/**
* compare attribute to LDAP in case of LDAP_INAPPROPRIATE_MATCHING
*
* \param ld AddressBook resource
* \param server Reference to server
* \param dn dn for the entry
* \param attr Attribute
* \param value New value
* \return int, return will be LDAP_MOD_ADD, LDAP_MOD_REPLACE, or LDAP_MOD_DELETE
*/
int ldapsvr_compare_manual_attr(LDAP *ld, LdapServer *server, gchar *dn, char *attr, char *value) {
LDAPMessage *res, *e = NULL;
BerElement *ber;
struct berval **vals;
int rc;
LdapControl *ctl;
gchar *filter;
gchar *attribute;
int retVal = -2, i;
AttrKeyValue *mail;
cm_return_val_if_fail(ld != NULL || server != NULL || attr != NULL, -1);
ctl = server->control;
mail = get_mail(dn);
if (! mail)
return -2;
filter = g_strdup_printf("(&(mail=%s)(%s=*))", mail->value, attr);
attrkeyvalue_free(mail);
if (ctl) {
rc = ldap_search_ext_s(ld, ctl->baseDN, LDAP_SCOPE_ONELEVEL, filter, NULL, 0, NULL, NULL, NULL, 0, &res);
if (rc) {
g_printerr("ldap_search for attr=%s\" failed[0x%x]: %s\n",attr, rc, ldaputil_get_error(ld));
retVal = -2;
}
else {
e = ldap_first_entry(ld, res);
/* entry has this attribute */
if (e) {
attribute = ldap_first_attribute( ld, e, &ber );
if (attribute) {
if (value) {
if( ( vals = ldap_get_values_len( ld, e, attr ) ) != NULL ) {
for( i = 0; vals[i] != NULL; i++ ) {
debug_print("Compare: %s=%s\n", attr, vals[i]->bv_val);
/* attribute has same value */
if (strcmp(vals[i]->bv_val, value) == 0)
retVal = -1;
/* attribute has new value */
else
retVal = LDAP_MOD_REPLACE;
}
}
ldap_value_free_len(vals);
}
else
retVal = LDAP_MOD_DELETE;
}
if( ber != NULL ) {
ber_free( ber, 0 );
}
ldap_memfree(attribute);
}
/* entry does not have this attribute */
else {
/* Only add if this is a real attribute */
if (value)
retVal = LDAP_MOD_ADD;
/* This is dummy value used to avoid ldap_compare error */
else
retVal = -1;
}
}
}
else
retVal = -2;
g_free(filter);
return retVal;
}
DWORD
VMCAConvertUPNToDN(
PVMCA_LDAP_CONTEXT pConnection,
PCSTR pszUPN,
PSTR* ppszOutDN
)
{
DWORD dwError = 0;
LDAPMessage* pEntry = NULL;
LDAPMessage* pResult = NULL;
PSTR pszFilter = NULL;
PSTR pszEntryDN = NULL;
PSTR pszOutDN = NULL;
int iCount = 0;
LDAP *pLd = NULL;
if (!pConnection ||
!pConnection->pConnection ||
IsNullOrEmptyString(pszUPN) ||
!ppszOutDN)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMCA_ERROR(dwError);
}
pLd = pConnection->pConnection;
dwError = VMCAAllocateStringPrintfA(
&pszFilter, "%s=%s",
ATTR_KRB_UPN,
pszUPN);
BAIL_ON_VMCA_ERROR(dwError);
dwError = ldap_search_ext_s(
pLd,
"",
LDAP_SCOPE_SUBTREE,
pszFilter,
NULL,
FALSE, /* get values */
NULL, /* server controls */
NULL, /* client controls */
NULL, /* timeout */
0, /* size limit */
&pResult);
BAIL_ON_VMCA_ERROR(dwError);
iCount = ldap_count_entries(pLd, pResult);
// should have either 0 or 1 result
if (iCount > 1)
{
dwError = VMCA_ERROR_INVALID_STATE;
BAIL_ON_VMCA_ERROR(dwError);
}
else if (iCount == 0)
{
dwError = VMCA_ERROR_ENTRY_NOT_FOUND;
BAIL_ON_VMCA_ERROR(dwError);
}
if ( (pEntry = ldap_first_entry(pLd, pResult)) != NULL )
{
pszEntryDN = ldap_get_dn(pLd, pEntry);
dwError = VMCAAllocateStringA( pszEntryDN, &pszOutDN );
BAIL_ON_VMCA_ERROR(dwError);
*ppszOutDN = pszOutDN;
}
else
{
dwError = VMCA_ERROR_INVALID_ENTRY;
BAIL_ON_VMCA_ERROR(dwError);
}
cleanup:
if (pszEntryDN)
{
ldap_memfree( pszEntryDN );
}
if (pResult)
{
ldap_msgfree( pResult );
}
VMCA_SAFE_FREE_MEMORY(pszFilter);
return dwError;
error:
VMCA_LOG_ERROR("[%s,%d] failed with error (%u)", __FUNCTION__, __LINE__, dwError);
VMCA_SAFE_FREE_MEMORY(pszOutDN);
if (ppszOutDN)
{
*ppszOutDN = NULL;
}
goto cleanup;
}
DWORD
VMCAGetDSERootAttribute(
PVMCA_LDAP_CONTEXT pContext,
PSTR pszAttribute,
PSTR* ppszAttrValue
)
{
DWORD dwError = 0; // LDAP_SUCCESS
PSTR pAttribute = NULL;
BerValue** ppValue = NULL;
BerElement* pBer = NULL;
LDAPMessage* pSearchResult = NULL;
LDAPMessage* pResults = NULL;
PCHAR pszFilter = "(objectClass=*)";
PCHAR ppszAttrs[] = { pszAttribute, NULL };
dwError = ldap_search_ext_s(
pContext->pConnection, // Session handle
"", // DN to start search
LDAP_SCOPE_BASE, // Scope
pszFilter, // Filter
ppszAttrs, // Retrieve list of attributes
0, // Get both attributes and values
NULL,
NULL,
NULL,
0,
&pSearchResult); // [out] Search results
BAIL_ON_ERROR(dwError);
if (ldap_count_entries(pContext->pConnection, pSearchResult) != 1)
{
dwError = ERROR_INVALID_STATE;
BAIL_ON_ERROR(dwError);
}
// There should be only one result for this type
pResults = ldap_first_entry(pContext->pConnection, pSearchResult);
if (pResults == NULL) {
ldap_get_option(pContext->pConnection, LDAP_OPT_ERROR_NUMBER, &dwError);
BAIL_ON_ERROR(dwError);
}
pAttribute = ldap_first_attribute(pContext->pConnection,pResults,&pBer);
if(pAttribute == NULL) {
ldap_get_option(pContext->pConnection, LDAP_OPT_ERROR_NUMBER, &dwError);
BAIL_ON_ERROR(dwError);
}
ppValue = ldap_get_values_len(pContext->pConnection, pResults, pszAttribute);
if(ppValue == NULL) {
ldap_get_option(pContext->pConnection, LDAP_OPT_ERROR_NUMBER, &dwError);
BAIL_ON_ERROR(dwError);
}
dwError = VMCAAllocateStringA(ppValue[0]->bv_val, ppszAttrValue);
BAIL_ON_ERROR(dwError);
error :
if ( ppValue != NULL) {
ldap_value_free_len(ppValue);
}
if(pAttribute != NULL) {
ldap_memfree(pAttribute);
}
if(pBer != NULL) {
ber_free(pBer,0);
}
if(pSearchResult != NULL) {
ldap_msgfree(pSearchResult);
}
return dwError;
}
/** Convert multiple group names into a DNs
*
* Given an array of group names, builds a filter matching all names, then retrieves all group objects
* and stores the DN associated with each group object.
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request.
* @param[in,out] pconn to use. May change as this function calls functions which auto re-connect.
* @param[in] names to covert to DNs (NULL terminated).
* @param[out] out Where to write the DNs. DNs must be freed with ldap_memfree(). Will be NULL terminated.
* @param[in] outlen Size of out.
* @return One of the RLM_MODULE_* values.
*/
static rlm_rcode_t rlm_ldap_group_name2dn(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn,
char **names, char **out, size_t outlen)
{
rlm_rcode_t rcode = RLM_MODULE_OK;
ldap_rcode_t status;
int ldap_errno;
unsigned int name_cnt = 0;
unsigned int entry_cnt;
char const *attrs[] = { NULL };
LDAPMessage *result = NULL, *entry;
char **name = names;
char **dn = out;
char const *base_dn = NULL;
char base_dn_buff[LDAP_MAX_DN_STR_LEN];
char buffer[LDAP_MAX_GROUP_NAME_LEN + 1];
char *filter;
*dn = NULL;
if (!*names) {
return RLM_MODULE_OK;
}
if (!inst->groupobj_name_attr) {
REDEBUG("Told to convert group names to DNs but missing 'group.name_attribute' directive");
return RLM_MODULE_INVALID;
}
RDEBUG("Converting group name(s) to group DN(s)");
/*
* It'll probably only save a few ms in network latency, but it means we can send a query
* for the entire group list at once.
*/
filter = talloc_typed_asprintf(request, "%s%s%s",
inst->groupobj_filter ? "(&" : "",
inst->groupobj_filter ? inst->groupobj_filter : "",
names[0] && names[1] ? "(|" : "");
while (*name) {
rlm_ldap_escape_func(request, buffer, sizeof(buffer), *name++, NULL);
filter = talloc_asprintf_append_buffer(filter, "(%s=%s)", inst->groupobj_name_attr, buffer);
name_cnt++;
}
filter = talloc_asprintf_append_buffer(filter, "%s%s",
inst->groupobj_filter ? ")" : "",
names[0] && names[1] ? ")" : "");
if (tmpl_expand(&base_dn, base_dn_buff, sizeof(base_dn_buff), request,
inst->groupobj_base_dn, rlm_ldap_escape_func, NULL) < 0) {
REDEBUG("Failed creating base_dn");
return RLM_MODULE_INVALID;
}
status = rlm_ldap_search(&result, inst, request, pconn, base_dn, inst->groupobj_scope,
filter, attrs, NULL, NULL);
switch (status) {
case LDAP_PROC_SUCCESS:
break;
case LDAP_PROC_NO_RESULT:
RDEBUG("Tried to resolve group name(s) to DNs but got no results");
goto finish;
default:
rcode = RLM_MODULE_FAIL;
goto finish;
}
entry_cnt = ldap_count_entries((*pconn)->handle, result);
if (entry_cnt > name_cnt) {
REDEBUG("Number of DNs exceeds number of names, group and/or dn should be more restrictive");
rcode = RLM_MODULE_INVALID;
goto finish;
}
if (entry_cnt > (outlen - 1)) {
REDEBUG("Number of DNs exceeds limit (%zu)", outlen - 1);
rcode = RLM_MODULE_INVALID;
goto finish;
}
if (entry_cnt < name_cnt) {
RWDEBUG("Got partial mapping of group names (%i) to DNs (%i), membership information may be incomplete",
name_cnt, entry_cnt);
}
entry = ldap_first_entry((*pconn)->handle, result);
if (!entry) {
ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno));
rcode = RLM_MODULE_FAIL;
goto finish;
}
do {
*dn = ldap_get_dn((*pconn)->handle, entry);
if (!*dn) {
ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
REDEBUG("Retrieving object DN from entry failed: %s", ldap_err2string(ldap_errno));
rcode = RLM_MODULE_FAIL;
goto finish;
}
rlm_ldap_normalise_dn(*dn, *dn);
RDEBUG("Got group DN \"%s\"", *dn);
dn++;
} while((entry = ldap_next_entry((*pconn)->handle, entry)));
*dn = NULL;
finish:
talloc_free(filter);
if (result) {
ldap_msgfree(result);
}
/*
* Be nice and cleanup the output array if we error out.
*/
if (rcode != RLM_MODULE_OK) {
dn = out;
while(*dn) ldap_memfree(*dn++);
*dn = NULL;
}
return rcode;
}
/*
* This function will look in ldap id the token correspond to the
* requested user. It will returns 0 for failure and 1 for success.
*
* For the moment ldaps is not supported. ldap serve can be on a
* remote host.
*
* You need the following parameters in you pam config:
* ldapserver= OR ldap_uri=
* ldapdn=
* user_attr=
* yubi_attr=
*
*/
static int
authorize_user_token_ldap (struct cfg *cfg,
const char *user,
const char *token_id)
{
DBG(("called"));
int retval = 0;
int protocol;
#ifdef HAVE_LIBLDAP
LDAP *ld = NULL;
LDAPMessage *result = NULL, *e;
BerElement *ber;
char *a;
char *attrs[2] = {NULL, NULL};
struct berval **vals;
int i, rc;
char *find = NULL, *sr = NULL;
if (cfg->user_attr == NULL) {
DBG (("Trying to look up user to YubiKey mapping in LDAP, but user_attr not set!"));
return 0;
}
if (cfg->yubi_attr == NULL) {
DBG (("Trying to look up user to YubiKey mapping in LDAP, but yubi_attr not set!"));
return 0;
}
if (cfg->ldapdn == NULL) {
DBG (("Trying to look up user to YubiKey mapping in LDAP, but ldapdn not set!"));
return 0;
}
/* Get a handle to an LDAP connection. */
if (cfg->ldap_uri)
{
rc = ldap_initialize (&ld, cfg->ldap_uri);
if (rc != LDAP_SUCCESS)
{
DBG (("ldap_init: %s", ldap_err2string (rc)));
retval = 0;
goto done;
}
}
else
{
if ((ld = ldap_init (cfg->ldapserver, PORT_NUMBER)) == NULL)
{
DBG (("ldap_init"));
retval = 0;
goto done;
}
}
/* LDAPv2 is historical -- RFC3494. */
protocol = LDAP_VERSION3;
ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &protocol);
/* Bind anonymously to the LDAP server. */
rc = ldap_simple_bind_s (ld, NULL, NULL);
if (rc != LDAP_SUCCESS)
{
DBG (("ldap_simple_bind_s: %s", ldap_err2string (rc)));
retval = 0;
goto done;
}
/* Allocation of memory for search strings depending on input size */
find = malloc((strlen(cfg->user_attr)+strlen(cfg->ldapdn)+strlen(user)+3)*sizeof(char));
sprintf (find, "%s=%s,%s", cfg->user_attr, user, cfg->ldapdn);
attrs[0] = (char *) cfg->yubi_attr;
DBG(("LDAP : look up object '%s', ask for attribute '%s'", find, cfg->yubi_attr));
/* Search for the entry. */
if ((rc = ldap_search_ext_s (ld, find, LDAP_SCOPE_BASE,
NULL, attrs, 0, NULL, NULL, LDAP_NO_LIMIT,
LDAP_NO_LIMIT, &result)) != LDAP_SUCCESS)
{
DBG (("ldap_search_ext_s: %s", ldap_err2string (rc)));
retval = 0;
goto done;
}
e = ldap_first_entry (ld, result);
if (e == NULL)
{
DBG (("No result from LDAP search"));
}
else
{
/* Iterate through each returned attribute. */
for (a = ldap_first_attribute (ld, e, &ber);
a != NULL; a = ldap_next_attribute (ld, e, ber))
{
if ((vals = ldap_get_values_len (ld, e, a)) != NULL)
{
/* Compare each value for the attribute against the token id. */
for (i = 0; vals[i] != NULL; i++)
{
if (!strncmp (token_id, vals[i]->bv_val, strlen (token_id)))
{
DBG (("Token Found :: %s", vals[i]->bv_val));
retval = 1;
}
else
{
DBG (("No match : (%s) %s != %s", a, vals[i]->bv_val, token_id));
}
}
ldap_value_free_len (vals);
}
ldap_memfree (a);
}
if (ber != NULL)
ber_free (ber, 0);
}
done:
if (result != NULL)
ldap_msgfree (result);
if (ld != NULL)
ldap_unbind (ld);
/* free memory allocated for search strings */
if (find != NULL)
free(find);
if (sr != NULL)
free(sr);
#else
DBG (("Trying to use LDAP, but this function is not compiled in pam_yubico!!"));
DBG (("Install libldap-dev and then recompile pam_yubico."));
#endif
return retval;
}
static int
searchaction( LDAP *ld, char *buf, char *base, LDAPMessage *entry, char *dn,
struct ldap_tmplitem *tip, int labelwidth, int rdncount,
writeptype writeproc, void *writeparm, char *eol, char *urlprefix )
{
int err = LDAP_SUCCESS, lderr, i, count, html;
char **vals, **members;
char *value, *filtpattern, *attr, *selectname;
char *retattrs[2], filter[ 256 ];
LDAPMessage *ldmp;
struct timeval timeout;
html = ( urlprefix != NULL );
for ( i = 0; tip->ti_args != NULL && tip->ti_args[ i ] != NULL; ++i ) {
;
}
if ( i < 3 ) {
return( LDAP_PARAM_ERROR );
}
attr = tip->ti_args[ 0 ];
filtpattern = tip->ti_args[ 1 ];
retattrs[ 0 ] = tip->ti_args[ 2 ];
retattrs[ 1 ] = NULL;
selectname = tip->ti_args[ 3 ];
vals = NULL;
if ( attr == NULL ) {
value = NULL;
} else if ( strcasecmp( attr, "-dnb" ) == 0 ) {
return( LDAP_PARAM_ERROR );
} else if ( strcasecmp( attr, "-dnt" ) == 0 ) {
value = dn;
} else if (( vals = ldap_get_values( ld, entry, attr )) != NULL ) {
value = vals[ 0 ];
} else {
value = NULL;
}
ldap_build_filter( filter, sizeof( filter ), filtpattern, NULL, NULL, NULL,
value, NULL );
if ( html ) {
/*
* if we are generating HTML, we add an HREF link that embodies this
* search action as an LDAP URL, instead of actually doing the search
* now.
