void
LDAPHHA1(RequestData * requestData)
{
char *password;
ldapconnect();
password = getpassword(requestData->user, requestData->realm);
if (password != NULL) {
if (encrpass)
xstrncpy(requestData->HHA1, password, sizeof(requestData->HHA1));
else {
HASH HA1;
DigestCalcHA1("md5", requestData->user, requestData->realm, password, NULL, NULL, HA1, requestData->HHA1);
}
free(password);
} else {
requestData->error = -1;
}
}
static int mod_vhost_ldap_translate_name(request_rec *r)
{
mod_vhost_ldap_request_t *reqc = NULL;
mod_vhost_ldap_config_t *conf =
(mod_vhost_ldap_config_t *)ap_get_module_config(r->server->module_config, &vhost_ldap_ng_module);
#if (AP_SERVER_MAJORVERSION_NUMBER == 2) && (AP_SERVER_MINORVERSION_NUMBER <= 2)
core_server_config *core =
(core_server_config *)ap_get_module_config(r->server->module_config, &core_module);
#endif
LDAP *ld = NULL;
char *realfile = NULL;
char *myfilter = NULL;
alias_t *alias = NULL, *cursor = NULL;
int i = 0, ret = 0;
apr_table_t *e;
LDAPMessage *ldapmsg = NULL, *vhostentry = NULL;
if (conf->enabled != MVL_ENABLED || !conf->url || !r->hostname){
ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r,
"[mod_vhost_ldap_ng.c] Module disabled");
return DECLINED;
}
//Search in cache
reqc = (mod_vhost_ldap_request_t *)get_from_requestscache(r);
if(!reqc){
ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r,
"[mod_vhost_ldap_ng.c] Cannot resolve data from cache");
reqc = apr_pcalloc(vhost_ldap_pool, sizeof(mod_vhost_ldap_request_t));
}
if (reqc->expires < apr_time_now()){
//Search ldap
//TODO: Create a function
while((ret = ldapconnect(&ld, conf)) != 0 && i<2){
i++;
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r,
"[mod_vhost_ldap_ng.c] ldapconnect: %s", ldap_err2string(ret));
}
if(i == 2){
conf->enabled = MVL_DISABLED;
return HTTP_GATEWAY_TIME_OUT;
}
myfilter = apr_psprintf(r->pool,"(&(%s)(|(apacheServerName=%s)(apacheServerAlias=%s)))",
conf->filter, r->hostname, r->hostname);
ret = ldap_search_s (ld, conf->basedn, conf->scope, myfilter, (char **)attributes, 0, &ldapmsg);
if(ret != LDAP_SUCCESS){//SIGPIPE?
return DECLINED;
}
if(ldap_count_entries(ld, ldapmsg)!=1){
if(!conf->fallback_name || !conf->fallback_docroot){
reqc->name = apr_pstrdup(vhost_ldap_pool, r->hostname);
reqc->decline = 1;
reqc->admin = apr_pstrdup(vhost_ldap_pool, r->server->server_admin);
add_to_requestscache(reqc, r);
if(ldapmsg)
ldap_msgfree(ldapmsg);
ldapdestroy(&ld);
return DECLINED;
}else{
reqc->name = conf->fallback_name;
reqc->docroot = conf->fallback_docroot;
}
}else{
reqc->aliases = (apr_array_header_t *)apr_array_make(vhost_ldap_pool, 2, sizeof(alias_t));
reqc->redirects = (apr_array_header_t *)apr_array_make(vhost_ldap_pool, 2, sizeof(alias_t));
reqc->env = apr_table_make(vhost_ldap_pool, 2);
vhostentry = ldap_first_entry(ld, ldapmsg);
reqc->dn = ldap_get_dn(ld, vhostentry);
i=0;
while(attributes[i]){
int k = 0, j;
char **eValues = ldap_get_values(ld, vhostentry, attributes[i]), *str[3];
if (eValues){
k = ldap_count_values (eValues);
if (strcasecmp(attributes[i], "apacheServerName") == 0){
reqc->name = apr_pstrdup(vhost_ldap_pool, eValues[0]);
}else if(strcasecmp(attributes[i], "apacheServerAdmin") == 0){
reqc->admin = apr_pstrdup(vhost_ldap_pool, eValues[0]);
