]> git.ipfire.org Git - thirdparty/squid.git/blame - helpers/external_acl/kerberos_ldap_group/support_ldap.cc
projects / thirdparty / squid.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
SourceFormat Enforcement
[thirdparty/squid.git] / helpers / external_acl / kerberos_ldap_group / support_ldap.cc
CommitLineData
b1218840
AJ		 1/*
2 * -----------------------------------------------------------------------------
3 *
4 * Author: Markus Moeller (markus_moeller at compuserve.com)
5 *
6 * Copyright (C) 2007 Markus Moeller. All rights reserved.
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
21 *
22 * -----------------------------------------------------------------------------
23 */
24
f7f3304a 25#include "squid.h"
b1218840
AJ		 26#include "util.h"
27
28#ifdef HAVE_LDAP
29
30#include "support.h"
31#ifdef HAVE_ERRNO_H
32#include <errno.h>
33#endif
34
35char *convert_domain_to_bind_path(char *domain);
36char *escape_filter(char *filter);
37int check_AD(struct main_args *margs, LDAP * ld);
38int ldap_set_defaults(struct main_args *margs, LDAP * ld);
39int ldap_set_ssl_defaults(struct main_args *margs);
40LDAP *tool_ldap_open(struct main_args *margs, char *host, int port, char *ssl);
41
42#define CONNECT_TIMEOUT 2
43#define SEARCH_TIMEOUT 30
44
45#define FILTER "(memberuid=%s)"
46#define ATTRIBUTE "cn"
47#define FILTER_UID "(uid=%s)"
48#define FILTER_GID "(&(gidNumber=%s)(objectclass=posixgroup))"
49#define ATTRIBUTE_GID "gidNumber"
50
51#define FILTER_AD "(samaccountname=%s)"
52#define ATTRIBUTE_AD "memberof"
53
54int get_attributes(struct main_args *margs, LDAP * ld, LDAPMessage * res, const char *attribute /* IN */ , char ***out_val /* OUT (caller frees) */ );
55int search_group_tree(struct main_args *margs, LDAP * ld, char *bindp, char *ldap_group, char *group, int depth);
56
57#if defined(HAVE_SUN_LDAP_SDK) || defined(HAVE_MOZILLA_LDAP_SDK)
58#ifdef HAVE_LDAP_REBINDPROC_CALLBACK
59
60#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN)
61static LDAP_REBINDPROC_CALLBACK ldap_sasl_rebind;
62
63static int LDAP_CALL LDAP_CALLBACK
64ldap_sasl_rebind(
65 LDAP * ld,
66 char **whop,
67 char **credp,
68 int *methodp,
69 int freeit,
70 void *params)
71{
72 struct ldap_creds *cp = (struct ldap_creds *) params;
73 whop = whop;
74 credp = credp;
75 methodp = methodp;
76 freeit = freeit;
77 return tool_sasl_bind(ld, cp->dn, cp->pw);
78}
79#endif
80
81static LDAP_REBINDPROC_CALLBACK ldap_simple_rebind;
82
83static int LDAP_CALL LDAP_CALLBACK
84ldap_simple_rebind(
85 LDAP * ld,
86 char **whop,
87 char **credp,
88 int *methodp,
89 int freeit,
90 void *params)
91{
92 struct ldap_creds *cp = (struct ldap_creds *) params;
93 whop = whop;
94 credp = credp;
95 methodp = methodp;
96 freeit = freeit;
97 return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE);
98}
99#elif defined(HAVE_LDAP_REBIND_PROC)
100#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN)
101static LDAP_REBIND_PROC ldap_sasl_rebind;
102
103static int
104ldap_sasl_rebind(
105 LDAP * ld,
106 LDAP_CONST char *url,
107 ber_tag_t request,
108 ber_int_t msgid,
109 void *params)
110{
111 struct ldap_creds *cp = (struct ldap_creds *) params;
112 url = url;
113 request = request;
114 msgid = msgid;
115 return tool_sasl_bind(ld, cp->dn, cp->pw);
116}
117#endif
118
119static LDAP_REBIND_PROC ldap_simple_rebind;
120
121static int
122ldap_simple_rebind(
123 LDAP * ld,
124 LDAP_CONST char *url,
125 ber_tag_t request,
126 ber_int_t msgid,
127 void *params)
128{
129 struct ldap_creds *cp = (struct ldap_creds *) params;
130 url = url;
131 request = request;
132 msgid = msgid;
133 return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE);
134}
135
136#elif defined(HAVE_LDAP_REBIND_FUNCTION)
137#ifndef LDAP_REFERRALS
138#define LDAP_REFERRALS
139#endif
140#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN)
141static LDAP_REBIND_FUNCTION ldap_sasl_rebind;
142
143static int
144ldap_sasl_rebind(
145 LDAP * ld,
146 char **whop,
147 char **credp,
148 int *methodp,
149 int freeit,
150 void *params)
151{
152 struct ldap_creds *cp = (struct ldap_creds *) params;
153 whop = whop;
154 credp = credp;
155 methodp = methodp;
156 freeit = freeit;
157 return tool_sasl_bind(ld, cp->dn, cp->pw);
158}
159#endif
160
161static LDAP_REBIND_FUNCTION ldap_simple_rebind;
162
163static int
164ldap_simple_rebind(
165 LDAP * ld,
166 char **whop,
167 char **credp,
168 int *methodp,
169 int freeit,
170 void *params)
171{
172 struct ldap_creds *cp = (struct ldap_creds *) params;
173 whop = whop;
174 credp = credp;
175 methodp = methodp;
176 freeit = freeit;
177 return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE);
178}
179#else
180#error "No rebind functione defined"
181#endif
182#else /* HAVE_SUN_LDAP_SDK */
183#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN)
184static LDAP_REBIND_PROC ldap_sasl_rebind;
185
186static int
187ldap_sasl_rebind(
188 LDAP * ld,
189 LDAP_CONST char *url,
190 ber_tag_t request,
191 ber_int_t msgid,
192 void *params)
193{
194 struct ldap_creds *cp = (struct ldap_creds *) params;
195 url = url;
196 request = request;
197 msgid = msgid;
198 return tool_sasl_bind(ld, cp->dn, cp->pw);
199}
200#endif
201
202static LDAP_REBIND_PROC ldap_simple_rebind;
203
204static int
205ldap_simple_rebind(
206 LDAP * ld,
207 LDAP_CONST char *url,
208 ber_tag_t request,
209 ber_int_t msgid,
210 void *params)
211{
212
213 struct ldap_creds *cp = (struct ldap_creds *) params;
214 url = url;
215 request = request;
216 msgid = msgid;
217 return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE);
218}
219
220#endif
221char *
222convert_domain_to_bind_path(char *domain)
223{
224 char *dp, *bindp = NULL, *bp = NULL;
225 int i = 0;
226
227 if (!domain)
2e881a6f 228 return NULL;
b1218840 229
a2f5277a 230 for (dp = domain; *dp; ++dp) {
2e881a6f 231 if (*dp == '.')
