sdap_async_connection.c revision ed80a7f8ff76089bdcfae7007dbdef42d05e2cc8
/*
SSSD
Async LDAP Helper routines
Copyright (C) Simo Sorce <ssorce@redhat.com> - 2009
Copyright (C) 2010, rhafer@suse.de, Novell Inc.
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <unistd.h>
#include <fcntl.h>
#include "util/sss_krb5.h"
#include "util/sss_ldap.h"
#include "providers/ldap/sdap_async_private.h"
#include "providers/ldap/ldap_common.h"
{
*val = LDAP_DEREF_NEVER;
*val = LDAP_DEREF_ALWAYS;
} else {
return EINVAL;
}
return EOK;
}
/* ==Connect-to-LDAP-Server=============================================== */
struct sdap_rebind_proc_params {
struct sdap_options *opts;
struct sdap_handle *sh;
bool use_start_tls;
};
struct sdap_connect_state {
struct tevent_context *ev;
struct sdap_options *opts;
struct sdap_handle *sh;
const char *uri;
bool use_start_tls;
int result;
};
struct tevent_context *ev,
struct sdap_options *opts,
const char *uri,
struct sockaddr_storage *sockaddr,
bool use_start_tls)
{
struct tevent_req *req;
struct tevent_req *subreq;
struct sdap_connect_state *state;
int ret;
int timeout;
return NULL;
}
return NULL;
}
sizeof(struct sockaddr_storage),
timeout);
goto fail;
}
return req;
fail:
return req;
}
{
struct tevent_req);
struct sdap_connect_state);
int ver;
int lret;
int optret;
int msgid;
bool ldap_referrals;
const char *ldap_deref;
int ldap_deref_val;
int sd;
bool sasl_nocanon;
return;
}
goto fail;
}
/* If sss_ldap_init_recv() does not return a valid file descriptor we have
* to assume that the connection callback will be called by internally by
* the OpenLDAP client library. */
if (sd != -1) {
goto fail;
}
}
/* Force ldap version to 3 */
ver = LDAP_VERSION3;
if (lret != LDAP_OPT_SUCCESS) {
goto fail;
}
/* TODO: maybe this can be remove when we go async, currently we need it
* to handle EINTR during poll(). */
if (ret != LDAP_OPT_SUCCESS) {
}
/* Set Network Timeout */
if (lret != LDAP_OPT_SUCCESS) {
goto fail;
}
/* Set Default Timeout */
if (lret != LDAP_OPT_SUCCESS) {
goto fail;
}
/* Set Referral chasing */
if (lret != LDAP_OPT_SUCCESS) {
goto fail;
}
if (ldap_referrals) {
struct sdap_rebind_proc_params);
if (rebind_proc_params == NULL) {
goto fail;
}
if (lret != LDAP_SUCCESS) {
goto fail;
}
}
/* Set alias dereferencing */
if (ldap_deref != NULL) {
goto fail;
}
if (lret != LDAP_OPT_SUCCESS) {
goto fail;
}
}
/* Set host name canonicalization for LDAP SASL bind */
if (lret != LDAP_OPT_SUCCESS) {
goto fail;
}
/* if we do not use start_tls the connection is not really connected yet
* just fake an async procedure and leave connection to the bind call */
if (!state->use_start_tls) {
return;
}
