/*
- * Copyright (C) 2002-2004 Novell, Inc.
+ * NDS LDAP helper functions
+ * Copied From Samba-3.0.24 pdb_nds.c and trimmed down to the
+ * limited functionality needed to access the plain text password only
*
- * edir_ldapext.c LDAP extension for reading eDirectory universal password
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of version 2 of the GNU General Public License as published
- * by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- * more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, contact Novell, Inc.
+ * Original copyright & license follows:
*
- * To contact Novell about this file by physical or electronic mail, you may
- * find current contact information at www.novell.com.
- */
+ * Copyright (C) Vince Brimhall 2004-2005
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ *
+*/
#include "digest_common.h"
-#ifdef _SQUID_MSWIN_ /* Native Windows port and MinGW */
+#ifdef _SQUID_MSWIN_ /* Native Windows port and MinGW */
#define snprintf _snprintf
#include <windows.h>
#include <ldap.h>
#endif
+#include <wchar.h>
#include "edir_ldapext.h"
-/* NMAS error codes */
-#define NMAS_E_BASE (-1600)
+#define NMASLDAP_GET_LOGIN_CONFIG_REQUEST "2.16.840.1.113719.1.39.42.100.3"
+#define NMASLDAP_GET_LOGIN_CONFIG_RESPONSE "2.16.840.1.113719.1.39.42.100.4"
+#define NMASLDAP_SET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.11"
+#define NMASLDAP_SET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.12"
+#define NMASLDAP_GET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.13"
+#define NMASLDAP_GET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.14"
-#define NMAS_SUCCESS 0
-#define NMAS_E_SUCCESS NMAS_SUCCESS /* Alias */
-#define NMAS_OK NMAS_SUCCESS /* Alias */
+#define NMAS_LDAP_EXT_VERSION 1
-#define NMAS_E_FRAG_FAILURE (NMAS_E_BASE-31) /* -1631 0xFFFFF9A1 */
-#define NMAS_E_BUFFER_OVERFLOW (NMAS_E_BASE-33) /* -1633 0xFFFFF99F */
-#define NMAS_E_SYSTEM_RESOURCES (NMAS_E_BASE-34) /* -1634 0xFFFFF99E */
-#define NMAS_E_INSUFFICIENT_MEMORY (NMAS_E_BASE-35) /* -1635 0xFFFFF99D */
-#define NMAS_E_NOT_SUPPORTED (NMAS_E_BASE-36) /* -1636 0xFFFFF99C */
-#define NMAS_E_INVALID_PARAMETER (NMAS_E_BASE-43) /* -1643 0xFFFFF995 */
-#define NMAS_E_INVALID_VERSION (NMAS_E_BASE-52) /* -1652 0xFFFFF98C */
+#define SMB_MALLOC_ARRAY(type, nelem) calloc(sizeof(type), nelem)
+#define DEBUG(level, args)
-/* OID of LDAP extenstion calls to read Universal Password */
-#define NMASLDAP_GET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.13"
-#define NMASLDAP_GET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.14"
+/**********************************************************************
+ Take the request BER value and input data items and BER encodes the
+ data into the BER value
+**********************************************************************/
-#define NMAS_LDAP_EXT_VERSION 1
+static int berEncodePasswordData(
+ struct berval **requestBV,
+ const char *objectDN,
+ const char *password,
+ const char *password2)
+{
+ int err = 0, rc=0;
+ BerElement *requestBer = NULL;
+ const char * utf8ObjPtr = NULL;
+ int utf8ObjSize = 0;
+ const char * utf8PwdPtr = NULL;
+ int utf8PwdSize = 0;
+ const char * utf8Pwd2Ptr = NULL;
+ int utf8Pwd2Size = 0;
-/* ------------------------------------------------------------------------
- * berEncodePasswordData
- * ==============================
- * RequestBer contents:
- * clientVersion INTEGER
- * targetObjectDN OCTET STRING
- * password1 OCTET STRING
- * password2 OCTET STRING
- *
- * Description:
- * This function takes the request BER value and input data items
- * and BER encodes the data into the BER value
- *
- * ------------------------------------------------------------------------ */
-int
-berEncodePasswordData(
- struct berval **requestBV,
- char *objectDN,
- char *password,