*/
sprintf( buf, "<DT><A HREF=\"%s", urlprefix );
if ( base != NULL ) {
strcat_escaped( buf, base );
}
strcat( buf, "??sub?" );
strcat_escaped( buf, filter );
sprintf( buf + strlen( buf ), "\"><B>%s</B></A><DD><BR>%s",
tip->ti_label, eol );
if ((*writeproc)( writeparm, buf, strlen( buf )) < 0 ) {
return( LDAP_LOCAL_ERROR );
}
return( LDAP_SUCCESS );
}
timeout.tv_sec = SEARCH_TIMEOUT_SECS;
timeout.tv_usec = 0;
#ifdef CLDAP
if ( LDAP_IS_CLDAP( ld ))
lderr = cldap_search_s( ld, base, LDAP_SCOPE_SUBTREE, filter, retattrs,
0, &ldmp, NULL );
else
#endif /* CLDAP */
lderr = ldap_search_st( ld, base, LDAP_SCOPE_SUBTREE, filter,
retattrs, 0, &timeout, &ldmp );
if ( lderr == LDAP_SUCCESS || NONFATAL_LDAP_ERR( lderr )) {
if (( count = ldap_count_entries( ld, ldmp )) > 0 ) {
if (( members = (char **)NSLDAPI_MALLOC( (count + 1)
* sizeof(char *))) == NULL ) {
err = LDAP_NO_MEMORY;
} else {
for ( i = 0, entry = ldap_first_entry( ld, ldmp );
entry != NULL;
entry = ldap_next_entry( ld, entry ), ++i ) {
members[ i ] = ldap_get_dn( ld, entry );
}
members[ i ] = NULL;
ldap_sort_values(ld,members, ldap_sort_strcasecmp);
err = do_vals2text( ld, NULL, members, tip->ti_label,
html ? -1 : 0, LDAP_SYN_DN, writeproc, writeparm,
eol, rdncount, urlprefix );
ldap_value_free( members );
}
}
ldap_msgfree( ldmp );
}
if ( vals != NULL ) {
ldap_value_free( vals );
}
return(( err == LDAP_SUCCESS ) ? lderr : err );
}
/** Convert a single group name into a DN
*
* Unlike the inverse conversion of a name to a DN, most LDAP directories don't allow filtering by DN,
* so we need to search for each DN individually.
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request.
* @param[in,out] pconn to use. May change as this function calls functions which auto re-connect.
* @param[in] dn to resolve.
* @param[out] out Where to write group name (must be freed with talloc_free).
* @return One of the RLM_MODULE_* values.
*/
static rlm_rcode_t rlm_ldap_group_dn2name(rlm_ldap_t const *inst, REQUEST *request,
ldap_handle_t **pconn, char const *dn, char **out)
{
rlm_rcode_t rcode = RLM_MODULE_OK;
ldap_rcode_t status;
int ldap_errno;
struct berval **values = NULL;
char const *attrs[] = { inst->groupobj_name_attr, NULL };
LDAPMessage *result = NULL, *entry;
*out = NULL;
if (!inst->groupobj_name_attr) {
REDEBUG("Told to resolve group DN to name but missing 'group.name_attribute' directive");
return RLM_MODULE_INVALID;
}
RDEBUG("Resolving group DN \"%s\" to group name", dn);
status = rlm_ldap_search(&result, inst, request, pconn, dn, LDAP_SCOPE_BASE, NULL, attrs, NULL, NULL);
switch (status) {
case LDAP_PROC_SUCCESS:
break;
case LDAP_PROC_NO_RESULT:
REDEBUG("Group DN \"%s\" did not resolve to an object", dn);
return RLM_MODULE_INVALID;
default:
return RLM_MODULE_FAIL;
}
entry = ldap_first_entry((*pconn)->handle, result);
if (!entry) {
ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno));
rcode = RLM_MODULE_INVALID;
goto finish;
}
values = ldap_get_values_len((*pconn)->handle, entry, inst->groupobj_name_attr);
if (!values) {
REDEBUG("No %s attributes found in object", inst->groupobj_name_attr);
rcode = RLM_MODULE_INVALID;
goto finish;
}
*out = rlm_ldap_berval_to_string(request, values[0]);
RDEBUG("Group DN \"%s\" resolves to name \"%s\"", dn, *out);
finish:
if (result) ldap_msgfree(result);
if (values) ldap_value_free_len(values);
return rcode;
}
krb5_error_code
krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
unsigned int flags, krb5_db_entry **entry_ptr)
{
char *user=NULL, *filter=NULL, *filtuser=NULL;
unsigned int tree=0, ntrees=1, princlen=0;
krb5_error_code tempst=0, st=0;
char **values=NULL, **subtree=NULL, *cname=NULL;
LDAP *ld=NULL;
LDAPMessage *result=NULL, *ent=NULL;
krb5_ldap_context *ldap_context=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
krb5_principal cprinc=NULL;
krb5_boolean found=FALSE;
krb5_db_entry *entry = NULL;
*entry_ptr = NULL;
/* Clear the global error string */
krb5_clear_error_message(context);
if (searchfor == NULL)
return EINVAL;
dal_handle = context->dal_handle;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
CHECK_LDAP_HANDLE(ldap_context);
if (is_principal_in_realm(ldap_context, searchfor) != 0) {
st = KRB5_KDB_NOENTRY;
krb5_set_error_message(context, st,
_("Principal does not belong to realm"));
goto cleanup;
}
if ((st=krb5_unparse_name(context, searchfor, &user)) != 0)
goto cleanup;
if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
goto cleanup;
filtuser = ldap_filter_correct(user);
if (filtuser == NULL) {
st = ENOMEM;
goto cleanup;
}
princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */
if ((filter = malloc(princlen)) == NULL) {
st = ENOMEM;
goto cleanup;
}
snprintf(filter, princlen, FILTER"%s))", filtuser);
if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
goto cleanup;
GET_HANDLE();
for (tree=0; tree < ntrees && !found; ++tree) {
LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes);
for (ent=ldap_first_entry(ld, result); ent != NULL && !found; ent=ldap_next_entry(ld, ent)) {
/* get the associated directory user information */
if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
int i;
/* a wild-card in a principal name can return a list of kerberos principals.
* Make sure that the correct principal is returned.
* NOTE: a principalname k* in ldap server will return all the principals starting with a k
*/
for (i=0; values[i] != NULL; ++i) {
if (strcmp(values[i], user) == 0) {
found = TRUE;
break;
}
}
ldap_value_free(values);
if (!found) /* no matching principal found */
continue;
}
if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
if (values[0] && strcmp(values[0], user) != 0) {
/* We matched an alias, not the canonical name. */
if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
st = krb5_ldap_parse_principal_name(values[0], &cname);
if (st != 0)
goto cleanup;
st = krb5_parse_name(context, cname, &cprinc);
if (st != 0)
goto cleanup;
} else /* No canonicalization, so don't return aliases. */
found = FALSE;
}
ldap_value_free(values);
if (!found)
continue;
}
entry = k5alloc(sizeof(*entry), &st);
if (entry == NULL)
goto cleanup;
if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent,
cprinc ? cprinc : searchfor,
entry)) != 0)
goto cleanup;
}
ldap_msgfree(result);
result = NULL;
} /* for (tree=0 ... */
if (found) {
*entry_ptr = entry;
entry = NULL;
} else
st = KRB5_KDB_NOENTRY;
cleanup:
ldap_msgfree(result);
krb5_ldap_free_principal(context, entry);
if (filter)
free (filter);
if (subtree) {
for (; ntrees; --ntrees)
if (subtree[ntrees-1])
free (subtree[ntrees-1]);
free (subtree);
}
if (ldap_server_handle)
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
if (user)
free(user);
if (filtuser)
free(filtuser);
if (cname)
free(cname);
if (cprinc)
krb5_free_principal(context, cprinc);
return st;
}
static int ldap_verify_user_password (CcnetUserManager *manager,
const char *uid,
const char *password)
{
LDAP *ld = NULL;
int res;
GString *filter;
char *filter_str = NULL;
char *attrs[2];
LDAPMessage *msg = NULL, *entry;
char *dn = NULL;
int ret = 0;
/* First search for the DN with the given uid. */
ld = ldap_init_and_bind (manager->ldap_host,
#ifdef WIN32
manager->use_ssl,
#endif
manager->user_dn,
manager->password);
if (!ld)
return -1;
filter = g_string_new (NULL);
g_string_printf (filter, "(%s=%s)", manager->login_attr, uid);
filter_str = g_string_free (filter, FALSE);
attrs[0] = manager->login_attr;
attrs[1] = NULL;
res = ldap_search_s (ld, manager->base, LDAP_SCOPE_SUBTREE,
filter_str, attrs, 0, &msg);
if (res != LDAP_SUCCESS) {
ccnet_warning ("ldap_search failed: %s.\n", ldap_err2string(res));
ret = -1;
goto out;
}
entry = ldap_first_entry (ld, msg);
if (!entry) {
ccnet_warning ("user with uid %s not found in LDAP.\n", uid);
ret = -1;
goto out;
}
dn = ldap_get_dn (ld, entry);
/* Then bind the DN with password. */
ldap_unbind_s (ld);
ld = ldap_init_and_bind (manager->ldap_host,
#ifdef WIN32
manager->use_ssl,
#endif
dn, password);
if (!ld) {
ccnet_warning ("Password check for %s failed.\n", uid);
ret = -1;
}
out:
ldap_msgfree (msg);
ldap_memfree (dn);
g_free (filter_str);
if (ld) ldap_unbind_s (ld);
return ret;
}
/* Check the userid & password.
* Return 0 on success, 1 on failure
*/
static int
checkLDAP(LDAP * persistent_ld, const char *userid, const char *password, const char *ldapServer, int port)
{
char dn[1024];
int ret = 0;
LDAP *bind_ld = NULL;
if (!*password) {
/* LDAP can't bind with a blank password. Seen as "anonymous"
* and always granted access
*/
if (debug)
fprintf(stderr, "Blank password given\n");
return 1;
}
if (searchfilter) {
char filter[16384];
char escaped_login[1024];
LDAPMessage *res = NULL;
LDAPMessage *entry;
char *searchattr[] =
{(char *)LDAP_NO_ATTRS, NULL};
char *userdn;
int rc;
LDAP *search_ld = persistent_ld;
if (!search_ld)
search_ld = open_ldap_connection(ldapServer, port);
ldap_escape_value(escaped_login, sizeof(escaped_login), userid);
if (binddn) {
rc = ldap_simple_bind_s(search_ld, binddn, bindpasswd);
if (rc != LDAP_SUCCESS) {
fprintf(stderr, PROGRAM_NAME ": WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc));
ret = 1;
goto search_done;
}
}
snprintf(filter, sizeof(filter), searchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login);
if (debug)
fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, basedn);
rc = ldap_search_s(search_ld, basedn, searchscope, filter, searchattr, 1, &res);
if (rc != LDAP_SUCCESS) {
if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
/* Everything is fine. This is expected when referrals
* are disabled.
*/
if (debug)
fprintf(stderr, "noreferrals && rc == LDAP_PARTIAL_RESULTS\n");
} else {
fprintf(stderr, PROGRAM_NAME ": WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
#if defined(NETSCAPE_SSL)
if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) {
int sslerr = PORT_GetError();
fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
}
#endif
ret = 1;
goto search_done;
}
}
entry = ldap_first_entry(search_ld, res);
if (!entry) {
if (debug)
fprintf(stderr, "Ldap search returned nothing\n");
ret = 1;
goto search_done;
}
userdn = ldap_get_dn(search_ld, entry);
if (!userdn) {
fprintf(stderr, PROGRAM_NAME ": ERROR, could not get user DN for '%s'\n", userid);
ret = 1;
goto search_done;
}
snprintf(dn, sizeof(dn), "%s", userdn);
squid_ldap_memfree(userdn);
if (ret == 0 && (!binddn || !bind_once || passwdattr)) {
/* Reuse the search connection for comparing the user password attribute */
bind_ld = search_ld;
search_ld = NULL;
}
search_done:
if (res) {
ldap_msgfree(res);
res = NULL;
}
if (search_ld && search_ld != persistent_ld) {
ldap_unbind(search_ld);
search_ld = NULL;
}
if (ret != 0)
return ret;
} else {
snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn);
}
if (debug)
fprintf(stderr, "attempting to authenticate user '%s'\n", dn);
if (!bind_ld && !bind_once)
bind_ld = persistent_ld;
if (!bind_ld)
bind_ld = open_ldap_connection(ldapServer, port);
if (passwdattr) {
if (ldap_compare_s(bind_ld, dn, passwdattr, password) != LDAP_COMPARE_TRUE) {
ret = 1;
}
} else if (ldap_simple_bind_s(bind_ld, dn, password) != LDAP_SUCCESS)
ret = 1;
if (bind_ld != persistent_ld) {
ldap_unbind(bind_ld);
bind_ld = NULL;
}
return ret;
}
krb5_error_code
krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
char **db_args)
{
int l=0, kerberos_principal_object_type=0;
krb5_error_code st=0, tempst=0;
LDAP *ld=NULL;
LDAPMessage *result=NULL, *ent=NULL;
char *user=NULL, *subtree=NULL, *principal_dn=NULL;
char **values=NULL, *strval[10]={NULL}, errbuf[1024];
char *filtuser=NULL;
struct berval **bersecretkey=NULL;
LDAPMod **mods=NULL;
krb5_boolean create_standalone_prinicipal=FALSE;
krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE;
char *standalone_principal_dn=NULL;
krb5_tl_data *tl_data=NULL;
krb5_key_data **keys=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
osa_princ_ent_rec princ_ent;
xargs_t xargs = {0};
char *polname = NULL;
OPERATION optype;
krb5_boolean found_entry = FALSE;
/* Clear the global error string */
krb5_clear_error_message(context);
SETUP_CONTEXT();
if (ldap_context->lrparams == NULL || ldap_context->container_dn == NULL)
return EINVAL;
/* get ldap handle */
GET_HANDLE();
if (is_principal_in_realm(ldap_context, entry->princ) != 0) {
st = EINVAL;
krb5_set_error_message(context, st, _("Principal does not belong to "
"the default realm"));
goto cleanup;
}
/* get the principal information to act on */
if (((st=krb5_unparse_name(context, entry->princ, &user)) != 0) ||
((st=krb5_ldap_unparse_principal_name(user)) != 0))
goto cleanup;
filtuser = ldap_filter_correct(user);
if (filtuser == NULL) {
st = ENOMEM;
goto cleanup;
}
/* Identity the type of operation, it can be
* add principal or modify principal.
