diff options
Diffstat (limited to 'src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c')
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c | 195 |
1 files changed, 195 insertions, 0 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c new file mode 100644 index 000000000000..16f9dccd55a9 --- /dev/null +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_err.c @@ -0,0 +1,195 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +#include <ldap.h> +#include <errno.h> +#include <krb5.h> +#include "ldap_err.h" +#ifndef LDAP_X_ERROR +#define LDAP_X_ERROR(x) (0) +#endif + +#ifndef LDAP_NAME_ERROR +#ifdef NAME_ERROR +#define LDAP_NAME_ERROR NAME_ERROR +#else +#define LDAP_NAME_ERROR(x) (0) +#endif +#endif + +#ifndef LDAP_SECURITY_ERROR +#define LDAP_SECURITY_ERROR(x) (0) +#endif + +#ifndef LDAP_SERVICE_ERROR +#define LDAP_SERVICE_ERROR(x) (0) +#endif + +#ifndef LDAP_API_ERROR +#define LDAP_API_ERROR(x) (0) +#endif + +#ifndef LDAP_UPDATE_ERROR +#define LDAP_UPDATE_ERROR(x) (0) +#endif + +/* + * The possible KDB errors are + * 1. KRB5_KDB_UK_RERROR + * 2. KRB5_KDB_UK_SERROR + * 3. KRB5_KDB_NOENTRY + * 4. KRB5_KDB_TRUNCATED_RECORD + * 5. KRB5_KDB_UNAUTH + * 6. KRB5_KDB_DB_CORRUPT + * 7. KRB5_KDB_ACCESS_ERROR (NEW) + * 8. KRB5_KDB_INTERNAL_ERROR (NEW) + * 9. KRB5_KDB_SERVER_INTERNAL_ERR (NEW) + * 10. KRB5_KDB_CONSTRAINT_VIOLATION (NEW) + * + */ + +/* + * op : + * 0 => not specified + * OP_INIT => ldap_init + * OP_BIND => ldap_bind + * OP_UNBIND => ldap_unbind + * OP_ADD => ldap_add + * OP_MOD => ldap_modify + * OP_DEL => ldap_delete + * OP_SEARCH => ldap_search + * OP_CMP => ldap_compare + * OP_ABANDON => ldap_abandon + */ + +int +translate_ldap_error(int err, int op) { + + switch (err) { + case LDAP_SUCCESS: + return 0; + + case LDAP_OPERATIONS_ERROR: + /* LDAP_OPERATIONS_ERROR: Indicates an internal error. The server is + * unable to respond with a more specific error and is also unable + * to properly respond to a request */ + case LDAP_UNAVAILABLE_CRITICAL_EXTENSION: + /* LDAP server was unable to satisfy a request because one or more + * critical extensions were not available */ + /* This might mean that the schema was not extended ... */ + case LDAP_UNDEFINED_TYPE: + /* The attribute specified in the modify or add operation does not + * exist in the LDAP server's schema. */ + return KRB5_KDB_INTERNAL_ERROR; + + + case LDAP_INAPPROPRIATE_MATCHING: + /* The matching rule specified in the search filter does not match a + * rule defined for the attribute's syntax */ + return KRB5_KDB_UK_RERROR; + + case LDAP_CONSTRAINT_VIOLATION: + /* The attribute value specified in a modify, add, or modify DN + * operation violates constraints placed on the attribute */ + case LDAP_TYPE_OR_VALUE_EXISTS: + /* The attribute value specified in a modify or add operation + * already exists as a value for that attribute */ + return KRB5_KDB_UK_SERROR; + + case LDAP_INVALID_SYNTAX: + /* The attribute value specified in an add, compare, or modify + * operation is an unrecognized