- char *password2)
+ /* Convert objectDN and tag strings from Unicode to UTF-8 */
+ utf8ObjSize = strlen(objectDN)+1;
+ utf8ObjPtr = objectDN;
+
+ if (password != NULL)
+ {
+ utf8PwdSize = strlen(password)+1;
+ utf8PwdPtr = password;
+ }
+
+ if (password2 != NULL)
+ {
+ utf8Pwd2Size = strlen(password2)+1;
+ utf8Pwd2Ptr = password2;
+ }
+
+ /* Allocate a BerElement for the request parameters. */
+ if((requestBer = ber_alloc()) == NULL)
+ {
+ err = LDAP_ENCODING_ERROR;
+ goto Cleanup;
+ }
+
+ if (password != NULL && password2 != NULL)
+ {
+ /* BER encode the NMAS Version, the objectDN, and the password */
+ rc = ber_printf(requestBer, "{iooo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize, utf8Pwd2Ptr, utf8Pwd2Size);
+ }
+ else if (password != NULL)
+ {
+ /* BER encode the NMAS Version, the objectDN, and the password */
+ rc = ber_printf(requestBer, "{ioo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize);
+ }
+ else
+ {
+ /* BER encode the NMAS Version and the objectDN */
+ rc = ber_printf(requestBer, "{io}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize);
+ }
+
+ if (rc < 0)
+ {
+ err = LDAP_ENCODING_ERROR;
+ goto Cleanup;
+ }
+ else
+ {
+ err = 0;
+ }
+
+ /* Convert the BER we just built to a berval that we'll send with the extended request. */
+ if(ber_flatten(requestBer, requestBV) == LBER_ERROR)
+ {
+ err = LDAP_ENCODING_ERROR;
+ goto Cleanup;
+ }
+
+Cleanup:
+
+ if(requestBer)
+ {
+ ber_free(requestBer, 1);
+ }
+
+ return err;
+}
+
+/**********************************************************************
+ Take the request BER value and input data items and BER encodes the
+ data into the BER value
+**********************************************************************/
+
+static int berEncodeLoginData(
+ struct berval **requestBV,
+ char *objectDN,
+ unsigned int methodIDLen,
+ unsigned int *methodID,
+ char *tag,
+ size_t putDataLen,
+ void *putData)
{
- int err = 0, rc = 0;
- BerElement *requestBer = NULL;
-
- char *utf8ObjPtr = NULL;
- int utf8ObjSize = 0;
- char *utf8PwdPtr = NULL;
- int utf8PwdSize = 0;
- char *utf8Pwd2Ptr = NULL;
- int utf8Pwd2Size = 0;
-
-
- utf8ObjSize = strlen(objectDN) + 1;
- utf8ObjPtr = objectDN;
-
- if (password != NULL) {
- utf8PwdSize = strlen(password) + 1;
- utf8PwdPtr = password;
- }
- if (password2 != NULL) {
- utf8Pwd2Size = strlen(password2) + 1;
- utf8Pwd2Ptr = password2;
- }
- /* Allocate a BerElement for the request parameters. */
- if ((requestBer = ber_alloc()) == NULL) {
- err = NMAS_E_FRAG_FAILURE;
- goto Cleanup;
- }
- if (password != NULL && password2 != NULL) {
- /* BER encode the NMAS Version, the objectDN, and the password */
- rc = ber_printf(requestBer, "{iooo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize, utf8Pwd2Ptr, utf8Pwd2Size);
- } else if (password != NULL) {
- /* BER encode the NMAS Version, the objectDN, and the password */
- rc = ber_printf(requestBer, "{ioo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize);
- } else {
+ int err = 0;
+ BerElement *requestBer = NULL;
+
+ unsigned int i;
+ unsigned int elemCnt = methodIDLen / sizeof(unsigned int);
+
+ char *utf8ObjPtr=NULL;
+ int utf8ObjSize = 0;
+
+ char *utf8TagPtr = NULL;
+ int utf8TagSize = 0;
+
+ utf8ObjPtr = objectDN;
+ utf8ObjSize = strlen(utf8ObjPtr)+1;
+
+ utf8TagPtr = tag;
+ utf8TagSize = strlen(utf8TagPtr)+1;
+
+ /* Allocate a BerElement for the request parameters. */
+ if((requestBer = ber_alloc()) == NULL)
+ {
+ err = LDAP_ENCODING_ERROR;
+ goto Cleanup;
+ }
+
/* BER encode the NMAS Version and the objectDN */
- rc = ber_printf(requestBer, "{io}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize);
- }
-
- if (rc < 0) {
- err = NMAS_E_FRAG_FAILURE;
- goto Cleanup;
- } else {
- err = 0;
- }
-
- /*
- * Convert the BER we just built to a berval that we'll send with the extended request.
