/* return 0 IFF op_dn is a value in group_at (member) attribute
* of entry with gr_dn AND that entry has an objectClass
* value of group_oc (groupOfNames)
*/
int
ldap_back_group(
Backend *be,
Connection *conn,
Operation *op,
Entry *target,
struct berval *gr_ndn,
struct berval *op_ndn,
ObjectClass *group_oc,
AttributeDescription* group_at
)
{
struct ldapinfo *li = (struct ldapinfo *) be->be_private;
int rc = 1;
Attribute *attr;
LDAPMessage *result;
char *gattr[2];
char *filter = NULL, *ptr;
LDAP *ld;
struct berval mop_ndn = { 0, NULL }, mgr_ndn = { 0, NULL };
AttributeDescription *ad_objectClass = slap_schema.si_ad_objectClass;
struct berval group_oc_name = {0, NULL};
struct berval group_at_name = group_at->ad_cname;
if( group_oc->soc_names && group_oc->soc_names[0] ) {
group_oc_name.bv_val = group_oc->soc_names[0];
} else {
group_oc_name.bv_val = group_oc->soc_oid;
}
if (group_oc_name.bv_val)
group_oc_name.bv_len = strlen(group_oc_name.bv_val);
if (target != NULL && dn_match( &target->e_nname, gr_ndn ) ) {
/* we already have a copy of the entry */
/* attribute and objectclass mapping has already been done */
/*
* first we need to check if the objectClass attribute
* has been retieved; otherwise we need to repeat the search
*/
attr = attr_find( target->e_attrs, ad_objectClass );
if ( attr != NULL ) {
/*
* Now we can check for the group objectClass value
*/
if( !is_entry_objectclass( target, group_oc, 0 ) ) {
return(1);
}
/*
* This part has been reworked: the group attr compare
* fails only if the attribute is PRESENT but the value
* is NOT PRESENT; if the attribute is NOT PRESENT, the
* search must be repeated as well.
* This may happen if a search for an entry has already
* been performed (target is not null) but the group
* attribute has not been required
*/
if ((attr = attr_find(target->e_attrs, group_at)) != NULL) {
if( value_find_ex( group_at, SLAP_MR_VALUE_NORMALIZED_MATCH,
attr->a_vals, op_ndn ) != LDAP_SUCCESS )
return(1);
return(0);
} /* else: repeat the search */
} /* else: repeat the search */
} /* else: do the search */
/*
* Rewrite the op ndn if needed
*/
#ifdef ENABLE_REWRITE
switch ( rewrite_session( li->rwinfo, "bindDn",
op_ndn->bv_val, conn, &mop_ndn.bv_val ) ) {
case REWRITE_REGEXEC_OK:
if ( mop_ndn.bv_val == NULL ) {
mop_ndn = *op_ndn;
}
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDAP, DETAIL1,
"[rw] bindDn (op ndn in group): \"%s\" -> \"%s\"\n",
op_ndn->bv_val, mop_ndn.bv_val, 0 );
#else /* !NEW_LOGGING */
Debug( LDAP_DEBUG_ARGS,
"rw> bindDn (op ndn in group): \"%s\" -> \"%s\"\n%s",
op_ndn->bv_val, mop_ndn.bv_val, "" );
#endif /* !NEW_LOGGING */
break;
case REWRITE_REGEXEC_UNWILLING:
case REWRITE_REGEXEC_ERR:
goto cleanup;
}
/*
* Rewrite the gr ndn if needed
*/
switch ( rewrite_session( li->rwinfo, "searchBase",
gr_ndn->bv_val, conn, &mgr_ndn.bv_val ) ) {
case REWRITE_REGEXEC_OK:
if ( mgr_ndn.bv_val == NULL ) {
mgr_ndn = *gr_ndn;
}
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDAP, DETAIL1,
"[rw] searchBase (gr ndn in group): \"%s\" -> \"%s\"\n%s",
gr_ndn->bv_val, mgr_ndn.bv_val, "" );
#else /* !NEW_LOGGING */
Debug( LDAP_DEBUG_ARGS,
"rw> searchBase (gr ndn in group):"
" \"%s\" -> \"%s\"\n%s",
gr_ndn->bv_val, mgr_ndn.bv_val, "" );
#endif /* !NEW_LOGGING */
break;
case REWRITE_REGEXEC_UNWILLING:
case REWRITE_REGEXEC_ERR:
goto cleanup;
}
#else /* !ENABLE_REWRITE */
ldap_back_dn_massage( li, op_ndn, &mop_ndn, 1, 1 );
