/* The caller is responsible for unbinding the connection if ld is not NULL */
static LDAP *
connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
LDAP *ld = NULL;
int ssl = LDAP_OPT_X_TLS_HARD;
int version = LDAP_VERSION3;
int ret;
int ldapdebug = 0;
char *uri;
struct berval bindpw_bv;
if (debug) {
ldapdebug=2;
ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug);
}
if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, CAFILE) != LDAP_OPT_SUCCESS)
goto fail;
ret = asprintf(&uri, "ldaps://%s:636", hostname);
if (ret == -1) {
fprintf(stderr, _("Out of memory!"));
goto fail;
}
ret = ldap_initialize(&ld, uri);
free(uri);
if(ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to initialize connection to ldap server: %s"),
ldap_err2string(ret));
goto fail;
}
if (ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl) != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to enable SSL in LDAP\n"));
goto fail;
}
/* Don't do DNS canonicalization */
ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
goto fail;
}
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP version\n"));
goto fail;
}
if (bindpw) {
bindpw_bv.bv_val = discard_const(bindpw);
bindpw_bv.bv_len = strlen(bindpw);
} else {
bindpw_bv.bv_val = NULL;
bindpw_bv.bv_len = 0;
}
ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bindpw_bv,
NULL, NULL, NULL);
if (ret != LDAP_SUCCESS) {
int err;
ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &err);
if (debug)
fprintf(stderr, _("Bind failed: %s\n"), ldap_err2string(err));
goto fail;
}
return ld;
fail:
if (ld != NULL) {
ldap_unbind_ext(ld, NULL, NULL);
}
return NULL;
}
/*
* asyncmeta_single_bind
*
* attempts to perform a bind with creds
*/
static int
asyncmeta_single_bind(
Operation *op,
SlapReply *rs,
a_metaconn_t *mc,
int candidate )
{
a_metainfo_t *mi = mc->mc_info;
a_metatarget_t *mt = mi->mi_targets[ candidate ];
struct berval mdn = BER_BVNULL;
a_metasingleconn_t *msc = &mc->mc_conns[ candidate ];
int msgid;
a_dncookie dc;
struct berval save_o_dn;
int save_o_do_not_cache;
LDAPControl **ctrls = NULL;
if ( !BER_BVISNULL( &msc->msc_bound_ndn ) ) {
ch_free( msc->msc_bound_ndn.bv_val );
BER_BVZERO( &msc->msc_bound_ndn );
}
if ( !BER_BVISNULL( &msc->msc_cred ) ) {
/* destroy sensitive data */
memset( msc->msc_cred.bv_val, 0, msc->msc_cred.bv_len );
ch_free( msc->msc_cred.bv_val );
BER_BVZERO( &msc->msc_cred );
}
/*
* Rewrite the bind dn if needed
*/
dc.target = mt;
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = "bindDN";
if ( asyncmeta_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {
rs->sr_text = "DN rewrite error";
rs->sr_err = LDAP_OTHER;
return rs->sr_err;
}
/* don't add proxyAuthz; set the bindDN */
save_o_dn = op->o_dn;
save_o_do_not_cache = op->o_do_not_cache;
op->o_do_not_cache = 1;
op->o_dn = op->o_req_dn;
ctrls = op->o_ctrls;
rs->sr_err = asyncmeta_controls_add( op, rs, mc, candidate, &ctrls );
op->o_dn = save_o_dn;
op->o_do_not_cache = save_o_do_not_cache;
if ( rs->sr_err != LDAP_SUCCESS ) {
goto return_results;
}
/* FIXME: this fixes the bind problem right now; we need
* to use the asynchronous version to get the "matched"
* and more in case of failure ... */
/* FIXME: should we check if at least some of the op->o_ctrls
* can/should be passed? */
for (;;) {
rs->sr_err = ldap_sasl_bind( msc->msc_ld, mdn.bv_val,
LDAP_SASL_SIMPLE, &op->orb_cred,
ctrls, NULL, &msgid );
if ( rs->sr_err != LDAP_X_CONNECTING ) {
break;
}
ldap_pvt_thread_yield();
}
mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
asyncmeta_bind_op_result( op, rs, mc, candidate, msgid, LDAP_BACK_DONTSEND, 1 );
if ( rs->sr_err != LDAP_SUCCESS ) {
goto return_results;
}
/* If defined, proxyAuthz will be used also when
* back-ldap is the authorizing backend; for this
* purpose, a successful bind is followed by a
* bind with the configured identity assertion */
/* NOTE: use with care */
if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) {
asyncmeta_proxy_authz_bind( mc, candidate, op, rs, LDAP_BACK_SENDERR, 1 );
if ( !LDAP_BACK_CONN_ISBOUND( msc ) ) {
goto return_results;
}
goto cache_refresh;
}
ber_bvreplace( &msc->msc_bound_ndn, &op->o_req_ndn );
LDAP_BACK_CONN_ISBOUND_SET( msc );
mc->mc_authz_target = candidate;
if ( META_BACK_TGT_SAVECRED( mt ) ) {
if ( !BER_BVISNULL( &msc->msc_cred ) ) {
memset( msc->msc_cred.bv_val, 0,
msc->msc_cred.bv_len );
}
ber_bvreplace( &msc->msc_cred, &op->orb_cred );
ldap_set_rebind_proc( msc->msc_ld, mt->mt_rebind_f, msc );
}
cache_refresh:;
if ( mi->mi_cache.ttl != META_DNCACHE_DISABLED
&& !BER_BVISEMPTY( &op->o_req_ndn ) )
{
( void )asyncmeta_dncache_update_entry( &mi->mi_cache,
&op->o_req_ndn, candidate );
}
return_results:;
if ( mdn.bv_val != op->o_req_dn.bv_val ) {
free( mdn.bv_val );
}
if ( META_BACK_TGT_QUARANTINE( mt ) ) {
asyncmeta_quarantine( op, mi, rs, candidate );
}
ldap_unbind_ext( msc->msc_ld, NULL, NULL );
msc->msc_ld = NULL;
ldap_ld_free( msc->msc_ldr, 0, NULL, NULL );
msc->msc_ldr = NULL;
return rs->sr_err;
}
/*
* Function called during initialization phase => no need to use the GdaWorker object
*
* Using @url and @username, performs the following tasks:
* - bind to the LDAP server anonymously
* - search the directory to identify the entry for the provided user name,
* filter: (&(uid=##uid)(objectclass=inetOrgPerson))
* - if one and only one entry is returned, get the DN of the entry and check that the UID is correct
*
* If all the steps are right, it returns the DN of the identified entry as a new string.
*/
static gchar *
fetch_user_dn (const gchar *url, const gchar *base, const gchar *username, LdapAuthMapping *mapping)
{
LDAP *ld;
int res;
int version = LDAP_VERSION3;
gchar *dn = NULL;
LDAPMessage *msg = NULL;
if (! username)
return NULL;
res = ldap_initialize (&ld, url);
if (res != LDAP_SUCCESS)
return NULL;
res = ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (res != LDAP_SUCCESS) {
if (res == LDAP_PROTOCOL_ERROR) {
version = LDAP_VERSION2;
res = ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version);
}
if (res != LDAP_SUCCESS)
goto out;
}
struct berval cred;
memset (&cred, 0, sizeof (cred));
res = ldap_sasl_bind_s (ld, NULL, NULL, &cred, NULL, NULL, NULL);
if (res != LDAP_SUCCESS)
goto out;
gchar *filter;
gchar *attributes[] = {NULL, NULL};
attributes[0] = mapping->attribute;
filter = g_strdup_printf (mapping->filter_format, username);
res = ldap_search_ext_s (ld, base, LDAP_SCOPE_SUBTREE,
filter, attributes, 0,
NULL, NULL, NULL, 2, &msg);
g_free (filter);
if (res != LDAP_SUCCESS)
goto out;
LDAPMessage *ldap_row;
for (ldap_row = ldap_first_entry (ld, msg);
ldap_row;
ldap_row = ldap_next_entry (ld, ldap_row)) {
char *attr, *uid;
attr = ldap_get_dn (ld, ldap_row);
if (attr) {
BerElement* ber;
for (uid = ldap_first_attribute (ld, ldap_row, &ber);
uid;
uid = ldap_next_attribute (ld, ldap_row, ber)) {
BerValue **bvals;
bvals = ldap_get_values_len (ld, ldap_row, uid);
if (!bvals || !bvals[0] || bvals[1] || strcmp (bvals[0]->bv_val, username)) {
g_free (dn);
dn = NULL;
}
ldap_value_free_len (bvals);
ldap_memfree (uid);
}
if (dn) {
/* more than 1 entry => unique DN could not be identified */
g_free (dn);
dn = NULL;
goto out;
}
dn = g_strdup (attr);
ldap_memfree (attr);
}
}
out:
if (msg)
ldap_msgfree (msg);
ldap_unbind_ext (ld, NULL, NULL);
/*g_print ("Identified DN: [%s]\n", dn);*/
return dn;
}
static int
libbalsa_address_book_ldap_open_connection(LibBalsaAddressBookLdap * ab)
{
int result;
static const int version = LDAP_VERSION3;
gboolean v3_enabled;
LibBalsaAddressBook *lbab = LIBBALSA_ADDRESS_BOOK(ab);
g_return_val_if_fail(ab->host != NULL, FALSE);
ldap_initialize(&ab->directory, ab->host);
if (ab->directory == NULL) { /* very unlikely... */
libbalsa_address_book_set_status(lbab, g_strdup("Host not found"));
return LDAP_SERVER_DOWN;
}
/* ignore error if the V3 LDAP cannot be set */
v3_enabled =
ldap_set_option(ab->directory, LDAP_OPT_PROTOCOL_VERSION, &version)
== LDAP_OPT_SUCCESS;
if(!v3_enabled) printf("Too old LDAP server - interaction may fail.\n");
