/*% Connects / reconnects to LDAP server */
static isc_result_t dlz_ldap_connect (ldap_instance_t * dbi, dbinstance_t * dbc)
{
isc_result_t result;
int ldap_result;
/* if we have a connection, get ride of it. */
if (dbc->dbconn != NULL)
{
ldap_unbind_s ((LDAP *) dbc->dbconn);
dbc->dbconn = NULL;
}
/* now connect / reconnect. */
/* initialize. */
dbc->dbconn = ldap_init (dbi->hosts, LDAP_PORT);
if (dbc->dbconn == NULL)
return (ISC_R_NOMEMORY);
/* set protocol version. */
ldap_result = ldap_set_option ((LDAP *) dbc->dbconn, LDAP_OPT_PROTOCOL_VERSION, &(dbi->protocol));
if (ldap_result != LDAP_SUCCESS)
{
result = ISC_R_NOPERM;
goto cleanup;
}
/* "bind" to server. i.e. send username / pass */
ldap_result = ldap_bind_s ((LDAP *) dbc->dbconn, dbi->user, dbi->cred, dbi->method);
if (ldap_result != LDAP_SUCCESS)
{
result = ISC_R_FAILURE;
goto cleanup;
}
return (ISC_R_SUCCESS);
cleanup:
/* cleanup if failure. */
if (dbc->dbconn != NULL)
{
ldap_unbind_s ((LDAP *) dbc->dbconn);
dbc->dbconn = NULL;
}
return (result);
}
DWORD
LwLdapBindDirectoryAnonymous(
HANDLE hDirectory
)
{
DWORD dwError = 0;
PLW_LDAP_DIRECTORY_CONTEXT pDirectory = (PLW_LDAP_DIRECTORY_CONTEXT)hDirectory;
LW_BAIL_ON_INVALID_HANDLE(hDirectory);
dwError = ldap_bind_s(
pDirectory->ld,
NULL,
NULL,
LDAP_AUTH_SIMPLE);
BAIL_ON_LDAP_ERROR(dwError);
cleanup:
return dwError;
error:
LW_RTL_LOG_ERROR("Failed on LDAP simple bind (Error code: %u)", dwError);
if(pDirectory->ld != NULL)
{
ldap_unbind_s(pDirectory->ld);
pDirectory->ld = NULL;
}
goto cleanup;
}
static void test_ldap_connection(abts_case *tc, LDAP *ldap)
{
int version = LDAP_VERSION3;
int failures, result;
/* always default to LDAP V3 */
ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
for (failures=0; failures<10; failures++)
{
result = ldap_simple_bind_s(ldap,
(char *)NULL,
(char *)NULL);
if (LDAP_SERVER_DOWN != result)
break;
}
ABTS_TRUE(tc, result == LDAP_SUCCESS);
if (result != LDAP_SUCCESS) {
abts_log_message("%s\n", ldap_err2string(result));
}
ldap_unbind_s(ldap);
return;
}
/** unbind and clear variables */
static int _ldapfull_unbind(moddata_t data) {
ldap_unbind_s(data->ld);
data->ld = NULL;
data->binded = 0;
log_debug(ZONE, "unbinded from ldap server");
return 0;
}
/** connect to the ldap host */
static int _ldapfull_connect(moddata_t data)
{
int ldapversion = LDAP_VERSION3;
int rc;
if(data->ld != NULL)
ldap_unbind_s(data->ld);
data->binded=0;
rc = ldap_initialize(&(data->ld), data->uri);
if( rc != LDAP_SUCCESS )
{
log_write(data->ar->c2s->log, LOG_ERR, "ldap: ldap_initialize failed, uri=%s (%d): %s", data->uri, rc, ldap_err2string(rc));
return 1;
}
if (ldap_set_option(data->ld, LDAP_OPT_PROTOCOL_VERSION, &ldapversion) != LDAP_SUCCESS)
{
log_write(data->ar->c2s->log, LOG_ERR, "ldap: couldn't set v3 protocol");
return 1;
}
if (ldap_set_option(data->ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON) != LDAP_SUCCESS) {
log_write(data->ar->c2s->log, LOG_ERR, "ldap: couldn't set LDAP_OPT_REFERRALS");
}
log_debug(ZONE, "connected to ldap server");
return 0;
}
void
dlz_ldap_destroy(void *driverarg, void *dbdata) {
UNUSED(driverarg);
if (dbdata != NULL) {
#ifdef ISC_PLATFORM_USETHREADS
/* cleanup the list of DBI's */
ldap_destroy_dblist((db_list_t *)
((ldap_instance_t *)dbdata)->db);
#else /* ISC_PLATFORM_USETHREADS */
if (((ldap_instance_t *)dbdata)->db->dbconn != NULL)
ldap_unbind_s((LDAP *)
((ldap_instance_t *)dbdata)->db->dbconn);
/* destroy single DB instance */
destroy_sqldbinstance(((ldap_instance_t *)dbdata)->db);
#endif /* ISC_PLATFORM_USETHREADS */
if (((ldap_instance_t *)dbdata)->hosts != NULL)
isc_mem_free(ns_g_mctx,
((ldap_instance_t *)dbdata)->hosts);
if (((ldap_instance_t *)dbdata)->user != NULL)
isc_mem_free(ns_g_mctx,
((ldap_instance_t *)dbdata)->user);
if (((ldap_instance_t *)dbdata)->cred != NULL)
isc_mem_free(ns_g_mctx,
((ldap_instance_t *)dbdata)->cred);
isc_mem_put(ns_g_mctx, dbdata, sizeof(ldap_instance_t));
}
}
/** Detach from the LDAP server and cleanup internal state.
*
*/
static int mod_detach(void *instance)
{
ldap_instance_t *inst = instance;
fr_connection_pool_delete(inst->pool);
if (inst->user_map) {
talloc_free(inst->user_map);
}
/*
* Keeping the dummy ld around for the lifetime
* of the module should always work,
* irrespective of what changes happen in libldap.
