upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-21 15:19:34 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Rework SASL command line arguments. Default is now to authenticate

Browse source 
using best available mechanism.  (authzid prompting to be disabled)
To use simple bind, -x is required (implied if -P 2) with -D/-[Ww]
To use simple "anonymous" bind, just -x will do.
This commit is contained in:
Kurt Zeilenga 2000-07-15 23:25:46 +00:00
parent bab26b3142
commit d2b05a3858
13 changed files with 923 additions and 631 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

312
clients/tools/ldapdelete.c
View file

@ -18,7 +18,9 @@
#include <ldap.h> #include <ldap.h>
#include "lutil_ldap.h" #include "lutil_ldap.h"
#include "ldap_defaults.h"
static char *prog;
static char *binddn = NULL; static char *binddn = NULL;
static struct berval passwd = { 0, NULL }; static struct berval passwd = { 0, NULL };
static char *ldaphost = NULL; static char *ldaphost = NULL;
@ -50,12 +52,14 @@ usage( const char *s )
"usage: %s [options] [dn]...\n" "usage: %s [options] [dn]...\n"
" dn: list of DNs to delete. If not given, it will be readed from stdin\n" " dn: list of DNs to delete. If not given, it will be readed from stdin\n"
" or from the file specified with \"-f file\".\n" " or from the file specified with \"-f file\".\n"
"options:\n" "Delete Options:\n"
" -r\t\tdelete recursively\n"
"Common options:\n"
" -c\t\tcontinuous operation mode (do not stop on errors)\n" " -c\t\tcontinuous operation mode (do not stop on errors)\n"
" -C\t\tchase referrals\n" " -C\t\tchase referrals\n"
" -d level\tset LDAP debugging level to `level'\n" " -d level\tset LDAP debugging level to `level'\n"
" -D binddn\tbind DN\n" " -D binddn\tbind DN\n"
" -f file\t\tdelete DNs listed in `file'\n" " -f file\t\tread operations from `file'\n"
" -h host\t\tLDAP server\n" " -h host\t\tLDAP server\n"
" -k\t\tuse Kerberos authentication\n" " -k\t\tuse Kerberos authentication\n"
" -K\t\tlike -k, but do only step 1 of the Kerberos bind\n" " -K\t\tlike -k, but do only step 1 of the Kerberos bind\n"
@ -64,11 +68,11 @@ usage( const char *s )
" -O secprops\tSASL security properties\n" " -O secprops\tSASL security properties\n"
" -p port\t\tport on LDAP server\n" " -p port\t\tport on LDAP server\n"
" -P version\tprocotol version (default: 3)\n" " -P version\tprocotol version (default: 3)\n"
" -r\t\tdelete recursively\n"
" -U user\t\tSASL authentication identity (username)\n" " -U user\t\tSASL authentication identity (username)\n"
" -v\t\trun in verbose mode (diagnostics to standard output)\n" " -v\t\trun in verbose mode (diagnostics to standard output)\n"
" -w passwd\tbind passwd (for simple authentication)\n" " -w passwd\tbind passwd (for simple authentication)\n"
" -W\t\tprompt for bind passwd\n" " -W\t\tprompt for bind passwd\n"
" -x\t\tSimple authentication\n"
" -X id\t\tSASL authorization identity (\"dn:<dn>\" or \"u:<user>\")\n" " -X id\t\tSASL authorization identity (\"dn:<dn>\" or \"u:<user>\")\n"
" -Y mech\t\tSASL mechanism\n" " -Y mech\t\tSASL mechanism\n"
" -Z\t\tissue Start TLS request (-ZZ to require successful response)\n" " -Z\t\tissue Start TLS request (-ZZ to require successful response)\n"
@ -87,38 +91,166 @@ main( int argc, char **argv )
not = verbose = contoper = want_bindpw = debug = manageDSAit = referrals = 0; not = verbose = contoper = want_bindpw = debug = manageDSAit = referrals = 0;
fp = NULL; fp = NULL;
authmethod = LDAP_AUTH_SIMPLE; authmethod = -1;
version = -1; version = -1;
while (( i = getopt( argc, argv, "cCD:d:f:h:KMnO:P:p:rU:vWw:X:Y:Z" )) != EOF ) { prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : ++prog;
while (( i = getopt( argc, argv, "cf:r" "Cd:D:h:kKMnO:p:P:U:vw:WxX:Y:Z" )) != EOF ) {
switch( i ) { switch( i ) {
/* Delete Specific Options */
case 'c': /* continuous operation mode */
++contoper;
break;
case 'f': /* read DNs from a file */
if (( fp = fopen( optarg, "r" )) == NULL ) {
perror( optarg );
exit( EXIT_FAILURE );
}
break;
case 'r':
prune = 1;
break;
/* Common Options */
case 'C':
referrals++;
break;
case 'd':
debug |= atoi( optarg );
break;
case 'D': /* bind DN */
binddn = strdup( optarg );
break;
case 'h': /* ldap host */
ldaphost = strdup( optarg );
break;
case 'k': /* kerberos bind */ case 'k': /* kerberos bind */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
if( version > LDAP_VERSION2 ) {
fprintf( stderr, "%s: -k incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 ) {
fprintf( stderr, "%s: -k incompatible with previous "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_KRBV4; authmethod = LDAP_AUTH_KRBV4;
#else #else
fprintf( stderr, "%s was not compiled with Kerberos support\n", argv[0] ); fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
return( EXIT_FAILURE ); return EXIT_FAILURE;
#endif #endif
break; break;
case 'K': /* kerberos bind, part one only */ case 'K': /* kerberos bind, part one only */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
if( version > LDAP_VERSION2 ) {
fprintf( stderr, "%s: -k incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 ) {
fprintf( stderr, "%s: incompatible with previous "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_KRBV41; authmethod = LDAP_AUTH_KRBV41;
#else #else
fprintf( stderr, "%s was not compiled with Kerberos support\n", argv[0] ); fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
case 'c': /* continuous operation mode */ case 'M':
++contoper; /* enable Manage DSA IT */
break; if( version == LDAP_VERSION2 ) {
case 'C': fprintf( stderr, "%s: -M incompatible with LDAPv%d\n",
referrals++; prog, version );
return EXIT_FAILURE;
}
manageDSAit++;
version = LDAP_VERSION3;
break; break;
case 'h': /* ldap host */ case 'n': /* print deletes, don't actually do them */
ldaphost = strdup( optarg ); ++not;
break; break;
case 'D': /* bind DN */ case 'O':
binddn = strdup( optarg ); #ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s -O incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
#else
fprintf( stderr, "%s: not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
break;
case 'p':
ldapport = atoi( optarg );
break;
case 'P':
switch( atoi(optarg) ) {
case 2:
if( version == LDAP_VERSION3 ) {
fprintf( stderr, "%s: -P 2 incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
version = LDAP_VERSION2;
break;
case 3:
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -P 2 incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
break;
default:
fprintf( stderr, "%s: protocol version should be 2 or 3\n",
prog );
usage( prog );
return( EXIT_FAILURE );
} break;
case 'U':
#ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -U incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n",
prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_authc_id = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
break;
case 'v': /* verbose mode */
verbose++;
break; break;
case 'w': /* password */ case 'w': /* password */
passwd.bv_val = strdup( optarg ); passwd.bv_val = strdup( optarg );
@ -131,136 +263,86 @@ main( int argc, char **argv )
} }
passwd.bv_len = strlen( passwd.bv_val ); passwd.bv_len = strlen( passwd.bv_val );
break; break;
case 'f': /* read DNs from a file */
if (( fp = fopen( optarg, "r" )) == NULL ) {
perror( optarg );
exit( EXIT_FAILURE );
}
break;
case 'd':
debug |= atoi( optarg );
break;
case 'p':
ldapport = atoi( optarg );
break;
case 'n': /* print deletes, don't actually do them */
++not;
break;
case 'r':
prune = 1;
break;
case 'v': /* verbose mode */
verbose++;
break;
case 'M':
/* enable Manage DSA IT */
manageDSAit++;
break;
case 'W': case 'W':
want_bindpw++; want_bindpw++;
break; break;
case 'P':
switch( atoi(optarg) )
{
case 2:
version = LDAP_VERSION2;
break;
case 3:
version = LDAP_VERSION3;
break;
default:
fprintf( stderr, "protocol version should be 2 or 3\n" );
usage( argv[0] );
return( EXIT_FAILURE );
}
break;
case 'O':
#ifdef HAVE_CYRUS_SASL
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s was not compiled with SASL support\n",
argv[0] );
return( EXIT_FAILURE );
#endif
break;
case 'Y': case 'Y':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if ( strcasecmp( optarg, "any" ) && strcmp( optarg, "*" ) ) { if( version == LDAP_VERSION2 ) {
sasl_mech = strdup( optarg ); fprintf( stderr, "%s: -Y incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
} }
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible with authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
#else #else
fprintf( stderr, "%s was not compiled with SASL support\n", fprintf( stderr, "%s: was not compiled with SASL support\n",
argv[0] ); prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
case 'U': case 'x':
#ifdef HAVE_CYRUS_SASL if( authmethod != -1 && authmethod != LDAP_AUTH_SIMPLE ) {
sasl_authc_id = strdup( optarg ); fprintf( stderr, "%s: incompatible with previous "
authmethod = LDAP_AUTH_SASL; "authentication choice\n", prog );
#else return EXIT_FAILURE;
fprintf( stderr, "%s was not compiled with SASL support\n", }
argv[0] ); authmethod = LDAP_AUTH_SIMPLE;
return( EXIT_FAILURE );
#endif
break; break;
case 'X': case 'X':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: -X incompatible with "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_authz_id = strdup( optarg ); sasl_authz_id = strdup( optarg );
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
#else #else
fprintf( stderr, "%s was not compiled with SASL support\n", fprintf( stderr, "%s: not compiled with SASL support\n",
argv[0] ); prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
case 'Z': case 'Z':
#ifdef HAVE_TLS #ifdef HAVE_TLS
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s -Z incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
use_tls++; use_tls++;
#else #else
fprintf( stderr, "%s was not compiled with TLS support\n", fprintf( stderr, "%s: not compiled with TLS support\n",
argv[0] ); prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
default: default:
usage( argv[0] ); usage( prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
} }
} }
if ( ( authmethod == LDAP_AUTH_KRBV4 ) || ( authmethod == if (version == -1) {
LDAP_AUTH_KRBV41 ) ) {
if( version > LDAP_VERSION2 ) {
fprintf( stderr, "Kerberos requires LDAPv2\n" );
return( EXIT_FAILURE );
}
version = LDAP_VERSION2;
}
else if ( authmethod == LDAP_AUTH_SASL ) {
if( version != -1 && version != LDAP_VERSION3 ) {
fprintf( stderr, "SASL requires LDAPv3\n" );
return( EXIT_FAILURE );
}
version = LDAP_VERSION3; version = LDAP_VERSION3;
} }
if (authmethod == -1 && version > LDAP_VERSION2) {
if( manageDSAit ) { authmethod = LDAP_AUTH_SASL;
if( version != -1 && version != LDAP_VERSION3 ) {
fprintf(stderr, "manage DSA control requires LDAPv3\n");
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
}
if( use_tls ) {
if( version != -1 && version != LDAP_VERSION3 ) {
fprintf(stderr, "Start TLS requires LDAPv3\n");
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
} }
if ( fp == NULL ) { if ( fp == NULL ) {
@ -302,10 +384,6 @@ main( int argc, char **argv )
return EXIT_FAILURE; return EXIT_FAILURE;
} }
if (version == -1 ) {
version = 3;
}
if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ) if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version )
!= LDAP_OPT_SUCCESS ) != LDAP_OPT_SUCCESS )
{ {

