DWORD VMCAGetDefaultDomainName( PSTR pszHostName, DWORD dwPort, PSTR* ppDomainName) { DWORD dwError = 0; // LDAP_SUCCESS PVMCA_LDAP_CONTEXT pLotus = NULL; if (!pszHostName) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_ERROR(dwError); } if (strcasecmp(pszHostName, "localhost") == 0) { pszHostName = "127.0.0.1"; } dwError = VMCALdapConnect(pszHostName, dwPort, NULL, NULL, &pLotus); BAIL_ON_ERROR(dwError); dwError = VMCAGetDefaultDomainName2(pLotus, ppDomainName); BAIL_ON_ERROR(dwError); error : if (pLotus) { VMCALdapClose(pLotus); } return dwError; }
DWORD VMCACheckLdapConnection( PSTR pszHostName, DWORD dwPort ) { DWORD dwError = 0; PVMCA_LDAP_CONTEXT pContext = NULL; dwError = VMCALdapConnect(pszHostName, dwPort, NULL, NULL, &pContext); BAIL_ON_ERROR(dwError); error: if (pContext) { VMCALdapClose(pContext); } return dwError; }
static DWORD VMCASrvUpdateRootCerts( PVMCA_DIR_SYNC_PARAMS pDirSyncParams, PBOOLEAN pbSynced ) { DWORD dwError = 0; PVMCA_X509_CA pCA = NULL; PSTR pszAccount = NULL; PSTR pszPassword = NULL; PSTR pszDomainName = NULL; PSTR pszCAContainerDN = NULL; PSTR pszCertificate = NULL; PSTR pszCRL = NULL; X509_CRL* pCrl = NULL; DWORD dwCount = 0; DWORD dwIndex = 0; PVMCA_LDAP_CONTEXT pContext = NULL; PSTR pszUPN = NULL; dwError = VMCASrvValidateCA(); BAIL_ON_VMCA_ERROR(dwError); dwError = VMCASrvGetCA(&pCA); BAIL_ON_VMCA_ERROR(dwError); dwError = VMCASrvGetMachineAccountInfoA( &pszAccount, &pszDomainName, &pszPassword); BAIL_ON_VMCA_ERROR(dwError); dwError = VMCAAllocateStringPrintfA( &pszUPN, "%s@%s", pszAccount, pszDomainName); BAIL_ON_VMCA_ERROR(dwError); dwError = VMCALdapConnect( "localhost", 0, /* use default port */ pszUPN, pszPassword, &pContext); BAIL_ON_VMCA_ERROR(dwError); dwError = VMCAGetDSERootAttribute( pContext, "configurationNamingContext", &pszCAContainerDN); BAIL_ON_VMCA_ERROR(dwError); dwError = VmcaSrvReGenCRL( &pCrl ); BAIL_ON_VMCA_ERROR (dwError); dwError = VMCACRLToPEM( pCrl, &pszCRL ); BAIL_ON_VMCA_ERROR (dwError); dwCount = sk_X509_num(pCA->skCAChain); for (; dwIndex <dwCount; dwIndex++) { X509 *pCert = sk_X509_value( pCA->skCAChain, dwIndex ); dwError = VMCAUpdatePkiCAAttribute( pContext, pszCAContainerDN, pCert ); BAIL_ON_VMCA_ERROR(dwError); } dwError = VMCAUpdateCrlCAAttribute( pContext, pszCAContainerDN, pszCRL ); BAIL_ON_VMCA_ERROR (dwError); *pbSynced = TRUE; cleanup: VMCA_SAFE_FREE_STRINGA(pszUPN); VMCA_SAFE_FREE_STRINGA(pszDomainName); VMCA_SAFE_FREE_STRINGA(pszCertificate); VMCA_SAFE_FREE_STRINGA(pszAccount); VMCA_SAFE_FREE_STRINGA(pszPassword); VMCA_SAFE_FREE_STRINGA(pszCRL); if (pContext) { VMCALdapClose(pContext); } if (pCA) { VMCAReleaseCA(pCA); } return dwError; error: *pbSynced = FALSE; VMCA_LOG_ERROR("Failed to update root certs due to error [%u]", dwError); // TODO : Check specific errors dwError = 0; goto cleanup; }
DWORD VMCAPolicySNValidate( PVMCA_POLICY pPolicy, PSTR pszPKCS10Request, PVMCA_REQ_CONTEXT pReqContext, PBOOLEAN pbBypass, PBOOLEAN pbIsValid ) { DWORD dwError = 0; DWORD dwOrgNamesLen = 0; DWORD dwIdx = 0; int nCount = 0; PSTR *ppszOrgNames = NULL; PSTR pszAuthBaseDN = NULL; PSTR pszAuthDN = NULL; PVMCA_LDAP_CONTEXT pLd = NULL; BOOLEAN bBypass = FALSE; BOOLEAN bIsValid = FALSE; if (!pPolicy || IsNullOrEmptyString(pszPKCS10Request) || !pReqContext || !pbIsValid) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_VMCA_ERROR(dwError); } dwError = VMCAOpenLocalLdapServer(&pLd); BAIL_ON_VMCA_ERROR(dwError); dwError = VMCAConvertUPNToDN( pLd, pReqContext->pszAuthPrincipal, &pszAuthDN); BAIL_ON_VMCA_ERROR(dwError); if (VMCAStringCompareA(pPolicy->Rules.SN.pMatch->pszData, VMCA_POLICY_REQ_UPN_DN, TRUE) == 0 && VMCAStringCompareA(pPolicy->Rules.SN.pMatch->pszCondition, VMCA_POLICY_COND_BEGINS, TRUE) == 