- */
- if (ber_flatten(requestBer, requestBV) == LBER_ERROR) {
- err = NMAS_E_FRAG_FAILURE;
- goto Cleanup;
- }
- Cleanup:
-
- if (requestBer) {
- ber_free(requestBer, 1);
- }
- return err;
-} /* End of berEncodePasswordData */
-
-/* ------------------------------------------------------------------------
- * berDecodeLoginData()
- * ==============================
- * ResponseBer contents:
- * serverVersion INTEGER
- * error INTEGER
- * data OCTET STRING
- *
- * Description:
- * This function takes the reply BER Value and decodes the
- * NMAS server version and return code and if a non null retData
- * buffer was supplied, tries to decode the the return data and length
- *
- * ------------------------------------------------------------------------ */
-int
-berDecodeLoginData(
- struct berval *replyBV,
- int *serverVersion,
- size_t * retDataLen,
- void *retData)
+ err = (ber_printf(requestBer, "{io", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize) < 0) ? LDAP_ENCODING_ERROR : 0;
+
+ /* BER encode the MethodID Length and value */
+ if (!err)
+ {
+ err = (ber_printf(requestBer, "{i{", methodIDLen) < 0) ? LDAP_ENCODING_ERROR : 0;
+ }
+
+ for (i = 0; !err && i < elemCnt; i++)
+ {
+ err = (ber_printf(requestBer, "i", methodID[i]) < 0) ? LDAP_ENCODING_ERROR : 0;
+ }
+
+ if (!err)
+ {
+ err = (ber_printf(requestBer, "}}", 0) < 0) ? LDAP_ENCODING_ERROR : 0;
+ }
+
+ if(putData)
+ {
+ /* BER Encode the the tag and data */
+ err = (ber_printf(requestBer, "oio}", utf8TagPtr, utf8TagSize, putDataLen, putData, putDataLen) < 0) ? LDAP_ENCODING_ERROR : 0;
+ }
+ else
+ {
+ /* BER Encode the the tag */
+ err = (ber_printf(requestBer, "o}", utf8TagPtr, utf8TagSize) < 0) ? LDAP_ENCODING_ERROR : 0;
+ }
+
+ if (err)
+ {
+ goto Cleanup;
+ }
+
+ /* Convert the BER we just built to a berval that we'll send with the extended request. */
+ if(ber_flatten(requestBer, requestBV) == LBER_ERROR)
+ {
+ err = LDAP_ENCODING_ERROR;
+ goto Cleanup;
+ }
+
+Cleanup:
+
+ if(requestBer)
+ {
+ ber_free(requestBer, 1);
+ }
+
+ return err;
+}
+
+/**********************************************************************
+ Takes the reply BER Value and decodes the NMAS server version and
+ return code and if a non null retData buffer was supplied, tries to
+ decode the the return data and length
+**********************************************************************/
+
+static int berDecodeLoginData(
+ struct berval *replyBV,
+ int *serverVersion,
+ size_t *retDataLen,
+ void *retData )
{
- int rc = 0, err = 0;
- BerElement *replyBer = NULL;
- char *retOctStr = NULL;