327
clients/tools/ldapmodify.c
View file

@ -97,15 +97,17 @@ usage( const char *prog )
"usage: %s [options]\n" "usage: %s [options]\n"
" The list of desired operations are read from stdin or from the file\n" " The list of desired operations are read from stdin or from the file\n"
" specified by \"-f file\".\n" " specified by \"-f file\".\n"
"options:\n" "Add or modify options:\n"
" -a\t\tadd values (default%s)\n" " -a\t\tadd values (default%s)\n"
" -b\t\tread values from files (for binary attributes)\n" " -r\t\treplace values\n"
" -c\t\tcontinuous operation\n" " -F\t\tforce all changes records to be used\n"
"common options:\n"
" -c\t\tcontinuous operation (ignore errors)\n"
" -C\t\tchase referrals\n" " -C\t\tchase referrals\n"
" -d level\tset LDAP debugging level to `level'\n" " -d level\tset LDAP debugging level to `level'\n"
" -D dn\t\tbind DN\n" " -D dn\t\tbind DN\n"
" -f file\t\tperform sequence of operations listed in file\n" " -f file\t\tread operations from `file'\n"
" -F\t\tforce all changes records to be used\n"
" -h host\t\tLDAP server\n" " -h host\t\tLDAP server\n"
" -k\t\tuse Kerberos authentication\n" " -k\t\tuse Kerberos authentication\n"
" -K\t\tlike -k, but do only step 1 of the Kerberos bind\n" " -K\t\tlike -k, but do only step 1 of the Kerberos bind\n"
@ -113,7 +115,6 @@ usage( const char *prog )
" -n\t\tprint changes, don't actually do them\n" " -n\t\tprint changes, don't actually do them\n"
" -O secprops\tSASL security properties\n" " -O secprops\tSASL security properties\n"
" -p port\t\tport on LDAP server\n" " -p port\t\tport on LDAP server\n"
" -r\t\treplace values\n"
" -U user\t\tSASL authentication identity (username)\n" " -U user\t\tSASL authentication identity (username)\n"
" -v\t\tverbose mode\n" " -v\t\tverbose mode\n"
" -w passwd\tbind password (for Simple authentication)\n" " -w passwd\tbind password (for Simple authentication)\n"
@ -121,6 +122,7 @@ usage( const char *prog )
" -Y mech\t\tSASL mechanism\n" " -Y mech\t\tSASL mechanism\n"
" -Z\t\tissue Start TLS request (-ZZ to require successful response)\n" " -Z\t\tissue Start TLS request (-ZZ to require successful response)\n"
, prog, (strcmp( prog, "ldapadd" ) ? " is to replace" : "") ); , prog, (strcmp( prog, "ldapadd" ) ? " is to replace" : "") );
exit( EXIT_FAILURE ); exit( EXIT_FAILURE );
} }
@ -146,48 +148,168 @@ main( int argc, char **argv )
infile = NULL; infile = NULL;
not = verbose = want_bindpw = debug = manageDSAit = referrals = 0; not = verbose = want_bindpw = debug = manageDSAit = referrals = 0;
authmethod = LDAP_AUTH_SIMPLE; authmethod = -1;
version = -1; version = -1;
while (( i = getopt( argc, argv, "acCD:d:Ff:h:KkMnO:P:p:rtU:vWw:X:Y:Z" )) != EOF ) { while (( i = getopt( argc, argv, "acrf:F" "Cd:D:h:kKMnO:p:P:U:vw:WxX:Y:Z" )) != EOF ) {
switch( i ) { switch( i ) {
/* Modify Options */
case 'a': /* add */ case 'a': /* add */
ldapadd = 1; ldapadd = 1;
break; break;
case 'c': /* continuous operation */ case 'c': /* continuous operation */
contoper = 1; contoper = 1;
break; break;
case 'C': case 'f': /* read from file */
referrals++; infile = strdup( optarg );
break;
case 'r': /* default is to replace rather than add values */
replace = 1;
break;
case 'k': /* kerberos bind */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
authmethod = LDAP_AUTH_KRBV4;
#else
fprintf( stderr, "%s was not compiled with Kerberos support\n", argv[0] );
return( EXIT_FAILURE );
#endif
break;
case 'K': /* kerberos bind, part 1 only */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
authmethod = LDAP_AUTH_KRBV41;
#else
fprintf( stderr, "%s was not compiled with Kerberos support\n", argv[0] );
return( EXIT_FAILURE );
#endif
break; break;
case 'F': /* force all changes records to be used */ case 'F': /* force all changes records to be used */
force = 1; force = 1;
break; break;
case 'h': /* ldap host */ case 'r': /* default is to replace rather than add values */
ldaphost = strdup( optarg ); replace = 1;
break;
/* Common Options */
case 'C':
referrals++;
break;
case 'd':
debug |= atoi( optarg );
break; break;
case 'D': /* bind DN */ case 'D': /* bind DN */
binddn = strdup( optarg ); binddn = strdup( optarg );
break; break;
case 'h': /* ldap host */
ldaphost = strdup( optarg );
break;
case 'k': /* kerberos bind */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
if( version > LDAP_VERSION2 ) {
fprintf( stderr, "%s: -k incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 ) {
fprintf( stderr, "%s: -k incompatible with previous "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_KRBV4;
#else
fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
return EXIT_FAILURE;
#endif
break;
case 'K': /* kerberos bind, part one only */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
if( version > LDAP_VERSION2 ) {
fprintf( stderr, "%s: -k incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 ) {
fprintf( stderr, "%s: incompatible with previous "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_KRBV41;
#else
fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
return( EXIT_FAILURE );
#endif
break;
case 'M':
/* enable Manage DSA IT */
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -M incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
manageDSAit++;
version = LDAP_VERSION3;
break;
case 'n': /* print deletes, don't actually do them */
++not;
break;
case 'O':
#ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s -O incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
#else
fprintf( stderr, "%s: not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
break;
case 'p':
ldapport = atoi( optarg );
break;
case 'P':
switch( atoi(optarg) ) {
case 2:
if( version == LDAP_VERSION3 ) {
fprintf( stderr, "%s: -P 2 incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
version = LDAP_VERSION2;
break;
case 3:
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -P 2 incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
break;
default:
fprintf( stderr, "%s: protocol version should be 2 or 3\n",
prog );
usage( prog );
return( EXIT_FAILURE );
} break;
case 'U':
#ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -U incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n",
prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_authc_id = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
break;
case 'v': /* verbose mode */
verbose++;
break;
case 'w': /* password */ case 'w': /* password */
passwd.bv_val = strdup( optarg ); passwd.bv_val = strdup( optarg );
{ {
@ -199,90 +321,72 @@ main( int argc, char **argv )
} }
passwd.bv_len = strlen( passwd.bv_val ); passwd.bv_len = strlen( passwd.bv_val );
break; break;
case 'd':
debug |= atoi( optarg );
break;
case 'f': /* read from file */
infile = strdup( optarg );
break;
case 'p':
ldapport = atoi( optarg );
break;
case 'n': /* print adds, don't actually do them */
++not;
break;
case 'v': /* verbose mode */
verbose++;
break;
case 'M':
/* enable Manage DSA IT */
manageDSAit++;
break;
case 'W': case 'W':
want_bindpw++; want_bindpw++;
break; break;
case 'P':
switch( atoi(optarg) )
{
case 2:
version = LDAP_VERSION2;
break;
case 3:
version = LDAP_VERSION3;
break;
default:
fprintf( stderr, "protocol version should be 2 or 3\n" );
usage( argv[0] );
}
break;
case 'O':
#ifdef HAVE_CYRUS_SASL
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s was not compiled with SASL support\n",
argv[0] );
return( EXIT_FAILURE );
#endif
break;
case 'Y': case 'Y':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if ( strcasecmp( optarg, "any" ) && strcmp( optarg, "*" ) ) { if( version == LDAP_VERSION2 ) {
sasl_mech = strdup( optarg ); fprintf( stderr, "%s: -Y incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
} }
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible with authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
#else #else
fprintf( stderr, "%s was not compiled with SASL support\n", fprintf( stderr, "%s: was not compiled with SASL support\n",
argv[0] ); prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
case 'U': case 'x':
#ifdef HAVE_CYRUS_SASL if( authmethod != -1 && authmethod != LDAP_AUTH_SIMPLE ) {
sasl_authc_id = strdup( optarg ); fprintf( stderr, "%s: incompatible with previous "
authmethod = LDAP_AUTH_SASL; "authentication choice\n", prog );
#else return EXIT_FAILURE;
fprintf( stderr, "%s was not compiled with SASL support\n", }
argv[0] ); authmethod = LDAP_AUTH_SIMPLE;
return( EXIT_FAILURE );
#endif
break; break;
case 'X': case 'X':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: -X incompatible with "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_authz_id = strdup( optarg ); sasl_authz_id = strdup( optarg );
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
#else #else
fprintf( stderr, "%s was not compiled with SASL support\n", fprintf( stderr, "%s: not compiled with SASL support\n",
argv[0] ); prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
case 'Z': case 'Z':
#ifdef HAVE_TLS #ifdef HAVE_TLS
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s -Z incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
use_tls++; use_tls++;
#else #else
fprintf( stderr, "%s was not compiled with TLS support\n", fprintf( stderr, "%s: not compiled with TLS support\n",
argv[0] ); prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
@ -291,41 +395,16 @@ main( int argc, char **argv )
} }
} }
if ( argc != optind ) if (version == -1) {
version = LDAP_VERSION3;
}
if (authmethod == -1 && version > LDAP_VERSION2) {
authmethod = LDAP_AUTH_SASL;
}
if ( argc != optind )
usage( prog ); usage( prog );
if ( ( authmethod == LDAP_AUTH_KRBV4 ) || ( authmethod ==
LDAP_AUTH_KRBV41 ) ) {
if( version > LDAP_VERSION2 ) {
fprintf( stderr, "Kerberos requires LDAPv2\n" );
return( EXIT_FAILURE );
}
version = LDAP_VERSION2;
}
else if ( authmethod == LDAP_AUTH_SASL ) {
if( version != -1 && version != LDAP_VERSION3 ) {
fprintf( stderr, "SASL requires LDAPv3\n" );
return( EXIT_FAILURE );
}
version = LDAP_VERSION3;
}
if( manageDSAit ) {
if( version != -1 && version != LDAP_VERSION3 ) {
fprintf(stderr, "manage DSA control requires LDAPv3\n");
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
}
if( use_tls ) {
if( version != -1 && version != LDAP_VERSION3 ) {
fprintf(stderr, "Start TLS requires LDAPv3\n");
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
}
if ( infile != NULL ) { if ( infile != NULL ) {
if (( fp = fopen( infile, "r" )) == NULL ) { if (( fp = fopen( infile, "r" )) == NULL ) {
perror( infile ); perror( infile );

