Ejemplo n.º 1
	/** Opens the libldap handle for this service.
	 *
	 * Reads the server URI from the "server" config key, initialises
	 * this->con and then configures protocol version 3 and the network
	 * timeout. Only those two options are set here.
	 *
	 * @throws LDAPException if ldap_initialize() or either ldap_set_option()
	 *         call fails. On an option failure the handle is unbound and
	 *         this->con reset to NULL before throwing, so the caller never
	 *         sees a half-configured connection.
	 */
	void Connect()
	{
		const std::string server = config->getString("server");
		int rc = ldap_initialize(&this->con, server.c_str());
		if (rc != LDAP_SUCCESS)
			throw LDAPException("Unable to connect to LDAP service " + this->name + ": " + ldap_err2string(rc));

		const int version = LDAP_VERSION3;
		// NOTE(review): a zero timeval is what the original passed; how libldap
		// treats {0, 0} for LDAP_OPT_NETWORK_TIMEOUT is not visible here - confirm
		// it gives the intended (non-)blocking behaviour.
		const struct timeval tv = { 0, 0 };

		/* Both option calls share the same failure handling, so remember
		 * which one failed and tear the handle down in one place. */
		const char *failed = NULL;
		rc = ldap_set_option(this->con, LDAP_OPT_PROTOCOL_VERSION, &version);
		if (rc != LDAP_OPT_SUCCESS)
			failed = "Unable to set protocol version for ";
		else
		{
			rc = ldap_set_option(this->con, LDAP_OPT_NETWORK_TIMEOUT, &tv);
			if (rc != LDAP_OPT_SUCCESS)
				failed = "Unable to set timeout for ";
		}

		if (failed != NULL)
		{
			ldap_unbind_ext(this->con, NULL, NULL);
			this->con = NULL;
			throw LDAPException(failed + this->name + ": " + ldap_err2string(rc));
		}
	}
Ejemplo n.º 2
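/**
 * Reads a raw TLS option from libldap into the caller-supplied buffer.
 *
 * @param opt   Option to read; used directly as the index into optmap.
 * @param value Buffer libldap writes the option value into. Its required
 *              type depends on the option and is the caller's responsibility.
 * @throws LDAPException with LDAP_PARAM_ERROR when opt is outside the
 *         option table, with the libldap return code when ldap_get_option()
 *         reports a specific error, or with LDAP_PARAM_ERROR when it only
 *         reports the generic LDAP_OPT_ERROR.
 */
void TlsOptions::getOption( tls_option opt, void* value ) const {
    // optmap is indexed directly by opt; reject anything outside the table
    // before touching it (the typed setters go through checkOpt() for this,
    // the getter did not, leaving an out-of-range read for a bad opt).
    if ( opt < TlsOptions::CACERTFILE || opt >= TlsOptions::LASTOPT ){
        throw( LDAPException( LDAP_PARAM_ERROR, "unknown Option" ) );
    }

    int ret = ldap_get_option( m_ld, optmap[opt].optval, value);
    if ( ret == LDAP_OPT_SUCCESS ) {
        return;
    }
    if ( ret != LDAP_OPT_ERROR ){
        // libldap gave a specific code; pass it on unchanged
        throw( LDAPException( ret ));
    }
    throw( LDAPException( LDAP_PARAM_ERROR, "error while reading TLS option" ) );
}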
Ejemplo n.º 3
/**
 * Asks libldap to create a fresh TLS context for this handle via
 * LDAP_OPT_X_TLS_NEWCTX, so option changes made through this object take
 * effect for subsequent connections.
 *
 * The pointed-to int is passed as 0, exactly as before; what libldap reads
 * from it for this option is not shown here.
 *
 * @throws LDAPException carrying the libldap return code, or LDAP_LOCAL_ERROR
 *         when libldap only reports the generic LDAP_OPT_ERROR.
 */
void TlsOptions::newCtx() const {
    int ctxArg = 0;
    const int ret = ldap_set_option( m_ld, LDAP_OPT_X_TLS_NEWCTX, &ctxArg );
    if ( ret == LDAP_OPT_SUCCESS ) {
        return;
    }
    // LDAP_OPT_ERROR carries no detail of its own; report it as a local error
    if ( ret == LDAP_OPT_ERROR ) {
        throw( LDAPException( LDAP_LOCAL_ERROR, "error while renewing TLS context" ) );
    }
    throw( LDAPException( ret ) );
}
Ejemplo n.º 4
/*
 * Copyright 2010-2013 The OpenLDAP Foundation, All Rights Reserved.
 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
 */

#include "TlsOptions.h"
#include "LDAPException.h"

// Kind of value a TLS option carries. checkOpt() compares this against the
// type a typed setter/getter expects so a string option cannot be written
// through the int interface and vice versa.
enum opttype {
    INT=0,
    STRING,
    OTHER
};

// One row of the option table: the libldap option code and its value type.
typedef struct tls_optmap {
    int optval;
    opttype type;
} tls_optmap_t;

// Maps TlsOptions::tls_option to the libldap option code. The enumerator is
// used directly as the index (see checkOpt() and getOption()), so the row
// order here must match the enumerator order in TlsOptions.h, which is not
// visible in this file. checkOpt() only rejects values at or beyond LASTOPT,
// so an enumerator added without a matching row would presumably index past
// the end of this array -- keep the two in step.
static tls_optmap_t optmap[] = {
    { LDAP_OPT_X_TLS_CACERTFILE, STRING },
    { LDAP_OPT_X_TLS_CACERTDIR, STRING },
    { LDAP_OPT_X_TLS_CERTFILE, STRING },
    { LDAP_OPT_X_TLS_KEYFILE, STRING },
    { LDAP_OPT_X_TLS_REQUIRE_CERT, INT },
    { LDAP_OPT_X_TLS_PROTOCOL_MIN, INT },
    { LDAP_OPT_X_TLS_CIPHER_SUITE, STRING },
    { LDAP_OPT_X_TLS_RANDOM_FILE, STRING },
    { LDAP_OPT_X_TLS_CRLCHECK, INT },
    { LDAP_OPT_X_TLS_DHFILE, STRING },
    { LDAP_OPT_X_TLS_NEWCTX, INT }
};
// Options known to libldap but deliberately not exposed by this wrapper.
#if 0 /* not implemented currently */
        static const int TLS_CRLFILE /* GNUtls only */
        static const int TLS_SSL_CTX  /* OpenSSL SSL* */
        static const int TLS_CONNECT_CB
        static const int TLS_CONNECT_ARG
#endif 

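/**
 * Validates an option before it is used as an index into optmap.
 *
 * @param opt  Option requested by the caller.
 * @param type Value type the calling setter/getter can handle.
 * @throws LDAPException(LDAP_PARAM_ERROR) when opt is outside the option
 *         table, or when the option's value type differs from @p type.
 */
static void checkOpt( TlsOptions::tls_option opt, opttype type ) {
    // opt is used directly as an index into optmap; reject out-of-range
    // values before the lookup below reads past the table.
    if ( opt < TlsOptions::CACERTFILE || opt >= TlsOptions::LASTOPT ){
        throw( LDAPException( LDAP_PARAM_ERROR, "unknown Option" ) );
    }

    if ( optmap[opt].type != type ){
        // Name the type the caller expected instead of always saying "string";
        // the STRING wording is unchanged for existing callers.
        const char* what = ( type == STRING ) ? "not a string option"
                         : ( type == INT )    ? "not an integer option"
                                              : "wrong option type";
        throw( LDAPException( LDAP_PARAM_ERROR, what ) );
    }
}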
Ejemplo n.º 5
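	/** Opens the libldap handle for this service.
	 *
	 * Initialises this->con from this->server, then configures protocol
	 * version 3 and the network timeout. Only those two options are set here.
	 *
	 * @throws LDAPException if ldap_initialize() or either ldap_set_option()
	 *         call fails. On an option failure the handle is unbound and
	 *         this->con reset to NULL before throwing; previously the handle
	 *         was leaked and left behind in this->con.
	 */
	void Connect()
	{
		int i = ldap_initialize(&this->con, this->server.c_str());
		if (i != LDAP_SUCCESS)
			throw LDAPException("Unable to connect to LDAP service " + this->GetName() + ": " + ldap_err2string(i));

		const int version = LDAP_VERSION3;
		i = ldap_set_option(this->con, LDAP_OPT_PROTOCOL_VERSION, &version);
		if (i != LDAP_OPT_SUCCESS)
		{
			// Release the half-configured handle rather than leaking it
			ldap_unbind_ext(this->con, NULL, NULL);
			this->con = NULL;
			throw LDAPException("Unable to set protocol version for " + this->GetName() + ": " + ldap_err2string(i));
		}

		// NOTE(review): a zero timeval is what the original passed; how libldap
		// treats {0, 0} for LDAP_OPT_NETWORK_TIMEOUT is not visible here - confirm
		// it gives the intended (non-)blocking behaviour.
		const struct timeval tv = { 0, 0 };
		i = ldap_set_option(this->con, LDAP_OPT_NETWORK_TIMEOUT, &tv);
		if (i != LDAP_OPT_SUCCESS)
		{
			ldap_unbind_ext(this->con, NULL, NULL);
			this->con = NULL;
			throw LDAPException("Unable to set timeout for " + this->GetName() + ": " + ldap_err2string(i));
		}
	}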
Ejemplo n.º 6
	/** Queues an asynchronous search against this connection.
	 *
	 * @param i      Interface that receives the result; must not be NULL.
	 * @param base   Search base DN.
	 * @param filter LDAP search filter, passed through exactly as given --
	 *               nothing here escapes or validates it, so callers that
	 *               substitute untrusted values into it must do so themselves.
	 * @throws LDAPException when no interface is supplied.
	 *
	 * The LDAPSearch request is heap-allocated and handed to QueueRequest();
	 * presumably the queue owns and frees it from then on (not visible here).
	 */
	void Search(LDAPInterface *i, const Anope::string &base, const Anope::string &filter) override
	{
		if (!i)
			throw LDAPException("No interface");

		QueueRequest(new LDAPSearch(this, i, base, filter));
	}
Ejemplo n.º 7
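	/** Escapes an account display name before it is substituted into the
	 * LDAP bind DN and search filter.
	 *
	 * Every byte outside [A-Za-z0-9._-] is emitted as "\XX" (backslash and
	 * two hex digits), the escape form accepted by both RFC 4515 (search
	 * filters) and RFC 4514 (distinguished names), so the server matches the
	 * name literally. Without this, a display name containing '*', '(', ')',
	 * '\\', ',' or '=' changes the meaning of the query instead of being
	 * matched as data; a plain IRC nick such as one containing a backslash
	 * already produced a malformed filter.
	 *
	 * @param value Raw display name.
	 * @return Escaped copy safe to splice into a DN or filter.
	 */
	static Anope::string LdapEscape(const Anope::string &value)
	{
		static const char hex[] = "0123456789abcdef";
		std::string out;
		for (const char *p = value.c_str(); *p; ++p)
		{
			const unsigned char c = static_cast<unsigned char>(*p);
			const bool plain = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
				|| (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
			if (plain)
				out += static_cast<char>(c);
			else
			{
				out += '\\';
				out += hex[c >> 4];
				out += hex[c & 0x0f];
			}
		}
		return Anope::string(out.c_str());
	}

	/** Looks up the identifying user's opertype in LDAP.
	 *
	 * Optionally binds with the configured DN (with "%a" replaced by the
	 * account name), then queues a search whose filter has "%a" replaced the
	 * same way; the result is delivered to this->iinterface keyed by the
	 * user's nick. Any LDAPException raised along the way is logged, not
	 * propagated, so an LDAP problem never breaks the identify itself.
	 *
	 * @param u The user that just identified; u->Account() is assumed non-NULL
	 *          here, as it was before.
	 */
	void OnNickIdentify(User *u)
	{
		try
		{
			if (!this->ldap)
				throw LDAPException("No LDAP interface. Is m_ldap loaded and configured correctly?");
			else if (this->basedn.empty() || this->filter.empty() || opertype_attribute.empty())
				throw LDAPException("Could not search LDAP for opertype settings, invalid configuration.");

			// The account name is user-controlled; escape it so it is matched
			// literally instead of being interpreted as DN or filter syntax.
			const Anope::string account = LdapEscape(u->Account()->display);

			if (!this->binddn.empty())
				this->ldap->Bind(NULL, this->binddn.replace_all_cs("%a", account), this->password.c_str());
			LDAPQuery id = this->ldap->Search(&this->iinterface, this->basedn, this->filter.replace_all_cs("%a", account));
			this->iinterface.Add(id, u->nick);
		}
		catch (const LDAPException &ex)
		{
			Log() << "m_ldapoper: " << ex.GetReason();
		}
	}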
Ejemplo n.º 8
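	/** Tears down the current libldap handle and connects again.
	 *
	 * Connection attempts are rate limited to one per 60 seconds because
	 * Connect() blocks; a faster retry is refused with an exception.
	 *
	 * @throws LDAPException when called again within 60 seconds of the last
	 *         attempt, or whatever Connect() throws.
	 */
	void Reconnect()
	{
		/* Only try one connect a minute. It is an expensive blocking operation */
		if (last_connect > Anope::CurTime - 60)
			throw LDAPException("Unable to connect to LDAP service " + this->GetName() + ": reconnecting too fast");
		last_connect = Anope::CurTime;

		/* this->con may already be NULL if a previous Connect() unbound the
		 * handle after a failed ldap_set_option(); never pass a NULL handle to
		 * ldap_unbind_ext(). Clearing it here also means a failure inside
		 * Connect() cannot leave a stale handle to be unbound a second time. */
		if (this->con != NULL)
		{
			ldap_unbind_ext(this->con, NULL, NULL);
			this->con = NULL;
		}

		Connect();
	}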
Ejemplo n.º 9
/**
 * Sets a string-valued TLS option after validating the supplied path.
 *
 * For the certificate/key file options the file must be openable for
 * reading; for CACERTDIR the path must exist and be a directory. Other
 * string options are passed through without a local check. The checks only
 * look at the path at call time; libldap opens it again later.
 *
 * @param opt   Option to set; must be a STRING option (checked by checkOpt()).
 * @param value New value. An empty string clears the option (NULL is passed
 *              to libldap).
 * @throws LDAPException(LDAP_PARAM_ERROR) for an unknown or non-string
 *         option, LDAPException(LDAP_LOCAL_ERROR) when the path check fails,
 *         or whatever the void* overload throws.
 */
void TlsOptions::setOption( tls_option opt, const std::string& value ) const {
    checkOpt(opt, STRING);

    const bool wantsReadableFile = ( opt == TlsOptions::CACERTFILE
                                  || opt == TlsOptions::CERTFILE
                                  || opt == TlsOptions::KEYFILE );

    if ( wantsReadableFile ) {
        // make sure the file can at least be opened before handing it to libldap
        std::ifstream probe( value.c_str() );
        if ( !probe ) {
            throw( LDAPException( LDAP_LOCAL_ERROR, "Unable to open the supplied file for reading" ) );
        }
    } else if ( opt == TlsOptions::CACERTDIR ) {
        struct stat st;
        std::ostringstream reason;
        bool bad = false;
        if ( stat( value.c_str(), &st ) != 0 ) {
            reason << strerror( errno );
            bad = true;
        } else if ( !S_ISDIR( st.st_mode ) ) {
            reason << "The supplied path is not a directory.";
            bad = true;
        }
        if ( bad ) {
            std::ostringstream errstr;
            errstr << "Error while setting Certificate Directory (" << value << "): " << reason.str();
            throw( LDAPException( LDAP_LOCAL_ERROR, errstr.str() ) );
        }
    }

    // libldap takes a non-const pointer; an empty value clears the option
    void* raw = value.empty() ? NULL : static_cast<void*>( const_cast<char*>( value.c_str() ) );
    this->setOption( opt, raw );
}