- size_t retOctStrLen = 0;
-
- if ((replyBer = ber_init(replyBV)) == NULL) {
- err = NMAS_E_SYSTEM_RESOURCES;
- goto Cleanup;
- }
- if (retData) {
- retOctStrLen = *retDataLen + 1;
- retOctStr = (char *) malloc(retOctStrLen);
- if (!retOctStr) {
- err = NMAS_E_SYSTEM_RESOURCES;
- goto Cleanup;
- }
- if ((rc = ber_scanf(replyBer, "{iis}", serverVersion, &err, retOctStr, &retOctStrLen)) != -1) {
- if (*retDataLen >= retOctStrLen) {
- memcpy(retData, retOctStr, retOctStrLen);
- } else if (!err) {
- err = NMAS_E_BUFFER_OVERFLOW;
- }
- *retDataLen = retOctStrLen;
- } else if (!err) {
- err = NMAS_E_FRAG_FAILURE;
- }
- } else {
- if ((rc = ber_scanf(replyBer, "{ii}", serverVersion, &err)) == -1) {
- if (!err) {
- err = NMAS_E_FRAG_FAILURE;
- }
- }
- }
-
- Cleanup:
-
- if (replyBer) {
- ber_free(replyBer, 1);
- }
- if (retOctStr != NULL) {
- memset(retOctStr, 0, retOctStrLen);
- free(retOctStr);
- }
- return err;
-} /* End of berDecodeLoginData */
-
-/* -----------------------------------------------------------------------
- * nmasldap_get_password()
- * ==============================
- *
- * Description:
- * This API attempts to get the universal password
- *
- * ------------------------------------------------------------------------ */
-int
-nmasldap_get_password(
- LDAP * ld,
- char *objectDN,
- size_t * pwdSize, // in bytes
- char *pwd)
+ int err = 0;
+ BerElement *replyBer = NULL;
+ char *retOctStr = NULL;
+ size_t retOctStrLen = 0;
+
+ if((replyBer = ber_init(replyBV)) == NULL)
+ {
+ err = LDAP_OPERATIONS_ERROR;
+ goto Cleanup;
+ }
+
+ if(retData)
+ {
+ retOctStrLen = *retDataLen + 1;
+ retOctStr = SMB_MALLOC_ARRAY(char, retOctStrLen);
+ if(!retOctStr)
+ {
+ err = LDAP_OPERATIONS_ERROR;
+ goto Cleanup;
+ }
+
+ if(ber_scanf(replyBer, "{iis}", serverVersion, &err, retOctStr, &retOctStrLen) != -1)
+ {
+ if (*retDataLen >= retOctStrLen)
+ {
+ memcpy(retData, retOctStr, retOctStrLen);
+ }
+ else if (!err)
+ {
+ err = LDAP_NO_MEMORY;
+ }
+
+ *retDataLen = retOctStrLen;
+ }
+ else if (!err)
+ {
+ err = LDAP_DECODING_ERROR;
+ }
+ }
+ else
+ {
+ if(ber_scanf(replyBer, "{ii}", serverVersion, &err) == -1)
+ {
+ if (!err)
+ {
+ err = LDAP_DECODING_ERROR;
+ }
+ }
+ }
+
+Cleanup:
+
+ if(replyBer)
+ {
+ ber_free(replyBer, 1);
+ }
+
+ if (retOctStr != NULL)
+ {
+ memset(retOctStr, 0, retOctStrLen);
+ free(retOctStr);
+ }
+
+ return err;
+}
+
+/**********************************************************************
+ Retrieves data in the login configuration of the specified object
+ that is tagged with the specified methodID and tag.
