]> git.ipfire.org Git - thirdparty/squid.git/blob - helpers/digest_auth/LDAP/ldap_backend.cc
projects / thirdparty / squid.git / blob
? search:


407279df406e3ed4c76832f651b16050d06648af
[thirdparty/squid.git] / helpers / digest_auth / LDAP / ldap_backend.cc
1 /*
2 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 /*
10 * AUTHOR: Flavio Pescuma, MARA Systems AB <flavio@marasystems.com>
11 */
12
13 #include "squid.h"
14 #include "util.h"
15
16 #define LDAP_DEPRECATED 1
17
18 #include "ldap_backend.h"
19
20 #if _SQUID_WINDOWS_ && !_SQUID_CYGWIN_
21
22 #define snprintf _snprintf
23 #include <windows.h>
24 #include <winldap.h>
25 #ifndef LDAPAPI
26 #define LDAPAPI __cdecl
27 #endif
28 #ifdef LDAP_VERSION3
29 #ifndef LDAP_OPT_X_TLS
30 #define LDAP_OPT_X_TLS 0x6000
31 #endif
32 /* Some tricks to allow dynamic bind with ldap_start_tls_s entry point at
33 * run time.
34 */
35 #undef ldap_start_tls_s
36 #if LDAP_UNICODE
37 #define LDAP_START_TLS_S "ldap_start_tls_sW"
38 typedef WINLDAPAPI ULONG(LDAPAPI * PFldap_start_tls_s) (IN PLDAP, OUT PULONG, OUT LDAPMessage **, IN PLDAPControlW *, IN PLDAPControlW *);
39 #else
40 #define LDAP_START_TLS_S "ldap_start_tls_sA"
41 typedef WINLDAPAPI ULONG(LDAPAPI * PFldap_start_tls_s) (IN PLDAP, OUT PULONG, OUT LDAPMessage **, IN PLDAPControlA *, IN PLDAPControlA *);
42 #endif /* LDAP_UNICODE */
43 PFldap_start_tls_s Win32_ldap_start_tls_s;
44 #define ldap_start_tls_s(l,s,c) Win32_ldap_start_tls_s(l,NULL,NULL,s,c)
45 #endif /* LDAP_VERSION3 */
46
47 #else
48
49 #include <lber.h>
50 #include <ldap.h>
51
52 #endif
53 #define PROGRAM_NAME "digest_pw_auth(LDAP_backend)"
54
55 /* Globals */
56
57 static LDAP *ld = NULL;
58 static const char *passattr = NULL;
59 static char *ldapServer = NULL;
60 static const char *userbasedn = NULL;
61 static const char *userdnattr = NULL;
62 static const char *usersearchfilter = NULL;
63 static const char *binddn = NULL;
64 static const char *bindpasswd = NULL;
65 static const char *delimiter = ":";
66 static int encrpass = 0;
67 static int searchscope = LDAP_SCOPE_SUBTREE;
68 static int persistent = 0;
69 static int noreferrals = 0;
70 static int port = LDAP_PORT;
71 static int strip_nt_domain = 0;
72 static int aliasderef = LDAP_DEREF_NEVER;
73 #if defined(NETSCAPE_SSL)
74 static char *sslpath = NULL;
75 static int sslinit = 0;
76 #endif
77 static int connect_timeout = 0;
78 static int timelimit = LDAP_NO_LIMIT;
79
80 #ifdef LDAP_VERSION3
81 /* Added for TLS support and version 3 */
82 static int use_tls = 0;
83 static int version = -1;
84 #endif
85
86 static void ldapconnect(void);
87 static int readSecret(const char *filename);
88
89 /* Yuck.. we need to glue to different versions of the API */
90
91 #if defined(LDAP_API_VERSION) && LDAP_API_VERSION > 1823
92 static void
93 squid_ldap_set_aliasderef(int deref)
94 {
95 ldap_set_option(ld, LDAP_OPT_DEREF, &deref);
96 }
97 static void
98 squid_ldap_set_referrals(int referrals)
99 {
100 int *value = static_cast<int*>(referrals ? LDAP_OPT_ON :LDAP_OPT_OFF);
101 ldap_set_option(ld, LDAP_OPT_REFERRALS, value);
102 }
103 static void
104 squid_ldap_set_timelimit(int aTimeLimit)
105 {
106 ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &aTimeLimit);
107 }
108 static void
109 squid_ldap_set_connect_timeout(int aTimeLimit)
110 {
111 #if defined(LDAP_OPT_NETWORK_TIMEOUT)
112 struct timeval tv;
113 tv.tv_sec = aTimeLimit;
114 tv.tv_usec = 0;
115 ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
116 #elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
117 aTimeLimit *= 1000;
118 ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &aTimeLimit);
