static void constraint_free( constraint *cp, int freeme ) { if (cp->restrict_lud) ldap_free_urldesc(cp->restrict_lud); if (!BER_BVISNULL(&cp->restrict_ndn)) ch_free(cp->restrict_ndn.bv_val); if (cp->restrict_filter != NULL && cp->restrict_filter != slap_filter_objectClass_pres) filter_free(cp->restrict_filter); if (!BER_BVISNULL(&cp->restrict_val)) ch_free(cp->restrict_val.bv_val); if (cp->re) { regfree(cp->re); ch_free(cp->re); } if (!BER_BVISNULL(&cp->val)) ch_free(cp->val.bv_val); if (cp->lud) ldap_free_urldesc(cp->lud); if (cp->attrs) ch_free(cp->attrs); if (cp->ap) ch_free(cp->ap); if (freeme) ch_free(cp); }
/* a bit dirty but leak free */ char * ldap_parse_servers(const char * servers) { char * s = NULL; char * tmp = NULL, *urls[32]; unsigned int num = 0 , i = 0 , asize = 0; LDAPURLDesc *urld[32]; if (!servers) return NULL; /* local copy of the arg */ s = strdup(servers); if (!s) return NULL; /* first separate into URL tokens */ if ( tokenize(urls, sizeof(urls)/sizeof(*urls), s) < 0) return NULL; i = 0; while (urls[i]) { if (! ldap_is_ldap_url(urls[i]) || (ldap_url_parse(urls[i], &urld[i]) != 0)) { return NULL; } i++; } /* now free(s) */ free (s); /* how much memory do we need */ num = i; for (i = 0 ; i < num ; i++) asize += strlen(urld[i]->lud_host)+11; /* alloc */ s = (char *) calloc( asize+1 , sizeof(char)); if (!s) { for (i = 0 ; i < num ; i++) ldap_free_urldesc(urld[i]); return NULL; } /* then build the final host string */ for (i = 0 ; i < num ; i++) { /* built host part */ tmp = ldap_build_host(urld[i]->lud_host, urld[i]->lud_port); strncat(s, tmp, strlen(tmp)); ldap_free_urldesc(urld[i]); free(tmp); } return s; }
static int get_read_entries( char *filename, char *entries[], char *filters[] ) { FILE *fp; int entry = 0; if ( (fp = fopen( filename, "r" )) != NULL ) { char line[BUFSIZ]; while (( entry < MAXREQS ) && ( fgets( line, BUFSIZ, fp ))) { char *nl; if (( nl = strchr( line, '\r' )) || ( nl = strchr( line, '\n' ))) *nl = '\0'; if ( filters != NULL && line[0] == '+' ) { LDAPURLDesc *lud; if ( ldap_url_parse( &line[1], &lud ) != LDAP_URL_SUCCESS ) { entry = -entry - 1; break; } if ( lud->lud_dn == NULL || lud->lud_dn[ 0 ] == '\0' ) { ldap_free_urldesc( lud ); entry = -entry - 1; break; } entries[entry] = ArgDup( lud->lud_dn ); if ( lud->lud_filter ) { filters[entry] = ArgDup( lud->lud_filter ); } else { filters[entry] = ArgDup( "(objectClass=*)" ); } ldap_free_urldesc( lud ); } else { if ( filters != NULL ) filters[entry] = NULL; entries[entry] = ArgDup( line ); } entry++; } fclose( fp ); } return( entry ); }
int ldap_url_search_async( char* _ldap_url, int* _ld_result_count, int* _msgidp, struct ld_session **ldsp) { LDAPURLDesc *ludp; int rc; if (ldap_url_parse(_ldap_url, &ludp) != 0) { LM_ERR("invalid LDAP URL [%s]\n", ZSW(_ldap_url)); if (ludp != NULL) { ldap_free_urldesc(ludp); } return -2; } if (ludp->lud_host == NULL) { LM_ERR( "no ldap session name found in ldap URL [%s]\n", ZSW(_ldap_url)); return -2; } LM_DBG( "LDAP URL parsed into session_name" " [%s], base [%s], scope [%d], filter [%s]\n", ZSW(ludp->lud_host), ZSW(ludp->lud_dn), ludp->lud_scope, ZSW(ludp->lud_filter)); rc = ldap_params_search_async(_ld_result_count, _msgidp, ludp->lud_host, ludp->lud_dn, ludp->lud_scope, ludp->lud_attrs, ludp->lud_filter); if (rc == 0 && *_msgidp >= 0) { if (get_connected_ldap_session(ludp->lud_host, ldsp)) { LM_ERR("[%s]: couldn't get ldap session\n", ludp->lud_host); return -1; } } ldap_free_urldesc(ludp); return rc; }
int ld_uri(db_uri_t* uri) { struct ld_uri* luri; luri = (struct ld_uri*)pkg_malloc(sizeof(struct ld_uri)); if (luri == NULL) { ERR("ldap: No memory left\n"); goto error; } memset(luri, '\0', sizeof(struct ld_uri)); if (db_drv_init(&luri->drv, ld_uri_free) < 0) goto error; if (parse_ldap_uri(luri, &uri->scheme, &uri->body) < 0) goto error; DB_SET_PAYLOAD(uri, luri); uri->cmp = ld_uri_cmp; return 0; error: if (luri) { if (luri->uri) pkg_free(luri->uri); if (luri->ldap_url) ldap_free_urldesc(luri->ldap_url); db_drv_free(&luri->drv); pkg_free(luri); } return -1; }
static CURLcode ldap_setup_connection(struct connectdata *conn) { ldapconninfo *li; LDAPURLDesc *lud; struct SessionHandle *data=conn->data; int rc, proto; CURLcode status; rc = ldap_url_parse(data->change.url, &lud); if(rc != LDAP_URL_SUCCESS) { const char *msg = "url parsing problem"; status = CURLE_URL_MALFORMAT; if(rc > LDAP_URL_SUCCESS && rc <= LDAP_URL_ERR_BADEXTS) { if(rc == LDAP_URL_ERR_MEM) status = CURLE_OUT_OF_MEMORY; msg = url_errs[rc]; } failf(conn->data, "LDAP local: %s", msg); return status; } proto = ldap_pvt_url_scheme2proto(lud->lud_scheme); ldap_free_urldesc(lud); li = calloc(1, sizeof(ldapconninfo)); if(!li) return CURLE_OUT_OF_MEMORY; li->proto = proto; conn->proto.generic = li; connkeep(conn, "OpenLDAP default"); /* TODO: * - provide option to choose SASL Binds instead of Simple */ return CURLE_OK; }
/// sets LDAP server's URI /// @param[in] cnf reference to common configuration struct /// @param[in] arg value of the command line argument int ldaputils_config_set_uri(LdapUtilsConfig * cnf, const char * arg) { if ((cnf->ludp)) { if (cnf->host == cnf->ludp->lud_host) cnf->host = NULL; ldap_free_urldesc(cnf->ludp); }; cnf->ludp = NULL; if (!(cnf->uri = arg)) return(0); if ((ldap_url_parse(arg, &cnf->ludp))) { // TRANSLATORS: The following strings provide an error message if the // URI provided on the command line is an invalid LDAP URI. fprintf(stderr, _("%s: invalid LDAP URI\n"), PROGRAM_NAME); fprintf(stderr, _("Try `%s --help' for more information.\n"), PROGRAM_NAME); return(1); }; cnf->host = cnf->ludp->lud_host; cnf->port = cnf->ludp->lud_port; return(0); }
int ldap_initialize(LDAP **ldp, char *url) { int rc = 0; LDAP *ld = NULL; LDAPURLDesc *ludp = NULL; /* * For now, we don't use any DN that may be provided. And on Solaris * (based on Mozilla's LDAP client code), we need the _nodn form to parse * "ldap://host" without a trailing slash. * * Also, this version won't handle an input string which contains multiple * URLs, unlike the OpenLDAP ldap_initialize. See * https://bugzilla.mozilla.org/show_bug.cgi?id=353336#c1 . */ #ifdef HAVE_LDAP_URL_PARSE_NODN rc = ldap_url_parse_nodn(url, &ludp); #else rc = ldap_url_parse(url, &ludp); #endif if (rc == 0) { ld = ldap_init(ludp->lud_host, ludp->lud_port); if (ld != NULL) *ldp = ld; else rc = KRB5_KDB_ACCESS_ERROR; ldap_free_urldesc(ludp); } return rc; }
