Diffstat (limited to 'daemon/ldap.c')
-rw-r--r--daemon/ldap.c65
1 files changed, 25 insertions, 40 deletions
diff --git a/daemon/ldap.c b/daemon/ldap.c
index 1df7651..e3f6a5f 100644
--- a/daemon/ldap.c
+++ b/daemon/ldap.c
@@ -296,7 +296,7 @@ static int validate_ldap_password(const ha_request_t* rq, ldap_context_t* ctx, L
const char* p;
int type;
int res = HA_FALSE;
- int unknown = 0;
+ int foundany = 0;
ASSERT(entry && ld && ctx && clearpw && rq);
@@ -310,6 +310,11 @@ static int validate_ldap_password(const ha_request_t* rq, ldap_context_t* ctx, L
pw = *t;
type = parse_ldap_password(&pw);
+ if(type != LDAP_PW_UNKNOWN)
+ foundany = 1;
+ else
+ continue;
+
switch(type)
{
case LDAP_PW_CLEAR:
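Review bot: The new `else continue;` drops every password value whose scheme parse_ldap_password does not recognize without any trace, and once one compatible value exists the "no compatible passwords" message at the end of the function is no longer emitted either, so an entry carrying an unsupported scheme is invisible to the operator. A debug line on that path keeps the silence from hiding a misconfiguration: `ha_messagex(rq, LOG_DEBUG, "skipping password with unknown scheme for user: %s", user);` before the `continue`. The loop around these lines and the comparison of `p` after the switch are outside this hunk.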
@@ -323,7 +328,7 @@ static int validate_ldap_password(const ha_request_t* rq, ldap_context_t* ctx, L
case LDAP_PW_CRYPT:
/* Not sure if crypt is thread safe */
ha_lock(NULL);
- p = crypt(clearpw, pw);
+ p = (const char*)crypt(clearpw, pw);
ha_unlock(NULL);
break;
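Review bot: crypt() can return NULL (glibc does so, with errno set, when the salt or hash in `pw` is malformed or the method is unsupported), and the added cast on `p = (const char*)crypt(clearpw, pw);` does not protect whatever compares `p` after the switch, which lies outside this hunk and presumably does a string compare. Guard it right after `ha_unlock(NULL);`: `if(!p) { ha_messagex(rq, LOG_WARNING, "crypt failed for user: %s", user); continue; }`. The comment "Not sure if crypt is thread safe" can also be made definite: POSIX crypt() returns a pointer to static storage and is not thread-safe, so the lock is required unless crypt_r is available.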
@@ -331,10 +336,6 @@ static int validate_ldap_password(const ha_request_t* rq, ldap_context_t* ctx, L
p = make_password_sha(rq->buf, clearpw);
break;
- case LDAP_PW_UNKNOWN:
- unknown = 1;
- continue;
-
default:
/* Not reached */
ASSERT(0);
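Review bot: With the LDAP_PW_UNKNOWN arm removed the `default:` arm consists only of `ASSERT(0);`, and `p` is declared without an initializer at the top of the function, so if ASSERT compiles to nothing in release builds the code after the switch (outside this hunk) would read `p` uninitialized should a new enum value ever be added to parse_ldap_password. Make the arm self-contained: `p = NULL;` and `break;` after the ASSERT, so the failure shows up as a mismatch rather than undefined behavior. validate_ldap_password continues beyond this hunk.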
@@ -357,7 +358,7 @@ static int validate_ldap_password(const ha_request_t* rq, ldap_context_t* ctx, L
ldap_value_free(pws);
}
- if(res == HA_FALSE && unknown)
+ if(res == HA_FALSE && !foundany)
ha_messagex(rq, LOG_ERR, "server does not contain any compatible passwords for user: %s", user);
return res;
@@ -596,7 +597,7 @@ static int validate_digest(ha_request_t* rq, const char* user, digest_context_t*
LDAPMessage* results = NULL; /* freed in finally */
LDAPMessage* entry = NULL; /* no need to free */
struct berval** ha1s = NULL; /* freed manually */
- const char** pws;
+ const char** pws = NULL; /* freed in finally */
int ret = HA_FALSE;
const char* dn = NULL;
int r;
@@ -606,10 +607,7 @@ static int validate_digest(ha_request_t* rq, const char* user, digest_context_t*
ld = get_ldap_connection(rq, ctx);
if(!ld)
- {
- ret = HA_FAILED;
- goto finally;
- }
+ RETURN(HA_FAILED);
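Review bot: `if(!ld) RETURN(HA_FAILED);` and the other unbraced call sites in this commit depend on RETURN expanding to a single statement; the macro is not defined in this diff, so if it is written as `ret = (x); goto finally;` without a `do { ... } while (0)` wrapper only the assignment is conditional and every caller falls straight into `finally`. Confirm the definition, or brace these call sites. validate_digest continues outside this hunk.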
/*
* Discover the DN of the user. If there's a DN map string
@@ -621,10 +619,7 @@ static int validate_digest(ha_request_t* rq, const char* user, digest_context_t*
/* The map can have %u and %r to denote user and realm */
dn = bd_substitute(rq, user, ctx->dnmap);
if(!dn)
- {
- ret = HA_FAILED;
- goto finally;
- }
+ RETURN(HA_CRITERROR);
ha_messagex(rq, LOG_INFO, "mapped %s to %s", user, dn);
}
@@ -632,10 +627,7 @@ static int validate_digest(ha_request_t* rq, const char* user, digest_context_t*
/* Okay now we contact the LDAP server. */
r = retrieve_user_entry(rq, ctx, ld, user, &dn, &entry, &results);
if(r != HA_OK)
- {
- ret = r;
- goto finally;
- }
+ RETURN(r);
/* Figure out the users ha1 */
if(ctx->ha1_attr)
@@ -662,11 +654,11 @@ static int validate_digest(ha_request_t* rq, const char* user, digest_context_t*
ret = digest_complete_check(dg, rq->buf);
if(ret != HA_FALSE)
- goto finally;
+ RETURN(ret);
}
else if(r < 0)
- goto finally;
+ RETURN(r);
ha1s++;
}
@@ -691,7 +683,7 @@ static int validate_digest(ha_request_t* rq, const char* user, digest_context_t*
ret = digest_complete_check(dg, rq->buf);
if(ret != HA_FALSE)
- goto finally;
+ RETURN(ret);
}
}
@@ -730,10 +722,7 @@ static int validate_basic(ha_request_t* rq, const char* user, const char* passwo
ld = get_ldap_connection(rq, ctx);
if(!ld)
- {
- ret = HA_FAILED;
- goto finally;
- }
+ RETURN(HA_FAILED);
/*
@@ -746,10 +735,7 @@ static int validate_basic(ha_request_t* rq, const char* user, const char* passwo
/* The map can have %u and %r to denote user and realm */
dn = bd_substitute(rq, user, ctx->dnmap);
if(!dn)
- {
- ret = HA_CRITERROR;
- goto finally;
- }
+ RETURN(HA_CRITERROR);
ha_messagex(rq, LOG_INFO, "mapped %s to %s", user, dn);
}
@@ -774,10 +760,7 @@ static int validate_basic(ha_request_t* rq, const char* user, const char* passwo
{
r = retrieve_user_entry(rq, ctx, ld, user, &dn, &entry, &results);
if(r != HA_OK)
- {
- ret = r;
- goto finally;
- }
+ RETURN(r);
}
@@ -790,13 +773,15 @@ static int validate_basic(ha_request_t* rq, const char* user, const char* passwo
if(r != LDAP_SUCCESS)
{
if(r == LDAP_INVALID_CREDENTIALS)
- ha_messagex(rq, LOG_WARNING, "basic authentication (via bind) failed for user: %s",
- user);
-
+ {
+ ha_messagex(rq, LOG_WARNING, "basic authentication (via bind) failed for user: %s", user);
+ RETURN(HA_FALSE);
+ }
else
+ {
report_ldap(rq, "couldn't bind to LDAP server", r);
-
- goto finally;
+ RETURN(HA_FAILED);
+ }
}
/* It worked! */
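Review bot: Returning HA_FALSE only on LDAP_INVALID_CREDENTIALS leaves the empty-password case to the server: per RFC 4513 a simple bind with a DN and a zero-length password is an unauthenticated bind, which many directories answer with LDAP_SUCCESS, so the "It worked!" path would accept any user whose DN resolves. Unless a check earlier in validate_basic already rejects it, add before the bind `if(!password || !*password) RETURN(HA_FALSE);`. The bind call and the start of validate_basic are above this hunk, so I cannot see whether such a check exists.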