}else if(strcasecmp(attributes[i], "apacheDocumentRoot") == 0){
reqc->docroot = apr_pstrdup(vhost_ldap_pool, eValues[0]);
/* Make it absolute, relative to ServerRoot */
if(conf->rootdir && (strncmp(reqc->docroot, "/", 1) != 0))
reqc->docroot = apr_pstrcat(vhost_ldap_pool, conf->rootdir, reqc->docroot, NULL);
reqc->docroot = ap_server_root_relative(vhost_ldap_pool, reqc->docroot);
}else if(strcasecmp(attributes[i], "apacheAlias") == 0){
while(k){
k--;
for(j = 0; j < 2; j++)
str[j] = ap_getword_conf(r->pool, (const char **)&eValues[k]);
if(str[--j] == '\0')
ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
"[mod_vhost_ldap_ng.c]: Wrong apacheAlias parameter: %s",
eValues[k]);
else{
alias = apr_array_push(reqc->aliases);
alias->src = apr_pstrdup(vhost_ldap_pool, str[0]);
alias->dst = apr_pstrdup(vhost_ldap_pool, str[1]);
}
}
}else if(strcasecmp(attributes[i], "apacheScriptAlias") == 0){
while(k){
k--;
for(j = 0; j < 2; j++)
str[j] = ap_getword_conf(r->pool, (const char **)&eValues[k]);
if(str[--j] == '\0')
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[mod_vhost_ldap_ng.c]: Wrong apacheScriptAlias parameter: %s", eValues[k]);
else{
alias = apr_array_push(reqc->aliases);
alias->src = apr_pstrdup(vhost_ldap_pool, str[0]);
alias->dst = apr_pstrdup(vhost_ldap_pool, str[1]);
}
}
}else if(strcasecmp (attributes[i], "apacheRedirect") == 0){
while(k){
k--;
for(j = 0; j < 3; j++)
str[j] = ap_getword_conf(r->pool, (const char **)&eValues[k]);
if(str[1] == '\0')
ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
"[mod_vhost_ldap_ng.c]: Missing apacheRedirect parameter: %s",
eValues[k]);
else{
alias = apr_array_push(reqc->redirects);
alias->src = apr_pstrdup(vhost_ldap_pool, str[0]);
if(str[2] != '\0'){
if(strcasecmp(str[1], "gone") == 0)
alias->flags |= REDIR_GONE;
else if (strcasecmp(str[1], "permanent") == 0)
alias->flags |= REDIR_PERMANENT;
else if (strcasecmp(str[1], "temp") == 0)
alias->flags |= REDIR_TEMP;
else if (strcasecmp(str[1], "seeother") == 0)
alias->flags |= REDIR_SEEOTHER;
else{
alias->flags |= REDIR_PERMANENT;
ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
"[mod_vhost_ldap_ng.c]: Wrong apacheRedirect type: %s", str[2]);
}
alias->dst = apr_pstrdup(vhost_ldap_pool, str[2]);
}else
alias->dst = apr_pstrdup(vhost_ldap_pool, str[1]);
}
}
}else if(strcasecmp(attributes[i], "apacheSuexecUid") == 0){
reqc->uid = apr_pstrdup(vhost_ldap_pool, eValues[0]);
}else if(strcasecmp(attributes[i], "apacheSuexecGid") == 0){
reqc->gid = apr_pstrdup(vhost_ldap_pool, eValues[0]);
}else if(strcasecmp (attributes[i], "apacheErrorLog") == 0){
if(conf->rootdir && (strncmp(eValues[0], "/", 1) != 0))
r->server->error_fname = apr_pstrcat(vhost_ldap_pool, conf->rootdir, eValues[0], NULL);
else
r->server->error_fname = apr_pstrdup(vhost_ldap_pool, eValues[0]);;
apr_file_open(&r->server->error_log, r->server->error_fname,
APR_APPEND | APR_WRITE | APR_CREATE | APR_LARGEFILE,
APR_OS_DEFAULT, r->pool);
}
#ifdef HAVEPHP
else if(strcasecmp(attributes[i], "phpIncludePath") == 0){
if(conf->php_includepath)
reqc->php_includepath = apr_pstrcat(vhost_ldap_pool, conf->php_includepath, ":", eValues[0], NULL);
else
reqc->php_includepath = apr_pstrdup(vhost_ldap_pool, eValues[0]);
