/** Query the LDAP directory to check if a group object includes a user object as a member
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request.
* @param[in,out] pconn to use. May change as this function calls functions which auto re-connect.
* @param[in] check vp containing the group value (name or dn).
* @return One of the RLM_MODULE_* values.
*/
rlm_rcode_t rlm_ldap_check_groupobj_dynamic(ldap_instance_t const *inst, REQUEST *request, ldap_handle_t **pconn,
VALUE_PAIR *check)
{
ldap_rcode_t status;
char base_dn[LDAP_MAX_DN_STR_LEN + 1];
char filter[LDAP_MAX_FILTER_STR_LEN + 1];
char const *dn = base_dn;
char const *name = check->vp_strvalue;
rad_assert(inst->groupobj_base_dn);
RDEBUG2("Checking for user in group objects");
if (rlm_ldap_is_dn(name)) {
char const *filters[] = { inst->groupobj_filter, inst->groupobj_membership_filter };
if (rlm_ldap_xlat_filter(request,
filters, sizeof(filters) / sizeof(*filters),
filter, sizeof(filter)) < 0) {
return RLM_MODULE_INVALID;
}
dn = name;
} else {
char name_filter[LDAP_MAX_FILTER_STR_LEN];
char const *filters[] = { name_filter, inst->groupobj_filter, inst->groupobj_membership_filter };
if (!inst->groupobj_name_attr) {
REDEBUG("Told to search for group by name, but missing 'group.name_attribute' "
"directive");
return RLM_MODULE_INVALID;
}
snprintf(name_filter, sizeof(name_filter), "(%s=%s)", inst->groupobj_name_attr, name);
if (rlm_ldap_xlat_filter(request,
filters, sizeof(filters) / sizeof(*filters),
filter, sizeof(filter)) < 0) {
return RLM_MODULE_INVALID;
}
/*
* rlm_ldap_find_user does this, too. Oh well.
*/
if (radius_xlat(base_dn, sizeof(base_dn), request, inst->groupobj_base_dn,
rlm_ldap_escape_func, NULL) < 0) {
REDEBUG("Failed creating base_dn");
return RLM_MODULE_INVALID;
}
}
status = rlm_ldap_search(inst, request, pconn, dn, inst->groupobj_scope, filter, NULL, NULL);
switch (status) {
case LDAP_PROC_SUCCESS:
RDEBUG("User found in group object");
break;
case LDAP_PROC_NO_RESULT:
RDEBUG("Search returned not found");
return RLM_MODULE_NOTFOUND;
default:
return RLM_MODULE_FAIL;
}
return RLM_MODULE_OK;
}
/** Query the LDAP directory to check if a group object includes a user object as a member
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request.
* @param[in,out] pconn to use. May change as this function calls functions which auto re-connect.
* @param[in] check vp containing the group value (name or dn).
* @return One of the RLM_MODULE_* values.
*/
rlm_rcode_t rlm_ldap_check_groupobj_dynamic(ldap_instance_t const *inst, REQUEST *request, ldap_handle_t **pconn,
VALUE_PAIR *check)
{
ldap_rcode_t status;
char base_dn[LDAP_MAX_DN_STR_LEN + 1];
char filter[LDAP_MAX_FILTER_STR_LEN + 1];
char const *dn = base_dn;
int ret;
rad_assert(inst->groupobj_base_dn);
switch (check->op) {
case T_OP_CMP_EQ:
case T_OP_CMP_FALSE:
case T_OP_CMP_TRUE:
case T_OP_REG_EQ:
case T_OP_REG_NE:
break;
default:
REDEBUG("Operator \"%s\" not allowed for LDAP group comparisons",
fr_int2str(fr_tokens, check->op, "<INVALID>"));
return 1;
}
RDEBUG2("Checking for user in group objects");
if (rlm_ldap_is_dn(check->vp_strvalue, check->vp_length)) {
char const *filters[] = { inst->groupobj_filter, inst->groupobj_membership_filter };
RINDENT();
ret = rlm_ldap_xlat_filter(request,
filters, sizeof(filters) / sizeof(*filters),
filter, sizeof(filter));
REXDENT();
if (ret < 0) return RLM_MODULE_INVALID;
dn = check->vp_strvalue;
} else {
char name_filter[LDAP_MAX_FILTER_STR_LEN];
char const *filters[] = { name_filter, inst->groupobj_filter, inst->groupobj_membership_filter };
if (!inst->groupobj_name_attr) {
REDEBUG("Told to search for group by name, but missing 'group.name_attribute' "
"directive");
return RLM_MODULE_INVALID;
}
snprintf(name_filter, sizeof(name_filter), "(%s=%s)", inst->groupobj_name_attr, check->vp_strvalue);
RINDENT();
ret = rlm_ldap_xlat_filter(request,
filters, sizeof(filters) / sizeof(*filters),
filter, sizeof(filter));
REXDENT();
if (ret < 0) return RLM_MODULE_INVALID;
/*
* rlm_ldap_find_user does this, too. Oh well.
