static char*
check_ldap_auth(LD_session *session, char *login, unsigned char *password, char *fullname) {
int rc = 0, count = 0;
char logbuf[MAXLOGBUF];
LDAPMessage *res, *entry;
char *attr, *dn;
BerElement * ber;
struct berval **list_of_values;
struct berval value;
char *validgroups;
char filter[MAXFILTERSTR];
struct berval cred_user;
/* Check authorization */
memset(filter, 0, 100);
snprintf(filter, MAXLOGBUF, "(&(objectClass=posixGroup)(memberUid=%s))", login);
cred_user.bv_val = (const char *)password;
cred_user.bv_len = strlen(cred_user.bv_val);
#if LDAP_API_VERSION > 3000
if((rc = ldap_sasl_bind_s(session->sess, fullname, ldap_authorization_type, &cred_user, NULL, NULL, NULL))!=LDAP_SUCCESS) {
snprintf(logbuf, MAXLOGBUF, "Ldap server %s authentificate with method %s failed: %s", ldap_authorization_host, ldap_authorization_type, ldap_err2string(rc));
ldap_log(LOG_DEBUG, logbuf);
return RETURN_TRUE;
};
#else
if((rc = ldap_bind_s(session->sess, fullname, password, LDAP_AUTH_SIMPLE))!=LDAP_SUCCESS) {
snprintf(logbuf, MAXLOGBUF, "Ldap server %s authentificate failed: %s", ldap_authorization_host, ldap_err2string(rc));
ldap_log(LOG_DEBUG, logbuf);
return RETURN_TRUE;
}
#endif
if ((rc = ldap_search_ext_s(session->sess, ldap_authorization_basedn, LDAP_SCOPE_SUBTREE, filter, NULL, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &res)) != LDAP_SUCCESS) {
#if LDAP_API_VERSION > 3000
ldap_unbind_ext(session->sess, NULL, NULL);
#else
ldap_unbind(session->sess);
#endif
return RETURN_TRUE;
}
for (entry = ldap_first_entry(session->sess,res); entry!=NULL && count<=ldap_count_messages(session->sess, res); entry=ldap_next_entry(session->sess, res)) {
count++;
for(attr = ldap_first_attribute(session->sess,entry,&ber); attr != NULL ; attr=ldap_next_attribute(session->sess,entry,ber)) {
snprintf(logbuf, MAXLOGBUF, "Found attribute %s", attr);
ldap_log(LOG_DEBUG, logbuf);
if (strcmp(attr, "cn"))
continue;
if ((list_of_values = ldap_get_values_len(session->sess, entry, attr)) != NULL ) {
value = *list_of_values[0];
char temp[MAXGROUPLIST];
memset(temp, 0, MAXGROUPLIST);
if (ldap_authorization_validgroups) {
strcpy(temp, ldap_authorization_validgroups);
validgroups = strtok(temp, ",");
while (validgroups != NULL)
{
snprintf(logbuf, MAXLOGBUF, "Attribute value validgroups ? value.bv_val >> %s ? %s", validgroups, value.bv_val);
ldap_log(LOG_DEBUG, logbuf);
if (!strcmp(validgroups, value.bv_val))
{
ldap_msgfree(res);
#if LDAP_API_VERSION > 3000
ldap_unbind_ext(session->sess, NULL, NULL);
#else
ldap_unbind(session->sess);
#endif
dn = malloc((int)strlen(value.bv_val)*sizeof(char));
memset(dn, 0, (int)strlen(value.bv_val)*sizeof(char));
strcpy(dn, value.bv_val);
return dn;
}
validgroups = strtok (NULL, ",");
}
// printf("VAL: %s\n", value.bv_val);
ldap_value_free_len( list_of_values );
}
}
}
res = ldap_next_message(session->sess, res);
};
ldap_msgfree(res);
#if LDAP_API_VERSION > 3000
ldap_unbind_ext(session->sess, NULL, NULL);
#else
ldap_unbind(session->sess);
#endif
return RETURN_TRUE;
}
/** Convert group membership information into attributes
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request.
* @param[in,out] pconn to use. May change as this function calls functions which auto re-connect.
* @return One of the RLM_MODULE_* values.
*/
rlm_rcode_t rlm_ldap_cacheable_groupobj(ldap_instance_t const *inst, REQUEST *request, ldap_handle_t **pconn)
{
rlm_rcode_t rcode = RLM_MODULE_OK;
ldap_rcode_t status;
int ldap_errno;
LDAPMessage *result = NULL;
LDAPMessage *entry;
char base_dn[LDAP_MAX_DN_STR_LEN];
char const *filters[] = { inst->groupobj_filter, inst->groupobj_membership_filter };
char filter[LDAP_MAX_FILTER_STR_LEN + 1];
char const *attrs[] = { inst->groupobj_name_attr, NULL };
VALUE_PAIR *vp;
char *dn;
rad_assert(inst->groupobj_base_dn);
if (!inst->groupobj_membership_filter) {
RDEBUG2("Skipping caching group objects as directive 'group.membership_filter' is not set");
return RLM_MODULE_OK;
}
if (rlm_ldap_xlat_filter(request,
filters, sizeof(filters) / sizeof(*filters),
filter, sizeof(filter)) < 0) {
return RLM_MODULE_INVALID;
}
if (radius_xlat(base_dn, sizeof(base_dn), request, inst->groupobj_base_dn, rlm_ldap_escape_func, NULL) < 0) {
REDEBUG("Failed creating base_dn");
return RLM_MODULE_INVALID;
}
status = rlm_ldap_search(inst, request, pconn, base_dn, inst->groupobj_scope, filter, attrs, &result);
switch (status) {
case LDAP_PROC_SUCCESS:
break;
case LDAP_PROC_NO_RESULT:
RDEBUG2("No cacheable group memberships found in group objects");
default:
goto finish;
}
entry = ldap_first_entry((*pconn)->handle, result);
if (!entry) {
ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno));
goto finish;
}
do {
if (inst->cacheable_group_dn) {
dn = ldap_get_dn((*pconn)->handle, entry);
if (!dn) {
ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
REDEBUG("Retrieving object DN from entry failed: %s", ldap_err2string(ldap_errno));
goto finish;
}
rlm_ldap_normalise_dn(dn, dn);
MEM(vp = pairmake_config(inst->cache_da->name, NULL, T_OP_ADD));
pairstrcpy(vp, dn);
RDEBUG("Added control:%s with value \"%s\"", inst->cache_da->name, dn);
ldap_memfree(dn);
}
if (inst->cacheable_group_name) {
struct berval **values;
values = ldap_get_values_len((*pconn)->handle, entry, inst->groupobj_name_attr);
if (!values) continue;
MEM(vp = pairmake_config(inst->cache_da->name, NULL, T_OP_ADD));
pairstrncpy(vp, values[0]->bv_val, values[0]->bv_len);
RDEBUG("Added control:%s with value \"%.*s\"", inst->cache_da->name,
(int)values[0]->bv_len, values[0]->bv_val);
ldap_value_free_len(values);
}
} while ((entry = ldap_next_entry((*pconn)->handle, entry)));
finish:
if (result) ldap_msgfree(result);
return rcode;
}
static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
{
CURLcode status = CURLE_OK;
int rc = 0;
LDAP *server = NULL;
LDAPURLDesc *ludp = NULL;
LDAPMessage *result = NULL;
LDAPMessage *entryIterator;
int num = 0;
struct SessionHandle *data=conn->data;
int ldap_proto = LDAP_VERSION3;
int ldap_ssl = 0;
char *val_b64 = NULL;
size_t val_b64_sz = 0;
curl_off_t dlsize = 0;
#ifdef LDAP_OPT_NETWORK_TIMEOUT
struct timeval ldap_timeout = {10,0}; /* 10 sec connection/search timeout */
#endif
*done = TRUE; /* unconditionally */
infof(data, "LDAP local: LDAP Vendor = %s ; LDAP Version = %d\n",
LDAP_VENDOR_NAME, LDAP_VENDOR_VERSION);
infof(data, "LDAP local: %s\n", data->change.url);
#ifdef HAVE_LDAP_URL_PARSE
rc = ldap_url_parse(data->change.url, &ludp);
#else
rc = _ldap_url_parse(conn, &ludp);
#endif
if(rc != 0) {
failf(data, "LDAP local: %s", ldap_err2string(rc));
status = CURLE_LDAP_INVALID_URL;
goto quit;
}
/* Get the URL scheme ( either ldap or ldaps ) */
if(conn->given->flags & PROTOPT_SSL)
ldap_ssl = 1;
infof(data, "LDAP local: trying to establish %s connection\n",
ldap_ssl ? "encrypted" : "cleartext");
#ifdef LDAP_OPT_NETWORK_TIMEOUT
ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
#endif
ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
if(ldap_ssl) {
#ifdef HAVE_LDAP_SSL
#ifdef CURL_LDAP_WIN
/* Win32 LDAP SDK doesn't support insecure mode without CA! */
server = ldap_sslinit(conn->host.name, (int)conn->port, 1);
ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON);
#else
int ldap_option;
char* ldap_ca = data->set.str[STRING_SSL_CAFILE];
#if defined(CURL_HAS_NOVELL_LDAPSDK)
rc = ldapssl_client_init(NULL, NULL);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ldapssl_client_init %s", ldap_err2string(rc));
status = CURLE_SSL_CERTPROBLEM;
goto quit;
}
if(data->set.ssl.verifypeer) {
/* Novell SDK supports DER or BASE64 files. */
int cert_type = LDAPSSL_CERT_FILETYPE_B64;
if((data->set.str[STRING_CERT_TYPE]) &&
(Curl_raw_equal(data->set.str[STRING_CERT_TYPE], "DER")))
cert_type = LDAPSSL_CERT_FILETYPE_DER;
if(!ldap_ca) {
failf(data, "LDAP local: ERROR %s CA cert not set!",
(cert_type == LDAPSSL_CERT_FILETYPE_DER ? "DER" : "PEM"));
status = CURLE_SSL_CERTPROBLEM;
goto quit;
}
infof(data, "LDAP local: using %s CA cert '%s'\n",
(cert_type == LDAPSSL_CERT_FILETYPE_DER ? "DER" : "PEM"),
ldap_ca);
rc = ldapssl_add_trusted_cert(ldap_ca, cert_type);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ERROR setting %s CA cert: %s",
(cert_type == LDAPSSL_CERT_FILETYPE_DER ? "DER" : "PEM"),
ldap_err2string(rc));
status = CURLE_SSL_CERTPROBLEM;
goto quit;
}
ldap_option = LDAPSSL_VERIFY_SERVER;
}
else
ldap_option = LDAPSSL_VERIFY_NONE;
rc = ldapssl_set_verify_mode(ldap_option);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ERROR setting cert verify mode: %s",
ldap_err2string(rc));
status = CURLE_SSL_CERTPROBLEM;
goto quit;
}
server = ldapssl_init(conn->host.name, (int)conn->port, 1);
if(server == NULL) {
failf(data, "LDAP local: Cannot connect to %s:%hu",
conn->host.name, conn->port);
status = CURLE_COULDNT_CONNECT;
goto quit;
}
#elif defined(LDAP_OPT_X_TLS)
if(data->set.ssl.verifypeer) {
/* OpenLDAP SDK supports BASE64 files. */
if((data->set.str[STRING_CERT_TYPE]) &&
(!Curl_raw_equal(data->set.str[STRING_CERT_TYPE], "PEM"))) {
failf(data, "LDAP local: ERROR OpenLDAP only supports PEM cert-type!");
status = CURLE_SSL_CERTPROBLEM;
goto quit;
}
if(!ldap_ca) {
failf(data, "LDAP local: ERROR PEM CA cert not set!");
status = CURLE_SSL_CERTPROBLEM;
goto quit;
}
infof(data, "LDAP local: using PEM CA cert: %s\n", ldap_ca);
rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ERROR setting PEM CA cert: %s",
ldap_err2string(rc));
status = CURLE_SSL_CERTPROBLEM;
goto quit;
}
ldap_option = LDAP_OPT_X_TLS_DEMAND;
}
else
ldap_option = LDAP_OPT_X_TLS_NEVER;
rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ERROR setting cert verify mode: %s",
ldap_err2string(rc));
status = CURLE_SSL_CERTPROBLEM;
goto quit;
}
server = ldap_init(conn->host.name, (int)conn->port);
if(server == NULL) {
failf(data, "LDAP local: Cannot connect to %s:%hu",
conn->host.name, conn->port);
status = CURLE_COULDNT_CONNECT;
goto quit;
}
ldap_option = LDAP_OPT_X_TLS_HARD;
rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ERROR setting SSL/TLS mode: %s",
ldap_err2string(rc));
status = CURLE_SSL_CERTPROBLEM;
goto quit;
}
/*
rc = ldap_start_tls_s(server, NULL, NULL);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s",
ldap_err2string(rc));
status = CURLE_SSL_CERTPROBLEM;
goto quit;
}
*/
#else
/* we should probably never come up to here since configure
should check in first place if we can support LDAP SSL/TLS */
failf(data, "LDAP local: SSL/TLS not supported with this version "
"of the OpenLDAP toolkit\n");
status = CURLE_SSL_CERTPROBLEM;
goto quit;
#endif
#endif
#endif /* CURL_LDAP_USE_SSL */
}
else {
server = ldap_init(conn->host.name, (int)conn->port);
if(server == NULL) {
failf(data, "LDAP local: Cannot connect to %s:%hu",
conn->host.name, conn->port);
status = CURLE_COULDNT_CONNECT;
goto quit;
}
}
#ifdef CURL_LDAP_WIN
ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
#endif
rc = ldap_simple_bind_s(server,
conn->bits.user_passwd ? conn->user : NULL,
conn->bits.user_passwd ? conn->passwd : NULL);
if(!ldap_ssl && rc != 0) {
ldap_proto = LDAP_VERSION2;
ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
rc = ldap_simple_bind_s(server,
conn->bits.user_passwd ? conn->user : NULL,
conn->bits.user_passwd ? conn->passwd : NULL);
}
if(rc != 0) {
failf(data, "LDAP local: ldap_simple_bind_s %s", ldap_err2string(rc));
status = CURLE_LDAP_CANNOT_BIND;
goto quit;
}
rc = ldap_search_s(server, ludp->lud_dn, ludp->lud_scope,
ludp->lud_filter, ludp->lud_attrs, 0, &result);
if(rc != 0 && rc != LDAP_SIZELIMIT_EXCEEDED) {
failf(data, "LDAP remote: %s", ldap_err2string(rc));
status = CURLE_LDAP_SEARCH_FAILED;
goto quit;
}
for(num = 0, entryIterator = ldap_first_entry(server, result);
entryIterator;
entryIterator = ldap_next_entry(server, entryIterator), num++) {
BerElement *ber = NULL;
char *attribute; /*! suspicious that this isn't 'const' */
char *dn = ldap_get_dn(server, entryIterator);
int i;
Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"DN: ", 4);
Curl_client_write(conn, CLIENTWRITE_BODY, (char *)dn, 0);
Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\n", 1);
dlsize += strlen(dn)+5;
for(attribute = ldap_first_attribute(server, entryIterator, &ber);
attribute;
attribute = ldap_next_attribute(server, entryIterator, ber)) {
BerValue **vals = ldap_get_values_len(server, entryIterator, attribute);
if(vals != NULL) {
for(i = 0; (vals[i] != NULL); i++) {
Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\t", 1);
Curl_client_write(conn, CLIENTWRITE_BODY, (char *) attribute, 0);
Curl_client_write(conn, CLIENTWRITE_BODY, (char *)": ", 2);
dlsize += strlen(attribute)+3;
if((strlen(attribute) > 7) &&
(strcmp(";binary",
(char *)attribute +
(strlen((char *)attribute) - 7)) == 0)) {
/* Binary attribute, encode to base64. */
CURLcode error = Curl_base64_encode(data,
vals[i]->bv_val,
vals[i]->bv_len,
&val_b64,
&val_b64_sz);
if(error) {
ldap_value_free_len(vals);
ldap_memfree(attribute);
ldap_memfree(dn);
if(ber)
ber_free(ber, 0);
status = error;
goto quit;
}
if(val_b64_sz > 0) {
Curl_client_write(conn, CLIENTWRITE_BODY, val_b64, val_b64_sz);
free(val_b64);
dlsize += val_b64_sz;
}
}
else {
Curl_client_write(conn, CLIENTWRITE_BODY, vals[i]->bv_val,
vals[i]->bv_len);
dlsize += vals[i]->bv_len;
}
Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\n", 0);
dlsize++;
}
/* Free memory used to store values */
ldap_value_free_len(vals);
}
Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\n", 1);
dlsize++;
Curl_pgrsSetDownloadCounter(data, dlsize);
ldap_memfree(attribute);
}
ldap_memfree(dn);
if(ber)
ber_free(ber, 0);
}
quit:
if(result) {
ldap_msgfree(result);
LDAP_TRACE (("Received %d entries\n", num));
}
if(rc == LDAP_SIZELIMIT_EXCEEDED)
infof(data, "There are more than %d entries\n", num);
if(ludp)
ldap_free_urldesc(ludp);
if(server)
ldap_unbind_s(server);
#if defined(HAVE_LDAP_SSL) && defined(CURL_HAS_NOVELL_LDAPSDK)
if(ldap_ssl)
ldapssl_client_deinit();
#endif /* HAVE_LDAP_SSL && CURL_HAS_NOVELL_LDAPSDK */
/* no data to transfer */
Curl_setup_transfer(conn, -1, -1, FALSE, NULL, -1, NULL);
conn->bits.close = TRUE;
return status;
}
//
// Enumerates the objects at a certain DN. If you just want to verify that the
// user can enumerate but don't care about the actual objects, pass NULL
// for ppObjectList.
//
// NB -- The VMDIR_STRING_LIST returned contains full DNs for the individual
// objects.
