/** Perform LDAP-Group comparison checking * * Attempts to match users to groups using a variety of methods. * * @param instance of the rlm_ldap module. * @param request Current request. * @param thing Unknown. * @param check Which group to check for user membership. * @param check_pairs Unknown. * @param reply_pairs Unknown. * @return 1 on failure (or if the user is not a member), else 0. */ static int rlm_ldap_groupcmp(void *instance, REQUEST *request, UNUSED VALUE_PAIR *thing, VALUE_PAIR *check, UNUSED VALUE_PAIR *check_pairs, UNUSED VALUE_PAIR **reply_pairs) { ldap_instance_t *inst = instance; rlm_rcode_t rcode; bool found = false; bool check_is_dn; ldap_handle_t *conn = NULL; char const *user_dn; rad_assert(inst->groupobj_base_dn); RDEBUG("Searching for user in group \"%s\"", check->vp_strvalue); if (check->vp_length == 0) { REDEBUG("Cannot do comparison (group name is empty)"); return 1; } /* * Check if we can do cached membership verification */ check_is_dn = rlm_ldap_is_dn(check->vp_strvalue, check->vp_length); if (check_is_dn) { char *norm; MEM(norm = talloc_memdup(check, check->vp_strvalue, talloc_array_length(check->vp_strvalue))); rlm_ldap_normalise_dn(norm, check->vp_strvalue); pairstrsteal(check, norm); } if ((check_is_dn && inst->cacheable_group_dn) || (!check_is_dn && inst->cacheable_group_name)) { switch (rlm_ldap_check_cached(inst, request, check)) { case RLM_MODULE_NOTFOUND: found = false; goto finish; case RLM_MODULE_OK: found = true; goto finish; /* * Fallback to dynamic search on failure */ case RLM_MODULE_FAIL: case RLM_MODULE_INVALID: default: break; } } conn = mod_conn_get(inst, request); if (!conn) return 1; /* * This is used in the default membership filter. */ user_dn = rlm_ldap_find_user(inst, request, &conn, NULL, false, NULL, &rcode); if (!user_dn) { mod_conn_release(inst, conn); return 1; } rad_assert(conn); /* * Check groupobj user membership */ if (inst->groupobj_membership_filter) { switch (rlm_ldap_check_groupobj_dynamic(inst, request, &conn, check)) { case RLM_MODULE_NOTFOUND: break; case RLM_MODULE_OK: found = true; default: goto finish; } } rad_assert(conn); /* * Check userobj group membership */ if (inst->userobj_membership_attr) { switch (rlm_ldap_check_userobj_dynamic(inst, request, &conn, user_dn, check)) { case RLM_MODULE_NOTFOUND: break; case RLM_MODULE_OK: found = true; default: goto finish; } } rad_assert(conn); finish: if (conn) mod_conn_release(inst, conn); if (!found) { RDEBUG("User is not a member of \"%s\"", check->vp_strvalue); return 1; } return 0; }
/** Perform LDAP-Group comparison checking * * Attempts to match users to groups using a variety of methods. * * @param instance of the rlm_ldap module. * @param request Current request. * @param thing Unknown. * @param check Which group to check for user membership. * @param check_pairs Unknown. * @param reply_pairs Unknown. * @return 1 on failure (or if the user is not a member), else 0. */ static int rlm_ldap_groupcmp(void *instance, REQUEST *request, UNUSED VALUE_PAIR *thing, VALUE_PAIR *check, UNUSED VALUE_PAIR *check_pairs, UNUSED VALUE_PAIR **reply_pairs) { ldap_instance_t *inst = instance; rlm_rcode_t rcode; int found = false; int check_is_dn; ldap_handle_t *conn = NULL; char const *user_dn; if (!inst->groupobj_base_dn) { REDEBUG("Directive 'group.base_dn' must be set'"); return 1; } RDEBUG("Searching for user in group \"%s\"", check->vp_strvalue); if (check->length == 0) { RDEBUG("Cannot do comparison (group name is empty)"); return 1; } /* * Check if we can do cached membership verification */ check_is_dn = rlm_ldap_is_dn(check->vp_strvalue); if ((check_is_dn && inst->cacheable_group_dn) || (!check_is_dn && inst->cacheable_group_name)) { switch(rlm_ldap_check_cached(inst, request, check)) { case RLM_MODULE_NOTFOUND: break; case RLM_MODULE_OK: found = true; default: goto finish; } } conn = rlm_ldap_get_socket(inst, request); if (!conn) return 1; /* * This is used in the default membership filter. */ user_dn = rlm_ldap_find_user(inst, request, &conn, NULL, false, NULL, &rcode); if (!user_dn) { rlm_ldap_release_socket(inst, conn); return 1; } rad_assert(conn); /* * Check groupobj user membership */ if (inst->groupobj_membership_filter) { switch(rlm_ldap_check_groupobj_dynamic(inst, request, &conn, check)) { case RLM_MODULE_NOTFOUND: break; case RLM_MODULE_OK: found = true; default: goto finish; } } rad_assert(conn); /* * Check userobj group membership */ if (inst->userobj_membership_attr) { switch(rlm_ldap_check_userobj_dynamic(inst, request, &conn, user_dn, check)) { case RLM_MODULE_NOTFOUND: break; case RLM_MODULE_OK: found = true; default: goto finish; } } rad_assert(conn); finish: if (conn) { rlm_ldap_release_socket(inst, conn); } if (!found) { RDEBUG("User is not a member of specified group"); return 1; } return 0; }