/** * compare attribute to LDAP in case of LDAP_INAPPROPRIATE_MATCHING * * \param ld AddressBook resource * \param server Reference to server * \param dn dn for the entry * \param attr Attribute * \param value New value * \return int, return will be LDAP_MOD_ADD, LDAP_MOD_REPLACE, or LDAP_MOD_DELETE */ int ldapsvr_compare_manual_attr(LDAP *ld, LdapServer *server, gchar *dn, char *attr, char *value) { LDAPMessage *res, *e = NULL; BerElement *ber; struct berval **vals; int rc; LdapControl *ctl; gchar *filter; gchar *attribute; int retVal = -2, i; AttrKeyValue *mail; cm_return_val_if_fail(ld != NULL || server != NULL || attr != NULL, -1); ctl = server->control; mail = get_mail(dn); if (! mail) return -2; filter = g_strdup_printf("(&(mail=%s)(%s=*))", mail->value, attr); attrkeyvalue_free(mail); if (ctl) { rc = ldap_search_ext_s(ld, ctl->baseDN, LDAP_SCOPE_ONELEVEL, filter, NULL, 0, NULL, NULL, NULL, 0, &res); if (rc) { g_printerr("ldap_search for attr=%s\" failed[0x%x]: %s\n",attr, rc, ldaputil_get_error(ld)); retVal = -2; } else { e = ldap_first_entry(ld, res); /* entry has this attribute */ if (e) { attribute = ldap_first_attribute( ld, e, &ber ); if (attribute) { if (value) { if( ( vals = ldap_get_values_len( ld, e, attr ) ) != NULL ) { for( i = 0; vals[i] != NULL; i++ ) { debug_print("Compare: %s=%s\n", attr, vals[i]->bv_val); /* attribute has same value */ if (strcmp(vals[i]->bv_val, value) == 0) retVal = -1; /* attribute has new value */ else retVal = LDAP_MOD_REPLACE; } } ldap_value_free_len(vals); } else retVal = LDAP_MOD_DELETE; } if( ber != NULL ) { ber_free( ber, 0 ); } ldap_memfree(attribute); } /* entry does not have this attribute */ else { /* Only add if this is a real attribute */ if (value) retVal = LDAP_MOD_ADD; /* This is dummy value used to avoid ldap_compare error */ else retVal = -1; } } } else retVal = -2; g_free(filter); return retVal; }
DWORD VMCAConvertUPNToDN( PVMCA_LDAP_CONTEXT pConnection, PCSTR pszUPN, PSTR* ppszOutDN ) { DWORD dwError = 0; LDAPMessage* pEntry = NULL; LDAPMessage* pResult = NULL; PSTR pszFilter = NULL; PSTR pszEntryDN = NULL; PSTR pszOutDN = NULL; int iCount = 0; LDAP *pLd = NULL; if (!pConnection || !pConnection->pConnection || IsNullOrEmptyString(pszUPN) || !ppszOutDN) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_VMCA_ERROR(dwError); } pLd = pConnection->pConnection; dwError = VMCAAllocateStringPrintfA( &pszFilter, "%s=%s", ATTR_KRB_UPN, pszUPN); BAIL_ON_VMCA_ERROR(dwError); dwError = ldap_search_ext_s( pLd, "", LDAP_SCOPE_SUBTREE, pszFilter, NULL, FALSE, /* get values */ NULL, /* server controls */ NULL, /* client controls */ NULL, /* timeout */ 0, /* size limit */ &pResult); BAIL_ON_VMCA_ERROR(dwError); iCount = ldap_count_entries(pLd, pResult); // should have either 0 or 1 result if (iCount > 1) { dwError = VMCA_ERROR_INVALID_STATE; BAIL_ON_VMCA_ERROR(dwError); } else if (iCount == 0) { dwError = VMCA_ERROR_ENTRY_NOT_FOUND; BAIL_ON_VMCA_ERROR(dwError); } if ( (pEntry = ldap_first_entry(pLd, pResult)) != NULL ) { pszEntryDN = ldap_get_dn(pLd, pEntry); dwError = VMCAAllocateStringA( pszEntryDN, &pszOutDN ); BAIL_ON_VMCA_ERROR(dwError); *ppszOutDN = pszOutDN; } else { dwError = VMCA_ERROR_INVALID_ENTRY; BAIL_ON_VMCA_ERROR(dwError); } cleanup: if (pszEntryDN) { ldap_memfree( pszEntryDN ); } if (pResult) { ldap_msgfree( pResult ); } VMCA_SAFE_FREE_MEMORY(pszFilter); return dwError; error: VMCA_LOG_ERROR("[%s,%d] failed with error (%u)", __FUNCTION__, __LINE__, dwError); VMCA_SAFE_FREE_MEMORY(pszOutDN); if (ppszOutDN) { *ppszOutDN = NULL; } goto cleanup; }
DWORD VMCAGetDSERootAttribute( PVMCA_LDAP_CONTEXT pContext, PSTR pszAttribute, PSTR* ppszAttrValue ) { DWORD dwError = 0; // LDAP_SUCCESS PSTR pAttribute = NULL; BerValue** ppValue = NULL; BerElement* pBer = NULL; LDAPMessage* pSearchResult = NULL; LDAPMessage* pResults = NULL; PCHAR pszFilter = "(objectClass=*)"; PCHAR ppszAttrs[] = { pszAttribute, NULL }; dwError = ldap_search_ext_s( pContext->pConnection, // Session handle "", // DN to start search LDAP_SCOPE_BASE, // Scope pszFilter, // Filter ppszAttrs, // Retrieve list of attributes 0, // Get both attributes and values NULL, NULL, NULL, 0, &pSearchResult); // [out] Search results BAIL_ON_ERROR(dwError); if (ldap_count_entries(pContext->pConnection, pSearchResult) != 1) { dwError = ERROR_INVALID_STATE; BAIL_ON_ERROR(dwError); } // There should be only one result for this type pResults = ldap_first_entry(pContext->pConnection, pSearchResult); if (pResults == NULL) { ldap_get_option(pContext->pConnection, LDAP_OPT_ERROR_NUMBER, &dwError); BAIL_ON_ERROR(dwError); } pAttribute = ldap_first_attribute(pContext->pConnection,pResults,&pBer); if(pAttribute == NULL) { ldap_get_option(pContext->pConnection, LDAP_OPT_ERROR_NUMBER, &dwError); BAIL_ON_ERROR(dwError); } ppValue = ldap_get_values_len(pContext->pConnection, pResults, pszAttribute); if(ppValue == NULL) { ldap_get_option(pContext->pConnection, LDAP_OPT_ERROR_NUMBER, &dwError); BAIL_ON_ERROR(dwError); } dwError = VMCAAllocateStringA(ppValue[0]->bv_val, ppszAttrValue); BAIL_ON_ERROR(dwError); error : if ( ppValue != NULL) { ldap_value_free_len(ppValue); } if(pAttribute != NULL) { ldap_memfree(pAttribute); } if(pBer != NULL) { ber_free(pBer,0); } if(pSearchResult != NULL) { ldap_msgfree(pSearchResult); } return dwError; }
/** Convert multiple group names into a DNs * * Given an array of group names, builds a filter matching all names, then retrieves all group objects * and stores the DN associated with each group object. * * @param[in] inst rlm_ldap configuration. * @param[in] request Current request. * @param[in,out] pconn to use. May change as this function calls functions which auto re-connect. * @param[in] names to covert to DNs (NULL terminated). * @param[out] out Where to write the DNs. DNs must be freed with ldap_memfree(). Will be NULL terminated. * @param[in] outlen Size of out. * @return One of the RLM_MODULE_* values. */ static rlm_rcode_t rlm_ldap_group_name2dn(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char **names, char **out, size_t outlen) { rlm_rcode_t rcode = RLM_MODULE_OK; ldap_rcode_t status; int ldap_errno; unsigned int name_cnt = 0; unsigned int entry_cnt; char const *attrs[] = { NULL }; LDAPMessage *result = NULL, *entry; char **name = names; char **dn = out; char const *base_dn = NULL; char base_dn_buff[LDAP_MAX_DN_STR_LEN]; char buffer[LDAP_MAX_GROUP_NAME_LEN + 1]; char *filter; *dn = NULL; if (!*names) { return RLM_MODULE_OK; } if (!inst->groupobj_name_attr) { REDEBUG("Told to convert group names to DNs but missing 'group.name_attribute' directive"); return RLM_MODULE_INVALID; } RDEBUG("Converting group name(s) to group DN(s)"); /* * It'll probably only save a few ms in network latency, but it means we can send a query * for the entire group list at once. */ filter = talloc_typed_asprintf(request, "%s%s%s", inst->groupobj_filter ? "(&" : "", inst->groupobj_filter ? inst->groupobj_filter : "", names[0] && names[1] ? "(|" : ""); while (*name) { rlm_ldap_escape_func(request, buffer, sizeof(buffer), *name++, NULL); filter = talloc_asprintf_append_buffer(filter, "(%s=%s)", inst->groupobj_name_attr, buffer); name_cnt++; } filter = talloc_asprintf_append_buffer(filter, "%s%s", inst->groupobj_filter ? ")" : "", names[0] && names[1] ? ")" : ""); if (tmpl_expand(&base_dn, base_dn_buff, sizeof(base_dn_buff), request, inst->groupobj_base_dn, rlm_ldap_escape_func, NULL) < 0) { REDEBUG("Failed creating base_dn"); return RLM_MODULE_INVALID; } status = rlm_ldap_search(&result, inst, request, pconn, base_dn, inst->groupobj_scope, filter, attrs, NULL, NULL); switch (status) { case LDAP_PROC_SUCCESS: break; case LDAP_PROC_NO_RESULT: RDEBUG("Tried to resolve group name(s) to DNs but got no results"); goto finish; default: rcode = RLM_MODULE_FAIL; goto finish; } entry_cnt = ldap_count_entries((*pconn)->handle, result); if (entry_cnt > name_cnt) { REDEBUG("Number of DNs exceeds number of names, group and/or dn should be more restrictive"); rcode = RLM_MODULE_INVALID; goto finish; } if (entry_cnt > (outlen - 1)) { REDEBUG("Number of DNs exceeds limit (%zu)", outlen - 1); rcode = RLM_MODULE_INVALID; goto finish; } if (entry_cnt < name_cnt) { RWDEBUG("Got partial mapping of group names (%i) to DNs (%i), membership information may be incomplete", name_cnt, entry_cnt); } entry = ldap_first_entry((*pconn)->handle, result); if (!entry) { ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno)); rcode = RLM_MODULE_FAIL; goto finish; } do { *dn = ldap_get_dn((*pconn)->handle, entry); if (!*dn) { ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); REDEBUG("Retrieving object DN from entry failed: %s", ldap_err2string(ldap_errno)); rcode = RLM_MODULE_FAIL; goto finish; } rlm_ldap_normalise_dn(*dn, *dn); RDEBUG("Got group DN \"%s\"", *dn); dn++; } while((entry = ldap_next_entry((*pconn)->handle, entry))); *dn = NULL; finish: talloc_free(filter); if (result) { ldap_msgfree(result); } /* * Be nice and cleanup the output array if we error out. */ if (rcode != RLM_MODULE_OK) { dn = out; while(*dn) ldap_memfree(*dn++); *dn = NULL; } return rcode; }
/* * This function will look in ldap id the token correspond to the * requested user. It will returns 0 for failure and 1 for success. * * For the moment ldaps is not supported. ldap serve can be on a * remote host. * * You need the following parameters in you pam config: * ldapserver= OR ldap_uri= * ldapdn= * user_attr= * yubi_attr= * */ static int authorize_user_token_ldap (struct cfg *cfg, const char *user, const char *token_id) { DBG(("called")); int retval = 0; int protocol; #ifdef HAVE_LIBLDAP LDAP *ld = NULL; LDAPMessage *result = NULL, *e; BerElement *ber; char *a; char *attrs[2] = {NULL, NULL}; struct berval **vals; int i, rc; char *find = NULL, *sr = NULL; if (cfg->user_attr == NULL) { DBG (("Trying to look up user to YubiKey mapping in LDAP, but user_attr not set!")); return 0; } if (cfg->yubi_attr == NULL) { DBG (("Trying to look up user to YubiKey mapping in LDAP, but yubi_attr not set!")); return 0; } if (cfg->ldapdn == NULL) { DBG (("Trying to look up user to YubiKey mapping in LDAP, but ldapdn not set!")); return 0; } /* Get a handle to an LDAP connection. */ if (cfg->ldap_uri) { rc = ldap_initialize (&ld, cfg->ldap_uri); if (rc != LDAP_SUCCESS) { DBG (("ldap_init: %s", ldap_err2string (rc))); retval = 0; goto done; } } else { if ((ld = ldap_init (cfg->ldapserver, PORT_NUMBER)) == NULL) { DBG (("ldap_init")); retval = 0; goto done; } } /* LDAPv2 is historical -- RFC3494. */ protocol = LDAP_VERSION3; ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &protocol); /* Bind anonymously to the LDAP server. */ rc = ldap_simple_bind_s (ld, NULL, NULL); if (rc != LDAP_SUCCESS) { DBG (("ldap_simple_bind_s: %s", ldap_err2string (rc))); retval = 0; goto done; } /* Allocation of memory for search strings depending on input size */ find = malloc((strlen(cfg->user_attr)+strlen(cfg->ldapdn)+strlen(user)+3)*sizeof(char)); sprintf (find, "%s=%s,%s", cfg->user_attr, user, cfg->ldapdn); attrs[0] = (char *) cfg->yubi_attr; DBG(("LDAP : look up object '%s', ask for attribute '%s'", find, cfg->yubi_attr)); /* Search for the entry. */ if ((rc = ldap_search_ext_s (ld, find, LDAP_SCOPE_BASE, NULL, attrs, 0, NULL, NULL, LDAP_NO_LIMIT, LDAP_NO_LIMIT, &result)) != LDAP_SUCCESS) { DBG (("ldap_search_ext_s: %s", ldap_err2string (rc))); retval = 0; goto done; } e = ldap_first_entry (ld, result); if (e == NULL) { DBG (("No result from LDAP search")); } else { /* Iterate through each returned attribute. */ for (a = ldap_first_attribute (ld, e, &ber); a != NULL; a = ldap_next_attribute (ld, e, ber)) { if ((vals = ldap_get_values_len (ld, e, a)) != NULL) { /* Compare each value for the attribute against the token id. */ for (i = 0; vals[i] != NULL; i++) { if (!strncmp (token_id, vals[i]->bv_val, strlen (token_id))) { DBG (("Token Found :: %s", vals[i]->bv_val)); retval = 1; } else { DBG (("No match : (%s) %s != %s", a, vals[i]->bv_val, token_id)); } } ldap_value_free_len (vals); } ldap_memfree (a); } if (ber != NULL) ber_free (ber, 0); } done: if (result != NULL) ldap_msgfree (result); if (ld != NULL) ldap_unbind (ld); /* free memory allocated for search strings */ if (find != NULL) free(find); if (sr != NULL) free(sr); #else DBG (("Trying to use LDAP, but this function is not compiled in pam_yubico!!")); DBG (("Install libldap-dev and then recompile pam_yubico.")); #endif return retval; }