339
clients/tools/ldapmodrdn.c
View file

@ -30,6 +30,7 @@
#include <ldap.h> #include <ldap.h>
#include "lutil_ldap.h" #include "lutil_ldap.h"
#include "ldap_defaults.h"
static char *binddn = NULL; static char *binddn = NULL;
static struct berval passwd = { 0, NULL }; static struct berval passwd = { 0, NULL };
@ -61,12 +62,16 @@ usage( const char *s )
" dn rdn: If given, rdn will replace the RDN of the entry specified by DN\n" " dn rdn: If given, rdn will replace the RDN of the entry specified by DN\n"
" If not given, the list of modifications is read from stdin or\n" " If not given, the list of modifications is read from stdin or\n"
" from the file specified by \"-f file\" (see man page).\n" " from the file specified by \"-f file\" (see man page).\n"
"options:\n" "Rename options:\n"
" -r\t\tremove old RDN\n"
" -s newsuperior\tnew superior entry\n"
"common options:\n"
" -c\t\tcontinuous operation mode (do not stop on errors)\n" " -c\t\tcontinuous operation mode (do not stop on errors)\n"
" -C\t\tchase referrals\n" " -C\t\tchase referrals\n"
" -d level\tset LDAP debugging level to `level'\n" " -d level\tset LDAP debugging level to `level'\n"
" -D binddn\tbind DN\n" " -D binddn\tbind DN\n"
" -f file\t\tdo renames listed in `file'\n" " -f file\t\tread operations from `file'\n"
" -h host\t\tLDAP server\n" " -h host\t\tLDAP server\n"
" -k\t\tuse Kerberos authentication\n" " -k\t\tuse Kerberos authentication\n"
" -K\t\tlike -k, but do only step 1 of the Kerberos bind\n" " -K\t\tlike -k, but do only step 1 of the Kerberos bind\n"
@ -75,8 +80,6 @@ usage( const char *s )
" -O secprops\tSASL security properties\n" " -O secprops\tSASL security properties\n"
" -p port\t\tport on LDAP server\n" " -p port\t\tport on LDAP server\n"
" -P version\tprocotol version (default: 3)\n" " -P version\tprocotol version (default: 3)\n"
" -r\t\tremove old RDN\n"
" -s newsuperior\tnew superior entry\n"
" -U user\t\tSASL authentication identity (username)\n" " -U user\t\tSASL authentication identity (username)\n"
" -v\t\trun in verbose mode (diagnostics to standard output)\n" " -v\t\trun in verbose mode (diagnostics to standard output)\n"
" -w passwd\tbind passwd (for simple authentication)\n" " -w passwd\tbind passwd (for simple authentication)\n"
@ -92,7 +95,7 @@ usage( const char *s )
int int
main(int argc, char **argv) main(int argc, char **argv)
{ {
char *myname,*infile, *entrydn = NULL, *rdn = NULL, buf[ 4096 ]; char *prog,*infile, *entrydn = NULL, *rdn = NULL, buf[ 4096 ];
FILE *fp; FILE *fp;
int rc, i, remove, havedn, authmethod, version, want_bindpw, debug, manageDSAit; int rc, i, remove, havedn, authmethod, version, want_bindpw, debug, manageDSAit;
int referrals; int referrals;
@ -104,41 +107,163 @@ main(int argc, char **argv)
authmethod = LDAP_AUTH_SIMPLE; authmethod = LDAP_AUTH_SIMPLE;
version = -1; version = -1;
myname = (myname = strrchr(argv[0], '/')) == NULL ? argv[0] : ++myname; prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : ++prog;
while (( i = getopt( argc, argv, "cCD:d:f:h:KkMnO:P:p:rs:U:vWw:X:Y:Z" )) != EOF ) { while (( i = getopt( argc, argv, "rs:" "cCd:D:f:h:kKMnO:p:P:U:vw:WxX:Y:Z" )) != EOF ) {
switch( i ) { switch( i ) {
case 'k': /* kerberos bind */ /* Modrdn Options */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND case 's': /* newSuperior */
authmethod = LDAP_AUTH_KRBV4; if( version == LDAP_VERSION2 ) {
#else fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
fprintf( stderr, "%s was not compiled with Kerberos support\n", argv[0] ); prog, version );
return( EXIT_FAILURE ); return EXIT_FAILURE;
#endif }
break; newSuperior = strdup( optarg );
case 'K': /* kerberos bind, part one only */ version = LDAP_VERSION3;
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
authmethod = LDAP_AUTH_KRBV41;
#else
fprintf( stderr, "%s was not compiled with Kerberos support\n", argv[0] );
return( EXIT_FAILURE );
#endif
break;
case 'c': /* continuous operation mode */
++contoper;
break; break;
case 'r': /* remove old RDN */
remove++;
break;
/* Common Options */
case 'C': case 'C':
referrals++; referrals++;
break; break;
case 'h': /* ldap host */ case 'd':
ldaphost = strdup( optarg ); debug |= atoi( optarg );
break; break;
case 'D': /* bind DN */ case 'D': /* bind DN */
binddn = strdup( optarg ); binddn = strdup( optarg );
break; break;
case 's': /* newSuperior */ case 'h': /* ldap host */
newSuperior = strdup( optarg ); ldaphost = strdup( optarg );
version = LDAP_VERSION3; /* This option => force V3 */ break;
case 'k': /* kerberos bind */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
if( version > LDAP_VERSION2 ) {
fprintf( stderr, "%s: -k incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 ) {
fprintf( stderr, "%s: -k incompatible with previous "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_KRBV4;
#else
fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
return EXIT_FAILURE;
#endif
break;
case 'K': /* kerberos bind, part one only */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
if( version > LDAP_VERSION2 ) {
fprintf( stderr, "%s: -k incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 ) {
fprintf( stderr, "%s: incompatible with previous "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_KRBV41;
#else
fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
return( EXIT_FAILURE );
#endif
break;
case 'M':
/* enable Manage DSA IT */
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -M incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
manageDSAit++;
version = LDAP_VERSION3;
break;
case 'n': /* print deletes, don't actually do them */
++not;
break;
case 'O':
#ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s -O incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
#else
fprintf( stderr, "%s: not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
break;
case 'p':
ldapport = atoi( optarg );
break;
case 'P':
switch( atoi(optarg) ) {
case 2:
if( version == LDAP_VERSION3 ) {
fprintf( stderr, "%s: -P 2 incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
version = LDAP_VERSION2;
break;
case 3:
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -P 2 incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
break;
default:
fprintf( stderr, "%s: protocol version should be 2 or 3\n",
prog );
usage( prog );
return( EXIT_FAILURE );
} break;
case 'U':
#ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -U incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n",
prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_authc_id = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
break;
case 'v': /* verbose mode */
verbose++;
break; break;
case 'w': /* password */ case 'w': /* password */
passwd.bv_val = strdup( optarg ); passwd.bv_val = strdup( optarg );
@ -151,94 +276,72 @@ main(int argc, char **argv)
} }
passwd.bv_len = strlen( passwd.bv_val ); passwd.bv_len = strlen( passwd.bv_val );
break; break;
case 'd':
debug |= atoi( optarg );
break;
case 'f': /* read from file */
infile = strdup( optarg );
break;
case 'p':
ldapport = atoi( optarg );
break;
case 'n': /* print adds, don't actually do them */
++not;
break;
case 'v': /* verbose mode */
verbose++;
break;
case 'r': /* remove old RDN */
remove++;
break;
case 'M':
/* enable Manage DSA IT */
manageDSAit++;
break;
case 'W': case 'W':
want_bindpw++; want_bindpw++;
break; break;
case 'P':
switch( atoi(optarg) )
{
case 2:
version = LDAP_VERSION2;
break;
case 3:
version = LDAP_VERSION3;
break;
default:
fprintf( stderr, "protocol version should be 2 or 3\n" );
usage( argv[0] );
return( EXIT_FAILURE );
}
break;
case 'O':
#ifdef HAVE_CYRUS_SASL
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s was not compiled with SASL support\n",
argv[0] );
return( EXIT_FAILURE );
#endif
break;
case 'Y': case 'Y':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if ( strcasecmp( optarg, "any" ) && strcmp( optarg, "*" ) ) { if( version == LDAP_VERSION2 ) {
sasl_mech = strdup( optarg ); fprintf( stderr, "%s: -Y incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
} }
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible with authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
#else #else
fprintf( stderr, "%s was not compiled with SASL support\n", fprintf( stderr, "%s: was not compiled with SASL support\n",
argv[0] ); prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
case 'U': case 'x':
#ifdef HAVE_CYRUS_SASL if( authmethod != -1 && authmethod != LDAP_AUTH_SIMPLE ) {
sasl_authc_id = strdup( optarg ); fprintf( stderr, "%s: incompatible with previous "
authmethod = LDAP_AUTH_SASL; "authentication choice\n", prog );
#else return EXIT_FAILURE;
fprintf( stderr, "%s was not compiled with SASL support\n", }
argv[0] ); authmethod = LDAP_AUTH_SIMPLE;
return( EXIT_FAILURE );
#endif
break; break;
case 'X': case 'X':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: -X incompatible with "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_authz_id = strdup( optarg ); sasl_authz_id = strdup( optarg );
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
#else #else
fprintf( stderr, "%s was not compiled with SASL support\n", fprintf( stderr, "%s: not compiled with SASL support\n",
argv[0] ); prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
case 'Z': case 'Z':
#ifdef HAVE_TLS #ifdef HAVE_TLS
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s -Z incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
use_tls++; use_tls++;
#else #else
fprintf( stderr, "%s was not compiled with TLS support\n", fprintf( stderr, "%s: not compiled with TLS support\n",
argv[0] ); prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
@ -248,49 +351,13 @@ main(int argc, char **argv)
} }
} }
if ( ( authmethod == LDAP_AUTH_KRBV4 ) || ( authmethod == if (version == -1) {
LDAP_AUTH_KRBV41 ) ) {
if( version > LDAP_VERSION2 ) {
fprintf( stderr, "Kerberos requires LDAPv2\n" );
return( EXIT_FAILURE );
}
version = LDAP_VERSION2;
}
else if ( authmethod == LDAP_AUTH_SASL ) {
if( version != -1 && version != LDAP_VERSION3 ) {
fprintf( stderr, "SASL requires LDAPv3\n" );
return( EXIT_FAILURE );
}
version = LDAP_VERSION3; version = LDAP_VERSION3;
} }
if (authmethod == -1 && version > LDAP_VERSION2) {
if( manageDSAit ) { authmethod = LDAP_AUTH_SASL;
if( version != -1 && version != LDAP_VERSION3 ) {
fprintf(stderr, "manage DSA control requires LDAPv3\n");
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
} }
if( use_tls ) {
if( version != -1 && version != LDAP_VERSION3 ) {
fprintf(stderr, "Start TLS requires LDAPv3\n");
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
}
if (newSuperior != NULL) {
if (version == LDAP_VERSION2) {
fprintf( stderr,
"%s: version conflict!, -s newSuperior requires LDAPv3\n",
myname);
usage( argv[0] );
return( EXIT_FAILURE );
}
version = LDAP_VERSION3;
}
havedn = 0; havedn = 0;
if (argc - optind == 2) { if (argc - optind == 2) {
if (( rdn = strdup( argv[argc - 1] )) == NULL ) { if (( rdn = strdup( argv[argc - 1] )) == NULL ) {
@ -303,7 +370,7 @@ main(int argc, char **argv)
} }
++havedn; ++havedn;
} else if ( argc - optind != 0 ) { } else if ( argc - optind != 0 ) {
fprintf( stderr, "%s: invalid number of arguments, only two allowed\n", myname); fprintf( stderr, "%s: invalid number of arguments, only two allowed\n", prog);
usage( argv[0] ); usage( argv[0] );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
} }
@ -344,10 +411,6 @@ main(int argc, char **argv)
return EXIT_FAILURE; return EXIT_FAILURE;
} }
if (version == -1 ) {
version = 3;
}
if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ) if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version )
!= LDAP_OPT_SUCCESS ) != LDAP_OPT_SUCCESS )
{ {

