#include <ldap.h>
#include <errno.h>
#include <kdb5_err.h>
#include "ldap_err.h"
#ifndef LDAP_X_ERROR
#define LDAP_X_ERROR(x) (0)
#endif
/*
 * The KDB error codes that translate_ldap_error() can return are
 * 1. KRB5_KDB_UK_RERROR
 * 2. KRB5_KDB_UK_SERROR
 * 3. KRB5_KDB_NOENTRY
 * 4. KRB5_KDB_TRUNCATED_RECORD
 * 5. KRB5_KDB_UNAUTH
 * 6. KRB5_KDB_DB_CORRUPT
 * 7. KRB5_KDB_ACCESS_ERROR (NEW)
 * 8. KRB5_KDB_INTERNAL_ERROR (NEW)
 * 9. KRB5_KDB_SERVER_INTERNAL_ERR (NEW)
 * 10. KRB5_KDB_CONSTRAINT_VIOLATION (NEW)
 *
 * In addition, it returns 0 for LDAP_SUCCESS and the plain errno value
 * EINVAL for LDAP_INVALID_DN_SYNTAX.
 */
/*
 * op : the LDAP operation that produced the error.  Most mappings ignore
 * it; it only changes the result for LDAP_INVALID_SYNTAX,
 * LDAP_STRONG_AUTH_REQUIRED and LDAP_NO_SUCH_ATTRIBUTE.
 * 0 => not specified
 * OP_INIT => ldap_init
 * OP_BIND => ldap_bind
 * OP_UNBIND => ldap_unbind
 * OP_ADD => ldap_add
 * OP_MOD => ldap_modify
 * OP_DEL => ldap_delete
 * OP_SEARCH => ldap_search
 * OP_CMP => ldap_compare
 * OP_ABANDON => ldap_abandon
 */
/*
 * Map an LDAP result code, together with the operation that produced it,
 * onto a KDB error code so that the rest of the DAL sees one error space.
 *
 * err: result code returned by the LDAP client library.
 * op:  one of the OP_* values, or 0 when the caller does not know which
 *      operation failed.  Only LDAP_INVALID_SYNTAX,
 *      LDAP_STRONG_AUTH_REQUIRED and LDAP_NO_SUCH_ATTRIBUTE look at it.
 *
 * Returns 0 for LDAP_SUCCESS, EINVAL for a malformed DN, and otherwise one
 * of the KRB5_KDB_* codes listed at the top of this file.  Every input is
 * mapped to something: codes with no specific entry are classified by the
 * ldap.h error-class ranges, and whatever is left becomes
 * KRB5_KDB_SERVER_INTERNAL_ERR.
 *
 * NOTE(review): the mapping is deliberately coarse, so callers lose detail.
 * A referral comes back as KRB5_KDB_NOENTRY, which is indistinguishable
 * from a genuinely missing principal, and LDAP_INVALID_CREDENTIALS /
 * LDAP_INAPPROPRIATE_AUTH become KRB5_KDB_ACCESS_ERROR rather than
 * KRB5_KDB_UNAUTH.  If the distinction matters for diagnosis, log the raw
 * LDAP code at the call site before translating it.
 */
int translate_ldap_error(int err, int op)
{
    switch (err) {
    case LDAP_SUCCESS:
        return 0;

    /* ---- codes whose KDB meaning depends on the operation ---- */

    case LDAP_INVALID_SYNTAX:
        /* The attribute value has an unrecognised or invalid syntax for
         * the attribute.  On a write (add/modify) that is our fault as the
         * server-side update; on anything else (compare) treat it as a
         * read problem. */
        return (op == OP_ADD || op == OP_MOD) ? KRB5_KDB_UK_SERROR
                                              : KRB5_KDB_UK_RERROR;

    case LDAP_STRONG_AUTH_REQUIRED:
        /* During bind: the server only accepts strong authentication, so
         * we cannot get at the database at all.  On any other operation:
         * the request itself needs stronger authentication than the
         * session has, which is a server-imposed constraint. */
        return (op == OP_BIND) ? KRB5_KDB_ACCESS_ERROR
                               : KRB5_KDB_CONSTRAINT_VIOLATION;

    case LDAP_NO_SUCH_ATTRIBUTE:
        /* The attribute named in a modify or compare is absent from the
         * entry.  For modify that is a failed update; for compare the
         * entry is missing data we expected to be there. */
        return (op == OP_MOD) ? KRB5_KDB_UK_SERROR
                              : KRB5_KDB_TRUNCATED_RECORD;