+**********************************************************************/
+
+static int getLoginConfig(
+ LDAP *ld,
+ char *objectDN,
+ unsigned int methodIDLen,
+ unsigned int *methodID,
+ char *tag,
+ size_t *dataLen,
+ void *data )
{
- int err = 0;
+ int err = 0;
+ struct berval *requestBV = NULL;
+ char *replyOID = NULL;
+ struct berval *replyBV = NULL;
+ int serverVersion = 0;
+
+ /* Validate unicode parameters. */
+ if((strlen(objectDN) == 0) || ld == NULL)
+ {
+ return LDAP_NO_SUCH_ATTRIBUTE;
+ }
- struct berval *requestBV = NULL;
- char *replyOID = NULL;
- struct berval *replyBV = NULL;
- int serverVersion;
- char *pwdBuf;
- size_t pwdBufLen, bufferLen;
+ err = berEncodeLoginData(&requestBV, objectDN, methodIDLen, methodID, tag, 0, NULL);
+ if(err)
+ {
+ goto Cleanup;
+ }
-#ifdef NOT_N_PLAT_NLM
- int currentThreadGroupID;
-#endif
+ /* Call the ldap_extended_operation (synchronously) */
+ if((err = ldap_extended_operation_s(ld, NMASLDAP_GET_LOGIN_CONFIG_REQUEST,
+ requestBV, NULL, NULL, &replyOID, &replyBV)))
+ {
+ goto Cleanup;
+ }
- /* Validate char parameters. */
- if (objectDN == NULL || (strlen(objectDN) == 0) || pwdSize == NULL || ld == NULL) {
- return NMAS_E_INVALID_PARAMETER;
- }
- bufferLen = pwdBufLen = *pwdSize;
- pwdBuf = (char *) malloc(pwdBufLen + 2);
- if (pwdBuf == NULL) {
- return NMAS_E_INSUFFICIENT_MEMORY;
- }
-#ifdef NOT_N_PLAT_NLM
- currentThreadGroupID = SetThreadGroupID(nmasLDAPThreadGroupID);
-#endif
+ /* Make sure there is a return OID */
+ if(!replyOID)
+ {
+ err = LDAP_NOT_SUPPORTED;
+ goto Cleanup;
+ }
- err = berEncodePasswordData(&requestBV, objectDN, NULL, NULL);
- if (err) {
- goto Cleanup;
- }
- /* Call the ldap_extended_operation (synchronously) */
- if ((err = ldap_extended_operation_s(ld, NMASLDAP_GET_PASSWORD_REQUEST, requestBV, NULL, NULL, &replyOID, &replyBV))) {
- goto Cleanup;
- }
- /* Make sure there is a return OID */
- if (!replyOID) {
- err = NMAS_E_NOT_SUPPORTED;
- goto Cleanup;
- }
- /* Is this what we were expecting to get back. */
- if (strcmp(replyOID, NMASLDAP_GET_PASSWORD_RESPONSE)) {
- err = NMAS_E_NOT_SUPPORTED;
- goto Cleanup;
- }
- /* Do we have a good returned berval? */
- if (!replyBV) {
- /*
- * No; returned berval means we experienced a rather drastic error.
- * Return operations error.
- */
- err = NMAS_E_SYSTEM_RESOURCES;
- goto Cleanup;
- }
- err = berDecodeLoginData(replyBV, &serverVersion, &pwdBufLen, pwdBuf);
-
- if (serverVersion != NMAS_LDAP_EXT_VERSION) {
- err = NMAS_E_INVALID_VERSION;
- goto Cleanup;
- }
- if (!err && pwdBufLen != 0) {
- if (*pwdSize >= pwdBufLen + 1 && pwd != NULL) {
- memcpy(pwd, pwdBuf, pwdBufLen);
- pwd[pwdBufLen] = 0; /* add null termination */
- }
- *pwdSize = pwdBufLen; /* does not include null termination */
- }
- Cleanup:
-
- if (replyBV) {
- ber_bvfree(replyBV);
- }
- /* Free the return OID string if one was returned. */
- if (replyOID) {
- ldap_memfree(replyOID);
- }
- /* Free memory allocated while building the request ber and berval. */
- if (requestBV) {
- ber_bvfree(requestBV);
- }
- if (pwdBuf != NULL) {
- memset(pwdBuf, 0, bufferLen);
- free(pwdBuf);
- }
-#ifdef NOT_N_PLAT_NLM
- SetThreadGroupID(currentThreadGroupID);
-#endif