52
clients/tools/ldappasswd.c
View file

@ -31,21 +31,20 @@ usage(const char *s)
"Change the password of an LDAP entry\n\n" "Change the password of an LDAP entry\n\n"
"usage: %s [options] dn\n" "usage: %s [options] dn\n"
" dn: the DN of the entry whose password must be changed\n" " dn: the DN of the entry whose password must be changed\n"
"options:\n" "Password change options:\n"
" -a secret\told password\n" " -a secret\told password\n"
" -A\t\tprompt for old password\n" " -A\t\tprompt for old password\n"
" -s secret\tnew password\n"
" -S\t\tprompt for new password\n"
"Common options:\n"
" -d level\tdebugging level\n" " -d level\tdebugging level\n"
" -C\t\tchase referrals\n" " -C\t\tchase referrals\n"
" -D binddn\tbind DN\n" " -D binddn\tbind DN\n"
" -E\t\trequest SASL privacy (-EE to make it critical)\n"
" -h host\t\tLDAP server (default: localhost)\n" " -h host\t\tLDAP server (default: localhost)\n"
" -I\t\trequest SASL integrity checking (-II to make it\n"
" \tcritical)\n"
" -n\t\tmake no modifications\n" " -n\t\tmake no modifications\n"
" -O secprops\tSASL security properties\n" " -O secprops\tSASL security properties\n"
" -p port\t\tport on LDAP server\n" " -p port\t\tport on LDAP server\n"
" -S\t\tprompt for new password\n"
" -s secret\tnew password\n"
" -U user\t\tSASL authentication identity (username)\n" " -U user\t\tSASL authentication identity (username)\n"
" -v\t\tverbose mode\n" " -v\t\tverbose mode\n"
" -w passwd\tbind password (for simple authentication)\n" " -w passwd\tbind password (for simple authentication)\n"
@ -80,7 +79,7 @@ main( int argc, char *argv[] )
int ldapport = 0; int ldapport = 0;
int debug = 0; int debug = 0;
int version = -1; int version = -1;
int authmethod = LDAP_AUTH_SIMPLE; int authmethod = -1;
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
char *sasl_authc_id = NULL; char *sasl_authc_id = NULL;
char *sasl_authz_id = NULL; char *sasl_authz_id = NULL;
@ -102,12 +101,14 @@ main( int argc, char *argv[] )
usage (argv[0]); usage (argv[0]);
while( (i = getopt( argc, argv, while( (i = getopt( argc, argv,
"Aa:CD:d:h:nO:p:Ss:U:vWw:X:Y:Z" )) != EOF ) "Aa:Ss:" "Cd:D:h:nO:p:U:vw:WxX:Y:Z" )) != EOF )
{ {
switch (i) { switch (i) {
case 'A': /* prompt for oldr password */ /* Password Options */
case 'A': /* prompt for old password */
want_oldpw++; want_oldpw++;
break; break;
case 'a': /* old password (secret) */ case 'a': /* old password (secret) */
oldpw = strdup (optarg); oldpw = strdup (optarg);
@ -119,9 +120,27 @@ main( int argc, char *argv[] )
} }
} }
break; break;
case 'S': /* prompt for user password */
want_newpw++;
break;
case 's': /* new password (secret) */
newpw = strdup (optarg);
{
char* p;
for( p = optarg; *p == '\0'; p++ ) {
*p = '*';
}
}
break;
/* Common Options */
case 'C': case 'C':
referrals++; referrals++;
break; break;
case 'D': /* bind distinguished name */ case 'D': /* bind distinguished name */
binddn = strdup (optarg); binddn = strdup (optarg);
break; break;
@ -142,21 +161,6 @@ main( int argc, char *argv[] )
ldapport = strtol( optarg, NULL, 10 ); ldapport = strtol( optarg, NULL, 10 );
break; break;
case 'S': /* prompt for user password */
want_newpw++;
break;
case 's': /* new password (secret) */
newpw = strdup (optarg);
{
char* p;
for( p = optarg; *p == '\0'; p++ ) {
*p = '*';
}
}
break;
case 'v': /* verbose */ case 'v': /* verbose */
verbose++; verbose++;
break; break;