static void map_ldap_free( struct ldap_map_data *data ) { assert( data != NULL ); if ( data->lm_url != NULL ) { free( data->lm_url ); } if ( data->lm_lud != NULL ) { ldap_free_urldesc( data->lm_lud ); } if ( data->lm_binddn != NULL ) { free( data->lm_binddn ); } if ( data->lm_cred.bv_val != NULL ) { memset( data->lm_cred.bv_val, 0, data->lm_cred.bv_len ); free( data->lm_cred.bv_val ); data->lm_cred.bv_val = NULL; data->lm_cred.bv_len = 0; } if ( data->lm_when != MAP_LDAP_EVERYTIME && data->lm_ld != NULL ) { ldap_unbind_ext( data->lm_ld, NULL, NULL ); } free( data ); }
ldap_handle::~ldap_handle() { release_message(); if (ldap) ldap_unbind_ext(ldap, NULL, NULL); if (uri) ldap_free_urldesc(uri); }
/* validate URL for global referral use * LDAP URLs must not have: * DN, attrs, scope, nor filter * Any non-LDAP URL is okay * * XXYYZ: should return an error string */ int validate_global_referral( const char *url ) { int rc; LDAPURLDesc *lurl; rc = ldap_url_parse_ext( url, &lurl, LDAP_PVT_URL_PARSE_NONE ); switch( rc ) { case LDAP_URL_SUCCESS: break; case LDAP_URL_ERR_BADSCHEME: /* not LDAP hence valid */ Debug( LDAP_DEBUG_CONFIG, "referral \"%s\": not LDAP.\n", url, 0, 0 ); return 0; default: /* other error, bail */ Debug( LDAP_DEBUG_ANY, "referral: invalid URL (%s): %s (%d)\n", url, "" /* ldap_url_error2str(rc) */, rc ); return 1; } rc = 0; if( lurl->lud_dn && *lurl->lud_dn ) { Debug( LDAP_DEBUG_ANY, "referral: URL (%s): contains DN\n", url, 0, 0 ); rc = 1; } else if( lurl->lud_attrs ) { Debug( LDAP_DEBUG_ANY, "referral: URL (%s): requests attributes\n", url, 0, 0 ); rc = 1; } else if( lurl->lud_scope != LDAP_SCOPE_DEFAULT ) { Debug( LDAP_DEBUG_ANY, "referral: URL (%s): contains explicit scope\n", url, 0, 0 ); rc = 1; } else if( lurl->lud_filter ) { Debug( LDAP_DEBUG_ANY, "referral: URL (%s): contains explicit filter\n", url, 0, 0 ); rc = 1; } ldap_free_urldesc( lurl ); return rc; }
static void ld_uri_free(db_uri_t* uri, struct ld_uri* payload) { if (payload == NULL) return; if (payload->ldap_url) ldap_free_urldesc(payload->ldap_url); if (payload->uri) pkg_free(payload->uri); if (payload->username) pkg_free(payload->username); if (payload->password) pkg_free(payload->password); if (payload->ca_list) pkg_free(payload->ca_list); if (payload->req_cert) pkg_free(payload->req_cert); db_drv_free(&payload->drv); pkg_free(payload); }
int ldap_url_search( char* _ldap_url, int* _ld_result_count) { LDAPURLDesc *ludp; int rc; if (ldap_url_parse(_ldap_url, &ludp) != 0) { LM_ERR("invalid LDAP URL [%s]\n", ZSW(_ldap_url)); if (ludp != NULL) { ldap_free_urldesc(ludp); } return -2; } if (ludp->lud_host == NULL) { LM_ERR( "no ldap session name found in ldap URL [%s]\n", ZSW(_ldap_url)); return -2; } LM_DBG( "LDAP URL parsed into session_name" " [%s], base [%s], scope [%d], filter [%s]\n", ZSW(ludp->lud_host), ZSW(ludp->lud_dn), ludp->lud_scope, ZSW(ludp->lud_filter)); rc = ldap_params_search(_ld_result_count, ludp->lud_host, ludp->lud_dn, ludp->lud_scope, ludp->lud_attrs, ludp->lud_filter); ldap_free_urldesc(ludp); return rc; }
void be_ldap_destroy(void *handle) { struct ldap_backend *conf = (struct ldap_backend *)handle; if (conf) { ldap_free_urldesc(conf->lud); free(conf->ldap_uri); if (conf->connstr) free(conf->connstr); if (conf->ld) ldap_unbind(conf->ld); free(conf); } }
static int dynlist_db_destroy( BackendDB *be, ConfigReply *cr ) { slap_overinst *on = (slap_overinst *) be->bd_info; if ( on->on_bi.bi_private ) { dynlist_info_t *dli = (dynlist_info_t *)on->on_bi.bi_private, *dli_next; for ( dli_next = dli; dli_next; dli = dli_next ) { dynlist_map_t *dlm; dynlist_map_t *dlm_next; dli_next = dli->dli_next; if ( !BER_BVISNULL( &dli->dli_uri ) ) { ch_free( dli->dli_uri.bv_val ); } if ( dli->dli_lud != NULL ) { ldap_free_urldesc( dli->dli_lud ); } if ( !BER_BVISNULL( &dli->dli_uri_nbase ) ) { ber_memfree( dli->dli_uri_nbase.bv_val ); } if ( dli->dli_uri_filter != NULL ) { filter_free( dli->dli_uri_filter ); } ch_free( dli->dli_default_filter.bv_val ); dlm = dli->dli_dlm; while ( dlm != NULL ) { dlm_next = dlm->dlm_next; ch_free( dlm ); dlm = dlm_next; } ch_free( dli ); } } return 0; }
static CURLcode ldap_do(struct connectdata *conn, bool *done) { ldapconninfo *li = conn->proto.generic; ldapreqinfo *lr; CURLcode status = CURLE_OK; int rc = 0; LDAPURLDesc *ludp = NULL; int msgid; struct SessionHandle *data=conn->data; connkeep(conn, "OpenLDAP do"); infof(data, "LDAP local: %s\n", data->change.url); rc = ldap_url_parse(data->change.url, &ludp); if(rc != LDAP_URL_SUCCESS) { const char *msg = "url parsing problem"; status = CURLE_URL_MALFORMAT; if(rc > LDAP_URL_SUCCESS && rc <= LDAP_URL_ERR_BADEXTS) { if(rc == LDAP_URL_ERR_MEM) status = CURLE_OUT_OF_MEMORY; msg = url_errs[rc]; } failf(conn->data, "LDAP local: %s", msg); return status; } rc = ldap_search_ext(li->ld, ludp->lud_dn, ludp->lud_scope, ludp->lud_filter, ludp->lud_attrs, 0, NULL, NULL, NULL, 0, &msgid); ldap_free_urldesc(ludp); if(rc != LDAP_SUCCESS) { failf(data, "LDAP local: ldap_search_ext %s", ldap_err2string(rc)); return CURLE_LDAP_SEARCH_FAILED; } lr = calloc(1, sizeof(ldapreqinfo)); if(!lr) return CURLE_OUT_OF_MEMORY; lr->msgid = msgid; data->req.protop = lr; Curl_setup_transfer(conn, FIRSTSOCKET, -1, FALSE, NULL, -1, NULL); *done = TRUE; return CURLE_OK; }
static void ldaphost_free(ldaphost *p) { #ifdef TRACE_BY_LDAP fprintf(stderr, "TRACE_BY_LDAP ldaphost_free:\n"); #endif if (p == NULL) return; if (p->url != NULL) OPENSSL_free(p->url); if (p->binddn != NULL) OPENSSL_free(p->binddn); if (p->bindpw != NULL) OPENSSL_free(p->bindpw); if (p->ldapurl != NULL) { ldap_free_urldesc(p->ldapurl); p->ldapurl = NULL; } if (p->ld != NULL) { /* how to free ld ???*/ p->ld = NULL; } OPENSSL_free(p); }
static void exit_ldap(struct object *o) { if (THIS->server_url) { ldap_free_urldesc(THIS->server_url); THIS->server_url = NULL; } free_string(base_str); free_string(scope_str); free_string(filter_str); free_string(attrs_str); free_string(attrsonly_str); free_string(timeout_str); free_string(empty_str); free_string(modify_op); free_string(modify_type); free_string(modify_values); }
nsresult nsLDAPURL::SetPathInternal(const nsCString &aPath) { LDAPURLDesc *desc; // This is from the LDAP C-SDK, which currently doesn't // support everything from RFC 2255... :( // int err = ldap_url_parse(aPath.get(), &desc); switch (err) { case LDAP_SUCCESS: { // The base URL can pick up the host & port details and deal with them // better than we can mDN = desc->lud_dn; mScope = desc->lud_scope; mFilter = desc->lud_filter; mOptions = desc->lud_options; nsresult rv = SetAttributeArray(desc->lud_attrs); if (NS_FAILED(rv)) return rv; ldap_free_urldesc(desc); return NS_OK; } case LDAP_URL_ERR_NOTLDAP: case LDAP_URL_ERR_NODN: case LDAP_URL_ERR_BADSCOPE: return NS_ERROR_MALFORMED_URI; case LDAP_URL_ERR_MEM: NS_ERROR("nsLDAPURL::SetSpec: out of memory "); return NS_ERROR_OUT_OF_MEMORY; case LDAP_URL_ERR_PARAM: return NS_ERROR_INVALID_POINTER; } // This shouldn't happen... return NS_ERROR_UNEXPECTED; }