if(v3_enabled && ab->enable_tls) {
#ifdef HAVE_LDAP_TLS
/* turn TLS on but what if we have SSL already on? */
result = ldap_start_tls_s(ab->directory, NULL, NULL);
if(result != LDAP_SUCCESS) {
ldap_unbind_ext(ab->directory, NULL, NULL);
ab->directory = NULL;
libbalsa_address_book_set_status
(lbab, g_strdup(ldap_err2string(result)));
return result;
}
#else /* HAVE_LDAP_TLS */
libbalsa_address_book_set_status(lbab,
_("TLS requested but not compiled in"));
return LDAP_INAPPRIOPRIATE_AUTH;
#endif /* HAVE_LDAP_TLS */
}
#ifdef HAVE_CYRUS_SASL
result = ldap_sasl_interactive_bind_s(ab->directory, ab->bind_dn, NULL,
NULL, NULL,
LDAP_SASL_QUIET, abl_interact, ab);
#else /* HAVE_CYRUS_SASL */
{
struct berval cred;
cred.bv_val = ab->passwd;
cred.bv_len = ab->passwd ? strlen(ab->passwd) : 0;
result = ldap_sasl_bind_s(ab->directory, ab->bind_dn, NULL, &cred,
NULL, NULL, NULL);
}
#endif /* HAVE_CYRUS_SASL */
/* do not follow referrals (OpenLDAP binds anonymously here, which will usually
* fail */
if (result == LDAP_SUCCESS)
result = ldap_set_option(ab->directory, LDAP_OPT_REFERRALS, (void *)LDAP_OPT_OFF);
if (result != LDAP_SUCCESS) {
libbalsa_address_book_set_status(lbab,
g_strdup(ldap_err2string(result)));
ldap_unbind_ext(ab->directory, NULL, NULL);
ab->directory = NULL;
}
return result;
}
static void
do_random( char *uri, char *manager, struct berval *passwd,
char *sbase, char *filter, char **srchattrs, int noattrs, int nobind,
int innerloop, int maxretries, int delay, int force, int chaserefs )
{
LDAP *ld = NULL;
int i = 0, do_retry = maxretries;
char *attrs[ 2 ];
int rc = LDAP_SUCCESS;
int version = LDAP_VERSION3;
int nvalues = 0;
char **values = NULL;
LDAPMessage *res = NULL, *e = NULL;
attrs[ 0 ] = LDAP_NO_ATTRS;
attrs[ 1 ] = NULL;
ldap_initialize( &ld, uri );
if ( ld == NULL ) {
tester_perror( "ldap_initialize", NULL );
exit( EXIT_FAILURE );
}
(void) ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
(void) ldap_set_option( ld, LDAP_OPT_REFERRALS,
chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );
if ( do_retry == maxretries ) {
fprintf( stderr, "PID=%ld - Read(%d): base=\"%s\", filter=\"%s\".\n",
(long) pid, innerloop, sbase, filter );
}
if ( nobind == 0 ) {
rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
switch ( rc ) {
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
/* fallthru */
default:
break;
}
exit( EXIT_FAILURE );
}
}
rc = ldap_search_ext_s( ld, sbase, LDAP_SCOPE_SUBTREE,
filter, attrs, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &res );
switch ( rc ) {
case LDAP_SIZELIMIT_EXCEEDED:
case LDAP_TIMELIMIT_EXCEEDED:
case LDAP_SUCCESS:
nvalues = ldap_count_entries( ld, res );
if ( nvalues == 0 ) {
if ( rc ) {
tester_ldap_error( ld, "ldap_search_ext_s", NULL );
}
break;
}
values = malloc( ( nvalues + 1 ) * sizeof( char * ) );
for ( i = 0, e = ldap_first_entry( ld, res ); e != NULL; i++, e = ldap_next_entry( ld, e ) )
{
values[ i ] = ldap_get_dn( ld, e );
}
values[ i ] = NULL;
ldap_msgfree( res );
if ( do_retry == maxretries ) {
fprintf( stderr, " PID=%ld - Read base=\"%s\" filter=\"%s\" got %d values.\n",
(long) pid, sbase, filter, nvalues );
}
for ( i = 0; i < innerloop; i++ ) {
#if 0 /* use high-order bits for better randomness (Numerical Recipes in "C") */
int r = rand() % nvalues;
#endif
int r = ((double)nvalues)*rand()/(RAND_MAX + 1.0);
do_read( uri, manager, passwd, values[ r ], &ld,
srchattrs, noattrs, nobind, 1, maxretries,
delay, force, chaserefs );
}
free( values );
break;
default:
tester_ldap_error( ld, "ldap_search_ext_s", NULL );
break;
}
fprintf( stderr, " PID=%ld - Read done (%d).\n", (long) pid, rc );
if ( ld != NULL ) {
ldap_unbind_ext( ld, NULL, NULL );
}
}
int
ldap_unbind_s( LDAP *ld )
{
return( ldap_unbind_ext( ld, NULL, NULL ) );
}
static int ipa_ldap_bind(const char *server_name, krb5_principal bind_princ,
const char *bind_dn, const char *bind_pw, LDAP **_ld)
{
char *msg = NULL;
struct berval bv;
int version;
LDAP *ld;
int ssl;
int ret;
/* TODO: support referrals ? */
if (bind_dn) {
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ca_cert_file);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_CERTIFICATE\n"));
return ret;
}
ret = ipa_ldap_init(&ld, "ldaps", server_name, 636);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to init for ldaps(636) connection\n"));
return ret;
}
ssl = LDAP_OPT_X_TLS_HARD;;
ret = ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS\n"));
goto done;
}
} else {
ret = ipa_ldap_init(&ld, "ldap", server_name, 389);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to init for ldap(389) connection\n"));
return ret;
}
}
if (ld == NULL) {
fprintf(stderr, _("Unable to initialize ldap library!\n"));
return LDAP_OPERATIONS_ERROR;
}
#ifdef LDAP_OPT_X_SASL_NOCANON
/* Don't do DNS canonicalization */
ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
goto done;
}
#endif
version = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_PROTOCOL_VERSION\n"));
goto done;
}
if (bind_dn) {
bv.bv_val = discard_const(bind_pw);
bv.bv_len = strlen(bind_pw);
ret = ldap_sasl_bind_s(ld, bind_dn, LDAP_SASL_SIMPLE,
&bv, NULL, NULL, NULL);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Simple bind failed\n"));
goto done;
}
} else {
ret = ldap_sasl_interactive_bind_s(ld, NULL, "GSSAPI",
NULL, NULL, LDAP_SASL_QUIET,
ldap_sasl_interact, bind_princ);
if (ret != LDAP_SUCCESS) {
#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
#endif
fprintf(stderr, "SASL Bind failed %s (%d) %s!\n",
ldap_err2string(ret), ret, msg ? msg : "");
goto done;
}
}
ret = LDAP_SUCCESS;
done:
if (ret != LDAP_SUCCESS) {
if (ld) ldap_unbind_ext(ld, NULL, NULL);
} else {
*_ld = ld;
}
return ret;
}
static int
check_auth(LD_session *session, char *login, char *password, char *fullname) {
int rc = 0, count = 0;
char username[MAXFILTERSTR];
char logbuf[MAXLOGBUF];
LDAPMessage *res, *entry;
char *attr;
BerElement * ber;
struct berval **list_of_values;
struct berval value;
char *userdn, *validgroups, *fn;
char filter[MAXFILTERSTR];
/* Check authorization */
memset(filter, 0, 100);
snprintf(filter, MAXLOGBUF, "(&(objectClass=posixGroup)(memberUid=%s))", login);
struct berval cred;
struct berval *msgidp=NULL;
cred.bv_val = password;
cred.bv_len = strlen(password);
#if LDAP_API_VERSION > 3000
if((rc = ldap_sasl_bind_s(session->sess, fullname, ldap_authorization_type, &cred, NULL, NULL, NULL))!=LDAP_SUCCESS) {
snprintf(logbuf, MAXLOGBUF, "Ldap server %s authentificate with method %s failed: %s", ldap_authorization_host, ldap_authorization_type, ldap_err2string(rc));
ldap_log(LOG_DEBUG, logbuf);
return RETURN_FALSE;
};
#else
if((rc = ldap_bind_s(session->sess, fullname, password, LDAP_AUTH_SIMPLE))!=LDAP_SUCCESS) {
snprintf(logbuf, MAXLOGBUF, "Ldap server %s authentificate failed: %s", ldap_authorization_host, ldap_err2string(rc));
ldap_log(LOG_DEBUG, logbuf);
return RETURN_FALSE;
}
#endif
if ((rc = ldap_search_ext_s(session->sess, ldap_authorization_basedn, LDAP_SCOPE_SUBTREE, filter, NULL, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &res)) != LDAP_SUCCESS) {
#if LDAP_API_VERSION > 3000
ldap_unbind_ext(session->sess, NULL, NULL);
#else
ldap_unbind(session->sess);
#endif
return RETURN_TRUE;
}
for (entry = ldap_first_entry(session->sess,res); entry!=NULL && count<ldap_count_messages(session->sess, res); entry=ldap_next_entry(session->sess, res)) {
count++;
for(attr = ldap_first_attribute(session->sess,entry,&ber); attr != NULL ; attr=ldap_next_attribute(session->sess,entry,ber)) {
snprintf(logbuf, MAXLOGBUF, "Found attribute %s", attr);
ldap_log(LOG_DEBUG, logbuf);
if (strcmp(attr, "cn"))
continue;
if ((list_of_values = ldap_get_values_len(session->sess, entry, attr)) != NULL ) {
value = *list_of_values[0];
char temp[MAXGROUPLIST];
memset(temp, 0, MAXGROUPLIST);
if (ldap_authorization_validgroups) {
strcpy(temp, ldap_authorization_validgroups);
validgroups = strtok(temp, ",");
while (validgroups != NULL)
{
