{
struct gdstruct *p = NULL, *pp = NULL;
- start:
+start:
p = gdsp;
if (!p)
- return;
+ return;
while (p->next) {
- pp = p;
- p = p->next;
+ pp = p;
+ p = p->next;
}
if (p->group) {
- xfree(p->group);
- p->group = NULL;
+ xfree(p->group);
+ p->group = NULL;
}
if (p->domain) {
- xfree(p->domain);
- p->domain = NULL;
+ xfree(p->domain);
+ p->domain = NULL;
}
if (pp && pp->next) {
- xfree(pp->next);
- pp->next = NULL;
+ xfree(pp->next);
+ pp->next = NULL;
}
if (p == gdsp) {
- xfree(gdsp);
- gdsp = NULL;
+ xfree(gdsp);
+ gdsp = NULL;
}
goto start;
}
{
struct ndstruct *p = NULL, *pp = NULL;
- start:
+start:
p = ndsp;
if (!p)
- return;
+ return;
while (p->next) {
- pp = p;
- p = p->next;
+ pp = p;
+ p = p->next;
}
if (p->netbios) {
- xfree(p->netbios);
- p->netbios = NULL;
+ xfree(p->netbios);
+ p->netbios = NULL;
}
if (p->domain) {
- xfree(p->domain);
- p->domain = NULL;
+ xfree(p->domain);
+ p->domain = NULL;
}
if (pp && pp->next) {
- xfree(pp->next);
- pp->next = NULL;
+ xfree(pp->next);
+ pp->next = NULL;
}
if (p == ndsp) {
- xfree(ndsp);
- ndsp = NULL;
+ xfree(ndsp);
+ ndsp = NULL;
}
goto start;
}
clean_args(struct main_args *margs)
{
if (margs->glist) {
- xfree(margs->glist);
- margs->glist = NULL;
+ xfree(margs->glist);
+ margs->glist = NULL;
}
if (margs->ulist) {
- xfree(margs->ulist);
- margs->ulist = NULL;
+ xfree(margs->ulist);
+ margs->ulist = NULL;
}
if (margs->tlist) {
- xfree(margs->tlist);
- margs->tlist = NULL;
+ xfree(margs->tlist);
+ margs->tlist = NULL;
}
if (margs->nlist) {
- xfree(margs->nlist);
- margs->nlist = NULL;
+ xfree(margs->nlist);
+ margs->nlist = NULL;
}
if (margs->luser) {
- xfree(margs->luser);
- margs->luser = NULL;
+ xfree(margs->luser);
+ margs->luser = NULL;
}
if (margs->lpass) {
- xfree(margs->lpass);
- margs->lpass = NULL;
+ xfree(margs->lpass);
+ margs->lpass = NULL;
}
if (margs->lbind) {
- xfree(margs->lbind);
- margs->lbind = NULL;
+ xfree(margs->lbind);
+ margs->lbind = NULL;
}
if (margs->lurl) {
- xfree(margs->lurl);
- margs->lurl = NULL;
+ xfree(margs->lurl);
+ margs->lurl = NULL;
}
if (margs->ssl) {
- xfree(margs->ssl);
- margs->ssl = NULL;
+ xfree(margs->ssl);
+ margs->ssl = NULL;
}
if (margs->ddomain) {
- xfree(margs->ddomain);
- margs->ddomain = NULL;
+ xfree(margs->ddomain);
+ margs->ddomain = NULL;
}
if (margs->groups) {
- clean_gd(margs->groups);
- margs->groups = NULL;
+ clean_gd(margs->groups);
+ margs->groups = NULL;
}
if (margs->ndoms) {
- clean_nd(margs->ndoms);
- margs->ndoms = NULL;
+ clean_nd(margs->ndoms);
+ margs->ndoms = NULL;
}
}
init_args(&margs);
while (-1 != (opt = getopt(argc, argv, "diasg:D:N:u:U:t:T:p:l:b:m:h"))) {
- switch (opt) {
- case 'd':
- debug_enabled = 1;
- break;
- case 'i':
- log_enabled = 1;
- break;
- case 'a':
- margs.rc_allow = 1;
- break;
- case 's':
- margs.ssl = (char *) "yes";
- break;
- case 'g':
- margs.glist = xstrdup(optarg);
- break;
- case 'D':
- margs.ddomain = xstrdup(optarg);
- break;
- case 'N':
- margs.nlist = xstrdup(optarg);
- break;
- case 'u':
- margs.luser = xstrdup(optarg);
- break;
- case 'U':
- margs.ulist = xstrdup(optarg);
- break;
- case 't':
- margs.ulist = xstrdup(optarg);
- break;
- case 'T':
- margs.tlist = xstrdup(optarg);
- break;
- case 'p':
- margs.lpass = xstrdup(optarg);
- /* Hide Password */
- memset(optarg, 'X', strlen(optarg));
- break;
- case 'l':
- margs.lurl = xstrdup(optarg);
- break;
- case 'b':
- margs.lbind = xstrdup(optarg);
- break;
- case 'm':
- margs.mdepth = atoi(optarg);
- break;
- case 'h':
- fprintf(stderr, "Usage: \n");
- fprintf(stderr, "squid_kerb_ldap [-d] [-i] -g group list [-D domain] [-N netbios domain map] [-s] [-u ldap user] [-p ldap user password] [-l ldap url] [-b ldap bind path] [-a] [-m max depth] [-h]\n");
- fprintf(stderr, "-d full debug\n");
- fprintf(stderr, "-i informational messages\n");
- fprintf(stderr, "-g group list\n");
- fprintf(stderr, "-t group list (only group name hex UTF-8 format)\n");
- fprintf(stderr, "-T group list (all in hex UTF-8 format - except seperator @)\n");
- fprintf(stderr, "-D default domain\n");
- fprintf(stderr, "-N netbios to dns domain map\n");
- fprintf(stderr, "-u ldap user\n");
- fprintf(stderr, "-p ldap user password\n");
- fprintf(stderr, "-l ldap url\n");
- fprintf(stderr, "-b ldap bind path\n");
- fprintf(stderr, "-s use SSL encryption with Kerberos authentication\n");
- fprintf(stderr, "-a allow SSL without cert verification\n");
- fprintf(stderr, "-m maximal depth for recursive searches\n");
- fprintf(stderr, "-h help\n");
- fprintf(stderr, "The ldap url, ldap user and ldap user password details are only used if the kerberised\n");
- fprintf(stderr, "access fails(e.g. unknown domain) or if the username does not contain a domain part\n");
- fprintf(stderr, "and no default domain is provided.\n");
- fprintf(stderr, "If the ldap url starts with ldaps:// it is either start_tls or simple SSL\n");
- fprintf(stderr, "The group list can be:\n");
- fprintf(stderr, "group - In this case group can be used for all keberised and non kerberised ldap servers\n");
- fprintf(stderr, "group@ - In this case group can be used for all keberised ldap servers\n");
- fprintf(stderr, "group@domain - In this case group can be used for ldap servers of domain domain\n");
- fprintf(stderr, "group1@domain1:group2@domain2:group3@:group4 - A list is build with a colon as seperator\n");
- fprintf(stderr, "Group membership is determined with AD servers through the users memberof attribute which\n");
- fprintf(stderr, "is followed to the top (e.g. if the group is a member of a group)\n");
- fprintf(stderr, "Group membership is determined with non AD servers through the users memberuid (assuming\n");
- fprintf(stderr, "PosixGroup) or primary group membership (assuming PosixAccount)\n");
- clean_args(&margs);
- exit(0);
- default:
- warn((char *) "%s| %s: WARNING: unknown option: -%c.\n", LogTime(), PROGRAM, opt);
- }
+ switch (opt) {
+ case 'd':
+ debug_enabled = 1;
+ break;
+ case 'i':
+ log_enabled = 1;
+ break;
+ case 'a':
+ margs.rc_allow = 1;
+ break;
+ case 's':
+ margs.ssl = (char *) "yes";
+ break;
+ case 'g':
+ margs.glist = xstrdup(optarg);
+ break;
+ case 'D':
+ margs.ddomain = xstrdup(optarg);
+ break;
+ case 'N':
+ margs.nlist = xstrdup(optarg);
+ break;
+ case 'u':
+ margs.luser = xstrdup(optarg);
+ break;
+ case 'U':
+ margs.ulist = xstrdup(optarg);
+ break;
+ case 't':
+ margs.ulist = xstrdup(optarg);
+ break;
+ case 'T':
+ margs.tlist = xstrdup(optarg);
+ break;
+ case 'p':
+ margs.lpass = xstrdup(optarg);
+ /* Hide Password */
+ memset(optarg, 'X', strlen(optarg));
+ break;
+ case 'l':
+ margs.lurl = xstrdup(optarg);
+ break;
+ case 'b':
+ margs.lbind = xstrdup(optarg);
+ break;
+ case 'm':
+ margs.mdepth = atoi(optarg);
+ break;
+ case 'h':
+ fprintf(stderr, "Usage: \n");
+ fprintf(stderr, "squid_kerb_ldap [-d] [-i] -g group list [-D domain] [-N netbios domain map] [-s] [-u ldap user] [-p ldap user password] [-l ldap url] [-b ldap bind path] [-a] [-m max depth] [-h]\n");
+ fprintf(stderr, "-d full debug\n");
+ fprintf(stderr, "-i informational messages\n");
+ fprintf(stderr, "-g group list\n");
+ fprintf(stderr, "-t group list (only group name hex UTF-8 format)\n");
+ fprintf(stderr, "-T group list (all in hex UTF-8 format - except seperator @)\n");
+ fprintf(stderr, "-D default domain\n");
+ fprintf(stderr, "-N netbios to dns domain map\n");
+ fprintf(stderr, "-u ldap user\n");
+ fprintf(stderr, "-p ldap user password\n");
+ fprintf(stderr, "-l ldap url\n");
+ fprintf(stderr, "-b ldap bind path\n");
+ fprintf(stderr, "-s use SSL encryption with Kerberos authentication\n");
+ fprintf(stderr, "-a allow SSL without cert verification\n");
+ fprintf(stderr, "-m maximal depth for recursive searches\n");
+ fprintf(stderr, "-h help\n");
+ fprintf(stderr, "The ldap url, ldap user and ldap user password details are only used if the kerberised\n");
+ fprintf(stderr, "access fails(e.g. unknown domain) or if the username does not contain a domain part\n");
+ fprintf(stderr, "and no default domain is provided.\n");
+ fprintf(stderr, "If the ldap url starts with ldaps:// it is either start_tls or simple SSL\n");
+ fprintf(stderr, "The group list can be:\n");
+ fprintf(stderr, "group - In this case group can be used for all keberised and non kerberised ldap servers\n");
+ fprintf(stderr, "group@ - In this case group can be used for all keberised ldap servers\n");
+ fprintf(stderr, "group@domain - In this case group can be used for ldap servers of domain domain\n");
+ fprintf(stderr, "group1@domain1:group2@domain2:group3@:group4 - A list is build with a colon as seperator\n");
+ fprintf(stderr, "Group membership is determined with AD servers through the users memberof attribute which\n");
+ fprintf(stderr, "is followed to the top (e.g. if the group is a member of a group)\n");
+ fprintf(stderr, "Group membership is determined with non AD servers through the users memberuid (assuming\n");
+ fprintf(stderr, "PosixGroup) or primary group membership (assuming PosixAccount)\n");
+ clean_args(&margs);
+ exit(0);
+ default:
+ warn((char *) "%s| %s: WARNING: unknown option: -%c.\n", LogTime(), PROGRAM, opt);
+ }
}
debug((char *) "%s| %s: INFO: Starting version %s\n", LogTime(), PROGRAM, KERBEROS_LDAP_GROUP_VERSION);
if (create_gd(&margs)) {
- debug((char *) "%s| %s: FATAL: Error in group list: %s\n", LogTime(), PROGRAM, margs.glist ? margs.glist : "NULL");
- SEND_ERR("");
- clean_args(&margs);
- exit(1);
+ debug((char *) "%s| %s: FATAL: Error in group list: %s\n", LogTime(), PROGRAM, margs.glist ? margs.glist : "NULL");
+ SEND_ERR("");
+ clean_args(&margs);
+ exit(1);
}
if (create_nd(&margs)) {
- debug((char *) "%s| %s: FATAL: Error in netbios list: %s\n", LogTime(), PROGRAM, margs.nlist ? margs.nlist : "NULL");
- SEND_ERR("");
- clean_args(&margs);
- exit(1);
+ debug((char *) "%s| %s: FATAL: Error in netbios list: %s\n", LogTime(), PROGRAM, margs.nlist ? margs.nlist : "NULL");
+ SEND_ERR("");
+ clean_args(&margs);
+ exit(1);
}
while (1) {
- if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) {
- if (ferror(stdin)) {
- debug((char *) "%s| %s: FATAL: fgets() failed! dying..... errno=%d (%s)\n", LogTime(), PROGRAM, ferror(stdin),
- strerror(ferror(stdin)));
+ if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) {
+ if (ferror(stdin)) {
+ debug((char *) "%s| %s: FATAL: fgets() failed! dying..... errno=%d (%s)\n", LogTime(), PROGRAM, ferror(stdin),
+ strerror(ferror(stdin)));
- SEND_ERR("");
- clean_args(&margs);
- exit(1); /* BIIG buffer */
- }
- SEND_ERR("");
- clean_args(&margs);
- exit(0);
- }
- c = (char *) memchr(buf, '\n', sizeof(buf) - 1);
- if (c) {
- *c = '\0';
- length = c - buf;
- } else {
- SEND_ERR("");
- debug((char *) "%s| %s: ERR\n", LogTime(), PROGRAM);
- continue;
- }
+ SEND_ERR("");
+ clean_args(&margs);
+ exit(1); /* BIIG buffer */
+ }
+ SEND_ERR("");
+ clean_args(&margs);
+ exit(0);
+ }
+ c = (char *) memchr(buf, '\n', sizeof(buf) - 1);
+ if (c) {
+ *c = '\0';
+ length = c - buf;
+ } else {
+ SEND_ERR("");
+ debug((char *) "%s| %s: ERR\n", LogTime(), PROGRAM);
+ continue;
+ }
- user = buf;
- nuser = strchr(user, '\\');
- if (!nuser)
- nuser8 = strstr(user, "%5C");
- if (!nuser && !nuser8)
- nuser8 = strstr(user, "%5c");
- domain = strrchr(user, '@');
- if (nuser || nuser8) {
- if (nuser) {
- *nuser = '\0';
- nuser++;
- } else {
- *nuser8 = '\0';
- nuser = nuser8 + 3;
- }
- netbios = user;
- if (debug_enabled)
- debug((char *) "%s| %s: INFO: Got User: %s Netbios Name: %s\n", LogTime(), PROGRAM, nuser, netbios);
- else
- log((char *) "%s| %s: INFO: Got User: %s Netbios Name: %s\n", LogTime(), PROGRAM, nuser, netbios);
- domain = get_netbios_name(&margs, netbios);
- user = nuser;
- } else if (domain) {
- strup(domain);
- *domain = '\0';
- domain++;
- }
- if (!domain && margs.ddomain) {
- domain = xstrdup(margs.ddomain);
- if (debug_enabled)
- debug((char *) "%s| %s: INFO: Got User: %s set default domain: %s\n", LogTime(), PROGRAM, user, domain);
- else
- log((char *) "%s| %s: INFO: Got User: %s set default domain: %s\n", LogTime(), PROGRAM, user, domain);
- }
- if (debug_enabled)
- debug((char *) "%s| %s: INFO: Got User: %s Domain: %s\n", LogTime(), PROGRAM, user, domain ? domain : "NULL");
- else
- log((char *) "%s| %s: INFO: Got User: %s Domain: %s\n", LogTime(), PROGRAM, user, domain ? domain : "NULL");
+ user = buf;
+ nuser = strchr(user, '\\');
+ if (!nuser)
+ nuser8 = strstr(user, "%5C");
+ if (!nuser && !nuser8)
+ nuser8 = strstr(user, "%5c");
+ domain = strrchr(user, '@');
+ if (nuser || nuser8) {
+ if (nuser) {
+ *nuser = '\0';
+ nuser++;
+ } else {
+ *nuser8 = '\0';
+ nuser = nuser8 + 3;
+ }
+ netbios = user;
+ if (debug_enabled)
+ debug((char *) "%s| %s: INFO: Got User: %s Netbios Name: %s\n", LogTime(), PROGRAM, nuser, netbios);
+ else
+ log((char *) "%s| %s: INFO: Got User: %s Netbios Name: %s\n", LogTime(), PROGRAM, nuser, netbios);
+ domain = get_netbios_name(&margs, netbios);
+ user = nuser;
+ } else if (domain) {
+ strup(domain);
+ *domain = '\0';
+ domain++;
+ }
+ if (!domain && margs.ddomain) {
+ domain = xstrdup(margs.ddomain);
+ if (debug_enabled)
+ debug((char *) "%s| %s: INFO: Got User: %s set default domain: %s\n", LogTime(), PROGRAM, user, domain);
+ else
+ log((char *) "%s| %s: INFO: Got User: %s set default domain: %s\n", LogTime(), PROGRAM, user, domain);
+ }
+ if (debug_enabled)
+ debug((char *) "%s| %s: INFO: Got User: %s Domain: %s\n", LogTime(), PROGRAM, user, domain ? domain : "NULL");
+ else
+ log((char *) "%s| %s: INFO: Got User: %s Domain: %s\n", LogTime(), PROGRAM, user, domain ? domain : "NULL");
- if (!strcmp(user, "QQ") && domain && !strcmp(domain, "QQ")) {
- clean_args(&margs);
- exit(-1);
- }
- if (check_memberof(&margs, user, domain)) {
- SEND_OK("");
- debug((char *) "%s| %s: DEBUG: OK\n", LogTime(), PROGRAM);
- } else {
- SEND_ERR("");
- debug((char *) "%s| %s: DEBUG: ERR\n", LogTime(), PROGRAM);
- }
+ if (!strcmp(user, "QQ") && domain && !strcmp(domain, "QQ")) {
+ clean_args(&margs);
+ exit(-1);
+ }
+ if (check_memberof(&margs, user, domain)) {
+ SEND_OK("");
+ debug((char *) "%s| %s: DEBUG: OK\n", LogTime(), PROGRAM);
+ } else {
+ SEND_ERR("");
+ debug((char *) "%s| %s: DEBUG: ERR\n", LogTime(), PROGRAM);
+ }
}
strup(char *s)
{
while (*s) {
- *s = toupper((unsigned char) *s);
- s++;
+ *s = toupper((unsigned char) *s);
+ s++;
}
}
setbuf(stdin, NULL);
char buf[6400];
while (1) {
- if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) {
- }
- fprintf(stdout, "ERR\n");
- fprintf(stderr, "LDAP group authorisation not supported\n");
+ if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) {
+ }
+ fprintf(stdout, "ERR\n");
+ fprintf(stderr, "LDAP group authorisation not supported\n");
}
}
#endif
#define error(X...) \
fprintf(stderr, "%s(%d): pid=%ld :", __FILE__, __LINE__, (long)getpid() ); \
fprintf(stderr,X); \
-
+
#define warn(X...) \
fprintf(stderr, "%s(%d): pid=%ld :", __FILE__, __LINE__, (long)getpid() ); \
fprintf(stderr,X); \
-
+
#else /* __GNUC__ */
/* non-GCC compilers can't do the above macro define yet. */
struct gdstruct *init_gd(void);
struct gdstruct *
-init_gd(void)
-{
+init_gd(void) {
struct gdstruct *gdsp;
gdsp = (struct gdstruct *) xmalloc(sizeof(struct gdstruct));
gdsp->group = NULL;
src = margs->glist;
if (!src)
- return NULL;
+ return NULL;
for (n = 0; n < strlen(src); n++)
- if ((unsigned char) src[n] > 127)
- c++;
+ if ((unsigned char) src[n] > 127)
+ c++;
if (c != 0) {
- p = (unsigned char *) xmalloc(strlen(src) + c);
- dup = p;
- for (n = 0; n < strlen(src); n++) {
- s = (unsigned char) src[n];
- if (s > 127 && s < 192) {
- *p = 194;
- p++;
- *p = s;
- } else if (s > 191 && s < 256) {
- *p = 195;
- p++;
- *p = s - 64;
- } else
- *p = s;
- p++;
- }
- *p = '\0';
- debug((char *) "%s| %s: INFO: Group %s as UTF-8: %s\n", LogTime(), PROGRAM, src, dup);
- return (char *) dup;
+ p = (unsigned char *) xmalloc(strlen(src) + c);
+ dup = p;
+ for (n = 0; n < strlen(src); n++) {
+ s = (unsigned char) src[n];
+ if (s > 127 && s < 192) {
+ *p = 194;
+ p++;
+ *p = s;
+ } else if (s > 191 && s < 256) {
+ *p = 195;
+ p++;
+ *p = s - 64;
+ } else
+ *p = s;
+ p++;
+ }
+ *p = '\0';
+ debug((char *) "%s| %s: INFO: Group %s as UTF-8: %s\n", LogTime(), PROGRAM, src, dup);
+ return (char *) dup;
} else
- return xstrdup(src);
+ return xstrdup(src);
}
char *hex_utf_char(struct main_args *margs, int flag);
/*
* UTF8 = UTF1 / UTFMB
* UTFMB = UTF2 / UTF3 / UTF4
- *
+ *
* UTF0 = %x80-BF
* UTF1 = %x00-7F
* UTF2 = %xC2-DF UTF0
* %xED %x80-9F UTF0 / %xEE-EF 2(UTF0)
* UTF4 = %xF0 %x90-BF 2(UTF0) / %xF1-F3 3(UTF0) /
* %xF4 %x80-8F 2(UTF0)
- *
+ *
* http://www.utf8-chartable.de/unicode-utf8-table.pl
*/
int iUTF2, iUTF3, iUTF4;
if (flag) {
- up = margs->ulist;
+ up = margs->ulist;
} else {
- up = margs->tlist;
+ up = margs->tlist;
}
if (!up)
- return NULL;
+ return NULL;
upd = strrchr(up, '@');
if (upd)
- a = upd - up;
+ a = upd - up;
else
- a = strlen(up);
+ a = strlen(up);
ul = (char *) xmalloc(strlen(up));
n = 0;
iUTF4 = 0;
while (n < (int) strlen(up)) {
- if (flag && n == a)
- break;
- if (up[n] == '@') {
- ul[nl] = '@';
- nl++;
- n++;
- continue;
- }
- ival = up[n];
- if (ival > 64 && ival < 71)
- ichar = (ival - 55) * 16;
- else if (ival > 96 && ival < 103)
- ichar = (ival - 87) * 16;
- else if (ival > 47 && ival < 58)
- ichar = (ival - 48) * 16;
- else {
- debug((char *) "%s| %s: WARNING: Invalid Hex value %c\n", LogTime(), PROGRAM, ival);
- if (ul)
- xfree(ul);
- return NULL;
- }
+ if (flag && n == a)
+ break;
+ if (up[n] == '@') {
+ ul[nl] = '@';
+ nl++;
+ n++;
+ continue;
+ }
+ ival = up[n];
+ if (ival > 64 && ival < 71)
+ ichar = (ival - 55) * 16;
+ else if (ival > 96 && ival < 103)
+ ichar = (ival - 87) * 16;
+ else if (ival > 47 && ival < 58)
+ ichar = (ival - 48) * 16;
+ else {
+ debug((char *) "%s| %s: WARNING: Invalid Hex value %c\n", LogTime(), PROGRAM, ival);
+ if (ul)
+ xfree(ul);
+ return NULL;
+ }
- if (n == a - 1) {