}else if(strcasecmp(attributes[i], "phpOpenBasedir") == 0){
if(conf->rootdir && (strncmp(eValues[0], "/", 1) != 0))
reqc->php_openbasedir = apr_pstrcat(vhost_ldap_pool, conf->rootdir, eValues[0], NULL);
else
reqc->php_openbasedir = apr_pstrdup(vhost_ldap_pool, eValues[0]);
}
else if(strcasecmp(attributes[i], "php_admin_value") == 0){
}
#endif
else if(strcasecmp(attributes[i], "SetEnv") == 0){
for(j = 0; j < 2; j++)
str[j] = ap_getword_conf(r->pool, (const char **)&eValues[0]);
if(str[--j] == '\0')
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[mod_vhost_ldap_ng.c]: Wrong apacheScriptAlias parameter: %s", eValues[0]);
else{
apr_table_set(reqc->env, str[0], str[1]);
}
}else if(strcasecmp(attributes[i], "PassEnv") == 0){
}
}
i++;
}
}
if(ldapmsg)
ldap_msgfree(ldapmsg);
ldapdestroy(&ld);
add_to_requestscache(reqc, r);
}
if(reqc->decline)
return DECLINED;
ap_set_module_config(r->request_config, &vhost_ldap_ng_module, reqc);
e = r->subprocess_env;
if(apr_table_elts(reqc->env)->nelts)
r->subprocess_env = apr_table_overlay(r->pool, e, reqc->env);
#ifdef HAVEPHP
char *openbasedir, *include;
if(!reqc->php_includepath)
include = apr_pstrcat(r->pool, conf->php_includepath, ":", reqc->docroot, NULL);
else
include = apr_pstrcat(r->pool, reqc->php_includepath, ":", conf->php_includepath, ":", reqc->docroot, NULL);
zend_alter_ini_entry("include_path", strlen("include_path") + 1, (void *)include, strlen(include), PHP_INI_SYSTEM, PHP_INI_STAGE_RUNTIME);
if(reqc->php_openbasedir){
openbasedir = apr_pstrcat(r->pool, reqc->php_openbasedir, ":", include, NULL);
zend_alter_ini_entry("open_basedir", strlen("open_basedir") + 1, (void *)openbasedir, strlen(openbasedir), PHP_INI_SYSTEM, PHP_INI_STAGE_RUNTIME);
}
#endif
if ((reqc->name == NULL)||(reqc->docroot == NULL)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r,
"[mod_vhost_ldap_ng.c] translate: "
"translate failed; ServerName %s or DocumentRoot %s not defined", reqc->name, reqc->docroot);
return HTTP_INTERNAL_SERVER_ERROR;
}
cursor = NULL;
//From mod_alias: checking for redirects
if(reqc->redirects){
cursor = (alias_t *)reqc->redirects->elts;
if (r->uri[0] != '/' && r->uri[0] != '\0')
return DECLINED;
for(i = 0; i < reqc->redirects->nelts; i++){
alias = (alias_t *) &cursor[i];
if(alias_matches(r->uri, alias->src)){
apr_table_setn(r->headers_out, "Location", alias->dst);
/* OLD STUFF
if(alias->redir_status){
if (strcasecmp(alias->redir_status, "gone") == 0)
return HTTP_GONE;
else if (strcasecmp(alias->redir_status, "permanent") == 0)
return HTTP_MOVED_PERMANENTLY;
else if (strcasecmp(alias->redir_status, "temp") == 0)
return HTTP_MOVED_TEMPORARILY;
else if (strcasecmp(alias->redir_status, "seeother") == 0)
return HTTP_SEE_OTHER;
}
*/
if(alias->flags & REDIR_GONE) return HTTP_GONE;
else if(alias->flags & REDIR_TEMP) return HTTP_MOVED_TEMPORARILY;
else if(alias->flags & REDIR_SEEOTHER) return HTTP_SEE_OTHER;
else return HTTP_MOVED_PERMANENTLY;
}
}
}
/* Checking for aliases */
if(reqc->aliases){
cursor = (alias_t *)reqc->aliases->elts;
for(i = 0; reqc->aliases && i < reqc->aliases->nelts; i++){
alias = (alias_t *) &cursor[i];
if (alias_matches(r->uri, alias->src)) {
/* Set exact filename for CGI script */
realfile = apr_pstrcat(r->pool, alias->dst, r->uri + strlen(alias->src), NULL);