if (lret != LDAP_SUCCESS) {
&errmsg);
if (optret == LDAP_SUCCESS) {
errmsg));
}
else {
"Check for certificate issues.");
}
goto fail;
}
/* FIXME: get timeouts from configuration, for now 5 secs. */
if (ret) {
goto fail;
}
return;
fail:
if (ret) {
} else {
if (lret == LDAP_SERVER_DOWN) {
} else {
}
}
return;
}
{
struct sdap_connect_state);
char *tlserr;
int ret;
int optret;
if (error) {
return;
}
if (ret != LDAP_SUCCESS) {
return;
}
return;
}
/* FIXME: take care that ldap_install_tls might block */
if (ret != LDAP_SUCCESS) {
&tlserr);
if (optret == LDAP_SUCCESS) {
tlserr));
}
else {
"Check for certificate issues.");
}
return;
}
}
struct sdap_handle **sh)
{
struct sdap_connect_state);
if (!*sh) {
return ENOMEM;
}
return EOK;
}
/* ==Simple-Bind========================================================== */
struct simple_bind_state {
struct tevent_context *ev;
struct sdap_handle *sh;
const char *user_dn;
struct sdap_ppolicy_data *ppolicy;
int result;
};
struct tevent_context *ev,
struct sdap_handle *sh,
const char *user_dn,
{
struct tevent_req *req;
struct simple_bind_state *state;
int msgid;
int ldap_err;
return NULL;
}
"Password Policy control.\n"));
goto fail;
}
if (ret != LDAP_OPT_SUCCESS) {
} else {
}
goto fail;
}
}
/* FIXME: get timeouts from configuration, for now 5 secs. */
if (ret) {
goto fail;
}
return req;
fail:
if (ret == LDAP_SERVER_DOWN) {
} else {
}
return req;
}
{
struct simple_bind_state);
int ret;
int c;
if (error) {
return;
}
&response_controls, 0);
if (ret != LDAP_SUCCESS) {
goto done;
}
if (response_controls == NULL) {
} else {
for (c = 0; response_controls[c] != NULL; c++) {
response_controls[c]->ldctl_oid));
LDAP_CONTROL_PASSWORDPOLICYRESPONSE) == 0) {
&pp_error);
if (ret != LDAP_SUCCESS) {
goto done;
}
goto done;
}
if (pp_error == PP_changeAfterReset) {
"User must set a new password.\n"));
} else if (pp_grace > 0) {
"[%d] grace logins remaining.\n", pp_grace));
} else if (pp_expire > 0) {
pp_expire));
}
pp_error == PP_passwordExpired) {
DEBUG(4,
("Password expired user must set a new password.\n"));
}
}
}
}
ret = LDAP_SUCCESS;
done:
if (ret == LDAP_SUCCESS) {
} else {
}
}
int *ldaperr,
struct sdap_ppolicy_data **ppolicy)
{
struct simple_bind_state);
*ldaperr = LDAP_OTHER;
return EOK;
}
/* ==SASL-Bind============================================================ */
struct sasl_bind_state {
struct tevent_context *ev;
struct sdap_handle *sh;
const char *sasl_mech;
const char *sasl_user;
int result;
};
struct tevent_context *ev,
struct sdap_handle *sh,
const char *sasl_mech,
const char *sasl_user,
{
struct tevent_req *req;
struct sasl_bind_state *state;
/* FIXME: Warning, this is a sync call!