- debug((char *) "%s| %s: WARNING: Invalid Hex UTF-8 string %s\n", LogTime(), PROGRAM, up);
- if (ul)
- xfree(ul);
- return NULL;
- }
- n++;
- ival = up[n];
- if (ival > 64 && ival < 71)
- ichar = ichar + ival - 55;
- else if (ival > 96 && ival < 103)
- ichar = ichar + ival - 87;
- else if (ival > 47 && ival < 58)
- ichar = ichar + ival - 48;
- else {
- debug((char *) "%s| %s: WARNING: Invalid Hex value %c\n", LogTime(), PROGRAM, ival);
- if (ul)
- xfree(ul);
- return NULL;
- }
+ if (n == a - 1) {
+ debug((char *) "%s| %s: WARNING: Invalid Hex UTF-8 string %s\n", LogTime(), PROGRAM, up);
+ if (ul)
+ xfree(ul);
+ return NULL;
+ }
+ n++;
+ ival = up[n];
+ if (ival > 64 && ival < 71)
+ ichar = ichar + ival - 55;
+ else if (ival > 96 && ival < 103)
+ ichar = ichar + ival - 87;
+ else if (ival > 47 && ival < 58)
+ ichar = ichar + ival - 48;
+ else {
+ debug((char *) "%s| %s: WARNING: Invalid Hex value %c\n", LogTime(), PROGRAM, ival);
+ if (ul)
+ xfree(ul);
+ return NULL;
+ }
- if (iUTF2) {
- if (iUTF2 == 0xC2 && ichar > 0x7F && ichar < 0xC0) {
- iUTF2 = 0;
- ul[nl - 1] = ichar;
- } else if (iUTF2 == 0xC3 && ichar > 0x7F && ichar < 0xC0) {
- iUTF2 = 0;
- ul[nl - 1] = ichar + 64;
- } else if (iUTF2 > 0xC3 && iUTF2 < 0xE0 && ichar > 0x7F && ichar < 0xC0) {
- iUTF2 = 0;
- ul[nl] = ichar;
- nl++;
- } else {
- iUTF2 = 0;
- ul[nl] = ichar;
- ul[nl + 1] = '\0';
- debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul);
- if (ul)
- xfree(ul);
- return NULL;
- }
- } else if (iUTF3) {
- if (iUTF3 == 0xE0 && ichar > 0x9F && ichar < 0xC0) {
- iUTF3 = 1;
- ul[nl] = ichar;
- nl++;
- } else if (iUTF3 > 0xE0 && iUTF3 < 0xED && ichar > 0x7F && ichar < 0xC0) {
- iUTF3 = 2;
- ul[nl] = ichar;
- nl++;
- } else if (iUTF3 == 0xED && ichar > 0x7F && ichar < 0xA0) {
- iUTF3 = 3;
- ul[nl] = ichar;
- nl++;
- } else if (iUTF3 > 0xED && iUTF3 < 0xF0 && ichar > 0x7F && ichar < 0xC0) {
- iUTF3 = 4;
- ul[nl] = ichar;
- nl++;
- } else if (iUTF3 > 0 && iUTF3 < 5 && ichar > 0x7F && ichar < 0xC0) {
- iUTF3 = 0;
- ul[nl] = ichar;
- nl++;
- } else {
- iUTF3 = 0;
- ul[nl] = ichar;
- ul[nl + 1] = '\0';
- debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul);
- if (ul)
- xfree(ul);
- return NULL;
- }
- } else if (iUTF4) {
- if (iUTF4 == 0xF0 && ichar > 0x8F && ichar < 0xC0) {
- iUTF4 = 1;
- ul[nl] = ichar;
- nl++;
- } else if (iUTF4 > 0xF0 && iUTF3 < 0xF4 && ichar > 0x7F && ichar < 0xC0) {
- iUTF4 = 2;
- ul[nl] = ichar;
- nl++;
- } else if (iUTF4 == 0xF4 && ichar > 0x7F && ichar < 0x90) {
- iUTF4 = 3;
- ul[nl] = ichar;
- nl++;
- } else if (iUTF4 > 0 && iUTF4 < 5 && ichar > 0x7F && ichar < 0xC0) {
- if (iUTF4 == 4)
- iUTF4 = 0;
- else
- iUTF4 = 4;
- ul[nl] = ichar;
- nl++;
- } else {
- iUTF4 = 0;
- ul[nl] = ichar;
- ul[nl + 1] = '\0';
- debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul);
- if (ul)
- xfree(ul);
- return NULL;
- }
- } else if (ichar < 0x80) {
- /* UTF1 */
- ul[nl] = ichar;
- nl++;
- } else if (ichar > 0xC1 && ichar < 0xE0) {
- /* UTF2 (Latin) */
- iUTF2 = ichar;
- ul[nl] = ichar;
- nl++;
- } else if (ichar > 0xDF && ichar < 0xF0) {
- /* UTF3 */
- iUTF3 = ichar;
- ul[nl] = ichar;
- nl++;
- } else if (ichar > 0xEF && ichar < 0xF5) {
- /* UTF4 */
- iUTF4 = ichar;
- ul[nl] = ichar;
- nl++;
- } else {
- ul[nl] = ichar;
- ul[nl + 1] = '\0';
- debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul);
- if (ul)
- xfree(ul);
- return NULL;
- }
- n++;
+ if (iUTF2) {
+ if (iUTF2 == 0xC2 && ichar > 0x7F && ichar < 0xC0) {
+ iUTF2 = 0;
+ ul[nl - 1] = ichar;
+ } else if (iUTF2 == 0xC3 && ichar > 0x7F && ichar < 0xC0) {
+ iUTF2 = 0;
+ ul[nl - 1] = ichar + 64;
+ } else if (iUTF2 > 0xC3 && iUTF2 < 0xE0 && ichar > 0x7F && ichar < 0xC0) {
+ iUTF2 = 0;
+ ul[nl] = ichar;
+ nl++;
+ } else {
+ iUTF2 = 0;
+ ul[nl] = ichar;
+ ul[nl + 1] = '\0';
+ debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul);
+ if (ul)
+ xfree(ul);
+ return NULL;
+ }
+ } else if (iUTF3) {
+ if (iUTF3 == 0xE0 && ichar > 0x9F && ichar < 0xC0) {
+ iUTF3 = 1;
+ ul[nl] = ichar;
+ nl++;
+ } else if (iUTF3 > 0xE0 && iUTF3 < 0xED && ichar > 0x7F && ichar < 0xC0) {
+ iUTF3 = 2;
+ ul[nl] = ichar;
+ nl++;
+ } else if (iUTF3 == 0xED && ichar > 0x7F && ichar < 0xA0) {
+ iUTF3 = 3;
+ ul[nl] = ichar;
+ nl++;
+ } else if (iUTF3 > 0xED && iUTF3 < 0xF0 && ichar > 0x7F && ichar < 0xC0) {
+ iUTF3 = 4;
+ ul[nl] = ichar;
+ nl++;
+ } else if (iUTF3 > 0 && iUTF3 < 5 && ichar > 0x7F && ichar < 0xC0) {
+ iUTF3 = 0;
+ ul[nl] = ichar;
+ nl++;
+ } else {
+ iUTF3 = 0;
+ ul[nl] = ichar;
+ ul[nl + 1] = '\0';
+ debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul);
+ if (ul)
+ xfree(ul);
+ return NULL;
+ }
+ } else if (iUTF4) {
+ if (iUTF4 == 0xF0 && ichar > 0x8F && ichar < 0xC0) {
+ iUTF4 = 1;
+ ul[nl] = ichar;
+ nl++;
+ } else if (iUTF4 > 0xF0 && iUTF3 < 0xF4 && ichar > 0x7F && ichar < 0xC0) {
+ iUTF4 = 2;
+ ul[nl] = ichar;
+ nl++;
+ } else if (iUTF4 == 0xF4 && ichar > 0x7F && ichar < 0x90) {
+ iUTF4 = 3;
+ ul[nl] = ichar;
+ nl++;
+ } else if (iUTF4 > 0 && iUTF4 < 5 && ichar > 0x7F && ichar < 0xC0) {
+ if (iUTF4 == 4)
+ iUTF4 = 0;
+ else
+ iUTF4 = 4;
+ ul[nl] = ichar;
+ nl++;
+ } else {
+ iUTF4 = 0;
+ ul[nl] = ichar;
+ ul[nl + 1] = '\0';
+ debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul);
+ if (ul)
+ xfree(ul);
+ return NULL;
+ }
+ } else if (ichar < 0x80) {
+ /* UTF1 */
+ ul[nl] = ichar;
+ nl++;
+ } else if (ichar > 0xC1 && ichar < 0xE0) {
+ /* UTF2 (Latin) */
+ iUTF2 = ichar;
+ ul[nl] = ichar;
+ nl++;
+ } else if (ichar > 0xDF && ichar < 0xF0) {
+ /* UTF3 */
+ iUTF3 = ichar;
+ ul[nl] = ichar;
+ nl++;
+ } else if (ichar > 0xEF && ichar < 0xF5) {
+ /* UTF4 */
+ iUTF4 = ichar;
+ ul[nl] = ichar;
+ nl++;
+ } else {
+ ul[nl] = ichar;
+ ul[nl + 1] = '\0';
+ debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul);
+ if (ul)
+ xfree(ul);
+ return NULL;
+ }
+ n++;
}
ul[nl] = '\0';
if (iUTF2 || iUTF3 || iUTF4) {
- debug((char *) "%s| %s: INFO: iUTF2: %d iUTF3: %d iUTF4: %d\n", LogTime(), PROGRAM, iUTF2, iUTF3, iUTF4);
- debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul);
- if (ul)
- xfree(ul);
- return NULL;
+ debug((char *) "%s| %s: INFO: iUTF2: %d iUTF3: %d iUTF4: %d\n", LogTime(), PROGRAM, iUTF2, iUTF3, iUTF4);
+ debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul);
+ if (ul)
+ xfree(ul);
+ return NULL;
}
if (flag && upd)
- ul = strcat(ul, upd);
+ ul = strcat(ul, upd);
return ul;
}
*
* glist=Pattern1[:Pattern2]
*
- * Pattern=Group Group for all domains(including non Kerberos domains using ldap url options) if no
- * other group definition for domain exists or users without
+ * Pattern=Group Group for all domains(including non Kerberos domains using ldap url options) if no
+ * other group definition for domain exists or users without
* domain information.
* gdstruct.domain=NULL, gdstruct.group=Group
- *
+ *
* or Pattern=Group@ Group for all Kerberos domains if no other group definition
- * exists
+ * exists
* gdstruct.domain="", gdstruct.group=Group
*
* or Pattern=Group@Domain Group for a specific Kerberos domain
up = utf8dup(margs);
p = up;
if (hp1) {
- if (hp2) {
- if (up) {
- p = (char *) xmalloc(strlen(up) + strlen(hp1) + strlen(hp2) + 2);
- strcpy(p, up);
- strcat(p, ":");
- strcat(p, hp1);
- strcat(p, ":");
- strcat(p, hp2);
- } else {
- p = (char *) xmalloc(strlen(hp1) + strlen(hp2) + 1);
- strcpy(p, hp1);
- strcat(p, ":");
- strcat(p, hp2);
- }
- } else {
- if (up) {
- p = (char *) xmalloc(strlen(up) + strlen(hp1) + 1);
- strcpy(p, up);
- strcat(p, ":");
- strcat(p, hp1);
- } else
- p = hp1;
- }
+ if (hp2) {
+ if (up) {
+ p = (char *) xmalloc(strlen(up) + strlen(hp1) + strlen(hp2) + 2);
+ strcpy(p, up);
+ strcat(p, ":");
+ strcat(p, hp1);
+ strcat(p, ":");
+ strcat(p, hp2);
+ } else {
+ p = (char *) xmalloc(strlen(hp1) + strlen(hp2) + 1);
+ strcpy(p, hp1);
+ strcat(p, ":");
+ strcat(p, hp2);
+ }
+ } else {
+ if (up) {
+ p = (char *) xmalloc(strlen(up) + strlen(hp1) + 1);
+ strcpy(p, up);
+ strcat(p, ":");
+ strcat(p, hp1);
+ } else
+ p = hp1;
+ }
} else {
- if (hp2) {
- if (up) {
- p = (char *) xmalloc(strlen(up) + strlen(hp2) + 1);
- strcpy(p, up);
- strcat(p, ":");
- strcat(p, hp2);
- } else
- p = hp2;
- } else
- p = up;
+ if (hp2) {
+ if (up) {
+ p = (char *) xmalloc(strlen(up) + strlen(hp2) + 1);
+ strcpy(p, up);
+ strcat(p, ":");
+ strcat(p, hp2);
+ } else
+ p = hp2;
+ } else
+ p = up;
}
gp = p;
debug((char *) "%s| %s: INFO: Group list %s\n", LogTime(), PROGRAM, p ? p : "NULL");
dp = NULL;
if (!p) {
- debug((char *) "%s| %s: ERROR: No groups defined.\n", LogTime(), PROGRAM);
- return (1);
+ debug((char *) "%s| %s: ERROR: No groups defined.\n", LogTime(), PROGRAM);
+ return (1);
}
while (*p) { /* loop over group list */
- if (*p == '\n' || *p == '\r') { /* Ignore CR and LF if exist */
- p++;
- continue;
- }
- if (*p == '@') { /* end of group name - start of domain name */
- if (p == gp) { /* empty group name not allowed */
- debug((char *) "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p);
- return (1);
- }
- *p = '\0';
- p++;
- gdsp = init_gd();
- gdsp->group = gp;
- if (gdspn) /* Have already an existing structure */
- gdsp->next = gdspn;
- dp = p; /* after @ starts new domain name */
- } else if (*p == ':') { /* end of group name or end of domain name */
- if (p == gp) { /* empty group name not allowed */
- debug((char *) "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p);
- return (1);
- }
- *p = '\0';
- p++;
- if (dp) { /* end of domain name */
- gdsp->domain = xstrdup(dp);
- dp = NULL;
- } else { /* end of group name and no domain name */
- gdsp = init_gd();
- gdsp->group = gp;
- if (gdspn) /* Have already an existing structure */
- gdsp->next = gdspn;
- }
- gdspn = gdsp;
- gp = p; /* after : starts new group name */
- debug((char *) "%s| %s: INFO: Group %s Domain %s\n", LogTime(), PROGRAM, gdsp->group, gdsp->domain ? gdsp->domain : "NULL");
- } else
- p++;
+ if (*p == '\n' || *p == '\r') { /* Ignore CR and LF if exist */
+ p++;
+ continue;
+ }
+ if (*p == '@') { /* end of group name - start of domain name */
+ if (p == gp) { /* empty group name not allowed */
+ debug((char *) "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p);
+ return (1);
+ }
+ *p = '\0';
+ p++;
+ gdsp = init_gd();
+ gdsp->group = gp;
+ if (gdspn) /* Have already an existing structure */
+ gdsp->next = gdspn;
+ dp = p; /* after @ starts new domain name */
+ } else if (*p == ':') { /* end of group name or end of domain name */
+ if (p == gp) { /* empty group name not allowed */
+ debug((char *) "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p);
+ return (1);
+ }
+ *p = '\0';
+ p++;
+ if (dp) { /* end of domain name */
+ gdsp->domain = xstrdup(dp);
+ dp = NULL;
+ } else { /* end of group name and no domain name */
+ gdsp = init_gd();
+ gdsp->group = gp;
+ if (gdspn) /* Have already an existing structure */
+ gdsp->next = gdspn;
+ }
+ gdspn = gdsp;
+ gp = p; /* after : starts new group name */
+ debug((char *) "%s| %s: INFO: Group %s Domain %s\n", LogTime(), PROGRAM, gdsp->group, gdsp->domain ? gdsp->domain : "NULL");
+ } else
+ p++;
}
if (p == gp) { /* empty group name not allowed */
- debug((char *) "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p);
- return (1);
+ debug((char *) "%s| %s: ERROR: No group defined for domain %s\n", LogTime(), PROGRAM, p);
+ return (1);
}
if (dp) { /* end of domain name */
- gdsp->domain = xstrdup(dp);
+ gdsp->domain = xstrdup(dp);
} else { /* end of group name and no domain name */
- gdsp = init_gd();
- gdsp->group = gp;
- if (gdspn) /* Have already an existing structure */
- gdsp->next = gdspn;
+ gdsp = init_gd();
+ gdsp->group = gp;
+ if (gdspn) /* Have already an existing structure */
+ gdsp->next = gdspn;
}
debug((char *) "%s| %s: INFO: Group %s Domain %s\n", LogTime(), PROGRAM, gdsp->group, gdsp->domain ? gdsp->domain : "NULL");
krb5_cleanup()
{
if (kparam.context) {
- if (kparam.cc)
- krb5_cc_destroy(kparam.context, kparam.cc);
- krb5_free_context(kparam.context);
+ if (kparam.cc)
+ krb5_cc_destroy(kparam.context, kparam.cc);
+ krb5_free_context(kparam.context);
}
}
/*
kparam.context = NULL;
if (!domain || !strcmp(domain, ""))
- return (1);
+ return (1);
/*
* Initialise Kerberos
code = krb5_init_context(&kparam.context);
if (code) {
- error((char *) "%s| %s: ERROR: Error while initialising Kerberos library : %s\n", LogTime(), PROGRAM, error_message(code));
- retval = 1;
- goto cleanup;
+ error((char *) "%s| %s: ERROR: Error while initialising Kerberos library : %s\n", LogTime(), PROGRAM, error_message(code));
+ retval = 1;
+ goto cleanup;
}
/*
* getting default keytab name
krb5_kt_default_name(kparam.context, buf, KT_PATH_MAX);
p = strchr(buf, ':'); /* Find the end if "FILE:" */
if (p)
- p++; /* step past : */
+ p++; /* step past : */
keytab_name = xstrdup(p ? p : buf);
debug((char *) "%s| %s: DEBUG: Got default keytab file name %s\n", LogTime(), PROGRAM, keytab_name);
code = krb5_kt_resolve(kparam.context, keytab_name, &keytab);
if (code) {
- error((char *) "%s| %s: ERROR: Error while resolving keytab %s : %s\n", LogTime(), PROGRAM, keytab_name, error_message(code));
- retval = 1;
- goto cleanup;
+ error((char *) "%s| %s: ERROR: Error while resolving keytab %s : %s\n", LogTime(), PROGRAM, keytab_name, error_message(code));
+ retval = 1;
+ goto cleanup;
}
code = krb5_kt_start_seq_get(kparam.context, keytab, &cursor);
if (code) {
- error((char *) "%s| %s: ERROR: Error while starting keytab scan : %s\n", LogTime(), PROGRAM, error_message(code));
- retval = 1;
- goto cleanup;
+ error((char *) "%s| %s: ERROR: Error while starting keytab scan : %s\n", LogTime(), PROGRAM, error_message(code));
+ retval = 1;
+ goto cleanup;
}
debug((char *) "%s| %s: DEBUG: Get principal name from keytab %s\n", LogTime(), PROGRAM, keytab_name);
nprinc = 0;
while ((code = krb5_kt_next_entry(kparam.context, keytab, &entry, &cursor)) == 0) {
- principal_list = (krb5_principal *) xrealloc(principal_list, sizeof(krb5_principal) * (nprinc + 1));
- krb5_copy_principal(kparam.context, entry.principal, &principal_list[nprinc++]);
+ principal_list = (krb5_principal *) xrealloc(principal_list, sizeof(krb5_principal) * (nprinc + 1));
+ krb5_copy_principal(kparam.context, entry.principal, &principal_list[nprinc++]);
#ifdef HAVE_HEIMDAL_KERBEROS
- debug((char *) "%s| %s: DEBUG: Keytab entry has realm name: %s\n", LogTime(), PROGRAM, entry.principal->realm);
+ debug((char *) "%s| %s: DEBUG: Keytab entry has realm name: %s\n", LogTime(), PROGRAM, entry.principal->realm);
#else
- debug((char *) "%s| %s: DEBUG: Keytab entry has realm name: %s\n", LogTime(), PROGRAM, krb5_princ_realm(kparam.context, entry.principal)->data);
+ debug((char *) "%s| %s: DEBUG: Keytab entry has realm name: %s\n", LogTime(), PROGRAM, krb5_princ_realm(kparam.context, entry.principal)->data);
#endif
#ifdef HAVE_HEIMDAL_KERBEROS
- if (!strcasecmp(domain, entry.principal->realm))
+ if (!strcasecmp(domain, entry.principal->realm))
#else
- if (!strcasecmp(domain, krb5_princ_realm(kparam.context, entry.principal)->data))
+ if (!strcasecmp(domain, krb5_princ_realm(kparam.context, entry.principal)->data))
#endif
- {
- code = krb5_unparse_name(kparam.context, entry.principal, &principal_name);
- if (code) {
- error((char *) "%s| %s: ERROR: Error while unparsing principal name : %s\n", LogTime(), PROGRAM, error_message(code));
- } else {
- debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
- found = 1;
- }
- }
+ {
+ code = krb5_unparse_name(kparam.context, entry.principal, &principal_name);
+ if (code) {
+ error((char *) "%s| %s: ERROR: Error while unparsing principal name : %s\n", LogTime(), PROGRAM, error_message(code));
+ } else {
+ debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
+ found = 1;
+ }
+ }
#if defined(HAVE_HEIMDAL_KERBEROS) || ( defined(HAVE_KRB5_KT_FREE_ENTRY) && HAVE_DECL_KRB5_KT_FREE_ENTRY==1)
- code = krb5_kt_free_entry(kparam.context, &entry);
+ code = krb5_kt_free_entry(kparam.context, &entry);
#else
- code = krb5_free_keytab_entry_contents(kparam.context, &entry);
+ code = krb5_free_keytab_entry_contents(kparam.context, &entry);
#endif
- if (code) {
- error((char *) "%s| %s: ERROR: Error while freeing keytab entry : %s\n", LogTime(), PROGRAM, error_message(code));
- retval = 1;
- break;
- }
- if (found)
- break;
+ if (code) {
+ error((char *) "%s| %s: ERROR: Error while freeing keytab entry : %s\n", LogTime(), PROGRAM, error_message(code));
+ retval = 1;
+ break;
+ }
+ if (found)
+ break;
}
if (code && code != KRB5_KT_END) {
- error((char *) "%s| %s: ERROR: Error while scanning keytab : %s\n", LogTime(), PROGRAM, error_message(code));
- retval = 1;
- goto cleanup;
+ error((char *) "%s| %s: ERROR: Error while scanning keytab : %s\n", LogTime(), PROGRAM, error_message(code));
+ retval = 1;
+ goto cleanup;
}
code = krb5_kt_end_seq_get(kparam.context, keytab, &cursor);
if (code) {
- error((char *) "%s| %s: ERROR: Error while ending keytab scan : %s\n", LogTime(), PROGRAM, error_message(code));
- retval = 1;
- goto cleanup;
+ error((char *) "%s| %s: ERROR: Error while ending keytab scan : %s\n", LogTime(), PROGRAM, error_message(code));
+ retval = 1;
+ goto cleanup;
}
/*
* prepare memory credential cache
debug((char *) "%s| %s: DEBUG: Set credential cache to %s\n", LogTime(), PROGRAM, mem_cache);
code = krb5_cc_resolve(kparam.context, mem_cache, &kparam.cc);
if (code) {
- error((char *) "%s| %s: ERROR: Error while resolving memory ccache : %s\n", LogTime(), PROGRAM, error_message(code));
- retval = 1;
- goto cleanup;
+ error((char *) "%s| %s: ERROR: Error while resolving memory ccache : %s\n", LogTime(), PROGRAM, error_message(code));
+ retval = 1;
+ goto cleanup;
}
/*
* if no principal name found in keytab for domain use the prinipal name which can get a TGT
*/
if (!principal_name) {
- debug((char *) "%s| %s: DEBUG: Did not find a principal in keytab for domain %s.\n", LogTime(), PROGRAM, domain);
- debug((char *) "%s| %s: DEBUG: Try to get principal of trusted domain.\n", LogTime(), PROGRAM);