static int searchaction( LDAP *ld, char *buf, char *base, LDAPMessage *entry, char *dn, struct ldap_tmplitem *tip, int labelwidth, int rdncount, writeptype writeproc, void *writeparm, char *eol, char *urlprefix ) { int err = LDAP_SUCCESS, lderr, i, count, html; char **vals, **members; char *value, *filtpattern, *attr, *selectname; char *retattrs[2], filter[ 256 ]; LDAPMessage *ldmp; struct timeval timeout; html = ( urlprefix != NULL ); for ( i = 0; tip->ti_args != NULL && tip->ti_args[ i ] != NULL; ++i ) { ; } if ( i < 3 ) { return( LDAP_PARAM_ERROR ); } attr = tip->ti_args[ 0 ]; filtpattern = tip->ti_args[ 1 ]; retattrs[ 0 ] = tip->ti_args[ 2 ]; retattrs[ 1 ] = NULL; selectname = tip->ti_args[ 3 ]; vals = NULL; if ( attr == NULL ) { value = NULL; } else if ( strcasecmp( attr, "-dnb" ) == 0 ) { return( LDAP_PARAM_ERROR ); } else if ( strcasecmp( attr, "-dnt" ) == 0 ) { value = dn; } else if (( vals = ldap_get_values( ld, entry, attr )) != NULL ) { value = vals[ 0 ]; } else { value = NULL; } ldap_build_filter( filter, sizeof( filter ), filtpattern, NULL, NULL, NULL, value, NULL ); if ( html ) { /* * if we are generating HTML, we add an HREF link that embodies this * search action as an LDAP URL, instead of actually doing the search * now. */ sprintf( buf, "<DT><A HREF=\"%s", urlprefix ); if ( base != NULL ) { strcat_escaped( buf, base ); } strcat( buf, "??sub?" ); strcat_escaped( buf, filter ); sprintf( buf + strlen( buf ), "\"><B>%s</B></A><DD><BR>%s", tip->ti_label, eol ); if ((*writeproc)( writeparm, buf, strlen( buf )) < 0 ) { return( LDAP_LOCAL_ERROR ); } return( LDAP_SUCCESS ); } timeout.tv_sec = SEARCH_TIMEOUT_SECS; timeout.tv_usec = 0; #ifdef CLDAP if ( LDAP_IS_CLDAP( ld )) lderr = cldap_search_s( ld, base, LDAP_SCOPE_SUBTREE, filter, retattrs, 0, &ldmp, NULL ); else #endif /* CLDAP */ lderr = ldap_search_st( ld, base, LDAP_SCOPE_SUBTREE, filter, retattrs, 0, &timeout, &ldmp ); if ( lderr == LDAP_SUCCESS || NONFATAL_LDAP_ERR( lderr )) { if (( count = ldap_count_entries( ld, ldmp )) > 0 ) { if (( members = (char **)NSLDAPI_MALLOC( (count + 1) * sizeof(char *))) == NULL ) { err = LDAP_NO_MEMORY; } else { for ( i = 0, entry = ldap_first_entry( ld, ldmp ); entry != NULL; entry = ldap_next_entry( ld, entry ), ++i ) { members[ i ] = ldap_get_dn( ld, entry ); } members[ i ] = NULL; ldap_sort_values(ld,members, ldap_sort_strcasecmp); err = do_vals2text( ld, NULL, members, tip->ti_label, html ? -1 : 0, LDAP_SYN_DN, writeproc, writeparm, eol, rdncount, urlprefix ); ldap_value_free( members ); } } ldap_msgfree( ldmp ); } if ( vals != NULL ) { ldap_value_free( vals ); } return(( err == LDAP_SUCCESS ) ? lderr : err ); }
/** Convert a single group name into a DN * * Unlike the inverse conversion of a name to a DN, most LDAP directories don't allow filtering by DN, * so we need to search for each DN individually. * * @param[in] inst rlm_ldap configuration. * @param[in] request Current request. * @param[in,out] pconn to use. May change as this function calls functions which auto re-connect. * @param[in] dn to resolve. * @param[out] out Where to write group name (must be freed with talloc_free). * @return One of the RLM_MODULE_* values. */ static rlm_rcode_t rlm_ldap_group_dn2name(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, char **out) { rlm_rcode_t rcode = RLM_MODULE_OK; ldap_rcode_t status; int ldap_errno; struct berval **values = NULL; char const *attrs[] = { inst->groupobj_name_attr, NULL }; LDAPMessage *result = NULL, *entry; *out = NULL; if (!inst->groupobj_name_attr) { REDEBUG("Told to resolve group DN to name but missing 'group.name_attribute' directive"); return RLM_MODULE_INVALID; } RDEBUG("Resolving group DN \"%s\" to group name", dn); status = rlm_ldap_search(&result, inst, request, pconn, dn, LDAP_SCOPE_BASE, NULL, attrs, NULL, NULL); switch (status) { case LDAP_PROC_SUCCESS: break; case LDAP_PROC_NO_RESULT: REDEBUG("Group DN \"%s\" did not resolve to an object", dn); return RLM_MODULE_INVALID; default: return RLM_MODULE_FAIL; } entry = ldap_first_entry((*pconn)->handle, result); if (!entry) { ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno)); rcode = RLM_MODULE_INVALID; goto finish; } values = ldap_get_values_len((*pconn)->handle, entry, inst->groupobj_name_attr); if (!values) { REDEBUG("No %s attributes found in object", inst->groupobj_name_attr); rcode = RLM_MODULE_INVALID; goto finish; } *out = rlm_ldap_berval_to_string(request, values[0]); RDEBUG("Group DN \"%s\" resolves to name \"%s\"", dn, *out); finish: if (result) ldap_msgfree(result); if (values) ldap_value_free_len(values); return rcode; }
krb5_error_code krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, unsigned int flags, krb5_db_entry **entry_ptr) { char *user=NULL, *filter=NULL, *filtuser=NULL; unsigned int tree=0, ntrees=1, princlen=0; krb5_error_code tempst=0, st=0; char **values=NULL, **subtree=NULL, *cname=NULL; LDAP *ld=NULL; LDAPMessage *result=NULL, *ent=NULL; krb5_ldap_context *ldap_context=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; krb5_principal cprinc=NULL; krb5_boolean found=FALSE; krb5_db_entry *entry = NULL; *entry_ptr = NULL; /* Clear the global error string */ krb5_clear_error_message(context); if (searchfor == NULL) return EINVAL; dal_handle = context->dal_handle; ldap_context = (krb5_ldap_context *) dal_handle->db_context; CHECK_LDAP_HANDLE(ldap_context); if (is_principal_in_realm(ldap_context, searchfor) != 0) { st = KRB5_KDB_NOENTRY; krb5_set_error_message(context, st, _("Principal does not belong to realm")); goto cleanup; } if ((st=krb5_unparse_name(context, searchfor, &user)) != 0) goto cleanup; if ((st=krb5_ldap_unparse_principal_name(user)) != 0) goto cleanup; filtuser = ldap_filter_correct(user); if (filtuser == NULL) { st = ENOMEM; goto cleanup; } princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */ if ((filter = malloc(princlen)) == NULL) { st = ENOMEM; goto cleanup; } snprintf(filter, princlen, FILTER"%s))", filtuser); if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0) goto cleanup; GET_HANDLE(); for (tree=0; tree < ntrees && !found; ++tree) { LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes); for (ent=ldap_first_entry(ld, result); ent != NULL && !found; ent=ldap_next_entry(ld, ent)) { /* get the associated directory user information */ if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { int i; /* a wild-card in a principal name can return a list of kerberos principals. * Make sure that the correct principal is returned. * NOTE: a principalname k* in ldap server will return all the principals starting with a k */ for (i=0; values[i] != NULL; ++i) { if (strcmp(values[i], user) == 0) { found = TRUE; break; } } ldap_value_free(values); if (!found) /* no matching principal found */ continue; } if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) { if (values[0] && strcmp(values[0], user) != 0) { /* We matched an alias, not the canonical name. */ if (flags & KRB5_KDB_FLAG_ALIAS_OK) { st = krb5_ldap_parse_principal_name(values[0], &cname); if (st != 0) goto cleanup; st = krb5_parse_name(context, cname, &cprinc); if (st != 0) goto cleanup; } else /* No canonicalization, so don't return aliases. */ found = FALSE; } ldap_value_free(values); if (!found) continue; } entry = k5alloc(sizeof(*entry), &st); if (entry == NULL) goto cleanup; if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, cprinc ? cprinc : searchfor, entry)) != 0) goto cleanup; } ldap_msgfree(result); result = NULL; } /* for (tree=0 ... */ if (found) { *entry_ptr = entry; entry = NULL; } else st = KRB5_KDB_NOENTRY; cleanup: ldap_msgfree(result); krb5_ldap_free_principal(context, entry); if (filter) free (filter); if (subtree) { for (; ntrees; --ntrees) if (subtree[ntrees-1]) free (subtree[ntrees-1]); free (subtree); } if (ldap_server_handle) krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); if (user) free(user); if (filtuser) free(filtuser); if (cname) free(cname); if (cprinc) krb5_free_principal(context, cprinc); return st; }
static int ldap_verify_user_password (CcnetUserManager *manager, const char *uid, const char *password) { LDAP *ld = NULL; int res; GString *filter; char *filter_str = NULL; char *attrs[2]; LDAPMessage *msg = NULL, *entry; char *dn = NULL; int ret = 0; /* First search for the DN with the given uid. */ ld = ldap_init_and_bind (manager->ldap_host, #ifdef WIN32 manager->use_ssl, #endif manager->user_dn, manager->password); if (!ld) return -1; filter = g_string_new (NULL); g_string_printf (filter, "(%s=%s)", manager->login_attr, uid); filter_str = g_string_free (filter, FALSE); attrs[0] = manager->login_attr; attrs[1] = NULL; res = ldap_search_s (ld, manager->base, LDAP_SCOPE_SUBTREE, filter_str, attrs, 0, &msg); if (res != LDAP_SUCCESS) { ccnet_warning ("ldap_search failed: %s.\n", ldap_err2string(res)); ret = -1; goto out; } entry = ldap_first_entry (ld, msg); if (!entry) { ccnet_warning ("user with uid %s not found in LDAP.\n", uid); ret = -1; goto out; } dn = ldap_get_dn (ld, entry); /* Then bind the DN with password. */ ldap_unbind_s (ld); ld = ldap_init_and_bind (manager->ldap_host, #ifdef WIN32 manager->use_ssl, #endif dn, password); if (!ld) { ccnet_warning ("Password check for %s failed.\n", uid); ret = -1; } out: ldap_msgfree (msg); ldap_memfree (dn); g_free (filter_str); if (ld) ldap_unbind_s (ld); return ret; }
/* Check the userid & password. * Return 0 on success, 1 on failure */ static int checkLDAP(LDAP * persistent_ld, const char *userid, const char *password, const char *ldapServer, int port) { char dn[1024]; int ret = 0; LDAP *bind_ld = NULL; if (!*password) { /* LDAP can't bind with a blank password. Seen as "anonymous" * and always granted access */ if (debug) fprintf(stderr, "Blank password given\n"); return 1; } if (searchfilter) { char filter[16384]; char escaped_login[1024]; LDAPMessage *res = NULL; LDAPMessage *entry; char *searchattr[] = {(char *)LDAP_NO_ATTRS, NULL}; char *userdn; int rc; LDAP *search_ld = persistent_ld; if (!search_ld) search_ld = open_ldap_connection(ldapServer, port); ldap_escape_value(escaped_login, sizeof(escaped_login), userid); if (binddn) { rc = ldap_simple_bind_s(search_ld, binddn, bindpasswd); if (rc != LDAP_SUCCESS) { fprintf(stderr, PROGRAM_NAME ": WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc)); ret = 1; goto search_done; } } snprintf(filter, sizeof(filter), searchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login); if (debug) fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, basedn); rc = ldap_search_s(search_ld, basedn, searchscope, filter, searchattr, 1, &res); if (rc != LDAP_SUCCESS) { if (noreferrals && rc == LDAP_PARTIAL_RESULTS) { /* Everything is fine. This is expected when referrals * are disabled. */ if (debug) fprintf(stderr, "noreferrals && rc == LDAP_PARTIAL_RESULTS\n"); } else { fprintf(stderr, PROGRAM_NAME ": WARNING, LDAP search error '%s'\n", ldap_err2string(rc)); #if defined(NETSCAPE_SSL) if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) { int sslerr = PORT_GetError(); fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr)); } #endif ret = 1; goto search_done; } } entry = ldap_first_entry(search_ld, res); if (!entry) { if (debug) fprintf(stderr, "Ldap search returned nothing\n"); ret = 1; goto search_done; } userdn = ldap_get_dn(search_ld, entry); if (!userdn) { fprintf(stderr, PROGRAM_NAME ": ERROR, could not get user DN for '%s'\n", userid); ret = 1; goto search_done; } snprintf(dn, sizeof(dn), "%s", userdn); squid_ldap_memfree(userdn); if (ret == 0 && (!binddn || !bind_once || passwdattr)) { /* Reuse the search connection for comparing the user password attribute */ bind_ld = search_ld; search_ld = NULL; } search_done: if (res) { ldap_msgfree(res); res = NULL; } if (search_ld && search_ld != persistent_ld) { ldap_unbind(search_ld); search_ld = NULL; } if (ret != 0) return ret; } else { snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn); } if (debug) fprintf(stderr, "attempting to authenticate user '%s'\n", dn); if (!bind_ld && !bind_once) bind_ld = persistent_ld; if (!bind_ld) bind_ld = open_ldap_connection(ldapServer, port); if (passwdattr) { if (ldap_compare_s(bind_ld, dn, passwdattr, password) != LDAP_COMPARE_TRUE) { ret = 1; } } else if (ldap_simple_bind_s(bind_ld, dn, password) != LDAP_SUCCESS) ret = 1; if (bind_ld != persistent_ld) { ldap_unbind(bind_ld); bind_ld = NULL; } return ret; }
