03a4abae88d1ca2c3fdRazvan Pascanu state->sh->page_size = dp_opt_get_int(state->opts->basic,
bc263f610d20a9cd3014ddfca903026127fa0d48Christian Maeder timeout = dp_opt_get_int(state->opts->basic, SDAP_NETWORK_TIMEOUT);
8c8545dd3bf34fbcbc16904b65d249658f8f9efcChristian Maeder subreq = sss_ldap_init_send(state, ev, state->uri, sockaddr,
33fcc19ef2b59493b4e91eebf701df95fd230765Christian Maeder DEBUG(1, ("sss_ldap_init_send failed.\n"));
d4ebd9e5adc974cfa2bdf4bdd155e07be0e26f75Christian Maeder tevent_req_set_callback(subreq, sdap_sys_connect_done, req);
ce8a93047aaf0dc36fa221642292d47852a9862aChristian Maederstatic void sdap_sys_connect_done(struct tevent_req *subreq)
9f4902edfa3d477e42343e0ec357a2f93b1119d1Christian Maeder struct tevent_req *req = tevent_req_callback_data(subreq,
9f4902edfa3d477e42343e0ec357a2f93b1119d1Christian Maeder struct sdap_connect_state *state = tevent_req_data(req,
fdac680252d7347858bd67b4c2a2aaa52e623815Christian Maeder ret = sss_ldap_init_recv(subreq, &state->sh->ldap, &sd);
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder DEBUG(1, ("sdap_async_connect_call request failed.\n"));
8a5c05062ef501bf725a86a370a5145a198e81fdKlaus Luettich ret = setup_ldap_connection_callbacks(state->sh, state->ev);
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder DEBUG(1, ("setup_ldap_connection_callbacks failed.\n"));
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder /* If sss_ldap_init_recv() does not return a valid file descriptor we have
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * to assume that the connection callback will be called internally by
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * the OpenLDAP client library. */
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder ret = sdap_call_conn_cb(state->uri, sd, state->sh);
00df6fd583c19393fa141d5a0e21ac74c7bf5b19Christian Maeder /* Force ldap version to 3 */
cb2044812811d66efe038d914966e04290be93faChristian Maeder lret = ldap_set_option(state->sh->ldap, LDAP_OPT_PROTOCOL_VERSION, &ver);
96ae1a1d2197d0e0d5b80da2474b64c456feb1b0Christian Maeder DEBUG(1, ("Failed to set ldap version to 3\n"));
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder /* TODO: maybe this can be remove when we go async, currently we need it
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * to handle EINTR during poll(). */
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder ret = ldap_set_option(state->sh->ldap, LDAP_OPT_RESTART, LDAP_OPT_ON);
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder DEBUG(1, ("Failed to set restart option.\n"));
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder /* Set Network Timeout */
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder tv.tv_sec = dp_opt_get_int(state->opts->basic, SDAP_NETWORK_TIMEOUT);
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder lret = ldap_set_option(state->sh->ldap, LDAP_OPT_NETWORK_TIMEOUT, &tv);
966519955f5f7111abac20118563132b9dd41165Christian Maeder DEBUG(1, ("Failed to set network timeout to %d\n",
bbba6dd86153aacb0f662b182b128df0eb09fd54Christian Maeder dp_opt_get_int(state->opts->basic, SDAP_NETWORK_TIMEOUT)));
8c8545dd3bf34fbcbc16904b65d249658f8f9efcChristian Maeder /* Set Default Timeout */
d27b1887e61f1dc53d77c37f59dbf5019242a686Christian Maeder tv.tv_sec = dp_opt_get_int(state->opts->basic, SDAP_OPT_TIMEOUT);
9f4902edfa3d477e42343e0ec357a2f93b1119d1Christian Maeder lret = ldap_set_option(state->sh->ldap, LDAP_OPT_TIMEOUT, &tv);
d4ebd9e5adc974cfa2bdf4bdd155e07be0e26f75Christian Maeder DEBUG(1, ("Failed to set default timeout to %d\n",