755494da 232 ++i;
b1218840 233 }
2e881a6f
A		 234 /*
235 * add dc= and
236 * replace . with ,dc= => new length = old length + #dots * 3 + 3
b1218840
AJ		 237 */
238 bindp = (char *) xmalloc(strlen(domain) + 3 + i * 3 + 1);
239 bp = bindp;
240 strcpy(bp, "dc=");
241 bp += 3;
a2f5277a 242 for (dp = domain; *dp; ++dp) {
2e881a6f
A		 243 if (*dp == '.') {
244 strcpy(bp, ",dc=");
245 bp += 4;
f207fe64
FC		 246 } else {
247 *bp = *dp;
248 ++bp;
249 }
b1218840
AJ		 250 }
251 *bp = '\0';
252 return bindp;
253}
254
255char *
256escape_filter(char *filter)
257{
258 int i;
259 char *ldap_filter_esc, *ldf;
260
261 i = 0;
a2f5277a 262 for (ldap_filter_esc = filter; *ldap_filter_esc; ++ldap_filter_esc) {
2e881a6f
A		 263 if ((*ldap_filter_esc == '*') ||
264 (*ldap_filter_esc == '(') ||
265 (*ldap_filter_esc == ')') ||
266 (*ldap_filter_esc == '\\'))
267 i = i + 3;
b1218840
AJ		 268 }
269
270 ldap_filter_esc = (char *) xcalloc(strlen(filter) + i + 1, sizeof(char));
271 ldf = ldap_filter_esc;
a2f5277a 272 for (; *filter; ++filter) {
2e881a6f
A		 273 if (*filter == '*') {
274 strcpy(ldf, "\\2a");
275 ldf = ldf + 3;
276 } else if (*filter == '(') {
277 strcpy(ldf, "\\28");
278 ldf = ldf + 3;
279 } else if (*filter == ')') {
280 strcpy(ldf, "\\29");
281 ldf = ldf + 3;
282 } else if (*filter == '\\') {
283 strcpy(ldf, "\\5c");
284 ldf = ldf + 3;
285 } else {
286 *ldf = *filter;
755494da 287 ++ldf;
2e881a6f 288 }
b1218840
AJ		 289 }
290 *ldf = '\0';
291
292 return ldap_filter_esc;
293};
294
295int
296check_AD(struct main_args *margs, LDAP * ld)
297{
298 LDAPMessage *res;
299 char **attr_value = NULL;
300 struct timeval searchtime;
301 int max_attr = 0;
302 int j, rc = 0;
303
304#define FILTER_SCHEMA "(objectclass=*)"
305#define ATTRIBUTE_SCHEMA "schemaNamingContext"
306#define FILTER_SAM "(ldapdisplayname=samaccountname)"
307
308 searchtime.tv_sec = SEARCH_TIMEOUT;
309 searchtime.tv_usec = 0;
310
311 debug((char *) "%s| %s: DEBUG: Search ldap server with bind path \"\" and filter: %s\n", LogTime(), PROGRAM, FILTER_SCHEMA);
312 rc = ldap_search_ext_s(ld, (char *) "", LDAP_SCOPE_BASE, (char *) FILTER_SCHEMA, NULL, 0,
2e881a6f 313 NULL, NULL, &searchtime, 0, &res);
b1218840
AJ		 314
315 if (rc == LDAP_SUCCESS)
2e881a6f 316 max_attr = get_attributes(margs, ld, res, ATTRIBUTE_SCHEMA, &attr_value);
b1218840
AJ		 317
318 if (max_attr == 1) {
2e881a6f
A		 319 ldap_msgfree(res);
320 debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, attr_value[0], FILTER_SAM);
321 rc = ldap_search_ext_s(ld, attr_value[0], LDAP_SCOPE_SUBTREE, (char *) FILTER_SAM, NULL, 0,
322 NULL, NULL, &searchtime, 0, &res);
323 debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y");
324 if (ldap_count_entries(ld, res) > 0)
325 margs->AD = 1;
b1218840 326 } else
2e881a6f 327 debug((char *) "%s| %s: DEBUG: Did not find ldap entry for subschemasubentry\n", LogTime(), PROGRAM);
b1218840
AJ		 328 debug((char *) "%s| %s: DEBUG: Determined ldap server %sas an Active Directory server\n", LogTime(), PROGRAM, margs->AD ? "" : "not ");
329 /*
330 * Cleanup
331 */
332 if (attr_value) {
a2f5277a 333 for (j = 0; j < max_attr; ++j) {
2e881a6f
A		 334 xfree(attr_value[j]);
335 }
336 xfree(attr_value);
337 attr_value = NULL;
b1218840
AJ		 338 }
339 ldap_msgfree(res);
340 return rc;
341}
342int
343search_group_tree(struct main_args *margs, LDAP * ld, char *bindp, char *ldap_group, char *group, int depth)
344{
345 LDAPMessage *res = NULL;
346 char **attr_value = NULL;
347 int max_attr = 0;
348 char *filter = NULL;
349 char *search_exp = NULL;
350 int j, rc = 0, retval = 0;
351 char *av = NULL, *avp = NULL;
352 int ldepth;
353 char *ldap_filter_esc = NULL;
354 struct timeval searchtime;
355
356#define FILTER_GROUP_AD "(&(%s)(objectclass=group))"
357#define FILTER_GROUP "(&(memberuid=%s)(objectclass=posixgroup))"
358
359 searchtime.tv_sec = SEARCH_TIMEOUT;
360 searchtime.tv_usec = 0;
361
362 if (margs->AD)
2e881a6f 363 filter = (char *) FILTER_GROUP_AD;
b1218840 364 else
2e881a6f 365 filter = (char *) FILTER_GROUP;
b1218840
AJ		 366
367 ldap_filter_esc = escape_filter(ldap_group);
368
369 search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1);
370 snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc);
371
372 if (ldap_filter_esc)
2e881a6f 373 xfree(ldap_filter_esc);
b1218840
AJ		 374
375 if (depth > margs->mdepth) {
2e881a6f
A		 376 debug((char *) "%s| %s: DEBUG: Max search depth reached %d>%d\n", LogTime(), PROGRAM, depth, margs->mdepth);
377 return 0;
b1218840
AJ		 378 }
379 debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter : %s\n", LogTime(), PROGRAM, bindp, search_exp);