/* Add apacheRootDir config param IF realfile is a realative path*/
if(conf->rootdir && (strncmp(realfile, "/", 1) != 0))
realfile = apr_pstrcat(r->pool, conf->rootdir, "/", realfile, NULL);
/* Let apache normalize the path */
if((realfile = ap_server_root_relative(r->pool, realfile))) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
"[mod_vhost_ldap_ng.c]: ap_document_root is: %s",
ap_document_root(r));
r->filename = realfile;
if(alias->flags & ISCGI){
//r->handler = "cgi-script";
r->handler = "Script";
apr_table_setn(r->notes, "alias-forced-type", r->handler);
}
return OK;
}
return OK;
} else if (r->uri[0] == '/') {
/* we don't set r->filename here, and let other modules do it
* this allows other modules (mod_rewrite.c) to work as usual
*/
/* r->filename = apr_pstrcat (r->pool, reqc->docroot, r->uri, NULL); */
} else {
/* We don't handle non-file requests here */
return DECLINED;
}
}
}
if ((r->server = apr_pmemdup(r->pool, r->server, sizeof(*r->server))) == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r,
"[mod_vhost_ldap_ng.c] translate: "
"translate failed; Unable to copy r->server structure");
return HTTP_INTERNAL_SERVER_ERROR;
}
r->server->server_hostname = apr_pstrdup(r->pool,reqc->name);
if (reqc->admin)
r->server->server_admin = apr_pstrdup(r->pool, reqc->admin);
#if (AP_SERVER_MAJORVERSION_NUMBER == 2) && (AP_SERVER_MINORVERSION_NUMBER <= 2)
core->ap_document_root = apr_pstrdup(r->pool, reqc->docroot);
if (!ap_is_directory(r->pool, reqc->docroot))
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"[mod_vhost_ldap_ng.c] set_document_root: Warning: DocumentRoot [%s] does not exist", core->ap_document_root);
#else
ap_set_document_root(r, reqc->docroot);
#endif
//ap_set_module_config(r->server->module_config, &core_module, core);
/* Hack to allow post-processing by other modules (mod_rewrite, mod_alias) */
return DECLINED;
}
static int auth_ldap_do3(const char *attrname,
const char *user, const char *pass,
int (*callback)(struct authinfo *, void *),
void *arg, const char *newpass,
const char *authaddr)
{
char *newpass_crypt=0;
const char *attributes[10], *ldap_attributes[10];
struct timeval timeout;
LDAPMessage *result;
LDAPMessage *entry;
char *filter, *dn;
int i, j;
struct authinfo auth;
char *homeDir=0;
char *mailDir=0;
char *userPassword=0;
char *cryptPassword=0;
char *cn=0;
uid_t au;
gid_t ag;
int rc;
char *quota=0;
int additionalFilter = 0;
int hasAdditionalFilter = 0;
hasAdditionalFilter = my_ldap.filter != 0;
memset(&auth, 0, sizeof(auth));
if (hasAdditionalFilter)
{
/* To add the additional filter, we need to add on the
* additional size for "(&)" and the other filter. So
* filter+3
*/
additionalFilter = strlen(my_ldap.filter) + 3;
}
if ((filter=malloc(additionalFilter+strlen(attrname)+strlen(user)+
(my_ldap.domain ? strlen(my_ldap.domain):0)+
sizeof ("(=@)"))) == 0)
{
perror("malloc");
return 1;
}
strcpy(filter, "\0");
if (hasAdditionalFilter)
{
strcat(filter, "(&");
strcat(filter, my_ldap.filter);
}
strcat(strcat(strcat(strcat(filter, "("), attrname), "="), user);
if ( my_ldap.domain && my_ldap.domain[0] && strchr(user, '@') == 0 )
strcat(strcat(filter, "@"), my_ldap.domain);
strcat(filter, ")");
if (hasAdditionalFilter)
{
strcat(filter, ")");