419
clients/tools/ldapsearch.c
View file

@ -45,29 +45,16 @@ usage( const char *s )
"\t\t1.1 -- no attributes\n" "\t\t1.1 -- no attributes\n"
"\t\t* -- all user attributes\n" "\t\t* -- all user attributes\n"
"\t\t+ -- all operational attributes\n" "\t\t+ -- all operational attributes\n"
"options:\n"
"Search options:\n"
"\t-a deref\tdereference aliases: never (default), always, search, or find\n" "\t-a deref\tdereference aliases: never (default), always, search, or find\n"
"\t-A\t\tretrieve attribute names only (no values)\n" "\t-A\t\tretrieve attribute names only (no values)\n"
"\t-b basedn\tbase dn for search\n" "\t-b basedn\tbase dn for search\n"
"\t-d level\tset LDAP debugging level to `level'\n"
"\t-D binddn\tbind DN\n"
"\t-E\t\trequest SASL privacy (-EE to make it critical)\n"
"\t-f file\t\tperform sequence of searches listed in `file'\n"
"\t-h host\t\tLDAP server\n"
"\t-I\t\trequest SASL integrity checking (-II to make it\n"
"\t\t\tcritical)\n"
"\t-k\t\tuse Kerberos authentication\n"
"\t-K\t\tlike -k, but do only step 1 of the Kerberos bind\n"
"\t-l limit\ttime limit (in seconds) for search\n" "\t-l limit\ttime limit (in seconds) for search\n"
"\t-L\t\tprint responses in LDIFv1 format\n" "\t-L\t\tprint responses in LDIFv1 format\n"
"\t-LL\t\tprint responses in LDIF format without comments\n" "\t-LL\t\tprint responses in LDIF format without comments\n"
"\t-LLL\t\tprint responses in LDIF format without comments\n" "\t-LLL\t\tprint responses in LDIF format without comments\n"
"\t\t\tand version\n" "\t\t\tand version\n"
"\t-M\t\tenable Manage DSA IT control (-MM to make critical)\n"
"\t-n\t\tshow what would be done but don't actually search\n"
"\t-O secprops\tSASL security properties\n"
"\t-p port\t\tport on LDAP server\n"
"\t-P version\tprocotol version (default: 3)\n"
"\t-s scope\tone of base, one, or sub (search scope)\n" "\t-s scope\tone of base, one, or sub (search scope)\n"
"\t-S attr\t\tsort the results by attribute `attr'\n" "\t-S attr\t\tsort the results by attribute `attr'\n"
"\t-t\t\twrite binary values to files in temporary directory\n" "\t-t\t\twrite binary values to files in temporary directory\n"
@ -75,11 +62,25 @@ usage( const char *s )
"\t-T path\t\twrite files to directory specified by path (default:\n" "\t-T path\t\twrite files to directory specified by path (default:\n"
"\t\t\t\"" LDAP_TMPDIR "\")\n" "\t\t\t\"" LDAP_TMPDIR "\")\n"
"\t-u\t\tinclude User Friendly entry names in the output\n" "\t-u\t\tinclude User Friendly entry names in the output\n"
"Common options:\n"
"\t-d level\tset LDAP debugging level to `level'\n"
"\t-D binddn\tbind DN\n"
"\t-f file\t\tread operations from `file'\n"
"\t-h host\t\tLDAP server\n"
"\t-k\t\tuse Kerberos authentication\n"
"\t-K\t\tlike -k, but do only step 1 of the Kerberos bind\n"
"\t-M\t\tenable Manage DSA IT control (-MM to make critical)\n"
"\t-n\t\tshow what would be done but don't actually search\n"
"\t-O secprops\tSASL security properties\n"
"\t-p port\t\tport on LDAP server\n"
"\t-P version\tprocotol version (default: 3)\n"
"\t-U user\t\tSASL authentication identity (username)\n" "\t-U user\t\tSASL authentication identity (username)\n"
"\t-v\t\trun in verbose mode (diagnostics to standard output)\n" "\t-v\t\trun in verbose mode (diagnostics to standard output)\n"
"\t-V prefix\tURL prefix for files (default: \"" LDAP_FILE_URI_PREFIX ")\n" "\t-V prefix\tURL prefix for files (default: \"" LDAP_FILE_URI_PREFIX ")\n"
"\t-w passwd\tbind passwd (for simple authentication)\n" "\t-w passwd\tbind passwd (for simple authentication)\n"
"\t-W\t\tprompt for bind passwd\n" "\t-W\t\tprompt for bind passwd\n"
"\t-x\t\tSimple authentication\n"
"\t-X id\t\tSASL authorization identity (\"dn:<dn>\" or \"u:<user>\")\n" "\t-X id\t\tSASL authorization identity (\"dn:<dn>\" or \"u:<user>\")\n"
"\t-Y mech\t\tSASL mechanism\n" "\t-Y mech\t\tSASL mechanism\n"
"\t-z limit\tsize limit (in entries) for search\n" "\t-z limit\tsize limit (in entries) for search\n"
@ -154,7 +155,7 @@ static int verbose, not, includeufn, vals2tmp, ldif;
int int
main( int argc, char **argv ) main( int argc, char **argv )
{ {
char *infile, *filtpattern, **attrs, line[BUFSIZ]; char *prog, *infile, *filtpattern, **attrs, line[BUFSIZ];
FILE *fp = NULL; FILE *fp = NULL;
int rc, i, first, scope, deref, attrsonly, manageDSAit; int rc, i, first, scope, deref, attrsonly, manageDSAit;
int referrals, timelimit, sizelimit, debug; int referrals, timelimit, sizelimit, debug;
@ -168,73 +169,13 @@ main( int argc, char **argv )
deref = sizelimit = timelimit = version = -1; deref = sizelimit = timelimit = version = -1;
scope = LDAP_SCOPE_SUBTREE; scope = LDAP_SCOPE_SUBTREE;
authmethod = LDAP_AUTH_SIMPLE; authmethod = -1;
while (( i = getopt( argc, argv, while (( i = getopt( argc, argv,
"Aa:b:CD:d:f:h:KkLl:MnO:P:p:RS:s:T:tU:uV:vWw:X:Y:Zz:")) != EOF ) "Aa:b:f:Ll:S:s:T:tuV:z:" "Cd:D:h:kKMnO:p:P:U:vw:WxX:Y:Z")) != EOF )
{ {
switch( i ) { switch( i ) {
case 'n': /* do nothing */ /* Search Options */
++not;
break;
case 'v': /* verbose mode */
++verbose;
break;
case 'd':
debug |= atoi( optarg );
break;
case 'k': /* use kerberos bind */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
authmethod = LDAP_AUTH_KRBV4;
#else
fprintf( stderr, "%s was not compiled with Kerberos support\n", argv[0] );
return( EXIT_FAILURE );
#endif
break;
case 'K': /* use kerberos bind, 1st part only */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
authmethod = LDAP_AUTH_KRBV41;
#else
fprintf( stderr, "%s was not compiled with Kerberos support\n", argv[0] );
return( EXIT_FAILURE );
#endif
break;
break;
case 'u': /* include UFN */
++includeufn;
break;
case 't': /* write attribute values to TMPDIR files */
++vals2tmp;
break;
case 'M':
/* enable Manage DSA IT */
manageDSAit++;
break;
case 'C':
referrals++;
break;
case 'R': /* ignore */
break;
case 'A': /* retrieve attribute names only -- no values */
++attrsonly;
break;
case 'L': /* print entries in LDIF format */
++ldif;
break;
case 's': /* search scope */
if ( strcasecmp( optarg, "base" ) == 0 ) {
scope = LDAP_SCOPE_BASE;
} else if ( strncasecmp( optarg, "one", sizeof("one")-1 ) == 0 ) {
scope = LDAP_SCOPE_ONELEVEL;
} else if ( strncasecmp( optarg, "sub", sizeof("sub")-1 ) == 0 ) {
scope = LDAP_SCOPE_SUBTREE;
} else {
fprintf( stderr, "scope should be base, one, or sub\n" );
usage( argv[ 0 ] );
}
break;
case 'a': /* set alias deref option */ case 'a': /* set alias deref option */
if ( strcasecmp( optarg, "never" ) == 0 ) { if ( strcasecmp( optarg, "never" ) == 0 ) {
deref = LDAP_DEREF_NEVER; deref = LDAP_DEREF_NEVER;
@ -249,7 +190,39 @@ main( int argc, char **argv )
usage( argv[ 0 ] ); usage( argv[ 0 ] );
} }
break; break;
case 'A': /* retrieve attribute names only -- no values */
++attrsonly;
break;
case 'f': /* input file */
infile = strdup( optarg );
break;
case 'l': /* time limit */
timelimit = atoi( optarg );
break;
case 'L': /* print entries in LDIF format */
++ldif;
break;
case 's': /* search scope */
if ( strcasecmp( optarg, "base" ) == 0 ) {
scope = LDAP_SCOPE_BASE;
} else if ( strncasecmp( optarg, "one", sizeof("one")-1 ) == 0 ) {
scope = LDAP_SCOPE_ONELEVEL;
} else if ( strncasecmp( optarg, "sub", sizeof("sub")-1 ) == 0 ) {
scope = LDAP_SCOPE_SUBTREE;
} else {
fprintf( stderr, "scope should be base, one, or sub\n" );
usage( argv[ 0 ] );
}
break;
case 'S': /* sort attribute */
sortattr = strdup( optarg );
break;
case 'u': /* include UFN */
++includeufn;
break;
case 't': /* write attribute values to TMPDIR files */
++vals2tmp;
break;
case 'T': /* tmpdir */ case 'T': /* tmpdir */
if( tmpdir ) free( tmpdir ); if( tmpdir ) free( tmpdir );
tmpdir = strdup( optarg ); tmpdir = strdup( optarg );
@ -258,23 +231,152 @@ main( int argc, char **argv )
if( urlpre ) free( urlpre ); if( urlpre ) free( urlpre );
urlpre = strdup( optarg ); urlpre = strdup( optarg );
