/* ARGSUSED */
int _ns_ldap_compare_s(char *service, int flags,
char *dn, char *attr, char *value)
{
LDAP *ld = __s_api_getLDAPconn(flags);
return (ldap_compare_s(ld, dn, attr, value));
}
/**
* Make a compare for every new value we want to store in the
* directory with the current values. Great tool for debugging
* against invalid syntax in attributes
*
* \param ld AddressBook resource
* \param dn dn for the entry
* \param cnt Number of attributes to compare
* \param mods LDAPMod structure
*/
void ldapsvr_compare_attr(LDAP *ld, gchar *dn, gint cnt, LDAPMod *mods[]) {
int i, rc;
#ifdef OPEN_LDAP_API_AT_LEAST_3000
struct berval val;
#endif
cm_return_if_fail(ld != NULL || dn != NULL || cnt >= 0 || mods != NULL);
for (i = 0; i < cnt; i++) {
gchar *value = g_strdup(mods[i]->mod_vals.modv_strvals[0]);
if (!value || strcmp(value, "") == 0)
value = g_strdup("thisisonlyadummy");
#ifdef OPEN_LDAP_API_AT_LEAST_3000
val.bv_val = value;
val.bv_len = strlen(value);
rc = ldap_compare_ext_s(ld, dn, mods[i]->mod_type, &val, NULL, NULL);
#else
/* This is deprecated as of OpenLDAP-2.3.0 */
rc = ldap_compare_s(ld, dn, mods[i]->mod_type, value);
#endif
g_printerr("ldap_compare for (%s:%s)\" failed[0x%x]: %s\n",
mods[i]->mod_type, value, rc, ldaputil_get_error(ld));
g_free(value);
}
}
/**
* Deside which kind of operation is required to handle
* updating the specified attribute
*
* \param ld AddressBook resource
* \param server Reference to server
* \param dn dn for the entry
* \param attr Attribute
* \param value New value
* \return int, return will be LDAP_MOD_ADD, LDAP_MOD_REPLACE, or LDAP_MOD_DELETE
*/
int ldapsvr_deside_operation(LDAP *ld, LdapServer *server, char *dn, char *attr, char *value) {
int rc;
gboolean dummy = FALSE;
#ifdef OPEN_LDAP_API_AT_LEAST_3000
struct berval val;
#endif
cm_return_val_if_fail(ld != NULL || server != NULL || dn != NULL || attr != NULL, -1);
if (value == NULL)
return -1;
/* value containing empty string cause invalid syntax. A bug in
* the LDAP library? Therefore we add a dummy value
*/
if (strcmp(value,"") == 0) {
value = g_strdup("thisisonlyadummy");
dummy = TRUE;
}
#ifdef OPEN_LDAP_API_AT_LEAST_3000
val.bv_val = value;
val.bv_len = strlen(value);
rc = ldap_compare_ext_s(ld, dn, attr, &val, NULL, NULL);
#else
/* This is deprecated as of OpenLDAP-2.3.0 */
rc = ldap_compare_s(ld, dn, attr, value);
#endif
debug_print("ldap_compare for (%s:%s)\" error_code[0x%x]: %s\n",
attr, value, rc, ldaputil_get_error(ld));
switch (rc) {
case LDAP_COMPARE_FALSE:
if (dummy)
return LDAP_MOD_DELETE;
else
return LDAP_MOD_REPLACE;
case LDAP_COMPARE_TRUE: return -1;
case LDAP_NO_SUCH_ATTRIBUTE: return LDAP_MOD_ADD;
/* LDAP_INAPPROPRIATE_MATCHING needs extensive testing because I
* am not aware off the condition causing this return value!
*/
case LDAP_INAPPROPRIATE_MATCHING:
if (dummy)
value = NULL;
return ldapsvr_compare_manual_attr(ld, server, dn, attr, value);
case LDAP_UNDEFINED_TYPE: return -2;
case LDAP_INVALID_SYNTAX: return -2;
default: return -2;
}
}
/* Check the userid & password.
* Return 0 on success, 1 on failure
*/
static int
checkLDAP(LDAP * persistent_ld, const char *userid, const char *password, const char *ldapServer, int port)
{
char dn[1024];
int ret = 0;
LDAP *bind_ld = NULL;
if (!*password) {
/* LDAP can't bind with a blank password. Seen as "anonymous"
* and always granted access
*/
if (debug)
fprintf(stderr, "Blank password given\n");
return 1;
}
if (searchfilter) {
char filter[16384];
char escaped_login[1024];
LDAPMessage *res = NULL;
LDAPMessage *entry;
char *searchattr[] =
{(char *)LDAP_NO_ATTRS, NULL};
char *userdn;
int rc;
LDAP *search_ld = persistent_ld;
if (!search_ld)
search_ld = open_ldap_connection(ldapServer, port);
ldap_escape_value(escaped_login, sizeof(escaped_login), userid);
if (binddn) {
rc = ldap_simple_bind_s(search_ld, binddn, bindpasswd);
if (rc != LDAP_SUCCESS) {
fprintf(stderr, PROGRAM_NAME ": WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc));
ret = 1;
goto search_done;
}
}
snprintf(filter, sizeof(filter), searchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login);
if (debug)
fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, basedn);
rc = ldap_search_s(search_ld, basedn, searchscope, filter, searchattr, 1, &res);
if (rc != LDAP_SUCCESS) {
if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
/* Everything is fine. This is expected when referrals
* are disabled.
*/
if (debug)
fprintf(stderr, "noreferrals && rc == LDAP_PARTIAL_RESULTS\n");
} else {
fprintf(stderr, PROGRAM_NAME ": WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
#if defined(NETSCAPE_SSL)
if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) {
int sslerr = PORT_GetError();
fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
}
#endif
ret = 1;
goto search_done;
}
}
entry = ldap_first_entry(search_ld, res);
if (!entry) {
if (debug)
fprintf(stderr, "Ldap search returned nothing\n");
ret = 1;
goto search_done;
}
userdn = ldap_get_dn(search_ld, entry);
if (!userdn) {
fprintf(stderr, PROGRAM_NAME ": ERROR, could not get user DN for '%s'\n", userid);
ret = 1;
goto search_done;
}
snprintf(dn, sizeof(dn), "%s", userdn);
squid_ldap_memfree(userdn);
if (ret == 0 && (!binddn || !bind_once || passwdattr)) {
/* Reuse the search connection for comparing the user password attribute */
bind_ld = search_ld;
search_ld = NULL;
}
search_done:
if (res) {
ldap_msgfree(res);
res = NULL;
}
if (search_ld && search_ld != persistent_ld) {
ldap_unbind(search_ld);
search_ld = NULL;
}
if (ret != 0)
return ret;
} else {
snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn);
}
if (debug)
fprintf(stderr, "attempting to authenticate user '%s'\n", dn);
if (!bind_ld && !bind_once)
bind_ld = persistent_ld;
if (!bind_ld)
bind_ld = open_ldap_connection(ldapServer, port);
if (passwdattr) {
if (ldap_compare_s(bind_ld, dn, passwdattr, password) != LDAP_COMPARE_TRUE) {
ret = 1;
}
} else if (ldap_simple_bind_s(bind_ld, dn, password) != LDAP_SUCCESS)
ret = 1;
if (bind_ld != persistent_ld) {
ldap_unbind(bind_ld);
bind_ld = NULL;
}
return ret;
}
