int _LDAP_initialization(LDAP **ld, PyObject *url, int tls_option) {
int rc;
int portnum;
char *hoststr = NULL;
const int version = LDAP_VERSION3;
const int tls_settings = SCH_CRED_MANUAL_CRED_VALIDATION | SCH_CRED_NO_SERVERNAME_CHECK;
PyObject *scheme = PyObject_GetAttrString(url, "scheme");
PyObject *host = PyObject_GetAttrString(url, "host");
PyObject *port = PyObject_GetAttrString(url, "port");
if (scheme == NULL || host == NULL || port == NULL) return -1;
hoststr = PyObject2char(host);
portnum = PyLong_AsLong(port);
Py_DECREF(host);
Py_DECREF(port);
if (hoststr == NULL) return -1;
if (PyUnicode_CompareWithASCIIString(scheme, "ldaps") == 0) {
*ld = ldap_sslinit(hoststr, portnum, 1);
} else {
*ld = ldap_init(hoststr, portnum);
}
Py_DECREF(scheme);
if (ld == NULL) return -1;
ldap_set_option(*ld, LDAP_OPT_PROTOCOL_VERSION, &version);
switch (tls_option) {
case -1:
/* Cert policy is not set, nothing to do.*/
break;
case 2:
case 4:
/* Cert policy is demand or try, then standard procedure. */
break;
case 0:
case 3:
/* Cert policy is never or allow, then set TLS settings. */
ldap_set_option(*ld, 0x43, &tls_settings);
ldap_set_option(*ld, LDAP_OPT_SERVER_CERTIFICATE, &noverify);
break;
}
rc = ldap_connect(*ld, NULL);
return rc;
}
/*
* \brief Load the cokebank database
*/
int Bank_Initialise(const char *Argument)
{
#if USE_LDAP
int rv;
#endif
// Open Cokebank
gBank_File = fopen(Argument, "rb+");
if( !gBank_File ) gBank_File = fopen(Argument, "wb+");
if( !gBank_File ) {
perror("Opening coke bank");
return -1;
}
Bank_int_ReadDatabase();
// Open log file
// TODO: Do I need this?
gBank_LogFile = fopen("cokebank.log", "a");
if( !gBank_LogFile ) gBank_LogFile = stdout;
#if USE_LDAP
// Connect to LDAP
rv = ldap_create(&gpLDAP);
if(rv) {
fprintf(stderr, "ldap_create: %s\n", ldap_err2string(rv));
return 1;
}
rv = ldap_initialize(&gpLDAP, gsLDAPPath);
if(rv) {
fprintf(stderr, "ldap_initialize: %s\n", ldap_err2string(rv));
return 1;
}
{ int ver = LDAP_VERSION3; ldap_set_option(gpLDAP, LDAP_OPT_PROTOCOL_VERSION, &ver); }
# if 0
rv = ldap_start_tls_s(gpLDAP, NULL, NULL);
if(rv) {
fprintf(stderr, "ldap_start_tls_s: %s\n", ldap_err2string(rv));
return 1;
}
# endif
{
struct berval cred;
struct berval *servcred;
cred.bv_val = "secret";
cred.bv_len = 6;
rv = ldap_sasl_bind_s(gpLDAP, "cn=admin,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au",
"", &cred, NULL, NULL, &servcred);
if(rv) {
fprintf(stderr, "ldap_start_tls_s: %s\n", ldap_err2string(rv));
return 1;
}
}
#endif
return 0;
}
DWORD
VmDirSASLGSSAPIBind(
LDAP** ppLd,
PCSTR pszURI
)
{
DWORD dwError = 0;
int retVal = 0;
LDAP* pLd = NULL;
const int ldapVer = LDAP_VERSION3;
if ( ppLd == NULL || pszURI == NULL )
{
dwError = VMDIR_ERROR_INVALID_PARAMETER;
BAIL_ON_VMDIR_ERROR(dwError);
}
retVal = ldap_initialize( &pLd, pszURI);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
retVal = ldap_set_option(pLd, LDAP_OPT_PROTOCOL_VERSION, &ldapVer);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
retVal = ldap_sasl_interactive_bind_s( pLd,
NULL,
"GSSAPI",
NULL,
NULL,
LDAP_SASL_QUIET,
_VmDirSASLGSSAPIInteraction,
NULL);
BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
*ppLd = pLd;
cleanup:
return dwError;
ldaperror:
VMDIR_LOG_VERBOSE( VMDIR_LOG_MASK_ALL, "_VmDirSASLGSSBind failed. (%d)(%s)",
retVal, ldap_err2string(retVal) );
dwError = VmDirMapLdapError(retVal);
error:
if (retVal == 0)
{
VMDIR_LOG_VERBOSE( VMDIR_LOG_MASK_ALL, "_VmDirSASLGSSBind failed. (%u)", dwError);
}
if ( pLd )
{
ldap_unbind_ext_s( pLd, NULL, NULL);