* hack if the entry->mask has KRB_PRINCIPAL flag set
* then it is a add operation
*/
if (entry->mask & KADM5_PRINCIPAL)
optype = ADD_PRINCIPAL;
else
optype = MODIFY_PRINCIPAL;
if (((st=krb5_get_princ_type(context, entry, &kerberos_principal_object_type)) != 0) ||
((st=krb5_get_userdn(context, entry, &principal_dn)) != 0))
goto cleanup;
if ((st=process_db_args(context, db_args, &xargs, optype)) != 0)
goto cleanup;
if (entry->mask & KADM5_LOAD) {
unsigned int tree = 0, ntrees = 0;
int numlentries = 0;
char **subtreelist = NULL, *filter = NULL;
/* A load operation is special, will do a mix-in (add krbprinc
* attrs to a non-krb object entry) if an object exists with a
* matching krbprincipalname attribute so try to find existing
* object and set principal_dn. This assumes that the
* krbprincipalname attribute is unique (only one object entry has
* a particular krbprincipalname attribute).
*/
if (asprintf(&filter, FILTER"%s))", filtuser) < 0) {
filter = NULL;
st = ENOMEM;
goto cleanup;
}
/* get the current subtree list */
if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
goto cleanup;
found_entry = FALSE;
/* search for entry with matching krbprincipalname attribute */
for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) {
result = NULL;
if (principal_dn == NULL) {
LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS);
} else {
/* just look for entry with principal_dn */
LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS);
}
if (st == LDAP_SUCCESS) {
numlentries = ldap_count_entries(ld, result);
if (numlentries > 1) {
ldap_msgfree(result);
free(filter);
st = EINVAL;
krb5_set_error_message(context, st,
_("operation can not continue, "
"more than one entry with "
"principal name \"%s\" found"),
user);
goto cleanup;
} else if (numlentries == 1) {
found_entry = TRUE;
if (principal_dn == NULL) {
ent = ldap_first_entry(ld, result);
if (ent != NULL) {
/* setting principal_dn will cause that entry to be modified further down */
if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) {
ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st);
st = set_ldap_error (context, st, 0);
ldap_msgfree(result);
free(filter);
goto cleanup;
}
}
}
}
if (result)
ldap_msgfree(result);
} else if (st != LDAP_NO_SUCH_OBJECT) {
/* could not perform search, return with failure */
st = set_ldap_error (context, st, 0);
free(filter);
goto cleanup;
}
/*
* If it isn't found then assume a standalone princ entry is to
* be created.
*/
} /* end for (tree = 0; principal_dn == ... */
free(filter);
if (found_entry == FALSE && principal_dn != NULL) {
/*
* if principal_dn is null then there is code further down to
* deal with setting standalone_principal_dn. Also note that
* this will set create_standalone_prinicipal true for
* non-mix-in entries which is okay if loading from a dump.
*/
create_standalone_prinicipal = TRUE;
standalone_principal_dn = strdup(principal_dn);
CHECK_NULL(standalone_principal_dn);
}
} /* end if (entry->mask & KADM5_LOAD */
/* time to generate the DN information with the help of
* containerdn, principalcontainerreference or
* realmcontainerdn information
*/
if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */
/* get the subtree information */
if (entry->princ->length == 2 && entry->princ->data[0].length == strlen("krbtgt") &&
strncmp(entry->princ->data[0].data, "krbtgt", entry->princ->data[0].length) == 0) {
/* if the principal is a inter-realm principal, always created in the realm container */
subtree = strdup(ldap_context->lrparams->realmdn);
} else if (xargs.containerdn) {
if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) {
if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
int ost = st;
st = EINVAL;
snprintf(errbuf, sizeof(errbuf), _("'%s' not found: "),
xargs.containerdn);
prepend_err_str(context, errbuf, st, ost);
}
goto cleanup;
}
subtree = strdup(xargs.containerdn);
} else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) {
/*
* Here the subtree should be changed with
* principalcontainerreference attribute value
*/
subtree = strdup(ldap_context->lrparams->containerref);
} else {
subtree = strdup(ldap_context->lrparams->realmdn);
}
CHECK_NULL(subtree);
if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s",
filtuser, subtree) < 0)
standalone_principal_dn = NULL;
CHECK_NULL(standalone_principal_dn);
/*
* free subtree when you are done using the subtree
* set the boolean create_standalone_prinicipal to TRUE
*/
create_standalone_prinicipal = TRUE;
free(subtree);
subtree = NULL;
}
/*
* If the DN information is presented by the user, time to
* validate the input to ensure that the DN falls under
* any of the subtrees
*/
if (xargs.dn_from_kbd == TRUE) {
/* make sure the DN falls in the subtree */
unsigned int tre=0, ntrees=0;
int dnlen=0, subtreelen=0;
char **subtreelist=NULL;
char *dn=NULL;
krb5_boolean outofsubtree=TRUE;
if (xargs.dn != NULL) {
dn = xargs.dn;
} else if (xargs.linkdn != NULL) {
dn = xargs.linkdn;
} else if (standalone_principal_dn != NULL) {
/*
* Even though the standalone_principal_dn is constructed
* within this function, there is the containerdn input
* from the user that can become part of the it.
*/
dn = standalone_principal_dn;
}
/* get the current subtree list */
if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
goto cleanup;
for (tre=0; tre<ntrees; ++tre) {
if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
outofsubtree = FALSE;
break;
} else {
dnlen = strlen (dn);
subtreelen = strlen(subtreelist[tre]);
if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
outofsubtree = FALSE;
break;
}
}
}
for (tre=0; tre < ntrees; ++tre) {
free(subtreelist[tre]);
}
if (outofsubtree == TRUE) {
st = EINVAL;
krb5_set_error_message(context, st,
_("DN is out of the realm subtree"));
goto cleanup;
}
/*
* dn value will be set either by dn, linkdn or the standalone_principal_dn
* In the first 2 cases, the dn should be existing and in the last case we
* are supposed to create the ldap object. so the below should not be
* executed for the last case.
*/
if (standalone_principal_dn == NULL) {
/*
* If the ldap object is missing, this results in an error.
*/
/*
* Search for krbprincipalname attribute here.
* This is to find if a kerberos identity is already present
* on the ldap object, in which case adding a kerberos identity
* on the ldap object should result in an error.
*/
char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL};
LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
if (st == LDAP_SUCCESS) {
ent = ldap_first_entry(ld, result);
if (ent != NULL) {
if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
ldap_value_free(values);
}
if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
krb_identity_exists = TRUE;
ldap_value_free(values);
}
}
ldap_msgfree(result);
} else {
st = set_ldap_error(context, st, OP_SEARCH);
goto cleanup;
}
}
}
/*
* If xargs.dn is set then the request is to add a
* kerberos principal on a ldap object, but if
* there is one already on the ldap object this
* should result in an error.
*/
if (xargs.dn != NULL && krb_identity_exists == TRUE) {
st = EINVAL;
snprintf(errbuf, sizeof(errbuf),
_("ldap object is already kerberized"));
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
if (xargs.linkdn != NULL) {
/*
* link information can be changed using modprinc.
* However, link information can be changed only on the
* standalone kerberos principal objects. A standalone
* kerberos principal object is of type krbprincipal
* structural objectclass.
*
* NOTE: kerberos principals on an ldap object can't be
* linked to other ldap objects.
*/
if (optype == MODIFY_PRINCIPAL &&
kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) {
st = EINVAL;
snprintf(errbuf, sizeof(errbuf),
_("link information can not be set/updated as the "
"kerberos principal belongs to an ldap object"));
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
/*
* Check the link information. If there is already a link
* existing then this operation is not allowed.
*/
{
char **linkdns=NULL;
int j=0;
if ((st=krb5_get_linkdn(context, entry, &linkdns)) != 0) {
snprintf(errbuf, sizeof(errbuf),
_("Failed getting object references"));
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
if (linkdns != NULL) {
st = EINVAL;
snprintf(errbuf, sizeof(errbuf),
_("kerberos principal is already linked to a ldap "
"object"));
krb5_set_error_message(context, st, "%s", errbuf);
for (j=0; linkdns[j] != NULL; ++j)
free (linkdns[j]);
free (linkdns);
goto cleanup;
}
}
establish_links = TRUE;
}
if (entry->mask & KADM5_LAST_SUCCESS) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->last_success)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
if (entry->mask & KADM5_LAST_FAILED) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->last_failed)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free(strval[0]);
}
if (entry->mask & KADM5_FAIL_AUTH_COUNT) {
krb5_kvno fail_auth_count;
fail_auth_count = entry->fail_auth_count;
if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
fail_auth_count++;
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
LDAP_MOD_REPLACE,
fail_auth_count);
if (st != 0)
goto cleanup;
} else if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) {
int attr_mask = 0;
krb5_boolean has_fail_count;
/* Check if the krbLoginFailedCount attribute exists. (Through
* krb5 1.8.1, it wasn't set in new entries.) */
st = krb5_get_attributes_mask(context, entry, &attr_mask);
if (st != 0)
goto cleanup;
has_fail_count = ((attr_mask & KDB_FAIL_AUTH_COUNT_ATTR) != 0);
/*
* If the client library and server supports RFC 4525,
* then use it to increment by one the value of the
* krbLoginFailedCount attribute. Otherwise, assert the
* (provided) old value by deleting it before adding.
*/
#ifdef LDAP_MOD_INCREMENT
if (ldap_server_handle->server_info->modify_increment &&
has_fail_count) {
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
LDAP_MOD_INCREMENT, 1);
if (st != 0)
goto cleanup;
} else {
#endif /* LDAP_MOD_INCREMENT */
if (has_fail_count) {
st = krb5_add_int_mem_ldap_mod(&mods,
"krbLoginFailedCount",
LDAP_MOD_DELETE,
entry->fail_auth_count);
if (st != 0)
goto cleanup;
}
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
LDAP_MOD_ADD,
entry->fail_auth_count + 1);
if (st != 0)
goto cleanup;
#ifdef LDAP_MOD_INCREMENT
}
#endif
} else if (optype == ADD_PRINCIPAL) {
/* Initialize krbLoginFailedCount in new entries to help avoid a
* race during the first failed login. */
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
LDAP_MOD_ADD, 0);
}
if (entry->mask & KADM5_MAX_LIFE) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entry->max_life)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_MAX_RLIFE) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
entry->max_renewable_life)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_ATTRIBUTES) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
entry->attributes)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_PRINCIPAL) {
memset(strval, 0, sizeof(strval));
strval[0] = user;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_PRINC_EXPIRE_TIME) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->expiration)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
if (entry->mask & KADM5_PW_EXPIRATION) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration",
LDAP_MOD_REPLACE,
strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
if (entry->mask & KADM5_POLICY) {
memset(&princ_ent, 0, sizeof(princ_ent));
for (tl_data=entry->tl_data; tl_data; tl_data=tl_data->tl_data_next) {
if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) {
/* FIX ME: I guess the princ_ent should be freed after this call */
if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) {
goto cleanup;
}
}
}
if (princ_ent.aux_attributes & KADM5_POLICY) {
memset(strval, 0, sizeof(strval));
if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0)
goto cleanup;
strval[0] = polname;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
} else {
st = EINVAL;
krb5_set_error_message(context, st, "Password policy value null");
goto cleanup;
}
} else if (entry->mask & KADM5_LOAD && found_entry == TRUE) {
/*
* a load is special in that existing entries must have attrs that
* removed.
*/
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_POLICY_CLR) {
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_KEY_DATA || entry->mask & KADM5_KVNO) {
krb5_kvno mkvno;
if ((st=krb5_dbe_lookup_mkvno(context, entry, &mkvno)) != 0)
goto cleanup;
bersecretkey = krb5_encode_krbsecretkey (entry->key_data,
entry->n_key_data, mkvno);
if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
goto cleanup;
if (!(entry->mask & KADM5_PRINCIPAL)) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods,
"krbpasswordexpiration",
LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
/* Update last password change whenever a new key is set */
{
krb5_timestamp last_pw_changed;
if ((st=krb5_dbe_lookup_last_pwd_change(context, entry,
&last_pw_changed)) != 0)
goto cleanup;
memset(strval, 0, sizeof(strval));
if ((strval[0] = getstringtime(last_pw_changed)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange",
LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
} /* Modify Key data ends here */
/* Set tl_data */
if (entry->tl_data != NULL) {
int count = 0;
struct berval **ber_tl_data = NULL;
krb5_tl_data *ptr;
krb5_timestamp unlock_time;
for (ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
|| ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO
|| ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL
|| ptr->tl_data_type == KRB5_TL_LAST_ADMIN_UNLOCK)
continue;
count++;
}
if (count != 0) {
int j;
ber_tl_data = (struct berval **) calloc (count + 1,
sizeof (struct berval*));
if (ber_tl_data == NULL) {
st = ENOMEM;
goto cleanup;
}
for (j = 0, ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
/* Ignore tl_data that are stored in separate directory
* attributes */
if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
|| ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO
|| ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL
|| ptr->tl_data_type == KRB5_TL_LAST_ADMIN_UNLOCK)
continue;
if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
break;
j++;
}
if (st == 0) {
ber_tl_data[count] = NULL;
st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData",
LDAP_MOD_REPLACE |
LDAP_MOD_BVALUES, ber_tl_data);
}
for (j = 0; ber_tl_data[j] != NULL; j++) {
free(ber_tl_data[j]->bv_val);
free(ber_tl_data[j]);
}
free(ber_tl_data);
if (st != 0)
goto cleanup;
}
if ((st=krb5_dbe_lookup_last_admin_unlock(context, entry,
&unlock_time)) != 0)
goto cleanup;
if (unlock_time != 0) {
/* Update last admin unlock */
memset(strval, 0, sizeof(strval));
if ((strval[0] = getstringtime(unlock_time)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastAdminUnlock",
LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
}
/* Directory specific attribute */
if (xargs.tktpolicydn != NULL) {
int tmask=0;
if (strlen(xargs.tktpolicydn) != 0) {
st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask);
CHECK_CLASS_VALIDITY(st, tmask, _("ticket policy object value: "));
strval[0] = xargs.tktpolicydn;
strval[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
} else {
/* if xargs.tktpolicydn is a empty string, then delete
* already existing krbticketpolicyreference attr */
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
goto cleanup;
}
}
if (establish_links == TRUE) {
memset(strval, 0, sizeof(strval));
strval[0] = xargs.linkdn;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
}
/*
* in case mods is NULL then return
* not sure but can happen in a modprinc
* so no need to return an error
* addprinc will at least have the principal name
* and the keys passed in
*/
if (mods == NULL)
goto cleanup;
if (create_standalone_prinicipal == TRUE) {
memset(strval, 0, sizeof(strval));
strval[0] = "krbprincipal";
strval[1] = "krbprincipalaux";
strval[2] = "krbTicketPolicyAux";
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
if (st == LDAP_ALREADY_EXISTS && entry->mask & KADM5_LOAD) {
/* a load operation must replace an existing entry */
st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL);
if (st != LDAP_SUCCESS) {
snprintf(errbuf, sizeof(errbuf),
_("Principal delete failed (trying to replace "
"entry): %s"), ldap_err2string(st));
st = translate_ldap_error (st, OP_ADD);
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
} else {
st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
}
}
if (st != LDAP_SUCCESS) {
snprintf(errbuf, sizeof(errbuf), _("Principal add failed: %s"),
ldap_err2string(st));
st = translate_ldap_error (st, OP_ADD);
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
} else {
/*
* Here existing ldap object is modified and can be related
* to any attribute, so always ensure that the ldap
* object is extended with all the kerberos related
* objectclasses so that there are no constraint
* violations.