//
DWORD
VmDirTestGetObjectList(
LDAP *pLd,
PCSTR pszDn,
PVMDIR_STRING_LIST *ppObjectList /* OPTIONAL */
)
{
DWORD dwError = 0;
DWORD dwObjectCount = 0;
PCSTR ppszAttrs[] = {NULL};
LDAPMessage *pResult = NULL;
PVMDIR_STRING_LIST pObjectList = NULL;
dwError = ldap_search_ext_s(
pLd,
pszDn,
LDAP_SCOPE_SUBTREE,
"(objectClass=*)",
(PSTR*)ppszAttrs,
0,
NULL,
NULL,
NULL,
-1,
&pResult);
BAIL_ON_VMDIR_ERROR(dwError);
if (ppObjectList != NULL)
{
dwObjectCount = ldap_count_entries(pLd, pResult);
dwError = VmDirStringListInitialize(&pObjectList, dwObjectCount);
BAIL_ON_VMDIR_ERROR(dwError);
if (dwObjectCount > 0)
{
LDAPMessage* pEntry = ldap_first_entry(pLd, pResult);
//
// Grab the next entry. The first one will be the base DN itself.
//
pEntry = ldap_next_entry(pLd, pEntry);
for (; pEntry != NULL; pEntry = ldap_next_entry(pLd, pEntry))
{
dwError = VmDirStringListAddStrClone(ldap_get_dn(pLd, pEntry), pObjectList);
BAIL_ON_VMDIR_ERROR(dwError);
}
}
*ppObjectList = pObjectList;
}
cleanup:
if (pResult)
{
ldap_msgfree(pResult);
}
return dwError;
error:
VmDirStringListFree(pObjectList);
goto cleanup;
}
/*
* ldap_getattr_fromfilter_withbase_scope():
* conflags: KEEPALIVE
* scope: LDAP_SCOPE_BASE, LDAP_SCOPE_ONELEVEL, LDAP_SCOPE_SUBTREE
* result: return unique search result here, allocated here, caller must free
*
* returns: -1 on error
* 0 nothing found
* 1 successfull search, result int 'result'
*
* All connection managment to the LDAP server is done here. Just set KEEPALIVE if you know
* you will be dispatching more than one search in a row, then don't set it with the last search.
* You MUST dispatch the queries timely, otherwise the LDAP handle might timeout.
*/
static int ldap_getattr_fromfilter_withbase_scope( const char *searchbase,
const char *filter,
char *attributes[],
int scope,
ldapcon_t conflags,
char **result) {
int ret;
int ldaperr;
int retrycount = 0;
int desired_version = LDAP_VERSION3;
static int ldapconnected = 0;
static LDAP *ld = NULL;
LDAPMessage* msg = NULL;
LDAPMessage* entry = NULL;
char **attribute_values = NULL;
struct timeval timeout;
LOG(log_maxdebug, logtype_afpd,"ldap: BEGIN");
timeout.tv_sec = 3;
timeout.tv_usec = 0;
/* init LDAP if necessary */
retry:
ret = 0;
if (ld == NULL) {
LOG(log_maxdebug, logtype_default, "ldap: server: \"%s\"",
ldap_server);
if ((ld = ldap_init(ldap_server, LDAP_PORT)) == NULL ) {
LOG(log_error, logtype_default, "ldap: ldap_init error: %s",
strerror(errno));
return -1;
}
if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version) != 0) {
/* LDAP_OPT_SUCCESS is not in the proposed standard, so we check for 0
http://tools.ietf.org/id/draft-ietf-ldapext-ldap-c-api-05.txt */
LOG(log_error, logtype_default, "ldap: ldap_set_option failed!");
free(ld);
ld = NULL;
return -1;
}
}
/* connect */
if (!ldapconnected) {
if (LDAP_AUTH_NONE == ldap_auth_method) {
if (ldap_bind_s(ld, "", "", LDAP_AUTH_SIMPLE) != LDAP_SUCCESS ) {
LOG(log_error, logtype_default, "ldap: ldap_bind failed, auth_method: \'%d\'",
ldap_auth_method);
free(ld);
ld = NULL;
return -1;
}
ldapconnected = 1;
} else if (LDAP_AUTH_SIMPLE == ldap_auth_method) {
if (ldap_bind_s(ld, ldap_auth_dn, ldap_auth_pw, ldap_auth_method) != LDAP_SUCCESS ) {
LOG(log_error, logtype_default,
"ldap: ldap_bind failed: ldap_auth_dn: \'%s\', ldap_auth_pw: \'%s\', ldap_auth_method: \'%d\'",
ldap_auth_dn, ldap_auth_pw, ldap_auth_method);
free(ld);
ld = NULL;
return -1;
}
ldapconnected = 1;
}
}
LOG(log_maxdebug, logtype_afpd, "ldap: start search: base: %s, filter: %s, attr: %s",
searchbase, filter, attributes[0]);
/* start LDAP search */
ldaperr = ldap_search_st(ld, searchbase, scope, filter, attributes, 0, &timeout, &msg);
LOG(log_maxdebug, logtype_default, "ldap: ldap_search_st returned: %s",
ldap_err2string(ldaperr));
if (ldaperr != LDAP_SUCCESS) {
LOG(log_error, logtype_default, "ldap: ldap_search_st failed: %s, retrycount: %i",
ldap_err2string(ldaperr), retrycount);
ret = -1;
goto cleanup;
}
/* parse search result */
LOG(log_maxdebug, logtype_default, "ldap: got %d entries from ldap search",
ldap_count_entries(ld, msg));
if ((ret = ldap_count_entries(ld, msg)) != 1) {
ret = 0;
goto cleanup;
}
entry = ldap_first_entry(ld, msg);
if (entry == NULL) {
LOG(log_error, logtype_default, "ldap: ldap_first_entry error");
ret = -1;
goto cleanup;
}
attribute_values = ldap_get_values(ld, entry, attributes[0]);
if (attribute_values == NULL) {
LOG(log_error, logtype_default, "ldap: ldap_get_values error");
ret = -1;
goto cleanup;
}
LOG(log_maxdebug, logtype_afpd,"ldap: search result: %s: %s",
attributes[0], attribute_values[0]);
/* allocate result */
*result = strdup(attribute_values[0]);
if (*result == NULL) {
LOG(log_error, logtype_default, "ldap: strdup error: %s",strerror(errno));
ret = -1;
goto cleanup;
}
cleanup:
if (attribute_values)
ldap_value_free(attribute_values);
/* FIXME: is there another way to free entry ? */
while (entry != NULL)
entry = ldap_next_entry(ld, entry);
if (msg)
ldap_msgfree(msg);
if (ldapconnected) {
if ((ret == -1) || !(conflags & KEEPALIVE)) {
LOG(log_maxdebug, logtype_default,"ldap: unbind");
if (ldap_unbind_s(ld) != 0) {
LOG(log_error, logtype_default, "ldap: unbind: %s\n", ldap_err2string(ldaperr));
return -1;
}
ld = NULL;
ldapconnected = 0;
/* In case of error we try twice */
if (ret == -1) {
retrycount++;
if (retrycount < 2)
goto retry;
}
}
}
return ret;
}
void run_ldap_tests(service_t *ldaptest, int sslcertcheck, int querytimeout)
{
#ifdef XYMON_LDAP
ldap_data_t *req;
testitem_t *t;
struct timespec starttime;
struct timespec endtime;
/* Pick a sensible default for the timeout setting */
if (querytimeout == 0) querytimeout = 30;
for (t = ldaptest->items; (t); t = t->next) {
LDAPURLDesc *ludp;
LDAP *ld;
int rc, finished;
int msgID = -1;
struct timeval ldaptimeout;
struct timeval openldaptimeout;
LDAPMessage *result;
LDAPMessage *e;
strbuffer_t *response;
char buf[MAX_LINE_LEN];
req = (ldap_data_t *) t->privdata;
if (req->skiptest) continue;
ludp = (LDAPURLDesc *) req->ldapdesc;
getntimer(&starttime);
/* Initiate session with the LDAP server */
dbgprintf("Initiating LDAP session for host %s port %d\n",
ludp->lud_host, ludp->lud_port);
if( (ld = ldap_init(ludp->lud_host, ludp->lud_port)) == NULL ) {
dbgprintf("ldap_init failed\n");
req->ldapstatus = XYMON_LDAP_INITFAIL;
continue;
}
/*
* There is apparently no standard way of defining a network
* timeout for the initial connection setup.
*/
#if (LDAP_VENDOR == OpenLDAP) && defined(LDAP_OPT_NETWORK_TIMEOUT)
/*
* OpenLDAP has an undocumented ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv)
*/
openldaptimeout.tv_sec = querytimeout;
openldaptimeout.tv_usec = 0;
ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &openldaptimeout);
#else
/*
* So using an alarm() to interrupt any pending operations
* seems to be the least insane way of doing this.
*
* Note that we must do this right after ldap_init(), as
* any operation on the session handle (ld) may trigger the
* network connection to be established.
*/
connect_timeout = 0;
signal(SIGALRM, ldap_alarmhandler);
alarm(querytimeout);
#endif
/*
* This is completely undocumented in the OpenLDAP docs.
* But apparently it is documented in
* http://www.ietf.org/proceedings/99jul/I-D/draft-ietf-ldapext-ldap-c-api-03.txt
*
* Both of these routines appear in the <ldap.h> file
* from OpenLDAP 2.1.22. Their use to enable TLS has
* been deciphered from the ldapsearch() utility
* sourcecode.
*
* According to Manon Goo <*****@*****.**>, recent (Jan. 2005)
* OpenLDAP implementations refuse to talk LDAPv2.
*/
#ifdef LDAP_OPT_PROTOCOL_VERSION
{
int protocol = LDAP_VERSION3;
dbgprintf("Attempting to select LDAPv3\n");
if ((rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &protocol)) != LDAP_SUCCESS) {
dbgprintf("Failed to select LDAPv3, trying LDAPv2\n");
protocol = LDAP_VERSION2;
if ((rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &protocol)) != LDAP_SUCCESS) {
req->output = strdup(ldap_err2string(rc));
req->ldapstatus = XYMON_LDAP_TLSFAIL;
}
continue;
}
}
#endif
#ifdef XYMON_LDAP_USESTARTTLS
if (req->usetls) {
dbgprintf("Trying to enable TLS for session\n");
if ((rc = ldap_start_tls_s(ld, NULL, NULL)) != LDAP_SUCCESS) {
dbgprintf("ldap_start_tls failed\n");
req->output = strdup(ldap_err2string(rc));
req->ldapstatus = XYMON_LDAP_TLSFAIL;
continue;
}
}
#endif
if (!connect_timeout) {
msgID = ldap_simple_bind(ld, (t->host->ldapuser ? t->host->ldapuser : ""),
(t->host->ldappasswd ? t->host->ldappasswd : ""));
}
/* Cancel any pending alarms */
alarm(0);
signal(SIGALRM, SIG_DFL);
/* Did we connect? */
if (connect_timeout || (msgID == -1)) {
req->ldapstatus = XYMON_LDAP_BINDFAIL;
req->output = "Cannot connect to server";
continue;
}
/* Wait for bind to complete */
rc = 0; finished = 0;
ldaptimeout.tv_sec = querytimeout;
ldaptimeout.tv_usec = 0L;
while( ! finished ) {
int rc2;
rc = ldap_result(ld, msgID, LDAP_MSG_ONE, &ldaptimeout, &result);
dbgprintf("ldap_result returned %d for ldap_simple_bind()\n", rc);
if(rc == -1) {
finished = 1;
req->ldapstatus = XYMON_LDAP_BINDFAIL;
if (result == NULL) {
errprintf("LDAP library problem - NULL result returned\n");
req->output = strdup("LDAP BIND failed\n");
}
else {
rc2 = ldap_result2error(ld, result, 1);
req->output = strdup(ldap_err2string(rc2));
}
ldap_unbind(ld);
}
else if (rc == 0) {
finished = 1;
req->ldapstatus = XYMON_LDAP_BINDFAIL;
req->output = strdup("Connection timeout");
ldap_unbind(ld);
}
else if( rc > 0 ) {
finished = 1;
if (result == NULL) {
errprintf("LDAP library problem - got a NULL resultcode for status %d\n", rc);
req->ldapstatus = XYMON_LDAP_BINDFAIL;
req->output = strdup("LDAP library problem: ldap_result2error returned a NULL result for status %d\n");
ldap_unbind(ld);
}
else {
rc2 = ldap_result2error(ld, result, 1);
if(rc2 != LDAP_SUCCESS) {
req->ldapstatus = XYMON_LDAP_BINDFAIL;
req->output = strdup(ldap_err2string(rc));
ldap_unbind(ld);
}
}
}
} /* ... while() */
/* We're done connecting. If something went wrong, go to next query. */
if (req->ldapstatus != 0) continue;
/* Now do the search. With a timeout */
ldaptimeout.tv_sec = querytimeout;
ldaptimeout.tv_usec = 0L;
rc = ldap_search_st(ld, ludp->lud_dn, ludp->lud_scope, ludp->lud_filter, ludp->lud_attrs, 0, &ldaptimeout, &result);
if(rc == LDAP_TIMEOUT) {
req->ldapstatus = XYMON_LDAP_TIMEOUT;
req->output = strdup(ldap_err2string(rc));
ldap_unbind(ld);
continue;
}
if( rc != LDAP_SUCCESS ) {
req->ldapstatus = XYMON_LDAP_SEARCHFAILED;
req->output = strdup(ldap_err2string(rc));
ldap_unbind(ld);
continue;
}
getntimer(&endtime);
response = newstrbuffer(0);
sprintf(buf, "Searching LDAP for %s yields %d results:\n\n",
t->testspec, ldap_count_entries(ld, result));
addtobuffer(response, buf);
for(e = ldap_first_entry(ld, result); (e != NULL); e = ldap_next_entry(ld, e) ) {
char *dn;
BerElement *ber;
char *attribute;
char **vals;
dn = ldap_get_dn(ld, e);
sprintf(buf, "DN: %s\n", dn);
addtobuffer(response, buf);
/* Addtributes and values */
for (attribute = ldap_first_attribute(ld, e, &ber); (attribute != NULL); attribute = ldap_next_attribute(ld, e, ber) ) {
if ((vals = ldap_get_values(ld, e, attribute)) != NULL) {
int i;
for(i = 0; (vals[i] != NULL); i++) {
sprintf(buf, "\t%s: %s\n", attribute, vals[i]);
addtobuffer(response, buf);
}
}
/* Free memory used to store values */
ldap_value_free(vals);
}
/* Free memory used to store attribute */
ldap_memfree(attribute);
ldap_memfree(dn);
if (ber != NULL) ber_free(ber, 0);
addtobuffer(response, "\n");
}
req->ldapstatus = XYMON_LDAP_OK;
req->output = grabstrbuffer(response);
tvdiff(&starttime, &endtime, &req->duration);
ldap_msgfree(result);
ldap_unbind(ld);
ldap_free_urldesc(ludp);
}
#endif
}
int getGroupname()
{
LDAP *ld;
struct json_object *my_object,*my_array;
const char* split = "CN=,";
char *p;
char*tmp;
char *user;
int i = 0;
int nl ;
int result;
int auth_method = LDAP_AUTH_SIMPLE;
int desired_version = LDAP_VERSION3;
char *ldap_host = "WIN2K82";
char *root_dn = "*****@*****.**";
char *root_pw = "123qwe!@#";
BerElement* ber;
LDAPMessage* msg;
LDAPMessage* entry;
char* base="CN=Users,dc=abc,dc=com";
char* filter="(objectClass=group)";
char* errstring;
char* dn = NULL;
char* attr;
char** vals;
if ((ld = ldap_init(ldap_host, LDAP_PORT)) == NULL ) {
perror( "ldap_init failed" );
exit( EXIT_FAILURE );
}
/* set the LDAP version to be 3 */
if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version) != LDAP_OPT_SUCCESS)
{
ldap_perror(ld, "ldap_set_option");
exit(EXIT_FAILURE);
}
if (ldap_bind_s(ld, root_dn, root_pw, auth_method) != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_bind" );
exit( EXIT_FAILURE );
}
if (ldap_search_s(ld, base, LDAP_SCOPE_SUBTREE, filter, NULL, 0, &msg) != LDAP_SUCCESS) {
ldap_perror( ld, "ldap_search_s" );
exit(EXIT_FAILURE);
}
my_object = json_object_new_object();
my_array = json_object_new_array();
int n = 0;//find return
/* Iterate through the returned entries */
for(entry = ldap_first_entry(ld, msg); entry != NULL; entry = ldap_next_entry(ld, entry)) {
if((dn = ldap_get_dn(ld, entry)) != NULL) {
//printf("Returned dn: %s\n", dn);
tmp = dn;
p = strtok (tmp,",");
if(p){
p = strtok(p,"=");
p = strtok(NULL, ",");
BlToSl(p);
//if (p)
//printf("p=%s\n",p);
}
i++;
json_object_array_add(my_array, json_object_new_int(i));
json_object_array_put_idx(my_array, i, json_object_new_int(i));
struct json_object *obj = json_object_array_get_idx(my_array, i);
json_object_object_add(my_object, json_object_to_json_string(obj), json_object_new_string(p));
ldap_memfree(dn);
}
}
//second search
base="CN=Builtin,dc=abc,dc=com";
if (ldap_search_s(ld, base, LDAP_SCOPE_SUBTREE, filter, NULL, 0, &msg) != LDAP_SUCCESS) {
ldap_perror( ld, "ldap_search_s" );
exit(EXIT_FAILURE);
}
for(entry = ldap_first_entry(ld, msg); entry != NULL; entry = ldap_next_entry(ld, entry)) {
if((dn = ldap_get_dn(ld, entry)) != NULL) {
//printf("Returned dn: %s\n", dn);
tmp = dn;
p = strtok (tmp,",");
if(p){
p = strtok(p,"=");
p = strtok(NULL, ",");
BlToSl(p);
//if (p)
//printf("p=%s\n",p);
}
i++;
json_object_array_add(my_array, json_object_new_int(i));
json_object_array_put_idx(my_array, i, json_object_new_int(i));
struct json_object *obj = json_object_array_get_idx(my_array, i);
json_object_object_add(my_object, json_object_to_json_string(obj), json_object_new_string(p));
ldap_memfree(dn);
}
}
printf("%s\n", json_object_to_json_string(my_object));
/* clean up */
ldap_msgfree(msg);
result = ldap_unbind_s(ld);
if (result != 0) {
fprintf(stderr, "ldap_unbind_s: %s\n", ldap_err2string(result));
exit( EXIT_FAILURE );
}
return EXIT_SUCCESS;
}
char*
ldap_lookup(config_t agent_config, const char *username, char *external_uid)
{
LDAP *ld;
LDAPMessage *result = (LDAPMessage *) 0;
LDAPMessage *e;
BerElement *ber;
char *a, *dn;
char *sane_username = malloc(strlen(username)*2);
char *p = sane_username;
char **vals = NULL;
struct timeval ldaptimeout = {.tv_sec = BIND_TIMEOUT, .tv_usec = 0};
int i, rc=0, num_entries=0;
char *transcoded_query = NULL;
