/// connects and binds to LDAP server
/// @param[in] cnf reference to common configuration struct
LDAP * ldaputils_initialize(LdapUtilsConfig * cnf)
{
int err;
LDAP * ld;
char uribuff[256];
BerValue cred;
BerValue * servercredp;
const char * mechanism;
const char * uri;
if (cnf->debug)
if ((LDAP_OPT_SUCCESS != ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, (void *)&cnf->debug)))
fprintf(stderr, _("%s: could not set LDAP_OPT_DEBUG_LEVEL\n"), PROGRAM_NAME);
uri = cnf->uri;
if ( (!(uri)) && ((cnf->host)) )
{
if (cnf->port)
snprintf(uribuff, 256, "ldap://%s:%i", cnf->host, cnf->port);
else
snprintf(uribuff, 256, "ldap://%s", cnf->host);
uri = uribuff;
};
ld = NULL;
if (ldap_initialize(&ld, uri))
{
fprintf(stderr, "%s: ldaputils_initialize(): %s\n", PROGRAM_NAME, strerror(errno));
return(NULL);
};
cnf->version = 3;
if (cnf->version)
if ((LDAP_OPT_SUCCESS != ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &cnf->version)))
fprintf(stderr, _("%s: could not set LDAP_OPT_PROTOCOL_VERSION\n"), PROGRAM_NAME);
if (cnf->referrals)
if ((LDAP_OPT_SUCCESS != ldap_set_option(ld, LDAP_OPT_REFERRALS, &cnf->sizelimit)))
fprintf(stderr, _("%s: could not set LDAP_OPT_REFERRALS\n"), PROGRAM_NAME);
if (cnf->sizelimit)
if ((LDAP_OPT_SUCCESS != ldap_set_option(ld, LDAP_OPT_SIZELIMIT, &cnf->sizelimit)))
fprintf(stderr, _("%s: could not set LDAP_OPT_SIZELIMIT\n"), PROGRAM_NAME);
if (cnf->timelimit)
if ((LDAP_OPT_SUCCESS != ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &cnf->timelimit)))
fprintf(stderr, _("%s: could not set LDAP_OPT_TIMELIMIT\n"), PROGRAM_NAME);
//mechanism = (const char *)LDAP_AUTH_SIMPLE;
mechanism = (const char *)LDAP_SASL_SIMPLE;
cred.bv_val = cnf->bindpw;
cred.bv_len = (size_t) strlen(cnf->bindpw);
servercredp = NULL;
if ((err = ldap_sasl_bind_s(ld, cnf->binddn, mechanism, &cred, NULL, NULL, &servercredp)) != LDAP_SUCCESS)
{
fprintf(stderr, "%s: ldap_sasl_bind_s(): %s\n", PROGRAM_NAME, ldap_err2string(err));
ldap_unbind_ext_s(ld, NULL, NULL);
return(NULL);
};
return(ld);
}
int ldap_connection_release(struct ldap_connections_pool *pool, LDAP *ldap, int close_connection)
{
struct ldap_connection *cur,*prev;
if (ci_thread_mutex_lock(&pool->mutex)!=0)
return 0;
for (prev = NULL, cur = pool->used; cur != NULL;
prev = cur, cur = cur->next) {
if (cur->ldap == ldap) {
if(cur == pool->used)
pool->used = pool->used->next;
else
prev->next = cur->next;
break;
}
}
if (!cur) {
ci_debug_printf(0, "Not ldap connection in used list! THIS IS A BUG! please contact authors\n!");
close_connection = 1;
}
if (close_connection) {
pool->connections--;
ldap_unbind_ext_s(ldap, NULL, NULL);
if (cur)
free(cur);
}
else {
cur->next = pool->inactive;
pool->inactive = cur;
}
ci_thread_mutex_unlock(&pool->mutex);
return 1;
}
static
VOID
_VdcadminClientTestGSSAPIBind(
PCSTR pszLDAPURI
)
{
DWORD dwError = 0;
LDAP * pLD = NULL;
dwError = VmDirSASLGSSAPIBind( &pLD, pszLDAPURI );
BAIL_ON_VMDIR_ERROR(dwError);
printf("%s GSSAPI bind succeeded.\n\n", pszLDAPURI);
cleanup:
if (pLD)
{
dwError = ldap_unbind_ext_s( pLD,
NULL,
NULL);
}
return;
error:
printf("++++++++++++++++++++ %s GSSAPI bind failed. (%d)(%s)\n\n",
pszLDAPURI, dwError, ldap_err2string(dwError));
goto cleanup;
}
void
krb5_ldap_free_server_context_params(krb5_ldap_context *ctx)
{
int i;
krb5_ldap_server_info **list;
krb5_ldap_server_handle *h, *next;
if (ctx == NULL)
return;
list = ctx->server_info_list;
for (i = 0; list != NULL && list[i] != NULL; i++) {
free(list[i]->server_name);
for (h = list[i]->ldap_server_handles; h != NULL; h = next) {
next = h->next;
ldap_unbind_ext_s(h->ldap_handle, NULL, NULL);
free(h);
}
free(list[i]);
}
free(list);
ctx->server_info_list = NULL;
free(ctx->sasl_mech);
free(ctx->sasl_authcid);
free(ctx->sasl_authzid);
free(ctx->sasl_realm);
free(ctx->conf_section);
free(ctx->bind_dn);
zapfreestr(ctx->bind_pwd);
free(ctx->service_password_file);
ctx->conf_section = ctx->bind_dn = ctx->bind_pwd = NULL;
ctx->service_password_file = NULL;
}
/** Detach from the LDAP server and cleanup internal state.