}
goto cleanup;
}
int
main( int argc, char **argv )
{
int version;
LDAP *ld;
char *target;
int rc;
struct berval userid;
struct berval oldpasswd;
struct berval newpasswd;
struct berval genpasswd;
/* Use LDAPv3. */
version = LDAP_VERSION3;
if ( ldap_set_option( NULL, LDAP_OPT_PROTOCOL_VERSION, &version )
!= 0 ) {
fprintf( stderr,
"ldap_set_option protocol version to %d failed\n",
version );
return ( 1 );
}
/* Get a handle to an LDAP connection. */
if ( (ld = ldap_init( MY_HOST, MY_PORT )) == NULL ) {
perror( "ldap_init" );
return( 1 );
}
/* Authenticate to the directory. */
if ( ldap_simple_bind_s( ld, ENTRYDN, ENTRYPW ) != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_simple_bind_s" );
return( 1 );
}
/* Change the password using the extended operation. */
userid.bv_val = ENTRYDN;
userid.bv_len = strlen(userid.bv_val);
oldpasswd.bv_val = ENTRYPW;
oldpasswd.bv_len = strlen(oldpasswd.bv_val);
newpasswd.bv_val = "ChangeMe!";
newpasswd.bv_len = strlen(newpasswd.bv_val);
rc = ldap_passwd_s(
ld, &userid, &oldpasswd, &newpasswd, &genpasswd, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr, "ldap_passwd_s: %s\n", ldap_err2string( rc ) );
ldap_unbind( ld );
return( 1 );
} else {
printf( "Successfully changed password for %s\n", userid.bv_val );
}
ldap_unbind( ld );
return( 0 );
}
static void
_mu_ldap_unbind (LDAP *ld)
{
if (ld)
{
ldap_set_option (ld, LDAP_OPT_SERVER_CONTROLS, NULL);
ldap_unbind_ext (ld, NULL, NULL);
}
}
/** @brief Connect to a LDAP server.
* @param uri Server to connect too.
* @param starttls Starttls flags to disallow,allow or enforce SSL.
* @param timelimit Query timelimit.
* @param limit Results limit.
* @param debug Set LDAP_OPT_DEBUG_LEVEL and LBER_OPT_DEBUG_LEVEL to this level.
* @param err Pointer to a int that will contain the ldap error on failure.
* @returns Reference to LDAP connection if its NULL the error is returned in err.*/
extern struct ldap_conn *ldap_connect(const char *uri, enum ldap_starttls starttls, int timelimit, int limit, int debug, int *err) {
struct ldap_conn *ld;
int version = 3;
int res, sslres;
struct timeval timeout;
if (!(ld = objalloc(sizeof(*ld), free_ldapconn))) {
return NULL;
}
ld->uri = strdup(uri);
ld->sctrlsp = NULL;
ld->timelim = timelimit;
ld->limit = limit;
ld->sasl = NULL;
if ((res = ldap_initialize(&ld->ldap, ld->uri) != LDAP_SUCCESS)) {
objunref(ld);
ld = NULL;
} else {
if (debug) {
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &debug);
ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &debug);
}
if (timelimit) {
timeout.tv_sec = timelimit;
timeout.tv_usec = 0;
ldap_set_option(ld->ldap, LDAP_OPT_NETWORK_TIMEOUT, (void *)&timeout);
}
ldap_set_option(ld->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
ldap_set_option(ld->ldap, LDAP_OPT_REFERRALS, (void *)LDAP_OPT_ON);
ldap_set_rebind_proc(ld->ldap, ldap_rebind_proc, ld);
if ((starttls != LDAP_STARTTLS_NONE) & !ldap_tls_inplace(ld->ldap) && (sslres = ldap_start_tls_s(ld->ldap, ld->sctrlsp, NULL))) {
if (starttls == LDAP_STARTTLS_ENFORCE) {
objunref(ld);
ld = NULL;
res = sslres;
}
}
}
*err = res;
return ld;
}
int ldap_add_machine_account(const char *ldap_host,
const char *hostname, const char *realm)
{
LDAP *ld;
int ldap_port = LDAP_PORT;
char *bind_path;
int rc;
LDAPMessage *res;
void *sasl_defaults;
int version = LDAP_VERSION3;
bind_path = build_dn(realm);
printf("Creating host account for %s@%s\n", hostname, realm);
ld = ldap_open(ldap_host, ldap_port);
ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