+ /* Is this what we were expecting to get back. */
+ if(strcmp(replyOID, NMASLDAP_GET_LOGIN_CONFIG_RESPONSE))
+ {
+ err = LDAP_NOT_SUPPORTED;
+ goto Cleanup;
+ }
+
+ /* Do we have a good returned berval? */
+ if(!replyBV)
+ {
+ /* No; returned berval means we experienced a rather drastic error. */
+ /* Return operations error. */
+ err = LDAP_OPERATIONS_ERROR;
+ goto Cleanup;
+ }
+
+ err = berDecodeLoginData(replyBV, &serverVersion, dataLen, data);
+
+ if(serverVersion != NMAS_LDAP_EXT_VERSION)
+ {
+ err = LDAP_OPERATIONS_ERROR;
+ goto Cleanup;
+ }
+
+Cleanup:
+
+ if(replyBV)
+ {
+ ber_bvfree(replyBV);
+ }
+
+ /* Free the return OID string if one was returned. */
+ if(replyOID)
+ {
+ ldap_memfree(replyOID);
+ }
+
+ /* Free memory allocated while building the request ber and berval. */
+ if(requestBV)
+ {
+ ber_bvfree(requestBV);
+ }
+
+ /* Return the appropriate error/success code. */
+ return err;
+}
+
+/**********************************************************************
+ Attempts to get the Simple Password
+**********************************************************************/
+
+static int nmasldap_get_simple_pwd(
+ LDAP *ld,
+ char *objectDN,
+ size_t pwdLen,
+ char *pwd )
+{
+ int err = 0;
+ unsigned int methodID = 0;
+ unsigned int methodIDLen = sizeof(methodID);
+ char tag[] = {'P','A','S','S','W','O','R','D',' ','H','A','S','H',0};
+ char *pwdBuf=NULL;
+ size_t pwdBufLen, bufferLen;
+
+ bufferLen = pwdBufLen = pwdLen+2;
+ pwdBuf = SMB_MALLOC_ARRAY(char, pwdBufLen); /* digest and null */
+ if(pwdBuf == NULL)
+ {
+ return LDAP_NO_MEMORY;
+ }
+
+ err = getLoginConfig(ld, objectDN, methodIDLen, &methodID, tag, &pwdBufLen, pwdBuf);
+ if (err == 0)
+ {
+ if (pwdBufLen !=0)
+ {
+ pwdBuf[pwdBufLen] = 0; /* null terminate */
+
+ switch (pwdBuf[0])
+ {
+ case 1: /* cleartext password */
+ break;
+ case 2: /* SHA1 HASH */
+ case 3: /* MD5_ID */
+ case 4: /* UNIXCrypt_ID */
+ case 8: /* SSHA_ID */
+ default: /* Unknown digest */
+ err = LDAP_INAPPROPRIATE_AUTH; /* only return clear text */
+ break;
+ }
+
+ if (!err)
+ {
+ if (pwdLen >= pwdBufLen-1)
+ {
+ memcpy(pwd, &pwdBuf[1], pwdBufLen-1); /* skip digest tag and include null */
+ }
+ else
+ {
+ err = LDAP_NO_MEMORY;
+ }
+ }
+ }
+ }
+
+ if (pwdBuf != NULL)
+ {
+ memset(pwdBuf, 0, bufferLen);
+ free(pwdBuf);
+ }
+
+ return err;
+}
+
+
+/**********************************************************************
+ Attempts to get the Universal Password
+**********************************************************************/
+
+static int nmasldap_get_password(
+ LDAP *ld,
+ char *objectDN,
+ size_t *pwdSize, /* in bytes */
+ unsigned char *pwd )
+{
+ int err = 0;
+
+ struct berval *requestBV = NULL;
+ char *replyOID = NULL;
+ struct berval *replyBV = NULL;
+ int serverVersion;
+ char *pwdBuf;
+ size_t pwdBufLen, bufferLen;
+
+ /* Validate char parameters. */
+ if(objectDN == NULL || (strlen(objectDN) == 0) || pwdSize == NULL || ld == NULL)
+ {
+ return LDAP_NO_SUCH_ATTRIBUTE;
+ }
+
+ bufferLen = pwdBufLen = *pwdSize;
+ pwdBuf = SMB_MALLOC_ARRAY(char, pwdBufLen+2);
+ if(pwdBuf == NULL)
+ {
+ return LDAP_NO_MEMORY;
+ }
+
+ err = berEncodePasswordData(&requestBV, objectDN, NULL, NULL);