*
*/
static int mod_detach(void *instance)
{
ldap_instance_t *inst = instance;
fr_connection_pool_delete(inst->pool);
if (inst->user_map) {
talloc_free(inst->user_map);
}
/*
* Keeping the dummy ld around for the lifetime
* of the module should always work,
* irrespective of what changes happen in libldap.
*/
if (inst->handle) {
#ifdef HAVE_LDAP_UNBIND_EXT_S
ldap_unbind_ext_s(inst->handle, NULL, NULL);
#else
ldap_unbind_s(inst->handle);
#endif
}
return 0;
}
DWORD
VmCASASLSRPBind(
LDAP** ppLd,
PCSTR pszURI,
PCSTR pszUPN,
PCSTR pszPass
)
{
DWORD dwError = 0;
PSTR pszLowerCaseUPN = NULL;
LDAP* pLd = NULL;
const int ldapVer = LDAP_VERSION3;
VMCA_SASL_INTERACTIVE_DEFAULT srpDefault = {0};
if ( ppLd == NULL || pszURI == NULL || pszUPN == NULL || pszPass == NULL )
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_ERROR(dwError);
}
dwError = VMCAStringToLower( (PSTR)pszUPN, &pszLowerCaseUPN );
BAIL_ON_ERROR(dwError);
srpDefault.pszAuthName = pszLowerCaseUPN;
srpDefault.pszPass = pszPass;
dwError = ldap_initialize( &pLd, pszURI);
BAIL_ON_ERROR(dwError);
dwError = ldap_set_option(pLd, LDAP_OPT_PROTOCOL_VERSION, &ldapVer);
BAIL_ON_ERROR(dwError);
dwError = ldap_sasl_interactive_bind_s( pLd,
NULL,
"SRP",
NULL,
NULL,
LDAP_SASL_QUIET,
_VMCASASLSRPInteraction,
&srpDefault);
BAIL_ON_ERROR(dwError);
*ppLd = pLd;
cleanup:
VMCA_SAFE_FREE_STRINGA(pszLowerCaseUPN);
return dwError;
error:
if ( pLd )
{
ldap_unbind_ext_s( pLd, NULL, NULL);
}
goto cleanup;
}
DWORD
VmDirSASLGSSAPIBind(
LDAP** ppLd,
PCSTR pszURI
)
{
DWORD dwError = 0;
int retVal = 0;
LDAP* pLd = NULL;
const int ldapVer = LDAP_VERSION3;
if ( ppLd == NULL || pszURI == NULL )
{
dwError = VMDIR_ERROR_INVALID_PARAMETER;
BAIL_ON_VMDIR_ERROR(dwError);
}
retVal = ldap_initialize( &pLd, pszURI);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
retVal = ldap_set_option(pLd, LDAP_OPT_PROTOCOL_VERSION, &ldapVer);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
retVal = ldap_sasl_interactive_bind_s( pLd,
NULL,
"GSSAPI",
NULL,
NULL,
LDAP_SASL_QUIET,
_VmDirSASLGSSAPIInteraction,
NULL);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
*ppLd = pLd;
cleanup:
return dwError;
ldaperror:
VMDIR_LOG_VERBOSE( VMDIR_LOG_MASK_ALL, "_VmDirSASLGSSBind failed. (%d)(%s)",
retVal, ldap_err2string(retVal) );
dwError = VmDirMapLdapError(retVal);
error:
if (retVal == 0)
{
VMDIR_LOG_VERBOSE( VMDIR_LOG_MASK_ALL, "_VmDirSASLGSSBind failed. (%u)", dwError);
}
if ( pLd )
{
ldap_unbind_ext_s( pLd, NULL, NULL);
}
goto cleanup;
}
VOID
VmDirTestLdapUnbind(
LDAP *pLd
)
{
if (pLd)
{
ldap_unbind_ext_s(pLd, NULL, NULL);
}
}
VOID
VdcLdapUnbind(
LDAP *pLd
)
{
if (pLd)
{
ldap_unbind_ext_s(pLd, NULL, NULL);
}
}
/// connects and binds to LDAP server
/// @param[in] ld refernce to LDAP socket data
/// @param[in] cnf reference to common configuration struct
int ldaputils_search(LDAP * ld, LdapUtilsConfig * cnf, LDAPMessage ** resp)
{
int rc;
int err;
int msgid;
if ((err = ldap_search_ext(ld, cnf->basedn, cnf->scope, cnf->filter, cnf->attrs, 0, NULL, NULL, NULL, -1, &msgid)))
{
fprintf(stderr, "%s: ldap_search_ext_s(): %s\n", PROGRAM_NAME, ldap_err2string(err));
