1 /*-------------------------------------------------------------------------
4 * Routines to handle network authentication
6 * Portions Copyright (c) 1996-2007, PostgreSQL Global Development Group
7 * Portions Copyright (c) 1994, Regents of the University of California
11 * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.152 2007/07/12 14:43:20 mha Exp $
13 *-------------------------------------------------------------------------
18 #include <sys/param.h>
19 #include <sys/socket.h>
20 #if defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || defined(HAVE_STRUCT_SOCKCRED)
22 #include <sys/ucred.h>
24 #include <netinet/in.h>
25 #include <arpa/inet.h>
28 #include "libpq/auth.h"
29 #include "libpq/crypt.h"
31 #include "libpq/libpq.h"
32 #include "libpq/pqformat.h"
33 #include "storage/ipc.h"
36 static void sendAuthRequest(Port *port, AuthRequest areq);
37 static void auth_failed(Port *port, int status);
38 static char *recv_password_packet(Port *port);
39 static int recv_and_check_password_packet(Port *port);
41 char *pg_krb_server_keyfile;
43 bool pg_krb_caseins_users;
44 char *pg_krb_server_hostname = NULL;
47 #ifdef HAVE_PAM_PAM_APPL_H
48 #include <pam/pam_appl.h>
50 #ifdef HAVE_SECURITY_PAM_APPL_H
51 #include <security/pam_appl.h>
54 #define PGSQL_PAM_SERVICE "postgresql" /* Service name passed to PAM */
56 static int CheckPAMAuth(Port *port, char *user, char *password);
57 static int pam_passwd_conv_proc(int num_msg, const struct pam_message ** msg,
58 struct pam_response ** resp, void *appdata_ptr);
60 static struct pam_conv pam_passw_conv = {
61 &pam_passwd_conv_proc,
65 static char *pam_passwd = NULL; /* Workaround for Solaris 2.6 brokenness */
66 static Port *pam_port_cludge; /* Workaround for passing "Port *port" into
67 * pam_passwd_conv_proc */
72 /* We use a deprecated function to keep the codepath the same as win32. */
73 #define LDAP_DEPRECATED 1
78 /* Correct header from the Platform SDK */
80 ULONG(*__ldap_start_tls_sA) (
81 IN PLDAP ExternalHandle,
82 OUT PULONG ServerReturnValue,
83 OUT LDAPMessage ** result,
84 IN PLDAPControlA * ServerControls,
85 IN PLDAPControlA * ClientControls
89 static int CheckLDAPAuth(Port *port);
94 /*----------------------------------------------------------------
95 * MIT Kerberos authentication system - protocol version 5
96 *----------------------------------------------------------------
100 /* Some old versions of Kerberos do not include <com_err.h> in <krb5.h> */
101 #if !defined(__COM_ERR_H) && !defined(__COM_ERR_H__)
106 * pg_an_to_ln -- return the local name corresponding to an authentication
109 * XXX Assumes that the first aname component is the user name. This is NOT
110 * necessarily so, since an aname can actually be something out of your
111 * worst X.400 nightmare, like
112 * ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki@CS.BERKELEY.EDU
113 * Note that the MIT an_to_ln code does the same thing if you don't
114 * provide an aname mapping database...it may be a better idea to use
115 * krb5_an_to_ln, except that it punts if multiple components are found,
116 * and we can't afford to punt.
119 pg_an_to_ln(char *aname)
123 if ((p = strchr(aname, '/')) || (p = strchr(aname, '@')))
130 * Various krb5 state which is not connection specfic, and a flag to
131 * indicate whether we have initialised it yet.
133 static int pg_krb5_initialised;
134 static krb5_context pg_krb5_context;
135 static krb5_keytab pg_krb5_keytab;
136 static krb5_principal pg_krb5_server;
142 krb5_error_code retval;
145 if (pg_krb5_initialised)
148 retval = krb5_init_context(&pg_krb5_context);
152 (errmsg("Kerberos initialization returned error %d",
154 com_err("postgres", retval, "while initializing krb5");
158 retval = krb5_kt_resolve(pg_krb5_context, pg_krb_server_keyfile, &pg_krb5_keytab);
162 (errmsg("Kerberos keytab resolving returned error %d",
164 com_err("postgres", retval, "while resolving keytab file \"%s\"",
165 pg_krb_server_keyfile);
166 krb5_free_context(pg_krb5_context);
171 * If no hostname was specified, pg_krb_server_hostname is already NULL.
