/** Query the LDAP directory to check if a user object is a member of a group
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request.
* @param[in,out] pconn to use. May change as this function calls functions which auto re-connect.
* @param[in] dn of user object.
* @param[in] check vp containing the group value (name or dn).
* @return One of the RLM_MODULE_* values.
*/
rlm_rcode_t rlm_ldap_check_userobj_dynamic(ldap_instance_t const *inst, REQUEST *request, ldap_handle_t **pconn,
char const *dn, VALUE_PAIR *check)
{
rlm_rcode_t rcode = RLM_MODULE_NOTFOUND, ret;
ldap_rcode_t status;
int name_is_dn = false, value_is_dn = false;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
char **vals = NULL;
char const *name = check->vp_strvalue;
char const *attrs[] = { inst->userobj_membership_attr, NULL };
int i, count, ldap_errno;
RDEBUG2("Checking user object membership (%s) attributes", inst->userobj_membership_attr);
status = rlm_ldap_search(inst, request, pconn, dn, LDAP_SCOPE_BASE, NULL, attrs, &result);
switch (status) {
case LDAP_PROC_SUCCESS:
break;
case LDAP_PROC_NO_RESULT:
RDEBUG("Can't check membership attributes, user object not found");
rcode = RLM_MODULE_NOTFOUND;
/* FALL-THROUGH */
default:
goto finish;
}
entry = ldap_first_entry((*pconn)->handle, result);
if (!entry) {
ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno));
rcode = RLM_MODULE_FAIL;
goto finish;
}
vals = ldap_get_values((*pconn)->handle, entry, inst->userobj_membership_attr);
if (!vals) {
RDEBUG("No group membership attribute(s) found in user object");
goto finish;
}
/*
* Loop over the list of groups the user is a member of,
* looking for a match.
*/
name_is_dn = rlm_ldap_is_dn(name);
count = ldap_count_values(vals);
for (i = 0; i < count; i++) {
value_is_dn = rlm_ldap_is_dn(vals[i]);
RDEBUG2("Processing group membership value \"%s\"", vals[i]);
/*
* Both literal group names, do case sensitive comparison
*/
if (!name_is_dn && !value_is_dn) {
if (strcmp(vals[i], name) == 0){
RDEBUG("User found. Comparison between membership: name, check: name]");
rcode = RLM_MODULE_OK;
goto finish;
}
continue;
}
/*
* Both DNs, do case insensitive comparison
*/
if (name_is_dn && value_is_dn) {
if (strcasecmp(vals[i], name) == 0){
RDEBUG("User found. Comparison between membership: dn, check: dn");
rcode = RLM_MODULE_OK;
goto finish;
}
continue;
}
/*
* If the value is not a DN, and the name we were given is a dn
* convert the value to a DN and do a comparison.
*/
if (!value_is_dn && name_is_dn) {
char *resolved;
int eq;
ret = rlm_ldap_group_dn2name(inst, request, pconn, name, &resolved);
if (ret != RLM_MODULE_OK) {
rcode = ret;
goto finish;
}
eq = strcmp(vals[i], resolved);
talloc_free(resolved);
if (eq == 0){
RDEBUG("User found. Comparison between membership: name, check: name "
"(resolved from DN)");
rcode = RLM_MODULE_OK;
goto finish;
}
continue;
}
/*
* We have a value which is a DN, and a check item which specifies the name of a group,
* convert the value to a name so we can do a comparison.
*/
if (value_is_dn && !name_is_dn) {
char *resolved;
int eq;
ret = rlm_ldap_group_dn2name(inst, request, pconn, vals[i], &resolved);
if (ret != RLM_MODULE_OK) {
rcode = ret;
goto finish;
}
eq = strcmp(resolved, name);
talloc_free(resolved);
if (eq == 0){
RDEBUG("User found. Comparison between membership: name (resolved from DN), "
"check: name");
rcode = RLM_MODULE_OK;
goto finish;
}
continue;
}
rad_assert(0);
}
finish:
if (vals) {
ldap_value_free(vals);
}
if (result) {
ldap_msgfree(result);
}
return rcode;
}
/** Convert group membership information into attributes
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request.
* @param[in,out] pconn to use. May change as this function calls functions which auto re-connect.
* @param[in] entry retrieved by rlm_ldap_find_user or rlm_ldap_search.
* @param[in] attr membership attribute to look for in the entry.
* @return One of the RLM_MODULE_* values.