- creds = (krb5_creds *) xmalloc(sizeof(*creds));
- memset(creds, 0, sizeof(*creds));
+ debug((char *) "%s| %s: DEBUG: Did not find a principal in keytab for domain %s.\n", LogTime(), PROGRAM, domain);
+ debug((char *) "%s| %s: DEBUG: Try to get principal of trusted domain.\n", LogTime(), PROGRAM);
+ creds = (krb5_creds *) xmalloc(sizeof(*creds));
+ memset(creds, 0, sizeof(*creds));
- for (i = 0; i < nprinc; i++) {
- /*
- * get credentials
- */
- code = krb5_unparse_name(kparam.context, principal_list[i], &principal_name);
- if (code) {
- debug((char *) "%s| %s: DEBUG: Error while unparsing principal name : %s\n", LogTime(), PROGRAM, error_message(code));
- goto loop_end;
- }
- debug((char *) "%s| %s: DEBUG: Keytab entry has principal: %s\n", LogTime(), PROGRAM, principal_name);
+ for (i = 0; i < nprinc; i++) {
+ /*
+ * get credentials
+ */
+ code = krb5_unparse_name(kparam.context, principal_list[i], &principal_name);
+ if (code) {
+ debug((char *) "%s| %s: DEBUG: Error while unparsing principal name : %s\n", LogTime(), PROGRAM, error_message(code));
+ goto loop_end;
+ }
+ debug((char *) "%s| %s: DEBUG: Keytab entry has principal: %s\n", LogTime(), PROGRAM, principal_name);
#if HAVE_GET_INIT_CREDS_KEYTAB
- code = krb5_get_init_creds_keytab(kparam.context, creds, principal_list[i], keytab, 0, NULL, NULL);
+ code = krb5_get_init_creds_keytab(kparam.context, creds, principal_list[i], keytab, 0, NULL, NULL);
#else
- service = (char *) xmalloc(strlen("krbtgt") + 2 * strlen(domain) + 3);
- snprintf(service, strlen("krbtgt") + 2 * strlen(domain) + 3, "krbtgt/%s@%s", domain, domain);
- creds->client = principal_list[i];
- code = krb5_parse_name(kparam.context, service, &creds->server);
- if (service)
- xfree(service);
- code = krb5_get_in_tkt_with_keytab(kparam.context, 0, NULL, NULL, NULL, keytab, NULL, creds, 0);
+ service = (char *) xmalloc(strlen("krbtgt") + 2 * strlen(domain) + 3);
+ snprintf(service, strlen("krbtgt") + 2 * strlen(domain) + 3, "krbtgt/%s@%s", domain, domain);
+ creds->client = principal_list[i];
+ code = krb5_parse_name(kparam.context, service, &creds->server);
+ if (service)
+ xfree(service);
+ code = krb5_get_in_tkt_with_keytab(kparam.context, 0, NULL, NULL, NULL, keytab, NULL, creds, 0);
#endif
- if (code) {
- debug((char *) "%s| %s: DEBUG: Error while initialising credentials from keytab : %s\n", LogTime(), PROGRAM, error_message(code));
- goto loop_end;
- }
- code = krb5_cc_initialize(kparam.context, kparam.cc, principal_list[i]);
- if (code) {
- error((char *) "%s| %s: ERROR: Error while initializing memory caches : %s\n", LogTime(), PROGRAM, error_message(code));
- goto loop_end;
- }
- code = krb5_cc_store_cred(kparam.context, kparam.cc, creds);
- if (code) {
- debug((char *) "%s| %s: DEBUG: Error while storing credentials : %s\n", LogTime(), PROGRAM, error_message(code));
- goto loop_end;
- }
- if (creds->server)
- krb5_free_principal(kparam.context, creds->server);
+ if (code) {
+ debug((char *) "%s| %s: DEBUG: Error while initialising credentials from keytab : %s\n", LogTime(), PROGRAM, error_message(code));
+ goto loop_end;
+ }
+ code = krb5_cc_initialize(kparam.context, kparam.cc, principal_list[i]);
+ if (code) {
+ error((char *) "%s| %s: ERROR: Error while initializing memory caches : %s\n", LogTime(), PROGRAM, error_message(code));
+ goto loop_end;
+ }
+ code = krb5_cc_store_cred(kparam.context, kparam.cc, creds);
+ if (code) {
+ debug((char *) "%s| %s: DEBUG: Error while storing credentials : %s\n", LogTime(), PROGRAM, error_message(code));
+ goto loop_end;
+ }
+ if (creds->server)
+ krb5_free_principal(kparam.context, creds->server);
#ifdef HAVE_HEIMDAL_KERBEROS
- service = (char *) xmalloc(strlen("krbtgt") + strlen(domain) + strlen(principal_list[i]->realm) + 3);
- snprintf(service, strlen("krbtgt") + strlen(domain) + strlen(principal_list[i]->realm) + 3, "krbtgt/%s@%s", domain, principal_list[i]->realm);
+ service = (char *) xmalloc(strlen("krbtgt") + strlen(domain) + strlen(principal_list[i]->realm) + 3);
+ snprintf(service, strlen("krbtgt") + strlen(domain) + strlen(principal_list[i]->realm) + 3, "krbtgt/%s@%s", domain, principal_list[i]->realm);
#else
- service = (char *) xmalloc(strlen("krbtgt") + strlen(domain) + strlen(krb5_princ_realm(kparam.context, principal_list[i])->data) + 3);
- snprintf(service, strlen("krbtgt") + strlen(domain) + strlen(krb5_princ_realm(kparam.context, principal_list[i])->data) + 3, "krbtgt/%s@%s", domain, krb5_princ_realm(kparam.context, principal_list[i])->data);
+ service = (char *) xmalloc(strlen("krbtgt") + strlen(domain) + strlen(krb5_princ_realm(kparam.context, principal_list[i])->data) + 3);
+ snprintf(service, strlen("krbtgt") + strlen(domain) + strlen(krb5_princ_realm(kparam.context, principal_list[i])->data) + 3, "krbtgt/%s@%s", domain, krb5_princ_realm(kparam.context, principal_list[i])->data);
#endif
- code = krb5_parse_name(kparam.context, service, &creds->server);
- if (service)
- xfree(service);
- if (code) {
- error((char *) "%s| %s: ERROR: Error while initialising TGT credentials : %s\n", LogTime(), PROGRAM, error_message(code));
- goto loop_end;
- }
- code = krb5_get_credentials(kparam.context, 0, kparam.cc, creds, &tgt_creds);
- if (code) {
- debug((char *) "%s| %s: DEBUG: Error while getting tgt : %s\n", LogTime(), PROGRAM, error_message(code));
- goto loop_end;
- } else {
- debug((char *) "%s| %s: DEBUG: Found trusted principal name: %s\n", LogTime(), PROGRAM, principal_name);
- found = 1;
- break;
- }
+ code = krb5_parse_name(kparam.context, service, &creds->server);
+ if (service)
+ xfree(service);
+ if (code) {
+ error((char *) "%s| %s: ERROR: Error while initialising TGT credentials : %s\n", LogTime(), PROGRAM, error_message(code));
+ goto loop_end;
+ }
+ code = krb5_get_credentials(kparam.context, 0, kparam.cc, creds, &tgt_creds);
+ if (code) {
+ debug((char *) "%s| %s: DEBUG: Error while getting tgt : %s\n", LogTime(), PROGRAM, error_message(code));
+ goto loop_end;
+ } else {
+ debug((char *) "%s| %s: DEBUG: Found trusted principal name: %s\n", LogTime(), PROGRAM, principal_name);
+ found = 1;
+ break;
+ }
- loop_end:
- if (principal_name)
- xfree(principal_name);
- principal_name = NULL;
- }
+loop_end:
+ if (principal_name)
+ xfree(principal_name);
+ principal_name = NULL;
+ }
- if (tgt_creds)
- krb5_free_creds(kparam.context, tgt_creds);
- tgt_creds = NULL;
- if (creds)
- krb5_free_creds(kparam.context, creds);
- creds = NULL;
+ if (tgt_creds)
+ krb5_free_creds(kparam.context, tgt_creds);
+ tgt_creds = NULL;
+ if (creds)
+ krb5_free_creds(kparam.context, creds);
+ creds = NULL;
}
if (principal_name) {
- debug((char *) "%s| %s: DEBUG: Got principal name %s\n", LogTime(), PROGRAM, principal_name);
- /*
- * build principal
- */
- code = krb5_parse_name(kparam.context, principal_name, &principal);
- if (code) {
- error((char *) "%s| %s: ERROR: Error while parsing name %s : %s\n", LogTime(), PROGRAM, principal_name, error_message(code));
- retval = 1;
- goto cleanup;
- }
- creds = (krb5_creds *) xmalloc(sizeof(*creds));
- memset(creds, 0, sizeof(*creds));
+ debug((char *) "%s| %s: DEBUG: Got principal name %s\n", LogTime(), PROGRAM, principal_name);
+ /*
+ * build principal
+ */
+ code = krb5_parse_name(kparam.context, principal_name, &principal);
+ if (code) {
+ error((char *) "%s| %s: ERROR: Error while parsing name %s : %s\n", LogTime(), PROGRAM, principal_name, error_message(code));
+ retval = 1;
+ goto cleanup;
+ }
+ creds = (krb5_creds *) xmalloc(sizeof(*creds));
+ memset(creds, 0, sizeof(*creds));
- /*
- * get credentials
- */
+ /*
+ * get credentials
+ */
#if HAVE_GET_INIT_CREDS_KEYTAB
- code = krb5_get_init_creds_keytab(kparam.context, creds, principal, keytab, 0, NULL, NULL);
+ code = krb5_get_init_creds_keytab(kparam.context, creds, principal, keytab, 0, NULL, NULL);
#else
- service = (char *) xmalloc(strlen("krbtgt") + 2 * strlen(domain) + 3);
- snprintf(service, strlen("krbtgt") + 2 * strlen(domain) + 3, "krbtgt/%s@%s", domain, domain);
- creds->client = principal;
- code = krb5_parse_name(kparam.context, service, &creds->server);
- if (service)
- xfree(service);
- code = krb5_get_in_tkt_with_keytab(kparam.context, 0, NULL, NULL, NULL, keytab, NULL, creds, 0);
+ service = (char *) xmalloc(strlen("krbtgt") + 2 * strlen(domain) + 3);
+ snprintf(service, strlen("krbtgt") + 2 * strlen(domain) + 3, "krbtgt/%s@%s", domain, domain);
+ creds->client = principal;
+ code = krb5_parse_name(kparam.context, service, &creds->server);
+ if (service)
+ xfree(service);
+ code = krb5_get_in_tkt_with_keytab(kparam.context, 0, NULL, NULL, NULL, keytab, NULL, creds, 0);
#endif
- if (code) {
- error((char *) "%s| %s: ERROR: Error while initialising credentials from keytab : %s\n", LogTime(), PROGRAM, error_message(code));
- retval = 1;
- goto cleanup;
- }
- code = krb5_cc_initialize(kparam.context, kparam.cc, principal);
- if (code) {
- error((char *) "%s| %s: ERROR: Error while initializing memory caches : %s\n", LogTime(), PROGRAM, error_message(code));
- retval = 1;
- goto cleanup;
- }
- code = krb5_cc_store_cred(kparam.context, kparam.cc, creds);
- if (code) {
- error((char *) "%s| %s: ERROR: Error while storing credentials : %s\n", LogTime(), PROGRAM, error_message(code));
- retval = 1;
- goto cleanup;
- }
- debug((char *) "%s| %s: DEBUG: Stored credentials\n", LogTime(), PROGRAM);
+ if (code) {
+ error((char *) "%s| %s: ERROR: Error while initialising credentials from keytab : %s\n", LogTime(), PROGRAM, error_message(code));
+ retval = 1;
+ goto cleanup;
+ }
+ code = krb5_cc_initialize(kparam.context, kparam.cc, principal);
+ if (code) {
+ error((char *) "%s| %s: ERROR: Error while initializing memory caches : %s\n", LogTime(), PROGRAM, error_message(code));
+ retval = 1;
+ goto cleanup;
+ }
+ code = krb5_cc_store_cred(kparam.context, kparam.cc, creds);
+ if (code) {
+ error((char *) "%s| %s: ERROR: Error while storing credentials : %s\n", LogTime(), PROGRAM, error_message(code));
+ retval = 1;
+ goto cleanup;
+ }
+ debug((char *) "%s| %s: DEBUG: Stored credentials\n", LogTime(), PROGRAM);
} else {
- debug((char *) "%s| %s: DEBUG: Got no principal name\n", LogTime(), PROGRAM);
- retval = 1;
+ debug((char *) "%s| %s: DEBUG: Got no principal name\n", LogTime(), PROGRAM);
+ retval = 1;
}
- cleanup:
+cleanup:
if (keytab)
- krb5_kt_close(kparam.context, keytab);
+ krb5_kt_close(kparam.context, keytab);
if (keytab_name)
- xfree(keytab_name);
+ xfree(keytab_name);
if (principal_name)
- xfree(principal_name);
+ xfree(principal_name);
if (mem_cache)
- xfree(mem_cache);
+ xfree(mem_cache);
if (principal)
- krb5_free_principal(kparam.context, principal);
+ krb5_free_principal(kparam.context, principal);
for (i = 0; i < nprinc; i++) {
- if (principal_list[i])
- krb5_free_principal(kparam.context, principal_list[i]);
+ if (principal_list[i])
+ krb5_free_principal(kparam.context, principal_list[i]);
}
if (principal_list)
- xfree(principal_list);
+ xfree(principal_list);
if (creds)
- krb5_free_creds(kparam.context, creds);
+ krb5_free_creds(kparam.context, creds);
return (retval);
}
int i = 0;
if (!domain)
- return NULL;
+ return NULL;
for (dp = domain; *dp; dp++) {
- if (*dp == '.')
- i++;
+ if (*dp == '.')
+ i++;
}
- /*
- * add dc= and
- * replace . with ,dc= => new length = old length + #dots * 3 + 3
+ /*
+ * add dc= and
+ * replace . with ,dc= => new length = old length + #dots * 3 + 3
*/
bindp = (char *) xmalloc(strlen(domain) + 3 + i * 3 + 1);
bp = bindp;
strcpy(bp, "dc=");
bp += 3;
for (dp = domain; *dp; dp++) {
- if (*dp == '.') {
- strcpy(bp, ",dc=");
- bp += 4;
- } else
- *bp++ = *dp;
+ if (*dp == '.') {
+ strcpy(bp, ",dc=");
+ bp += 4;
+ } else
+ *bp++ = *dp;
}
*bp = '\0';
return bindp;
i = 0;
for (ldap_filter_esc = filter; *ldap_filter_esc; ldap_filter_esc++) {
- if ((*ldap_filter_esc == '*') ||
- (*ldap_filter_esc == '(') ||
- (*ldap_filter_esc == ')') ||
- (*ldap_filter_esc == '\\'))
- i = i + 3;
+ if ((*ldap_filter_esc == '*') ||
+ (*ldap_filter_esc == '(') ||
+ (*ldap_filter_esc == ')') ||
+ (*ldap_filter_esc == '\\'))
+ i = i + 3;
}
ldap_filter_esc = (char *) xcalloc(strlen(filter) + i + 1, sizeof(char));
ldf = ldap_filter_esc;
for (; *filter; filter++) {
- if (*filter == '*') {
- strcpy(ldf, "\\2a");
- ldf = ldf + 3;
- } else if (*filter == '(') {
- strcpy(ldf, "\\28");
- ldf = ldf + 3;
- } else if (*filter == ')') {
- strcpy(ldf, "\\29");
- ldf = ldf + 3;
- } else if (*filter == '\\') {
- strcpy(ldf, "\\5c");
- ldf = ldf + 3;
- } else {
- *ldf = *filter;
- ldf++;
- }
+ if (*filter == '*') {
+ strcpy(ldf, "\\2a");
+ ldf = ldf + 3;
+ } else if (*filter == '(') {
+ strcpy(ldf, "\\28");
+ ldf = ldf + 3;
+ } else if (*filter == ')') {
+ strcpy(ldf, "\\29");
+ ldf = ldf + 3;
+ } else if (*filter == '\\') {
+ strcpy(ldf, "\\5c");
+ ldf = ldf + 3;
+ } else {
+ *ldf = *filter;
+ ldf++;
+ }
}
*ldf = '\0';
debug((char *) "%s| %s: DEBUG: Search ldap server with bind path \"\" and filter: %s\n", LogTime(), PROGRAM, FILTER_SCHEMA);
rc = ldap_search_ext_s(ld, (char *) "", LDAP_SCOPE_BASE, (char *) FILTER_SCHEMA, NULL, 0,
- NULL, NULL, &searchtime, 0, &res);
+ NULL, NULL, &searchtime, 0, &res);
if (rc == LDAP_SUCCESS)
- max_attr = get_attributes(margs, ld, res, ATTRIBUTE_SCHEMA, &attr_value);
+ max_attr = get_attributes(margs, ld, res, ATTRIBUTE_SCHEMA, &attr_value);
if (max_attr == 1) {
- ldap_msgfree(res);
- debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, attr_value[0], FILTER_SAM);
- rc = ldap_search_ext_s(ld, attr_value[0], LDAP_SCOPE_SUBTREE, (char *) FILTER_SAM, NULL, 0,
- NULL, NULL, &searchtime, 0, &res);
- debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y");
- if (ldap_count_entries(ld, res) > 0)
- margs->AD = 1;
+ ldap_msgfree(res);
+ debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, attr_value[0], FILTER_SAM);
+ rc = ldap_search_ext_s(ld, attr_value[0], LDAP_SCOPE_SUBTREE, (char *) FILTER_SAM, NULL, 0,
+ NULL, NULL, &searchtime, 0, &res);
+ debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y");
+ if (ldap_count_entries(ld, res) > 0)
+ margs->AD = 1;
} else
- debug((char *) "%s| %s: DEBUG: Did not find ldap entry for subschemasubentry\n", LogTime(), PROGRAM);
+ debug((char *) "%s| %s: DEBUG: Did not find ldap entry for subschemasubentry\n", LogTime(), PROGRAM);
debug((char *) "%s| %s: DEBUG: Determined ldap server %sas an Active Directory server\n", LogTime(), PROGRAM, margs->AD ? "" : "not ");
/*
* Cleanup
*/
if (attr_value) {
- for (j = 0; j < max_attr; j++) {
- xfree(attr_value[j]);
- }
- xfree(attr_value);
- attr_value = NULL;
+ for (j = 0; j < max_attr; j++) {
+ xfree(attr_value[j]);
+ }
+ xfree(attr_value);
+ attr_value = NULL;
}
ldap_msgfree(res);
return rc;
searchtime.tv_usec = 0;
if (margs->AD)
- filter = (char *) FILTER_GROUP_AD;
+ filter = (char *) FILTER_GROUP_AD;
else
- filter = (char *) FILTER_GROUP;
+ filter = (char *) FILTER_GROUP;
ldap_filter_esc = escape_filter(ldap_group);
snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc);
if (ldap_filter_esc)
- xfree(ldap_filter_esc);
+ xfree(ldap_filter_esc);
if (depth > margs->mdepth) {
- debug((char *) "%s| %s: DEBUG: Max search depth reached %d>%d\n", LogTime(), PROGRAM, depth, margs->mdepth);
- return 0;
+ debug((char *) "%s| %s: DEBUG: Max search depth reached %d>%d\n", LogTime(), PROGRAM, depth, margs->mdepth);
+ return 0;
}
debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter : %s\n", LogTime(), PROGRAM, bindp, search_exp);
rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE,
- search_exp, NULL, 0,
- NULL, NULL, &searchtime, 0, &res);
+ search_exp, NULL, 0,
+ NULL, NULL, &searchtime, 0, &res);
if (search_exp)
- xfree(search_exp);
+ xfree(search_exp);
if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind_s(ld);
- return 0;
+ error((char *) "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ ldap_unbind_s(ld);
+ return 0;
}
debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y");
if (margs->AD)
- max_attr = get_attributes(margs, ld, res, ATTRIBUTE_AD, &attr_value);
+ max_attr = get_attributes(margs, ld, res, ATTRIBUTE_AD, &attr_value);
else
- max_attr = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value);
+ max_attr = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value);
/*
* Compare group names
ldepth = depth + 1;
for (j = 0; j < max_attr; j++) {
- /* Compare first CN= value assuming it is the same as the group name itself */
- av = attr_value[j];
- if (!strncasecmp("CN=", av, 3)) {
- av += 3;
- if ((avp = strchr(av, ','))) {
- *avp = '\0';
- }
- }
- if (debug_enabled) {
- int n;
- debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" in hex UTF-8 is ", LogTime(), PROGRAM, j + 1, av);
- for (n = 0; av[n] != '\0'; n++)
- fprintf(stderr, "%02x", (unsigned char) av[n]);
- fprintf(stderr, "\n");
- }
- if (!strcasecmp(group, av)) {
- retval = 1;
- debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
- break;
- } else
- debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
- /*
- * Do recursive group search
- */
- debug((char *) "%s| %s: DEBUG: Perform recursive group search for group \"%s\"\n", LogTime(), PROGRAM, av);
- av = attr_value[j];
- if (search_group_tree(margs, ld, bindp, av, group, ldepth)) {
- retval = 1;
- if (!strncasecmp("CN=", av, 3)) {
- av += 3;
- if ((avp = strchr(av, ','))) {
- *avp = '\0';
- }
- }
- if (debug_enabled)
- debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" is member of group named \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
- else
- break;
-
- }
+ /* Compare first CN= value assuming it is the same as the group name itself */
+ av = attr_value[j];
+ if (!strncasecmp("CN=", av, 3)) {
+ av += 3;
+ if ((avp = strchr(av, ','))) {
+ *avp = '\0';
+ }
+ }
+ if (debug_enabled) {
+ int n;
+ debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" in hex UTF-8 is ", LogTime(), PROGRAM, j + 1, av);
+ for (n = 0; av[n] != '\0'; n++)