break; break;
case 'f': /* input file */ case 'z': /* size limit */
infile = strdup( optarg ); sizelimit = atoi( optarg );
break; break;
case 'h': /* ldap host */
ldaphost = strdup( optarg ); /* Common Options */
break; case 'C':
case 'b': /* search base */ referrals++;
base = strdup( optarg );
break; break;
case 'd':
debug |= atoi( optarg );
break;
case 'D': /* bind DN */ case 'D': /* bind DN */
binddn = strdup( optarg ); binddn = strdup( optarg );
break;
case 'h': /* ldap host */
ldaphost = strdup( optarg );
break;
case 'k': /* kerberos bind */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
if( version > LDAP_VERSION2 ) {
fprintf( stderr, "%s: -k incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 ) {
fprintf( stderr, "%s: -k incompatible with previous "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_KRBV4;
#else
fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
return EXIT_FAILURE;
#endif
break;
case 'K': /* kerberos bind, part one only */
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
if( version > LDAP_VERSION2 ) {
fprintf( stderr, "%s: -k incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 ) {
fprintf( stderr, "%s: incompatible with previous "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_KRBV41;
#else
fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
return( EXIT_FAILURE );
#endif
break;
case 'M':
/* enable Manage DSA IT */
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -M incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
manageDSAit++;
version = LDAP_VERSION3;
break; break;
case 'p': /* ldap port */ case 'n': /* print deletes, don't actually do them */
ldapport = atoi( optarg ); ++not;
break;
case 'O':
#ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s -O incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
#else
fprintf( stderr, "%s: not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
break; break;
case 'w': /* bind password */ case 'p':
passwd.bv_val = strdup( optarg ); ldapport = atoi( optarg );
break;
case 'P':
switch( atoi(optarg) ) {
case 2:
if( version == LDAP_VERSION3 ) {
fprintf( stderr, "%s: -P 2 incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
version = LDAP_VERSION2;
break;
case 3:
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -P 2 incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
break;
default:
fprintf( stderr, "%s: protocol version should be 2 or 3\n",
prog );
usage( prog );
return( EXIT_FAILURE );
} break;
case 'U':
#ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -U incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible previous "
"authentication choice\n",
prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_authc_id = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
return( EXIT_FAILURE );
#endif
break;
case 'v': /* verbose mode */
verbose++;
break;
case 'w': /* password */
passwd.bv_val = strdup( optarg );
{ {
char* p; char* p;
@ -283,81 +385,73 @@ main( int argc, char **argv )
} }
} }
passwd.bv_len = strlen( passwd.bv_val ); passwd.bv_len = strlen( passwd.bv_val );
break; break;
case 'l': /* time limit */
timelimit = atoi( optarg );
break;
case 'z': /* size limit */
sizelimit = atoi( optarg );
break;
case 'S': /* sort attribute */
sortattr = strdup( optarg );
break;
case 'W': case 'W':
want_bindpw++; want_bindpw++;
break; break;
case 'P':
switch( atoi( optarg ) )
{
case 2:
version = LDAP_VERSION2;
break;
case 3:
version = LDAP_VERSION3;
break;
default:
fprintf( stderr, "protocol version should be 2 or 3\n" );
usage( argv[0] );
}
break;
case 'O':
#ifdef HAVE_CYRUS_SASL
sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s was not compiled with SASL support\n",
argv[0] );
return( EXIT_FAILURE );
#endif
break;
case 'Y': case 'Y':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if ( strcasecmp( optarg, "any" ) && strcmp( optarg, "*" ) ) { if( version == LDAP_VERSION2 ) {
sasl_mech = strdup( optarg ); fprintf( stderr, "%s: -Y incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
} }
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: incompatible with authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
#else #else
fprintf( stderr, "%s was not compiled with SASL support\n", fprintf( stderr, "%s: was not compiled with SASL support\n",
argv[0] ); prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
case 'U': case 'x':
#ifdef HAVE_CYRUS_SASL if( authmethod != -1 && authmethod != LDAP_AUTH_SIMPLE ) {
sasl_authc_id = strdup( optarg ); fprintf( stderr, "%s: incompatible with previous "
authmethod = LDAP_AUTH_SASL; "authentication choice\n", prog );
#else return EXIT_FAILURE;
fprintf( stderr, "%s was not compiled with SASL support\n", }
argv[0] ); authmethod = LDAP_AUTH_SIMPLE;
return( EXIT_FAILURE );
#endif
break; break;
case 'X': case 'X':
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
fprintf( stderr, "%s: -X incompatible with "
"authentication choice\n", prog );
return EXIT_FAILURE;
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
sasl_authz_id = strdup( optarg ); sasl_authz_id = strdup( optarg );
authmethod = LDAP_AUTH_SASL; authmethod = LDAP_AUTH_SASL;
#else #else
fprintf( stderr, "%s was not compiled with SASL support\n", fprintf( stderr, "%s: not compiled with SASL support\n",
argv[0] ); prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
case 'Z': case 'Z':
#ifdef HAVE_TLS #ifdef HAVE_TLS
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s -Z incompatible with version %d\n",
prog, version );
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
use_tls++; use_tls++;
#else #else
fprintf( stderr, "%s was not compiled with TLS support\n", fprintf( stderr, "%s: not compiled with TLS support\n",
argv[0] ); prog );
return( EXIT_FAILURE ); return( EXIT_FAILURE );
#endif #endif
break; break;
@ -366,39 +460,16 @@ main( int argc, char **argv )
} }
} }
if ( ( authmethod == LDAP_AUTH_KRBV4 ) || ( authmethod == if (version == -1) {
LDAP_AUTH_KRBV41 ) ) {
if( version > LDAP_VERSION2 ) {
fprintf( stderr, "Kerberos requires LDAPv2\n" );
return( EXIT_FAILURE );
}
version = LDAP_VERSION2;
}
else if ( authmethod == LDAP_AUTH_SASL ) {
if( version != -1 && version != LDAP_VERSION3 ) {
fprintf( stderr, "SASL requires LDAPv3\n" );
return( EXIT_FAILURE );
}
version = LDAP_VERSION3; version = LDAP_VERSION3;
} }
if (authmethod == -1 && version > LDAP_VERSION2) {
if( manageDSAit ) { authmethod = LDAP_AUTH_SASL;
if( version != -1 && version != LDAP_VERSION3 ) {
fprintf(stderr, "manage DSA control requires LDAPv3\n");
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
} }
if( use_tls ) { if (( argc - optind < 1 ) ||
if( version != -1 && version != LDAP_VERSION3 ) { ( strchr( argv[optind], '=' ) == NULL ) )
fprintf(stderr, "Start TLS requires LDAPv3\n"); {
return EXIT_FAILURE;
}
version = LDAP_VERSION3;
}
if ( argc - optind < 1 ) {
filtpattern = "(objectclass=*)"; filtpattern = "(objectclass=*)";
} else { } else {
filtpattern = strdup( argv[optind++] ); filtpattern = strdup( argv[optind++] );
@ -522,8 +593,6 @@ main( int argc, char **argv )
if ( authmethod == LDAP_AUTH_SASL ) { if ( authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
ldap_set_sasl_interact_proc( ld, lutil_sasl_interact );
if( sasl_secprops != NULL ) { if( sasl_secprops != NULL ) {
rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS, rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
(void *) sasl_secprops ); (void *) sasl_secprops );
@ -537,7 +606,7 @@ main( int argc, char **argv )
} }
rc = ldap_sasl_interactive_bind_s( ld, binddn, rc = ldap_sasl_interactive_bind_s( ld, binddn,
sasl_mech, NULL, NULL ); sasl_mech, NULL, NULL, lutil_sasl_interact );
if( rc != LDAP_SUCCESS ) { if( rc != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_sasl_interactive_bind_s" ); ldap_perror( ld, "ldap_sasl_interactive_bind_s" );