*/
rlm_rcode_t rlm_ldap_cacheable_userobj(ldap_instance_t const *inst, REQUEST *request, ldap_handle_t **pconn,
LDAPMessage *entry, char const *attr)
{
rlm_rcode_t rcode = RLM_MODULE_OK;
char **vals;
char *group_name[LDAP_MAX_CACHEABLE + 1];
char **name_p = group_name;
char *group_dn[LDAP_MAX_CACHEABLE + 1];
char **dn_p;
char *name;
int is_dn, i;
rad_assert(entry);
rad_assert(attr);
/*
* Parse the membership information we got in the initial user query.
*/
vals = ldap_get_values((*pconn)->handle, entry, attr);
if (!vals) {
RDEBUG2("No cacheable group memberships found in user object");
return RLM_MODULE_OK;
}
for (i = 0; (vals[i] != NULL) && (i < LDAP_MAX_CACHEABLE); i++) {
is_dn = rlm_ldap_is_dn(vals[i]);
if (inst->cacheable_group_dn) {
/*
* The easy case, were caching DNs and we got a DN.
*/
if (is_dn) {
pairmake(request, &request->config_items, inst->cache_da->name, vals[i], T_OP_ADD);
RDEBUG("Added %s with value \"%s\" to control list", inst->cache_da->name, vals[i]);
/*
* We were told to cache DNs but we got a name, we now need to resolve
* this to a DN. Store all the group names in an array so we can do one query.
*/
} else {
*name_p++ = vals[i];
}
}
if (inst->cacheable_group_name) {
/*
* The easy case, were caching names and we got a name.
*/
if (!is_dn) {
pairmake(request, &request->config_items, inst->cache_da->name, vals[i], T_OP_ADD);
RDEBUG("Added %s with value \"%s\" to control list", inst->cache_da->name, vals[i]);
/*
* We were told to cache names but we got a DN, we now need to resolve
* this to a name.
* Only Active Directory supports filtering on DN, so we have to search
* for each individual group.
*/
} else {
rcode = rlm_ldap_group_dn2name(inst, request, pconn, vals[i], &name);
if (rcode != RLM_MODULE_OK) {
ldap_value_free(vals);
return rcode;
}
pairmake(request, &request->config_items, inst->cache_da->name, name, T_OP_ADD);
RDEBUG("Added %s with value \"%s\" to control list", inst->cache_da->name, name);
talloc_free(name);
}
}
}
*name_p = NULL;
rcode = rlm_ldap_group_name2dn(inst, request, pconn, group_name, group_dn, sizeof(group_dn));
ldap_value_free(vals);
if (rcode != RLM_MODULE_OK) {
return rcode;
}
dn_p = group_dn;
while(*dn_p) {
pairmake(request, &request->config_items, inst->cache_da->name, *dn_p, T_OP_ADD);
RDEBUG("Added %s with value \"%s\" to control list", inst->cache_da->name, *dn_p);
ldap_memfree(*dn_p);
dn_p++;
}
return rcode;
}
/** Convert group membership information into attributes
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request.
* @param[in,out] pconn to use. May change as this function calls functions which auto re-connect.
* @param[in] entry retrieved by rlm_ldap_find_user or rlm_ldap_search.
* @param[in] attr membership attribute to look for in the entry.
* @return One of the RLM_MODULE_* values.
*/
rlm_rcode_t rlm_ldap_cacheable_userobj(ldap_instance_t const *inst, REQUEST *request, ldap_handle_t **pconn,
LDAPMessage *entry, char const *attr)
{
rlm_rcode_t rcode = RLM_MODULE_OK;
struct berval **values;
size_t value_len = 0;
TALLOC_CTX *value_pool;
char *group_name[LDAP_MAX_CACHEABLE + 1];
char **name_p = group_name;
char *group_dn[LDAP_MAX_CACHEABLE + 1];
char **dn_p;
char *name;
VALUE_PAIR *vp, **vps;
TALLOC_CTX *ctx;
vp_cursor_t cursor;
int is_dn, i, count;
rad_assert(entry);
rad_assert(attr);
/*
* Parse the membership information we got in the initial user query.
*/
values = ldap_get_values_len((*pconn)->handle, entry, attr);
if (!values) {
RDEBUG2("No cacheable group memberships found in user object");
return RLM_MODULE_OK;
}
count = ldap_count_values_len(values);
vps = radius_list(request, PAIR_LIST_CONTROL);
ctx = radius_list_ctx(request, PAIR_LIST_CONTROL);
fr_cursor_init(&cursor, vps);
/*
* Avoid allocing buffers for each value.
