/* ARGSUSED */
/*
 * Compare attr/value against the entry at dn on the connection that
 * __s_api_getLDAPconn() selects for flags.  Thin wrapper around
 * ldap_compare_s(); service is accepted for interface symmetry and
 * is not used.
 *
 * Returns whatever ldap_compare_s() returns.
 * NOTE(review): the connection handle is passed through unchecked --
 * confirm __s_api_getLDAPconn() cannot hand back NULL for the flags
 * callers use.
 */
int
_ns_ldap_compare_s(char *service, int flags, char *dn, char *attr, char *value)
{
	LDAP *conn;

	(void)service;
	conn = __s_api_getLDAPconn(flags);
	return ldap_compare_s(conn, dn, attr, value);
}
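/**
 * Make a compare for every new value we want to store in the
 * directory with the current values. Great tool for debugging
 * against invalid syntax in attributes
 *
 * \param ld AddressBook resource
 * \param dn dn for the entry
 * \param cnt Number of attributes to compare
 * \param mods LDAPMod structure; the first string value of each entry
 *             is compared against the directory
 *
 * The outcome of every compare, together with the library's error text,
 * is written to stderr regardless of whether the values matched.
 */
void ldapsvr_compare_attr(LDAP *ld, gchar *dn, gint cnt, LDAPMod *mods[])
{
	int i, rc;
#ifdef OPEN_LDAP_API_AT_LEAST_3000
	struct berval val;
#endif

	/* Every argument is required, so the conditions are joined with &&:
	 * joined with || a single NULL argument would slip through whenever
	 * any other one was valid. */
	cm_return_if_fail(ld != NULL && dn != NULL && cnt >= 0 && mods != NULL);

	for (i = 0; i < cnt; i++) {
		const gchar *current;
		gchar *value;

		if (mods[i] == NULL)
			continue;
		/* A mod without a value list must not be dereferenced at [0]. */
		current = mods[i]->mod_vals.modv_strvals != NULL
				? mods[i]->mod_vals.modv_strvals[0] : NULL;
		/* An empty value makes the compare fail with "invalid syntax", so
		 * a dummy stands in for it.  Only one copy is taken, so nothing
		 * is leaked when the substitution happens. */
		if (current == NULL || *current == '\0')
			value = g_strdup("thisisonlyadummy");
		else
			value = g_strdup(current);
#ifdef OPEN_LDAP_API_AT_LEAST_3000
		val.bv_val = value;
		val.bv_len = strlen(value);
		rc = ldap_compare_ext_s(ld, dn, mods[i]->mod_type, &val, NULL, NULL);
#else
		/* This is deprecated as of OpenLDAP-2.3.0 */
		rc = ldap_compare_s(ld, dn, mods[i]->mod_type, value);
#endif
		/* Printed for every attribute; rc tells whether it matched. */
		g_printerr("ldap_compare for (%s:%s)\" failed[0x%x]: %s\n",
			mods[i]->mod_type, value, rc, ldaputil_get_error(ld));
		g_free(value);
	}
}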
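/**
 * Deside which kind of operation is required to handle
 * updating the specified attribute
 *
 * \param ld AddressBook resource
 * \param server Reference to server
 * \param dn dn for the entry
 * \param attr Attribute
 * \param value New value
 * \return int, return will be LDAP_MOD_ADD, LDAP_MOD_REPLACE, or LDAP_MOD_DELETE;
 *         -1 when no change is needed (or value is NULL / an argument is
 *         missing), -2 when the server rejected the attribute or syntax
 *
 * An empty value is compared as a dummy string; the dummy is owned by
 * this function and released on every return path.
 */
int ldapsvr_deside_operation(LDAP *ld, LdapServer *server, char *dn, char *attr, char *value)
{
	int rc;
	int result;
	gchar *dummy_value = NULL;
#ifdef OPEN_LDAP_API_AT_LEAST_3000
	struct berval val;
#endif

	/* All four handles are required, hence && (|| only rejected the
	 * call when every one of them was missing). */
	cm_return_val_if_fail(ld != NULL && server != NULL && dn != NULL && attr != NULL, -1);
	if (value == NULL)
		return -1;

	/* value containing empty string cause invalid syntax. A bug in
	 * the LDAP library? Therefore we add a dummy value */
	if (strcmp(value, "") == 0) {
		dummy_value = g_strdup("thisisonlyadummy");
		value = dummy_value;
	}
#ifdef OPEN_LDAP_API_AT_LEAST_3000
	val.bv_val = value;
	val.bv_len = strlen(value);
	rc = ldap_compare_ext_s(ld, dn, attr, &val, NULL, NULL);
#else
	/* This is deprecated as of OpenLDAP-2.3.0 */
	rc = ldap_compare_s(ld, dn, attr, value);
#endif
	debug_print("ldap_compare for (%s:%s)\" error_code[0x%x]: %s\n",
		attr, value, rc, ldaputil_get_error(ld));

	switch (rc) {
	case LDAP_COMPARE_FALSE:
		/* The attribute exists with another value: an empty new value
		 * means "remove it", anything else means "replace it". */
		result = (dummy_value != NULL) ? LDAP_MOD_DELETE : LDAP_MOD_REPLACE;
		break;
	case LDAP_COMPARE_TRUE:
		result = -1;
		break;
	case LDAP_NO_SUCH_ATTRIBUTE:
		result = LDAP_MOD_ADD;
		break;
	/* LDAP_INAPPROPRIATE_MATCHING needs extensive testing because I
	 * am not aware off the condition causing this return value! */
	case LDAP_INAPPROPRIATE_MATCHING:
		/* The manual comparison must see NULL, not the dummy, when the
		 * caller's value was empty. */
		result = ldapsvr_compare_manual_attr(ld, server, dn, attr,
				dummy_value != NULL ? NULL : value);
		break;
	case LDAP_UNDEFINED_TYPE:
	case LDAP_INVALID_SYNTAX:
	default:
		result = -2;
		break;
	}

	g_free(dummy_value);
	return result;
}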
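/* Check the userid & password.
 * Return 0 on success, 1 on failure
 *
 * persistent_ld  connection to reuse; may be NULL, in which case a
 *                connection is opened as needed.  It is never unbound here.
 * userid         login name from the client.  It is escaped before being
 *                substituted into searchfilter; without a searchfilter it
 *                is placed into "userattr=userid,basedn" as-is.
 * password       must be non-empty, because an empty password is an
 *                anonymous bind that every server accepts.
 *
 * Reads the file-scope settings searchfilter, binddn, bindpasswd, basedn,
 * searchscope, noreferrals, userattr, passwdattr, bind_once and debug.
 * A filter or DN that does not fit its buffer is treated as a failure
 * instead of authenticating against a truncated string.
 * NOTE(review): open_ldap_connection() and ldap_escape_value() are used as
 * the original did, without checking for a NULL handle or a truncated
 * escape -- confirm their failure behaviour in this file.
 */
static int
checkLDAP(LDAP * persistent_ld, const char *userid, const char *password, const char *ldapServer, int port)
{
    char dn[1024];
    int ret = 0;
    int len;
    LDAP *bind_ld = NULL;

    if (!*password) {
        /* LDAP can't bind with a blank password. Seen as "anonymous"
         * and always granted access */
        if (debug)
            fprintf(stderr, "Blank password given\n");
        return 1;
    }
    if (searchfilter) {
        char filter[16384];
        char escaped_login[1024];
        LDAPMessage *res = NULL;
        LDAPMessage *entry;
        char *searchattr[] = {(char *)LDAP_NO_ATTRS, NULL};
        char *userdn;
        int rc;
        LDAP *search_ld = persistent_ld;

        if (!search_ld)
            search_ld = open_ldap_connection(ldapServer, port);
        ldap_escape_value(escaped_login, sizeof(escaped_login), userid);
        if (binddn) {
            rc = ldap_simple_bind_s(search_ld, binddn, bindpasswd);
            if (rc != LDAP_SUCCESS) {
                fprintf(stderr, PROGRAM_NAME ": WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc));
                ret = 1;
                goto search_done;
            }
        }
        /* searchfilter is the operator-configured template; every "%s" in it
         * (up to 15) receives the escaped login. */
        len = snprintf(filter, sizeof(filter), searchfilter,
                       escaped_login, escaped_login, escaped_login, escaped_login, escaped_login,
                       escaped_login, escaped_login, escaped_login, escaped_login, escaped_login,
                       escaped_login, escaped_login, escaped_login, escaped_login, escaped_login);
        if (len < 0 || (size_t)len >= sizeof(filter)) {
            /* A truncated filter is not the configured one: fail closed. */
            fprintf(stderr, PROGRAM_NAME ": WARNING, search filter too long or invalid\n");
            ret = 1;
            goto search_done;
        }
        if (debug)
            fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, basedn);
        rc = ldap_search_s(search_ld, basedn, searchscope, filter, searchattr, 1, &res);
        if (rc != LDAP_SUCCESS) {
            if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
                /* Everything is fine. This is expected when referrals
                 * are disabled.
                 */
                if (debug)
                    fprintf(stderr, "noreferrals && rc == LDAP_PARTIAL_RESULTS\n");
            } else {
                fprintf(stderr, PROGRAM_NAME ": WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
#if defined(NETSCAPE_SSL)
                if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) {
                    int sslerr = PORT_GetError();
                    fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
                }
#endif
                ret = 1;
                goto search_done;
            }
        }
        entry = ldap_first_entry(search_ld, res);
        if (!entry) {
            if (debug)
                fprintf(stderr, "Ldap search returned nothing\n");
            ret = 1;
            goto search_done;
        }
        userdn = ldap_get_dn(search_ld, entry);
        if (!userdn) {
            fprintf(stderr, PROGRAM_NAME ": ERROR, could not get user DN for '%s'\n", userid);
            ret = 1;
            goto search_done;
        }
        len = snprintf(dn, sizeof(dn), "%s", userdn);
        squid_ldap_memfree(userdn);
        if (len < 0 || (size_t)len >= sizeof(dn)) {
            /* Never bind against a DN that is not the one the server returned. */
            fprintf(stderr, PROGRAM_NAME ": WARNING, user DN for '%s' is too long\n", userid);
            ret = 1;
            goto search_done;
        }
        if (ret == 0 && (!binddn || !bind_once || passwdattr)) {
            /* Reuse the search connection for comparing the user password attribute */
            bind_ld = search_ld;
            search_ld = NULL;
        }
    search_done:
        if (res) {
            ldap_msgfree(res);
            res = NULL;
        }
        if (search_ld && search_ld != persistent_ld) {
            ldap_unbind(search_ld);
            search_ld = NULL;
        }
        if (ret != 0)
            return ret;
    } else {
        len = snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn);
        if (len < 0 || (size_t)len >= sizeof(dn)) {
            fprintf(stderr, PROGRAM_NAME ": WARNING, user DN for '%s' is too long\n", userid);
            return 1;
        }
    }
    if (debug)
        fprintf(stderr, "attempting to authenticate user '%s'\n", dn);
    /* Without bind_once the persistent connection may be rebound as the
     * user; otherwise a fresh connection is opened for the bind. */
    if (!bind_ld && !bind_once)
        bind_ld = persistent_ld;
    if (!bind_ld)
        bind_ld = open_ldap_connection(ldapServer, port);
    if (passwdattr) {
        /* Compare against the password attribute instead of binding. */
        if (ldap_compare_s(bind_ld, dn, passwdattr, password) != LDAP_COMPARE_TRUE) {
            ret = 1;
        }
    } else if (ldap_simple_bind_s(bind_ld, dn, password) != LDAP_SUCCESS)
        ret = 1;

    if (bind_ld != persistent_ld) {
        ldap_unbind(bind_ld);
        bind_ld = NULL;
    }
    return ret;
}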