0) { dwError = VMCAStringCountSubstring( pszAuthDN, pPolicy->Rules.SN.pMatch->pszWith, &nCount); BAIL_ON_VMCA_ERROR(dwError); if (nCount == 0) { VMCA_LOG_INFO( "[%s,%d] CSR requestor (%s) is not a member of policy baseDN...bypassing enforcement", __FUNCTION__, __LINE__, pszAuthDN); bIsValid = TRUE; bBypass = TRUE; goto ret; } } else { VMCA_LOG_INFO( "[%s,%d] Unknown SN policy match rules", __FUNCTION__, __LINE__); dwError = VMCA_POLICY_CONFIG_ERROR; BAIL_ON_VMCA_ERROR(dwError); } for (dwIdx = 0; dwIdx < pPolicy->Rules.SN.dwValidateLen; ++dwIdx) { if (!VMCAStringCompareA( pPolicy->Rules.SN.ppValidate[dwIdx]->pszData, VMCA_POLICY_REQ_CSR_SUBJ_ORGS, TRUE)) { dwError = VMCAOpenSSLGetValuesFromSubjectName( pszPKCS10Request, VMCA_OPENSSL_NID_O, &dwOrgNamesLen, &ppszOrgNames); BAIL_ON_VMCA_ERROR(dwError); if (!VMCAStringCompareA( pPolicy->Rules.SN.ppValidate[dwIdx]->pszWith, VMCA_POLICY_REQ_UPN_RDN, TRUE)) { dwError = VMCAPolicySNMatchAuthOUWithCSR( pszAuthDN, pPolicy->Rules.SN.pMatch->pszWith, dwOrgNamesLen, ppszOrgNames); BAIL_ON_VMCA_ERROR(dwError); } else { VMCA_LOG_INFO( "[%s,%d] Unknown SN policy validate rules", __FUNCTION__, __LINE__); dwError = VMCA_POLICY_CONFIG_ERROR; BAIL_ON_VMCA_ERROR(dwError); } VMCAFreeStringArrayA(ppszOrgNames, dwOrgNamesLen); ppszOrgNames = NULL; dwOrgNamesLen = 0; } else { VMCA_LOG_INFO( "[%s,%d] Unknown SN policy validate rules", __FUNCTION__, __LINE__); dwError = VMCA_POLICY_CONFIG_ERROR; BAIL_ON_VMCA_ERROR(dwError); } } bIsValid = TRUE; ret: *pbBypass = bBypass; *pbIsValid = bIsValid; cleanup: VMCA_SAFE_FREE_STRINGA(pszAuthDN); VMCA_SAFE_FREE_STRINGA(pszAuthBaseDN); VMCAFreeStringArrayA(ppszOrgNames, dwOrgNamesLen); if (pLd) { VMCALdapClose(pLd); pLd = NULL; } return dwError; error: if (pbBypass) { *pbBypass = FALSE; } if (pbIsValid) { *pbIsValid = FALSE; } goto cleanup; }
DWORD VMCALdapConnect( PSTR pszHostName, DWORD dwPort, PSTR pszUsername, PSTR pszPassword, PVMCA_LDAP_CONTEXT* ppLotus ) { DWORD dwError = 0; PVMCA_LDAP_CONTEXT pContext = NULL; PSTR pszUrl = NULL; BerValue ldapBindPwd = {0}; //LDAP_SUCCESS is defined as Zero in the Standard // Which plays well with our BAIL_ON_ERROR macro DWORD dwVersion = LDAP_VERSION3; DWORD dwReturns = 20; if(dwPort == 0) { // Let us use the default LDAP_PORT, 389 dwPort = LDAP_PORT; } dwError = VMCAAllocateMemory(sizeof(*pContext), (PVOID*)&pContext); BAIL_ON_ERROR(dwError); if (VMCAIsIPV6AddrFormat(pszHostName)) { dwError = VMCAAllocateStringPrintfA( &pszUrl, "ldap://[%s]:%d", pszHostName, dwPort); } else { dwError = VMCAAllocateStringPrintfA( &pszUrl, "ldap://%s:%d", pszHostName, dwPort); } BAIL_ON_ERROR(dwError); if(IsNullOrEmptyString(pszPassword)) { // no credentials, do anonymous bind. dwError = ldap_initialize(&pContext->pConnection, pszUrl); BAIL_ON_ERROR(dwError); if (pContext->pConnection == NULL) { ldap_get_option(pContext->pConnection, LDAP_OPT_ERROR_NUMBER, &dwError); //dwError = ld_errno; //LdapGetLastError(); BAIL_ON_ERROR(dwError); } dwError = ldap_set_option(pContext->pConnection, LDAP_OPT_PROTOCOL_VERSION, (void*)&dwVersion); BAIL_ON_ERROR(dwError); dwError = ldap_set_option(pContext->pConnection, LDAP_OPT_SIZELIMIT, (void*)& dwReturns); BAIL_ON_ERROR(dwError); dwError = ldap_sasl_bind_s( pContext->pConnection, pszUsername, LDAP_SASL_SIMPLE, &ldapBindPwd, // no credentials NULL, NULL, NULL); } else { dwError = VmCASASLSRPBind( &pContext->pConnection, pszUrl, pszUsername, pszPassword); } #ifdef LDAP_ERROR_MESSAGE if(dwError != 0) { printf("Error :%s\n",ldap_err2string(dwError)); } #endif BAIL_ON_ERROR(dwError); *ppLotus = pContext; cleanup: VMCA_SAFE_FREE_STRINGA(pszUrl); return dwError; error: if ((dwError != 0) && pContext) { VMCALdapClose(pContext); } goto cleanup; }