21
doc/devel/args
View file

@ -1,9 +1,9 @@
Tools ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz Tools ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
ldapdelete CD K M OP * U WXYZ cd f h k n p vw ldapdelete CD K M OP * U WXYZ cd f h k n p vwx
ldapmodify CD F K M OP * U WXYZabcd f h k n p r t vw ldapmodify CD F K M OP * U WXYZabcd f h k n p r t vwx
ldapmodrdn CD K M OP * U WXYZ cd f h k n p rs vw ldapmodrdn CD K M OP * U WXYZ cd f h k n p rs vwx
ldappasswd A CD O *S U WXYZa d h s vw ldappasswd A CD O *S U WXYZa d h s vwx
ldapsearch A CD KLM OP *STUVWXYZab*d f h kl n p stuvw z ldapsearch A CD KLM OP *STUVWXYZab*d f h kl n p stuvwx z
Other Clients ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz Other Clients ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
fax500 f h m fax500 f h m
@ -17,30 +17,31 @@ ud D V cd f l p s uv
* reserved * reserved
EGHIJNOegijmoqxy EGHIJNOegijmoqy
* General flags: * General flags:
-C Chase Referrals -C Chase Referrals
-D bind DN -D Bind DN
-P protocol version -P protocol version
-R old don't chase referrals -R deprecated (don't chase referrals)
-W prompt for bind password -W prompt for bind password
-d debug -d debug
-h host -h host
-n no-op -n no-op
-p port -p port
-v verbose -v verbose
-w bind password -w Bind password
-x simple bind
* LDAPv3 Only * LDAPv3 Only
-M ManageDSAIT -M ManageDSAIT
-Z StartTLS -Z StartTLS
-Y SASL Mechanism
-O SASL Security Options -O SASL Security Options
-U SASL Authentication Identity (username) -U SASL Authentication Identity (username)
-X SASL Authorization Identity -X SASL Authorization Identity
-Y SASL Mechanism
* LDAPv2+ Only * LDAPv2+ Only
-K LDAPv2 Kerberos Bind (Step 1 only) (depecated) -K LDAPv2 Kerberos Bind (Step 1 only) (depecated)

18
include/ldap.h
View file

@ -562,16 +562,6 @@ ldap_set_rebind_proc LDAP_P((
LDAP *ld, LDAP *ld,
LDAP_REBIND_PROC *ldap_proc)); LDAP_REBIND_PROC *ldap_proc));
/* V3 SASL Interaction Function Callback Prototype */
/* when using Cyrus SASL, interact is pointer to sasl_interact_t */
typedef int (LDAP_SASL_INTERACT_PROC) LDAP_P((
LDAP *ld, void *interact ));
LDAP_F( int )
ldap_set_sasl_interact_proc LDAP_P((
LDAP *ld,
LDAP_SASL_INTERACT_PROC *ldap_proc));
/* /*
* in controls.c: * in controls.c:
*/ */
@ -702,13 +692,19 @@ ldap_sasl_bind LDAP_P((
LDAPControl **clientctrls, LDAPControl **clientctrls,
int *msgidp )); int *msgidp ));
/* V3 SASL Interaction Function Callback Prototype */
/* when using Cyrus SASL, interact is pointer to sasl_interact_t */
typedef int (LDAP_SASL_INTERACT_PROC) LDAP_P((
LDAP *ld, void *interact ));
LDAP_F( int ) LDAP_F( int )
ldap_sasl_interactive_bind_s LDAP_P(( ldap_sasl_interactive_bind_s LDAP_P((
LDAP *ld, LDAP *ld,
LDAP_CONST char *dn, /* usually NULL */ LDAP_CONST char *dn, /* usually NULL */
LDAP_CONST char *saslMechanism, LDAP_CONST char *saslMechanism,
LDAPControl **serverControls, LDAPControl **serverControls,
LDAPControl **clientControls )); LDAPControl **clientControls,
LDAP_SASL_INTERACT_PROC *proc ));
LDAP_F( int ) LDAP_F( int )
ldap_sasl_bind_s LDAP_P(( ldap_sasl_bind_s LDAP_P((