380 rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE,
2e881a6f
A		 381 search_exp, NULL, 0,
382 NULL, NULL, &searchtime, 0, &res);
b1218840 383 if (search_exp)
2e881a6f 384 xfree(search_exp);
b1218840
AJ		 385
386 if (rc != LDAP_SUCCESS) {
2e881a6f
A		 387 error((char *) "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
388 ldap_unbind_s(ld);
389 return 0;
b1218840
AJ		 390 }
391 debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y");
392
393 if (margs->AD)
2e881a6f 394 max_attr = get_attributes(margs, ld, res, ATTRIBUTE_AD, &attr_value);
b1218840 395 else
2e881a6f 396 max_attr = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value);
b1218840
AJ		 397
398 /*
399 * Compare group names
400 */
401 retval = 0;
402 ldepth = depth + 1;
a2f5277a 403 for (j = 0; j < max_attr; ++j) {
b1218840 404
2e881a6f
A		 405 /* Compare first CN= value assuming it is the same as the group name itself */
406 av = attr_value[j];
407 if (!strncasecmp("CN=", av, 3)) {
408 av += 3;
409 if ((avp = strchr(av, ','))) {
410 *avp = '\0';
411 }
412 }
413 if (debug_enabled) {
414 int n;
415 debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" in hex UTF-8 is ", LogTime(), PROGRAM, j + 1, av);
a2f5277a 416 for (n = 0; av[n] != '\0'; ++n)
2e881a6f
A		 417 fprintf(stderr, "%02x", (unsigned char) av[n]);
418 fprintf(stderr, "\n");
419 }
420 if (!strcasecmp(group, av)) {
421 retval = 1;
422 debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
423 break;
424 } else
425 debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
426 /*
427 * Do recursive group search
428 */
429 debug((char *) "%s| %s: DEBUG: Perform recursive group search for group \"%s\"\n", LogTime(), PROGRAM, av);
430 av = attr_value[j];
431 if (search_group_tree(margs, ld, bindp, av, group, ldepth)) {
432 retval = 1;
433 if (!strncasecmp("CN=", av, 3)) {
434 av += 3;
435 if ((avp = strchr(av, ','))) {
436 *avp = '\0';
437 }
438 }
439 if (debug_enabled)
440 debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" is member of group named \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
441 else
442 break;
443
444 }
b1218840
AJ		 445 }
446
447 /*
448 * Cleanup
449 */
450 if (attr_value) {
a2f5277a 451 for (j = 0; j < max_attr; ++j) {
2e881a6f
A		 452 xfree(attr_value[j]);
453 }
454 xfree(attr_value);
455 attr_value = NULL;
b1218840
AJ		 456 }
457 ldap_msgfree(res);
458
459 return retval;
460}
461
462int
463ldap_set_defaults(struct main_args *margs, LDAP * ld)
464{
465 int val, rc = 0;
466#ifdef LDAP_OPT_NETWORK_TIMEOUT
467 struct timeval tv;
468#endif
469 val = LDAP_VERSION3;
470 rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &val);
471 if (rc != LDAP_SUCCESS) {
2e881a6f
A		 472 debug((char *) "%s| %s: DEBUG: Error while setting protocol version: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
473 return rc;
b1218840
AJ		 474 }
475 rc = ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
476 if (rc != LDAP_SUCCESS) {
2e881a6f
A		 477 debug((char *) "%s| %s: DEBUG: Error while setting referrals off: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
478 return rc;
b1218840
AJ		 479 }
480#ifdef LDAP_OPT_NETWORK_TIMEOUT
481 tv.tv_sec = CONNECT_TIMEOUT;
482 tv.tv_usec = 0;
483 rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
484 if (rc != LDAP_SUCCESS) {
2e881a6f
A		 485 debug((char *) "%s| %s: DEBUG: Error while setting network timeout: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
486 return rc;
b1218840
AJ		 487 }
488#endif /* LDAP_OPT_NETWORK_TIMEOUT */
489 return LDAP_SUCCESS;
490}
491
492int
493ldap_set_ssl_defaults(struct main_args *margs)
494{
495#if defined(HAVE_OPENLDAP) || defined(HAVE_LDAPSSL_CLIENT_INIT)
496 int rc = 0;
497#endif
498#ifdef HAVE_OPENLDAP
499 int val;
500 char *ssl_cacertfile = NULL;
501 int free_path;
502#elif defined(HAVE_LDAPSSL_CLIENT_INIT)
503 char *ssl_certdbpath = NULL;
504#endif
505
506#ifdef HAVE_OPENLDAP
507 if (!margs->rc_allow) {
2e881a6f
A		 508 debug((char *) "%s| %s: DEBUG: Enable server certificate check for ldap server.\n", LogTime(), PROGRAM);
509 val = LDAP_OPT_X_TLS_DEMAND;
510 rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &val);
511 if (rc != LDAP_SUCCESS) {
512 error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_REQUIRE_CERT DEMAND for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
513 return rc;
514 }
515 ssl_cacertfile = getenv("TLS_CACERTFILE");
516 free_path = 0;
517 if (!ssl_cacertfile) {
518 ssl_cacertfile = xstrdup("/etc/ssl/certs/cert.pem");
519 free_path = 1;
520 }
521 debug((char *) "%s| %s: DEBUG: Set certificate file for ldap server to %s.(Changeable through setting environment variable TLS_CACERTFILE)\n", LogTime(), PROGRAM, ssl_cacertfile);