ldap_unbind_ext_s(ld, NULL, NULL);
return(-1);
};
switch((err = ldap_result(ld, msgid, LDAP_MSG_ALL, NULL, resp)))
{
case 0:
break;
case -1:
fprintf(stderr, "%s: ldap_result(): %s\n", PROGRAM_NAME, ldap_err2string(err));
ldap_unbind_ext_s(ld, NULL, NULL);
return(-1);
default:
break;
};
rc = ldap_parse_result(ld, *resp, &err, NULL, NULL, NULL, NULL, 0);
if (rc != LDAP_SUCCESS)
{
fprintf(stderr, "%s: ldap_parse_result(): %s\n", PROGRAM_NAME, ldap_err2string(rc));
ldap_unbind_ext_s(ld, NULL, NULL);
return(-1);
};
if (err != LDAP_SUCCESS)
{
fprintf(stderr, "%s: ldap_parse_result(): %s\n", PROGRAM_NAME, ldap_err2string(err));
ldap_unbind_ext_s(ld, NULL, NULL);
return(-1);
};
return(0);
}
krb5_error_code
krb5_ldap_rebind(krb5_ldap_context *ldap_context,
krb5_ldap_server_handle **ldap_server_handle)
{
krb5_ldap_server_handle *handle = *ldap_server_handle;
ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
|| (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
return LDAP_SUCCESS;
}
/*
* Bind to partner via "SRP" mechanism.
*/
DWORD
VmDirSafeLDAPBind(
LDAP** ppLd,
PCSTR pszHost,
PCSTR pszUPN,
PCSTR pszPassword
)
{
DWORD dwError = 0;
LDAP* pLd = NULL;
char ldapURI[VMDIR_MAX_LDAP_URI_LEN + 1] = {0};
if (ppLd == NULL || pszHost == NULL || pszUPN == NULL || pszPassword == NULL)
{
dwError = VMDIR_ERROR_INVALID_PARAMETER;
BAIL_ON_VMDIR_ERROR(dwError);
}
if ( VmDirIsIPV6AddrFormat( pszHost ) )
{
dwError = VmDirStringPrintFA( ldapURI, sizeof(ldapURI)-1, "%s://[%s]:%d",
VMDIR_LDAP_PROTOCOL, pszHost, DEFAULT_LDAP_PORT_NUM);
}
else
{
dwError = VmDirStringPrintFA( ldapURI, sizeof(ldapURI)-1, "%s://%s:%d",
VMDIR_LDAP_PROTOCOL, pszHost, DEFAULT_LDAP_PORT_NUM);
}
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirSASLSRPBind( &pLd, &(ldapURI[0]), pszUPN, pszPassword);
BAIL_ON_VMDIR_ERROR(dwError);
*ppLd = pLd;
cleanup:
return dwError;
error:
VMDIR_LOG_ERROR( VMDIR_LOG_MASK_ALL, "VmDirSafeLDAPBind to (%s) failed. SRP(%d)",
ldapURI, dwError );
if ( pLd )
{
ldap_unbind_ext_s( pLd, NULL, NULL);
}
goto cleanup;
}
static
DWORD
_OpenLdapConnection(
PCSTR pszFQDomainName,
PCSTR pszUsername,
PCSTR pszPassword,
PCSTR pszReplURI,
LDAP **ppLd
)
{
DWORD dwError = 0;
PSTR pszPartnerHostName = NULL;
PSTR pszUPN = NULL;
LDAP *pLd = NULL;
dwError = VmDirReplURIToHostname((PSTR)pszReplURI, &pszPartnerHostName);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirAllocateStringPrintf(
&pszUPN,
"%s@%s",
pszUsername,
pszFQDomainName);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirSafeLDAPBind(
&pLd,
pszPartnerHostName,
pszUPN,
pszPassword);
BAIL_ON_VMDIR_ERROR(dwError);
*ppLd = pLd;
cleanup:
VMDIR_SAFE_FREE_MEMORY(pszPartnerHostName);
VMDIR_SAFE_FREE_MEMORY(pszUPN);
return dwError;
error:
VMDIR_LOG_ERROR( VMDIR_LOG_MASK_ALL,
"%s,%d failed, error(%d)", __FUNCTION__, __LINE__, dwError );
if (pLd)
{
ldap_unbind_ext_s(pLd,NULL,NULL);
}
goto cleanup;
}
/***********************************************************************
* ldap_unbind_s (WLDAP32.@)
*
* Close LDAP connection and free resources (synchronous operation).