/** * seahorse_ldap_is_valid_uri * @uri: The uri to check * * Returns: Whether the passed uri is valid for an ldap key source */ gboolean seahorse_ldap_is_valid_uri (const gchar *uri) { LDAPURLDesc *url; int r; g_return_val_if_fail (uri && *uri, FALSE); r = ldap_url_parse (uri, &url); if (r == LDAP_URL_SUCCESS) { /* Some checks to make sure it's a simple URI */ if (!(url->lud_host && url->lud_host[0]) || (url->lud_dn && url->lud_dn[0]) || (url->lud_attrs || url->lud_attrs)) r = LDAP_URL_ERR_PARAM; ldap_free_urldesc (url); } return r == LDAP_URL_SUCCESS; }
/** Instantiate the module * * Creates a new instance of the module reading parameters from a configuration section. * * @param conf to parse. * @param instance Where to write pointer to configuration data. * @return 0 on success < 0 on failure. */ static int mod_instantiate(CONF_SECTION *conf, void *instance) { static bool version_done; CONF_SECTION *options; ldap_instance_t *inst = instance; inst->cs = conf; options = cf_section_sub_find(conf, "options"); if (!options || !cf_pair_find(options, "chase_referrals")) { inst->chase_referrals_unset = true; /* use OpenLDAP defaults */ } inst->xlat_name = cf_section_name2(conf); if (!inst->xlat_name) { inst->xlat_name = cf_section_name1(conf); } /* * Only needs to be done once, prevents races in environment * initialisation within libldap. * * See: https://github.com/arr2036/ldapperf/issues/2 */ #ifdef HAVE_LDAP_INITIALIZE ldap_initialize(&inst->handle, ""); #else inst->handle = ldap_init("", 0); #endif /* * Get version info from the LDAP API. */ if (!version_done) { static LDAPAPIInfo info; /* static to quiet valgrind about this being uninitialised */ int ldap_errno; version_done = true; ldap_errno = ldap_get_option(NULL, LDAP_OPT_API_INFO, &info); if (ldap_errno == LDAP_OPT_SUCCESS) { if (strcmp(info.ldapai_vendor_name, LDAP_VENDOR_NAME) != 0) { WARN("rlm_ldap: libldap vendor changed since the server was built"); WARN("rlm_ldap: linked: %s, built: %s", info.ldapai_vendor_name, LDAP_VENDOR_NAME); } if (info.ldapai_vendor_version != LDAP_VENDOR_VERSION) { WARN("rlm_ldap: libldap version changed since the server was built"); WARN("rlm_ldap: linked: %i, built: %i", info.ldapai_vendor_version, LDAP_VENDOR_VERSION); } INFO("rlm_ldap: libldap vendor: %s, version: %i", info.ldapai_vendor_name, info.ldapai_vendor_version); ldap_memfree(info.ldapai_vendor_name); ldap_memfree(info.ldapai_extensions); } else { DEBUG("rlm_ldap: Falling back to build time libldap version info. Query for LDAP_OPT_API_INFO " "returned: %i", ldap_errno); INFO("rlm_ldap: libldap vendor: %s, version: %i.%i.%i", LDAP_VENDOR_NAME, LDAP_VENDOR_VERSION_MAJOR, LDAP_VENDOR_VERSION_MINOR, LDAP_VENDOR_VERSION_PATCH); } } /* * If the configuration parameters can't be parsed, then fail. */ if ((parse_sub_section(inst, conf, &inst->accounting, RLM_COMPONENT_ACCT) < 0) || (parse_sub_section(inst, conf, &inst->postauth, RLM_COMPONENT_POST_AUTH) < 0)) { cf_log_err_cs(conf, "Failed parsing configuration"); goto error; } /* * Sanity checks for cacheable groups code. */ if (inst->cacheable_group_name && inst->groupobj_membership_filter) { if (!inst->groupobj_name_attr) { cf_log_err_cs(conf, "Directive 'group.name_attribute' must be set if cacheable " "group names are enabled"); goto error; } } /* * Split original server value out into URI, server and port * so whatever initialization function we use later will have * the server information in the format it needs. */ if (ldap_is_ldap_url(inst->server)) { LDAPURLDesc *ldap_url; int port; if (ldap_url_parse(inst->server, &ldap_url)){ cf_log_err_cs(conf, "Parsing LDAP URL \"%s\" failed", inst->server); return -1; } /* * Figure out the port from the URL */ if (ldap_url->lud_port == 0) { if (strcmp(ldap_url->lud_scheme, "ldaps://") == 0) { if (inst->start_tls == true) { start_tls_error: cf_log_err_cs(conf, "ldaps:// scheme is not compatible with 'start_tls'"); return -1; } port = 636; } else { port = 384; } } else { port = ldap_url->lud_port; } inst->uri = inst->server; inst->server = talloc_strdup(inst, ldap_url->lud_host); if ((inst->port != 384) && (port != inst->port)) { WARN("Non-default 'port' directive %i set to %i by LDAP URI", inst->port, port); } inst->port = port; /* * @todo We could set a few other top level * directives using the URL, like base_dn * and scope. */ ldap_free_urldesc(ldap_url); /* * We need to construct an LDAP URI */ } else { switch (inst->port) { default: case 384: inst->uri = talloc_asprintf(inst, "ldap://%s:%i/", inst->server, inst->port); break; case 636: if (inst->start_tls == true) goto start_tls_error; inst->uri = talloc_asprintf(inst, "ldaps://%s:%i/", inst->server, inst->port); break; } } #ifdef LDAP_OPT_X_TLS_NEVER /* * Workaround for servers which support LDAPS but not START TLS */ if (inst->port == LDAPS_PORT || inst->tls_mode) { inst->tls_mode = LDAP_OPT_X_TLS_HARD; } else { inst->tls_mode = 0; } #endif /* * Convert dereference strings to enumerated constants */ if (inst->dereference_str) { inst->dereference = fr_str2int(ldap_dereference, inst->dereference_str, -1); if (inst->dereference < 0) { cf_log_err_cs(conf, "Invalid 'dereference' value \"%s\", expected 'never', 'searching', " "'finding' or 'always'", inst->dereference_str); goto error; } } #if LDAP_SET_REBIND_PROC_ARGS != 3 /* * The 2-argument rebind doesn't take an instance variable. Our rebind function needs the instance * variable for the username, password, etc. */ if (inst->rebind == true) { cf_log_err_cs(conf, "Cannot use 'rebind' directive as this version of libldap " "does not support the API that we need"); goto error; } #endif /* * Convert scope strings to enumerated constants */ inst->userobj_scope = fr_str2int(ldap_scope, inst->userobj_scope_str, -1); if (inst->userobj_scope < 0) { cf_log_err_cs(conf, "Invalid 'user.scope' value \"%s\", expected 'sub', 'one'" #ifdef LDAP_SCOPE_CHILDREN ", 'base' or 'children'" #else " or 'base'" #endif , inst->userobj_scope_str); goto error; } inst->groupobj_scope = fr_str2int(ldap_scope, inst->groupobj_scope_str, -1); if (inst->groupobj_scope < 0) { cf_log_err_cs(conf, "Invalid 'group.scope' value \"%s\", expected 'sub', 'one'" #ifdef LDAP_SCOPE_CHILDREN ", 'base' or 'children'" #else " or 'base'" #endif , inst->groupobj_scope_str); goto error; } inst->clientobj_scope = fr_str2int(ldap_scope, inst->clientobj_scope_str, -1); if (inst->clientobj_scope < 0) { cf_log_err_cs(conf, "Invalid 'client.scope' value \"%s\", expected 'sub', 'one'" #ifdef LDAP_SCOPE_CHILDREN ", 'base' or 'children'" #else " or 'base'" #endif , inst->clientobj_scope_str); goto error; } if (inst->tls_require_cert_str) { #ifdef LDAP_OPT_X_TLS_NEVER /* * Convert cert strictness to enumerated constants */ inst->tls_require_cert = fr_str2int(ldap_tls_require_cert, inst->tls_require_cert_str, -1); if (inst->tls_require_cert < 0) { cf_log_err_cs(conf, "Invalid 'tls.require_cert' value \"%s\", expected 'never', " "'demand', 'allow', 'try' or 'hard'", inst->tls_require_cert_str); goto error; } #else cf_log_err_cs(conf, "Modifying 'tls.require_cert' is not supported by current " "version of libldap. Please upgrade or substitute current libldap and " "rebuild this module"); goto error; #endif } /* * Build the attribute map */ if (map_afrom_cs(&inst->user_map, cf_section_sub_find(inst->cs, "update"), PAIR_LIST_REPLY, PAIR_LIST_REQUEST, rlm_ldap_map_verify, inst, LDAP_MAX_ATTRMAP) < 0) { return -1; } /* * Group comparison checks. */ if (cf_section_name2(conf)) { static ATTR_FLAGS flags; char buffer[256]; snprintf(buffer, sizeof(buffer), "%s-Ldap-Group", inst->xlat_name); if (dict_addattr(buffer, -1, 0, PW_TYPE_STRING, flags) < 0) { LDAP_ERR("Error creating group attribute: %s", fr_strerror()); return -1; } inst->group_da = dict_attrbyname(buffer); if (!inst->group_da) { LDAP_ERR("Failed creating attribute %s", buffer); goto error; } paircompare_register(inst->group_da, dict_attrbyvalue(PW_USER_NAME, 0), false, rlm_ldap_groupcmp, inst); /* * Were the default instance */ } else { inst->group_da = dict_attrbyvalue(PW_LDAP_GROUP, 0); paircompare_register(dict_attrbyvalue(PW_LDAP_GROUP, 0), dict_attrbyvalue(PW_USER_NAME, 0), false, rlm_ldap_groupcmp, inst); } xlat_register(inst->xlat_name, ldap_xlat, rlm_ldap_escape_func, inst); /* * Setup the cache attribute */ if (inst->cache_attribute) { static ATTR_FLAGS flags; if (dict_addattr(inst->cache_attribute, -1, 0, PW_TYPE_STRING, flags) < 0) { LDAP_ERR("Error creating cache attribute: %s", fr_strerror()); goto error; } inst->cache_da = dict_attrbyname(inst->cache_attribute); } else { inst->cache_da = inst->group_da; /* Default to the group_da */ } /* * Initialize the socket pool. */ inst->pool = fr_connection_pool_module_init(inst->cs, inst, mod_conn_create, NULL, NULL); if (!inst->pool) goto error; /* * Bulk load dynamic clients. */ if (inst->do_clients) { CONF_SECTION *cs; cs = cf_section_sub_find(inst->cs, "client"); if (!cs) { cf_log_err_cs(conf, "Told to load clients but no client section found"); goto error; } cs = cf_section_sub_find(cs, "attribute"); if (!cs) { cf_log_err_cs(conf, "Told to load clients but no attribute section found"); goto error; } if (rlm_ldap_client_load(inst, cs) < 0) { cf_log_err_cs(conf, "Error loading clients"); return -1; } } return 0; error: return -1; }
static int _mu_conn_setup (LDAP **pld) { int rc; LDAPURLDesc *ludlist, **ludp; char **urls = NULL; int nurls = 0; char *ldapuri = NULL; LDAP *ld = NULL; int protocol = LDAP_VERSION3; /* FIXME: must be configurable */ if (ldap_param.debug) { if (ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &ldap_param.debug) != LBER_OPT_SUCCESS ) mu_error (_("cannot set LBER_OPT_DEBUG_LEVEL %d"), ldap_param.debug); if (ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_param.debug) != LDAP_OPT_SUCCESS ) mu_error (_("could not set LDAP_OPT_DEBUG_LEVEL %d"), ldap_param.debug); } if (ldap_param.url) { rc = ldap_url_parse (ldap_param.url, &ludlist); if (rc != LDAP_URL_SUCCESS) { mu_error (_("cannot parse LDAP URL(s)=%s (%d)"), ldap_param.url, rc); return 1; } for (ludp = &ludlist; *ludp; ) { LDAPURLDesc *lud = *ludp; char **tmp; if (lud->lud_dn && lud->lud_dn[0] && (lud->lud_host == NULL || lud->lud_host[0] == '\0')) { /* if no host but a DN is provided, try DNS SRV to gather the host list */ char *domain = NULL, *hostlist = NULL; size_t i; struct mu_wordsplit ws; if (ldap_dn2domain (lud->lud_dn, &domain) || !domain) { mu_error (_("DNS SRV: cannot convert DN=\"%s\" into a domain"), lud->lud_dn ); goto dnssrv_free; } rc = ldap_domain2hostlist (domain, &hostlist); if (rc) { mu_error (_("DNS SRV: cannot convert domain=%s into a hostlist"), domain); goto dnssrv_free; } if (mu_wordsplit (hostlist, &ws, MU_WRDSF_DEFFLAGS)) { mu_error (_("DNS SRV: could not parse hostlist=\"%s\": %s"), hostlist, mu_wordsplit_strerror (&ws)); goto dnssrv_free; } tmp = realloc (urls, sizeof(char *) * (nurls + ws.ws_wordc + 1)); if (!tmp) { mu_error ("DNS SRV %s", mu_strerror (errno)); goto dnssrv_free; } urls = tmp; urls[nurls] = NULL; for (i = 0; i < ws.ws_wordc; i++) { urls[nurls + i + 1] = NULL; rc = mu_asprintf (&urls[nurls + i], "%s://%s", lud->lud_scheme, ws.ws_wordv[i]); if (rc) { mu_error ("DNS SRV %s", mu_strerror (rc)); goto dnssrv_free; } } nurls += i; dnssrv_free: mu_wordsplit_free (&ws); ber_memfree (hostlist); ber_memfree (domain); } else { tmp = realloc (urls, sizeof(char *) * (nurls + 2)); if (!tmp) { mu_error ("DNS SRV %s", mu_strerror (errno)); break; } urls = tmp; urls[nurls + 1] = NULL; urls[nurls] = ldap_url_desc2str (lud); if (!urls[nurls]) { mu_error ("DNS SRV %s", mu_strerror (errno)); break; } nurls++; } *ludp = lud->lud_next; lud->lud_next = NULL; ldap_free_urldesc (lud); } if (ludlist) { ldap_free_urldesc (ludlist); return 1; } else if (!urls) return 1; rc = mu_argcv_string (nurls, urls, &ldapuri); if (rc) { mu_error ("%s", mu_strerror (rc)); return 1; } ber_memvfree ((void **)urls); } mu_diag_output (MU_DIAG_INFO, "constructed LDAP URI: %s", ldapuri ? ldapuri : "<DEFAULT>"); rc = ldap_initialize (&ld, ldapuri); if (rc != LDAP_SUCCESS) { mu_error (_("cannot create LDAP session handle for URI=%s (%d): %s"), ldapuri, rc, ldap_err2string (rc)); free (ldapuri); return 1; } free (ldapuri); ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &protocol); if (ldap_param.tls) { rc = ldap_start_tls_s (ld, NULL, NULL); if (rc != LDAP_SUCCESS) { char *msg = NULL; ldap_get_option (ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg); mu_error (_("ldap_start_tls failed: %s"), ldap_err2string (rc)); mu_error (_("TLS diagnostics: %s"), msg); ldap_memfree (msg); ldap_unbind_ext (ld, NULL, NULL); return 1; } } /* FIXME: Timeouts, SASL, etc. */ *pld = ld; return 0; }
