static
DWORD
_VmDirSASLGSSBind(
LDAP* pLD
)
{
DWORD dwError = 0;
dwError = ldap_sasl_interactive_bind_s( pLD,
NULL,
"GSSAPI",
NULL,
NULL,
LDAP_SASL_QUIET,
_VmDirSASLInteraction,
NULL);
BAIL_ON_VMDIR_ERROR(dwError);
cleanup:
return dwError;
error:
VmDirLog(LDAP_DEBUG_ANY, "VmDirSASLGSSBind failed. (%d)(%s)\n", dwError, ldap_err2string(dwError));
goto cleanup;
}
DWORD
LwLdapBindDirectorySasl(
LDAP *ld,
PCSTR pszServerName,
BOOLEAN bSeal
)
{
DWORD dwError = LW_ERROR_SUCCESS;
// Do not attempt to canonicalize the server
// name which isn't necessary since we used
// the server's FQDN or address.
dwError = ldap_set_option(
ld,
LDAP_OPT_X_SASL_NOCANON,
LDAP_OPT_ON);
BAIL_ON_LDAP_ERROR(dwError);
// ssf=1 is sign, ssf>1 is seal. By default
// it will use the maximum available ssf level
// so setting minssf isn't strictly necessary.
// Setting minssf guarantees an error if it
// cannot provide the minimum level.
if (bSeal)
{
dwError = ldap_set_option(
ld,
LDAP_OPT_X_SASL_SECPROPS,
(void *)"minssf=2");
BAIL_ON_LDAP_ERROR(dwError);
}
else
{
dwError = ldap_set_option(
ld,
LDAP_OPT_X_SASL_SECPROPS,
(void *)"minssf=1,maxssf=1");
BAIL_ON_LDAP_ERROR(dwError);
}
dwError = ldap_sasl_interactive_bind_s(
ld,
NULL,
"GSS-SPNEGO",
NULL,
NULL,
LDAP_SASL_QUIET,
LwLdapGssSpnegoInteract,
(void *)pszServerName);
if (dwError != 0) {
LW_RTL_LOG_ERROR("ldap_sasl_interactive_bind_s failed with error code %d", dwError);
BAIL_ON_LDAP_ERROR(dwError);
}
error:
return dwError;
}
static krb5_error_code
authenticate(krb5_ldap_context *ctx, krb5_ldap_server_handle *server)
{
int st;
struct berval bv;
if (ctx->sasl_mech != NULL) {
st = ldap_sasl_interactive_bind_s(server->ldap_handle, NULL,
ctx->sasl_mech, NULL, NULL,
LDAP_SASL_QUIET, interact, ctx);
if (st != LDAP_SUCCESS) {
k5_setmsg(ctx->kcontext, KRB5_KDB_ACCESS_ERROR,
_("Cannot bind to LDAP server '%s' with SASL mechanism "
"'%s': %s"), server->server_info->server_name,
ctx->sasl_mech, ldap_err2string(st));
return KRB5_KDB_ACCESS_ERROR;
}
} else {
/* Do a simple bind with DN and password. */
bv.bv_val = ctx->bind_pwd;
bv.bv_len = strlen(ctx->bind_pwd);
st = ldap_sasl_bind_s(server->ldap_handle, ctx->bind_dn, NULL, &bv,
NULL, NULL, NULL);
if (st != LDAP_SUCCESS) {
k5_setmsg(ctx->kcontext, KRB5_KDB_ACCESS_ERROR,
_("Cannot bind to LDAP server '%s' as '%s': %s"),
server->server_info->server_name, ctx->bind_dn,
ldap_err2string(st));
return KRB5_KDB_ACCESS_ERROR;
}
}
return 0;
}
DWORD
VmCASASLSRPBind(
LDAP** ppLd,
PCSTR pszURI,
PCSTR pszUPN,
PCSTR pszPass
)
{
DWORD dwError = 0;
PSTR pszLowerCaseUPN = NULL;
LDAP* pLd = NULL;
const int ldapVer = LDAP_VERSION3;
VMCA_SASL_INTERACTIVE_DEFAULT srpDefault = {0};
if ( ppLd == NULL || pszURI == NULL || pszUPN == NULL || pszPass == NULL )
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_ERROR(dwError);
}
dwError = VMCAStringToLower( (PSTR)pszUPN, &pszLowerCaseUPN );
BAIL_ON_ERROR(dwError);
srpDefault.pszAuthName = pszLowerCaseUPN;
srpDefault.pszPass = pszPass;
dwError = ldap_initialize( &pLd, pszURI);
BAIL_ON_ERROR(dwError);
dwError = ldap_set_option(pLd, LDAP_OPT_PROTOCOL_VERSION, &ldapVer);
BAIL_ON_ERROR(dwError);
dwError = ldap_sasl_interactive_bind_s( pLd,
NULL,
"SRP",
NULL,
NULL,
LDAP_SASL_QUIET,
_VMCASASLSRPInteraction,
&srpDefault);
BAIL_ON_ERROR(dwError);
*ppLd = pLd;
cleanup:
VMCA_SAFE_FREE_STRINGA(pszLowerCaseUPN);
return dwError;
error:
if ( pLd )
{
ldap_unbind_ext_s( pLd, NULL, NULL);
}
goto cleanup;
}
DWORD
VmDirSASLGSSAPIBind(
LDAP** ppLd,
PCSTR pszURI
)
{
DWORD dwError = 0;
int retVal = 0;
LDAP* pLd = NULL;
const int ldapVer = LDAP_VERSION3;
if ( ppLd == NULL || pszURI == NULL )
{
dwError = VMDIR_ERROR_INVALID_PARAMETER;
BAIL_ON_VMDIR_ERROR(dwError);
}
retVal = ldap_initialize( &pLd, pszURI);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
retVal = ldap_set_option(pLd, LDAP_OPT_PROTOCOL_VERSION, &ldapVer);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
retVal = ldap_sasl_interactive_bind_s( pLd,
NULL,
"GSSAPI",
NULL,
NULL,
LDAP_SASL_QUIET,
_VmDirSASLGSSAPIInteraction,
NULL);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
*ppLd = pLd;
cleanup:
return dwError;
ldaperror:
VMDIR_LOG_VERBOSE( VMDIR_LOG_MASK_ALL, "_VmDirSASLGSSBind failed. (%d)(%s)",
retVal, ldap_err2string(retVal) );
dwError = VmDirMapLdapError(retVal);
error:
if (retVal == 0)
{
VMDIR_LOG_VERBOSE( VMDIR_LOG_MASK_ALL, "_VmDirSASLGSSBind failed. (%u)", dwError);
}
if ( pLd )
{
ldap_unbind_ext_s( pLd, NULL, NULL);
}
goto cleanup;
}
int ldap_add_machine_account(const char *ldap_host,
const char *hostname, const char *realm)
{
LDAP *ld;
int ldap_port = LDAP_PORT;
char *bind_path;
int rc;
LDAPMessage *res;
void *sasl_defaults;
int version = LDAP_VERSION3;
bind_path = build_dn(realm);
printf("Creating host account for %s@%s\n", hostname, realm);
ld = ldap_open(ldap_host, ldap_port);
ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
rc = ldap_sasl_interactive_bind_s(ld, NULL, NULL, NULL, NULL, 0,
sasl_interact, NULL);
if (rc != LDAP_SUCCESS) {
ldap_perror(ld, "ldap_bind");
goto failed;
}
rc = find_host(ld, &res, bind_path, hostname);
if (rc == LDAP_SUCCESS && ldap_count_entries(ld, res) == 1) {
printf("Host account for %s already exists\n", hostname);
goto finished;
}
rc = add_host(ld, bind_path, hostname, realm);
if (rc != LDAP_SUCCESS) {
ldap_perror(ld, "add_host");
goto failed;
}
rc = find_host(ld, &res, bind_path, hostname);
if (rc != LDAP_SUCCESS || ldap_count_entries(ld, res) != 1) {
ldap_perror(ld, "find_host test");
goto failed;
}
printf("Successfully added machine account for %s\n", hostname);
finished:
free(bind_path);
return 0;
failed:
printf("ldap_add_machine_account failed\n");
free(bind_path);
ldap_unbind(ld);
return 1;
}
/** @brief Bind to the server with SASL
* @param ld Reference to LDAP connection.
* @param mech SASL mechanisim.
* @param realm SASL realm.