* No async variant exist in openldap libraries yet */
(*sdap_sasl_interact), state);
if (ret != LDAP_SUCCESS) {
goto fail;
}
}
return req;
fail:
if (ret == LDAP_SERVER_DOWN) {
} else {
}
return req;
}
{
struct sasl_bind_state);
if (!ld) return LDAP_PARAM_ERROR;
case SASL_CB_GETREALM:
case SASL_CB_USER:
case SASL_CB_PASS:
} else {
}
break;
case SASL_CB_AUTHNAME:
} else {
}
break;
case SASL_CB_NOECHOPROMPT:
case SASL_CB_ECHOPROMPT:
goto fail;
}
in++;
}
return LDAP_SUCCESS;
fail:
return LDAP_UNAVAILABLE;
}
{
struct sasl_bind_state);
enum tevent_req_state tstate;
if (tstate != TEVENT_REQ_IN_PROGRESS) {
*ldaperr = LDAP_OTHER;
return err;
}
}
return EOK;
}
/* ==Perform-Kinit-given-keytab-and-principal============================= */
struct sdap_kinit_state {
const char *keytab;
const char *principal;
const char *realm;
int timeout;
int lifetime;
const char *krb_service_name;
struct tevent_context *ev;
int result;
};
struct tevent_context *ev,
struct sdap_handle *sh,
const char *krb_service_name,
int timeout,
const char *keytab,
const char *principal,
const char *realm,
bool canonicalize,
int lifetime)
{
struct tevent_req *req;
struct tevent_req *subreq;
struct sdap_kinit_state *state;
int ret;
lifetime));
return NULL;
}
if (keytab) {
if (ret == -1) {
return NULL;
}
}
if (canonicalize) {
} else {
}
if (ret == -1) {
return NULL;
}
if (!subreq) {
return NULL;
}
return req;
}
{
struct tevent_req *next_req;
struct sdap_kinit_state);
return NULL;
}
return next_req;
}
{
struct tevent_req);
struct sdap_kinit_state);
struct tevent_req *tgtreq;
int ret;
/* all servers have been tried and none
* was found good, go offline */
return;
}
if (!tgtreq) {
return;
}
}
{
struct tevent_req);
struct sdap_kinit_state);
int ret;
int result;
struct tevent_req *nextreq;
return;
}
if (ret == -1) {
}
return;
} else {
if (kerr == KRB5_KDC_UNREACH) {
if (!nextreq) {
}
return;
}
}
}
enum sdap_result *result,
{
struct sdap_kinit_state);
enum tevent_req_state tstate;
if (tstate != TEVENT_REQ_IN_PROGRESS) {
*result = SDAP_ERROR;
return err;
}
}
return EOK;
}
/* ==Authenticaticate-User-by-DN========================================== */
struct sdap_auth_state {
const char *user_dn;
struct sdap_ppolicy_data *ppolicy;
int result;
bool is_sasl;
};
const char *authtok_type,
struct dp_opt_blob authtok,
/* TODO: handle sasl_cred */
struct tevent_context *ev,
struct sdap_handle *sh,
const char *sasl_mech,
const char *sasl_user,
const char *user_dn,
const char *authtok_type,
struct dp_opt_blob authtok)
{
struct sdap_auth_state *state;
int ret;
"crypto library compiled with, authentication "
"might fail!\n"));
} else {
}
}
if (sasl_mech) {
if (!subreq) {
}
} else {
if (!subreq) {
}
}
return req;
}
const char *authtok_type,
struct dp_opt_blob authtok,
{
if (!authtok_type) return EOK;
} else {
authtok_type));
return EINVAL;
}
return EOK;
}
{
struct tevent_req);
struct sdap_auth_state);
int ret;
} else {
}
return;
}
}
enum sdap_result *result,
struct sdap_ppolicy_data **ppolicy)
{
struct sdap_auth_state);
*result = SDAP_ERROR;
}
case LDAP_SUCCESS:
break;
case LDAP_INVALID_CREDENTIALS:
break;
break;
default:
break;
}
return EOK;
}
/* ==Client connect============================================ */
struct sdap_cli_connect_state {
struct tevent_context *ev;
struct sdap_options *opts;
struct sdap_service *service;
bool use_rootdse;
struct sdap_handle *sh;
struct sdap_server_opts *srv_opts;
};
struct tevent_context *ev,
struct sdap_options *opts,
struct sdap_service *service,
bool skip_rootdse)
{
struct sdap_cli_connect_state *state;
struct tevent_req *req;
int ret;
if (ret) {
}
return req;
}
{
struct sdap_cli_connect_state);
struct tevent_req *subreq;
/* Before stepping to next server destroy any connection from previous attempt */
/* NOTE: this call may cause service->uri to be refreshed
* with a new valid server. Do not use service->uri before */
if (!subreq) {
return ENOMEM;
}
return EOK;
}
{
struct tevent_req);
struct sdap_cli_connect_state);
int ret;
if (ret) {
/* all servers have been tried and none
* was found good, go offline */
return;
}
use_tls = false;
}
use_tls);
if (!subreq) {
return;
}
}
{
struct tevent_req);
struct sdap_cli_connect_state);
const char *sasl_mech;
int ret;
if (ret) {
}
return;
}
return;
}
if (state->use_rootdse) {
/* fetch the rootDSE this time */
return;
}
/* check if server claims to support GSSAPI */
return;
}
}
return;
}
}
}
{
struct sdap_cli_connect_state);
struct tevent_req *subreq;
int ret;
if (!subreq) {
return;
}
/* this rootdse search is performed before we actually do a bind,
* so we need to set up the callbacks or we will never get notified
* of a reply */
if (ret) {
}
}
}
{
struct tevent_req);
struct sdap_cli_connect_state);
struct sysdb_attrs *rootdse;
const char *sasl_mech;
int ret;
if (ret) {
}
return;
}
/* RootDSE was not available on
* the server.