*/
if (inst->handle) {
#ifdef HAVE_LDAP_UNBIND_EXT_S
ldap_unbind_ext_s(inst->handle, NULL, NULL);
#else
ldap_unbind_s(inst->handle);
#endif
}
return 0;
}
static LDAP *ldap_init_and_bind (const char *host,
const char *user_dn,
const char *password)
{
LDAP *ld;
int res;
int desired_version = LDAP_VERSION3;
res = ldap_initialize (&ld, host);
if (res != LDAP_SUCCESS) {
ccnet_warning ("ldap_initialize failed: %s.\n", ldap_err2string(res));
return NULL;
}
/* set the LDAP version to be 3 */
res = ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version);
if (res != LDAP_OPT_SUCCESS) {
ccnet_warning ("ldap_set_option failed: %s.\n", ldap_err2string(res));
return NULL;
}
if (user_dn) {
res = ldap_bind_s (ld, user_dn, password, LDAP_AUTH_SIMPLE);
if (res != LDAP_SUCCESS ) {
ccnet_warning ("ldap_bind failed: %s.\n", ldap_err2string(res));
ldap_unbind_s (ld);
return NULL;
}
}
return ld;
}
void
dlz_destroy(void *dbdata) {
if (dbdata != NULL) {
ldap_instance_t *db = (ldap_instance_t *)dbdata;
#if PTHREADS
/* cleanup the list of DBI's */
if (db->db != NULL)
ldap_destroy_dblist((db_list_t *)(db->db));
#else /* PTHREADS */
if (db->db->dbconn != NULL)
ldap_unbind_s((LDAP *)(db->db->dbconn));
/* destroy single DB instance */
destroy_dbinstance(db->db);
#endif /* PTHREADS */
if (db->hosts != NULL)
free(db->hosts);
if (db->user != NULL)
free(db->user);
if (db->cred != NULL)
free(db->cred);
free(dbdata);
}
}
/**
void close_ldap_connection(LDAP* ld, int clear)
LDAPサーバとの接続を閉じる
@param ld LDAPサーバへのセッションハンドラ
@param clear TRUEの場合,大域変数 JBXLdapHost, JBXLdapDnBind も削除する.
*/
void close_ldap_connection(LDAP* ld, int clear)
{
if (clear==TRUE) {
del_LDAP_Host(&JBXLdapHost);
del_LDAP_Dn (&JBXLdapDnBind);
}
ldap_unbind_s(ld);
}
static LDAP *ldap_init_and_bind (const char *host,
#ifdef WIN32
gboolean use_ssl,
#endif
const char *user_dn,
const char *password)
{
LDAP *ld;
int res;
int desired_version = LDAP_VERSION3;
#ifndef WIN32
res = ldap_initialize (&ld, host);
if (res != LDAP_SUCCESS) {
ccnet_warning ("ldap_initialize failed: %s.\n", ldap_err2string(res));
return NULL;
}
#else
char *host_copy = g_strdup (host);
if (!use_ssl)
ld = ldap_init (host_copy, LDAP_PORT);
else
ld = ldap_sslinit (host_copy, LDAP_SSL_PORT, 1);
g_free (host_copy);
if (!ld) {
ccnet_warning ("ldap_init failed: %ul.\n", LdapGetLastError());
return NULL;
}
#endif
/* set the LDAP version to be 3 */
res = ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version);
if (res != LDAP_OPT_SUCCESS) {
ccnet_warning ("ldap_set_option failed: %s.\n", ldap_err2string(res));
return NULL;
}
if (user_dn) {
#ifndef WIN32
res = ldap_bind_s (ld, user_dn, password, LDAP_AUTH_SIMPLE);
#else
char *dn_copy = g_strdup(user_dn);
char *password_copy = g_strdup(password);
res = ldap_bind_s (ld, dn_copy, password_copy, LDAP_AUTH_SIMPLE);
g_free (dn_copy);
g_free (password_copy);
#endif
if (res != LDAP_SUCCESS ) {
ccnet_warning ("ldap_bind failed: %s.\n", ldap_err2string(res));
ldap_unbind_s (ld);
return NULL;
}
}
return ld;
}
//- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
std::string LDAP_UNX::getDistinguishedName( const std::string userID,
std::string *dname )
{
*dname = "";
LDAP *ldap = NULL; // INITIALISE AND CONNECT TO LDAP SERVER
std::string e = initialize( &ldap );
if ( ! e.empty() )
{return( e );
}
std::string base = ou + "," + dc;
std::string bparam = std::string("CN=LDAPbind,") + base;
const int ibind = ldap_simple_bind_s( ldap, bparam.c_str(),
ldap_pw.c_str() );
if ( ibind != LDAP_SUCCESS )
{sprintf( ebuf, "ldap_simple_bind_s=%d", ibind );
return( std::string(ebuf) );
}
/* SEARCH FOR ENTRY WITH sAMAccountName AS GIVEN BY USER AND GET
distinguishedName IF IT EXISTS (IF FOUND, THEN USERNAME EXISTS) */
LDAPMessage *res = ( LDAPMessage * )NULL;
std::string filter = "(sAMAccountName=" + userID + ")";
const int isearch = ldap_search_s( ldap, base.c_str(),
LDAP_SCOPE_ONELEVEL, filter.c_str(), ( char ** )NULL, 0, &res );
if ( isearch != LDAP_SUCCESS )
{sprintf( ebuf, "ldap_search_s=%d", isearch );
return( std::string(ebuf) );
}
const int nentries = ldap_count_entries( ldap, res );
if ( nentries <= 0 )
{ // FAILED TO FIND distinguishedName from sAMAccountName
ldap_msgfree( res );
ldap_unbind_s( ldap );
return( "Username not found in LDAP-OU" );
}
// EXTRACT distinguishedNAme
char *dn = ldap_get_dn( ldap, ldap_first_entry( ldap, res ) );
*dname = std::string( dn );
ldap_memfree( dn ); // TIDY UP
ldap_msgfree( res );
ldap_unbind_s( ldap ); // DROP ASSOCIATION
return( "" );
}
static int
qldap_close(qldap *q)
{
CHECK(q, CLOSE);
qldap_free_results(q); /* free results */
/* close and free ldap connection */
ldap_unbind_s(q->ld);
q->state = CLOSE;
return OK;
}
int main(int ac, char** av) {
if (!(ld = auth_fldap()))
return 255;
openlog("slog", LOG_PID|LOG_CONS, LOG_USER);
fuse_main(ac, av, &fldap_oper, NULL);
ldap_unbind_s(ld);
closelog();
return 0;
}
static VALUE rldap_unbind(VALUE obj)
{
RLDAP_WRAP *wrapper;
int retval;
wrapper = get_wrapper(obj);
retval = ldap_unbind_s(wrapper->ld);
if (retval != LDAP_SUCCESS)
rldap_raise(retval);
else
return Qtrue;
}
/* Like isc_result_check, only for LDAP */
void
ldap_result_check (char *msg, char *dn, int err)
{
if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS))
{
fprintf(stderr, "Error while adding %s (%s):\n",
dn, msg);
ldap_perror (conn, dn);
ldap_unbind_s (conn);
exit (-1);
}
}
/** entry-point function for following referrals, required in some cases by Active Directory */
static int rebindProc(LDAP *ld, LDAP_CONST char *url, ber_tag_t request, ber_int_t msgid, void *mdata)
{
drvdata_t data = mdata;
data->ld = ld;
if(ldap_simple_bind_s(data->ld, data->binddn, data->bindpw)) {
log_debug(ZONE, "ldapvcard: bind failed (to %s): %s", url, ldap_err2string(_ldap_get_lderrno(data->ld)));
ldap_unbind_s(data->ld);
data->ld = NULL;
return LDAP_INAPPROPRIATE_AUTH;
}
return LDAP_SUCCESS;
}
/*
**| method: int unbind();
**| Unbind from the bound server.
**
**| returns: the LDAP error code
**
**| note: this method uses the OpenLDAP synchronous interface.
**
**| see_also: the OpenLDAP v2 ldap_unbind(3) manual page.
*/
static void
f_ldap_unbind(INT32 args)
{
if (THIS->bound) {
THIS->lerrno = ldap_unbind_s(THIS->conn);
THIS->bound = 0;
} else
THIS->lerrno = 0;
pop_n_elems(args);
push_int(THIS->lerrno);
}
/*
* @uid: user's uid, list all users if * is passed in.