krb5_error_code krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, char **db_args) { int l=0, kerberos_principal_object_type=0; krb5_error_code st=0, tempst=0; LDAP *ld=NULL; LDAPMessage *result=NULL, *ent=NULL; char *user=NULL, *subtree=NULL, *principal_dn=NULL; char **values=NULL, *strval[10]={NULL}, errbuf[1024]; char *filtuser=NULL; struct berval **bersecretkey=NULL; LDAPMod **mods=NULL; krb5_boolean create_standalone_prinicipal=FALSE; krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE; char *standalone_principal_dn=NULL; krb5_tl_data *tl_data=NULL; krb5_key_data **keys=NULL; kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; osa_princ_ent_rec princ_ent; xargs_t xargs = {0}; char *polname = NULL; OPERATION optype; krb5_boolean found_entry = FALSE; /* Clear the global error string */ krb5_clear_error_message(context); SETUP_CONTEXT(); if (ldap_context->lrparams == NULL || ldap_context->container_dn == NULL) return EINVAL; /* get ldap handle */ GET_HANDLE(); if (is_principal_in_realm(ldap_context, entry->princ) != 0) { st = EINVAL; krb5_set_error_message(context, st, _("Principal does not belong to " "the default realm")); goto cleanup; } /* get the principal information to act on */ if (((st=krb5_unparse_name(context, entry->princ, &user)) != 0) || ((st=krb5_ldap_unparse_principal_name(user)) != 0)) goto cleanup; filtuser = ldap_filter_correct(user); if (filtuser == NULL) { st = ENOMEM; goto cleanup; } /* Identity the type of operation, it can be * add principal or modify principal. * hack if the entry->mask has KRB_PRINCIPAL flag set * then it is a add operation */ if (entry->mask & KADM5_PRINCIPAL) optype = ADD_PRINCIPAL; else optype = MODIFY_PRINCIPAL; if (((st=krb5_get_princ_type(context, entry, &kerberos_principal_object_type)) != 0) || ((st=krb5_get_userdn(context, entry, &principal_dn)) != 0)) goto cleanup; if ((st=process_db_args(context, db_args, &xargs, optype)) != 0) goto cleanup; if (entry->mask & KADM5_LOAD) { unsigned int tree = 0, ntrees = 0; int numlentries = 0; char **subtreelist = NULL, *filter = NULL; /* A load operation is special, will do a mix-in (add krbprinc * attrs to a non-krb object entry) if an object exists with a * matching krbprincipalname attribute so try to find existing * object and set principal_dn. This assumes that the * krbprincipalname attribute is unique (only one object entry has * a particular krbprincipalname attribute). */ if (asprintf(&filter, FILTER"%s))", filtuser) < 0) { filter = NULL; st = ENOMEM; goto cleanup; } /* get the current subtree list */ if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) goto cleanup; found_entry = FALSE; /* search for entry with matching krbprincipalname attribute */ for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) { result = NULL; if (principal_dn == NULL) { LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS); } else { /* just look for entry with principal_dn */ LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS); } if (st == LDAP_SUCCESS) { numlentries = ldap_count_entries(ld, result); if (numlentries > 1) { ldap_msgfree(result); free(filter); st = EINVAL; krb5_set_error_message(context, st, _("operation can not continue, " "more than one entry with " "principal name \"%s\" found"), user); goto cleanup; } else if (numlentries == 1) { found_entry = TRUE; if (principal_dn == NULL) { ent = ldap_first_entry(ld, result); if (ent != NULL) { /* setting principal_dn will cause that entry to be modified further down */ if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) { ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st); st = set_ldap_error (context, st, 0); ldap_msgfree(result); free(filter); goto cleanup; } } } } if (result) ldap_msgfree(result); } else if (st != LDAP_NO_SUCH_OBJECT) { /* could not perform search, return with failure */ st = set_ldap_error (context, st, 0); free(filter); goto cleanup; } /* * If it isn't found then assume a standalone princ entry is to * be created. */ } /* end for (tree = 0; principal_dn == ... */ free(filter); if (found_entry == FALSE && principal_dn != NULL) { /* * if principal_dn is null then there is code further down to * deal with setting standalone_principal_dn. Also note that * this will set create_standalone_prinicipal true for * non-mix-in entries which is okay if loading from a dump. */ create_standalone_prinicipal = TRUE; standalone_principal_dn = strdup(principal_dn); CHECK_NULL(standalone_principal_dn); } } /* end if (entry->mask & KADM5_LOAD */ /* time to generate the DN information with the help of * containerdn, principalcontainerreference or * realmcontainerdn information */ if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */ /* get the subtree information */ if (entry->princ->length == 2 && entry->princ->data[0].length == strlen("krbtgt") && strncmp(entry->princ->data[0].data, "krbtgt", entry->princ->data[0].length) == 0) { /* if the principal is a inter-realm principal, always created in the realm container */ subtree = strdup(ldap_context->lrparams->realmdn); } else if (xargs.containerdn) { if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) { if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) { int ost = st; st = EINVAL; snprintf(errbuf, sizeof(errbuf), _("'%s' not found: "), xargs.containerdn); prepend_err_str(context, errbuf, st, ost); } goto cleanup; } subtree = strdup(xargs.containerdn); } else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) { /* * Here the subtree should be changed with * principalcontainerreference attribute value */ subtree = strdup(ldap_context->lrparams->containerref); } else { subtree = strdup(ldap_context->lrparams->realmdn); } CHECK_NULL(subtree); if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s", filtuser, subtree) < 0) standalone_principal_dn = NULL; CHECK_NULL(standalone_principal_dn); /* * free subtree when you are done using the subtree * set the boolean create_standalone_prinicipal to TRUE */ create_standalone_prinicipal = TRUE; free(subtree); subtree = NULL; } /* * If the DN information is presented by the user, time to * validate the input to ensure that the DN falls under * any of the subtrees */ if (xargs.dn_from_kbd == TRUE) { /* make sure the DN falls in the subtree */ unsigned int tre=0, ntrees=0; int dnlen=0, subtreelen=0; char **subtreelist=NULL; char *dn=NULL; krb5_boolean outofsubtree=TRUE; if (xargs.dn != NULL) { dn = xargs.dn; } else if (xargs.linkdn != NULL) { dn = xargs.linkdn; } else if (standalone_principal_dn != NULL) { /* * Even though the standalone_principal_dn is constructed * within this function, there is the containerdn input * from the user that can become part of the it. */ dn = standalone_principal_dn; } /* get the current subtree list */ if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) goto cleanup; for (tre=0; tre<ntrees; ++tre) { if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) { outofsubtree = FALSE; break; } else { dnlen = strlen (dn); subtreelen = strlen(subtreelist[tre]); if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) { outofsubtree = FALSE; break; } } } for (tre=0; tre < ntrees; ++tre) { free(subtreelist[tre]); } if (outofsubtree == TRUE) { st = EINVAL; krb5_set_error_message(context, st, _("DN is out of the realm subtree")); goto cleanup; } /* * dn value will be set either by dn, linkdn or the standalone_principal_dn * In the first 2 cases, the dn should be existing and in the last case we * are supposed to create the ldap object. so the below should not be * executed for the last case. */ if (standalone_principal_dn == NULL) { /* * If the ldap object is missing, this results in an error. */ /* * Search for krbprincipalname attribute here. * This is to find if a kerberos identity is already present * on the ldap object, in which case adding a kerberos identity * on the ldap object should result in an error. */ char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL}; LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS); if (st == LDAP_SUCCESS) { ent = ldap_first_entry(ld, result); if (ent != NULL) { if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) { ldap_value_free(values); } if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { krb_identity_exists = TRUE; ldap_value_free(values); } } ldap_msgfree(result); } else { st = set_ldap_error(context, st, OP_SEARCH); goto cleanup; } } } /* * If xargs.dn is set then the request is to add a * kerberos principal on a ldap object, but if * there is one already on the ldap object this * should result in an error. */ if (xargs.dn != NULL && krb_identity_exists == TRUE) { st = EINVAL; snprintf(errbuf, sizeof(errbuf), _("ldap object is already kerberized")); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } if (xargs.linkdn != NULL) { /* * link information can be changed using modprinc. * However, link information can be changed only on the * standalone kerberos principal objects. A standalone * kerberos principal object is of type krbprincipal * structural objectclass. * * NOTE: kerberos principals on an ldap object can't be * linked to other ldap objects. */ if (optype == MODIFY_PRINCIPAL && kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) { st = EINVAL; snprintf(errbuf, sizeof(errbuf), _("link information can not be set/updated as the " "kerberos principal belongs to an ldap object")); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } /* * Check the link information. If there is already a link * existing then this operation is not allowed. */ { char **linkdns=NULL; int j=0; if ((st=krb5_get_linkdn(context, entry, &linkdns)) != 0) { snprintf(errbuf, sizeof(errbuf), _("Failed getting object references")); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } if (linkdns != NULL) { st = EINVAL; snprintf(errbuf, sizeof(errbuf), _("kerberos principal is already linked to a ldap " "object")); krb5_set_error_message(context, st, "%s", errbuf); for (j=0; linkdns[j] != NULL; ++j) free (linkdns[j]); free (linkdns); goto cleanup; } } establish_links = TRUE; } if (entry->mask & KADM5_LAST_SUCCESS) { memset(strval, 0, sizeof(strval)); if ((strval[0]=getstringtime(entry->last_success)) == NULL) goto cleanup; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); goto cleanup; } free (strval[0]); } if (entry->mask & KADM5_LAST_FAILED) { memset(strval, 0, sizeof(strval)); if ((strval[0]=getstringtime(entry->last_failed)) == NULL) goto cleanup; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); goto cleanup; } free(strval[0]); } if (entry->mask & KADM5_FAIL_AUTH_COUNT) { krb5_kvno fail_auth_count; fail_auth_count = entry->fail_auth_count; if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) fail_auth_count++; st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", LDAP_MOD_REPLACE, fail_auth_count); if (st != 0) goto cleanup; } else if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) { int attr_mask = 0; krb5_boolean has_fail_count; /* Check if the krbLoginFailedCount attribute exists. (Through * krb5 1.8.1, it wasn't set in new entries.) */ st = krb5_get_attributes_mask(context, entry, &attr_mask); if (st != 0) goto cleanup; has_fail_count = ((attr_mask & KDB_FAIL_AUTH_COUNT_ATTR) != 0); /* * If the client library and server supports RFC 4525, * then use it to increment by one the value of the * krbLoginFailedCount attribute. Otherwise, assert the * (provided) old value by deleting it before adding. */ #ifdef LDAP_MOD_INCREMENT if (ldap_server_handle->server_info->modify_increment && has_fail_count) { st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", LDAP_MOD_INCREMENT, 1); if (st != 0) goto cleanup; } else { #endif /* LDAP_MOD_INCREMENT */ if (has_fail_count) { st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", LDAP_MOD_DELETE, entry->fail_auth_count); if (st != 0) goto cleanup; } st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", LDAP_MOD_ADD, entry->fail_auth_count + 1); if (st != 0) goto cleanup; #ifdef LDAP_MOD_INCREMENT } #endif } else if (optype == ADD_PRINCIPAL) { /* Initialize krbLoginFailedCount in new entries to help avoid a * race during the first failed login. */ st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", LDAP_MOD_ADD, 0); } if (entry->mask & KADM5_MAX_LIFE) { if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entry->max_life)) != 0) goto cleanup; } if (entry->mask & KADM5_MAX_RLIFE) { if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE, entry->max_renewable_life)) != 0) goto cleanup; } if (entry->mask & KADM5_ATTRIBUTES) { if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE, entry->attributes)) != 0) goto cleanup; } if (entry->mask & KADM5_PRINCIPAL) { memset(strval, 0, sizeof(strval)); strval[0] = user; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0) goto cleanup; } if (entry->mask & KADM5_PRINC_EXPIRE_TIME) { memset(strval, 0, sizeof(strval)); if ((strval[0]=getstringtime(entry->expiration)) == NULL) goto cleanup; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); goto cleanup; } free (strval[0]); } if (entry->mask & KADM5_PW_EXPIRATION) { memset(strval, 0, sizeof(strval)); if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL) goto cleanup; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); goto cleanup; } free (strval[0]); } if (entry->mask & KADM5_POLICY) { memset(&princ_ent, 0, sizeof(princ_ent)); for (tl_data=entry->tl_data; tl_data; tl_data=tl_data->tl_data_next) { if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) { /* FIX ME: I guess the princ_ent should be freed after this call */ if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) { goto cleanup; } } } if (princ_ent.aux_attributes & KADM5_POLICY) { memset(strval, 0, sizeof(strval)); if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0) goto cleanup; strval[0] = polname; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) goto cleanup; } else { st = EINVAL; krb5_set_error_message(context, st, "Password policy value null"); goto cleanup; } } else if (entry->mask & KADM5_LOAD && found_entry == TRUE) { /* * a load is special in that existing entries must have attrs that * removed. */ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0) goto cleanup; } if (entry->mask & KADM5_POLICY_CLR) { if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) goto cleanup; } if (entry->mask & KADM5_KEY_DATA || entry->mask & KADM5_KVNO) { krb5_kvno mkvno; if ((st=krb5_dbe_lookup_mkvno(context, entry, &mkvno)) != 0) goto cleanup; bersecretkey = krb5_encode_krbsecretkey (entry->key_data, entry->n_key_data, mkvno); if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0) goto cleanup; if (!