*
* The old code used ldap_get_values, which was likely doing
* a very similar thing internally to produce \0 terminated
* buffers from bervalues.
*/
for (i = 0; (i < LDAP_MAX_CACHEABLE) && (i < count); i++) value_len += values[i]->bv_len + 1;
value_pool = talloc_pool(request, value_len);
for (i = 0; (i < LDAP_MAX_CACHEABLE) && (i < count); i++) {
is_dn = rlm_ldap_is_dn(values[i]->bv_val, values[i]->bv_len);
if (inst->cacheable_group_dn) {
/*
* The easy case, we're caching DNs and we got a DN.
*/
if (is_dn) {
MEM(vp = pairalloc(ctx, inst->cache_da));
pairstrncpy(vp, values[i]->bv_val, values[i]->bv_len);
fr_cursor_insert(&cursor, vp);
RDEBUG("Added %s with value \"%s\" to control list", inst->cache_da->name,
vp->vp_strvalue);
/*
* We were told to cache DNs but we got a name, we now need to resolve
* this to a DN. Store all the group names in an array so we can do one query.
*/
} else {
*name_p++ = rlm_ldap_berval_to_string(value_pool, values[i]);
}
}
if (inst->cacheable_group_name) {
/*
* The easy case, we're caching names and we got a name.
*/
if (!is_dn) {
MEM(vp = pairalloc(ctx, inst->cache_da));
pairstrncpy(vp, values[i]->bv_val, values[i]->bv_len);
fr_cursor_insert(&cursor, vp);
RDEBUG("Added control:%s with value \"%s\"", inst->cache_da->name,
vp->vp_strvalue);
/*
* We were told to cache names but we got a DN, we now need to resolve
* this to a name.
* Only Active Directory supports filtering on DN, so we have to search
* for each individual group.
*/
} else {
char *dn;
dn = rlm_ldap_berval_to_string(value_pool, values[i]);
rcode = rlm_ldap_group_dn2name(inst, request, pconn, dn, &name);
talloc_free(dn);
if (rcode != RLM_MODULE_OK) {
ldap_value_free_len(values);
talloc_free(value_pool);
return rcode;
}
MEM(vp = pairalloc(ctx, inst->cache_da));
pairstrncpy(vp, name, talloc_array_length(name) - 1);
fr_cursor_insert(&cursor, vp);
RDEBUG("Added control:%s with value \"%s\"", inst->cache_da->name, name);
talloc_free(name);
}
}
}
*name_p = NULL;
rcode = rlm_ldap_group_name2dn(inst, request, pconn, group_name, group_dn, sizeof(group_dn));
ldap_value_free_len(values);
talloc_free(value_pool);
if (rcode != RLM_MODULE_OK) return rcode;
dn_p = group_dn;
while (*dn_p) {
MEM(vp = pairalloc(ctx, inst->cache_da));
pairstrcpy(vp, *dn_p);
fr_cursor_insert(&cursor, vp);
RDEBUG("Added control:%s with value \"%s\"", inst->cache_da->name, *dn_p);
ldap_memfree(*dn_p);
dn_p++;
}
return rcode;
}
/** Query the LDAP directory to check if a user object is a member of a group
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request.
* @param[in,out] pconn to use. May change as this function calls functions which auto re-connect.
* @param[in] dn of user object.
* @param[in] check vp containing the group value (name or dn).
* @return One of the RLM_MODULE_* values.
*/
rlm_rcode_t rlm_ldap_check_userobj_dynamic(ldap_instance_t const *inst, REQUEST *request, ldap_handle_t **pconn,
char const *dn, VALUE_PAIR *check)
{
rlm_rcode_t rcode = RLM_MODULE_NOTFOUND, ret;
ldap_rcode_t status;
bool name_is_dn = false, value_is_dn = false;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
struct berval **values = NULL;
char const *attrs[] = { inst->userobj_membership_attr, NULL };
int i, count, ldap_errno;
RDEBUG2("Checking user object's %s attributes", inst->userobj_membership_attr);
RINDENT();
status = rlm_ldap_search(inst, request, pconn, dn, LDAP_SCOPE_BASE, NULL, attrs, &result);
REXDENT();
switch (status) {
case LDAP_PROC_SUCCESS:
break;
case LDAP_PROC_NO_RESULT:
RDEBUG("Can't check membership attributes, user object not found");
rcode = RLM_MODULE_NOTFOUND;
/* FALL-THROUGH */
default:
goto finish;
}
entry = ldap_first_entry((*pconn)->handle, result);
if (!entry) {
ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno));
rcode = RLM_MODULE_FAIL;
goto finish;
}
values = ldap_get_values_len((*pconn)->handle, entry, inst->userobj_membership_attr);
if (!values) {
RDEBUG("No group membership attribute(s) found in user object");
goto finish;
}
/*
* Loop over the list of groups the user is a member of,
* looking for a match.