/** Expand an LDAP URL into a query, and return a string result from that query. * */ static ssize_t ldap_xlat(void *instance, REQUEST *request, char const *fmt, char *out, size_t freespace) { ldap_rcode_t status; size_t len = 0; ldap_instance_t *inst = instance; LDAPURLDesc *ldap_url; LDAPMessage *result = NULL; LDAPMessage *entry = NULL; struct berval **values; ldap_handle_t *conn; int ldap_errno; char const *url; char const **attrs; url = fmt; if (!ldap_is_ldap_url(url)) { REDEBUG("String passed does not look like an LDAP URL"); return -1; } if (ldap_url_parse(url, &ldap_url)){ REDEBUG("Parsing LDAP URL failed"); return -1; } /* * Nothing, empty string, "*" string, or got 2 things, die. */ if (!ldap_url->lud_attrs || !ldap_url->lud_attrs[0] || !*ldap_url->lud_attrs[0] || (strcmp(ldap_url->lud_attrs[0], "*") == 0) || ldap_url->lud_attrs[1]) { REDEBUG("Bad attributes list in LDAP URL. URL must specify exactly one attribute to retrieve"); goto free_urldesc; } if (ldap_url->lud_host && ((strcmp(inst->server, ldap_url->lud_host) != 0) || ((uint32_t) ldap_url->lud_port != inst->port))) { REDEBUG("LDAP expansions must specify the same host and port as the their module instance"); goto free_urldesc; } conn = mod_conn_get(inst, request); if (!conn) goto free_urldesc; memcpy(&attrs, &ldap_url->lud_attrs, sizeof(attrs)); status = rlm_ldap_search(inst, request, &conn, ldap_url->lud_dn, ldap_url->lud_scope, ldap_url->lud_filter, attrs, &result); switch (status) { case LDAP_PROC_SUCCESS: break; default: goto free_socket; } rad_assert(conn); rad_assert(result); entry = ldap_first_entry(conn->handle, result); if (!entry) { ldap_get_option(conn->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno)); len = -1; goto free_result; } values = ldap_get_values_len(conn->handle, entry, ldap_url->lud_attrs[0]); if (!values) { RDEBUG("No \"%s\" attributes found in specified object", ldap_url->lud_attrs[0]); goto free_result; } if (values[0]->bv_len >= freespace) goto free_values; memcpy(out, values[0]->bv_val, values[0]->bv_len + 1); /* +1 as strlcpy expects buffer size */ len = values[0]->bv_len; free_values: ldap_value_free_len(values); free_result: ldap_msgfree(result); free_socket: mod_conn_release(inst, conn); free_urldesc: ldap_free_urldesc(ldap_url); return len; }
static CURLcode Curl_ldap(struct connectdata *conn, bool *done) { CURLcode result = CURLE_OK; int rc = 0; LDAP *server = NULL; LDAPURLDesc *ludp = NULL; LDAPMessage *ldapmsg = NULL; LDAPMessage *entryIterator; int num = 0; struct SessionHandle *data=conn->data; int ldap_proto = LDAP_VERSION3; int ldap_ssl = 0; char *val_b64 = NULL; size_t val_b64_sz = 0; curl_off_t dlsize = 0; #ifdef LDAP_OPT_NETWORK_TIMEOUT struct timeval ldap_timeout = {10,0}; /* 10 sec connection/search timeout */ #endif *done = TRUE; /* unconditionally */ infof(data, "LDAP local: LDAP Vendor = %s ; LDAP Version = %d\n", LDAP_VENDOR_NAME, LDAP_VENDOR_VERSION); infof(data, "LDAP local: %s\n", data->change.url); #ifdef HAVE_LDAP_URL_PARSE rc = ldap_url_parse(data->change.url, &ludp); #else rc = _ldap_url_parse(conn, &ludp); #endif if(rc != 0) { failf(data, "LDAP local: %s", ldap_err2string(rc)); result = CURLE_LDAP_INVALID_URL; goto quit; } /* Get the URL scheme ( either ldap or ldaps ) */ if(conn->given->flags & PROTOPT_SSL) ldap_ssl = 1; infof(data, "LDAP local: trying to establish %s connection\n", ldap_ssl ? "encrypted" : "cleartext"); #ifdef LDAP_OPT_NETWORK_TIMEOUT ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout); #endif ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); if(ldap_ssl) { #ifdef HAVE_LDAP_SSL #ifdef CURL_LDAP_WIN /* Win32 LDAP SDK doesn't support insecure mode without CA! */ server = ldap_sslinit(conn->host.name, (int)conn->port, 1); ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON); #else int ldap_option; char* ldap_ca = data->set.str[STRING_SSL_CAFILE]; #if defined(CURL_HAS_NOVELL_LDAPSDK) rc = ldapssl_client_init(NULL, NULL); if(rc != LDAP_SUCCESS) { failf(data, "LDAP local: ldapssl_client_init %s", ldap_err2string(rc)); result = CURLE_SSL_CERTPROBLEM; goto quit; } if(data->set.ssl.verifypeer) { /* Novell SDK supports DER or BASE64 files. */ int cert_type = LDAPSSL_CERT_FILETYPE_B64; if((data->set.str[STRING_CERT_TYPE]) && (Curl_raw_equal(data->set.str[STRING_CERT_TYPE], "DER"))) cert_type = LDAPSSL_CERT_FILETYPE_DER; if(!ldap_ca) { failf(data, "LDAP local: ERROR %s CA cert not set!", (cert_type == LDAPSSL_CERT_FILETYPE_DER ? "DER" : "PEM")); result = CURLE_SSL_CERTPROBLEM; goto quit; } infof(data, "LDAP local: using %s CA cert '%s'\n", (cert_type == LDAPSSL_CERT_FILETYPE_DER ? "DER" : "PEM"), ldap_ca); rc = ldapssl_add_trusted_cert(ldap_ca, cert_type); if(rc != LDAP_SUCCESS) { failf(data, "LDAP local: ERROR setting %s CA cert: %s", (cert_type == LDAPSSL_CERT_FILETYPE_DER ? "DER" : "PEM"), ldap_err2string(rc)); result = CURLE_SSL_CERTPROBLEM; goto quit; } ldap_option = LDAPSSL_VERIFY_SERVER; } else ldap_option = LDAPSSL_VERIFY_NONE; rc = ldapssl_set_verify_mode(ldap_option); if(rc != LDAP_SUCCESS) { failf(data, "LDAP local: ERROR setting cert verify mode: %s", ldap_err2string(rc)); result = CURLE_SSL_CERTPROBLEM; goto quit; } server = ldapssl_init(conn->host.name, (int)conn->port, 1); if(server == NULL) { failf(data, "LDAP local: Cannot connect to %s:%ld", conn->host.name, conn->port); result = CURLE_COULDNT_CONNECT; goto quit; } #elif defined(LDAP_OPT_X_TLS) if(data->set.ssl.verifypeer) { /* OpenLDAP SDK supports BASE64 files. */ if((data->set.str[STRING_CERT_TYPE]) && (!Curl_raw_equal(data->set.str[STRING_CERT_TYPE], "PEM"))) { failf(data, "LDAP local: ERROR OpenLDAP only supports PEM cert-type!"); result = CURLE_SSL_CERTPROBLEM; goto quit; } if(!ldap_ca) { failf(data, "LDAP local: ERROR PEM CA cert not set!"); result = CURLE_SSL_CERTPROBLEM; goto quit; } infof(data, "LDAP local: using PEM CA cert: %s\n", ldap_ca); rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca); if(rc != LDAP_SUCCESS) { failf(data, "LDAP local: ERROR setting PEM CA cert: %s", ldap_err2string(rc)); result = CURLE_SSL_CERTPROBLEM; goto quit; } ldap_option = LDAP_OPT_X_TLS_DEMAND; } else ldap_option = LDAP_OPT_X_TLS_NEVER; rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option); if(rc != LDAP_SUCCESS) { failf(data, "LDAP local: ERROR setting cert verify mode: %s", ldap_err2string(rc)); result = CURLE_SSL_CERTPROBLEM; goto quit; } server = ldap_init(conn->host.name, (int)conn->port); if(server == NULL) { failf(data, "LDAP local: Cannot connect to %s:%ld", conn->host.name, conn->port); result = CURLE_COULDNT_CONNECT; goto quit; } ldap_option = LDAP_OPT_X_TLS_HARD; rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option); if(rc != LDAP_SUCCESS) { failf(data, "LDAP local: ERROR setting SSL/TLS mode: %s", ldap_err2string(rc)); result = CURLE_SSL_CERTPROBLEM; goto quit; } /* rc = ldap_start_tls_s(server, NULL, NULL); if(rc != LDAP_SUCCESS) { failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s", ldap_err2string(rc)); result = CURLE_SSL_CERTPROBLEM; goto quit; } */ #else /* we should probably never come up to here since configure should check in first place if we can support LDAP SSL/TLS */ failf(data, "LDAP local: SSL/TLS not supported with this version " "of the OpenLDAP toolkit\n"); result = CURLE_SSL_CERTPROBLEM; goto quit; #endif #endif #endif /* CURL_LDAP_USE_SSL */ } else { server = ldap_init(conn->host.name, (int)conn->port); if(server == NULL) { failf(data, "LDAP local: Cannot connect to %s:%ld", conn->host.name, conn->port); result = CURLE_COULDNT_CONNECT; goto quit; } } #ifdef CURL_LDAP_WIN ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); #endif rc = ldap_simple_bind_s(server, conn->bits.user_passwd ? conn->user : NULL, conn->bits.user_passwd ? conn->passwd : NULL); if(!ldap_ssl && rc != 0) { ldap_proto = LDAP_VERSION2; ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); rc = ldap_simple_bind_s(server, conn->bits.user_passwd ? conn->user : NULL, conn->bits.user_passwd ? conn->passwd : NULL); } if(rc != 0) { failf(data, "LDAP local: ldap_simple_bind_s %s", ldap_err2string(rc)); result = CURLE_LDAP_CANNOT_BIND; goto quit; } rc = ldap_search_s(server, ludp->lud_dn, ludp->lud_scope, ludp->lud_filter, ludp->lud_attrs, 0, &ldapmsg); if(rc != 0 && rc != LDAP_SIZELIMIT_EXCEEDED) { failf(data, "LDAP remote: %s", ldap_err2string(rc)); result = CURLE_LDAP_SEARCH_FAILED; goto quit; } for(num = 0, entryIterator = ldap_first_entry(server, ldapmsg); entryIterator; entryIterator = ldap_next_entry(server, entryIterator), num++) { BerElement *ber = NULL; char *attribute; /*! suspicious that this isn't 'const' */ char *dn = ldap_get_dn(server, entryIterator); int i; result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"DN: ", 4); if(result) goto quit; result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)dn, 0); if(result) goto quit; result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\n", 1); if(result) goto quit; dlsize += strlen(dn)+5; for(attribute = ldap_first_attribute(server, entryIterator, &ber); attribute; attribute = ldap_next_attribute(server, entryIterator, ber)) { BerValue **vals = ldap_get_values_len(server, entryIterator, attribute); if(vals != NULL) { for(i = 0; (vals[i] != NULL); i++) { result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\t", 1); if(result) goto quit; result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)attribute, 0); if(result) goto quit; result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)": ", 2); if(result) goto quit; dlsize += strlen(attribute)+3; if((strlen(attribute) > 7) && (strcmp(";binary", (char *)attribute + (strlen((char *)attribute) - 7)) == 0)) { /* Binary attribute, encode to base64. */ CURLcode error = Curl_base64_encode(data, vals[i]->bv_val, vals[i]->bv_len, &val_b64, &val_b64_sz); if(error) { ldap_value_free_len(vals); ldap_memfree(attribute); ldap_memfree(dn); if(ber) ber_free(ber, 0); result = error; goto quit; } if(val_b64_sz > 0) { result = Curl_client_write(conn, CLIENTWRITE_BODY, val_b64, val_b64_sz); free(val_b64); if(result) goto quit; dlsize += val_b64_sz; } } else { result = Curl_client_write(conn, CLIENTWRITE_BODY, vals[i]->bv_val, vals[i]->bv_len); if(result) goto quit; dlsize += vals[i]->bv_len; } result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\n", 0); if(result) goto quit; dlsize++; } /* Free memory used to store values */ ldap_value_free_len(vals); } result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\n", 1); if(result) goto quit; dlsize++; Curl_pgrsSetDownloadCounter(data, dlsize); ldap_memfree(attribute); } ldap_memfree(dn); if(ber) ber_free(ber, 0); } quit: if(ldapmsg) { ldap_msgfree(ldapmsg); LDAP_TRACE (("Received %d entries\n", num)); } if(rc == LDAP_SIZELIMIT_EXCEEDED) infof(data, "There are more than %d entries\n", num); if(ludp) ldap_free_urldesc(ludp); if(server) ldap_unbind_s(server); #if defined(HAVE_LDAP_SSL) && defined(CURL_HAS_NOVELL_LDAPSDK) if(ldap_ssl) ldapssl_client_deinit(); #endif /* HAVE_LDAP_SSL && CURL_HAS_NOVELL_LDAPSDK */ /* no data to transfer */ Curl_setup_transfer(conn, -1, -1, FALSE, NULL, -1, NULL); connclose(conn, "LDAP connection always disable re-use"); return result; }
/* * always protected by conn_mutex * optionally protected by req_mutex and res_mutex */ LDAPConn * ldap_new_connection( LDAP *ld, LDAPURLDesc **srvlist, int use_ldsb, int connect, LDAPreqinfo *bind, int m_req, int m_res ) { LDAPConn *lc; int async = 0; LDAP_ASSERT_MUTEX_OWNER( &ld->ld_conn_mutex ); Debug( LDAP_DEBUG_TRACE, "ldap_new_connection %d %d %d\n", use_ldsb, connect, (bind != NULL) ); /* * make a new LDAP server connection * XXX open connection synchronously for now */ lc = (LDAPConn *)LDAP_CALLOC( 1, sizeof( LDAPConn ) ); if ( lc == NULL ) { ld->ld_errno = LDAP_NO_MEMORY; return( NULL ); } if ( use_ldsb ) { assert( ld->ld_sb != NULL ); lc->lconn_sb = ld->ld_sb; } else { lc->lconn_sb = ber_sockbuf_alloc(); if ( lc->lconn_sb == NULL ) { LDAP_FREE( (char *)lc ); ld->ld_errno = LDAP_NO_MEMORY; return( NULL ); } } if ( connect ) { LDAPURLDesc **srvp, *srv = NULL; async = LDAP_BOOL_GET( &ld->ld_options, LDAP_BOOL_CONNECT_ASYNC ); for ( srvp = srvlist; *srvp != NULL; srvp = &(*srvp)->lud_next ) { int rc; rc = ldap_int_open_connection( ld, lc, *srvp, async ); if ( rc != -1 ) { srv = *srvp; if ( ld->ld_urllist_proc && ( !async || rc != -2 ) ) { ld->ld_urllist_proc( ld, srvlist, srvp, ld->ld_urllist_params ); } break; } } if ( srv == NULL ) { if ( !use_ldsb ) { ber_sockbuf_free( lc->lconn_sb ); } LDAP_FREE( (char *)lc ); ld->ld_errno = LDAP_SERVER_DOWN; return( NULL ); } lc->lconn_server = ldap_url_dup( srv ); } lc->lconn_status = async ? LDAP_CONNST_CONNECTING : LDAP_CONNST_CONNECTED; lc->lconn_next = ld->ld_conns; ld->ld_conns = lc; if ( connect ) { #ifdef HAVE_TLS if ( lc->lconn_server->lud_exts ) { int rc, ext = find_tls_ext( lc->lconn_server ); if ( ext ) { LDAPConn *savedefconn; savedefconn = ld->ld_defconn; ++lc->lconn_refcnt; /* avoid premature free */ ld->ld_defconn = lc; LDAP_REQ_UNLOCK_IF(m_req); LDAP_MUTEX_UNLOCK( &ld->ld_conn_mutex ); LDAP_RES_UNLOCK_IF(m_res); rc = ldap_start_tls_s( ld, NULL, NULL ); LDAP_RES_LOCK_IF(m_res); LDAP_MUTEX_LOCK( &ld->ld_conn_mutex ); LDAP_REQ_LOCK_IF(m_req); ld->ld_defconn = savedefconn; --lc->lconn_refcnt; if ( rc != LDAP_SUCCESS && ext == 2 ) { ldap_free_connection( ld, lc, 1, 0 ); return NULL; } } } #endif } if ( bind != NULL ) { int err = 0; LDAPConn *savedefconn; /* Set flag to prevent additional referrals * from being processed on this * connection until