0d79ea4ed8512a802ecb6645edac141e0fbcee3fChristian Maeder dp_opt_get_int(state->opts->basic, SDAP_OPT_TIMEOUT)));
d4ebd9e5adc974cfa2bdf4bdd155e07be0e26f75Christian Maeder /* Set Referral chasing */
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder ldap_referrals = dp_opt_get_bool(state->opts->basic, SDAP_REFERRALS);
b6ff72be73dad3d1394cf2c71e29e67624ff030bChristian Maeder lret = ldap_set_option(state->sh->ldap, LDAP_OPT_REFERRALS,
b6ff72be73dad3d1394cf2c71e29e67624ff030bChristian Maeder (ldap_referrals ? LDAP_OPT_ON : LDAP_OPT_OFF));
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder DEBUG(1, ("Failed to set referral chasing to %s\n",
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder (ldap_referrals ? "LDAP_OPT_ON" : "LDAP_OPT_OFF")));
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder rebind_proc_params = talloc_zero(state->sh,
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder rebind_proc_params->use_start_tls = state->use_start_tls;
2360728d4185c0c04279c999941c64d36626af79Christian Maeder lret = ldap_set_rebind_proc(state->sh->ldap, sdap_rebind_proc,
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder DEBUG(1, ("ldap_set_rebind_proc failed.\n"));
bc263f610d20a9cd3014ddfca903026127fa0d48Christian Maeder /* Set alias dereferencing */
966519955f5f7111abac20118563132b9dd41165Christian Maeder ldap_deref = dp_opt_get_string(state->opts->basic, SDAP_DEREF);
5a448e9be8c4482a978b174b744237757335140fChristian Maeder ret = deref_string_to_val(ldap_deref, &ldap_deref_val);
8c8545dd3bf34fbcbc16904b65d249658f8f9efcChristian Maeder DEBUG(1, ("deref_string_to_val failed.\n"));
9f4902edfa3d477e42343e0ec357a2f93b1119d1Christian Maeder lret = ldap_set_option(state->sh->ldap, LDAP_OPT_DEREF, &ldap_deref_val);
0d79ea4ed8512a802ecb6645edac141e0fbcee3fChristian Maeder DEBUG(1, ("Failed to set deref option to %d\n", ldap_deref_val));
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder /* Set host name canonicalization for LDAP SASL bind */
9f4902edfa3d477e42343e0ec357a2f93b1119d1Christian Maeder sasl_nocanon = !dp_opt_get_bool(state->opts->basic, SDAP_SASL_CANONICALIZE);
9f4902edfa3d477e42343e0ec357a2f93b1119d1Christian Maeder lret = ldap_set_option(state->sh->ldap, LDAP_OPT_X_SASL_NOCANON,
9f4902edfa3d477e42343e0ec357a2f93b1119d1Christian Maeder sasl_nocanon ? LDAP_OPT_ON : LDAP_OPT_OFF);
9f4902edfa3d477e42343e0ec357a2f93b1119d1Christian Maeder /* Do not fail, just warn into both debug logs and syslog */
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder ("Failed to set LDAP SASL nocanon option to %s. If your system "
ce8a93047aaf0dc36fa221642292d47852a9862aChristian Maeder "is configured to use SASL, LDAP operations might fail.\n",
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder "Failed to set LDAP SASL nocanon option to %s. If your system "
0b13f102310e03a20b38c870b5acb88712f316a4Christian Maeder "is configured to use SASL, LDAP operations might fail.\n",
dff1de7ad15d1582e25d636c3724dd202874897fChristian Maeder sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH);
9ee80c455784287a8b5e1b6bac1f8efa6a2f4bb3cmaeder sasl_minssf = (ber_len_t) dp_opt_get_int(state->opts->basic,
9ee80c455784287a8b5e1b6bac1f8efa6a2f4bb3cmaeder lret = ldap_set_option(state->sh->ldap, LDAP_OPT_X_SASL_SSF_MIN,
0b13f102310e03a20b38c870b5acb88712f316a4Christian Maeder ("Failed to set LDAP MIN SSF option to %lu\n", sasl_minssf));
ce8a93047aaf0dc36fa221642292d47852a9862aChristian Maeder /* if we do not use start_tls the connection is not really connected yet
ce8a93047aaf0dc36fa221642292d47852a9862aChristian Maeder * just fake an async procedure and leave connection to the bind call */
