From: hno <> Date: Sat, 1 Mar 2003 22:38:56 +0000 (+0000) Subject: -W secretfile by Christoph Lechleitner X-Git-Tag: SQUID_3_0_PRE1~301 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=954a851376707ccc1938b682bf1bae206779a2ee;p=thirdparty%2Fsquid.git -W secretfile by Christoph Lechleitner --- diff --git a/helpers/basic_auth/LDAP/squid_ldap_auth.8 b/helpers/basic_auth/LDAP/squid_ldap_auth.8 index 34ee5f2951..7c5aa8e53a 100644 --- a/helpers/basic_auth/LDAP/squid_ldap_auth.8 +++ b/helpers/basic_auth/LDAP/squid_ldap_auth.8 @@ -68,6 +68,16 @@ This to limit the damage in case someone could get hold of a copy of your Squid configuration file. . .TP +.BI "-D " "binddn " "-W " "secretfile " +The DN and the name of a file containing the password +to bind as while performing searches. +.IP +Less insecure version of the former parameter pair with two advantages: +The password does not occur in the process listing, +and the password is not being compromised if someone gets the squid +configuration file without getting the secretfile. +. +.TP .BI -P Use a persistent LDAP connection. Normally the LDAP connection is only open while validating a username to preserve resources diff --git a/helpers/basic_auth/LDAP/squid_ldap_auth.c b/helpers/basic_auth/LDAP/squid_ldap_auth.c index 0af85080f2..8d6693639c 100644 --- a/helpers/basic_auth/LDAP/squid_ldap_auth.c +++ b/helpers/basic_auth/LDAP/squid_ldap_auth.c @@ -30,6 +30,8 @@ * or (at your option) any later version. * * Changes: + * 2003-03-01: Christoph Lechleitner + * - Added -W option to read bindpasswd from file * 2003-03-01: Juerg Michel * - Added support for ldap URI via the -H option * (requires OpenLDAP) @@ -84,6 +86,7 @@ static int use_tls = 0; static int version = -1; static int checkLDAP(LDAP * ld, char *userid, char *password); +static int readSecret(char *filename); /* Yuck.. we need to glue to different versions of the API */ @@ -236,6 +239,9 @@ main(int argc, char **argv) case 'w': bindpasswd = value; break; + case 'W': + readSecret (value); + break; case 'P': persistent = !persistent; break; @@ -298,6 +304,7 @@ main(int argc, char **argv) fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n"); fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n"); fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n"); + fprintf(stderr, "\t-W secretfile\t\tread password for binddn from file secretfile\n"); #if HAS_URI_SUPPORT fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n"); #endif @@ -312,7 +319,7 @@ main(int argc, char **argv) #endif fprintf(stderr, "\n"); fprintf(stderr, "\tIf no search filter is specified, then the dn =user,basedn\n\twill be used (same as specifying a search filter of '=',\n\tbut quicker as as there is no need to search for the user DN)\n\n"); - fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd options\n\n"); + fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n"); exit(1); } while (fgets(buf, 256, stdin) != NULL) { @@ -446,3 +453,36 @@ checkLDAP(LDAP * ld, char *userid, char *password) return 0; } + +int readSecret(char *filename) +{ + char buf[BUFSIZ]; + char *e=0; + FILE *f; + + if(!(f=fopen(filename, "r"))) { + fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename); + return 1; + } + + if( !fgets(buf, sizeof(buf)-1, f)) { + fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename); + fclose(f); + return 1; + } + + /* strip whitespaces on end */ + if((e = strrchr(buf, '\n'))) *e = 0; + if((e = strrchr(buf, '\r'))) *e = 0; + + bindpasswd = (char *) calloc(sizeof(char), strlen(buf)+1); + if (bindpasswd) { + strcpy(bindpasswd, buf); + } else { + fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n"); + } + + fclose(f); + + return 0; +} diff --git a/helpers/external_acl/ldap_group/ChangeLog b/helpers/external_acl/ldap_group/ChangeLog index f4f33d1622..e5c3759585 100644 --- a/helpers/external_acl/ldap_group/ChangeLog +++ b/helpers/external_acl/ldap_group/ChangeLog @@ -1,5 +1,9 @@ Version 2.12 +2003-03-01 Christoph Lechleitner + Added -W option to read bindpasswd from file, + e.g. from /etc/ldap.secret + 2003-03-01 Juerg Michel Added support for ldap URI via the -H option diff --git a/helpers/external_acl/ldap_group/squid_ldap_group.8 b/helpers/external_acl/ldap_group/squid_ldap_group.8 index 894c564179..a419166a03 100644 --- a/helpers/external_acl/ldap_group/squid_ldap_group.8 +++ b/helpers/external_acl/ldap_group/squid_ldap_group.8 @@ -72,6 +72,16 @@ in case someone could get hold of a copy of your Squid configuration file or extracts the password used from a process listing. . .TP +.BI "-D " "binddn " "-W " "secretfile " +The DN and the name of a file containing the password +to bind as while performing searches. +.IP +Less insecure version of the former parameter pair with two advantages: +The password does not occur in the process listing, +and the password is not being compromised if someone gets the squid +configuration file without getting the secretfile. +. +.TP .BI -P Use a persistent LDAP connection. Normally the LDAP connection is only open while verifying a users group membership to preserve diff --git a/helpers/external_acl/ldap_group/squid_ldap_group.c b/helpers/external_acl/ldap_group/squid_ldap_group.c index 116444b41f..af7173430d 100644 --- a/helpers/external_acl/ldap_group/squid_ldap_group.c +++ b/helpers/external_acl/ldap_group/squid_ldap_group.c @@ -66,6 +66,8 @@ static int version = -1; static int searchLDAP(LDAP * ld, char *group, char *user, char *extension_dn); +static int readSecret(char *filename); + /* Yuck.. we need to glue to different versions of the API */ #if defined(LDAP_API_VERSION) && LDAP_API_VERSION > 1823 @@ -272,6 +274,9 @@ main(int argc, char **argv) case 'w': bindpasswd = value; break; + case 'W': + readSecret (value); + break; case 'P': persistent = !persistent; break; @@ -347,6 +352,7 @@ main(int argc, char **argv) fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n"); fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n"); fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n"); + fprintf(stderr, "\t-W secretfile\t\tread password for binddn from file secretfile\n"); #if HAS_URI_SUPPORT fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n"); #endif @@ -362,7 +368,7 @@ main(int argc, char **argv) fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n"); fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n"); fprintf(stderr, "\n"); - fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd options\n\n"); + fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n"); exit(1); } while (fgets(buf, 256, stdin) != NULL) { @@ -636,3 +642,37 @@ searchLDAP(LDAP *ld, char *group, char *login, char *extension_dn) return searchLDAPGroup(ld, group, login, extension_dn); } } + + +int readSecret(char *filename) +{ + char buf[BUFSIZ]; + char *e=0; + FILE *f; + + if(!(f=fopen(filename, "r"))) { + fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename); + return 1; + } + + if( !fgets(buf, sizeof(buf)-1, f)) { + fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename); + fclose(f); + return 1; + } + + /* strip whitespaces on end */ + if((e = strrchr(buf, '\n'))) *e = 0; + if((e = strrchr(buf, '\r'))) *e = 0; + + bindpasswd = (char *) calloc(sizeof(char), strlen(buf)+1); + if (bindpasswd) { + strcpy(bindpasswd, buf); + } else { + fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n"); + } + + fclose(f); + + return 0; +}