snprintf(logbuf, MAXLOGBUF, "Attribute value validgroups ? value.bv_val >> %s ? %s", validgroups, value.bv_val);
ldap_log(LOG_DEBUG, logbuf);
if (!strcmp(validgroups, value.bv_val))
{
ldap_msgfree(res);
#if LDAP_API_VERSION > 3000
ldap_unbind_ext(session->sess, NULL, NULL);
#else
ldap_unbind(session->sess);
#endif
fn = (char *)malloc(strlen(value.bv_val));
strcpy(fn, value.bv_val);
return RETURN_TRUE;
}
validgroups = strtok (NULL, ",");
}
printf("VAL: %s\n", value.bv_val);
ldap_value_free_len( list_of_values );
}
}
}
res = ldap_next_message(session->sess, res);
};
ldap_msgfree(res);
#if LDAP_API_VERSION > 3000
ldap_unbind_ext(session->sess, NULL, NULL);
#else
ldap_unbind(session->sess);
#endif
return RETURN_FALSE;
}
int
main( int argc, char **argv )
{
int i;
char *uri = NULL;
char *host = "localhost";
int port = -1;
char *manager = NULL;
struct berval passwd = { 0, NULL };
char outstr[BUFSIZ];
int ptpass;
int testfail = 0;
tester_init( "slapd-mtread", TESTER_READ );
/* by default, tolerate referrals and no such object */
tester_ignore_str2errlist( "REFERRAL,NO_SUCH_OBJECT" );
while ( (i = getopt( argc, argv, "ACc:D:e:Ff:H:h:i:L:l:M:m:p:r:t:T:w:v" )) != EOF ) {
switch ( i ) {
case 'A':
noattrs++;
break;
case 'C':
chaserefs++;
break;
case 'H': /* the server uri */
uri = strdup( optarg );
break;
case 'h': /* the servers host */
host = strdup( optarg );
break;
case 'i':
tester_ignore_str2errlist( optarg );
break;
case 'N':
nobind++;
break;
case 'v':
verbose++;
break;
case 'p': /* the servers port */
if ( lutil_atoi( &port, optarg ) != 0 ) {
usage( argv[0] );
}
break;
case 'D': /* the servers manager */
manager = strdup( optarg );
break;
case 'w': /* the server managers password */
passwd.bv_val = strdup( optarg );
passwd.bv_len = strlen( optarg );
memset( optarg, '*', passwd.bv_len );
break;
case 'c': /* the number of connections */
if ( lutil_atoi( &noconns, optarg ) != 0 ) {
usage( argv[0] );
}
break;
case 'e': /* DN to search for */
entry = strdup( optarg );
break;
case 'f': /* the search request */
filter = strdup( optarg );
break;
case 'F':
force++;
break;
case 'l': /* the number of loops */
if ( lutil_atoi( &loops, optarg ) != 0 ) {
usage( argv[0] );
}
break;
case 'L': /* the number of outerloops */
if ( lutil_atoi( &outerloops, optarg ) != 0 ) {
usage( argv[0] );
}
break;
case 'M': /* the number of R/W threads */
if ( lutil_atoi( &rwthreads, optarg ) != 0 ) {
usage( argv[0] );
}
if (rwthreads > MAX_THREAD)
rwthreads = MAX_THREAD;
break;
case 'm': /* the number of threads */
if ( lutil_atoi( &threads, optarg ) != 0 ) {
usage( argv[0] );
}
if (threads > MAX_THREAD)
threads = MAX_THREAD;
break;
case 'r': /* the number of retries */
if ( lutil_atoi( &retries, optarg ) != 0 ) {
usage( argv[0] );
}
break;
case 't': /* delay in seconds */
if ( lutil_atoi( &delay, optarg ) != 0 ) {
usage( argv[0] );
}
break;
case 'T':
attrs = ldap_str2charray( optarg, "," );
if ( attrs == NULL ) {
usage( argv[0] );
}
break;
default:
usage( argv[0] );
break;
}
}
if (( entry == NULL ) || ( port == -1 && uri == NULL ))
usage( argv[0] );
if ( *entry == '\0' ) {
fprintf( stderr, "%s: invalid EMPTY entry DN.\n",
argv[0] );
exit( EXIT_FAILURE );
}
if ( argv[optind] != NULL ) {
attrs = &argv[optind];
}
if (noconns < 1)
noconns = 1;
if (noconns > MAXCONN)
noconns = MAXCONN;
lds = (LDAP **) calloc( sizeof(LDAP *), noconns);
if (lds == NULL) {
fprintf( stderr, "%s: Memory error: calloc noconns.\n",
argv[0] );
exit( EXIT_FAILURE );
}
uri = tester_uri( uri, host, port );
/* One connection and one connection only */
do_conn( uri, manager, &passwd, &ld, nobind, retries, 0 );
lds[0] = ld;
for(i = 1; i < noconns; i++) {
do_conn( uri, manager, &passwd, &lds[i], nobind, retries, i );
}
ldap_pvt_thread_initialize();
snprintf(outstr, BUFSIZ, "MT Test Start: conns: %d (%s)", noconns, uri);
tester_error(outstr);
snprintf(outstr, BUFSIZ, "Threads: RO: %d RW: %d", threads, rwthreads);
tester_error(outstr);
/* Set up read only threads */
for ( i = 0; i < threads; i++ ) {
ldap_pvt_thread_create( &rtid[i], 0, do_onethread, &rtid[i]);
snprintf(outstr, BUFSIZ, "Created RO thread %d", i);
thread_verbose(-1, outstr);
}
/* Set up read/write threads */
for ( i = 0; i < rwthreads; i++ ) {
ldap_pvt_thread_create( &rwtid[i], 0, do_onerwthread, &rwtid[i]);
snprintf(outstr, BUFSIZ, "Created RW thread %d", i + MAX_THREAD);
thread_verbose(-1, outstr);
}
ptpass = outerloops * loops;
/* wait for read only threads to complete */
for ( i = 0; i < threads; i++ )
ldap_pvt_thread_join(rtid[i], NULL);
/* wait for read/write threads to complete */
for ( i = 0; i < rwthreads; i++ )
ldap_pvt_thread_join(rwtid[i], NULL);
for(i = 0; i < noconns; i++) {
if ( lds[i] != NULL ) {
ldap_unbind_ext( lds[i], NULL, NULL );
}
}
free( lds );
for ( i = 0; i < threads; i++ ) {
snprintf(outstr, BUFSIZ, "RO thread %d pass=%d fail=%d", i,
rt_pass[i], rt_fail[i]);
tester_error(outstr);
if (rt_fail[i] != 0 || rt_pass[i] != ptpass) {
snprintf(outstr, BUFSIZ, "FAIL RO thread %d", i);
tester_error(outstr);
testfail++;
}
}
for ( i = 0; i < rwthreads; i++ ) {
snprintf(outstr, BUFSIZ, "RW thread %d pass=%d fail=%d", i + MAX_THREAD,
rwt_pass[i], rwt_fail[i]);
tester_error(outstr);
if (rwt_fail[i] != 0 || rwt_pass[i] != ptpass) {
snprintf(outstr, BUFSIZ, "FAIL RW thread %d", i);
tester_error(outstr);
testfail++;
}
}
snprintf(outstr, BUFSIZ, "MT Test complete" );
tester_error(outstr);
if (testfail)
exit( EXIT_FAILURE );
exit( EXIT_SUCCESS );
}
static void
do_modrdn( char *uri, char *manager,
struct berval *passwd, char *entry, int maxloop, int maxretries,
int delay, int friendly, int chaserefs )
{
LDAP *ld = NULL;
int i, do_retry = maxretries;
char *DNs[2];
char *rdns[2];
int rc = LDAP_SUCCESS;
char *p1, *p2;
int version = LDAP_VERSION3;
DNs[0] = entry;
DNs[1] = strdup( entry );
/* reverse the RDN, make new DN */
p1 = strchr( entry, '=' ) + 1;
p2 = strchr( p1, ',' );
*p2 = '\0';
rdns[1] = strdup( entry );
*p2-- = ',';
for (i = p1 - entry;p2 >= p1;)
DNs[1][i++] = *p2--;
DNs[1][i] = '\0';
rdns[0] = strdup( DNs[1] );
DNs[1][i] = ',';
i = 0;
retry:;
ldap_initialize( &ld, uri );
if ( ld == NULL ) {
tester_perror( "ldap_initialize", NULL );
exit( EXIT_FAILURE );
}
(void) ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
(void) ldap_set_option( ld, LDAP_OPT_REFERRALS,
chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );
if ( do_retry == maxretries ) {
fprintf( stderr, "PID=%ld - Modrdn(%d): entry=\"%s\".\n",
(long) pid, maxloop, entry );
}
rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
switch ( rc ) {
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
do_retry--;
if ( delay > 0) {
sleep( delay );
}
goto retry;
}
/* fallthru */
default:
break;
}
exit( EXIT_FAILURE );
}
for ( ; i < maxloop; i++ ) {
rc = ldap_rename_s( ld, DNs[0], rdns[0], NULL, 0, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_rename_s", NULL );
switch ( rc ) {
case LDAP_NO_SUCH_OBJECT:
/* NOTE: this likely means
* the second modrdn failed
* during the previous round... */
if ( !friendly ) {
goto done;
}
break;
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
do_retry--;
goto retry;
}
/* fall thru */
default:
goto done;
}
}
rc = ldap_rename_s( ld, DNs[1], rdns[1], NULL, 1, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_rename_s", NULL );
switch ( rc ) {
case LDAP_NO_SUCH_OBJECT:
/* NOTE: this likely means
* the first modrdn failed
* during the previous round... */
if ( !friendly ) {
goto done;
}
break;
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
do_retry--;
goto retry;
}
/* fall thru */
default:
goto done;
}
}
}
done:;
fprintf( stderr, " PID=%ld - Modrdn done (%d).\n", (long) pid, rc );
ldap_unbind_ext( ld, NULL, NULL );
free( DNs[1] );
free( rdns[0] );
free( rdns[1] );
}
int
ldap_unbind_ext_s(LDAP *ld, LDAPControl **sctrls, LDAPControl **cctrls)
{
return ldap_unbind_ext(ld, sctrls, cctrls);
}
/* If we only have a bindpw then try to join in a bit of a degraded mode.
* This is going to duplicate some of the server-side code to determine
* the state of the entry.