119 #endif
120 }
121
122 #else
123 static int
124 squid_ldap_errno(LDAP * ld)
125 {
126 return ld->ld_errno;
127 }
128 static void
129 squid_ldap_set_aliasderef(int deref)
130 {
131 ld->ld_deref = deref;
132 }
133 static void
134 squid_ldap_set_referrals(int referrals)
135 {
136 if (referrals)
137 ld->ld_options |= ~LDAP_OPT_REFERRALS;
138 else
139 ld->ld_options &= ~LDAP_OPT_REFERRALS;
140 }
141 static void
142 squid_ldap_set_timelimit(int aTimeLimit)
143 {
144 ld->ld_timelimit = aTimeLimit;
145 }
146 static void
147 squid_ldap_set_connect_timeout(int aTimeLimit)
148 {
149 fprintf(stderr, "Connect timeouts not supported in your LDAP library\n");
150 }
151 static void
152 squid_ldap_memfree(char *p)
153 {
154 free(p);
155 }
156
157 #endif
158
159 #ifdef LDAP_API_FEATURE_X_OPENLDAP
160 #if LDAP_VENDOR_VERSION > 194
161 #define HAS_URI_SUPPORT 1
162 #endif
163 #endif
164
165 static int
166 ldap_escape_value(char *escaped, int size, const char *src)
167 {
168 int n = 0;
169 while (size > 4 && *src) {
170 switch (*src) {
171 case '*':
172 case '(':
173 case ')':
174 case '\\':
175 n += 3;
176 size -= 3;
177 if (size > 0) {
178 *escaped = '\\';
179 ++escaped;
180 snprintf(escaped, 3, "%02x", (int) *src);
181 ++src;
182 escaped += 2;
183 }
184 break;
185 default:
186 *escaped = *src;
187 ++escaped;
188 ++src;
189 ++n;
190 --size;
191 }
192 }
193 *escaped = '\0';
194 return n;
195 }
196
197 static char *
198 getpassword(char *login, char *realm)
199 {
200 LDAPMessage *res = NULL;
201 LDAPMessage *entry;
202 char **values = NULL;
203 char **value = NULL;
204 char *password = NULL;
205 int retry = 0;
206 char filter[8192];
207 char searchbase[8192];
208 int rc = -1;
209 if (ld) {
210 if (usersearchfilter) {
211 char escaped_login[1024];
212 snprintf(searchbase, sizeof(searchbase), "%s", userbasedn);
213 ldap_escape_value(escaped_login, sizeof(escaped_login), login);
214 snprintf(filter, sizeof(filter), usersearchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login);
215
216 retrysrch:
217 debug("user filter '%s', searchbase '%s'\n", filter, searchbase);
218
219 rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 0, &res);
220 if (rc != LDAP_SUCCESS) {
221 if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
222 /* Everything is fine. This is expected when referrals
223 * are disabled.
224 */
225 rc = LDAP_SUCCESS;
226 } else {
227 fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
228 #if defined(NETSCAPE_SSL)
229 if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) {
230 int sslerr = PORT_GetError();
231 fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
232 }
233 #endif
234 fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error, trying to recover'%s'\n", ldap_err2string(rc));
235 ldap_msgfree(res);
236 /* try to connect to the LDAP server agin, maybe my persisten conexion failed. */
237 if (!retry) {
238 ++retry;
239 ldap_unbind(ld);
240 ld = NULL;
241 ldapconnect();
242 goto retrysrch;
243 }
244 return NULL;
245
246 }
247 }
248 } else if (userdnattr) {
249 snprintf(filter,8192,"%s=%s",userdnattr,login);
250
251 retrydnattr:
252 debug("searchbase '%s'\n", userbasedn);
253 rc = ldap_search_s(ld, userbasedn, searchscope, filter, NULL, 0, &res);
254 }
255 if (rc == LDAP_SUCCESS) {
256 entry = ldap_first_entry(ld, res);
257 if (entry)
258 values = ldap_get_values(ld, entry, passattr);
259 else {
260 ldap_msgfree(res);
261 return NULL;
262 }
263 if (!values) {
264 debug("No attribute value found\n");
265 ldap_msgfree(res);
266 return NULL;
267 }
268 value = values;
269 while (*value) {
270 if (encrpass) {
271 const char *t = strtok(*value, delimiter);
