static tls_session *
alloc_handle( void *ctx_arg, int is_server )
{
tls_ctx *ctx;
tls_session *ssl;
if ( ctx_arg ) {
ctx = ctx_arg;
} else {
struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT();
if ( ldap_pvt_tls_init_def_ctx( is_server ) < 0 ) return NULL;
ctx = lo->ldo_tls_ctx;
}
ssl = tls_imp->ti_session_new( ctx, is_server );
if ( ssl == NULL ) {
Debug( LDAP_DEBUG_ANY,"TLS: can't create ssl handle.\n",0,0,0);
return NULL;
}
return ssl;
}
int is_admin(struct rekey_session *sess)
{
static int ldap_initialized=0;
char *username=NULL;
LDAP *l=NULL;
int v, ssl_hard=LDAP_OPT_X_TLS_HARD, rc, ret=0;
struct timeval tv;
LDAPMessage *response=NULL;
char *reason, *filter;
char *ldap_url, *ldap_base, *ldap_filter, *ldap_binddn;
char *ldap_pwfile, *ldap_cacertdir;
char ldap_pwbuf[257];
#ifdef HAVE_KRB5_REALM
krb5_realm *realm;
#else
krb5_data rdata;
krb5_data *realm = &rdata;
#endif
#if !defined(LDAP_OPT_X_TLS_PROTOCOL_MIN)
SSL_CTX *sslctx;
#endif
if (!princ_ncomp_eq(sess->kctx, sess->princ, 2) ||
!compare_princ_comp(sess->kctx, sess->princ, 1, "admin")) {
goto freeall;
}
if (!(username=dup_comp_string(sess->kctx, sess->princ, 0))) {
prtmsg("Failed to extract username for admin check");
goto freeall;
}
#ifdef HAVE_KRB5_REALM
realm=sess->realm;
#else
rdata.data=sess->realm;
rdata.length=strlen(sess->realm);
#endif
krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_uri", LDAP_URI, &ldap_url);
krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_base", LDAP_BASEDN, &ldap_base);
krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_filter", USER_INGROUP_FILTER, &ldap_filter);
krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_binddn", LDAP_BINDDN, &ldap_binddn);
krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_pwfile", LDAP_PWFILE, &ldap_pwfile);
krb5_appdefault_string(sess->kctx, "rekey", realm, "ldap_cacertdir", "/etc/andy/ldapcerts", &ldap_cacertdir);
if (strlen(ldap_pwfile) > 0) {
int fd=open(ldap_pwfile, O_RDONLY);
ssize_t rsize;
if (fd < 0) {
prtmsg("Failed to open LDAP password file %s: %s", ldap_pwfile, strerror(errno));
goto freeall;
}
rsize=read(fd, ldap_pwbuf, 256);
if (rsize < 0) {
prtmsg("Failed to read from LDAP password file %s: %s", ldap_pwfile, strerror(errno));
goto freeall;
}
if (rsize > 255) {
prtmsg("LDAP password file %s is too large. limit to 255 characters", ldap_pwfile);
goto freeall;
}
while(rsize > 0 && isspace(ldap_pwbuf[rsize-1]))
rsize--;
ldap_pwbuf[rsize]=0;
}
if (!ldap_initialized) {
LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ssl_hard);
LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CACERTDIR, ldap_cacertdir);
LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, "HIGH:!ADH:!eNULL:-SSLv2");
#if defined(LDAP_OPT_X_TLS_PROTOCOL_MIN)
v=LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
LDAP_SET_OPTION(NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN, &v);
#else
extern int ldap_pvt_tls_init();
extern int ldap_pvt_tls_init_def_ctx( int is_server );
ldap_pvt_tls_init();
ldap_pvt_tls_init_def_ctx(0);
LDAP_GET_OPTION(NULL, LDAP_OPT_X_TLS_CTX, &sslctx);
if (sslctx) {
SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv3);
}
#endif
ldap_initialized=1;
}
errno=0;
rc = ldap_initialize(&l, ldap_url);
if (rc!=LDAP_SUCCESS)
{
prtmsg("Failed to initialize ldap for %s: %s%s%s", ldap_url,
ldap_err2string(rc),(errno==0)?"":": ",
(errno==0)?"":strerror(errno));
goto freeall;
}
v=LDAP_VERSION3;
LDAP_SET_OPTION(l, LDAP_OPT_PROTOCOL_VERSION, &v);
LDAP_SET_OPTION(l, LDAP_OPT_X_TLS, &ssl_hard);
errno=0;
#if 0
rc = ldap_sasl_interactive_bind_s(l, NULL, "GSSAPI", NULL, NULL,
LDAP_SASL_QUIET, do_sasl_interact, NULL);
#else
rc = ldap_bind_s(l, ldap_binddn, ldap_pwbuf, LDAP_AUTH_SIMPLE);
#endif
if (rc!=LDAP_SUCCESS)
{
prtmsg("Failed to connect or authenticate to ldap for %s: %s%s%s", LDAP_URI,
ldap_err2string(rc),(errno==0)?"":": ",
(errno==0)?"":strerror(errno));
goto freeall;
}
tv.tv_sec=30;
tv.tv_usec=0;
rc = ldap_search_ext_s(l, rekey_admin_group, LDAP_SCOPE_BASE, NO_FILTER,
no_attrs, 0, NULL, NULL, &tv, LDAP_NO_LIMIT, &response);
if (rc != LDAP_SUCCESS) {
prtmsg("Failed to verify group %s existence (searching): %s%s%s", rekey_admin_group,
ldap_err2string(rc),(errno==0)?"":": ",
(errno==0)?"":strerror(errno));
goto freeall;
}
reason=aasprintf("verify group %s existence", rekey_admin_group);
if (!verify_op_success(l, reason, response))
goto freeall;
ldap_msgfree(response);
response=NULL;
filter=aasprintf(ldap_filter, username, rekey_admin_group);
rc = ldap_search_ext_s(l, ldap_base, LDAP_SCOPE_SUB, filter,
no_attrs, 0, NULL, NULL, &tv, LDAP_NO_LIMIT, &response);
if (rc != LDAP_SUCCESS) {
prtmsg("Failed to check user %s admin permission (searching): %s%s%s", username,
ldap_err2string(rc),(errno==0)?"":": ",
(errno==0)?"":strerror(errno));
goto freeall;
}
reason=aasprintf("check user %s admin permission", username);
if (!verify_single_result(l, 0, reason, response))
goto freeall;
ret=1;
freeall:
ldap_msgfree(response);
if (l)
ldap_unbind_ext_s(l, NULL, NULL);
free(username);
return ret;
}