* @param authcid SASL auth id.
* @param passwd Password for authid.
* @param authzid Proxy authid.
* @returns -1 on error.*/
extern int ldap_saslbind(struct ldap_conn *ld, const char *mech, const char *realm, const char *authcid, const char *passwd, const char *authzid ) {
struct sasl_defaults *sasl;
int res, sasl_flags = LDAP_SASL_AUTOMATIC | LDAP_SASL_QUIET;
if (!objref(ld)) {
return LDAP_UNAVAILABLE;
}
if (!(sasl = objalloc(sizeof(*sasl), free_sasl))) {
return LDAP_NO_MEMORY;
}
ALLOC_CONST(sasl->passwd, passwd);
if (mech) {
ALLOC_CONST(sasl->mech, mech);
} else {
ldap_get_option(ld->ldap, LDAP_OPT_X_SASL_MECH, &sasl->mech);
}
if (realm) {
ALLOC_CONST(sasl->realm, realm);
} else {
ldap_get_option(ld->ldap, LDAP_OPT_X_SASL_REALM, &sasl->realm );
}
if (authcid) {
ALLOC_CONST(sasl->authcid, authcid);
} else {
ldap_get_option(ld->ldap, LDAP_OPT_X_SASL_AUTHCID, &sasl->authcid );
}
if (authzid) {
ALLOC_CONST(sasl->authzid, authzid);
} else {
ldap_get_option(ld->ldap, LDAP_OPT_X_SASL_AUTHZID, &sasl->authzid );
}
objlock(ld);
if (ld->sasl) {
objunref(ld->sasl);
}
ld->sasl = sasl;
res = ldap_sasl_interactive_bind_s(ld->ldap, NULL, sasl->mech, ld->sctrlsp , NULL, sasl_flags, dts_sasl_interact, sasl);
objunlock(ld);
objunref(ld);
return res;
}
/*
connect to the LDAP server
*/
int ads_connect(ADS_STRUCT *ads)
{
int version = LDAP_VERSION3;
int rc;
ads->ld = ldap_open(ads->ldap_server, ads->ldap_port);
if (!ads->ld) {
return errno;
}
ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
rc = ldap_sasl_interactive_bind_s(ads->ld, NULL, NULL, NULL, NULL, 0,
sasl_interact, NULL);
return rc;
}
static void* ldap_bind_thread_func( void*arg)
{
LinphoneLDAPContactProvider* obj = linphone_ldap_contact_provider_ref(arg);
const char* auth_mechanism = obj->auth_method;
int ret;
if( (strcmp(auth_mechanism, "ANONYMOUS") == 0) || (strcmp(auth_mechanism, "SIMPLE") == 0) )
{
struct berval passwd = { strlen(obj->password), ms_strdup(obj->password)};
auth_mechanism = LDAP_SASL_SIMPLE;
ret = ldap_sasl_bind_s(obj->ld,
obj->bind_dn,
auth_mechanism,
&passwd,
NULL,
NULL,
NULL);
ms_free(passwd.bv_val);
}
else
{
ms_message("LDAP interactive bind");
ret = ldap_sasl_interactive_bind_s(obj->ld,
obj->bind_dn,
auth_mechanism,
NULL,NULL,
LDAP_SASL_QUIET,
linphone_ldap_contact_provider_bind_interact,
obj);
}
if( ret == LDAP_SUCCESS ) {
ms_message("LDAP bind OK");
obj->connected = 1;
} else {
int err;
ldap_get_option(obj->ld, LDAP_OPT_RESULT_CODE, &err);
ms_error("ldap_sasl_bind error returned %x, err %x (%s), auth_method: %s",
ret, err, ldap_err2string(err), auth_mechanism );
}
obj->bind_thread = 0;
linphone_ldap_contact_provider_unref(obj);
return (void*)0;
}
static
idmap_stat
idmap_open_ad_conn(idmap_nm_handle_t *adh)
{
int zero = 0;
int timeoutms = 30 * 1000;
int ldversion, ldap_rc;
idmap_stat rc = IDMAP_SUCCESS;
/* Open and bind an LDAP connection */
adh->ad = ldap_init(adh->ad_host, adh->ad_port);
if (adh->ad == NULL) {
namemap_log(
gettext("ldap_init() to server %s port %d failed. (%s)"),
CHECK_NULL(adh->ad_host),
adh->ad_port, strerror(errno));
rc = IDMAP_ERR_INTERNAL;
goto out;
}
ldversion = LDAP_VERSION3;
(void) ldap_set_option(adh->ad, LDAP_OPT_PROTOCOL_VERSION, &ldversion);
(void) ldap_set_option(adh->ad, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
(void) ldap_set_option(adh->ad, LDAP_OPT_TIMELIMIT, &zero);
(void) ldap_set_option(adh->ad, LDAP_OPT_SIZELIMIT, &zero);
(void) ldap_set_option(adh->ad, LDAP_X_OPT_CONNECT_TIMEOUT, &timeoutms);
(void) ldap_set_option(adh->ad, LDAP_OPT_RESTART, LDAP_OPT_ON);
ldap_rc = ldap_sasl_interactive_bind_s(adh->ad, "" /* binddn */,
adh->saslmech, NULL, NULL, adh->saslflags, &idmap_saslcallback,
NULL);
if (ldap_rc != LDAP_SUCCESS) {
(void) ldap_unbind(adh->ad);
adh->ad = NULL;
namemap_log(
gettext("ldap_sasl_interactive_bind_s() to server "
"%s port %d failed. (%s)"), CHECK_NULL(adh->ad_host),
adh->ad_port, ldap_err2string(ldap_rc));
rc = IDMAP_ERR_INTERNAL;
}
out:
return (rc);
}
static VALUE rldap_sasl_bind(int argc, VALUE *argv, VALUE obj)
{
RLDAP_WRAP *wrapper;
char *bind_dn = NULL, *passwd = NULL, *sasl_mech = NULL,
*sasl_realm = NULL, *sasl_authz_id = NULL, *sasl_authc_id = NULL;
VALUE rbind_dn, rpasswd, rsasl_mech, rsasl_realm,
rsasl_authz_id, rsasl_authc_id, rprops;
int retval;
RLDAP_BICTX *ctx;
wrapper = get_wrapper(obj);
rb_scan_args(argc, argv, "07", &rbind_dn, &rpasswd, &rsasl_mech, &rsasl_realm, &rsasl_authz_id, &rsasl_authc_id, &rprops);
if (!NIL_P(rprops))
ldap_set_option(wrapper->ld, LDAP_OPT_X_SASL_SECPROPS, StringValuePtr(rprops));
if (!NIL_P(rbind_dn))
bind_dn = StringValuePtr(rbind_dn);
if (!NIL_P(rpasswd))
passwd = StringValuePtr(rpasswd);
if (!NIL_P(rsasl_mech))
sasl_mech = StringValuePtr(rsasl_mech);
if (!NIL_P(rsasl_realm))
sasl_realm = StringValuePtr(rsasl_realm);
if (!NIL_P(rsasl_authz_id))
sasl_authz_id = StringValuePtr(rsasl_authz_id);
if (!NIL_P(rsasl_authc_id))
sasl_authc_id = StringValuePtr(rsasl_authc_id);
ctx = _rldap_sasl_setdefs(wrapper->ld, sasl_mech, sasl_realm, sasl_authc_id, passwd, sasl_authz_id);
retval = ldap_sasl_interactive_bind_s(wrapper->ld, bind_dn, ctx->mech, NULL, NULL, LDAP_SASL_AUTOMATIC, _rldap_sasl_interact, ctx);
_rldap_sasl_freedefs(ctx);
if (retval != LDAP_SUCCESS)
rldap_raise(retval);
else
return Qtrue;
}
static int ldap_rebind_proc(LDAP *ld, LDAP_CONST char *url, ber_tag_t request, ber_int_t msgid, void *params) {
struct ldap_conn *ldap = params;
int res = LDAP_UNAVAILABLE;
if (!objref(ldap)) {
return LDAP_UNAVAILABLE;