+ if(err)
+ {
+ goto Cleanup;
+ }
+
+ /* Call the ldap_extended_operation (synchronously) */
+ if((err = ldap_extended_operation_s(ld, NMASLDAP_GET_PASSWORD_REQUEST, requestBV, NULL, NULL, &replyOID, &replyBV)))
+ {
+ goto Cleanup;
+ }
+
+ /* Make sure there is a return OID */
+ if(!replyOID)
+ {
+ err = LDAP_NOT_SUPPORTED;
+ goto Cleanup;
+ }
+
+ /* Is this what we were expecting to get back. */
+ if(strcmp(replyOID, NMASLDAP_GET_PASSWORD_RESPONSE))
+ {
+ err = LDAP_NOT_SUPPORTED;
+ goto Cleanup;
+ }
+
+ /* Do we have a good returned berval? */
+ if(!replyBV)
+ {
+ /* No; returned berval means we experienced a rather drastic error. */
+ /* Return operations error. */
+ err = LDAP_OPERATIONS_ERROR;
+ goto Cleanup;
+ }
+
+ err = berDecodeLoginData(replyBV, &serverVersion, &pwdBufLen, pwdBuf);
+
+ if(serverVersion != NMAS_LDAP_EXT_VERSION)
+ {
+ err = LDAP_OPERATIONS_ERROR;
+ goto Cleanup;
+ }
+
+ if (!err && pwdBufLen != 0)
+ {
+ if (*pwdSize >= pwdBufLen+1 && pwd != NULL)
+ {
+ memcpy(pwd, pwdBuf, pwdBufLen);
+ pwd[pwdBufLen] = 0; /* add null termination */
+ }
+ *pwdSize = pwdBufLen; /* does not include null termination */
+ }
+
+Cleanup:
+
+ if(replyBV)
+ {
+ ber_bvfree(replyBV);
+ }
+
+ /* Free the return OID string if one was returned. */
+ if(replyOID)
+ {
+ ldap_memfree(replyOID);
+ }
+
+ /* Free memory allocated while building the request ber and berval. */
+ if(requestBV)
+ {
+ ber_bvfree(requestBV);
+ }
+
+ if (pwdBuf != NULL)
+ {
+ memset(pwdBuf, 0, bufferLen);
+ free(pwdBuf);
+ }
+
+ /* Return the appropriate error/success code. */
+ return err;
+}
+
+/**********************************************************************
+ Get the user's password from NDS.
+ *********************************************************************/
+
+int nds_get_password(
+ LDAP *ld,
+ char *object_dn,
+ size_t *pwd_len,
+ char *pwd )
+{
+ int rc = -1;
+
+ rc = nmasldap_get_password(ld, object_dn, pwd_len, (unsigned char *)pwd);
+ if (rc == LDAP_SUCCESS) {
+#ifdef DEBUG_PASSWORD
+ DEBUG(100,("nmasldap_get_password returned %s for %s\n", pwd, object_dn));
+#endif
+ DEBUG(5, ("NDS Universal Password retrieved for %s\n", object_dn));
+ } else {
+ DEBUG(3, ("NDS Universal Password NOT retrieved for %s\n", object_dn));
+ }
+
+ if (rc != LDAP_SUCCESS) {
+ rc = nmasldap_get_simple_pwd(ld, object_dn, *pwd_len, pwd);
+ if (rc == LDAP_SUCCESS) {
+#ifdef DEBUG_PASSWORD
+ DEBUG(100,("nmasldap_get_simple_pwd returned %s for %s\n", pwd, object_dn));
+#endif
+ DEBUG(5, ("NDS Simple Password retrieved for %s\n", object_dn));
+ } else {
+ /* We couldn't get the password */
+ DEBUG(3, ("NDS Simple Password NOT retrieved for %s\n", object_dn));
+ return LDAP_INVALID_CREDENTIALS;
+ }
+ }
+
+ /* We got the password */
+ return LDAP_SUCCESS;
+}
- /* Return the appropriate error/success code. */
- return err;
-} /* end of nmasldap_get_password */
#include <stdlib.h>
#include <ctype.h>
-#ifdef _SQUID_MSWIN_ /* Native Windows port and MinGW */
+#ifdef _SQUID_MSWIN_ /* Native Windows port and MinGW */
#define snprintf _snprintf
#include <windows.h>
#define LDAP_OPT_X_TLS 0x6000
#endif
/* Some tricks to allow dynamic bind with ldap_start_tls_s entry point at
- run time.