ce8a93047aaf0dc36fa221642292d47852a9862aChristian Maeder lret = ldap_start_tls(state->sh->ldap, NULL, NULL, &msgid);
0b13f102310e03a20b38c870b5acb88712f316a4Christian Maeder optret = sss_ldap_get_diagnostic_msg(state, state->sh->ldap,
0b13f102310e03a20b38c870b5acb88712f316a4Christian Maeder DEBUG(3, ("ldap_start_tls failed: [%s] [%s]\n",
8bb80c9684e905de8dcfcfb1291542677e7d77b6Christian Maeder sss_log(SSS_LOG_ERR, "Could not start TLS. %s", errmsg);
8bb80c9684e905de8dcfcfb1291542677e7d77b6Christian Maeder sss_log(SSS_LOG_ERR, "Could not start TLS. "
00df6fd583c19393fa141d5a0e21ac74c7bf5b19Christian Maeder "Check for certificate issues.");
b6ff72be73dad3d1394cf2c71e29e67624ff030bChristian Maeder ret = sdap_set_connected(state->sh, state->ev);
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder /* FIXME: get timeouts from configuration, for now 5 secs. */
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder ret = sdap_op_add(state, state->ev, state->sh, msgid,
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder DEBUG(1, ("Failed to set up operation!\n"));
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maederstatic void sdap_connect_done(struct sdap_op *op,
bbba6dd86153aacb0f662b182b128df0eb09fd54Christian Maeder struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);
16b71dad8d398af412d66a4f4763f1ada5b03d23Christian Maeder struct sdap_connect_state *state = tevent_req_data(req,
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder ret = ldap_parse_result(state->sh->ldap, state->reply->msg,
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder &state->result, NULL, &errmsg, NULL, NULL, 0);
9f4902edfa3d477e42343e0ec357a2f93b1119d1Christian Maeder DEBUG(2, ("ldap_parse_result failed (%d)\n", state->op->msgid));
2360728d4185c0c04279c999941c64d36626af79Christian Maeder DEBUG(3, ("START TLS result: %s(%d), %s\n",
9f4902edfa3d477e42343e0ec357a2f93b1119d1Christian Maeder sss_ldap_err2string(state->result), state->result, errmsg));
2360728d4185c0c04279c999941c64d36626af79Christian Maeder DEBUG(9, ("SSL/TLS handler already in place.\n"));
2360728d4185c0c04279c999941c64d36626af79Christian Maeder/* FIXME: take care that ldap_install_tls might block */
bc263f610d20a9cd3014ddfca903026127fa0d48Christian Maeder optret = sss_ldap_get_diagnostic_msg(state, state->sh->ldap,
2360728d4185c0c04279c999941c64d36626af79Christian Maeder DEBUG(3, ("ldap_install_tls failed: [%s] [%s]\n",
f39b8dd9651dfcc38b06191cda23cacbfc298323Christian Maeder sss_log(SSS_LOG_ERR, "Could not start TLS encryption. %s", tlserr);
2360728d4185c0c04279c999941c64d36626af79Christian Maeder DEBUG(3, ("ldap_install_tls failed: [%s]\n",
2360728d4185c0c04279c999941c64d36626af79Christian Maeder sss_log(SSS_LOG_ERR, "Could not start TLS encryption. "
2360728d4185c0c04279c999941c64d36626af79Christian Maeder "Check for certificate issues.");
2360728d4185c0c04279c999941c64d36626af79Christian Maederint sdap_connect_recv(struct tevent_req *req,
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder struct sdap_connect_state *state = tevent_req_data(req,
91e24fc45834b35f2a3830d72565640251149bf3Christian Maeder/* ==Simple-Bind========================================================== */
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maederstatic void simple_bind_done(struct sdap_op *op,
76d027be764e2ff61bef959efb3ac8f56499e646Christian Maederstatic struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
a68ff26ddb1d300f7e16097edef615f130fcd5ceChristian Maeder req = tevent_req_create(memctx, &state, struct simple_bind_state);
6f70475dddc12732bdbef3e3dd116373e34cd6b9Christian Maeder state->reply = talloc(state, struct sdap_msg);