}
if (ldap->sasl) {
int sasl_flags = LDAP_SASL_AUTOMATIC | LDAP_SASL_QUIET;
struct sasl_defaults *sasl = ldap->sasl;
res = ldap_sasl_interactive_bind_s(ld, NULL, sasl->mech, ldap->sctrlsp , NULL, sasl_flags, dts_sasl_interact, sasl);
} else
if (ldap->simple) {
struct ldap_simple *simple = ldap->simple;
res = ldap_sasl_bind_s(ld, simple->dn, LDAP_SASL_SIMPLE, simple->cred, ldap->sctrlsp, NULL, NULL);
}
objunref(ldap);
return res;
}
int _LDAP_bind_s(LDAP *ld, char *mech, char* binddn, char *pswstr, char *authcid, char *realm, char *authzid) {
int rc;
LDAPControl **sctrlsp = NULL;
struct berval passwd;
struct berval *servdata;
void *defaults;
/* Mechanism is set, use SASL interactive bind. */
if (mech != NULL) {
if (pswstr == NULL) pswstr = "";
defaults = create_sasl_defaults(ld, mech, realm, authcid, pswstr, authzid);
if (defaults == NULL) return -1;
rc = ldap_sasl_interactive_bind_s(ld, binddn, mech, sctrlsp, NULL, LDAP_SASL_QUIET, sasl_interact, defaults);
} else {
if (pswstr == NULL) {
passwd.bv_len = 0;
} else {
passwd.bv_len = strlen(pswstr);
}
passwd.bv_val = pswstr;
rc = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &passwd, sctrlsp, NULL, &servdata);
}
return rc;
}
int ld_con_connect(db_con_t* con)
{
struct ld_con* lcon;
struct ld_uri* luri;
int ret, version = 3;
char* err_str = NULL;
lcon = DB_GET_PAYLOAD(con);
luri = DB_GET_PAYLOAD(con->uri);
/* Do not reconnect already connected connections */
if (lcon->flags & LD_CONNECTED) return 0;
DBG("ldap: Connecting to %s\n", luri->uri);
if (lcon->con) {
ret = ldap_unbind_ext_s(lcon->con, NULL, NULL);
if (ret != LDAP_SUCCESS) {
ERR("ldap: Error while unbinding from %s: %s\n",
luri->uri, ldap_err2string(ret));
}
}
/* we pass the TLS_REQCERT and TLS_REQCERT attributes over environment
variables to ldap library */
if (luri->tls) {
if (setenv("LDAPTLS_CACERT", luri->ca_list, 1)) {
ERR("ldap: Can't set environment variable 'LDAPTLS_CACERT'\n");
goto error;
}
if (setenv("LDAPTLS_REQCERT", luri->req_cert, 1)) {
ERR("ldap: Can't set environment variable 'LDAPTLS_REQCERT'\n");
goto error;
}
}
ret = ldap_initialize(&lcon->con, luri->uri);
if (lcon->con == NULL) {
ERR("ldap: Error while initializing new LDAP connection to %s\n",
luri->uri);
goto error;
}
ret = ldap_set_option(lcon->con, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_OPT_SUCCESS) {
ERR("ldap: Error while setting protocol version 3: %s\n",
ldap_err2string(ret));
goto error;
}
if (luri->tls) {
ret = ldap_start_tls_s(lcon->con, NULL, NULL);
if (ret != LDAP_SUCCESS) {
/* get addition info of this error */
#ifdef OPENLDAP23
ldap_get_option(lcon->con, LDAP_OPT_ERROR_STRING, &err_str);
#elif OPENLDAP24
ldap_get_option(lcon->con, LDAP_OPT_DIAGNOSTIC_MESSAGE, &err_str);
#endif
ERR("ldap: Error while starting TLS: %s\n", ldap_err2string(ret));
if (err_str) {
ERR("ldap: %s\n", err_str);
ldap_memfree(err_str);
}
goto error;
}
}
switch (luri->authmech) {
case LDAP_AUTHMECH_NONE:
ret = ldap_simple_bind_s(lcon->con, NULL, NULL);
break;
case LDAP_AUTHMECH_SIMPLE:
ret = ldap_simple_bind_s(lcon->con, luri->username, luri->password);
break;
case LDAP_AUTHMECH_DIGESTMD5:
ret = ldap_sasl_interactive_bind_s( lcon->con, NULL,
LDAP_MECHANISM_STR_DIGESTMD5, NULL, NULL,
0, lutil_sasl_interact, luri );
break;
case LDAP_AUTHMECH_EXTERNAL:
default:
ret = !LDAP_SUCCESS;
break;
}
if (ret != LDAP_SUCCESS) {
ERR("ldap: Bind to %s failed: %s\n",
luri->uri, ldap_err2string(ret));
goto error;
}
DBG("ldap: Successfully bound to %s\n", luri->uri);
lcon->flags |= LD_CONNECTED;
return 0;
error:
if (lcon->con) {
ret = ldap_unbind_ext_s(lcon->con, NULL, NULL);
if (ret) {
ERR("ldap: Error while unbinding from %s: %s\n",
luri->uri, ldap_err2string(ret));
}
}
lcon->con = NULL;
return -1;
}
DWORD
VmDirSASLSRPBindExt1(
LDAP** ppLd,
PCSTR pszURI,
PCSTR pszUPN,
PCSTR pszPass,
int iTimeout
)
{
DWORD dwError = 0;
int retVal = 0;
PSTR pszLowerCaseUPN = NULL;
LDAP* pLd = NULL;
const int ldapVer = LDAP_VERSION3;
const int iSaslNoCanon = 1;
VMDIR_SASL_INTERACTIVE_DEFAULT srpDefault = {0};
int iCnt = 0;
struct timeval optTimeout={0};
optTimeout.tv_usec = 0;
optTimeout.tv_sec = iTimeout;
if ( ppLd == NULL || pszURI == NULL || pszUPN == NULL || pszPass == NULL )
{
dwError = VMDIR_ERROR_INVALID_PARAMETER;
BAIL_ON_VMDIR_ERROR(dwError);
}
dwError = VmDirAllocASCIIUpperToLower( pszUPN, &pszLowerCaseUPN );
BAIL_ON_VMDIR_ERROR(dwError);
srpDefault.pszAuthName = pszLowerCaseUPN;
srpDefault.pszPass = pszPass;
for (iCnt=0; iCnt<2; iCnt++)
{
retVal = ldap_initialize( &pLd, pszURI);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
retVal = ldap_set_option(pLd, LDAP_OPT_PROTOCOL_VERSION, &ldapVer);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
// turn off SASL hostname canonicalization for SRP mech
retVal = ldap_set_option(pLd, LDAP_OPT_X_SASL_NOCANON, &iSaslNoCanon);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
if (iTimeout > 0)
{
// timeout connect
retVal = ldap_set_option(pLd, LDAP_OPT_NETWORK_TIMEOUT, (void *)&optTimeout);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
}
retVal = ldap_sasl_interactive_bind_s( pLd,
NULL,
"SRP",
NULL,
NULL,
LDAP_SASL_QUIET,
_VmDirSASLSRPInteraction,
&srpDefault);
if (retVal == LDAP_SERVER_DOWN || retVal == LDAP_TIMEOUT)
{
VmDirSleep(50); // pause 50 ms
if ( pLd )
{
ldap_unbind_ext_s(pLd, NULL, NULL);
pLd = NULL;
}
continue; // if transient network error, retry once.
}
else
{
break;
}
}
BAIL_ON_SIMPLE_LDAP_ERROR(retVal); // bail ldap_sasl_interactive_bind_s failure.