rc = ldap_sasl_interactive_bind_s(ld, NULL, NULL, NULL, NULL, 0,
sasl_interact, NULL);
if (rc != LDAP_SUCCESS) {
ldap_perror(ld, "ldap_bind");
goto failed;
}
rc = find_host(ld, &res, bind_path, hostname);
if (rc == LDAP_SUCCESS && ldap_count_entries(ld, res) == 1) {
printf("Host account for %s already exists\n", hostname);
goto finished;
}
rc = add_host(ld, bind_path, hostname, realm);
if (rc != LDAP_SUCCESS) {
ldap_perror(ld, "add_host");
goto failed;
}
rc = find_host(ld, &res, bind_path, hostname);
if (rc != LDAP_SUCCESS || ldap_count_entries(ld, res) != 1) {
ldap_perror(ld, "find_host test");
goto failed;
}
printf("Successfully added machine account for %s\n", hostname);
finished:
free(bind_path);
return 0;
failed:
printf("ldap_add_machine_account failed\n");
free(bind_path);
ldap_unbind(ld);
return 1;
}
static LDAP *ldap_init_and_bind (const char *host,
#ifdef WIN32
gboolean use_ssl,
#endif
const char *user_dn,
const char *password)
{
LDAP *ld;
int res;
int desired_version = LDAP_VERSION3;
#ifndef WIN32
res = ldap_initialize (&ld, host);
if (res != LDAP_SUCCESS) {
ccnet_warning ("ldap_initialize failed: %s.\n", ldap_err2string(res));
return NULL;
}
#else
char *host_copy = g_strdup (host);
if (!use_ssl)
ld = ldap_init (host_copy, LDAP_PORT);
else
ld = ldap_sslinit (host_copy, LDAP_SSL_PORT, 1);
g_free (host_copy);
if (!ld) {
ccnet_warning ("ldap_init failed: %ul.\n", LdapGetLastError());
return NULL;
}
#endif
/* set the LDAP version to be 3 */
res = ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version);
if (res != LDAP_OPT_SUCCESS) {
ccnet_warning ("ldap_set_option failed: %s.\n", ldap_err2string(res));
return NULL;
}
if (user_dn) {
#ifndef WIN32
res = ldap_bind_s (ld, user_dn, password, LDAP_AUTH_SIMPLE);
#else
char *dn_copy = g_strdup(user_dn);
char *password_copy = g_strdup(password);
res = ldap_bind_s (ld, dn_copy, password_copy, LDAP_AUTH_SIMPLE);
g_free (dn_copy);
g_free (password_copy);
#endif
if (res != LDAP_SUCCESS ) {
ccnet_warning ("ldap_bind failed: %s.\n", ldap_err2string(res));
ldap_unbind_s (ld);
return NULL;
}
}
return ld;
}
/*
* Function: prldap_import_connection().
*
* Given the LDAP handle the connection parameters for the
* file descriptor are imported into NSPR layer.
*
* Returns an LDAP API code (LDAP_SUCCESS) if all goes well.
*/
int LDAP_CALL
prldap_import_connection (LDAP *ld)
{
int rc = LDAP_SUCCESS; /* optimistic */
int shared = 1; /* Assume shared init */
LBER_SOCKET orig_socket = -1;
PRLDAPIOSessionArg *prsessp = NULL;
PRLDAPIOSocketArg *prsockp = NULL;
PRFileDesc *pr_socket = NULL;
/* Check for invalid ld handle */
if ( ld == NULL) {
ldap_set_lderrno( ld, LDAP_PARAM_ERROR, NULL, NULL );
return( LDAP_PARAM_ERROR );
}
/* Retrieve TCP socket's integer file descriptor */
if ( ldap_get_option( ld, LDAP_OPT_DESC, &orig_socket ) < 0 ) {
return( ldap_get_lderrno( ld, NULL, NULL ));
}
/* Check for NSPR functions on ld */
if ( prldap_is_installed(ld)) { /* Error : NSPR already Installed */
ldap_set_lderrno( ld, LDAP_LOCAL_ERROR, NULL, NULL );
return( LDAP_LOCAL_ERROR );
}
if (LDAP_SUCCESS != (rc = prldap_install_routines(ld, shared))) {
return( rc );
}
if (LDAP_SUCCESS != (rc = prldap_session_arg_from_ld( ld, &prsessp ))) {
return( rc );
}
/* Get NSPR Socket Arg */
if ( NULL == ( prsockp = prldap_socket_arg_alloc( prsessp ))) {
ldap_set_lderrno( ld, LDAP_NO_MEMORY, NULL, NULL );
return( LDAP_NO_MEMORY );
}
/* Import file descriptor of connection made via ldap_init() */
if (NULL == (pr_socket = PR_ImportTCPSocket(orig_socket)) ) {
