static void ldap_lookup_pass(struct auth_request *auth_request,
struct passdb_ldap_request *request)
{
struct passdb_module *_module = auth_request->passdb->passdb;
struct ldap_passdb_module *module =
(struct ldap_passdb_module *)_module;
struct ldap_connection *conn = module->conn;
struct ldap_request_search *srequest = &request->request.search;
const struct var_expand_table *vars;
const char **attr_names = (const char **)conn->pass_attr_names;
string_t *str;
srequest->request.type = LDAP_REQUEST_TYPE_SEARCH;
vars = auth_request_get_var_expand_table(auth_request, ldap_escape);
str = t_str_new(512);
var_expand(str, conn->set.base, vars);
srequest->base = p_strdup(auth_request->pool, str_c(str));
str_truncate(str, 0);
var_expand(str, conn->set.pass_filter, vars);
srequest->filter = p_strdup(auth_request->pool, str_c(str));
srequest->attr_map = &conn->pass_attr_map;
srequest->attributes = conn->pass_attr_names;
auth_request_log_debug(auth_request, "ldap", "pass search: "
"base=%s scope=%s filter=%s fields=%s",
srequest->base, conn->set.scope,
srequest->filter, attr_names == NULL ? "(all)" :
t_strarray_join(attr_names, ","));
srequest->request.callback = ldap_lookup_pass_callback;
db_ldap_request(conn, &srequest->request);
}
static void ldap_bind_lookup_dn(struct auth_request *auth_request,
struct passdb_ldap_request *request)
{
struct passdb_module *_module = auth_request->passdb->passdb;
struct ldap_passdb_module *module =
(struct ldap_passdb_module *)_module;
struct ldap_connection *conn = module->conn;
struct ldap_request_search *srequest = &request->request.search;
const struct var_expand_table *vars;
string_t *str;
srequest->request.type = LDAP_REQUEST_TYPE_SEARCH;
vars = auth_request_get_var_expand_table(auth_request, ldap_escape);
str = t_str_new(512);
var_expand(str, conn->set.base, vars);
srequest->base = p_strdup(auth_request->pool, str_c(str));
str_truncate(str, 0);
var_expand(str, conn->set.pass_filter, vars);
srequest->filter = p_strdup(auth_request->pool, str_c(str));
/* we don't need the attributes to perform authentication, but they
may contain some extra parameters. if a password is returned,
it's just ignored. */
srequest->attr_map = &conn->pass_attr_map;
srequest->attributes = conn->pass_attr_names;
auth_request_log_debug(auth_request, "ldap",
"bind search: base=%s filter=%s",
srequest->base, srequest->filter);
srequest->request.callback = ldap_bind_lookup_dn_callback;
db_ldap_request(conn, &srequest->request);
}
static struct userdb_iterate_context *
userdb_sql_iterate_init(struct auth_request *auth_request,
userdb_iter_callback_t *callback, void *context)
{
struct userdb_module *_module = auth_request->userdb->userdb;
struct sql_userdb_module *module =
(struct sql_userdb_module *)_module;
struct sql_userdb_iterate_context *ctx;
string_t *query;
query = t_str_new(512);
var_expand(query, module->conn->set.iterate_query,
auth_request_get_var_expand_table(auth_request,
userdb_sql_escape));
ctx = i_new(struct sql_userdb_iterate_context, 1);
ctx->ctx.auth_request = auth_request;
ctx->ctx.callback = callback;
ctx->ctx.context = context;
auth_request_ref(auth_request);
sql_query(module->conn->db, str_c(query),
sql_iter_query_callback, ctx);
auth_request_log_debug(auth_request, AUTH_SUBSYS_DB, "%s", str_c(query));
return &ctx->ctx;
}
static enum passdb_result
static_save_fields(struct auth_request *request, const char **password_r)
{
struct static_passdb_module *module =
(struct static_passdb_module *)request->passdb->passdb;
const struct var_expand_table *table;
string_t *str = t_str_new(128);
auth_request_log_debug(request, AUTH_SUBSYS_DB, "lookup");
passdb_template_export(module->tmpl, request);
if (module->static_password_tmpl != NULL) {
table = auth_request_get_var_expand_table(request, NULL);
var_expand(str, module->static_password_tmpl, table);
*password_r = str_c(str);