272 if (t && strcmp(t, realm) == 0) {
273 password = strtok(NULL, delimiter);
274 break;
275 }
276 } else {
277 password = *value;
278 break;
279 }
280 ++value;
281 }
282 debug("password: %s\n", password);
283 if (password)
284 password = xstrdup(password);
285 ldap_value_free(values);
286 ldap_msgfree(res);
287 return password;
288 } else {
289 fprintf(stderr, PROGRAM_NAME " WARNING, LDAP error '%s'\n", ldap_err2string(rc));
290 /* try to connect to the LDAP server agin, maybe my persisten conexion failed. */
291 if (!retry) {
292 ++retry;
293 ldap_unbind(ld);
294 ld = NULL;
295 ldapconnect();
296 goto retrydnattr;
297 }
298 return NULL;
299 }
300 }
301 return NULL;
302 }
303
304 static void
305 ldapconnect(void)
306 {
307 int rc;
308
309 /* On Windows ldap_start_tls_s is available starting from Windows XP,
310 * so we need to bind at run-time with the function entry point
311 */
312 #if _SQUID_WINDOWS_
313 if (use_tls) {
314
315 HMODULE WLDAP32Handle;
316
317 WLDAP32Handle = GetModuleHandle("wldap32");
318 if ((Win32_ldap_start_tls_s = (PFldap_start_tls_s) GetProcAddress(WLDAP32Handle, LDAP_START_TLS_S)) == NULL) {
319 fprintf(stderr, PROGRAM_NAME ": ERROR: TLS (-Z) not supported on this platform.\n");
320 exit(1);
321 }
322 }
323 #endif
324
325 if (ld == NULL) {
326 #if HAS_URI_SUPPORT
327 if (strstr(ldapServer, "://") != NULL) {
328 rc = ldap_initialize(&ld, ldapServer);
329 if (rc != LDAP_SUCCESS) {
330 fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer);
331 }
332 } else
333 #endif
334 #if NETSCAPE_SSL
335 if (sslpath) {
336 if (!sslinit && (ldapssl_client_init(sslpath, NULL) != LDAP_SUCCESS)) {
337 fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n",
338 sslpath);
339 exit(1);
340 } else {
341 ++sslinit;
342 }
343 if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) {
344 fprintf(stderr, "\nUnable to connect to SSL LDAP server: %s port:%d\n",
345 ldapServer, port);
346 exit(1);
347 }
348 } else
349 #endif
350 if ((ld = ldap_init(ldapServer, port)) == NULL) {
351 fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n", ldapServer, port);
352 }
353 if (connect_timeout)
354 squid_ldap_set_connect_timeout(connect_timeout);
355
356 #ifdef LDAP_VERSION3
357 if (version == -1) {
358 version = LDAP_VERSION2;
359 }
360 if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version)
361 != LDAP_SUCCESS) {
362 fprintf(stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
363 version);
364 ldap_unbind(ld);
365 ld = NULL;
366 }
367 if (use_tls) {
368 #ifdef LDAP_OPT_X_TLS
369 if (version != LDAP_VERSION3) {
370 fprintf(stderr, "TLS requires LDAP version 3\n");
371 exit(1);
372 } else if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
373 fprintf(stderr, "Could not Activate TLS connection\n");
374 exit(1);
375 }
376 #else
377 fprintf(stderr, "TLS not supported with your LDAP library\n");
378 ldap_unbind(ld);
379 ld = NULL;
380 #endif
381 }
382 #endif
383 squid_ldap_set_timelimit(timelimit);
384 squid_ldap_set_referrals(!noreferrals);
385 squid_ldap_set_aliasderef(aliasderef);
386 if (binddn && bindpasswd && *binddn && *bindpasswd) {
387 rc = ldap_simple_bind_s(ld, binddn, bindpasswd);
388 if (rc != LDAP_SUCCESS) {
389 fprintf(stderr, PROGRAM_NAME " WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc));
390 ldap_unbind(ld);
391 ld = NULL;
392 }
393 }
394 debug("Connected OK\n");
395 }
396 }
397 int
398 LDAPArguments(int argc, char **argv)
399 {
400 setbuf(stdout, NULL);
401
402 while (argc > 1 && argv[1][0] == '-') {
403 const char *value = "";
404 char option = argv[1][1];
405 switch (option) {
406 case 'P':