172 * If it's set to blank, force it to NULL.
174 khostname = pg_krb_server_hostname;
175 if (khostname && khostname[0] == '\0')
178 retval = krb5_sname_to_principal(pg_krb5_context,
186 (errmsg("Kerberos sname_to_principal(\"%s\", \"%s\") returned error %d",
187 khostname ? khostname : "server hostname", pg_krb_srvnam, retval)));
188 com_err("postgres", retval,
189 "while getting server principal for server \"%s\" for service \"%s\"",
190 khostname ? khostname : "server hostname", pg_krb_srvnam);
191 krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
192 krb5_free_context(pg_krb5_context);
196 pg_krb5_initialised = 1;
202 * pg_krb5_recvauth -- server routine to receive authentication information
205 * We still need to compare the username obtained from the client's setup
206 * packet to the authenticated name.
208 * We have our own keytab file because postgres is unlikely to run as root,
209 * and so cannot read the default keytab.
212 pg_krb5_recvauth(Port *port)
214 krb5_error_code retval;
216 krb5_auth_context auth_context = NULL;
220 if (get_role_line(port->user_name) == NULL)
223 ret = pg_krb5_init();
224 if (ret != STATUS_OK)
227 retval = krb5_recvauth(pg_krb5_context, &auth_context,
228 (krb5_pointer) & port->sock, pg_krb_srvnam,
229 pg_krb5_server, 0, pg_krb5_keytab, &ticket);
233 (errmsg("Kerberos recvauth returned error %d",
235 com_err("postgres", retval, "from krb5_recvauth");
240 * The "client" structure comes out of the ticket and is therefore
241 * authenticated. Use it to check the username obtained from the
242 * postmaster startup packet.
244 * I have no idea why this is considered necessary.
246 #if defined(HAVE_KRB5_TICKET_ENC_PART2)
247 retval = krb5_unparse_name(pg_krb5_context,
248 ticket->enc_part2->client, &kusername);
249 #elif defined(HAVE_KRB5_TICKET_CLIENT)
250 retval = krb5_unparse_name(pg_krb5_context,
251 ticket->client, &kusername);
253 #error "bogus configuration"
258 (errmsg("Kerberos unparse_name returned error %d",
260 com_err("postgres", retval, "while unparsing client name");
261 krb5_free_ticket(pg_krb5_context, ticket);
262 krb5_auth_con_free(pg_krb5_context, auth_context);
266 kusername = pg_an_to_ln(kusername);
267 if (pg_krb_caseins_users)
268 ret = pg_strncasecmp(port->user_name, kusername, SM_DATABASE_USER);
270 ret = strncmp(port->user_name, kusername, SM_DATABASE_USER);
274 (errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")",
275 port->user_name, kusername)));
281 krb5_free_ticket(pg_krb5_context, ticket);
282 krb5_auth_con_free(pg_krb5_context, auth_context);
290 pg_krb5_recvauth(Port *port)
293 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
294 errmsg("Kerberos 5 not implemented on this server")));
300 /*----------------------------------------------------------------
301 * GSSAPI authentication system
302 *----------------------------------------------------------------
305 #if defined(HAVE_GSSAPI_H)
308 #include <gssapi/gssapi.h>
311 #if defined(WIN32) && !defined(WIN32_ONLY_COMPILER)
313 * MIT Kerberos GSSAPI DLL doesn't properly export the symbols for MingW
314 * that contain the OIDs required. Redefine here, values copied
315 * from src/athena/auth/krb5/src/lib/gssapi/generic/gssapi_generic.c
317 static const gss_OID_desc GSS_C_NT_USER_NAME_desc =
318 {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"};
319 static GSS_DLLIMP gss_OID GSS_C_NT_USER_NAME = &GSS_C_NT_USER_NAME_desc;
324 pg_GSS_error(int severity, char *errmsg, OM_uint32 maj_stat, OM_uint32 min_stat)
326 gss_buffer_desc gmsg;
327 OM_uint32 lmaj_s, lmin_s, msg_ctx;
331 /* Fetch major status message */
333 lmaj_s = gss_display_status(&lmin_s, maj_stat, GSS_C_GSS_CODE,
334 GSS_C_NO_OID, &msg_ctx, &gmsg);
335 strlcpy(msg_major, gmsg.value, sizeof(msg_major));
336 gss_release_buffer(&lmin_s, &gmsg);
339 /* More than one message available.