*ppLd = pLd;
cleanup:
VMDIR_SAFE_FREE_MEMORY(pszLowerCaseUPN);
return dwError;
ldaperror:
VMDIR_LOG_VERBOSE( VMDIR_LOG_MASK_ALL, "_VmDirSASLSRPBind failed. (%d)(%s)",
retVal, ldap_err2string(retVal) );
dwError = VmDirMapLdapError(retVal);
error:
if (retVal == 0)
{
VMDIR_LOG_VERBOSE( VMDIR_LOG_MASK_ALL, "_VmDirSASLSRPBind failed. (%u)", dwError);
}
if ( pLd )
{
ldap_unbind_ext_s( pLd, NULL, NULL);
}
goto cleanup;
}
DWORD
VmDirSASLSRPBind(
LDAP** ppLd,
PCSTR pszURI,
PCSTR pszUPN,
PCSTR pszPass
)
{
DWORD dwError = 0;
int retVal = 0;
PSTR pszLowerCaseUPN = NULL;
LDAP* pLd = NULL;
const int ldapVer = LDAP_VERSION3;
VMDIR_SASL_INTERACTIVE_DEFAULT srpDefault = {0};
int iCnt = 0;
if ( ppLd == NULL || pszURI == NULL || pszUPN == NULL || pszPass == NULL )
{
dwError = VMDIR_ERROR_INVALID_PARAMETER;
BAIL_ON_VMDIR_ERROR(dwError);
}
dwError = VmDirAllocASCIIUpperToLower( pszUPN, &pszLowerCaseUPN );
BAIL_ON_VMDIR_ERROR(dwError);
srpDefault.pszAuthName = pszLowerCaseUPN;
srpDefault.pszPass = pszPass;
for (iCnt=0; iCnt<2; iCnt++)
{
retVal = ldap_initialize( &pLd, pszURI);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
retVal = ldap_set_option(pLd, LDAP_OPT_PROTOCOL_VERSION, &ldapVer);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
retVal = ldap_sasl_interactive_bind_s( pLd,
NULL,
"SRP",
NULL,
NULL,
LDAP_SASL_QUIET,
_VmDirSASLSRPInteraction,
&srpDefault);
if (retVal == LDAP_SERVER_DOWN)
{
VmDirSleep(50); // pause 50 ms
if ( pLd )
{
ldap_unbind_ext_s(pLd, NULL, NULL);
pLd = NULL;
}
continue; // if transient network error, retry once.
}
else
{
break;
}
}
BAIL_ON_SIMPLE_LDAP_ERROR(retVal); // bail ldap_sasl_interactive_bind_s failure.
*ppLd = pLd;
cleanup:
VMDIR_SAFE_FREE_MEMORY(pszLowerCaseUPN);
return dwError;
ldaperror:
VMDIR_LOG_VERBOSE( VMDIR_LOG_MASK_ALL, "_VmDirSASLSRPBind failed. (%d)(%s)",
retVal, ldap_err2string(retVal) );
dwError = VmDirMapLdapError(retVal);
error:
if (retVal == 0)
{
VMDIR_LOG_VERBOSE( VMDIR_LOG_MASK_ALL, "_VmDirSASLSRPBind failed. (%u)", dwError);
}
if ( pLd )
{
ldap_unbind_ext_s( pLd, NULL, NULL);
}
goto cleanup;
}
static int ipa_ldap_bind(const char *server_name, krb5_principal bind_princ,
const char *bind_dn, const char *bind_pw, LDAP **_ld)
{
char *msg = NULL;
struct berval bv;
int version;
LDAP *ld;
int ssl;
int ret;
/* TODO: support referrals ? */
if (bind_dn) {
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ca_cert_file);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_CERTIFICATE\n"));
return ret;
}
ret = ipa_ldap_init(&ld, "ldaps", server_name, 636);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to init for ldaps(636) connection\n"));
return ret;
}
ssl = LDAP_OPT_X_TLS_HARD;;
ret = ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS\n"));
goto done;
}
} else {
ret = ipa_ldap_init(&ld, "ldap", server_name, 389);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to init for ldap(389) connection\n"));
return ret;
}
}
if (ld == NULL) {
fprintf(stderr, _("Unable to initialize ldap library!\n"));
return LDAP_OPERATIONS_ERROR;
}
#ifdef LDAP_OPT_X_SASL_NOCANON
/* Don't do DNS canonicalization */
ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
goto done;
}
#endif
version = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_PROTOCOL_VERSION\n"));
goto done;
}
if (bind_dn) {
bv.bv_val = discard_const(bind_pw);
bv.bv_len = strlen(bind_pw);
ret = ldap_sasl_bind_s(ld, bind_dn, LDAP_SASL_SIMPLE,
&bv, NULL, NULL, NULL);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Simple bind failed\n"));
goto done;
}
} else {
ret = ldap_sasl_interactive_bind_s(ld, NULL, "GSSAPI",
NULL, NULL, LDAP_SASL_QUIET,
ldap_sasl_interact, bind_princ);
if (ret != LDAP_SUCCESS) {
#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
#endif
fprintf(stderr, "SASL Bind failed %s (%d) %s!\n",
ldap_err2string(ret), ret, msg ? msg : "");
goto done;
}
}
ret = LDAP_SUCCESS;
done:
if (ret != LDAP_SUCCESS) {
if (ld) ldap_unbind_ext(ld, NULL, NULL);
} else {
*_ld = ld;
}
return ret;
}
void
OPENLDAP::Book::refresh_start ()
{
int msgid = -1;
int result = LDAP_SUCCESS;
int ldap_version = LDAP_VERSION3;
status = std::string (_("Refreshing"));
updated (this->shared_from_this ());
result = ldap_initialize (&ldap_context, bookinfo.uri_host.c_str());
if (result != LDAP_SUCCESS) {
status = std::string (_("Could not initialize server"));
updated (this->shared_from_this ());
return;
}
/* the openldap code shows I don't have to check the result of this
* (see for example tests/prog/slapd-search.c)
*/
(void)ldap_set_option (ldap_context,
LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
if (bookinfo.starttls) {
result = ldap_start_tls_s (ldap_context, NULL, NULL);
if (result != LDAP_SUCCESS) {
status = std::string (_("LDAP Error: ")) +
std::string (ldap_err2string (result));
updated (this->shared_from_this ());
ldap_unbind_ext (ldap_context, NULL, NULL);
ldap_context = NULL;
return;
}
}
if (bookinfo.sasl) {
interctx ctx;
ctx.book = this;
ctx.authcID = bookinfo.authcID;
ctx.password = bookinfo.password;
result = ldap_sasl_interactive_bind_s (ldap_context, NULL,
bookinfo.saslMech.c_str(), NULL, NULL, LDAP_SASL_QUIET,
book_saslinter, &ctx);
} else {
/* Simple Bind */
if (bookinfo.password.empty ()) {
struct berval bv={0,NULL};
result = ldap_sasl_bind (ldap_context, NULL,
LDAP_SASL_SIMPLE, &bv,
NULL, NULL,
&msgid);
} else {
struct berval passwd = { 0, NULL };
passwd.bv_val = g_strdup (bookinfo.password.c_str ());
passwd.bv_len = bookinfo.password.length();
result = ldap_sasl_bind (ldap_context, bookinfo.authcID.c_str(),
LDAP_SASL_SIMPLE, &passwd,
NULL, NULL,
&msgid);
g_free (passwd.bv_val);
}
}
if (result != LDAP_SUCCESS) {
status = std::string (_("LDAP Error: ")) +
std::string (ldap_err2string (result));
updated (this->shared_from_this ());
ldap_unbind_ext (ldap_context, NULL, NULL);
ldap_context = NULL;
return;
}
status = std::string (_("Contacted server"));
updated (this->shared_from_this ());
patience = 3;
refresh_bound ();
}
LDAP *ads_init(Env E)
{
LDAP *ld = NULL;
LDAPMessage *result, *e;
int i;
int h, nh;
int rc;
char uri[1024];
syslog(LOG_DEBUG, ".. auth_initialize, host=%s\n", E->ads_host);
/* Get a handle to the server */
if (E->ads_ca) { /* tls version */
#ifdef LDAP_DEBUG
set_ldap_debug();
#endif
if (!set_int_option(NULL, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3)) rc=1;
if (!set_int_option(NULL, LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_DEMAND)) rc=1;