(entry->mask & KADM5_PRINCIPAL)) { memset(strval, 0, sizeof(strval)); if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL) goto cleanup; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); goto cleanup; } free (strval[0]); } /* Update last password change whenever a new key is set */ { krb5_timestamp last_pw_changed; if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0) goto cleanup; memset(strval, 0, sizeof(strval)); if ((strval[0] = getstringtime(last_pw_changed)) == NULL) goto cleanup; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); goto cleanup; } free (strval[0]); } } /* Modify Key data ends here */ /* Set tl_data */ if (entry->tl_data != NULL) { int count = 0; struct berval **ber_tl_data = NULL; krb5_tl_data *ptr; krb5_timestamp unlock_time; for (ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE #ifdef SECURID || ptr->tl_data_type == KRB5_TL_DB_ARGS #endif || ptr->tl_data_type == KRB5_TL_KADM_DATA || ptr->tl_data_type == KDB_TL_USER_INFO || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL || ptr->tl_data_type == KRB5_TL_LAST_ADMIN_UNLOCK) continue; count++; } if (count != 0) { int j; ber_tl_data = (struct berval **) calloc (count + 1, sizeof (struct berval*)); if (ber_tl_data == NULL) { st = ENOMEM; goto cleanup; } for (j = 0, ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { /* Ignore tl_data that are stored in separate directory * attributes */ if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE #ifdef SECURID || ptr->tl_data_type == KRB5_TL_DB_ARGS #endif || ptr->tl_data_type == KRB5_TL_KADM_DATA || ptr->tl_data_type == KDB_TL_USER_INFO || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL || ptr->tl_data_type == KRB5_TL_LAST_ADMIN_UNLOCK) continue; if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0) break; j++; } if (st == 0) { ber_tl_data[count] = NULL; st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData", LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, ber_tl_data); } for (j = 0; ber_tl_data[j] != NULL; j++) { free(ber_tl_data[j]->bv_val); free(ber_tl_data[j]); } free(ber_tl_data); if (st != 0) goto cleanup; } if ((st=krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time)) != 0) goto cleanup; if (unlock_time != 0) { /* Update last admin unlock */ memset(strval, 0, sizeof(strval)); if ((strval[0] = getstringtime(unlock_time)) == NULL) goto cleanup; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastAdminUnlock", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); goto cleanup; } free (strval[0]); } } /* Directory specific attribute */ if (xargs.tktpolicydn != NULL) { int tmask=0; if (strlen(xargs.tktpolicydn) != 0) { st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask); CHECK_CLASS_VALIDITY(st, tmask, _("ticket policy object value: ")); strval[0] = xargs.tktpolicydn; strval[1] = NULL; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) goto cleanup; } else { /* if xargs.tktpolicydn is a empty string, then delete * already existing krbticketpolicyreference attr */ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) goto cleanup; } } if (establish_links == TRUE) { memset(strval, 0, sizeof(strval)); strval[0] = xargs.linkdn; if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0) goto cleanup; } /* * in case mods is NULL then return * not sure but can happen in a modprinc * so no need to return an error * addprinc will at least have the principal name * and the keys passed in */ if (mods == NULL) goto cleanup; if (create_standalone_prinicipal == TRUE) { memset(strval, 0, sizeof(strval)); strval[0] = "krbprincipal"; strval[1] = "krbprincipalaux"; strval[2] = "krbTicketPolicyAux"; if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) goto cleanup; st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL); if (st == LDAP_ALREADY_EXISTS && entry->mask & KADM5_LOAD) { /* a load operation must replace an existing entry */ st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL); if (st != LDAP_SUCCESS) { snprintf(errbuf, sizeof(errbuf), _("Principal delete failed (trying to replace " "entry): %s"), ldap_err2string(st)); st = translate_ldap_error (st, OP_ADD); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } else { st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL); } } if (st != LDAP_SUCCESS) { snprintf(errbuf, sizeof(errbuf), _("Principal add failed: %s"), ldap_err2string(st)); st = translate_ldap_error (st, OP_ADD); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } } else { /* * Here existing ldap object is modified and can be related * to any attribute, so always ensure that the ldap * object is extended with all the kerberos related * objectclasses so that there are no constraint * violations. */ { char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL}; int p, q, r=0, amask=0; if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn, "objectclass", attrvalues, &amask)) != 0) goto cleanup; memset(strval, 0, sizeof(strval)); for (p=1, q=0; p<=2; p<<=1, ++q) { if ((p & amask) == 0) strval[r++] = attrvalues[q]; } if (r != 0) { if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) goto cleanup; } } if (xargs.dn != NULL) st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL); else st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL); if (st != LDAP_SUCCESS) { snprintf(errbuf, sizeof(errbuf), _("User modification failed: %s"), ldap_err2string(st)); st = translate_ldap_error (st, OP_MOD); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) entry->fail_auth_count++; } cleanup: if (user) free(user); if (filtuser) free(filtuser); free_xargs(xargs); if (standalone_principal_dn) free(standalone_principal_dn); if (principal_dn) free (principal_dn); if (polname != NULL) free(polname); if (subtree) free (subtree); if (bersecretkey) { for (l=0; bersecretkey[l]; ++l) { if (bersecretkey[l]->bv_val) free (bersecretkey[l]->bv_val); free (bersecretkey[l]); } free (bersecretkey); } if (keys) free (keys); ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); return(st); }
/* * Look up a user in the directory to see if this is an account that can be authenticated */ int CtdlTryUserLDAP(char *username, char *found_dn, int found_dn_size, char *fullname, int fullname_size, uid_t *uid, int lookup_based_on_username) { LDAP *ldserver = NULL; int i; LDAPMessage *search_result = NULL; LDAPMessage *entry = NULL; char searchstring[1024]; struct timeval tv; char **values; char *user_dn = NULL; if (fullname) safestrncpy(fullname, username, fullname_size); if (ctdl_ldap_initialize(&ldserver) != LDAP_SUCCESS) { return(errno); } ldap_set_option(ldserver, LDAP_OPT_PROTOCOL_VERSION, &ctdl_require_ldap_version); ldap_set_option(ldserver, LDAP_OPT_REFERRALS, (void *)LDAP_OPT_OFF); striplt(CtdlGetConfigStr("c_ldap_bind_dn")); striplt(CtdlGetConfigStr("c_ldap_bind_pw")); syslog(LOG_DEBUG, "LDAP bind DN: %s", CtdlGetConfigStr("c_ldap_bind_dn")); i = ldap_simple_bind_s(ldserver, (!IsEmptyStr(CtdlGetConfigStr("c_ldap_bind_dn")) ? CtdlGetConfigStr("c_ldap_bind_dn") : NULL), (!IsEmptyStr(CtdlGetConfigStr("c_ldap_bind_pw")) ? CtdlGetConfigStr("c_ldap_bind_pw") : NULL) ); if (i != LDAP_SUCCESS) { syslog(LOG_ALERT, "LDAP: Cannot bind: %s (%d)", ldap_err2string(i), i); return(i); } tv.tv_sec = 10; tv.tv_usec = 0; if (CtdlGetConfigInt("c_auth_mode") == AUTHMODE_LDAP_AD) { if (lookup_based_on_username != 0) snprintf(searchstring, sizeof(searchstring), "(displayName=%s)",username); else snprintf(searchstring, sizeof(searchstring), "(sAMAccountName=%s)", username); } else { if (lookup_based_on_username != 0) snprintf(searchstring, sizeof(searchstring), "(cn=%s)",username); else snprintf(searchstring, sizeof(searchstring), "(&(objectclass=posixAccount)(uid=%s))", username); } syslog(LOG_DEBUG, "LDAP search: %s", searchstring); (void) ldap_search_ext_s( ldserver, /* ld */ CtdlGetConfigStr("c_ldap_base_dn"), /* base */ LDAP_SCOPE_SUBTREE, /* scope */ searchstring, /* filter */ NULL, /* attrs (all attributes) */ 0, /* attrsonly (attrs + values) */ NULL, /* serverctrls (none) */ NULL, /* clientctrls (none) */ &tv, /* timeout */ 1, /* sizelimit (1 result max) */ &search_result /* res */ ); /* Ignore the return value of ldap_search_ext_s(). Sometimes it returns an error even when * the search succeeds. Instead, we check to see whether search_result is still NULL. */ if (search_result == NULL) { syslog(LOG_DEBUG, "LDAP search: zero results were returned"); ldap_unbind(ldserver); return(2); } /* At this point we've got at least one result from our query. If there are multiple * results, we still only look at the first one. */ entry = ldap_first_entry(ldserver, search_result); if (entry) { user_dn = ldap_get_dn(ldserver, entry); if (user_dn) { syslog(LOG_DEBUG, "dn = %s", user_dn); } if (CtdlGetConfigInt("c_auth_mode") == AUTHMODE_LDAP_AD) { values = ldap_get_values(ldserver, search_result, "displayName"); if (values) { if (values[0]) { if (fullname) safestrncpy(fullname, values[0], fullname_size); syslog(LOG_DEBUG, "displayName = %s", values[0]); } ldap_value_free(values); } } else { values = ldap_get_values(ldserver, search_result, "cn"); if (values) { if (values[0]) { if (fullname) safestrncpy(fullname, values[0], fullname_size); syslog(LOG_DEBUG, "cn = %s", values[0]); } ldap_value_free(values); } } /* If we know the username is the CN/displayName, we already set the uid*/ if (lookup_based_on_username==0) { if (CtdlGetConfigInt("c_auth_mode") == AUTHMODE_LDAP_AD) { values = ldap_get_values(ldserver, search_result, "objectGUID"); if (values) { if (values[0]) { if (uid != NULL) { *uid = abs(HashLittle(values[0], strlen(values[0]))); syslog(LOG_DEBUG, "uid hashed from objectGUID = %d", *uid); } } ldap_value_free(values); } } else { values = ldap_get_values(ldserver, search_result, "uidNumber"); if (values) { if (values[0]) { syslog(LOG_DEBUG, "uidNumber = %s", values[0]); if (uid != NULL) { *uid = atoi(values[0]); } } ldap_value_free(values); } } } } /* free the results */ ldap_msgfree(search_result); /* unbind so we can go back in as the authenticating user */ ldap_unbind(ldserver); if (!user_dn) { syslog(LOG_DEBUG, "No such user was found."); return(4); } if (found_dn) safestrncpy(found_dn, user_dn, found_dn_size); ldap_memfree(user_dn); return(0); }
/* * Learn LDAP attributes and stuff them into the vCard. * Returns nonzero if we changed anything. */ int Ctdl_LDAP_to_vCard(char *ldap_dn, struct vCard *v) { int changed_something = 0; LDAP *ldserver = NULL; int i; struct timeval tv; LDAPMessage *search_result = NULL; LDAPMessage *entry = NULL; char **givenName; char **sn; char **cn; char **initials; char **o; char **street; char **l; char **st; char **postalCode; char **telephoneNumber; char **mobile; char **homePhone; char **facsimileTelephoneNumber; char **mail; char **uid; char **homeDirectory; char **uidNumber; char **loginShell; char **gidNumber; char **c; char **title; char **uuid; char *attrs[] = { "*","+",NULL}; if (!ldap_dn) return(0); if (!v) return(0); if (ctdl_ldap_initialize(&ldserver) != LDAP_SUCCESS) { return(0); } ldap_set_option(ldserver, LDAP_OPT_PROTOCOL_VERSION, &ctdl_require_ldap_version); ldap_set_option(ldserver, LDAP_OPT_REFERRALS, (void *)LDAP_OPT_OFF); striplt(CtdlGetConfigStr("c_ldap_bind_dn")); striplt(CtdlGetConfigStr("c_ldap_bind_pw")); syslog(LOG_DEBUG, "LDAP bind DN: %s", CtdlGetConfigStr("c_ldap_bind_dn")); i = ldap_simple_bind_s(ldserver, (!IsEmptyStr(CtdlGetConfigStr("c_ldap_bind_dn")) ? CtdlGetConfigStr("c_ldap_bind_dn") : NULL), (!IsEmptyStr(CtdlGetConfigStr("c_ldap_bind_pw")) ? CtdlGetConfigStr("c_ldap_bind_pw") : NULL) ); if (i != LDAP_SUCCESS) { syslog(LOG_ALERT, "LDAP: Cannot bind: %s (%d)", ldap_err2string(i), i); return(0); } tv.tv_sec = 10; tv.tv_usec = 0; syslog(LOG_DEBUG, "LDAP search: %s", ldap_dn); (void) ldap_search_ext_s( ldserver, /* ld */ ldap_dn, /* base */ LDAP_SCOPE_SUBTREE, /* scope */ NULL, /* filter */ attrs, /* attrs (all attributes) */ 0, /* attrsonly (attrs + values) */ NULL, /* serverctrls (none) */ NULL, /* clientctrls (none) */ &tv, /* timeout */ 1, /* sizelimit (1 result max) */ &search_result /* res */ ); /* Ignore the return value of ldap_search_ext_s(). Sometimes it returns an error even when * the search succeeds. Instead, we check to see whether search_result is still NULL. */ if (search_result == NULL) { syslog(LOG_DEBUG, "LDAP search: zero results were returned"); ldap_unbind(ldserver); return(0); } /* At this point we've got at least one result from our query. If there are multiple * results, we still only look at the first one. */ entry = ldap_first_entry(ldserver, search_result); if (entry) { syslog(LOG_DEBUG, "LDAP search, got user details for