407 case 'R':
408 case 'z':
409 case 'Z':
410 case 'g':
411 case 'e':
412 case 'S':
413 break;
414 default:
415 if (strlen(argv[1]) > 2) {
416 value = argv[1] + 2;
417 } else if (argc > 2) {
418 value = argv[2];
419 ++argv;
420 --argc;
421 } else
422 value = "";
423 break;
424 }
425 ++argv;
426 --argc;
427 switch (option) {
428 case 'H':
429 #if !HAS_URI_SUPPORT
430 fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n");
431 return 1;
432 #endif
433 /* Fall thru to -h */
434 case 'h':
435 if (ldapServer) {
436 int len = strlen(ldapServer) + 1 + strlen(value) + 1;
437 char *newhost = static_cast<char*>(xmalloc(len));
438 snprintf(newhost, len, "%s %s", ldapServer, value);
439 free(ldapServer);
440 ldapServer = newhost;
441 } else {
442 ldapServer = xstrdup(value);
443 }
444 break;
445 case 'A':
446 passattr = value;
447 break;
448 case 'e':
449 encrpass = 1;
450 break;
451 case 'l':
452 delimiter = value;
453 break;
454 case 'b':
455 userbasedn = value;
456 break;
457 case 'F':
458 usersearchfilter = value;
459 break;
460 case 'u':
461 userdnattr = value;
462 break;
463 case 's':
464 if (strcmp(value, "base") == 0)
465 searchscope = LDAP_SCOPE_BASE;
466 else if (strcmp(value, "one") == 0)
467 searchscope = LDAP_SCOPE_ONELEVEL;
468 else if (strcmp(value, "sub") == 0)
469 searchscope = LDAP_SCOPE_SUBTREE;
470 else {
471 fprintf(stderr, PROGRAM_NAME " ERROR: Unknown search scope '%s'\n", value);
472 return 1;
473 }
474 break;
475 case 'S':
476 #if defined(NETSCAPE_SSL)
477 sslpath = value;
478 if (port == LDAP_PORT)
479 port = LDAPS_PORT;
480 #else
481 fprintf(stderr, PROGRAM_NAME " ERROR: -E unsupported with this LDAP library\n");
482 return 1;
483 #endif
484 break;
485 case 'c':
486 connect_timeout = atoi(value);
487 break;
488 case 't':
489 timelimit = atoi(value);
490 break;
491 case 'a':
492 if (strcmp(value, "never") == 0)
493 aliasderef = LDAP_DEREF_NEVER;
494 else if (strcmp(value, "always") == 0)
495 aliasderef = LDAP_DEREF_ALWAYS;
496 else if (strcmp(value, "search") == 0)
497 aliasderef = LDAP_DEREF_SEARCHING;
498 else if (strcmp(value, "find") == 0)
499 aliasderef = LDAP_DEREF_FINDING;
500 else {
501 fprintf(stderr, PROGRAM_NAME " ERROR: Unknown alias dereference method '%s'\n", value);
502 return 1;
503 }
504 break;
505 case 'D':
506 binddn = value;
507 break;
508 case 'w':
509 bindpasswd = value;
510 break;
511 case 'W':
512 readSecret(value);
513 break;
514 case 'P':
515 persistent = !persistent;
516 break;
517 case 'p':
518 port = atoi(value);
519 break;
520 case 'R':
521 noreferrals = !noreferrals;
522 break;
523 #ifdef LDAP_VERSION3
524 case 'v':
525 switch (atoi(value)) {
526 case 2:
527 version = LDAP_VERSION2;
528 break;
529 case 3:
530 version = LDAP_VERSION3;
531 break;
532 default:
533 fprintf(stderr, "Protocol version should be 2 or 3\n");
534 return 1;
535 }
536 break;
537 case 'Z':
538 if (version == LDAP_VERSION2) {
539 fprintf(stderr, "TLS (-Z) is incompatible with version %d\n",
540 version);
541 return 1;
542 }
543 version = LDAP_VERSION3;
544 use_tls = 1;
545 break;
546 #endif
547 case 'd':
548 debug_enabled = 1;
549 break;
550 case 'E':
551 strip_nt_domain = 1;
552 break;
553 default:
554 fprintf(stderr, PROGRAM_NAME " ERROR: Unknown command line option '%c'\n", option);
555 return 1;
556 }
557 }
558
559 while (argc > 1) {
560 char *value = argv[1];
561 if (ldapServer) {
562 int len = strlen(ldapServer) + 1 + strlen(value) + 1;
563 char *newhost = static_cast<char*>(xmalloc(len));
564 snprintf(newhost, len, "%s %s", ldapServer, value);
565 free(ldapServer);
566 ldapServer = newhost;
567 } else {
568 ldapServer = xstrdup(value);
