Squid configuration file.
.
.TP
+.BI "-D " "binddn " "-W " "secretfile "
+The DN and the name of a file containing the password
+to bind as while performing searches.
+.IP
+Less insecure version of the former parameter pair with two advantages:
+The password does not occur in the process listing,
+and the password is not being compromised if someone gets the squid
+configuration file without getting the secretfile.
+.
+.TP
.BI -P
Use a persistent LDAP connection. Normally the LDAP connection
is only open while validating a username to preserve resources
* or (at your option) any later version.
*
* Changes:
+ * 2003-03-01: Christoph Lechleitner <lech@ibcl.at>
+ * - Added -W option to read bindpasswd from file
* 2003-03-01: Juerg Michel
* - Added support for ldap URI via the -H option
* (requires OpenLDAP)
static int version = -1;
static int checkLDAP(LDAP * ld, char *userid, char *password);
+static int readSecret(char *filename);
/* Yuck.. we need to glue to different versions of the API */
case 'w':
bindpasswd = value;
break;
+ case 'W':
+ readSecret (value);
+ break;
case 'P':
persistent = !persistent;
break;
fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n");
fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
+ fprintf(stderr, "\t-W secretfile\t\tread password for binddn from file secretfile\n");
#if HAS_URI_SUPPORT
fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n");
#endif
#endif
fprintf(stderr, "\n");
fprintf(stderr, "\tIf no search filter is specified, then the dn <userattr>=user,basedn\n\twill be used (same as specifying a search filter of '<userattr>=',\n\tbut quicker as as there is no need to search for the user DN)\n\n");
- fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd options\n\n");
+ fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
exit(1);
}
while (fgets(buf, 256, stdin) != NULL) {
return 0;
}
+
+int readSecret(char *filename)
+{
+ char buf[BUFSIZ];
+ char *e=0;
+ FILE *f;
+
+ if(!(f=fopen(filename, "r"))) {
+ fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename);
+ return 1;
+ }
+
+ if( !fgets(buf, sizeof(buf)-1, f)) {
+ fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename);
+ fclose(f);
+ return 1;
+ }
+
+ /* strip whitespaces on end */
+ if((e = strrchr(buf, '\n'))) *e = 0;
+ if((e = strrchr(buf, '\r'))) *e = 0;
+
+ bindpasswd = (char *) calloc(sizeof(char), strlen(buf)+1);
+ if (bindpasswd) {
+ strcpy(bindpasswd, buf);
+ } else {
+ fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
+ }
+
+ fclose(f);
+
+ return 0;
+}
Version 2.12
+2003-03-01 Christoph Lechleitner <lech@ibcl.at>
+ Added -W option to read bindpasswd from file,
+ e.g. from /etc/ldap.secret
+
2003-03-01 Juerg Michel
Added support for ldap URI via the -H option
extracts the password used from a process listing.
.
.TP
+.BI "-D " "binddn " "-W " "secretfile "
+The DN and the name of a file containing the password
+to bind as while performing searches.
+.IP
+Less insecure version of the former parameter pair with two advantages:
+The password does not occur in the process listing,
+and the password is not being compromised if someone gets the squid
+configuration file without getting the secretfile.
+.
+.TP
.BI -P
Use a persistent LDAP connection. Normally the LDAP connection
is only open while verifying a users group membership to preserve
static int searchLDAP(LDAP * ld, char *group, char *user, char *extension_dn);
+static int readSecret(char *filename);
+
/* Yuck.. we need to glue to different versions of the API */
#if defined(LDAP_API_VERSION) && LDAP_API_VERSION > 1823
case 'w':
bindpasswd = value;
break;
+ case 'W':
+ readSecret (value);
+ break;
case 'P':
persistent = !persistent;
break;
fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n");
fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
+ fprintf(stderr, "\t-W secretfile\t\tread password for binddn from file secretfile\n");
#if HAS_URI_SUPPORT
fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n");
#endif
fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n");
fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n");
fprintf(stderr, "\n");
- fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd options\n\n");
+ fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
exit(1);
}
while (fgets(buf, 256, stdin) != NULL) {
return searchLDAPGroup(ld, group, login, extension_dn);
}
}
+
+
+int readSecret(char *filename)
+{
+ char buf[BUFSIZ];
+ char *e=0;
+ FILE *f;
+
+ if(!(f=fopen(filename, "r"))) {
+ fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename);
+ return 1;
+ }
+
+ if( !fgets(buf, sizeof(buf)-1, f)) {
+ fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename);
+ fclose(f);
+ return 1;
+ }
+
+ /* strip whitespaces on end */
+ if((e = strrchr(buf, '\n'))) *e = 0;
+ if((e = strrchr(buf, '\r'))) *e = 0;
+
+ bindpasswd = (char *) calloc(sizeof(char), strlen(buf)+1);
+ if (bindpasswd) {
+ strcpy(bindpasswd, buf);
+ } else {
+ fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
+ }
+
+ fclose(f);
+
+ return 0;
+}
projects / thirdparty / squid.git / commitdiff
