From: hno <> Date: Mon, 16 Apr 2001 03:04:30 +0000 (+0000) Subject: Ability to search for the user DN to log in as X-Git-Tag: SQUID_3_0_PRE1~1542 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=331ba75615f2fdc0500eeb6525b6c68dd2bf81c8;p=thirdparty%2Fsquid.git Ability to search for the user DN to log in as Command line options for all configuration data. No longer any need to edit squid_ldap_auth.c, just specify the correct options from squid.conf. Arguments: -b basedn -s searchscope -f searchfilter ldap_server_name More documentation will be written later, explaining how to use the searchfilter and scope, with examples on how to use this to log in to Microsoft active directory. --- diff --git a/helpers/basic_auth/LDAP/Makefile.in b/helpers/basic_auth/LDAP/Makefile.in index 6398e3b2c9..ec57eeadaa 100644 --- a/helpers/basic_auth/LDAP/Makefile.in +++ b/helpers/basic_auth/LDAP/Makefile.in @@ -36,6 +36,7 @@ MV = @MV@ RM = @RM@ SHELL = /bin/sh +CFLAGS = $(AC_CFLAGS) $(INCLUDE) $(DEFINES) all: $(LDAP_EXE) @@ -52,6 +53,9 @@ install-mkdirs: mkdir -p $(libexecdir); \ fi +.c.o: + $(CC) $(CFLAGS) -c $< + # Michael Lupp wants to know about additions # to the install target. install: all install-mkdirs diff --git a/helpers/basic_auth/LDAP/README b/helpers/basic_auth/LDAP/README index 2af85db4b4..568f2f1c12 100644 --- a/helpers/basic_auth/LDAP/README +++ b/helpers/basic_auth/LDAP/README @@ -1,8 +1,13 @@ -This LDAP Authentication code is written by Glen Newton +This LDAP Authentication code is maintained by Henrik Nordstrom + who added command line options, and +the ability to search for the user DN to log in as. + +The original LDAP Authentication code is written by Glen Newton . -Please see his Web page at: +Please also see his Web page at: http://orca.cisti.nrc.ca/~gnewton/opensource/squid_ldap_auth/ In order to use squid_ldap_auth, you will also need to install the OpenLDAP libraries (ldap lber) from http://www.openldap.org. + 
diff --git a/helpers/basic_auth/LDAP/squid_ldap_auth.c b/helpers/basic_auth/LDAP/squid_ldap_auth.c
index 7f204d3317..1837167c98 100644
--- a/helpers/basic_auth/LDAP/squid_ldap_auth.c
+++ b/helpers/basic_auth/LDAP/squid_ldap_auth.c
@@ -8,7 +8,7 @@
  * CISTI
  * National Research Council
  *
- * Usage: squid_ldap_auth
+ * Usage: squid_ldap_auth [-b basedn] [-s searchscope] [-f searchfilter]
  *
  * Dependencies: You need to get the OpenLDAP libraries
  * from http://www.openldap.org
@@ -21,12 +21,15 @@
 #include
 #include
+#include
 #include
 #include
 #include
 /* Change this to your search base */
-#define SEARCHBASE "ou=people,o=nrc.ca"
+static char *basedn = "ou=people,o=nrc.ca";
+static char *searchfilter = NULL;
+static int searchscope = LDAP_SCOPE_SUBTREE;
 int checkLDAP(LDAP * ld, char *userid, char *password);
@@ -37,12 +40,48 @@ main(int argc, char **argv)
     char *user, *passwd, *p;
     char *ldapServer;
     LDAP *ld;
-    LDAPMessage *result, *e;
     setbuf(stdout, NULL);
+    while (argc > 2 && argv[1][0] == '-') {
+        char *value;
+        char option = argv[1][1];
+        if (strlen(argv[1]) > 2) {
+            value = argv[1]+2;
+        } else {
+            value = argv[2];
+            argv++;
+            argc--;
+        }
+        argv++;
+        argc--;
+        switch(option) {
+        case 'b':
+            basedn = value;
+            break;
+        case 'f':
+            searchfilter = value;
+            break;
+        case 's':
+            if (strcmp(value, "base") == 0)
+                searchscope = LDAP_SCOPE_BASE;
+            else if (strcmp(value, "one") == 0)
+                searchscope = LDAP_SCOPE_ONELEVEL;
+            else if (strcmp(value, "sub") == 0)
+                searchscope = LDAP_SCOPE_SUBTREE;
+            else {
+                fprintf(stderr, "squid_ldap_auth: ERROR: Unknown search scope '%s'\n", value);
+                exit(1);
+            }
+            break;
+        default:
+            fprintf(stderr, "squid_ldap_auth: ERROR: Unknown command line option '%c'\n", option);
+            exit(1);
+        }
+    }
+
     if (argc != 2) {
-        fprintf(stderr, "Usage: squid_ldap_auth ldap_server_name\n");
+        fprintf(stderr, "Usage: squid_ldap_auth [-b basedn] [-s searchscope] [-f searchfilter] ldap_server_name\n");
         exit(1);
     }
     ldapServer = (char *) argv[1];
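Review bot: An option given as the last argument is taken as the server name instead of being rejected: the added `while` only runs while `argc > 2`, so an invocation ending in a bare `-f` leaves `argv[1]` equal to "-f", the `argc != 2` check passes, and `ldapServer` becomes "-f". A guard after the loop, `if (argv[1][0] == '-') { fprintf(stderr, "Usage: ...\n"); exit(1); }`, or loosening the loop to `argc > 1` and rejecting a missing value inside it, would turn this into the usage error. The `-b` and `-f` values are also stored unchecked, so an empty string is accepted as base DN or filter prefix; an `if (!*value)` rejection in the `switch` would be cheap. The rest of `main`, including where `ldapServer` and these settings are used, lies outside this hunk.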
@@ -77,21 +116,44 @@ main(int argc, char **argv)
     }
     ldap_unbind(ld);
     }
+    return 0;
 }
-
-
 int checkLDAP(LDAP * ld, char *userid, char *password)
 {
-    char str[256];
+    char dn[256];
+    int result = 1;
-    /*sprintf(str,"uid=[%s][%s], %s",userid, password, SEARCHBASE); */
-    sprintf(str, "uid=%s, %s", userid, SEARCHBASE);
+    if (searchfilter) {
+        char filter[256];
+        LDAPMessage *res = NULL;
+        LDAPMessage *entry;
+        char *searchattr[] = {NULL};
+        char *userdn;
-    if (ldap_simple_bind_s(ld, str, password) != LDAP_SUCCESS) {
-        /*fprintf(stderr, "\nUnable to bind\n"); */
-        return 33;
+        snprintf(filter, sizeof(filter), "%s%s", searchfilter, userid);
+        if (ldap_search_s(ld, basedn, searchscope, filter, searchattr, 1, &res) != LDAP_SUCCESS)
+            return 1;
+        entry = ldap_first_entry(ld, res);
+        if (!entry) {
+            ldap_msgfree(res);
+            return 1;
+        }
+        userdn = ldap_get_dn(ld, entry);
+        if (!userdn) {
+            ldap_msgfree(res);
+            return 1;
+        }
+        snprintf(dn, sizeof(dn), "%s", userdn);
+        free(userdn);
+        ldap_msgfree(res);
+    } else {
+        snprintf(dn, sizeof(dn), "uid=%s, %s", userid, basedn);
     }
-    return 0;
+
+    if (ldap_simple_bind_s(ld, dn, password) == LDAP_SUCCESS)
+        result = 0;
+
+    return result;
 }
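Review bot: An empty password is never rejected before the bind at the end of `checkLDAP`: a simple bind with a DN and an empty password is an unauthenticated bind that many LDAP servers accept, so `ldap_simple_bind_s` can return `LDAP_SUCCESS` for any existing DN and the helper would report the login as valid; add `if (!password || !*password) return 1;` before the DN is built. The search filter and the fallback DN are also built by pasting `userid` in verbatim, so filter metacharacters (`*`, `(`, `)`, `\`) or DN special characters in the login name change what is searched or bound; the name should be escaped per RFC 4515 (filter) and RFC 4514 (DN) or rejected when it contains them, and each `snprintf` result should be compared with the buffer size so a truncated filter or DN is treated as a failure rather than used. `userdn` comes from `ldap_get_dn`, whose memory the OpenLDAP API expects to be released with `ldap_memfree`, not `free`. When the search returns more than one entry only the first is used; an ambiguous match should fail rather than silently pick one. The fence shows the password guard, the truncation checks and the `ldap_memfree` change; the escaping helper is left for a follow-up.
```c
int checkLDAP(LDAP * ld, char *userid, char *password)
{
    char dn[256];
    int result = 1;
    int len;

    /* A DN with an empty password is an unauthenticated bind, which many
     * servers accept; it must never count as a successful login. */
    if (!password || !*password)
        return 1;

    if (searchfilter) {
        /* … unchanged: locals … */
        /* userid should be filter-escaped (RFC 4515) before this point */
        len = snprintf(filter, sizeof(filter), "%s%s", searchfilter, userid);
        if (len < 0 || (size_t)len >= sizeof(filter))
            return 1;   /* a truncated filter must not be searched */
        /* … unchanged: ldap_search_s, ldap_first_entry, NULL checks … */
        len = snprintf(dn, sizeof(dn), "%s", userdn);
        ldap_memfree(userdn);   /* ldap_get_dn memory is freed with ldap_memfree */
        ldap_msgfree(res);
        if (len < 0 || (size_t)len >= sizeof(dn))
            return 1;
    } else {
        /* userid should be DN-escaped (RFC 4514) before this point */
        len = snprintf(dn, sizeof(dn), "uid=%s, %s", userid, basedn);
        if (len < 0 || (size_t)len >= sizeof(dn))
            return 1;
    }
    /* … unchanged: bind and return result … */
}
```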