vendor/krb5/1.15.1

1 files changed, 195 insertions, 0 deletions

diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c
new file mode 100644
index 000000000000..16f9dccd55a9
--- /dev/null
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c
@@ -0,0 +1,195 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+#include <ldap.h>
+#include <errno.h>
+#include <krb5.h>
+#include "ldap_err.h"
+#ifndef LDAP_X_ERROR
+#define LDAP_X_ERROR(x) (0)
+#endif
+
+#ifndef LDAP_NAME_ERROR
+#ifdef NAME_ERROR
+#define LDAP_NAME_ERROR NAME_ERROR
+#else
+#define LDAP_NAME_ERROR(x) (0)
+#endif
+#endif
+
+#ifndef LDAP_SECURITY_ERROR
+#define LDAP_SECURITY_ERROR(x) (0)
+#endif
+
+#ifndef LDAP_SERVICE_ERROR
+#define LDAP_SERVICE_ERROR(x) (0)
+#endif
+
+#ifndef LDAP_API_ERROR
+#define LDAP_API_ERROR(x) (0)
+#endif
+
+#ifndef LDAP_UPDATE_ERROR
+#define LDAP_UPDATE_ERROR(x) (0)
+#endif
+
+/*
+ * The possible KDB errors are
+ * 1. KRB5_KDB_UK_RERROR
+ * 2. KRB5_KDB_UK_SERROR
+ * 3. KRB5_KDB_NOENTRY
+ * 4. KRB5_KDB_TRUNCATED_RECORD
+ * 5. KRB5_KDB_UNAUTH
+ * 6. KRB5_KDB_DB_CORRUPT
+ * 7. KRB5_KDB_ACCESS_ERROR             (NEW)
+ * 8. KRB5_KDB_INTERNAL_ERROR           (NEW)
+ * 9. KRB5_KDB_SERVER_INTERNAL_ERR      (NEW)
+ * 10. KRB5_KDB_CONSTRAINT_VIOLATION    (NEW)
+ *
+ */
+
+/*
+ * op :
+ *  0          => not specified
+ *  OP_INIT    => ldap_init
+ *  OP_BIND    => ldap_bind
+ *  OP_UNBIND  => ldap_unbind
+ *  OP_ADD     => ldap_add
+ *  OP_MOD     => ldap_modify
+ *  OP_DEL     => ldap_delete
+ *  OP_SEARCH  => ldap_search
+ *  OP_CMP     => ldap_compare
+ *  OP_ABANDON => ldap_abandon
+ */
+
+int
+translate_ldap_error(int err, int op) {
+
+    switch (err) {
+    case LDAP_SUCCESS:
+        return 0;
+
+    case LDAP_OPERATIONS_ERROR:
+        /* LDAP_OPERATIONS_ERROR: Indicates an internal error. The server is
+         * unable to respond with a more specific error and is also unable
+         * to properly respond to a request */
+    case LDAP_UNAVAILABLE_CRITICAL_EXTENSION:
+        /* LDAP server was unable to satisfy a request because one or more
+         * critical extensions were not available */
+        /* This might mean that the schema was not extended ... */
+    case LDAP_UNDEFINED_TYPE:
+        /* The attribute specified in the modify or add operation does not
+         * exist in the LDAP server's schema. */
+        return KRB5_KDB_INTERNAL_ERROR;
+
+
+    case LDAP_INAPPROPRIATE_MATCHING:
+        /* The matching rule specified in the search filter does not match a
+         * rule defined for the attribute's syntax */
+        return KRB5_KDB_UK_RERROR;
+
+    case LDAP_CONSTRAINT_VIOLATION:
+        /* The attribute value specified in a modify, add, or modify DN
+         * operation violates constraints placed on the attribute */
+    case LDAP_TYPE_OR_VALUE_EXISTS:
+        /* The attribute value specified in a modify or add operation
+         * already exists as a value for that attribute */
+        return KRB5_KDB_UK_SERROR;
+
+    case LDAP_INVALID_SYNTAX:
+        /* The attribute value specified in an add, compare, or modify
+         * operation is an unrecognized or invalid syntax for the attribute */
+        if (op == OP_ADD || op == OP_MOD)
+            return KRB5_KDB_UK_SERROR;
+        else /* OP_CMP */
+            return KRB5_KDB_UK_RERROR;
+
+        /* Ensure that the following don't occur in the DAL-LDAP code.