522 rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ssl_cacertfile);
523 if (ssl_cacertfile && free_path) {
524 xfree(ssl_cacertfile);
525 ssl_cacertfile = NULL;
526 }
527 if (rc != LDAP_OPT_SUCCESS) {
528 error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_CACERTFILE for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
529 return rc;
530 }
b1218840 531 } else {
2e881a6f
A		 532 debug((char *) "%s| %s: DEBUG: Disable server certificate check for ldap server.\n", LogTime(), PROGRAM);
533 val = LDAP_OPT_X_TLS_ALLOW;
534 rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &val);
535 if (rc != LDAP_SUCCESS) {
536 error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_REQUIRE_CERT ALLOW for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
537 return rc;
538 }
b1218840
AJ		 539 }
540#elif defined(HAVE_LDAPSSL_CLIENT_INIT)
2e881a6f 541 /*
b1218840
AJ		 542 * Solaris SSL ldap calls require path to certificate database
543 */
2e881a6f
A		 544 /*
545 * rc = ldapssl_client_init( ssl_certdbpath, NULL );
546 * rc = ldapssl_advclientauth_init( ssl_certdbpath, NULL , 0 , NULL, NULL, 0, NULL, 2);
547 */
b1218840
AJ		 548 ssl_certdbpath = getenv("SSL_CERTDBPATH");
549 if (!ssl_certdbpath) {
2e881a6f 550 ssl_certdbpath = xstrdup("/etc/certs");
b1218840
AJ		 551 }
552 debug((char *) "%s| %s: DEBUG: Set certificate database path for ldap server to %s.(Changeable through setting environment variable SSL_CERTDBPATH)\n", LogTime(), PROGRAM, ssl_certdbpath);
553 if (!margs->rc_allow) {
2e881a6f 554 rc = ldapssl_advclientauth_init(ssl_certdbpath, NULL, 0, NULL, NULL, 0, NULL, 2);
b1218840 555 } else {
2e881a6f
A		 556 rc = ldapssl_advclientauth_init(ssl_certdbpath, NULL, 0, NULL, NULL, 0, NULL, 0);
557 debug((char *) "%s| %s: DEBUG: Disable server certificate check for ldap server.\n", LogTime(), PROGRAM);
b1218840
AJ		 558 }
559 if (ssl_certdbpath) {
2e881a6f
A		 560 xfree(ssl_certdbpath);
561 ssl_certdbpath = NULL;
b1218840
AJ		 562 }
563 if (rc != LDAP_SUCCESS) {
2e881a6f
A		 564 error((char *) "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, ldapssl_err2string(rc));
565 return rc;
b1218840
AJ		 566 }
567#else
568 error((char *) "%s| %s: ERROR: SSL not supported by ldap library\n", LogTime(), PROGRAM);
569#endif
570 return LDAP_SUCCESS;
571}
572
573int
574get_attributes(struct main_args *margs, LDAP * ld, LDAPMessage * res, const char *attribute, char ***ret_value)
575{
576
577 LDAPMessage *msg;
578 char **attr_value = NULL;
579 int max_attr = 0;
580
581 attr_value = *ret_value;
582 /*
583 * loop over attributes
584 */
585 debug((char *) "%s| %s: DEBUG: Search ldap entries for attribute : %s\n", LogTime(), PROGRAM, attribute);
586 for (msg = ldap_first_entry(ld, res); msg; msg = ldap_next_entry(ld, msg)) {
587
2e881a6f
A		 588 BerElement *b;
589 char *attr;
590
591 switch (ldap_msgtype(msg)) {
592
593 case LDAP_RES_SEARCH_ENTRY:
594
595 for (attr = ldap_first_attribute(ld, msg, &b); attr;
596 attr = ldap_next_attribute(ld, msg, b)) {
597 if (strcasecmp(attr, attribute) == 0) {
598 struct berval **values;
599 int il;
600
601 if ((values = ldap_get_values_len(ld, msg, attr)) != NULL) {
a2f5277a 602 for (il = 0; values[il] != NULL; ++il) {
2e881a6f
A		 603
604 attr_value = (char **) xrealloc(attr_value, (il + 1) * sizeof(char *));
605 if (!attr_value)
606 break;
607
608 attr_value[il] = (char *) xmalloc(values[il]->bv_len + 1);
609 memcpy(attr_value[il], values[il]->bv_val, values[il]->bv_len);
610 attr_value[il][values[il]->bv_len] = 0;
611 }
612 max_attr = il;
613 }
614 ber_bvecfree(values);
615 }
616 ldap_memfree(attr);
617 }
618 ber_free(b, 0);
619 break;
620 case LDAP_RES_SEARCH_REFERENCE:
621 debug((char *) "%s| %s: DEBUG: Received a search reference message\n", LogTime(), PROGRAM);
622 break;
623 case LDAP_RES_SEARCH_RESULT:
624 debug((char *) "%s| %s: DEBUG: Received a search result message\n", LogTime(), PROGRAM);
625 break;
626 default:
627 break;
628 }
b1218840
AJ		 629 }
630
631 debug((char *) "%s| %s: DEBUG: %d ldap entr%s found with attribute : %s\n", LogTime(), PROGRAM, max_attr, max_attr > 1 || max_attr == 0 ? "ies" : "y", attribute);
632
633 *ret_value = attr_value;
634 return max_attr;
635}
636
637/*
638 * call to open ldap server with or without SSL
639 */
640LDAP *
641tool_ldap_open(struct main_args * margs, char *host, int port, char *ssl)
642{
643 LDAP *ld;
644#ifdef HAVE_OPENLDAP
645 LDAPURLDesc *url = NULL;
646 char *ldapuri = NULL;
647#endif
648 int rc = 0;
649
2e881a6f
A		 650 /*
651 * Use ldap open here to check if TCP connection is possible. If possible use it.