+ fprintf(stderr, "%02x", (unsigned char) av[n]);
+ fprintf(stderr, "\n");
+ }
+ if (!strcasecmp(group, av)) {
+ retval = 1;
+ debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
+ break;
+ } else
+ debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
+ /*
+ * Do recursive group search
+ */
+ debug((char *) "%s| %s: DEBUG: Perform recursive group search for group \"%s\"\n", LogTime(), PROGRAM, av);
+ av = attr_value[j];
+ if (search_group_tree(margs, ld, bindp, av, group, ldepth)) {
+ retval = 1;
+ if (!strncasecmp("CN=", av, 3)) {
+ av += 3;
+ if ((avp = strchr(av, ','))) {
+ *avp = '\0';
+ }
+ }
+ if (debug_enabled)
+ debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" is member of group named \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
+ else
+ break;
+
+ }
}
/*
* Cleanup
*/
if (attr_value) {
- for (j = 0; j < max_attr; j++) {
- xfree(attr_value[j]);
- }
- xfree(attr_value);
- attr_value = NULL;
+ for (j = 0; j < max_attr; j++) {
+ xfree(attr_value[j]);
+ }
+ xfree(attr_value);
+ attr_value = NULL;
}
ldap_msgfree(res);
val = LDAP_VERSION3;
rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &val);
if (rc != LDAP_SUCCESS) {
- debug((char *) "%s| %s: DEBUG: Error while setting protocol version: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- return rc;
+ debug((char *) "%s| %s: DEBUG: Error while setting protocol version: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ return rc;
}
rc = ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
if (rc != LDAP_SUCCESS) {
- debug((char *) "%s| %s: DEBUG: Error while setting referrals off: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- return rc;
+ debug((char *) "%s| %s: DEBUG: Error while setting referrals off: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ return rc;
}
#ifdef LDAP_OPT_NETWORK_TIMEOUT
tv.tv_sec = CONNECT_TIMEOUT;
tv.tv_usec = 0;
rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
if (rc != LDAP_SUCCESS) {
- debug((char *) "%s| %s: DEBUG: Error while setting network timeout: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- return rc;
+ debug((char *) "%s| %s: DEBUG: Error while setting network timeout: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ return rc;
}
#endif /* LDAP_OPT_NETWORK_TIMEOUT */
return LDAP_SUCCESS;
#ifdef HAVE_OPENLDAP
if (!margs->rc_allow) {
- debug((char *) "%s| %s: DEBUG: Enable server certificate check for ldap server.\n", LogTime(), PROGRAM);
- val = LDAP_OPT_X_TLS_DEMAND;
- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &val);
- if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_REQUIRE_CERT DEMAND for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- return rc;
- }
- ssl_cacertfile = getenv("TLS_CACERTFILE");
- free_path = 0;
- if (!ssl_cacertfile) {
- ssl_cacertfile = xstrdup("/etc/ssl/certs/cert.pem");
- free_path = 1;
- }
- debug((char *) "%s| %s: DEBUG: Set certificate file for ldap server to %s.(Changeable through setting environment variable TLS_CACERTFILE)\n", LogTime(), PROGRAM, ssl_cacertfile);
- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ssl_cacertfile);
- if (ssl_cacertfile && free_path) {
- xfree(ssl_cacertfile);
- ssl_cacertfile = NULL;
- }
- if (rc != LDAP_OPT_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_CACERTFILE for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- return rc;
- }
+ debug((char *) "%s| %s: DEBUG: Enable server certificate check for ldap server.\n", LogTime(), PROGRAM);
+ val = LDAP_OPT_X_TLS_DEMAND;
+ rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &val);
+ if (rc != LDAP_SUCCESS) {
+ error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_REQUIRE_CERT DEMAND for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ return rc;
+ }
+ ssl_cacertfile = getenv("TLS_CACERTFILE");
+ free_path = 0;
+ if (!ssl_cacertfile) {
+ ssl_cacertfile = xstrdup("/etc/ssl/certs/cert.pem");
+ free_path = 1;
+ }
+ debug((char *) "%s| %s: DEBUG: Set certificate file for ldap server to %s.(Changeable through setting environment variable TLS_CACERTFILE)\n", LogTime(), PROGRAM, ssl_cacertfile);
+ rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ssl_cacertfile);
+ if (ssl_cacertfile && free_path) {
+ xfree(ssl_cacertfile);
+ ssl_cacertfile = NULL;
+ }
+ if (rc != LDAP_OPT_SUCCESS) {
+ error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_CACERTFILE for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ return rc;
+ }
} else {
- debug((char *) "%s| %s: DEBUG: Disable server certificate check for ldap server.\n", LogTime(), PROGRAM);
- val = LDAP_OPT_X_TLS_ALLOW;
- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &val);
- if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_REQUIRE_CERT ALLOW for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- return rc;
- }
+ debug((char *) "%s| %s: DEBUG: Disable server certificate check for ldap server.\n", LogTime(), PROGRAM);
+ val = LDAP_OPT_X_TLS_ALLOW;
+ rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &val);
+ if (rc != LDAP_SUCCESS) {
+ error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_REQUIRE_CERT ALLOW for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ return rc;
+ }
}
#elif defined(HAVE_LDAPSSL_CLIENT_INIT)
- /*
+ /*
* Solaris SSL ldap calls require path to certificate database
*/
-/*
- * rc = ldapssl_client_init( ssl_certdbpath, NULL );
- * rc = ldapssl_advclientauth_init( ssl_certdbpath, NULL , 0 , NULL, NULL, 0, NULL, 2);
- */
+ /*
+ * rc = ldapssl_client_init( ssl_certdbpath, NULL );
+ * rc = ldapssl_advclientauth_init( ssl_certdbpath, NULL , 0 , NULL, NULL, 0, NULL, 2);
+ */
ssl_certdbpath = getenv("SSL_CERTDBPATH");
if (!ssl_certdbpath) {
- ssl_certdbpath = xstrdup("/etc/certs");
+ ssl_certdbpath = xstrdup("/etc/certs");
}
debug((char *) "%s| %s: DEBUG: Set certificate database path for ldap server to %s.(Changeable through setting environment variable SSL_CERTDBPATH)\n", LogTime(), PROGRAM, ssl_certdbpath);
if (!margs->rc_allow) {
- rc = ldapssl_advclientauth_init(ssl_certdbpath, NULL, 0, NULL, NULL, 0, NULL, 2);
+ rc = ldapssl_advclientauth_init(ssl_certdbpath, NULL, 0, NULL, NULL, 0, NULL, 2);
} else {
- rc = ldapssl_advclientauth_init(ssl_certdbpath, NULL, 0, NULL, NULL, 0, NULL, 0);
- debug((char *) "%s| %s: DEBUG: Disable server certificate check for ldap server.\n", LogTime(), PROGRAM);
+ rc = ldapssl_advclientauth_init(ssl_certdbpath, NULL, 0, NULL, NULL, 0, NULL, 0);
+ debug((char *) "%s| %s: DEBUG: Disable server certificate check for ldap server.\n", LogTime(), PROGRAM);
}
if (ssl_certdbpath) {
- xfree(ssl_certdbpath);
- ssl_certdbpath = NULL;
+ xfree(ssl_certdbpath);
+ ssl_certdbpath = NULL;
}
if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, ldapssl_err2string(rc));
- return rc;
+ error((char *) "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, ldapssl_err2string(rc));
+ return rc;
}
#else
error((char *) "%s| %s: ERROR: SSL not supported by ldap library\n", LogTime(), PROGRAM);
debug((char *) "%s| %s: DEBUG: Search ldap entries for attribute : %s\n", LogTime(), PROGRAM, attribute);
for (msg = ldap_first_entry(ld, res); msg; msg = ldap_next_entry(ld, msg)) {
- BerElement *b;
- char *attr;
-
- switch (ldap_msgtype(msg)) {
-
- case LDAP_RES_SEARCH_ENTRY:
-
- for (attr = ldap_first_attribute(ld, msg, &b); attr;
- attr = ldap_next_attribute(ld, msg, b)) {
- if (strcasecmp(attr, attribute) == 0) {
- struct berval **values;
- int il;
-
- if ((values = ldap_get_values_len(ld, msg, attr)) != NULL) {
- for (il = 0; values[il] != NULL; il++) {
-
- attr_value = (char **) xrealloc(attr_value, (il + 1) * sizeof(char *));
- if (!attr_value)
- break;
-
- attr_value[il] = (char *) xmalloc(values[il]->bv_len + 1);
- memcpy(attr_value[il], values[il]->bv_val, values[il]->bv_len);
- attr_value[il][values[il]->bv_len] = 0;
- }
- max_attr = il;
- }
- ber_bvecfree(values);
- }
- ldap_memfree(attr);
- }
- ber_free(b, 0);
- break;
- case LDAP_RES_SEARCH_REFERENCE:
- debug((char *) "%s| %s: DEBUG: Received a search reference message\n", LogTime(), PROGRAM);
- break;
- case LDAP_RES_SEARCH_RESULT:
- debug((char *) "%s| %s: DEBUG: Received a search result message\n", LogTime(), PROGRAM);
- break;
- default:
- break;
- }
+ BerElement *b;
+ char *attr;
+
+ switch (ldap_msgtype(msg)) {
+
+ case LDAP_RES_SEARCH_ENTRY:
+
+ for (attr = ldap_first_attribute(ld, msg, &b); attr;
+ attr = ldap_next_attribute(ld, msg, b)) {
+ if (strcasecmp(attr, attribute) == 0) {
+ struct berval **values;
+ int il;
+
+ if ((values = ldap_get_values_len(ld, msg, attr)) != NULL) {
+ for (il = 0; values[il] != NULL; il++) {
+
+ attr_value = (char **) xrealloc(attr_value, (il + 1) * sizeof(char *));
+ if (!attr_value)
+ break;
+
+ attr_value[il] = (char *) xmalloc(values[il]->bv_len + 1);
+ memcpy(attr_value[il], values[il]->bv_val, values[il]->bv_len);
+ attr_value[il][values[il]->bv_len] = 0;
+ }
+ max_attr = il;
+ }
+ ber_bvecfree(values);
+ }
+ ldap_memfree(attr);
+ }
+ ber_free(b, 0);
+ break;
+ case LDAP_RES_SEARCH_REFERENCE:
+ debug((char *) "%s| %s: DEBUG: Received a search reference message\n", LogTime(), PROGRAM);
+ break;
+ case LDAP_RES_SEARCH_RESULT:
+ debug((char *) "%s| %s: DEBUG: Received a search result message\n", LogTime(), PROGRAM);
+ break;
+ default:
+ break;
+ }
}
debug((char *) "%s| %s: DEBUG: %d ldap entr%s found with attribute : %s\n", LogTime(), PROGRAM, max_attr, max_attr > 1 || max_attr == 0 ? "ies" : "y", attribute);
#endif
int rc = 0;
- /*
- * Use ldap open here to check if TCP connection is possible. If possible use it.
+ /*
+ * Use ldap open here to check if TCP connection is possible. If possible use it.
* (Not sure if this is the best way)
*/
#ifdef HAVE_OPENLDAP
memset(url, 0, sizeof(*url));
#ifdef HAVE_LDAP_URL_LUD_SCHEME
if (ssl)
- url->lud_scheme = (char *) "ldaps";
+ url->lud_scheme = (char *) "ldaps";
else
- url->lud_scheme = (char *) "ldap";
+ url->lud_scheme = (char *) "ldap";
#endif
url->lud_host = host;
url->lud_port = port;
#elif defined(HAVE_LDAP_URL_PARSE)
rc = ldap_url_parse(ldapuri, &url);
if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- if (ldapuri)
- xfree(ldapuri);
- if (url)
- xfree(url);
- return NULL;
+ error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ if (ldapuri)
+ xfree(ldapuri);
+ if (url)
+ xfree(url);
+ return NULL;
}
#else
#error "No URL parsing function"
#endif
if (url) {
- xfree(url);
- url = NULL;
+ xfree(url);
+ url = NULL;
}
rc = ldap_initialize(&ld, ldapuri);
if (ldapuri)
- xfree(ldapuri);
+ xfree(ldapuri);
if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
- ld = NULL;
- return NULL;
+ error((char *) "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ ldap_unbind(ld);
+ ld = NULL;
+ return NULL;
}
#else
ld = ldap_init(host, port);
#endif
rc = ldap_set_defaults(margs, ld);
if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
- ld = NULL;
- return NULL;
+ error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ ldap_unbind(ld);
+ ld = NULL;
+ return NULL;
}
if (ssl) {
- /*
- * Try Start TLS first
- */
- debug((char *) "%s| %s: DEBUG: Set SSL defaults\n", LogTime(), PROGRAM);
- rc = ldap_set_ssl_defaults(margs);
- if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while setting SSL default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
- ld = NULL;
- return NULL;
- }
+ /*
+ * Try Start TLS first
+ */
+ debug((char *) "%s| %s: DEBUG: Set SSL defaults\n", LogTime(), PROGRAM);
+ rc = ldap_set_ssl_defaults(margs);
+ if (rc != LDAP_SUCCESS) {
+ error((char *) "%s| %s: ERROR: Error while setting SSL default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ ldap_unbind(ld);
+ ld = NULL;
+ return NULL;
+ }
#ifdef HAVE_OPENLDAP
- /*
- * Use tls if possible
- */
- rc = ldap_start_tls_s(ld, NULL, NULL);
- if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while setting start_tls for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
- ld = NULL;
- url = (LDAPURLDesc *) xmalloc(sizeof(*url));
- memset(url, 0, sizeof(*url));
+ /*
+ * Use tls if possible
+ */
+ rc = ldap_start_tls_s(ld, NULL, NULL);
+ if (rc != LDAP_SUCCESS) {
+ error((char *) "%s| %s: ERROR: Error while setting start_tls for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ ldap_unbind(ld);
+ ld = NULL;
+ url = (LDAPURLDesc *) xmalloc(sizeof(*url));
+ memset(url, 0, sizeof(*url));
#ifdef HAVE_LDAP_URL_LUD_SCHEME
- url->lud_scheme = (char *) "ldaps";
+ url->lud_scheme = (char *) "ldaps";
#endif
- url->lud_host = host;
- url->lud_port = port;
+ url->lud_host = host;
+ url->lud_port = port;
#ifdef HAVE_LDAP_SCOPE_DEFAULT
- url->lud_scope = LDAP_SCOPE_DEFAULT;
+ url->lud_scope = LDAP_SCOPE_DEFAULT;
#else
- url->lud_scope = LDAP_SCOPE_SUBTREE;
+ url->lud_scope = LDAP_SCOPE_SUBTREE;
#endif
#ifdef HAVE_LDAP_URL_DESC2STR
- ldapuri = ldap_url_desc2str(url);
+ ldapuri = ldap_url_desc2str(url);
#elif defined(HAVE_LDAP_URL_PARSE)
- rc = ldap_url_parse(ldapuri, &url);
- if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- if (ldapuri)
- xfree(ldapuri);
- if (url)
- xfree(url);
- return NULL;
- }
+ rc = ldap_url_parse(ldapuri, &url);
+ if (rc != LDAP_SUCCESS) {
+ error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ if (ldapuri)
+ xfree(ldapuri);
+ if (url)
+ xfree(url);
+ return NULL;
+ }
#else
#error "No URL parsing function"
#endif
- if (url) {
- xfree(url);
- url = NULL;
- }
- rc = ldap_initialize(&ld, ldapuri);
- if (ldapuri)
- xfree(ldapuri);
- if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
- ld = NULL;
- return NULL;
- }
- rc = ldap_set_defaults(margs, ld);
- if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
- ld = NULL;
- return NULL;
- }
- }
+ if (url) {
+ xfree(url);
+ url = NULL;
+ }
+ rc = ldap_initialize(&ld, ldapuri);
+ if (ldapuri)
+ xfree(ldapuri);
+ if (rc != LDAP_SUCCESS) {
+ error((char *) "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ ldap_unbind(ld);
+ ld = NULL;
+ return NULL;
+ }
+ rc = ldap_set_defaults(margs, ld);
+ if (rc != LDAP_SUCCESS) {
+ error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ ldap_unbind(ld);
+ ld = NULL;
+ return NULL;
+ }
+ }
#elif defined(HAVE_LDAPSSL_CLIENT_INIT)
- ld = ldapssl_init(host, port, 1);
- if (!ld) {
- error((char *) "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, ldapssl_err2string(rc));
- ldap_unbind(ld);
- ld = NULL;
- return NULL;
- }
- rc = ldap_set_defaults(margs, ld);
- if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
- ld = NULL;
- return NULL;
- }
+ ld = ldapssl_init(host, port, 1);
+ if (!ld) {
+ error((char *) "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, ldapssl_err2string(rc));
+ ldap_unbind(ld);
+ ld = NULL;
+ return NULL;
+ }
+ rc = ldap_set_defaults(margs, ld);
+ if (rc != LDAP_SUCCESS) {
+ error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ ldap_unbind(ld);
+ ld = NULL;
+ return NULL;
+ }
#else
- error((char *) "%s| %s: ERROR: SSL not supported by ldap library\n", LogTime(), PROGRAM);
+ error((char *) "%s| %s: ERROR: SSL not supported by ldap library\n", LogTime(), PROGRAM);
#endif
}
return ld;
* Fill Kerberos memory cache with credential from keytab for SASL/GSSAPI
*/
if (domain) {
- debug((char *) "%s| %s: DEBUG: Setup Kerberos credential cache\n", LogTime(), PROGRAM);
+ debug((char *) "%s| %s: DEBUG: Setup Kerberos credential cache\n", LogTime(), PROGRAM);
- kc = krb5_create_cache(margs, domain);
- if (kc) {
- error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM);
- }
+ kc = krb5_create_cache(margs, domain);
+ if (kc) {
+ error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM);
+ }
}
if (kc && (!margs->lurl || !margs->luser | !margs->lpass)) {
- /*
- * If Kerberos fails and no url given exit here
- */
- retval = 0;
- goto cleanup;
+ /*
+ * If Kerberos fails and no url given exit here
+ */
+ retval = 0;
+ goto cleanup;
}
#ifndef HAVE_SUN_LDAP_SDK
/*
debug((char *) "%s| %s: DEBUG: Initialise ldap connection\n", LogTime(), PROGRAM);
if (domain && !kc) {
- if (margs->ssl) {
- debug((char *) "%s| %s: DEBUG: Enable SSL to ldap servers\n", LogTime(), PROGRAM);
- }
- debug((char *) "%s| %s: DEBUG: Canonicalise ldap server name for domain %s\n", LogTime(), PROGRAM, domain);
- /*
- * Loop over list of ldap servers of users domain
- */
- nhosts = get_ldap_hostname_list(margs, &hlist, 0, domain);
- for (i = 0; i < nhosts; i++) {
- port = 389;
- if (hlist[i].port != -1)
- port = hlist[i].port;
- debug((char *) "%s| %s: DEBUG: Setting up connection to ldap server %s:%d\n", LogTime(), PROGRAM, hlist[i].host, port);
-
- ld = tool_ldap_open(margs, hlist[i].host, port, margs->ssl);
- if (!ld)
- continue;
-
- /*
- * ldap bind with SASL/GSSAPI authentication (only possible if a domain was part of the username)
- */
+ if (margs->ssl) {
+ debug((char *) "%s| %s: DEBUG: Enable SSL to ldap servers\n", LogTime(), PROGRAM);
+ }
+ debug((char *) "%s| %s: DEBUG: Canonicalise ldap server name for domain %s\n", LogTime(), PROGRAM, domain);
+ /*
+ * Loop over list of ldap servers of users domain
+ */
+ nhosts = get_ldap_hostname_list(margs, &hlist, 0, domain);
+ for (i = 0; i < nhosts; i++) {
+ port = 389;
+ if (hlist[i].port != -1)
+ port = hlist[i].port;
+ debug((char *) "%s| %s: DEBUG: Setting up connection to ldap server %s:%d\n", LogTime(), PROGRAM, hlist[i].host, port);
+
+ ld = tool_ldap_open(margs, hlist[i].host, port, margs->ssl);
+ if (!ld)
+ continue;
+
+ /*
+ * ldap bind with SASL/GSSAPI authentication (only possible if a domain was part of the username)
+ */
#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN)
- debug((char *) "%s| %s: DEBUG: Bind to ldap server with SASL/GSSAPI\n", LogTime(), PROGRAM);
-
- rc = tool_sasl_bind(ld, bindp, margs->ssl);
- if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while binding to ldap server with SASL/GSSAPI: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
- ld = NULL;
- continue;
- }
- lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds));
- lcreds->dn = bindp ? xstrdup(bindp) : NULL;
- lcreds->pw = margs->ssl ? xstrdup(margs->ssl) : NULL;