char *ldap_uri = NULL;
char *end_ptr;
char *ldap_host = _ds_read_attribute(agent_config, "ExtLookupServer");
char *port = _ds_read_attribute(agent_config, "ExtLookupPort");
long lldap_port;
int ldap_port = 389;
char *ldap_binddn = _ds_read_attribute(agent_config, "ExtLookupLogin");
char *ldap_passwd = _ds_read_attribute(agent_config, "ExtLookupPassword");
char *ldap_base = _ds_read_attribute(agent_config, "ExtLookupDB");
char *ldap_attrs[] = {_ds_read_attribute(agent_config, "ExtLookupLDAPAttribute"),0};
char *version = _ds_read_attribute(agent_config, "ExtLookupLDAPVersion");
long lldap_version;
int ldap_version = 3;
char *ldap_filter = _ds_read_attribute(agent_config, "ExtLookupQuery");
int ldap_scope;
if (port != NULL) {
errno=0;
lldap_port = strtol(port, &end_ptr, 0);
if ( (errno != 0) || (lldap_port < INT_MIN) || (lldap_port > INT_MAX) || (*end_ptr != '\0')) {
LOG(LOG_ERR, "External Lookup: bad LDAP port number");
return NULL;
} else
ldap_port = (int)lldap_port;
}
/* set ldap protocol version */
if (version != NULL) {
errno=0;
lldap_version = strtol(version, &end_ptr, 0);
if ((errno != 0) || (lldap_version < 1) || (lldap_version > 3) || (*end_ptr != '\0')) {
LOG(LOG_ERR, "External Lookup: bad LDAP protocol version");
return NULL;
} else
ldap_version = (int)lldap_version;
}
if (_ds_match_attribute(agent_config, "ExtLookupLDAPScope", "one"))
ldap_scope = LDAP_SCOPE_ONELEVEL;
else /* defaults to sub */
ldap_scope = LDAP_SCOPE_SUBTREE;
/* set alarm handler */
signal(SIGALRM, sig_alrm);
/* sanitize username for filter integration */
for (; *username != '\0'; username++) {
switch(*username) {
case 0x2a: /* '*' */
case 0x28: /* '(' */
case 0x29: /* ')' */
case 0x5c: /* '\' */
case 0x00: /* NUL */
*p++ = 0x5c; /* '\' */
*p++ = *username;
break;
default:
*p++ = *username;
break;
}
}
*p = '\0';
LOGDEBUG("External Lookup: sanitized username is %s\n", sane_username);
/* build proper LDAP filter*/
transcoded_query = strdup(transcode_query(ldap_filter, sane_username, transcoded_query));
free(sane_username);
if (transcoded_query == NULL) {
LOG(LOG_ERR, "External Lookup: %s", ERR_EXT_LOOKUP_MISCONFIGURED);
return NULL;
}
if( ldap_host != NULL || ldap_port ) {
/* construct URL */
LDAPURLDesc url;
memset( &url, 0, sizeof(url));
url.lud_scheme = "ldap";
url.lud_host = ldap_host;
url.lud_port = ldap_port;
url.lud_scope = LDAP_SCOPE_SUBTREE;
ldap_uri = ldap_url_desc2str( &url );
}
rc = ldap_initialize( &ld, ldap_uri );
if( rc != LDAP_SUCCESS ) {
LOG(LOG_ERR, "External Lookup: Could not create LDAP session handle for URI=%s (%d): %s\n", ldap_uri, rc, ldap_err2string(rc));
return NULL;
}
if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &ldap_version ) != LDAP_OPT_SUCCESS ) {
LOG(LOG_ERR, "External Lookup: Could not set LDAP_OPT_PROTOCOL_VERSION %d\n", ldap_version );
return NULL;
}
/* use TLS if configured */
if ( _ds_match_attribute(agent_config, "ExtLookupCrypto", "tls" )) {
if (ldap_version != 3) {
LOG(LOG_ERR, "External Lookup: TLS only supported with LDAP protocol version 3");
return NULL;
}
if ( ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS ) {
LOG(LOG_ERR, "External Lookup: %s: %s (%d)", ERR_EXT_LOOKUP_INIT_FAIL, strerror(errno), errno);
return NULL;
}
}
/* schedules alarm */
alarm(BIND_TIMEOUT);
/* authenticate to the directory */
if ( (rc = ldap_simple_bind_s( ld, ldap_binddn, ldap_passwd )) != LDAP_SUCCESS ) {
/* cancel alarms */
alarm(0);
LOG(LOG_ERR, "External Lookup: %s: %s", ERR_EXT_LOOKUP_INIT_FAIL, ldap_err2string(rc) );
ldap_unbind(ld);
return NULL;
}
/* cancel alarms */
alarm(0);
/* search for all entries matching the filter */
if ( (rc = ldap_search_st( ld,
ldap_base,
ldap_scope,
transcoded_query,
ldap_attrs,
0,
&ldaptimeout,
&result )) != LDAP_SUCCESS ) {
free(transcoded_query);
switch(rc) {
case LDAP_TIMEOUT:
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
case LDAP_UNWILLING_TO_PERFORM:
case LDAP_SERVER_DOWN:
case LDAP_TIMELIMIT_EXCEEDED:
LOG(LOG_ERR, "External Lookup: %s: %s", ERR_EXT_LOOKUP_SEARCH_FAIL, ldap_err2string(ldap_result2error(ld, result, 1)) );
ldap_unbind( ld );
return NULL;
break;
case LDAP_FILTER_ERROR:
LOG(LOG_ERR, "External Lookup: %s: %s", ERR_EXT_LOOKUP_SEARCH_FAIL, ldap_err2string(ldap_result2error(ld, result, 1)) );
ldap_unbind( ld );
return NULL;
break;
case LDAP_SIZELIMIT_EXCEEDED:
if ( result == NULL ) {
LOG(LOG_ERR, "External Lookup: %s: %s", ERR_EXT_LOOKUP_SEARCH_FAIL, ldap_err2string(ldap_result2error(ld, result, 1)) );
ldap_unbind( ld );
return NULL;
}
break;
default:
LOG(LOG_ERR, "External Lookup: %s: code=%d, %s", ERR_EXT_LOOKUP_SEARCH_FAIL, rc, ldap_err2string(ldap_result2error(ld, result, 1)) );
ldap_unbind( ld );
return NULL;
}
}
num_entries=ldap_count_entries(ld,result);
LOGDEBUG("External Lookup: found %d LDAP entries", num_entries);
switch (num_entries) {
case 1: /* only one entry, let's proceed */
break;
case -1: /* an error occured */
LOG(LOG_ERR, "External Lookup: %s: %s", ERR_EXT_LOOKUP_SEARCH_FAIL, ldap_err2string(ldap_result2error(ld, result, 1)));
ldap_unbind( ld );
return NULL ;
case 0: /* no entries found */
LOGDEBUG("External Lookup: %s: no entries found.", ERR_EXT_LOOKUP_SEARCH_FAIL);
ldap_msgfree( result );
ldap_unbind( ld );
return NULL ;
default: /* more than one entry returned */
LOG(LOG_ERR, "External Lookup: %s: more than one entry returned.", ERR_EXT_LOOKUP_SEARCH_FAIL);
ldap_msgfree( result );
ldap_unbind( ld );
return NULL;
}
/* for each entry print out name + all attrs and values */
for ( e = ldap_first_entry( ld, result ); e != NULL;
e = ldap_next_entry( ld, e ) ) {
if ( (dn = ldap_get_dn( ld, e )) != NULL ) {
ldap_memfree( dn );
}
for ( a = ldap_first_attribute( ld, e, &ber );
a != NULL; a = ldap_next_attribute( ld, e, ber ) ) {
if ((vals = ldap_get_values( ld, e, a)) != NULL ) {
for ( i = 0; vals[i] != NULL; i++ ) {
external_uid = strdup(vals[i]);
}
ldap_value_free( vals );
}
ldap_memfree( a );
}
if ( ber != NULL ) {
ber_free( ber, 0 );
}
}
ldap_msgfree( result );
ldap_unbind( ld );
return external_uid;
}
#endif
char*
program_lookup(config_t agent_config, const char *username, char *external_uid)
{
pid_t wstatus, pid;
int i, status;
int fd[2];
char *output = malloc (1024);
char **args = malloc (1024);
char *token;
char *saveptr;
char *str;
char *command_line = 0;
/* build proper command line*/
command_line = strdup(transcode_query(_ds_read_attribute(agent_config, "ExtLookupServer"), username, command_line));
if (command_line == NULL) {
LOG(LOG_ERR, ERR_EXT_LOOKUP_MISCONFIGURED);
free(output);
free(args);
return NULL;
}
LOGDEBUG("command line is %s", command_line);
/* break the command line into arguments */
for (i = 0, str = command_line; ; i++, str = NULL) {
token = strtok_r(str, " ", &saveptr);
if (token == NULL)
break;
args[i] = token;
LOGDEBUG("args[%d] = %s",i,token);
}
args[i] = (char *) 0;
if (pipe(fd) == -1) {
LOG(LOG_ERR, "%s: errno=%i (%s)", ERR_EXT_LOOKUP_INIT_FAIL, errno, strerror(errno));
free(output);
free(args);
return NULL;
}
switch(pid=fork()) {
case -1: /* couldn't fork - something went wrong */
LOG(LOG_ERR, "%s: errno=%i (%s)", ERR_EXT_LOOKUP_INIT_FAIL, errno, strerror(errno));
free(output);
free(args);
return NULL;
case 0: /* execute the command and write to fd */
close(fd[0]);
dup2(fd[1], fileno(stdout));
execve(args[0], args, 0);
exit(EXIT_FAILURE);
default: /* read from fd the first output line */
do {
wstatus = waitpid( pid, &status, WUNTRACED | WCONTINUED);
if (wstatus == -1) {
LOGDEBUG("waitpid() exited with an error: %s: errno=%i", strerror(errno), errno);
free(output);
free(args);
return NULL;
}
if (WIFEXITED(status)) {
LOGDEBUG("exited, status=%d\n", WEXITSTATUS(status));
if (WEXITSTATUS(status)) {
LOGDEBUG("Error running %s. Check path and permissions.\n", args[0]);
}
} else if (WIFSIGNALED(status)) {
LOGDEBUG("killed by signal %d\n", WTERMSIG(status));
} else if (WIFSTOPPED(status)) {
LOGDEBUG("stopped by signal %d\n", WSTOPSIG(status));
} else if (WIFCONTINUED(status)) {
LOGDEBUG("continued\n");
}
} while (!WIFEXITED(status) && !WIFSIGNALED(status));
close(fd[1]);
/* just in case there's no line break at the end of the return... */
memset(output, 0, 1024);
if (read(fd[0], output, 1024) == -1) {
LOG(LOG_ERR, "%s: errno=%i (%s)", ERR_EXT_LOOKUP_INIT_FAIL, errno, strerror(errno));
free(output);
free(args);
return NULL;
}
close(fd[0]);
}
if (strlen(output) == 0) {
free(output);
free(args);
return NULL;
}
/* terminate the output string at the first \n */
token = strchr(output, '\n');
if (token != NULL)
*token = '\0';
external_uid = strdup(output);
free(output);
free(command_line);
free(args);
return external_uid;
}
static void
print_search_entry( LDAP *ld, LDAPMessage *res )
{
BerElement *ber;
char *a, *dn, *ufn;
struct berval **vals;
int i;
LDAPMessage *e;
for ( e = ldap_first_entry( ld, res ); e != NULLMSG;
e = ldap_next_entry( ld, e ) ) {
if ( e->lm_msgtype == LDAP_RES_SEARCH_RESULT )
break;
dn = ldap_get_dn( ld, e );
printf( "\tDN: %s\n", dn );
ufn = ldap_dn2ufn( dn );
printf( "\tUFN: %s\n", ufn );
#ifdef WINSOCK
ldap_memfree( dn );
ldap_memfree( ufn );
#else /* WINSOCK */
free( dn );
free( ufn );
#endif /* WINSOCK */
for ( a = ldap_first_attribute( ld, e, &ber ); a != NULL;
a = ldap_next_attribute( ld, e, ber ) ) {
printf( "\t\tATTR: %s\n", a );
if ( (vals = ldap_get_values_len( ld, e, a ))
== NULL ) {
printf( "\t\t\t(no values)\n" );
} else {
for ( i = 0; vals[i] != NULL; i++ ) {
int j, nonascii;
nonascii = 0;
for ( j = 0; j < vals[i]->bv_len; j++ )
if ( !isascii( vals[i]->bv_val[j] ) ) {
nonascii = 1;
break;
}
if ( nonascii ) {
printf( "\t\t\tlength (%ld) (not ascii)\n", vals[i]->bv_len );
#ifdef BPRINT_NONASCII
lber_bprint( vals[i]->bv_val,
vals[i]->bv_len );
#endif /* BPRINT_NONASCII */
continue;
}
printf( "\t\t\tlength (%ld) %s\n",
vals[i]->bv_len, vals[i]->bv_val );
}
ber_bvecfree( vals );
}
}
}
if ( res->lm_msgtype == LDAP_RES_SEARCH_RESULT
|| res->lm_chain != NULLMSG )
print_ldap_result( ld, res, "search" );
}
static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom,
struct id_map **ids)
{
NTSTATUS ret;
TALLOC_CTX *memctx;
struct idmap_ldap_context *ctx;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
const char *uidNumber;
const char *gidNumber;
const char **attr_list;
char *filter = NULL;
bool multi = False;
int idx = 0;
int bidx = 0;
int count;
int rc;
int i;
/* Only do query if we are online */
if (idmap_is_offline()) {
return NT_STATUS_FILE_IS_OFFLINE;
}
/* Initilization my have been deferred because we were offline */
if ( ! dom->initialized) {
ret = idmap_ldap_db_init(dom);
if ( ! NT_STATUS_IS_OK(ret)) {
return ret;
}
}
ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
memctx = talloc_new(ctx);
if ( ! memctx) {
DEBUG(0, ("Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
attr_list = get_attr_list(memctx, sidmap_attr_list);
if ( ! ids[1]) {
/* if we are requested just one mapping use the simple filter */
filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))",
LDAP_OBJ_IDMAP_ENTRY,
(ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
(unsigned long)ids[0]->xid.id);
CHECK_ALLOC_DONE(filter);
DEBUG(10, ("Filter: [%s]\n", filter));
} else {
/* multiple mappings */
multi = True;
}
for (i = 0; ids[i]; i++) {
ids[i]->status = ID_UNKNOWN;
}
again:
if (multi) {
talloc_free(filter);
filter = talloc_asprintf(memctx,
"(&(objectClass=%s)(|",
LDAP_OBJ_IDMAP_ENTRY);
CHECK_ALLOC_DONE(filter);
bidx = idx;
for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
filter = talloc_asprintf_append_buffer(filter, "(%s=%lu)",
(ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
(unsigned long)ids[idx]->xid.id);
CHECK_ALLOC_DONE(filter);
}
filter = talloc_asprintf_append_buffer(filter, "))");
CHECK_ALLOC_DONE(filter);
DEBUG(10, ("Filter: [%s]\n", filter));
} else {
bidx = 0;
idx = 1;
}
rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
filter, attr_list, 0, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc)));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
if (count == 0) {
DEBUG(10, ("NO SIDs found\n"));
}
for (i = 0; i < count; i++) {
char *sidstr = NULL;
char *tmp = NULL;
enum id_type type;
struct id_map *map;
uint32_t id;
if (i == 0) { /* first entry */
entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
result);
} else { /* following ones */
entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
entry);
}
if ( ! entry) {
DEBUG(2, ("ERROR: Unable to fetch ldap entries "
"from results\n"));
break;
}
/* first check if the SID is present */
sidstr = smbldap_talloc_single_attribute(
ctx->smbldap_state->ldap_struct,
entry, LDAP_ATTRIBUTE_SID, memctx);
if ( ! sidstr) { /* no sid, skip entry */
DEBUG(2, ("WARNING SID not found on entry\n"));
continue;
}
/* now try to see if it is a uid, if not try with a gid
* (gid is more common, but in case both uidNumber and
* gidNumber are returned the SID is mapped to the uid
*not the gid) */
type = ID_TYPE_UID;
tmp = smbldap_talloc_single_attribute(
ctx->smbldap_state->ldap_struct,
entry, uidNumber, memctx);
if ( ! tmp) {
type = ID_TYPE_GID;
tmp = smbldap_talloc_single_attribute(
ctx->smbldap_state->ldap_struct,
entry, gidNumber, memctx);
}
if ( ! tmp) { /* wow very strange entry, how did it match ? */
DEBUG(5, ("Unprobable match on (%s), no uidNumber, "
"nor gidNumber returned\n", sidstr));
TALLOC_FREE(sidstr);
continue;
}
id = strtoul(tmp, NULL, 10);
if ((id == 0) ||
(ctx->filter_low_id && (id < ctx->filter_low_id)) ||
(ctx->filter_high_id && (id > ctx->filter_high_id))) {
DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
"Filtered!\n", id,
ctx->filter_low_id, ctx->filter_high_id));
TALLOC_FREE(sidstr);
TALLOC_FREE(tmp);
continue;
}
TALLOC_FREE(tmp);
map = find_map_by_id(&ids[bidx], type, id);
if (!map) {
DEBUG(2, ("WARNING: couldn't match sid (%s) "
"with requested ids\n", sidstr));
TALLOC_FREE(sidstr);
continue;
}
if ( ! string_to_sid(map->sid, sidstr)) {
DEBUG(2, ("ERROR: Invalid SID on entry\n"));
TALLOC_FREE(sidstr);
continue;
}
TALLOC_FREE(sidstr);
/* mapped */
map->status = ID_MAPPED;
DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
(unsigned long)map->xid.id, map->xid.type));
}
/* free the ldap results */
if (result) {
ldap_msgfree(result);
result = NULL;
}
if (multi && ids[idx]) { /* still some values to map */
goto again;
}
ret = NT_STATUS_OK;
/* mark all unknwon/expired ones as unmapped */
for (i = 0; ids[i]; i++) {
if (ids[i]->status != ID_MAPPED)
ids[i]->status = ID_UNMAPPED;
}
done:
talloc_free(memctx);
return ret;
}
static void
do_random( LDAP *ld,
char *sbase, char *filter, char **srchattrs, int noattrs, int nobind,
int innerloop, int maxretries, int delay, int force, int chaserefs,
int idx )
{
int i = 0, do_retry = maxretries;
char *attrs[ 2 ];
int rc = LDAP_SUCCESS;
int nvalues = 0;
char **values = NULL;
LDAPMessage *res = NULL, *e = NULL;
char thrstr[BUFSIZ];
attrs[ 0 ] = LDAP_NO_ATTRS;
attrs[ 1 ] = NULL;
snprintf( thrstr, BUFSIZ,
"Read(%d): base=\"%s\", filter=\"%s\".\n",
innerloop, sbase, filter );
thread_verbose( idx, thrstr );