569 }
570 --argc;
571 ++argv;
572 }
573
574 if (!ldapServer)
575 ldapServer = (char *) "localhost";
576
577 if (!userbasedn || !passattr) {
578 fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn -f filter [options] ldap_server_name\n\n");
579 fprintf(stderr, "\t-A password attribute(REQUIRED)\t\tUser attribute that contains the password\n");
580 fprintf(stderr, "\t-l password realm delimiter(REQUIRED)\tCharater(s) that devides the password attribute\n\t\t\t\t\t\tin realm and password tokens, default ':' realm:password\n");
581 fprintf(stderr, "\t-b basedn (REQUIRED)\t\t\tbase dn under where to search for users\n");
582 fprintf(stderr, "\t-e Encrypted passwords(REQUIRED)\tPassword are stored encrypted using HHA1\n");
583 fprintf(stderr, "\t-F filter\t\t\t\tuser search filter pattern. %%s = login\n");
584 fprintf(stderr, "\t-u attribute\t\t\t\tattribute to use in combination with the basedn to create the user DN\n");
585 fprintf(stderr, "\t-s base|one|sub\t\t\t\tsearch scope\n");
586 fprintf(stderr, "\t-D binddn\t\t\t\tDN to bind as to perform searches\n");
587 fprintf(stderr, "\t-w bindpasswd\t\t\t\tpassword for binddn\n");
588 fprintf(stderr, "\t-W secretfile\t\t\t\tread password for binddn from file secretfile\n");
589 #if HAS_URI_SUPPORT
590 fprintf(stderr, "\t-H URI\t\t\t\t\tLDAPURI (defaults to ldap://localhost)\n");
591 #endif
592 fprintf(stderr, "\t-h server\t\t\t\tLDAP server (defaults to localhost)\n");
593 fprintf(stderr, "\t-p port\t\t\t\t\tLDAP server port (defaults to %d)\n", LDAP_PORT);
594 fprintf(stderr, "\t-P\t\t\t\t\tpersistent LDAP connection\n");
595 #if defined(NETSCAPE_SSL)
596 fprintf(stderr, "\t-E sslcertpath\t\t\t\tenable LDAP over SSL\n");
597 #endif
598 fprintf(stderr, "\t-c timeout\t\t\t\tconnect timeout\n");
599 fprintf(stderr, "\t-t timelimit\t\t\t\tsearch time limit\n");
600 fprintf(stderr, "\t-R\t\t\t\t\tdo not follow referrals\n");
601 fprintf(stderr, "\t-a never|always|search|find\t\twhen to dereference aliases\n");
602 #ifdef LDAP_VERSION3
603 fprintf(stderr, "\t-v 2|3\t\t\t\t\tLDAP version\n");
604 fprintf(stderr, "\t-Z\t\t\t\t\tTLS encrypt the LDAP connection, requires\n\t\t\t\tLDAP version 3\n");
605 #endif
606 fprintf(stderr, "\t-S\t\t\t\t\tStrip NT domain from usernames\n");
607 fprintf(stderr, "\n");
608 fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
609 return -1;
610 }
611 return 0;
612 }
613 static int
614 readSecret(const char *filename)
615 {
616 char buf[BUFSIZ];
617 char *e = 0;
618 FILE *f;
619
620 if (!(f = fopen(filename, "r"))) {
621 fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename);
622 return 1;
623 }
624 if (!fgets(buf, sizeof(buf) - 1, f)) {
625 fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename);
626 fclose(f);
627 return 1;
628 }
629 /* strip whitespaces on end */
630 if ((e = strrchr(buf, '\n')))
631 *e = 0;
632 if ((e = strrchr(buf, '\r')))
633 *e = 0;
634
635 bindpasswd = xstrdup(buf);
636 if (!bindpasswd) {
637 fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
638 }
639 fclose(f);
640
641 return 0;
642 }
643
644 void
645 LDAPHHA1(RequestData * requestData)
646 {
647 char *password;
648 ldapconnect();
649 password = getpassword(requestData->user, requestData->realm);
650 if (password != NULL) {
651 if (encrpass)
652 xstrncpy(requestData->HHA1, password, sizeof(requestData->HHA1));
653 else {
654 HASH HA1;
655 DigestCalcHA1("md5", requestData->user, requestData->realm, password, NULL, NULL, HA1, requestData->HHA1);
656 }
657 free(password);
658 } else {
659 requestData->error = -1;
660 }
661
662 }
663
Mirror of https://github.com/squid-cache/squid.git