- ldap_set_rebind_proc(ld, ldap_sasl_rebind, (char *) lcreds);
- if (ld != NULL) {
- debug((char *) "%s| %s: DEBUG: %s initialised %sconnection to ldap server %s:%d\n", LogTime(), PROGRAM, ld ? "Successfully" : "Failed to", margs->ssl ? "SSL protected " : "", hlist[i].host, port);
- break;
- }
+ debug((char *) "%s| %s: DEBUG: Bind to ldap server with SASL/GSSAPI\n", LogTime(), PROGRAM);
+
+ rc = tool_sasl_bind(ld, bindp, margs->ssl);
+ if (rc != LDAP_SUCCESS) {
+ error((char *) "%s| %s: ERROR: Error while binding to ldap server with SASL/GSSAPI: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ ldap_unbind(ld);
+ ld = NULL;
+ continue;
+ }
+ lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds));
+ lcreds->dn = bindp ? xstrdup(bindp) : NULL;
+ lcreds->pw = margs->ssl ? xstrdup(margs->ssl) : NULL;
+ ldap_set_rebind_proc(ld, ldap_sasl_rebind, (char *) lcreds);
+ if (ld != NULL) {
+ debug((char *) "%s| %s: DEBUG: %s initialised %sconnection to ldap server %s:%d\n", LogTime(), PROGRAM, ld ? "Successfully" : "Failed to", margs->ssl ? "SSL protected " : "", hlist[i].host, port);
+ break;
+ }
#else
- ldap_unbind(ld);
- ld = NULL;
- error((char *) "%s| %s: ERROR: SASL not supported on system\n", LogTime(), PROGRAM);
- continue;
+ ldap_unbind(ld);
+ ld = NULL;
+ error((char *) "%s| %s: ERROR: SASL not supported on system\n", LogTime(), PROGRAM);
+ continue;
#endif
- }
- nhosts = free_hostname_list(&hlist, nhosts);
- if (ld == NULL) {
- debug((char *) "%s| %s: DEBUG: Error during initialisation of ldap connection: %s\n", LogTime(), PROGRAM, strerror(errno));
- }
- bindp = convert_domain_to_bind_path(domain);
+ }
+ nhosts = free_hostname_list(&hlist, nhosts);
+ if (ld == NULL) {
+ debug((char *) "%s| %s: DEBUG: Error during initialisation of ldap connection: %s\n", LogTime(), PROGRAM, strerror(errno));
+ }
+ bindp = convert_domain_to_bind_path(domain);
}
if ((!domain || !ld) && margs->lurl && strstr(margs->lurl, "://")) {
- /*
- * If username does not contain a domain and a url was given then try it
- */
- hostname = strstr(margs->lurl, "://") + 3;
- ssl = strstr(margs->lurl, "ldaps://");
- if (ssl) {
- debug((char *) "%s| %s: DEBUG: Enable SSL to ldap servers\n", LogTime(), PROGRAM);
- }
- debug((char *) "%s| %s: DEBUG: Canonicalise ldap server name %s\n", LogTime(), PROGRAM, hostname);
- /*
- * Loop over list of ldap servers
- */
- host = xstrdup(hostname);
- port = 389;
- if ((p = strchr(host, ':'))) {
- *p = '\0';
- p++;
- port = atoi(p);
- }
- nhosts = get_hostname_list(margs, &hlist, 0, host);
- if (host)
- xfree(host);
- host = NULL;
- for (i = 0; i < nhosts; i++) {
-
- ld = tool_ldap_open(margs, hlist[i].host, port, ssl);
- if (!ld)
- continue;
- /*
- * ldap bind with username/password authentication
- */
-
- debug((char *) "%s| %s: DEBUG: Bind to ldap server with Username/Password\n", LogTime(), PROGRAM);
- rc = ldap_simple_bind_s(ld, margs->luser, margs->lpass);
- if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error while binding to ldap server with Username/Password: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
- ld = NULL;
- continue;
- }
- lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds));
- lcreds->dn = xstrdup(margs->luser);
- lcreds->pw = xstrdup(margs->lpass);
- ldap_set_rebind_proc(ld, ldap_simple_rebind, (char *) lcreds);
- debug((char *) "%s| %s: DEBUG: %s set up %sconnection to ldap server %s:%d\n", LogTime(), PROGRAM, ld ? "Successfully" : "Failed to", ssl ? "SSL protected " : "", hlist[i].host, port);
- break;
-
- }
- nhosts = free_hostname_list(&hlist, nhosts);
- if (bindp)
- xfree(bindp);
- if (margs->lbind) {
- bindp = xstrdup(margs->lbind);
- } else {
- bindp = convert_domain_to_bind_path(domain);
- }
+ /*
+ * If username does not contain a domain and a url was given then try it
+ */
+ hostname = strstr(margs->lurl, "://") + 3;
+ ssl = strstr(margs->lurl, "ldaps://");
+ if (ssl) {
+ debug((char *) "%s| %s: DEBUG: Enable SSL to ldap servers\n", LogTime(), PROGRAM);
+ }
+ debug((char *) "%s| %s: DEBUG: Canonicalise ldap server name %s\n", LogTime(), PROGRAM, hostname);
+ /*
+ * Loop over list of ldap servers
+ */
+ host = xstrdup(hostname);
+ port = 389;
+ if ((p = strchr(host, ':'))) {
+ *p = '\0';
+ p++;
+ port = atoi(p);
+ }
+ nhosts = get_hostname_list(margs, &hlist, 0, host);
+ if (host)
+ xfree(host);
+ host = NULL;
+ for (i = 0; i < nhosts; i++) {
+
+ ld = tool_ldap_open(margs, hlist[i].host, port, ssl);
+ if (!ld)
+ continue;
+ /*
+ * ldap bind with username/password authentication
+ */
+
+ debug((char *) "%s| %s: DEBUG: Bind to ldap server with Username/Password\n", LogTime(), PROGRAM);
+ rc = ldap_simple_bind_s(ld, margs->luser, margs->lpass);
+ if (rc != LDAP_SUCCESS) {
+ error((char *) "%s| %s: ERROR: Error while binding to ldap server with Username/Password: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ ldap_unbind(ld);
+ ld = NULL;
+ continue;
+ }
+ lcreds = (ldap_creds *) xmalloc(sizeof(struct ldap_creds));
+ lcreds->dn = xstrdup(margs->luser);
+ lcreds->pw = xstrdup(margs->lpass);
+ ldap_set_rebind_proc(ld, ldap_simple_rebind, (char *) lcreds);
+ debug((char *) "%s| %s: DEBUG: %s set up %sconnection to ldap server %s:%d\n", LogTime(), PROGRAM, ld ? "Successfully" : "Failed to", ssl ? "SSL protected " : "", hlist[i].host, port);
+ break;
+
+ }
+ nhosts = free_hostname_list(&hlist, nhosts);
+ if (bindp)
+ xfree(bindp);
+ if (margs->lbind) {
+ bindp = xstrdup(margs->lbind);
+ } else {
+ bindp = convert_domain_to_bind_path(domain);
+ }
}
if (ld == NULL) {
- debug((char *) "%s| %s: DEBUG: Error during initialisation of ldap connection: %s\n", LogTime(), PROGRAM, strerror(errno));
- retval = 0;
- goto cleanup;
+ debug((char *) "%s| %s: DEBUG: Error during initialisation of ldap connection: %s\n", LogTime(), PROGRAM, strerror(errno));
+ retval = 0;
+ goto cleanup;
}
/*
* ldap search for user
*/
- /*
+ /*
* Check if server is AD by querying for attribute samaccountname
*/
margs->AD = 0;
rc = check_AD(margs, ld);
if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error determining ldap server type: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
- ld = NULL;
- retval = 0;
- goto cleanup;
+ error((char *) "%s| %s: ERROR: Error determining ldap server type: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ ldap_unbind(ld);
+ ld = NULL;
+ retval = 0;
+ goto cleanup;
}
if (margs->AD)
- filter = (char *) FILTER_AD;
+ filter = (char *) FILTER_AD;
else
- filter = (char *) FILTER;
+ filter = (char *) FILTER;
ldap_filter_esc = escape_filter(user);
snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc);
if (ldap_filter_esc)
- xfree(ldap_filter_esc);
+ xfree(ldap_filter_esc);
debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter : %s\n", LogTime(), PROGRAM, bindp, search_exp);
rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE,
- search_exp, NULL, 0,
- NULL, NULL, &searchtime, 0, &res);
+ search_exp, NULL, 0,
+ NULL, NULL, &searchtime, 0, &res);
if (search_exp)
- xfree(search_exp);
+ xfree(search_exp);
if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
- ld = NULL;
- retval = 0;
- goto cleanup;
+ error((char *) "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ ldap_unbind(ld);
+ ld = NULL;
+ retval = 0;
+ goto cleanup;
}
debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y");
if (ldap_count_entries(ld, res) != 0) {
- if (margs->AD)
- max_attr = get_attributes(margs, ld, res, ATTRIBUTE_AD, &attr_value);
- else {
- max_attr = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value);
- }
-
- /*
- * Compare group names
- */
- retval = 0;
- for (j = 0; j < max_attr; j++) {
-
- /* Compare first CN= value assuming it is the same as the group name itself */
- av = attr_value[j];
- if (!strncasecmp("CN=", av, 3)) {
- av += 3;
- if ((avp = strchr(av, ','))) {
- *avp = '\0';
- }
- }
- if (debug_enabled) {
- int n;
- debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" in hex UTF-8 is ", LogTime(), PROGRAM, j + 1, av);
- for (n = 0; av[n] != '\0'; n++)
- fprintf(stderr, "%02x", (unsigned char) av[n]);
- fprintf(stderr, "\n");
- }
- if (!strcasecmp(group, av)) {
- retval = 1;
- if (debug_enabled)
- debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
- else
- break;
- } else
- debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
- }
- /*
- * Do recursive group search for AD only since posixgroups can not contain other groups
- */
- if (!retval && margs->AD) {
- if (debug_enabled && max_attr > 0) {
- debug((char *) "%s| %s: DEBUG: Perform recursive group search\n", LogTime(), PROGRAM);
- }
- for (j = 0; j < max_attr; j++) {
-
- av = attr_value[j];
- if (search_group_tree(margs, ld, bindp, av, group, 1)) {
- retval = 1;
- if (!strncasecmp("CN=", av, 3)) {
- av += 3;
- if ((avp = strchr(av, ','))) {
- *avp = '\0';
- }
- }
- if (debug_enabled)
- debug((char *) "%s| %s: DEBUG: Entry %d group \"%s\" is (in)direct member of group \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
- else
- break;
- }
- }
- }
- /*
- * Cleanup
- */
- if (attr_value) {
- for (j = 0; j < max_attr; j++) {
- xfree(attr_value[j]);
- }
- xfree(attr_value);
- attr_value = NULL;
- }
- ldap_msgfree(res);
+ if (margs->AD)
+ max_attr = get_attributes(margs, ld, res, ATTRIBUTE_AD, &attr_value);
+ else {
+ max_attr = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value);
+ }
+
+ /*
+ * Compare group names
+ */
+ retval = 0;
+ for (j = 0; j < max_attr; j++) {
+
+ /* Compare first CN= value assuming it is the same as the group name itself */
+ av = attr_value[j];
+ if (!strncasecmp("CN=", av, 3)) {
+ av += 3;
+ if ((avp = strchr(av, ','))) {
+ *avp = '\0';
+ }
+ }
+ if (debug_enabled) {
+ int n;
+ debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" in hex UTF-8 is ", LogTime(), PROGRAM, j + 1, av);
+ for (n = 0; av[n] != '\0'; n++)
+ fprintf(stderr, "%02x", (unsigned char) av[n]);
+ fprintf(stderr, "\n");
+ }
+ if (!strcasecmp(group, av)) {
+ retval = 1;
+ if (debug_enabled)
+ debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
+ else
+ break;
+ } else
+ debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
+ }
+ /*
+ * Do recursive group search for AD only since posixgroups can not contain other groups
+ */
+ if (!retval && margs->AD) {
+ if (debug_enabled && max_attr > 0) {
+ debug((char *) "%s| %s: DEBUG: Perform recursive group search\n", LogTime(), PROGRAM);
+ }
+ for (j = 0; j < max_attr; j++) {
+
+ av = attr_value[j];
+ if (search_group_tree(margs, ld, bindp, av, group, 1)) {
+ retval = 1;
+ if (!strncasecmp("CN=", av, 3)) {
+ av += 3;
+ if ((avp = strchr(av, ','))) {
+ *avp = '\0';
+ }
+ }
+ if (debug_enabled)
+ debug((char *) "%s| %s: DEBUG: Entry %d group \"%s\" is (in)direct member of group \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
+ else
+ break;
+ }
+ }
+ }
+ /*
+ * Cleanup
+ */
+ if (attr_value) {
+ for (j = 0; j < max_attr; j++) {
+ xfree(attr_value[j]);
+ }
+ xfree(attr_value);
+ attr_value = NULL;
+ }
+ ldap_msgfree(res);
} else if (ldap_count_entries(ld, res) == 0 && margs->AD) {
- ldap_msgfree(res);
- ldap_unbind(ld);
- ld = NULL;
- retval = 0;
- goto cleanup;
+ ldap_msgfree(res);
+ ldap_unbind(ld);
+ ld = NULL;
+ retval = 0;
+ goto cleanup;
} else {
- ldap_msgfree(res);
- retval = 0;
+ ldap_msgfree(res);
+ retval = 0;
}
if (!margs->AD && retval == 0) {
- /*
- * Check for primary Group membership
- */
- debug((char *) "%s| %s: DEBUG: Search for primary group membership: \"%s\"\n", LogTime(), PROGRAM, group);
- filter = (char *) FILTER_UID;
-
- ldap_filter_esc = escape_filter(user);
-
- search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1);
- snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc);
-
- if (ldap_filter_esc)
- xfree(ldap_filter_esc);
-
- debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp);
- rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE,
- search_exp, NULL, 0,
- NULL, NULL, &searchtime, 0, &res);
- if (search_exp)
- xfree(search_exp);
-
- debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y");
-
- max_attr = get_attributes(margs, ld, res, ATTRIBUTE_GID, &attr_value);
-
- if (max_attr == 1) {
- char **attr_value_2 = NULL;
- int max_attr_2 = 0;
-
- ldap_msgfree(res);
- filter = (char *) FILTER_GID;
-
- ldap_filter_esc = escape_filter(attr_value[0]);
-
- search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1);
- snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc);
-
- if (ldap_filter_esc)
- xfree(ldap_filter_esc);
-
- debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp);
- rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE,
- search_exp, NULL, 0,
- NULL, NULL, &searchtime, 0, &res);
- if (search_exp)
- xfree(search_exp);
-
- max_attr_2 = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value_2);
- /*
- * Compare group names
- */
- retval = 0;
- if (max_attr_2 == 1) {
-
- /* Compare first CN= value assuming it is the same as the group name itself */
- av = attr_value_2[0];
- if (!strcasecmp(group, av)) {
- retval = 1;
- debug((char *) "%s| %s: DEBUG: \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, av, group);
- } else
- debug((char *) "%s| %s: DEBUG: \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, av, group);
-
- }
- /*
- * Cleanup
- */
- if (attr_value_2) {
- for (j = 0; j < max_attr_2; j++) {
- xfree(attr_value_2[j]);
- }
- xfree(attr_value_2);
- attr_value_2 = NULL;
- }
- ldap_msgfree(res);
-
- debug((char *) "%s| %s: DEBUG: Users primary group %s %s\n", LogTime(), PROGRAM, retval ? "matches" : "does not match", group);
-
- } else
- debug((char *) "%s| %s: DEBUG: Did not find ldap entry for group %s\n", LogTime(), PROGRAM, group);
- /*
- * Cleanup
- */
- if (attr_value) {
- for (j = 0; j < max_attr; j++) {
- xfree(attr_value[j]);
- }
- xfree(attr_value);
- attr_value = NULL;
- }
+ /*
+ * Check for primary Group membership
+ */
+ debug((char *) "%s| %s: DEBUG: Search for primary group membership: \"%s\"\n", LogTime(), PROGRAM, group);
+ filter = (char *) FILTER_UID;
+
+ ldap_filter_esc = escape_filter(user);
+
+ search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1);
+ snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc);
+
+ if (ldap_filter_esc)
+ xfree(ldap_filter_esc);
+
+ debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp);
+ rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE,
+ search_exp, NULL, 0,
+ NULL, NULL, &searchtime, 0, &res);
+ if (search_exp)
+ xfree(search_exp);
+
+ debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y");
+
+ max_attr = get_attributes(margs, ld, res, ATTRIBUTE_GID, &attr_value);
+
+ if (max_attr == 1) {
+ char **attr_value_2 = NULL;
+ int max_attr_2 = 0;
+
+ ldap_msgfree(res);
+ filter = (char *) FILTER_GID;
+
+ ldap_filter_esc = escape_filter(attr_value[0]);
+
+ search_exp = (char *) xmalloc(strlen(filter) + strlen(ldap_filter_esc) + 1);
+ snprintf(search_exp, strlen(filter) + strlen(ldap_filter_esc) + 1, filter, ldap_filter_esc);
+
+ if (ldap_filter_esc)
+ xfree(ldap_filter_esc);
+
+ debug((char *) "%s| %s: DEBUG: Search ldap server with bind path %s and filter: %s\n", LogTime(), PROGRAM, bindp, search_exp);
+ rc = ldap_search_ext_s(ld, bindp, LDAP_SCOPE_SUBTREE,
+ search_exp, NULL, 0,
+ NULL, NULL, &searchtime, 0, &res);
+ if (search_exp)
+ xfree(search_exp);
+
+ max_attr_2 = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value_2);
+ /*
+ * Compare group names
+ */
+ retval = 0;
+ if (max_attr_2 == 1) {
+
+ /* Compare first CN= value assuming it is the same as the group name itself */
+ av = attr_value_2[0];
+ if (!strcasecmp(group, av)) {
+ retval = 1;
+ debug((char *) "%s| %s: DEBUG: \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, av, group);
+ } else
+ debug((char *) "%s| %s: DEBUG: \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, av, group);
+
+ }
+ /*
+ * Cleanup
+ */
+ if (attr_value_2) {
+ for (j = 0; j < max_attr_2; j++) {
+ xfree(attr_value_2[j]);
+ }
+ xfree(attr_value_2);
+ attr_value_2 = NULL;
+ }
+ ldap_msgfree(res);
+
+ debug((char *) "%s| %s: DEBUG: Users primary group %s %s\n", LogTime(), PROGRAM, retval ? "matches" : "does not match", group);
+
+ } else
+ debug((char *) "%s| %s: DEBUG: Did not find ldap entry for group %s\n", LogTime(), PROGRAM, group);
+ /*
+ * Cleanup
+ */
+ if (attr_value) {
+ for (j = 0; j < max_attr; j++) {
+ xfree(attr_value[j]);
+ }
+ xfree(attr_value);
+ attr_value = NULL;
+ }
}
rc = ldap_unbind(ld);
ld = NULL;
if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Error unbind ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ error((char *) "%s| %s: ERROR: Error unbind ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
}
debug((char *) "%s| %s: DEBUG: Unbind ldap server\n", LogTime(), PROGRAM);
- cleanup:
+cleanup:
if (domain)
- krb5_cleanup();
+ krb5_cleanup();
if (lcreds) {
- if (lcreds->dn)
- xfree(lcreds->dn);
- if (lcreds->pw)
- xfree(lcreds->pw);
- xfree(lcreds);
+ if (lcreds->dn)
+ xfree(lcreds->dn);
+ if (lcreds->pw)
+ xfree(lcreds->pw);
+ xfree(lcreds);
}
if (bindp)
- xfree(bindp);
+ xfree(bindp);
bindp = NULL;
return (retval);
gettimeofday(&now, NULL);
if (now.tv_sec != last_t) {
- tm = localtime(&now.tv_sec);
- strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
- last_t = now.tv_sec;
+ tm = localtime(&now.tv_sec);
+ strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
+ last_t = now.tv_sec;
}
return buf;
}
log(char *format,...)
{
if (!log_enabled)
- return;
+ return;
va_list args;
va_start(args, format);
vfprintf(stderr, format, args);
check_memberof(struct main_args *margs, char *user, char *domain)
{
- /*
+ /*
* Check order:
*
* 1. Check domain against list of groups per domain
* 1a. If domain does not exist in list try default domain
- * 1b. If default domain does not exist use default group against ldap url with user/password
+ * 1b. If default domain does not exist use default group against ldap url with user/password
* 1c. If default group does not exist exit with error.