if (!set_char_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, E->ads_ca)) rc=1;
sprintf(uri,"ldap://%s:%s/", E->ads_host, E->ads_port);
if ( (rc = ldap_initialize(&ld, uri )) != LDAP_SUCCESS ) {
report_error(rc, "ldap_initialize");
rc=1;
}
syslog(LOG_DEBUG, ".. ldap tls initialize ok\n");
} else { /* not tls */
if ( (ld = ldap_init( E->ads_host, atoi(E->ads_port) )) == NULL ) {
syslog(LOG_ERR, "non tls ldap_init failed" );
rc=1;
}
}
/* Bind */
if (E->ads_ca && E->ads_crt) {
/* cert */
syslog(LOG_DEBUG, "using cert from %s\n", E->ads_crt);
if (!set_char_option(NULL, LDAP_OPT_X_TLS_CERTFILE, E->ads_crt)) exit (1);
if (!set_char_option(NULL, LDAP_OPT_X_TLS_KEYFILE, E->ads_key)) exit (1);
if ((rc=ldap_start_tls_s(ld, NULL, NULL)) != LDAP_SUCCESS) {
report_error(rc, "ldap_start_tls_s");
rc=1;
}
if ((rc=ldap_sasl_interactive_bind_s(ld, NULL, "EXTERNAL", 0, 0,
LDAP_SASL_AUTOMATIC|LDAP_SASL_QUIET, tsasl_interact, 0)) != LDAP_SUCCESS) {
report_error(rc, "ldap_sasl_interactive_bind_s");
rc=1;
}
} else {
syslog(LOG_ERR, "invalid ldap config\n");
rc=1;
}
syslog(LOG_DEBUG, ".. ldap bind ok\n");
set_int_option( ld, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
if (ld) syslog(LOG_DEBUG, ".. ldap connect OK.\n");
else syslog(LOG_DEBUG, ".. ldap connect failed.\n");
E->ldap = ld;
// show_cfg(cfg);
return (ld);
}
int is_admin(struct rekey_session *sess)
{
static int ldap_initialized=0;
char *username=NULL;
LDAP *l=NULL;
int v, ssl_hard=LDAP_OPT_X_TLS_HARD, rc, ret=0;
struct timeval tv;
LDAPMessage *response=NULL;
char *reason, *filter;
char *ldap_url, *ldap_base, *ldap_filter, *ldap_binddn;
char *ldap_pwfile, *ldap_cacertdir;
char ldap_pwbuf[257];
#ifdef HAVE_KRB5_REALM
krb5_realm *realm;
#else
krb5_data rdata;
krb5_data *realm = &rdata;
#endif
#if !defined(LDAP_OPT_X_TLS_PROTOCOL_MIN)
SSL_CTX *sslctx;
#endif
if (!princ_ncomp_eq(sess->kctx, sess->princ, 2) ||
!compare_princ_comp(sess->kctx, sess->princ, 1, "admin")) {
goto freeall;
}
if (!(username=dup_comp_string(sess->kctx, sess->princ, 0))) {
prtmsg("Failed to extract username for admin check");
goto freeall;
}
#ifdef HAVE_KRB5_REALM
realm=sess->realm;
#else
rdata.data=sess->realm;
rdata.length=strlen(sess->realm);
#endif
krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_uri", LDAP_URI, &ldap_url);
krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_base", LDAP_BASEDN, &ldap_base);
krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_filter", USER_INGROUP_FILTER, &ldap_filter);
krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_binddn", LDAP_BINDDN, &ldap_binddn);
krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_pwfile", LDAP_PWFILE, &ldap_pwfile);
krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_cacertdir", "/etc/andy/ldapcerts", &ldap_cacertdir);
if (strlen(ldap_pwfile) > 0) {
int fd=open(ldap_pwfile, O_RDONLY);
ssize_t rsize;
if (fd < 0) {
prtmsg("Failed to open LDAP password file %s: %s", ldap_pwfile, strerror(errno));
goto freeall;
}
rsize=read(fd, ldap_pwbuf, 256);
if (rsize < 0) {
prtmsg("Failed to read from LDAP password file %s: %s", ldap_pwfile, strerror(errno));
goto freeall;
}
if (rsize > 255) {
prtmsg("LDAP password file %s is too large. limit to 255 characters", ldap_pwfile);
goto freeall;
}
while(rsize > 0 && isspace(ldap_pwbuf[rsize-1]))
rsize--;
ldap_pwbuf[rsize]=0;
}
if (!ldap_initialized) {
LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ssl_hard);
LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CACERTDIR, ldap_cacertdir);
LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, "HIGH:!ADH:!eNULL:-SSLv2");
#if defined(LDAP_OPT_X_TLS_PROTOCOL_MIN)
v=LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN, &v);
#else
extern int ldap_pvt_tls_init();
extern int ldap_pvt_tls_init_def_ctx( int is_server );
ldap_pvt_tls_init();
ldap_pvt_tls_init_def_ctx(0);
LDAP_GET_OPTION(NULL, LDAP_OPT_X_TLS_CTX, &sslctx);
if (sslctx) {
SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv3);
}
#endif
ldap_initialized=1;
}
errno=0;
rc = ldap_initialize(&l, ldap_url);
if (rc!=LDAP_SUCCESS)
{
prtmsg("Failed to initialize ldap for %s: %s%s%s", ldap_url,
ldap_err2string(rc),(errno==0)?"":": ",
(errno==0)?"":strerror(errno));
goto freeall;
}
v=LDAP_VERSION3;
LDAP_SET_OPTION(l, LDAP_OPT_PROTOCOL_VERSION, &v);
LDAP_SET_OPTION(l, LDAP_OPT_X_TLS, &ssl_hard);
errno=0;
#if 0
rc = ldap_sasl_interactive_bind_s(l, NULL, "GSSAPI", NULL, NULL,
LDAP_SASL_QUIET, do_sasl_interact, NULL);
#else
rc = ldap_bind_s(l, ldap_binddn, ldap_pwbuf, LDAP_AUTH_SIMPLE);
#endif
if (rc!=LDAP_SUCCESS)
{
prtmsg("Failed to connect or authenticate to ldap for %s: %s%s%s", LDAP_URI,
ldap_err2string(rc),(errno==0)?"":": ",
(errno==0)?"":strerror(errno));
goto freeall;
}
tv.tv_sec=30;
tv.tv_usec=0;
rc = ldap_search_ext_s(l, rekey_admin_group, LDAP_SCOPE_BASE, NO_FILTER,
no_attrs, 0, NULL, NULL, &tv, LDAP_NO_LIMIT, &response);
if (rc != LDAP_SUCCESS) {
prtmsg("Failed to verify group %s existence (searching): %s%s%s", rekey_admin_group,
ldap_err2string(rc),(errno==0)?"":": ",
(errno==0)?"":strerror(errno));
goto freeall;
}
reason=aasprintf("verify group %s existence", rekey_admin_group);
if (!verify_op_success(l, reason, response))
goto freeall;
ldap_msgfree(response);
response=NULL;
filter=aasprintf(ldap_filter, username, rekey_admin_group);
rc = ldap_search_ext_s(l, ldap_base, LDAP_SCOPE_SUB, filter,
no_attrs, 0, NULL, NULL, &tv, LDAP_NO_LIMIT, &response);
if (rc != LDAP_SUCCESS) {
prtmsg("Failed to check user %s admin permission (searching): %s%s%s", username,
ldap_err2string(rc),(errno==0)?"":": ",
(errno==0)?"":strerror(errno));
goto freeall;
}
reason=aasprintf("check user %s admin permission", username);
if (!verify_single_result(l, 0, reason, response))
goto freeall;
ret=1;
freeall:
ldap_msgfree(response);
if (l)
ldap_unbind_ext_s(l, NULL, NULL);
free(username);
return ret;
}
DWORD
IDMLdapSaslBind(
LDAP* pLd /* IN */
)
{
DWORD dwError = 0;
DWORD dwCleanupError = 0;
BOOLEAN bLocked = FALSE;
PSTR pszCachePath = NULL;
if (!pLd)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_ERROR(dwError);
}
switch (IDMKrbGetState(pgIdmKrbContext))
{
case IDM_KRB_CONTEXT_STATE_INITIAL:
dwError = IDMKrbDetermineJoinState(pgIdmKrbContext);
BAIL_ON_ERROR(dwError);
case IDM_KRB_CONTEXT_STATE_JOINED:
dwError = IDMKrbRenewCredentials(pgIdmKrbContext);
if (dwError)
{
// Refreshing credentials might fail if the system left
// the domain or there were issues reaching the domain
// controller.