*/
{
char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL};
int p, q, r=0, amask=0;
if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn,
"objectclass", attrvalues, &amask)) != 0)
goto cleanup;
memset(strval, 0, sizeof(strval));
for (p=1, q=0; p<=2; p<<=1, ++q) {
if ((p & amask) == 0)
strval[r++] = attrvalues[q];
}
if (r != 0) {
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
}
}
if (xargs.dn != NULL)
st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL);
else
st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL);
if (st != LDAP_SUCCESS) {
snprintf(errbuf, sizeof(errbuf), _("User modification failed: %s"),
ldap_err2string(st));
st = translate_ldap_error (st, OP_MOD);
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
entry->fail_auth_count++;
}
cleanup:
if (user)
free(user);
if (filtuser)
free(filtuser);
free_xargs(xargs);
if (standalone_principal_dn)
free(standalone_principal_dn);
if (principal_dn)
free (principal_dn);
if (polname != NULL)
free(polname);
if (subtree)
free (subtree);
if (bersecretkey) {
for (l=0; bersecretkey[l]; ++l) {
if (bersecretkey[l]->bv_val)
free (bersecretkey[l]->bv_val);
free (bersecretkey[l]);
}
free (bersecretkey);
}
if (keys)
free (keys);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return(st);
}
/*
* Look up a user in the directory to see if this is an account that can be authenticated
*/
int CtdlTryUserLDAP(char *username,
char *found_dn, int found_dn_size,
char *fullname, int fullname_size,
uid_t *uid, int lookup_based_on_username)
{
LDAP *ldserver = NULL;
int i;
LDAPMessage *search_result = NULL;
LDAPMessage *entry = NULL;
char searchstring[1024];
struct timeval tv;
char **values;
char *user_dn = NULL;
if (fullname) safestrncpy(fullname, username, fullname_size);
if (ctdl_ldap_initialize(&ldserver) != LDAP_SUCCESS) {
return(errno);
}
ldap_set_option(ldserver, LDAP_OPT_PROTOCOL_VERSION, &ctdl_require_ldap_version);
ldap_set_option(ldserver, LDAP_OPT_REFERRALS, (void *)LDAP_OPT_OFF);
striplt(CtdlGetConfigStr("c_ldap_bind_dn"));
striplt(CtdlGetConfigStr("c_ldap_bind_pw"));
syslog(LOG_DEBUG, "LDAP bind DN: %s", CtdlGetConfigStr("c_ldap_bind_dn"));
i = ldap_simple_bind_s(ldserver,
(!IsEmptyStr(CtdlGetConfigStr("c_ldap_bind_dn")) ? CtdlGetConfigStr("c_ldap_bind_dn") : NULL),
(!IsEmptyStr(CtdlGetConfigStr("c_ldap_bind_pw")) ? CtdlGetConfigStr("c_ldap_bind_pw") : NULL)
);
if (i != LDAP_SUCCESS) {
syslog(LOG_ALERT, "LDAP: Cannot bind: %s (%d)", ldap_err2string(i), i);
return(i);
}
tv.tv_sec = 10;
tv.tv_usec = 0;
if (CtdlGetConfigInt("c_auth_mode") == AUTHMODE_LDAP_AD) {
if (lookup_based_on_username != 0)
snprintf(searchstring, sizeof(searchstring), "(displayName=%s)",username);
else
snprintf(searchstring, sizeof(searchstring), "(sAMAccountName=%s)", username);
}
else {
if (lookup_based_on_username != 0)
snprintf(searchstring, sizeof(searchstring), "(cn=%s)",username);
else
snprintf(searchstring, sizeof(searchstring), "(&(objectclass=posixAccount)(uid=%s))", username);
}
syslog(LOG_DEBUG, "LDAP search: %s", searchstring);
(void) ldap_search_ext_s(
ldserver, /* ld */
CtdlGetConfigStr("c_ldap_base_dn"), /* base */
LDAP_SCOPE_SUBTREE, /* scope */
searchstring, /* filter */
NULL, /* attrs (all attributes) */
0, /* attrsonly (attrs + values) */
NULL, /* serverctrls (none) */
NULL, /* clientctrls (none) */
&tv, /* timeout */
1, /* sizelimit (1 result max) */
&search_result /* res */
);
/* Ignore the return value of ldap_search_ext_s(). Sometimes it returns an error even when
* the search succeeds. Instead, we check to see whether search_result is still NULL.
*/
if (search_result == NULL) {
syslog(LOG_DEBUG, "LDAP search: zero results were returned");
ldap_unbind(ldserver);
return(2);
}
/* At this point we've got at least one result from our query. If there are multiple
* results, we still only look at the first one.
*/
entry = ldap_first_entry(ldserver, search_result);
if (entry) {
user_dn = ldap_get_dn(ldserver, entry);
if (user_dn) {
syslog(LOG_DEBUG, "dn = %s", user_dn);
}
if (CtdlGetConfigInt("c_auth_mode") == AUTHMODE_LDAP_AD) {
values = ldap_get_values(ldserver, search_result, "displayName");
if (values) {
if (values[0]) {
if (fullname) safestrncpy(fullname, values[0], fullname_size);
syslog(LOG_DEBUG, "displayName = %s", values[0]);
}
ldap_value_free(values);
}
}
else {
values = ldap_get_values(ldserver, search_result, "cn");
if (values) {
if (values[0]) {
if (fullname) safestrncpy(fullname, values[0], fullname_size);
syslog(LOG_DEBUG, "cn = %s", values[0]);
}
ldap_value_free(values);
}
}
/* If we know the username is the CN/displayName, we already set the uid*/
if (lookup_based_on_username==0) {
if (CtdlGetConfigInt("c_auth_mode") == AUTHMODE_LDAP_AD) {
values = ldap_get_values(ldserver, search_result, "objectGUID");
if (values) {
if (values[0]) {
if (uid != NULL) {
*uid = abs(HashLittle(values[0], strlen(values[0])));
syslog(LOG_DEBUG, "uid hashed from objectGUID = %d", *uid);
}
}
ldap_value_free(values);
}
}
else {
values = ldap_get_values(ldserver, search_result, "uidNumber");
if (values) {
if (values[0]) {
syslog(LOG_DEBUG, "uidNumber = %s", values[0]);
if (uid != NULL) {
*uid = atoi(values[0]);
}
}
ldap_value_free(values);
}
}
}
}
/* free the results */
ldap_msgfree(search_result);
/* unbind so we can go back in as the authenticating user */
ldap_unbind(ldserver);
if (!user_dn) {
syslog(LOG_DEBUG, "No such user was found.");
return(4);
}
if (found_dn) safestrncpy(found_dn, user_dn, found_dn_size);
ldap_memfree(user_dn);
return(0);
}
/*
* Learn LDAP attributes and stuff them into the vCard.
* Returns nonzero if we changed anything.
*/
int Ctdl_LDAP_to_vCard(char *ldap_dn, struct vCard *v)
{
int changed_something = 0;
LDAP *ldserver = NULL;
int i;
struct timeval tv;
LDAPMessage *search_result = NULL;
LDAPMessage *entry = NULL;
char **givenName;
char **sn;
char **cn;
char **initials;
char **o;
char **street;
char **l;
char **st;
char **postalCode;
char **telephoneNumber;
char **mobile;
char **homePhone;
char **facsimileTelephoneNumber;
char **mail;
char **uid;
char **homeDirectory;
char **uidNumber;
char **loginShell;
char **gidNumber;
char **c;
char **title;
char **uuid;
char *attrs[] = { "*","+",NULL};
if (!ldap_dn) return(0);
if (!v) return(0);
if (ctdl_ldap_initialize(&ldserver) != LDAP_SUCCESS) {
return(0);
}
ldap_set_option(ldserver, LDAP_OPT_PROTOCOL_VERSION, &ctdl_require_ldap_version);
ldap_set_option(ldserver, LDAP_OPT_REFERRALS, (void *)LDAP_OPT_OFF);
striplt(CtdlGetConfigStr("c_ldap_bind_dn"));
striplt(CtdlGetConfigStr("c_ldap_bind_pw"));
syslog(LOG_DEBUG, "LDAP bind DN: %s", CtdlGetConfigStr("c_ldap_bind_dn"));
i = ldap_simple_bind_s(ldserver,
(!IsEmptyStr(CtdlGetConfigStr("c_ldap_bind_dn")) ? CtdlGetConfigStr("c_ldap_bind_dn") : NULL),
(!IsEmptyStr(CtdlGetConfigStr("c_ldap_bind_pw")) ? CtdlGetConfigStr("c_ldap_bind_pw") : NULL)
);
if (i != LDAP_SUCCESS) {
syslog(LOG_ALERT, "LDAP: Cannot bind: %s (%d)", ldap_err2string(i), i);
return(0);
}
tv.tv_sec = 10;
tv.tv_usec = 0;
syslog(LOG_DEBUG, "LDAP search: %s", ldap_dn);
(void) ldap_search_ext_s(
ldserver, /* ld */
ldap_dn, /* base */
LDAP_SCOPE_SUBTREE, /* scope */
NULL, /* filter */
attrs, /* attrs (all attributes) */
0, /* attrsonly (attrs + values) */
NULL, /* serverctrls (none) */
NULL, /* clientctrls (none) */
&tv, /* timeout */
1, /* sizelimit (1 result max) */
&search_result /* res */
);
/* Ignore the return value of ldap_search_ext_s(). Sometimes it returns an error even when
* the search succeeds. Instead, we check to see whether search_result is still NULL.
*/
if (search_result == NULL) {
syslog(LOG_DEBUG, "LDAP search: zero results were returned");
ldap_unbind(ldserver);
return(0);
}
/* At this point we've got at least one result from our query. If there are multiple
* results, we still only look at the first one.
*/
entry = ldap_first_entry(ldserver, search_result);
if (entry) {
syslog(LOG_DEBUG, "LDAP search, got user details for vcard.");
givenName=ldap_get_values(ldserver, search_result, "givenName");
sn=ldap_get_values(ldserver, search_result, "sn");
cn=ldap_get_values(ldserver, search_result, "cn");
initials=ldap_get_values(ldserver, search_result, "initials");
title=ldap_get_values(ldserver, search_result, "title");
o=ldap_get_values(ldserver, search_result, "o");
street=ldap_get_values(ldserver, search_result, "street");
l=ldap_get_values(ldserver, search_result, "l");
st=ldap_get_values(ldserver, search_result, "st");
postalCode=ldap_get_values(ldserver, search_result, "postalCode");
telephoneNumber=ldap_get_values(ldserver, search_result, "telephoneNumber");
mobile=ldap_get_values(ldserver, search_result, "mobile");
homePhone=ldap_get_values(ldserver, search_result, "homePhone");
facsimileTelephoneNumber=ldap_get_values(ldserver, search_result, "facsimileTelephoneNumber");
mail=ldap_get_values(ldserver, search_result, "mail");
uid=ldap_get_values(ldserver, search_result, "uid");
homeDirectory=ldap_get_values(ldserver, search_result, "homeDirectory");
uidNumber=ldap_get_values(ldserver, search_result, "uidNumber");
loginShell=ldap_get_values(ldserver, search_result, "loginShell");
gidNumber=ldap_get_values(ldserver, search_result, "gidNumber");
c=ldap_get_values(ldserver, search_result, "c");
uuid=ldap_get_values(ldserver, search_result, "entryUUID");
if (street && l && st && postalCode && c) changed_something |= vcard_set_one_prop_iff_different(v,"adr",";;%s;%s;%s;%s;%s",street[0],l[0],st[0],postalCode[0],c[0]);
if (telephoneNumber) changed_something |= vcard_set_one_prop_iff_different(v,"tel;work","%s",telephoneNumber[0]);
if (facsimileTelephoneNumber) changed_something |= vcard_set_one_prop_iff_different(v,"tel;fax","%s",facsimileTelephoneNumber[0]);
if (mobile) changed_something |= vcard_set_one_prop_iff_different(v,"tel;cell","%s",mobile[0]);
if (homePhone) changed_something |= vcard_set_one_prop_iff_different(v,"tel;home","%s",homePhone[0]);
if (givenName && sn) {
if (initials) {
changed_something |= vcard_set_one_prop_iff_different(v,"n","%s;%s;%s",sn[0],givenName[0],initials[0]);
}
else {
changed_something |= vcard_set_one_prop_iff_different(v,"n","%s;%s",sn[0],givenName[0]);
}
}
if (mail) {
changed_something |= vcard_set_props_iff_different(v,"email;internet",ldap_count_values(mail),mail);
}
if (uuid) changed_something |= vcard_set_one_prop_iff_different(v,"X-uuid","%s",uuid[0]);
if (o) changed_something |= vcard_set_one_prop_iff_different(v,"org","%s",o[0]);
if (cn) changed_something |= vcard_set_one_prop_iff_different(v,"fn","%s",cn[0]);
if (title) changed_something |= vcard_set_one_prop_iff_different(v,"title","%s",title[0]);
if (givenName) ldap_value_free(givenName);
if (initials) ldap_value_free(initials);
if (sn) ldap_value_free(sn);
if (cn) ldap_value_free(cn);
if (o) ldap_value_free(o);
if (street) ldap_value_free(street);
if (l) ldap_value_free(l);
if (st) ldap_value_free(st);
if (postalCode) ldap_value_free(postalCode);
if (telephoneNumber) ldap_value_free(telephoneNumber);
if (mobile) ldap_value_free(mobile);
if (homePhone) ldap_value_free(homePhone);
if (facsimileTelephoneNumber) ldap_value_free(facsimileTelephoneNumber);
if (mail) ldap_value_free(mail);
if (uid) ldap_value_free(uid);
if (homeDirectory) ldap_value_free(homeDirectory);
if (uidNumber) ldap_value_free(uidNumber);
if (loginShell) ldap_value_free(loginShell);
if (gidNumber) ldap_value_free(gidNumber);
if (c) ldap_value_free(c);
if (title) ldap_value_free(title);
if (uuid) ldap_value_free(uuid);
}
/* free the results */
ldap_msgfree(search_result);
/* unbind so we can go back in as the authenticating user */
ldap_unbind(ldserver);
return(changed_something); /* tell the caller whether we made any changes */
}
void uwsgi_ldap_config(char *url) {
LDAP *ldp;
LDAPMessage *results, *entry;
BerElement *ber;
struct berval **bervalues;
char *attr;
char *uwsgi_attr;
char *url_slash;
int desired_version = LDAP_VERSION3;
int ret;
LDAPURLDesc *ldap_url;
if (!ldap_is_ldap_url(url)) {
uwsgi_log("invalid LDAP url.\n");
exit(1);
}
if (ldap_url_parse(url, &ldap_url) != LDAP_SUCCESS) {
uwsgi_log("unable to parse LDAP url.\n");
exit(1);
}
uwsgi_log("[uWSGI] getting LDAP configuration from %s\n", url);
url_slash = strchr(url, '/');
url_slash = strchr(url_slash + 1, '/');
url_slash = strchr(url_slash + 1, '/');
if (url_slash) {
url_slash[0] = 0;
}
#ifdef UWSGI_DEBUG
uwsgi_debug("LDAP URL: %s\n", url);
uwsgi_debug("LDAP BASE DN: %s\n", ldap_url->lud_dn);
#endif
#if LDAP_API_VERSION >= 3000
if ((ret = ldap_initialize(&ldp, url)) != LDAP_SUCCESS) {