- * 2. Query ldap membership
+ * 2. Query ldap membership
* 2a. Use GSSAPI/SASL with HTTP/fqdn@DOMAIN credentials from keytab
* 2b. Use username/password with TLS
*
gr = margs->groups;
while (gr && domain) {
- debug((char *) "%s| %s: DEBUG: User domain loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL");
- if (gr->domain && !strcasecmp(gr->domain, domain)) {
- debug((char *) "%s| %s: DEBUG: Found group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain);
- /* query ldap */
- if (get_memberof(margs, user, domain, gr->group)) {
- if (debug_enabled)
- debug((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain);
- else
- log((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain);
- found++;
- break;
- } else {
- if (debug_enabled)
- debug((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain);
- else
- log((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain);
- }
- }
- gr = gr->next;
+ debug((char *) "%s| %s: DEBUG: User domain loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL");
+ if (gr->domain && !strcasecmp(gr->domain, domain)) {
+ debug((char *) "%s| %s: DEBUG: Found group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain);
+ /* query ldap */
+ if (get_memberof(margs, user, domain, gr->group)) {
+ if (debug_enabled)
+ debug((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain);
+ else
+ log((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain);
+ found++;
+ break;
+ } else {
+ if (debug_enabled)
+ debug((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain);
+ else
+ log((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain);
+ }
+ }
+ gr = gr->next;
}
if (found)
- return (1);
+ return (1);
/* Check default domain */
gr = margs->groups;
while (gr && domain) {
- debug((char *) "%s| %s: DEBUG: Default domain loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL");
- if (gr->domain && !strcasecmp(gr->domain, "")) {
- debug((char *) "%s| %s: DEBUG: Found group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain);
- /* query ldap */
- if (get_memberof(margs, user, domain, gr->group)) {
- if (debug_enabled)
- debug((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain);
- else
- log((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain);
- found++;
- break;
- } else {
- if (debug_enabled)
- debug((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain);
- else
- log((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain);
- }
- }
- gr = gr->next;
+ debug((char *) "%s| %s: DEBUG: Default domain loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL");
+ if (gr->domain && !strcasecmp(gr->domain, "")) {
+ debug((char *) "%s| %s: DEBUG: Found group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain);
+ /* query ldap */
+ if (get_memberof(margs, user, domain, gr->group)) {
+ if (debug_enabled)
+ debug((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain);
+ else
+ log((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain);
+ found++;
+ break;
+ } else {
+ if (debug_enabled)
+ debug((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain);
+ else
+ log((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain);
+ }
+ }
+ gr = gr->next;
}
if (found)
- return (1);
+ return (1);
/* Check default group with ldap url */
gr = margs->groups;
while (gr) {
- debug((char *) "%s| %s: DEBUG: Default group loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL");
- if (!gr->domain) {
- debug((char *) "%s| %s: DEBUG: Found group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL");
- /* query ldap */
- if (get_memberof(margs, user, domain, gr->group)) {
- if (debug_enabled)
- debug((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL");
- else
- log((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL");
- found++;
- break;
- } else {
- if (debug_enabled)
- debug((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL");
- else
- log((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL");
- }
- }
- gr = gr->next;
+ debug((char *) "%s| %s: DEBUG: Default group loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL");
+ if (!gr->domain) {
+ debug((char *) "%s| %s: DEBUG: Found group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL");
+ /* query ldap */
+ if (get_memberof(margs, user, domain, gr->group)) {
+ if (debug_enabled)
+ debug((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL");
+ else
+ log((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL");
+ found++;
+ break;
+ } else {
+ if (debug_enabled)
+ debug((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL");
+ else
+ log((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gr->domain ? gr->domain : "NULL");
+ }
+ }
+ gr = gr->next;
}
if (found)
- return (1);
+ return (1);
return (0);
}
struct ndstruct *init_nd(void);
struct ndstruct *
-init_nd(void)
-{
+init_nd(void) {
struct ndstruct *ndsp;
ndsp = (struct ndstruct *) xmalloc(sizeof(struct ndstruct));
ndsp->netbios = NULL;
dp = NULL;
if (!p) {
- debug((char *) "%s| %s: DEBUG: No netbios names defined.\n", LogTime(), PROGRAM);
- return (0);
+ debug((char *) "%s| %s: DEBUG: No netbios names defined.\n", LogTime(), PROGRAM);
+ return (0);
}
while (*p) { /* loop over group list */
- if (*p == '\n' || *p == '\r') { /* Ignore CR and LF if exist */
- p++;
- continue;
- }
- if (*p == '@') { /* end of group name - start of domain name */
- if (p == np) { /* empty group name not allowed */
- debug((char *) "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p);
- return (1);
- }
- *p = '\0';
- p++;
- ndsp = init_nd();
- ndsp->netbios = xstrdup(np);
- if (ndspn) /* Have already an existing structure */
- ndsp->next = ndspn;
- dp = p; /* after @ starts new domain name */
- } else if (*p == ':') { /* end of group name or end of domain name */
- if (p == np) { /* empty group name not allowed */
- debug((char *) "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p);
- return (1);
- }
- *p = '\0';
- p++;
- if (dp) { /* end of domain name */
- ndsp->domain = xstrdup(dp);
- dp = NULL;
- } else { /* end of group name and no domain name */
- ndsp = init_nd();
- ndsp->netbios = xstrdup(np);
- if (ndspn) /* Have already an existing structure */
- ndsp->next = ndspn;
- }
- ndspn = ndsp;
- np = p; /* after : starts new group name */
- if (!ndsp->domain || !strcmp(ndsp->domain, "")) {
- debug((char *) "%s| %s: DEBUG: No domain defined for netbios name %s\n", LogTime(), PROGRAM, ndsp->netbios);
- return (1);
- }
- debug((char *) "%s| %s: DEBUG: Netbios name %s Domain %s\n", LogTime(), PROGRAM, ndsp->netbios, ndsp->domain);
- } else
- p++;
+ if (*p == '\n' || *p == '\r') { /* Ignore CR and LF if exist */
+ p++;
+ continue;
+ }
+ if (*p == '@') { /* end of group name - start of domain name */
+ if (p == np) { /* empty group name not allowed */
+ debug((char *) "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p);
+ return (1);
+ }
+ *p = '\0';
+ p++;
+ ndsp = init_nd();
+ ndsp->netbios = xstrdup(np);
+ if (ndspn) /* Have already an existing structure */
+ ndsp->next = ndspn;
+ dp = p; /* after @ starts new domain name */
+ } else if (*p == ':') { /* end of group name or end of domain name */
+ if (p == np) { /* empty group name not allowed */
+ debug((char *) "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p);
+ return (1);
+ }
+ *p = '\0';
+ p++;
+ if (dp) { /* end of domain name */
+ ndsp->domain = xstrdup(dp);
+ dp = NULL;
+ } else { /* end of group name and no domain name */
+ ndsp = init_nd();
+ ndsp->netbios = xstrdup(np);
+ if (ndspn) /* Have already an existing structure */
+ ndsp->next = ndspn;
+ }
+ ndspn = ndsp;
+ np = p; /* after : starts new group name */
+ if (!ndsp->domain || !strcmp(ndsp->domain, "")) {
+ debug((char *) "%s| %s: DEBUG: No domain defined for netbios name %s\n", LogTime(), PROGRAM, ndsp->netbios);
+ return (1);
+ }
+ debug((char *) "%s| %s: DEBUG: Netbios name %s Domain %s\n", LogTime(), PROGRAM, ndsp->netbios, ndsp->domain);
+ } else
+ p++;
}
if (p == np) { /* empty group name not allowed */
- debug((char *) "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p);
- return (1);
+ debug((char *) "%s| %s: DEBUG: No netbios name defined for domain %s\n", LogTime(), PROGRAM, p);
+ return (1);
}
if (dp) { /* end of domain name */
- ndsp->domain = xstrdup(dp);
+ ndsp->domain = xstrdup(dp);
} else { /* end of group name and no domain name */
- ndsp = init_nd();
- ndsp->netbios = xstrdup(np);
- if (ndspn) /* Have already an existing structure */
- ndsp->next = ndspn;
+ ndsp = init_nd();
+ ndsp->netbios = xstrdup(np);
+ if (ndspn) /* Have already an existing structure */
+ ndsp->next = ndspn;
}
if (!ndsp->domain || !strcmp(ndsp->domain, "")) {
- debug((char *) "%s| %s: DEBUG: No domain defined for netbios name %s\n", LogTime(), PROGRAM, ndsp->netbios);
- return (1);
+ debug((char *) "%s| %s: DEBUG: No domain defined for netbios name %s\n", LogTime(), PROGRAM, ndsp->netbios);
+ return (1);
}
debug((char *) "%s| %s: DEBUG: Netbios name %s Domain %s\n", LogTime(), PROGRAM, ndsp->netbios, ndsp->domain);
nd = margs->ndoms;
while (nd && netbios) {
- debug((char *) "%s| %s: DEBUG: Netbios domain loop: netbios@domain %s@%s\n", LogTime(), PROGRAM, nd->netbios, nd->domain);
- if (nd->netbios && !strcasecmp(nd->netbios, netbios)) {
- debug((char *) "%s| %s: DEBUG: Found netbios@domain %s@%s\n", LogTime(), PROGRAM, nd->netbios, nd->domain);
- return (nd->domain);
- }
- nd = nd->next;
+ debug((char *) "%s| %s: DEBUG: Netbios domain loop: netbios@domain %s@%s\n", LogTime(), PROGRAM, nd->netbios, nd->domain);
+ if (nd->netbios && !strcasecmp(nd->netbios, netbios)) {
+ debug((char *) "%s| %s: DEBUG: Found netbios@domain %s@%s\n", LogTime(), PROGRAM, nd->netbios, nd->domain);
+ return (nd->domain);
+ }
+ nd = nd->next;
}
return NULL;
*/
/*
* See http://www.ietf.org/rfc/rfc2782.txt
- *
+ *
*/
void
nsError(int nserror, char *service)
{
switch (nserror) {
case HOST_NOT_FOUND:
- error((char *) "%s| %s: ERROR: res_search: Unknown service record: %s\n", LogTime(), PROGRAM, service);
- break;
+ error((char *) "%s| %s: ERROR: res_search: Unknown service record: %s\n", LogTime(), PROGRAM, service);
+ break;
case NO_DATA:
- error((char *) "%s| %s: ERROR: res_search: No SRV record for %s\n", LogTime(), PROGRAM, service);
- break;
+ error((char *) "%s| %s: ERROR: res_search: No SRV record for %s\n", LogTime(), PROGRAM, service);
+ break;
case TRY_AGAIN:
- error((char *) "%s| %s: ERROR: res_search: No response for SRV query\n", LogTime(), PROGRAM);
- break;
+ error((char *) "%s| %s: ERROR: res_search: No response for SRV query\n", LogTime(), PROGRAM);
+ break;
default:
- error((char *) "%s| %s: ERROR: res_search: Unexpected error: %s\n", LogTime(), PROGRAM, strerror(nserror));
+ error((char *) "%s| %s: ERROR: res_search: Unexpected error: %s\n", LogTime(), PROGRAM, strerror(nserror));
}
}
sort(struct hstruct *array, int nitems, int (*cmp) (struct hstruct *, struct hstruct *), int begin, int end)
{
if (end > begin) {
- int pivot = begin;
- int l = begin + 1;
- int r = end;
- while (l < r) {
- if (cmp(&array[l], &array[pivot]) <= 0) {
- l += 1;
- } else {
- r -= 1;
- swap(&array[l], &array[r]);
- }
- }
- l -= 1;
- swap(&array[begin], &array[l]);
- sort(array, nitems, cmp, begin, l);
- sort(array, nitems, cmp, r, end);
+ int pivot = begin;
+ int l = begin + 1;
+ int r = end;
+ while (l < r) {
+ if (cmp(&array[l], &array[pivot]) <= 0) {
+ l += 1;
+ } else {
+ r -= 1;
+ swap(&array[l], &array[r]);
+ }
+ }
+ l -= 1;
+ swap(&array[begin], &array[l]);
+ sort(array, nitems, cmp, begin, l);
+ sort(array, nitems, cmp, r, end);
}
}
compare_hosts(struct hstruct *host1, struct hstruct *host2)
{
/*
- *
+ *
* The comparison function must return an integer less than, equal to,
* or greater than zero if the first argument is considered to be
* respectively less than, equal to, or greater than the second.
*/
if ((host1->priority < host2->priority) && (host1->priority != -1))
- return -1;
+ return -1;
if ((host1->priority < host2->priority) && (host1->priority == -1))
- return 1;
+ return 1;
if ((host1->priority > host2->priority) && (host2->priority != -1))
- return 1;
+ return 1;
if ((host1->priority > host2->priority) && (host2->priority == -1))
- return -1;
+ return -1;
if (host1->priority == host2->priority) {
- if (host1->weight > host2->weight)
- return -1;
- if (host1->weight < host2->weight)
- return 1;
+ if (host1->weight > host2->weight)
+ return -1;
+ if (host1->weight < host2->weight)
+ return 1;
}
return 0;
}
hp = *hlist;
for (i = 0; i < nhosts; i++) {
- if (hp[i].host)
- xfree(hp[i].host);
- hp[i].host = NULL;
+ if (hp[i].host)
+ xfree(hp[i].host);
+ hp[i].host = NULL;
}
if (hp)
- xfree(hp);
+ xfree(hp);
hp = NULL;
*hlist = hp;
return 0;
struct hstruct *hp = NULL;
if (!name)
- return (nhosts);
+ return (nhosts);
hp = *hlist;
rc = getaddrinfo((const char *) name, NULL, NULL, &hres);
if (rc != 0) {
- error((char *) "%s| %s: ERROR: Error while resolving hostname with getaddrinfo: %s\n", LogTime(), PROGRAM, gai_strerror(rc));
- return (nhosts);
+ error((char *) "%s| %s: ERROR: Error while resolving hostname with getaddrinfo: %s\n", LogTime(), PROGRAM, gai_strerror(rc));
+ return (nhosts);
}
hres_list = hres;
count = 0;
while (hres_list) {
- count++;
- hres_list = hres_list->ai_next;
+ count++;
+ hres_list = hres_list->ai_next;
}
hres_list = hres;
count = 0;
while (hres_list) {
- rc = getnameinfo(hres_list->ai_addr, hres_list->ai_addrlen, host, sizeof(host), NULL, 0, 0);
- if (rc != 0) {
- error((char *) "%s| %s: ERROR: Error while resolving ip address with getnameinfo: %s\n", LogTime(), PROGRAM, gai_strerror(rc));
- freeaddrinfo(hres);
- *hlist = hp;
- return (nhosts);
- }
- count++;
- debug((char *) "%s| %s: DEBUG: Resolved address %d of %s to %s\n", LogTime(), PROGRAM, count, name, host);
+ rc = getnameinfo(hres_list->ai_addr, hres_list->ai_addrlen, host, sizeof(host), NULL, 0, 0);
+ if (rc != 0) {
+ error((char *) "%s| %s: ERROR: Error while resolving ip address with getnameinfo: %s\n", LogTime(), PROGRAM, gai_strerror(rc));
+ freeaddrinfo(hres);
+ *hlist = hp;
+ return (nhosts);
+ }
+ count++;
+ debug((char *) "%s| %s: DEBUG: Resolved address %d of %s to %s\n", LogTime(), PROGRAM, count, name, host);
- hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nhosts + 1));
- hp[nhosts].host = xstrdup(host);
- hp[nhosts].port = -1;
- hp[nhosts].priority = -1;
- hp[nhosts].weight = -1;
- nhosts++;
+ hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nhosts + 1));
+ hp[nhosts].host = xstrdup(host);
+ hp[nhosts].port = -1;
+ hp[nhosts].priority = -1;
+ hp[nhosts].weight = -1;
+ nhosts++;
- hres_list = hres_list->ai_next;
+ hres_list = hres_list->ai_next;
}
freeaddrinfo(hres);
u_char *p;
if (margs->ssl) {
- service = (char *) xmalloc(strlen("_ldaps._tcp.") + strlen(domain) + 1);
- strcpy(service, "_ldaps._tcp.");
+ service = (char *) xmalloc(strlen("_ldaps._tcp.") + strlen(domain) + 1);
+ strcpy(service, "_ldaps._tcp.");
} else {
- service = (char *) xmalloc(strlen("_ldap._tcp.") + strlen(domain) + 1);
- strcpy(service, "_ldap._tcp.");
+ service = (char *) xmalloc(strlen("_ldap._tcp.") + strlen(domain) + 1);
+ strcpy(service, "_ldap._tcp.");
}
strcat(service, domain);
#ifndef PACKETSZ_MULT
-/*
- * It seems Solaris doesn't give back the real length back when res_search uses a to small buffer
- * Set a bigger one here
- */
+ /*
+ * It seems Solaris doesn't give back the real length back when res_search uses a to small buffer
+ * Set a bigger one here
+ */
#define PACKETSZ_MULT 10
#endif
hp = *hlist;
buffer = (u_char *) xmalloc(PACKETSZ_MULT * NS_PACKETSZ);
if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, PACKETSZ_MULT * NS_PACKETSZ)) < 0) {
- error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service);
- nsError(h_errno, service);
- if (margs->ssl) {
- xfree(service);
- service = (char *) xmalloc(strlen("_ldap._tcp.") + strlen(domain) + 1);
- strcpy(service, "_ldap._tcp.");
- strcat(service, domain);
- if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, PACKETSZ_MULT * NS_PACKETSZ)) < 0) {
- error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service);
- nsError(h_errno, service);
- goto cleanup;
- }
- } else {
- goto cleanup;
- }
+ error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service);
+ nsError(h_errno, service);
+ if (margs->ssl) {
+ xfree(service);
+ service = (char *) xmalloc(strlen("_ldap._tcp.") + strlen(domain) + 1);
+ strcpy(service, "_ldap._tcp.");
+ strcat(service, domain);
+ if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, PACKETSZ_MULT * NS_PACKETSZ)) < 0) {
+ error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service);
+ nsError(h_errno, service);
+ goto cleanup;
+ }
+ } else {
+ goto cleanup;
+ }
}
if (len > PACKETSZ_MULT * NS_PACKETSZ) {
- olen = len;
- buffer = (u_char *) xrealloc(buffer, len);
- if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, len)) < 0) {
- error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service);
- nsError(h_errno, service);
- goto cleanup;
- }
- if (len > olen) {
- error((char *) "%s| %s: ERROR: Reply to big: buffer: %d reply length: %d\n", LogTime(), PROGRAM, olen, len);
- goto cleanup;
- }
+ olen = len;
+ buffer = (u_char *) xrealloc(buffer, len);
+ if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, len)) < 0) {
+ error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service);
+ nsError(h_errno, service);
+ goto cleanup;
+ }
+ if (len > olen) {
+ error((char *) "%s| %s: ERROR: Reply to big: buffer: %d reply length: %d\n", LogTime(), PROGRAM, olen, len);
+ goto cleanup;
+ }
}
p = buffer;
p += 6 * NS_INT16SZ; /* Header(6*16bit) = id + flags + 4*section count */
if (p > buffer + len) {
- error((char *) "%s| %s: ERROR: Message to small: %d < header size\n", LogTime(), PROGRAM, len);
- goto cleanup;
+ error((char *) "%s| %s: ERROR: Message to small: %d < header size\n", LogTime(), PROGRAM, len);
+ goto cleanup;
}
if ((size = dn_expand(buffer, buffer + len, p, name, sysconf(_SC_HOST_NAME_MAX))) < 0) {
- error((char *) "%s| %s: ERROR: Error while expanding query name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno));
- goto cleanup;
+ error((char *) "%s| %s: ERROR: Error while expanding query name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno));
+ goto cleanup;
}
p += size; /* Query name */
p += 2 * NS_INT16SZ; /* Query type + class (2*16bit) */
if (p > buffer + len) {
- error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class \n", LogTime(), PROGRAM, len);
- goto cleanup;
+ error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class \n", LogTime(), PROGRAM, len);
+ goto cleanup;
}
while (p < buffer + len) {
- if ((size = dn_expand(buffer, buffer + len, p, name, sysconf(_SC_HOST_NAME_MAX))) < 0) {
- error((char *) "%s| %s: ERROR: Error while expanding answer name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno));
- goto cleanup;
- }
- p += size; /* Resource Record name */
- if (p > buffer + len) {
- error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name\n", LogTime(), PROGRAM, len);
- goto cleanup;
- }
- NS_GET16(type, p); /* RR type (16bit) */
- p += NS_INT16SZ + NS_INT32SZ; /* RR class + ttl (16bit+32bit) */
- if (p > buffer + len) {
- error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name + RR type,class,ttl\n", LogTime(), PROGRAM, len);
- goto cleanup;
- }
- NS_GET16(rdlength, p); /* RR data length (16bit) */
+ if ((size = dn_expand(buffer, buffer + len, p, name, sysconf(_SC_HOST_NAME_MAX))) < 0) {
+ error((char *) "%s| %s: ERROR: Error while expanding answer name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno));
+ goto cleanup;
+ }
+ p += size; /* Resource Record name */
+ if (p > buffer + len) {
+ error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name\n", LogTime(), PROGRAM, len);
+ goto cleanup;
+ }
+ NS_GET16(type, p); /* RR type (16bit) */
+ p += NS_INT16SZ + NS_INT32SZ; /* RR class + ttl (16bit+32bit) */
+ if (p > buffer + len) {
+ error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name + RR type,class,ttl\n", LogTime(), PROGRAM, len);
+ goto cleanup;
+ }
+ NS_GET16(rdlength, p); /* RR data length (16bit) */
- if (type == ns_t_srv) { /* SRV record */
- if (p > buffer + len) {
- error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name + RR type,class,ttl + RR data length\n", LogTime(), PROGRAM, len);
- goto cleanup;
- }
- NS_GET16(priority, p); /* Priority (16bit) */
- if (p > buffer + len) {
- error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority\n", LogTime(), PROGRAM, len);
- goto cleanup;
- }
- NS_GET16(weight, p); /* Weight (16bit) */
- if (p > buffer + len) {
- error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight\n", LogTime(), PROGRAM, len);
- goto cleanup;
- }
- NS_GET16(port, p); /* Port (16bit) */
- if (p > buffer + len) {
- error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight + port\n", LogTime(), PROGRAM, len);
- goto cleanup;
- }
- if ((size = dn_expand(buffer, buffer + len, p, host, NS_MAXDNAME)) < 0) {
- error((char *) "%s| %s: ERROR: Error while expanding SRV RR name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno));
- goto cleanup;
- }
- debug((char *) "%s| %s: DEBUG: Resolved SRV %s record to %s\n", LogTime(), PROGRAM, service, host);
- hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nh + 1));
- hp[nh].host = xstrdup(host);
- hp[nh].port = port;
- hp[nh].priority = priority;
- hp[nh].weight = weight;
- nh++;
- p += size;
- } else {
- p += rdlength;
- }
- if (p > buffer + len) {
- error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight + port + name\n", LogTime(), PROGRAM, len);
- goto cleanup;
- }
+ if (type == ns_t_srv) { /* SRV record */
+ if (p > buffer + len) {
+ error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name + RR type,class,ttl + RR data length\n", LogTime(), PROGRAM, len);
+ goto cleanup;
+ }
+ NS_GET16(priority, p); /* Priority (16bit) */
+ if (p > buffer + len) {
+ error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority\n", LogTime(), PROGRAM, len);
+ goto cleanup;
+ }
+ NS_GET16(weight, p); /* Weight (16bit) */
+ if (p > buffer + len) {
+ error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight\n", LogTime(), PROGRAM, len);