*
* PARAMS
* ld [I] Pointer to an LDAP context.
*
* RETURNS
* Success: LDAP_SUCCESS
* Failure: An LDAP error code.
*/
ULONG CDECL WLDAP32_ldap_unbind_s( WLDAP32_LDAP *ld )
{
ULONG ret = WLDAP32_LDAP_NOT_SUPPORTED;
#ifdef HAVE_LDAP
TRACE( "(%p)\n", ld );
if (ld)
ret = map_error( ldap_unbind_ext_s( ld, NULL, NULL ));
else
ret = WLDAP32_LDAP_PARAM_ERROR;
#endif
return ret;
}
/** Free any global libldap resources
*
*/
void fr_ldap_free(void)
{
if (--instance_count > 0) return;
/*
* Keeping the dummy ld around for the lifetime
* of the module should always work,
* irrespective of what changes happen in libldap.
*/
#ifdef HAVE_LDAP_UNBIND_EXT_S
ldap_unbind_ext_s(ldap_global_handle, NULL, NULL);
#else
ldap_unbind_s(ldap_global_handle);
#endif
}
static
void
_VmDirClientTestSimpleBind(
PCSTR pszLDAPURI
)
{
DWORD dwError = 0;
int ldap_version_3 = LDAP_VERSION3;
LDAP * pLD = NULL;
BerValue ldapBindPwd = {0};
printf("_VmDirClientTestSimpleBind ldap simple bind initialize %s\n", pszLDAPURI);
dwError = ldap_initialize( &pLD, pszLDAPURI );
/* Set LDAP V3 protocol version */
ldap_set_option( pLD, LDAP_OPT_PROTOCOL_VERSION, &ldap_version_3 );
printf("_VmDirClientTestSimpleBind ldap simple ANONYMOUS bind started.\n");
dwError = ldap_sasl_bind_s(
pLD,
"",
LDAP_SASL_SIMPLE,
&ldapBindPwd, // no credentials
NULL,
NULL,
NULL);
BAIL_ON_VMDIR_ERROR(dwError);
printf("_VmDirClientTestSimpleBind ldap simple ANONYMOUS bind succeeded.\n");
cleanup:
if (pLD)
{
dwError = ldap_unbind_ext_s( pLD,
NULL,
NULL);
BAIL_ON_VMDIR_ERROR(dwError);
printf("_VmDirClientTestSimpleBind ldap unbind succeeded.\n\n\n");
}
return;
error:
printf("_VmDirClientTestSimpleBind failed. (%d)(%s)\n\n", dwError, ldap_err2string(dwError));
goto cleanup;
}
static void free_ldapconn(void *data) {
struct ldap_conn *ld = data;
if (ld->uri) {
free(ld->uri);
}
if (ld->ldap) {
ldap_unbind_ext_s(ld->ldap, ld->sctrlsp, NULL);
}
if (ld->sasl) {
objunref(ld->sasl);
}
if (ld->simple) {
objunref(ld->simple);
}
}
static
VOID
_VdcadminClientTestSimpleBind(
PCSTR pszLDAPURI,
PCSTR pszDefaultBindDN,
PCSTR pszDefaultPasswd
)
{
DWORD dwError = 0;
int ldap_version_3 = LDAP_VERSION3;
LDAP * pLD = NULL;
BerValue ldapBindPwd = {0};
dwError = ldap_initialize( &pLD, pszLDAPURI );
/* Set LDAP V3 protocol version */
ldap_set_option( pLD, LDAP_OPT_PROTOCOL_VERSION, &ldap_version_3 );
dwError = ldap_sasl_bind_s( pLD,
"",
LDAP_SASL_SIMPLE,
&ldapBindPwd, // no credentials
NULL,
NULL,
NULL);
BAIL_ON_VMDIR_ERROR(dwError);
printf("%s (ANONYMOUS) bind succeeded.\n\n", pszLDAPURI);
cleanup:
if (pLD)
{
dwError = ldap_unbind_ext_s( pLD,
NULL,
NULL);
}
return;
error:
printf("\n\n++++++++++++++++++++ %s SimpleBind failed. (%d)(%s)\n\n",
pszLDAPURI, dwError, ldap_err2string(dwError));
goto cleanup;
}
static void cldap_free(void *arg) /* {{{ */
{
cldap_t *st = arg;
if (st == NULL)
return;
sfree(st->binddn);
sfree(st->password);
sfree(st->cacert);
sfree(st->host);
sfree(st->name);
sfree(st->url);
if (st->ld)