11
libraries/libldap/cyrus.c
View file

@ -454,7 +454,8 @@ ldap_int_sasl_bind(
const char *dn, const char *dn,
const char *mechs, const char *mechs,
LDAPControl **sctrls, LDAPControl **sctrls,
LDAPControl **cctrls ) LDAPControl **cctrls,
LDAP_SASL_INTERACT_PROC *interact )
{ {
char *data; char *data;
const char *mech = NULL; const char *mech = NULL;
@ -523,8 +524,8 @@ ldap_int_sasl_bind(
} }
if( saslrc == SASL_INTERACT ) { if( saslrc == SASL_INTERACT ) {
if( !ld->ld_options.ldo_sasl_interact ) break; if( !interact ) break;
rc = (ld->ld_options.ldo_sasl_interact)( ld, prompts ); rc = (interact)( ld, prompts );
if( rc != LDAP_SUCCESS ) { if( rc != LDAP_SUCCESS ) {
break; break;
} }
@ -572,8 +573,8 @@ ldap_int_sasl_bind(
if( saslrc == SASL_INTERACT ) { if( saslrc == SASL_INTERACT ) {
int res; int res;
if( !ld->ld_options.ldo_sasl_interact ) break; if( !interact ) break;
res = (ld->ld_options.ldo_sasl_interact)( ld, prompts ); res = (interact)( ld, prompts );
if( res != LDAP_SUCCESS ) { if( res != LDAP_SUCCESS ) {
break; break;
} }

4
libraries/libldap/ldap-int.h
View file

@ -148,7 +148,6 @@ struct ldapoptions {
#endif #endif
#ifdef HAVE_CYRUS_SASL #ifdef HAVE_CYRUS_SASL
struct sasl_security_properties ldo_sasl_secprops; struct sasl_security_properties ldo_sasl_secprops;
LDAP_SASL_INTERACT_PROC *ldo_sasl_interact;
#endif #endif
LDAP_BOOLEANS ldo_booleans; /* boolean options */ LDAP_BOOLEANS ldo_booleans; /* boolean options */
}; };
@ -547,7 +546,8 @@ LDAP_F (int) ldap_int_sasl_config LDAP_P(( struct ldapoptions *lo,
LDAP_F (int) ldap_int_sasl_bind LDAP_P(( LDAP_F (int) ldap_int_sasl_bind LDAP_P((
struct ldap *, LDAP_CONST char *, struct ldap *, LDAP_CONST char *,
const char *, LDAPControl **, LDAPControl ** )); const char *, LDAPControl **, LDAPControl **,
LDAP_SASL_INTERACT_PROC *interact ));
/* /*
* in tls.c * in tls.c

11
libraries/libldap/options.c
View file

@ -596,14 +596,3 @@ ldap_set_rebind_proc( LDAP *ld, LDAP_REBIND_PROC *rebind_proc)
{ {
return( ldap_set_option( ld, LDAP_OPT_REBIND_PROC, (void *)rebind_proc)); return( ldap_set_option( ld, LDAP_OPT_REBIND_PROC, (void *)rebind_proc));
} }
int
ldap_set_sasl_interact_proc( LDAP *ld, LDAP_SASL_INTERACT_PROC *proc)
{
#ifdef HAVE_CYRUS_SASL
ld->ld_options.ldo_sasl_interact = proc;
return LDAP_OPT_SUCCESS;
#else
return LDAP_OPT_ERROR;
#endif
}

5
libraries/libldap/sasl.c
View file

@ -409,7 +409,8 @@ ldap_sasl_interactive_bind_s(
LDAP_CONST char *dn, /* usually NULL */ LDAP_CONST char *dn, /* usually NULL */
LDAP_CONST char *mechs, LDAP_CONST char *mechs,
LDAPControl **serverControls, LDAPControl **serverControls,
LDAPControl **clientControls) LDAPControl **clientControls,
LDAP_SASL_INTERACT_PROC *interact )
{ {
int rc; int rc;
@ -435,7 +436,7 @@ ldap_sasl_interactive_bind_s(
} }
rc = ldap_int_sasl_bind( ld, dn, mechs, rc = ldap_int_sasl_bind( ld, dn, mechs,
serverControls, clientControls ); serverControls, clientControls, interact );
return rc; return rc;
} }

1
servers/slapd/sasl.c
View file

@ -377,6 +377,7 @@ int slap_sasl_close( Connection *conn )
free( conn->c_sasl_extra ); free( conn->c_sasl_extra );
conn->c_sasl_extra = NULL; conn->c_sasl_extra = NULL;
#endif #endif
return LDAP_SUCCESS; return LDAP_SUCCESS;
} }

32
servers/slapd/slap.h
View file

@ -976,6 +976,23 @@ struct slap_backend_info {
void *bi_private; /* anything the backend type needs */ void *bi_private; /* anything the backend type needs */
}; };
typedef struct slap_authz_info {
unsigned sai_ssf; /* Security Strength Factor */
ber_tag_t sai_method; /* LDAP_AUTH_* from <ldap.h> */
char * sai_mech; /* SASL Mechanism */
char * sai_dn; /* DN for reporting purposes */
char * sai_ndn; /* Normalized DN */
} AuthorizationInformation;
#define c_authtype c_authz.sai_method
#define c_authmech c_authz.sai_mech
#define c_dn c_authz.sai_dn
#define o_authtype o_authz.sai_method
#define o_authmech o_authz.sai_mech
#define o_dn o_authz.sai_dn
#define o_ndn o_authz.sai_ndn
/* /*
* represents an operation pending from an ldap client * represents an operation pending from an ldap client
*/ */
@ -983,21 +1000,16 @@ typedef struct slap_op {
ber_int_t o_opid; /* id of this operation */ ber_int_t o_opid; /* id of this operation */
ber_int_t o_msgid; /* msgid of the request */ ber_int_t o_msgid; /* msgid of the request */
ldap_pvt_thread_t o_tid; /* thread handling this op */ ldap_pvt_thread_t o_tid; /* thread handling this op */
BerElement *o_ber; /* ber of the request */ BerElement *o_ber; /* ber of the request */
ber_tag_t o_tag; /* tag of the request */ ber_tag_t o_tag; /* tag of the request */
time_t o_time; /* time op was initiated */ time_t o_time; /* time op was initiated */
char *o_dn; /* dn bound when op was initiated */ AuthorizationInformation o_authz;
char *o_ndn; /* normalized dn bound when op was initiated */
ber_int_t o_protocol; /* version of the LDAP protocol used by client */ ber_int_t o_protocol; /* version of the LDAP protocol used by client */
ber_tag_t o_authtype; /* auth method used to bind dn */
/* values taken from ldap.h */
/* LDAP_AUTH_* */
char *o_authmech; /* SASL mechanism used to bind dn */
LDAPControl **o_ctrls; /* controls */ LDAPControl **o_ctrls; /* controls */
@ -1039,6 +1051,7 @@ typedef struct slap_conn {
/* only can be changed by binding thread */ /* only can be changed by binding thread */
int c_sasl_bind_in_progress; /* multi-op bind in progress */ int c_sasl_bind_in_progress; /* multi-op bind in progress */
char *c_sasl_bind_mech; /* mech in progress */ char *c_sasl_bind_mech; /* mech in progress */
char *c_cdn;
/* authentication backend */ /* authentication backend */
Backend *c_authc_backend; Backend *c_authc_backend;
@ -1046,12 +1059,9 @@ typedef struct slap_conn {
/* authorization backend - normally same as c_authc_backend */ /* authorization backend - normally same as c_authc_backend */
Backend *c_authz_backend; Backend *c_authz_backend;
char *c_cdn; /* DN provided by the client */ AuthorizationInformation c_authz;
char *c_dn; /* DN bound to this conn */
ber_int_t c_protocol; /* version of the LDAP protocol used by client */ ber_int_t c_protocol; /* version of the LDAP protocol used by client */
ber_tag_t c_authtype;/* auth method used to bind c_dn */
char *c_authmech; /* SASL mechanism used to bind c_dn */
Operation *c_ops; /* list of operations being processed */ Operation *c_ops; /* list of operations being processed */
Operation *c_pending_ops; /* list of pending operations */ Operation *c_pending_ops; /* list of pending operations */