*/
static int
join_ldap(const char *ipaserver, char *hostname, char ** binddn, const char *bindpw, const char *basedn, const char **princ, const char **subject, int quiet)
{
LDAP *ld;
char *filter = NULL;
int rval = 0;
char *oidresult = NULL;
struct berval valrequest;
struct berval *valresult = NULL;
int rc, ret;
char *ldap_base = NULL;
char *search_base = NULL;
*binddn = NULL;
*princ = NULL;
*subject = NULL;
if (NULL != basedn) {
ldap_base = strdup(basedn);
if (!ldap_base) {
if (!quiet)
fprintf(stderr, _("Out of memory!\n"));
rval = 3;
goto done;
}
} else {
if (get_root_dn(ipaserver, &ldap_base) != 0) {
if (!quiet)
fprintf(stderr, _("Unable to determine root DN of %s\n"),
ipaserver);
rval = 14;
goto done;
}
}
ret = asprintf(binddn, "fqdn=%s,cn=computers,cn=accounts,%s", hostname, ldap_base);
if (ret == -1)
{
if (!quiet)
fprintf(stderr, _("Out of memory!\n"));
rval = 3;
goto done;
}
ld = connect_ldap(ipaserver, *binddn, bindpw);
if (!ld) {
if (!quiet)
fprintf(stderr, _("Incorrect password.\n"));
rval = 15;
goto done;
}
if (get_subject(ld, ldap_base, subject, quiet) != 0) {
if (!quiet)
fprintf(stderr,
_("Unable to determine certificate subject of %s\n"),
ipaserver);
/* Not a critical failure */
}
valrequest.bv_val = (char *)hostname;
valrequest.bv_len = strlen(hostname);
if ((rc = ldap_extended_operation_s(ld, JOIN_OID, &valrequest, NULL, NULL, &oidresult, &valresult)) != LDAP_SUCCESS) {
char *s = NULL;
#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, &s);
#else
ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &s);
#endif
if (!quiet)
fprintf(stderr, _("Enrollment failed. %s\n"), s);
if (debug) {
fprintf(stderr, "ldap_extended_operation_s failed: %s",
ldap_err2string(rc));
}
rval = 13;
goto ldap_done;
}
/* Get the value from the result returned by the server. */
*princ = strdup(valresult->bv_val);
ldap_done:
free(filter);
free(search_base);
free(ldap_base);
if (ld != NULL) {
ldap_unbind_ext(ld, NULL, NULL);
}
done:
if (valresult) ber_bvfree(valresult);
if (oidresult) free(oidresult);
return rval;
}
/*
* Determine the baseDN of the remote server. Look first for a
* defaultNamingContext, otherwise fall back to reviewing each
* namingContext.
*/
static int
get_root_dn(const char *ipaserver, char **ldap_base)
{
LDAP *ld = NULL;
char *root_attrs[] = {"namingContexts", "defaultNamingContext", NULL};
LDAPMessage *entry, *res = NULL;
struct berval **ncvals;
struct berval **defvals;
int ret, rval = 0;
ld = connect_ldap(ipaserver, NULL, NULL);
if (!ld) {
rval = 14;
goto done;
}
ret = ldap_search_ext_s(ld, "", LDAP_SCOPE_BASE,
"objectclass=*", root_attrs, 0,
NULL, NULL, NULL, 0, &res);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Search for %1$s on rootdse failed with error %2$d\n"),
root_attrs[0], ret);
rval = 14;
goto done;
}
*ldap_base = NULL;
entry = ldap_first_entry(ld, res);
defvals = ldap_get_values_len(ld, entry, root_attrs[1]);
if (defvals) {
ret = check_ipa_server(ld, ldap_base, defvals);
}
ldap_value_free_len(defvals);
/* loop through to find the IPA context */
if (ret == LDAP_SUCCESS && !*ldap_base) {
ncvals = ldap_get_values_len(ld, entry, root_attrs[0]);
if (!ncvals) {
fprintf(stderr, _("No values for %s"), root_attrs[0]);
rval = 14;
ldap_value_free_len(ncvals);
goto done;
}
ret = check_ipa_server(ld, ldap_base, ncvals);
ldap_value_free_len(ncvals);
}
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Search for IPA namingContext failed with error %d\n"), ret);
rval = 14;
goto done;
}
if (!*ldap_base) {
fprintf(stderr, _("IPA namingContext not found\n"));
rval = 14;
goto done;
}
done:
if (res) ldap_msgfree(res);
if (ld != NULL) {
ldap_unbind_ext(ld, NULL, NULL);
}
return rval;
}
static void
do_addel(
char *uri,
char *manager,
struct berval *passwd,
char *entry,
LDAPMod **attrs,
int maxloop,
int maxretries,
int delay,
int friendly,
int chaserefs )
{
LDAP *ld = NULL;
int i = 0, do_retry = maxretries;
int rc = LDAP_SUCCESS;
int version = LDAP_VERSION3;
retry:
;
ldap_initialize( &ld, uri );
if ( ld == NULL ) {
tester_perror( "ldap_initialize", NULL );
exit( EXIT_FAILURE );
}
(void) ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
(void) ldap_set_option( ld, LDAP_OPT_REFERRALS,
chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );
if ( do_retry == maxretries ) {
fprintf( stderr, "PID=%ld - Add/Delete(%d): entry=\"%s\".\n",
(long) pid, maxloop, entry );
}
rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
switch ( rc ) {
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
do_retry--;
if ( delay != 0 ) {
sleep( delay );
}
goto retry;
}
/* fallthru */
default:
break;
}
exit( EXIT_FAILURE );
}
for ( ; i < maxloop; i++ ) {
/* add the entry */
rc = ldap_add_ext_s( ld, entry, attrs, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_add_ext_s", NULL );
switch ( rc ) {
case LDAP_ALREADY_EXISTS:
/* NOTE: this likely means
* the delete failed
* during the previous round... */
if ( !friendly ) {
goto done;
}
break;
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
do_retry--;
goto retry;
}
/* fall thru */
default:
goto done;
}
}
#if 0
/* wait a second for the add to really complete */
/* This masks some race conditions though. */
sleep( 1 );
#endif
/* now delete the entry again */
rc = ldap_delete_ext_s( ld, entry, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_delete_ext_s", NULL );
switch ( rc ) {
case LDAP_NO_SUCH_OBJECT:
/* NOTE: this likely means
* the add failed
* during the previous round... */
if ( !friendly ) {
goto done;
}
break;
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
do_retry--;
goto retry;
}
/* fall thru */
default:
goto done;
}
}
}
done:
;
fprintf( stderr, " PID=%ld - Add/Delete done (%d).\n", (long) pid, rc );
ldap_unbind_ext( ld, NULL, NULL );
}
static int ldap_set_keytab(krb5_context krbctx,
const char *servername,
const char *principal_name,
krb5_principal princ,
const char *binddn,
const char *bindpw,
struct keys_container *keys)
{
LDAP *ld = NULL;
BerElement *sctrl = NULL;
struct berval *control = NULL;
LDAPControl **srvctrl = NULL;
int ret;
int kvno, i;
ber_tag_t rtag;
ber_int_t *encs = NULL;
int successful_keys = 0;
/* cant' return more than nkeys, sometimes less */
encs = calloc(keys->nkeys + 1, sizeof(ber_int_t));
if (!encs) {
fprintf(stderr, _("Out of Memory!\n"));
return 0;
}
/* build password change control */
control = create_key_control(keys, principal_name);
if (!control) {
fprintf(stderr, _("Failed to create control!\n"));
goto error_out;
}
ret = ipa_ldap_bind(servername, princ, binddn, bindpw, &ld);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Failed to bind to server!\n"));
goto error_out;
}
/* perform password change */
ret = ipa_ldap_extended_op(ld, KEYTAB_SET_OID, control, &srvctrl);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Failed to get keytab!\n"));
goto error_out;
}
ber_bvfree(control);
control = NULL;
sctrl = get_control_data(srvctrl, KEYTAB_RET_OID);
if (!sctrl) {
fprintf(stderr, _("ber_init() failed, Invalid control ?!\n"));
goto error_out;
}
/* Format of response
*
* KeytabGetRequest ::= SEQUENCE {
* new_kvno Int32
* SEQUENCE OF KeyTypes
* }
*
* * List of accepted enctypes *
* KeyTypes ::= SEQUENCE {
* enctype Int32
* }
*/
rtag = ber_scanf(sctrl, "{i{", &kvno);
if (rtag == LBER_ERROR) {
fprintf(stderr, _("ber_scanf() failed, unable to find kvno ?!\n"));
goto error_out;
}
for (i = 0; i < keys->nkeys; i++) {
ret = ber_scanf(sctrl, "{i}", &encs[i]);
if (ret == LBER_ERROR) {
char enc[79]; /* fit std terminal or truncate */
krb5_error_code krberr;
krberr = krb5_enctype_to_string(
keys->ksdata[i].enctype, enc, 79);
if (krberr) {
fprintf(stderr, _("Failed to retrieve "
"encryption type type #%d\n"),
keys->ksdata[i].enctype);
} else {
fprintf(stderr, _("Failed to retrieve "
"encryption type %1$s (#%2$d)\n"),
enc, keys->ksdata[i].enctype);
}
} else {
successful_keys++;
}
}
if (successful_keys == 0) {
fprintf(stderr, _("Failed to retrieve any keys"));
goto error_out;
}