or invalid syntax for the attribute */ + if (op == OP_ADD || op == OP_MOD) + return KRB5_KDB_UK_SERROR; + else /* OP_CMP */ + return KRB5_KDB_UK_RERROR; + + /* Ensure that the following don't occur in the DAL-LDAP code. + * Don't rely on the LDAP server to catch it */ + case LDAP_SASL_BIND_IN_PROGRESS: + /* This is not an error. So, this function should not be called */ + case LDAP_COMPARE_FALSE: + case LDAP_COMPARE_TRUE: + /* LDAP_COMPARE_FALSE and LDAP_COMPARE_TRUE are not errors. This + * function should not be invoked for them */ + case LDAP_RESULTS_TOO_LARGE: /* CLDAP */ + case LDAP_TIMELIMIT_EXCEEDED: + case LDAP_SIZELIMIT_EXCEEDED: + return KRB5_KDB_SERVER_INTERNAL_ERR; + + case LDAP_INVALID_DN_SYNTAX: + /* The syntax of the DN is incorrect */ + return EINVAL; + + case LDAP_PROTOCOL_ERROR: + /* LDAP_PROTOCOL_ERROR: Indicates that the server has received an + * invalid or malformed request from the client */ + case LDAP_CONFIDENTIALITY_REQUIRED: + + /* Bind problems ... */ + case LDAP_AUTH_METHOD_NOT_SUPPORTED: +/* case LDAP_STRONG_AUTH_NOT_SUPPORTED: // Is this a bind error ? */ + case LDAP_INAPPROPRIATE_AUTH: + case LDAP_INVALID_CREDENTIALS: + case LDAP_UNAVAILABLE: + return KRB5_KDB_ACCESS_ERROR; + + case LDAP_STRONG_AUTH_REQUIRED: + if (op == OP_BIND) /* the LDAP server accepts only strong authentication. */ + return KRB5_KDB_ACCESS_ERROR; + else /* Client requested an operation such that requires strong authentication */ + return KRB5_KDB_CONSTRAINT_VIOLATION; + + case LDAP_REFERRAL: + return KRB5_KDB_NOENTRY; + + case LDAP_ADMINLIMIT_EXCEEDED: + /* An LDAP server limit set by an administrative authority has been + * exceeded */ + return KRB5_KDB_CONSTRAINT_VIOLATION; + case LDAP_UNWILLING_TO_PERFORM: + /* The LDAP server cannot process the request because of + * server-defined restrictions */ + return KRB5_KDB_CONSTRAINT_VIOLATION; + + + case LDAP_NO_SUCH_ATTRIBUTE: + /* Indicates that the attribute specified in the modify or compare + * operation does not exist in the entry */ + if (op == OP_MOD) + return KRB5_KDB_UK_SERROR; + else /* OP_CMP */ + return KRB5_KDB_TRUNCATED_RECORD; + + + case LDAP_ALIAS_DEREF_PROBLEM: + /* Either the client does not have access rights to read the aliased + * object's name or dereferencing is not allowed */ +#ifdef LDAP_PROXY_AUTHZ_FAILURE + case LDAP_PROXY_AUTHZ_FAILURE: // Is this correct ? +#endif + case LDAP_INSUFFICIENT_ACCESS: + /* Caller does not have sufficient rights to perform the requested + * operation */ + return KRB5_KDB_UNAUTH; + + case LDAP_LOOP_DETECT: + /* Client discovered an alias or referral loop */ + return KRB5_KDB_DB_CORRUPT; + + default: + + if (LDAP_NAME_ERROR (err)) + return KRB5_KDB_NOENTRY; + + if (LDAP_SECURITY_ERROR (err)) + return KRB5_KDB_UNAUTH; + + if (LDAP_SERVICE_ERROR (err) || LDAP_API_ERROR (err) || LDAP_X_ERROR (err)) + return KRB5_KDB_ACCESS_ERROR; + + if (LDAP_UPDATE_ERROR(err)) + return KRB5_KDB_UK_SERROR; + + /* LDAP_OTHER */ + return KRB5_KDB_SERVER_INTERNAL_ERR; + } +} |