vcard."); givenName=ldap_get_values(ldserver, search_result, "givenName"); sn=ldap_get_values(ldserver, search_result, "sn"); cn=ldap_get_values(ldserver, search_result, "cn"); initials=ldap_get_values(ldserver, search_result, "initials"); title=ldap_get_values(ldserver, search_result, "title"); o=ldap_get_values(ldserver, search_result, "o"); street=ldap_get_values(ldserver, search_result, "street"); l=ldap_get_values(ldserver, search_result, "l"); st=ldap_get_values(ldserver, search_result, "st"); postalCode=ldap_get_values(ldserver, search_result, "postalCode"); telephoneNumber=ldap_get_values(ldserver, search_result, "telephoneNumber"); mobile=ldap_get_values(ldserver, search_result, "mobile"); homePhone=ldap_get_values(ldserver, search_result, "homePhone"); facsimileTelephoneNumber=ldap_get_values(ldserver, search_result, "facsimileTelephoneNumber"); mail=ldap_get_values(ldserver, search_result, "mail"); uid=ldap_get_values(ldserver, search_result, "uid"); homeDirectory=ldap_get_values(ldserver, search_result, "homeDirectory"); uidNumber=ldap_get_values(ldserver, search_result, "uidNumber"); loginShell=ldap_get_values(ldserver, search_result, "loginShell"); gidNumber=ldap_get_values(ldserver, search_result, "gidNumber"); c=ldap_get_values(ldserver, search_result, "c"); uuid=ldap_get_values(ldserver, search_result, "entryUUID"); if (street && l && st && postalCode && c) changed_something |= vcard_set_one_prop_iff_different(v,"adr",";;%s;%s;%s;%s;%s",street[0],l[0],st[0],postalCode[0],c[0]); if (telephoneNumber) changed_something |= vcard_set_one_prop_iff_different(v,"tel;work","%s",telephoneNumber[0]); if (facsimileTelephoneNumber) changed_something |= vcard_set_one_prop_iff_different(v,"tel;fax","%s",facsimileTelephoneNumber[0]); if (mobile) changed_something |= vcard_set_one_prop_iff_different(v,"tel;cell","%s",mobile[0]); if (homePhone) changed_something |= vcard_set_one_prop_iff_different(v,"tel;home","%s",homePhone[0]); if (givenName && sn) { if (initials) { changed_something |= vcard_set_one_prop_iff_different(v,"n","%s;%s;%s",sn[0],givenName[0],initials[0]); } else { changed_something |= vcard_set_one_prop_iff_different(v,"n","%s;%s",sn[0],givenName[0]); } } if (mail) { changed_something |= vcard_set_props_iff_different(v,"email;internet",ldap_count_values(mail),mail); } if (uuid) changed_something |= vcard_set_one_prop_iff_different(v,"X-uuid","%s",uuid[0]); if (o) changed_something |= vcard_set_one_prop_iff_different(v,"org","%s",o[0]); if (cn) changed_something |= vcard_set_one_prop_iff_different(v,"fn","%s",cn[0]); if (title) changed_something |= vcard_set_one_prop_iff_different(v,"title","%s",title[0]); if (givenName) ldap_value_free(givenName); if (initials) ldap_value_free(initials); if (sn) ldap_value_free(sn); if (cn) ldap_value_free(cn); if (o) ldap_value_free(o); if (street) ldap_value_free(street); if (l) ldap_value_free(l); if (st) ldap_value_free(st); if (postalCode) ldap_value_free(postalCode); if (telephoneNumber) ldap_value_free(telephoneNumber); if (mobile) ldap_value_free(mobile); if (homePhone) ldap_value_free(homePhone); if (facsimileTelephoneNumber) ldap_value_free(facsimileTelephoneNumber); if (mail) ldap_value_free(mail); if (uid) ldap_value_free(uid); if (homeDirectory) ldap_value_free(homeDirectory); if (uidNumber) ldap_value_free(uidNumber); if (loginShell) ldap_value_free(loginShell); if (gidNumber) ldap_value_free(gidNumber); if (c) ldap_value_free(c); if (title) ldap_value_free(title); if (uuid) ldap_value_free(uuid); } /* free the results */ ldap_msgfree(search_result); /* unbind so we can go back in as the authenticating user */ ldap_unbind(ldserver); return(changed_something); /* tell the caller whether we made any changes */ }
void uwsgi_ldap_config(char *url) { LDAP *ldp; LDAPMessage *results, *entry; BerElement *ber; struct berval **bervalues; char *attr; char *uwsgi_attr; char *url_slash; int desired_version = LDAP_VERSION3; int ret; LDAPURLDesc *ldap_url; if (!ldap_is_ldap_url(url)) { uwsgi_log("invalid LDAP url.\n"); exit(1); } if (ldap_url_parse(url, &ldap_url) != LDAP_SUCCESS) { uwsgi_log("unable to parse LDAP url.\n"); exit(1); } uwsgi_log("[uWSGI] getting LDAP configuration from %s\n", url); url_slash = strchr(url, '/'); url_slash = strchr(url_slash + 1, '/'); url_slash = strchr(url_slash + 1, '/'); if (url_slash) { url_slash[0] = 0; } #ifdef UWSGI_DEBUG uwsgi_debug("LDAP URL: %s\n", url); uwsgi_debug("LDAP BASE DN: %s\n", ldap_url->lud_dn); #endif #if LDAP_API_VERSION >= 3000 if ((ret = ldap_initialize(&ldp, url)) != LDAP_SUCCESS) { uwsgi_log("LDAP: %s\n", ldap_err2string(ret)); exit(1); } #else if ((ldp = ldap_init(ldap_url->lud_host, ldap_url->lud_port)) == NULL) { uwsgi_error("ldap_init()"); exit(1); } #endif if ((ret = ldap_set_option(ldp, LDAP_OPT_PROTOCOL_VERSION, &desired_version)) != LDAP_OPT_SUCCESS) { uwsgi_log("LDAP: %s\n", ldap_err2string(ret)); exit(1); } if ((ret = ldap_search_ext_s(ldp, ldap_url->lud_dn, ldap_url->lud_scope, ldap_url->lud_filter, NULL, 0, NULL, NULL, NULL, 1, &results)) != LDAP_SUCCESS) { uwsgi_log("LDAP: %s\n", ldap_err2string(ret)); exit(1); } #ifdef UWSGI_DEBUG uwsgi_debug("LDAP connection initialized %p\n", ldp); #endif free(ldap_url); if (ldap_count_entries(ldp, results) < 1) { uwsgi_log("no LDAP entry found\n"); exit(1); } entry = ldap_first_entry(ldp, results); int found = 0; for (attr = ldap_first_attribute(ldp, entry, &ber); attr != NULL; attr = ldap_next_attribute(ldp, entry, ber)) { if (!strncmp(attr, "uWSGI", 5)) { found = 1; uwsgi_attr = malloc(calc_ldap_name(attr) + 1); if (!uwsgi_attr) { uwsgi_error("malloc()"); exit(1); } ldap2uwsgi(attr + 5, uwsgi_attr); #ifdef UWSGI_DEBUG uwsgi_debug("LDAP attribute: %s = --%s\n", attr, uwsgi_attr); #endif bervalues = ldap_get_values_len(ldp, entry, attr); if (bervalues) { // do not free uwsgi_attr/uwsgi_val; char *uwsgi_val = malloc(bervalues[0]->bv_len + 1); if (!uwsgi_val) { uwsgi_error("malloc()"); exit(1); } memcpy(uwsgi_val, bervalues[0]->bv_val, bervalues[0]->bv_len); uwsgi_val[bervalues[0]->bv_len] = 0; add_exported_option((char *) uwsgi_attr, uwsgi_val, 0); free(bervalues); } else { free(uwsgi_attr); } } free(attr); } if (!found) { uwsgi_log("no uWSGI LDAP entry found\n"); exit(1); } free(ber); free(results); ldap_unbind_ext_s(ldp, NULL, NULL); }
int ldapLogin(char *thisUid, char *thisPwd, struct threadInfo * ti) { extern struct threadInfo *pMainThreadInfo; int (*dbConnect)(struct threadStorageInfo *); void (*dbDisconnect)(struct threadStorageInfo *); int (*dbCookie)(char *, int, struct threadStorageInfo *); int (*dbInsert)(char *, int, struct threadStorageInfo *); dbConnect = pMainThreadInfo->dbInfo.connect; dbDisconnect = pMainThreadInfo->dbInfo.disconnect; dbCookie = pMainThreadInfo->dbInfo.cookie; dbInsert = pMainThreadInfo->dbInfo.insert; if(thisUid == NULL) { return(-1); } if((ti->directoryInfo.ldapUri = configFetch("ldap_uri", &ti->directoryInfo.i)) == NULL) { ti->directoryInfo.ldapUri = LDAP_MYURI; } if((ti->directoryInfo.ldapUsername = configFetch("ldap_username", &ti->directoryInfo.i)) == NULL) { ti->directoryInfo.ldapUsername = LDAP_MYUSERNAME; } if((ti->directoryInfo.ldapPassword = configFetch("ldap_password", &ti->directoryInfo.i)) == NULL) { ti->directoryInfo.ldapPassword = LDAP_MYPASSWORD; } if((ti->directoryInfo.ldapAttr = configFetch("ldap_searchattr", &ti->directoryInfo.i)) == NULL) { ti->directoryInfo.ldapAttr = LDAP_MYATTR; } if((ti->directoryInfo.ldapBase = configFetch("ldap_searchbase", &ti->directoryInfo.i)) == NULL) { ti->directoryInfo.ldapBase = LDAP_MYBASE; } if((ti->directoryInfo.ldapFilter = configFetch("ldap_searchfilter", &ti->directoryInfo.i)) == NULL) { ti->directoryInfo.ldapFilter = LDAP_MYFILTER; } if(ldap_initialize(&ti->directoryInfo.l, ti->directoryInfo.ldapUri) != LDAP_SUCCESS) { ldapMessage(ti, ERROR_SLIGHT, "Error occurred while trying to initialize LDAP connection", NULL); return(-1); } ti->directoryInfo.v = LDAP_MYVERSION; if(ldap_set_option(ti->directoryInfo.l, LDAP_OPT_PROTOCOL_VERSION, (int *) &ti->directoryInfo.v) != LDAP_OPT_SUCCESS) { ldapMessage(ti, ERROR_SLIGHT, "Error occurred while trying to initialize LDAP connection", NULL); ldap_unbind(ti->directoryInfo.l); return(-1); } if(ti->directoryInfo.ldapUsername != NULL && ti->directoryInfo.ldapUsername[0] != 0) { if(ldap_bind_s(ti->directoryInfo.l, ti->directoryInfo.ldapUsername, ti->directoryInfo.ldapPassword, LDAP_AUTH_SIMPLE) != LDAP_SUCCESS) { ldapMessage(ti, ERROR_SLIGHT, "Error occurred while trying to establish LDAP connection", ti->directoryInfo.ldapUsername); ldap_unbind(ti->directoryInfo.l); return(-1); } } ti->directoryInfo.timeVal.tv_sec = LDAP_MYTIMEOUT; ti->directoryInfo.timeVal.tv_usec = 0; if(ldap_search_st(ti->directoryInfo.l, ti->directoryInfo.ldapBase, LDAP_SCOPE_SUBTREE, ti->directoryInfo.ldapFilter, NULL, 0, &ti->directoryInfo.timeVal, &ti->directoryInfo.m) != LDAP_SUCCESS) { ldapMessage(ti, ERROR_SLIGHT, "Error occurred while trying to search from LDAP database", ti->directoryInfo.ldapFilter); ldap_unbind(ti->directoryInfo.l); return(-1); } if(ldap_count_entries(ti->directoryInfo.l, ti->directoryInfo.m) <= 0) { ldapMessage(ti, ERROR_SLIGHT, "Search from LDAP database returned no entries", ti->directoryInfo.ldapFilter); ldap_msgfree(ti->directoryInfo.m); ldap_unbind(ti->directoryInfo.l); return(-1); } if((ti->directoryInfo.e = ldap_first_entry(ti->directoryInfo.l, ti->directoryInfo.m)) == NULL) { ldapMessage(ti, ERROR_SLIGHT, "Search from LDAP database returned no entries", ti->directoryInfo.ldapFilter); ldap_msgfree(ti->directoryInfo.m); ldap_unbind(ti->directoryInfo.l); return(-1); } if((ti->directoryInfo.d = ldap_get_dn(ti->directoryInfo.l, ti->directoryInfo.e)) == NULL) { ldapMessage(ti, ERROR_SLIGHT, "Search from LDAP database returned no entries", ti->directoryInfo.ldapFilter); ldap_msgfree(ti->directoryInfo.m); ldap_unbind(ti->directoryInfo.l); return(-1); } snprintf(ti->directoryInfo.dnSpace, sizeof(ti->directoryInfo.dnSpace), "%s=%s,%s%c", ti->directoryInfo.ldapAttr, thisUid, ti->directoryInfo.d, 0); ldap_memfree(ti->directoryInfo.d); ldap_msgfree(ti->directoryInfo.m); if(ldap_bind_s(ti->directoryInfo.l, ti->directoryInfo.dnSpace, thisPwd, LDAP_AUTH_SIMPLE) != LDAP_SUCCESS) { ldapMessage(ti, ERROR_SLIGHT, "Authentication against LDAP failed", ti->directoryInfo.dnSpace); ldap_unbind(ti->directoryInfo.l); return(-1); } ldap_unbind(ti->directoryInfo.l); ti->directoryInfo.l = NULL; if(dbConnect(&ti->storageInfo) == 0) { if(dbCookie(thisUid, strlen(thisUid), &ti->storageInfo) != 0) { ldapMessage(ti, ERROR_SLIGHT, "Authentication against LDAP failed", "Error occurred while trying to create session"); dbDisconnect(&ti->storageInfo); return(-1); } if(dbInsert(thisUid, strlen(thisUid), &ti->storageInfo) != 0) { ldapMessage(ti, ERROR_SLIGHT, "Authentication against LDAP failed", "Error occurred while trying to create session"); dbDisconnect(&ti->storageInfo); return(-1); } dbDisconnect(&ti->storageInfo); return(0); } else { ldapMessage(ti, ERROR_SLIGHT, "Authentication against LDAP failed", "Error occurred while trying to create session"); return(-1); } }
/* * @uid: user's uid, list all users if * is passed in. */ static GList *ldap_list_users (CcnetUserManager *manager, const char *uid, int start, int limit) { LDAP *ld = NULL; GList *ret = NULL; int res; GString *filter; char *filter_str; char *attrs[2]; LDAPMessage *msg = NULL, *entry; ld = ldap_init_and_bind (manager->ldap_host, #ifdef WIN32 manager->use_ssl, #endif manager->user_dn, manager->password); if (!ld) return NULL; filter = g_string_new (NULL); g_string_printf (filter, "(%s=%s)", manager->login_attr, uid); filter_str = g_string_free (filter, FALSE); attrs[0] = manager->login_attr; attrs[1] = NULL; res = ldap_search_s (ld, manager->base, LDAP_SCOPE_SUBTREE, filter_str, attrs, 0, &msg); if (res != LDAP_SUCCESS) { ccnet_warning ("ldap_search failed: %s.\n", ldap_err2string(res)); ret = NULL; goto out; } int i = 0; if (start == -1) start = 0; for (entry = ldap_first_entry (ld, msg); entry != NULL; entry = ldap_next_entry (ld, entry), ++i) { char *attr; char **vals; BerElement *ber; CcnetEmailUser *user; if (i < start) continue; if (limit >= 0 && i >= start + limit) break; attr = ldap_first_attribute (ld, entry, &ber); vals = ldap_get_values (ld, entry, attr); user = g_object_new (CCNET_TYPE_EMAIL_USER, "id", 0, "email", vals[0], "is_staff", FALSE, "is_active", TRUE, "ctime", (gint64)0, NULL); ret = g_list_prepend (ret, user); ldap_memfree (attr); ldap_value_free (vals); ber_free (ber, 0); } out: ldap_msgfree (msg); g_free (filter_str); if (ld) ldap_unbind_s (ld); return ret; }