rc = ldap_search_ext_s( ld, sbase, LDAP_SCOPE_SUBTREE,
filter, attrs, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &res );
switch ( rc ) {
case LDAP_SIZELIMIT_EXCEEDED:
case LDAP_TIMELIMIT_EXCEEDED:
case LDAP_SUCCESS:
nvalues = ldap_count_entries( ld, res );
if ( nvalues == 0 ) {
if ( rc ) {
tester_ldap_error( ld, "ldap_search_ext_s", NULL );
}
break;
}
values = malloc( ( nvalues + 1 ) * sizeof( char * ) );
for ( i = 0, e = ldap_first_entry( ld, res ); e != NULL; i++, e = ldap_next_entry( ld, e ) )
{
values[ i ] = ldap_get_dn( ld, e );
}
values[ i ] = NULL;
ldap_msgfree( res );
if ( do_retry == maxretries ) {
snprintf( thrstr, BUFSIZ,
"Read base=\"%s\" filter=\"%s\" got %d values.\n",
sbase, filter, nvalues );
thread_verbose( idx, thrstr );
}
for ( i = 0; i < innerloop; i++ ) {
int r = ((double)nvalues)*rand()/(RAND_MAX + 1.0);
do_read( ld, values[ r ],
srchattrs, noattrs, nobind, 1, maxretries,
delay, force, chaserefs, idx );
}
for( i = 0; i < nvalues; i++) {
if (values[i] != NULL)
ldap_memfree( values[i] );
}
free( values );
break;
default:
tester_ldap_error( ld, "ldap_search_ext_s", NULL );
break;
}
snprintf( thrstr, BUFSIZ, "Search done (%d).\n", rc );
thread_verbose( idx, thrstr );
}
krb5_error_code
krb5_ldap_delete_realm (krb5_context context, char *lrealm)
{
LDAP *ld = NULL;
krb5_error_code st = 0, tempst=0;
char **values=NULL, **subtrees=NULL, **policy=NULL;
LDAPMessage **result_arr=NULL, *result = NULL, *ent = NULL;
krb5_principal principal;
int l=0, ntree=0, i=0, j=0, mask=0;
kdb5_dal_handle *dal_handle = NULL;
krb5_ldap_context *ldap_context = NULL;
krb5_ldap_server_handle *ldap_server_handle = NULL;
krb5_ldap_realm_params *rparam=NULL;
SETUP_CONTEXT ();
if (lrealm == NULL) {
st = EINVAL;
krb5_set_error_message(context, st,
_("Realm information not available"));
goto cleanup;
}
if ((st=krb5_ldap_read_realm_params(context, lrealm, &rparam, &mask)) != 0)
goto cleanup;
/* get ldap handle */
GET_HANDLE ();
/* delete all the principals belonging to the realm in the tree */
{
char *attr[] = {"krbprincipalname", NULL}, *realm=NULL, filter[256];
krb5_ldap_context lcontext;
realm = ldap_filter_correct (lrealm);
assert (sizeof (filter) >= sizeof ("(krbprincipalname=)") +
strlen (realm) + 2 /* "*@" */ + 1);
snprintf (filter, sizeof(filter), "(krbprincipalname=*@%s)", realm);
free (realm);
/* LDAP_SEARCH(NULL, LDAP_SCOPE_SUBTREE, filter, attr); */
memset(&lcontext, 0, sizeof(krb5_ldap_context));
lcontext.lrparams = rparam;
if ((st=krb5_get_subtree_info(&lcontext, &subtrees, &ntree)) != 0)
goto cleanup;
result_arr = (LDAPMessage **) calloc((unsigned int)ntree+1,
sizeof(LDAPMessage *));
if (result_arr == NULL) {
st = ENOMEM;
goto cleanup;
}
for (l=0; l < ntree; ++l) {
LDAP_SEARCH(subtrees[l], rparam->search_scope, filter, attr);
result_arr[l] = result;
}
}
/* NOTE: Here all the principals should be cached and the ldap handle should be freed,
* as a DAL-LDAP interface is called right down here. Caching might be constrained by
* availability of the memory. The caching is not done, however there would be limit
* on the minimum number of handles for a server and it is 2. As the DAL-LDAP is not
* thread-safe this should suffice.
*/
for (j=0; (result=result_arr[j]) != NULL; ++j) {
for (ent = ldap_first_entry (ld, result); ent != NULL;
ent = ldap_next_entry (ld, ent)) {
if ((values = ldap_get_values(ld, ent, "krbPrincipalName")) != NULL) {
for (i = 0; values[i] != NULL; ++i) {
krb5_parse_name(context, values[i], &principal);
if (principal_in_realm_2(principal, lrealm) == 0) {
st=krb5_ldap_delete_principal(context, principal);
if (st && st != KRB5_KDB_NOENTRY)
goto cleanup;
}
krb5_free_principal(context, principal);
}
ldap_value_free(values);
}
}
ldap_msgfree(result);
}
/* Delete all password policies */
krb5_ldap_iterate_password_policy (context, "*", delete_password_policy, context);
/* Delete all ticket policies */
{
if ((st = krb5_ldap_list_policy (context, ldap_context->lrparams->realmdn, &policy)) != 0) {
prepend_err_str(context, _("Error reading ticket policy: "), st,
st);
goto cleanup;
}
for (i = 0; policy [i] != NULL; i++)
krb5_ldap_delete_policy(context, policy[i]);
}
/* Delete the realm object */
if ((st=ldap_delete_ext_s(ld, ldap_context->lrparams->realmdn, NULL, NULL)) != LDAP_SUCCESS) {
int ost = st;
st = translate_ldap_error (st, OP_DEL);
krb5_set_error_message(context, st, _("Realm Delete FAILED: %s"),
ldap_err2string(ost));
}
cleanup:
if (subtrees) {
for (l=0; l < ntree; ++l) {
if (subtrees[l])
free (subtrees[l]);
}
free (subtrees);
}
if (policy != NULL) {
for (i = 0; policy[i] != NULL; i++)
free (policy[i]);
free (policy);
}
krb5_ldap_free_realm_params(rparam);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
krb5_error_code
krb5_ldap_list_realm(krb5_context context, char ***realms)
{
char **values = NULL;
unsigned int i = 0;
int count = 0;
krb5_error_code st = 0, tempst = 0;
LDAP *ld = NULL;
LDAPMessage *result = NULL, *ent = NULL;
kdb5_dal_handle *dal_handle = NULL;
krb5_ldap_context *ldap_context = NULL;
krb5_ldap_server_handle *ldap_server_handle = NULL;
SETUP_CONTEXT ();
/* get the kerberos container DN information */
if (ldap_context->krbcontainer == NULL) {
if ((st = krb5_ldap_read_krbcontainer_params(context,
&(ldap_context->krbcontainer))) != 0)
goto cleanup;
}
/* get ldap handle */
GET_HANDLE ();
{
char *cn[] = {"cn", NULL};
LDAP_SEARCH(ldap_context->krbcontainer->DN,
LDAP_SCOPE_ONELEVEL,
"(objectclass=krbRealmContainer)",
cn);
}
*realms = NULL;
count = ldap_count_entries (ld, result);
if (count == -1) {
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &st);
st = set_ldap_error (context, st, OP_SEARCH);
goto cleanup;
}
*realms = calloc((unsigned int) count+1, sizeof (char *));
CHECK_NULL(*realms);
for (ent = ldap_first_entry(ld, result), count = 0; ent != NULL;
ent = ldap_next_entry(ld, ent)) {
if ((values = ldap_get_values (ld, ent, "cn")) != NULL) {
(*realms)[count] = strdup(values[0]);
CHECK_NULL((*realms)[count]);
count += 1;
ldap_value_free(values);
}
} /* for (ent= ... */
ldap_msgfree(result);
cleanup:
/* some error, free up all the memory */
if (st != 0) {
if (*realms) {
for (i=0; (*realms)[i] != NULL; ++i) {
free ((*realms)[i]);
}
free (*realms);
*realms = NULL;
}
}
/* If there are no elements, still return a NULL terminated array */
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
/* LDAP search function for internal use. Returns a Python list of LDAPEntries.
The `basestr` is the base DN of the searching, `scope` is the search scope (BASE|ONELEVEL|SUB),
`filterstr` is the LDAP search filter string, `attrs` is a null-terminated string list of attributes'
names to get only the selected attributes. If `attrsonly` is 1 get only attributes' name without values.
If `firstonly` is 1, get only the first LDAP entry of the messages. The `timeout` is an integer of
seconds for timelimit, `sizelimit` is a limit for size.
*/
PyObject *
LDAPConnection_Searching(LDAPConnection *self, PyObject *iterator) {
int rc;
int num_of_ctrls = 0;
LDAPMessage *res, *entry;
PyObject *entrylist = NULL;
LDAPEntry *entryobj = NULL;
LDAPControl *page_ctrl = NULL;
LDAPControl *sort_ctrl = NULL;
LDAPControl **server_ctrls = NULL;
LDAPControl **returned_ctrls = NULL;
LDAPSearchIter *search_iter = (LDAPSearchIter *)iterator;
entrylist = PyList_New(0);
if (entrylist == NULL) {
return PyErr_NoMemory();
}
/* Check the number of server controls and allocate it. */
if (self->page_size > 1) num_of_ctrls++;
if (self->sort_list != NULL) num_of_ctrls++;
if (num_of_ctrls > 0) {
server_ctrls = (LDAPControl **)malloc(sizeof(LDAPControl *)
* (num_of_ctrls + 1));
if (server_ctrls == NULL) return PyErr_NoMemory();
num_of_ctrls = 0;
}
if (self->page_size > 1) {
/* Create page control and add to the server controls. */
rc = ldap_create_page_control(self->ld, (ber_int_t)(self->page_size),
search_iter->cookie, 0, &page_ctrl);
if (rc != LDAP_SUCCESS) {
PyErr_BadInternalCall();
return NULL;
}
server_ctrls[num_of_ctrls++] = page_ctrl;
server_ctrls[num_of_ctrls] = NULL;
}
if (self->sort_list != NULL) {
rc = ldap_create_sort_control(self->ld, self->sort_list, 0, &sort_ctrl);
if (rc != LDAP_SUCCESS) {
PyErr_BadInternalCall();
return NULL;
}
server_ctrls[num_of_ctrls++] = sort_ctrl;
server_ctrls[num_of_ctrls] = NULL;
}
rc = ldap_search_ext_s(self->ld, search_iter->base,
search_iter->scope,
search_iter->filter,
search_iter->attrs,
search_iter->attrsonly,
server_ctrls, NULL,
search_iter->timeout,
search_iter->sizelimit, &res);
if (rc == LDAP_NO_SUCH_OBJECT) {
return entrylist;
}
if (rc != LDAP_SUCCESS && rc != LDAP_PARTIAL_RESULTS) {
Py_DECREF(entrylist);
PyObject *ldaperror = get_error_by_code(rc);
PyErr_SetString(ldaperror, ldap_err2string(rc));
Py_DECREF(ldaperror);
return NULL;
}
rc = ldap_parse_result(self->ld, res, NULL, NULL, NULL, NULL, &returned_ctrls, 0);
#if defined(WIN32) || defined(_WIN32) || defined(__WIN32__)
if (search_iter->cookie != NULL && search_iter->cookie->bv_val != NULL) {
ber_bvfree(search_iter->cookie);
search_iter->cookie = NULL;
}
rc = ldap_parse_page_control(self->ld, returned_ctrls, NULL, &(search_iter->cookie));
#else
rc = ldap_parse_pageresponse_control(self->ld,
ldap_control_find(LDAP_CONTROL_PAGEDRESULTS, returned_ctrls, NULL),
NULL, search_iter->cookie);
#endif
/* Iterate over the response LDAP messages. */
for (entry = ldap_first_entry(self->ld, res);
entry != NULL;
entry = ldap_next_entry(self->ld, entry)) {
entryobj = LDAPEntry_FromLDAPMessage(entry, self);
if (entryobj == NULL) {
Py_DECREF(entrylist);
return NULL;
}
if ((entryobj == NULL) ||
(PyList_Append(entrylist, (PyObject *)entryobj)) != 0) {
Py_XDECREF(entryobj);
Py_DECREF(entrylist);
return PyErr_NoMemory();
}
Py_DECREF(entryobj);
}
/* Cleanup. */
if (returned_ctrls != NULL) ldap_controls_free(returned_ctrls);
if (page_ctrl != NULL) ldap_control_free(page_ctrl);
if (sort_ctrl != NULL) ldap_control_free(sort_ctrl);
if (server_ctrls != NULL) free(server_ctrls);
ldap_msgfree(res);
return entrylist;
}
int main()
{
LDAP *ld; /* LDAP resource handle */
LDAPMessage *result, *e; /* LDAP result handle */
BerElement *ber; /* array of attributes */
char *attribute;
char **vals;
int i,rc=0;
char *attribs[3]; /* attribute array for search */
attribs[0]=strdup("uid"); /* return uid and cn of entries */
attribs[1]=strdup("cn");
attribs[2]=NULL; /* array must be NULL terminated */
/* setup LDAP connection */
if ((ld=ldap_init(LDAP_HOST, LDAP_PORT)) == NULL)
{
perror("ldap_init failed");
return EXIT_FAILURE;
}
printf("connected to LDAP server %s on port %d\n",LDAP_HOST,LDAP_PORT);
/* anonymous bind */
rc = ldap_simple_bind_s(ld,BIND_USER,BIND_PW);
if (rc != LDAP_SUCCESS)
{
fprintf(stderr,"LDAP error: %s\n",ldap_err2string(rc));
return EXIT_FAILURE;
}
else
{
printf("bind successful\n");
}
/* perform ldap search */
rc = ldap_search_s(ld, SEARCHBASE, SCOPE, FILTER, attribs, 0, &result);
if (rc != LDAP_SUCCESS)
{
fprintf(stderr,"LDAP search error: %s\n",ldap_err2string(rc));
return EXIT_FAILURE;
}
printf("Total results: %d\n", ldap_count_entries(ld, result));
for (e = ldap_first_entry(ld, result); e != NULL; e = ldap_next_entry(ld,e))
{
printf("DN: %s\n", ldap_get_dn(ld,e));
// ab hier kann abgebrochen werden für unser ftp-server
/* Now print the attributes and values of each found entry */
for (attribute = ldap_first_attribute(ld,e,&ber); attribute!=NULL; attribute = ldap_next_attribute(ld,e,ber))
{
if ((vals=ldap_get_values(ld,e,attribute)) != NULL)
{
for (i=0;vals[i]!=NULL;i++)
{
printf("\t%s: %s\n",attribute,vals[i]);
}
/* free memory used to store the values of the attribute */
ldap_value_free(vals);
}
/* free memory used to store the attribute */
ldap_memfree(attribute);
}
/* free memory used to store the value structure */
if (ber != NULL) ber_free(ber,0);
printf("\n");
}
/* free memory used for result */
ldap_msgfree(result);
free(attribs[0]);
free(attribs[1]);
printf("LDAP search suceeded\n");
ldap_unbind(ld);
return EXIT_SUCCESS;
}
char *
gfarm_generic_info_get_all(
char *dn,
int scope, /* LDAP_SCOPE_ONELEVEL or LDAP_SCOPE_SUBTREE */
char *query,
int *np,
void *infosp,
const struct gfarm_generic_info_ops *ops)
{
LDAPMessage *res, *e;
int i, n, rv;
char *a;
BerElement *ber;
char **vals;
char *infos, *tmp_info;
/* search for entries, return all attrs */
rv = ldap_search_s(gfarm_ldap_server, dn, scope, query, NULL, 0, &res);
if (rv != LDAP_SUCCESS) {
if (rv == LDAP_NO_SUCH_OBJECT)
return (GFARM_ERR_NO_SUCH_OBJECT);
return (ldap_err2string(rv));
}
n = ldap_count_entries(gfarm_ldap_server, res);
if (n == 0) {
/* free the search results */
ldap_msgfree(res);
return (GFARM_ERR_NO_SUCH_OBJECT);
}
infos = malloc(ops->info_size * n);
if (infos == NULL) {
/* free the search results */
ldap_msgfree(res);
return (GFARM_ERR_NO_MEMORY);
}
/* use last element as temporary buffer */
tmp_info = infos + ops->info_size * (n - 1);
/* step through each entry returned */
for (i = 0, e = ldap_first_entry(gfarm_ldap_server, res); e != NULL;
e = ldap_next_entry(gfarm_ldap_server, e)) {
ops->clear(tmp_info);
ber = NULL;
for (a = ldap_first_attribute(gfarm_ldap_server, e, &ber);
a != NULL;
a = ldap_next_attribute(gfarm_ldap_server, e, ber)) {
vals = ldap_get_values(gfarm_ldap_server, e, a);
if (vals[0] != NULL)
ops->set_field(tmp_info, a, vals);
ldap_value_free(vals);
ldap_memfree(a);
}
if (ber != NULL)
ber_free(ber, 0);
if (!ops->validate(tmp_info)) {
/* invalid record */
ops->free(tmp_info);
continue;
}
if (i < n - 1) { /* if (i == n - 1), do not have to copy */
memcpy(infos + ops->info_size * i, tmp_info,
ops->info_size);
}
i++;
}
/* free the search results */
ldap_msgfree(res);
if (i == 0) {
free(infos);
/* XXX - data were all invalid */
return (GFARM_ERR_NO_SUCH_OBJECT);
}
/* XXX - if (i < n), element from (i+1) to (n-1) may be wasted */
*np = i;
*(char **)infosp = infos;
return (NULL);
}
static isc_result_t
ldap_process_results (LDAP * dbc, LDAPMessage * msg, char **attrs, void *ptr, isc_boolean_t allnodes)
{
isc_result_t result = ISC_R_SUCCESS;
int i = 0;
int j;
int len;
char *attribute = NULL;
LDAPMessage *entry;
char *endp = NULL;
char *host = NULL;
char *type = NULL;
char *data = NULL;
char **vals = NULL;
int ttl;
/* make sure there are at least some attributes to process. */
REQUIRE (attrs != NULL || attrs[0] != NULL);
/* get the first entry to process */
entry = ldap_first_entry (dbc, msg);
if (entry == NULL)
{
isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_DLZ, ISC_LOG_INFO, "LDAP no entries to process.");
return (ISC_R_FAILURE);
}
/* loop through all entries returned */
while (entry != NULL)
{
/* reset for this loop */
ttl = 0;
len = 0;
i = 0;
attribute = attrs[i];
/* determine how much space we need for data string */
for (j = 0; attrs[j] != NULL; j++)
{
/* get the list of values for this attribute. */
vals = ldap_get_values (dbc, entry, attrs[j]);
/* skip empty attributes. */
if (vals == NULL || ldap_count_values (vals) < 1)
continue;
/*
* we only use the first value. this driver
* does not support multi-valued attributes.