*/
RINDENT();
ret = radius_xlat(base_dn, sizeof(base_dn), request, inst->groupobj_base_dn,
rlm_ldap_escape_func, NULL);
REXDENT();
if (ret < 0) {
REDEBUG("Failed creating base_dn");
return RLM_MODULE_INVALID;
}
}
RINDENT();
status = rlm_ldap_search(inst, request, pconn, dn, inst->groupobj_scope, filter, NULL, NULL);
REXDENT();
switch (status) {
case LDAP_PROC_SUCCESS:
RDEBUG("User found in group object \"%s\"", dn);
break;
case LDAP_PROC_NO_RESULT:
return RLM_MODULE_NOTFOUND;
default:
return RLM_MODULE_FAIL;
}
return RLM_MODULE_OK;
}
/** Convert group membership information into attributes
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request.
* @param[in,out] pconn to use. May change as this function calls functions which auto re-connect.
* @return One of the RLM_MODULE_* values.
*/
rlm_rcode_t rlm_ldap_cacheable_groupobj(ldap_instance_t const *inst, REQUEST *request, ldap_handle_t **pconn)
{
rlm_rcode_t rcode = RLM_MODULE_OK;
ldap_rcode_t status;
int ldap_errno;
char **vals;
LDAPMessage *result = NULL;
LDAPMessage *entry;
char base_dn[LDAP_MAX_DN_STR_LEN];
char const *filters[] = { inst->groupobj_filter, inst->groupobj_membership_filter };
char filter[LDAP_MAX_FILTER_STR_LEN + 1];
char const *attrs[] = { inst->groupobj_name_attr, NULL };
char *dn;
rad_assert(inst->groupobj_base_dn);
if (!inst->groupobj_membership_filter) {
RDEBUG2("Skipping caching group objects as directive 'group.membership_filter' is not set");
return RLM_MODULE_OK;
}
if (rlm_ldap_xlat_filter(request,
filters, sizeof(filters) / sizeof(*filters),
filter, sizeof(filter)) < 0) {
return RLM_MODULE_INVALID;
}
if (radius_xlat(base_dn, sizeof(base_dn), request, inst->groupobj_base_dn, rlm_ldap_escape_func, NULL) < 0) {
REDEBUG("Failed creating base_dn");
return RLM_MODULE_INVALID;
}
status = rlm_ldap_search(inst, request, pconn, base_dn, inst->groupobj_scope, filter, attrs, &result);
switch (status) {
case LDAP_PROC_SUCCESS:
break;
case LDAP_PROC_NO_RESULT:
RDEBUG2("No cacheable group memberships found in group objects");
default:
goto finish;
}
entry = ldap_first_entry((*pconn)->handle, result);
if (!entry) {
ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno));
goto finish;
}
do {
if (inst->cacheable_group_dn) {
dn = ldap_get_dn((*pconn)->handle, entry);
pairmake(request, &request->config_items, inst->cache_da->name, dn, T_OP_ADD);
RDEBUG("Added %s with value \"%s\" to control list", inst->cache_da->name, dn);
ldap_memfree(dn);
}
if (inst->cacheable_group_name) {
vals = ldap_get_values((*pconn)->handle, entry, inst->groupobj_name_attr);
if (!vals) {
continue;
}
pairmake(request, &request->config_items, inst->cache_da->name, *vals, T_OP_ADD);
RDEBUG("Added %s with value \"%s\" to control list", inst->cache_da->name, *vals);
ldap_value_free(vals);
}
} while((entry = ldap_next_entry((*pconn)->handle, entry)));
finish:
if (result) {
ldap_msgfree(result);
}
return rcode;
}
/** Convert group membership information into attributes
*
* @param[in] inst rlm_ldap configuration.