ret = filter_keys(krbctx, keys, encs);
if (ret == 0) goto error_out;
ber_free(sctrl, 1);
ldap_controls_free(srvctrl);
ldap_unbind_ext(ld, NULL, NULL);
free(encs);
return kvno;
error_out:
if (sctrl) ber_free(sctrl, 1);
if (srvctrl) ldap_controls_free(srvctrl);
if (ld) ldap_unbind_ext(ld, NULL, NULL);
if (control) ber_bvfree(control);
free(encs);
return -1;
}
static void
do_modify( char *uri, char *manager,
struct berval *passwd, char *entry, char* attr, char* value,
int maxloop, int maxretries, int delay, int friendly, int chaserefs )
{
LDAP *ld = NULL;
int i = 0, do_retry = maxretries;
int rc = LDAP_SUCCESS;
struct ldapmod mod;
struct ldapmod *mods[2];
char *values[2];
int version = LDAP_VERSION3;
values[0] = value;
values[1] = NULL;
mod.mod_op = LDAP_MOD_ADD;
mod.mod_type = attr;
mod.mod_values = values;
mods[0] = &mod;
mods[1] = NULL;
retry:;
ldap_initialize( &ld, uri );
if ( ld == NULL ) {
tester_perror( "ldap_initialize", NULL );
exit( EXIT_FAILURE );
}
(void) ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
(void) ldap_set_option( ld, LDAP_OPT_REFERRALS,
chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );
if ( do_retry == maxretries ) {
fprintf( stderr, "PID=%ld - Modify(%d): entry=\"%s\".\n",
(long) pid, maxloop, entry );
}
rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
switch ( rc ) {
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
do_retry--;
if ( delay > 0 ) {
sleep( delay );
}
goto retry;
}
/* fallthru */
default:
break;
}
exit( EXIT_FAILURE );
}
for ( ; i < maxloop; i++ ) {
mod.mod_op = LDAP_MOD_ADD;
rc = ldap_modify_ext_s( ld, entry, mods, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_modify_ext_s", NULL );
switch ( rc ) {
case LDAP_TYPE_OR_VALUE_EXISTS:
/* NOTE: this likely means
* the second modify failed
* during the previous round... */
if ( !friendly ) {
goto done;
}
break;
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
do_retry--;
goto retry;
}
/* fall thru */
default:
goto done;
}
}
mod.mod_op = LDAP_MOD_DELETE;
rc = ldap_modify_ext_s( ld, entry, mods, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_modify_ext_s", NULL );
switch ( rc ) {
case LDAP_NO_SUCH_ATTRIBUTE:
/* NOTE: this likely means
* the first modify failed
* during the previous round... */
if ( !friendly ) {
goto done;
}
break;
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
do_retry--;
goto retry;
}
/* fall thru */
default:
goto done;
}
}
}
done:;
fprintf( stderr, " PID=%ld - Modify done (%d).\n", (long) pid, rc );
ldap_unbind_ext( ld, NULL, NULL );
}
static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
const char *enctypes, const char *bind_server,
const char *svc_princ, krb5_principal bind_princ,
const char *bind_dn, const char *bind_pw,
struct keys_container *keys, int *kvno,
char **err_msg)
{
struct krb_key_salt *es = NULL;
int num_es = 0;
struct berval *control = NULL;
LDAP *ld = NULL;
LDAPControl **srvctrl = NULL;
struct berval data;
bool res;
int ret;
*err_msg = NULL;
if (enctypes) {
ret = ipa_string_to_enctypes(enctypes, &es, &num_es, err_msg);
if (ret || num_es == 0) {
return LDAP_OPERATIONS_ERROR;
}
}
control = create_getkeytab_control(svc_princ, generate,
password, es, num_es);
if (!control) {
*err_msg = _("Failed to create control!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
ret = ipa_ldap_bind(bind_server, bind_princ, bind_dn, bind_pw, &ld);
if (ret != LDAP_SUCCESS) {
*err_msg = _("Failed to bind to server!\n");
goto done;
}
/* perform extedned opt to get keytab */
ret = ipa_ldap_extended_op(ld, KEYTAB_GET_OID, control, &srvctrl);
if (ret != LDAP_SUCCESS) {
goto done;
}
ret = find_control_data(srvctrl, KEYTAB_GET_OID, &data);
if (ret != LDAP_SUCCESS) goto done;
res = ipaasn1_dec_getktreply(data.bv_val, data.bv_len, kvno, keys);
if (!res) {
*err_msg = _("Failed to decode control reply!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
ret = LDAP_SUCCESS;
done:
if (ld) ldap_unbind_ext(ld, NULL, NULL);
if (control) ber_bvfree(control);
free(es);
if (ret) {
free_keys_contents(krbctx, keys);
}
return ret;
}
static void
do_read( char *uri, char *manager, struct berval *passwd, char *entry,
LDAP **ldp, char **attrs, int noattrs, int nobind, int maxloop,
int maxretries, int delay, int force, int chaserefs )
{
LDAP *ld = ldp ? *ldp : NULL;
int i = 0, do_retry = maxretries;
int rc = LDAP_SUCCESS;
int version = LDAP_VERSION3;
retry:;
if ( ld == NULL ) {
ldap_initialize( &ld, uri );
if ( ld == NULL ) {
tester_perror( "ldap_initialize", NULL );
exit( EXIT_FAILURE );
}
(void) ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
(void) ldap_set_option( ld, LDAP_OPT_REFERRALS,
chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );
if ( do_retry == maxretries ) {
fprintf( stderr, "PID=%ld - Read(%d): entry=\"%s\".\n",
(long) pid, maxloop, entry );
}
if ( nobind == 0 ) {
rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
switch ( rc ) {
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
ldap_unbind_ext( ld, NULL, NULL );
ld = NULL;
do_retry--;
if ( delay != 0 ) {
sleep( delay );
}
goto retry;
}
/* fallthru */
default:
break;
}
exit( EXIT_FAILURE );
}
}
}
for ( ; i < maxloop; i++ ) {
LDAPMessage *res = NULL;
rc = ldap_search_ext_s( ld, entry, LDAP_SCOPE_BASE,
NULL, attrs, noattrs, NULL, NULL, NULL,
LDAP_NO_LIMIT, &res );
if ( res != NULL ) {
ldap_msgfree( res );
}
if ( rc ) {
int first = tester_ignore_err( rc );
char buf[ BUFSIZ ];
snprintf( buf, sizeof( buf ), "ldap_search_ext_s(%s)", entry );
/* if ignore.. */
if ( first ) {
/* only log if first occurrence */
if ( ( force < 2 && first > 0 ) || abs(first) == 1 ) {
tester_ldap_error( ld, buf, NULL );
}
continue;
}
/* busy needs special handling */
tester_ldap_error( ld, buf, NULL );
if ( rc == LDAP_BUSY && do_retry > 0 ) {
ldap_unbind_ext( ld, NULL, NULL );
ld = NULL;
do_retry--;
goto retry;
}
break;
}
}
if ( ldp != NULL ) {
*ldp = ld;
} else {
fprintf( stderr, " PID=%ld - Read done (%d).\n", (long) pid, rc );
if ( ld != NULL ) {
ldap_unbind_ext( ld, NULL, NULL );
}
}
}
static int l_search_do_filter(struct ldapsearch *s,
int (*callback_func)(const char *utf8_name,
const char *address,
void *callback_arg),
void *callback_arg,
const char *filter,
const char *lookup_key,
int *found)
{
char *kk;
struct timeval tv;
LDAPMessage *result;
char *attrs[3];
int rc_code=0;
int msgidp;
*found=0;
kk=make_search_key(filter, lookup_key);
if (!kk)
return -1;
if (s->handle == NULL)
{
errno=ETIMEDOUT; /* Timeout previously */
return -1;
}
attrs[0]="cn";
attrs[1]="mail";
attrs[2]=NULL;
tv.tv_sec=60*60;
tv.tv_usec=0;
if (ldap_search_ext(s->handle, s->base, LDAP_SCOPE_SUBTREE,
kk, attrs, 0, NULL, NULL, &tv, 1000000, &msgidp)
!= LDAP_SUCCESS)
return -1;
do
{
int rc;
LDAPMessage *msg;
const char *timeout=getenv("LDAP_SEARCH_TIMEOUT");
tv.tv_sec=atoi(timeout ? timeout:"30");
tv.tv_usec=0;
rc=ldap_result(s->handle, msgidp, 0, &tv, &result);
if (rc <= 0)
{
if (rc == 0)
errno=ETIMEDOUT;
ldap_unbind_ext(s->handle, NULL, NULL);
s->handle=NULL;
rc_code= -1;
break;
}
if (rc == LDAP_RES_SEARCH_RESULT)
{
ldap_msgfree(result);
break; /* End of search */
}
if (rc != LDAP_RES_SEARCH_ENTRY)
{
ldap_msgfree(result);
continue;
}
for (msg=ldap_first_message(s->handle, result); msg;
msg=ldap_next_message(s->handle, msg))
{
struct berval **n_val=
ldap_get_values_len(s->handle, msg, "cn");
struct berval **a_val=
ldap_get_values_len(s->handle, msg, "mail");
if (n_val && a_val)
{
size_t i, j;
for (i=0; n_val[i]; i++)
for (j=0; a_val[j]; j++)
{
char *p=malloc(n_val[i]->bv_len
+1);
char *q=malloc(a_val[j]->bv_len
+1);
if (!p || !q)
{
if (p) free(p);
if (q) free(q);
rc_code= -1;
break;
}
memcpy(p, n_val[i]->bv_val,
n_val[i]->bv_len);
p[n_val[i]->bv_len]=0;
memcpy(q, a_val[j]->bv_val,
a_val[j]->bv_len);
q[a_val[j]->bv_len]=0;
rc_code=(*callback_func)
(p, q, callback_arg);
free(p);
free(q);
if (rc_code)
break;
*found=1;
}
}
if (n_val)
ldap_value_free_len(n_val);
if (a_val)
ldap_value_free_len(a_val);
}
ldap_msgfree(result);
} while (rc_code == 0);