*/
name_is_dn = rlm_ldap_is_dn(check->vp_strvalue, check->vp_length);
count = ldap_count_values_len(values);
for (i = 0; i < count; i++) {
value_is_dn = rlm_ldap_is_dn(values[i]->bv_val, values[i]->bv_len);
RDEBUG2("Processing %s value \"%.*s\" as a %s", inst->userobj_membership_attr,
(int)values[i]->bv_len, values[i]->bv_val, value_is_dn ? "DN" : "group name");
/*
* Both literal group names, do case sensitive comparison
*/
if (!name_is_dn && !value_is_dn) {
if ((check->vp_length == values[i]->bv_len) &&
(memcmp(values[i]->bv_val, check->vp_strvalue, values[i]->bv_len) == 0)) {
RDEBUG("User found in group \"%s\". Comparison between membership: name, check: name",
check->vp_strvalue);
rcode = RLM_MODULE_OK;
goto finish;
}
continue;
}
/*
* Both DNs, do case insensitive, binary safe comparison
*/
if (name_is_dn && value_is_dn) {
if (check->vp_length == values[i]->bv_len) {
int j;
for (j = 0; j < (int)values[i]->bv_len; j++) {
if (tolower(values[i]->bv_val[j]) != tolower(check->vp_strvalue[j])) break;
}
if (j == (int)values[i]->bv_len) {
RDEBUG("User found in group DN \"%s\". "
"Comparison between membership: dn, check: dn", check->vp_strvalue);
rcode = RLM_MODULE_OK;
goto finish;
}
}
continue;
}
/*
* If the value is not a DN, and the name we were given is a dn
* convert the value to a DN and do a comparison.
*/
if (!value_is_dn && name_is_dn) {
char *resolved;
bool eq = false;
RINDENT();
ret = rlm_ldap_group_dn2name(inst, request, pconn, check->vp_strvalue, &resolved);
REXDENT();
if (ret != RLM_MODULE_OK) {
rcode = ret;
goto finish;
}
if (((talloc_array_length(resolved) - 1) == values[i]->bv_len) &&
(memcmp(values[i]->bv_val, resolved, values[i]->bv_len) == 0)) eq = true;
talloc_free(resolved);
if (eq) {
RDEBUG("User found in group \"%.*s\". Comparison between membership: name, check: name "
"(resolved from DN \"%s\")", (int)values[i]->bv_len,
values[i]->bv_val, check->vp_strvalue);
rcode = RLM_MODULE_OK;
goto finish;
}
continue;
}
/*
* We have a value which is a DN, and a check item which specifies the name of a group,
* convert the value to a name so we can do a comparison.
*/
if (value_is_dn && !name_is_dn) {
char *resolved;
char *value;
bool eq = false;
value = rlm_ldap_berval_to_string(request, values[i]);
RINDENT();
ret = rlm_ldap_group_dn2name(inst, request, pconn, value, &resolved);
REXDENT();
talloc_free(value);
if (ret != RLM_MODULE_OK) {
rcode = ret;
goto finish;
}
if (((talloc_array_length(resolved) - 1) == check->vp_length) &&
(memcmp(check->vp_strvalue, resolved, check->vp_length) == 0)) eq = true;
talloc_free(resolved);
if (eq) {
RDEBUG("User found in group \"%s\". Comparison between membership: name "
"(resolved from DN \"%s\"), check: name", check->vp_strvalue, value);
rcode = RLM_MODULE_OK;
goto finish;
}
continue;
}
rad_assert(0);
}
finish:
if (values) ldap_value_free_len(values);
if (result) ldap_msgfree(result);
return rcode;
}
/** Convert group membership information into attributes
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request.
* @param[in,out] pconn to use. May change as this function calls functions which auto re-connect.
* @param[in] entry retrieved by rlm_ldap_find_user or rlm_ldap_search.
* @param[in] attr membership attribute to look for in the entry.
* @return One of the RLM_MODULE_* values.