*/
static int ldap_count_users (CcnetUserManager *manager, const char *uid)
{
LDAP *ld = NULL;
int res;
GString *filter;
char *filter_str;
char *attrs[2];
LDAPMessage *msg = NULL;
ld = ldap_init_and_bind (manager->ldap_host,
#ifdef WIN32
manager->use_ssl,
#endif
manager->user_dn,
manager->password);
if (!ld)
return -1;
filter = g_string_new (NULL);
if (!manager->filter)
g_string_printf (filter, "(%s=%s)", manager->login_attr, uid);
else
g_string_printf (filter, "(&(%s=%s) (%s))",
manager->login_attr, uid, manager->filter);
filter_str = g_string_free (filter, FALSE);
attrs[0] = manager->login_attr;
attrs[1] = NULL;
char **base;
int count = 0;
for (base = manager->base_list; *base; ++base) {
res = ldap_search_s (ld, *base, LDAP_SCOPE_SUBTREE,
filter_str, attrs, 0, &msg);
if (res != LDAP_SUCCESS) {
ccnet_warning ("ldap_search failed: %s.\n", ldap_err2string(res));
ldap_msgfree (msg);
count = -1;
goto out;
}
count += ldap_count_entries (ld, msg);
ldap_msgfree (msg);
}
out:
g_free (filter_str);
if (ld) ldap_unbind_s (ld);
return count;
}
/** Free any global libldap resources
*
*/
void fr_ldap_free(void)
{
if (--instance_count > 0) return;
/*
* Keeping the dummy ld around for the lifetime
* of the module should always work,
* irrespective of what changes happen in libldap.
*/
#ifdef HAVE_LDAP_UNBIND_EXT_S
ldap_unbind_ext_s(ldap_global_handle, NULL, NULL);
#else
ldap_unbind_s(ldap_global_handle);
#endif
}
void
LwLdapCloseDirectory(
HANDLE hDirectory
)
{
PLW_LDAP_DIRECTORY_CONTEXT pDirectory = (PLW_LDAP_DIRECTORY_CONTEXT)hDirectory;
if (pDirectory) {
if(pDirectory->ld)
{
ldap_unbind_s(pDirectory->ld);
}
LwFreeMemory(pDirectory);
}
return;
}
//- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
std::string LDAP_UNX::authenticate( const std::string userID,
const std::string password )
{
std::string dist_name;
std::string e = getDistinguishedName( userID, &dist_name );
if ( ! e.empty() )
{return( e );
}
LDAP *ldap = NULL; // INITIALISE AND CONNECT TO LDAP SERVER
e = initialize( &ldap );
if ( ! e.empty() )
{return( e );
}
// ATTEMPT TO BIND distinguishedName WITH PASSWORD GIVEN
const int ibind = ldap_simple_bind_s( ldap, dist_name.c_str(),
password.c_str() );
ldap_unbind_s( ldap );
return( ( LDAP_SUCCESS == ibind )
? "" : "Username/password mis-match" );
}
/*%
* Properly cleans up a list of database instances.
* This function is only used when the driver is compiled for
* multithreaded operation.
*/
static void
ldap_destroy_dblist(db_list_t *dblist) {
dbinstance_t *ndbi = NULL;
dbinstance_t *dbi = NULL;
/* get the first DBI in the list */
ndbi = DLZ_LIST_HEAD(*dblist);
/* loop through the list */
while (ndbi != NULL) {
dbi = ndbi;
/* get the next DBI in the list */
ndbi = DLZ_LIST_NEXT(dbi, link);
/* release DB connection */
if (dbi->dbconn != NULL)
ldap_unbind_s((LDAP *) dbi->dbconn);
/* release all memory that comprised a DBI */
destroy_dbinstance(dbi);
}
/* release memory for the list structure */
free(dblist);
}
/*
* @uid: user's uid, list all users if * is passed in.
*/
static int ldap_count_users (CcnetUserManager *manager, const char *uid)
{
LDAP *ld = NULL;
int res;
GString *filter;
char *filter_str;
char *attrs[2];
LDAPMessage *msg = NULL;
int count = -1;
ld = ldap_init_and_bind (manager->ldap_host,
manager->user_dn,
manager->password);
if (!ld)
return -1;
filter = g_string_new (NULL);
g_string_printf (filter, "(%s=%s)", manager->login_attr, uid);
filter_str = g_string_free (filter, FALSE);
attrs[0] = manager->login_attr;
attrs[1] = NULL;
res = ldap_search_s (ld, manager->base, LDAP_SCOPE_SUBTREE,
filter_str, attrs, 0, &msg);
if (res != LDAP_SUCCESS) {
ccnet_warning ("ldap_search failed: %s.\n", ldap_err2string(res));
goto out;
}
count = ldap_count_entries (ld, msg);
out:
ldap_msgfree (msg);
g_free (filter_str);
if (ld) ldap_unbind_s (ld);
return count;
}
handler_t auth_ldap_init(server *srv, mod_auth_plugin_config *s) {
#ifdef USE_LDAP
int ret;
#if 0
if (s->auth_ldap_basedn->used == 0) {
log_error_write(srv, __FILE__, __LINE__, "s", "ldap: auth.backend.ldap.base-dn has to be set");
return HANDLER_ERROR;
}
#endif
if (s->auth_ldap_hostname->used) {
/* free old context */
if (NULL != s->ldap) ldap_unbind_s(s->ldap);
if (NULL == (s->ldap = ldap_init(s->auth_ldap_hostname->ptr, LDAP_PORT))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap ...", strerror(errno));
return HANDLER_ERROR;
}
ret = LDAP_VERSION3;
if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(s->ldap, LDAP_OPT_PROTOCOL_VERSION, &ret))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
return HANDLER_ERROR;
}
if (s->auth_ldap_starttls) {
/* if no CA file is given, it is ok, as we will use encryption
* if the server requires a CAfile it will tell us */
if (!buffer_is_empty(s->auth_ldap_cafile)) {
if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
s->auth_ldap_cafile->ptr))) {
log_error_write(srv, __FILE__, __LINE__, "ss",
"Loading CA certificate failed:", ldap_err2string(ret));
return HANDLER_ERROR;
}
}
if (LDAP_OPT_SUCCESS != (ret = ldap_start_tls_s(s->ldap, NULL, NULL))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap startTLS failed:", ldap_err2string(ret));
return HANDLER_ERROR;
}
}
/* 1. */
if (s->auth_ldap_binddn->used) {
if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(s->ldap, s->auth_ldap_binddn->ptr, s->auth_ldap_bindpw->ptr))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
return HANDLER_ERROR;
}
} else {
if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(s->ldap, NULL, NULL))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
return HANDLER_ERROR;
}
}
}
return HANDLER_GO_ON;
#else
UNUSED(s);
log_error_write(srv, __FILE__, __LINE__, "s", "no ldap support available");
return HANDLER_ERROR;