return rc_code;
}
static void
do_read( char *uri, char *manager, struct berval *passwd, char *entry,
LDAP **ldp, char **attrs, int noattrs, int nobind, int maxloop,
int maxretries, int delay, int force, int chaserefs )
{
LDAP *ld = ldp ? *ldp : NULL;
int i = 0, do_retry = maxretries;
int rc = LDAP_SUCCESS;
int version = LDAP_VERSION3;
int *msgids = NULL, active = 0;
/* make room for msgid */
if ( swamp > 1 ) {
msgids = (int *)calloc( sizeof(int), maxloop );
}
retry:;
if ( ld == NULL ) {
ldap_initialize( &ld, uri );
if ( ld == NULL ) {
tester_perror( "ldap_initialize", NULL );
exit( EXIT_FAILURE );
}
(void) ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
(void) ldap_set_option( ld, LDAP_OPT_REFERRALS,
chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );
if ( do_retry == maxretries ) {
fprintf( stderr, "PID=%ld - Read(%d): entry=\"%s\".\n",
(long) pid, maxloop, entry );
}
if ( nobind == 0 ) {
rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
switch ( rc ) {
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
ldap_unbind_ext( ld, NULL, NULL );
ld = NULL;
do_retry--;
if ( delay != 0 ) {
sleep( delay );
}
goto retry;
}
/* fallthru */
default:
break;
}
exit( EXIT_FAILURE );
}
}
}
if ( swamp > 1 ) {
do {
LDAPMessage *res = NULL;
int j, msgid;
if ( i < maxloop ) {
rc = ldap_search_ext( ld, entry, LDAP_SCOPE_BASE,
NULL, attrs, noattrs, NULL, NULL,
NULL, LDAP_NO_LIMIT, &msgids[i] );
active++;
#if 0
fprintf( stderr,
">>> PID=%ld - Read maxloop=%d cnt=%d active=%d msgid=%d: "
"entry=\"%s\"\n",
(long) pid, maxloop, i, active, msgids[i],
entry );
#endif
i++;
if ( rc ) {
char buf[BUFSIZ];
int first = tester_ignore_err( rc );
/* if ignore.. */
if ( first ) {
/* only log if first occurrence */
if ( ( force < 2 && first > 0 ) || abs(first) == 1 ) {
tester_ldap_error( ld, "ldap_search_ext", NULL );
}
continue;
}
/* busy needs special handling */
snprintf( buf, sizeof( buf ), "entry=\"%s\"\n", entry );
tester_ldap_error( ld, "ldap_search_ext", buf );
if ( rc == LDAP_BUSY && do_retry > 0 ) {
ldap_unbind_ext( ld, NULL, NULL );
ld = NULL;
do_retry--;
goto retry;
}
break;
}
if ( swamp > 2 ) {
continue;
}
}
rc = ldap_result( ld, LDAP_RES_ANY, 0, NULL, &res );
switch ( rc ) {
case -1:
/* gone really bad */
#if 0
fprintf( stderr,
">>> PID=%ld - Read maxloop=%d cnt=%d active=%d: "
"entry=\"%s\" ldap_result()=%d\n",
(long) pid, maxloop, i, active, entry, rc );
#endif
goto cleanup;
case 0:
/* timeout (impossible) */
break;
case LDAP_RES_SEARCH_ENTRY:
case LDAP_RES_SEARCH_REFERENCE:
/* ignore */
break;
case LDAP_RES_SEARCH_RESULT:
/* just remove, no error checking (TODO?) */
msgid = ldap_msgid( res );
ldap_parse_result( ld, res, &rc, NULL, NULL, NULL, NULL, 1 );
res = NULL;
/* linear search, bah */
for ( j = 0; j < i; j++ ) {
if ( msgids[ j ] == msgid ) {
msgids[ j ] = -1;
active--;
#if 0
fprintf( stderr,
"<<< PID=%ld - ReadDone maxloop=%d cnt=%d active=%d msgid=%d: "
"entry=\"%s\"\n",
(long) pid, maxloop, j, active, msgid, entry );
#endif
break;
}
}
break;
default:
/* other messages unexpected */
fprintf( stderr,
"### PID=%ld - Read(%d): "
"entry=\"%s\" attrs=%s%s. unexpected response tag=%d\n",
(long) pid, maxloop,
entry, attrs[0], attrs[1] ? " (more...)" : "", rc );
break;
}
if ( res != NULL ) {
ldap_msgfree( res );
}
} while ( i < maxloop || active > 0 );
} else {
for ( ; i < maxloop; i++ ) {
LDAPMessage *res = NULL;
if (swamp) {
int msgid;
rc = ldap_search_ext( ld, entry, LDAP_SCOPE_BASE,
NULL, attrs, noattrs, NULL, NULL,
NULL, LDAP_NO_LIMIT, &msgid );
if ( rc == LDAP_SUCCESS ) continue;
else break;
}
rc = ldap_search_ext_s( ld, entry, LDAP_SCOPE_BASE,
NULL, attrs, noattrs, NULL, NULL, NULL,
LDAP_NO_LIMIT, &res );
if ( res != NULL ) {
ldap_msgfree( res );
}
if ( rc ) {
int first = tester_ignore_err( rc );
char buf[ BUFSIZ ];
snprintf( buf, sizeof( buf ), "ldap_search_ext_s(%s)", entry );
/* if ignore.. */
if ( first ) {
/* only log if first occurrence */
if ( ( force < 2 && first > 0 ) || abs(first) == 1 ) {
tester_ldap_error( ld, buf, NULL );
}
continue;
}
/* busy needs special handling */
tester_ldap_error( ld, buf, NULL );
if ( rc == LDAP_BUSY && do_retry > 0 ) {
ldap_unbind_ext( ld, NULL, NULL );
ld = NULL;
do_retry--;
goto retry;
}
break;
}
}
}
cleanup:;
if ( msgids != NULL ) {
free( msgids );
}
if ( ldp != NULL ) {
*ldp = ld;
} else {
fprintf( stderr, " PID=%ld - Read done (%d).\n", (long) pid, rc );
if ( ld != NULL ) {
ldap_unbind_ext( ld, NULL, NULL );
}
}
}
static int
do_bind( char *uri, char *dn, struct berval *pass, int maxloop,
int force, int chaserefs, int noinit, LDAP **ldp,
int action_type, void *action )
{
LDAP *ld = ldp ? *ldp : NULL;
int i, rc = -1;
/* for internal search */
int timelimit = 0;
int sizelimit = 0;
switch ( action_type ) {
case -1:
break;
case TESTER_SEARCH:
{
LDAPURLDesc *ludp = (LDAPURLDesc *)action;
assert( action != NULL );
if ( ludp->lud_exts != NULL ) {
for ( i = 0; ludp->lud_exts[ i ] != NULL; i++ ) {
char *ext = ludp->lud_exts[ i ];
int crit = 0;
if (ext[0] == '!') {
crit++;
ext++;
}
if ( strncasecmp( ext, "x-timelimit=", STRLENOF( "x-timelimit=" ) ) == 0 ) {
if ( lutil_atoi( &timelimit, &ext[ STRLENOF( "x-timelimit=" ) ] ) && crit ) {
tester_error( "unable to parse critical extension x-timelimit" );
}
} else if ( strncasecmp( ext, "x-sizelimit=", STRLENOF( "x-sizelimit=" ) ) == 0 ) {
if ( lutil_atoi( &sizelimit, &ext[ STRLENOF( "x-sizelimit=" ) ] ) && crit ) {
tester_error( "unable to parse critical extension x-sizelimit" );
}
} else if ( crit ) {
tester_error( "unknown critical extension" );
}
}
}
} break;
default:
/* nothing to do yet */
break;
}
if ( maxloop > 1 ) {
fprintf( stderr, "PID=%ld - Bind(%d): dn=\"%s\".\n",
(long) pid, maxloop, dn );
}
for ( i = 0; i < maxloop; i++ ) {
if ( !noinit || ld == NULL ) {
int version = LDAP_VERSION3;
ldap_initialize( &ld, uri );
if ( ld == NULL ) {
tester_perror( "ldap_initialize", NULL );
rc = -1;
break;
}
(void) ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION,
&version );
(void) ldap_set_option( ld, LDAP_OPT_REFERRALS,
chaserefs ? LDAP_OPT_ON: LDAP_OPT_OFF );
}
rc = ldap_sasl_bind_s( ld, dn, LDAP_SASL_SIMPLE, pass, NULL, NULL, NULL );
if ( rc ) {
int first = tester_ignore_err( rc );
/* if ignore.. */
if ( first ) {
/* only log if first occurrence */
if ( ( force < 2 && first > 0 ) || abs(first) == 1 ) {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
}
rc = LDAP_SUCCESS;
} else {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
}
}
switch ( action_type ) {
case -1:
break;
case TESTER_SEARCH:
{
LDAPURLDesc *ludp = (LDAPURLDesc *)action;
LDAPMessage *res = NULL;
struct timeval tv = { 0 }, *tvp = NULL;
if ( timelimit ) {
tv.tv_sec = timelimit;
tvp = &tv;
}
assert( action != NULL );
rc = ldap_search_ext_s( ld,
ludp->lud_dn, ludp->lud_scope,
ludp->lud_filter, ludp->lud_attrs, 0,
NULL, NULL, tvp, sizelimit, &res );
ldap_msgfree( res );
} break;
default:
/* nothing to do yet */
break;
}
if ( !noinit ) {
ldap_unbind_ext( ld, NULL, NULL );
ld = NULL;
}
if ( rc != LDAP_SUCCESS ) {
break;
}
}
if ( maxloop > 1 ) {
fprintf( stderr, " PID=%ld - Bind done (%d).\n", (long) pid, rc );
}
if ( ldp && noinit ) {
*ldp = ld;
} else if ( ld != NULL ) {
ldap_unbind_ext( ld, NULL, NULL );
}
return rc;
}
int
ldap_init_fd(
ber_socket_t fd,
int proto,
LDAP_CONST char *url,
LDAP **ldp
)
{
int rc;
LDAP *ld;
LDAPConn *conn;
*ldp = NULL;
rc = ldap_create( &ld );
if( rc != LDAP_SUCCESS )
return( rc );
if (url != NULL) {
rc = ldap_set_option(ld, LDAP_OPT_URI, url);
if ( rc != LDAP_SUCCESS ) {
ldap_ld_free(ld, 1, NULL, NULL);
return rc;
}
}
LDAP_MUTEX_LOCK( &ld->ld_conn_mutex );
/* Attach the passed socket as the LDAP's connection */
conn = ldap_new_connection( ld, NULL, 1, 0, NULL, 0, 0 );
if( conn == NULL ) {
ldap_unbind_ext( ld, NULL, NULL );
return( LDAP_NO_MEMORY );
}
if( url )
conn->lconn_server = ldap_url_dup( ld->ld_options.ldo_defludp );
ber_sockbuf_ctrl( conn->lconn_sb, LBER_SB_OPT_SET_FD, &fd );