IDMKrbSetState(pgIdmKrbContext, IDM_KRB_CONTEXT_STATE_INITIAL);
}
BAIL_ON_ERROR(dwError);
IDM_RWMUTEX_LOCK_SHARED(
&pgIdmKrbContext->mutex_rw,
bLocked,
dwError);
BAIL_ON_ERROR(dwError);
dwError = LwKrb5SetThreadDefaultCachePath(
pgIdmKrbContext->pszCachePath,
&pszCachePath);
BAIL_ON_ERROR(dwError);
dwError = LwMapLdapErrorToLwError(
ldap_sasl_interactive_bind_s(
pLd,
NULL,
"GSSAPI",
NULL,
NULL,
LDAP_SASL_QUIET,
&IDMSASLInteraction,
NULL));
BAIL_ON_ERROR(dwError);
break;
default:
dwError = ERROR_INVALID_STATE;
BAIL_ON_ERROR(dwError);
break;
}
cleanup:
if (pszCachePath)
{
LwKrb5SetThreadDefaultCachePath(pszCachePath, NULL);
LwFreeMemory(pszCachePath);
}
IDM_RWMUTEX_UNLOCK(&pgIdmKrbContext->mutex_rw, bLocked, dwCleanupError);
if(!dwError)
{
dwError = dwCleanupError;
}
return dwError;
error:
goto cleanup;
}
/*
* call-seq:
* conn.sasl_bind(dn=nil, mech=nil, cred=nil, sctrls=nil, cctrls=nil, sasl_options=nil) => self
* conn.sasl_bind(dn=nil, mech=nil, cred=nil, sctrls=nil, cctrls=nil, sasl_options=nil)
* { |conn| } => nil
*
* Bind an LDAP connection, using the DN, +dn+, the mechanism, +mech+, and the
* credential, +cred+.
*
* +sctrls+ is an array of server controls, whilst +cctrls+ is an array of
* client controls.
*
* sasl_options is a hash which should have the following keys:
*
* - +:authcid+ and +:authzid+ for alternate SASL authentication
* - +realm+ to specify the SASL realm
*
* If a block is given, +self+ is yielded to the block.
*/
VALUE
rb_ldap_conn_sasl_bind (int argc, VALUE argv[], VALUE self)
{
RB_LDAP_DATA *ldapdata;
VALUE arg1, arg2, arg3, arg4, arg5, sasl_options = Qnil;
int version;
char *dn = NULL;
char *mechanism = NULL;
struct berval *cred = ALLOCA_N (struct berval, 1);
LDAPControl **serverctrls = NULL;
LDAPControl **clientctrls = NULL;
/*
struct berval *servercred = NULL;
char *sasl_realm = NULL;
char *sasl_authc_id = NULL;
char *sasl_authz_id = NULL;
char *sasl_secprops = NULL;
struct berval passwd = { 0, NULL };
*/
unsigned sasl_flags = LDAP_SASL_AUTOMATIC;
Data_Get_Struct (self, RB_LDAP_DATA, ldapdata);
if (!ldapdata->ldap)
{
if (rb_iv_get (self, "@args") != Qnil)
{
rb_ldap_conn_rebind (self);
GET_LDAP_DATA (self, ldapdata);
}
else
{
rb_raise (rb_eLDAP_InvalidDataError,
"The LDAP handler has already unbound.");
}
}
if (ldapdata->bind)
{
rb_raise (rb_eLDAP_Error, "already bound.");
};
switch (rb_scan_args (argc, argv, "24", &arg1, &arg2, &arg3, &arg4, &arg5, &sasl_options))
{
case 6:
/* nothing. this requires credentials to be parsed first. we'll get defaults after arg-scanning */
case 5:
if(!NIL_P(arg5))
clientctrls = rb_ldap_get_controls (arg5);
/* down seems more likely */
case 4:
if(!NIL_P(arg4))
serverctrls = rb_ldap_get_controls (arg4);
/* down seems more likely */
case 3:
if(!NIL_P(arg3))
{
cred->bv_val = StringValueCStr (arg3);
cred->bv_len = RSTRING_LEN (arg3);
}
/* down seems more likely */
case 2: /* don't need the cred for GSSAPI */
dn = StringValuePtr (arg1);
mechanism = StringValuePtr (arg2);
if (rb_iv_get (self, "@sasl_quiet") == Qtrue)
sasl_flags = LDAP_SASL_QUIET;
break;
default:
rb_bug ("rb_ldap_conn_bind_s");
}
ldap_get_option (ldapdata->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
if (version < LDAP_VERSION3)
{
version = LDAP_VERSION3;
ldapdata->err =
ldap_set_option (ldapdata->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
Check_LDAP_Result (ldapdata->err);
}
/* the following works for GSSAPI, at least */
ldapdata->err =
ldap_sasl_interactive_bind_s (ldapdata->ldap, dn, mechanism,
serverctrls, clientctrls, sasl_flags,
rb_ldap_sasl_interaction, (void*)sasl_options);
if (ldapdata->err == LDAP_SASL_BIND_IN_PROGRESS)
{
rb_raise (rb_eNotImpError,
"SASL authentication is not fully supported.");
/* How can I implement this with portability? */
/*
VALUE scred;
scred = rb_tainted_str_new(servercred->bv_val,
servercred->bv_len);
*/
}
else
{
Check_LDAP_Result (ldapdata->err);
ldapdata->bind = 1;
}
if (rb_block_given_p ())
{
rb_ensure (rb_yield, self, rb_ldap_conn_unbind, self);
return Qnil;
}
else
{
return self;
};
}
void
tester_init_ld( LDAP **ldp, struct tester_conn_args *config, int flags )
{
LDAP *ld;
int rc, do_retry = config->retries;
int version = LDAP_VERSION3;
retry:;
ldap_initialize( &ld, config->uri );
if ( ld == NULL ) {
tester_perror( "ldap_initialize", NULL );
exit( EXIT_FAILURE );
}
(void) ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
(void) ldap_set_option( ld, LDAP_OPT_REFERRALS,
config->chaserefs ? LDAP_OPT_ON: LDAP_OPT_OFF );
if ( !( flags & TESTER_INIT_ONLY ) ) {
if ( config->authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL
if ( config->secprops != NULL ) {
rc = ldap_set_option( ld,
LDAP_OPT_X_SASL_SECPROPS, config->secprops );
if ( rc != LDAP_OPT_SUCCESS ) {
tester_ldap_error( ld, "ldap_set_option(SECPROPS)", NULL );
ldap_unbind_ext( ld, NULL, NULL );
exit( EXIT_FAILURE );
}
}
rc = ldap_sasl_interactive_bind_s( ld,
config->binddn,
config->mech,
NULL, NULL,
LDAP_SASL_QUIET,
lutil_sasl_interact,
config->defaults );
#else /* HAVE_CYRUS_SASL */
/* caller shouldn't have allowed this */
assert(0);
#endif
} else if ( config->authmethod == LDAP_AUTH_SIMPLE ) {
rc = ldap_sasl_bind_s( ld,
config->binddn, LDAP_SASL_SIMPLE,
&config->pass, NULL, NULL, NULL );
}
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
switch ( rc ) {
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
if ( do_retry > 0 ) {
do_retry--;
if ( config->delay > 0 ) {
sleep( config->delay );
}
goto retry;
}
}
ldap_unbind_ext( ld, NULL, NULL );
exit( EXIT_FAILURE );
}
}
*ldp = ld;
}
static switch_xml_t xml_ldap_search(const char *section, const char *tag_name, const char *key_name, const char *key_value, switch_event_t *params,
void *user_data)
{
xml_binding_t *binding = (xml_binding_t *) user_data;
switch_event_header_t *hi;
switch_xml_t xml = NULL, sub = NULL;
struct ldap_c ldap_connection;
struct ldap_c *ldap = &ldap_connection;
int auth_method = LDAP_AUTH_SIMPLE;
int desired_version = LDAP_VERSION3;
xml_ldap_query_type_t query_type;