ldap_set_lderrno( ld, LDAP_LOCAL_ERROR, NULL, NULL );
return( LDAP_LOCAL_ERROR );
}
prsockp->prsock_prfd = pr_socket;
/* Set Socket Arg in Extended I/O Layer */
if ( ldap_set_option( ld, LDAP_X_OPT_SOCKETARG, prsockp) != 0 ) {
return( ldap_get_lderrno( ld, NULL, NULL ));
}
return( rc );
}
static int
ldap_set_option_wrapper(LDAP *ld, int option, const void *invalue)
{
#ifdef AUTH_LDAP_TEST_API
return (ldap_set_option(ld, option, invalue));
#else
return ((*ldap_set_option_p)(ld, option, invalue));
#endif
}
static int
_dico_conn_setup(struct _dico_ldap_handle *lp)
{
int rc;
LDAP *ld = NULL;
int protocol = LDAP_VERSION3; /* FIXME: must be configurable */
if (lp->debug) {
if (ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &lp->debug)
!= LBER_OPT_SUCCESS )
dico_log(L_ERR, 0, _("cannot set LBER_OPT_DEBUG_LEVEL %d"),
lp->debug);
if (ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &lp->debug)
!= LDAP_OPT_SUCCESS )
dico_log(L_ERR, 0, _("could not set LDAP_OPT_DEBUG_LEVEL %d"),
lp->debug);
}
rc = ldap_initialize(&ld, lp->url);
if (rc != LDAP_SUCCESS) {
dico_log(L_ERR, 0,
_("cannot create LDAP session handle for URI=%s (%d): %s"),
lp->url, rc, ldap_err2string(rc));
return 1;
}
if (lp->tls) {
rc = ldap_start_tls_s(ld, NULL, NULL);
if (rc != LDAP_SUCCESS) {
dico_log(L_ERR, 0, _("ldap_start_tls failed: %s"),
ldap_err2string(rc));
return 1;
}
}
ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &protocol);
/* FIXME: Timeouts, SASL, etc. */
lp->ldap = ld;
return 0;
}
static int set_char_option(LDAP *ld, int option, char *cv)
{
int rc;
if ( (rc=ldap_set_option( NULL, option, cv )) != LDAP_SUCCESS ) {
report_error(rc, "set char opt");
return (0);
}
return (1);
}
static krb5_error_code
LDAP__connect(krb5_context context, HDB * db)
{
int rc, version = LDAP_VERSION3;
/*
* Empty credentials to do a SASL bind with LDAP. Note that empty
* different from NULL credentials. If you provide NULL
* credentials instead of empty credentials you will get a SASL
* bind in progress message.
*/
struct berval bv = { 0, "" };
if (HDB2LDAP(db)) {
/* connection has been opened. ping server. */
struct sockaddr_un addr;
socklen_t len = sizeof(addr);
int sd;
if (ldap_get_option(HDB2LDAP(db), LDAP_OPT_DESC, &sd) == 0 &&
getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
/* the other end has died. reopen. */
LDAP_close(context, db);
}
}
if (HDB2LDAP(db) != NULL) /* server is UP */
return 0;
rc = ldap_initialize(&((struct hdbldapdb *)db->hdb_db)->h_lp, "ldapi:///");
if (rc != LDAP_SUCCESS) {
krb5_set_error_string(context, "ldap_initialize: %s",
ldap_err2string(rc));
return HDB_ERR_NOENTRY;
}
rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_PROTOCOL_VERSION,
(const void *)&version);
if (rc != LDAP_SUCCESS) {
krb5_set_error_string(context, "ldap_set_option: %s",
ldap_err2string(rc));
LDAP_close(context, db);
return HDB_ERR_BADVERSION;
}
rc = ldap_sasl_bind_s(HDB2LDAP(db), NULL, "EXTERNAL", &bv,
NULL, NULL, NULL);
if (rc != LDAP_SUCCESS) {
krb5_set_error_string(context, "ldap_sasl_bind_s: %s",
ldap_err2string(rc));
LDAP_close(context, db);
return HDB_ERR_BADVERSION;
}
return 0;
}
static void dict_ldap_set_tls_options(DICT_LDAP *dict_ldap)
{
char *myname = "dict_ldap_set_tls_options";
int rc;
if (dict_ldap->start_tls || dict_ldap->ldap_ssl) {
if (*dict_ldap->tls_random_file) {
if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
dict_ldap->tls_random_file)) != LDAP_SUCCESS)
msg_warn("%s: Unable to set tls_random_file to %s: %d: %s",
