From: hno <> Date: Sun, 24 Jun 2007 02:50:10 +0000 (+0000) Subject: Bug #1948: digest_edir_auth helper, using novell eDirectory universal password X-Git-Tag: SQUID_3_0_PRE7~204 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=89f77e43f36bdbd636826c94085f9b5d882e473d;p=thirdparty%2Fsquid.git Bug #1948: digest_edir_auth helper, using novell eDirectory universal password This is a modified version of digest_ldap_auth, with eDirectory special hooks for retrieving the Universal Password plain text password. --- diff --git a/configure b/configure index 4faed1451d..b0a6e72c47 100755 --- a/configure +++ b/configure @@ -1,5 +1,5 @@ #! /bin/sh -# From configure.in Revision: 1.458 . +# From configure.in Revision. # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.59 for Squid Web Proxy 3.0.PRE6-CVS. # 
@@ -44183,7 +44183,7 @@ fi rm -f core - ac_config_files="$ac_config_files Makefile lib/Makefile scripts/Makefile scripts/RunCache scripts/RunAccel src/Makefile src/fs/Makefile src/repl/Makefile src/auth/Makefile contrib/Makefile snmplib/Makefile icons/Makefile errors/Makefile test-suite/Makefile doc/Makefile helpers/Makefile helpers/basic_auth/Makefile helpers/basic_auth/LDAP/Makefile helpers/basic_auth/MSNT/Makefile helpers/basic_auth/NCSA/Makefile helpers/basic_auth/PAM/Makefile helpers/basic_auth/SMB/Makefile helpers/basic_auth/mswin_sspi/Makefile helpers/basic_auth/YP/Makefile helpers/basic_auth/getpwnam/Makefile helpers/basic_auth/multi-domain-NTLM/Makefile helpers/basic_auth/SASL/Makefile helpers/basic_auth/POP3/Makefile helpers/basic_auth/DB/Makefile helpers/digest_auth/Makefile helpers/digest_auth/password/Makefile helpers/digest_auth/ldap/Makefile helpers/ntlm_auth/Makefile helpers/ntlm_auth/fakeauth/Makefile helpers/ntlm_auth/no_check/Makefile helpers/ntlm_auth/SMB/Makefile helpers/ntlm_auth/SMB/smbval/Makefile helpers/ntlm_auth/mswin_sspi/Makefile helpers/negotiate_auth/Makefile helpers/negotiate_auth/mswin_sspi/Makefile helpers/external_acl/Makefile helpers/external_acl/ip_user/Makefile helpers/external_acl/ldap_group/Makefile helpers/external_acl/session/Makefile helpers/external_acl/unix_group/Makefile helpers/external_acl/wbinfo_group/Makefile helpers/external_acl/mswin_lm_group/Makefile tools/Makefile" + ac_config_files="$ac_config_files Makefile lib/Makefile scripts/Makefile scripts/RunCache scripts/RunAccel src/Makefile src/fs/Makefile src/repl/Makefile src/auth/Makefile contrib/Makefile snmplib/Makefile icons/Makefile errors/Makefile test-suite/Makefile doc/Makefile helpers/Makefile helpers/basic_auth/Makefile helpers/basic_auth/LDAP/Makefile helpers/basic_auth/MSNT/Makefile helpers/basic_auth/NCSA/Makefile helpers/basic_auth/PAM/Makefile helpers/basic_auth/SMB/Makefile helpers/basic_auth/mswin_sspi/Makefile helpers/basic_auth/YP/Makefile 
helpers/basic_auth/getpwnam/Makefile helpers/basic_auth/multi-domain-NTLM/Makefile helpers/basic_auth/SASL/Makefile helpers/basic_auth/POP3/Makefile helpers/basic_auth/DB/Makefile helpers/digest_auth/Makefile helpers/digest_auth/password/Makefile helpers/digest_auth/ldap/Makefile helpers/digest_auth/eDirectory/Makefile helpers/ntlm_auth/Makefile helpers/ntlm_auth/fakeauth/Makefile helpers/ntlm_auth/no_check/Makefile helpers/ntlm_auth/SMB/Makefile helpers/ntlm_auth/SMB/smbval/Makefile helpers/ntlm_auth/mswin_sspi/Makefile helpers/negotiate_auth/Makefile helpers/negotiate_auth/mswin_sspi/Makefile helpers/external_acl/Makefile helpers/external_acl/ip_user/Makefile helpers/external_acl/ldap_group/Makefile helpers/external_acl/session/Makefile helpers/external_acl/unix_group/Makefile helpers/external_acl/wbinfo_group/Makefile helpers/external_acl/mswin_lm_group/Makefile tools/Makefile" @@ -45101,6 +45101,7 @@ do "helpers/digest_auth/Makefile" ) CONFIG_FILES="$CONFIG_FILES helpers/digest_auth/Makefile" ;; "helpers/digest_auth/password/Makefile" ) CONFIG_FILES="$CONFIG_FILES helpers/digest_auth/password/Makefile" ;; "helpers/digest_auth/ldap/Makefile" ) CONFIG_FILES="$CONFIG_FILES helpers/digest_auth/ldap/Makefile" ;; + "helpers/digest_auth/eDirectory/Makefile" ) CONFIG_FILES="$CONFIG_FILES helpers/digest_auth/eDirectory/Makefile" ;; "helpers/ntlm_auth/Makefile" ) CONFIG_FILES="$CONFIG_FILES helpers/ntlm_auth/Makefile" ;; "helpers/ntlm_auth/fakeauth/Makefile" ) CONFIG_FILES="$CONFIG_FILES helpers/ntlm_auth/fakeauth/Makefile" ;; "helpers/ntlm_auth/no_check/Makefile" ) CONFIG_FILES="$CONFIG_FILES helpers/ntlm_auth/no_check/Makefile" ;; diff --git a/configure.in b/configure.in index ff6506fa06..8194690736 100644 --- a/configure.in +++ b/configure.in @@ -1,7 +1,7 @@ dnl Configuration input file for Squid dnl -dnl $Id: configure.in,v 1.458 2007/06/10 12:08:07 hno Exp $ +dnl $Id: configure.in,v 1.459 2007/06/23 20:50:10 hno Exp $ dnl dnl dnl 
@@ -11,7 +11,7 @@ AM_CONFIG_HEADER(include/autoconf.h)
 AC_CONFIG_AUX_DIR(cfgaux)
 AC_CONFIG_SRCDIR([src/main.cc])
 AM_INIT_AUTOMAKE([tar-ustar])
-AC_REVISION($Revision: 1.458 $)dnl
+AC_REVISION($Revision: 1.459 $)dnl
 AC_PREFIX_DEFAULT(/usr/local/squid)
 AM_MAINTAINER_MODE
@@ -3359,6 +3359,7 @@ AC_CONFIG_FILES([\
 helpers/digest_auth/Makefile \
 helpers/digest_auth/password/Makefile \
 helpers/digest_auth/ldap/Makefile \
+ helpers/digest_auth/eDirectory/Makefile \
 helpers/ntlm_auth/Makefile \
 helpers/ntlm_auth/fakeauth/Makefile \
 helpers/ntlm_auth/no_check/Makefile \
diff --git a/helpers/digest_auth/eDirectory/Makefile.am b/helpers/digest_auth/eDirectory/Makefile.am
new file mode 100644
index 0000000000..18174fdd2b
--- /dev/null
+++ b/helpers/digest_auth/eDirectory/Makefile.am
@@ -0,0 +1,19 @@
+#
+# Makefile for the Squid Object Cache server
+#
+# $Id: Makefile.am,v 1.1 2007/06/23 20:50:10 hno Exp $
+#
+# Uncomment and customize the following to suit your needs:
+#
+
+libexec_PROGRAMS = digest_edir_auth
+digest_edir_auth_SOURCES = digest_pw_auth.c \
+ digest_common.h \
+ ldap_backend.c \
+ ldap_backend.h \
+ edir_ldapext.c \
+ edir_ldapext.h
+INCLUDES = -I. -I$(top_builddir)/include -I$(top_srcdir)/include \
+ -I$(top_srcdir)/src/
+
+LDADD = -L$(top_builddir)/lib -lmiscutil $(LIB_LDAP) $(LIB_LBER) $(CRYPTLIB) $(XTRA_LIBS) $(SSLLIB)
diff --git a/helpers/digest_auth/eDirectory/Makefile.in b/helpers/digest_auth/eDirectory/Makefile.in
new file mode 100644
index 0000000000..a7e2d6dc65
--- /dev/null
+++ b/helpers/digest_auth/eDirectory/Makefile.in
@@ -0,0 +1,588 @@ +# Makefile.in generated by automake 1.9.6 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Makefile for the Squid Object Cache server +# +# $Id: Makefile.in,v 1.1 2007/06/23 20:50:10 hno Exp $ +# +# Uncomment and customize the following to suit your needs: +# + +srcdir = @srcdir@ +top_srcdir = @top_srcdir@ +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +top_builddir = ../../.. 
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +INSTALL = @INSTALL@ +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +libexec_PROGRAMS = digest_edir_auth$(EXEEXT) +subdir = helpers/digest_auth/eDirectory +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/include/autoconf.h +CONFIG_CLEAN_FILES = +am__installdirs = "$(DESTDIR)$(libexecdir)" +libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) +PROGRAMS = $(libexec_PROGRAMS) +am_digest_edir_auth_OBJECTS = digest_pw_auth.$(OBJEXT) \ + ldap_backend.$(OBJEXT) edir_ldapext.$(OBJEXT) +digest_edir_auth_OBJECTS = $(am_digest_edir_auth_OBJECTS) +digest_edir_auth_LDADD = $(LDADD) +am__DEPENDENCIES_1 = +digest_edir_auth_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) +DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include +depcomp = $(SHELL) $(top_srcdir)/cfgaux/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +SOURCES = $(digest_edir_auth_SOURCES) +DIST_SOURCES = $(digest_edir_auth_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMDEP_FALSE = @AMDEP_FALSE@ +AMDEP_TRUE = @AMDEP_TRUE@ +AMTAR = @AMTAR@ +AR = @AR@ +AR_R = @AR_R@ +AUTH_LIBS = @AUTH_LIBS@ +AUTH_LINKOBJS = @AUTH_LINKOBJS@ +AUTH_MODULES = @AUTH_MODULES@ +AUTH_OBJS = @AUTH_OBJS@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BASIC_AUTH_HELPERS = @BASIC_AUTH_HELPERS@ +CACHE_HTTP_PORT = @CACHE_HTTP_PORT@ +CACHE_ICP_PORT = @CACHE_ICP_PORT@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CGIEXT = @CGIEXT@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CPPUNITCONFIG = @CPPUNITCONFIG@ +CRYPTLIB = @CRYPTLIB@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DIGEST_AUTH_HELPERS = @DIGEST_AUTH_HELPERS@ +DISK_LIBS = @DISK_LIBS@ +DISK_LINKOBJS = @DISK_LINKOBJS@ +DISK_PROGRAMS = @DISK_PROGRAMS@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +ENABLE_ARP_ACL_FALSE = @ENABLE_ARP_ACL_FALSE@ +ENABLE_ARP_ACL_TRUE = @ENABLE_ARP_ACL_TRUE@ +ENABLE_HTCP_FALSE = @ENABLE_HTCP_FALSE@ +ENABLE_HTCP_TRUE = @ENABLE_HTCP_TRUE@ +ENABLE_IDENT_FALSE = @ENABLE_IDENT_FALSE@ +ENABLE_IDENT_TRUE = @ENABLE_IDENT_TRUE@ +ENABLE_PINGER_FALSE = @ENABLE_PINGER_FALSE@ +ENABLE_PINGER_TRUE = 
@ENABLE_PINGER_TRUE@ +ENABLE_SSL_FALSE = @ENABLE_SSL_FALSE@ +ENABLE_SSL_TRUE = @ENABLE_SSL_TRUE@ +ENABLE_UNLINKD_FALSE = @ENABLE_UNLINKD_FALSE@ +ENABLE_UNLINKD_TRUE = @ENABLE_UNLINKD_TRUE@ +ENABLE_WIN32SPECIFIC_FALSE = @ENABLE_WIN32SPECIFIC_FALSE@ +ENABLE_WIN32SPECIFIC_TRUE = @ENABLE_WIN32SPECIFIC_TRUE@ +ENABLE_XPROF_STATS_FALSE = @ENABLE_XPROF_STATS_FALSE@ +ENABLE_XPROF_STATS_TRUE = @ENABLE_XPROF_STATS_TRUE@ +EPOLL_LIBS = @EPOLL_LIBS@ +ERR_DEFAULT_LANGUAGE = @ERR_DEFAULT_LANGUAGE@ +ERR_LANGUAGES = @ERR_LANGUAGES@ +EXEEXT = @EXEEXT@ +EXTERNAL_ACL_HELPERS = @EXTERNAL_ACL_HELPERS@ +F77 = @F77@ +FALSE = @FALSE@ +FFLAGS = @FFLAGS@ +ICAP_LIBS = @ICAP_LIBS@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LDFLAGS = @LDFLAGS@ +LIBADD_DL = @LIBADD_DL@ +LIBDLMALLOC = @LIBDLMALLOC@ +LIBOBJS = @LIBOBJS@ +LIBREGEX = @LIBREGEX@ +LIBS = @LIBS@ +LIBSASL = @LIBSASL@ +LIBTOOL = @LIBTOOL@ +LIB_DB = @LIB_DB@ +LIB_LBER = @LIB_LBER@ +LIB_LDAP = @LIB_LDAP@ +LIB_MALLOC = @LIB_MALLOC@ +LN = @LN@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ +MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ +MAKEINFO = @MAKEINFO@ +MAKE_LEAKFINDER_FALSE = @MAKE_LEAKFINDER_FALSE@ +MAKE_LEAKFINDER_TRUE = @MAKE_LEAKFINDER_TRUE@ +MINGW_LIBS = @MINGW_LIBS@ +MKDIR = @MKDIR@ +MV = @MV@ +NEED_OWN_MD5_FALSE = @NEED_OWN_MD5_FALSE@ +NEED_OWN_MD5_TRUE = @NEED_OWN_MD5_TRUE@ +NEED_OWN_SNPRINTF_FALSE = @NEED_OWN_SNPRINTF_FALSE@ +NEED_OWN_SNPRINTF_TRUE = @NEED_OWN_SNPRINTF_TRUE@ +NEED_OWN_STRSEP_FALSE = @NEED_OWN_STRSEP_FALSE@ +NEED_OWN_STRSEP_TRUE = @NEED_OWN_STRSEP_TRUE@ +NEGOTIATE_AUTH_HELPERS = @NEGOTIATE_AUTH_HELPERS@ +NTLM_AUTH_HELPERS = @NTLM_AUTH_HELPERS@ +OBJEXT = @OBJEXT@ +OPT_DEFAULT_HOSTS = @OPT_DEFAULT_HOSTS@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME 
= @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +RANLIB = @RANLIB@ +REGEXLIB = @REGEXLIB@ +REPL_LIBS = @REPL_LIBS@ +REPL_OBJS = @REPL_OBJS@ +REPL_POLICIES = @REPL_POLICIES@ +RM = @RM@ +SET_MAKE = @SET_MAKE@ +SH = @SH@ +SHELL = @SHELL@ +SNMPLIB = @SNMPLIB@ +SQUID_CFLAGS = @SQUID_CFLAGS@ +SQUID_CPPUNIT_INC = @SQUID_CPPUNIT_INC@ +SQUID_CPPUNIT_LA = @SQUID_CPPUNIT_LA@ +SQUID_CPPUNIT_LIBS = @SQUID_CPPUNIT_LIBS@ +SQUID_CXXFLAGS = @SQUID_CXXFLAGS@ +SSLLIB = @SSLLIB@ +STORE_LIBS = @STORE_LIBS@ +STORE_LINKOBJS = @STORE_LINKOBJS@ +STORE_OBJS = @STORE_OBJS@ +STORE_TESTS = @STORE_TESTS@ +STRIP = @STRIP@ +TRUE = @TRUE@ +USE_AIOPS_WIN32_FALSE = @USE_AIOPS_WIN32_FALSE@ +USE_AIOPS_WIN32_TRUE = @USE_AIOPS_WIN32_TRUE@ +USE_AIO_WIN32_FALSE = @USE_AIO_WIN32_FALSE@ +USE_AIO_WIN32_TRUE = @USE_AIO_WIN32_TRUE@ +USE_DELAY_POOLS_FALSE = @USE_DELAY_POOLS_FALSE@ +USE_DELAY_POOLS_TRUE = @USE_DELAY_POOLS_TRUE@ +USE_DEVPOLL_FALSE = @USE_DEVPOLL_FALSE@ +USE_DEVPOLL_TRUE = @USE_DEVPOLL_TRUE@ +USE_DNSSERVER_FALSE = @USE_DNSSERVER_FALSE@ +USE_DNSSERVER_TRUE = @USE_DNSSERVER_TRUE@ +USE_EPOLL_FALSE = @USE_EPOLL_FALSE@ +USE_EPOLL_TRUE = @USE_EPOLL_TRUE@ +USE_ESI_FALSE = @USE_ESI_FALSE@ +USE_ESI_TRUE = @USE_ESI_TRUE@ +USE_ICAP_CLIENT_FALSE = @USE_ICAP_CLIENT_FALSE@ +USE_ICAP_CLIENT_TRUE = @USE_ICAP_CLIENT_TRUE@ +USE_IPC_WIN32_FALSE = @USE_IPC_WIN32_FALSE@ +USE_IPC_WIN32_TRUE = @USE_IPC_WIN32_TRUE@ +USE_KQUEUE_FALSE = @USE_KQUEUE_FALSE@ +USE_KQUEUE_TRUE = @USE_KQUEUE_TRUE@ +USE_POLL_FALSE = @USE_POLL_FALSE@ +USE_POLL_TRUE = @USE_POLL_TRUE@ +USE_SELECT_FALSE = @USE_SELECT_FALSE@ +USE_SELECT_SIMPLE_FALSE = @USE_SELECT_SIMPLE_FALSE@ +USE_SELECT_SIMPLE_TRUE = @USE_SELECT_SIMPLE_TRUE@ +USE_SELECT_TRUE = @USE_SELECT_TRUE@ +USE_SELECT_WIN32_FALSE = @USE_SELECT_WIN32_FALSE@ +USE_SELECT_WIN32_TRUE = @USE_SELECT_WIN32_TRUE@ +USE_SNMP_FALSE = @USE_SNMP_FALSE@ +USE_SNMP_TRUE = @USE_SNMP_TRUE@ +VERSION = @VERSION@ +WIN32_PSAPI = @WIN32_PSAPI@ +XTRA_LIBS = 
@XTRA_LIBS@ +XTRA_OBJS = @XTRA_OBJS@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +ac_ct_RANLIB = @ac_ct_RANLIB@ +ac_ct_STRIP = @ac_ct_STRIP@ +am__fastdepCC_FALSE = @am__fastdepCC_FALSE@ +am__fastdepCC_TRUE = @am__fastdepCC_TRUE@ +am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@ +am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +datadir = @datadir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localstatedir = @localstatedir@ +makesnmplib = @makesnmplib@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +subdirs = @subdirs@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +digest_edir_auth_SOURCES = digest_pw_auth.c \ + digest_common.h \ + ldap_backend.c \ + ldap_backend.h \ + edir_ldapext.c \ + edir_ldapext.h + +INCLUDES = -I. 
-I$(top_builddir)/include -I$(top_srcdir)/include \ + -I$(top_srcdir)/src/ + +LDADD = -L$(top_builddir)/lib -lmiscutil $(LIB_LDAP) $(LIB_LBER) $(CRYPTLIB) $(XTRA_LIBS) $(SSLLIB) +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign helpers/digest_auth/eDirectory/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --foreign helpers/digest_auth/eDirectory/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-libexecPROGRAMS: $(libexec_PROGRAMS) + @$(NORMAL_INSTALL) + test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)" + @list='$(libexec_PROGRAMS)'; for p in $$list; do \ + p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + if test -f $$p \ + || test -f $$p1 \ + ; then \ + f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(libexecdir)/$$f'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install 
$(libexecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(libexecdir)/$$f" || exit 1; \ + else :; fi; \ + done + +uninstall-libexecPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(libexec_PROGRAMS)'; for p in $$list; do \ + f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " rm -f '$(DESTDIR)$(libexecdir)/$$f'"; \ + rm -f "$(DESTDIR)$(libexecdir)/$$f"; \ + done + +clean-libexecPROGRAMS: + @list='$(libexec_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done +digest_edir_auth$(EXEEXT): $(digest_edir_auth_OBJECTS) $(digest_edir_auth_DEPENDENCIES) + @rm -f digest_edir_auth$(EXEEXT) + $(LINK) $(digest_edir_auth_LDFLAGS) $(digest_edir_auth_OBJECTS) $(digest_edir_auth_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/digest_pw_auth.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/edir_ldapext.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap_backend.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + 
+.c.lo: +@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +distclean-libtool: + -rm -f libtool +uninstall-info-am: + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && 
gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ + list='$(DISTFILES)'; for file in $$list; do \ + case $$file in \ + $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ + $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ + esac; \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test "$$dir" != "$$file" && test "$$dir" != "."; then \ + dir="/$$dir"; \ + $(mkdir_p) "$(distdir)$$dir"; \ + else \ + dir=''; \ + fi; \ + if test -d $$d/$$file; then \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(PROGRAMS) +installdirs: + for dir in "$(DESTDIR)$(libexecdir)"; do \ + test -z "$$dir" || $(mkdir_p) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-libtool distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: + +install-exec-am: install-libexecPROGRAMS + +install-info: install-info-am + +install-man: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libexecPROGRAMS clean-libtool ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-exec \ + install-exec-am install-info install-info-am \ + install-libexecPROGRAMS install-man install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-info-am \ + uninstall-libexecPROGRAMS + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/helpers/digest_auth/eDirectory/config.test b/helpers/digest_auth/eDirectory/config.test new file mode 100755 index 0000000000..5c354f8b35 --- /dev/null +++ b/helpers/digest_auth/eDirectory/config.test 
@@ -0,0 +1,8 @@
+#!/bin/sh
+if [ -f /usr/include/ldap.h ]; then
+ exit 0
+fi
+if [ -f /usr/include/winldap.h ]; then
+ exit 0
+fi
+exit 1
diff --git a/helpers/digest_auth/eDirectory/digest_common.h b/helpers/digest_auth/eDirectory/digest_common.h
new file mode 100644
index 0000000000..8804745aab
--- /dev/null
+++ b/helpers/digest_auth/eDirectory/digest_common.h
@@ -0,0 +1,57 @@
+/*
+ * digest_common.h
+ *
+ * AUTHOR: Robert Collins.
+ *
+ * Digest helper API details.
+ *
+ * Copyright (c) 2003 Robert Collins
+ */
+
+#ifndef _SQUID_DIGEST_COMMON_H_
+#define _SQUID_DIGEST_COMMON_H_
+
+#include "config.h"
+#if HAVE_STDIO_H
+#include
+#endif
+#if HAVE_STDLIB_H
+#include
+#endif
+#if HAVE_UNISTD_H
+#include
+#endif
+#if HAVE_STRING_H
+#include
+#endif
+#if HAVE_SYS_TYPES_H
+#include
+#endif
+#if HAVE_SYS_STAT_H
+#include
+#endif
+#if HAVE_CRYPT_H
+#include
+#endif
+
+#include "util.h"
+#include "hash.h"
+#include "rfc2617.h"
+
+typedef struct _request_data {
+ char *user;
+ char *realm;
+ char *password;
+ HASHHEX HHA1;
+ int parsed;
+ int error;
+} RequestData;
+
+/* to use a backend, include your backend.h file
+ * and define thusly:
+ * #define ProcessArguments(A, B) MyHandleArguments(A,B)
+ * #define GetHHA1(A) MyGetHHA1(A)
+ */
+typedef void HandleArguments(int, char **);
+typedef void HHA1Creator(RequestData *);
+#endif /* _SQUID_DIGEST_COMMON_H_ */
diff --git a/helpers/digest_auth/eDirectory/digest_pw_auth.c b/helpers/digest_auth/eDirectory/digest_pw_auth.c
new file mode 100644
index 0000000000..d971df48e8
--- /dev/null
+++ b/helpers/digest_auth/eDirectory/digest_pw_auth.c
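Review bot: The include guard `_SQUID_DIGEST_COMMON_H_` in digest_common.h starts with an underscore followed by an uppercase letter, a name the C standard reserves for the implementation; `SQUID_DIGEST_COMMON_H` avoids that. The `password` member of `RequestData` is left undocumented although it is the one field that may hold a plaintext credential: nothing in this patch's callers touches it, so whoever fills it (presumably the LDAP backend, which this chunk does not show) owns its lifetime, and the struct should state that, e.g. `char *password; /* plaintext credential, if any; owned by the backend, which should clear it once HHA1 is derived */`. The header otherwise appears to be an unchanged copy of the ldap helper's digest_common.h; if so, a one-line comment pointing at the original would help keep the two copies in sync.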
@@ -0,0 +1,102 @@
+/*
+ * digest_pw_auth.c
+ *
+ * AUTHOR: Robert Collins. Based on ncsa_auth.c by Arjan de Vet
+ *
+ * LDAP backend extension by Flavio Pescuma, MARA Systems AB
+ *
+ * Example digest authentication program for Squid, based on the original
+ * proxy_auth code from client_side.c, written by
+ * Jon Thackray .
+ *
+ * - comment lines are possible and should start with a '#';
+ * - empty or blank lines are possible;
+ * - file format is username:password
+ *
+ * To build a directory integrated backend, you need to be able to
+ * calculate the HA1 returned to squid. To avoid storing a plaintext
+ * password you can calculate MD5(username:realm:password) when the
+ * user changes their password, and store the tuple username:realm:HA1.
+ * then find the matching username:realm when squid asks for the
+ * HA1.
+ *
+ * This implementation could be improved by using such a triple for
+ * the file format. However storing such a triple does little to
+ * improve security: If compromised the username:realm:HA1 combination
+ * is "plaintext equivalent" - for the purposes of digest authentication
+ * they allow the user access. Password syncronisation is not tackled
+ * by digest - just preventing on the wire compromise.
+ *
+ * Copyright (c) 2003 Robert Collins
+ */
+
+#include "digest_common.h"
+#include "ldap_backend.h"
+#define PROGRAM_NAME "digest_ldap_auth"
+
+
+void
+GetHHA1(RequestData * requestData)
+{
+ LDAPHHA1(requestData);
+}
+
+static void
+ParseBuffer(char *buf, RequestData * requestData)
+{
+ char *p;
+ requestData->parsed = 0;
+ if ((p = strchr(buf, '\n')) != NULL)
+ *p = '\0'; /* strip \n */
+ if ((requestData->user = strtok(buf, "\"")) == NULL)
+ return;
+ if ((requestData->realm = strtok(NULL, "\"")) == NULL)
+ return;
+ if ((requestData->realm = strtok(NULL, "\"")) == NULL)
+ return;
+ requestData->parsed = -1;
+}
+
+static void
+OutputHHA1(RequestData * requestData)
+{
+ requestData->error = 0;
+ GetHHA1(requestData);
+ if (requestData->error) {
+ printf("ERR No such user\n");
+ return;
+ }
+ printf("%s\n", requestData->HHA1);
+}
+
+static void
+DoOneRequest(char *buf)
+{
+ RequestData requestData;
+ ParseBuffer(buf, &requestData);
+ if (!requestData.parsed) {
+ printf("ERR\n");
+ return;
+ }
+ OutputHHA1(&requestData);
+}
+
+void
+ProcessArguments(int argc, char **argv)
+{
+ int i;
+ i = LDAPArguments(argc, argv);
+ if (i)
+ exit(i);
+}
+
+int
+main(int argc, char **argv)
+{
+ char buf[256];
+ setbuf(stdout, NULL);
+ ProcessArguments(argc, argv);
+ while (fgets(buf, 256, stdin) != NULL)
+ DoOneRequest(buf);
+ exit(0);
+}
diff --git a/helpers/digest_auth/eDirectory/edir_ldapext.c b/helpers/digest_auth/eDirectory/edir_ldapext.c
new file mode 100644
index 0000000000..1e4a128396
--- /dev/null
+++ b/helpers/digest_auth/eDirectory/edir_ldapext.c
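Review bot: `main` in digest_pw_auth.c hard-codes the buffer length in `fgets(buf, 256, stdin)` and never checks that the whole line fit, so a request longer than 255 bytes is cut in two and the tail is parsed as a second request, which puts the helper's one-reply-per-request exchange with Squid out of step. Use `sizeof buf` and, when the line read carries no `\n` and the stream is not at EOF, drain the remainder and answer exactly once (rewritten loop below). `PROGRAM_NAME` is still `"digest_ldap_auth"` although this directory builds `digest_edir_auth`; if the backend prints it in usage or log output the name will mislead, so `#define PROGRAM_NAME "digest_edir_auth"`. In `ParseBuffer` the two consecutive `strtok(NULL, "\"")` assignments to `realm` read like a copy/paste slip; a comment such as `/* first call consumes the ':' between the quoted user and realm */` would record why the first result is discarded (assuming the `"user":"realm"` request format the quoting suggests).
```c
int
main(int argc, char **argv)
{
    char buf[256];
    setbuf(stdout, NULL);
    ProcessArguments(argc, argv);
    while (fgets(buf, sizeof buf, stdin) != NULL) {
        if (strchr(buf, '\n') == NULL && !feof(stdin)) {
            /* Request longer than buf: discard the rest of the line and
             * answer exactly once so replies stay in step with requests. */
            int c;
            while ((c = getchar()) != EOF && c != '\n')
                ;
            printf("ERR\n");
            continue;
        }
        DoOneRequest(buf);
    }
    exit(0);
}
```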
@@ -0,0 +1,363 @@ +/* + * Copyright (C) 2002-2004 Novell, Inc. + * + * edir_ldapext.c LDAP extension for reading eDirectory universal password + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of version 2 of the GNU General Public License as published + * by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, contact Novell, Inc. + * + * To contact Novell about this file by physical or electronic mail, you may + * find current contact information at www.novell.com. + */ + +#include +#include +#include +#include +/* NMAS error codes */ +#define NMAS_E_BASE (-1600) + +#define NMAS_SUCCESS 0 +#define NMAS_E_SUCCESS NMAS_SUCCESS /* Alias */ +#define NMAS_OK NMAS_SUCCESS /* Alias */ + +#define NMAS_E_FRAG_FAILURE (NMAS_E_BASE-31) /* -1631 0xFFFFF9A1 */ +#define NMAS_E_BUFFER_OVERFLOW (NMAS_E_BASE-33) /* -1633 0xFFFFF99F */ +#define NMAS_E_SYSTEM_RESOURCES (NMAS_E_BASE-34) /* -1634 0xFFFFF99E */ +#define NMAS_E_INSUFFICIENT_MEMORY (NMAS_E_BASE-35) /* -1635 0xFFFFF99D */ +#define NMAS_E_NOT_SUPPORTED (NMAS_E_BASE-36) /* -1636 0xFFFFF99C */ +#define NMAS_E_INVALID_PARAMETER (NMAS_E_BASE-43) /* -1643 0xFFFFF995 */ +#define NMAS_E_INVALID_VERSION (NMAS_E_BASE-52) /* -1652 0xFFFFF98C */ + +/* OID of LDAP extenstion calls to read Universal Password */ +#define NMASLDAP_GET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.13" +#define NMASLDAP_GET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.14" + +#define NMAS_LDAP_EXT_VERSION 1 + + + +/* ------------------------------------------------------------------------ + * berEncodePasswordData + * ============================== + * RequestBer 
contents: + * clientVersion INTEGER + * targetObjectDN OCTET STRING + * password1 OCTET STRING + * password2 OCTET STRING + * + * Description: + * This function takes the request BER value and input data items + * and BER encodes the data into the BER value + * + * ------------------------------------------------------------------------ */ +int berEncodePasswordData( + struct berval **requestBV, + char *objectDN, + char *password, + char *password2) +{ + int err = 0, rc=0; + BerElement *requestBer = NULL; + + char * utf8ObjPtr = NULL; + int utf8ObjSize = 0; + char * utf8PwdPtr = NULL; + int utf8PwdSize = 0; + char * utf8Pwd2Ptr = NULL; + int utf8Pwd2Size = 0; + + + utf8ObjSize = strlen(objectDN)+1; + utf8ObjPtr = objectDN; + + if (password != NULL) + { + utf8PwdSize = strlen(password)+1; + utf8PwdPtr = password; + } + + if (password2 != NULL) + { + utf8Pwd2Size = strlen(password2)+1; + utf8Pwd2Ptr = password2; + } + + /* Allocate a BerElement for the request parameters.*/ + if((requestBer = ber_alloc()) == NULL) + { + err = NMAS_E_FRAG_FAILURE; + goto Cleanup; + } + + if (password != NULL && password2 != NULL) + { + /* BER encode the NMAS Version, the objectDN, and the password */ + rc = ber_printf(requestBer, "{iooo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize, utf8Pwd2Ptr, utf8Pwd2Size); + } + else if (password != NULL) + { + /* BER encode the NMAS Version, the objectDN, and the password */ + rc = ber_printf(requestBer, "{ioo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize); + } + else + { + /* BER encode the NMAS Version and the objectDN */ + rc = ber_printf(requestBer, "{io}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize); + } + + if (rc < 0) + { + err = NMAS_E_FRAG_FAILURE; + goto Cleanup; + } + else + { + err = 0; + } + + /* + * Convert the BER we just built to a berval that we'll send with the extended request. 
+ */ + if(ber_flatten(requestBer, requestBV) == LBER_ERROR) + { + err = NMAS_E_FRAG_FAILURE; + goto Cleanup; + } + +Cleanup: + + if(requestBer) + { + ber_free(requestBer, 1); + } + + return err; +} /* End of berEncodePasswordData */ + +/* ------------------------------------------------------------------------ + * berDecodeLoginData() + * ============================== + * ResponseBer contents: + * serverVersion INTEGER + * error INTEGER + * data OCTET STRING + * + * Description: + * This function takes the reply BER Value and decodes the + * NMAS server version and return code and if a non null retData + * buffer was supplied, tries to decode the the return data and length + * + * ------------------------------------------------------------------------ */ +int berDecodeLoginData( + struct berval *replyBV, + int *serverVersion, + size_t *retDataLen, + void *retData ) +{ + int rc=0, err = 0; + BerElement *replyBer = NULL; + char *retOctStr = NULL; + size_t retOctStrLen = 0; + + if((replyBer = ber_init(replyBV)) == NULL) + { + err = NMAS_E_SYSTEM_RESOURCES; + goto Cleanup; + } + + if(retData) + { + retOctStrLen = *retDataLen + 1; + retOctStr = (char *)malloc(retOctStrLen); + if(!retOctStr) + { + err = NMAS_E_SYSTEM_RESOURCES; + goto Cleanup; + } + + if( (rc = ber_scanf(replyBer, "{iis}", serverVersion, &err, retOctStr, &retOctStrLen)) != -1) + { + if (*retDataLen >= retOctStrLen) + { + memcpy(retData, retOctStr, retOctStrLen); + } + else if (!err) + { + err = NMAS_E_BUFFER_OVERFLOW; + } + + *retDataLen = retOctStrLen; + } + else if (!err) + { + err = NMAS_E_FRAG_FAILURE; + } + } + else + { + if( (rc = ber_scanf(replyBer, "{ii}", serverVersion, &err)) == -1) + { + if (!err) + { + err = NMAS_E_FRAG_FAILURE; + } + } + } + +Cleanup: + + if(replyBer) + { + ber_free(replyBer, 1); + } + + if (retOctStr != NULL) + { + memset(retOctStr, 0, retOctStrLen); + free(retOctStr); + } + + return err; +} /* End of berDecodeLoginData */ + +/* 
----------------------------------------------------------------------- + * nmasldap_get_password() + * ============================== + * + * Description: + * This API attempts to get the universal password + * + * ------------------------------------------------------------------------ */ +int nmasldap_get_password( + LDAP *ld, + char *objectDN, + size_t *pwdSize, // in bytes + char *pwd ) +{ + int err = 0; + + struct berval *requestBV = NULL; + char *replyOID = NULL; + struct berval *replyBV = NULL; + int serverVersion; + char *pwdBuf; + size_t pwdBufLen, bufferLen; + +#ifdef NOT_N_PLAT_NLM + int currentThreadGroupID; +#endif + + /* Validate char parameters. */ + if(objectDN == NULL || (strlen(objectDN) == 0) || pwdSize == NULL || ld == NULL) + { + return NMAS_E_INVALID_PARAMETER; + } + + bufferLen = pwdBufLen = *pwdSize; + pwdBuf = (char *)malloc(pwdBufLen+2); + if(pwdBuf == NULL) + { + return NMAS_E_INSUFFICIENT_MEMORY; + } + +#ifdef NOT_N_PLAT_NLM + currentThreadGroupID = SetThreadGroupID(nmasLDAPThreadGroupID); +#endif + + err = berEncodePasswordData(&requestBV, objectDN, NULL, NULL); + if(err) + { + goto Cleanup; + } + + /* Call the ldap_extended_operation (synchronously) */ + if((err = ldap_extended_operation_s(ld, NMASLDAP_GET_PASSWORD_REQUEST, requestBV, NULL, NULL, &replyOID, &replyBV))) + { + goto Cleanup; + } + + /* Make sure there is a return OID */ + if(!replyOID) + { + err = NMAS_E_NOT_SUPPORTED; + goto Cleanup; + } + + /* Is this what we were expecting to get back. */ + if(strcmp(replyOID, NMASLDAP_GET_PASSWORD_RESPONSE)) + { + err = NMAS_E_NOT_SUPPORTED; + goto Cleanup; + } + + /* Do we have a good returned berval? */ + if(!replyBV) + { + /* + * No; returned berval means we experienced a rather drastic error. + * Return operations error. 
+ */ + err = NMAS_E_SYSTEM_RESOURCES; + goto Cleanup; + } + + err = berDecodeLoginData(replyBV, &serverVersion, &pwdBufLen, pwdBuf); + + if(serverVersion != NMAS_LDAP_EXT_VERSION) + { + err = NMAS_E_INVALID_VERSION; + goto Cleanup; + } + + if (!err && pwdBufLen != 0) + { + if (*pwdSize >= pwdBufLen+1 && pwd != NULL) + { + memcpy(pwd, pwdBuf, pwdBufLen); + pwd[pwdBufLen] = 0; /* add null termination */ + } + *pwdSize = pwdBufLen; /* does not include null termination */ + } + +Cleanup: + + if(replyBV) + { + ber_bvfree(replyBV); + } + + /* Free the return OID string if one was returned. */ + if(replyOID) + { + ldap_memfree(replyOID); + } + + /* Free memory allocated while building the request ber and berval. */ + if(requestBV) + { + ber_bvfree(requestBV); + } + + if (pwdBuf != NULL) + { + memset(pwdBuf, 0, bufferLen); + free(pwdBuf); + } + +#ifdef NOT_N_PLAT_NLM + SetThreadGroupID(currentThreadGroupID); +#endif + + /* Return the appropriate error/success code. */ + return err; +} /* end of nmasldap_get_password */ diff --git a/helpers/digest_auth/eDirectory/edir_ldapext.h b/helpers/digest_auth/eDirectory/edir_ldapext.h new file mode 100644 index 0000000000..2160097290 --- /dev/null +++ b/helpers/digest_auth/eDirectory/edir_ldapext.h @@ -0,0 +1,16 @@ +/* + * edir_ldapext.h + * + * AUTHOR: Guy Antony Halse + * + * stubs for FreeRadius's edir_ldapext.h + * + */ +#include + +#define UNIVERSAL_PASS_LEN 256 +#define NMAS_SUCCESS 0 + +extern int berEncodePasswordData(struct berval **requestBV, char *objectDN, char *password, char *password2); +extern int berDecodeLoginData(struct berval *replyBV, int *serverVersion, size_t *retDataLen, void *retData); +extern int nmasldap_get_password(LDAP *ld, char *objectDN, size_t *pwdSize, char *pwd); diff --git a/helpers/digest_auth/eDirectory/ldap_backend.c b/helpers/digest_auth/eDirectory/ldap_backend.c new file mode 100644 index 0000000000..e8c1b3a81d --- /dev/null +++ b/helpers/digest_auth/eDirectory/ldap_backend.c 
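Review bot: In nmasldap_get_password the version check runs before err is examined: `int serverVersion;` is never written when berDecodeLoginData fails at ber_init or at ber_scanf, so the comparison reads an uninitialized int and the real error code is replaced by NMAS_E_INVALID_VERSION; initialize it with `int serverVersion = 0;` and add `if (err) goto Cleanup;` directly after the berDecodeLoginData call. Further down, the branch where pwd is too small (`*pwdSize >= pwdBufLen+1` false) still returns err == 0 and reports the length only through *pwdSize, so a caller that does not compare *pwdSize takes an unwritten buffer as the password; setting `err = NMAS_E_BUFFER_OVERFLOW;` there matches what berDecodeLoginData already does in the same situation. In berDecodeLoginData, `ber_scanf(..., "{iis}", ..., retOctStr, &retOctStrLen)` passes a `size_t *` where the `s` conversion takes a `ber_len_t *`; on targets where the two types differ in width this is a silent mismatch, so the length should be read into a ber_len_t local and copied. Both Cleanup blocks clear the password copies with plain `memset` before `free`, which the optimizer is free to drop; use `explicit_bzero` or the platform's equivalent where one is available.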
@@ -0,0 +1,702 @@ +/* + * + * + * + * ldap_backend.c + * AUTHOR: Flavio Pescuma, MARA Systems AB + */ + +#define LDAP_DEPRECATED 1 + +#include +#include +#include +#include +#include "ldap_backend.h" +#include "edir_ldapext.h" + +#ifdef _SQUID_MSWIN_ /* Native Windows port and MinGW */ + +#define snprintf _snprintf +#include +#include +#ifndef LDAPAPI +#define LDAPAPI __cdecl +#endif +#ifdef LDAP_VERSION3 +#ifndef LDAP_OPT_X_TLS +#define LDAP_OPT_X_TLS 0x6000 +#endif +/* Some tricks to allow dynamic bind with ldap_start_tls_s entry point at + * run time. + */ +#undef ldap_start_tls_s +#if LDAP_UNICODE +#define LDAP_START_TLS_S "ldap_start_tls_sW" +typedef WINLDAPAPI ULONG(LDAPAPI * PFldap_start_tls_s) (IN PLDAP, OUT PULONG, OUT LDAPMessage **, IN PLDAPControlW *, IN PLDAPControlW *); +#else +#define LDAP_START_TLS_S "ldap_start_tls_sA" +typedef WINLDAPAPI ULONG(LDAPAPI * PFldap_start_tls_s) (IN PLDAP, OUT PULONG, OUT LDAPMessage **, IN PLDAPControlA *, IN PLDAPControlA *); +#endif /* LDAP_UNICODE */ +PFldap_start_tls_s Win32_ldap_start_tls_s; +#define ldap_start_tls_s(l,s,c) Win32_ldap_start_tls_s(l,NULL,NULL,s,c) +#endif /* LDAP_VERSION3 */ + +#else + +#include +#include + +#endif +#define PROGRAM_NAME "digest_pw_auth(LDAP_backend)" + +/* Globals */ + +static LDAP *ld = NULL; +static char *passattr = NULL; +static char *ldapServer = NULL; +static char *userbasedn = NULL; +static char *userdnattr = NULL; +static char *usersearchfilter = NULL; +static char *binddn = NULL; +static char *bindpasswd = NULL; +static char *delimiter = ":"; +static int encrpass = 0; +static int searchscope = LDAP_SCOPE_SUBTREE; +static int persistent = 0; +static int noreferrals = 0; +static int debug = 0; +static int port = LDAP_PORT; +static int strip_nt_domain = 0; +static int edir_universal_passwd = 0; +static int aliasderef = LDAP_DEREF_NEVER; +#if defined(NETSCAPE_SSL) +static char *sslpath = NULL; +static int sslinit = 0; +#endif +static int connect_timeout = 0; +static int 
timelimit = LDAP_NO_LIMIT; + +#ifdef LDAP_VERSION3 +/* Added for TLS support and version 3 */ +static int use_tls = 0; +static int version = -1; +#endif + +static void ldapconnect(void); +static int readSecret(char *filename); + +/* Yuck.. we need to glue to different versions of the API */ + +#if defined(LDAP_API_VERSION) && LDAP_API_VERSION > 1823 +static void +squid_ldap_set_aliasderef(int deref) +{ + ldap_set_option(ld, LDAP_OPT_DEREF, &deref); +} +static void +squid_ldap_set_referrals(int referrals) +{ + int *value = referrals ? LDAP_OPT_ON : LDAP_OPT_OFF; + ldap_set_option(ld, LDAP_OPT_REFERRALS, value); +} +static void +squid_ldap_set_timelimit(int timelimit) +{ + ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &timelimit); +} +static void +squid_ldap_set_connect_timeout(int timelimit) +{ +#if defined(LDAP_OPT_NETWORK_TIMEOUT) + struct timeval tv; + tv.tv_sec = timelimit; + tv.tv_usec = 0; + ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv); +#elif defined(LDAP_X_OPT_CONNECT_TIMEOUT) + timelimit *= 1000; + ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timelimit); +#endif +} + +#else +static int +squid_ldap_errno(LDAP * ld) +{ + return ld->ld_errno; +} +static void +squid_ldap_set_aliasderef(int deref) +{ + ld->ld_deref = deref; +} +static void +squid_ldap_set_referrals(int referrals) +{ + if (referrals) + ld->ld_options |= ~LDAP_OPT_REFERRALS; + else + ld->ld_options &= ~LDAP_OPT_REFERRALS; +} +static void +squid_ldap_set_timelimit(int timelimit) +{ + ld->ld_timelimit = timelimit; +} +static void +squid_ldap_set_connect_timeout(int timelimit) +{ + fprintf(stderr, "Connect timeouts not supported in your LDAP library\n"); +} +static void +squid_ldap_memfree(char *p) +{ + free(p); +} + +#endif + +#ifdef LDAP_API_FEATURE_X_OPENLDAP +#if LDAP_VENDOR_VERSION > 194 +#define HAS_URI_SUPPORT 1 +#endif +#endif + +static int +ldap_escape_value(char *escaped, int size, const char *src) +{ + int n = 0; + while (size > 4 && *src) { + switch (*src) { + case '*': + case '(': + 
case ')': + case '\\': + n += 3; + size -= 3; + if (size > 0) { + *escaped++ = '\\'; + snprintf(escaped, 3, "%02x", (int) *src++); + escaped += 2; + } + break; + default: + *escaped++ = *src++; + n++; + size--; + } + } + *escaped = '\0'; + return n; +} + +static char * +getpassword(char *login, char *realm) +{ + LDAPMessage *res = NULL; + LDAPMessage *entry; + char **values = NULL; + char **value = NULL; + char *password = NULL; + int retry = 0; + char filter[8192]; + char searchbase[8192]; + char *universal_password = NULL; + size_t universal_password_len = UNIVERSAL_PASS_LEN; + int nmas_res = 0; + int rc = -1; + if (ld) { + if (usersearchfilter) { + char escaped_login[1024]; + snprintf(searchbase, sizeof(searchbase), "%s", userbasedn); + ldap_escape_value(escaped_login, sizeof(escaped_login), login); + snprintf(filter, sizeof(filter), usersearchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login); + + retrysrch: + if (debug) + fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, searchbase); + + rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 0, &res); + if (rc != LDAP_SUCCESS) { + if (noreferrals && rc == LDAP_PARTIAL_RESULTS) { + /* Everything is fine. This is expected when referrals + * are disabled. 
+ */ + rc = LDAP_SUCCESS; + } else { + fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc)); +#if defined(NETSCAPE_SSL) + if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) { + int sslerr = PORT_GetError(); + fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr)); + } +#endif + fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error, trying to recover'%s'\n", ldap_err2string(rc)); + ldap_msgfree(res); + /* try to connect to the LDAP server agin, maybe my persisten conexion failed. */ + if (!retry) { + retry++; + ldap_unbind(ld); + ld = NULL; + ldapconnect(); + goto retrysrch; + } + return NULL; + + } + } + } else if (userdnattr) { + sprintf(searchbase, "%s=%s, %s", userdnattr, login, userbasedn); + + retrydnattr: + if (debug) + fprintf(stderr, "searchbase '%s'\n", searchbase); + rc = ldap_search_s(ld, searchbase, searchscope, NULL, NULL, 0, &res); + } + if (rc == LDAP_SUCCESS) { + entry = ldap_first_entry(ld, res); + if (entry) { + if (debug) + printf("ldap dn: %s\n", ldap_get_dn(ld, entry)); + if (edir_universal_passwd) { + + /* allocate some memory for the universal password returned by NMAS */ + universal_password = malloc(universal_password_len); + memset(universal_password, 0, universal_password_len); + values = malloc(sizeof(char *)); + + /* actually talk to NMAS to get a password */ + nmas_res = nmasldap_get_password(ld, ldap_get_dn(ld, entry), &universal_password_len, universal_password); + if (nmas_res == NMAS_SUCCESS && universal_password) { + if (debug) + printf("NMAS returned value %s\n", universal_password); + values[0] = universal_password; + } else { + if (debug) + printf("Error reading Universal Password: %d = %s\n", nmas_res, ldap_err2string(nmas_res)); + } + } else { + values = ldap_get_values(ld, entry, passattr); + } + } else { + ldap_msgfree(res); + return NULL; + } + if (!values) { + if (debug) + printf("No attribute value found\n"); + if 
(edir_universal_passwd) + free(universal_password); + ldap_msgfree(res); + return NULL; + } + value = values; + while (*value) { + if (encrpass) { + if (strcmp(strtok(*value, delimiter), realm) == 0) { + password = strtok(NULL, delimiter); + break; + } + } else { + password = *value; + break; + } + value++; + } + if (debug) + printf("password: %s\n", password); + if (password) + password = strdup(password); + if (edir_universal_passwd) { + free(values); + free(universal_password); + } else { + ldap_value_free(values); + } + ldap_msgfree(res); + return password; + } else { + fprintf(stderr, PROGRAM_NAME " WARNING, LDAP error '%s'\n", ldap_err2string(rc)); + /* try to connect to the LDAP server agin, maybe my persisten conexion failed. */ + if (!retry) { + retry++; + ldap_unbind(ld); + ld = NULL; + ldapconnect(); + goto retrydnattr; + } + return NULL; + } + } + return NULL; +} + + + +static void +ldapconnect(void) +{ + int rc; + +/* On Windows ldap_start_tls_s is available starting from Windows XP, + * so we need to bind at run-time with the function entry point + */ +#ifdef _SQUID_MSWIN_ + if (use_tls) { + + HMODULE WLDAP32Handle; + + WLDAP32Handle = GetModuleHandle("wldap32"); + if ((Win32_ldap_start_tls_s = (PFldap_start_tls_s) GetProcAddress(WLDAP32Handle, LDAP_START_TLS_S)) == NULL) { + fprintf(stderr, PROGRAM_NAME ": ERROR: TLS (-Z) not supported on this platform.\n"); + exit(1); + } + } +#endif + + if (ld == NULL) { +#if HAS_URI_SUPPORT + if (strstr(ldapServer, "://") != NULL) { + rc = ldap_initialize(&ld, ldapServer); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer); + } + } else +#endif +#if NETSCAPE_SSL + if (sslpath) { + if (!sslinit && (ldapssl_client_init(sslpath, NULL) != LDAP_SUCCESS)) { + fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n", + sslpath); + exit(1); + } else { + sslinit++; + } + if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) { + fprintf(stderr, "\nUnable to connect to 
SSL LDAP server: %s port:%d\n", + ldapServer, port); + exit(1); + } + } else +#endif + if ((ld = ldap_init(ldapServer, port)) == NULL) { + fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n", ldapServer, port); + } + if (connect_timeout) + squid_ldap_set_connect_timeout(connect_timeout); + +#ifdef LDAP_VERSION3 + if (version == -1) { + version = LDAP_VERSION2; + } + if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version) + != LDAP_SUCCESS) { + fprintf(stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n", + version); + ldap_unbind(ld); + ld = NULL; + } + if (use_tls) { +#ifdef LDAP_OPT_X_TLS + if ((version == LDAP_VERSION3) && (ldap_start_tls_s(ld, NULL, NULL) == LDAP_SUCCESS)) { + fprintf(stderr, "Could not Activate TLS connection\n"); + ldap_unbind(ld); + ld = NULL; + } +#else + fprintf(stderr, "TLS not supported with your LDAP library\n"); + ldap_unbind(ld); + ld = NULL; +#endif + } +#endif + squid_ldap_set_timelimit(timelimit); + squid_ldap_set_referrals(!noreferrals); + squid_ldap_set_aliasderef(aliasderef); + if (binddn && bindpasswd && *binddn && *bindpasswd) { + rc = ldap_simple_bind_s(ld, binddn, bindpasswd); + if (rc != LDAP_SUCCESS) { + fprintf(stderr, PROGRAM_NAME " WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc)); + ldap_unbind(ld); + ld = NULL; + } + } + if (debug) + fprintf(stderr, "Connected OK\n"); + } +} +int +LDAPArguments(int argc, char **argv) +{ + setbuf(stdout, NULL); + + while (argc > 1 && argv[1][0] == '-') { + char *value = ""; + char option = argv[1][1]; + switch (option) { + case 'P': + case 'R': + case 'z': + case 'Z': + case 'g': + case 'e': + case 'S': + case 'n': + case 'd': + break; + default: + if (strlen(argv[1]) > 2) { + value = argv[1] + 2; + } else if (argc > 2) { + value = argv[2]; + argv++; + argc--; + } else + value = ""; + break; + } + argv++; + argc--; + switch (option) { + case 'H': +#if !HAS_URI_SUPPORT + fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n"); + return 
1; +#endif + /* Fall thru to -h */ + case 'h': + if (ldapServer) { + int len = strlen(ldapServer) + 1 + strlen(value) + 1; + char *newhost = malloc(len); + snprintf(newhost, len, "%s %s", ldapServer, value); + free(ldapServer); + ldapServer = newhost; + } else { + ldapServer = strdup(value); + } + break; + case 'A': + passattr = value; + break; + case 'e': + encrpass = 1; + break; + case 'l': + delimiter = value; + break; + case 'b': + userbasedn = value; + break; + case 'F': + usersearchfilter = value; + break; + case 'u': + userdnattr = value; + break; + case 's': + if (strcmp(value, "base") == 0) + searchscope = LDAP_SCOPE_BASE; + else if (strcmp(value, "one") == 0) + searchscope = LDAP_SCOPE_ONELEVEL; + else if (strcmp(value, "sub") == 0) + searchscope = LDAP_SCOPE_SUBTREE; + else { + fprintf(stderr, PROGRAM_NAME " ERROR: Unknown search scope '%s'\n", value); + return 1; + } + break; + case 'S': +#if defined(NETSCAPE_SSL) + sslpath = value; + if (port == LDAP_PORT) + port = LDAPS_PORT; +#else + fprintf(stderr, PROGRAM_NAME " ERROR: -E unsupported with this LDAP library\n"); + return 1; +#endif + break; + case 'c': + connect_timeout = atoi(value); + break; + case 't': + timelimit = atoi(value); + break; + case 'a': + if (strcmp(value, "never") == 0) + aliasderef = LDAP_DEREF_NEVER; + else if (strcmp(value, "always") == 0) + aliasderef = LDAP_DEREF_ALWAYS; + else if (strcmp(value, "search") == 0) + aliasderef = LDAP_DEREF_SEARCHING; + else if (strcmp(value, "find") == 0) + aliasderef = LDAP_DEREF_FINDING; + else { + fprintf(stderr, PROGRAM_NAME " ERROR: Unknown alias dereference method '%s'\n", value); + return 1; + } + break; + case 'D': + binddn = value; + break; + case 'w': + bindpasswd = value; + break; + case 'W': + readSecret(value); + break; + case 'P': + persistent = !persistent; + break; + case 'p': + port = atoi(value); + break; + case 'R': + noreferrals = !noreferrals; + break; +#ifdef LDAP_VERSION3 + case 'v': + switch (atoi(value)) { + case 2: + 
version = LDAP_VERSION2; + break; + case 3: + version = LDAP_VERSION3; + break; + default: + fprintf(stderr, "Protocol version should be 2 or 3\n"); + return 1; + } + break; + case 'Z': + if (version == LDAP_VERSION2) { + fprintf(stderr, "TLS (-Z) is incompatible with version %d\n", + version); + return 1; + } + version = LDAP_VERSION3; + use_tls = 1; + break; +#endif + case 'd': + debug = 1; + break; + case 'E': + strip_nt_domain = 1; + break; + case 'n': + edir_universal_passwd = 1; + break; + default: + fprintf(stderr, PROGRAM_NAME " ERROR: Unknown command line option '%c'\n", option); + return 1; + } + } + + while (argc > 1) { + char *value = argv[1]; + if (ldapServer) { + int len = strlen(ldapServer) + 1 + strlen(value) + 1; + char *newhost = malloc(len); + snprintf(newhost, len, "%s %s", ldapServer, value); + free(ldapServer); + ldapServer = newhost; + } else { + ldapServer = strdup(value); + } + argc--; + argv++; + } + + if (!ldapServer) + ldapServer = "localhost"; + + if (!userbasedn || !((passattr != NULL) || (edir_universal_passwd && usersearchfilter && version == LDAP_VERSION3 && use_tls))) { + fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn -f filter [options] ldap_server_name\n\n"); + fprintf(stderr, "\t-A password attribute(REQUIRED)\t\tUser attribute that contains the password\n"); + fprintf(stderr, "\t-l password realm delimiter(REQUIRED)\tCharater(s) that devides the password attribute\n\t\t\t\t\t\tin realm and password tokens, default ':' realm:password\n"); + fprintf(stderr, "\t-b basedn (REQUIRED)\t\t\tbase dn under where to search for users\n"); + fprintf(stderr, "\t-e Encrypted passwords(REQUIRED)\tPassword are stored encrypted using HHA1\n"); + fprintf(stderr, "\t-F filter\t\t\t\tuser search filter pattern. 
%%s = login\n"); + fprintf(stderr, "\t-u attribute\t\t\t\tattribute to use in combination with the basedn to create the user DN\n"); + fprintf(stderr, "\t-s base|one|sub\t\t\t\tsearch scope\n"); + fprintf(stderr, "\t-D binddn\t\t\t\tDN to bind as to perform searches\n"); + fprintf(stderr, "\t-w bindpasswd\t\t\t\tpassword for binddn\n"); + fprintf(stderr, "\t-W secretfile\t\t\t\tread password for binddn from file secretfile\n"); +#if HAS_URI_SUPPORT + fprintf(stderr, "\t-H URI\t\t\t\t\tLDAPURI (defaults to ldap://localhost)\n"); +#endif + fprintf(stderr, "\t-h server\t\t\t\tLDAP server (defaults to localhost)\n"); + fprintf(stderr, "\t-p port\t\t\t\t\tLDAP server port (defaults to %d)\n", LDAP_PORT); + fprintf(stderr, "\t-P\t\t\t\t\tpersistent LDAP connection\n"); +#if defined(NETSCAPE_SSL) + fprintf(stderr, "\t-E sslcertpath\t\t\t\tenable LDAP over SSL\n"); +#endif + fprintf(stderr, "\t-c timeout\t\t\t\tconnect timeout\n"); + fprintf(stderr, "\t-t timelimit\t\t\t\tsearch time limit\n"); + fprintf(stderr, "\t-R\t\t\t\t\tdo not follow referrals\n"); + fprintf(stderr, "\t-a never|always|search|find\t\twhen to dereference aliases\n"); +#ifdef LDAP_VERSION3 + fprintf(stderr, "\t-v 2|3\t\t\t\t\tLDAP version\n"); + fprintf(stderr, "\t-Z\t\t\t\t\tTLS encrypt the LDAP connection, requires\n\t\t\t\tLDAP version 3\n"); +#endif + fprintf(stderr, "\t-S\t\t\t\t\tStrip NT domain from usernames\n"); + fprintf(stderr, "\t-n\t\t\t\t\tGet an eDirectory Universal Password from Novell NMAS\n\t\t\t\t\t\t(requires bind credentials, version 3, TLS, and a search filter)\n"); + fprintf(stderr, "\n"); + fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n"); + return -1; + } + return 0; +} +static int +readSecret(char *filename) +{ + char buf[BUFSIZ]; + char *e = 0; + FILE *f; + + if (!(f = fopen(filename, "r"))) { + fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename); + 
return 1; + } + if (!fgets(buf, sizeof(buf) - 1, f)) { + fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename); + fclose(f); + return 1; + } + /* strip whitespaces on end */ + if ((e = strrchr(buf, '\n'))) + *e = 0; + if ((e = strrchr(buf, '\r'))) + *e = 0; + + bindpasswd = (char *) calloc(sizeof(char), strlen(buf) + 1); + if (bindpasswd) { + strcpy(bindpasswd, buf); + } else { + fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n"); + } + + fclose(f); + + return 0; +} + +void +LDAPHHA1(RequestData * requestData) +{ + char *password = ""; + ldapconnect(); + password = getpassword(requestData->user, requestData->realm); + if (password != NULL) { + if (encrpass) + xstrncpy(requestData->HHA1, password, sizeof(requestData->HHA1)); + else { + HASH HA1; + DigestCalcHA1("md5", requestData->user, requestData->realm, password, NULL, NULL, HA1, requestData->HHA1); + } + free(password); + } else { + requestData->error = -1; + } + +} diff --git a/helpers/digest_auth/eDirectory/ldap_backend.h b/helpers/digest_auth/eDirectory/ldap_backend.h new file mode 100644 index 0000000000..669be23f2b --- /dev/null +++ b/helpers/digest_auth/eDirectory/ldap_backend.h @@ -0,0 +1,9 @@ +/* + * text_backend.h + * + * AUTHOR: Flavio Pescuma. + * + */ +#include "digest_common.h" +extern int LDAPArguments(int argc, char **argv); +extern void LDAPHHA1(RequestData * requestData);
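Review bot: The TLS check in ldapconnect is inverted: `ldap_start_tls_s(ld, NULL, NULL) == LDAP_SUCCESS` selects the failure branch, so a connection on which TLS actually started is torn down while one where STARTTLS failed carries on in cleartext — and since -n is made to require -Z precisely because the universal password travels over this connection, the condition must be `!= LDAP_SUCCESS`. In getpassword, the userdnattr branch builds the search base with an unbounded `sprintf(searchbase, "%s=%s, %s", userdnattr, login, userbasedn)` from the unescaped login; this needs `snprintf(searchbase, sizeof(searchbase), ...)` and DN-rule escaping of login (ldap_escape_value implements filter escaping, which is not the same thing). In the universal-password path `values = malloc(sizeof(char *))` is a one-slot, uninitialized, non-NULL-terminated array: when nmasldap_get_password fails values[0] is never set yet `while (*value)` dereferences it, and in -e mode a non-matching realm advances to values[1]; `values = calloc(2, sizeof(char *))` gives a zeroed, terminated array and makes the `if (!values)` path coherent. The debug output `printf("NMAS returned value %s\n", ...)` and `printf("password: %s\n", password)` goes to stdout, which is the reply channel squid reads, and writes the plaintext password there; these (and `printf("ldap dn: %s\n", ...)`) should go to stderr like the other diagnostics and omit the secret. The universal password buffer and the strdup'ed copy returned to LDAPHHA1 are also freed without being cleared, unlike the copy inside edir_ldapext.c.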