63da71bfb4226f504944b293fb77177ebcaea7d4Ewaryst Schulz ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
9f85afecbd79b3df5a0bb17bd28cd0b288dc3213Kristina Sojakova if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
a166da43d4e8f9dfa7a2651d033c6bea02627ca6Mihai Codescu DEBUG(1, ("sss_ldap_control_create failed to create "
22b772f8753f0cdb4508ba460356c238de2ee375Jonathan von Schroeder "Password Policy control.\n"));
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder DEBUG(4, ("Executing simple bind as: %s\n", state->user_dn));
8762d0e3d492aba4d1621fb0de685f0be1372864notanartist ret = ldap_sasl_bind(state->sh->ldap, state->user_dn, LDAP_SASL_SIMPLE,
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder DEBUG(1, ("ldap_bind failed (couldn't get ldap error)\n"));
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder DEBUG(8, ("ldap simple bind sent, msgid = %d\n", msgid));
1ebf8299efa3cdb39c73d40d15e1d1a8a2246e68notanartist /* FIXME: get timeouts from configuration, for now 5 secs. */
bbba10ee00dcf6bcbc9f22473b1acd0983b10512notanartist struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);
df87ff823273ae2969e9d29e833845b4c0a9ee77notanartist struct simple_bind_state *state = tevent_req_data(req,
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder lret = ldap_parse_result(state->sh->ldap, state->reply->msg,
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder ("ldap_parse_result failed (%d)\n", state->op->msgid));
024703c9d1326c23e307c0b0d453ed3358e87fe4cmaeder DEBUG(SSSDBG_TRACE_LIBS, ("Server returned no controls.\n"));
53a3042e1da2253fd3f103bfef4deb47fc0bf6a6Ewaryst Schulz for (c = 0; response_controls[c] != NULL; c++) {
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder ("Server returned control [%s].\n",
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder if (strcmp(response_controls[c]->ldctl_oid,
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder lret = ldap_parse_passwordpolicy_control(state->sh->ldap,
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder ("ldap_parse_passwordpolicy_control failed.\n"));
bbba10ee00dcf6bcbc9f22473b1acd0983b10512notanartist DEBUG(7, ("Password Policy Response: expire [%d] grace [%d] "
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder ("Password was reset. "
c30231257d9116b514dce02703a515fe21cd427dTill Mossakowski "User must set a new password.\n"));
427ff3172ae2dfebe3c8fc972735158999997e8aChristian Maeder state->result = LDAP_X_SSSD_PASSWORD_EXPIRED;
3490b73f69b58ab742417b0867d0e2d4a7778cc0Christian Maeder } else if (pp_grace > 0) {
59aa5703ac7f3b99e97cd5926e77088b256c5f40Christian Maeder ("Password expired. "
bbba10ee00dcf6bcbc9f22473b1acd0983b10512notanartist "[%d] grace logins remaining.\n",
bbba10ee00dcf6bcbc9f22473b1acd0983b10512notanartist } else if (pp_expire > 0) {
beff4152e9f0fe90885458d1a1733b183a2a8816Christian Maeder ("Password will expire in [%d] seconds.\n",
78c294da55788b25e175180168371c9536a6d440Christian Maeder } else if (state->result == LDAP_INVALID_CREDENTIALS &&
8a5c05062ef501bf725a86a370a5145a198e81fdKlaus Luettich ("Password expired user must set a new password.\n"));
b76d27eba526ecac2a20400fa505ec5c642ae7d2Dominik Luecke state->result = LDAP_X_SSSD_PASSWORD_EXPIRED;
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder } else if (strcmp(response_controls[c]->ldctl_oid,
beff4152e9f0fe90885458d1a1733b183a2a8816Christian Maeder ("Password expired user must set a new password.\n"));
7968d3a131e5a684ec1ff0c6d88aae638549153dChristian Maeder state->result = LDAP_X_SSSD_PASSWORD_EXPIRED;
beff4152e9f0fe90885458d1a1733b183a2a8816Christian Maeder } else if (strcmp(response_controls[c]->ldctl_oid,