myname, dict_ldap->tls_random_file,
rc, ldap_err2string(rc));
}
if (*dict_ldap->tls_ca_cert_file) {
if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
dict_ldap->tls_ca_cert_file)) != LDAP_SUCCESS)
msg_warn("%s: Unable to set tls_ca_cert_file to %s: %d: %s",
myname, dict_ldap->tls_ca_cert_file,
rc, ldap_err2string(rc));
}
if (*dict_ldap->tls_ca_cert_dir) {
if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR,
dict_ldap->tls_ca_cert_dir)) != LDAP_SUCCESS)
msg_warn("%s: Unable to set tls_ca_cert_dir to %s: %d: %s",
myname, dict_ldap->tls_ca_cert_dir,
rc, ldap_err2string(rc));
}
if (*dict_ldap->tls_cert) {
if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE,
dict_ldap->tls_cert)) != LDAP_SUCCESS)
msg_warn("%s: Unable to set tls_cert to %s: %d: %s",
myname, dict_ldap->tls_cert,
rc, ldap_err2string(rc));
}
if (*dict_ldap->tls_key) {
if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE,
dict_ldap->tls_key)) != LDAP_SUCCESS)
msg_warn("%s: Unable to set tls_key to %s: %d: %s",
myname, dict_ldap->tls_key,
rc, ldap_err2string(rc));
}
if (*dict_ldap->tls_cipher_suite) {
if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
dict_ldap->tls_cipher_suite)) != LDAP_SUCCESS)
msg_warn("%s: Unable to set tls_cipher_suite to %s: %d: %s",
myname, dict_ldap->tls_cipher_suite,
rc, ldap_err2string(rc));
}
if (dict_ldap->tls_require_cert) {
if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
&(dict_ldap->tls_require_cert))) != LDAP_SUCCESS)
msg_warn("%s: Unable to set tls_require_cert to %d: %d: %s",
myname, dict_ldap->tls_require_cert,
rc, ldap_err2string(rc));
}
}
}
bool BindTheDemon(const char * username, const char * passwd)
{
static LDAP * ld = NULL;
static int auth_method = LDAP_AUTH_SIMPLE;
static int version = LDAP_VERSION3;
static char uri[] = "ldaps://ldap.pheme.uwa.edu.au";
char dn[BUFSIZ]; // The "dn" is essentially the username plus a bunch of cruft that for some (presumably good) reason LDAP requires
if (ld == NULL)
{
ldap_initialize(&ld, uri); // This is deprecated.
if (ld == NULL)
{
fprintf(stderr, "ldap_init failed - %s\n", strerror(errno));
return false;
}
printf("ldap_init succeeded\n");
if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version) != LDAP_OPT_SUCCESS) // This is also deprecated.
{
fprintf(stderr, "ldap_set_option failed - %s\n", strerror(errno));
return false;
}
printf("ldap_set_option succeeded\n");
}
char * user_type = "Students";
if (username[0] == '0')
user_type = "Staff";
if (sprintf(dn, "cn=%s,ou=%s,ou=Users,ou=UWA,dc=uwads,dc=uwa,dc=edu,dc=au", username, user_type) >= BUFSIZ)
{
fprintf(stderr, "LDAP DN string too long!\n");
return false;
}
printf("ldap_bind_s ...\n");
//printf("dn = %s\npasswd = %s\n", dn, passwd);
struct berval creds;
creds.bv_val = (char*)passwd;
if (ldap_simple_bind_s(ld, dn, passwd) != LDAP_SUCCESS) // Yep. Deprecated.
//if (ldap_sasl_bind_s(ld, dn, LDAP_SASL_SIMPLE , &creds, NULL, NULL, NULL) != LDAP_SUCCESS) // Doesn't work
{
fprintf(stderr,"ldap_bind_s failed - %s", strerror(errno));
return false;
}
return true;
}
static int
set_ldap_options(LD_session *session) {
struct timeval timeout;
int rc = 0;
char logbuf[MAXLOGBUF];
timeout.tv_sec = ldap_network_timeout;
timeout.tv_usec = FALSE;
ldap_set_option(session->sess, LDAP_OPT_PROTOCOL_VERSION, &ldap_protocol_version);
ldap_set_option(session->sess, LDAP_OPT_NETWORK_TIMEOUT, &timeout);
/* Start TLS if we need it*/
if (ldap_authorization_tls) {
if((rc = ldap_start_tls_s(session->sess, NULL,NULL))!=LDAP_SUCCESS)
{