b1218840
AJ		 652 * (Not sure if this is the best way)
653 */
654#ifdef HAVE_OPENLDAP
655 url = (LDAPURLDesc *) xmalloc(sizeof(*url));
656 memset(url, 0, sizeof(*url));
657#ifdef HAVE_LDAP_URL_LUD_SCHEME
658 if (ssl)
2e881a6f 659 url->lud_scheme = (char *) "ldaps";
b1218840 660 else
2e881a6f 661 url->lud_scheme = (char *) "ldap";
b1218840
AJ		 662#endif
663 url->lud_host = host;
664 url->lud_port = port;
665#ifdef HAVE_LDAP_SCOPE_DEFAULT
666 url->lud_scope = LDAP_SCOPE_DEFAULT;
667#else
668 url->lud_scope = LDAP_SCOPE_SUBTREE;
669#endif
670#ifdef HAVE_LDAP_URL_DESC2STR
671 ldapuri = ldap_url_desc2str(url);
672#elif defined(HAVE_LDAP_URL_PARSE)
673 rc = ldap_url_parse(ldapuri, &url);
674 if (rc != LDAP_SUCCESS) {
2e881a6f
A		 675 error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
676 if (ldapuri)
677 xfree(ldapuri);
678 if (url)
679 xfree(url);
680 return NULL;
b1218840
AJ		 681 }
682#else
683#error "No URL parsing function"
684#endif
685 if (url) {
2e881a6f
A		 686 xfree(url);
687 url = NULL;
b1218840
AJ		 688 }
689 rc = ldap_initialize(&ld, ldapuri);
690 if (ldapuri)
2e881a6f 691 xfree(ldapuri);
b1218840 692 if (rc != LDAP_SUCCESS) {
2e881a6f
A		 693 error((char *) "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
694 ldap_unbind(ld);
695 ld = NULL;
696 return NULL;
b1218840
AJ		 697 }
698#else
699 ld = ldap_init(host, port);
700#endif
701 rc = ldap_set_defaults(margs, ld);
702 if (rc != LDAP_SUCCESS) {
2e881a6f
A		 703 error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
704 ldap_unbind(ld);
705 ld = NULL;
706 return NULL;
b1218840
AJ		 707 }
708 if (ssl) {
2e881a6f
A		 709 /*
710 * Try Start TLS first
711 */
712 debug((char *) "%s| %s: DEBUG: Set SSL defaults\n", LogTime(), PROGRAM);
713 rc = ldap_set_ssl_defaults(margs);
714 if (rc != LDAP_SUCCESS) {
715 error((char *) "%s| %s: ERROR: Error while setting SSL default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
716 ldap_unbind(ld);
717 ld = NULL;
718 return NULL;
719 }
b1218840 720#ifdef HAVE_OPENLDAP
2e881a6f
A		 721 /*
722 * Use tls if possible
723 */
724 rc = ldap_start_tls_s(ld, NULL, NULL);
725 if (rc != LDAP_SUCCESS) {
726 error((char *) "%s| %s: ERROR: Error while setting start_tls for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
727 ldap_unbind(ld);
728 ld = NULL;
729 url = (LDAPURLDesc *) xmalloc(sizeof(*url));
730 memset(url, 0, sizeof(*url));
b1218840 731#ifdef HAVE_LDAP_URL_LUD_SCHEME
2e881a6f 732 url->lud_scheme = (char *) "ldaps";
b1218840 733#endif
2e881a6f
A		 734 url->lud_host = host;
735 url->lud_port = port;
b1218840 736#ifdef HAVE_LDAP_SCOPE_DEFAULT
2e881a6f 737 url->lud_scope = LDAP_SCOPE_DEFAULT;
b1218840 738#else
2e881a6f 739 url->lud_scope = LDAP_SCOPE_SUBTREE;
b1218840
AJ		 740#endif
741#ifdef HAVE_LDAP_URL_DESC2STR
2e881a6f 742 ldapuri = ldap_url_desc2str(url);
b1218840 743#elif defined(HAVE_LDAP_URL_PARSE)
2e881a6f
A		 744 rc = ldap_url_parse(ldapuri, &url);
745 if (rc != LDAP_SUCCESS) {
746 error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
747 if (ldapuri)
748 xfree(ldapuri);
749 if (url)
750 xfree(url);
751 return NULL;
752 }
b1218840
AJ		 753#else
754#error "No URL parsing function"
755#endif
2e881a6f
A		 756 if (url) {
757 xfree(url);
758 url = NULL;
759 }
760 rc = ldap_initialize(&ld, ldapuri);
761 if (ldapuri)
762 xfree(ldapuri);
763 if (rc != LDAP_SUCCESS) {
764 error((char *) "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
765 ldap_unbind(ld);
766 ld = NULL;
767 return NULL;
768 }
769 rc = ldap_set_defaults(margs, ld);
770 if (rc != LDAP_SUCCESS) {
771 error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
772 ldap_unbind(ld);
773 ld = NULL;
774 return NULL;
775 }
776 }
b1218840 777#elif defined(HAVE_LDAPSSL_CLIENT_INIT)
2e881a6f
A		 778 ld = ldapssl_init(host, port, 1);
779 if (!ld) {
780 error((char *) "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, ldapssl_err2string(rc));
781 ldap_unbind(ld);
782 ld = NULL;
783 return NULL;
784 }
785 rc = ldap_set_defaults(margs, ld);
786 if (rc != LDAP_SUCCESS) {
787 error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
788 ldap_unbind(ld);
789 ld = NULL;
790 return NULL;
791 }
b1218840 792#else
2e881a6f 793 error((char *) "%s| %s: ERROR: SSL not supported by ldap library\n", LogTime(), PROGRAM);
b1218840
AJ		 794#endif
795 }
796 return ld;
797}
798
799/*
800 * ldap calls to get attribute from Ldap Directory Server
801 */
802int
803get_memberof(struct main_args *margs, char *user, char *domain, char *group)
804{
805 LDAP *ld = NULL;
806 LDAPMessage *res;
807#ifndef HAVE_SUN_LDAP_SDK
808 int ldap_debug = 0;
809#endif