ld->ld_defconn = conn;
++ld->ld_defconn->lconn_refcnt; /* so it never gets closed/freed */
LDAP_MUTEX_UNLOCK( &ld->ld_conn_mutex );
switch( proto ) {
case LDAP_PROTO_TCP:
#ifdef LDAP_DEBUG
ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_debug,
LBER_SBIOD_LEVEL_PROVIDER, (void *)"tcp_" );
#endif
ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_tcp,
LBER_SBIOD_LEVEL_PROVIDER, NULL );
break;
#ifdef LDAP_CONNECTIONLESS
case LDAP_PROTO_UDP:
#ifdef LDAP_DEBUG
ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_debug,
LBER_SBIOD_LEVEL_PROVIDER, (void *)"udp_" );
#endif
ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_udp,
LBER_SBIOD_LEVEL_PROVIDER, NULL );
ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_readahead,
LBER_SBIOD_LEVEL_PROVIDER, NULL );
break;
#endif /* LDAP_CONNECTIONLESS */
case LDAP_PROTO_IPC:
#ifdef LDAP_DEBUG
ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_debug,
LBER_SBIOD_LEVEL_PROVIDER, (void *)"ipc_" );
#endif
ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_fd,
LBER_SBIOD_LEVEL_PROVIDER, NULL );
break;
case LDAP_PROTO_EXT:
/* caller must supply sockbuf handlers */
break;
default:
ldap_unbind_ext( ld, NULL, NULL );
return LDAP_PARAM_ERROR;
}
#ifdef LDAP_DEBUG
ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_debug,
INT_MAX, (void *)"ldap_" );
#endif
/* Add the connection to the *LDAP's select pool */
ldap_mark_select_read( ld, conn->lconn_sb );
*ldp = ld;
return LDAP_SUCCESS;
}
static int
do_base( char *uri, char *dn, struct berval *pass, char *base, char *filter, char *pwattr,
int maxloop, int force, int chaserefs, int noinit, int delay,
int action_type, void *action )
{
LDAP *ld = NULL;
int i = 0;
int rc = LDAP_SUCCESS;
ber_int_t msgid;
LDAPMessage *res, *msg;
char **dns = NULL;
struct berval *creds = NULL;
char *attrs[] = { LDAP_NO_ATTRS, NULL };
int ndns = 0;
#ifdef _WIN32
DWORD beg, end;
#else
struct timeval beg, end;
#endif
int version = LDAP_VERSION3;
char *nullstr = "";
ldap_initialize( &ld, uri );
if ( ld == NULL ) {
tester_perror( "ldap_initialize", NULL );
exit( EXIT_FAILURE );
}
(void) ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
(void) ldap_set_option( ld, LDAP_OPT_REFERRALS,
chaserefs ? LDAP_OPT_ON: LDAP_OPT_OFF );
rc = ldap_sasl_bind_s( ld, dn, LDAP_SASL_SIMPLE, pass, NULL, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
exit( EXIT_FAILURE );
}
fprintf( stderr, "PID=%ld - Bind(%d): base=\"%s\", filter=\"%s\" attr=\"%s\".\n",
(long) pid, maxloop, base, filter, pwattr );
if ( pwattr != NULL ) {
attrs[ 0 ] = pwattr;
}
rc = ldap_search_ext( ld, base, LDAP_SCOPE_SUBTREE,
filter, attrs, 0, NULL, NULL, 0, 0, &msgid );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_search_ext", NULL );
exit( EXIT_FAILURE );
}
while ( ( rc = ldap_result( ld, LDAP_RES_ANY, LDAP_MSG_ONE, NULL, &res ) ) > 0 )
{
BerElement *ber;
struct berval bv;
int done = 0;
for ( msg = ldap_first_message( ld, res ); msg;
msg = ldap_next_message( ld, msg ) )
{
switch ( ldap_msgtype( msg ) ) {
case LDAP_RES_SEARCH_ENTRY:
rc = ldap_get_dn_ber( ld, msg, &ber, &bv );
dns = realloc( dns, (ndns + 1)*sizeof(char *) );
dns[ndns] = ber_strdup( bv.bv_val );
if ( pwattr != NULL ) {
struct berval **values = ldap_get_values_len( ld, msg, pwattr );
creds = realloc( creds, (ndns + 1)*sizeof(struct berval) );
if ( values == NULL ) {
novals:;
creds[ndns].bv_len = 0;
creds[ndns].bv_val = nullstr;
} else {
static struct berval cleartext = BER_BVC( "{CLEARTEXT} " );
struct berval value = *values[ 0 ];
if ( value.bv_val[ 0 ] == '{' ) {
char *end = ber_bvchr( &value, '}' );
if ( end ) {
if ( ber_bvcmp( &value, &cleartext ) == 0 ) {
value.bv_val += cleartext.bv_len;
value.bv_len -= cleartext.bv_len;
} else {
ldap_value_free_len( values );
goto novals;
}
}
}
ber_dupbv( &creds[ndns], &value );
ldap_value_free_len( values );
}
}
ndns++;
ber_free( ber, 0 );
break;
case LDAP_RES_SEARCH_RESULT:
done = 1;
break;
}
if ( done )
break;
}
ldap_msgfree( res );
if ( done ) break;
}
#ifdef _WIN32
beg = GetTickCount();
#else
gettimeofday( &beg, NULL );
#endif
if ( ndns == 0 ) {
tester_error( "No DNs" );
return 1;
}
fprintf( stderr, " PID=%ld - Bind base=\"%s\" filter=\"%s\" got %d values.\n",
(long) pid, base, filter, ndns );
/* Ok, got list of DNs, now start binding to each */
for ( i = 0; i < maxloop; i++ ) {
int j;
struct berval cred = { 0, NULL };
#if 0 /* use high-order bits for better randomness (Numerical Recipes in "C") */
j = rand() % ndns;
#endif
j = ((double)ndns)*rand()/(RAND_MAX + 1.0);
if ( creds && !BER_BVISEMPTY( &creds[j] ) ) {
cred = creds[j];
}
if ( do_bind( uri, dns[j], &cred, 1, force, chaserefs, noinit, &ld,
action_type, action ) && !force )
{
break;
}
if ( delay ) {
sleep( delay );
}
}
if ( ld != NULL ) {
ldap_unbind_ext( ld, NULL, NULL );
ld = NULL;
}
#ifdef _WIN32
end = GetTickCount();
end -= beg;
fprintf( stderr, " PID=%ld - Bind done %d in %d.%03d seconds.\n",
(long) pid, i, end / 1000, end % 1000 );
#else
gettimeofday( &end, NULL );
end.tv_usec -= beg.tv_usec;
if (end.tv_usec < 0 ) {
end.tv_usec += 1000000;
end.tv_sec -= 1;
}
end.tv_sec -= beg.tv_sec;
fprintf( stderr, " PID=%ld - Bind done %d in %ld.%06ld seconds.\n",
(long) pid, i, (long) end.tv_sec, (long) end.tv_usec );
#endif
if ( dns ) {
for ( i = 0; i < ndns; i++ ) {
ber_memfree( dns[i] );
}
free( dns );
}
if ( creds ) {
for ( i = 0; i < ndns; i++ ) {
if ( creds[i].bv_val != nullstr ) {
ber_memfree( creds[i].bv_val );
}
}
free( creds );
}
return 0;
}
gpointer
worker_gda_ldap_rebind (LdapConnectionData *cdata, GError **error)
{
if (!cdata)
return NULL;
/*g_print ("Trying to reconnect...\n");*/
LDAP *ld;
int res;
res = ldap_initialize (&ld, cdata->url);
if (res != LDAP_SUCCESS) {
g_set_error (error, GDA_CONNECTION_ERROR, GDA_CONNECTION_OPEN_ERROR,
"%s", ldap_err2string (res));
return NULL;
}
/* set protocol version to 3 by default */
int version = LDAP_VERSION3;
res = ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (res != LDAP_SUCCESS) {
if (res == LDAP_PROTOCOL_ERROR) {
version = LDAP_VERSION2;
res = ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version);
}
if (res != LDAP_SUCCESS) {
g_set_error (error, GDA_CONNECTION_ERROR, GDA_CONNECTION_OPEN_ERROR,
"%s", ldap_err2string (res));
ldap_unbind_ext (ld, NULL, NULL);
return NULL;
}
}
/* authentication */
struct berval cred;
const gchar *pwd = "";
const gchar *user = "";
if (cdata->auth)
pwd = gda_quark_list_find (cdata->auth, "PASSWORD");
memset (&cred, 0, sizeof (cred));
cred.bv_len = pwd && *pwd ? strlen (pwd) : 0;
cred.bv_val = pwd && *pwd ? (char *) pwd : NULL;
if (cdata->auth)
user = gda_quark_list_find (cdata->auth, "USERNAME");
res = ldap_sasl_bind_s (ld, user, NULL, &cred, NULL, NULL, NULL);
if (cdata->auth)
gda_quark_list_protect_values (cdata->auth);
if (res != LDAP_SUCCESS) {
g_set_error (error, GDA_CONNECTION_ERROR, GDA_CONNECTION_OPEN_ERROR,
"%s", ldap_err2string (res));
ldap_unbind_ext (ld, NULL, NULL);
return NULL;
}
/* time limit */
int limit = cdata->time_limit;
res = ldap_set_option (cdata->handle, LDAP_OPT_TIMELIMIT, &limit);
if (res != LDAP_SUCCESS) {
g_set_error (error, GDA_CONNECTION_ERROR, GDA_CONNECTION_OPEN_ERROR,
"%s", ldap_err2string (res));
ldap_unbind_ext (ld, NULL, NULL);
return NULL;
}
/* size limit */
limit = cdata->size_limit;
res = ldap_set_option (cdata->handle, LDAP_OPT_SIZELIMIT, &limit);
if (res != LDAP_SUCCESS) {
g_set_error (error, GDA_CONNECTION_ERROR, GDA_CONNECTION_OPEN_ERROR,
"%s", ldap_err2string (res));
ldap_unbind_ext (ld, NULL, NULL);
return NULL;
}
/* all ok */
if (cdata->handle) {
/* don't call ldap_unbind_ext() as it often crashed the application */
/*ldap_unbind_ext (cdata->handle, NULL, NULL);*/
}
cdata->handle = ld;
/*g_print ("Reconnected!\n");*/
return (gpointer) 0x01;
}
void Ldaplogin::ldapUnbind()
{
// ueberpruefen ob user gebannt ist
ldap_unbind_ext(ld, NULL, NULL);
std::cout << "aus" << std::endl;
}
/* Open LDAP and Notifier connection.
* @return 0 on success, 1 on error.