snprintf(logbuf, MAXLOGBUF, "Ldap start TLS error: %s. ", ldap_err2string(rc));
ldap_log(LOG_WARNING, logbuf);
}
}
}
int
ldap_open_internal_connection( LDAP **ldp, ber_socket_t *fdp )
{
int rc;
LDAPConn *c;
LDAPRequest *lr;
rc = ldap_create( ldp );
if( rc != LDAP_SUCCESS ) {
*ldp = NULL;
return( rc );
}
/* Make it appear that a search request, msgid 0, was sent */
lr = (LDAPRequest *)LDAP_CALLOC( 1, sizeof( LDAPRequest ));
if( lr == NULL ) {
ldap_unbind_ext( *ldp, NULL, NULL );
*ldp = NULL;
return( LDAP_NO_MEMORY );
}
memset(lr, 0, sizeof( LDAPRequest ));
lr->lr_msgid = 0;
lr->lr_status = LDAP_REQST_INPROGRESS;
lr->lr_res_errno = LDAP_SUCCESS;
/* no mutex lock needed, we just created this ld here */
(*ldp)->ld_requests = lr;
/* Attach the passed socket as the *LDAP's connection */
c = ldap_new_connection( *ldp, NULL, 1, 0, NULL);
if( c == NULL ) {
ldap_unbind_ext( *ldp, NULL, NULL );
*ldp = NULL;
return( LDAP_NO_MEMORY );
}
ber_sockbuf_ctrl( c->lconn_sb, LBER_SB_OPT_SET_FD, fdp );
#ifdef LDAP_DEBUG
ber_sockbuf_add_io( c->lconn_sb, &ber_sockbuf_io_debug,
LBER_SBIOD_LEVEL_PROVIDER, (void *)"int_" );
#endif
ber_sockbuf_add_io( c->lconn_sb, &ber_sockbuf_io_tcp,
LBER_SBIOD_LEVEL_PROVIDER, NULL );
(*ldp)->ld_defconn = c;
/* Add the connection to the *LDAP's select pool */
ldap_mark_select_read( *ldp, c->lconn_sb );
ldap_mark_select_write( *ldp, c->lconn_sb );
/* Make this connection an LDAP V3 protocol connection */
rc = LDAP_VERSION3;
ldap_set_option( *ldp, LDAP_OPT_PROTOCOL_VERSION, &rc );
return( LDAP_SUCCESS );
}
void TlsOptions::newCtx() const {
int val = 0;
int ret = ldap_set_option( m_ld, LDAP_OPT_X_TLS_NEWCTX, &val);
if ( ret != LDAP_OPT_SUCCESS )
{
if ( ret != LDAP_OPT_ERROR ){
throw( LDAPException( ret ));
} else {
throw( LDAPException( LDAP_LOCAL_ERROR, "error while renewing TLS context" ) );
}
}
}
void TlsOptions::setOption( tls_option opt, void *value ) const {
int ret = ldap_set_option( m_ld, optmap[opt].optval, value);
if ( ret != LDAP_OPT_SUCCESS )
{
if ( ret != LDAP_OPT_ERROR ){
throw( LDAPException( ret ));
} else {
throw( LDAPException( LDAP_PARAM_ERROR, "error while setting TLS option" ) );
}
}
this->newCtx();
}
static void
set_cert_policy(LDAP *ld, int cert_policy) {
const int tls_settings = SCH_CRED_MANUAL_CRED_VALIDATION | SCH_CRED_NO_SERVERNAME_CHECK;
DEBUG("set_cert_policy (ld:%p, cert_policy:%d)", ld, cert_policy);
switch (cert_policy) {
case -1:
/* Cert policy is not set, nothing to do.*/
break;
case 2:
case 4:
/* Cert policy is demand or try, then standard procedure. */
break;
case 0:
case 3:
/* Cert policy is never or allow, then set TLS settings. */
ldap_set_option(ld, 0x43, &tls_settings);
ldap_set_option(ld, LDAP_OPT_SERVER_CERTIFICATE, &noverify);
break;
}
}
// }}}
// {{{AuthLDAP
bool AuthLDAP::setup()
{
LDAPURLDesc* urlDescription;
LDAP* ldap;
std::string url("dc=trapni,dc=de");
int rv = ldap_url_parse(url.c_str(), &urlDescription);
if (rv != LDAP_SUCCESS) {
return false;
}
int ldapVersion = LDAP_VERSION3;
ldap_set_option(nullptr, LDAP_OPT_PROTOCOL_VERSION, &ldapVersion);
timeval timeout = { 10, 0 };
ldap_set_option(nullptr, LDAP_OPT_NETWORK_TIMEOUT, &timeout);
int reqcert = LDAP_OPT_X_TLS_ALLOW;
ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
rv = ldap_initialize(&ldap, url.c_str());
}
int _LDAP_initialization(LDAP **ld, PyObject *url, int tls_option) {
int rc;
char *addrstr;
const int version = LDAP_VERSION3;
PyObject *addr = PyObject_CallMethod(url, "get_address", NULL);
if (addr == NULL) return -1;
addrstr = PyObject2char(addr);
Py_DECREF(addr);