*/
len = len + strlen (vals[0]) + 1;
/* free vals for next loop */
ldap_value_free (vals);
} /* end for (j = 0; attrs[j] != NULL, j++) loop */
/* allocate memory for data string */
data = isc_mem_allocate (ns_g_mctx, len + 1);
if (data == NULL)
{
isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
"LDAP driver unable to allocate memory " "while processing results");
result = ISC_R_FAILURE;
goto cleanup;
}
/*
* Make sure data is null termed at the beginning so
* we can check if any data was stored to it later.
*/
data[0] = '\0';
/* reset j to re-use below */
j = 0;
/* loop through the attributes in the order specified. */
while (attribute != NULL)
{
/* get the list of values for this attribute. */
vals = ldap_get_values (dbc, entry, attribute);
/* skip empty attributes. */
if (vals == NULL || vals[0] == NULL)
{
/* increment attibute pointer */
attribute = attrs[++i];
/* start loop over */
continue;
}
/*
* j initially = 0. Increment j each time we
* set a field that way next loop will set
* next field.
*/
switch (j)
{
case 0:
j++;
/*
* convert text to int, make sure it
* worked right
*/
ttl = strtol (vals[0], &endp, 10);
if (*endp != '\0' || ttl < 0)
{
isc_log_write (dns_lctx,
DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_DLZ, ISC_LOG_ERROR, "LDAP driver ttl must " "be a postive number");
goto cleanup;
}
break;
case 1:
j++;
type = isc_mem_strdup (ns_g_mctx, vals[0]);
break;
case 2:
j++;
if (allnodes == isc_boolean_true)
{
host = isc_mem_strdup (ns_g_mctx, vals[0]);
}
else
{
strcpy (data, vals[0]);
}
break;
case 3:
j++;
if (allnodes == isc_boolean_true)
{
strcpy (data, vals[0]);
}
else
{
strcat (data, " ");
strcat (data, vals[0]);
}
break;
default:
strcat (data, " ");
strcat (data, vals[0]);
break;
} /* end switch(j) */
/* free values */
ldap_value_free (vals);
vals = NULL;
/* increment attibute pointer */
attribute = attrs[++i];
} /* end while (attribute != NULL) */
if (type == NULL)
{
isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_DLZ, ISC_LOG_ERROR, "LDAP driver unable " "to retrieve DNS type");
result = ISC_R_FAILURE;
goto cleanup;
}
if (strlen (data) < 1)
{
isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_DLZ, ISC_LOG_ERROR, "LDAP driver unable " "to retrieve DNS data");
result = ISC_R_FAILURE;
goto cleanup;
}
if (allnodes == isc_boolean_true)
{
if (strcasecmp (host, "~") == 0)
result = dns_sdlz_putnamedrr ((dns_sdlzallnodes_t *) ptr, "*", type, ttl, data);
else
result = dns_sdlz_putnamedrr ((dns_sdlzallnodes_t *) ptr, host, type, ttl, data);
if (result != ISC_R_SUCCESS)
isc_log_write (dns_lctx,
DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
"dlz-ldap: putnamedrr failed "
"for \"%s %s %u %s\", %s", host, type, ttl, data, isc_result_totext (result));
}
else
{
result = dns_sdlz_putrr ((dns_sdlzlookup_t *) ptr, type, ttl, data);
if (result != ISC_R_SUCCESS)
isc_log_write (dns_lctx,
DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
"dlz-ldap: putrr failed "
"for \"%s %u %s\", %s", type, ttl, data, isc_result_totext (result));
}
if (result != ISC_R_SUCCESS)
{
isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE,
DNS_LOGMODULE_DLZ, ISC_LOG_ERROR, "LDAP driver failed " "while sending data to BIND.");
goto cleanup;
}
/* free memory for type, data and host for next loop */
isc_mem_free (ns_g_mctx, type);
isc_mem_free (ns_g_mctx, data);
if (host != NULL)
isc_mem_free (ns_g_mctx, host);
/* get the next entry to process */
entry = ldap_next_entry (dbc, entry);
} /* end while (entry != NULL) */
cleanup:
/* de-allocate memory */
if (vals != NULL)
ldap_value_free (vals);
if (host != NULL)
isc_mem_free (ns_g_mctx, host);
if (type != NULL)
isc_mem_free (ns_g_mctx, type);
if (data != NULL)
isc_mem_free (ns_g_mctx, data);
return (result);
}
/** Load clients from LDAP on server start
*
* @param[in] inst rlm_ldap configuration.
* @param[in] cs to load client attribute/LDAP attribute mappings from.
* @return -1 on error else 0.
*/
CC_HINT(nonnull) int rlm_ldap_client_load(ldap_instance_t const *inst, CONF_SECTION *cs)
{
int ret = 0;
ldap_rcode_t status;
ldap_handle_t *conn = NULL;
char const **attrs = NULL;
CONF_PAIR *cp;
int count = 0, idx = 0;
LDAPMessage *result = NULL;
LDAPMessage *entry;
char *dn = NULL;
RADCLIENT *c;
LDAP_DBG("Loading dynamic clients");
rad_assert(inst->clientobj_base_dn);
if (!inst->clientobj_filter) {
LDAP_ERR("Told to load clients but 'client.filter' not specified");
return -1;
}
count = cf_pair_count(cs);
count++;
/*
* Create an array of LDAP attributes to feed to rlm_ldap_search.
*/
attrs = talloc_array(inst, char const *, count);
if (rlm_ldap_client_get_attrs(attrs, &idx, cs) < 0) return -1;
conn = rlm_ldap_get_socket(inst, NULL);
if (!conn) return -1;
/*
* Perform all searches as the admin user.
*/
if (conn->rebound) {
status = rlm_ldap_bind(inst, NULL, &conn, inst->admin_dn, inst->password, true);
if (status != LDAP_PROC_SUCCESS) {
ret = -1;
goto finish;
}
rad_assert(conn);
conn->rebound = false;
}
status = rlm_ldap_search(inst, NULL, &conn, inst->clientobj_base_dn, inst->clientobj_scope,
inst->clientobj_filter, attrs, &result);
switch (status) {
case LDAP_PROC_SUCCESS:
break;
case LDAP_PROC_NO_RESULT:
LDAP_INFO("No clients were found in the directory");
ret = 0;
goto finish;
default:
ret = -1;
goto finish;
}
rad_assert(conn);
entry = ldap_first_entry(conn->handle, result);
if (!entry) {
int ldap_errno;
ldap_get_option(conn->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
LDAP_ERR("Failed retrieving entry: %s", ldap_err2string(ldap_errno));
ret = -1;
goto finish;
}
do {
CONF_SECTION *cc;
char *id;
char **value;
id = dn = ldap_get_dn(conn->handle, entry);
cp = cf_pair_find(cs, "identifier");
if (cp) {
value = ldap_get_values(conn->handle, entry, cf_pair_value(cp));
if (value) id = value[0];
}
/*
* Iterate over mapping sections
*/
cc = cf_section_alloc(NULL, "client", id);
if (rlm_ldap_client_map_section(inst, cc, cs, conn, entry) < 0) {
talloc_free(cc);
ret = -1;
goto finish;
}
/*
*@todo these should be parented from something
*/
c = client_afrom_cs(NULL, cc, false);
if (!c) {
talloc_free(cc);
ret = -1;
goto finish;
}
/*
* Client parents the CONF_SECTION which defined it
*/
talloc_steal(c, cc);
if (!client_add(NULL, c)) {
LDAP_ERR("Failed to add client \"%s\", possible duplicate?", dn);
ret = -1;
client_free(c);
goto finish;
}
LDAP_DBG("Client \"%s\" added", dn);
ldap_memfree(dn);
dn = NULL;
} while ((entry = ldap_next_entry(conn->handle, entry)));
finish:
talloc_free(attrs);
if (dn) ldap_memfree(dn);
if (result) ldap_msgfree(result);
rlm_ldap_release_socket(inst, conn);
return ret;
}
static void
do_random( char *uri, char *manager, struct berval *passwd,
char *sbase, int scope, char *filter, char *attr,
char **srchattrs, int noattrs, int nobind,
int innerloop, int maxretries, int delay, int force, int chaserefs )
{
LDAP *ld = NULL;
int i = 0, do_retry = maxretries;
char *attrs[ 2 ];
int rc = LDAP_SUCCESS;
int version = LDAP_VERSION3;
int nvalues = 0;
char **values = NULL;
LDAPMessage *res = NULL, *e = NULL;
attrs[ 0 ] = attr;
attrs[ 1 ] = NULL;
ldap_initialize( &ld, uri );
if ( ld == NULL ) {
tester_perror( "ldap_initialize", NULL );
exit( EXIT_FAILURE );
}
(void) ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
(void) ldap_set_option( ld, LDAP_OPT_REFERRALS,
chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );
if ( do_retry == maxretries ) {
fprintf( stderr, "PID=%ld - Search(%d): base=\"%s\", filter=\"%s\" attr=\"%s\".\n",
(long) pid, innerloop, sbase, filter, attr );
}
if ( nobind == 0 ) {
rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
switch ( rc ) {
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
/* fallthru */
default:
break;
}
exit( EXIT_FAILURE );
}
}
rc = ldap_search_ext_s( ld, sbase, LDAP_SCOPE_SUBTREE,
filter, attrs, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &res );
switch ( rc ) {
case LDAP_SIZELIMIT_EXCEEDED:
case LDAP_TIMELIMIT_EXCEEDED:
case LDAP_SUCCESS:
if ( ldap_count_entries( ld, res ) == 0 ) {
if ( rc ) {
tester_ldap_error( ld, "ldap_search_ext_s", NULL );
}
break;
}
for ( e = ldap_first_entry( ld, res ); e != NULL; e = ldap_next_entry( ld, e ) )
{
struct berval **v = ldap_get_values_len( ld, e, attr );
if ( v != NULL ) {
int n = ldap_count_values_len( v );
int j;
values = realloc( values, ( nvalues + n + 1 )*sizeof( char * ) );
for ( j = 0; j < n; j++ ) {
values[ nvalues + j ] = strdup( v[ j ]->bv_val );
}
values[ nvalues + j ] = NULL;
nvalues += n;
ldap_value_free_len( v );
}
}
ldap_msgfree( res );
if ( !values ) {
fprintf( stderr, " PID=%ld - Search base=\"%s\" filter=\"%s\" got %d values.\n",
(long) pid, sbase, filter, nvalues );
exit(EXIT_FAILURE);
}
if ( do_retry == maxretries ) {
fprintf( stderr, " PID=%ld - Search base=\"%s\" filter=\"%s\" got %d values.\n",
(long) pid, sbase, filter, nvalues );
}
for ( i = 0; i < innerloop; i++ ) {
char buf[ BUFSIZ ];
#if 0 /* use high-order bits for better randomness (Numerical Recipes in "C") */
int r = rand() % nvalues;
#endif
int r = ((double)nvalues)*rand()/(RAND_MAX + 1.0);
snprintf( buf, sizeof( buf ), "(%s=%s)", attr, values[ r ] );
do_search( uri, manager, passwd,
sbase, scope, buf, &ld,
srchattrs, noattrs, nobind,
1, maxretries, delay, force, chaserefs );
}
break;
default:
tester_ldap_error( ld, "ldap_search_ext_s", NULL );
break;
}
fprintf( stderr, " PID=%ld - Search done (%d).\n", (long) pid, rc );
if ( ld != NULL ) {
ldap_unbind_ext( ld, NULL, NULL );
}
}
/*
* Delete all the children of an entry recursively until leaf nodes are reached.
*/
static int deletechildren(
LDAP *ld,
const char *base,
int subentries )
{
LDAPMessage *res, *e;
int entries;
int rc = LDAP_SUCCESS, srch_rc;
static char *attrs[] = { LDAP_NO_ATTRS, NULL };
LDAPControl c, *ctrls[2], **ctrlsp = NULL;
BerElement *ber = NULL;
if ( verbose ) printf ( _("deleting children of: %s\n"), base );
if ( subentries ) {
/*
* Do a one level search at base for subentry children.
*/
if ((ber = ber_alloc_t(LBER_USE_DER)) == NULL) {
return EXIT_FAILURE;
}
rc = ber_printf( ber, "b", 1 );
if ( rc == -1 ) {
ber_free( ber, 1 );
fprintf( stderr, _("Subentries control encoding error!\n"));
return EXIT_FAILURE;
}
if ( ber_flatten2( ber, &c.ldctl_value, 0 ) == -1 ) {
return EXIT_FAILURE;
}
c.ldctl_oid = LDAP_CONTROL_SUBENTRIES;
c.ldctl_iscritical = 1;
ctrls[0] = &c;
ctrls[1] = NULL;
ctrlsp = ctrls;
}
/*
* Do a one level search at base for children. For each, delete its children.