340 * XXX: Should we loop and read all messages?
344 (errmsg_internal("incomplete GSS error report")));
346 /* Fetch mechanism minor status message */
348 lmaj_s = gss_display_status(&lmin_s, min_stat, GSS_C_MECH_CODE,
349 GSS_C_NO_OID, &msg_ctx, &gmsg);
350 strlcpy(msg_minor, gmsg.value, sizeof(msg_minor));
351 gss_release_buffer(&lmin_s, &gmsg);
355 (errmsg_internal("incomplete GSS minor error report")));
357 /* errmsg_internal, since translation of the first part must be
358 * done before calling this function anyway. */
360 (errmsg_internal("%s", errmsg),
361 errdetail("%s: %s", msg_major, msg_minor)));
365 pg_GSS_recvauth(Port *port)
367 OM_uint32 maj_stat, min_stat, lmin_s, gflags;
372 gss_buffer_desc gbuf;
374 if (pg_krb_server_keyfile && strlen(pg_krb_server_keyfile) > 0)
377 * Set default Kerberos keytab file for the Krb5 mechanism.
379 * setenv("KRB5_KTNAME", pg_krb_server_keyfile, 0);
380 * except setenv() not always available.
382 if (!getenv("KRB5_KTNAME"))
384 kt_path = palloc(MAXPGPATH + 13);
385 snprintf(kt_path, MAXPGPATH + 13,
386 "KRB5_KTNAME=%s", pg_krb_server_keyfile);
392 * We accept any service principal that's present in our
393 * keytab. This increases interoperability between kerberos
394 * implementations that see for example case sensitivity
395 * differently, while not really opening up any vector
398 port->gss->cred = GSS_C_NO_CREDENTIAL;
401 * Initialize sequence with an empty context
403 port->gss->ctx = GSS_C_NO_CONTEXT;
406 * Loop through GSSAPI message exchange. This exchange can consist
407 * of multiple messags sent in both directions. First message is always
408 * from the client. All messages from client to server are password
409 * packets (type 'p').
413 mtype = pq_getbyte();
416 /* Only log error if client didn't disconnect. */
419 (errcode(ERRCODE_PROTOCOL_VIOLATION),
420 errmsg("expected GSS response, got message type %d",
425 /* Get the actual GSS token */
426 initStringInfo(&buf);
427 if (pq_getmessage(&buf, 2000))
429 /* EOF - pq_getmessage already logged error */
434 /* Map to GSSAPI style buffer */
435 gbuf.length = buf.len;
436 gbuf.value = buf.data;
438 elog(DEBUG4, "Processing received GSS token of length %u",
441 maj_stat = gss_accept_sec_context(
446 GSS_C_NO_CHANNEL_BINDINGS,
454 /* gbuf no longer used */
457 elog(DEBUG5, "gss_accept_sec_context major: %i, "
458 "minor: %i, outlen: %u, outflags: %x",
460 port->gss->outbuf.length, gflags);
462 if (port->gss->outbuf.length != 0)
465 * Negotiation generated data to be sent to the client.
467 elog(DEBUG4, "sending GSS response token of length %u",
468 port->gss->outbuf.length);
470 sendAuthRequest(port, AUTH_REQ_GSS_CONT);
473 if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
476 gss_delete_sec_context(&lmin_s, &port->gss->ctx, GSS_C_NO_BUFFER);
478 gettext_noop("accepting GSS security context failed"),
482 if (maj_stat == GSS_S_CONTINUE_NEEDED)
483 elog(DEBUG4, "GSS continue needed");
485 } while (maj_stat == GSS_S_CONTINUE_NEEDED);
487 if (port->gss->cred != GSS_C_NO_CREDENTIAL)
490 * Release service principal credentials
492 gss_release_cred(&min_stat, port->gss->cred);
496 * GSS_S_COMPLETE indicates that authentication is now complete.
498 * Get the name of the user that authenticated, and compare it to the
499 * pg username that was specified for the connection.
501 maj_stat = gss_display_name(&min_stat, port->gss->name, &gbuf, NULL);
502 if (maj_stat != GSS_S_COMPLETE)
504 gettext_noop("retreiving GSS user name failed"),
508 * Compare the part of the username that comes before the @
509 * sign only (ignore realm). The GSSAPI libraries won't have
510 * authenticated the user if he's from an invalid realm.