uwsgi_log("LDAP: %s\n", ldap_err2string(ret));
exit(1);
}
#else
if ((ldp = ldap_init(ldap_url->lud_host, ldap_url->lud_port)) == NULL) {
uwsgi_error("ldap_init()");
exit(1);
}
#endif
if ((ret = ldap_set_option(ldp, LDAP_OPT_PROTOCOL_VERSION, &desired_version)) != LDAP_OPT_SUCCESS) {
uwsgi_log("LDAP: %s\n", ldap_err2string(ret));
exit(1);
}
if ((ret = ldap_search_ext_s(ldp, ldap_url->lud_dn, ldap_url->lud_scope, ldap_url->lud_filter, NULL, 0, NULL, NULL, NULL, 1, &results)) != LDAP_SUCCESS) {
uwsgi_log("LDAP: %s\n", ldap_err2string(ret));
exit(1);
}
#ifdef UWSGI_DEBUG
uwsgi_debug("LDAP connection initialized %p\n", ldp);
#endif
free(ldap_url);
if (ldap_count_entries(ldp, results) < 1) {
uwsgi_log("no LDAP entry found\n");
exit(1);
}
entry = ldap_first_entry(ldp, results);
int found = 0;
for (attr = ldap_first_attribute(ldp, entry, &ber); attr != NULL; attr = ldap_next_attribute(ldp, entry, ber)) {
if (!strncmp(attr, "uWSGI", 5)) {
found = 1;
uwsgi_attr = malloc(calc_ldap_name(attr) + 1);
if (!uwsgi_attr) {
uwsgi_error("malloc()");
exit(1);
}
ldap2uwsgi(attr + 5, uwsgi_attr);
#ifdef UWSGI_DEBUG
uwsgi_debug("LDAP attribute: %s = --%s\n", attr, uwsgi_attr);
#endif
bervalues = ldap_get_values_len(ldp, entry, attr);
if (bervalues) {
// do not free uwsgi_attr/uwsgi_val;
char *uwsgi_val = malloc(bervalues[0]->bv_len + 1);
if (!uwsgi_val) {
uwsgi_error("malloc()");
exit(1);
}
memcpy(uwsgi_val, bervalues[0]->bv_val, bervalues[0]->bv_len);
uwsgi_val[bervalues[0]->bv_len] = 0;
add_exported_option((char *) uwsgi_attr, uwsgi_val, 0);
free(bervalues);
}
else {
free(uwsgi_attr);
}
}
free(attr);
}
if (!found) {
uwsgi_log("no uWSGI LDAP entry found\n");
exit(1);
}
free(ber);
free(results);
ldap_unbind_ext_s(ldp, NULL, NULL);
}
int ldapLogin(char *thisUid, char *thisPwd, struct threadInfo * ti) {
extern struct threadInfo *pMainThreadInfo;
int (*dbConnect)(struct threadStorageInfo *);
void (*dbDisconnect)(struct threadStorageInfo *);
int (*dbCookie)(char *, int, struct threadStorageInfo *);
int (*dbInsert)(char *, int, struct threadStorageInfo *);
dbConnect = pMainThreadInfo->dbInfo.connect;
dbDisconnect = pMainThreadInfo->dbInfo.disconnect;
dbCookie = pMainThreadInfo->dbInfo.cookie;
dbInsert = pMainThreadInfo->dbInfo.insert;
if(thisUid == NULL) {
return(-1);
}
if((ti->directoryInfo.ldapUri = configFetch("ldap_uri", &ti->directoryInfo.i)) == NULL) {
ti->directoryInfo.ldapUri = LDAP_MYURI;
}
if((ti->directoryInfo.ldapUsername = configFetch("ldap_username", &ti->directoryInfo.i)) == NULL) {
ti->directoryInfo.ldapUsername = LDAP_MYUSERNAME;
}
if((ti->directoryInfo.ldapPassword = configFetch("ldap_password", &ti->directoryInfo.i)) == NULL) {
ti->directoryInfo.ldapPassword = LDAP_MYPASSWORD;
}
if((ti->directoryInfo.ldapAttr = configFetch("ldap_searchattr", &ti->directoryInfo.i)) == NULL) {
ti->directoryInfo.ldapAttr = LDAP_MYATTR;
}
if((ti->directoryInfo.ldapBase = configFetch("ldap_searchbase", &ti->directoryInfo.i)) == NULL) {
ti->directoryInfo.ldapBase = LDAP_MYBASE;
}
if((ti->directoryInfo.ldapFilter = configFetch("ldap_searchfilter", &ti->directoryInfo.i)) == NULL) {
ti->directoryInfo.ldapFilter = LDAP_MYFILTER;
}
if(ldap_initialize(&ti->directoryInfo.l, ti->directoryInfo.ldapUri) != LDAP_SUCCESS) {
ldapMessage(ti, ERROR_SLIGHT, "Error occurred while trying to initialize LDAP connection", NULL);
return(-1);
}
ti->directoryInfo.v = LDAP_MYVERSION;
if(ldap_set_option(ti->directoryInfo.l, LDAP_OPT_PROTOCOL_VERSION, (int *) &ti->directoryInfo.v) != LDAP_OPT_SUCCESS) {
ldapMessage(ti, ERROR_SLIGHT, "Error occurred while trying to initialize LDAP connection", NULL);
ldap_unbind(ti->directoryInfo.l);
return(-1);
}
if(ti->directoryInfo.ldapUsername != NULL && ti->directoryInfo.ldapUsername[0] != 0) {
if(ldap_bind_s(ti->directoryInfo.l, ti->directoryInfo.ldapUsername, ti->directoryInfo.ldapPassword, LDAP_AUTH_SIMPLE) != LDAP_SUCCESS) {
ldapMessage(ti, ERROR_SLIGHT, "Error occurred while trying to establish LDAP connection", ti->directoryInfo.ldapUsername);
ldap_unbind(ti->directoryInfo.l);
return(-1);
}
}
ti->directoryInfo.timeVal.tv_sec = LDAP_MYTIMEOUT;
ti->directoryInfo.timeVal.tv_usec = 0;
if(ldap_search_st(ti->directoryInfo.l, ti->directoryInfo.ldapBase, LDAP_SCOPE_SUBTREE, ti->directoryInfo.ldapFilter, NULL, 0, &ti->directoryInfo.timeVal, &ti->directoryInfo.m) != LDAP_SUCCESS) {
ldapMessage(ti, ERROR_SLIGHT, "Error occurred while trying to search from LDAP database", ti->directoryInfo.ldapFilter);
ldap_unbind(ti->directoryInfo.l);
return(-1);
}
if(ldap_count_entries(ti->directoryInfo.l, ti->directoryInfo.m) <= 0) {
ldapMessage(ti, ERROR_SLIGHT, "Search from LDAP database returned no entries", ti->directoryInfo.ldapFilter);
ldap_msgfree(ti->directoryInfo.m);
ldap_unbind(ti->directoryInfo.l);
return(-1);
}
if((ti->directoryInfo.e = ldap_first_entry(ti->directoryInfo.l, ti->directoryInfo.m)) == NULL) {
ldapMessage(ti, ERROR_SLIGHT, "Search from LDAP database returned no entries", ti->directoryInfo.ldapFilter);
ldap_msgfree(ti->directoryInfo.m);
ldap_unbind(ti->directoryInfo.l);
return(-1);
}
if((ti->directoryInfo.d = ldap_get_dn(ti->directoryInfo.l, ti->directoryInfo.e)) == NULL) {
ldapMessage(ti, ERROR_SLIGHT, "Search from LDAP database returned no entries", ti->directoryInfo.ldapFilter);
ldap_msgfree(ti->directoryInfo.m);
ldap_unbind(ti->directoryInfo.l);
return(-1);
}
snprintf(ti->directoryInfo.dnSpace, sizeof(ti->directoryInfo.dnSpace), "%s=%s,%s%c", ti->directoryInfo.ldapAttr, thisUid, ti->directoryInfo.d, 0);
ldap_memfree(ti->directoryInfo.d);
ldap_msgfree(ti->directoryInfo.m);
if(ldap_bind_s(ti->directoryInfo.l, ti->directoryInfo.dnSpace, thisPwd, LDAP_AUTH_SIMPLE) != LDAP_SUCCESS) {
ldapMessage(ti, ERROR_SLIGHT, "Authentication against LDAP failed", ti->directoryInfo.dnSpace);
ldap_unbind(ti->directoryInfo.l);
return(-1);
}
ldap_unbind(ti->directoryInfo.l);
ti->directoryInfo.l = NULL;
if(dbConnect(&ti->storageInfo) == 0) {
if(dbCookie(thisUid, strlen(thisUid), &ti->storageInfo) != 0) {
ldapMessage(ti, ERROR_SLIGHT, "Authentication against LDAP failed", "Error occurred while trying to create session");
dbDisconnect(&ti->storageInfo);
return(-1);
}
if(dbInsert(thisUid, strlen(thisUid), &ti->storageInfo) != 0) {
ldapMessage(ti, ERROR_SLIGHT, "Authentication against LDAP failed", "Error occurred while trying to create session");
dbDisconnect(&ti->storageInfo);
return(-1);
}
dbDisconnect(&ti->storageInfo);
return(0);
}
else {
ldapMessage(ti, ERROR_SLIGHT, "Authentication against LDAP failed", "Error occurred while trying to create session");
return(-1);
}
}
/*
* @uid: user's uid, list all users if * is passed in.
*/
static GList *ldap_list_users (CcnetUserManager *manager, const char *uid,
int start, int limit)
{
LDAP *ld = NULL;
GList *ret = NULL;
int res;
GString *filter;
char *filter_str;
char *attrs[2];
LDAPMessage *msg = NULL, *entry;
ld = ldap_init_and_bind (manager->ldap_host,
#ifdef WIN32
manager->use_ssl,
#endif
manager->user_dn,
manager->password);
if (!ld)
return NULL;
filter = g_string_new (NULL);
g_string_printf (filter, "(%s=%s)", manager->login_attr, uid);
filter_str = g_string_free (filter, FALSE);
attrs[0] = manager->login_attr;
attrs[1] = NULL;
res = ldap_search_s (ld, manager->base, LDAP_SCOPE_SUBTREE,
filter_str, attrs, 0, &msg);
if (res != LDAP_SUCCESS) {
ccnet_warning ("ldap_search failed: %s.\n", ldap_err2string(res));
ret = NULL;
goto out;
}
int i = 0;
if (start == -1)
start = 0;
for (entry = ldap_first_entry (ld, msg);
entry != NULL;
entry = ldap_next_entry (ld, entry), ++i)
{
char *attr;
char **vals;
BerElement *ber;
CcnetEmailUser *user;
if (i < start)
continue;
if (limit >= 0 && i >= start + limit)
break;
attr = ldap_first_attribute (ld, entry, &ber);
vals = ldap_get_values (ld, entry, attr);
user = g_object_new (CCNET_TYPE_EMAIL_USER,
"id", 0,
"email", vals[0],
"is_staff", FALSE,
"is_active", TRUE,
"ctime", (gint64)0,
NULL);
ret = g_list_prepend (ret, user);
ldap_memfree (attr);
ldap_value_free (vals);
ber_free (ber, 0);
}
out:
ldap_msgfree (msg);
g_free (filter_str);
if (ld) ldap_unbind_s (ld);
return ret;
}
static void
do_random( char *uri, char *manager, struct berval *passwd,
char *sbase, int scope, char *filter, char *attr,
char **srchattrs, int noattrs, int nobind,
int innerloop, int maxretries, int delay, int force, int chaserefs )
{
LDAP *ld = NULL;
int i = 0, do_retry = maxretries;
char *attrs[ 2 ];
int rc = LDAP_SUCCESS;
int version = LDAP_VERSION3;
int nvalues = 0;
char **values = NULL;
LDAPMessage *res = NULL, *e = NULL;
attrs[ 0 ] = attr;
attrs[ 1 ] = NULL;
ldap_initialize( &ld, uri );
if ( ld == NULL ) {
tester_perror( "ldap_initialize", NULL );
exit( EXIT_FAILURE );
}
(void) ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
(void) ldap_set_option( ld, LDAP_OPT_REFERRALS,
chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );
if ( do_retry == maxretries ) {
fprintf( stderr, "PID=%ld - Search(%d): base=\"%s\", filter=\"%s\" attr=\"%s\".\n",
(long) pid, innerloop, sbase, filter, attr );
}
if ( nobind == 0 ) {
rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
switch ( rc ) {
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
/* fallthru */
default:
break;
}
exit( EXIT_FAILURE );
}
}
rc = ldap_search_ext_s( ld, sbase, LDAP_SCOPE_SUBTREE,
filter, attrs, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &res );
switch ( rc ) {
case LDAP_SIZELIMIT_EXCEEDED:
case LDAP_TIMELIMIT_EXCEEDED:
case LDAP_SUCCESS:
if ( ldap_count_entries( ld, res ) == 0 ) {
if ( rc ) {
tester_ldap_error( ld, "ldap_search_ext_s", NULL );
}
break;
}
for ( e = ldap_first_entry( ld, res ); e != NULL; e = ldap_next_entry( ld, e ) )
{
struct berval **v = ldap_get_values_len( ld, e, attr );
if ( v != NULL ) {
int n = ldap_count_values_len( v );
int j;
values = realloc( values, ( nvalues + n + 1 )*sizeof( char * ) );
for ( j = 0; j < n; j++ ) {
values[ nvalues + j ] = strdup( v[ j ]->bv_val );
}
values[ nvalues + j ] = NULL;
nvalues += n;
ldap_value_free_len( v );
}
}
ldap_msgfree( res );
if ( !values ) {
fprintf( stderr, " PID=%ld - Search base=\"%s\" filter=\"%s\" got %d values.\n",
(long) pid, sbase, filter, nvalues );
exit(EXIT_FAILURE);
}
if ( do_retry == maxretries ) {
fprintf( stderr, " PID=%ld - Search base=\"%s\" filter=\"%s\" got %d values.\n",
(long) pid, sbase, filter, nvalues );
}
for ( i = 0; i < innerloop; i++ ) {
char buf[ BUFSIZ ];
#if 0 /* use high-order bits for better randomness (Numerical Recipes in "C") */
int r = rand() % nvalues;
#endif
int r = ((double)nvalues)*rand()/(RAND_MAX + 1.0);
snprintf( buf, sizeof( buf ), "(%s=%s)", attr, values[ r ] );
do_search( uri, manager, passwd,
sbase, scope, buf, &ld,
srchattrs, noattrs, nobind,
1, maxretries, delay, force, chaserefs );
}
break;
default:
tester_ldap_error( ld, "ldap_search_ext_s", NULL );
break;
}
fprintf( stderr, " PID=%ld - Search done (%d).\n", (long) pid, rc );
if ( ld != NULL ) {
ldap_unbind_ext( ld, NULL, NULL );
}
}
void LDAPSession::stringSearch ( string dn,const list<string> &attributes,
string searchParam,
list<LDAPStringEntry>& result )
{
char** attr;
attr= ( char** ) malloc ( sizeof ( char* ) *attributes.size() +1 );
int i=0;
list<string>::const_iterator it=attributes.begin();
list<string>::const_iterator end=attributes.end();
for ( ;it!=end;++it )
{
attr[i]= ( char* ) malloc ( sizeof ( char ) *
( *it ).length() +1 );
strcpy ( attr[i], ( *it ).c_str() );
++i;
}
attr[i]=0l;
LDAPMessage* res;
int errc=ldap_search_s ( ld,dn.c_str(),LDAP_SCOPE_SUBTREE,
searchParam.c_str(),attr,0,&res );
if ( errc != LDAP_SUCCESS )
{
i=0;
it=attributes.begin();
for ( ;it!=end;++it )
{
free ( attr[i] );
++i;
}
free ( attr );
throw LDAPExeption ( "ldap_search_s",ldap_err2string ( errc ) );
}
LDAPMessage *entry=ldap_first_entry ( ld,res );
while ( entry )
{
LDAPStringEntry stringEntry;
it=attributes.begin();
for ( ;it!=end;++it )
{
LDAPStringValue val;
val.attr= ( *it );
char **atr=ldap_get_values ( ld,entry,
( *it ).c_str() );
int count=ldap_count_values ( atr );
for ( i=0;i<count;i++ )
{
val.value.push_back ( atr[i] );
}
ldap_value_free ( atr );
stringEntry.push_back ( val );
}
entry=ldap_next_entry ( ld,entry );
result.push_back ( stringEntry );
}
free ( res );
i=0;
it=attributes.begin();
for ( ;it!=end;++it )
{
free ( attr[i] );
++i;
}
free ( attr );
}
static int
do_entry2text_search(
LDAP *ld,
char *dn, /* if NULL, use entry */
char *base, /* if NULL, no search actions */
LDAPMessage *entry, /* if NULL, use dn */
struct ldap_disptmpl* tmpllist, /* if NULL, no template used */
