#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <syslog.h>
#include <unistd.h>
#include <ldap.h>
/* Status codes returned by the helper functions. Note the inverted polarity:
 * RETURN_TRUE is 0 and RETURN_FALSE is 1, so never test them as booleans. */
#define RETURN_TRUE 0
#define RETURN_FALSE 1
/* Boolean values used for the char flags in the configuration block below. */
#define TRUE 1
#define FALSE 0
/* Default network timeout in seconds, applied in set_ldap_options(). */
#define LDAP_DEFAULT_NETTIMEOUT 5
/* Fixed buffer sizes in bytes. Every bounded write must use the size of the
 * buffer it targets; MAXLOGBUF (256) is twice MAXFILTERSTR (128). */
#define MAXLOGBUF 256
#define MAXLOGBUFEX 512 /* not referenced in this file */
#define MAXFILTERSTR 128
#define MAXAUTHSTR 128
#define MINAUTHSTR 3 /* not referenced in this file */
#define MAXCFGLINE 1024 /* not referenced in this file */
#define MAXGROUPLIST 512
/* Process exit codes returned by main(). */
#define CR_ERROR 1
#define CR_OK 0
/* Neutralise __attribute__ on compilers that do not implement it (C++, non-GNU,
 * or GCC older than 2.8). __attribute__ is a reserved identifier; defining it is
 * tolerable only because this branch is taken exactly when the compiler does
 * not use it. */
#if !defined(__attribute__) && (defined(__cplusplus) || !defined(__GNUC__) || __GNUC__ == 2 && __GNUC_MINOR__ < 8)
#define __attribute__(A)
#endif
/* Connection settings. With the OpenLDAP API the host must be an LDAP URI
 * (init_ldap_connection() only calls ldap_initialize() when the string contains
 * a '/'); a bare host name only works through the legacy ldap_init()/ldap_open()
 * paths. */
static char *ldap_authorization_host = "ldap://ldap.bsdway.ru"; /* 127.0.0.1 */
static long ldap_authorization_port = 389; /* 389 */
/* Comma separated list of group cn values that grant access, see check_auth(). */
static char *ldap_authorization_validgroups = "mysql_admins"; /* */
/* Service account used for the uid -> DN lookup in ldap_get_fulldn().
 * NOTE(review): the bind password is a string literal here and therefore ends
 * up verbatim in the binary; a deployment should load it from a protected
 * configuration file or secret store instead. */
static char *ldap_authorization_binddn = "cn=readonly,dc=bsdway,dc=ru";
static char *ldap_authorization_bindpasswd = "jhgjhgasdjhgjhg";
static char *ldap_authorization_basedn = "dc=bsdway,dc=ru";
/* Not referenced anywhere in this file. */
static char *ldap_authorization_defaultfilter = "";
/* SASL mechanism handed to ldap_sasl_bind_s(); NULL (LDAP_SASL_SIMPLE in
 * OpenLDAP) selects a simple bind. */
static char *ldap_authorization_type = NULL;
/* Not referenced anywhere in this file. */
static unsigned int ldap_authorization_timeout = 20;
/* Wire protocol version. LDAP_OPT_PROTOCOL_VERSION is read through an int
 * pointer, so callers must copy this value into an int before passing it to
 * ldap_set_option() rather than pass the address of this unsigned short. */
static unsigned short ldap_protocol_version = LDAP_VERSION3;
/* Seconds; copied into a struct timeval for LDAP_OPT_NETWORK_TIMEOUT. */
static unsigned long ldap_network_timeout = LDAP_DEFAULT_NETTIMEOUT;
/* TRUE: negotiate StartTLS before any bind is attempted. */
static char ldap_authorization_tls = TRUE;
/* Not referenced anywhere in this file; ldap_log() prints unconditionally. */
static char ldap_authorization_debug = TRUE;
/* Thin wrapper around the library handle so the helpers share one pointer.
 * sess is NULL until init_ldap_connection() succeeds. */
typedef struct {
LDAP *sess;
} LD_session;
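/*
 * Emit one log line.
 *
 * @param priority  syslog(3)-style level (LOG_ERR, LOG_WARNING, LOG_DEBUG) as
 *                  used by the callers. This sample only writes to stdout and
 *                  never calls syslog(), so the level is currently ignored.
 * @param msg       Message without a trailing newline. It is printed through a
 *                  fixed "%s" format, never used as a format string itself.
 */
static void
ldap_log(int priority, const char *msg)
{
    (void)priority; /* kept for the syslog-style signature */
    printf("%s\n", msg);
}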
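/*
 * Open (but do not bind) the LDAP session described by the file-scope
 * ldap_authorization_host / ldap_authorization_port settings.
 *
 * @param session  Output; session->sess receives the new handle on success and
 *                 is NULL on failure.
 * @return RETURN_TRUE on success, RETURN_FALSE on failure (already logged).
 *
 * With the OpenLDAP API the host must be an LDAP URI ("ldap://..." or
 * "ldaps://..."): ldap_initialize() does not accept a bare host name, and the
 * pre-3000 ldap_init() fallback is the only branch that does.
 */
static int
init_ldap_connection(LD_session *session)
{
    char logbuf[MAXLOGBUF];

    session->sess = NULL;
#ifdef LDAP_API_FEATURE_X_OPENLDAP
    if (ldap_authorization_host != NULL && strchr(ldap_authorization_host, '/')) {
        int rc = ldap_initialize(&session->sess, ldap_authorization_host);
        if (rc != LDAP_SUCCESS) {
            snprintf(logbuf, sizeof logbuf,
                     "Ldap connection initialize return fail status: %s",
                     ldap_err2string(rc));
            ldap_log(LOG_ERR, logbuf);
            return RETURN_FALSE;
        }
    } else {
#if LDAP_API_VERSION > 3000
        /* Modern OpenLDAP only takes URIs; say so instead of a generic failure. */
        ldap_log(LOG_ERR, "Ldap connection initialize return fail status: host must be an LDAP URI");
        return RETURN_FALSE;
#else
        /* ldap_init() takes the port by value; the original passed its address. */
        session->sess = ldap_init(ldap_authorization_host, (int)ldap_authorization_port);
#endif
    }
#else
    session->sess = ldap_open(ldap_authorization_host, (int)ldap_authorization_port);
#endif
    if (session->sess == NULL) {
        ldap_log(LOG_ERR, "Final check: Ldap connection initialize return fail status");
        return RETURN_FALSE;
    }
    return RETURN_TRUE;
}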
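/*
 * Apply the protocol version and network timeout to the session, then start
 * TLS when ldap_authorization_tls is set.
 *
 * @param session  Session opened by init_ldap_connection().
 * @return RETURN_TRUE on success; RETURN_FALSE when an option could not be set
 *         or a requested StartTLS negotiation failed.
 *
 * The original returned nothing from an int function (undefined behaviour,
 * since main() tests the result) and only warned when StartTLS failed, after
 * which the service-account and user passwords were sent over the unprotected
 * connection. A failed StartTLS now fails the session instead.
 */
static int
set_ldap_options(LD_session *session)
{
    char logbuf[MAXLOGBUF];
    struct timeval timeout;
    /* LDAP_OPT_PROTOCOL_VERSION is read through an int pointer; the global is
     * an unsigned short, so hand the library a correctly sized copy. */
    int version = ldap_protocol_version;
    int rc;

    timeout.tv_sec = (long)ldap_network_timeout;
    timeout.tv_usec = 0;

    rc = ldap_set_option(session->sess, LDAP_OPT_PROTOCOL_VERSION, &version);
    if (rc != LDAP_OPT_SUCCESS) {
        ldap_log(LOG_ERR, "Ldap set protocol version failed");
        return RETURN_FALSE;
    }
    rc = ldap_set_option(session->sess, LDAP_OPT_NETWORK_TIMEOUT, &timeout);
    if (rc != LDAP_OPT_SUCCESS) {
        ldap_log(LOG_ERR, "Ldap set network timeout failed");
        return RETURN_FALSE;
    }

    /* Start TLS if we need it */
    if (ldap_authorization_tls) {
        rc = ldap_start_tls_s(session->sess, NULL, NULL);
        if (rc != LDAP_SUCCESS) {
            snprintf(logbuf, sizeof logbuf, "Ldap start TLS error: %s. ", ldap_err2string(rc));
            /* TLS was requested: refuse to bind in the clear. */
            ldap_log(LOG_ERR, logbuf);
            return RETURN_FALSE;
        }
    }
    return RETURN_TRUE;
}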
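/*
 * Copy src into dst as an RFC 4515 filter assertion value, escaping the bytes
 * that would otherwise change the filter's structure ('*', '(', ')', '\\' and
 * control characters become \2a, \28, \29, \5c, ...).
 *
 * @return 0 on success; -1 when dst (dstlen bytes) is too small. dst is always
 *         NUL-terminated when dstlen > 0.
 */
static int
ldap_filter_escape(char *dst, size_t dstlen, const char *src)
{
    static const char hex[] = "0123456789abcdef";
    size_t pos = 0;

    if (dstlen == 0)
        return -1;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        if (c == '*' || c == '(' || c == ')' || c == '\\' || c < 0x20) {
            if (pos + 3 >= dstlen) {
                dst[pos] = '\0';
                return -1;
            }
            dst[pos++] = '\\';
            dst[pos++] = hex[c >> 4];
            dst[pos++] = hex[c & 0x0f];
        } else {
            if (pos + 1 >= dstlen) {
                dst[pos] = '\0';
                return -1;
            }
            dst[pos++] = (char)c;
        }
    }
    dst[pos] = '\0';
    return 0;
}

/*
 * Length to hand to "%.*s" for a berval: bv_val is not guaranteed to be
 * NUL-terminated, and the log buffer is only MAXLOGBUF bytes anyway.
 */
static int
berval_print_len(const struct berval *bv)
{
    return bv->bv_len > MAXLOGBUF ? MAXLOGBUF : (int)bv->bv_len;
}

/*
 * Return TRUE when value (a group cn) equals one of the comma separated names
 * in ldap_authorization_validgroups, FALSE otherwise (also when the list is
 * NULL or does not fit the working buffer).
 */
static int
ldap_group_allowed(const struct berval *value)
{
    char temp[MAXGROUPLIST];
    char logbuf[MAXLOGBUF];
    char *saveptr = NULL;
    char *name;
    int n;

    if (ldap_authorization_validgroups == NULL || value == NULL || value->bv_val == NULL)
        return FALSE;
    /* strtok_r writes into its argument, so tokenize a bounded copy. */
    n = snprintf(temp, sizeof temp, "%s", ldap_authorization_validgroups);
    if (n < 0 || (size_t)n >= sizeof temp) {
        ldap_log(LOG_ERR, "Ldap valid group list is too long");
        return FALSE;
    }
    for (name = strtok_r(temp, ",", &saveptr); name != NULL; name = strtok_r(NULL, ",", &saveptr)) {
        snprintf(logbuf, sizeof logbuf, "Attribute value validgroups ? value.bv_val >> %s ? %.*s",
                 name, berval_print_len(value), value->bv_val);
        ldap_log(LOG_DEBUG, logbuf);
        /* Compare by length as well, since bv_val need not be NUL-terminated. */
        if (strlen(name) == value->bv_len && memcmp(name, value->bv_val, value->bv_len) == 0)
            return TRUE;
    }
    return FALSE;
}

/*
 * Bind with the configured service account and resolve username to its DN.
 *
 * @param session          Session from init_ldap_connection()/set_ldap_options().
 *                         On a search failure the session is unbound and
 *                         session->sess is set to NULL.
 * @param username         Login name as typed by the user. It is escaped before
 *                         being placed in the "(uid=...)" filter so that filter
 *                         metacharacters cannot widen or alter the search.
 * @param userstr          Output buffer for the DN; always NUL-terminated.
 * @param username_length  Size of userstr in bytes.
 * @return RETURN_TRUE when exactly one entry matched and its DN fits userstr;
 *         RETURN_FALSE otherwise. An ambiguous uid (several entries) is
 *         rejected rather than resolved to whichever entry came first.
 */
static int
ldap_get_fulldn(LD_session *session, const char *username, char *userstr, int username_length)
{
    struct berval cred;
    char escaped[MAXFILTERSTR];
    char filter[MAXFILTERSTR];
    char logbuf[MAXLOGBUF];
    LDAPMessage *res = NULL, *entry;
    char *dn;
    int rc, n;

    if (userstr == NULL || username_length <= 0)
        return RETURN_FALSE;
    memset(userstr, 0, (size_t)username_length);

    if (username == NULL || username[0] == '\0' ||
        ldap_filter_escape(escaped, sizeof escaped, username) != 0) {
        ldap_log(LOG_DEBUG, "Ldap lookup rejected: username empty or too long");
        return RETURN_FALSE;
    }

    cred.bv_val = ldap_authorization_bindpasswd;
    cred.bv_len = strlen(ldap_authorization_bindpasswd);
#if LDAP_API_VERSION > 3000
    rc = ldap_sasl_bind_s(session->sess, ldap_authorization_binddn, ldap_authorization_type,
                          &cred, NULL, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        /* ldap_authorization_type may be NULL; "%s" with NULL is undefined. */
        snprintf(logbuf, sizeof logbuf, "!!!Ldap server %s authentificate with method %s failed: %s",
                 ldap_authorization_host,
                 ldap_authorization_type ? ldap_authorization_type : "simple",
                 ldap_err2string(rc));
        ldap_log(LOG_DEBUG, logbuf);
        return RETURN_FALSE;
    }
#else
    rc = ldap_bind_s(session->sess, ldap_authorization_binddn, ldap_authorization_bindpasswd, LDAP_AUTH_SIMPLE);
    if (rc != LDAP_SUCCESS) {
        snprintf(logbuf, sizeof logbuf, "Ldap server %s authentificate failed: %s",
                 ldap_authorization_host, ldap_err2string(rc));
        ldap_log(LOG_DEBUG, logbuf);
        return RETURN_FALSE;
    }
#endif

    /* create filter for search; the original wrote MAXLOGBUF (256) bytes into
     * this 128-byte buffer */
    n = snprintf(filter, sizeof filter, "(uid=%s)", escaped);
    if (n < 0 || (size_t)n >= sizeof filter) {
        ldap_log(LOG_DEBUG, "Ldap search filter too long");
        return RETURN_FALSE;
    }
    rc = ldap_search_ext_s(session->sess, ldap_authorization_basedn, LDAP_SCOPE_SUBTREE,
                           filter, NULL, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &res);
    if (rc != LDAP_SUCCESS) {
        snprintf(logbuf, sizeof logbuf, "Ldap search for user failed: %s", ldap_err2string(rc));
        ldap_log(LOG_DEBUG, logbuf);
        if (res != NULL)
            ldap_msgfree(res); /* a partial result can be returned on error */
#if LDAP_API_VERSION > 3000
        ldap_unbind_ext(session->sess, NULL, NULL);
#else
        ldap_unbind(session->sess);
#endif
        session->sess = NULL;
        return RETURN_FALSE;
    }

    entry = ldap_first_entry(session->sess, res);
    if (entry == NULL) {
        ldap_msgfree(res);
        return RETURN_FALSE;
    }
    if (ldap_count_entries(session->sess, res) != 1) {
        ldap_log(LOG_WARNING, "Ldap search for user returned more than one entry");
        ldap_msgfree(res);
        return RETURN_FALSE;
    }
    dn = ldap_get_dn(session->sess, entry);
    if (dn == NULL) {
        ldap_msgfree(res);
        return RETURN_FALSE;
    }
    /* Bounded copy; the original strncpy used strlen(dn) as the limit and could
     * overrun userstr and leave it unterminated. */
    n = snprintf(userstr, (size_t)username_length, "%s", dn);
    ldap_memfree(dn);
    ldap_msgfree(res);
    if (n < 0 || n >= username_length) {
        ldap_log(LOG_ERR, "Ldap user DN does not fit in the supplied buffer");
        userstr[0] = '\0';
        return RETURN_FALSE;
    }
    return RETURN_TRUE;
}

/*
 * Verify the user's password by binding as fullname (the DN resolved by
 * ldap_get_fulldn()), then require membership of one of the groups listed in
 * ldap_authorization_validgroups (matched on the group's cn).
 *
 * The session is unbound before returning on every path and session->sess is
 * set to NULL.
 *
 * @param login     Login name; escaped before use in the memberUid filter.
 * @param password  Cleartext password. An empty password is refused before the
 *                  bind: a bind request carrying a DN and no credentials is an
 *                  "unauthenticated" bind (RFC 4513 section 5.1.2) that many
 *                  servers accept, which would pass any known user.
 * @param fullname  DN to bind as.
 * @return RETURN_TRUE only when the bind succeeded and a listed group was
 *         found; RETURN_FALSE otherwise, including on search errors (the
 *         original returned RETURN_TRUE there, i.e. failed open).
 */
static int
check_auth(LD_session *session, const char *login, const char *password, const char *fullname)
{
    char escaped[MAXFILTERSTR];
    char filter[MAXFILTERSTR];
    char logbuf[MAXLOGBUF];
    LDAPMessage *res = NULL, *entry;
    struct berval cred;
    int authorized = FALSE;
    int rc, n;

    if (password == NULL || password[0] == '\0' || fullname == NULL || fullname[0] == '\0') {
        ldap_log(LOG_DEBUG, "Ldap auth rejected: empty password or DN");
        goto out_unbind;
    }
    if (login == NULL || ldap_filter_escape(escaped, sizeof escaped, login) != 0) {
        ldap_log(LOG_DEBUG, "Ldap auth rejected: login empty or too long");
        goto out_unbind;
    }
    /* Check authorization; the original wrote MAXLOGBUF bytes into this
     * MAXFILTERSTR buffer */
    n = snprintf(filter, sizeof filter, "(&(objectClass=posixGroup)(memberUid=%s))", escaped);
    if (n < 0 || (size_t)n >= sizeof filter) {
        ldap_log(LOG_DEBUG, "Ldap group filter too long");
        goto out_unbind;
    }

    cred.bv_val = (char *)password; /* bv_val is non-const; the library does not write it */
    cred.bv_len = strlen(password);
#if LDAP_API_VERSION > 3000
    rc = ldap_sasl_bind_s(session->sess, fullname, ldap_authorization_type, &cred, NULL, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        snprintf(logbuf, sizeof logbuf, "Ldap server %s authentificate with method %s failed: %s",
                 ldap_authorization_host,
                 ldap_authorization_type ? ldap_authorization_type : "simple",
                 ldap_err2string(rc));
        ldap_log(LOG_DEBUG, logbuf);
        goto out_unbind;
    }
#else
    rc = ldap_bind_s(session->sess, fullname, password, LDAP_AUTH_SIMPLE);
    if (rc != LDAP_SUCCESS) {
        snprintf(logbuf, sizeof logbuf, "Ldap server %s authentificate failed: %s",
                 ldap_authorization_host, ldap_err2string(rc));
        ldap_log(LOG_DEBUG, logbuf);
        goto out_unbind;
    }
#endif

    rc = ldap_search_ext_s(session->sess, ldap_authorization_basedn, LDAP_SCOPE_SUBTREE,
                           filter, NULL, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &res);
    if (rc != LDAP_SUCCESS) {
        snprintf(logbuf, sizeof logbuf, "Ldap group search failed: %s", ldap_err2string(rc));
        ldap_log(LOG_DEBUG, logbuf);
        goto out_free; /* fail closed: a search error is not an authorization */
    }

    /* ldap_next_entry() takes the previous entry, not the result head, and the
     * head must stay intact for ldap_msgfree() below. */
    for (entry = ldap_first_entry(session->sess, res);
         entry != NULL && !authorized;
         entry = ldap_next_entry(session->sess, entry)) {
        BerElement *ber = NULL;
        char *attr;

        for (attr = ldap_first_attribute(session->sess, entry, &ber);
             attr != NULL;
             attr = ldap_next_attribute(session->sess, entry, ber)) {
            snprintf(logbuf, sizeof logbuf, "Found attribute %s", attr);
            ldap_log(LOG_DEBUG, logbuf);
            /* Attribute descriptions are case-insensitive in LDAP. */
            if (strcasecmp(attr, "cn") == 0) {
                struct berval **values = ldap_get_values_len(session->sess, entry, attr);
                if (values != NULL) {
                    size_t v;
                    /* cn may be multi-valued; any listed value grants access. */
                    for (v = 0; values[v] != NULL && !authorized; v++) {
                        authorized = ldap_group_allowed(values[v]);
                        if (!authorized) {
                            snprintf(logbuf, sizeof logbuf, "VAL: %.*s",
                                     berval_print_len(values[v]), values[v]->bv_val);
                            ldap_log(LOG_DEBUG, logbuf);
                        }
                    }
                    ldap_value_free_len(values);
                }
            }
            ldap_memfree(attr); /* the original leaked every attribute name */
            if (authorized)
                break;
        }
        if (ber != NULL)
            ber_free(ber, 0);
    }

out_free:
    if (res != NULL)
        ldap_msgfree(res);
out_unbind:
#if LDAP_API_VERSION > 3000
    ldap_unbind_ext(session->sess, NULL, NULL);
#else
    ldap_unbind(session->sess);
#endif
    session->sess = NULL;
    return authorized ? RETURN_TRUE : RETURN_FALSE;
}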
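/*
 * Print prompt, read one line from stdin into buf (buflen bytes) and strip the
 * trailing newline.
 *
 * @return 0 on success; -1 on EOF/read error, or when the line did not fit in
 *         buf (refused outright so a silently truncated credential is never
 *         used). buf is NUL-terminated on every return.
 */
static int
read_input_line(const char *prompt, char *buf, size_t buflen)
{
    size_t len;

    fputs(prompt, stdout);
    fflush(stdout);
    if (fgets(buf, (int)buflen, stdin) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    /* No newline: either the final unterminated line, or a line longer than
     * the buffer (the rest is still pending in stdin). */
    if (feof(stdin))
        return 0;
    buf[0] = '\0';
    return -1;
}

/*
 * Overwrite len bytes at buf with zeros through a volatile pointer so the
 * compiler cannot drop the store as dead (a plain memset before return may be).
 */
static void
secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = buf;

    while (len-- > 0)
        *p++ = 0;
}

/*
 * Interactive driver: read a user name and password from stdin, resolve the
 * user's DN with the service account, then bind as that user and check group
 * membership.
 *
 * @return CR_OK on success, CR_ERROR on any failure.
 *
 * Changes from the original: input is read with fgets() into buffers that have
 * room for the terminator (the old getchar() loop stored EOF as a char and
 * wrote user[MAXINPLEN + 1] past the end of a MAXINPLEN array), empty
 * credentials are rejected before any network traffic, and the password is no
 * longer echoed to stdout.
 */
int
main(void)
{
    char auth_string[MAXAUTHSTR];
    char logbuf[MAXLOGBUF];
    LD_session ldap_session;
    int status = CR_ERROR;
#define MAXINPLEN 100
    /* +2: room for the newline fgets() keeps and the NUL, so a line of exactly
     * MAXINPLEN characters is still accepted. */
    char user[MAXINPLEN + 2];
    char pass[MAXINPLEN + 2];

    memset(user, 0, sizeof user);
    memset(pass, 0, sizeof pass);

    if (read_input_line("Enter the username: ", user, sizeof user) != 0 || user[0] == '\0') {
        ldap_log(LOG_ERR, "Username is empty, too long or could not be read. Exiting...");
        return CR_ERROR;
    }
    printf("Username: %s\n", user);

    if (read_input_line("Enter the password <any characters>: ", pass, sizeof pass) != 0 || pass[0] == '\0') {
        ldap_log(LOG_ERR, "Password is empty, too long or could not be read. Exiting...");
        secure_wipe(pass, sizeof pass);
        return CR_ERROR;
    }
    /* The password is deliberately not printed: the original echoed it, which
     * leaves it in terminal scrollback and any captured output. */

    ldap_session.sess = NULL;
    memset(logbuf, 0, sizeof logbuf);
    memset(auth_string, 0, sizeof auth_string);

    /* Check parameters */
    if (!ldap_authorization_host) {
        ldap_log(LOG_ERR, "Config node \"ldap_authorization_host\" isn't correct");
        goto out;
    }
    /* The helpers tear the session down themselves on most of their failure
     * paths and at the end of check_auth(); main() does not unbind again, to
     * avoid a double unbind. */
    if (init_ldap_connection(&ldap_session) == RETURN_FALSE) {
        ldap_log(LOG_ERR, "LDAP Initialisation connect return error status. Exiting...");
        goto out;
    }
    if (set_ldap_options(&ldap_session) == RETURN_FALSE) {
        ldap_log(LOG_ERR, "LDAP Set options return error status. Exiting...");
        goto out;
    }
    if (ldap_get_fulldn(&ldap_session, user, auth_string, MAXAUTHSTR) == RETURN_FALSE) {
        ldap_log(LOG_ERR, "LDAP User isn't found in catalog. Exiting...");
        goto out;
    }
    printf("%s\n", auth_string);
    if (check_auth(&ldap_session, user, pass, auth_string) == RETURN_FALSE) {
        ldap_log(LOG_ERR, "Auth user name or password isn't correct. Exiting...");
        goto out;
    }
    snprintf(logbuf, sizeof logbuf, "Login SUCCESS.");
    ldap_log(LOG_DEBUG, logbuf);
    status = CR_OK;

out:
    /* Do not leave the cleartext password sitting in a stack frame that can end
     * up in a core dump. */
    secure_wipe(pass, sizeof pass);
    return status;
}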