* @param[in] request Current request.
* @param[in,out] pconn to use. May change as this function calls functions which auto re-connect.
* @return One of the RLM_MODULE_* values.
*/
rlm_rcode_t rlm_ldap_cacheable_groupobj(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn)
{
rlm_rcode_t rcode = RLM_MODULE_OK;
ldap_rcode_t status;
int ldap_errno;
LDAPMessage *result = NULL;
LDAPMessage *entry;
char const *base_dn;
char base_dn_buff[LDAP_MAX_DN_STR_LEN];
char const *filters[] = { inst->groupobj_filter, inst->groupobj_membership_filter };
char filter[LDAP_MAX_FILTER_STR_LEN + 1];
char const *attrs[] = { inst->groupobj_name_attr, NULL };
VALUE_PAIR *vp;
char *dn;
rad_assert(inst->groupobj_base_dn);
if (!inst->groupobj_membership_filter) {
RDEBUG2("Skipping caching group objects as directive 'group.membership_filter' is not set");
return RLM_MODULE_OK;
}
if (rlm_ldap_xlat_filter(request,
filters, sizeof(filters) / sizeof(*filters),
filter, sizeof(filter)) < 0) {
return RLM_MODULE_INVALID;
}
if (tmpl_expand(&base_dn, base_dn_buff, sizeof(base_dn_buff), request,
inst->groupobj_base_dn, rlm_ldap_escape_func, NULL) < 0) {
REDEBUG("Failed creating base_dn");
return RLM_MODULE_INVALID;
}
status = rlm_ldap_search(&result, inst, request, pconn, base_dn,
inst->groupobj_scope, filter, attrs, NULL, NULL);
switch (status) {
case LDAP_PROC_SUCCESS:
break;
case LDAP_PROC_NO_RESULT:
RDEBUG2("No cacheable group memberships found in group objects");
goto finish;
default:
rcode = RLM_MODULE_FAIL;
goto finish;
}
entry = ldap_first_entry((*pconn)->handle, result);
if (!entry) {
ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno));
goto finish;
}
RDEBUG("Adding cacheable group object memberships");
do {
if (inst->cacheable_group_dn) {
dn = ldap_get_dn((*pconn)->handle, entry);
if (!dn) {
ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
REDEBUG("Retrieving object DN from entry failed: %s", ldap_err2string(ldap_errno));
goto finish;
}
rlm_ldap_normalise_dn(dn, dn);
MEM(vp = pair_make_config(inst->cache_da->name, NULL, T_OP_ADD));
fr_pair_value_strcpy(vp, dn);
RINDENT();
RDEBUG("&control:%s += \"%s\"", inst->cache_da->name, dn);
REXDENT();
ldap_memfree(dn);
}
if (inst->cacheable_group_name) {
struct berval **values;
values = ldap_get_values_len((*pconn)->handle, entry, inst->groupobj_name_attr);
if (!values) continue;
MEM(vp = pair_make_config(inst->cache_da->name, NULL, T_OP_ADD));
fr_pair_value_bstrncpy(vp, values[0]->bv_val, values[0]->bv_len);
RINDENT();
RDEBUG("&control:%s += \"%.*s\"", inst->cache_da->name,
(int)values[0]->bv_len, values[0]->bv_val);
REXDENT();
ldap_value_free_len(values);
}
} while ((entry = ldap_next_entry((*pconn)->handle, entry)));
finish:
if (result) ldap_msgfree(result);
return rcode;
}