+         * Don't rely on the LDAP server to catch it */
+    case LDAP_SASL_BIND_IN_PROGRESS:
+        /* This is not an error. So, this function should not be called */
+    case LDAP_COMPARE_FALSE:
+    case LDAP_COMPARE_TRUE:
+        /* LDAP_COMPARE_FALSE and LDAP_COMPARE_TRUE are not errors. This
+         * function should not be invoked for them */
+    case LDAP_RESULTS_TOO_LARGE: /* CLDAP */
+    case LDAP_TIMELIMIT_EXCEEDED:
+    case LDAP_SIZELIMIT_EXCEEDED:
+        return KRB5_KDB_SERVER_INTERNAL_ERR;
+
+    case LDAP_INVALID_DN_SYNTAX:
+        /* The syntax of the DN is incorrect */
+        return EINVAL;
+
+    case LDAP_PROTOCOL_ERROR:
+        /* LDAP_PROTOCOL_ERROR: Indicates that the server has received an
+         * invalid or malformed request from the client */
+    case LDAP_CONFIDENTIALITY_REQUIRED:
+
+        /* Bind problems ... */
+    case LDAP_AUTH_METHOD_NOT_SUPPORTED:
+/*      case LDAP_STRONG_AUTH_NOT_SUPPORTED: // Is this a bind error ? */
+    case LDAP_INAPPROPRIATE_AUTH:
+    case LDAP_INVALID_CREDENTIALS:
+    case LDAP_UNAVAILABLE:
+        return KRB5_KDB_ACCESS_ERROR;
+
+    case LDAP_STRONG_AUTH_REQUIRED:
+        if (op == OP_BIND) /* the LDAP server accepts only strong authentication. */
+            return KRB5_KDB_ACCESS_ERROR;
+        else /* Client requested an operation such that requires strong authentication */
+            return KRB5_KDB_CONSTRAINT_VIOLATION;
+
+    case LDAP_REFERRAL:
+        return KRB5_KDB_NOENTRY;
+
+    case LDAP_ADMINLIMIT_EXCEEDED:
+        /* An LDAP server limit set by an administrative authority has been
+         * exceeded */
+        return KRB5_KDB_CONSTRAINT_VIOLATION;
+    case LDAP_UNWILLING_TO_PERFORM:
+        /* The LDAP server cannot process the request because of
+         * server-defined restrictions */
+        return KRB5_KDB_CONSTRAINT_VIOLATION;
+
+
+    case LDAP_NO_SUCH_ATTRIBUTE:
+        /* Indicates that the attribute specified in the modify or compare
+         * operation does not exist in the entry */
+        if (op == OP_MOD)
+            return KRB5_KDB_UK_SERROR;
+        else /* OP_CMP */
+            return KRB5_KDB_TRUNCATED_RECORD;
+
+
+    case LDAP_ALIAS_DEREF_PROBLEM:
+        /* Either the client does not have access rights to read the aliased
+         * object's name or dereferencing is not allowed */
+#ifdef LDAP_PROXY_AUTHZ_FAILURE
+    case LDAP_PROXY_AUTHZ_FAILURE: // Is this correct ?
+#endif
+    case LDAP_INSUFFICIENT_ACCESS:
+        /* Caller does not have sufficient rights to perform the requested
+         * operation */
+        return KRB5_KDB_UNAUTH;
+
+    case LDAP_LOOP_DETECT:
+        /* Client discovered an alias or referral loop */
+        return KRB5_KDB_DB_CORRUPT;
+
+    default:
+
+        if (LDAP_NAME_ERROR (err))
+            return KRB5_KDB_NOENTRY;
+
+        if (LDAP_SECURITY_ERROR (err))
+            return KRB5_KDB_UNAUTH;
+
+        if (LDAP_SERVICE_ERROR (err) || LDAP_API_ERROR (err) || LDAP_X_ERROR (err))
+            return KRB5_KDB_ACCESS_ERROR;
+
+        if (LDAP_UPDATE_ERROR(err))
+            return KRB5_KDB_UK_SERROR;
+
+        /* LDAP_OTHER */
+        return KRB5_KDB_SERVER_INTERNAL_ERR;
+    }
+}