512 if (strchr(gbuf.value, '@'))
514 char *cp = strchr(gbuf.value, '@');
518 if (pg_krb_caseins_users)
519 ret = pg_strcasecmp(port->user_name, gbuf.value);
521 ret = strcmp(port->user_name, gbuf.value);
525 /* GSS name and PGUSER are not equivalent */
527 "provided username (%s) and GSSAPI username (%s) don't match",
528 port->user_name, (char *)gbuf.value);
530 gss_release_buffer(&lmin_s, &gbuf);
534 gss_release_buffer(&lmin_s, &gbuf);
539 #else /* no ENABLE_GSS */
541 pg_GSS_recvauth(Port *port)
544 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
545 errmsg("GSSAPI not implemented on this server.")));
548 #endif /* ENABLE_GSS */
552 * Tell the user the authentication failed, but not (much about) why.
554 * There is a tradeoff here between security concerns and making life
555 * unnecessarily difficult for legitimate users. We would not, for example,
556 * want to report the password we were expecting to receive...
557 * But it seems useful to report the username and authorization method
558 * in use, and these are items that must be presumed known to an attacker
560 * Note that many sorts of failure report additional information in the
561 * postmaster log, which we hope is only readable by good guys.
564 auth_failed(Port *port, int status)
569 * If we failed due to EOF from client, just quit; there's no point in
570 * trying to send a message to the client, and not much point in logging
571 * the failure in the postmaster log. (Logging the failure might be
572 * desirable, were it not for the fact that libpq closes the connection
573 * unceremoniously if challenged for a password when it hasn't got one to
574 * send. We'll get a useless log entry for every psql connection under
575 * password auth, even if it's perfectly successful, if we log STATUS_EOF
578 if (status == STATUS_EOF)
581 switch (port->auth_method)
584 errstr = gettext_noop("authentication failed for user \"%s\": host rejected");
587 errstr = gettext_noop("Kerberos 5 authentication failed for user \"%s\"");
590 errstr = gettext_noop("GSSAPI authentication failed for user \"%s\"");
593 errstr = gettext_noop("\"trust\" authentication failed for user \"%s\"");
596 errstr = gettext_noop("Ident authentication failed for user \"%s\"");
601 errstr = gettext_noop("password authentication failed for user \"%s\"");
605 errstr = gettext_noop("PAM authentication failed for user \"%s\"");
610 errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
612 #endif /* USE_LDAP */
614 errstr = gettext_noop("authentication failed for user \"%s\": invalid authentication method");
619 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
620 errmsg(errstr, port->user_name)));
626 * Client authentication starts here. If there is an error, this
627 * function does not return and the backend process is terminated.
630 ClientAuthentication(Port *port)
632 int status = STATUS_ERROR;
635 * Get the authentication method to use for this frontend/database
636 * combination. Note: a failure return indicates a problem with the hba
637 * config file, not with the request. hba.c should have dropped an error
638 * message into the postmaster logfile if it failed.
640 if (hba_getauthmethod(port) != STATUS_OK)
642 (errcode(ERRCODE_CONFIG_FILE_ERROR),
643 errmsg("missing or erroneous pg_hba.conf file"),
644 errhint("See server log for details.")));
646 switch (port->auth_method)
651 * This could have come from an explicit "reject" entry in
652 * pg_hba.conf, but more likely it means there was no matching
653 * entry. Take pity on the poor user and issue a helpful error
654 * message. NOTE: this is not a security breach, because all the
655 * info reported here is known at the frontend and must be assumed
656 * known to bad guys. We're merely helping out the less clueful
660 char hostinfo[NI_MAXHOST];
662 pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
663 hostinfo, sizeof(hostinfo),
669 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
670 errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
671 hostinfo, port->user_name, port->database_name,
672 port->ssl ? _("SSL on") : _("SSL off"))));
675 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
676 errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
677 hostinfo, port->user_name, port->database_name)));
683 sendAuthRequest(port, AUTH_REQ_KRB5);
684 status = pg_krb5_recvauth(port);
688 sendAuthRequest(port, AUTH_REQ_GSS);
689 status = pg_GSS_recvauth(port);
695 * If we are doing ident on unix-domain sockets, use SCM_CREDS
696 * only if it is defined and SO_PEERCRED isn't.