* Continue, and just assume that the
* features requested by the config
* work properly.
*/
state->use_rootdse = false;
}
else {
return;
}
}
if (state->use_rootdse) {
/* save rootdse data about supported features */
if (ret) {
return;
}
if (ret) {
return;
}
}
if (ret) {
return;
}
/* check if server claims to support GSSAPI */
return;
}
}
return;
}
}
}
{
struct sdap_cli_connect_state);
struct tevent_req *subreq;
const char *realm;
if (!realm) {
}
if (!subreq) {
return;
}
}
{
struct tevent_req);
struct sdap_cli_connect_state);
enum sdap_result result;
int ret;
if (ret) {
}
return;
}
return;
}
if (result != SDAP_AUTH_SUCCESS) {
return;
}
}
{
struct sdap_cli_connect_state);
struct tevent_req *subreq;
if (!subreq) {
return;
}
}
{
struct tevent_req);
enum sdap_result result;
int ret;
if (ret) {
return;
}
if (result != SDAP_AUTH_SUCCESS) {
return;
}
}
bool *can_retry,
struct sdap_handle **gsh,
struct sdap_server_opts **srv_opts)
{
struct sdap_cli_connect_state);
enum tevent_req_state tstate;
if (can_retry) {
*can_retry = true;
}
/* mark the server as bad if connection failed */
} else {
if (can_retry) {
*can_retry = false;
}
}
if (tstate == TEVENT_REQ_USER_ERROR) {
return err;
}
return EIO;
}
if (gsh) {
if (*gsh) {
talloc_zfree(*gsh);
}
if (!*gsh) {
return ENOMEM;
}
} else {
}
if (srv_opts) {
}
return EOK;
}
{
int lret;
int optret;
int ldaperr;
int msgid;
if (!tmp_ctx) return LDAP_NO_MEMORY;
if (lret != LDAP_SUCCESS) {
if (optret == LDAP_SUCCESS) {
} else {
"Check for certificate issues.");
}
goto done;
}
if (lret != LDAP_RES_EXTENDED) {
goto done;
}
0);
if (lret != LDAP_SUCCESS) {
goto done;
}
if (ldap_tls_inplace(ldap)) {
lret = LDAP_SUCCESS;
goto done;
}
if (lret != LDAP_SUCCESS) {
if (optret == LDAP_SUCCESS) {
} else {
"Check for certificate issues.");
}
goto done;
}
lret = LDAP_SUCCESS;
done:
return lret;
}
{
struct sdap_rebind_proc_params);
const char *sasl_mech;
const char *user_dn;
struct sasl_bind_state *sasl_bind_state;
int ret;
if (p->use_start_tls) {
if (ret != LDAP_SUCCESS) {
return ret;
}
}
return LDAP_NO_MEMORY;
}
"Password Policy control.\n"));
goto done;
}
&password);
goto done;
}
}
if (ret != LDAP_SUCCESS) {
}
} else {
if (sasl_bind_state == NULL) {
goto done;
}
if (ret != LDAP_SUCCESS) {
}
}
done:
return ret;
}