+ goto cleanup;
+ }
+ NS_GET16(port, p); /* Port (16bit) */
+ if (p > buffer + len) {
+ error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight + port\n", LogTime(), PROGRAM, len);
+ goto cleanup;
+ }
+ if ((size = dn_expand(buffer, buffer + len, p, host, NS_MAXDNAME)) < 0) {
+ error((char *) "%s| %s: ERROR: Error while expanding SRV RR name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno));
+ goto cleanup;
+ }
+ debug((char *) "%s| %s: DEBUG: Resolved SRV %s record to %s\n", LogTime(), PROGRAM, service, host);
+ hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nh + 1));
+ hp[nh].host = xstrdup(host);
+ hp[nh].port = port;
+ hp[nh].priority = priority;
+ hp[nh].weight = weight;
+ nh++;
+ p += size;
+ } else {
+ p += rdlength;
+ }
+ if (p > buffer + len) {
+ error((char *) "%s| %s: ERROR: Message to small: %d < SRV RR + priority + weight + port + name\n", LogTime(), PROGRAM, len);
+ goto cleanup;
+ }
}
if (p != buffer + len) {
#if (SIZEOF_LONG == 8)
- errror("%s| %s: ERROR: Inconsistence message length: %ld!=0\n", LogTime(), PROGRAM, buffer + len - p);
+ errror("%s| %s: ERROR: Inconsistence message length: %ld!=0\n", LogTime(), PROGRAM, buffer + len - p);
#else
- error((char *) "%s| %s: ERROR: Inconsistence message length: %d!=0\n", LogTime(), PROGRAM, buffer + len - p);
+ error((char *) "%s| %s: ERROR: Inconsistence message length: %d!=0\n", LogTime(), PROGRAM, buffer + len - p);
#endif
- goto cleanup;
+ goto cleanup;
}
nhosts = get_hostname_list(margs, &hp, nh, domain);
/* Remove duplicates */
for (i = 0; i < nhosts; i++) {
- for (j = i + 1; j < nhosts; j++) {
- if (!strcasecmp(hp[i].host, hp[j].host)) {
- if (hp[i].port == hp[j].port ||
- (hp[i].port == -1 && hp[j].port == 389) ||
- (hp[i].port == 389 && hp[j].port == -1)) {
- xfree(hp[j].host);
- for (k = j + 1; k < nhosts; k++) {
- hp[k - 1].host = hp[k].host;
- hp[k - 1].port = hp[k].port;
- hp[k - 1].priority = hp[k].priority;
- hp[k - 1].weight = hp[k].weight;
- }
- j--;
- nhosts--;
- hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nhosts + 1));
- }
- }
- }
+ for (j = i + 1; j < nhosts; j++) {
+ if (!strcasecmp(hp[i].host, hp[j].host)) {
+ if (hp[i].port == hp[j].port ||
+ (hp[i].port == -1 && hp[j].port == 389) ||
+ (hp[i].port == 389 && hp[j].port == -1)) {
+ xfree(hp[j].host);
+ for (k = j + 1; k < nhosts; k++) {
+ hp[k - 1].host = hp[k].host;
+ hp[k - 1].port = hp[k].port;
+ hp[k - 1].priority = hp[k].priority;
+ hp[k - 1].weight = hp[k].weight;
+ }
+ j--;
+ nhosts--;
+ hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nhosts + 1));
+ }
+ }
+ }
}
/* Sort by Priority / Weight */
msort(hp, nhosts, compare_hosts);
if (debug_enabled) {
- debug((char *) "%s| %s: DEBUG: Sorted ldap server names for domain %s:\n", LogTime(), PROGRAM, domain);
- for (i = 0; i < nhosts; i++) {
- debug((char *) "%s| %s: DEBUG: Host: %s Port: %d Priority: %d Weight: %d\n", LogTime(), PROGRAM, hp[i].host, hp[i].port, hp[i].priority, hp[i].weight);
- }
+ debug((char *) "%s| %s: DEBUG: Sorted ldap server names for domain %s:\n", LogTime(), PROGRAM, domain);
+ for (i = 0; i < nhosts; i++) {
+ debug((char *) "%s| %s: DEBUG: Host: %s Port: %d Priority: %d Weight: %d\n", LogTime(), PROGRAM, hp[i].host, hp[i].port, hp[i].priority, hp[i].weight);
+ }
}
if (buffer)
- xfree(buffer);
+ xfree(buffer);
if (service)
- xfree(service);
+ xfree(service);
*hlist = hp;
return (nhosts);
- cleanup:
+cleanup:
if (buffer)
- xfree(buffer);
+ xfree(buffer);
if (service)
- xfree(service);
+ xfree(service);
*hlist = hp;
return (nhosts);
}
defaults = (lutilSASLdefaults *) xmalloc(sizeof(lutilSASLdefaults));
if (defaults == NULL)
- return NULL;
+ return NULL;
defaults->mech = mech ? xstrdup(mech) : NULL;
defaults->realm = realm ? xstrdup(realm) : NULL;
defaults->authzid = authzid ? xstrdup(authzid) : NULL;
if (defaults->mech == NULL) {
- ldap_get_option(ld, LDAP_OPT_X_SASL_MECH, &defaults->mech);
+ ldap_get_option(ld, LDAP_OPT_X_SASL_MECH, &defaults->mech);
}
if (defaults->realm == NULL) {
- ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &defaults->realm);
+ ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &defaults->realm);
}
if (defaults->authcid == NULL) {
- ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHCID, &defaults->authcid);
+ ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHCID, &defaults->authcid);
}
if (defaults->authzid == NULL) {
- ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHZID, &defaults->authzid);
+ ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHZID, &defaults->authzid);
}
defaults->resps = NULL;
defaults->nresps = 0;
flags = flags;
switch (interact->id) {
case SASL_CB_GETREALM:
- if (defaults)
- dflt = defaults->realm;
- break;
+ if (defaults)
+ dflt = defaults->realm;
+ break;
case SASL_CB_AUTHNAME:
- if (defaults)
- dflt = defaults->authcid;
- break;
+ if (defaults)
+ dflt = defaults->authcid;
+ break;
case SASL_CB_PASS:
- if (defaults)
- dflt = defaults->passwd;
- noecho = 1;
- break;
+ if (defaults)
+ dflt = defaults->passwd;
+ noecho = 1;
+ break;
case SASL_CB_USER:
- if (defaults)
- dflt = defaults->authzid;
- break;
+ if (defaults)
+ dflt = defaults->authzid;
+ break;
case SASL_CB_NOECHOPROMPT:
- noecho = 1;
- challenge = 1;
- break;
+ noecho = 1;
+ challenge = 1;
+ break;
case SASL_CB_ECHOPROMPT:
- challenge = 1;
- break;
+ challenge = 1;
+ break;
}
if (dflt && !*dflt)
- dflt = NULL;
+ dflt = NULL;
/* input must be empty */
interact->result = (dflt && *dflt) ? dflt : "";
sasl_interact_t *interact = (sasl_interact_t *) in;
if (ld == NULL)
- return LDAP_PARAM_ERROR;
+ return LDAP_PARAM_ERROR;
while (interact->id != SASL_CB_LIST_END) {
- int rc = interaction(flags, interact, (lutilSASLdefaults *) defaults);
+ int rc = interaction(flags, interact, (lutilSASLdefaults *) defaults);
- if (rc)
- return rc;
- interact++;
+ if (rc)
+ return rc;
+ interact++;
}
return LDAP_SUCCESS;
lutilSASLdefaults *defs = (lutilSASLdefaults *) defaults;
if (defs->mech)
- xfree(defs->mech);
+ xfree(defs->mech);
if (defs->realm)
- xfree(defs->realm);
+ xfree(defs->realm);
if (defs->authcid)
- xfree(defs->authcid);
+ xfree(defs->authcid);
if (defs->passwd)
- xfree(defs->passwd);
+ xfree(defs->passwd);
if (defs->authzid)
- xfree(defs->authzid);
+ xfree(defs->authzid);
if (defs->resps)
- xfree(defs->resps);
+ xfree(defs->resps);
xfree(defs);
}
* unsigned sasl_flags = LDAP_SASL_AUTOMATIC;
* unsigned sasl_flags = LDAP_SASL_QUIET;
*/
- /*
+ /*
* Avoid SASL messages
*/
#ifdef HAVE_SUN_LDAP_SDK
#else
char *sasl_mech = NULL;
#endif
- /*
+ /*
* Force encryption
*/
char *sasl_secprops;
* char *sasl_secprops = (char *)"maxssf=56";
* char *sasl_secprops = NULL;
*/
- struct berval passwd =
- {0, NULL};
+ struct berval passwd = {0, NULL};
void *defaults;
int rc = LDAP_SUCCESS;
if (ssl)
- sasl_secprops = (char *) "maxssf=0";
+ sasl_secprops = (char *) "maxssf=0";
else
- sasl_secprops = (char *) "maxssf=56";
-/* sasl_secprops = (char *)"maxssf=0"; */
-/* sasl_secprops = (char *)"maxssf=56"; */
+ sasl_secprops = (char *) "maxssf=56";
+ /* sasl_secprops = (char *)"maxssf=0"; */
+ /* sasl_secprops = (char *)"maxssf=56"; */
if (sasl_secprops != NULL) {
- rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS,
- (void *) sasl_secprops);
- if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: %s: %s\n", LogTime(), PROGRAM, sasl_secprops, ldap_err2string(rc));
- return rc;
- }
+ rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS,
+ (void *) sasl_secprops);
+ if (rc != LDAP_SUCCESS) {
+ error((char *) "%s| %s: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: %s: %s\n", LogTime(), PROGRAM, sasl_secprops, ldap_err2string(rc));
+ return rc;
+ }
}
defaults = lutil_sasl_defaults(ld,
- sasl_mech,
- sasl_realm,
- sasl_authc_id,
- passwd.bv_val,
- sasl_authz_id);
+ sasl_mech,
+ sasl_realm,
+ sasl_authc_id,
+ passwd.bv_val,
+ sasl_authz_id);
rc = ldap_sasl_interactive_bind_s(ld, binddn,
- sasl_mech, NULL, NULL,
- sasl_flags, lutil_sasl_interact, defaults);
+ sasl_mech, NULL, NULL,
+ sasl_flags, lutil_sasl_interact, defaults);
lutil_sasl_freedefs(defaults);
if (rc != LDAP_SUCCESS) {
- error((char *) "%s| %s: ERROR: ldap_sasl_interactive_bind_s error: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
+ error((char *) "%s| %s: ERROR: ldap_sasl_interactive_bind_s error: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
}
return rc;
}
#define BASE64_VALUE_SZ 256
int base64_value[BASE64_VALUE_SZ];
const char base64_code[] =
-"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static void
int i;
for (i = 0; i < BASE64_VALUE_SZ; i++)
- base64_value[i] = -1;
+ base64_value[i] = -1;
for (i = 0; i < 64; i++)
- base64_value[(int) base64_code[i]] = i;
+ base64_value[(int) base64_code[i]] = i;
base64_value[(int) '='] = 0;
base64_initialized = 1;
int c;
long val;
if (!data)
- return;
+ return;
if (!base64_initialized)
- ska_base64_init();
+ ska_base64_init();
val = c = 0;
for (j = 0; *data; data++) {
- unsigned int k = ((unsigned char) *data) % BASE64_VALUE_SZ;
- if (base64_value[k] < 0)
- continue;
- val <<= 6;
- val += base64_value[k];
- if (++c < 4)
- continue;
- /* One quantum of four encoding characters/24 bit */
- if (j >= result_size)
- break;
- result[j++] = val >> 16; /* High 8 bits */
- if (j >= result_size)
- break;
- result[j++] = (val >> 8) & 0xff; /* Mid 8 bits */
- if (j >= result_size)
- break;
- result[j++] = val & 0xff; /* Low 8 bits */
- val = c = 0;
+ unsigned int k = ((unsigned char) *data) % BASE64_VALUE_SZ;
+ if (base64_value[k] < 0)
+ continue;
+ val <<= 6;
+ val += base64_value[k];
+ if (++c < 4)
+ continue;
+ /* One quantum of four encoding characters/24 bit */
+ if (j >= result_size)
+ break;
+ result[j++] = val >> 16; /* High 8 bits */
+ if (j >= result_size)
+ break;
+ result[j++] = (val >> 8) & 0xff; /* Mid 8 bits */
+ if (j >= result_size)
+ break;
+ result[j++] = val & 0xff; /* Low 8 bits */
+ val = c = 0;
}
return;
}
/* adopted from http://ftp.sunet.se/pub2/gnu/vm/base64-encode.c with adjustments */
void
ska_base64_encode(char *result, const char *data, int result_size,
- int data_size)
+ int data_size)
{
int bits = 0;
int char_count = 0;
int out_cnt = 0;
if (!data)
- return;
+ return;
if (!base64_initialized)
- ska_base64_init();
+ ska_base64_init();
while (data_size--) {
- int c = (unsigned char) *data++;
- bits += c;
- char_count++;
- if (char_count == 3) {
- if (out_cnt >= result_size)
- break;
- result[out_cnt++] = base64_code[bits >> 18];
- if (out_cnt >= result_size)
- break;
- result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
- if (out_cnt >= result_size)
- break;
- result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
- if (out_cnt >= result_size)
- break;
- result[out_cnt++] = base64_code[bits & 0x3f];
- bits = 0;
- char_count = 0;
- } else {
- bits <<= 8;
- }
+ int c = (unsigned char) *data++;
+ bits += c;
+ char_count++;
+ if (char_count == 3) {
+ if (out_cnt >= result_size)
+ break;
+ result[out_cnt++] = base64_code[bits >> 18];
+ if (out_cnt >= result_size)
+ break;
+ result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
+ if (out_cnt >= result_size)
+ break;
+ result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
+ if (out_cnt >= result_size)
+ break;
+ result[out_cnt++] = base64_code[bits & 0x3f];
+ bits = 0;
+ char_count = 0;
+ } else {
+ bits <<= 8;
+ }
}
if (char_count != 0) {
- bits <<= 16 - (8 * char_count);
- if (out_cnt >= result_size)
- goto end;
- result[out_cnt++] = base64_code[bits >> 18];
- if (out_cnt >= result_size)
- goto end;
- result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
- if (char_count == 1) {
- if (out_cnt >= result_size)
- goto end;
- result[out_cnt++] = '=';
- if (out_cnt >= result_size)
- goto end;
- result[out_cnt++] = '=';
- } else {
- if (out_cnt >= result_size)
- goto end;
- result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
- if (out_cnt >= result_size)
- goto end;
- result[out_cnt++] = '=';
- }
+ bits <<= 16 - (8 * char_count);
+ if (out_cnt >= result_size)
+ goto end;
+ result[out_cnt++] = base64_code[bits >> 18];
+ if (out_cnt >= result_size)
+ goto end;
+ result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
+ if (char_count == 1) {
+ if (out_cnt >= result_size)
+ goto end;
+ result[out_cnt++] = '=';
+ if (out_cnt >= result_size)
+ goto end;
+ result[out_cnt++] = '=';
+ } else {
+ if (out_cnt >= result_size)
+ goto end;
+ result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
+ if (out_cnt >= result_size)
+ goto end;
+ result[out_cnt++] = '=';
+ }
}
- end:
+end:
if (out_cnt >= result_size) {
- result[result_size - 1] = '\0'; /* terminate */
+ result[result_size - 1] = '\0'; /* terminate */
} else {
- result[out_cnt] = '\0'; /* terminate */
+ result[out_cnt] = '\0'; /* terminate */
}
return;
}
j = 0;
for (i = strlen(data) - 1; i >= 0; i--) {
- if (data[i] == '=')
- j++;
- if (data[i] != '=')
- break;
+ if (data[i] == '=')
+ j++;
+ if (data[i] != '=')
+ break;
}
return strlen(data) / 4 * 3 - j;
}
void ska_base64_decode(char *result, const char *data, int result_size);
void ska_base64_encode(char *result, const char *data, int result_size,
- int data_size);
+ int data_size);
int ska_base64_encode_len(int len);
int ska_base64_decode_len(const char *data);
#endif
int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
- const char *function, int log);
+ const char *function, int log);
char *gethost_name(void);
static const char *LogTime(void);
-static const unsigned char ntlmProtocol[] =
-{'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
+static const unsigned char ntlmProtocol[] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
static const char *
LogTime()
gettimeofday(&now, NULL);
if (now.tv_sec != last_t) {
- tm = localtime((time_t *) & now.tv_sec);
- strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
- last_t = now.tv_sec;
+ tm = localtime((time_t *) & now.tv_sec);
+ strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
+ last_t = now.tv_sec;
}
return buf;
}
rc = gethostname(hostname, sysconf(_SC_HOST_NAME_MAX));
if (rc) {
- fprintf(stderr, "%s| %s: ERROR: resolving hostname '%s' failed\n",
- LogTime(), PROGRAM, hostname);
- return NULL;
+ fprintf(stderr, "%s| %s: ERROR: resolving hostname '%s' failed\n",
+ LogTime(), PROGRAM, hostname);
+ return NULL;
}
rc = getaddrinfo(hostname, NULL, NULL, &hres);
if (rc != 0) {
- fprintf(stderr,
- "%s| %s: ERROR: resolving hostname with getaddrinfo: %s failed\n",
- LogTime(), PROGRAM, gai_strerror(rc));
- return NULL;
+ fprintf(stderr,
+ "%s| %s: ERROR: resolving hostname with getaddrinfo: %s failed\n",
+ LogTime(), PROGRAM, gai_strerror(rc));
+ return NULL;
}
hres_list = hres;
count = 0;
while (hres_list) {
- count++;
- hres_list = hres_list->ai_next;
+ count++;
+ hres_list = hres_list->ai_next;
}
rc = getnameinfo(hres->ai_addr, hres->ai_addrlen, hostname,
- sizeof(hostname), NULL, 0, 0);
+ sizeof(hostname), NULL, 0, 0);
if (rc != 0) {
- fprintf(stderr,
- "%s| %s: ERROR: resolving ip address with getnameinfo: %s failed\n",
- LogTime(), PROGRAM, gai_strerror(rc));
- freeaddrinfo(hres);
- return NULL;
+ fprintf(stderr,
+ "%s| %s: ERROR: resolving ip address with getnameinfo: %s failed\n",
+ LogTime(), PROGRAM, gai_strerror(rc));
+ freeaddrinfo(hres);
+ return NULL;
}
freeaddrinfo(hres);
hostname[sysconf(_SC_HOST_NAME_MAX) - 1] = '\0';
int
check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
- const char *function, int log)
+ const char *function, int log)
{
if (GSS_ERROR(major_status)) {
- OM_uint32 maj_stat, min_stat;
- OM_uint32 msg_ctx = 0;
- gss_buffer_desc status_string;
- char buf[1024];
- size_t len;
-
- len = 0;
- msg_ctx = 0;
- while (!msg_ctx) {
- /* convert major status code (GSS-API error) to text */
- maj_stat = gss_display_status(&min_stat, major_status,
- GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
- if (maj_stat == GSS_S_COMPLETE) {
- if (sizeof(buf) > len + status_string.length + 1) {
- snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value);
- len += status_string.length;
- }
- gss_release_buffer(&min_stat, &status_string);
- break;
- }
- gss_release_buffer(&min_stat, &status_string);
- }
- if (sizeof(buf) > len + 2) {
- snprintf(buf + len, (sizeof(buf) - len), "%s", ". ");
- len += 2;
- }
- msg_ctx = 0;
- while (!msg_ctx) {
- /* convert minor status code (underlying routine error) to text */
- maj_stat = gss_display_status(&min_stat, minor_status,
- GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
- if (maj_stat == GSS_S_COMPLETE) {
- if (sizeof(buf) > len + status_string.length) {
- snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value);
- len += status_string.length;
- }
- gss_release_buffer(&min_stat, &status_string);
- break;
- }
- gss_release_buffer(&min_stat, &status_string);
- }
- debug((char *) "%s| %s: ERROR: %s failed: %s\n", LogTime(), PROGRAM, function, buf);
- fprintf(stdout, "BH %s failed: %s\n", function, buf);
- if (log)
- fprintf(stderr, "%s| %s: INFO: User not authenticated\n", LogTime(),
- PROGRAM);
- return (1);
+ OM_uint32 maj_stat, min_stat;
+ OM_uint32 msg_ctx = 0;
+ gss_buffer_desc status_string;
+ char buf[1024];
+ size_t len;
+
+ len = 0;
+ msg_ctx = 0;
+ while (!msg_ctx) {
+ /* convert major status code (GSS-API error) to text */
+ maj_stat = gss_display_status(&min_stat, major_status,
+ GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
+ if (maj_stat == GSS_S_COMPLETE) {
+ if (sizeof(buf) > len + status_string.length + 1) {
+ snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value);
+ len += status_string.length;
+ }
+ gss_release_buffer(&min_stat, &status_string);
+ break;
+ }
+ gss_release_buffer(&min_stat, &status_string);
+ }
+ if (sizeof(buf) > len + 2) {
+ snprintf(buf + len, (sizeof(buf) - len), "%s", ". ");
+ len += 2;
+ }
+ msg_ctx = 0;
+ while (!msg_ctx) {
+ /* convert minor status code (underlying routine error) to text */
+ maj_stat = gss_display_status(&min_stat, minor_status,
+ GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
+ if (maj_stat == GSS_S_COMPLETE) {
+ if (sizeof(buf) > len + status_string.length) {
+ snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value);
+ len += status_string.length;
+ }
+ gss_release_buffer(&min_stat, &status_string);
+ break;
+ }
+ gss_release_buffer(&min_stat, &status_string);
+ }
+ debug((char *) "%s| %s: ERROR: %s failed: %s\n", LogTime(), PROGRAM, function, buf);
+ fprintf(stdout, "BH %s failed: %s\n", function, buf);
+ if (log)
+ fprintf(stderr, "%s| %s: INFO: User not authenticated\n", LogTime(),
+ PROGRAM);
+ return (1);
}
return (0);
}
setbuf(stdin, NULL);
while (-1 != (opt = getopt(argc, argv, "dirs:h"))) {
- switch (opt) {
- case 'd':
- debug_enabled = 1;
- break;
- case 'i':
- log = 1;
- break;
- case 'r':
- norealm = 1;
- break;
- case 's':
- service_principal = xstrdup(optarg);
- break;
- case 'h':
- fprintf(stderr, "Usage: \n");
- fprintf(stderr, "squid_kerb_auth [-d] [-i] [-s SPN] [-h]\n");
- fprintf(stderr, "-d full debug\n");
- fprintf(stderr, "-i informational messages\n");
- fprintf(stderr, "-r remove realm from username\n");
- fprintf(stderr, "-s service principal name\n");
- fprintf(stderr, "-h help\n");
- fprintf(stderr,
- "The SPN can be set to GSS_C_NO_NAME to allow any entry from keytab\n");
- fprintf(stderr, "default SPN is HTTP/fqdn@DEFAULT_REALM\n");
- exit(0);
- default:
- fprintf(stderr, "%s| %s: WARNING: unknown option: -%c.\n", LogTime(),
- PROGRAM, opt);
- }
+ switch (opt) {
+ case 'd':
+ debug_enabled = 1;
+ break;
+ case 'i':
+ log = 1;
+ break;
+ case 'r':
+ norealm = 1;
+ break;
+ case 's':
+ service_principal = xstrdup(optarg);
+ break;
+ case 'h':
+ fprintf(stderr, "Usage: \n");
+ fprintf(stderr, "squid_kerb_auth [-d] [-i] [-s SPN] [-h]\n");
+ fprintf(stderr, "-d full debug\n");
+ fprintf(stderr, "-i informational messages\n");
+ fprintf(stderr, "-r remove realm from username\n");
+ fprintf(stderr, "-s service principal name\n");
+ fprintf(stderr, "-h help\n");
+ fprintf(stderr,
+ "The SPN can be set to GSS_C_NO_NAME to allow any entry from keytab\n");
+ fprintf(stderr, "default SPN is HTTP/fqdn@DEFAULT_REALM\n");
+ exit(0);
+ default:
+ fprintf(stderr, "%s| %s: WARNING: unknown option: -%c.\n", LogTime(),
+ PROGRAM, opt);
+ }
}
debug((char *) "%s| %s: INFO: Starting version %s\n", LogTime(), PROGRAM, SQUID_KERB_AUTH_VERSION);
if (service_principal && strcasecmp(service_principal, "GSS_C_NO_NAME")) {
- service.value = service_principal;
- service.length = strlen((char *) service.value);
+ service.value = service_principal;
+ service.length = strlen((char *) service.value);
} else {
- host_name = gethost_name();
- if (!host_name) {
- fprintf(stderr,
- "%s| %s: FATAL: Local hostname could not be determined. Please specify the service principal\n",
- LogTime(), PROGRAM);
- fprintf(stdout, "BH hostname error\n");
- exit(-1);
- }
- service.value = xmalloc(strlen(service_name) + strlen(host_name) + 2);
- snprintf((char *) service.value, strlen(service_name) + strlen(host_name) + 2,
- "%s@%s", service_name, host_name);
- service.length = strlen((char *) service.value);
+ host_name = gethost_name();
+ if (!host_name) {
+ fprintf(stderr,
+ "%s| %s: FATAL: Local hostname could not be determined. Please specify the service principal\n",
+ LogTime(), PROGRAM);
+ fprintf(stdout, "BH hostname error\n");
+ exit(-1);
+ }
+ service.value = xmalloc(strlen(service_name) + strlen(host_name) + 2);
+ snprintf((char *) service.value, strlen(service_name) + strlen(host_name) + 2,
+ "%s@%s", service_name, host_name);
+ service.length = strlen((char *) service.value);
}
while (1) {
- if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) {
- if (ferror(stdin)) {
- debug((char *) "%s| %s: FATAL: fgets() failed! dying..... errno=%d (%s)\n",
- LogTime(), PROGRAM, ferror(stdin),
- strerror(ferror(stdin)));
-
- fprintf(stdout, "BH input error\n");
- exit(1); /* BIIG buffer */
- }
- fprintf(stdout, "BH input error\n");
- exit(0);
- }
- c = (char *) memchr(buf, '\n', sizeof(buf) - 1);
- if (c) {
- *c = '\0';
- length = c - buf;
- } else {
- err = 1;
- }
- if (err) {
- debug((char *) "%s| %s: ERROR: Oversized message\n", LogTime(), PROGRAM);
- fprintf(stdout, "BH Oversized message\n");
- err = 0;
- continue;
- }