the bind has completed */ lc->lconn_rebind_inprogress = 1; /* V3 rebind function */ if ( ld->ld_rebind_proc != NULL) { LDAPURLDesc *srvfunc; srvfunc = ldap_url_dup( *srvlist ); if ( srvfunc == NULL ) { ld->ld_errno = LDAP_NO_MEMORY; err = -1; } else { savedefconn = ld->ld_defconn; ++lc->lconn_refcnt; /* avoid premature free */ ld->ld_defconn = lc; Debug( LDAP_DEBUG_TRACE, "Call application rebind_proc\n", 0, 0, 0); LDAP_REQ_UNLOCK_IF(m_req); LDAP_MUTEX_UNLOCK( &ld->ld_conn_mutex ); LDAP_RES_UNLOCK_IF(m_res); err = (*ld->ld_rebind_proc)( ld, bind->ri_url, bind->ri_request, bind->ri_msgid, ld->ld_rebind_params ); LDAP_RES_LOCK_IF(m_res); LDAP_MUTEX_LOCK( &ld->ld_conn_mutex ); LDAP_REQ_LOCK_IF(m_req); ld->ld_defconn = savedefconn; --lc->lconn_refcnt; if ( err != 0 ) { err = -1; ldap_free_connection( ld, lc, 1, 0 ); lc = NULL; } ldap_free_urldesc( srvfunc ); } } else { int msgid, rc; struct berval passwd = BER_BVNULL; savedefconn = ld->ld_defconn; ++lc->lconn_refcnt; /* avoid premature free */ ld->ld_defconn = lc; Debug( LDAP_DEBUG_TRACE, "anonymous rebind via ldap_sasl_bind(\"\")\n", 0, 0, 0); LDAP_REQ_UNLOCK_IF(m_req); LDAP_MUTEX_UNLOCK( &ld->ld_conn_mutex ); LDAP_RES_UNLOCK_IF(m_res); rc = ldap_sasl_bind( ld, "", LDAP_SASL_SIMPLE, &passwd, NULL, NULL, &msgid ); if ( rc != LDAP_SUCCESS ) { err = -1; } else { for ( err = 1; err > 0; ) { struct timeval tv = { 0, 100000 }; LDAPMessage *res = NULL; switch ( ldap_result( ld, msgid, LDAP_MSG_ALL, &tv, &res ) ) { case -1: err = -1; break; case 0: #ifdef LDAP_R_COMPILE ldap_pvt_thread_yield(); #endif break; case LDAP_RES_BIND: rc = ldap_parse_result( ld, res, &err, NULL, NULL, NULL, NULL, 1 ); if ( rc != LDAP_SUCCESS ) { err = -1; } else if ( err != LDAP_SUCCESS ) { err = -1; } /* else err == LDAP_SUCCESS == 0 */ break; default: Debug( LDAP_DEBUG_TRACE, "ldap_new_connection %p: " "unexpected response %d " "from BIND request id=%d\n", (void *) ld, ldap_msgtype( res ), msgid ); err = -1; break; } } } LDAP_RES_LOCK_IF(m_res); LDAP_MUTEX_LOCK( &ld->ld_conn_mutex ); LDAP_REQ_LOCK_IF(m_req); ld->ld_defconn = savedefconn; --lc->lconn_refcnt; if ( err != 0 ) { ldap_free_connection( ld, lc, 1, 0 ); lc = NULL; } } if ( lc != NULL ) lc->lconn_rebind_inprogress = 0; } return( lc ); }
/* * call-seq: * OpenLDAP.split_url( str ) -> array * * Split an LDAP URL into an array of its parts: * - uri_scheme * - host * - port * - base * - attrs * - scope * - filter * - exts * - crit_exts */ static VALUE ropenldap_s_split_url( VALUE UNUSED(module), VALUE urlstring ) { const char *url = StringValueCStr( urlstring ); LDAPURLDesc *urldesc; VALUE rval = Qnil, obj = Qnil; if ( !ldap_is_ldap_url(url) ) rb_raise( rb_eArgError, "Not an LDAP URL." ); /* Parse the URL */ if ( ldap_url_parse(url, &urldesc) != 0 ) rb_raise( rb_eRuntimeError, "Error parsing %s as an LDAP URL!", url ); rval = rb_ary_new2( 9 ); /* Scheme */ if ( urldesc->lud_scheme ) { ropenldap_log( "debug", " parsed scheme: %s", urldesc->lud_scheme ); obj = rb_str_new2( urldesc->lud_scheme ); OBJ_INFECT( obj, urlstring ); rb_ary_store( rval, 0L, obj ); } /* LDAP host to contact */ if ( urldesc->lud_host ) { ropenldap_log( "debug", " parsed host: %s", urldesc->lud_host ); obj = rb_str_new2( urldesc->lud_host ); OBJ_INFECT( obj, urlstring ); rb_ary_store( rval, 1L, obj ); } /* Port */ rb_ary_store( rval, 2L, INT2FIX(urldesc->lud_port) ); /* Base DN */ if ( urldesc->lud_dn ) { ropenldap_log( "debug", " parsed DN: %s", urldesc->lud_dn ); obj = rb_str_new2( urldesc->lud_dn ); OBJ_INFECT( obj, urlstring ); rb_ary_store( rval, 3L, obj ); } /* Attributes */ rb_ary_store( rval, 4L, ropenldap_rb_string_array(urldesc->lud_attrs) ); /* Numeric scope (LDAP_SCOPE_*) */ rb_ary_store( rval, 5L, INT2FIX(urldesc->lud_scope) ); /* Filter */ if ( urldesc->lud_filter ) { ropenldap_log( "debug", " parsed filter: %s", urldesc->lud_filter ); obj = rb_str_new2( urldesc->lud_filter ); OBJ_INFECT( obj, urlstring ); rb_ary_store( rval, 6L, obj ); } /* lists of LDAP extensions */ rb_ary_store( rval, 7L, ropenldap_rb_string_array(urldesc->lud_exts) ); /* Critical extension/s flag */ rb_ary_store( rval, 8L, urldesc->lud_crit_exts ? Qtrue : Qfalse ); ldap_free_urldesc( urldesc ); return rval; }
BerVarray referral_rewrite( BerVarray in, struct berval *base, struct berval *target, int scope ) { int i; BerVarray refs; struct berval *iv, *jv; if ( in == NULL ) { return NULL; } for ( i = 0; !BER_BVISNULL( &in[i] ); i++ ) { /* just count them */ } if ( i < 1 ) { return NULL; } refs = ch_malloc( ( i + 1 ) * sizeof( struct berval ) ); for ( iv = in, jv = refs; !BER_BVISNULL( iv ); iv++ ) { LDAPURLDesc *url; char *dn; int rc; rc = ldap_url_parse_ext( iv->bv_val, &url, LDAP_PVT_URL_PARSE_NONE ); if ( rc == LDAP_URL_ERR_BADSCHEME ) { ber_dupbv( jv++, iv ); continue; } else if ( rc != LDAP_URL_SUCCESS ) { continue; } dn = url->lud_dn; url->lud_dn = referral_dn_muck( ( dn && *dn ) ? dn : NULL, base, target ); ldap_memfree( dn ); if ( url->lud_scope == LDAP_SCOPE_DEFAULT ) { url->lud_scope = scope; } jv->bv_val = ldap_url_desc2str( url ); if ( jv->bv_val != NULL ) { jv->bv_len = strlen( jv->bv_val ); } else { ber_dupbv( jv, iv ); } jv++; ldap_free_urldesc( url ); } if ( jv == refs ) { ch_free( refs ); refs = NULL; } else { BER_BVZERO( jv ); } return refs; }
int rewrite_xmap_destroy( struct rewrite_map **pmap ) { struct rewrite_map *map; assert( pmap != NULL ); assert( *pmap != NULL ); map = *pmap; switch ( map->lm_type ) { case REWRITE_MAP_XPWDMAP: #ifdef USE_REWRITE_LDAP_PVT_THREADS --xpasswd_mutex_init; if ( !xpasswd_mutex_init ) { ldap_pvt_thread_mutex_destroy( &xpasswd_mutex ); } #endif /* USE_REWRITE_LDAP_PVT_THREADS */ break; case REWRITE_MAP_XFILEMAP: #ifdef USE_REWRITE_LDAP_PVT_THREADS ldap_pvt_thread_mutex_lock( &map->lm_mutex ); #endif /* USE_REWRITE_LDAP_PVT_THREADS */ if ( map->lm_args ) { fclose( ( FILE * )map->lm_args ); map->lm_args = NULL; } #ifdef USE_REWRITE_LDAP_PVT_THREADS ldap_pvt_thread_mutex_unlock( &map->lm_mutex ); ldap_pvt_thread_mutex_destroy( &map->lm_mutex ); #endif /* USE_REWRITE_LDAP_PVT_THREADS */ break; case REWRITE_MAP_XLDAPMAP: #ifdef USE_REWRITE_LDAP_PVT_THREADS ldap_pvt_thread_mutex_lock( &map->lm_mutex ); #endif /* USE_REWRITE_LDAP_PVT_THREADS */ if ( map->lm_args ) { ldap_free_urldesc( ( LDAPURLDesc * )map->lm_args ); map->lm_args = NULL; } #ifdef USE_REWRITE_LDAP_PVT_THREADS ldap_pvt_thread_mutex_unlock( &map->lm_mutex ); ldap_pvt_thread_mutex_destroy( &map->lm_mutex ); #endif /* USE_REWRITE_LDAP_PVT_THREADS */ break; default: break; } free( map->lm_name ); free( map ); *pmap = NULL; return 0; }