ldap_unbind_ext_s(st->ld, NULL, NULL);
sfree(st);
} /* }}} void cldap_free */
static void ldap_config_ready(void *unused)
{
int res;
char *p;
static time_t lastwarning;
if (ldap_conn != NULL)
ldap_unbind_ext_s(ldap_conn, NULL, NULL);
ldap_conn = NULL;
if (ldap_config.url == NULL)
{
slog(LG_ERROR, "ldap_config_ready(): ldap {} missing url definition");
return;
}
if ((ldap_config.dnformat == NULL) && ((ldap_config.base == NULL) || (ldap_config.attribute == NULL)))
{
slog(LG_ERROR, "ldap_config_ready(): ldap {} block requires dnformat or base & attribute definition");
return;
}
if (ldap_config.binddn != NULL && ldap_config.bindauth == NULL)
{
slog(LG_ERROR, "ldap_config_ready(): ldap{} block requires bindauth to be defined if binddn is defined");
return;
}
if (ldap_config.dnformat != NULL)
{
ldap_config.useDN = true;
p = strchr(ldap_config.dnformat, '%');
if (p == NULL || p[1] != 's' || strchr(p + 1, '%'))
{
slog(LG_ERROR, "ldap_config_ready(): dnformat must contain exactly one %%s and no other %%");
return;
}
}
else
ldap_config.useDN = false;
ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &(const int)
{
3});
static
void
_VmDirClientTestGSSAPIBind(
PCSTR pszLDAPURI
)
{
DWORD dwError = 0;
int ldap_version_3 = LDAP_VERSION3;
LDAP * pLD = NULL;
printf("_VmDirClientTestGSSAPIBind ldap sasl GSSAPI bind initialize %s\n", pszLDAPURI);
dwError = ldap_initialize( &pLD, pszLDAPURI );
/* Set LDAP V3 protocol version */
ldap_set_option( pLD, LDAP_OPT_PROTOCOL_VERSION, &ldap_version_3 );
printf("_VmDirClientTestGSSAPIBind ldap sasl GSSAPI bind started.\n");
dwError = _VmDirSASLGSSBind(pLD);
BAIL_ON_VMDIR_ERROR(dwError);
printf("_VmDirClientTestGSSAPIBind ldap sasl GSSAPI bind succeeded.\n");
cleanup:
if (pLD)
{
dwError = ldap_unbind_ext_s( pLD,
NULL,
NULL);
BAIL_ON_VMDIR_ERROR(dwError);
printf("_VmDirClientTestGSSAPIBind ldap unbind succeeded.\n");
}
return;
error:
printf("_VmDirClientTestGSSAPIBind failed. (%d)(%s)\n\n", dwError, ldap_err2string(dwError));
goto cleanup;
}
/* initialize ldap for each host */
static int cldap_init_host(cldap_t *st) /* {{{ */
{
int rc;
if (st->ld) {
DEBUG("openldap plugin: Already connected to %s", st->url);
return 0;
}
rc = ldap_initialize(&st->ld, st->url);
if (rc != LDAP_SUCCESS) {
ERROR("openldap plugin: ldap_initialize failed: %s", ldap_err2string(rc));
if (st->ld != NULL)
ldap_unbind_ext_s(st->ld, NULL, NULL);
st->ld = NULL;
return (-1);
}
ldap_set_option(st->ld, LDAP_OPT_PROTOCOL_VERSION, &st->version);
ldap_set_option(st->ld, LDAP_OPT_TIMEOUT,
&(const struct timeval){st->timeout, 0});
int tsps_ldap_login(const char *user, const char *pass)
{
char dn[1024];
LDAP *lp;
int res;
int val;
struct berval passwd;
res = ldap_initialize(&lp, server.ldap_uri);
if (res != LDAP_SUCCESS) {
fprintf(stderr, "LDAP initialization error: %s\n",
ldap_err2string(res));
return -1;
}
val = LDAP_VERSION3;
res = ldap_set_option(ldp, LDAP_OPT_PROTOCOL_VERSION, &val);
if (res != LDAP_SUCCESS) {