*/
more:;
srch_rc = ldap_search_ext_s( ld, base, LDAP_SCOPE_ONELEVEL, NULL, attrs, 1,
ctrlsp, NULL, NULL, sizelimit, &res );
switch ( srch_rc ) {
case LDAP_SUCCESS:
case LDAP_SIZELIMIT_EXCEEDED:
break;
default:
tool_perror( "ldap_search", srch_rc, NULL, NULL, NULL, NULL );
return( srch_rc );
}
entries = ldap_count_entries( ld, res );
if ( entries > 0 ) {
int i;
for (e = ldap_first_entry( ld, res ), i = 0; e != NULL;
e = ldap_next_entry( ld, e ), i++ )
{
char *dn = ldap_get_dn( ld, e );
if( dn == NULL ) {
ldap_get_option( ld, LDAP_OPT_RESULT_CODE, &rc );
tool_perror( "ldap_prune", rc, NULL, NULL, NULL, NULL );
ber_memfree( dn );
return rc;
}
rc = deletechildren( ld, dn, 0 );
if ( rc != LDAP_SUCCESS ) {
tool_perror( "ldap_prune", rc, NULL, NULL, NULL, NULL );
ber_memfree( dn );
return rc;
}
if ( verbose ) {
printf( _("\tremoving %s\n"), dn );
}
rc = ldap_delete_ext_s( ld, dn, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tool_perror( "ldap_delete", rc, NULL, NULL, NULL, NULL );
ber_memfree( dn );
return rc;
}
if ( verbose ) {
printf( _("\t%s removed\n"), dn );
}
ber_memfree( dn );
}
}
ldap_msgfree( res );
if ( srch_rc == LDAP_SIZELIMIT_EXCEEDED ) {
goto more;
}
return rc;
}
DWORD
VmDirTestGetAttributeValue(
LDAP *pLd,
PCSTR pBase,
int ldapScope,
PCSTR pszFilter,
PCSTR pszAttribute,
BYTE **ppbAttributeValue,
PDWORD pdwAttributeLength
)
{
DWORD dwError = 0;
PCSTR ppszAttrs[2] = {0};
LDAPMessage *pResult = NULL;
BerValue** ppBerValues = NULL;
BYTE *pbAttributeValue = NULL;
DWORD dwAttributeLength = 0;
ppszAttrs[0] = pszAttribute;
dwError = ldap_search_ext_s(
pLd,
pBase,
ldapScope,
pszFilter ? pszFilter : "",
(PSTR*)ppszAttrs,
0,
NULL,
NULL,
NULL,
-1,
&pResult);
BAIL_ON_VMDIR_ERROR(dwError);
if (ldap_count_entries(pLd, pResult) > 0)
{
LDAPMessage* pEntry = ldap_first_entry(pLd, pResult);
for (; pEntry != NULL; pEntry = ldap_next_entry(pLd, pEntry))
{
BerValue** ppBerValues = NULL;
ppBerValues = ldap_get_values_len(pLd, pEntry, pszAttribute);
if (ppBerValues != NULL && ldap_count_values_len(ppBerValues) > 0)
{
dwError = VmDirAllocateAndCopyMemory(
ppBerValues[0][0].bv_val,
ppBerValues[0][0].bv_len,
(PVOID*)&pbAttributeValue);
BAIL_ON_VMDIR_ERROR(dwError);
dwAttributeLength = ppBerValues[0][0].bv_len;
break;
}
}
}
*ppbAttributeValue = pbAttributeValue;
*pdwAttributeLength = dwAttributeLength;
pbAttributeValue = NULL;
cleanup:
VMDIR_SAFE_FREE_MEMORY(pbAttributeValue);
if (ppBerValues)
{
ldap_value_free_len(ppBerValues);
ppBerValues = NULL;
}
if (pResult)
{
ldap_msgfree(pResult);
pResult = NULL;
}
return dwError;
error:
goto cleanup;
}
int main(int argc, char* argv[])
{
DWORD dwError = 0;
const int ldapVer = LDAP_VERSION3;
PVMDIR_QUERY_ARGS pArgs = NULL;
PSTR pszLdapURL = NULL;
LDAP* pLd = NULL;
BerValue ldapBindPwd = {0};
LDAPMessage* pResult = NULL;
PSTR pszDN = NULL;
dwError = VmDirQueryParseArgs(argc, argv, &pArgs);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirAllocateStringAVsnprintf(
&pszLdapURL,
"ldap://%s",
pArgs->pszHostname);
BAIL_ON_VMDIR_ERROR(dwError);
#if 0
dwError = ldap_initialize(&pLd, pszLdapURL);
BAIL_ON_VMDIR_ERROR(dwError);
#else
pLd = ldap_open(pArgs->pszHostname, 389);
if (!pLd)
{
dwError = VMDIR_ERROR_SERVER_DOWN;
BAIL_ON_VMDIR_ERROR(dwError);
}
#endif
dwError = ldap_set_option(pLd, LDAP_OPT_PROTOCOL_VERSION, &ldapVer);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = ldap_set_option(pLd, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
BAIL_ON_VMDIR_ERROR(dwError);
ldapBindPwd.bv_val = pArgs->pszPassword;
ldapBindPwd.bv_len = strlen(pArgs->pszPassword);
#if 0
dwError = ldap_sasl_bind_s(
pLd,
pArgs->pszBindDN,
LDAP_SASL_SIMPLE,
&ldapBindPwd,
NULL,
NULL,
NULL);
BAIL_ON_VMDIR_ERROR(dwError);
#else
dwError = ldap_bind_s(
pLd,
pArgs->pszBindDN,
pArgs->pszPassword,
LDAP_AUTH_SIMPLE);
BAIL_ON_VMDIR_ERROR(dwError);
#endif
#if 0
dwError = ldap_search_ext_s(
pLd,
pArgs->pszBaseDN,
LDAP_SCOPE_SUBTREE,
pArgs->pszFilter,
NULL,
TRUE,
NULL, // server ctrls
NULL, // client ctrls
NULL, // timeout
-1, // size limit,
&pResult);
BAIL_ON_VMDIR_ERROR(dwError);
#else
dwError = ldap_search_s(
pLd,
pArgs->pszBaseDN,
LDAP_SCOPE_SUBTREE,
pArgs->pszFilter,
NULL,
TRUE,
&pResult);
BAIL_ON_VMDIR_ERROR(dwError);
#endif
if (ldap_count_entries(pLd, pResult) > 0)
{
LDAPMessage* pEntry = ldap_first_entry(pLd, pResult);
for (; pEntry != NULL; pEntry = ldap_next_entry(pLd, pEntry))
{
if (pszDN)
{
ldap_memfree(pszDN);
pszDN = NULL;
}
pszDN = ldap_get_dn(pLd, pEntry);
if (IsNullOrEmptyString(pszDN))
{
dwError = VMDIR_ERROR_INVALID_DN;
BAIL_ON_VMDIR_ERROR(dwError);
}
fprintf(stdout, "DN : %s\n", pszDN);
}
}
cleanup:
if (pArgs)
{
VmDirFreeArgs(pArgs);
}
VMDIR_SAFE_FREE_MEMORY(pszLdapURL);
if (pResult)
{
ldap_msgfree(pResult);
}
if (pszDN)
{
ldap_memfree(pszDN);
}
if (pLd)
{
ldap_unbind_ext_s(pLd, NULL, NULL);
}
return dwError;
error:
goto cleanup;
}
static int
perform_ldap_search(uschar *ldap_url, uschar *server, int s_port, int search_type,
uschar **res, uschar **errmsg, BOOL *defer_break, uschar *user, uschar *password,
int sizelimit, int timelimit, int tcplimit, int dereference, void *referrals)
{
LDAPURLDesc *ludp = NULL;
LDAPMessage *result = NULL;
BerElement *ber;
LDAP_CONNECTION *lcp;
struct timeval timeout;
struct timeval *timeoutptr = NULL;
uschar *attr;
uschar **attrp;
uschar *data = NULL;
uschar *dn = NULL;
uschar *host;
uschar **values;
uschar **firstval;
uschar porttext[16];
uschar *error1 = NULL; /* string representation of errcode (static) */
uschar *error2 = NULL; /* error message from the server */
uschar *matched = NULL; /* partially matched DN */
int attr_count = 0;
int error_yield = DEFER;
int msgid;
int rc, ldap_rc, ldap_parse_rc;
int port;
int ptr = 0;
int rescount = 0;
int size = 0;
BOOL attribute_found = FALSE;
BOOL ldapi = FALSE;
DEBUG(D_lookup)
debug_printf("perform_ldap_search: ldap%s URL = \"%s\" server=%s port=%d "
"sizelimit=%d timelimit=%d tcplimit=%d\n",
(search_type == SEARCH_LDAP_MULTIPLE)? "m" :
(search_type == SEARCH_LDAP_DN)? "dn" :
(search_type == SEARCH_LDAP_AUTH)? "auth" : "",
ldap_url, server, s_port, sizelimit, timelimit, tcplimit);
/* Check if LDAP thinks the URL is a valid LDAP URL. We assume that if the LDAP
library that is in use doesn't recognize, say, "ldapi", it will barf here. */
if (!ldap_is_ldap_url(CS ldap_url))
{
*errmsg = string_sprintf("ldap_is_ldap_url: not an LDAP url \"%s\"\n",
ldap_url);
goto RETURN_ERROR_BREAK;
}
/* Parse the URL */
if ((rc = ldap_url_parse(CS ldap_url, &ludp)) != 0)
{
*errmsg = string_sprintf("ldap_url_parse: (error %d) parsing \"%s\"\n", rc,
ldap_url);
goto RETURN_ERROR_BREAK;
}
/* If the host name is empty, take it from the separate argument, if one is
given. OpenLDAP 2.0.6 sets an unset hostname to "" rather than empty, but
expects NULL later in ldap_init() to mean "default", annoyingly. In OpenLDAP
2.0.11 this has changed (it uses NULL). */
if ((ludp->lud_host == NULL || ludp->lud_host[0] == 0) && server != NULL)
{
host = server;
port = s_port;
}
else
{
host = US ludp->lud_host;
if (host != NULL && host[0] == 0) host = NULL;
port = ludp->lud_port;
}
DEBUG(D_lookup) debug_printf("after ldap_url_parse: host=%s port=%d\n",
host, port);
if (port == 0) port = LDAP_PORT; /* Default if none given */
sprintf(CS porttext, ":%d", port); /* For messages */
/* If the "host name" is actually a path, we are going to connect using a Unix
socket, regardless of whether "ldapi" was actually specified or not. This means
that a Unix socket can be declared in eldap_default_servers, and "traditional"
LDAP queries using just "ldap" can be used ("ldaps" is similarly overridden).
The path may start with "/" or it may already be escaped as "%2F" if it was
actually declared that way in eldap_default_servers. (I did it that way the
first time.) If the host name is not a path, the use of "ldapi" causes an
error, except in the default case. (But lud_scheme doesn't seem to exist in
older libraries.) */
if (host != NULL)
{
if ((host[0] == '/' || Ustrncmp(host, "%2F", 3) == 0))
{
ldapi = TRUE;
porttext[0] = 0; /* Remove port from messages */
}
#if defined LDAP_LIB_OPENLDAP2
else if (strncmp(ludp->lud_scheme, "ldapi", 5) == 0)
{
*errmsg = string_sprintf("ldapi requires an absolute path (\"%s\" given)",
host);
goto RETURN_ERROR;
}
#endif
}
/* Count the attributes; we need this later to tell us how to format results */
for (attrp = USS ludp->lud_attrs; attrp != NULL && *attrp != NULL; attrp++)
attr_count++;
/* See if we can find a cached connection to this host. The port is not
relevant for ldapi. The host name pointer is set to NULL if no host was given
(implying the library default), rather than to the empty string. Note that in
this case, there is no difference between ldap and ldapi. */
for (lcp = ldap_connections; lcp != NULL; lcp = lcp->next)
{
if ((host == NULL) != (lcp->host == NULL) ||
(host != NULL && strcmpic(lcp->host, host) != 0))
continue;
if (ldapi || port == lcp->port) break;
}
/* Use this network timeout in any requests. */
if (tcplimit > 0)
{
timeout.tv_sec = tcplimit;
timeout.tv_usec = 0;
timeoutptr = &timeout;
}
/* If no cached connection found, we must open a connection to the server. If
the server name is actually an absolute path, we set ldapi=TRUE above. This
requests connection via a Unix socket. However, as far as I know, only OpenLDAP
supports the use of sockets, and the use of ldap_initialize(). */
if (lcp == NULL)
{
LDAP *ld;
/* --------------------------- OpenLDAP ------------------------ */
/* There seems to be a preference under OpenLDAP for ldap_initialize()
instead of ldap_init(), though I have as yet been unable to find
documentation that says this. (OpenLDAP documentation is sparse to
non-existent). So we handle OpenLDAP differently here. Also, support for
ldapi seems to be OpenLDAP-only at present. */
#ifdef LDAP_LIB_OPENLDAP2
/* We now need an empty string for the default host. Get some store in which
to build a URL for ldap_initialize(). In the ldapi case, it can't be bigger
than (9 + 3*Ustrlen(shost)), whereas in the other cases it can't be bigger
than the host name + "ldaps:///" plus : and a port number, say 20 + the
length of the host name. What we get should accommodate both, easily. */
uschar *shost = (host == NULL)? US"" : host;
uschar *init_url = store_get(20 + 3 * Ustrlen(shost));
uschar *init_ptr;
/* Handle connection via Unix socket ("ldapi"). We build a basic LDAP URI to
contain the path name, with slashes escaped as %2F. */
if (ldapi)
{
int ch;
init_ptr = init_url + 8;
Ustrcpy(init_url, "ldapi://");
while ((ch = *shost++) != 0)
{
if (ch == '/')
{
Ustrncpy(init_ptr, "%2F", 3);
init_ptr += 3;
}
else *init_ptr++ = ch;
}
*init_ptr = 0;
}
/* This is not an ldapi call. Just build a URI with the protocol type, host
name, and port. */
else
{
init_ptr = Ustrchr(ldap_url, '/');
Ustrncpy(init_url, ldap_url, init_ptr - ldap_url);
init_ptr = init_url + (init_ptr - ldap_url);
sprintf(CS init_ptr, "//%s:%d/", shost, port);
}
/* Call ldap_initialize() and check the result */
DEBUG(D_lookup) debug_printf("ldap_initialize with URL %s\n", init_url);
rc = ldap_initialize(&ld, CS init_url);
if (rc != LDAP_SUCCESS)
{
*errmsg = string_sprintf("ldap_initialize: (error %d) URL \"%s\"\n",
rc, init_url);
goto RETURN_ERROR;
}
store_reset(init_url); /* Might as well save memory when we can */
/* ------------------------- Not OpenLDAP ---------------------- */
/* For libraries other than OpenLDAP, use ldap_init(). */
#else /* LDAP_LIB_OPENLDAP2 */
ld = ldap_init(CS host, port);
#endif /* LDAP_LIB_OPENLDAP2 */
/* -------------------------------------------------------------- */
/* Handle failure to initialize */
if (ld == NULL)
{
*errmsg = string_sprintf("failed to initialize for LDAP server %s%s - %s",
host, porttext, strerror(errno));
goto RETURN_ERROR;
}
/* Set the TCP connect time limit if available. This is something that is
in Netscape SDK v4.1; I don't know about other libraries. */
#ifdef LDAP_X_OPT_CONNECT_TIMEOUT
if (tcplimit > 0)
{
int timeout1000 = tcplimit*1000;
ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)&timeout1000);
}
else
{
int notimeout = LDAP_X_IO_TIMEOUT_NO_TIMEOUT;
ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)¬imeout);
}
#endif
/* Set the TCP connect timeout. This works with OpenLDAP 2.2.14. */
#ifdef LDAP_OPT_NETWORK_TIMEOUT
if (tcplimit > 0)
ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, (void *)timeoutptr);
#endif
/* I could not get TLS to work until I set the version to 3. That version
seems to be the default nowadays. The RFC is dated 1997, so I would hope
that all the LDAP libraries support it. Therefore, if eldap_version hasn't
been set, go for v3 if we can. */
if (eldap_version < 0)
{
#ifdef LDAP_VERSION3
eldap_version = LDAP_VERSION3;
#else
eldap_version = 2;
#endif
}
#ifdef LDAP_OPT_PROTOCOL_VERSION
ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, (void *)&eldap_version);
#endif
DEBUG(D_lookup) debug_printf("initialized for LDAP (v%d) server %s%s\n",
eldap_version, host, porttext);
/* If not using ldapi and TLS is available, set appropriate TLS options: hard
for "ldaps" and soft otherwise. */
#ifdef LDAP_OPT_X_TLS
if (!ldapi)
{
int tls_option;
if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0)
{
tls_option = LDAP_OPT_X_TLS_HARD;
DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_HARD set\n");
}
else
{
tls_option = LDAP_OPT_X_TLS_TRY;
DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_TRY set\n");
}
ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
}
#endif /* LDAP_OPT_X_TLS */
#ifdef LDAP_OPT_X_TLS_CACERTFILE
if (eldap_ca_cert_file != NULL)
{
ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
}
#endif
#ifdef LDAP_OPT_X_TLS_CACERTDIR
if (eldap_ca_cert_dir != NULL)
{
ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
}
#endif
#ifdef LDAP_OPT_X_TLS_CERTFILE
if (eldap_cert_file != NULL)
{
ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
}
#endif
#ifdef LDAP_OPT_X_TLS_KEYFILE
if (eldap_cert_key != NULL)
{
ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
}
#endif
#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
if (eldap_cipher_suite != NULL)
{
ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
}
#endif
#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
if (eldap_require_cert != NULL)
{
int cert_option = LDAP_OPT_X_TLS_NEVER;
if (Ustrcmp(eldap_require_cert, "hard") == 0)
{
cert_option = LDAP_OPT_X_TLS_HARD;
}
else if (Ustrcmp(eldap_require_cert, "demand") == 0)
{
cert_option = LDAP_OPT_X_TLS_DEMAND;
}
else if (Ustrcmp(eldap_require_cert, "allow") == 0)
{
cert_option = LDAP_OPT_X_TLS_ALLOW;
}
else if (Ustrcmp(eldap_require_cert, "try") == 0)
{
cert_option = LDAP_OPT_X_TLS_TRY;
}
ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
}
#endif
/* Now add this connection to the chain of cached connections */
lcp = store_get(sizeof(LDAP_CONNECTION));
lcp->host = (host == NULL)? NULL : string_copy(host);
lcp->bound = FALSE;
lcp->user = NULL;
lcp->password = NULL;
lcp->port = port;
lcp->ld = ld;
lcp->next = ldap_connections;
ldap_connections = lcp;
}
/* Found cached connection */
else
{
DEBUG(D_lookup)
debug_printf("re-using cached connection to LDAP server %s%s\n",
host, porttext);
}
/* Bind with the user/password supplied, or an anonymous bind if these values
are NULL, unless a cached connection is already bound with the same values. */
if (!lcp->bound ||
(lcp->user == NULL && user != NULL) ||
(lcp->user != NULL && user == NULL) ||
(lcp->user != NULL && user != NULL && Ustrcmp(lcp->user, user) != 0) ||
(lcp->password == NULL && password != NULL) ||
(lcp->password != NULL && password == NULL) ||
(lcp->password != NULL && password != NULL &&
Ustrcmp(lcp->password, password) != 0))
{
DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n",
(lcp->bound)? "re-" : "", user, password);
#ifdef LDAP_OPT_X_TLS
/* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this: */
if (eldap_start_tls)
{
ldap_start_tls_s(lcp->ld, NULL, NULL);
}
#endif
if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE))
== -1)
{
*errmsg = string_sprintf("failed to bind the LDAP connection to server "
"%s%s - ldap_bind() returned -1", host, porttext);
goto RETURN_ERROR;
}
if ((rc = ldap_result( lcp->ld, msgid, 1, timeoutptr, &result )) <= 0)
{
*errmsg = string_sprintf("failed to bind the LDAP connection to server "
"%s%s - LDAP error: %s", host, porttext,
rc == -1 ? "result retrieval failed" : "timeout" );
result = NULL;
goto RETURN_ERROR;
}
rc = ldap_result2error( lcp->ld, result, 0 );
/* Invalid credentials when just checking credentials returns FAIL. This
stops any further servers being tried. */
if (search_type == SEARCH_LDAP_AUTH && rc == LDAP_INVALID_CREDENTIALS)
{
DEBUG(D_lookup)
debug_printf("Invalid credentials: ldapauth returns FAIL\n");
error_yield = FAIL;
goto RETURN_ERROR_NOMSG;
}
/* Otherwise we have a problem that doesn't stop further servers from being
tried. */
if (rc != LDAP_SUCCESS)
{
*errmsg = string_sprintf("failed to bind the LDAP connection to server "
"%s%s - LDAP error %d: %s", host, porttext, rc, ldap_err2string(rc));
goto RETURN_ERROR;
}
/* Successful bind */
lcp->bound = TRUE;
lcp->user = (user == NULL)? NULL : string_copy(user);
lcp->password = (password == NULL)? NULL : string_copy(password);
ldap_msgfree(result);
result = NULL;
}
/* If we are just checking credentials, return OK. */
if (search_type == SEARCH_LDAP_AUTH)
{
DEBUG(D_lookup) debug_printf("Bind succeeded: ldapauth returns OK\n");
goto RETURN_OK;
}
/* Before doing the search, set the time and size limits (if given). Here again
the different implementations of LDAP have chosen to do things differently. */
#if defined(LDAP_OPT_SIZELIMIT)
ldap_set_option(lcp->ld, LDAP_OPT_SIZELIMIT, (void *)&sizelimit);
ldap_set_option(lcp->ld, LDAP_OPT_TIMELIMIT, (void *)&timelimit);
#else
lcp->ld->ld_sizelimit = sizelimit;
lcp->ld->ld_timelimit = timelimit;
#endif
/* Similarly for dereferencing aliases. Don't know if this is possible on
an LDAP library without LDAP_OPT_DEREF. */
#if defined(LDAP_OPT_DEREF)
ldap_set_option(lcp->ld, LDAP_OPT_DEREF, (void *)&dereference);
#endif
/* Similarly for the referral setting; should the library follow referrals that
the LDAP server returns? The conditional is just in case someone uses a library
without it. */
#if defined(LDAP_OPT_REFERRALS)
ldap_set_option(lcp->ld, LDAP_OPT_REFERRALS, referrals);
#endif
/* Start the search on the server. */
DEBUG(D_lookup) debug_printf("Start search\n");
msgid = ldap_search(lcp->ld, ludp->lud_dn, ludp->lud_scope, ludp->lud_filter,
ludp->lud_attrs, 0);
if (msgid == -1)
{
#if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
int err;
ldap_get_option(lcp->ld, LDAP_OPT_ERROR_NUMBER, &err);
*errmsg = string_sprintf("ldap_search failed: %d, %s", err,
ldap_err2string(err));
#else
*errmsg = string_sprintf("ldap_search failed");
#endif
goto RETURN_ERROR;
}
/* Loop to pick up results as they come in, setting a timeout if one was
given. */
while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) ==
LDAP_RES_SEARCH_ENTRY)
{
LDAPMessage *e;
DEBUG(D_lookup) debug_printf("ldap_result loop\n");
for(e = ldap_first_entry(lcp->ld, result);
e != NULL;
e = ldap_next_entry(lcp->ld, e))
{
uschar *new_dn;
BOOL insert_space = FALSE;
DEBUG(D_lookup) debug_printf("LDAP entry loop\n");
rescount++; /* Count results */
/* Results for multiple entries values are separated by newlines. */
if (data != NULL) data = string_cat(data, &size, &ptr, US"\n", 1);
/* Get the DN from the last result. */
new_dn = US ldap_get_dn(lcp->ld, e);
if (new_dn != NULL)
{
if (dn != NULL)
{
#if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
ldap_memfree(dn);
#else /* OPENLDAP 1, UMich, Solaris */
free(dn);
#endif
}
/* Save for later */
dn = new_dn;
}
/* If the data we want is actually the DN rather than any attribute values,
(an "ldapdn" search) add it to the data string. If there are multiple
entries, the DNs will be concatenated, but we test for this case below, as
for SEARCH_LDAP_SINGLE, and give an error. */
if (search_type == SEARCH_LDAP_DN) /* Do not amalgamate these into one */
{ /* condition, because of the else */
if (new_dn != NULL) /* below, that's for the first only */
{
data = string_cat(data, &size, &ptr, new_dn, Ustrlen(new_dn));
data[ptr] = 0;
attribute_found = TRUE;
}
}
/* Otherwise, loop through the entry, grabbing attribute values. If there's
only one attribute being retrieved, no attribute name is given, and the
result is not quoted. Multiple values are separated by (comma, space).