698 #if !defined(HAVE_GETPEEREID) && !defined(SO_PEERCRED) && \
699 (defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || \
700 (defined(HAVE_STRUCT_SOCKCRED) && defined(LOCAL_CREDS)))
701 if (port->raddr.addr.ss_family == AF_UNIX)
703 #if defined(HAVE_STRUCT_FCRED) || defined(HAVE_STRUCT_SOCKCRED)
706 * Receive credentials on next message receipt, BSD/OS,
707 * NetBSD. We need to set this before the client sends the
712 if (setsockopt(port->sock, 0, LOCAL_CREDS, &on, sizeof(on)) < 0)
714 (errcode_for_socket_access(),
715 errmsg("could not enable credential reception: %m")));
718 sendAuthRequest(port, AUTH_REQ_SCM_CREDS);
721 status = authident(port);
725 sendAuthRequest(port, AUTH_REQ_MD5);
726 status = recv_and_check_password_packet(port);
730 sendAuthRequest(port, AUTH_REQ_CRYPT);
731 status = recv_and_check_password_packet(port);
735 sendAuthRequest(port, AUTH_REQ_PASSWORD);
736 status = recv_and_check_password_packet(port);
741 pam_port_cludge = port;
742 status = CheckPAMAuth(port, port->user_name, "");
748 status = CheckLDAPAuth(port);
757 if (status == STATUS_OK)
758 sendAuthRequest(port, AUTH_REQ_OK);
760 auth_failed(port, status);
765 * Send an authentication request packet to the frontend.
768 sendAuthRequest(Port *port, AuthRequest areq)
772 pq_beginmessage(&buf, 'R');
773 pq_sendint(&buf, (int32) areq, sizeof(int32));
775 /* Add the salt for encrypted passwords. */
776 if (areq == AUTH_REQ_MD5)
777 pq_sendbytes(&buf, port->md5Salt, 4);
778 else if (areq == AUTH_REQ_CRYPT)
779 pq_sendbytes(&buf, port->cryptSalt, 2);
782 /* Add the authentication data for the next step of
783 * the GSSAPI negotiation. */
784 else if (areq == AUTH_REQ_GSS_CONT)
786 if (port->gss->outbuf.length > 0)
790 elog(DEBUG4, "sending GSS token of length %u",
791 port->gss->outbuf.length);
793 pq_sendbytes(&buf, port->gss->outbuf.value, port->gss->outbuf.length);
794 gss_release_buffer(&lmin_s, &port->gss->outbuf);
802 * Flush message so client will see it, except for AUTH_REQ_OK, which need
803 * not be sent until we are ready for queries.
805 if (areq != AUTH_REQ_OK)
813 * PAM conversation function
817 pam_passwd_conv_proc(int num_msg, const struct pam_message ** msg,
818 struct pam_response ** resp, void *appdata_ptr)
820 if (num_msg != 1 || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF)
822 switch (msg[0]->msg_style)
826 (errmsg("error from underlying PAM layer: %s",
831 (errmsg("unsupported PAM conversation %d/%s",
832 msg[0]->msg_style, msg[0]->msg)));
840 * Workaround for Solaris 2.6 where the PAM library is broken and does
841 * not pass appdata_ptr to the conversation routine
843 appdata_ptr = pam_passwd;
847 * Password wasn't passed to PAM the first time around - let's go ask the
848 * client to send a password, which we then stuff into PAM.
850 if (strlen(appdata_ptr) == 0)
854 sendAuthRequest(pam_port_cludge, AUTH_REQ_PASSWORD);
855 passwd = recv_password_packet(pam_port_cludge);
858 return PAM_CONV_ERR; /* client didn't want to send password */
860 if (strlen(passwd) == 0)
863 (errmsg("empty password returned by client")));
866 appdata_ptr = passwd;
870 * Explicitly not using palloc here - PAM will free this memory in
873 *resp = calloc(num_msg, sizeof(struct pam_response));
877 (errcode(ERRCODE_OUT_OF_MEMORY),
878 errmsg("out of memory")));
882 (*resp)[0].resp = strdup((char *) appdata_ptr);
883 (*resp)[0].resp_retcode = 0;
885 return ((*resp)[0].resp ? PAM_SUCCESS : PAM_CONV_ERR);
890 * Check authentication against PAM.
