/** Perform LDAP-Group comparison checking
 *
 * Attempts to match users to groups using a variety of methods, in order:
 * a cached membership check (when the instance allows caching for the form
 * of the group value), then a dynamic groupobj search, then a dynamic
 * userobj attribute search.  The first method that gives a definite
 * answer (or fails) ends the comparison.
 *
 * @param instance of the rlm_ldap module (ldap_instance_t).
 * @param request Current request.
 * @param thing Unused.
 * @param check Which group to check for user membership.  If the value is
 *	a DN it is normalised in place (the pair's value is replaced).
 * @param check_pairs Unused.
 * @param reply_pairs Unused.
 * @return 1 on failure (or if the user is not a member), else 0.
 */
static int rlm_ldap_groupcmp(void *instance, REQUEST *request, UNUSED VALUE_PAIR *thing, VALUE_PAIR *check,
			     UNUSED VALUE_PAIR *check_pairs, UNUSED VALUE_PAIR **reply_pairs)
{
	ldap_instance_t	*inst = instance;
	rlm_rcode_t	rcode;		/* written by rlm_ldap_find_user, not consulted here */

	bool		found = false;
	bool		check_is_dn;

	ldap_handle_t	*conn = NULL;	/* stays NULL if we finish before acquiring a connection */
	char const	*user_dn;

	/*
	 *	NOTE(review): asserted rather than checked at runtime, so the
	 *	group base DN is presumably guaranteed by instantiation — confirm.
	 */
	rad_assert(inst->groupobj_base_dn);

	RDEBUG("Searching for user in group \"%s\"", check->vp_strvalue);

	if (check->vp_length == 0) {
		REDEBUG("Cannot do comparison (group name is empty)");
		return 1;
	}

	/*
	 *	Check if we can do cached membership verification.
	 *
	 *	A DN is first normalised through a talloc'd copy which is
	 *	then stolen into the pair, presumably so the cache lookup
	 *	and the helpers below see a canonical form.
	 */
	check_is_dn = rlm_ldap_is_dn(check->vp_strvalue, check->vp_length);
	if (check_is_dn) {
		char *norm;

		MEM(norm = talloc_memdup(check, check->vp_strvalue, talloc_array_length(check->vp_strvalue)));
		rlm_ldap_normalise_dn(norm, check->vp_strvalue);
		pairstrsteal(check, norm);
	}
	if ((check_is_dn && inst->cacheable_group_dn) || (!check_is_dn && inst->cacheable_group_name)) {
		switch (rlm_ldap_check_cached(inst, request, check)) {
		case RLM_MODULE_NOTFOUND:
			found = false;
			goto finish;	/* conn is still NULL here */

		case RLM_MODULE_OK:
			found = true;
			goto finish;	/* conn is still NULL here */
		/*
		 *	Fallback to dynamic search on failure
		 */
		case RLM_MODULE_FAIL:
		case RLM_MODULE_INVALID:
		default:
			break;
		}
	}

	conn = mod_conn_get(inst, request);
	if (!conn) return 1;

	/*
	 *	This is used in the default membership filter.
	 *
	 *	conn is passed by address; the helper may presumably replace
	 *	it, which is why conn is re-asserted after each call.
	 */
	user_dn = rlm_ldap_find_user(inst, request, &conn, NULL, false, NULL, &rcode);
	if (!user_dn) {
		mod_conn_release(inst, conn);
		return 1;
	}

	rad_assert(conn);

	/*
	 *	Check groupobj user membership
	 */
	if (inst->groupobj_membership_filter) {
		switch (rlm_ldap_check_groupobj_dynamic(inst, request, &conn, check)) {
		case RLM_MODULE_NOTFOUND:
			break;

		case RLM_MODULE_OK:
			found = true;
			/* FALL-THROUGH */
		default:
			goto finish;	/* anything other than NOTFOUND ends the comparison */
		}
	}

	rad_assert(conn);

	/*
	 *	Check userobj group membership
	 */
	if (inst->userobj_membership_attr) {
		switch (rlm_ldap_check_userobj_dynamic(inst, request, &conn, user_dn, check)) {
		case RLM_MODULE_NOTFOUND:
			break;

		case RLM_MODULE_OK:
			found = true;
			/* FALL-THROUGH */
		default:
			goto finish;	/* anything other than NOTFOUND ends the comparison */
		}
	}

	rad_assert(conn);

finish:
	/* conn is NULL when we arrived here from the cached check */
	if (conn) mod_conn_release(inst, conn);

	if (!found) {
		RDEBUG("User is not a member of \"%s\"", check->vp_strvalue);

		return 1;
	}

	return 0;
}
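/** Perform LDAP-Group comparison checking
 *
 * Attempts to match users to groups using a variety of methods, in order:
 * a cached membership check (when the instance allows caching for the form
 * of the group value), then a dynamic groupobj search, then a dynamic
 * userobj attribute search.  The first method that gives a definite
 * answer (or fails) ends the comparison.
 *
 * @param instance of the rlm_ldap module (ldap_instance_t).
 * @param request Current request.
 * @param thing Unused.
 * @param check Which group to check for user membership.
 * @param check_pairs Unused.
 * @param reply_pairs Unused.
 * @return 1 on failure (or if the user is not a member), else 0.
 */
static int rlm_ldap_groupcmp(void *instance, REQUEST *request, UNUSED VALUE_PAIR *thing, VALUE_PAIR *check,
			     UNUSED VALUE_PAIR *check_pairs, UNUSED VALUE_PAIR **reply_pairs)
{
	ldap_instance_t	*inst = instance;
	rlm_rcode_t	rcode;		/* written by rlm_ldap_find_user, not consulted here */

	int		found = false;
	int		check_is_dn;

	ldap_handle_t	*conn = NULL;	/* stays NULL if we finish before acquiring a connection */
	char const	*user_dn;

	/*
	 *	Refuse to compare rather than search with no group base DN.
	 *	(Message fixed: the original had a stray trailing quote.)
	 */
	if (!inst->groupobj_base_dn) {
		REDEBUG("Directive 'group.base_dn' must be set");

		return 1;
	}

	RDEBUG("Searching for user in group \"%s\"", check->vp_strvalue);

	/*
	 *	An empty group name is a failed comparison, so log it at
	 *	error level like the base DN check above.
	 */
	if (check->length == 0) {
		REDEBUG("Cannot do comparison (group name is empty)");
		return 1;
	}

	/*
	 *	Check if we can do cached membership verification
	 */
	check_is_dn = rlm_ldap_is_dn(check->vp_strvalue);
	if ((check_is_dn && inst->cacheable_group_dn) || (!check_is_dn && inst->cacheable_group_name)) {
		switch(rlm_ldap_check_cached(inst, request, check)) {
			case RLM_MODULE_NOTFOUND:
				break;	/* fall back to the dynamic searches */
			case RLM_MODULE_OK:
				found = true;
				/* FALL-THROUGH */
			default:
				goto finish;	/* conn is still NULL here */
		}
	}

	conn = rlm_ldap_get_socket(inst, request);
	if (!conn) return 1;

	/*
	 *	This is used in the default membership filter.
	 *
	 *	conn is passed by address; the helper may presumably replace
	 *	it, which is why conn is re-asserted after each call.
	 */
	user_dn = rlm_ldap_find_user(inst, request, &conn, NULL, false, NULL, &rcode);
	if (!user_dn) {
		rlm_ldap_release_socket(inst, conn);
		return 1;
	}

	rad_assert(conn);

	/*
	 *	Check groupobj user membership
	 */
	if (inst->groupobj_membership_filter) {
		switch(rlm_ldap_check_groupobj_dynamic(inst, request, &conn, check)) {
			case RLM_MODULE_NOTFOUND:
				break;
			case RLM_MODULE_OK:
				found = true;
				/* FALL-THROUGH */
			default:
				goto finish;	/* anything other than NOTFOUND ends the comparison */
		}
	}

	rad_assert(conn);

	/*
	 *	Check userobj group membership
	 */
	if (inst->userobj_membership_attr) {
		switch(rlm_ldap_check_userobj_dynamic(inst, request, &conn, user_dn, check)) {
			case RLM_MODULE_NOTFOUND:
				break;
			case RLM_MODULE_OK:
				found = true;
				/* FALL-THROUGH */
			default:
				goto finish;	/* anything other than NOTFOUND ends the comparison */
		}
	}

	rad_assert(conn);

	finish:
	/* conn is NULL when we arrived here from the cached check */
	if (conn) {
		rlm_ldap_release_socket(inst, conn);
	}

	if (!found) {
		RDEBUG("User is not a member of specified group");

		return 1;
	}

	return 0;
}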