    /* ---- fixed mappings, grouped by the KDB code they produce ---- */

    case LDAP_INVALID_DN_SYNTAX:
        /* Malformed DN: the one case reported as a bare errno value. */
        return EINVAL;

    case LDAP_INAPPROPRIATE_MATCHING:
        /* Matching rule in the search filter does not fit the attribute's
         * syntax. */
        return KRB5_KDB_UK_RERROR;

    case LDAP_CONSTRAINT_VIOLATION:
        /* Value in add/modify/modify-DN violates an attribute constraint. */
    case LDAP_TYPE_OR_VALUE_EXISTS:
        /* Value being added is already present on the attribute. */
        return KRB5_KDB_UK_SERROR;

    case LDAP_OPERATIONS_ERROR:
        /* Server-internal error with no more specific code available. */
    case LDAP_UNAVAILABLE_CRITICAL_EXTENSION:
        /* A critical control/extension we asked for is unsupported.  This
         * may mean the Kerberos schema has not been loaded. */
    case LDAP_UNDEFINED_TYPE:
        /* Attribute used in add/modify is not in the server's schema. */
        return KRB5_KDB_INTERNAL_ERROR;

    case LDAP_SASL_BIND_IN_PROGRESS:
        /* Not an error at all; the DAL-LDAP code should never hand it
         * to us. */
    case LDAP_COMPARE_FALSE:
    case LDAP_COMPARE_TRUE:
        /* Likewise, these are compare results, not failures. */
    case LDAP_RESULTS_TOO_LARGE: /* CLDAP only */
    case LDAP_TIMELIMIT_EXCEEDED:
    case LDAP_SIZELIMIT_EXCEEDED:
        /* The DAL-LDAP code is expected to avoid all of the above itself
         * rather than relying on the server to catch them, so reaching
         * here is treated as an internal server problem. */
        return KRB5_KDB_SERVER_INTERNAL_ERR;

    case LDAP_PROTOCOL_ERROR:
        /* Server saw an invalid or malformed request from us. */
    case LDAP_CONFIDENTIALITY_REQUIRED:
    case LDAP_AUTH_METHOD_NOT_SUPPORTED:
        /* LDAP_STRONG_AUTH_NOT_SUPPORTED is intentionally not listed; in
         * OpenLDAP it appears to be an alias of
         * LDAP_AUTH_METHOD_NOT_SUPPORTED and would be a duplicate case --
         * verify against the ldap.h in use before adding it. */
    case LDAP_INAPPROPRIATE_AUTH:
    case LDAP_INVALID_CREDENTIALS:
    case LDAP_UNAVAILABLE:
        /* Bind-time and availability problems: we cannot reach the
         * database, as opposed to being denied a particular entry. */
        return KRB5_KDB_ACCESS_ERROR;

    case LDAP_REFERRAL:
        /* We do not chase referrals, so the entry is reported as absent. */
        return KRB5_KDB_NOENTRY;

    case LDAP_ADMINLIMIT_EXCEEDED:
        /* An administratively configured server limit was hit. */
    case LDAP_UNWILLING_TO_PERFORM:
        /* Server-defined restriction blocks the request. */
        return KRB5_KDB_CONSTRAINT_VIOLATION;

    case LDAP_ALIAS_DEREF_PROBLEM:
        /* Either no read access to the aliased object or dereferencing is
         * disallowed. */
    case LDAP_PROXY_AUTHZ_FAILURE:
        /* Grouped with the access-denied codes; the original author
         * flagged this choice as unconfirmed. */
    case LDAP_INSUFFICIENT_ACCESS:
        /* Caller lacks rights for the requested operation. */
        return KRB5_KDB_UNAUTH;

    case LDAP_LOOP_DETECT:
        /* Alias or referral loop in the directory data itself. */
        return KRB5_KDB_DB_CORRUPT;

    default:
        break;
    }

    /* No specific entry: fall back to the ldap.h error-class ranges.  The
     * order matters only if the ranges overlap, so keep it as is. */
    if (LDAP_NAME_ERROR(err))
        return KRB5_KDB_NOENTRY;
    if (LDAP_SECURITY_ERROR(err))
        return KRB5_KDB_UNAUTH;
    if (LDAP_SERVICE_ERROR(err) || LDAP_API_ERROR(err) || LDAP_X_ERROR(err))
        return KRB5_KDB_ACCESS_ERROR;
    if (LDAP_UPDATE_ERROR(err))
        return KRB5_KDB_UK_SERROR;

    /* Anything still unclassified, including LDAP_OTHER. */
    return KRB5_KDB_SERVER_INTERNAL_ERR;
}