#endif
}
void
add_to_rr_list (char *dn, char *name, char *type,
char *data, unsigned int ttl, unsigned int flags)
{
int i;
int x;
ldap_info *tmp;
int attrlist;
char ldap_type_buffer[128];
char charttl[64];
if ((tmp = locate_by_dn (dn)) == NULL)
{
/* There wasn't one already there, so we need to allocate a new one,
* and stick it on the list */
tmp = (ldap_info *) malloc (sizeof (ldap_info));
if (tmp == (ldap_info *) NULL)
{
fprintf (stderr, "malloc: %s\n", strerror (errno));
ldap_unbind_s (conn);
exit (-1);
}
tmp->dn = strdup (dn);
tmp->attrs = (LDAPMod **) calloc (sizeof (LDAPMod *), flags);
if (tmp->attrs == (LDAPMod **) NULL)
{
fprintf (stderr, "calloc: %s\n", strerror (errno));
ldap_unbind_s (conn);
exit (-1);
}
for (i = 0; i < flags; i++)
{
tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod));
if (tmp->attrs[i] == (LDAPMod *) NULL)
{
fprintf (stderr, "malloc: %s\n", strerror (errno));
exit (-1);
}
}
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
tmp->attrs[0]->mod_type = "objectClass";
if (flags == DNS_OBJECT)
tmp->attrs[0]->mod_values = objectClasses;
else
{
tmp->attrs[0]->mod_values = topObjectClasses;
tmp->attrs[1] = NULL;
tmp->attrcnt = 2;
tmp->next = ldap_info_base;
ldap_info_base = tmp;
return;
}
tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
tmp->attrs[1]->mod_type = "relativeDomainName";
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[1]->mod_values == (char **)NULL)
exit(-1);
tmp->attrs[1]->mod_values[0] = strdup (name);
tmp->attrs[1]->mod_values[2] = NULL;
sprintf (ldap_type_buffer, "%sRecord", type);
tmp->attrs[2]->mod_op = LDAP_MOD_ADD;
tmp->attrs[2]->mod_type = strdup (ldap_type_buffer);
tmp->attrs[2]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[2]->mod_values == (char **)NULL)
exit(-1);
tmp->attrs[2]->mod_values[0] = strdup (data);
tmp->attrs[2]->mod_values[1] = NULL;
tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
tmp->attrs[3]->mod_type = "dNSTTL";
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[3]->mod_values == (char **)NULL)
exit(-1);
sprintf (charttl, "%d", ttl);
tmp->attrs[3]->mod_values[0] = strdup (charttl);
tmp->attrs[3]->mod_values[1] = NULL;
tmp->attrs[4]->mod_op = LDAP_MOD_ADD;
tmp->attrs[4]->mod_type = "zoneName";
tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2);
tmp->attrs[4]->mod_values[0] = gbl_zone;
tmp->attrs[4]->mod_values[1] = NULL;
tmp->attrs[5] = NULL;
tmp->attrcnt = flags;
tmp->next = ldap_info_base;
ldap_info_base = tmp;
}
else
{
for (i = 0; tmp->attrs[i] != NULL; i++)
{
sprintf (ldap_type_buffer, "%sRecord", type);
if (!strncmp
(ldap_type_buffer, tmp->attrs[i]->mod_type,
strlen (tmp->attrs[i]->mod_type)))
{
attrlist = get_attr_list_size (tmp->attrs[i]->mod_values);
tmp->attrs[i]->mod_values =
(char **) realloc (tmp->attrs[i]->mod_values,
sizeof (char *) * (attrlist + 1));
if (tmp->attrs[i]->mod_values == (char **) NULL)
{
fprintf (stderr, "realloc: %s\n", strerror (errno));
ldap_unbind_s (conn);
exit (-1);
}
for (x = 0; tmp->attrs[i]->mod_values[x] != NULL; x++);
tmp->attrs[i]->mod_values[x] = strdup (data);
tmp->attrs[i]->mod_values[x + 1] = NULL;
return;
}
}
tmp->attrs =
(LDAPMod **) realloc (tmp->attrs,
sizeof (LDAPMod) * ++(tmp->attrcnt));
if (tmp->attrs == NULL)
{
fprintf (stderr, "realloc: %s\n", strerror (errno));
ldap_unbind_s (conn);
exit (-1);
}
for (x = 0; tmp->attrs[x] != NULL; x++);
tmp->attrs[x] = (LDAPMod *) malloc (sizeof (LDAPMod));
tmp->attrs[x]->mod_op = LDAP_MOD_ADD;
tmp->attrs[x]->mod_type = strdup (ldap_type_buffer);
tmp->attrs[x]->mod_values = (char **) calloc (sizeof (char *), 2);
tmp->attrs[x]->mod_values[0] = strdup (data);
tmp->attrs[x]->mod_values[1] = NULL;
tmp->attrs[x + 1] = NULL;
}
}
static switch_xml_t xml_ldap_search(const char *section, const char *tag_name, const char *key_name, const char *key_value, switch_event_t *params,
void *user_data)
{
xml_binding_t *binding = (xml_binding_t *) user_data;
switch_event_header_t *hi;
switch_xml_t xml = NULL, sub = NULL;
struct ldap_c ldap_connection;
struct ldap_c *ldap = &ldap_connection;
int auth_method = LDAP_AUTH_SIMPLE;
int desired_version = LDAP_VERSION3;
xml_ldap_query_type_t query_type;
char *dir_exten = NULL, *dir_domain = NULL;
char *search_filter = NULL, *search_base = NULL;
int off = 0, ret = 1;
//char *buf;
//buf = malloc(4096);
if (!binding) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "No bindings...sorry bud returning now\n");
return NULL;
}
if (!strcmp(section, "configuration")) {
query_type = XML_LDAP_CONFIG;
} else if (!strcmp(section, "directory")) {
query_type = XML_LDAP_DIRECTORY;
} else if (!strcmp(section, "dialplan")) {
query_type = XML_LDAP_DIALPLAN;
} else if (!strcmp(section, "phrases")) {
query_type = XML_LDAP_PHRASE;
} else if (!strcmp(section, "languages")) {
query_type = XML_LDAP_LANGUAGE;
} else {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Invalid section\n");
return NULL;
}
if (params) {
if ((hi = params->headers)) {
for (; hi; hi = hi->next) {
switch (query_type) {
case XML_LDAP_CONFIG:
break;
case XML_LDAP_DIRECTORY:
if (!strcmp(hi->name, "user")) {
dir_exten = strdup(hi->value);
} else if (!strcmp(hi->name, "domain")) {
dir_domain = strdup(hi->value);
}
break;
case XML_LDAP_DIALPLAN:
case XML_LDAP_PHRASE:
case XML_LDAP_LANGUAGE:
break;
}
}
switch (query_type) {
case XML_LDAP_CONFIG:
break;
case XML_LDAP_DIRECTORY:
if (dir_exten && dir_domain) {
if ((xml = switch_xml_new("directory"))) {
switch_xml_set_attr_d(xml, "type", "freeswitch/xml");
if ((sub = switch_xml_add_child_d(xml, "section", off++))) {
switch_xml_set_attr_d(sub, "name", "directory");
}
if ((sub = switch_xml_add_child_d(sub, "domain", off++))) {
switch_xml_set_attr_d(sub, "name", dir_domain);
}