if (addrstr == NULL) return -1;
rc = ldap_initialize(ld, addrstr);
if (rc != LDAP_SUCCESS) return rc;
ldap_set_option(*ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (tls_option != -1) {
ldap_set_option(*ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &tls_option);
/* Set TLS option globally. */
ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &tls_option);
}
return rc;
}
int
init_ldap(char * host, int port)
{
int status = ldap_initialize(&LDAP_handle,host);
if(status != LDAP_SUCCESS)
{
LOG(PURGER_LOG_ERR,"Error: unable to create LDAP handle.");
return -1;
}
int version = LDAP_VERSION3;
ldap_set_option(LDAP_handle, LDAP_OPT_PROTOCOL_VERSION, (void*)&version);
}
static int
LDAP_no_size_limit(krb5_context context, LDAP *lp)
{
int ret, limit = LDAP_NO_LIMIT;
ret = ldap_set_option(lp, LDAP_OPT_SIZELIMIT, (const void *)&limit);
if (ret != LDAP_SUCCESS) {
krb5_set_error_string(context, "ldap_set_option: %s",
ldap_err2string(ret));
return HDB_ERR_BADVERSION;
}
return 0;
}
/*
connect to the database
*/
static int lldb_connect(struct ldb_context *ldb,
const char *url,
unsigned int flags,
const char *options[],
struct ldb_module **_module)
{
struct ldb_module *module;
struct lldb_private *lldb;
int version = 3;
int ret;
module = ldb_module_new(ldb, ldb, "ldb_ldap backend", &lldb_ops);
if (!module) return LDB_ERR_OPERATIONS_ERROR;
lldb = talloc_zero(module, struct lldb_private);
if (!lldb) {
ldb_oom(ldb);
goto failed;
}
ldb_module_set_private(module, lldb);
ret = ldap_initialize(&lldb->ldap, url);
if (ret != LDAP_SUCCESS) {
ldb_debug(ldb, LDB_DEBUG_FATAL, "ldap_initialize failed for URL '%s' - %s",
url, ldap_err2string(ret));
goto failed;
}
talloc_set_destructor(lldb, lldb_destructor);
ret = ldap_set_option(lldb->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
ldb_debug(ldb, LDB_DEBUG_FATAL, "ldap_set_option failed - %s",
ldap_err2string(ret));
goto failed;
}
*_module = module;
ret = lldb_bind(module, options);
if (ret != LDB_SUCCESS) {
goto failed;
}
return LDB_SUCCESS;
failed:
talloc_free(module);
return LDB_ERR_OPERATIONS_ERROR;
}
/*******************************************************************************
函数名称 : dot1x_reauth_ldap_verify
功能描述 : LDAP_BIND_DN状态绑定验证用户DN
输入参数 :
输出参数 : 无
返 回 值 : 无
------------------------------------------------------------
最近一次修改记录 :
修改作者 : 王群
修改目的 : 新增函数
修改日期 : 2011年6月3日
*******************************************************************************/
s32 dot1x_reauth_ldap_verify(struct eapol_state_machine *sm)
{
s32 retcode = ERROR_SUCCESS;
s8 filter[1024];
LDAPMessage *res = NULL;
s32 sizelimit_value = 1;
s32 version = 3;
/*根据用户的dn和密码进行重认证*/
do{
sm->ldap_sm->ldap = ldap_open(g_dot1x_var.ldap_conf.ldap_host, g_dot1x_var.ldap_conf.ldap_port);
if (NULL == sm->ldap_sm->ldap)
{
retcode = !LDAP_SUCCESS;
break;
}
(void)ldap_set_option(sm->ldap_sm->ldap, LDAP_OPT_SIZELIMIT, &sizelimit_value);
(void)ldap_set_option(sm->ldap_sm->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
/*绑定管理员*/
retcode = ldap_simple_bind_s(sm->ldap_sm->ldap, g_dot1x_var.ldap_conf.ldap_rootdn, g_dot1x_var.ldap_conf.ldap_rootpw);
if (LDAP_SUCCESS != retcode)
{
break;
}
snprintf(filter, sizeof(filter), "(%s=%s)", g_dot1x_var.ldap_conf.ldap_filter, sm->identity);
/*执行查询操作*/
retcode = ldap_search_s(sm->ldap_sm->ldap, g_dot1x_var.ldap_conf.ldap_basedn, LDAP_SCOPE_SUBTREE, filter, g_ldap_attrs, 0, &res);
ldap_msgfree(res);
if (LDAP_SUCCESS != retcode)
{
break;
}
}while(0);
ldap_unbind(sm->ldap_sm->ldap);
return retcode;
}