}
timeout.tv_sec=my_ldap.timeout;
timeout.tv_usec=0;
read_env("LDAP_HOMEDIR", &attributes[0], "", 0, "homeDir");
read_env("LDAP_MAILDIR", &attributes[1], "", 0, 0);
read_env("LDAP_FULLNAME", &attributes[2], "", 0, "cn");
read_env("LDAP_CLEARPW", &attributes[3], "", 0, 0);
read_env("LDAP_CRYPTPW", &attributes[4], "", 0, 0);
read_env("LDAP_UID", &attributes[5], "", 0, 0);
read_env("LDAP_GID", &attributes[6], "", 0, 0);
attributes[7]=my_ldap.mail;
read_env("LDAP_MAILDIRQUOTA", &attributes[8], "", 0, 0);
j=0;
for (i=0; i<9; i++)
{
if (attributes[i])
ldap_attributes[j++]=attributes[i];
}
ldap_attributes[j]=0;
if (ldaperror(ldap_search_st(my_ldap_fp,
(char *)my_ldap.basedn,LDAP_SCOPE_SUBTREE,
filter, (char **)ldap_attributes, 0,
&timeout, &result)
!= LDAP_SUCCESS))
{
free(filter);
if (my_ldap_fp) return (-1);
return (1);
}
free(filter);
/* If we are more than one result, reject */
if (ldap_count_entries(my_ldap_fp,result)!=1)
{
ldap_msgfree(result);
return -1;
}
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"Nombre de résulat: %d\n",ldap_count_entries(my_ldap_fp,result));
#endif
dn = ldap_get_dn(my_ldap_fp, result);
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"DN: %s\n",dn);
#endif
if (dn == NULL)
{
ldap_perror(my_ldap_fp, "ldap_get_dn");
return -1;
}
/* Get the pointer on this result */
entry=ldap_first_entry(my_ldap_fp,result);
if (entry==NULL)
{
ldap_perror(my_ldap_fp,"ldap_first_entry");
free(dn);
return -1;
}
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"after ldap_first_entry\n");
#endif
/* Copy the directory and the password into struct */
copy_value(my_ldap_fp,entry,attributes[0],&homeDir, user);
if (attributes[1])
copy_value(my_ldap_fp,entry,attributes[1],&mailDir, user);
copy_value(my_ldap_fp,entry,attributes[2],&cn, user);
if (attributes[3])
copy_value(my_ldap_fp,entry,attributes[3],&userPassword, user);
if (attributes[4])
copy_value(my_ldap_fp,entry,attributes[4],&cryptPassword, user);
au=my_ldap.uid;
ag=my_ldap.gid;
if (attributes[5])
{
char *p=0;
unsigned long n;
copy_value(my_ldap_fp, entry, attributes[5], &p, user);
if (p) {
if (sscanf(p, "%lu", &n) > 0)
au= (uid_t)n;
free(p);
}
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"au= %d\n",au);
#endif
}
if (attributes[6])
{
char *p=0;
unsigned long n;
copy_value(my_ldap_fp, entry, attributes[6], &p, user);
if (p) {
if (sscanf(p, "%lu", &n) > 0)
ag= (gid_t)n;
free(p);
}
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"ag= %d\n",ag);
#endif
}
if (attributes[8])
copy_value(my_ldap_fp,entry,attributes[8],"a, user);
if (homeDir != 0 && my_ldap.mailroot != 0 && *my_ldap.mailroot)
{
char *new_mailroot=malloc(strlen(homeDir)+
strlen(my_ldap.mailroot)+2);
if (!new_mailroot)
{
syslog(LOG_DAEMON|LOG_CRIT, "authldap: malloc failed");
rc= -1;
}
else
{
strcat(strcat(strcpy(new_mailroot, my_ldap.mailroot),
"/"), homeDir);
free(homeDir);
homeDir=new_mailroot;
}
}
auth.sysusername=user;
auth.sysuserid= &au;
auth.sysgroupid= ag;
auth.homedir=homeDir;
auth.address=authaddr;
auth.fullname=cn;
auth.maildir=mailDir;
auth.clearpasswd=userPassword;
auth.passwd=cryptPassword;
auth.quota=quota;
if (auth.sysusername == 0)
auth.sysusername=auth.address="";
if (homeDir == 0)
auth.homedir="";
rc=0;
if (au == 0 || ag == 0)