fprintf(stderr, "LDAP set_option error: %s\n",
ldap_err2string(res));
return -1;
}
/*
* Attempt to bind to the ldap server as the user
*/
snprintf(dn, sizeof(dn), "uid=%s,%s", user, server.ldap_user_base);
memset(&passwd, 0, sizeof(passwd));
passwd.bv_val = ber_strdup(pass);
passwd.bv_len = strlen(pass);
res = ldap_sasl_bind_s(lp, dn, LDAP_SASL_SIMPLE, &passwd,
NULL, NULL, NULL);
ldap_unbind_ext_s(lp, NULL, NULL);
if (res != LDAP_SUCCESS) {
fprintf(stderr, "LDAP bind error: %s\n",
ldap_err2string(res));
return -1;
}
return 0;
}
/** Free all memory allocated for a ld_con structure.
* This function function frees all memory that is in use by
* a ld_con structure.
* @param con A generic db_con connection structure.
* @param payload LDAP specific payload to be freed.
*/
static void ld_con_free(db_con_t* con, struct ld_con* payload)
{
struct ld_uri* luri;
int ret;
if (!payload) return;
luri = DB_GET_PAYLOAD(con->uri);
/* Delete the structure only if there are no more references
* to it in the connection pool
*/
if (db_pool_remove((db_pool_entry_t*)payload) == 0) return;
db_pool_entry_free(&payload->gen);
if (payload->con) {
ret = ldap_unbind_ext_s(payload->con, NULL, NULL);
if (ret != LDAP_SUCCESS) {
ERR("ldap: Error while unbinding from %s: %s\n",
luri->uri, ldap_err2string(ret));
}
}
pkg_free(payload);
}
/*The following function is not thread safe! Should called only when c-icap shutdown*/
void ldap_pool_destroy(struct ldap_connections_pool *pool)
{
struct ldap_connection *conn,*prev;
if(pool->used) {
ci_debug_printf(1,"Not released ldap connections for pool %s.This is BUG!\n",
pool->ldap_uri);
}
conn = pool->inactive;
while(conn) {
ldap_unbind_ext_s(conn->ldap, NULL, NULL);
prev = conn;
conn = conn->next;
free(prev);
}
pool->inactive = NULL;
ci_thread_mutex_destroy(&pool->mutex);
#ifdef LDAP_MAX_CONNECTIONS
ci_thread_cond_destroy(&pool->pool_cond);
#endif
free(pool);
}
void ld_con_disconnect(db_con_t* con)
{
struct ld_con* lcon;
struct ld_uri* luri;
int ret;
lcon = DB_GET_PAYLOAD(con);
luri = DB_GET_PAYLOAD(con->uri);
if ((lcon->flags & LD_CONNECTED) == 0) return;
DBG("ldap: Unbinding from %s\n", luri->uri);
if (lcon->con) {
ret = ldap_unbind_ext_s(lcon->con, NULL, NULL);
if (ret) {
ERR("ldap: Error while unbinding from %s: %s\n",
luri->uri, ldap_err2string(ret));
}
}
lcon->con = NULL;
lcon->flags &= ~LD_CONNECTED;
}
static
VOID
_VdcadminClientTestSimpleSSLBind(
PCSTR pszLDAPSURI,
PCSTR pszDefaultBindDN,
PCSTR pszDefaultPasswd
)
{
DWORD dwError = 0;
int ldap_version_3 = LDAP_VERSION3;
int iTLSNever = LDAP_OPT_X_TLS_NEVER;
int iTLSMin = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
LDAP * pLD = NULL;
BerValue ldapBindPwd = {0};
dwError = ldap_initialize( &pLD, pszLDAPSURI );
/* Set LDAP V3 protocol version */
ldap_set_option( pLD, LDAP_OPT_PROTOCOL_VERSION, &ldap_version_3 );
ldap_set_option(NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN, &iTLSMin);
ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &iTLSNever);