if ((sub = switch_xml_add_child_d(sub, "user", off++))) {
switch_xml_set_attr_d(sub, "id", dir_exten);
}
}
search_filter = switch_mprintf(binding->filter, dir_exten);
search_base = switch_mprintf(binding->basedn, dir_domain);
free(dir_exten);
dir_exten = NULL;
free(dir_domain);
dir_domain = NULL;
} else {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR,
"Something bad happened during the query construction phase likely exten(%s) or domain(%s) is null\n", dir_exten,
dir_domain);
goto cleanup;
}
break;
case XML_LDAP_DIALPLAN:
if ((xml = switch_xml_new("document"))) {
switch_xml_set_attr_d(xml, "type", "freeswitch/xml");
if ((sub = switch_xml_add_child_d(xml, "section", off++))) {
switch_xml_set_attr_d(sub, "name", "dialplan");
}
sub = switch_xml_add_child_d(xml, "context", off++);
}
break;
case XML_LDAP_PHRASE:
case XML_LDAP_LANGUAGE:
break;
}
} else {
goto cleanup;
}
}
if ((ldap->ld = (LDAP *) ldap_init(binding->host, LDAP_PORT)) == NULL) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Unable to connect to ldap server.%s\n", binding->host);
goto cleanup;
}
if (ldap_set_option(ldap->ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version) != LDAP_OPT_SUCCESS) {
goto cleanup;
}
ldap_set_option(ldap->ld, LDAP_OPT_X_SASL_SECPROPS, &ldap->sp);
if (binding->binddn) {
if (ldap_bind_s(ldap->ld, binding->binddn, binding->bindpass, auth_method) != LDAP_SUCCESS) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Unable to bind to ldap server %s as %s\n", binding->host, binding->binddn);
goto cleanup;
}
} else {
if (ldap_sasl_interactive_bind_s
(ldap->ld, NULL, binding->defaults->mech, NULL, NULL, (unsigned) (intptr_t) LDAP_SASL_SIMPLE, lutil_sasl_interact,
binding->defaults) != LDAP_SUCCESS) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Unable to sasl_bind to ldap server %s as %s\n", binding->host,
binding->defaults->authcid);
goto cleanup;
}
}
if (ldap_search_s(ldap->ld, search_base, LDAP_SCOPE_SUBTREE, search_filter, NULL, 0, &ldap->msg) != LDAP_SUCCESS) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Query failed: -b \"%s\" \"%s\"\n", search_base, search_filter);
goto cleanup;
}
if (ldap_count_entries(ldap->ld, ldap->msg) <= 0) {
goto cleanup;
}
if (sub && xml_ldap_result(&ldap_connection, binding, &sub, &off, query_type) != SWITCH_STATUS_SUCCESS) {
goto cleanup;
}
ret = 0;
cleanup:
if (ldap->msg) {
ldap_msgfree(ldap->msg);
}
if (ldap->ld) {
ldap_unbind_s(ldap->ld);
}
switch_safe_free(search_filter);
switch_safe_free(search_base);
//switch_xml_toxml_buf(xml,buf,0,0,1);
//switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Providing:\n%s\n", buf);
if (ret) {
switch_xml_free(xml);
return NULL;
}
return xml;
}
static CURLcode Curl_ldap(struct connectdata *conn, bool *done)
{
CURLcode result = CURLE_OK;
int rc = 0;
LDAP *server = NULL;
LDAPURLDesc *ludp = NULL;
LDAPMessage *ldapmsg = NULL;
LDAPMessage *entryIterator;
int num = 0;
struct SessionHandle *data=conn->data;
int ldap_proto = LDAP_VERSION3;
int ldap_ssl = 0;
char *val_b64 = NULL;
size_t val_b64_sz = 0;
curl_off_t dlsize = 0;
#ifdef LDAP_OPT_NETWORK_TIMEOUT
struct timeval ldap_timeout = {10,0}; /* 10 sec connection/search timeout */
#endif
*done = TRUE; /* unconditionally */
infof(data, "LDAP local: LDAP Vendor = %s ; LDAP Version = %d\n",
LDAP_VENDOR_NAME, LDAP_VENDOR_VERSION);
infof(data, "LDAP local: %s\n", data->change.url);
#ifdef HAVE_LDAP_URL_PARSE
rc = ldap_url_parse(data->change.url, &ludp);
#else
rc = _ldap_url_parse(conn, &ludp);
#endif
if(rc != 0) {
failf(data, "LDAP local: %s", ldap_err2string(rc));
result = CURLE_LDAP_INVALID_URL;
goto quit;
}
/* Get the URL scheme ( either ldap or ldaps ) */
if(conn->given->flags & PROTOPT_SSL)
ldap_ssl = 1;
infof(data, "LDAP local: trying to establish %s connection\n",
ldap_ssl ? "encrypted" : "cleartext");
#ifdef LDAP_OPT_NETWORK_TIMEOUT
ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
#endif
ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
if(ldap_ssl) {
#ifdef HAVE_LDAP_SSL
#ifdef CURL_LDAP_WIN
/* Win32 LDAP SDK doesn't support insecure mode without CA! */
server = ldap_sslinit(conn->host.name, (int)conn->port, 1);
ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON);
#else
int ldap_option;
char* ldap_ca = data->set.str[STRING_SSL_CAFILE];
#if defined(CURL_HAS_NOVELL_LDAPSDK)
rc = ldapssl_client_init(NULL, NULL);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ldapssl_client_init %s", ldap_err2string(rc));
result = CURLE_SSL_CERTPROBLEM;
goto quit;
}
if(data->set.ssl.verifypeer) {
/* Novell SDK supports DER or BASE64 files. */
int cert_type = LDAPSSL_CERT_FILETYPE_B64;
if((data->set.str[STRING_CERT_TYPE]) &&
(Curl_raw_equal(data->set.str[STRING_CERT_TYPE], "DER")))
cert_type = LDAPSSL_CERT_FILETYPE_DER;
if(!ldap_ca) {
failf(data, "LDAP local: ERROR %s CA cert not set!",
(cert_type == LDAPSSL_CERT_FILETYPE_DER ? "DER" : "PEM"));
result = CURLE_SSL_CERTPROBLEM;
goto quit;
}
infof(data, "LDAP local: using %s CA cert '%s'\n",
(cert_type == LDAPSSL_CERT_FILETYPE_DER ? "DER" : "PEM"),
ldap_ca);
rc = ldapssl_add_trusted_cert(ldap_ca, cert_type);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ERROR setting %s CA cert: %s",
(cert_type == LDAPSSL_CERT_FILETYPE_DER ? "DER" : "PEM"),
ldap_err2string(rc));
result = CURLE_SSL_CERTPROBLEM;
goto quit;
}
ldap_option = LDAPSSL_VERIFY_SERVER;
}
else
ldap_option = LDAPSSL_VERIFY_NONE;
rc = ldapssl_set_verify_mode(ldap_option);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ERROR setting cert verify mode: %s",
ldap_err2string(rc));
result = CURLE_SSL_CERTPROBLEM;
goto quit;
}
server = ldapssl_init(conn->host.name, (int)conn->port, 1);
if(server == NULL) {
failf(data, "LDAP local: Cannot connect to %s:%ld",