static void do_random( char *uri, char *manager, struct berval *passwd, char *sbase, int scope, char *filter, char *attr, char **srchattrs, int noattrs, int nobind, int innerloop, int maxretries, int delay, int force, int chaserefs ) { LDAP *ld = NULL; int i = 0, do_retry = maxretries; char *attrs[ 2 ]; int rc = LDAP_SUCCESS; int version = LDAP_VERSION3; int nvalues = 0; char **values = NULL; LDAPMessage *res = NULL, *e = NULL; attrs[ 0 ] = attr; attrs[ 1 ] = NULL; ldap_initialize( &ld, uri ); if ( ld == NULL ) { tester_perror( "ldap_initialize", NULL ); exit( EXIT_FAILURE ); } (void) ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ); (void) ldap_set_option( ld, LDAP_OPT_REFERRALS, chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF ); if ( do_retry == maxretries ) { fprintf( stderr, "PID=%ld - Search(%d): base=\"%s\", filter=\"%s\" attr=\"%s\".\n", (long) pid, innerloop, sbase, filter, attr ); } if ( nobind == 0 ) { rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL ); if ( rc != LDAP_SUCCESS ) { tester_ldap_error( ld, "ldap_sasl_bind_s", NULL ); switch ( rc ) { case LDAP_BUSY: case LDAP_UNAVAILABLE: /* fallthru */ default: break; } exit( EXIT_FAILURE ); } } rc = ldap_search_ext_s( ld, sbase, LDAP_SCOPE_SUBTREE, filter, attrs, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &res ); switch ( rc ) { case LDAP_SIZELIMIT_EXCEEDED: case LDAP_TIMELIMIT_EXCEEDED: case LDAP_SUCCESS: if ( ldap_count_entries( ld, res ) == 0 ) { if ( rc ) { tester_ldap_error( ld, "ldap_search_ext_s", NULL ); } break; } for ( e = ldap_first_entry( ld, res ); e != NULL; e = ldap_next_entry( ld, e ) ) { struct berval **v = ldap_get_values_len( ld, e, attr ); if ( v != NULL ) { int n = ldap_count_values_len( v ); int j; values = realloc( values, ( nvalues + n + 1 )*sizeof( char * ) ); for ( j = 0; j < n; j++ ) { values[ nvalues + j ] = strdup( v[ j ]->bv_val ); } values[ nvalues + j ] = NULL; nvalues += n; ldap_value_free_len( v ); } } ldap_msgfree( res ); if ( !values ) { fprintf( stderr, " PID=%ld - Search base=\"%s\" filter=\"%s\" got %d values.\n", (long) pid, sbase, filter, nvalues ); exit(EXIT_FAILURE); } if ( do_retry == maxretries ) { fprintf( stderr, " PID=%ld - Search base=\"%s\" filter=\"%s\" got %d values.\n", (long) pid, sbase, filter, nvalues ); } for ( i = 0; i < innerloop; i++ ) { char buf[ BUFSIZ ]; #if 0 /* use high-order bits for better randomness (Numerical Recipes in "C") */ int r = rand() % nvalues; #endif int r = ((double)nvalues)*rand()/(RAND_MAX + 1.0); snprintf( buf, sizeof( buf ), "(%s=%s)", attr, values[ r ] ); do_search( uri, manager, passwd, sbase, scope, buf, &ld, srchattrs, noattrs, nobind, 1, maxretries, delay, force, chaserefs ); } break; default: tester_ldap_error( ld, "ldap_search_ext_s", NULL ); break; } fprintf( stderr, " PID=%ld - Search done (%d).\n", (long) pid, rc ); if ( ld != NULL ) { ldap_unbind_ext( ld, NULL, NULL ); } }
void LDAPSession::stringSearch ( string dn,const list<string> &attributes, string searchParam, list<LDAPStringEntry>& result ) { char** attr; attr= ( char** ) malloc ( sizeof ( char* ) *attributes.size() +1 ); int i=0; list<string>::const_iterator it=attributes.begin(); list<string>::const_iterator end=attributes.end(); for ( ;it!=end;++it ) { attr[i]= ( char* ) malloc ( sizeof ( char ) * ( *it ).length() +1 ); strcpy ( attr[i], ( *it ).c_str() ); ++i; } attr[i]=0l; LDAPMessage* res; int errc=ldap_search_s ( ld,dn.c_str(),LDAP_SCOPE_SUBTREE, searchParam.c_str(),attr,0,&res ); if ( errc != LDAP_SUCCESS ) { i=0; it=attributes.begin(); for ( ;it!=end;++it ) { free ( attr[i] ); ++i; } free ( attr ); throw LDAPExeption ( "ldap_search_s",ldap_err2string ( errc ) ); } LDAPMessage *entry=ldap_first_entry ( ld,res ); while ( entry ) { LDAPStringEntry stringEntry; it=attributes.begin(); for ( ;it!=end;++it ) { LDAPStringValue val; val.attr= ( *it ); char **atr=ldap_get_values ( ld,entry, ( *it ).c_str() ); int count=ldap_count_values ( atr ); for ( i=0;i<count;i++ ) { val.value.push_back ( atr[i] ); } ldap_value_free ( atr ); stringEntry.push_back ( val ); } entry=ldap_next_entry ( ld,entry ); result.push_back ( stringEntry ); } free ( res ); i=0; it=attributes.begin(); for ( ;it!=end;++it ) { free ( attr[i] ); ++i; } free ( attr ); }
static int do_entry2text_search( LDAP *ld, char *dn, /* if NULL, use entry */ char *base, /* if NULL, no search actions */ LDAPMessage *entry, /* if NULL, use dn */ struct ldap_disptmpl* tmpllist, /* if NULL, no template used */ char **defattrs, char ***defvals, writeptype writeproc, void *writeparm, char *eol, int rdncount, /* if 0, display full DN */ unsigned long opts, char *urlprefix ) { int err, freedn, html; char *buf, **fetchattrs, **vals; LDAPMessage *ldmp; struct ldap_disptmpl *tmpl; struct timeval timeout; if ( !NSLDAPI_VALID_LDAP_POINTER( ld )) { return( LDAP_PARAM_ERROR ); } if ( dn == NULL && entry == NULLMSG ) { err = LDAP_PARAM_ERROR; LDAP_SET_LDERRNO( ld, err, NULL, NULL ); return( err ); } html = ( urlprefix != NULL ); timeout.tv_sec = SEARCH_TIMEOUT_SECS; timeout.tv_usec = 0; if (( buf = NSLDAPI_MALLOC( LDAP_DTMPL_BUFSIZ )) == NULL ) { err = LDAP_NO_MEMORY; LDAP_SET_LDERRNO( ld, err, NULL, NULL ); return( err ); } freedn = 0; tmpl = NULL; if ( dn == NULL ) { if (( dn = ldap_get_dn( ld, entry )) == NULL ) { NSLDAPI_FREE( buf ); return( LDAP_GET_LDERRNO( ld, NULL, NULL ) ); } freedn = 1; } if ( tmpllist != NULL ) { ldmp = NULLMSG; if ( entry == NULL ) { char *ocattrs[2]; ocattrs[0] = OCATTRNAME; ocattrs[1] = NULL; #ifdef CLDAP if ( LDAP_IS_CLDAP( ld )) err = cldap_search_s( ld, dn, LDAP_SCOPE_BASE, "objectClass=*", ocattrs, 0, &ldmp, NULL ); else #endif /* CLDAP */ err = ldap_search_st( ld, dn, LDAP_SCOPE_BASE, "objectClass=*", ocattrs, 0, &timeout, &ldmp ); if ( err == LDAP_SUCCESS ) { entry = ldap_first_entry( ld, ldmp ); } } if ( entry != NULL ) { vals = ldap_get_values( ld, entry, OCATTRNAME ); tmpl = ldap_oc2template( vals, tmpllist ); if ( vals != NULL ) { ldap_value_free( vals ); } } if ( ldmp != NULL ) { ldap_msgfree( ldmp ); } } entry = NULL; if ( tmpl == NULL ) { fetchattrs = NULL; } else { fetchattrs = ldap_tmplattrs( tmpl, NULL, 1, LDAP_SYN_OPT_DEFER ); } #ifdef CLDAP if ( LDAP_IS_CLDAP( ld )) err = cldap_search_s( ld, dn, LDAP_SCOPE_BASE, "objectClass=*", fetchattrs, 0, &ldmp, NULL ); else #endif /* CLDAP */ err = ldap_search_st( ld, dn, LDAP_SCOPE_BASE, "objectClass=*", fetchattrs, 0, &timeout, &ldmp ); if ( freedn ) { NSLDAPI_FREE( dn ); } if ( fetchattrs != NULL ) { ldap_value_free( fetchattrs ); } if ( err != LDAP_SUCCESS || ( entry = ldap_first_entry( ld, ldmp )) == NULL ) { NSLDAPI_FREE( buf ); return( LDAP_GET_LDERRNO( ld, NULL, NULL ) ); } err = do_entry2text( ld, buf, base, entry, tmpl, defattrs, defvals, writeproc, writeparm, eol, rdncount, opts, urlprefix ); NSLDAPI_FREE( buf ); ldap_msgfree( ldmp ); return( err ); }
int main() { LDAP *ld; /* LDAP resource handle */ LDAPMessage *result, *e; /* LDAP result handle */ BerElement *ber; /* array of attributes */ char *attribute; char **vals; int i,rc=0; char *attribs[3]; /* attribute array for search */ attribs[0]=strdup("uid"); /* return uid and cn of entries */ attribs[1]=strdup("cn"); attribs[2]=NULL; /* array must be NULL terminated */ /* setup LDAP connection */ if ((ld=ldap_init(LDAP_HOST, LDAP_PORT)) == NULL) { perror("ldap_init failed"); return EXIT_FAILURE; } printf("connected to LDAP server %s on port %d\n",LDAP_HOST,LDAP_PORT); /* anonymous bind */ rc = ldap_simple_bind_s(ld,BIND_USER,BIND_PW); if (rc != LDAP_SUCCESS) { fprintf(stderr,"LDAP error: %s\n",ldap_err2string(rc)); return EXIT_FAILURE; } else { printf("bind successful\n"); } /* perform ldap search */ rc = ldap_search_s(ld, SEARCHBASE, SCOPE, FILTER, attribs, 0, &result); if (rc != LDAP_SUCCESS) { fprintf(stderr,"LDAP search error: %s\n",ldap_err2string(rc)); return EXIT_FAILURE; } printf("Total results: %d\n", ldap_count_entries(ld, result)); for (e = ldap_first_entry(ld, result); e != NULL; e = ldap_next_entry(ld,e)) { printf("DN: %s\n", ldap_get_dn(ld,e)); // ab hier kann abgebrochen werden für unser ftp-server /* Now print the attributes and values of each found entry */ for (attribute = ldap_first_attribute(ld,e,&ber); attribute!=NULL; attribute = ldap_next_attribute(ld,e,ber)) { if ((vals=ldap_get_values(ld,e,attribute)) != NULL) { for (i=0;vals[i]!=NULL;i++) { printf("\t%s: %s\n",attribute,vals[i]); } /* free memory used to store the values of the attribute */ ldap_value_free(vals); } /* free memory used to store the attribute */ ldap_memfree(attribute); } /* free memory used to store the value structure */ if (ber != NULL) ber_free(ber,0); printf("\n"); } /* free memory used for result */ ldap_msgfree(result); free(attribs[0]); free(attribs[1]); printf("LDAP search suceeded\n"); ldap_unbind(ld); return EXIT_SUCCESS; }
/** Convert group membership information into attributes * * @param[in] inst rlm_ldap configuration. * @param[in] request Current request. * @param[in,out] pconn to use. May change as this function calls functions which auto re-connect. * @return One of the RLM_MODULE_* values. */ rlm_rcode_t rlm_ldap_cacheable_groupobj(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn) { rlm_rcode_t rcode = RLM_MODULE_OK; ldap_rcode_t status; int ldap_errno; LDAPMessage *result = NULL; LDAPMessage *entry; char const *base_dn; char base_dn_buff[LDAP_MAX_DN_STR_LEN]; char const *filters[] = { inst->groupobj_filter, inst->groupobj_membership_filter }; char filter[LDAP_MAX_FILTER_STR_LEN + 1]; char const *attrs[] = { inst->groupobj_name_attr, NULL }; VALUE_PAIR *vp; char *dn; rad_assert(inst->groupobj_base_dn); if (!inst->groupobj_membership_filter) { RDEBUG2("Skipping caching group objects as directive 'group.membership_filter' is not set"); return RLM_MODULE_OK; } if (rlm_ldap_xlat_filter(request, filters, sizeof(filters) / sizeof(*filters), filter, sizeof(filter)) < 0) { return RLM_MODULE_INVALID; } if (tmpl_expand(&base_dn, base_dn_buff, sizeof(base_dn_buff), request, inst->groupobj_base_dn, rlm_ldap_escape_func, NULL) < 0) { REDEBUG("Failed creating base_dn"); return RLM_MODULE_INVALID; } status = rlm_ldap_search(&result, inst, request, pconn, base_dn, inst->groupobj_scope, filter, attrs, NULL, NULL); switch (status) { case LDAP_PROC_SUCCESS: break; case LDAP_PROC_NO_RESULT: RDEBUG2("No cacheable group memberships found in group objects"); goto finish; default: rcode = RLM_MODULE_FAIL; goto finish; } entry = ldap_first_entry((*pconn)->handle, result); if (!entry) { ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno)); goto finish; } RDEBUG("Adding cacheable group object memberships"); do { if (inst->cacheable_group_dn) { dn = ldap_get_dn((*pconn)->handle, entry); if (!dn) { ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); REDEBUG("Retrieving object DN from entry failed: %s", ldap_err2string(ldap_errno)); goto finish; } rlm_ldap_normalise_dn(dn, dn); MEM(vp = pair_make_config(inst->cache_da->name, NULL, T_OP_ADD)); fr_pair_value_strcpy(vp, dn); RINDENT(); RDEBUG("&control:%s += \"%s\"", inst->cache_da->name, dn); REXDENT(); ldap_memfree(dn); } if (inst->cacheable_group_name) { struct berval **values; values = ldap_get_values_len((*pconn)->handle, entry, inst->groupobj_name_attr); if (!values) continue; MEM(vp = pair_make_config(inst->cache_da->name, NULL, T_OP_ADD)); fr_pair_value_bstrncpy(vp, values[0]->bv_val, values[0]->bv_len); RINDENT(); RDEBUG("&control:%s += \"%.*s\"", inst->cache_da->name, (int)values[0]->bv_len, values[0]->bv_val); REXDENT(); ldap_value_free_len(values); } } while ((entry = ldap_next_entry((*pconn)->handle, entry))); finish: if (result) ldap_msgfree(result); return rcode; }
static isc_result_t ldap_process_results (LDAP * dbc, LDAPMessage * msg, char **attrs, void *ptr, isc_boolean_t allnodes) { isc_result_t result = ISC_R_SUCCESS; int i = 0; int j; int len; char *attribute = NULL; LDAPMessage *entry; char *endp = NULL; char *host = NULL; char *type = NULL; char *data = NULL; char **vals = NULL; int ttl; /* make sure there are at least some attributes to process. */ REQUIRE (attrs != NULL || attrs[0] != NULL); /* get the first entry to process */ entry = ldap_first_entry (dbc, msg); if (entry == NULL) { isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ, ISC_LOG_INFO, "LDAP no entries to process."); return (ISC_R_FAILURE); } /* loop through all entries returned */ while (entry != NULL) { /* reset for this loop */ ttl = 0; len = 0; i = 0; attribute = attrs[i]; /* determine how much space we need for data string */ for (j = 0; attrs[j] != NULL; j++) { /* get the list of values for this attribute. */ vals = ldap_get_values (dbc, entry, attrs[j]); /* skip empty attributes. */ if (vals == NULL || ldap_count_values (vals) < 1) continue; /* * we only use the first value. this driver * does not support multi-valued attributes. */ len = len + strlen (vals[0]) + 1; /* free vals for next loop */ ldap_value_free (vals); } /* end for (j = 0; attrs[j] != NULL, j++) loop */ /* allocate memory for data string */ data = isc_mem_allocate (ns_g_mctx, len + 1); if (data == NULL) { isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ, ISC_LOG_ERROR, "LDAP driver unable to allocate memory " "while processing results"); result = ISC_R_FAILURE; goto cleanup; } /* * Make sure data is null termed at the beginning so * we can check if any data was stored to it later. */ data[0] = '\0'; /* reset j to re-use below */ j = 0; /* loop through the attributes in the order specified. */ while (attribute != NULL) { /* get the list of values for this attribute. */ vals = ldap_get_values (dbc, entry, attribute); /* skip empty attributes. */ if (vals == NULL || vals[0] == NULL) { /* increment attibute pointer */ attribute = attrs[++i]; /* start loop over */ continue; } /* * j initially = 0. Increment j each time we * set a field that way next loop will set * next field. */ switch (j) { case 0: j++; /* * convert text to int, make sure it * worked right */ ttl = strtol (vals[0], &endp, 10); if (*endp != '\0' || ttl < 0) { isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ, ISC_LOG_ERROR, "LDAP driver ttl must " "be a postive number"); goto cleanup; } break; case 1: j++; type = isc_mem_strdup (ns_g_mctx, vals[0]); break; case 2: j++; if (allnodes == isc_boolean_true) { host = isc_mem_strdup (ns_g_mctx, vals[0]); } else { strcpy (data, vals[0]); } break; case 3: j++; if (allnodes == isc_boolean_true) { strcpy (data, vals[0]); } else { strcat (data, " "); strcat (data, vals[0]); } break; default: strcat (data, " "); strcat (data, vals[0]); break; } /* end switch(j) */ /* free values */ ldap_value_free (vals); vals = NULL; /* increment attibute pointer */ attribute = attrs[++i]; } /* end while (attribute != NULL) */ if (type == NULL) { isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ, ISC_LOG_ERROR, "LDAP driver unable " "to retrieve DNS type"); result = ISC_R_FAILURE; goto cleanup; } if (strlen (data) < 1) { isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ, ISC_LOG_ERROR, "LDAP driver unable " "to retrieve DNS data"); result = ISC_R_FAILURE; goto cleanup; } if (allnodes == isc_boolean_true) { if (strcasecmp (host, "~") == 0) result = dns_sdlz_putnamedrr ((dns_sdlzallnodes_t *) ptr, "*", type, ttl, data); else result = dns_sdlz_putnamedrr ((dns_sdlzallnodes_t *) ptr, host, type, ttl, data); if (result != ISC_R_SUCCESS) isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ, ISC_LOG_ERROR, "dlz-ldap: putnamedrr failed " "for \"%s %s %u %s\", %s", host, type, ttl, data, isc_result_totext (result)); } else { result = dns_sdlz_putrr ((dns_sdlzlookup_t *) ptr, type, ttl, data); if (result != ISC_R_SUCCESS) isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ, ISC_LOG_ERROR, "dlz-ldap: putrr failed " "for \"%s %u %s\", %s", type, ttl, data, isc_result_totext (result)); } if (result != ISC_R_SUCCESS) { isc_log_write (dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DLZ, ISC_LOG_ERROR, "LDAP driver failed " "while sending data to BIND."); goto cleanup; } /* free memory for type, data and host for next loop */ isc_mem_free (ns_g_mctx, type); isc_mem_free (ns_g_mctx, data); if (host != NULL) isc_mem_free (ns_g_mctx, host); /* get the next entry to process */ entry = ldap_next_entry (dbc, entry); } /* end while (entry != NULL) */ cleanup: /* de-allocate memory */ if (vals != NULL) ldap_value_free (vals); if (host != NULL) isc_mem_free (ns_g_mctx, host); if (type != NULL) isc_mem_free (ns_g_mctx, type); if (data != NULL) isc_mem_free (ns_g_mctx, data); return (result); }
/** Query the LDAP directory to check if a user object is a member of a group * * @param[in] inst rlm_ldap configuration. * @param[in] request Current request. * @param[in,out] pconn to use. May change as this function calls functions which auto re-connect. * @param[in] dn of user object. * @param[in] check vp containing the group value (name or dn). * @return One of the RLM_MODULE_* values. */ rlm_rcode_t rlm_ldap_check_userobj_dynamic(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, VALUE_PAIR *check) { rlm_rcode_t rcode = RLM_MODULE_NOTFOUND, ret; ldap_rcode_t status; bool name_is_dn = false, value_is_dn = false; LDAPMessage *result = NULL; LDAPMessage *entry = NULL; struct berval **values = NULL; char const *attrs[] = { inst->userobj_membership_attr, NULL }; int i, count, ldap_errno; RDEBUG2("Checking user object's %s attributes", inst->userobj_membership_attr); RINDENT(); status = rlm_ldap_search(&result, inst, request, pconn, dn, LDAP_SCOPE_BASE, NULL, attrs, NULL, NULL); REXDENT(); switch (status) { case LDAP_PROC_SUCCESS: break; case LDAP_PROC_NO_RESULT: RDEBUG("Can't check membership attributes, user object not found"); rcode = RLM_MODULE_NOTFOUND; /* FALL-THROUGH */ default: goto finish; } entry = ldap_first_entry((*pconn)->handle, result); if (!entry) { ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno)); rcode = RLM_MODULE_FAIL; goto finish; } values = ldap_get_values_len((*pconn)->handle, entry, inst->userobj_membership_attr); if (!values) { RDEBUG("No group membership attribute(s) found in user object"); goto finish; } /* * Loop over the list of groups the user is a member of, * looking for a match. */ name_is_dn = rlm_ldap_is_dn(check->vp_strvalue, check->vp_length); count = ldap_count_values_len(values); for (i = 0; i < count; i++) { value_is_dn = rlm_ldap_is_dn(values[i]->bv_val, values[i]->bv_len); RDEBUG2("Processing %s value \"%.*s\" as a %s", inst->userobj_membership_attr, (int)values[i]->bv_len, values[i]->bv_val, value_is_dn ? "DN" : "group name"); /* * Both literal group names, do case sensitive comparison */ if (!name_is_dn && !value_is_dn) { if ((check->vp_length == values[i]->bv_len) && (memcmp(values[i]->bv_val, check->vp_strvalue, values[i]->bv_len) == 0)) { RDEBUG("User found in group \"%s\". Comparison between membership: name, check: name", check->vp_strvalue); rcode = RLM_MODULE_OK; goto finish; } continue; } /* * Both DNs, do case insensitive, binary safe comparison */ if (name_is_dn && value_is_dn) { if (check->vp_length == values[i]->bv_len) { int j; for (j = 0; j < (int)values[i]->bv_len; j++) { if (tolower(values[i]->bv_val[j]) != tolower(check->vp_strvalue[j])) break; } if (j == (int)values[i]->bv_len) { RDEBUG("User found in group DN \"%s\". " "Comparison between membership: dn, check: dn", check->vp_strvalue); rcode = RLM_MODULE_OK; goto finish; } } continue; } /* * If the value is not a DN, and the name we were given is a dn * convert the value to a DN and do a comparison. */ if (!value_is_dn && name_is_dn) { char *resolved; bool eq = false; RINDENT(); ret = rlm_ldap_group_dn2name(inst, request, pconn, check->vp_strvalue, &resolved); REXDENT(); if (ret != RLM_MODULE_OK) { rcode = ret; goto finish; } if (((talloc_array_length(resolved) - 1) == values[i]->bv_len) && (memcmp(values[i]->bv_val, resolved, values[i]->bv_len) == 0)) eq = true; talloc_free(resolved); if (eq) { RDEBUG("User found in group \"%.*s\". Comparison between membership: name, check: name " "(resolved from DN \"%s\")", (int)values[i]->bv_len, values[i]->bv_val, check->vp_strvalue); rcode = RLM_MODULE_OK; goto finish; } continue; } /* * We have a value which is a DN, and a check item which specifies the name of a group, * convert the value to a name so we can do a comparison. */ if (value_is_dn && !name_is_dn) { char *resolved; char *value; bool eq = false; value = rlm_ldap_berval_to_string(request, values[i]); RINDENT(); ret = rlm_ldap_group_dn2name(inst, request, pconn, value, &resolved); REXDENT(); talloc_free(value); if (ret != RLM_MODULE_OK) { rcode = ret; goto finish; } if (((talloc_array_length(resolved) - 1) == check->vp_length) && (memcmp(check->vp_strvalue, resolved, check->vp_length) == 0)) eq = true; talloc_free(resolved); if (eq) { RDEBUG("User found in group \"%s\". Comparison between membership: name " "(resolved from DN \"%s\"), check: name", check->vp_strvalue, value); rcode = RLM_MODULE_OK; goto finish; } continue; } rad_assert(0); } finish: if (values) ldap_value_free_len(values); if (result) ldap_msgfree(result); return rcode; }
/* * Map key -> value resolution * NOTE: these are old-fashion maps; new maps will be parsed on separate * config lines, and referred by name. */ int rewrite_xmap_apply( struct rewrite_info *info, struct rewrite_op *op, struct rewrite_map *map, struct berval *key, struct berval *val ) { int rc = REWRITE_SUCCESS; assert( info != NULL ); assert( op != NULL ); assert( map != NULL ); assert( key != NULL ); assert( val != NULL ); val->bv_val = NULL; val->bv_len = 0; switch ( map->lm_type ) { #ifdef HAVE_GETPWNAM case REWRITE_MAP_XPWDMAP: { struct passwd *pwd; #ifdef USE_REWRITE_LDAP_PVT_THREADS ldap_pvt_thread_mutex_lock( &xpasswd_mutex ); #endif /* USE_REWRITE_LDAP_PVT_THREADS */ pwd = getpwnam( key->bv_val ); if ( pwd == NULL ) { #ifdef USE_REWRITE_LDAP_PVT_THREADS ldap_pvt_thread_mutex_unlock( &xpasswd_mutex ); #endif /* USE_REWRITE_LDAP_PVT_THREADS */ rc = LDAP_NO_SUCH_OBJECT; break; } #ifdef HAVE_STRUCT_PASSWD_PW_GECOS if ( pwd->pw_gecos != NULL && pwd->pw_gecos[0] != '\0' ) { int l = strlen( pwd->pw_gecos ); val->bv_val = strdup( pwd->pw_gecos ); val->bv_len = l; } else #endif /* HAVE_STRUCT_PASSWD_PW_GECOS */ { val->bv_val = strdup( key->bv_val ); val->bv_len = key->bv_len; } #ifdef USE_REWRITE_LDAP_PVT_THREADS ldap_pvt_thread_mutex_unlock( &xpasswd_mutex ); #endif /* USE_REWRITE_LDAP_PVT_THREADS */ if ( val->bv_val == NULL ) { rc = REWRITE_ERR; } break; } #endif /* HAVE_GETPWNAM*/ case REWRITE_MAP_XFILEMAP: { char buf[1024]; if ( map->lm_args == NULL ) { rc = REWRITE_ERR; break; } #ifdef USE_REWRITE_LDAP_PVT_THREADS ldap_pvt_thread_mutex_lock( &map->lm_mutex ); #endif /* USE_REWRITE_LDAP_PVT_THREADS */ rewind( ( FILE * )map->lm_args ); while ( fgets( buf, sizeof( buf ), ( FILE * )map->lm_args ) ) { char *p; int blen; blen = strlen( buf ); if ( buf[ blen - 1 ] == '\n' ) { buf[ blen - 1 ] = '\0'; } p = strtok( buf, " " ); if ( p == NULL ) { #ifdef USE_REWRITE_LDAP_PVT_THREADS ldap_pvt_thread_mutex_unlock( &map->lm_mutex ); #endif /* USE_REWRITE_LDAP_PVT_THREADS */ rc = REWRITE_ERR; goto rc_return; } if ( strcasecmp( p, key->bv_val ) == 0 && ( p = strtok( NULL, "" ) ) ) { val->bv_val = strdup( p ); if ( val->bv_val == NULL ) { #ifdef USE_REWRITE_LDAP_PVT_THREADS ldap_pvt_thread_mutex_unlock( &map->lm_mutex ); #endif /* USE_REWRITE_LDAP_PVT_THREADS */ rc = REWRITE_ERR; goto rc_return; } val->bv_len = strlen( p ); #ifdef USE_REWRITE_LDAP_PVT_THREADS ldap_pvt_thread_mutex_unlock( &map->lm_mutex ); #endif /* USE_REWRITE_LDAP_PVT_THREADS */ goto rc_return; } } #ifdef USE_REWRITE_LDAP_PVT_THREADS ldap_pvt_thread_mutex_unlock( &map->lm_mutex ); #endif /* USE_REWRITE_LDAP_PVT_THREADS */ rc = REWRITE_ERR; break; } case REWRITE_MAP_XLDAPMAP: { LDAP *ld; char filter[1024]; LDAPMessage *res = NULL, *entry; LDAPURLDesc *lud = ( LDAPURLDesc * )map->lm_args; int attrsonly = 0; char **values; assert( lud != NULL ); /* * No mutex because there is no write on the map data */ ld = ldap_init( lud->lud_host, lud->lud_port ); if ( ld == NULL ) { rc = REWRITE_ERR; goto rc_return; } snprintf( filter, sizeof( filter ), lud->lud_filter, key->bv_val ); if ( strcasecmp( lud->lud_attrs[ 0 ], "dn" ) == 0 ) { attrsonly = 1; } rc = ldap_search_s( ld, lud->lud_dn, lud->lud_scope, filter, lud->lud_attrs, attrsonly, &res ); if ( rc != LDAP_SUCCESS ) { ldap_unbind( ld ); rc = REWRITE_ERR; goto rc_return; } if ( ldap_count_entries( ld, res ) != 1 ) { ldap_unbind( ld ); rc = REWRITE_ERR; goto rc_return; } entry = ldap_first_entry( ld, res ); if ( entry == NULL ) { ldap_msgfree( res ); ldap_unbind( ld ); rc = REWRITE_ERR; goto rc_return; } if ( attrsonly == 1 ) { val->bv_val = ldap_get_dn( ld, entry ); } else { values = ldap_get_values( ld, entry, lud->lud_attrs[0] ); if ( values != NULL ) { val->bv_val = strdup( values[ 0 ] ); ldap_value_free( values ); } } ldap_msgfree( res ); ldap_unbind( ld ); if ( val->bv_val == NULL ) { rc = REWRITE_ERR; goto rc_return; } val->bv_len = strlen( val->bv_val ); rc = REWRITE_SUCCESS; } break; } rc_return:; return rc; }
static DWORD VMCALdapFindObject( PVMCA_LDAP_CONTEXT pContext, PCSTR pszBaseDN, ber_int_t scope, PCSTR pszAttribute, PCSTR pszValue, PSTR *ppszObjectDN ) { DWORD dwError = 0; DWORD dwNumEntries = 0; LDAPMessage* pResult = NULL; LDAPMessage* pEntry = NULL; PSTR pszFilter = NULL; PSTR pszObjectDN = NULL; if (pszAttribute && pszValue) { VMCAAllocateStringPrintfA(&pszFilter, "(%s=%s)", pszAttribute, pszValue); } dwError = ldap_search_ext_s( pContext->pConnection, (PSTR)pszBaseDN, scope, pszFilter, NULL, /* attributes */ TRUE, NULL, /* server controls */ NULL, /* client controls */ NULL, /* timeout */ 0, &pResult); BAIL_ON_ERROR(dwError); dwNumEntries = ldap_count_entries(pContext->pConnection, pResult); if (dwNumEntries > 1) { dwError = ERROR_INVALID_STATE; BAIL_ON_ERROR(dwError); } else if (dwNumEntries == 0) { dwError = ERROR_NOT_FOUND; BAIL_ON_ERROR(dwError); } else { pEntry = ldap_first_entry(pContext->pConnection, pResult); if (!pEntry) { dwError = ERROR_INVALID_STATE; BAIL_ON_ERROR(dwError); } pszObjectDN = ldap_get_dn(pContext->pConnection, pEntry); if (IsNullOrEmptyString(pszObjectDN)) { dwError = ERROR_INVALID_STATE; BAIL_ON_ERROR(dwError); } *ppszObjectDN = pszObjectDN; } cleanup: if (pResult) { ldap_msgfree(pResult); } VMCA_SAFE_FREE_STRINGA(pszFilter); return dwError; error : VMCA_SAFE_FREE_STRINGA(pszObjectDN); if (dwError == LDAP_NO_SUCH_OBJECT) { dwError = 0; } goto cleanup; }
static void *search_thread(char *id) { LDAPMessage *res, *entry; char *dn, filter[40]; int rc, opcount; void *voidrc = (void *)0; printf("Starting search_thread %s.\n", id); opcount = 0; tsd_setup(); for (;;) { if (range_filters) { switch (get_random_id() % 3) { case 0: sprintf(filter, "(cn>=%d)", get_random_id()); break; case 1: sprintf(filter, "(cn<=%d)", get_random_id()); break; case 2: sprintf(filter, "(&(cn>=%d)(cn<=%d))", get_random_id(), get_random_id()); break; } } else { sprintf(filter, "cn=%d", get_random_id()); } printf("Thread %s: Searching for entry (%s)\n", id, filter); res = NULL; if ((rc = ldap_search_ext_s(ld, BASE, SCOPE, filter, NULL, 0, NULL, NULL, NULL, 0, &res)) != LDAP_SUCCESS) { ldap_perror(ld, "ldap_search_ext_s"); if (rc == LDAP_SERVER_DOWN) { perror("ldap_search_ext_s"); voidrc = (void *)1; goto search_cleanup_and_return; } } if (res != NULL) { entry = ldap_first_entry(ld, res); if (entry == NULL) { printf("Thread %s: found no entries\n", id); } else { dn = ldap_get_dn(ld, entry); printf("Thread %s: found entry (%s); %d total\n", id, dn == NULL ? "(Null)" : dn, ldap_count_entries(ld, res)); ldap_memfree(dn); } ldap_msgfree(res); } ++opcount; if (maxops != 0 && opcount >= maxops) { break; } } search_cleanup_and_return: printf("Thread %s: attempted %d search operations\n", id, opcount); set_ld_error(0, NULL, NULL, NULL); /* disposes of memory */ tsd_cleanup(); free(id); return voidrc; }