dwError = ldap_sasl_bind_s( pLD,
"",
LDAP_SASL_SIMPLE,
&ldapBindPwd, // no credentials
NULL,
NULL,
NULL);
BAIL_ON_VMDIR_ERROR(dwError);
printf("%s (ANONYMOUS) bind succeeded.\n", pszLDAPSURI);
ldapBindPwd.bv_val = (PSTR)pszDefaultPasswd;
ldapBindPwd.bv_len = strlen( pszDefaultPasswd );
dwError = ldap_sasl_bind_s( pLD,
pszDefaultBindDN,
LDAP_SASL_SIMPLE,
&ldapBindPwd, // ldaps with credentials
NULL,
NULL,
NULL);
BAIL_ON_VMDIR_ERROR(dwError);
printf("%s (%s) bind succeeded.\n\n", pszLDAPSURI, VDIR_SAFE_STRING(pszDefaultBindDN) );
cleanup:
if (pLD)
{
dwError = ldap_unbind_ext_s( pLD,
NULL,
NULL);
}
return;
error:
printf("\n\n++++++++++++++++++++ %s SSL bind failed. (%d)(%s)\n\n",
pszLDAPSURI, dwError, ldap_err2string(dwError));
goto cleanup;
}
DWORD
VmDirAnonymousLDAPBindWithTimeout(
LDAP** ppLd,
PCSTR pszLdapURI,
int timeout
)
{
DWORD dwError = 0;
int retVal = 0;
const int ldapVer = LDAP_VERSION3;
BerValue ldapBindPwd = {0};
LDAP* pLocalLd = NULL;
struct timeval nettimeout = {0};
if (ppLd == NULL || pszLdapURI == NULL)
{
dwError = VMDIR_ERROR_INVALID_PARAMETER;
BAIL_ON_VMDIR_ERROR(dwError);
}
retVal = ldap_initialize( &pLocalLd, pszLdapURI);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
retVal = ldap_set_option( pLocalLd, LDAP_OPT_PROTOCOL_VERSION, &ldapVer);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
if (timeout > 0)
{
nettimeout.tv_sec = timeout;
// timeout connect
retVal = ldap_set_option(pLocalLd, LDAP_OPT_NETWORK_TIMEOUT, (void *)&nettimeout);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
}
ldapBindPwd.bv_val = NULL;
ldapBindPwd.bv_len = 0;
retVal = ldap_sasl_bind_s(
pLocalLd,
"",
LDAP_SASL_SIMPLE,
&ldapBindPwd, // no credentials
NULL,
NULL,
NULL);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
*ppLd = pLocalLd;
cleanup:
return dwError;
ldaperror:
VMDIR_LOG_ERROR( VMDIR_LOG_MASK_ALL, "VmDirAnonymousLDAPBind to (%s) failed. (%d)(%s)",
VDIR_SAFE_STRING(pszLdapURI), retVal, ldap_err2string(retVal) );
dwError = VmDirMapLdapError(retVal);
error:
if (retVal == 0)
{
VMDIR_LOG_VERBOSE( VMDIR_LOG_MASK_ALL, "VmDirAnonymousLDAPBind to (%s) failed. (%u)", VDIR_SAFE_STRING(pszLdapURI), dwError);
}
if (pLocalLd)
{
ldap_unbind_ext_s( pLocalLd, NULL, NULL);
}
goto cleanup;
}
DWORD
VmDirSafeLDAPBindToPort(
LDAP** ppLd,
PCSTR pszHost,
DWORD dwPort,
PCSTR pszUPN,
PCSTR pszPassword,
int iTimeout
)
{
DWORD dwError = 0;
LDAP* pLd = NULL;
char ldapURI[VMDIR_MAX_LDAP_URI_LEN + 1] = {0};
DWORD dwLdapPort = DEFAULT_LDAP_PORT_NUM;
DWORD dwTmpLdapPort = 0;
if (ppLd == NULL || pszHost == NULL || pszUPN == NULL || pszPassword == NULL)
{
dwError = VMDIR_ERROR_INVALID_PARAMETER;
BAIL_ON_VMDIR_ERROR(dwError);
}
if (dwPort)
{
dwLdapPort = dwPort;
}
else if (VmDirGetRegKeyValueDword(
VMDIR_CONFIG_PARAMETER_V1_KEY_PATH,
VMDIR_REG_KEY_LDAP_PORT,
&dwTmpLdapPort,
DEFAULT_LDAP_PORT_NUM) == ERROR_SUCCESS)
{
dwLdapPort = dwTmpLdapPort;
}
if ( VmDirIsIPV6AddrFormat( pszHost ) )
{