if ( mop_ndn.bv_val == NULL ) {
goto cleanup;
}
ldap_back_dn_massage( li, gr_ndn, &mgr_ndn, 1, 1 );
if ( mgr_ndn.bv_val == NULL ) {
goto cleanup;
}
#endif /* !ENABLE_REWRITE */
ldap_back_map(&li->oc_map, &group_oc_name, &group_oc_name,
BACKLDAP_MAP);
if (group_oc_name.bv_val == NULL || group_oc_name.bv_val[0] == '\0')
goto cleanup;
ldap_back_map(&li->at_map, &group_at_name, &group_at_name,
BACKLDAP_MAP);
if (group_at_name.bv_val == NULL || group_at_name.bv_val[0] == '\0')
goto cleanup;
filter = ch_malloc(sizeof("(&(objectclass=)(=))")
+ group_oc_name.bv_len
+ group_at_name.bv_len
+ mop_ndn.bv_len + 1);
if (filter == NULL)
goto cleanup;
if (ldap_initialize(&ld, li->url) != LDAP_SUCCESS) {
goto cleanup;
}
if (ldap_bind_s(ld, li->binddn, li->bindpw, LDAP_AUTH_SIMPLE)
!= LDAP_SUCCESS) {
goto cleanup;
}
ptr = lutil_strcopy(filter, "(&(objectclass=");
ptr = lutil_strcopy(ptr, group_oc_name.bv_val);
ptr = lutil_strcopy(ptr, ")(");
ptr = lutil_strcopy(ptr, group_at_name.bv_val);
ptr = lutil_strcopy(ptr, "=");
ptr = lutil_strcopy(ptr, mop_ndn.bv_val);
strcpy(ptr, "))");
gattr[0] = "objectclass";
gattr[1] = NULL;
if (ldap_search_ext_s(ld, mgr_ndn.bv_val, LDAP_SCOPE_BASE, filter,
gattr, 0, NULL, NULL, LDAP_NO_LIMIT,
LDAP_NO_LIMIT, &result) == LDAP_SUCCESS) {
if (ldap_first_entry(ld, result) != NULL)
rc = 0;
ldap_msgfree(result);
}
cleanup:;
if ( ld != NULL ) {
ldap_unbind(ld);
}
ch_free(filter);
if ( mop_ndn.bv_val != op_ndn->bv_val ) {
free( mop_ndn.bv_val );
}
if ( mgr_ndn.bv_val != gr_ndn->bv_val ) {
free( mgr_ndn.bv_val );
}
return(rc);
}
static int
autoca_op_response(
Operation *op,
SlapReply *rs
)
{
slap_overinst *on = op->o_callback->sc_private;
autoca_info *ai = on->on_bi.bi_private;
Attribute *a;
int isusr = 0;
if (rs->sr_type != REP_SEARCH)
return SLAP_CB_CONTINUE;
/* If root or self */
if ( !be_isroot( op ) &&
!dn_match( &rs->sr_entry->e_nname, &op->o_ndn ))
return SLAP_CB_CONTINUE;
isusr = is_entry_objectclass( rs->sr_entry, ai->ai_usrclass, SLAP_OCF_CHECK_SUP );
if ( !isusr )
{
if (!is_entry_objectclass( rs->sr_entry, ai->ai_srvclass, SLAP_OCF_CHECK_SUP ))
return SLAP_CB_CONTINUE;
}
a = attr_find( rs->sr_entry->e_attrs, ad_usrPkey );
if ( !a )
{
Operation op2;
genargs args;
saveargs arg2;
myext extras[2];
int rc;
args.issuer_cert = ai->ai_cert;
args.issuer_pkey = ai->ai_pkey;
args.subjectDN = &rs->sr_entry->e_name;
args.more_exts = NULL;
if ( isusr )
{
args.cert_exts = usrExts;
args.keybits = ai->ai_usrkeybits;
args.days = ai->ai_usrdays;
a = attr_find( rs->sr_entry->e_attrs, ad_mail );
if ( a )
{
extras[0].name = "subjectAltName";
extras[1].name = NULL;
extras[0].value = op->o_tmpalloc( sizeof("email:") + a->a_vals[0].bv_len, op->o_tmpmemctx );
sprintf(extras[0].value, "email:%s", a->a_vals[0].bv_val);
args.more_exts = extras;
}
} else
{
args.cert_exts = srvExts;
args.keybits = ai->ai_srvkeybits;
args.days = ai->ai_srvdays;
if ( ad_ipaddr && (a = attr_find( rs->sr_entry->e_attrs, ad_ipaddr )))
{
extras[0].name = "subjectAltName";
extras[1].name = NULL;
extras[0].value = op->o_tmpalloc( sizeof("IP:") + a->a_vals[0].bv_len, op->o_tmpmemctx );
sprintf(extras[0].value, "IP:%s", a->a_vals[0].bv_val);
args.more_exts = extras;
}
}
rc = autoca_gencert( op, &args );
if ( rc )
return SLAP_CB_CONTINUE;
X509_free( args.newcert );
EVP_PKEY_free( args.newpkey );
if ( is_entry_objectclass( rs->sr_entry, oc_usrObj, 0 ))
arg2.oc = NULL;
else
