/*
- * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+ * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
static const char *binddn = NULL;
static const char *bindpasswd = NULL;
static const char *delimiter = ":";
+static const char *frealm = "";
static int encrpass = 0;
static int searchscope = LDAP_SCOPE_SUBTREE;
static int persistent = 0;
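Review bot: The new `frealm` global on the line after `delimiter` carries no comment, and its empty-string sentinel is load-bearing for every later check (`*frealm` in the usage test and in LDAPHHA1). A one-line comment would make the contract explicit at the definition: `static const char *frealm = "";   // -r: only honor requests for this realm; "" means the realm comes from the -l split`. The surrounding block of option globals starts before this hunk.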
}
value = values;
while (*value) {
- if (encrpass) {
+ if (encrpass && *delimiter ) {
const char *t = strtok(*value, delimiter);
if (t && strcmp(t, realm) == 0) {
password = strtok(NULL, delimiter);
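Review bot: The added `*delimiter` guard changes which branch handles an empty `-l`, but nothing at the site says why, and a reader will assume the else branch (outside this hunk) is only for unencrypted values. Since `strtok` with an empty delimiter would return the whole attribute value and the realm comparison would then always fail, the guard is correct; a comment such as `// empty -l: the attribute holds the bare password, the realm is enforced by -r in LDAPHHA1` would tie it to the new option. Also drop the stray space in `*delimiter )`. The enclosing loop and function continue outside the hunk, so the else-branch behaviour for an empty delimiter cannot be confirmed here.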
WLDAP32Handle = GetModuleHandle("wldap32");
if ((Win32_ldap_start_tls_s = (PFldap_start_tls_s) GetProcAddress(WLDAP32Handle, LDAP_START_TLS_S)) == NULL) {
fprintf(stderr, PROGRAM_NAME ": ERROR: TLS (-Z) not supported on this platform.\n");
- exit(1);
+ exit(EXIT_FAILURE);
}
}
#endif
if (!sslinit && (ldapssl_client_init(sslpath, NULL) != LDAP_SUCCESS)) {
fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n",
sslpath);
- exit(1);
+ exit(EXIT_FAILURE);
} else {
++sslinit;
}
if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) {
fprintf(stderr, "\nUnable to connect to SSL LDAP server: %s port:%d\n",
ldapServer, port);
- exit(1);
+ exit(EXIT_FAILURE);
}
} else
#endif
#ifdef LDAP_OPT_X_TLS
if (version != LDAP_VERSION3) {
fprintf(stderr, "TLS requires LDAP version 3\n");
- exit(1);
+ exit(EXIT_FAILURE);
} else if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
fprintf(stderr, "Could not Activate TLS connection\n");
- exit(1);
+ exit(EXIT_FAILURE);
}
#else
fprintf(stderr, "TLS not supported with your LDAP library\n");
case 'l':
delimiter = value;
break;
+ case 'r':
+ frealm = value;
+ break;
case 'b':
userbasedn = value;
break;
if (!ldapServer)
ldapServer = (char *) "localhost";
- if (!userbasedn || !passattr) {
- fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn -f filter [options] ldap_server_name\n\n");
+ if (!userbasedn || !passattr || (!*delimiter && !*frealm)) {
+ fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn -F filter [options] ldap_server_name\n\n");
fprintf(stderr, "\t-A password attribute(REQUIRED)\t\tUser attribute that contains the password\n");
- fprintf(stderr, "\t-l password realm delimiter(REQUIRED)\tCharater(s) that devides the password attribute\n\t\t\t\t\t\tin realm and password tokens, default ':' realm:password\n");
+ fprintf(stderr, "\t-l password realm delimiter(REQUIRED)\tCharacter(s) that divides the password attribute\n\t\t\t\t\t\tin realm and password tokens, default ':' realm:password, could be\n\t\t\t\t\t\tempty string if the password is alone in the password attribute\n");
+ fprintf(stderr, "\t-r filtered realm\t\t\tonly honor Squid requests for this realm. Mandatory if the password is alone in\n\t\t\t\t\t\tthe password attribute, acting as the implicit realm\n");
fprintf(stderr, "\t-b basedn (REQUIRED)\t\t\tbase dn under where to search for users\n");
fprintf(stderr, "\t-e Encrypted passwords(REQUIRED)\tPassword are stored encrypted using HHA1\n");
fprintf(stderr, "\t-F filter\t\t\t\tuser search filter pattern. %%s = login\n");
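Review bot: The new usage condition `(!*delimiter && !*frealm)` rejects an empty `-l` without `-r`, but the `-l` help text on the next line still says `(REQUIRED)` while describing a default of ':' and an allowed empty string, which reads as contradictory now that the option has three meaningful states. Suggest `\t-l password realm delimiter\t\t\tCharacter(s) that divides ...` without the REQUIRED tag, or state in the `-r` line that exactly one of a non-empty `-l` or `-r` must be given. The exit after the usage text is presumably outside this hunk; if it is not unconditional, LDAPHHA1's `lookup` expression relies on it.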
void
LDAPHHA1(RequestData * requestData)
{
- char *password;
+ char *password = NULL;
ldapconnect();
- password = getpassword(requestData->user, requestData->realm);
+
+ // use the -l delimiter to find realm, or
+ // only honor the -r specified realm
+ const bool lookup = (!*frealm && *delimiter) ||
+ (*frealm && strcmp(requestData->realm, frealm) == 0);
+
+ if (lookup)
+ password = getpassword(requestData->user, requestData->realm);
+
if (password != NULL) {
if (encrpass)
xstrncpy(requestData->HHA1, password, sizeof(requestData->HHA1));
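Review bot: `strcmp(requestData->realm, frealm)` on the `lookup` line dereferences the request realm without a NULL check; if the request parser can leave `realm` unset (not visible here), this is undefined behaviour on a malformed helper request, so `requestData->realm && strcmp(requestData->realm, frealm) == 0` is the safer form. The first operand `(!*frealm && *delimiter)` appears redundant, since the usage check earlier in the patch already refuses an empty `-l` together with an empty `-r`; if that check always exits, `const bool lookup = !*frealm || (requestData->realm && strcmp(requestData->realm, frealm) == 0);` expresses the same rule more directly. The comment above `lookup` should also say that with both `-l` and `-r` set the realm is checked here first and again by the `-l` split in getpassword. LDAPHHA1 continues past the end of this hunk.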