char **defattrs,
char ***defvals,
writeptype writeproc,
void *writeparm,
char *eol,
int rdncount, /* if 0, display full DN */
unsigned long opts,
char *urlprefix
)
{
int err, freedn, html;
char *buf, **fetchattrs, **vals;
LDAPMessage *ldmp;
struct ldap_disptmpl *tmpl;
struct timeval timeout;
if ( !NSLDAPI_VALID_LDAP_POINTER( ld )) {
return( LDAP_PARAM_ERROR );
}
if ( dn == NULL && entry == NULLMSG ) {
err = LDAP_PARAM_ERROR;
LDAP_SET_LDERRNO( ld, err, NULL, NULL );
return( err );
}
html = ( urlprefix != NULL );
timeout.tv_sec = SEARCH_TIMEOUT_SECS;
timeout.tv_usec = 0;
if (( buf = NSLDAPI_MALLOC( LDAP_DTMPL_BUFSIZ )) == NULL ) {
err = LDAP_NO_MEMORY;
LDAP_SET_LDERRNO( ld, err, NULL, NULL );
return( err );
}
freedn = 0;
tmpl = NULL;
if ( dn == NULL ) {
if (( dn = ldap_get_dn( ld, entry )) == NULL ) {
NSLDAPI_FREE( buf );
return( LDAP_GET_LDERRNO( ld, NULL, NULL ) );
}
freedn = 1;
}
if ( tmpllist != NULL ) {
ldmp = NULLMSG;
if ( entry == NULL ) {
char *ocattrs[2];
ocattrs[0] = OCATTRNAME;
ocattrs[1] = NULL;
#ifdef CLDAP
if ( LDAP_IS_CLDAP( ld ))
err = cldap_search_s( ld, dn, LDAP_SCOPE_BASE,
"objectClass=*", ocattrs, 0, &ldmp, NULL );
else
#endif /* CLDAP */
err = ldap_search_st( ld, dn, LDAP_SCOPE_BASE,
"objectClass=*", ocattrs, 0, &timeout, &ldmp );
if ( err == LDAP_SUCCESS ) {
entry = ldap_first_entry( ld, ldmp );
}
}
if ( entry != NULL ) {
vals = ldap_get_values( ld, entry, OCATTRNAME );
tmpl = ldap_oc2template( vals, tmpllist );
if ( vals != NULL ) {
ldap_value_free( vals );
}
}
if ( ldmp != NULL ) {
ldap_msgfree( ldmp );
}
}
entry = NULL;
if ( tmpl == NULL ) {
fetchattrs = NULL;
} else {
fetchattrs = ldap_tmplattrs( tmpl, NULL, 1, LDAP_SYN_OPT_DEFER );
}
#ifdef CLDAP
if ( LDAP_IS_CLDAP( ld ))
err = cldap_search_s( ld, dn, LDAP_SCOPE_BASE, "objectClass=*",
fetchattrs, 0, &ldmp, NULL );
else
#endif /* CLDAP */
err = ldap_search_st( ld, dn, LDAP_SCOPE_BASE, "objectClass=*",
fetchattrs, 0, &timeout, &ldmp );
if ( freedn ) {
NSLDAPI_FREE( dn );
}
if ( fetchattrs != NULL ) {
ldap_value_free( fetchattrs );
}
if ( err != LDAP_SUCCESS ||
( entry = ldap_first_entry( ld, ldmp )) == NULL ) {
NSLDAPI_FREE( buf );
return( LDAP_GET_LDERRNO( ld, NULL, NULL ) );
}
err = do_entry2text( ld, buf, base, entry, tmpl, defattrs, defvals,
writeproc, writeparm, eol, rdncount, opts, urlprefix );
NSLDAPI_FREE( buf );
ldap_msgfree( ldmp );
return( err );
}
int main()
{
LDAP *ld; /* LDAP resource handle */
LDAPMessage *result, *e; /* LDAP result handle */
BerElement *ber; /* array of attributes */
char *attribute;
char **vals;
int i,rc=0;
char *attribs[3]; /* attribute array for search */
attribs[0]=strdup("uid"); /* return uid and cn of entries */
attribs[1]=strdup("cn");
attribs[2]=NULL; /* array must be NULL terminated */
/* setup LDAP connection */
if ((ld=ldap_init(LDAP_HOST, LDAP_PORT)) == NULL)
{
perror("ldap_init failed");
return EXIT_FAILURE;
}
printf("connected to LDAP server %s on port %d\n",LDAP_HOST,LDAP_PORT);
/* anonymous bind */
rc = ldap_simple_bind_s(ld,BIND_USER,BIND_PW);
if (rc != LDAP_SUCCESS)
{
fprintf(stderr,"LDAP error: %s\n",ldap_err2string(rc));
return EXIT_FAILURE;
}
else
{
printf("bind successful\n");
}
/* perform ldap search */
rc = ldap_search_s(ld, SEARCHBASE, SCOPE, FILTER, attribs, 0, &result);
if (rc != LDAP_SUCCESS)
{
fprintf(stderr,"LDAP search error: %s\n",ldap_err2string(rc));
return EXIT_FAILURE;
}
printf("Total results: %d\n", ldap_count_entries(ld, result));
for (e = ldap_first_entry(ld, result); e != NULL; e = ldap_next_entry(ld,e))
{
printf("DN: %s\n", ldap_get_dn(ld,e));
// ab hier kann abgebrochen werden für unser ftp-server
/* Now print the attributes and values of each found entry */
for (attribute = ldap_first_attribute(ld,e,&ber); attribute!=NULL; attribute = ldap_next_attribute(ld,e,ber))
{
if ((vals=ldap_get_values(ld,e,attribute)) != NULL)
{
for (i=0;vals[i]!=NULL;i++)
{
printf("\t%s: %s\n",attribute,vals[i]);
}
/* free memory used to store the values of the attribute */
ldap_value_free(vals);
}
/* free memory used to store the attribute */
ldap_memfree(attribute);
}
/* free memory used to store the value structure */
if (ber != NULL) ber_free(ber,0);
printf("\n");
}
/* free memory used for result */
ldap_msgfree(result);
free(attribs[0]);
free(attribs[1]);
printf("LDAP search suceeded\n");
ldap_unbind(ld);
return EXIT_SUCCESS;
}
/** Convert group membership information into attributes
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request.
* @param[in,out] pconn to use. May change as this function calls functions which auto re-connect.
* @return One of the RLM_MODULE_* values.
*/
rlm_rcode_t rlm_ldap_cacheable_groupobj(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn)
{
rlm_rcode_t rcode = RLM_MODULE_OK;
ldap_rcode_t status;
int ldap_errno;
LDAPMessage *result = NULL;
LDAPMessage *entry;
char const *base_dn;
char base_dn_buff[LDAP_MAX_DN_STR_LEN];
char const *filters[] = { inst->groupobj_filter, inst->groupobj_membership_filter };
char filter[LDAP_MAX_FILTER_STR_LEN + 1];
char const *attrs[] = { inst->groupobj_name_attr, NULL };
VALUE_PAIR *vp;
char *dn;
rad_assert(inst->groupobj_base_dn);
if (!inst->groupobj_membership_filter) {
RDEBUG2("Skipping caching group objects as directive 'group.membership_filter' is not set");
return RLM_MODULE_OK;
}
if (rlm_ldap_xlat_filter(request,
filters, sizeof(filters) / sizeof(*filters),
filter, sizeof(filter)) < 0) {
return RLM_MODULE_INVALID;
}
if (tmpl_expand(&base_dn, base_dn_buff, sizeof(base_dn_buff), request,
inst->groupobj_base_dn, rlm_ldap_escape_func, NULL) < 0) {
REDEBUG("Failed creating base_dn");
return RLM_MODULE_INVALID;
}
status = rlm_ldap_search(&result, inst, request, pconn, base_dn,
inst->groupobj_scope, filter, attrs, NULL, NULL);
switch (status) {
case LDAP_PROC_SUCCESS:
break;
case LDAP_PROC_NO_RESULT:
RDEBUG2("No cacheable group memberships found in group objects");
goto finish;
default:
rcode = RLM_MODULE_FAIL;
goto finish;
}
entry = ldap_first_entry((*pconn)->handle, result);
if (!entry) {
ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno));
goto finish;
}
RDEBUG("Adding cacheable group object memberships");
do {
if (inst->cacheable_group_dn) {
dn = ldap_get_dn((*pconn)->handle, entry);
if (!dn) {
ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
REDEBUG("Retrieving object DN from entry failed: %s", ldap_err2string(ldap_errno));
goto finish;
}
rlm_ldap_normalise_dn(dn, dn);
MEM(vp = pair_make_config(inst->cache_da->name, NULL, T_OP_ADD));
fr_pair_value_strcpy(vp, dn);
RINDENT();
RDEBUG("&control:%s += \"%s\"", inst->cache_da->name, dn);
REXDENT();
ldap_memfree(dn);
}
if (inst->cacheable_group_name) {
struct berval **values;
values = ldap_get_values_len((*pconn)->handle, entry, inst->groupobj_name_attr);
if (!values) continue;
MEM(vp = pair_make_config(inst->cache_da->name, NULL, T_OP_ADD));
fr_pair_value_bstrncpy(vp, values[0]->bv_val, values[0]->bv_len);
RINDENT();
RDEBUG("&control:%s += \"%.*s\"", inst->cache_da->name,
(int)values[0]->bv_len, values[0]->bv_val);
REXDENT();
ldap_value_free_len(values);
}
} while ((entry = ldap_next_entry((*pconn)->handle, entry)));
finish:
if (result) ldap_msgfree(result);
return rcode;
}
static isc_result_t
ldap_process_results (LDAP * dbc, LDAPMessage * msg, char **attrs, void *ptr, isc_boolean_t allnodes)
{
isc_result_t result = ISC_R_SUCCESS;
int i = 0;
int j;
int len;
char *attribute = NULL;
LDAPMessage *entry;
char *endp = NULL;
char *host = NULL;
char *type = NULL;
char *data = NULL;
char **vals = NULL;
int ttl;
/* make sure there are at least some attributes to process. */
REQUIRE (attrs != NULL || attrs[0] != NULL);
/* get the first entry to process */
entry = ldap_first_entry (dbc, msg);
if (entry == NULL)
{
isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_DLZ, ISC_LOG_INFO, "LDAP no entries to process.");
return (ISC_R_FAILURE);
}
/* loop through all entries returned */
while (entry != NULL)
{
/* reset for this loop */
ttl = 0;
len = 0;
i = 0;
attribute = attrs[i];
/* determine how much space we need for data string */
for (j = 0; attrs[j] != NULL; j++)
{
/* get the list of values for this attribute. */
vals = ldap_get_values (dbc, entry, attrs[j]);
/* skip empty attributes. */
if (vals == NULL || ldap_count_values (vals) < 1)
continue;
/*
* we only use the first value. this driver
* does not support multi-valued attributes.
*/
len = len + strlen (vals[0]) + 1;
/* free vals for next loop */
ldap_value_free (vals);
} /* end for (j = 0; attrs[j] != NULL, j++) loop */
/* allocate memory for data string */
data = isc_mem_allocate (ns_g_mctx, len + 1);
if (data == NULL)
{
isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
"LDAP driver unable to allocate memory " "while processing results");
result = ISC_R_FAILURE;
goto cleanup;
}
/*
* Make sure data is null termed at the beginning so
* we can check if any data was stored to it later.
*/
data[0] = '\0';
/* reset j to re-use below */
j = 0;
/* loop through the attributes in the order specified. */
while (attribute != NULL)
{
/* get the list of values for this attribute. */
vals = ldap_get_values (dbc, entry, attribute);
/* skip empty attributes. */
if (vals == NULL || vals[0] == NULL)
{
/* increment attibute pointer */
attribute = attrs[++i];
/* start loop over */
continue;
}
/*
* j initially = 0. Increment j each time we
* set a field that way next loop will set
* next field.
*/
switch (j)
{
case 0:
j++;
/*
* convert text to int, make sure it
* worked right
*/
ttl = strtol (vals[0], &endp, 10);
if (*endp != '\0' || ttl < 0)
{
isc_log_write (dns_lctx,
DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_DLZ, ISC_LOG_ERROR, "LDAP driver ttl must " "be a postive number");
goto cleanup;
}
break;
case 1:
j++;
type = isc_mem_strdup (ns_g_mctx, vals[0]);
break;
case 2:
j++;
if (allnodes == isc_boolean_true)
{
host = isc_mem_strdup (ns_g_mctx, vals[0]);
}
else
{
strcpy (data, vals[0]);
}
break;
case 3:
j++;
if (allnodes == isc_boolean_true)
{
strcpy (data, vals[0]);
}
else
{
strcat (data, " ");
strcat (data, vals[0]);
}
break;
default:
strcat (data, " ");
strcat (data, vals[0]);
break;
} /* end switch(j) */
/* free values */
ldap_value_free (vals);
vals = NULL;
/* increment attibute pointer */
attribute = attrs[++i];
} /* end while (attribute != NULL) */
if (type == NULL)
{
isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_DLZ, ISC_LOG_ERROR, "LDAP driver unable " "to retrieve DNS type");
result = ISC_R_FAILURE;
goto cleanup;
}
if (strlen (data) < 1)
{
isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_DLZ, ISC_LOG_ERROR, "LDAP driver unable " "to retrieve DNS data");
result = ISC_R_FAILURE;
goto cleanup;
}
if (allnodes == isc_boolean_true)
{
if (strcasecmp (host, "~") == 0)
result = dns_sdlz_putnamedrr ((dns_sdlzallnodes_t *) ptr, "*", type, ttl, data);
else
result = dns_sdlz_putnamedrr ((dns_sdlzallnodes_t *) ptr, host, type, ttl, data);
if (result != ISC_R_SUCCESS)
isc_log_write (dns_lctx,
DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
"dlz-ldap: putnamedrr failed "
"for \"%s %s %u %s\", %s", host, type, ttl, data, isc_result_totext (result));
}
else
{
result = dns_sdlz_putrr ((dns_sdlzlookup_t *) ptr, type, ttl, data);
if (result != ISC_R_SUCCESS)
isc_log_write (dns_lctx,
DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
"dlz-ldap: putrr failed "
"for \"%s %u %s\", %s", type, ttl, data, isc_result_totext (result));
}
if (result != ISC_R_SUCCESS)
{
isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_DLZ, ISC_LOG_ERROR, "LDAP driver failed " "while sending data to BIND.");
goto cleanup;
}
/* free memory for type, data and host for next loop */
isc_mem_free (ns_g_mctx, type);
isc_mem_free (ns_g_mctx, data);
if (host != NULL)
isc_mem_free (ns_g_mctx, host);
/* get the next entry to process */
entry = ldap_next_entry (dbc, entry);
} /* end while (entry != NULL) */
cleanup:
/* de-allocate memory */
if (vals != NULL)
ldap_value_free (vals);
if (host != NULL)
isc_mem_free (ns_g_mctx, host);
if (type != NULL)
isc_mem_free (ns_g_mctx, type);
if (data != NULL)
isc_mem_free (ns_g_mctx, data);
return (result);
}
/** Query the LDAP directory to check if a user object is a member of a group
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request.
* @param[in,out] pconn to use. May change as this function calls functions which auto re-connect.
* @param[in] dn of user object.
* @param[in] check vp containing the group value (name or dn).
* @return One of the RLM_MODULE_* values.