arg2.oc = oc_usrObj;
if ( !( rs->sr_flags & REP_ENTRY_MODIFIABLE ))
{
Entry *e = entry_dup( rs->sr_entry );
rs_replace_entry( op, rs, on, e );
rs->sr_flags |= REP_ENTRY_MODIFIABLE | REP_ENTRY_MUSTBEFREED;
}
arg2.dercert = &args.dercert;
arg2.derpkey = &args.derpkey;
arg2.on = on;
arg2.dn = &rs->sr_entry->e_name;
arg2.ndn = &rs->sr_entry->e_nname;
arg2.isca = 0;
op2 = *op;
rc = autoca_savecert( &op2, &arg2 );
if ( !rc )
{
/* If this is our cert DN, configure it */
if ( dn_match( &rs->sr_entry->e_nname, &ai->ai_localndn ))
autoca_setlocal( &op2, &args.dercert, &args.derpkey );
attr_merge_one( rs->sr_entry, ad_usrCert, &args.dercert, NULL );
attr_merge_one( rs->sr_entry, ad_usrPkey, &args.derpkey, NULL );
}
op->o_tmpfree( args.dercert.bv_val, op->o_tmpmemctx );
op->o_tmpfree( args.derpkey.bv_val, op->o_tmpmemctx );
}
return SLAP_CB_CONTINUE;
}
static int
autoca_db_open(
BackendDB *be,
ConfigReply *cr
)
{
slap_overinst *on = (slap_overinst *)be->bd_info;
autoca_info *ai = on->on_bi.bi_private;
Connection conn = { 0 };
OperationBuffer opbuf;
Operation *op;
void *thrctx;
Entry *e;
Attribute *a;
int rc;
if (slapMode & SLAP_TOOL_MODE)
return 0;
if ( ! *aca_attr2[0].ad ) {
int i, code;
const char *text;
for ( i=0; aca_attr2[i].at; i++ ) {
code = slap_str2ad( aca_attr2[i].at, aca_attr2[i].ad, &text );
if ( code ) return code;
}
/* Schema may not be loaded, ignore if missing */
slap_str2ad( "ipHostNumber", &ad_ipaddr, &text );
for ( i=0; aca_ocs[i].ot; i++ ) {
code = register_oc( aca_ocs[i].ot, aca_ocs[i].oc, 0 );
if ( code ) return code;
}
}
thrctx = ldap_pvt_thread_pool_context();
connection_fake_init2( &conn, &opbuf, thrctx, 0 );
op = &opbuf.ob_op;
op->o_bd = be;
op->o_dn = be->be_rootdn;
op->o_ndn = be->be_rootndn;
rc = overlay_entry_get_ov( op, be->be_nsuffix, NULL,
NULL, 0, &e, on );
if ( e ) {
int gotoc = 0, gotat = 0;
if ( is_entry_objectclass( e, oc_caObj, 0 )) {
gotoc = 1;
a = attr_find( e->e_attrs, ad_caPkey );
if ( a ) {
const unsigned char *pp;
pp = (unsigned char *)a->a_vals[0].bv_val;
ai->ai_pkey = d2i_AutoPrivateKey( NULL, &pp, a->a_vals[0].bv_len );
if ( ai->ai_pkey )
{
a = attr_find( e->e_attrs, ad_caCert );
if ( a )
{
pp = (unsigned char *)a->a_vals[0].bv_val;
ai->ai_cert = d2i_X509( NULL, &pp, a->a_vals[0].bv_len );
/* If TLS wasn't configured yet, set this as our CA */
if ( !slap_tls_ctx )
autoca_setca( a->a_vals );
}
}
gotat = 1;
}
}
overlay_entry_release_ov( op, e, 0, on );
/* generate attrs, store... */
if ( !gotat ) {
genargs args;
saveargs arg2;
args.issuer_cert = NULL;
args.issuer_pkey = NULL;
args.subjectDN = &be->be_suffix[0];
args.cert_exts = CAexts;
args.more_exts = NULL;
args.keybits = ai->ai_cakeybits;
args.days = ai->ai_cadays;
rc = autoca_gencert( op, &args );
if ( rc )
return -1;
ai->ai_cert = args.newcert;
ai->ai_pkey = args.newpkey;
arg2.dn = be->be_suffix;
arg2.ndn = be->be_nsuffix;
arg2.isca = 1;
if ( !gotoc )
arg2.oc = oc_caObj;
else
arg2.oc = NULL;
arg2.on = on;
arg2.dercert = &args.dercert;
arg2.derpkey = &args.derpkey;
autoca_savecert( op, &arg2 );
/* If TLS wasn't configured yet, set this as our CA */
if ( !slap_tls_ctx )
autoca_setca( &args.dercert );
op->o_tmpfree( args.dercert.bv_val, op->o_tmpmemctx );
op->o_tmpfree( args.derpkey.bv_val, op->o_tmpmemctx );
}
}
return 0;
}
/**
* Look for posixAccount adds with no autoPosixIds/gidNumber,
* and add in the next available autoPosixIds/gidNumber as needed.