/* * Map parsing * NOTE: these are old-fashion maps; new maps will be parsed on separate * config lines, and referred by name. */ struct rewrite_map * rewrite_xmap_parse( struct rewrite_info *info, const char *s, const char **currpos ) { struct rewrite_map *map; assert( info != NULL ); assert( s != NULL ); assert( currpos != NULL ); Debug( LDAP_DEBUG_ARGS, "rewrite_xmap_parse: %s\n%s%s", s, "", "" ); *currpos = NULL; map = calloc( sizeof( struct rewrite_map ), 1 ); if ( map == NULL ) { Debug( LDAP_DEBUG_ANY, "rewrite_xmap_parse:" " calloc failed\n%s%s%s", "", "", "" ); return NULL; } /* * Experimental passwd map: * replaces the uid with the matching gecos from /etc/passwd file */ if ( strncasecmp(s, "xpasswd", 7 ) == 0 ) { map->lm_type = REWRITE_MAP_XPWDMAP; map->lm_name = strdup( "xpasswd" ); if ( map->lm_name == NULL ) { free( map ); return NULL; } assert( s[7] == '}' ); *currpos = s + 8; #ifdef USE_REWRITE_LDAP_PVT_THREADS if ( !xpasswd_mutex_init ) { if ( ldap_pvt_thread_mutex_init( &xpasswd_mutex ) ) { free( map ); return NULL; } } ++xpasswd_mutex_init; #endif /* USE_REWRITE_LDAP_PVT_THREADS */ /* Don't really care if fails */ return map; /* * Experimental file map: * looks up key in a `key value' ascii file */ } else if ( strncasecmp( s, "xfile", 5 ) == 0 ) { char *filename; const char *p; int l; int c = 5; map->lm_type = REWRITE_MAP_XFILEMAP; if ( s[ c ] != '(' ) { free( map ); return NULL; } /* Must start with '/' for security concerns */ c++; if ( s[ c ] != '/' ) { free( map ); return NULL; } for ( p = s + c; p[ 0 ] != '\0' && p[ 0 ] != ')'; p++ ); if ( p[ 0 ] != ')' ) { free( map ); return NULL; } l = p - s - c; filename = calloc( sizeof( char ), l + 1 ); if ( filename == NULL ) { free( map ); return NULL; } AC_MEMCPY( filename, s + c, l ); filename[ l ] = '\0'; map->lm_args = ( void * )fopen( filename, "r" ); free( filename ); if ( map->lm_args == NULL ) { free( map ); return NULL; } *currpos = p + 1; #ifdef USE_REWRITE_LDAP_PVT_THREADS if ( ldap_pvt_thread_mutex_init( &map->lm_mutex ) ) { fclose( ( FILE * )map->lm_args ); free( map ); return NULL; } #endif /* USE_REWRITE_LDAP_PVT_THREADS */ return map; /* * Experimental ldap map: * looks up key on the fly (not implemented!) */ } else if ( strncasecmp(s, "xldap", 5 ) == 0 ) { char *p; char *url; int l, rc; int c = 5; LDAPURLDesc *lud; if ( s[ c ] != '(' ) { free( map ); return NULL; } c++; p = strchr( s, '}' ); if ( p == NULL ) { free( map ); return NULL; } p--; *currpos = p + 2; /* * Add two bytes for urlencoding of '%s' */ l = p - s - c; url = calloc( sizeof( char ), l + 3 ); if ( url == NULL ) { free( map ); return NULL; } AC_MEMCPY( url, s + c, l ); url[ l ] = '\0'; /* * Urlencodes the '%s' for ldap_url_parse */ p = strchr( url, '%' ); if ( p != NULL ) { AC_MEMCPY( p + 3, p + 1, strlen( p + 1 ) + 1 ); p[ 1 ] = '2'; p[ 2 ] = '5'; } rc = ldap_url_parse( url, &lud ); free( url ); if ( rc != LDAP_SUCCESS ) { free( map ); return NULL; } assert( lud != NULL ); map->lm_args = ( void * )lud; map->lm_type = REWRITE_MAP_XLDAPMAP; #ifdef USE_REWRITE_LDAP_PVT_THREADS if ( ldap_pvt_thread_mutex_init( &map->lm_mutex ) ) { ldap_free_urldesc( lud ); free( map ); return NULL; } #endif /* USE_REWRITE_LDAP_PVT_THREADS */ return map; /* Unhandled map */ } free( map ); return NULL; }
/* * returns an LDAP error code * * XXXmcs: this function used to have #ifdef LDAP_DNS code in it but I * removed it when I improved the parsing (we don't define LDAP_DNS * here at Netscape). */ static int chase_one_referral( LDAP *ld, LDAPRequest *lr, LDAPRequest *origreq, char *refurl, char *desc, int *unknownp ) { int rc, tmprc, secure, msgid; LDAPServer *srv; BerElement *ber; LDAPURLDesc *ludp; *unknownp = 0; ludp = NULLLDAPURLDESC; if ( nsldapi_url_parse( refurl, &ludp, 0 ) != 0 ) { LDAPDebug( LDAP_DEBUG_TRACE, "ignoring unknown %s <%s>\n", desc, refurl, 0 ); *unknownp = 1; rc = LDAP_SUCCESS; goto cleanup_and_return; } secure = (( ludp->lud_options & LDAP_URL_OPT_SECURE ) != 0 ); /* XXXmcs: can't tell if secure is supported by connect callback */ if ( secure && ld->ld_extconnect_fn == NULL ) { LDAPDebug( LDAP_DEBUG_TRACE, "ignoring LDAPS %s <%s>\n", desc, refurl, 0 ); *unknownp = 1; rc = LDAP_SUCCESS; goto cleanup_and_return; } LDAPDebug( LDAP_DEBUG_TRACE, "chasing LDAP%s %s: <%s>\n", secure ? "S" : "", desc, refurl ); LDAP_MUTEX_LOCK( ld, LDAP_MSGID_LOCK ); msgid = ++ld->ld_msgid; LDAP_MUTEX_UNLOCK( ld, LDAP_MSGID_LOCK ); if (( tmprc = re_encode_request( ld, origreq->lr_ber, msgid, ludp, &ber )) != LDAP_SUCCESS ) { rc = tmprc; goto cleanup_and_return; } if (( srv = (LDAPServer *)NSLDAPI_CALLOC( 1, sizeof( LDAPServer ))) == NULL ) { ber_free( ber, 1 ); rc = LDAP_NO_MEMORY; goto cleanup_and_return; } if (ludp->lud_host == NULL && ld->ld_defhost == NULL) { srv->lsrv_host = NULL; } else { if (ludp->lud_host == NULL) { srv->lsrv_host = nsldapi_strdup( origreq->lr_conn->lconn_server->lsrv_host ); LDAPDebug(LDAP_DEBUG_TRACE, "chase_one_referral: using hostname '%s' from original " "request on new request\n", srv->lsrv_host, 0, 0); } else { srv->lsrv_host = nsldapi_strdup(ludp->lud_host); LDAPDebug(LDAP_DEBUG_TRACE, "chase_one_referral: using hostname '%s' as specified " "on new request\n", srv->lsrv_host, 0, 0); } if (srv->lsrv_host == NULL) { NSLDAPI_FREE((char *)srv); ber_free(ber, 1); rc = LDAP_NO_MEMORY; goto cleanup_and_return; } } /* * According to our reading of RFCs 2255 and 1738, the * following algorithm applies: * - no hostport (no host, no port) provided in LDAP URL, use those * of previous request * - no port but a host, use default LDAP port * - else use given hostport */ if (ludp->lud_port == 0 && ludp->lud_host == NULL) { srv->lsrv_port = origreq->lr_conn->lconn_server->lsrv_port; LDAPDebug(LDAP_DEBUG_TRACE, "chase_one_referral: using port (%d) from original " "request on new request\n", srv->lsrv_port, 0, 0); } else if (ludp->lud_port == 0 && ludp->lud_host != NULL) { srv->lsrv_port = (secure) ? LDAPS_PORT : LDAP_PORT; LDAPDebug(LDAP_DEBUG_TRACE, "chase_one_referral: using default port (%d) \n", srv->lsrv_port, 0, 0); } else { srv->lsrv_port = ludp->lud_port; LDAPDebug(LDAP_DEBUG_TRACE, "chase_one_referral: using port (%d) as specified on " "new request\n", srv->lsrv_port, 0, 0); } if ( secure ) { srv->lsrv_options |= LDAP_SRV_OPT_SECURE; } if ( nsldapi_send_server_request( ld, ber, msgid, lr, srv, NULL, NULL, 1 ) < 0 ) { rc = LDAP_GET_LDERRNO( ld, NULL, NULL ); LDAPDebug( LDAP_DEBUG_ANY, "Unable to chase %s %s (%s)\n", desc, refurl, ldap_err2string( rc )); } else { rc = LDAP_SUCCESS; } cleanup_and_return: if ( ludp != NULLLDAPURLDESC ) { ldap_free_urldesc( ludp ); } return( rc ); }