[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Help! bind funny?

"Kurt D. Zeilenga" escribió:
> 
> At 11:58 PM 5/14/00 +0200, Juan Gonzalo de Silva Medina wrote:
> >this is the log for slapd -d 1 -d 4 -d 128
> >
> >All execution is with equelas paramenters (except for password...)
> 
> >------------------------------------------------------------
> >slapd 1.2.10-Release (Thu May 11 17:28:45 CEST 2000)
> >
> >gonzalo@localhost.localdomain:/usr/local/traer/curso/tmp/openldap-1.2.10/servers/slapd
> >ACL: access to dn=.*
> >       by dn=^$$
> >       by dn=.*,O=RACF
> >       by dn=.*
> >
> >slapd starting
> >
> >-----[this is with a invalid password]------------------------
> >do_bind
> >do_bind: version 2 dn (CN=S5540,O=RACF) method 128
> >send_ldap_result 49::(03) CLAVE INVALIDA
> >ber_get_next on fd 7 failed errno 0 (Success)
> >*** got 0 of 0 so far
> >
> >-----[this is with a right password]--------------------------
> >do_bind
> >do_bind: version 2 dn (CN=S5540,O=RACF) method 128
> >send_ldap_result 0::
> >do_bind: bound "CN=S5540,O=RACF" to "CN=S5540,O=RACF"
> >send_ldap_result 0::
> >do_search
> 
> Two send_ldap_result is very bad.  Your backend shouldn't send
> a success in this case.

:-?????

What?

Hummm, 

Well, my code is:

---------------------------------------------------------------
/* bind.c - shell backend bind function */

#include "portable.h"
#include <stdio.h>
#include <ac/socket.h>
#include <ac/string.h>

#include "slap.h"
#include "racf.h"

#define MAX_USUARIO	8
#define MAX_PASSWORD	8

int
racf_back_bind(
    Backend		*be,
    Connection		*conn,
    Operation		*op,
    char		*dn,
    int			method,
    struct berval	*cred,
    char		**edn
)
{
/* Defino y obtengo la extructura donde he guardado la configuración */
struct racf_info	*ri = (struct racf_info *) be->be_private;
int			rc;
int			c,d;
char 			usuario[MAX_USUARIO+1];
char			*dntmp;
char			*p;
int 			ldn;
int			lbs;
int			lq;

*edn = NULL;
 
/* al DN recibido le quito el subfijo de la base de datos */
ldn = strlen(dn);
lbs = strlen(be->be_suffix[0]);
lq = ldn - lbs - 1; /* le quito la coma que deve de venir despues del codigo */
if(lq < 4){ /* son 4 ya que ha de tener al menos cn= (tres caracteres) */
	send_ldap_result(conn, op, LDAP_INVALID_DN_SYNTAX, NULL,
		"(101) Parece faltar el codigo de usuario (\"cn=<codigo>,...\")");
		return ( -1 );
}
dntmp=calloc(1, lq+1);
memcpy(dntmp, dn, lq);
if(dntmp[0]!='C' || dntmp[1]!='N' || dntmp[2]!='='){
	free(dntmp);
	send_ldap_result(conn, op, LDAP_INVALID_DN_SYNTAX, NULL,
		"(102) El formato parece incorrecto... (\"cn=<codigo>,...\")");
	return ( -1 );
}
if(lq > MAX_USUARIO + 3){
	free(dntmp);
	send_ldap_result(conn, op, LDAP_INVALID_DN_SYNTAX, NULL,
		"(103) Codigo de usuario demasiado largo");
	return ( -1 );
}
memcpy(usuario, &dntmp[3], lq - 3);
usuario[lq-3]='\0';
free(dntmp);
if(cred->bv_len > MAX_PASSWORD){
	send_ldap_result(conn, op, LDAP_INVALID_DN_SYNTAX, NULL,
		"(104) Clave demasiado larga");
	return ( -1 );
}

/***** FUNCION DE CONEXION CON RACF *****/
rc = conectar(ri->ri_servidor, ri->ri_puerto, ri->ri_transaccion, usuario, cred->bv_val);
/****************************************/

if(rc == 0) {
	send_ldap_result(conn, op, LDAP_SUCCESS, NULL, NULL);
	return( rc );
}
if(rc == 1) {
	send_ldap_result(conn, op, LDAP_INVALID_CREDENTIALS, NULL,
		"(01) USUARIO INVALIDO");
	return( rc );
}
if(rc == 3) {
	send_ldap_result(conn, op, LDAP_INVALID_CREDENTIALS, NULL,
		"(03) CLAVE INVALIDA");
	return( rc );
}
if(rc == 4) {
	send_ldap_result(conn, op, LDAP_INVALID_CREDENTIALS, NULL,
		"(04) CLAVE EXPIRADA");
	return( rc );
}
if(rc == 5) {
	send_ldap_result(conn, op, LDAP_INVALID_CREDENTIALS, NULL,
		"(05) LA NUEVA CLAVE NO ES VALIDA");
	return( rc );
}
if(rc == 6) {
	send_ldap_result(conn, op, LDAP_INVALID_CREDENTIALS, NULL,
		"(06) USUARIO REBOCADO");
	return( rc );
}
if(rc == 7) {
	send_ldap_result(conn, op, LDAP_INVALID_CREDENTIALS, NULL,
		"(07) NO AUTORIZADO A USAR ESTE TERMINAL");
	return( rc );
}
if(rc == 8) {
	send_ldap_result(conn, op, LDAP_INVALID_CREDENTIALS, NULL,
		"(08) NO AUTORIZADO EN ESTE DIA A ESTA HORA");
	return( rc );
}
if(rc == 9) {
	send_ldap_result(conn, op, LDAP_INVALID_CREDENTIALS, NULL,
		"(09) NO AUTORIZADO A USAR ESTE TERMINAL EN ESTE DIA A ESTA HORA");
	return( rc );
}
if(rc == 10) {
	send_ldap_result(conn, op, LDAP_INVALID_CREDENTIALS, NULL,
		"(10) USUARIO NO AUTORIZADO A USAR LA APLICACION");
	return( rc );
}
if(rc == 30) {
	send_ldap_result(conn, op, LDAP_OPERATIONS_ERROR, NULL,
		"(30) SERVIDOR DE COMUNICACIONES DESCONOCIDO");
	return( rc );
}
if(rc == 31) {
	send_ldap_result(conn, op, LDAP_OPERATIONS_ERROR, NULL,
		"(31) NO ES POSIBLE CREAR EL SOCKET DE LLAMADA");
	return( rc );
}
if(rc == 32) {
	send_ldap_result(conn, op, LDAP_OPERATIONS_ERROR, NULL,
		"(32) NO HAY CONEXION CON EL SERVIDOR DE COMUNICACIONES");
	return( rc );
}
send_ldap_result( conn, op, LDAP_OPERATIONS_ERROR, NULL,
	"(XX) ERROR EN HOST");
return( rc );
}

-------------------------------------------------------------

rc=conectar(...) is a function for conect to the external site and autenticate the user + password. "conectar" not call to any function of ldap (send_ldap_result or other)...

This is a cut+paste of shell-backend :) (thanks for this).

Only a send_ldap_result is returned and edn is set to NULL (equals to shell-backend)..


> 
> Note that both executions with the right password behave
> as anonymous.  Something is likely a muck with your
> backend bind routine.  In particular, you should look
> at what you return as edn and make sure it's not getting
> clobbered after the call.