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder /* ignore controls with suspiciously long values */
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder if (response_controls[c]->ldctl_value.bv_len > 32) {
78c294da55788b25e175180168371c9536a6d440Christian Maeder state->ppolicy = talloc(state, struct sdap_ppolicy_data);
511284753313165e629cedf508752d6818ccc4d2Christian Maeder /* ensure that bv_val is a null-terminated string */
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder state->ppolicy->expire = strtouint32(nval, NULL, 10);
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder ("Could not convert control response to an integer. ",
b6ff72be73dad3d1394cf2c71e29e67624ff030bChristian Maeder ("Password will expire in [%d] seconds.\n",
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder DEBUG(SSSDBG_TRACE_FUNC, ("Bind result: %s(%d), %s\n",
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder sss_ldap_err2string(state->result), state->result,
d1c667fd9445963d9d31e2cf5d0ead15e77082a4cmaeder struct simple_bind_state *state = tevent_req_data(req,
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder/* ==SASL-Bind============================================================ */
f03420e44d8204b2945edaab5c70a84e7c381892Christian Maederstatic int sdap_sasl_interact(LDAP *ld, unsigned flags,
d1c667fd9445963d9d31e2cf5d0ead15e77082a4cmaederstatic struct tevent_req *sasl_bind_send(TALLOC_CTX *memctx,
818b228955ef40dd5a253bd942dd6ab8779ed713Christian Maeder req = tevent_req_create(memctx, &state, struct sasl_bind_state);
9ee80c455784287a8b5e1b6bac1f8efa6a2f4bb3cmaeder DEBUG(4, ("Executing sasl bind mech: %s, user: %s\n",
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder /* FIXME: Warning, this is a sync call!
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maeder * No async variant exists in openldap libraries yet */
dff1de7ad15d1582e25d636c3724dd202874897fChristian Maeder ret = ldap_sasl_interactive_bind_s(state->sh->ldap, NULL,
1f2c732265a1292f0d7c51a4a7ca6be5dd370df6cmaeder ("ldap_sasl_bind failed (%d)[%s]\n",
8d780c893d6df5dab3dcc7d8444b7517f6547f11Christian Maeder optret = sss_ldap_get_diagnostic_msg(state, state->sh->ldap,
bc263f610d20a9cd3014ddfca903026127fa0d48Christian Maeder ("Extended failure message: [%s]\n", diag_msg));
d1c667fd9445963d9d31e2cf5d0ead15e77082a4cmaederstatic int sdap_sasl_interact(LDAP *ld, unsigned flags,
d1c667fd9445963d9d31e2cf5d0ead15e77082a4cmaeder struct sasl_bind_state *state = talloc_get_type(defaults,
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder sasl_interact_t *in = (sasl_interact_t *)interact;
b53688bfed888214b485cf76439d57262d80e0a7Christian Maederstatic int sasl_bind_recv(struct tevent_req *req, int *ldaperr)
9dd71ac51c9a6e72bcb126224f9c64131698b636Christian Maeder struct sasl_bind_state *state = tevent_req_data(req,
0ea2cddb8715a770e646895e16b7b8085f49167cChristian Maeder if (tevent_req_is_error(req, &tstate, &err)) {
7968d3a131e5a684ec1ff0c6d88aae638549153dChristian Maeder/* ==Perform-Kinit-given-keytab-and-principal============================= */
0130083f314580170af1195037be3325f125fbceChristian Maederstatic void sdap_kinit_done(struct tevent_req *subreq);
0130083f314580170af1195037be3325f125fbceChristian Maederstatic struct tevent_req *sdap_kinit_next_kdc(struct tevent_req *req);
0130083f314580170af1195037be3325f125fbceChristian Maederstatic void sdap_kinit_kdc_resolved(struct tevent_req *subreq);
057b3bffc58757a98e8e7c1aeaf5cbbc986b3117Christian Maederstruct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder DEBUG(6, ("Attempting kinit (%s, %s, %s, %d)\n",