dwError = VmDirStringPrintFA( ldapURI, sizeof(ldapURI)-1, "%s://[%s]:%d",
VMDIR_LDAP_PROTOCOL, pszHost, dwLdapPort);
}
else
{
dwError = VmDirStringPrintFA( ldapURI, sizeof(ldapURI)-1, "%s://%s:%d",
VMDIR_LDAP_PROTOCOL, pszHost, dwLdapPort);
}
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirSASLSRPBindExt1( &pLd, &(ldapURI[0]), pszUPN, pszPassword, iTimeout);
BAIL_ON_VMDIR_ERROR(dwError);
*ppLd = pLd;
cleanup:
return dwError;
error:
VMDIR_LOG_ERROR( VMDIR_LOG_MASK_ALL, "%s to (%s) failed. SRP(%d)",
__FUNCTION__, ldapURI, dwError );
if ( pLd )
{
ldap_unbind_ext_s( pLd, NULL, NULL);
}
goto cleanup;
}
/*
* Bind to a LDAP server via SSL port.
* Require server certificate verification.
*
* In 5.5. mix mode, replication goes through ldaps port.
*/
DWORD
VmDirSSLBind(
LDAP** ppLd,
PCSTR pszURI,
PCSTR pszDN,
PCSTR pszPassword
)
{
DWORD dwError = 0;
int retVal = 0;
LDAP* pLd = NULL;
BerValue ldapBindPwd = {0};
const int ldapVer = LDAP_VERSION3;
int iTLSDEMAND = LDAP_OPT_X_TLS_DEMAND;
int iTLSMin = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
PSTR pszTrustCertFile = NULL;
SSL_CTX* pSslCtx = NULL;
if ( ppLd == NULL || pszURI == NULL )
{
dwError = VMDIR_ERROR_INVALID_PARAMETER;
BAIL_ON_VMDIR_ERROR(dwError);
}
// only allow ldaps traffic over SSL port
if ( VmDirStringNCompareA( pszURI, VMDIR_LDAPS_PROTOCOL, 5, FALSE) != 0 )
{
dwError = VMDIR_ERROR_ACCESS_DENIED;
BAIL_ON_VMDIR_ERROR(dwError);
}
dwError = VmDirPrepareOpensslClientCtx( &pSslCtx, &pszTrustCertFile, pszURI );
BAIL_ON_VMDIR_ERROR(dwError);
retVal = ldap_set_option( NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &iTLSDEMAND);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
retVal = ldap_set_option(NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN, &iTLSMin);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
retVal = ldap_initialize(&pLd, pszURI);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
retVal = ldap_set_option(pLd, LDAP_OPT_PROTOCOL_VERSION, &ldapVer);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
retVal = ldap_set_option( pLd, LDAP_OPT_X_TLS_CTX, pSslCtx);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
ldapBindPwd.bv_val = 0;
ldapBindPwd.bv_len = 0;
if (pszPassword)
{
ldapBindPwd.bv_val = (PSTR) pszPassword;
ldapBindPwd.bv_len = (ULONG) VmDirStringLenA(pszPassword);
}
retVal = ldap_sasl_bind_s( pLd,
pszDN,
LDAP_SASL_SIMPLE,
&ldapBindPwd, // ldaps with credentials
NULL,
NULL,
NULL);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
*ppLd = pLd;
cleanup:
if (pSslCtx)
{
SSL_CTX_free(pSslCtx);
}
VMDIR_SAFE_FREE_MEMORY(pszTrustCertFile);
return dwError;
ldaperror:
VMDIR_LOG_ERROR( VMDIR_LOG_MASK_ALL, "VmDirSSLBind failed for %s %s. (%d)(%s)",
pszURI, pszDN,
retVal, ldap_err2string(retVal));
dwError = VmDirMapLdapError(retVal);
error:
if (retVal == 0)
{
VMDIR_LOG_VERBOSE( VMDIR_LOG_MASK_ALL, "_VmDirSSLBind failed. (%u)", dwError);
}
if ( pLd )
{
ldap_unbind_ext_s( pLd, NULL, NULL);
}
goto cleanup;
}