{
syslog(LOG_DAEMON|LOG_CRIT,
"authlib: refuse to authenticate %s: uid=%d, gid=%d\n",
user, au, ag);
rc= 1;
}
if (pass)
{
if (my_ldap.authbind)
{
LDAP *bindp=ldapconnect();
if (!bindp)
rc=1;
else
{
#if HAVE_LDAP_TLS
if(my_ldap.tls && enable_tls_on(bindp)) {
#if HAVE_SYSLOG_H
syslog(LOG_DAEMON|LOG_CRIT, "authlib: LDAP_TLS enabled but I'm unable to start tls, check your config\n");
#endif
rc = 1;
} else {
#endif
switch (ldap_simple_bind_s(bindp, dn, (char *)pass))
{
case LDAP_SUCCESS:
break;
case LDAP_INVALID_CREDENTIALS:
rc = -1;
break;
default:
rc = 1;
break;
}
#if HAVE_LDAP_TLS
}
#endif
ldap_unbind(bindp);
}
if (rc == 0 && newpass)
{
if ((newpass_crypt=authcryptpasswd(newpass,
NULL))
== 0)
rc= -1;
}
}
else
{
if (auth.clearpasswd)
{
if (strcmp(pass,auth.clearpasswd))
rc= -1;
}
else
{
const char *p=auth.passwd;
if (p && strncasecmp(p, "{crypt}", 7) == 0)
p += 7; /* For authcheckpassword */
if (!p || authcheckpassword(pass, p))
rc= -1;
}
if (rc == 0 && newpass && auth.passwd)
{
if ((newpass_crypt=authcryptpasswd(newpass,
auth.passwd)
) == 0)
rc= -1;
}
}
}
if (rc == 0 && newpass)
{
LDAPMod *mods[3];
int mod_index=0;
LDAPMod mod_clear, mod_crypt;
char *mod_clear_vals[2], *mod_crypt_vals[2];
if (attributes[3])
{
mods[mod_index]= &mod_clear;
mod_clear.mod_op=LDAP_MOD_REPLACE;
mod_clear.mod_type=(char *)attributes[3];
mod_clear.mod_values=mod_clear_vals;
mod_clear_vals[0]=(char *)newpass;
mod_clear_vals[1]=NULL;
++mod_index;
}
if (attributes[4] && newpass_crypt)
{
mods[mod_index]= &mod_crypt;
mod_crypt.mod_op=LDAP_MOD_REPLACE;
mod_crypt.mod_type=(char *)attributes[4];
mod_crypt.mod_values=mod_crypt_vals;
mod_crypt_vals[0]=newpass_crypt;
mod_crypt_vals[1]=NULL;
++mod_index;
}
if (mod_index == 0)
rc= -1;
else
{
mods[mod_index]=0;
if (ldap_modify_s(my_ldap_fp, dn, mods))
{
rc= -1;
}
}
}
if (newpass_crypt)
free(newpass_crypt);
free (dn);
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"before callback rc=%d\n",rc);
#endif
if (rc == 0 && callback)
rc= (*callback)(&auth, arg);
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"after callback rc=%d\n",rc);
#endif
ldap_msgfree(result);
if (homeDir) free(homeDir);
if (mailDir) free(mailDir);
if (userPassword) free(userPassword);
if (cryptPassword) free(cryptPassword);
if (cn) free(cn);
if (quota) free(quota);
return (rc);
}
static char *
getpassword(char *login, char *realm)
{
LDAPMessage *res = NULL;
LDAPMessage *entry;
char **values = NULL;
char **value = NULL;
char *password = NULL;
int retry = 0;
char filter[8192];
char searchbase[8192];
char *universal_password = NULL;
size_t universal_password_len = UNIVERSAL_PASS_LEN;
int nmas_res = 0;
int rc = -1;
if (ld) {
if (usersearchfilter) {
char escaped_login[1024];
snprintf(searchbase, sizeof(searchbase), "%s", userbasedn);
ldap_escape_value(escaped_login, sizeof(escaped_login), login);
snprintf(filter, sizeof(filter), usersearchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login);
retrysrch:
if (debug)
fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, searchbase);
rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 0, &res);
if (rc != LDAP_SUCCESS) {
if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
/* Everything is fine. This is expected when referrals
* are disabled.