810 struct ldap_creds *lcreds = NULL;
811 char *bindp = NULL;
812 char *filter = NULL;
813 char *search_exp;
814 struct timeval searchtime;
815 int i, j, rc = 0, kc = 1;
816 int retval;
817 char **attr_value = NULL;
818 char *av = NULL, *avp = NULL;
819 int max_attr = 0;
820 struct hstruct *hlist = NULL;
821 int nhosts = 0;
822 char *hostname;
823 char *host;
824 int port;
825 char *ssl = NULL;
826 char *p;
827 char *ldap_filter_esc = NULL;
828
b1218840
AJ		 829 searchtime.tv_sec = SEARCH_TIMEOUT;
830 searchtime.tv_usec = 0;
831 /*
832 * Fill Kerberos memory cache with credential from keytab for SASL/GSSAPI
833 */
834 if (domain) {
2e881a6f 835 debug((char *) "%s| %s: DEBUG: Setup Kerberos credential cache\n", LogTime(), PROGRAM);
b1218840 836
bec91ba0 837#ifdef HAVE_KRB5
2e881a6f
A		 838 kc = krb5_create_cache(margs, domain);
839 if (kc) {
840 error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM);
841 }
bec91ba0
MM		 842#else
843 kc = 1;
844 debug((char *) "%s| %s: DEBUG: Kerberos is not supported. Use username/passwaord with ldap url instead\n", LogTime(), PROGRAM);
845#endif
b1218840 846 }
bec91ba0 847
b1218840 848 if (kc && (!margs->lurl || !margs->luser | !margs->lpass)) {
2e881a6f
A		 849 /*
850 * If Kerberos fails and no url given exit here
851 */
852 retval = 0;
853 goto cleanup;
b1218840
AJ		 854 }
855#ifndef HAVE_SUN_LDAP_SDK
856 /*
857 * Initialise ldap
858 */
859 ldap_debug = 127 /* LDAP_DEBUG_TRACE */ ;
860 ldap_debug = -1 /* LDAP_DEBUG_ANY */ ;
861 ldap_debug = 0;
862 (void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug);
863#endif
864 debug((char *) "%s| %s: DEBUG: Initialise ldap connection\n", LogTime(), PROGRAM);
865
866 if (domain && !kc) {
2e881a6f
A		 867 if (margs->ssl) {
868 debug((char *) "%s| %s: DEBUG: Enable SSL to ldap servers\n", LogTime(), PROGRAM);
869 }
870 debug((char *) "%s| %s: DEBUG: Canonicalise ldap server name for domain %s\n", LogTime(), PROGRAM, domain);
871 /*
872 * Loop over list of ldap servers of users domain
873 */
874 nhosts = get_ldap_hostname_list(margs, &hlist, 0, domain);
a2f5277a 875 for (i = 0; i < nhosts; ++i) {
2e881a6f
A		 876 port = 389;
877 if (hlist[i].port != -1)
878 port = hlist[i].port;
879 debug((char *) "%s| %s: DEBUG: Setting up connection to ldap server %s:%d\n", LogTime(), PROGRAM, hlist[i].host, port);
880
881 ld = tool_ldap_open(margs, hlist[i].host, port, margs->ssl);
882 if (!ld)
883 continue;
884
885 /*
886 * ldap bind with SASL/GSSAPI authentication (only possible if a domain was part of the username)
887 */
b1218840
AJ		 888
889#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN)
2e881a6f
A		 890 debug((char *) "%s| %s: DEBUG: Bind to ldap server with SASL/GSSAPI\n", LogTime(), PROGRAM);
891
892 rc = tool_sasl_bind(ld, bindp, margs->ssl);
893 if (rc != LDAP_SUCCESS) {
894 error((char *) "%s| %s: ERROR: Error while binding to ldap server with SASL/GSSAPI: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
895 ldap_unbind(ld);
896 ld = NULL;
897 continue;
898 }
899 lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds));
900 lcreds->dn = bindp ? xstrdup(bindp) : NULL;
901 lcreds->pw = margs->ssl ? xstrdup(margs->ssl) : NULL;
902 ldap_set_rebind_proc(ld, ldap_sasl_rebind, (char *) lcreds);
903 if (ld != NULL) {
904 debug((char *) "%s| %s: DEBUG: %s initialised %sconnection to ldap server %s:%d\n", LogTime(), PROGRAM, ld ? "Successfully" : "Failed to", margs->ssl ? "SSL protected " : "", hlist[i].host, port);
905 break;
906 }
b1218840 907#else
2e881a6f
A		 908 ldap_unbind(ld);
909 ld = NULL;
910 error((char *) "%s| %s: ERROR: SASL not supported on system\n", LogTime(), PROGRAM);
911 continue;
b1218840 912#endif
2e881a6f
A		 913 }
914 nhosts = free_hostname_list(&hlist, nhosts);
915 if (ld == NULL) {
916 debug((char *) "%s| %s: DEBUG: Error during initialisation of ldap connection: %s\n", LogTime(), PROGRAM, strerror(errno));
917 }
918 bindp = convert_domain_to_bind_path(domain);
b1218840
AJ		 919 }
920 if ((!domain || !ld) && margs->lurl && strstr(margs->lurl, "://")) {
2e881a6f
A		 921 /*
922 * If username does not contain a domain and a url was given then try it
923 */
924 hostname = strstr(margs->lurl, "://") + 3;
925 ssl = strstr(margs->lurl, "ldaps://");
926 if (ssl) {
927 debug((char *) "%s| %s: DEBUG: Enable SSL to ldap servers\n", LogTime(), PROGRAM);
928 }
929 debug((char *) "%s| %s: DEBUG: Canonicalise ldap server name %s\n", LogTime(), PROGRAM, hostname);
930 /*
931 * Loop over list of ldap servers
932 */
933 host = xstrdup(hostname);
934 port = 389;
935 if ((p = strchr(host, ':'))) {
936 *p = '\0';