*/
rlm_rcode_t rlm_ldap_check_userobj_dynamic(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn,
char const *dn, VALUE_PAIR *check)
{
rlm_rcode_t rcode = RLM_MODULE_NOTFOUND, ret;
ldap_rcode_t status;
bool name_is_dn = false, value_is_dn = false;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
struct berval **values = NULL;
char const *attrs[] = { inst->userobj_membership_attr, NULL };
int i, count, ldap_errno;
RDEBUG2("Checking user object's %s attributes", inst->userobj_membership_attr);
RINDENT();
status = rlm_ldap_search(&result, inst, request, pconn, dn, LDAP_SCOPE_BASE, NULL, attrs, NULL, NULL);
REXDENT();
switch (status) {
case LDAP_PROC_SUCCESS:
break;
case LDAP_PROC_NO_RESULT:
RDEBUG("Can't check membership attributes, user object not found");
rcode = RLM_MODULE_NOTFOUND;
/* FALL-THROUGH */
default:
goto finish;
}
entry = ldap_first_entry((*pconn)->handle, result);
if (!entry) {
ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno));
rcode = RLM_MODULE_FAIL;
goto finish;
}
values = ldap_get_values_len((*pconn)->handle, entry, inst->userobj_membership_attr);
if (!values) {
RDEBUG("No group membership attribute(s) found in user object");
goto finish;
}
/*
* Loop over the list of groups the user is a member of,
* looking for a match.
*/
name_is_dn = rlm_ldap_is_dn(check->vp_strvalue, check->vp_length);
count = ldap_count_values_len(values);
for (i = 0; i < count; i++) {
value_is_dn = rlm_ldap_is_dn(values[i]->bv_val, values[i]->bv_len);
RDEBUG2("Processing %s value \"%.*s\" as a %s", inst->userobj_membership_attr,
(int)values[i]->bv_len, values[i]->bv_val, value_is_dn ? "DN" : "group name");
/*
* Both literal group names, do case sensitive comparison
*/
if (!name_is_dn && !value_is_dn) {
if ((check->vp_length == values[i]->bv_len) &&
(memcmp(values[i]->bv_val, check->vp_strvalue, values[i]->bv_len) == 0)) {
RDEBUG("User found in group \"%s\". Comparison between membership: name, check: name",
check->vp_strvalue);
rcode = RLM_MODULE_OK;
goto finish;
}
continue;
}
/*
* Both DNs, do case insensitive, binary safe comparison
*/
if (name_is_dn && value_is_dn) {
if (check->vp_length == values[i]->bv_len) {
int j;
for (j = 0; j < (int)values[i]->bv_len; j++) {
if (tolower(values[i]->bv_val[j]) != tolower(check->vp_strvalue[j])) break;
}
if (j == (int)values[i]->bv_len) {
RDEBUG("User found in group DN \"%s\". "
"Comparison between membership: dn, check: dn", check->vp_strvalue);
rcode = RLM_MODULE_OK;
goto finish;
}
}
continue;
}
/*
* If the value is not a DN, and the name we were given is a dn
* convert the value to a DN and do a comparison.
*/
if (!value_is_dn && name_is_dn) {
char *resolved;
bool eq = false;
RINDENT();
ret = rlm_ldap_group_dn2name(inst, request, pconn, check->vp_strvalue, &resolved);
REXDENT();
if (ret != RLM_MODULE_OK) {
rcode = ret;
goto finish;
}
if (((talloc_array_length(resolved) - 1) == values[i]->bv_len) &&
(memcmp(values[i]->bv_val, resolved, values[i]->bv_len) == 0)) eq = true;
talloc_free(resolved);
if (eq) {
RDEBUG("User found in group \"%.*s\". Comparison between membership: name, check: name "
"(resolved from DN \"%s\")", (int)values[i]->bv_len,
values[i]->bv_val, check->vp_strvalue);
rcode = RLM_MODULE_OK;
goto finish;
}
continue;
}
/*
* We have a value which is a DN, and a check item which specifies the name of a group,
* convert the value to a name so we can do a comparison.
*/
if (value_is_dn && !name_is_dn) {
char *resolved;
char *value;
bool eq = false;
value = rlm_ldap_berval_to_string(request, values[i]);
RINDENT();
ret = rlm_ldap_group_dn2name(inst, request, pconn, value, &resolved);
REXDENT();
talloc_free(value);
if (ret != RLM_MODULE_OK) {
rcode = ret;
goto finish;
}
if (((talloc_array_length(resolved) - 1) == check->vp_length) &&
(memcmp(check->vp_strvalue, resolved, check->vp_length) == 0)) eq = true;
talloc_free(resolved);
if (eq) {
RDEBUG("User found in group \"%s\". Comparison between membership: name "
"(resolved from DN \"%s\"), check: name", check->vp_strvalue, value);
rcode = RLM_MODULE_OK;
goto finish;
}
continue;
}
rad_assert(0);
}
finish:
if (values) ldap_value_free_len(values);
if (result) ldap_msgfree(result);
return rcode;
}
/*
* Map key -> value resolution
* NOTE: these are old-fashion maps; new maps will be parsed on separate
* config lines, and referred by name.
*/
int
rewrite_xmap_apply(
struct rewrite_info *info,
struct rewrite_op *op,
struct rewrite_map *map,
struct berval *key,
struct berval *val
)
{
int rc = REWRITE_SUCCESS;
assert( info != NULL );
assert( op != NULL );
assert( map != NULL );
assert( key != NULL );
assert( val != NULL );
val->bv_val = NULL;
val->bv_len = 0;
switch ( map->lm_type ) {
#ifdef HAVE_GETPWNAM
case REWRITE_MAP_XPWDMAP: {
struct passwd *pwd;
#ifdef USE_REWRITE_LDAP_PVT_THREADS
ldap_pvt_thread_mutex_lock( &xpasswd_mutex );
#endif /* USE_REWRITE_LDAP_PVT_THREADS */
pwd = getpwnam( key->bv_val );
if ( pwd == NULL ) {
#ifdef USE_REWRITE_LDAP_PVT_THREADS
ldap_pvt_thread_mutex_unlock( &xpasswd_mutex );
#endif /* USE_REWRITE_LDAP_PVT_THREADS */
rc = LDAP_NO_SUCH_OBJECT;
break;
}
#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
if ( pwd->pw_gecos != NULL && pwd->pw_gecos[0] != '\0' ) {
int l = strlen( pwd->pw_gecos );
val->bv_val = strdup( pwd->pw_gecos );
val->bv_len = l;
} else
#endif /* HAVE_STRUCT_PASSWD_PW_GECOS */
{
val->bv_val = strdup( key->bv_val );
val->bv_len = key->bv_len;
}
#ifdef USE_REWRITE_LDAP_PVT_THREADS
ldap_pvt_thread_mutex_unlock( &xpasswd_mutex );
#endif /* USE_REWRITE_LDAP_PVT_THREADS */
if ( val->bv_val == NULL ) {
rc = REWRITE_ERR;
}
break;
}
#endif /* HAVE_GETPWNAM*/
case REWRITE_MAP_XFILEMAP: {
char buf[1024];
if ( map->lm_args == NULL ) {
rc = REWRITE_ERR;
break;
}
#ifdef USE_REWRITE_LDAP_PVT_THREADS
ldap_pvt_thread_mutex_lock( &map->lm_mutex );
#endif /* USE_REWRITE_LDAP_PVT_THREADS */
rewind( ( FILE * )map->lm_args );
while ( fgets( buf, sizeof( buf ), ( FILE * )map->lm_args ) ) {
char *p;
int blen;
blen = strlen( buf );
if ( buf[ blen - 1 ] == '\n' ) {
buf[ blen - 1 ] = '\0';
}
p = strtok( buf, " " );
if ( p == NULL ) {
#ifdef USE_REWRITE_LDAP_PVT_THREADS
ldap_pvt_thread_mutex_unlock( &map->lm_mutex );
#endif /* USE_REWRITE_LDAP_PVT_THREADS */
rc = REWRITE_ERR;
goto rc_return;
}
if ( strcasecmp( p, key->bv_val ) == 0
&& ( p = strtok( NULL, "" ) ) ) {
val->bv_val = strdup( p );
if ( val->bv_val == NULL ) {
#ifdef USE_REWRITE_LDAP_PVT_THREADS
ldap_pvt_thread_mutex_unlock( &map->lm_mutex );
#endif /* USE_REWRITE_LDAP_PVT_THREADS */
rc = REWRITE_ERR;
goto rc_return;
}
val->bv_len = strlen( p );
#ifdef USE_REWRITE_LDAP_PVT_THREADS
ldap_pvt_thread_mutex_unlock( &map->lm_mutex );
#endif /* USE_REWRITE_LDAP_PVT_THREADS */
goto rc_return;
}
}
#ifdef USE_REWRITE_LDAP_PVT_THREADS
ldap_pvt_thread_mutex_unlock( &map->lm_mutex );
#endif /* USE_REWRITE_LDAP_PVT_THREADS */
rc = REWRITE_ERR;
break;
}
case REWRITE_MAP_XLDAPMAP: {
LDAP *ld;
char filter[1024];
LDAPMessage *res = NULL, *entry;
LDAPURLDesc *lud = ( LDAPURLDesc * )map->lm_args;
int attrsonly = 0;
char **values;
assert( lud != NULL );
/*
* No mutex because there is no write on the map data
*/
ld = ldap_init( lud->lud_host, lud->lud_port );
if ( ld == NULL ) {
rc = REWRITE_ERR;
goto rc_return;
}
snprintf( filter, sizeof( filter ), lud->lud_filter,
key->bv_val );
if ( strcasecmp( lud->lud_attrs[ 0 ], "dn" ) == 0 ) {
attrsonly = 1;
}
rc = ldap_search_s( ld, lud->lud_dn, lud->lud_scope,
filter, lud->lud_attrs, attrsonly, &res );
if ( rc != LDAP_SUCCESS ) {
ldap_unbind( ld );
rc = REWRITE_ERR;
goto rc_return;
}
if ( ldap_count_entries( ld, res ) != 1 ) {
ldap_unbind( ld );
rc = REWRITE_ERR;
goto rc_return;
}
entry = ldap_first_entry( ld, res );
if ( entry == NULL ) {
ldap_msgfree( res );
ldap_unbind( ld );
rc = REWRITE_ERR;
goto rc_return;
}
if ( attrsonly == 1 ) {
val->bv_val = ldap_get_dn( ld, entry );
} else {
values = ldap_get_values( ld, entry,
lud->lud_attrs[0] );
if ( values != NULL ) {
val->bv_val = strdup( values[ 0 ] );
ldap_value_free( values );
}
}
ldap_msgfree( res );
ldap_unbind( ld );
if ( val->bv_val == NULL ) {
rc = REWRITE_ERR;
goto rc_return;
}
val->bv_len = strlen( val->bv_val );
rc = REWRITE_SUCCESS;
} break;
}
rc_return:;
return rc;
}
static
DWORD
VMCALdapFindObject(
PVMCA_LDAP_CONTEXT pContext,
PCSTR pszBaseDN,
ber_int_t scope,
PCSTR pszAttribute,
PCSTR pszValue,
PSTR *ppszObjectDN
)
{
DWORD dwError = 0;
DWORD dwNumEntries = 0;
LDAPMessage* pResult = NULL;
LDAPMessage* pEntry = NULL;
PSTR pszFilter = NULL;
PSTR pszObjectDN = NULL;
if (pszAttribute && pszValue)
{
VMCAAllocateStringPrintfA(&pszFilter, "(%s=%s)", pszAttribute, pszValue);
}
dwError = ldap_search_ext_s(
pContext->pConnection,
(PSTR)pszBaseDN,
scope,
pszFilter,
NULL, /* attributes */
TRUE,
NULL, /* server controls */
NULL, /* client controls */
NULL, /* timeout */
0,
&pResult);
BAIL_ON_ERROR(dwError);
dwNumEntries = ldap_count_entries(pContext->pConnection, pResult);
if (dwNumEntries > 1)
{
dwError = ERROR_INVALID_STATE;
BAIL_ON_ERROR(dwError);
}
else if (dwNumEntries == 0)
{
dwError = ERROR_NOT_FOUND;
BAIL_ON_ERROR(dwError);
}
else
{
pEntry = ldap_first_entry(pContext->pConnection, pResult);
if (!pEntry)
{
dwError = ERROR_INVALID_STATE;
BAIL_ON_ERROR(dwError);
}
pszObjectDN = ldap_get_dn(pContext->pConnection, pEntry);
if (IsNullOrEmptyString(pszObjectDN))
{
dwError = ERROR_INVALID_STATE;
BAIL_ON_ERROR(dwError);
}
*ppszObjectDN = pszObjectDN;
}
cleanup:
if (pResult)
{
ldap_msgfree(pResult);
}
VMCA_SAFE_FREE_STRINGA(pszFilter);
return dwError;
error :
VMCA_SAFE_FREE_STRINGA(pszObjectDN);
if (dwError == LDAP_NO_SUCH_OBJECT)
{
dwError = 0;
}
goto cleanup;
}
static void *search_thread(char *id) {
LDAPMessage *res, *entry;
char *dn, filter[40];
int rc, opcount;
void *voidrc = (void *)0;
printf("Starting search_thread %s.\n", id);
opcount = 0;
tsd_setup();
for (;;) {
if (range_filters) {
switch (get_random_id() % 3) {
case 0:
sprintf(filter, "(cn>=%d)", get_random_id());
break;
case 1:
sprintf(filter, "(cn<=%d)", get_random_id());
break;
case 2:
sprintf(filter, "(&(cn>=%d)(cn<=%d))", get_random_id(),
get_random_id());
break;
}
} else {
sprintf(filter, "cn=%d", get_random_id());
}
printf("Thread %s: Searching for entry (%s)\n", id, filter);
res = NULL;
if ((rc = ldap_search_ext_s(ld, BASE, SCOPE, filter, NULL, 0, NULL, NULL,
NULL, 0, &res)) != LDAP_SUCCESS) {
ldap_perror(ld, "ldap_search_ext_s");
if (rc == LDAP_SERVER_DOWN) {
perror("ldap_search_ext_s");
voidrc = (void *)1;
goto search_cleanup_and_return;
}
}
if (res != NULL) {
entry = ldap_first_entry(ld, res);
if (entry == NULL) {
printf("Thread %s: found no entries\n", id);
} else {
dn = ldap_get_dn(ld, entry);
printf("Thread %s: found entry (%s); %d total\n", id,
dn == NULL ? "(Null)" : dn, ldap_count_entries(ld, res));
ldap_memfree(dn);
}
ldap_msgfree(res);
}
++opcount;
if (maxops != 0 && opcount >= maxops) {
break;
}
}
search_cleanup_and_return:
printf("Thread %s: attempted %d search operations\n", id, opcount);
set_ld_error(0, NULL, NULL, NULL); /* disposes of memory */
tsd_cleanup();
free(id);
return voidrc;
}
DWORD
VMCALdapGetMemberships(
PVMCA_LDAP_CONTEXT pConnection,
PCSTR pszUPNName,
PSTR **pppszMemberships,
PDWORD pdwMemberships
)
{
DWORD dwError = 0;
PSTR pszFilter = NULL;
PSTR pszAttrMemberOf = ATTR_MEMBEROF; // memberOf
PSTR ppszAttrs[] = { pszAttrMemberOf, NULL};
DWORD dwCount = 0;
LDAPMessage *pResult = NULL;
LDAPMessage *pEntry = NULL;
struct berval** ppValues = NULL;
PSTR *ppszMemberships = NULL;
DWORD dwMemberships = 0;
DWORD i = 0;
LDAP *pLd = NULL;
if (pConnection == NULL ||
pConnection->pConnection == NULL ||
IsNullOrEmptyString(pszUPNName) ||
pppszMemberships == NULL ||
pdwMemberships == NULL)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMCA_ERROR(dwError);
}
pLd = pConnection->pConnection;
dwError = VMCAAllocateStringPrintfA(&pszFilter, "(%s=%s)", ATTR_KRB_UPN, pszUPNName); // userPrincipalName
BAIL_ON_VMCA_ERROR(dwError);
dwError = ldap_search_ext_s(
pLd,
"",
LDAP_SCOPE_SUBTREE,
pszFilter,
(PSTR*)ppszAttrs,
0,
NULL,
NULL,
NULL,
-1,
&pResult);
BAIL_ON_VMCA_ERROR(dwError);
dwCount = ldap_count_entries(pLd, pResult);
if (dwCount == 0)
{
dwError = LDAP_NO_SUCH_OBJECT;
BAIL_ON_VMCA_ERROR(dwError);
}
else if (dwCount > 1)
{
dwError = LDAP_OPERATIONS_ERROR;
BAIL_ON_VMCA_ERROR(dwError);
}
pEntry = ldap_first_entry(pLd, pResult);
if (!pEntry)
{
dwError = LDAP_NO_SUCH_OBJECT;
BAIL_ON_VMCA_ERROR(dwError);
}
ppValues = ldap_get_values_len(pLd, pEntry, pszAttrMemberOf);
if (!ppValues)
{
dwMemberships = 0;
}
else
{
dwMemberships = ldap_count_values_len(ppValues);
}
if (dwMemberships)
{
dwError = VMCAAllocateMemory(dwMemberships * sizeof(PSTR), (PVOID*)&ppszMemberships);
BAIL_ON_VMCA_ERROR(dwError);
for (i = 0; ppValues[i] != NULL; i++)
{
PCSTR pszMemberOf = ppValues[i]->bv_val;
dwError = VMCAAllocateStringA(pszMemberOf, &ppszMemberships[i]);
BAIL_ON_VMCA_ERROR(dwError);
}
}
*pppszMemberships = ppszMemberships;
*pdwMemberships = dwMemberships;
cleanup:
if(ppValues)
{
ldap_value_free_len(ppValues);
}
if (pResult)
{
ldap_msgfree(pResult);
}
VMCA_SAFE_FREE_MEMORY(pszFilter);
return dwError;
error:
if (ppszMemberships != NULL && dwMemberships > 0)
{
for (i = 0; i < dwMemberships; i++)
{
VMCA_SAFE_FREE_STRINGA(ppszMemberships[i]);
}
VMCA_SAFE_FREE_MEMORY(ppszMemberships);
}
goto cleanup;
}
void run_ldap_tests(service_t *ldaptest, int sslcertcheck, int querytimeout)
{
#ifdef XYMON_LDAP
ldap_data_t *req;
testitem_t *t;
struct timespec starttime;
struct timespec endtime;
/* Pick a sensible default for the timeout setting */
if (querytimeout == 0) querytimeout = 30;
for (t = ldaptest->items; (t); t = t->next) {
LDAPURLDesc *ludp;
LDAP *ld;
int rc, finished;
int msgID = -1;
struct timeval ldaptimeout;
struct timeval openldaptimeout;
LDAPMessage *result;
LDAPMessage *e;
strbuffer_t *response;
char buf[MAX_LINE_LEN];
req = (ldap_data_t *) t->privdata;
if (req->skiptest) continue;
ludp = (LDAPURLDesc *) req->ldapdesc;
getntimer(&starttime);
/* Initiate session with the LDAP server */
dbgprintf("Initiating LDAP session for host %s port %d\n",
ludp->lud_host, ludp->lud_port);
if( (ld = ldap_init(ludp->lud_host, ludp->lud_port)) == NULL ) {
dbgprintf("ldap_init failed\n");
req->ldapstatus = XYMON_LDAP_INITFAIL;
continue;
}
/*
* There is apparently no standard way of defining a network
* timeout for the initial connection setup.