If more than one attribute is being retrieved, the data is given as a
sequence of name=value pairs, with the value always in quotes. If there are
multiple values, they are given within the quotes, comma separated. */
else for (attr = US ldap_first_attribute(lcp->ld, e, &ber);
attr != NULL;
attr = US ldap_next_attribute(lcp->ld, e, ber))
{
if (attr[0] != 0)
{
/* Get array of values for this attribute. */
if ((firstval = values = USS ldap_get_values(lcp->ld, e, CS attr))
!= NULL)
{
if (attr_count != 1)
{
if (insert_space)
data = string_cat(data, &size, &ptr, US" ", 1);
else
insert_space = TRUE;
data = string_cat(data, &size, &ptr, attr, Ustrlen(attr));
data = string_cat(data, &size, &ptr, US"=\"", 2);
}
while (*values != NULL)
{
uschar *value = *values;
int len = Ustrlen(value);
DEBUG(D_lookup) debug_printf("LDAP attr loop %s:%s\n", attr, value);
if (values != firstval)
data = string_cat(data, &size, &ptr, US", ", 2);
/* For multiple attributes, the data is in quotes. We must escape
internal quotes, backslashes, newlines. */
if (attr_count != 1)
{
int j;
for (j = 0; j < len; j++)
{
if (value[j] == '\n')
data = string_cat(data, &size, &ptr, US"\\n", 2);
else
{
if (value[j] == '\"' || value[j] == '\\')
data = string_cat(data, &size, &ptr, US"\\", 1);
data = string_cat(data, &size, &ptr, value+j, 1);
}
}
}
/* For single attributes, copy the value verbatim */
else data = string_cat(data, &size, &ptr, value, len);
/* Move on to the next value */
values++;
attribute_found = TRUE;
}
/* Closing quote at the end of the data for a named attribute. */
if (attr_count != 1)
data = string_cat(data, &size, &ptr, US"\"", 1);
/* Free the values */
ldap_value_free(CSS firstval);
}
}
#if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
/* Netscape and OpenLDAP2 LDAP's attrs are dynamically allocated and need
to be freed. UMich LDAP stores them in static storage and does not require
this. */
ldap_memfree(attr);
#endif
} /* End "for" loop for extracting attributes from an entry */
} /* End "for" loop for extracting entries from a result */
/* Free the result */
ldap_msgfree(result);
result = NULL;
} /* End "while" loop for multiple results */
/* Terminate the dynamic string that we have built and reclaim unused store */
if (data != NULL)
{
data[ptr] = 0;
store_reset(data + ptr + 1);
}
/* Copy the last dn into eldap_dn */
if (dn != NULL)
{
eldap_dn = string_copy(dn);
#if defined LDAP_LIB_NETSCAPE || defined LDAP_LIB_OPENLDAP2
ldap_memfree(dn);
#else /* OPENLDAP 1, UMich, Solaris */
free(dn);
#endif
}
DEBUG(D_lookup) debug_printf("search ended by ldap_result yielding %d\n",rc);
if (rc == 0)
{
*errmsg = US"ldap_result timed out";
goto RETURN_ERROR;
}
/* A return code of -1 seems to mean "ldap_result failed internally or couldn't
provide you with a message". Other error states seem to exist where
ldap_result() didn't give us any message from the server at all, leaving result
set to NULL. Apparently, "the error parameters of the LDAP session handle will
be set accordingly". That's the best we can do to retrieve an error status; we
can't use functions like ldap_result2error because they parse a message from
the server, which we didn't get.
Annoyingly, the different implementations of LDAP have gone for different
methods of handling error codes and generating error messages. */
if (rc == -1 || result == NULL)
{
int err;
DEBUG(D_lookup) debug_printf("ldap_result failed\n");
#if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
ldap_get_option(lcp->ld, LDAP_OPT_ERROR_NUMBER, &err);
*errmsg = string_sprintf("ldap_result failed: %d, %s",
err, ldap_err2string(err));
#elif defined LDAP_LIB_NETSCAPE
/* Dubious (surely 'matched' is spurious here?) */
(void)ldap_get_lderrno(lcp->ld, &matched, &error1);
*errmsg = string_sprintf("ldap_result failed: %s (%s)", error1, matched);
#else /* UMich LDAP aka OpenLDAP 1.x */
*errmsg = string_sprintf("ldap_result failed: %d, %s",
lcp->ld->ld_errno, ldap_err2string(lcp->ld->ld_errno));
#endif
goto RETURN_ERROR;
}
/* A return code that isn't -1 doesn't necessarily mean there were no problems
with the search. The message must be an LDAP_RES_SEARCH_RESULT or
LDAP_RES_SEARCH_REFERENCE or else it's something we can't handle. Some versions
of LDAP do not define LDAP_RES_SEARCH_REFERENCE (LDAP v1 is one, it seems). So
we don't provide that functionality when we can't. :-) */
if (rc != LDAP_RES_SEARCH_RESULT
#ifdef LDAP_RES_SEARCH_REFERENCE
&& rc != LDAP_RES_SEARCH_REFERENCE
#endif
)
{
*errmsg = string_sprintf("ldap_result returned unexpected code %d", rc);
goto RETURN_ERROR;
}
/* We have a result message from the server. This doesn't yet mean all is well.
We need to parse the message to find out exactly what's happened. */
#if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
ldap_rc = rc;
ldap_parse_rc = ldap_parse_result(lcp->ld, result, &rc, CSS &matched,
CSS &error2, NULL, NULL, 0);
DEBUG(D_lookup) debug_printf("ldap_parse_result: %d\n", ldap_parse_rc);
if (ldap_parse_rc < 0 &&
(ldap_parse_rc != LDAP_NO_RESULTS_RETURNED
#ifdef LDAP_RES_SEARCH_REFERENCE
|| ldap_rc != LDAP_RES_SEARCH_REFERENCE
#endif
))
{
*errmsg = string_sprintf("ldap_parse_result failed %d", ldap_parse_rc);
goto RETURN_ERROR;
}
error1 = US ldap_err2string(rc);
#elif defined LDAP_LIB_NETSCAPE
/* Dubious (it doesn't reference 'result' at all!) */
rc = ldap_get_lderrno(lcp->ld, &matched, &error1);
#else /* UMich LDAP aka OpenLDAP 1.x */
rc = ldap_result2error(lcp->ld, result, 0);
error1 = ldap_err2string(rc);
error2 = lcp->ld->ld_error;
matched = lcp->ld->ld_matched;
#endif
/* Process the status as follows:
(1) If we get LDAP_SIZELIMIT_EXCEEDED, just carry on, to return the
truncated result list.
(2) If we get LDAP_RES_SEARCH_REFERENCE, also just carry on. This was a
submitted patch that is reported to "do the right thing" with Solaris
LDAP libraries. (The problem it addresses apparently does not occur with
Open LDAP.)
(3) The range of errors defined by LDAP_NAME_ERROR generally mean "that
object does not, or cannot, exist in the database". For those cases we
fail the lookup.
(4) All other non-successes here are treated as some kind of problem with
the lookup, so return DEFER (which is the default in error_yield).
*/
DEBUG(D_lookup) debug_printf("ldap_parse_result yielded %d: %s\n",
rc, ldap_err2string(rc));
if (rc != LDAP_SUCCESS && rc != LDAP_SIZELIMIT_EXCEEDED
#ifdef LDAP_RES_SEARCH_REFERENCE
&& rc != LDAP_RES_SEARCH_REFERENCE
#endif
)
{
*errmsg = string_sprintf("LDAP search failed - error %d: %s%s%s%s%s",
rc,
(error1 != NULL)? error1 : US"",
(error2 != NULL && error2[0] != 0)? US"/" : US"",
(error2 != NULL)? error2 : US"",
(matched != NULL && matched[0] != 0)? US"/" : US"",
(matched != NULL)? matched : US"");
#if defined LDAP_NAME_ERROR
if (LDAP_NAME_ERROR(rc))
#elif defined NAME_ERROR /* OPENLDAP1 calls it this */
if (NAME_ERROR(rc))
#else
if (rc == LDAP_NO_SUCH_OBJECT)
#endif
{
DEBUG(D_lookup) debug_printf("lookup failure forced\n");
error_yield = FAIL;
}
goto RETURN_ERROR;
}
/* The search succeeded. Check if we have too many results */
if (search_type != SEARCH_LDAP_MULTIPLE && rescount > 1)
{
*errmsg = string_sprintf("LDAP search: more than one entry (%d) was returned "
"(filter not specific enough?)", rescount);
goto RETURN_ERROR_BREAK;
}
/* Check if we have too few (zero) entries */
if (rescount < 1)
{
*errmsg = string_sprintf("LDAP search: no results");
error_yield = FAIL;
goto RETURN_ERROR_BREAK;
}
/* If an entry was found, but it had no attributes, we behave as if no entries
were found, that is, the lookup failed. */
if (!attribute_found)
{
*errmsg = US"LDAP search: found no attributes";
error_yield = FAIL;
goto RETURN_ERROR;
}
/* Otherwise, it's all worked */
DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data);
*res = data;
RETURN_OK:
if (result != NULL) ldap_msgfree(result);
ldap_free_urldesc(ludp);
return OK;
/* Error returns */
RETURN_ERROR_BREAK:
*defer_break = TRUE;
RETURN_ERROR:
DEBUG(D_lookup) debug_printf("%s\n", *errmsg);
RETURN_ERROR_NOMSG:
if (result != NULL) ldap_msgfree(result);
if (ludp != NULL) ldap_free_urldesc(ludp);
#if defined LDAP_LIB_OPENLDAP2
if (error2 != NULL) ldap_memfree(error2);
if (matched != NULL) ldap_memfree(matched);
#endif
return error_yield;
}
krb5_error_code
krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
unsigned int flags, krb5_db_entry **entry_ptr)
{
char *user=NULL, *filter=NULL, *filtuser=NULL;
unsigned int tree=0, ntrees=1, princlen=0;
krb5_error_code tempst=0, st=0;
char **values=NULL, **subtree=NULL, *cname=NULL;
LDAP *ld=NULL;
LDAPMessage *result=NULL, *ent=NULL;
krb5_ldap_context *ldap_context=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
krb5_principal cprinc=NULL;
krb5_boolean found=FALSE;
krb5_db_entry *entry = NULL;
*entry_ptr = NULL;
/* Clear the global error string */
krb5_clear_error_message(context);
if (searchfor == NULL)
return EINVAL;
dal_handle = context->dal_handle;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
CHECK_LDAP_HANDLE(ldap_context);
if (is_principal_in_realm(ldap_context, searchfor) != 0) {
st = KRB5_KDB_NOENTRY;
krb5_set_error_message(context, st,
_("Principal does not belong to realm"));
goto cleanup;
}
if ((st=krb5_unparse_name(context, searchfor, &user)) != 0)
goto cleanup;
if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
goto cleanup;
filtuser = ldap_filter_correct(user);
if (filtuser == NULL) {
st = ENOMEM;
goto cleanup;
}
princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */
if ((filter = malloc(princlen)) == NULL) {
st = ENOMEM;
goto cleanup;
}
snprintf(filter, princlen, FILTER"%s))", filtuser);
if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
goto cleanup;
GET_HANDLE();
for (tree=0; tree < ntrees && !found; ++tree) {
LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes);
for (ent=ldap_first_entry(ld, result); ent != NULL && !found; ent=ldap_next_entry(ld, ent)) {
/* get the associated directory user information */
if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
int i;
/* a wild-card in a principal name can return a list of kerberos principals.
* Make sure that the correct principal is returned.