daec53c285f692c56db0cefe16061b46ba602cf0Christian Maeder if (lifetime < 0 || lifetime > INT32_MAX) {
daec53c285f692c56db0cefe16061b46ba602cf0Christian Maeder DEBUG(1, ("Ticket lifetime out of range.\n"));
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder req = tevent_req_create(memctx, &state, struct sdap_kinit_state);
0a64bfd28dff15bc93e1f7a86e0a8052e879636dChristian Maeder state->krb_service_name = krb_service_name;
0b13f102310e03a20b38c870b5acb88712f316a4Christian Maeder DEBUG(2, ("Failed to set KRB5_KTNAME to %s\n", keytab));
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder ret = setenv("KRB5_CANONICALIZE", "true", 1);
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder ret = setenv("KRB5_CANONICALIZE", "false", 1);
9308cb2aebeae23f49713896e6d7028b0ac0f83enotanartist DEBUG(2, ("Failed to set KRB5_CANONICALIZE to %s\n",
528539f3d544c24afe14e979fe51f03e50aa6e9cChristian Maederstatic struct tevent_req *sdap_kinit_next_kdc(struct tevent_req *req)
0ae7a79e865d4a6022d705d160530682b3c1f825Christian Maeder struct sdap_kinit_state *state = tevent_req_data(req,
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder DEBUG(7, ("Resolving next KDC for service %s\n", state->krb_service_name));
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder next_req = be_resolve_server_send(state, state->ev,
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maeder DEBUG(1, ("be_resolve_server_send failed.\n"));
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder tevent_req_set_callback(next_req, sdap_kinit_kdc_resolved, req);
2353f65833a3da763392f771223250cd50b8d873Christian Maederstatic void sdap_kinit_kdc_resolved(struct tevent_req *subreq)
12aef5992d3af07dee81a4e02cf4be65a83f28bcChristian Maeder struct tevent_req *req = tevent_req_callback_data(subreq,
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder struct sdap_kinit_state *state = tevent_req_data(req,
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder ret = be_resolve_server_recv(subreq, &state->kdc_srv);
b6ff72be73dad3d1394cf2c71e29e67624ff030bChristian Maeder /* all servers have been tried and none
057b3bffc58757a98e8e7c1aeaf5cbbc986b3117Christian Maeder * was found good, go offline */
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder DEBUG(7, ("KDC resolved, attempting to get TGT...\n"));
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder tgtreq = sdap_get_tgt_send(state, state->ev, state->realm,
96ae1a1d2197d0e0d5b80da2474b64c456feb1b0Christian Maeder tevent_req_set_callback(tgtreq, sdap_kinit_done, req);
96ae1a1d2197d0e0d5b80da2474b64c456feb1b0Christian Maederstatic void sdap_kinit_done(struct tevent_req *subreq)
16b71dad8d398af412d66a4f4763f1ada5b03d23Christian Maeder struct tevent_req *req = tevent_req_callback_data(subreq,
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder struct sdap_kinit_state *state = tevent_req_data(req,
2353f65833a3da763392f771223250cd50b8d873Christian Maeder ret = sdap_get_tgt_recv(subreq, state, &result,
9d6562465b41f17c7967d4e5678f34811d958cb2Christian Maeder /* The child didn't even respond. Perhaps the KDC is too busy,
9d6562465b41f17c7967d4e5678f34811d958cb2Christian Maeder * retry with another KDC */
c5a4c5f506ea34fa527065b4187127a18c6e2418Christian Maeder ("Communication with KDC timed out, trying the next one\n"));
c5a4c5f506ea34fa527065b4187127a18c6e2418Christian Maeder be_fo_set_port_status(state->be, state->kdc_srv, PORT_NOT_WORKING);
cb2044812811d66efe038d914966e04290be93faChristian Maeder /* A severe error while executing the child. Abort the operation. */