conn->host.name, conn->port);
result = CURLE_COULDNT_CONNECT;
goto quit;
}
#elif defined(LDAP_OPT_X_TLS)
if(data->set.ssl.verifypeer) {
/* OpenLDAP SDK supports BASE64 files. */
if((data->set.str[STRING_CERT_TYPE]) &&
(!Curl_raw_equal(data->set.str[STRING_CERT_TYPE], "PEM"))) {
failf(data, "LDAP local: ERROR OpenLDAP only supports PEM cert-type!");
result = CURLE_SSL_CERTPROBLEM;
goto quit;
}
if(!ldap_ca) {
failf(data, "LDAP local: ERROR PEM CA cert not set!");
result = CURLE_SSL_CERTPROBLEM;
goto quit;
}
infof(data, "LDAP local: using PEM CA cert: %s\n", ldap_ca);
rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ERROR setting PEM CA cert: %s",
ldap_err2string(rc));
result = CURLE_SSL_CERTPROBLEM;
goto quit;
}
ldap_option = LDAP_OPT_X_TLS_DEMAND;
}
else
ldap_option = LDAP_OPT_X_TLS_NEVER;
rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ERROR setting cert verify mode: %s",
ldap_err2string(rc));
result = CURLE_SSL_CERTPROBLEM;
goto quit;
}
server = ldap_init(conn->host.name, (int)conn->port);
if(server == NULL) {
failf(data, "LDAP local: Cannot connect to %s:%ld",
conn->host.name, conn->port);
result = CURLE_COULDNT_CONNECT;
goto quit;
}
ldap_option = LDAP_OPT_X_TLS_HARD;
rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ERROR setting SSL/TLS mode: %s",
ldap_err2string(rc));
result = CURLE_SSL_CERTPROBLEM;
goto quit;
}
/*
rc = ldap_start_tls_s(server, NULL, NULL);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s",
ldap_err2string(rc));
result = CURLE_SSL_CERTPROBLEM;
goto quit;
}
*/
#else
/* we should probably never come up to here since configure
should check in first place if we can support LDAP SSL/TLS */
failf(data, "LDAP local: SSL/TLS not supported with this version "
"of the OpenLDAP toolkit\n");
result = CURLE_SSL_CERTPROBLEM;
goto quit;
#endif
#endif
#endif /* CURL_LDAP_USE_SSL */
}
else {
server = ldap_init(conn->host.name, (int)conn->port);
if(server == NULL) {
failf(data, "LDAP local: Cannot connect to %s:%ld",
conn->host.name, conn->port);
result = CURLE_COULDNT_CONNECT;
goto quit;
}
}
#ifdef CURL_LDAP_WIN
ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
#endif
rc = ldap_simple_bind_s(server,
conn->bits.user_passwd ? conn->user : NULL,
conn->bits.user_passwd ? conn->passwd : NULL);
if(!ldap_ssl && rc != 0) {
ldap_proto = LDAP_VERSION2;
ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
rc = ldap_simple_bind_s(server,
conn->bits.user_passwd ? conn->user : NULL,
conn->bits.user_passwd ? conn->passwd : NULL);
}
if(rc != 0) {
failf(data, "LDAP local: ldap_simple_bind_s %s", ldap_err2string(rc));
result = CURLE_LDAP_CANNOT_BIND;
goto quit;
}
rc = ldap_search_s(server, ludp->lud_dn, ludp->lud_scope,
ludp->lud_filter, ludp->lud_attrs, 0, &ldapmsg);
if(rc != 0 && rc != LDAP_SIZELIMIT_EXCEEDED) {
failf(data, "LDAP remote: %s", ldap_err2string(rc));
result = CURLE_LDAP_SEARCH_FAILED;
goto quit;
}
for(num = 0, entryIterator = ldap_first_entry(server, ldapmsg);
entryIterator;
entryIterator = ldap_next_entry(server, entryIterator), num++) {
BerElement *ber = NULL;
char *attribute; /*! suspicious that this isn't 'const' */
char *dn = ldap_get_dn(server, entryIterator);
int i;
result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"DN: ", 4);
if(result)
goto quit;
result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)dn, 0);
if(result)
goto quit;
result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\n", 1);
if(result)
goto quit;
dlsize += strlen(dn)+5;
for(attribute = ldap_first_attribute(server, entryIterator, &ber);
attribute;
attribute = ldap_next_attribute(server, entryIterator, ber)) {
BerValue **vals = ldap_get_values_len(server, entryIterator, attribute);
if(vals != NULL) {
for(i = 0; (vals[i] != NULL); i++) {
result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\t", 1);
if(result)
goto quit;
result = Curl_client_write(conn, CLIENTWRITE_BODY,
(char *)attribute, 0);
if(result)
goto quit;
result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)": ", 2);
if(result)
goto quit;
dlsize += strlen(attribute)+3;
if((strlen(attribute) > 7) &&
(strcmp(";binary",
(char *)attribute +
(strlen((char *)attribute) - 7)) == 0)) {
/* Binary attribute, encode to base64. */
CURLcode error = Curl_base64_encode(data,
vals[i]->bv_val,
vals[i]->bv_len,
&val_b64,
&val_b64_sz);
if(error) {
ldap_value_free_len(vals);
ldap_memfree(attribute);
ldap_memfree(dn);
if(ber)
ber_free(ber, 0);
result = error;
goto quit;
}
if(val_b64_sz > 0) {
result = Curl_client_write(conn, CLIENTWRITE_BODY, val_b64,
val_b64_sz);
free(val_b64);
if(result)
goto quit;
dlsize += val_b64_sz;
}
}
else {
result = Curl_client_write(conn, CLIENTWRITE_BODY, vals[i]->bv_val,
vals[i]->bv_len);
if(result)
goto quit;
dlsize += vals[i]->bv_len;
}
result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\n", 0);
if(result)
goto quit;
dlsize++;
}
/* Free memory used to store values */
ldap_value_free_len(vals);
}
result = Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\n", 1);
if(result)
goto quit;
dlsize++;
Curl_pgrsSetDownloadCounter(data, dlsize);
ldap_memfree(attribute);
}
ldap_memfree(dn);
if(ber)
ber_free(ber, 0);
}
quit:
if(ldapmsg) {
ldap_msgfree(ldapmsg);
LDAP_TRACE (("Received %d entries\n", num));
}
if(rc == LDAP_SIZELIMIT_EXCEEDED)
infof(data, "There are more than %d entries\n", num);
if(ludp)
ldap_free_urldesc(ludp);
if(server)
ldap_unbind_s(server);
#if defined(HAVE_LDAP_SSL) && defined(CURL_HAS_NOVELL_LDAPSDK)
if(ldap_ssl)
ldapssl_client_deinit();
#endif /* HAVE_LDAP_SSL && CURL_HAS_NOVELL_LDAPSDK */
/* no data to transfer */
Curl_setup_transfer(conn, -1, -1, FALSE, NULL, -1, NULL);
connclose(conn, "LDAP connection always disable re-use");
return result;
}
/**
* Get certificate from LDAP-Server.