/*% Connects / reconnects to LDAP server */
static isc_result_t dlz_ldap_connect (ldap_instance_t * dbi, dbinstance_t * dbc)
{
isc_result_t result;
int ldap_result;
/* if we have a connection, get ride of it. */
if (dbc->dbconn != NULL)
{
ldap_unbind_s ((LDAP *) dbc->dbconn);
dbc->dbconn = NULL;
}
/* now connect / reconnect. */
/* initialize. */
dbc->dbconn = ldap_init (dbi->hosts, LDAP_PORT);
if (dbc->dbconn == NULL)
return (ISC_R_NOMEMORY);
/* set protocol version. */
ldap_result = ldap_set_option ((LDAP *) dbc->dbconn, LDAP_OPT_PROTOCOL_VERSION, &(dbi->protocol));
if (ldap_result != LDAP_SUCCESS)
{
result = ISC_R_NOPERM;
goto cleanup;
}
/* "bind" to server. i.e. send username / pass */
ldap_result = ldap_bind_s ((LDAP *) dbc->dbconn, dbi->user, dbi->cred, dbi->method);
if (ldap_result != LDAP_SUCCESS)
{
result = ISC_R_FAILURE;
goto cleanup;
}
return (ISC_R_SUCCESS);
cleanup:
/* cleanup if failure. */
if (dbc->dbconn != NULL)
{
ldap_unbind_s ((LDAP *) dbc->dbconn);
dbc->dbconn = NULL;
}
return (result);
}
static
void
_VmDirClientTestSimpleBind(
PCSTR pszLDAPURI
)
{
DWORD dwError = 0;
int ldap_version_3 = LDAP_VERSION3;
LDAP * pLD = NULL;
BerValue ldapBindPwd = {0};
printf("_VmDirClientTestSimpleBind ldap simple bind initialize %s\n", pszLDAPURI);
dwError = ldap_initialize( &pLD, pszLDAPURI );
/* Set LDAP V3 protocol version */
ldap_set_option( pLD, LDAP_OPT_PROTOCOL_VERSION, &ldap_version_3 );
printf("_VmDirClientTestSimpleBind ldap simple ANONYMOUS bind started.\n");
dwError = ldap_sasl_bind_s(
pLD,
"",
LDAP_SASL_SIMPLE,
&ldapBindPwd, // no credentials
NULL,
NULL,
NULL);
BAIL_ON_VMDIR_ERROR(dwError);
printf("_VmDirClientTestSimpleBind ldap simple ANONYMOUS bind succeeded.\n");
cleanup:
if (pLD)
{
dwError = ldap_unbind_ext_s( pLD,
NULL,
NULL);
BAIL_ON_VMDIR_ERROR(dwError);
printf("_VmDirClientTestSimpleBind ldap unbind succeeded.\n\n\n");
}
return;
error:
printf("_VmDirClientTestSimpleBind failed. (%d)(%s)\n\n", dwError, ldap_err2string(dwError));
goto cleanup;
}
static krb5_error_code
LDAP_remove(krb5_context context, HDB * db, hdb_entry * entry)
{
krb5_error_code ret;
LDAPMessage *msg, *e;
char *dn = NULL;
int rc, limit = LDAP_NO_LIMIT;
ret = LDAP_principal2message(context, db, entry->principal, &msg);
if (ret)
goto out;
e = ldap_first_entry(HDB2LDAP(db), msg);
if (e == NULL) {
ret = HDB_ERR_NOENTRY;
goto out;
}
dn = ldap_get_dn(HDB2LDAP(db), e);
if (dn == NULL) {
ret = HDB_ERR_NOENTRY;
goto out;
}
rc = ldap_set_option(HDB2LDAP(db), LDAP_OPT_SIZELIMIT, (const void *)&limit);
if (rc != LDAP_SUCCESS) {
krb5_set_error_string(context, "ldap_set_option: %s",
ldap_err2string(rc));
ret = HDB_ERR_BADVERSION;
goto out;
}
rc = ldap_delete_s(HDB2LDAP(db), dn);
if (check_ldap(context, db, rc)) {
krb5_set_error_string(context, "ldap_delete_s: %s",
ldap_err2string(rc));
ret = HDB_ERR_CANT_LOCK_DB;
} else
ret = 0;
out:
if (dn != NULL)
free(dn);
if (msg != NULL)
ldap_msgfree(msg);
return ret;
}
int ldap_do_init()
{
if(!nickserv_conf.ldap_enable)
return false;
/* TODO: check here for all required config options and exit() out if not present */
//ld = ldap_init(nickserv_conf.ldap_host, nickserv_conf.ldap_port);
//if(ld == NULL) {
if(ldap_initialize(&ld, nickserv_conf.ldap_uri)) {
log_module(MAIN_LOG, LOG_ERROR, "LDAP initilization failed!\n");
exit(1);
}
ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &nickserv_conf.ldap_version);
log_module(MAIN_LOG, LOG_INFO, "Success! ldap_init() was successfull in connecting to %s\n", nickserv_conf.ldap_uri);
return true;
}