755494da 937 ++p;
2e881a6f
A		 938 port = atoi(p);
939 }
940 nhosts = get_hostname_list(margs, &hlist, 0, host);
941 if (host)
942 xfree(host);
943 host = NULL;
a2f5277a 944 for (i = 0; i < nhosts; ++i) {
2e881a6f
A		 945
946 ld = tool_ldap_open(margs, hlist[i].host, port, ssl);
947 if (!ld)
948 continue;
949 /*
950 * ldap bind with username/password authentication
951 */
952
953 debug((char *) "%s| %s: DEBUG: Bind to ldap server with Username/Password\n", LogTime(), PROGRAM);
954 rc = ldap_simple_bind_s(ld, margs->luser, margs->lpass);
955 if (rc != LDAP_SUCCESS) {
956 error((char *) "%s| %s: ERROR: Error while binding to ldap server with Username/Password: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
957 ldap_unbind(ld);
958 ld = NULL;
959 continue;
960 }
961 lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds));
962 lcreds->dn = xstrdup(margs->luser);
963 lcreds->pw = xstrdup(margs->lpass);
964 ldap_set_rebind_proc(ld, ldap_simple_rebind, (char *) lcreds);
965 debug((char *) "%s| %s: DEBUG: %s set up %sconnection to ldap server %s:%d\n", LogTime(), PROGRAM, ld ? "Successfully" : "Failed to", ssl ? "SSL protected " : "", hlist[i].host, port);
966 break;
967
968 }
969 nhosts = free_hostname_list(&hlist, nhosts);
970 if (bindp)
971 xfree(bindp);
972 if (margs->lbind) {
973 bindp = xstrdup(margs->lbind);
974 } else {
975 bindp = convert_domain_to_bind_path(domain);
976 }
b1218840
AJ		 977 }
978 if (ld == NULL) {
2e881a6f
A		 979 debug((char *) "%s| %s: DEBUG: Error during initialisation of ldap connection: %s\n", LogTime(), PROGRAM, strerror(errno));
980 retval = 0;
981 goto cleanup;
b1218840
AJ		 982 }
983 /*
984 * ldap search for user
985 */
2e881a6f 986 /*
b1218840
AJ		 987 * Check if server is AD by querying for attribute samaccountname
988 */
989 margs->AD = 0;
990 rc = check_AD(margs, ld);
991 if (rc != LDAP_SUCCESS) {
2e881a6f
A		 992 error((char *) "%s| %s: ERROR: Error determining ldap server type: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
993 ldap_unbind(ld);
994 ld = NULL;
995 retval = 0;
996 goto cleanup;
b1218840
AJ		 997 }
998 if (margs->AD)
2e881a6f 999 filter = (char *) FILTER_AD;
b1218840 1000 else
2e881a6f 1001 filter = (char *) FILTER;
b1218840
AJ		 1002
1003 ldap_filter_esc = escape_filter(user);
1004
1005 search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1);
1006 snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc);
1007
1008 if (ldap_filter_esc)
2e881a6f 1009 xfree(ldap_filter_esc);
b1218840
AJ		 1010
1011 debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter : %s\n", LogTime(), PROGRAM, bindp, search_exp);
1012 rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE,
2e881a6f
A		 1013 search_exp, NULL, 0,
1014 NULL, NULL, &searchtime, 0, &res);
b1218840 1015 if (search_exp)
2e881a6f 1016 xfree(search_exp);
b1218840
AJ		 1017
1018 if (rc != LDAP_SUCCESS) {
2e881a6f
A		 1019 error((char *) "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
1020 ldap_unbind(ld);
1021 ld = NULL;
1022 retval = 0;
1023 goto cleanup;
b1218840
AJ		 1024 }
1025 debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y");
1026
1027 if (ldap_count_entries(ld, res) != 0) {
1028
2e881a6f
A		 1029 if (margs->AD)
1030 max_attr = get_attributes(margs, ld, res, ATTRIBUTE_AD, &attr_value);
1031 else {
1032 max_attr = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value);
1033 }
1034
1035 /*
1036 * Compare group names
1037 */
1038 retval = 0;
a2f5277a 1039 for (j = 0; j < max_attr; ++j) {
2e881a6f
A		 1040
1041 /* Compare first CN= value assuming it is the same as the group name itself */
1042 av = attr_value[j];
1043 if (!strncasecmp("CN=", av, 3)) {
1044 av += 3;
1045 if ((avp = strchr(av, ','))) {
1046 *avp = '\0';
1047 }
1048 }
1049 if (debug_enabled) {
1050 int n;
1051 debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" in hex UTF-8 is ", LogTime(), PROGRAM, j + 1, av);
a2f5277a 1052 for (n = 0; av[n] != '\0'; ++n)
2e881a6f
A		 1053 fprintf(stderr, "%02x", (unsigned char) av[n]);
1054 fprintf(stderr, "\n");
1055 }
1056 if (!strcasecmp(group, av)) {
1057 retval = 1;
1058 if (debug_enabled)
1059 debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
1060 else
1061 break;
1062 } else
1063 debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
1064 }
1065 /*
1066 * Do recursive group search for AD only since posixgroups can not contain other groups
1067 */
1068 if (!retval && margs->AD) {
1069 if (debug_enabled && max_attr > 0) {
1070 debug((char *) "%s| %s: DEBUG: Perform recursive group search\n", LogTime(), PROGRAM);
1071 }
a2f5277a 1072 for (j = 0; j < max_attr; ++j) {