893 CheckPAMAuth(Port *port, char *user, char *password)
896 pam_handle_t *pamh = NULL;
899 * Apparently, Solaris 2.6 is broken, and needs ugly static variable
902 pam_passwd = password;
905 * Set the application data portion of the conversation struct This is
906 * later used inside the PAM conversation to pass the password to the
907 * authentication module.
909 pam_passw_conv.appdata_ptr = (char *) password; /* from password above,
912 /* Optionally, one can set the service name in pg_hba.conf */
913 if (port->auth_arg && port->auth_arg[0] != '\0')
914 retval = pam_start(port->auth_arg, "pgsql@",
915 &pam_passw_conv, &pamh);
917 retval = pam_start(PGSQL_PAM_SERVICE, "pgsql@",
918 &pam_passw_conv, &pamh);
920 if (retval != PAM_SUCCESS)
923 (errmsg("could not create PAM authenticator: %s",
924 pam_strerror(pamh, retval))));
925 pam_passwd = NULL; /* Unset pam_passwd */
929 retval = pam_set_item(pamh, PAM_USER, user);
931 if (retval != PAM_SUCCESS)
934 (errmsg("pam_set_item(PAM_USER) failed: %s",
935 pam_strerror(pamh, retval))));
936 pam_passwd = NULL; /* Unset pam_passwd */
940 retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);
942 if (retval != PAM_SUCCESS)
945 (errmsg("pam_set_item(PAM_CONV) failed: %s",
946 pam_strerror(pamh, retval))));
947 pam_passwd = NULL; /* Unset pam_passwd */
951 retval = pam_authenticate(pamh, 0);
953 if (retval != PAM_SUCCESS)
956 (errmsg("pam_authenticate failed: %s",
957 pam_strerror(pamh, retval))));
958 pam_passwd = NULL; /* Unset pam_passwd */
962 retval = pam_acct_mgmt(pamh, 0);
964 if (retval != PAM_SUCCESS)
967 (errmsg("pam_acct_mgmt failed: %s",
968 pam_strerror(pamh, retval))));
969 pam_passwd = NULL; /* Unset pam_passwd */
973 retval = pam_end(pamh, retval);
975 if (retval != PAM_SUCCESS)
978 (errmsg("could not release PAM authenticator: %s",
979 pam_strerror(pamh, retval))));
982 pam_passwd = NULL; /* Unset pam_passwd */
984 return (retval == PAM_SUCCESS ? STATUS_OK : STATUS_ERROR);
992 CheckLDAPAuth(Port *port)
1002 int ldapversion = LDAP_VERSION3;
1003 int ldapport = LDAP_PORT;
1004 char fulluser[NAMEDATALEN + 256 + 1];
1006 if (!port->auth_arg || port->auth_arg[0] == '\0')
1009 (errmsg("LDAP configuration URL not specified")));
1010 return STATUS_ERROR;
1014 * Crack the LDAP url. We do a very trivial parse..
1015 * ldap[s]://<server>[:<port>]/<basedn>[;prefix[;suffix]]
1023 /* ldap, including port number */
1024 r = sscanf(port->auth_arg,
1025 "ldap://%127[^:]:%i/%127[^;];%127[^;];%127s",
1026 server, &ldapport, basedn, prefix, suffix);
1029 /* ldaps, including port number */
1030 r = sscanf(port->auth_arg,
1031 "ldaps://%127[^:]:%i/%127[^;];%127[^;];%127s",
1032 server, &ldapport, basedn, prefix, suffix);
1038 /* ldap, no port number */
1039 r = sscanf(port->auth_arg,
1040 "ldap://%127[^/]/%127[^;];%127[^;];%127s",
1041 server, basedn, prefix, suffix);
1045 /* ldaps, no port number */
1046 r = sscanf(port->auth_arg,
1047 "ldaps://%127[^/]/%127[^;];%127[^;];%127s",
1048 server, basedn, prefix, suffix);
1055 (errmsg("invalid LDAP URL: \"%s\"",
1057 return STATUS_ERROR;
1060 sendAuthRequest(port, AUTH_REQ_PASSWORD);
1062 passwd = recv_password_packet(port);
1064 return STATUS_EOF; /* client wouldn't send password */
1066 ldap = ldap_init(server, ldapport);
1071 (errmsg("could not initialize LDAP: error code %d",
1075 (errmsg("could not initialize LDAP: error code %d",
1076 (int) LdapGetLastError())));
1078 return STATUS_ERROR;
1081 if ((r = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ldapversion)) != LDAP_SUCCESS)
1085 (errmsg("could not set LDAP protocol version: error code %d", r)));
1086 return STATUS_ERROR;
1092 if ((r = ldap_start_tls_s(ldap, NULL, NULL)) != LDAP_SUCCESS)
1094 static __ldap_start_tls_sA _ldap_start_tls_sA = NULL;
1096 if (_ldap_start_tls_sA == NULL)
1099 * Need to load this function dynamically because it does not
1100 * exist on Windows 2000, and causes a load error for the whole
1101 * exe if referenced.