*/
static int ldap_get_certificate(const char *login) {
LDAP *ldap_connection;
int entries;
LDAPMessage *res;
LDAPMessage *entry;
struct berval **bvals = NULL;
BerElement *ber = NULL;
char *name = NULL;
char filter_str[100];
char *attrs[2];
int rv = LDAP_SUCCESS;
void *bv_val;
char uri[4096];
char uribuf[4096];
char *uris[LDAP_CONFIG_URI_MAX + 1];
const char *p;
int current_uri = 0, start_uri = 0;
char *buffer;
size_t buflen;
uris[0] = NULL;
attrs[0] = (char *)attribute;
attrs[1] = NULL;
DBG1("ldap_get_certificate(): begin login = %s", login);
/* Put the login to the %s in Filterstring */
snprintf(filter_str, sizeof(filter_str), filter, login);
DBG1("ldap_get_certificate(): filter_str = %s", filter_str);
/* parse and split URI config entry */
buffer = uribuf;
buflen = sizeof (uribuf);
strncpy(uri, ldapURI, sizeof (uri)-1);
/* Add a space separated list of URIs */
/* TODO: no spaces in one URI allowed => URL-encoding? */
if(strncmp(ldapURI,"",1))
for (p = uri; p != NULL; )
{
char *q = strchr (p, ' ');
if (q != NULL)
*q = '\0';
if( strlen(p) > 1 ) /* SAW: don't add spaces */
rv = ldap_add_uri (uris, p, &buffer, &buflen);
p = (q != NULL) ? ++q : NULL;
if (rv)
break;
}
/* set the default port if no port is given */
if (ldapport == 0)
{
if (ssl_on == SSL_LDAPS)
{
ldapport = LDAPS_PORT;
}
else
{
ldapport = LDAP_PORT;
}
}
/* add ldaphost to uris if set, nevermind "uri" is set in config */
if( strlen(ldaphost) > 1 )
{
/* No port specified in URI and non-default port specified */
snprintf (uri, sizeof (uri), "%s%s:%d",
ssl_on == SSL_LDAPS ? "ldaps://" : "ldap://",
ldaphost, ldapport);
ldap_add_uri (uris, uri, &buffer, &buflen);
}
if (uris[0] == NULL)
{
DBG("ldap_get_certificate(): Nor URI or usable Host entry found");
return(-1);
}
/* Attempt to connect to specified URI in order until do_open succeed */
start_uri = current_uri;
do
{
if(uris[current_uri] != NULL)
DBG1("ldap_get_certificate(): try do_open for %s", uris[current_uri]);
rv = do_open(&ldap_connection, uris[current_uri], ldapport, ssl_on);
/* hot-fix, because in some circumstances an LDAP_SERVER_DOWN is returned */
if (rv != LDAP_UNAVAILABLE && rv != LDAP_SERVER_DOWN)
break;
current_uri++;
if (uris[current_uri] == NULL)
current_uri = 0;
}
while (current_uri != start_uri);
if( rv != LDAP_SUCCESS )
{
DBG("ldap_get_certificate(): do_open failed");
return(-2);
}
/* TODO: (1) The problem: if an working uri is found it is used
and if there is an (SSL-)error, no other one is tried
(2) There is no session, so we don't know which LDAP_Server
is the last with a successful connection. So we try the same
server again. Perhaps create a state file/smem/etc. ?
*/
rv = ldap_search_s(
ldap_connection,
base,
sscope[scope],
filter_str,
attrs,
0,
&res);
if ( rv != LDAP_SUCCESS ) {
DBG1("ldap_search_s() failed: %s", ldap_err2string(rv));
ldap_unbind_s(ldap_connection);
return(-3);
} else {
entries = ldap_count_entries(ldap_connection, res);
DBG1("ldap_get_certificate(): entries = %d", entries);
if( entries > 1 ) {
DBG("! Warning, more than one entry found. Please choose \"filter\" and");
DBG("! \"attribute\" in ldap mapper config section of your config,");
DBG("! that only one entry with one attribute is matched");
DBG("! Maybe there is another problem in ldap with not unique user");
DBG("! entries in your LDAP server.");
}
/* Only first entry is used. "filter" and "attribute"
* should be choosen, so that only one entry with
* one attribute is returned */
if ( NULL == (entry = ldap_first_entry(ldap_connection, res))){
DBG("ldap_first_entry() failed: %s");
ldap_unbind_s(ldap_connection);
return(-4);
}
/* Only first attribute is used. See comment above... */
if ( NULL == (name = ldap_first_attribute(ldap_connection, res, &ber))){
DBG("ldap_first_attribute() failed (rc=%d)");
ldap_unbind_s(ldap_connection);
return(-5);
}
DBG1("attribute name = %s", name);
bvals = ldap_get_values_len(ldap_connection, entry, name);
certcnt = ldap_count_values_len(bvals);
DBG1("number of user certificates = %d", certcnt);
ldap_x509 = malloc(sizeof(X509*) * certcnt );
if (NULL == ldap_x509)
{
DBG("not enough memory");
return(-7);
}
rv = 0;
while(rv < certcnt )
{
/* SaW: not nifty, but otherwise gcc doesn't optimize */
bv_val = &bvals[rv]->bv_val;
#ifdef HAVE_NSS
{
SECItem derdata;
derdata.data = bv_val;
derdata.len = bvals[rv]->bv_len;
ldap_x509[rv] = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
&derdata, NULL, 0, 1);
}
#else
ldap_x509[rv] = d2i_X509(NULL, ((const unsigned char **) bv_val), bvals[rv]->bv_len);
#endif
if (NULL == ldap_x509[rv]) {
DBG1("d2i_X509() failed for certificate %d", rv);
free(ldap_x509);
#ifdef HAVE_NSS
{
for (rv=0; rv<certcnt; rv++)
if (ldap_x509[rv])
CERT_DestroyCertificate(ldap_x509[rv]);
}
#endif
certcnt=0;
ldap_msgfree(res);
ldap_unbind_s(ldap_connection);
return(-6);
}else {