*/
rlm_rcode_t rlm_ldap_cacheable_userobj(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn,
LDAPMessage *entry, char const *attr)
{
rlm_rcode_t rcode = RLM_MODULE_OK;
struct berval **values;
char *group_name[LDAP_MAX_CACHEABLE + 1];
char **name_p = group_name;
char *group_dn[LDAP_MAX_CACHEABLE + 1];
char **dn_p;
char *name;
VALUE_PAIR *vp, **list, *groups = NULL;
TALLOC_CTX *list_ctx, *value_ctx;
vp_cursor_t list_cursor, groups_cursor;
int is_dn, i, count;
rad_assert(entry);
rad_assert(attr);
/*
* Parse the membership information we got in the initial user query.
*/
values = ldap_get_values_len((*pconn)->handle, entry, attr);
if (!values) {
RDEBUG2("No cacheable group memberships found in user object");
return RLM_MODULE_OK;
}
count = ldap_count_values_len(values);
list = radius_list(request, PAIR_LIST_CONTROL);
list_ctx = radius_list_ctx(request, PAIR_LIST_CONTROL);
/*
* Simplifies freeing temporary values
*/
value_ctx = talloc_new(request);
/*
* Temporary list to hold new group VPs, will be merged
* once all group info has been gathered/resolved
* successfully.
*/
fr_cursor_init(&groups_cursor, &groups);
for (i = 0; (i < LDAP_MAX_CACHEABLE) && (i < count); i++) {
is_dn = rlm_ldap_is_dn(values[i]->bv_val, values[i]->bv_len);
if (inst->cacheable_group_dn) {
/*
* The easy case, we're caching DNs and we got a DN.
*/
if (is_dn) {
MEM(vp = fr_pair_afrom_da(list_ctx, inst->cache_da));
fr_pair_value_bstrncpy(vp, values[i]->bv_val, values[i]->bv_len);
fr_cursor_insert(&groups_cursor, vp);
/*
* We were told to cache DNs but we got a name, we now need to resolve
* this to a DN. Store all the group names in an array so we can do one query.
*/
} else {
*name_p++ = rlm_ldap_berval_to_string(value_ctx, values[i]);
}
}
if (inst->cacheable_group_name) {
/*
* The easy case, we're caching names and we got a name.
*/
if (!is_dn) {
MEM(vp = fr_pair_afrom_da(list_ctx, inst->cache_da));
fr_pair_value_bstrncpy(vp, values[i]->bv_val, values[i]->bv_len);
fr_cursor_insert(&groups_cursor, vp);
/*
* We were told to cache names but we got a DN, we now need to resolve
* this to a name.
* Only Active Directory supports filtering on DN, so we have to search
* for each individual group.
*/
} else {
char *dn;
dn = rlm_ldap_berval_to_string(value_ctx, values[i]);
rcode = rlm_ldap_group_dn2name(inst, request, pconn, dn, &name);
talloc_free(dn);
if (rcode != RLM_MODULE_OK) {
ldap_value_free_len(values);
talloc_free(value_ctx);
fr_pair_list_free(&groups);
return rcode;
}
MEM(vp = fr_pair_afrom_da(list_ctx, inst->cache_da));
fr_pair_value_bstrncpy(vp, name, talloc_array_length(name) - 1);
fr_cursor_insert(&groups_cursor, vp);
talloc_free(name);
}
}
}
*name_p = NULL;
rcode = rlm_ldap_group_name2dn(inst, request, pconn, group_name, group_dn, sizeof(group_dn));
ldap_value_free_len(values);
talloc_free(value_ctx);
if (rcode != RLM_MODULE_OK) return rcode;
fr_cursor_init(&list_cursor, list);
RDEBUG("Adding cacheable user object memberships");
RINDENT();
if (RDEBUG_ENABLED) {
for (vp = fr_cursor_first(&groups_cursor);
vp;
vp = fr_cursor_next(&groups_cursor)) {
RDEBUG("&control:%s += \"%s\"", inst->cache_da->name, vp->vp_strvalue);
}
}
fr_cursor_merge(&list_cursor, groups);
for (dn_p = group_dn; *dn_p; dn_p++) {
MEM(vp = fr_pair_afrom_da(list_ctx, inst->cache_da));
fr_pair_value_strcpy(vp, *dn_p);
fr_cursor_insert(&list_cursor, vp);
RDEBUG("&control:%s += \"%s\"", inst->cache_da->name, vp->vp_strvalue);
ldap_memfree(*dn_p);
}
REXDENT();
return rcode;
}