2e881a6f
A		 1073
1074 av = attr_value[j];
1075 if (search_group_tree(margs, ld, bindp, av, group, 1)) {
1076 retval = 1;
1077 if (!strncasecmp("CN=", av, 3)) {
1078 av += 3;
1079 if ((avp = strchr(av, ','))) {
1080 *avp = '\0';
1081 }
1082 }
1083 if (debug_enabled)
1084 debug((char *) "%s| %s: DEBUG: Entry %d group \"%s\" is (in)direct member of group \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
1085 else
1086 break;
1087 }
1088 }
1089 }
1090 /*
1091 * Cleanup
1092 */
1093 if (attr_value) {
a2f5277a 1094 for (j = 0; j < max_attr; ++j) {
2e881a6f
A		 1095 xfree(attr_value[j]);
1096 }
1097 xfree(attr_value);
1098 attr_value = NULL;
1099 }
1100 ldap_msgfree(res);
b1218840 1101 } else if (ldap_count_entries(ld, res) == 0 && margs->AD) {
2e881a6f
A		 1102 ldap_msgfree(res);
1103 ldap_unbind(ld);
1104 ld = NULL;
1105 retval = 0;
1106 goto cleanup;
b1218840 1107 } else {
2e881a6f
A		 1108 ldap_msgfree(res);
1109 retval = 0;
b1218840
AJ		 1110 }
1111
1112 if (!margs->AD && retval == 0) {
2e881a6f
A		 1113 /*
1114 * Check for primary Group membership
1115 */
1116 debug((char *) "%s| %s: DEBUG: Search for primary group membership: \"%s\"\n", LogTime(), PROGRAM, group);
1117 filter = (char *) FILTER_UID;
1118
1119 ldap_filter_esc = escape_filter(user);
1120
1121 search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1);
1122 snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc);
1123
1124 if (ldap_filter_esc)
1125 xfree(ldap_filter_esc);
1126
1127 debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp);
1128 rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE,
1129 search_exp, NULL, 0,
1130 NULL, NULL, &searchtime, 0, &res);
1131 if (search_exp)
1132 xfree(search_exp);
1133
1134 debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y");
1135
1136 max_attr = get_attributes(margs, ld, res, ATTRIBUTE_GID, &attr_value);
1137
1138 if (max_attr == 1) {
1139 char **attr_value_2 = NULL;
1140 int max_attr_2 = 0;
1141
1142 ldap_msgfree(res);
1143 filter = (char *) FILTER_GID;
1144
1145 ldap_filter_esc = escape_filter(attr_value[0]);
1146
1147 search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1);
1148 snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc);
1149
1150 if (ldap_filter_esc)
1151 xfree(ldap_filter_esc);
1152
1153 debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp);
1154 rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE,
1155 search_exp, NULL, 0,
1156 NULL, NULL, &searchtime, 0, &res);
1157 if (search_exp)
1158 xfree(search_exp);
1159
1160 max_attr_2 = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value_2);
1161 /*
1162 * Compare group names
1163 */
1164 retval = 0;
1165 if (max_attr_2 == 1) {
1166
1167 /* Compare first CN= value assuming it is the same as the group name itself */
1168 av = attr_value_2[0];
1169 if (!strcasecmp(group, av)) {
1170 retval = 1;
1171 debug((char *) "%s| %s: DEBUG: \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, av, group);
1172 } else
1173 debug((char *) "%s| %s: DEBUG: \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, av, group);
1174
1175 }
1176 /*
1177 * Cleanup
1178 */
1179 if (attr_value_2) {
a2f5277a 1180 for (j = 0; j < max_attr_2; ++j) {
2e881a6f
A		 1181 xfree(attr_value_2[j]);
1182 }
1183 xfree(attr_value_2);
1184 attr_value_2 = NULL;
1185 }
1186 ldap_msgfree(res);
1187
1188 debug((char *) "%s| %s: DEBUG: Users primary group %s %s\n", LogTime(), PROGRAM, retval ? "matches" : "does not match", group);
1189
1190 } else
1191 debug((char *) "%s| %s: DEBUG: Did not find ldap entry for group %s\n", LogTime(), PROGRAM, group);
1192 /*
1193 * Cleanup
1194 */
1195 if (attr_value) {
a2f5277a 1196 for (j = 0; j < max_attr; ++j) {
2e881a6f
A		 1197 xfree(attr_value[j]);
1198 }
1199 xfree(attr_value);
1200 attr_value = NULL;
1201 }
b1218840
AJ		 1202 }
1203 rc = ldap_unbind(ld);
1204 ld = NULL;
1205 if (rc != LDAP_SUCCESS) {
2e881a6f 1206 error((char *) "%s| %s: ERROR: Error unbind ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
b1218840
AJ		 1207 }
1208 debug((char *) "%s| %s: DEBUG: Unbind ldap server\n", LogTime(), PROGRAM);
2e881a6f 1209cleanup:
bec91ba0 1210#ifdef HAVE_KRB5
b1218840 1211 if (domain)
2e881a6f 1212 krb5_cleanup();
bec91ba0 1213#endif
b1218840 1214 if (lcreds) {
2e881a6f
A		 1215 if (lcreds->dn)
1216 xfree(lcreds->dn);
1217 if (lcreds->pw)
1218 xfree(lcreds->pw);
1219 xfree(lcreds);
b1218840
AJ		 1220 }
1221 if (bindp)
2e881a6f 1222 xfree(bindp);
b1218840
AJ		 1223 bindp = NULL;
1224 return (retval);
1225
1226}
1227#endif
Mirror of https://github.com/squid-cache/squid.git