1105 ldaphandle = LoadLibrary("WLDAP32.DLL");
1106 if (ldaphandle == NULL)
1109 * should never happen since we import other files from
1110 * wldap32, but check anyway
1114 (errmsg("could not load wldap32.dll")));
1115 return STATUS_ERROR;
1117 _ldap_start_tls_sA = (__ldap_start_tls_sA) GetProcAddress(ldaphandle, "ldap_start_tls_sA");
1118 if (_ldap_start_tls_sA == NULL)
1122 (errmsg("could not load function _ldap_start_tls_sA in wldap32.dll"),
1123 errdetail("LDAP over SSL is not supported on this platform.")));
1124 return STATUS_ERROR;
1128 * Leak LDAP handle on purpose, because we need the library to stay
1129 * open. This is ok because it will only ever be leaked once per
1130 * process and is automatically cleaned up on process exit.
1133 if ((r = _ldap_start_tls_sA(ldap, NULL, NULL, NULL, NULL)) != LDAP_SUCCESS)
1138 (errmsg("could not start LDAP TLS session: error code %d", r)));
1139 return STATUS_ERROR;
1143 snprintf(fulluser, sizeof(fulluser), "%s%s%s",
1144 prefix, port->user_name, suffix);
1145 fulluser[sizeof(fulluser) - 1] = '\0';
1147 r = ldap_simple_bind_s(ldap, fulluser, passwd);
1150 if (r != LDAP_SUCCESS)
1153 (errmsg("LDAP login failed for user \"%s\" on server \"%s\": error code %d",
1154 fulluser, server, r)));
1155 return STATUS_ERROR;
1160 #endif /* USE_LDAP */
1163 * Collect password response packet from frontend.
1165 * Returns NULL if couldn't get password, else palloc'd string.
1168 recv_password_packet(Port *port)
1172 if (PG_PROTOCOL_MAJOR(port->proto) >= 3)
1174 /* Expect 'p' message type */
1177 mtype = pq_getbyte();
1181 * If the client just disconnects without offering a password,
1182 * don't make a log entry. This is legal per protocol spec and in
1183 * fact commonly done by psql, so complaining just clutters the
1188 (errcode(ERRCODE_PROTOCOL_VIOLATION),
1189 errmsg("expected password response, got message type %d",
1191 return NULL; /* EOF or bad message type */
1196 /* For pre-3.0 clients, avoid log entry if they just disconnect */
1197 if (pq_peekbyte() == EOF)
1198 return NULL; /* EOF */
1201 initStringInfo(&buf);
1202 if (pq_getmessage(&buf, 1000)) /* receive password */
1204 /* EOF - pq_getmessage already logged a suitable message */
1210 * Apply sanity check: password packet length should agree with length of
1211 * contained string. Note it is safe to use strlen here because
1212 * StringInfo is guaranteed to have an appended '\0'.
1214 if (strlen(buf.data) + 1 != buf.len)
1216 (errcode(ERRCODE_PROTOCOL_VIOLATION),
1217 errmsg("invalid password packet size")));
1219 /* Do not echo password to logs, for security. */
1221 (errmsg("received password packet")));
1224 * Return the received string. Note we do not attempt to do any
1225 * character-set conversion on it; since we don't yet know the client's
1226 * encoding, there wouldn't be much point.
1233 * Called when we have sent an authorization request for a password.
1234 * Get the response and check it.
1237 recv_and_check_password_packet(Port *port)
1242 passwd = recv_password_packet(port);
1245 return STATUS_EOF; /* client wouldn't send password */
1247 result = md5_crypt_verify(port, port->user_name, passwd);