*/
static int autoPosixIds_add( Operation *op, SlapReply *rs ) {
Entry* to_add = NULL;
AttributeDescription* ad = NULL;
AttributeDescription* ad2 = NULL;
Attribute* attr = NULL;
char uidstr[64];
char gidstr[64];
struct berval uidbv = BER_BVNULL;
struct berval gidbv = BER_BVNULL;
unsigned long uid;
const char* text;
const char* text2;
int rc;
int rc2;
to_add = op->oq_add.rs_e;
// if the user doesn't have access, default through to the normal ADD
if( !access_allowed( op, to_add, slap_schema.si_ad_entry, NULL, ACL_WRITE, NULL ) )
return SLAP_CB_CONTINUE;
// only interested in posixAccounts
if( !is_entry_objectclass( (to_add), oc_posix_account, 0) ) {
Debug( LDAP_DEBUG_TRACE, "%s: entry %s is not of objectclass posixAccount\n", autoPosixIds.on_bi.bi_type, to_add->e_nname.bv_val, 0 );
return SLAP_CB_CONTINUE;
}
// if autoPosixIds present, no further processing required
for( attr = to_add->e_attrs; attr; attr = attr->a_next ) {
if( !strcmp( attr->a_desc->ad_cname.bv_val, uid_attr_name ) ) {
Debug(LDAP_DEBUG_TRACE, "%s: ignoring %s due to present uidNumber attribute\n", autoPosixIds.on_bi.bi_type, to_add->e_nname.bv_val, 0 );
return SLAP_CB_CONTINUE;
}
}
// get next assignable number
uid = autoPosixIds_next_available( op );
// add autoPosixIds
rc = slap_str2ad( uid_attr_name, &ad, &text );
if( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s: failed to add uidNumber attribute to entry\n", autoPosixIds.on_bi.bi_type, 0, 0 );
return SLAP_CB_CONTINUE;
}
sprintf( uidstr, "%lu", uid );
ber_str2bv( uidstr, 0, 0, &uidbv );
attr_merge_one( to_add, ad, &uidbv, 0 );
Debug( LDAP_DEBUG_ANY, "%s: added uidNumber %s to entry\n", autoPosixIds.on_bi.bi_type, uidstr, 0 );
// if gidNumber present, no further processing required
for( attr = to_add->e_attrs; attr; attr = attr->a_next ) {
if( !strcmp( attr->a_desc->ad_cname.bv_val, gid_attr_name ) ) {
Debug( LDAP_DEBUG_TRACE, "%s: ignoring %s due to present gidNumber attribute\n", autoPosixIds.on_bi.bi_type, to_add->e_nname.bv_val, 0 );
return SLAP_CB_CONTINUE;
}
}
// add gidNumber
rc2 = slap_str2ad( gid_attr_name, &ad2, &text2 );
if( rc2 != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY, "%s: failed to add gidNumber attribute to entry\n", autoPosixIds.on_bi.bi_type, 0, 0 );
return SLAP_CB_CONTINUE;
}
sprintf( gidstr, "%lu", uid );
ber_str2bv( gidstr, 0, 0, &gidbv );
attr_merge_one( to_add, ad2, &gidbv, 0 );
Debug( LDAP_DEBUG_ANY, "%s: added gidNumber %s to entry\n", autoPosixIds.on_bi.bi_type, gidstr, 0 );
return SLAP_CB_CONTINUE;
}