} else if (auth_fields_exists(request->extra_fields, "nopassword")) {
*password_r = "";
} else {
auth_request_log_info(request, AUTH_SUBSYS_DB,
"No password returned (and no nopassword)");
*password_r = NULL;
return PASSDB_RESULT_PASSWORD_MISMATCH;
}
return PASSDB_RESULT_OK;
}
void passdb_template_export(struct passdb_template *tmpl,
struct auth_request *auth_request)
{
const struct var_expand_table *table;
string_t *str;
const char *const *args, *value;
unsigned int i, count;
str = t_str_new(256);
table = auth_request_get_var_expand_table(auth_request, NULL);
args = array_get(&tmpl->args, &count);
i_assert((count % 2) == 0);
for (i = 0; i < count; i += 2) {
if (args[i+1] == NULL)
value = "";
else {
str_truncate(str, 0);
var_expand(str, args[i+1], table);
value = str_c(str);
}
auth_request_set_field(auth_request, args[i], value,
STATIC_PASS_SCHEME);
}
}
static void passwd_file_lookup(struct auth_request *auth_request,
userdb_callback_t *callback)
{
struct userdb_module *_module = auth_request->userdb->userdb;
struct passwd_file_userdb_module *module =
(struct passwd_file_userdb_module *)_module;
struct passwd_user *pu;
const struct var_expand_table *table;
string_t *str;
const char *key, *value;
char **p;
pu = db_passwd_file_lookup(module->pwf, auth_request,
module->username_format);
if (pu == NULL || pu->uid == 0) {
callback(USERDB_RESULT_USER_UNKNOWN, auth_request);
return;
}
if (pu->uid != (uid_t)-1) {
auth_request_set_userdb_field(auth_request, "uid",
dec2str(pu->uid));
}
if (pu->gid != (gid_t)-1) {
auth_request_set_userdb_field(auth_request, "gid",
dec2str(pu->gid));
}
if (pu->home != NULL)
auth_request_set_userdb_field(auth_request, "home", pu->home);
if (pu->extra_fields != NULL) {
str = t_str_new(512);
table = auth_request_get_var_expand_table(auth_request, NULL);
for (p = pu->extra_fields; *p != NULL; p++) {
if (strncmp(*p, "userdb_", 7) != 0)
continue;
key = *p + 7;
value = strchr(key, '=');
if (value != NULL) {
key = t_strdup_until(key, value);
str_truncate(str, 0);
auth_request_var_expand_with_table(str, value + 1,
auth_request, table, NULL);
value = str_c(str);
} else {
value = "";
}
auth_request_set_userdb_field(auth_request, key, value);
}
}
callback(USERDB_RESULT_OK, auth_request);
}
const char *
checkpassword_get_cmd(struct auth_request *request, const char *args,
const char *checkpassword_reply_path)
{
string_t *str;
str = t_str_new(256);
var_expand(str, args,
auth_request_get_var_expand_table(request, NULL));
return t_strconcat(str_c(str), " ", checkpassword_reply_path, NULL);
}
static void passdb_dict_lookup_pass(struct passdb_dict_request *dict_request)
{
struct auth_request *auth_request = dict_request->auth_request;
struct passdb_module *_module = auth_request->passdb->passdb;
struct dict_passdb_module *module =
(struct dict_passdb_module *)_module;
string_t *key;
const char *password = NULL, *scheme = NULL;
enum passdb_result passdb_result;
int ret;
key = t_str_new(512);
str_append(key, DICT_PATH_SHARED);
var_expand(key, module->conn->set.password_key,
auth_request_get_var_expand_table(auth_request, NULL));
if (*module->conn->set.password_key == '\0') {
auth_request_log_error(auth_request, "dict",
"password_key not specified");
passdb_result = PASSDB_RESULT_INTERNAL_FAILURE;
} else {
passdb_result = passdb_dict_lookup_key(auth_request, module,
str_c(key));
}
if (passdb_result == PASSDB_RESULT_OK) {
/* passdb_password may change on the way,
so we'll need to strdup. */
password = t_strdup(auth_request->passdb_password);
scheme = password_get_scheme(&password);
/* auth_request_set_field() sets scheme */
i_assert(password == NULL || scheme != NULL);
}
if (auth_request->credentials_scheme != NULL) {
passdb_handle_credentials(passdb_result, password, scheme,
dict_request->callback.lookup_credentials,
auth_request);
} else {
if (password != NULL) {
ret = auth_request_password_verify(auth_request,
auth_request->mech_password,