* NOTE: a principalname k* in ldap server will return all the principals starting with a k
*/
for (i=0; values[i] != NULL; ++i) {
if (strcmp(values[i], user) == 0) {
found = TRUE;
break;
}
}
ldap_value_free(values);
if (!found) /* no matching principal found */
continue;
}
if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
if (values[0] && strcmp(values[0], user) != 0) {
/* We matched an alias, not the canonical name. */
if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
st = krb5_ldap_parse_principal_name(values[0], &cname);
if (st != 0)
goto cleanup;
st = krb5_parse_name(context, cname, &cprinc);
if (st != 0)
goto cleanup;
} else /* No canonicalization, so don't return aliases. */
found = FALSE;
}
ldap_value_free(values);
if (!found)
continue;
}
entry = k5alloc(sizeof(*entry), &st);
if (entry == NULL)
goto cleanup;
if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent,
cprinc ? cprinc : searchfor,
entry)) != 0)
goto cleanup;
}
ldap_msgfree(result);
result = NULL;
} /* for (tree=0 ... */
if (found) {
*entry_ptr = entry;
entry = NULL;
} else
st = KRB5_KDB_NOENTRY;
cleanup:
ldap_msgfree(result);
krb5_ldap_free_principal(context, entry);
if (filter)
free (filter);
if (subtree) {
for (; ntrees; --ntrees)
if (subtree[ntrees-1])
free (subtree[ntrees-1]);
free (subtree);
}
if (ldap_server_handle)
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
if (user)
free(user);
if (filtuser)
free(filtuser);
if (cname)
free(cname);
if (cprinc)
krb5_free_principal(context, cprinc);
return st;
}
static int
searchaction( LDAP *ld, char *buf, char *base, LDAPMessage *entry, char *dn,
struct ldap_tmplitem *tip, int labelwidth, int rdncount,
writeptype writeproc, void *writeparm, char *eol, char *urlprefix )
{
int err, lderr, i, count, html;
char **vals, **members;
char *value, *filtpattern, *attr, *selectname;
char *retattrs[2], filter[ 256 ];
LDAPMessage *ldmp;
struct timeval timeout;
html = ( urlprefix != NULL );
for ( i = 0; tip->ti_args != NULL && tip->ti_args[ i ] != NULL; ++i ) {
;
}
if ( i < 3 ) {
return( LDAP_PARAM_ERROR );
}
attr = tip->ti_args[ 0 ];
filtpattern = tip->ti_args[ 1 ];
retattrs[ 0 ] = tip->ti_args[ 2 ];
retattrs[ 1 ] = NULL;
selectname = tip->ti_args[ 3 ];
vals = NULL;
if ( attr == NULL ) {
value = NULL;
} else if ( strcasecmp( attr, "-dnb" ) == 0 ) {
return( LDAP_PARAM_ERROR );
} else if ( strcasecmp( attr, "-dnt" ) == 0 ) {
value = dn;
} else if (( vals = ldap_get_values( ld, entry, attr )) != NULL ) {
value = vals[ 0 ];
} else {
value = NULL;
}
ldap_build_filter( filter, sizeof( filter ), filtpattern, NULL, NULL, NULL,
value, NULL );
if ( html ) {
/*
* if we are generating HTML, we add an HREF link that embodies this
* search action as an LDAP URL, instead of actually doing the search
* now.
*/
sprintf( buf, "<DT><A HREF=\"%s", urlprefix );
if ( base != NULL ) {
strcat_escaped( buf, base );
}
strcat( buf, "??sub?" );
strcat_escaped( buf, filter );
sprintf( buf + strlen( buf ), "\"><B>%s</B></A><DD><BR>%s",
tip->ti_label, eol );
if ((*writeproc)( writeparm, buf, strlen( buf )) < 0 ) {
return( LDAP_LOCAL_ERROR );
}
return( LDAP_SUCCESS );
}
timeout.tv_sec = SEARCH_TIMEOUT_SECS;
timeout.tv_usec = 0;
#ifdef CLDAP
if ( LDAP_IS_CLDAP( ld ))
lderr = cldap_search_s( ld, base, LDAP_SCOPE_SUBTREE, filter, retattrs,
0, &ldmp, NULL );
else
#endif /* CLDAP */
lderr = ldap_search_st( ld, base, LDAP_SCOPE_SUBTREE, filter, retattrs,
0, &timeout, &ldmp );
if ( lderr == LDAP_SUCCESS || NONFATAL_LDAP_ERR( lderr )) {
if (( count = ldap_count_entries( ld, ldmp )) > 0 ) {
if (( members = (char **)malloc( (count + 1) * sizeof(char *)))
== NULL ) {
err = LDAP_NO_MEMORY;
} else {
for ( i = 0, entry = ldap_first_entry( ld, ldmp );
entry != NULL;
entry = ldap_next_entry( ld, entry ), ++i ) {
members[ i ] = ldap_get_dn( ld, entry );
}
members[ i ] = NULL;
ldap_sort_values( ld, members, ldap_sort_strcasecmp );
err = do_vals2text( ld, NULL, members, tip->ti_label,
html ? -1 : 0, LDAP_SYN_DN, writeproc, writeparm,
eol, rdncount, urlprefix );
ldap_value_free( members );
}
}
ldap_msgfree( ldmp );
}
if ( vals != NULL ) {
ldap_value_free( vals );
}
return(( err == LDAP_SUCCESS ) ? lderr : err );
}
/*
* @uid: user's uid, list all users if * is passed in.
*/
static GList *ldap_list_users (CcnetUserManager *manager, const char *uid,
int start, int limit)
{
LDAP *ld = NULL;
GList *ret = NULL;
int res;
GString *filter;
char *filter_str;
char *attrs[2];
LDAPMessage *msg = NULL, *entry;
ld = ldap_init_and_bind (manager->ldap_host,
#ifdef WIN32
manager->use_ssl,
#endif
manager->user_dn,
manager->password);
if (!ld)
return NULL;
filter = g_string_new (NULL);
g_string_printf (filter, "(%s=%s)", manager->login_attr, uid);
filter_str = g_string_free (filter, FALSE);
attrs[0] = manager->login_attr;
attrs[1] = NULL;
res = ldap_search_s (ld, manager->base, LDAP_SCOPE_SUBTREE,
filter_str, attrs, 0, &msg);
if (res != LDAP_SUCCESS) {
ccnet_warning ("ldap_search failed: %s.\n", ldap_err2string(res));
ret = NULL;
goto out;
}
int i = 0;
if (start == -1)
start = 0;
for (entry = ldap_first_entry (ld, msg);
entry != NULL;
entry = ldap_next_entry (ld, entry), ++i)
{
char *attr;
char **vals;
BerElement *ber;
CcnetEmailUser *user;
if (i < start)
continue;
if (limit >= 0 && i >= start + limit)
break;
attr = ldap_first_attribute (ld, entry, &ber);
vals = ldap_get_values (ld, entry, attr);
user = g_object_new (CCNET_TYPE_EMAIL_USER,
"id", 0,
"email", vals[0],
"is_staff", FALSE,
"is_active", TRUE,
"ctime", (gint64)0,
NULL);
ret = g_list_prepend (ret, user);
ldap_memfree (attr);
ldap_value_free (vals);
ber_free (ber, 0);
}
out:
ldap_msgfree (msg);
g_free (filter_str);
if (ld) ldap_unbind_s (ld);
return ret;
}
/** Convert multiple group names into a DNs
*
* Given an array of group names, builds a filter matching all names, then retrieves all group objects
* and stores the DN associated with each group object.
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request.
* @param[in,out] pconn to use. May change as this function calls functions which auto re-connect.
* @param[in] names to covert to DNs (NULL terminated).
* @param[out] out Where to write the DNs. DNs must be freed with ldap_memfree(). Will be NULL terminated.
* @param[in] outlen Size of out.
* @return One of the RLM_MODULE_* values.
*/
static rlm_rcode_t rlm_ldap_group_name2dn(ldap_instance_t const *inst, REQUEST *request, ldap_handle_t **pconn,
char **names, char **out, size_t outlen)
{
rlm_rcode_t rcode = RLM_MODULE_OK;
ldap_rcode_t status;
int ldap_errno;
unsigned int name_cnt = 0;
unsigned int entry_cnt;
char const *attrs[] = { NULL };
LDAPMessage *result = NULL, *entry;
char **name = names;
char **dn = out;
char buffer[LDAP_MAX_GROUP_NAME_LEN + 1];
char *filter;
*dn = NULL;
if (!*names) {
return RLM_MODULE_OK;
}
if (!inst->groupobj_name_attr) {
REDEBUG("Told to convert group names to DNs but missing 'group.name_attribute' directive");
return RLM_MODULE_INVALID;
}
RDEBUG("Converting group name(s) to group DN(s)");
/*
* It'll probably only save a few ms in network latency, but it means we can send a query
* for the entire group list at once.
*/
filter = talloc_typed_asprintf(request, "%s%s%s",
inst->groupobj_filter ? "(&" : "",
inst->groupobj_filter ? inst->groupobj_filter : "",
names[0] && names[1] ? "(|" : "");
while (*name) {
rlm_ldap_escape_func(request, buffer, sizeof(buffer), *name++, NULL);
filter = talloc_asprintf_append_buffer(filter, "(%s=%s)", inst->groupobj_name_attr, buffer);
name_cnt++;
}
filter = talloc_asprintf_append_buffer(filter, "%s%s",
inst->groupobj_filter ? ")" : "",
names[0] && names[1] ? ")" : "");
status = rlm_ldap_search(inst, request, pconn, inst->groupobj_base_dn, inst->groupobj_scope,
filter, attrs, &result);
switch (status) {
case LDAP_PROC_SUCCESS:
break;
case LDAP_PROC_NO_RESULT:
RDEBUG("Tried to resolve group name(s) to DNs but got no results");
goto finish;
default:
rcode = RLM_MODULE_FAIL;
goto finish;
}
entry_cnt = ldap_count_entries((*pconn)->handle, result);
if (entry_cnt > name_cnt) {
REDEBUG("Number of DNs exceeds number of names, group and/or dn should be more restrictive");
rcode = RLM_MODULE_INVALID;
goto finish;
}
if (entry_cnt > (outlen - 1)) {
REDEBUG("Number of DNs exceeds limit (%zu)", outlen - 1);
rcode = RLM_MODULE_INVALID;
goto finish;
}
if (entry_cnt < name_cnt) {
RWDEBUG("Got partial mapping of group names (%i) to DNs (%i), membership information may be incomplete",
name_cnt, entry_cnt);
}
entry = ldap_first_entry((*pconn)->handle, result);
if (!entry) {
ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno));
rcode = RLM_MODULE_FAIL;
goto finish;
}
do {
*dn = ldap_get_dn((*pconn)->handle, entry);
if (!*dn) {
ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
REDEBUG("Retrieving object DN from entry failed: %s", ldap_err2string(ldap_errno));
rcode = RLM_MODULE_FAIL;
goto finish;
}
rlm_ldap_normalise_dn(*dn, *dn);
RDEBUG("Got group DN \"%s\"", *dn);
dn++;
} while((entry = ldap_next_entry((*pconn)->handle, entry)));
*dn = NULL;
finish:
talloc_free(filter);
if (result) {
ldap_msgfree(result);
}
/*
* Be nice and cleanup the output array if we error out.
*/
if (rcode != RLM_MODULE_OK) {
dn = out;
while(*dn) ldap_memfree(*dn++);
*dn = NULL;
}
return rcode;
}
void LDAPSession::stringSearch ( string dn,const list<string> &attributes,
string searchParam,
list<LDAPStringEntry>& result )
{
char** attr;
attr= ( char** ) malloc ( sizeof ( char* ) *attributes.size() +1 );
int i=0;
list<string>::const_iterator it=attributes.begin();
list<string>::const_iterator end=attributes.end();
for ( ;it!=end;++it )
{
attr[i]= ( char* ) malloc ( sizeof ( char ) *
( *it ).length() +1 );
strcpy ( attr[i], ( *it ).c_str() );
++i;
}
attr[i]=0l;
LDAPMessage* res;
int errc=ldap_search_s ( ld,dn.c_str(),LDAP_SCOPE_SUBTREE,
searchParam.c_str(),attr,0,&res );
if ( errc != LDAP_SUCCESS )
{
i=0;
it=attributes.begin();
for ( ;it!=end;++it )
{
free ( attr[i] );
++i;
}
free ( attr );
throw LDAPExeption ( "ldap_search_s",ldap_err2string ( errc ) );
}
LDAPMessage *entry=ldap_first_entry ( ld,res );
while ( entry )
{
LDAPStringEntry stringEntry;
it=attributes.begin();
for ( ;it!=end;++it )
{
LDAPStringValue val;
val.attr= ( *it );
char **atr=ldap_get_values ( ld,entry,
( *it ).c_str() );
int count=ldap_count_values ( atr );
for ( i=0;i<count;i++ )
{
val.value.push_back ( atr[i] );
}
ldap_value_free ( atr );
stringEntry.push_back ( val );
}
entry=ldap_next_entry ( ld,entry );
result.push_back ( stringEntry );
}
free ( res );
i=0;
it=attributes.begin();
for ( ;it!=end;++it )
{
free ( attr[i] );
++i;
}
free ( attr );
}
LUA_EXPORT(int openldap_uv_lua_search(lua_State *L))
{
openldap_uv_lua_handle_t *ldap = luaL_checkudata(L, 1, META_TABLE);
if(!ldap->ldap)
{
luaL_error(L, "Handle is not connected");
}
const char *dn = openldap_uv_lua__string_or_null(L, 2);
const char *scope = luaL_checkstring(L, 3);
int _scope;
if(strcmp(scope, "LDAP_SCOPE_BASE") == 0 || strcmp(scope, "LDAP_SCOPE_BASEOBJECT") == 0) _scope = LDAP_SCOPE_BASEOBJECT;
else if(strcmp(scope, "LDAP_SCOPE_ONE") == 0 || strcasecmp(scope, "LDAP_SCOPE_ONELEVEL") == 0) _scope = LDAP_SCOPE_ONELEVEL;
else if(strcmp(scope, "LDAP_SCOPE_SUB") == 0 || strcasecmp(scope, "LDAP_SCOPE_SUBTREE") == 0) _scope = LDAP_SCOPE_SUBTREE;
else if(strcmp(scope, "LDAP_SCOPE_CHILDREN") == 0 || strcasecmp(scope, "LDAP_SCOPE_SUBORDINATE") == 0) _scope = LDAP_SCOPE_CHILDREN;
else luaL_error(L, "Unsupported scope %s", scope);
const char *filter = openldap_uv_lua__string_or_null(L, 4);
char **fieldSelector = NULL;
if(!lua_isnil(L, 5))
{
luaL_checktype(L, 5, LUA_TTABLE);
int size = lua_objlen(L, 5);
fieldSelector = malloc(sizeof(*fieldSelector) * (size + 1));
lua_pushnil(L);
for(int i = 0; lua_next(L, 5); i++)
{
fieldSelector[i] = (char *)lua_tostring(L, -1);
fieldSelector[i+1] = 0;
lua_pop(L, 1);
}
lua_pop(L, 1);
}
int onlyFieldNames = lua_toboolean(L, 6) ? 1 : 0;
LDAPMessage *message = 0;
int err = ldap_search_ext_s(ldap->ldap, dn, _scope, filter, fieldSelector, onlyFieldNames, 0, 0, 0, LDAP_NO_LIMIT, &message);
if(err != 0)
{
ldap_msgfree(message);
openldap_uv_lua__check_error(L, ldap, err);
}
LDAPMessage *entry = ldap_first_entry(ldap->ldap, message);
lua_newtable(L);
while(entry)
{
char *dn = ldap_get_dn(ldap->ldap, entry);
lua_pushstring(L, dn);
free(dn);
lua_newtable(L);
BerElement *ber;
char *attr = ldap_first_attribute(ldap->ldap, entry, &ber);
int j = 0;
while(attr)
{
struct berval **vals = ldap_get_values_len(ldap->ldap, entry, attr );
if(vals)
{
for(int i = 0; vals[i]; i++)
{
lua_pushnumber(L, ++j);
lua_newtable(L);
lua_pushnumber(L, 1);
lua_pushstring(L, attr);
lua_rawset(L, -3);
lua_pushnumber(L, 2);
lua_pushlstring(L, vals[i]->bv_val, vals[i]->bv_len);
lua_rawset(L, -3);
lua_rawset(L, -3);
}
ldap_value_free_len( vals );
}
ldap_memfree( attr );
attr = ldap_next_attribute( ldap->ldap, entry, ber);
}
lua_rawset(L, -3);
entry = ldap_next_entry(ldap->ldap, entry);
}
ldap_msgfree(message);
return 1;
}
extern int ldap_search_a(char *ldap_host, char *root_dn, char *root_pw, char *base, char *filter)
{
LDAP *ld;
int result;
int auth_method = LDAP_AUTH_SIMPLE;
int desired_version = LDAP_VERSION3;
BerElement* ber;
LDAPMessage* msg;
LDAPMessage* entry;
char* errstring;
char* dn = NULL;
char* attr;
char** vals;
int i, msgid;
struct timeval tm;
if ((ld = ldap_init(ldap_host, LDAP_PORT)) == NULL ) {
perror( "ldap_init failed" );
exit( EXIT_FAILURE );
}
/* set the LDAP version to be 3 */
if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version) != LDAP_OPT_SUCCESS)
{
ldap_perror(ld, "ldap_set_option");
exit(EXIT_FAILURE);
}
if (ldap_bind_s(ld, root_dn, root_pw, auth_method) != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_bind" );
exit( EXIT_FAILURE );
}
/* ldap_search() returns -1 if there is an error, otherwise the msgid */
if ((msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, filter, NULL, 0)) == -1) {
ldap_perror( ld, "ldap_search" );
exit(EXIT_FAILURE);
}
/* block forever */
result = ldap_result(ld, msgid, 1, NULL, &msg);
switch(result)
{
case(-1):
ldap_perror(ld, "ldap_result");
exit(EXIT_FAILURE);
break;
case(0):
printf("Timeout exceeded in ldap_result()");
exit(EXIT_FAILURE);
break;
case(LDAP_RES_SEARCH_RESULT):
printf("Search result returned\n");
break;
default:
printf("Unknown result : %x\n", result);
exit(EXIT_FAILURE);
break;
}
printf("The number of entries returned was %d\n\n", ldap_count_entries(ld, msg));
/* Iterate through the returned entries */
for(entry = ldap_first_entry(ld, msg); entry != NULL; entry = ldap_next_entry(ld, entry)) {
if((dn = ldap_get_dn(ld, entry)) != NULL) {
printf("Returned dn: %s\n", dn);
ldap_memfree(dn);
}
for( attr = ldap_first_attribute(ld, entry, &ber);
attr != NULL;
attr = ldap_next_attribute(ld, entry, ber)) {
if ((vals = ldap_get_values(ld, entry, attr)) != NULL) {
for(i = 0; vals[i] != NULL; i++) {
printf("%s:%s\n", attr, vals[i]);
}
ldap_value_free(vals);
}
ldap_memfree(attr);
}
if (ber != NULL) {
ber_free(ber,0);
}
printf("\n");
}
/* clean up */
ldap_msgfree(msg);
result = ldap_unbind_s(ld);
if (result != 0) {
fprintf(stderr, "ldap_unbind_s: %s\n", ldap_err2string(result));
exit( EXIT_FAILURE );
}
return EXIT_SUCCESS;
}