0130083f314580170af1195037be3325f125fbceChristian Maeder DEBUG(1, ("child failed (%d [%s])\n", ret, strerror(ret)));
0130083f314580170af1195037be3325f125fbceChristian Maeder DEBUG(2, ("Unable to set env. variable KRB5CCNAME!\n"));
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maeder be_fo_set_port_status(state->be, state->kdc_srv, PORT_NOT_WORKING);
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maeder DEBUG(4, ("Could not get TGT: %d [%s]\n", result, strerror(result)));
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder struct sdap_kinit_state *state = tevent_req_data(req,
8c8545dd3bf34fbcbc16904b65d249658f8f9efcChristian Maeder if (tevent_req_is_error(req, &tstate, &err)) {
b6ff72be73dad3d1394cf2c71e29e67624ff030bChristian Maeder/* ==Authenticate-User-by-DN============================================= */
502483734c83d0bf1eadcc94113d0362f8713784Christian Maederstatic void sdap_auth_done(struct tevent_req *subreq);
502483734c83d0bf1eadcc94113d0362f8713784Christian Maederstatic int sdap_auth_get_authtok(const char *authtok_type,
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder/* TODO: handle sasl_cred */
b53688bfed888214b485cf76439d57262d80e0a7Christian Maederstruct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder req = tevent_req_create(memctx, &state, struct sdap_auth_state);
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder ret = sdap_auth_get_authtok(authtok_type, authtok, &state->pw);
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder DEBUG(1, ("Getting authtok is not supported with the "
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder "crypto library compiled with, authentication "
5941ba0b9a99ac98f78a89a9f3303102657e36ccChristian Maeder "might fail!\n"));
if (sasl_mech) {
if (!subreq) {
if (!subreq) {
return req;
authtok_type));
return EINVAL;
return EOK;
struct tevent_req);
struct sdap_auth_state);
int ret;
struct sdap_auth_state);
case LDAP_SUCCESS:
case LDAP_INVALID_CREDENTIALS:
return EOK;
struct sdap_cli_connect_state {
bool use_rootdse;
bool do_auth;
bool skip_rootdse,
bool skip_auth)
int ret;
if (ret) {
return req;
struct sdap_cli_connect_state);
if (!subreq) {
return ENOMEM;
return EOK;
struct tevent_req);
struct sdap_cli_connect_state);
int ret;
bool use_tls;
case CON_TLS_DFL:
case CON_TLS_ON:
use_tls = true;
case CON_TLS_OFF:
use_tls = false;
if (ret) {
use_tls = false;
use_tls);
if (!subreq) {
struct tevent_req);
struct sdap_cli_connect_state);
const char *sasl_mech;
int ret;
if (ret) {
struct sdap_cli_connect_state);
int ret;
if (!subreq) {
if (ret) {
struct tevent_req);
struct sdap_cli_connect_state);
const char *sasl_mech;
int ret;
if (ret) {
if (ret) {
return ret;
if (ret) {
return ret;
if (ret) {
return ret;
return EOK;
struct sdap_cli_connect_state);
const char *realm;
if (!realm) {
if (!subreq) {
struct tevent_req);
struct sdap_cli_connect_state);
int ret;
struct sdap_cli_connect_state);
int expire_timeout;
if (!subreq) {
struct tevent_req);
struct sdap_cli_connect_state);
int ret;
if (ret) {
if (!subreq) {
struct tevent_req);
struct sdap_cli_connect_state);
if (ret) {
bool *can_retry,
struct sdap_cli_connect_state);
if (can_retry) {
*can_retry = true;
if (can_retry) {
*can_retry = false;
return err;
return EIO;
if (gsh) {
if (*gsh) {
if (!*gsh) {
return ENOMEM;
if (srv_opts) {
return EOK;
int lret;
int optret;
int ldaperr;
int msgid;
char *diag_msg;
goto done;
goto done;
goto done;
goto done;
goto done;
done:
return lret;
struct sdap_rebind_proc_params);
const char *sasl_mech;
const char *user_dn;
int ret;
if (p->use_start_tls) {
return ret;
return LDAP_NO_MEMORY;
goto done;
&password);
goto done;
goto done;
done:
return ret;