char *dir_exten = NULL, *dir_domain = NULL;
char *search_filter = NULL, *search_base = NULL;
int off = 0, ret = 1;
//char *buf;
//buf = malloc(4096);
if (!binding) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "No bindings...sorry bud returning now\n");
return NULL;
}
if (!strcmp(section, "configuration")) {
query_type = XML_LDAP_CONFIG;
} else if (!strcmp(section, "directory")) {
query_type = XML_LDAP_DIRECTORY;
} else if (!strcmp(section, "dialplan")) {
query_type = XML_LDAP_DIALPLAN;
} else if (!strcmp(section, "phrases")) {
query_type = XML_LDAP_PHRASE;
} else if (!strcmp(section, "languages")) {
query_type = XML_LDAP_LANGUAGE;
} else {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Invalid section\n");
return NULL;
}
if (params) {
if ((hi = params->headers)) {
for (; hi; hi = hi->next) {
switch (query_type) {
case XML_LDAP_CONFIG:
break;
case XML_LDAP_DIRECTORY:
if (!strcmp(hi->name, "user")) {
dir_exten = strdup(hi->value);
} else if (!strcmp(hi->name, "domain")) {
dir_domain = strdup(hi->value);
}
break;
case XML_LDAP_DIALPLAN:
case XML_LDAP_PHRASE:
case XML_LDAP_LANGUAGE:
break;
}
}
switch (query_type) {
case XML_LDAP_CONFIG:
break;
case XML_LDAP_DIRECTORY:
if (dir_exten && dir_domain) {
if ((xml = switch_xml_new("directory"))) {
switch_xml_set_attr_d(xml, "type", "freeswitch/xml");
if ((sub = switch_xml_add_child_d(xml, "section", off++))) {
switch_xml_set_attr_d(sub, "name", "directory");
}
if ((sub = switch_xml_add_child_d(sub, "domain", off++))) {
switch_xml_set_attr_d(sub, "name", dir_domain);
}
if ((sub = switch_xml_add_child_d(sub, "user", off++))) {
switch_xml_set_attr_d(sub, "id", dir_exten);
}
}
search_filter = switch_mprintf(binding->filter, dir_exten);
search_base = switch_mprintf(binding->basedn, dir_domain);
free(dir_exten);
dir_exten = NULL;
free(dir_domain);
dir_domain = NULL;
} else {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR,
"Something bad happened during the query construction phase likely exten(%s) or domain(%s) is null\n", dir_exten,
dir_domain);
goto cleanup;
}
break;
case XML_LDAP_DIALPLAN:
if ((xml = switch_xml_new("document"))) {
switch_xml_set_attr_d(xml, "type", "freeswitch/xml");
if ((sub = switch_xml_add_child_d(xml, "section", off++))) {
switch_xml_set_attr_d(sub, "name", "dialplan");
}
sub = switch_xml_add_child_d(xml, "context", off++);
}
break;
case XML_LDAP_PHRASE:
case XML_LDAP_LANGUAGE:
break;
}
} else {
goto cleanup;
}
}
if ((ldap->ld = (LDAP *) ldap_init(binding->host, LDAP_PORT)) == NULL) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Unable to connect to ldap server.%s\n", binding->host);
goto cleanup;
}
if (ldap_set_option(ldap->ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version) != LDAP_OPT_SUCCESS) {
goto cleanup;
}
ldap_set_option(ldap->ld, LDAP_OPT_X_SASL_SECPROPS, &ldap->sp);
if (binding->binddn) {
if (ldap_bind_s(ldap->ld, binding->binddn, binding->bindpass, auth_method) != LDAP_SUCCESS) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Unable to bind to ldap server %s as %s\n", binding->host, binding->binddn);
goto cleanup;
}
} else {
if (ldap_sasl_interactive_bind_s
(ldap->ld, NULL, binding->defaults->mech, NULL, NULL, (unsigned) (intptr_t) LDAP_SASL_SIMPLE, lutil_sasl_interact,
binding->defaults) != LDAP_SUCCESS) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Unable to sasl_bind to ldap server %s as %s\n", binding->host,
binding->defaults->authcid);
goto cleanup;
}
}
if (ldap_search_s(ldap->ld, search_base, LDAP_SCOPE_SUBTREE, search_filter, NULL, 0, &ldap->msg) != LDAP_SUCCESS) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Query failed: -b \"%s\" \"%s\"\n", search_base, search_filter);
goto cleanup;
}
if (ldap_count_entries(ldap->ld, ldap->msg) <= 0) {
goto cleanup;
}
if (sub && xml_ldap_result(&ldap_connection, binding, &sub, &off, query_type) != SWITCH_STATUS_SUCCESS) {
goto cleanup;
}
ret = 0;
cleanup:
if (ldap->msg) {
ldap_msgfree(ldap->msg);
}
if (ldap->ld) {
ldap_unbind_s(ldap->ld);
}
switch_safe_free(search_filter);
switch_safe_free(search_base);
//switch_xml_toxml_buf(xml,buf,0,0,1);
//switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Providing:\n%s\n", buf);
if (ret) {
switch_xml_free(xml);
return NULL;
}
return xml;
}
/*
* meta_back_proxy_authz_cred()
*
* prepares credentials & method for meta_back_proxy_authz_bind();
* or, if method is SASL, performs the SASL bind directly.
*/
int
meta_back_proxy_authz_cred(
metaconn_t *mc,
int candidate,
Operation *op,
SlapReply *rs,
ldap_back_send_t sendok,
struct berval *binddn,
struct berval *bindcred,
int *method )
{
metainfo_t *mi = (metainfo_t *)op->o_bd->be_private;
metatarget_t *mt = mi->mi_targets[ candidate ];
metasingleconn_t *msc = &mc->mc_conns[ candidate ];
struct berval ndn;
int dobind = 0;
/* don't proxyAuthz if protocol is not LDAPv3 */
switch ( mt->mt_version ) {
case LDAP_VERSION3:
break;
case 0:
if ( op->o_protocol == 0 || op->o_protocol == LDAP_VERSION3 ) {
break;
}
/* fall thru */
default:
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
if ( sendok & LDAP_BACK_SENDERR ) {
send_ldap_result( op, rs );
}
LDAP_BACK_CONN_ISBOUND_CLEAR( msc );
goto done;
}
if ( op->o_tag == LDAP_REQ_BIND ) {
ndn = op->o_req_ndn;
} else if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
ndn = op->o_conn->c_ndn;
} else {
ndn = op->o_ndn;
}
rs->sr_err = LDAP_SUCCESS;
/*
* FIXME: we need to let clients use proxyAuthz
* otherwise we cannot do symmetric pools of servers;
* we have to live with the fact that a user can
* authorize itself as any ID that is allowed
* by the authzTo directive of the "proxyauthzdn".
*/
/*
* NOTE: current Proxy Authorization specification
* and implementation do not allow proxy authorization
* control to be provided with Bind requests
*/
/*
* if no bind took place yet, but the connection is bound
* and the "proxyauthzdn" is set, then bind as
* "proxyauthzdn" and explicitly add the proxyAuthz
* control to every operation with the dn bound
* to the connection as control value.