DBG1("d2i_X509(): success for certificate %d", rv);
}
rv++;
}
ldap_msgfree(res);
/* TODO: this leads to a segfault, but the doc said ... */
/* ldap_value_free_len(bvals); */
}
if ( 0 != ldap_unbind_s(ldap_connection)) {
DBG("ldap_unbind_s() failed.");
ldap_perror(ldap_connection, "ldap_unbind_s() failed.");
return(-1);
};
DBG("ldap_get_certificate(): end");
return 1;
}
CURLcode Curl_ldap(struct connectdata *conn)
{
CURLcode status = CURLE_OK;
int rc;
void *(*ldap_init)(char *, int);
int (*ldap_simple_bind_s)(void *, char *, char *);
int (*ldap_unbind_s)(void *);
int (*ldap_url_parse)(char *, LDAPURLDesc **);
void (*ldap_free_urldesc)(void *);
int (*ldap_search_s)(void *, char *, int, char *, char **, int, void **);
int (*ldap_search_st)(void *, char *, int, char *, char **, int, void *, void **);
void *(*ldap_first_entry)(void *, void *);
void *(*ldap_next_entry)(void *, void *);
char *(*ldap_err2string)(int);
char *(*ldap_get_dn)(void *, void *);
char *(*ldap_first_attribute)(void *, void *, void **);
char *(*ldap_next_attribute)(void *, void *, void *);
char **(*ldap_get_values)(void *, void *, char *);
void (*ldap_value_free)(char **);
void (*ldap_memfree)(void *);
void (*ber_free)(void *, int);
void *server;
LDAPURLDesc *ludp;
void *result;
void *entryIterator;
void *ber;
void *attribute;
struct SessionHandle *data=conn->data;
infof(data, "LDAP: %s\n", data->change.url);
DynaOpen();
if (libldap == NULL) {
failf(data, "The needed LDAP library/libraries couldn't be opened");
return CURLE_LIBRARY_NOT_FOUND;
}
/* The types are needed because ANSI C distinguishes between
* pointer-to-object (data) and pointer-to-function.
*/
DYNA_GET_FUNCTION(void *(*)(char *, int), ldap_init);
DYNA_GET_FUNCTION(int (*)(void *, char *, char *), ldap_simple_bind_s);
DYNA_GET_FUNCTION(int (*)(void *), ldap_unbind_s);
DYNA_GET_FUNCTION(int (*)(char *, LDAPURLDesc **), ldap_url_parse);
DYNA_GET_FUNCTION(void (*)(void *), ldap_free_urldesc);
DYNA_GET_FUNCTION(int (*)(void *, char *, int, char *, char **, int, void **), ldap_search_s);
DYNA_GET_FUNCTION(int (*)(void *, char *, int, char *, char **, int, void *, void **), ldap_search_st);
DYNA_GET_FUNCTION(void *(*)(void *, void *), ldap_first_entry);
DYNA_GET_FUNCTION(void *(*)(void *, void *), ldap_next_entry);
DYNA_GET_FUNCTION(char *(*)(int), ldap_err2string);
DYNA_GET_FUNCTION(char *(*)(void *, void *), ldap_get_dn);
DYNA_GET_FUNCTION(char *(*)(void *, void *, void **), ldap_first_attribute);
DYNA_GET_FUNCTION(char *(*)(void *, void *, void *), ldap_next_attribute);
DYNA_GET_FUNCTION(char **(*)(void *, void *, char *), ldap_get_values);
DYNA_GET_FUNCTION(void (*)(char **), ldap_value_free);
DYNA_GET_FUNCTION(void (*)(void *), ldap_memfree);
DYNA_GET_FUNCTION(void (*)(void *, int), ber_free);
server = ldap_init(conn->hostname, conn->port);
if (server == NULL) {
failf(data, "LDAP: Cannot connect to %s:%d",
conn->hostname, conn->port);
status = CURLE_COULDNT_CONNECT;
}
else {
rc = ldap_simple_bind_s(server,
conn->bits.user_passwd?conn->user:NULL,
conn->bits.user_passwd?conn->passwd:NULL);
if (rc != 0) {
failf(data, "LDAP: %s", ldap_err2string(rc));
status = CURLE_LDAP_CANNOT_BIND;
}
else {
rc = ldap_url_parse(data->change.url, &ludp);
if (rc != 0) {
failf(data, "LDAP: %s", ldap_err2string(rc));
status = CURLE_LDAP_INVALID_URL;
}
else {
rc = ldap_search_s(server, ludp->lud_dn, ludp->lud_scope,
ludp->lud_filter, ludp->lud_attrs, 0, &result);
if (rc != 0) {
failf(data, "LDAP: %s", ldap_err2string(rc));
status = CURLE_LDAP_SEARCH_FAILED;
}
else {
for (entryIterator = ldap_first_entry(server, result);
entryIterator;
entryIterator = ldap_next_entry(server, entryIterator)) {
char *dn = ldap_get_dn(server, entryIterator);
char **vals;
int i;
Curl_client_write(data, CLIENTWRITE_BODY, (char *)"DN: ", 4);
Curl_client_write(data, CLIENTWRITE_BODY, dn, 0);
Curl_client_write(data, CLIENTWRITE_BODY, (char *)"\n", 1);
for(attribute = ldap_first_attribute(server, entryIterator,
&ber);
attribute;
attribute = ldap_next_attribute(server, entryIterator,
ber) ) {
vals = ldap_get_values(server, entryIterator, attribute);
if (vals != NULL) {
for(i = 0; (vals[i] != NULL); i++) {
Curl_client_write(data, CLIENTWRITE_BODY, (char*)"\t", 1);
Curl_client_write(data, CLIENTWRITE_BODY, attribute, 0);
Curl_client_write(data, CLIENTWRITE_BODY, (char *)": ", 2);
Curl_client_write(data, CLIENTWRITE_BODY, vals[i], 0);
Curl_client_write(data, CLIENTWRITE_BODY, (char *)"\n", 0);
}
}
/* Free memory used to store values */
ldap_value_free(vals);
}
Curl_client_write(data, CLIENTWRITE_BODY, (char *)"\n", 1);
ldap_memfree(attribute);
ldap_memfree(dn);
if (ber) ber_free(ber, 0);
}
}
ldap_free_urldesc(ludp);
}
ldap_unbind_s(server);
}
}
DynaClose();
/* no data to transfer */
Curl_Transfer(conn, -1, -1, FALSE, NULL, -1, NULL);
return status;
}