DWORD VMCALdapGetMemberships( PVMCA_LDAP_CONTEXT pConnection, PCSTR pszUPNName, PSTR **pppszMemberships, PDWORD pdwMemberships ) { DWORD dwError = 0; PSTR pszFilter = NULL; PSTR pszAttrMemberOf = ATTR_MEMBEROF; // memberOf PSTR ppszAttrs[] = { pszAttrMemberOf, NULL}; DWORD dwCount = 0; LDAPMessage *pResult = NULL; LDAPMessage *pEntry = NULL; struct berval** ppValues = NULL; PSTR *ppszMemberships = NULL; DWORD dwMemberships = 0; DWORD i = 0; LDAP *pLd = NULL; if (pConnection == NULL || pConnection->pConnection == NULL || IsNullOrEmptyString(pszUPNName) || pppszMemberships == NULL || pdwMemberships == NULL) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_VMCA_ERROR(dwError); } pLd = pConnection->pConnection; dwError = VMCAAllocateStringPrintfA(&pszFilter, "(%s=%s)", ATTR_KRB_UPN, pszUPNName); // userPrincipalName BAIL_ON_VMCA_ERROR(dwError); dwError = ldap_search_ext_s( pLd, "", LDAP_SCOPE_SUBTREE, pszFilter, (PSTR*)ppszAttrs, 0, NULL, NULL, NULL, -1, &pResult); BAIL_ON_VMCA_ERROR(dwError); dwCount = ldap_count_entries(pLd, pResult); if (dwCount == 0) { dwError = LDAP_NO_SUCH_OBJECT; BAIL_ON_VMCA_ERROR(dwError); } else if (dwCount > 1) { dwError = LDAP_OPERATIONS_ERROR; BAIL_ON_VMCA_ERROR(dwError); } pEntry = ldap_first_entry(pLd, pResult); if (!pEntry) { dwError = LDAP_NO_SUCH_OBJECT; BAIL_ON_VMCA_ERROR(dwError); } ppValues = ldap_get_values_len(pLd, pEntry, pszAttrMemberOf); if (!ppValues) { dwMemberships = 0; } else { dwMemberships = ldap_count_values_len(ppValues); } if (dwMemberships) { dwError = VMCAAllocateMemory(dwMemberships * sizeof(PSTR), (PVOID*)&ppszMemberships); BAIL_ON_VMCA_ERROR(dwError); for (i = 0; ppValues[i] != NULL; i++) { PCSTR pszMemberOf = ppValues[i]->bv_val; dwError = VMCAAllocateStringA(pszMemberOf, &ppszMemberships[i]); BAIL_ON_VMCA_ERROR(dwError); } } *pppszMemberships = ppszMemberships; *pdwMemberships = dwMemberships; cleanup: if(ppValues) { ldap_value_free_len(ppValues); } if (pResult) { ldap_msgfree(pResult); } VMCA_SAFE_FREE_MEMORY(pszFilter); return dwError; error: if (ppszMemberships != NULL && dwMemberships > 0) { for (i = 0; i < dwMemberships; i++) { VMCA_SAFE_FREE_STRINGA(ppszMemberships[i]); } VMCA_SAFE_FREE_MEMORY(ppszMemberships); } goto cleanup; }
void run_ldap_tests(service_t *ldaptest, int sslcertcheck, int querytimeout) { #ifdef XYMON_LDAP ldap_data_t *req; testitem_t *t; struct timespec starttime; struct timespec endtime; /* Pick a sensible default for the timeout setting */ if (querytimeout == 0) querytimeout = 30; for (t = ldaptest->items; (t); t = t->next) { LDAPURLDesc *ludp; LDAP *ld; int rc, finished; int msgID = -1; struct timeval ldaptimeout; struct timeval openldaptimeout; LDAPMessage *result; LDAPMessage *e; strbuffer_t *response; char buf[MAX_LINE_LEN]; req = (ldap_data_t *) t->privdata; if (req->skiptest) continue; ludp = (LDAPURLDesc *) req->ldapdesc; getntimer(&starttime); /* Initiate session with the LDAP server */ dbgprintf("Initiating LDAP session for host %s port %d\n", ludp->lud_host, ludp->lud_port); if( (ld = ldap_init(ludp->lud_host, ludp->lud_port)) == NULL ) { dbgprintf("ldap_init failed\n"); req->ldapstatus = XYMON_LDAP_INITFAIL; continue; } /* * There is apparently no standard way of defining a network * timeout for the initial connection setup. */ #if (LDAP_VENDOR == OpenLDAP) && defined(LDAP_OPT_NETWORK_TIMEOUT) /* * OpenLDAP has an undocumented ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv) */ openldaptimeout.tv_sec = querytimeout; openldaptimeout.tv_usec = 0; ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &openldaptimeout); #else /* * So using an alarm() to interrupt any pending operations * seems to be the least insane way of doing this. * * Note that we must do this right after ldap_init(), as * any operation on the session handle (ld) may trigger the * network connection to be established. */ connect_timeout = 0; signal(SIGALRM, ldap_alarmhandler); alarm(querytimeout); #endif /* * This is completely undocumented in the OpenLDAP docs. * But apparently it is documented in * http://www.ietf.org/proceedings/99jul/I-D/draft-ietf-ldapext-ldap-c-api-03.txt * * Both of these routines appear in the <ldap.h> file * from OpenLDAP 2.1.22. Their use to enable TLS has * been deciphered from the ldapsearch() utility * sourcecode. * * According to Manon Goo <*****@*****.**>, recent (Jan. 2005) * OpenLDAP implementations refuse to talk LDAPv2. */ #ifdef LDAP_OPT_PROTOCOL_VERSION { int protocol = LDAP_VERSION3; dbgprintf("Attempting to select LDAPv3\n"); if ((rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &protocol)) != LDAP_SUCCESS) { dbgprintf("Failed to select LDAPv3, trying LDAPv2\n"); protocol = LDAP_VERSION2; if ((rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &protocol)) != LDAP_SUCCESS) { req->output = strdup(ldap_err2string(rc)); req->ldapstatus = XYMON_LDAP_TLSFAIL; } continue; } } #endif #ifdef XYMON_LDAP_USESTARTTLS if (req->usetls) { dbgprintf("Trying to enable TLS for session\n"); if ((rc = ldap_start_tls_s(ld, NULL, NULL)) != LDAP_SUCCESS) { dbgprintf("ldap_start_tls failed\n"); req->output = strdup(ldap_err2string(rc)); req->ldapstatus = XYMON_LDAP_TLSFAIL; continue; } } #endif if (!connect_timeout) { msgID = ldap_simple_bind(ld, (t->host->ldapuser ? t->host->ldapuser : ""), (t->host->ldappasswd ? t->host->ldappasswd : "")); } /* Cancel any pending alarms */ alarm(0); signal(SIGALRM, SIG_DFL); /* Did we connect? */ if (connect_timeout || (msgID == -1)) { req->ldapstatus = XYMON_LDAP_BINDFAIL; req->output = "Cannot connect to server"; continue; } /* Wait for bind to complete */ rc = 0; finished = 0; ldaptimeout.tv_sec = querytimeout; ldaptimeout.tv_usec = 0L; while( ! finished ) { int rc2; rc = ldap_result(ld, msgID, LDAP_MSG_ONE, &ldaptimeout, &result); dbgprintf("ldap_result returned %d for ldap_simple_bind()\n", rc); if(rc == -1) { finished = 1; req->ldapstatus = XYMON_LDAP_BINDFAIL; if (result == NULL) { errprintf("LDAP library problem - NULL result returned\n"); req->output = strdup("LDAP BIND failed\n"); } else { rc2 = ldap_result2error(ld, result, 1); req->output = strdup(ldap_err2string(rc2)); } ldap_unbind(ld); } else if (rc == 0) { finished = 1; req->ldapstatus = XYMON_LDAP_BINDFAIL; req->output = strdup("Connection timeout"); ldap_unbind(ld); } else if( rc > 0 ) { finished = 1; if (result == NULL) { errprintf("LDAP library problem - got a NULL resultcode for status %d\n", rc); req->ldapstatus = XYMON_LDAP_BINDFAIL; req->output = strdup("LDAP library problem: ldap_result2error returned a NULL result for status %d\n"); ldap_unbind(ld); } else { rc2 = ldap_result2error(ld, result, 1); if(rc2 != LDAP_SUCCESS) { req->ldapstatus = XYMON_LDAP_BINDFAIL; req->output = strdup(ldap_err2string(rc)); ldap_unbind(ld); } } } } /* ... while() */ /* We're done connecting. If something went wrong, go to next query. */ if (req->ldapstatus != 0) continue; /* Now do the search. With a timeout */ ldaptimeout.tv_sec = querytimeout; ldaptimeout.tv_usec = 0L; rc = ldap_search_st(ld, ludp->lud_dn, ludp->lud_scope, ludp->lud_filter, ludp->lud_attrs, 0, &ldaptimeout, &result); if(rc == LDAP_TIMEOUT) { req->ldapstatus = XYMON_LDAP_TIMEOUT; req->output = strdup(ldap_err2string(rc)); ldap_unbind(ld); continue; } if( rc != LDAP_SUCCESS ) { req->ldapstatus = XYMON_LDAP_SEARCHFAILED; req->output = strdup(ldap_err2string(rc)); ldap_unbind(ld); continue; } getntimer(&endtime); response = newstrbuffer(0); sprintf(buf, "Searching LDAP for %s yields %d results:\n\n", t->testspec, ldap_count_entries(ld, result)); addtobuffer(response, buf); for(e = ldap_first_entry(ld, result); (e != NULL); e = ldap_next_entry(ld, e) ) { char *dn; BerElement *ber; char *attribute; char **vals; dn = ldap_get_dn(ld, e); sprintf(buf, "DN: %s\n", dn); addtobuffer(response, buf); /* Addtributes and values */ for (attribute = ldap_first_attribute(ld, e, &ber); (attribute != NULL); attribute = ldap_next_attribute(ld, e, ber) ) { if ((vals = ldap_get_values(ld, e, attribute)) != NULL) { int i; for(i = 0; (vals[i] != NULL); i++) { sprintf(buf, "\t%s: %s\n", attribute, vals[i]); addtobuffer(response, buf); } } /* Free memory used to store values */ ldap_value_free(vals); } /* Free memory used to store attribute */ ldap_memfree(attribute); ldap_memfree(dn); if (ber != NULL) ber_free(ber, 0); addtobuffer(response, "\n"); } req->ldapstatus = XYMON_LDAP_OK; req->output = grabstrbuffer(response); tvdiff(&starttime, &endtime, &req->duration); ldap_msgfree(result); ldap_unbind(ld); ldap_free_urldesc(ludp); } #endif }
//get username int getUsername() { LDAP *ld; struct json_object *my_object,*my_array; const char* split = "CN=,"; char *p; char*tmp; char *user; int i = 0; int nl ; int result; int auth_method = LDAP_AUTH_SIMPLE; int desired_version = LDAP_VERSION3; char *ldap_host = "WIN2K82"; char *root_dn = "*****@*****.**"; char *root_pw = "123qwe!@#"; BerElement* ber; LDAPMessage* msg; LDAPMessage* entry; char* base="CN=Users,dc=abc,dc=com"; char* filter="(objectClass=user)"; char* errstring; char* dn = NULL; char* attr; char** vals; if ((ld = ldap_init(ldap_host, LDAP_PORT)) == NULL ) { perror( "ldap_init failed" ); exit( EXIT_FAILURE ); } /* set the LDAP version to be 3 */ if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version) != LDAP_OPT_SUCCESS) { ldap_perror(ld, "ldap_set_option"); exit(EXIT_FAILURE); } if (ldap_bind_s(ld, root_dn, root_pw, auth_method) != LDAP_SUCCESS ) { ldap_perror( ld, "ldap_bind" ); exit( EXIT_FAILURE ); } if (ldap_search_s(ld, base, LDAP_SCOPE_SUBTREE, filter, NULL, 0, &msg) != LDAP_SUCCESS) { ldap_perror( ld, "ldap_search_s" ); exit(EXIT_FAILURE); } my_object = json_object_new_object(); my_array = json_object_new_array(); int n = 0;//find return /* Iterate through the returned entries */ for(entry = ldap_first_entry(ld, msg); entry != NULL; entry = ldap_next_entry(ld, entry)) { if((dn = ldap_get_dn(ld, entry)) != NULL) { //printf("Returned dn: %s\n", dn); tmp = dn; p = strtok (tmp,","); if(p){ p = strtok(p,"="); p = strtok(NULL, ","); BlToSl(p); //if (p) //printf("p=%s\n",p); } i++; json_object_array_add(my_array, json_object_new_int(i)); json_object_array_put_idx(my_array, i, json_object_new_int(i)); struct json_object *obj = json_object_array_get_idx(my_array, i); json_object_object_add(my_object, json_object_to_json_string(obj), json_object_new_string(p)); ldap_memfree(dn); } } printf("%s\n", json_object_to_json_string(my_object)); /* clean up */ ldap_msgfree(msg); result = ldap_unbind_s(ld); if (result != 0) { fprintf(stderr, "ldap_unbind_s: %s\n", ldap_err2string(result)); exit( EXIT_FAILURE ); } return EXIT_SUCCESS; }
int main(int argc, char* argv[]) { DWORD dwError = 0; const int ldapVer = LDAP_VERSION3; PVMDIR_QUERY_ARGS pArgs = NULL; PSTR pszLdapURL = NULL; LDAP* pLd = NULL; BerValue ldapBindPwd = {0}; LDAPMessage* pResult = NULL; PSTR pszDN = NULL; dwError = VmDirQueryParseArgs(argc, argv, &pArgs); BAIL_ON_VMDIR_ERROR(dwError); dwError = VmDirAllocateStringAVsnprintf( &pszLdapURL, "ldap://%s", pArgs->pszHostname); BAIL_ON_VMDIR_ERROR(dwError); #if 0 dwError = ldap_initialize(&pLd, pszLdapURL); BAIL_ON_VMDIR_ERROR(dwError); #else pLd = ldap_open(pArgs->pszHostname, 389); if (!pLd) { dwError = VMDIR_ERROR_SERVER_DOWN; BAIL_ON_VMDIR_ERROR(dwError); } #endif dwError = ldap_set_option(pLd, LDAP_OPT_PROTOCOL_VERSION, &ldapVer); BAIL_ON_VMDIR_ERROR(dwError); dwError = ldap_set_option(pLd, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); BAIL_ON_VMDIR_ERROR(dwError); ldapBindPwd.bv_val = pArgs->pszPassword; ldapBindPwd.bv_len = strlen(pArgs->pszPassword); #if 0 dwError = ldap_sasl_bind_s( pLd, pArgs->pszBindDN, LDAP_SASL_SIMPLE, &ldapBindPwd, NULL, NULL, NULL); BAIL_ON_VMDIR_ERROR(dwError); #else dwError = ldap_bind_s( pLd, pArgs->pszBindDN, pArgs->pszPassword, LDAP_AUTH_SIMPLE); BAIL_ON_VMDIR_ERROR(dwError); #endif #if 0 dwError = ldap_search_ext_s( pLd, pArgs->pszBaseDN, LDAP_SCOPE_SUBTREE, pArgs->pszFilter, NULL, TRUE, NULL, // server ctrls NULL, // client ctrls NULL, // timeout -1, // size limit, &pResult); BAIL_ON_VMDIR_ERROR(dwError); #else dwError = ldap_search_s( pLd, pArgs->pszBaseDN, LDAP_SCOPE_SUBTREE, pArgs->pszFilter, NULL, TRUE, &pResult); BAIL_ON_VMDIR_ERROR(dwError); #endif if (ldap_count_entries(pLd, pResult) > 0) { LDAPMessage* pEntry = ldap_first_entry(pLd, pResult); for (; pEntry != NULL; pEntry = ldap_next_entry(pLd, pEntry)) { if (pszDN) { ldap_memfree(pszDN); pszDN = NULL; } pszDN = ldap_get_dn(pLd, pEntry); if (IsNullOrEmptyString(pszDN)) { dwError = VMDIR_ERROR_INVALID_DN; BAIL_ON_VMDIR_ERROR(dwError); } fprintf(stdout, "DN : %s\n", pszDN); } } cleanup: if (pArgs) { VmDirFreeArgs(pArgs); } VMDIR_SAFE_FREE_MEMORY(pszLdapURL); if (pResult) { ldap_msgfree(pResult); } if (pszDN) { ldap_memfree(pszDN); } if (pLd) { ldap_unbind_ext_s(pLd, NULL, NULL); } return dwError; error: goto cleanup; }