password, scheme, "dict");
passdb_result = ret > 0 ? PASSDB_RESULT_OK :
PASSDB_RESULT_PASSWORD_MISMATCH;
}
dict_request->callback.verify_plain(passdb_result,
auth_request);
}
}
static void
passdb_imap_verify_plain(struct auth_request *auth_request,
const char *password,
verify_plain_callback_t *callback)
{
struct passdb_module *_module = auth_request->passdb->passdb;
struct imap_passdb_module *module =
(struct imap_passdb_module *)_module;
struct imap_auth_request *request;
struct imapc_client_settings set;
const struct var_expand_table *table;
string_t *str;
set = module->set;
set.debug = auth_request->set->debug;
set.dns_client_socket_path =
t_strconcat(auth_request->set->base_dir, "/",
DNS_CLIENT_SOCKET_NAME, NULL);
set.password = password;
set.max_idle_time = IMAPC_DEFAULT_MAX_IDLE_TIME;
if (module->set_have_vars) {
str = t_str_new(128);
table = auth_request_get_var_expand_table(auth_request, NULL);
var_expand(str, set.username, table);
set.username = t_strdup(str_c(str));
str_truncate(str, 0);
var_expand(str, set.host, table);
set.host = t_strdup(str_c(str));
}
auth_request_log_debug(auth_request, AUTH_SUBSYS_DB,
"lookup host=%s port=%d", set.host, set.port);
request = p_new(auth_request->pool, struct imap_auth_request, 1);
request->client = imapc_client_init(&set);
request->auth_request = auth_request;
request->verify_callback = callback;
auth_request_ref(auth_request);
imapc_client_login(request->client, passdb_imap_login_callback,
request);
}
static void
ldap_verify_plain_auth_bind_userdn(struct auth_request *auth_request,
struct passdb_ldap_request *request)
{
struct passdb_module *_module = auth_request->passdb->passdb;
struct ldap_passdb_module *module =
(struct ldap_passdb_module *)_module;
struct ldap_connection *conn = module->conn;
struct ldap_request_bind *brequest = &request->request.bind;
const struct var_expand_table *vars;
string_t *dn;
brequest->request.type = LDAP_REQUEST_TYPE_BIND;
vars = auth_request_get_var_expand_table(auth_request, ldap_escape);
dn = t_str_new(512);
var_expand(dn, conn->set.auth_bind_userdn, vars);
brequest->dn = p_strdup(auth_request->pool, str_c(dn));
ldap_auth_bind(conn, brequest);
}
static void passwd_file_save_results(struct auth_request *request,
const struct passwd_user *pu,
const char **crypted_pass_r,
const char **scheme_r)
{
const struct var_expand_table *table;
const char *key, *value;
string_t *str;
char **p;
*crypted_pass_r = pu->password != NULL ? pu->password : "";
*scheme_r = password_get_scheme(crypted_pass_r);
if (*scheme_r == NULL)
*scheme_r = request->passdb->passdb->default_pass_scheme;
/* save the password so cache can use it */
auth_request_set_field(request, "password",
*crypted_pass_r, *scheme_r);
if (pu->extra_fields != NULL) {
str = t_str_new(512);
table = auth_request_get_var_expand_table(request, NULL);
for (p = pu->extra_fields; *p != NULL; p++) {
value = strchr(*p, '=');
if (value != NULL) {
key = t_strdup_until(*p, value);
str_truncate(str, 0);
auth_request_var_expand_with_table(str, value + 1,
request, table, NULL);
value = str_c(str);
} else {
key = *p;
value = "";
}
auth_request_set_field(request, key, value, NULL);
}
}
}
static void userdb_sql_lookup(struct auth_request *auth_request,
userdb_callback_t *callback)
{
struct userdb_module *_module = auth_request->userdb->userdb;
struct sql_userdb_module *module =
(struct sql_userdb_module *)_module;
struct userdb_sql_request *sql_request;
string_t *query;
query = t_str_new(512);
var_expand(query, module->conn->set.user_query,
auth_request_get_var_expand_table(auth_request,
userdb_sql_escape));
auth_request_ref(auth_request);
sql_request = i_new(struct userdb_sql_request, 1);
sql_request->callback = callback;
sql_request->auth_request = auth_request;
auth_request_log_debug(auth_request, AUTH_SUBSYS_DB, "%s", str_c(query));
sql_query(module->conn->db, str_c(query),
sql_query_callback, sql_request);
}
