/*
* Set the SQL user name.
*
* We don't call the escape function here. The resulting string
* will be escaped later in the queries xlat so we don't need to
* escape it twice. (it will make things wrong if we have an
* escape candidate character in the username)
*/
int sql_set_user(rlm_sql_t *inst, REQUEST *request, char const *username)
{
char *expanded = NULL;
VALUE_PAIR *vp = NULL;
char const *sqluser;
ssize_t len;
if (username != NULL) {
sqluser = username;
} else if (inst->config->query_user[0] != '\0') {
sqluser = inst->config->query_user;
} else {
return 0;
}
len = radius_axlat(&expanded, request, sqluser, NULL, NULL);
if (len < 0) {
return -1;
}
vp = pairalloc(request->packet, inst->sql_user);
if (!vp) {
talloc_free(expanded);
return -1;
}
pairstrsteal(vp, expanded);
RDEBUG2("SQL-User-Name set to '%s'", vp->vp_strvalue);
vp->op = T_OP_SET;
pairmove(request, &request->packet->vps, &vp); /* needs to be pair move else op is not respected */
return 0;
}
/** Perform LDAP-Group comparison checking
*
* Attempts to match users to groups using a variety of methods.
*
* @param instance of the rlm_ldap module.
* @param request Current request.
* @param thing Unknown.
* @param check Which group to check for user membership.
* @param check_pairs Unknown.
* @param reply_pairs Unknown.
* @return 1 on failure (or if the user is not a member), else 0.
*/
static int rlm_ldap_groupcmp(void *instance, REQUEST *request, UNUSED VALUE_PAIR *thing, VALUE_PAIR *check,
UNUSED VALUE_PAIR *check_pairs, UNUSED VALUE_PAIR **reply_pairs)
{
ldap_instance_t *inst = instance;
rlm_rcode_t rcode;
bool found = false;
bool check_is_dn;
ldap_handle_t *conn = NULL;
char const *user_dn;
rad_assert(inst->groupobj_base_dn);
RDEBUG("Searching for user in group \"%s\"", check->vp_strvalue);
if (check->vp_length == 0) {
REDEBUG("Cannot do comparison (group name is empty)");
return 1;
}
/*
* Check if we can do cached membership verification
*/
check_is_dn = rlm_ldap_is_dn(check->vp_strvalue, check->vp_length);
if (check_is_dn) {
char *norm;
MEM(norm = talloc_memdup(check, check->vp_strvalue, talloc_array_length(check->vp_strvalue)));
rlm_ldap_normalise_dn(norm, check->vp_strvalue);
pairstrsteal(check, norm);
}
if ((check_is_dn && inst->cacheable_group_dn) || (!check_is_dn && inst->cacheable_group_name)) {
switch (rlm_ldap_check_cached(inst, request, check)) {
case RLM_MODULE_NOTFOUND:
found = false;
goto finish;
case RLM_MODULE_OK:
found = true;
goto finish;
/*
* Fallback to dynamic search on failure
*/
case RLM_MODULE_FAIL:
case RLM_MODULE_INVALID:
default:
break;
}
}
conn = mod_conn_get(inst, request);
if (!conn) return 1;
/*
* This is used in the default membership filter.
*/
user_dn = rlm_ldap_find_user(inst, request, &conn, NULL, false, NULL, &rcode);
if (!user_dn) {
mod_conn_release(inst, conn);
return 1;
}
rad_assert(conn);
/*
* Check groupobj user membership
*/
if (inst->groupobj_membership_filter) {
switch (rlm_ldap_check_groupobj_dynamic(inst, request, &conn, check)) {
case RLM_MODULE_NOTFOUND:
break;
case RLM_MODULE_OK:
found = true;
default:
goto finish;
}
}
rad_assert(conn);
/*
* Check userobj group membership
*/
if (inst->userobj_membership_attr) {
switch (rlm_ldap_check_userobj_dynamic(inst, request, &conn, user_dn, check)) {
case RLM_MODULE_NOTFOUND:
break;
case RLM_MODULE_OK:
found = true;
default:
goto finish;
}
}
rad_assert(conn);
finish:
if (conn) mod_conn_release(inst, conn);
if (!found) {
RDEBUG("User is not a member of \"%s\"", check->vp_strvalue);
return 1;
}
return 0;
}