- debug((char *) "%s| %s: DEBUG: Got '%s' from squid (length: %d).\n", LogTime(), PROGRAM, buf, length);
-
- if (buf[0] == '\0') {
- debug((char *) "%s| %s: ERROR: Invalid request\n", LogTime(), PROGRAM);
- fprintf(stdout, "BH Invalid request\n");
- continue;
- }
- if (strlen(buf) < 2) {
- debug((char *) "%s| %s: ERROR: Invalid request [%s]\n", LogTime(), PROGRAM, buf);
- fprintf(stdout, "BH Invalid request\n");
- continue;
- }
- if (!strncmp(buf, "QQ", 2)) {
- gss_release_buffer(&minor_status, &input_token);
- gss_release_buffer(&minor_status, &output_token);
- gss_release_buffer(&minor_status, &service);
- gss_release_cred(&minor_status, &server_creds);
- if (server_name)
- gss_release_name(&minor_status, &server_name);
- if (client_name)
- gss_release_name(&minor_status, &client_name);
- if (gss_context != GSS_C_NO_CONTEXT)
- gss_delete_sec_context(&minor_status, &gss_context, NULL);
- if (kerberosToken) {
- /* Allocated by parseNegTokenInit, but no matching free function exists.. */
- if (!spnego_flag)
- xfree((char *) kerberosToken);
- kerberosToken = NULL;
- }
- if (spnego_flag) {
- /* Allocated by makeNegTokenTarg, but no matching free function exists.. */
- if (spnegoToken)
- xfree((char *) spnegoToken);
- spnegoToken = NULL;
- }
- if (token) {
- xfree(token);
- token = NULL;
- }
- if (host_name) {
- xfree(host_name);
- host_name = NULL;
- }
- fprintf(stdout, "BH quit command\n");
- exit(0);
- }
- if (strncmp(buf, "YR", 2) && strncmp(buf, "KK", 2)) {
- debug((char *) "%s| %s: ERROR: Invalid request [%s]\n", LogTime(), PROGRAM, buf);
- fprintf(stdout, "BH Invalid request\n");
- continue;
- }
- if (!strncmp(buf, "YR", 2)) {
- if (gss_context != GSS_C_NO_CONTEXT)
- gss_delete_sec_context(&minor_status, &gss_context, NULL);
- gss_context = GSS_C_NO_CONTEXT;
- }
- if (strlen(buf) <= 3) {
- debug((char *) "%s| %s: ERROR: Invalid negotiate request [%s]\n", LogTime(), PROGRAM, buf);
- fprintf(stdout, "BH Invalid negotiate request\n");
- continue;
- }
- input_token.length = ska_base64_decode_len(buf + 3);
- debug((char *) "%s| %s: DEBUG: Decode '%s' (decoded length: %d).\n",
- LogTime(), PROGRAM, buf + 3, (int) input_token.length);
- input_token.value = xmalloc(input_token.length);
-
- ska_base64_decode((char *) input_token.value, buf + 3, input_token.length);
-
-
- if ((input_token.length >= sizeof ntlmProtocol + 1) &&
- (!memcmp(input_token.value, ntlmProtocol, sizeof ntlmProtocol))) {
- debug((char *) "%s| %s: WARNING: received type %d NTLM token\n",
- LogTime(), PROGRAM,
- (int) *((unsigned char *) input_token.value +
- sizeof ntlmProtocol));
- fprintf(stdout, "BH received type %d NTLM token\n",
- (int) *((unsigned char *) input_token.value +
- sizeof ntlmProtocol));
- goto cleanup;
- }
- if (service_principal) {
- if (strcasecmp(service_principal, "GSS_C_NO_NAME")) {
- major_status = gss_import_name(&minor_status, &service,
- (gss_OID) GSS_C_NULL_OID, &server_name);
-
- } else {
- server_name = GSS_C_NO_NAME;
- major_status = GSS_S_COMPLETE;
- }
- } else {
- major_status = gss_import_name(&minor_status, &service,
- gss_nt_service_name, &server_name);
- }
-
- if (check_gss_err(major_status, minor_status, "gss_import_name()", log))
- goto cleanup;
-
- major_status =
- gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
- GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_creds, NULL, NULL);
- if (check_gss_err(major_status, minor_status, "gss_acquire_cred()", log))
- goto cleanup;
-
- major_status = gss_accept_sec_context(&minor_status,
- &gss_context,
- server_creds,
- &input_token,
- GSS_C_NO_CHANNEL_BINDINGS,
- &client_name, NULL, &output_token, &ret_flags, NULL, NULL);
-
-
- if (output_token.length) {
- spnegoToken = (const unsigned char *) output_token.value;
- spnegoTokenLength = output_token.length;
- token = (char *) xmalloc(ska_base64_encode_len(spnegoTokenLength));
- if (token == NULL) {
- debug((char *) "%s| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM);
- fprintf(stdout, "BH Not enough memory\n");
- goto cleanup;
- }
- ska_base64_encode(token, (const char *) spnegoToken,
- ska_base64_encode_len(spnegoTokenLength), spnegoTokenLength);
-
- if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log))
- goto cleanup;
- if (major_status & GSS_S_CONTINUE_NEEDED) {
- debug((char *) "%s| %s: INFO: continuation needed\n", LogTime(), PROGRAM);
- fprintf(stdout, "TT %s\n", token);
- goto cleanup;
- }
- gss_release_buffer(&minor_status, &output_token);
- major_status =
- gss_display_name(&minor_status, client_name, &output_token,
- NULL);
-
- if (check_gss_err(major_status, minor_status, "gss_display_name()", log))
- goto cleanup;
- user = (char *) xmalloc(output_token.length + 1);
- if (user == NULL) {
- debug((char *) "%s| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM);
- fprintf(stdout, "BH Not enough memory\n");
- goto cleanup;
- }
- memcpy(user, output_token.value, output_token.length);
- user[output_token.length] = '\0';
- if (norealm && (p = strchr(user, '@')) != NULL) {
- *p = '\0';
- }
- fprintf(stdout, "AF %s %s\n", token, user);
- debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, token, user);
- if (log)
- fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
- PROGRAM, user);
- goto cleanup;
- } else {
- if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log))
- goto cleanup;
- if (major_status & GSS_S_CONTINUE_NEEDED) {
- debug((char *) "%s| %s: INFO: continuation needed\n", LogTime(), PROGRAM);
- fprintf(stdout, "NA %s\n", token);
- goto cleanup;
- }
- gss_release_buffer(&minor_status, &output_token);
- major_status =
- gss_display_name(&minor_status, client_name, &output_token,
- NULL);
-
- if (check_gss_err(major_status, minor_status, "gss_display_name()", log))
- goto cleanup;
- /*
- * Return dummy token AA. May need an extra return tag then AF
- */
- user = (char *) xmalloc(output_token.length + 1);
- if (user == NULL) {
- debug((char *) "%s| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM);
- fprintf(stdout, "BH Not enough memory\n");
- goto cleanup;
- }
- memcpy(user, output_token.value, output_token.length);
- user[output_token.length] = '\0';
- if (norealm && (p = strchr(user, '@')) != NULL) {
- *p = '\0';
- }
- fprintf(stdout, "AF %s %s\n", "AA==", user);
- debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, "AA==", user);
- if (log)
- fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
- PROGRAM, user);
-
- }
- cleanup:
- gss_release_buffer(&minor_status, &input_token);
- gss_release_buffer(&minor_status, &output_token);
- gss_release_cred(&minor_status, &server_creds);
- if (server_name)
- gss_release_name(&minor_status, &server_name);
- if (client_name)
- gss_release_name(&minor_status, &client_name);
- if (kerberosToken) {
- /* Allocated by parseNegTokenInit, but no matching free function exists.. */
- if (!spnego_flag)
- xfree((char *) kerberosToken);
- kerberosToken = NULL;
- }
- if (spnego_flag) {
- /* Allocated by makeNegTokenTarg, but no matching free function exists.. */
- if (spnegoToken)
- xfree((char *) spnegoToken);
- spnegoToken = NULL;
- }
- if (token) {
- xfree(token);
- token = NULL;
- }
- if (user) {
- xfree(user);
- user = NULL;
- }
- continue;
+ if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) {
+ if (ferror(stdin)) {
+ debug((char *) "%s| %s: FATAL: fgets() failed! dying..... errno=%d (%s)\n",
+ LogTime(), PROGRAM, ferror(stdin),
+ strerror(ferror(stdin)));
+
+ fprintf(stdout, "BH input error\n");
+ exit(1); /* BIIG buffer */
+ }
+ fprintf(stdout, "BH input error\n");
+ exit(0);
+ }
+ c = (char *) memchr(buf, '\n', sizeof(buf) - 1);
+ if (c) {
+ *c = '\0';
+ length = c - buf;
+ } else {
+ err = 1;
+ }
+ if (err) {
+ debug((char *) "%s| %s: ERROR: Oversized message\n", LogTime(), PROGRAM);
+ fprintf(stdout, "BH Oversized message\n");
+ err = 0;
+ continue;
+ }
+ debug((char *) "%s| %s: DEBUG: Got '%s' from squid (length: %d).\n", LogTime(), PROGRAM, buf, length);
+
+ if (buf[0] == '\0') {
+ debug((char *) "%s| %s: ERROR: Invalid request\n", LogTime(), PROGRAM);
+ fprintf(stdout, "BH Invalid request\n");
+ continue;
+ }
+ if (strlen(buf) < 2) {
+ debug((char *) "%s| %s: ERROR: Invalid request [%s]\n", LogTime(), PROGRAM, buf);
+ fprintf(stdout, "BH Invalid request\n");
+ continue;
+ }
+ if (!strncmp(buf, "QQ", 2)) {
+ gss_release_buffer(&minor_status, &input_token);
+ gss_release_buffer(&minor_status, &output_token);
+ gss_release_buffer(&minor_status, &service);
+ gss_release_cred(&minor_status, &server_creds);
+ if (server_name)
+ gss_release_name(&minor_status, &server_name);
+ if (client_name)
+ gss_release_name(&minor_status, &client_name);
+ if (gss_context != GSS_C_NO_CONTEXT)
+ gss_delete_sec_context(&minor_status, &gss_context, NULL);
+ if (kerberosToken) {
+ /* Allocated by parseNegTokenInit, but no matching free function exists.. */
+ if (!spnego_flag)
+ xfree((char *) kerberosToken);
+ kerberosToken = NULL;
+ }
+ if (spnego_flag) {
+ /* Allocated by makeNegTokenTarg, but no matching free function exists.. */
+ if (spnegoToken)
+ xfree((char *) spnegoToken);
+ spnegoToken = NULL;
+ }
+ if (token) {
+ xfree(token);
+ token = NULL;
+ }
+ if (host_name) {
+ xfree(host_name);
+ host_name = NULL;
+ }
+ fprintf(stdout, "BH quit command\n");
+ exit(0);
+ }
+ if (strncmp(buf, "YR", 2) && strncmp(buf, "KK", 2)) {
+ debug((char *) "%s| %s: ERROR: Invalid request [%s]\n", LogTime(), PROGRAM, buf);
+ fprintf(stdout, "BH Invalid request\n");
+ continue;
+ }
+ if (!strncmp(buf, "YR", 2)) {
+ if (gss_context != GSS_C_NO_CONTEXT)
+ gss_delete_sec_context(&minor_status, &gss_context, NULL);
+ gss_context = GSS_C_NO_CONTEXT;
+ }
+ if (strlen(buf) <= 3) {
+ debug((char *) "%s| %s: ERROR: Invalid negotiate request [%s]\n", LogTime(), PROGRAM, buf);
+ fprintf(stdout, "BH Invalid negotiate request\n");
+ continue;
+ }
+ input_token.length = ska_base64_decode_len(buf + 3);
+ debug((char *) "%s| %s: DEBUG: Decode '%s' (decoded length: %d).\n",
+ LogTime(), PROGRAM, buf + 3, (int) input_token.length);
+ input_token.value = xmalloc(input_token.length);
+
+ ska_base64_decode((char *) input_token.value, buf + 3, input_token.length);
+
+
+ if ((input_token.length >= sizeof ntlmProtocol + 1) &&
+ (!memcmp(input_token.value, ntlmProtocol, sizeof ntlmProtocol))) {
+ debug((char *) "%s| %s: WARNING: received type %d NTLM token\n",
+ LogTime(), PROGRAM,
+ (int) *((unsigned char *) input_token.value +
+ sizeof ntlmProtocol));
+ fprintf(stdout, "BH received type %d NTLM token\n",
+ (int) *((unsigned char *) input_token.value +
+ sizeof ntlmProtocol));
+ goto cleanup;
+ }
+ if (service_principal) {
+ if (strcasecmp(service_principal, "GSS_C_NO_NAME")) {
+ major_status = gss_import_name(&minor_status, &service,
+ (gss_OID) GSS_C_NULL_OID, &server_name);
+
+ } else {
+ server_name = GSS_C_NO_NAME;
+ major_status = GSS_S_COMPLETE;
+ }
+ } else {
+ major_status = gss_import_name(&minor_status, &service,
+ gss_nt_service_name, &server_name);
+ }
+
+ if (check_gss_err(major_status, minor_status, "gss_import_name()", log))
+ goto cleanup;
+
+ major_status =
+ gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
+ GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_creds, NULL, NULL);
+ if (check_gss_err(major_status, minor_status, "gss_acquire_cred()", log))
+ goto cleanup;
+
+ major_status = gss_accept_sec_context(&minor_status,
+ &gss_context,
+ server_creds,
+ &input_token,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ &client_name, NULL, &output_token, &ret_flags, NULL, NULL);
+
+
+ if (output_token.length) {
+ spnegoToken = (const unsigned char *) output_token.value;
+ spnegoTokenLength = output_token.length;
+ token = (char *) xmalloc(ska_base64_encode_len(spnegoTokenLength));
+ if (token == NULL) {
+ debug((char *) "%s| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM);
+ fprintf(stdout, "BH Not enough memory\n");
+ goto cleanup;
+ }
+ ska_base64_encode(token, (const char *) spnegoToken,
+ ska_base64_encode_len(spnegoTokenLength), spnegoTokenLength);
+
+ if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log))
+ goto cleanup;
+ if (major_status & GSS_S_CONTINUE_NEEDED) {
+ debug((char *) "%s| %s: INFO: continuation needed\n", LogTime(), PROGRAM);
+ fprintf(stdout, "TT %s\n", token);
+ goto cleanup;
+ }
+ gss_release_buffer(&minor_status, &output_token);
+ major_status =
+ gss_display_name(&minor_status, client_name, &output_token,
+ NULL);
+
+ if (check_gss_err(major_status, minor_status, "gss_display_name()", log))
+ goto cleanup;
+ user = (char *) xmalloc(output_token.length + 1);
+ if (user == NULL) {
+ debug((char *) "%s| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM);
+ fprintf(stdout, "BH Not enough memory\n");
+ goto cleanup;
+ }
+ memcpy(user, output_token.value, output_token.length);
+ user[output_token.length] = '\0';
+ if (norealm && (p = strchr(user, '@')) != NULL) {
+ *p = '\0';
+ }
+ fprintf(stdout, "AF %s %s\n", token, user);
+ debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, token, user);
+ if (log)
+ fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
+ PROGRAM, user);
+ goto cleanup;
+ } else {
+ if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log))
+ goto cleanup;
+ if (major_status & GSS_S_CONTINUE_NEEDED) {
+ debug((char *) "%s| %s: INFO: continuation needed\n", LogTime(), PROGRAM);
+ fprintf(stdout, "NA %s\n", token);
+ goto cleanup;
+ }
+ gss_release_buffer(&minor_status, &output_token);
+ major_status =
+ gss_display_name(&minor_status, client_name, &output_token,
+ NULL);
+
+ if (check_gss_err(major_status, minor_status, "gss_display_name()", log))
+ goto cleanup;
+ /*
+ * Return dummy token AA. May need an extra return tag then AF
+ */
+ user = (char *) xmalloc(output_token.length + 1);
+ if (user == NULL) {
+ debug((char *) "%s| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM);
+ fprintf(stdout, "BH Not enough memory\n");
+ goto cleanup;
+ }
+ memcpy(user, output_token.value, output_token.length);
+ user[output_token.length] = '\0';
+ if (norealm && (p = strchr(user, '@')) != NULL) {
+ *p = '\0';
+ }
+ fprintf(stdout, "AF %s %s\n", "AA==", user);
+ debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, "AA==", user);
+ if (log)
+ fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
+ PROGRAM, user);
+
+ }
+cleanup:
+ gss_release_buffer(&minor_status, &input_token);
+ gss_release_buffer(&minor_status, &output_token);
+ gss_release_cred(&minor_status, &server_creds);
+ if (server_name)
+ gss_release_name(&minor_status, &server_name);
+ if (client_name)
+ gss_release_name(&minor_status, &client_name);
+ if (kerberosToken) {
+ /* Allocated by parseNegTokenInit, but no matching free function exists.. */
+ if (!spnego_flag)
+ xfree((char *) kerberosToken);
+ kerberosToken = NULL;
+ }
+ if (spnego_flag) {
+ /* Allocated by makeNegTokenTarg, but no matching free function exists.. */
+ if (spnegoToken)
+ xfree((char *) spnegoToken);
+ spnegoToken = NULL;
+ }
+ if (token) {
+ xfree(token);
+ token = NULL;
+ }
+ if (user) {
+ xfree(user);
+ user = NULL;
+ }
+ continue;
}
}
#else
setbuf(stdin, NULL);
char buf[MAX_AUTHTOKEN_LEN];
while (1) {
- if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) {
- fprintf(stdout, "BH input error\n");
- exit(0);
- }
- fprintf(stdout, "BH Kerberos authentication not supported\n");
+ if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) {
+ fprintf(stdout, "BH input error\n");
+ exit(0);
+ }
+ fprintf(stdout, "BH Kerberos authentication not supported\n");
}
}
#endif /* HAVE_GSSAPI */
static const char *LogTime(void);
int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
- const char *function);
+ const char *function);
const char *squid_kerb_proxy_auth(char *proxy);
gettimeofday(&now, NULL);
if (now.tv_sec != last_t) {
- tm = localtime((const time_t *) &now.tv_sec);
- strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
- last_t = now.tv_sec;
+ tm = localtime((const time_t *) &now.tv_sec);
+ strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
+ last_t = now.tv_sec;
}
return buf;
}
#ifndef gss_mech_spnego
-static gss_OID_desc _gss_mech_spnego =
-{6, (void *) "\x2b\x06\x01\x05\x05\x02"};
+static gss_OID_desc _gss_mech_spnego = {6, (void *) "\x2b\x06\x01\x05\x05\x02"};
gss_OID gss_mech_spnego = &_gss_mech_spnego;
#endif
int
check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
- const char *function)
+ const char *function)
{
if (GSS_ERROR(major_status)) {
- OM_uint32 maj_stat, min_stat;
- OM_uint32 msg_ctx = 0;
- gss_buffer_desc status_string;
- char buf[1024];
- size_t len;
-
- len = 0;
- msg_ctx = 0;
- while (!msg_ctx) {
- /* convert major status code (GSS-API error) to text */
- maj_stat = gss_display_status(&min_stat, major_status,
- GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
- if (maj_stat == GSS_S_COMPLETE) {
- if (sizeof(buf) > len + status_string.length + 1) {
- snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value);
- len += status_string.length;
- }
- gss_release_buffer(&min_stat, &status_string);
- break;
- }
- gss_release_buffer(&min_stat, &status_string);
- }
- if (sizeof(buf) > len + 2) {
- snprintf(buf + len, (sizeof(buf) - len), "%s", ". ");
- len += 2;
- }
- msg_ctx = 0;
- while (!msg_ctx) {
- /* convert minor status code (underlying routine error) to text */
- maj_stat = gss_display_status(&min_stat, minor_status,
- GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
- if (maj_stat == GSS_S_COMPLETE) {
- if (sizeof(buf) > len + status_string.length) {
- snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value);
- len += status_string.length;
- }
- gss_release_buffer(&min_stat, &status_string);
- break;
- }
- gss_release_buffer(&min_stat, &status_string);
- }
- fprintf(stderr, "%s| %s: %s failed: %s\n", LogTime(), PROGRAM, function,
- buf);
- return (1);
+ OM_uint32 maj_stat, min_stat;
+ OM_uint32 msg_ctx = 0;
+ gss_buffer_desc status_string;
+ char buf[1024];
+ size_t len;
+
+ len = 0;
+ msg_ctx = 0;
+ while (!msg_ctx) {
+ /* convert major status code (GSS-API error) to text */
+ maj_stat = gss_display_status(&min_stat, major_status,
+ GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
+ if (maj_stat == GSS_S_COMPLETE) {
+ if (sizeof(buf) > len + status_string.length + 1) {
+ snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value);
+ len += status_string.length;
+ }
+ gss_release_buffer(&min_stat, &status_string);
+ break;
+ }
+ gss_release_buffer(&min_stat, &status_string);
+ }
+ if (sizeof(buf) > len + 2) {
+ snprintf(buf + len, (sizeof(buf) - len), "%s", ". ");
+ len += 2;
+ }
+ msg_ctx = 0;
+ while (!msg_ctx) {
+ /* convert minor status code (underlying routine error) to text */
+ maj_stat = gss_display_status(&min_stat, minor_status,
+ GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &status_string);
+ if (maj_stat == GSS_S_COMPLETE) {
+ if (sizeof(buf) > len + status_string.length) {
+ snprintf(buf + len, (sizeof(buf) - len), "%s", (char *) status_string.value);
+ len += status_string.length;
+ }
+ gss_release_buffer(&min_stat, &status_string);
+ break;
+ }
+ gss_release_buffer(&min_stat, &status_string);
+ }
+ fprintf(stderr, "%s| %s: %s failed: %s\n", LogTime(), PROGRAM, function,
+ buf);
+ return (1);
}
return (0);
}
setbuf(stdin, NULL);
if (!proxy) {
- fprintf(stderr, "%s| %s: Error: No proxy server name\n", LogTime(),
- PROGRAM);
- return NULL;
+ fprintf(stderr, "%s| %s: Error: No proxy server name\n", LogTime(),
+ PROGRAM);
+ return NULL;
}
service.value = xmalloc(strlen("HTTP") + strlen(proxy) + 2);
snprintf((char *) service.value, strlen("HTTP") + strlen(proxy) + 2, "%s@%s", "HTTP", proxy);
service.length = strlen((char *) service.value);
major_status = gss_import_name(&minor_status, &service,
- gss_nt_service_name, &server_name);
+ gss_nt_service_name, &server_name);
if (check_gss_err(major_status, minor_status, "gss_import_name()"))
- goto cleanup;
+ goto cleanup;
major_status = gss_init_sec_context(&minor_status,
- GSS_C_NO_CREDENTIAL, &gss_context, server_name,
- gss_mech_spnego,
- 0,
- 0,
- GSS_C_NO_CHANNEL_BINDINGS,
- &input_token, NULL, &output_token, NULL, NULL);
+ GSS_C_NO_CREDENTIAL, &gss_context, server_name,
+ gss_mech_spnego,
+ 0,
+ 0,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ &input_token, NULL, &output_token, NULL, NULL);
if (check_gss_err(major_status, minor_status, "gss_init_sec_context()"))
- goto cleanup;
+ goto cleanup;
if (output_token.length) {
- token = (char *) xmalloc(ska_base64_encode_len(output_token.length));
- ska_base64_encode(token, (const char *) output_token.value,
- ska_base64_encode_len(output_token.length), output_token.length);
+ token = (char *) xmalloc(ska_base64_encode_len(output_token.length));
+ ska_base64_encode(token, (const char *) output_token.value,
+ ska_base64_encode_len(output_token.length), output_token.length);
}
- cleanup:
+cleanup:
gss_delete_sec_context(&minor_status, &gss_context, NULL);
gss_release_buffer(&minor_status, &service);
gss_release_buffer(&minor_status, &input_token);
int count;
if (argc < 2) {
- fprintf(stderr, "%s| %s: Error: No proxy server name given\n",
- LogTime(), PROGRAM);
- exit(99);
+ fprintf(stderr, "%s| %s: Error: No proxy server name given\n",
+ LogTime(), PROGRAM);
+ exit(99);
}
if (argc == 3) {
- count = atoi(argv[2]);
- while (count > 0) {
- Token = (const char *) squid_kerb_proxy_auth(argv[1]);
- fprintf(stdout, "YR %s\n", Token ? Token : "NULL");
- count--;
- }
- fprintf(stdout, "QQ\n");
+ count = atoi(argv[2]);
+ while (count > 0) {
+ Token = (const char *) squid_kerb_proxy_auth(argv[1]);
+ fprintf(stdout, "YR %s\n", Token ? Token : "NULL");
+ count--;
+ }
+ fprintf(stdout, "QQ\n");
} else {
- Token = (const char *) squid_kerb_proxy_auth(argv[1]);
- fprintf(stdout, "Token: %s\n", Token ? Token : "NULL");
+ Token = (const char *) squid_kerb_proxy_auth(argv[1]);
+ fprintf(stdout, "Token: %s\n", Token ? Token : "NULL");
}
exit(0);
list = hdr->getList(HDR_PROXY_CONNECTION);
else
#endif
- if (hdr->has(HDR_CONNECTION))
- list = hdr->getList(HDR_CONNECTION);
- else
- return 0;
+ if (hdr->has(HDR_CONNECTION))
+ list = hdr->getList(HDR_CONNECTION);
+ else
+ return 0;
res = strListIsMember(&list, directive, ',');
projects / thirdparty / squid.git / commitdiff
