Diffstat (limited to 'daemon/ldap.c')
-rw-r--r-- | daemon/ldap.c | 65 |
1 files changed, 25 insertions, 40 deletions
diff --git a/daemon/ldap.c b/daemon/ldap.c
index 1df7651..e3f6a5f 100644
--- a/daemon/ldap.c
+++ b/daemon/ldap.c
@@ -296,7 +296,7 @@ static int validate_ldap_password(const ha_request_t* rq, ldap_context_t* ctx, L
 const char* p;
 int type;
 int res = HA_FALSE;
- int unknown = 0;
+ int foundany = 0;
 ASSERT(entry && ld && ctx && clearpw && rq);
@@ -310,6 +310,11 @@ static int validate_ldap_password(const ha_request_t* rq, ldap_context_t* ctx, L
 pw = *t;
 type = parse_ldap_password(&pw);
+ if(type != LDAP_PW_UNKNOWN)
+ foundany = 1;
+ else
+ continue;
+
 switch(type)
 {
 case LDAP_PW_CLEAR:
@@ -323,7 +328,7 @@ static int validate_ldap_password(const ha_request_t* rq, ldap_context_t* ctx, L
 case LDAP_PW_CRYPT:
 /* Not sure if crypt is thread safe */
 ha_lock(NULL);
- p = crypt(clearpw, pw);
+ p = (const char*)crypt(clearpw, pw);
 ha_unlock(NULL);
 break;
@@ -331,10 +336,6 @@ static int validate_ldap_password(const ha_request_t* rq, ldap_context_t* ctx, L
 p = make_password_sha(rq->buf, clearpw);
 break;
- case LDAP_PW_UNKNOWN:
- unknown = 1;
- continue;
-
 default:
 /* Not reached */
 ASSERT(0);
@@ -357,7 +358,7 @@ static int validate_ldap_password(const ha_request_t* rq, ldap_context_t* ctx, L
 ldap_value_free(pws);
 }
- if(res == HA_FALSE && unknown)
+ if(res == HA_FALSE && !foundany)
 ha_messagex(rq, LOG_ERR, "server does not contain any compatible passwords for user: %s", user);
 return res;
@@ -596,7 +597,7 @@ static int validate_digest(ha_request_t* rq, const char* user, digest_context_t*
 LDAPMessage* results = NULL; /* freed in finally */
 LDAPMessage* entry = NULL; /* no need to free */
 struct berval** ha1s = NULL; /* freed manually */
- const char** pws;
+ const char** pws = NULL; /* freed in finally */
 int ret = HA_FALSE;
 const char* dn = NULL;
 int r;
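Review bot: The cast `(const char*)crypt(clearpw, pw)` in the LDAP_PW_CRYPT case silences a type warning instead of removing its cause: on glibc `crypt()` is only declared when `<crypt.h>` is included (or `<unistd.h>` with `_XOPEN_SOURCE`/`_GNU_SOURCE` defined), and if it is implicitly declared the returned pointer is truncated to `int` on 64-bit builds before the cast, which the cast then hides. The fix is to include the declaring header and drop the cast, `#include <crypt.h>` and `p = crypt(clearpw, pw);`. `crypt()` also returns NULL for an unsupported salt or hash method, and unless the comparison that follows the switch — outside this hunk — guards against it, a NULL `p` would be dereferenced; `if(!p) continue;` after `ha_unlock(NULL);` covers that. Where `crypt_r()` is available it would also remove the need for the global lock that the "Not sure if crypt is thread safe" comment hedges around. validate_ldap_password starts and ends outside this hunk.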
@@ -606,10 +607,7 @@ static int validate_digest(ha_request_t* rq, const char* user, digest_context_t*
 ld = get_ldap_connection(rq, ctx);
 if(!ld)
- {
- ret = HA_FAILED;
- goto finally;
- }
+ RETURN(HA_FAILED);
 /*
 * Discover the DN of the user. If there's a DN map string
@@ -621,10 +619,7 @@ static int validate_digest(ha_request_t* rq, const char* user, digest_context_t*
 /* The map can have %u and %r to denote user and realm */
 dn = bd_substitute(rq, user, ctx->dnmap);
 if(!dn)
- {
- ret = HA_FAILED;
- goto finally;
- }
+ RETURN(HA_CRITERROR);
 ha_messagex(rq, LOG_INFO, "mapped %s to %s", user, dn);
 }
@@ -632,10 +627,7 @@ static int validate_digest(ha_request_t* rq, const char* user, digest_context_t*
 /* Okay now we contact the LDAP server. */
 r = retrieve_user_entry(rq, ctx, ld, user, &dn, &entry, &results);
 if(r != HA_OK)
- {
- ret = r;
- goto finally;
- }
+ RETURN(r);
 /* Figure out the users ha1 */
 if(ctx->ha1_attr)
@@ -662,11 +654,11 @@ static int validate_digest(ha_request_t* rq, const char* user, digest_context_t*
 ret = digest_complete_check(dg, rq->buf);
 if(ret != HA_FALSE)
- goto finally;
+ RETURN(ret);
 }
 else if(r < 0)
- goto finally;
+ RETURN(r);
 ha1s++;
 }
@@ -691,7 +683,7 @@ static int validate_digest(ha_request_t* rq, const char* user, digest_context_t*
 ret = digest_complete_check(dg, rq->buf);
 if(ret != HA_FALSE)
- goto finally;
+ RETURN(ret);
 }
 }
@@ -730,10 +722,7 @@ static int validate_basic(ha_request_t* rq, const char* user, const char* passwo
 ld = get_ldap_connection(rq, ctx);
 if(!ld)
- {
- ret = HA_FAILED;
- goto finally;
- }
+ RETURN(HA_FAILED);
 /*
@@ -746,10 +735,7 @@ static int validate_basic(ha_request_t* rq, const char* user, const char* passwo
 /* The map can have %u and %r to denote user and realm */
 dn = bd_substitute(rq, user, ctx->dnmap);
 if(!dn)
- {
- ret = HA_CRITERROR;
- goto finally;
- }
+ RETURN(HA_CRITERROR);
 ha_messagex(rq, LOG_INFO, "mapped %s to %s", user, dn);
 }
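Review bot: `RETURN(x)` is now the sole statement of the brace-less `if(!ld)`, `if(!dn)` and `if(r != HA_OK)` in these hunks, so its definition (not visible here) must expand to exactly one statement, `#define RETURN(x) do { ret = (x); goto finally; } while(0)`; a bare `{ ret = x; goto finally; }` expansion would break any `if … RETURN(…); else` added later, and a two-statement expansion without braces would jump to `finally` unconditionally. Worth confirming at the macro definition. The @@ -621 hunk also changes validate_digest's result on a failed DN map from HA_FAILED to HA_CRITERROR, bringing it in line with validate_basic; if that is deliberate, a sentence in the commit message would help, since it changes how the caller classifies the failure. Both validate_digest and validate_basic start and end outside these hunks.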
@@ -774,10 +760,7 @@ static int validate_basic(ha_request_t* rq, const char* user, const char* passwo
 {
 r = retrieve_user_entry(rq, ctx, ld, user, &dn, &entry, &results);
 if(r != HA_OK)
- {
- ret = r;
- goto finally;
- }
+ RETURN(r);
 }
@@ -790,13 +773,15 @@ static int validate_basic(ha_request_t* rq, const char* user, const char* passwo
 if(r != LDAP_SUCCESS)
 {
 if(r == LDAP_INVALID_CREDENTIALS)
- ha_messagex(rq, LOG_WARNING, "basic authentication (via bind) failed for user: %s",
- user);
-
+ {
+ ha_messagex(rq, LOG_WARNING, "basic authentication (via bind) failed for user: %s", user);
+ RETURN(HA_FALSE);
+ }
 else
+ {
 report_ldap(rq, "couldn't bind to LDAP server", r);
-
- goto finally;
+ RETURN(HA_FAILED);
+ }
 }
 /* It worked! */ |
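Review bot: The bind result check in the @@ -790 hunk treats LDAP_SUCCESS as proof of the password, but an LDAP simple bind with an empty password is an unauthenticated bind that most servers accept by default (RFC 4513 §5.1.2), so if the bind call above this hunk passes `password` through unchecked, any valid user name with an empty password reaches `/* It worked! */`. A guard before the bind, `if(!password || !*password) RETURN(HA_FALSE);`, closes this independently of server configuration. The new split between HA_FALSE for LDAP_INVALID_CREDENTIALS and HA_FAILED for every other code is an improvement, though codes such as LDAP_INAPPROPRIATE_AUTH or LDAP_UNWILLING_TO_PERFORM (disabled or locked accounts) will now be surfaced as a server failure rather than a rejected login, so the log line from report_ldap should carry `r` to keep those distinguishable. validate_basic continues outside the hunk, as does the bind call itself.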