*/
static int do_connection(univention_ldap_parameters_t *lp)
{
LDAPMessage *res;
int rc;
struct timeval timeout = {
.tv_sec = 10,
.tv_usec = 0,
};
if (univention_ldap_open(lp) != LDAP_SUCCESS)
goto fail;
if (notifier_client_new(NULL, lp->host, 1) != 0)
goto fail;
/* check if we are connected to an OpenLDAP */
rc = ldap_search_ext_s(lp->ld, lp->base, LDAP_SCOPE_BASE, "objectClass=univentionBase",
NULL, 0, NULL, NULL, &timeout, 0, &res);
ldap_msgfree(res);
switch (rc) {
case LDAP_SUCCESS:
return 0;
case LDAP_NO_SUCH_OBJECT:
univention_debug(UV_DEBUG_LISTENER, UV_DEBUG_ERROR,
"Failed to find \"(objectClass=univentionBase)\" on LDAP server %s:%d", lp->host, lp->port);
break;
default:
univention_debug(UV_DEBUG_LISTENER, UV_DEBUG_ERROR,
"Failed to search for \"(objectClass=univentionBase)\" on LDAP server %s:%d with message %s", lp->host, lp->port, ldap_err2string(rc));
break;
}
fail:
notifier_client_destroy(NULL);
if (lp->ld)
ldap_unbind_ext(lp->ld, NULL, NULL);
lp->ld = NULL;
return 1;
}
int main(int argc, char* argv[])
{
univention_ldap_parameters_t *lp;
univention_ldap_parameters_t *lp_local;
char *server_role;
#ifdef WITH_KRB5
univention_krb5_parameters_t *kp = NULL;
bool do_kinit = false;
#else
void *kp = NULL ;
#endif
int debugging = 0;
bool from_scratch = false;
bool foreground = false;
bool initialize_only = false;
bool write_transaction_file = false;
int rv;
NotifierID id = -1;
#ifndef WITH_DB42
NotifierID old_id = -1;
#else
CacheMasterEntry master_entry;
#endif
struct stat stbuf;
char *f = NULL;
univention_debug_init("stderr", 1, 1);
if ((lp = univention_ldap_new()) == NULL)
exit(1);
lp->authmethod = LDAP_AUTH_SASL;
if ((lp_local = univention_ldap_new()) == NULL)
exit(1);
#if WITH_KRB5
if ((kp=univention_krb5_new()) == NULL)
exit(1);
#endif
/* parse arguments */
for (;;) {
int c;
c = getopt(argc, argv, "d:FH:h:p:b:D:w:y:xZY:U:R:Km:Bc:giol:");
if (c < 0)
break;
switch (c) {
case 'd':
debugging=atoi(optarg);
break;
case 'F':
foreground = true;
break;
case 'H':
lp->uri=strdup(optarg);
break;
case 'h':
lp->host=strdup(optarg);
break;
case 'p':
lp->port=atoi(optarg);
break;
case 'b':
lp->base=strdup(optarg);
break;
case 'm':
if ((module_dirs = realloc(module_dirs, (module_dir_count+2)*sizeof(char*))) == NULL) {
return 1;
}
module_dirs[module_dir_count] = strdup(optarg);
module_dirs[module_dir_count+1] = NULL;
module_dir_count++;
break;
case 'c':
cache_dir=strdup(optarg);
break;
case 'l':
ldap_dir = strdup(optarg);
if (asprintf(&transaction_file, "%s/listener/listener", ldap_dir) < 0) abort();
break;
case 'D':
lp->binddn=strdup(optarg);
break;
case 'w':
lp->bindpw=strdup(optarg);
#ifdef WITH_KRB5
kp->password=strdup(optarg);
#endif
/* remove password from process list */
memset(optarg, 'X', strlen(optarg));
break;
case 'Z':
lp->start_tls++;
break;
case 'x':
lp->authmethod = LDAP_AUTH_SIMPLE;
break;
case 'y':
lp->bindpw=read_pwd_from_file(optarg);
#ifdef WITH_KRB5
kp->password=strdup(lp->bindpw);
#endif
break;
case 'Y':
lp->sasl_mech=strdup(optarg);
break;
case 'U':
asprintf(&lp->sasl_authzid, "u:%s", optarg);
/* kp->username=strdup(optarg); */
case 'R':
lp->sasl_realm=strdup(optarg);
#ifdef WITH_KRB5
kp->realm=strdup(optarg);
#endif
break;
#ifdef WITH_KRB5
case 'K':
do_kinit = true;
break;
#endif
case 'g':
from_scratch = true;
break;
case 'i':
initialize_only = true;
from_scratch = true;
foreground = true;
break;
case 'o':
write_transaction_file = true;
break;
case 'B':
backup_notifier = 1;
break;
default:
usage();
exit(1);
}
}
if (asprintf(&f, "%s/bad_cache", cache_dir) < 0) abort();
if (stat(f, &stbuf) == 0) {
exit(3);
}
free(f);
univention_debug_set_level(UV_DEBUG_LISTENER, debugging);
univention_debug_set_level(UV_DEBUG_LDAP, debugging);
univention_debug_set_level(UV_DEBUG_KERBEROS, debugging);
snprintf(pidfile, PATH_MAX, "%s/pid", cache_dir);
signals_init();
if (!foreground && daemonize() != 0)
exit(EXIT_FAILURE);
drop_privileges();
if (from_scratch)
purge_cache(cache_dir);
prepare_cache(cache_dir);
/* choose server to connect to */
if (lp->host == NULL && lp->uri == NULL) {
select_server(lp);
univention_debug(UV_DEBUG_LISTENER, UV_DEBUG_INFO,
"no server given, choosing one by myself (%s)",
lp->host);
}
#ifdef WITH_KRB5
if (!do_kinit)
kp = NULL;
if (kp != NULL && univention_krb5_init(kp) != 0) {
univention_debug(UV_DEBUG_KERBEROS, UV_DEBUG_ERROR, "kinit failed");
exit(1);
}
#endif
while (do_connection(lp) != 0) {
univention_debug(UV_DEBUG_LISTENER, UV_DEBUG_WARN, "can not connect to ldap server %s:%d", lp->host, lp->port);
if (suspend_connect()) {
if (initialize_only) {
univention_debug(UV_DEBUG_LISTENER, UV_DEBUG_ERROR,
"can not connect to any ldap server, exit");
exit(1);
}
univention_debug(UV_DEBUG_LISTENER, UV_DEBUG_WARN,
"can not connect to any ldap server, retrying in 30 seconds");
sleep(30);
}
select_server(lp);
univention_debug(UV_DEBUG_LISTENER, UV_DEBUG_WARN, "chosen server: %s:%d", lp->host, lp->port);
}
univention_debug(UV_DEBUG_LISTENER, UV_DEBUG_INFO, "connection okay to host %s:%d", lp->host, lp->port);
/* connect to local LDAP server */
server_role = univention_config_get_string("server/role");
if ( server_role != NULL ) {
if (!strcmp(server_role, "domaincontroller_backup") || !strcmp(server_role, "domaincontroller_slave")) { // if not master
lp_local->host = strdup("localhost"); // or fqdn e.g. from univention_config_get_string("ldap/server/name");
lp_local->base = strdup(lp->base);
lp_local->binddn = strdup(lp->binddn);
lp_local->bindpw = strdup(lp->bindpw);
}
free(server_role);
}
/* XXX: we shouldn't block all signals for so long */
signals_block();
cache_init();
handlers_init();
/* pass data to handlers */
if (lp->base != NULL)
handlers_set_data_all("basedn", lp->base);
if (lp->binddn != NULL)
handlers_set_data_all("binddn", lp->binddn);
if (lp->bindpw != NULL)
handlers_set_data_all("bindpw", lp->bindpw);
if (lp->host != NULL)
handlers_set_data_all("ldapserver", lp->host);
convert_cookie();
if (notifier_get_id_s(NULL, &id) != 0) {
univention_debug(UV_DEBUG_LISTENER, UV_DEBUG_ERROR, "failed to receive current ID");
return 1;
}
if (initialize_only) {
INIT_ONLY=1;
}
/* update schema */
if ((rv=change_update_schema(lp)) != LDAP_SUCCESS)
return rv;
/* do initial import of entries */
if ((rv=change_new_modules(lp)) != LDAP_SUCCESS) {
univention_debug(UV_DEBUG_LISTENER, UV_DEBUG_ERROR, "change_new_modules: %s", ldap_err2string(rv));
return rv;
}
signals_unblock();
/* if no ID is set, assume the database has just been initialized */
#ifdef WITH_DB42
if ((rv=cache_get_master_entry(&master_entry)) == DB_NOTFOUND) {
master_entry.id = id;
if ((rv=cache_update_master_entry(&master_entry, NULL)) != 0)
exit(1);
} else if (rv != 0)
exit(1);
#else
cache_get_int("notifier_id", &old_id, -1);
if ((long)old_id == -1) {
cache_set_int("notifier_id", id);
}
#endif
if (!initialize_only) {
rv = notifier_listen(lp, kp, write_transaction_file, lp_local);
}
if (rv != 0)
univention_debug(UV_DEBUG_LISTENER, UV_DEBUG_ERROR, "listener: %d", rv);
univention_ldap_close(lp);
univention_ldap_close(lp_local);
exit_handler(0);
}
DWORD
VmAfdLDAPConnect(
PSTR pszHostName,
DWORD dwPort,
PCSTR pszUpn,
PCSTR pszPassword,
LDAP** ppLotus
)
{
DWORD dwError = 0;
LDAP* pDirectory = NULL;
PSTR pszLdapURI = NULL;
if (dwPort == 0)
{
dwPort = LDAP_PORT;
}
if (VmAfdIsIPV6AddrFormat(pszHostName))
{
dwError = VmAfdAllocateStringPrintf(
&pszLdapURI,
"ldap://[%s]:%d",
pszHostName,
dwPort);
}
else
{
dwError = VmAfdAllocateStringPrintf(
&pszLdapURI,
"ldap://%s:%d",
pszHostName,
dwPort);
}
BAIL_ON_VMAFD_ERROR(dwError);
dwError = VmDirSafeLDAPBind(
&pDirectory,
pszHostName,
pszUpn,
pszPassword);
BAIL_ON_VMAFD_ERROR(dwError);
*ppLotus = pDirectory;
cleanup:
VMAFD_SAFE_FREE_MEMORY(pszLdapURI);
return dwError;
error:
*ppLotus = NULL;
if (pDirectory != NULL)
{
ldap_unbind_ext(pDirectory, NULL, NULL);
}
goto cleanup;
}