*/
/* bind as proxyauthzdn only if no idassert mode
* is requested, or if the client's identity
* is authorized */
switch ( mt->mt_idassert_mode ) {
case LDAP_BACK_IDASSERT_LEGACY:
if ( !BER_BVISNULL( &ndn ) && !BER_BVISEMPTY( &ndn ) ) {
if ( !BER_BVISNULL( &mt->mt_idassert_authcDN ) && !BER_BVISEMPTY( &mt->mt_idassert_authcDN ) )
{
*binddn = mt->mt_idassert_authcDN;
*bindcred = mt->mt_idassert_passwd;
dobind = 1;
}
}
break;
default:
/* NOTE: rootdn can always idassert */
if ( BER_BVISNULL( &ndn )
&& mt->mt_idassert_authz == NULL
&& !( mt->mt_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) )
{
if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) {
rs->sr_err = LDAP_INAPPROPRIATE_AUTH;
if ( sendok & LDAP_BACK_SENDERR ) {
send_ldap_result( op, rs );
}
LDAP_BACK_CONN_ISBOUND_CLEAR( msc );
goto done;
}
rs->sr_err = LDAP_SUCCESS;
*binddn = slap_empty_bv;
*bindcred = slap_empty_bv;
break;
} else if ( mt->mt_idassert_authz && !be_isroot( op ) ) {
struct berval authcDN;
if ( BER_BVISNULL( &ndn ) ) {
authcDN = slap_empty_bv;
} else {
authcDN = ndn;
}
rs->sr_err = slap_sasl_matches( op, mt->mt_idassert_authz,
&authcDN, &authcDN );
if ( rs->sr_err != LDAP_SUCCESS ) {
if ( mt->mt_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) {
if ( sendok & LDAP_BACK_SENDERR ) {
send_ldap_result( op, rs );
}
LDAP_BACK_CONN_ISBOUND_CLEAR( msc );
goto done;
}
rs->sr_err = LDAP_SUCCESS;
*binddn = slap_empty_bv;
*bindcred = slap_empty_bv;
break;
}
}
*binddn = mt->mt_idassert_authcDN;
*bindcred = mt->mt_idassert_passwd;
dobind = 1;
break;
}
if ( dobind && mt->mt_idassert_authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL
void *defaults = NULL;
struct berval authzID = BER_BVNULL;
int freeauthz = 0;
/* if SASL supports native authz, prepare for it */
if ( ( !op->o_do_not_cache || !op->o_is_auth_check ) &&
( mt->mt_idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) )
{
switch ( mt->mt_idassert_mode ) {
case LDAP_BACK_IDASSERT_OTHERID:
case LDAP_BACK_IDASSERT_OTHERDN:
authzID = mt->mt_idassert_authzID;
break;
case LDAP_BACK_IDASSERT_ANONYMOUS:
BER_BVSTR( &authzID, "dn:" );
break;
case LDAP_BACK_IDASSERT_SELF:
if ( BER_BVISNULL( &ndn ) ) {
/* connection is not authc'd, so don't idassert */
BER_BVSTR( &authzID, "dn:" );
break;
}
authzID.bv_len = STRLENOF( "dn:" ) + ndn.bv_len;
authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx );
memcpy( authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
memcpy( authzID.bv_val + STRLENOF( "dn:" ),
ndn.bv_val, ndn.bv_len + 1 );
freeauthz = 1;
break;
default:
break;
}
}
if ( mt->mt_idassert_secprops != NULL ) {
rs->sr_err = ldap_set_option( msc->msc_ld,
LDAP_OPT_X_SASL_SECPROPS,
(void *)mt->mt_idassert_secprops );
if ( rs->sr_err != LDAP_OPT_SUCCESS ) {
rs->sr_err = LDAP_OTHER;
if ( sendok & LDAP_BACK_SENDERR ) {
send_ldap_result( op, rs );
}
LDAP_BACK_CONN_ISBOUND_CLEAR( msc );
goto done;
}
}
defaults = lutil_sasl_defaults( msc->msc_ld,
mt->mt_idassert_sasl_mech.bv_val,
mt->mt_idassert_sasl_realm.bv_val,
mt->mt_idassert_authcID.bv_val,
mt->mt_idassert_passwd.bv_val,
authzID.bv_val );
if ( defaults == NULL ) {
rs->sr_err = LDAP_OTHER;
LDAP_BACK_CONN_ISBOUND_CLEAR( msc );
if ( sendok & LDAP_BACK_SENDERR ) {
send_ldap_result( op, rs );
}
goto done;
}
rs->sr_err = ldap_sasl_interactive_bind_s( msc->msc_ld, binddn->bv_val,
mt->mt_idassert_sasl_mech.bv_val, NULL, NULL,
LDAP_SASL_QUIET, lutil_sasl_interact,
defaults );
rs->sr_err = slap_map_api2result( rs );
if ( rs->sr_err != LDAP_SUCCESS ) {
LDAP_BACK_CONN_ISBOUND_CLEAR( msc );
if ( sendok & LDAP_BACK_SENDERR ) {
send_ldap_result( op, rs );
}
} else {
LDAP_BACK_CONN_ISBOUND_SET( msc );
}
lutil_sasl_freedefs( defaults );
if ( freeauthz ) {
slap_sl_free( authzID.bv_val, op->o_tmpmemctx );
}
goto done;
#endif /* HAVE_CYRUS_SASL */
}
*method = mt->mt_idassert_authmethod;
switch ( mt->mt_idassert_authmethod ) {
case LDAP_AUTH_NONE:
BER_BVSTR( binddn, "" );
BER_BVSTR( bindcred, "" );
/* fallthru */
case LDAP_AUTH_SIMPLE:
break;
default:
/* unsupported! */
LDAP_BACK_CONN_ISBOUND_CLEAR( msc );
rs->sr_err = LDAP_AUTH_METHOD_NOT_SUPPORTED;
if ( sendok & LDAP_BACK_SENDERR ) {
send_ldap_result( op, rs );
}
break;
}
done:;
if ( !BER_BVISEMPTY( binddn ) ) {
LDAP_BACK_CONN_ISIDASSERT_SET( msc );
}
return rs->sr_err;
}
static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ,
const char *bind_dn, const char *bind_pw,
const char *mech, const char *ca_cert_file,
LDAP **_ld)
{
char *msg = NULL;
struct berval bv;
LDAP *ld;
int ret;
/* TODO: support referrals ? */
ret = ipa_ldap_init(&ld, ldap_uri);
if (ret != LDAP_SUCCESS) {
return ret;
}
if (ld == NULL) {
fprintf(stderr, _("Unable to initialize ldap library!\n"));
return LDAP_OPERATIONS_ERROR;
}
ret = ipa_tls_ssl_init(ld, ldap_uri, ca_cert_file);
if (ret != LDAP_OPT_SUCCESS) {
goto done;
}
if (bind_dn) {
bv.bv_val = discard_const(bind_pw);
bv.bv_len = strlen(bind_pw);
ret = ldap_sasl_bind_s(ld, bind_dn, LDAP_SASL_SIMPLE,
&bv, NULL, NULL, NULL);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Simple bind failed\n"));
goto done;
}
} else {
if (strcmp(mech, LDAP_SASL_EXTERNAL) == 0) {
ret = ldap_sasl_bind_s(ld, NULL, LDAP_SASL_EXTERNAL,
NULL, NULL, NULL, NULL);
} else {
ret = ldap_sasl_interactive_bind_s(ld, NULL, LDAP_SASL_GSSAPI,
NULL, NULL, LDAP_SASL_QUIET,
ldap_sasl_interact, bind_princ);
}
if (ret != LDAP_SUCCESS) {
#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
#endif
fprintf(stderr, "SASL Bind failed %s (%d) %s!\n",
ldap_err2string(ret), ret, msg ? msg : "");
goto done;
}
}
ret = LDAP_SUCCESS;
done:
if (ret != LDAP_SUCCESS) {
if (ld) ldap_unbind_ext(ld, NULL, NULL);
} else {
*_ld = ld;
}
return ret;
}
static int
libbalsa_address_book_ldap_open_connection(LibBalsaAddressBookLdap * ab)
{
int result;
static const int version = LDAP_VERSION3;
gboolean v3_enabled;
LibBalsaAddressBook *lbab = LIBBALSA_ADDRESS_BOOK(ab);
g_return_val_if_fail(ab->host != NULL, FALSE);
ldap_initialize(&ab->directory, ab->host);
if (ab->directory == NULL) { /* very unlikely... */
libbalsa_address_book_set_status(lbab, g_strdup("Host not found"));
return LDAP_SERVER_DOWN;
}
/* ignore error if the V3 LDAP cannot be set */
v3_enabled =
ldap_set_option(ab->directory, LDAP_OPT_PROTOCOL_VERSION, &version)
== LDAP_OPT_SUCCESS;
if(!v3_enabled) printf("Too old LDAP server - interaction may fail.\n");
if(v3_enabled && ab->enable_tls) {
#ifdef HAVE_LDAP_TLS
/* turn TLS on but what if we have SSL already on? */
result = ldap_start_tls_s(ab->directory, NULL, NULL);
if(result != LDAP_SUCCESS) {
ldap_unbind_ext(ab->directory, NULL, NULL);
ab->directory = NULL;
libbalsa_address_book_set_status
(lbab, g_strdup(ldap_err2string(result)));
return result;
}
#else /* HAVE_LDAP_TLS */
libbalsa_address_book_set_status(lbab,
_("TLS requested but not compiled in"));
return LDAP_INAPPRIOPRIATE_AUTH;
#endif /* HAVE_LDAP_TLS */
}
#ifdef HAVE_CYRUS_SASL
result = ldap_sasl_interactive_bind_s(ab->directory, ab->bind_dn, NULL,
NULL, NULL,
LDAP_SASL_QUIET, abl_interact, ab);
#else /* HAVE_CYRUS_SASL */
{
struct berval cred;
cred.bv_val = ab->passwd;
cred.bv_len = ab->passwd ? strlen(ab->passwd) : 0;
result = ldap_sasl_bind_s(ab->directory, ab->bind_dn, NULL, &cred,
NULL, NULL, NULL);
}
#endif /* HAVE_CYRUS_SASL */
/* do not follow referrals (OpenLDAP binds anonymously here, which will usually
* fail */
if (result == LDAP_SUCCESS)
result = ldap_set_option(ab->directory, LDAP_OPT_REFERRALS, (void *)LDAP_OPT_OFF);
if (result != LDAP_SUCCESS) {
libbalsa_address_book_set_status(lbab,
g_strdup(ldap_err2string(result)));
ldap_unbind_ext(ab->directory, NULL, NULL);
ab->directory = NULL;
}
return result;
}