*/
rc = LDAP_SUCCESS;
} else {
fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
#if defined(NETSCAPE_SSL)
if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) {
int sslerr = PORT_GetError();
fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
}
#endif
fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error, trying to recover'%s'\n", ldap_err2string(rc));
ldap_msgfree(res);
/* try to connect to the LDAP server agin, maybe my persisten conexion failed. */
if (!retry) {
retry++;
ldap_unbind(ld);
ld = NULL;
ldapconnect();
goto retrysrch;
}
return NULL;
}
}
} else if (userdnattr) {
sprintf(searchbase, "%s=%s, %s", userdnattr, login, userbasedn);
retrydnattr:
if (debug)
fprintf(stderr, "searchbase '%s'\n", searchbase);
rc = ldap_search_s(ld, searchbase, searchscope, NULL, NULL, 0, &res);
}
if (rc == LDAP_SUCCESS) {
entry = ldap_first_entry(ld, res);
if (entry) {
if (debug)
printf("ldap dn: %s\n", ldap_get_dn(ld, entry));
if (edir_universal_passwd) {
/* allocate some memory for the universal password returned by NMAS */
universal_password = malloc(universal_password_len);
memset(universal_password, 0, universal_password_len);
values = malloc(sizeof(char *));
/* actually talk to NMAS to get a password */
nmas_res = nmasldap_get_password(ld, ldap_get_dn(ld, entry), &universal_password_len, universal_password);
if (nmas_res == NMAS_SUCCESS && universal_password) {
if (debug)
printf("NMAS returned value %s\n", universal_password);
values[0] = universal_password;
} else {
if (debug)
printf("Error reading Universal Password: %d = %s\n", nmas_res, ldap_err2string(nmas_res));
}
} else {
values = ldap_get_values(ld, entry, passattr);
}
} else {
ldap_msgfree(res);
return NULL;
}
if (!values) {
if (debug)
printf("No attribute value found\n");
if (edir_universal_passwd)
free(universal_password);
ldap_msgfree(res);
return NULL;
}
value = values;
while (*value) {
if (encrpass) {
if (strcmp(strtok(*value, delimiter), realm) == 0) {
password = strtok(NULL, delimiter);
break;
}
} else {
password = *value;
break;
}
value++;
}
if (debug)
printf("password: %s\n", password);
if (password)
password = strdup(password);
if (edir_universal_passwd) {
free(values);
free(universal_password);
} else {
ldap_value_free(values);
}
ldap_msgfree(res);
return password;
} else {
fprintf(stderr, PROGRAM_NAME " WARNING, LDAP error '%s'\n", ldap_err2string(rc));
/* try to connect to the LDAP server agin, maybe my persisten conexion failed. */
if (!retry) {
retry++;
ldap_unbind(ld);
ld = NULL;
ldapconnect();
goto retrydnattr;
}
return NULL;
}
}
return NULL;
}
static int ldapopen()
{
int ldrc;
if (my_ldap_fp) return (0);
if (authldap_read_config(&my_ldap) == 0)
return (1);
my_ldap_fp=ldapconnect();
if (!my_ldap_fp)
{
return (1);
}
#if HAVE_LDAP_TLS
if (my_ldap.tls && enable_tls_on(my_ldap_fp))
{
authldapclose();
ldapconnfailure();
return (-1);
}
#endif
#ifdef LDAP_OPT_DEREF
/* Set deferencing mode */
if (ldaperror(ldrc = ldap_set_option(my_ldap_fp, LDAP_OPT_DEREF,
(void *) & my_ldap.deref)) != LDAP_SUCCESS)
{
const char *s=ldap_err2string(ldrc);
#if HAVE_SYSLOG_H
syslog(LOG_DAEMON|LOG_CRIT, "ldap_set_option failed: %s", s);
#endif
authldapclose();
ldapconnfailure();
return (-1);
}
#endif
/* Bind to server */
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"BindDn: %s\nBindPw: %s\n",my_ldap.binddn,my_ldap.bindpw);
#endif
if (ldaperror(ldrc = ldap_simple_bind_s(my_ldap_fp,
(char *)my_ldap.binddn,
(char *)my_ldap.bindpw)) != LDAP_SUCCESS)
{
const char *s=ldap_err2string(ldrc);
#if HAVE_SYSLOG_H
syslog(LOG_DAEMON|LOG_CRIT, "ldap_simple_bind_s failed: %s", s);
#endif
authldapclose();
ldapconnfailure();
return (-1);
}
return (0);
}