*/
#if (LDAP_VENDOR == OpenLDAP) && defined(LDAP_OPT_NETWORK_TIMEOUT)
/*
* OpenLDAP has an undocumented ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv)
*/
openldaptimeout.tv_sec = querytimeout;
openldaptimeout.tv_usec = 0;
ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &openldaptimeout);
#else
/*
* So using an alarm() to interrupt any pending operations
* seems to be the least insane way of doing this.
*
* Note that we must do this right after ldap_init(), as
* any operation on the session handle (ld) may trigger the
* network connection to be established.
*/
connect_timeout = 0;
signal(SIGALRM, ldap_alarmhandler);
alarm(querytimeout);
#endif
/*
* This is completely undocumented in the OpenLDAP docs.
* But apparently it is documented in
* http://www.ietf.org/proceedings/99jul/I-D/draft-ietf-ldapext-ldap-c-api-03.txt
*
* Both of these routines appear in the <ldap.h> file
* from OpenLDAP 2.1.22. Their use to enable TLS has
* been deciphered from the ldapsearch() utility
* sourcecode.
*
* According to Manon Goo <*****@*****.**>, recent (Jan. 2005)
* OpenLDAP implementations refuse to talk LDAPv2.
*/
#ifdef LDAP_OPT_PROTOCOL_VERSION
{
int protocol = LDAP_VERSION3;
dbgprintf("Attempting to select LDAPv3\n");
if ((rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &protocol)) != LDAP_SUCCESS) {
dbgprintf("Failed to select LDAPv3, trying LDAPv2\n");
protocol = LDAP_VERSION2;
if ((rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &protocol)) != LDAP_SUCCESS) {
req->output = strdup(ldap_err2string(rc));
req->ldapstatus = XYMON_LDAP_TLSFAIL;
}
continue;
}
}
#endif
#ifdef XYMON_LDAP_USESTARTTLS
if (req->usetls) {
dbgprintf("Trying to enable TLS for session\n");
if ((rc = ldap_start_tls_s(ld, NULL, NULL)) != LDAP_SUCCESS) {
dbgprintf("ldap_start_tls failed\n");
req->output = strdup(ldap_err2string(rc));
req->ldapstatus = XYMON_LDAP_TLSFAIL;
continue;
}
}
#endif
if (!connect_timeout) {
msgID = ldap_simple_bind(ld, (t->host->ldapuser ? t->host->ldapuser : ""),
(t->host->ldappasswd ? t->host->ldappasswd : ""));
}
/* Cancel any pending alarms */
alarm(0);
signal(SIGALRM, SIG_DFL);
/* Did we connect? */
if (connect_timeout || (msgID == -1)) {
req->ldapstatus = XYMON_LDAP_BINDFAIL;
req->output = "Cannot connect to server";
continue;
}
/* Wait for bind to complete */
rc = 0; finished = 0;
ldaptimeout.tv_sec = querytimeout;
ldaptimeout.tv_usec = 0L;
while( ! finished ) {
int rc2;
rc = ldap_result(ld, msgID, LDAP_MSG_ONE, &ldaptimeout, &result);
dbgprintf("ldap_result returned %d for ldap_simple_bind()\n", rc);
if(rc == -1) {
finished = 1;
req->ldapstatus = XYMON_LDAP_BINDFAIL;
if (result == NULL) {
errprintf("LDAP library problem - NULL result returned\n");
req->output = strdup("LDAP BIND failed\n");
}
else {
rc2 = ldap_result2error(ld, result, 1);
req->output = strdup(ldap_err2string(rc2));
}
ldap_unbind(ld);
}
else if (rc == 0) {
finished = 1;
req->ldapstatus = XYMON_LDAP_BINDFAIL;
req->output = strdup("Connection timeout");
ldap_unbind(ld);
}
else if( rc > 0 ) {
finished = 1;
if (result == NULL) {
errprintf("LDAP library problem - got a NULL resultcode for status %d\n", rc);
req->ldapstatus = XYMON_LDAP_BINDFAIL;
req->output = strdup("LDAP library problem: ldap_result2error returned a NULL result for status %d\n");
ldap_unbind(ld);
}
else {
rc2 = ldap_result2error(ld, result, 1);
if(rc2 != LDAP_SUCCESS) {
req->ldapstatus = XYMON_LDAP_BINDFAIL;
req->output = strdup(ldap_err2string(rc));
ldap_unbind(ld);
}
}
}
} /* ... while() */
/* We're done connecting. If something went wrong, go to next query. */
if (req->ldapstatus != 0) continue;
/* Now do the search. With a timeout */
ldaptimeout.tv_sec = querytimeout;
ldaptimeout.tv_usec = 0L;
rc = ldap_search_st(ld, ludp->lud_dn, ludp->lud_scope, ludp->lud_filter, ludp->lud_attrs, 0, &ldaptimeout, &result);
if(rc == LDAP_TIMEOUT) {
req->ldapstatus = XYMON_LDAP_TIMEOUT;
req->output = strdup(ldap_err2string(rc));
ldap_unbind(ld);
continue;
}
if( rc != LDAP_SUCCESS ) {
req->ldapstatus = XYMON_LDAP_SEARCHFAILED;
req->output = strdup(ldap_err2string(rc));
ldap_unbind(ld);
continue;
}
getntimer(&endtime);
response = newstrbuffer(0);
sprintf(buf, "Searching LDAP for %s yields %d results:\n\n",
t->testspec, ldap_count_entries(ld, result));
addtobuffer(response, buf);
for(e = ldap_first_entry(ld, result); (e != NULL); e = ldap_next_entry(ld, e) ) {
char *dn;
BerElement *ber;
char *attribute;
char **vals;
dn = ldap_get_dn(ld, e);
sprintf(buf, "DN: %s\n", dn);
addtobuffer(response, buf);
/* Addtributes and values */
for (attribute = ldap_first_attribute(ld, e, &ber); (attribute != NULL); attribute = ldap_next_attribute(ld, e, ber) ) {
if ((vals = ldap_get_values(ld, e, attribute)) != NULL) {
int i;
for(i = 0; (vals[i] != NULL); i++) {
sprintf(buf, "\t%s: %s\n", attribute, vals[i]);
addtobuffer(response, buf);
}
}
/* Free memory used to store values */
ldap_value_free(vals);
}
/* Free memory used to store attribute */
ldap_memfree(attribute);
ldap_memfree(dn);
if (ber != NULL) ber_free(ber, 0);
addtobuffer(response, "\n");
}
req->ldapstatus = XYMON_LDAP_OK;
req->output = grabstrbuffer(response);
tvdiff(&starttime, &endtime, &req->duration);
ldap_msgfree(result);
ldap_unbind(ld);
ldap_free_urldesc(ludp);
}
#endif
}
//get username
int getUsername()
{
LDAP *ld;
struct json_object *my_object,*my_array;
const char* split = "CN=,";
char *p;
char*tmp;
char *user;
int i = 0;
int nl ;
int result;
int auth_method = LDAP_AUTH_SIMPLE;
int desired_version = LDAP_VERSION3;
char *ldap_host = "WIN2K82";
char *root_dn = "*****@*****.**";
char *root_pw = "123qwe!@#";
BerElement* ber;
LDAPMessage* msg;
LDAPMessage* entry;
char* base="CN=Users,dc=abc,dc=com";
char* filter="(objectClass=user)";
char* errstring;
char* dn = NULL;
char* attr;
char** vals;
if ((ld = ldap_init(ldap_host, LDAP_PORT)) == NULL ) {
perror( "ldap_init failed" );
exit( EXIT_FAILURE );
}
/* set the LDAP version to be 3 */
if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version) != LDAP_OPT_SUCCESS)
{
ldap_perror(ld, "ldap_set_option");
exit(EXIT_FAILURE);
}
if (ldap_bind_s(ld, root_dn, root_pw, auth_method) != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_bind" );
exit( EXIT_FAILURE );
}
if (ldap_search_s(ld, base, LDAP_SCOPE_SUBTREE, filter, NULL, 0, &msg) != LDAP_SUCCESS) {
ldap_perror( ld, "ldap_search_s" );
exit(EXIT_FAILURE);
}
my_object = json_object_new_object();
my_array = json_object_new_array();
int n = 0;//find return
/* Iterate through the returned entries */
for(entry = ldap_first_entry(ld, msg); entry != NULL; entry = ldap_next_entry(ld, entry)) {
if((dn = ldap_get_dn(ld, entry)) != NULL) {
//printf("Returned dn: %s\n", dn);
tmp = dn;
p = strtok (tmp,",");
if(p){
p = strtok(p,"=");
p = strtok(NULL, ",");
BlToSl(p);
//if (p)
//printf("p=%s\n",p);
}
i++;
json_object_array_add(my_array, json_object_new_int(i));
json_object_array_put_idx(my_array, i, json_object_new_int(i));
struct json_object *obj = json_object_array_get_idx(my_array, i);
json_object_object_add(my_object, json_object_to_json_string(obj), json_object_new_string(p));
ldap_memfree(dn);
}
}
printf("%s\n", json_object_to_json_string(my_object));
/* clean up */
ldap_msgfree(msg);
result = ldap_unbind_s(ld);
if (result != 0) {
fprintf(stderr, "ldap_unbind_s: %s\n", ldap_err2string(result));
exit( EXIT_FAILURE );
}
return EXIT_SUCCESS;
}
int main(int argc, char* argv[])
{
DWORD dwError = 0;
const int ldapVer = LDAP_VERSION3;
PVMDIR_QUERY_ARGS pArgs = NULL;
PSTR pszLdapURL = NULL;
LDAP* pLd = NULL;
BerValue ldapBindPwd = {0};
LDAPMessage* pResult = NULL;
PSTR pszDN = NULL;
dwError = VmDirQueryParseArgs(argc, argv, &pArgs);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirAllocateStringAVsnprintf(
&pszLdapURL,
"ldap://%s",
pArgs->pszHostname);
BAIL_ON_VMDIR_ERROR(dwError);
#if 0
dwError = ldap_initialize(&pLd, pszLdapURL);
BAIL_ON_VMDIR_ERROR(dwError);
#else
pLd = ldap_open(pArgs->pszHostname, 389);
if (!pLd)
{
dwError = VMDIR_ERROR_SERVER_DOWN;
BAIL_ON_VMDIR_ERROR(dwError);
}
#endif
dwError = ldap_set_option(pLd, LDAP_OPT_PROTOCOL_VERSION, &ldapVer);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = ldap_set_option(pLd, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
BAIL_ON_VMDIR_ERROR(dwError);
ldapBindPwd.bv_val = pArgs->pszPassword;
ldapBindPwd.bv_len = strlen(pArgs->pszPassword);
#if 0
dwError = ldap_sasl_bind_s(
pLd,
pArgs->pszBindDN,
LDAP_SASL_SIMPLE,
&ldapBindPwd,
NULL,
NULL,
NULL);
BAIL_ON_VMDIR_ERROR(dwError);
#else
dwError = ldap_bind_s(
pLd,
pArgs->pszBindDN,
pArgs->pszPassword,
LDAP_AUTH_SIMPLE);
BAIL_ON_VMDIR_ERROR(dwError);
#endif
#if 0
dwError = ldap_search_ext_s(
pLd,
pArgs->pszBaseDN,
LDAP_SCOPE_SUBTREE,
pArgs->pszFilter,
NULL,
TRUE,
NULL, // server ctrls
NULL, // client ctrls
NULL, // timeout
-1, // size limit,
&pResult);
BAIL_ON_VMDIR_ERROR(dwError);
#else
dwError = ldap_search_s(
pLd,
pArgs->pszBaseDN,
LDAP_SCOPE_SUBTREE,
pArgs->pszFilter,
NULL,
TRUE,
&pResult);
BAIL_ON_VMDIR_ERROR(dwError);
#endif
if (ldap_count_entries(pLd, pResult) > 0)
{
LDAPMessage* pEntry = ldap_first_entry(pLd, pResult);
for (; pEntry != NULL; pEntry = ldap_next_entry(pLd, pEntry))
{
if (pszDN)
{
ldap_memfree(pszDN);
pszDN = NULL;
}
pszDN = ldap_get_dn(pLd, pEntry);
if (IsNullOrEmptyString(pszDN))
{
dwError = VMDIR_ERROR_INVALID_DN;
BAIL_ON_VMDIR_ERROR(dwError);
}
fprintf(stdout, "DN : %s\n", pszDN);
}
}
cleanup:
if (pArgs)
{
VmDirFreeArgs(pArgs);
}
VMDIR_SAFE_FREE_MEMORY(pszLdapURL);
if (pResult)
{
ldap_msgfree(pResult);
}
if (pszDN)
{
ldap_memfree(pszDN);
}
if (pLd)
{
ldap_unbind_ext_s(pLd, NULL, NULL);
}
return dwError;
error:
goto cleanup;
}