+ * run time.
*/
#undef ldap_start_tls_s
#if LDAP_UNICODE
#define LDAP_START_TLS_S "ldap_start_tls_sW"
-typedef WINLDAPAPI ULONG (LDAPAPI * PFldap_start_tls_s) (IN PLDAP, OUT PULONG, OUT LDAPMessage **, IN PLDAPControlW *, IN PLDAPControlW *);
+typedef WINLDAPAPI ULONG(LDAPAPI * PFldap_start_tls_s) (IN PLDAP, OUT PULONG, OUT LDAPMessage **, IN PLDAPControlW *, IN PLDAPControlW *);
#else
#define LDAP_START_TLS_S "ldap_start_tls_sA"
-typedef WINLDAPAPI ULONG (LDAPAPI * PFldap_start_tls_s) (IN PLDAP, OUT PULONG, OUT LDAPMessage **, IN PLDAPControlA *, IN PLDAPControlA *);
+typedef WINLDAPAPI ULONG(LDAPAPI * PFldap_start_tls_s) (IN PLDAP, OUT PULONG, OUT LDAPMessage **, IN PLDAPControlA *, IN PLDAPControlA *);
#endif /* LDAP_UNICODE */
PFldap_start_tls_s Win32_ldap_start_tls_s;
#define ldap_start_tls_s(l,s,c) Win32_ldap_start_tls_s(l,NULL,NULL,s,c)
#endif
#if defined(LDAP_API_VERSION) && LDAP_API_VERSION > 1823
-static int
+static int
squid_ldap_errno(LDAP * ld)
{
int err = 0;
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err);
return err;
}
-static void
+static void
squid_ldap_set_aliasderef(LDAP * ld, int deref)
{
ldap_set_option(ld, LDAP_OPT_DEREF, &deref);
}
-static void
+static void
squid_ldap_set_referrals(LDAP * ld, int referrals)
{
int *value = referrals ? LDAP_OPT_ON : LDAP_OPT_OFF;
ldap_set_option(ld, LDAP_OPT_REFERRALS, value);
}
static void
-squid_ldap_set_timelimit(LDAP *ld, int timelimit)
+squid_ldap_set_timelimit(LDAP * ld, int timelimit)
{
ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &timelimit);
}
static void
-squid_ldap_set_connect_timeout(LDAP *ld, int timelimit)
+squid_ldap_set_connect_timeout(LDAP * ld, int timelimit)
{
#if defined(LDAP_OPT_NETWORK_TIMEOUT)
struct timeval tv;
ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timelimit);
#endif
}
-static void
+static void
squid_ldap_memfree(char *p)
{
ldap_memfree(p);
}
+
#else
-static int
+static int
squid_ldap_errno(LDAP * ld)
{
return ld->ld_errno;
}
-static void
+static void
squid_ldap_set_aliasderef(LDAP * ld, int deref)
{
ld->ld_deref = deref;
}
-static void
+static void
squid_ldap_set_referrals(LDAP * ld, int referrals)
{
if (referrals)
ld->ld_options &= ~LDAP_OPT_REFERRALS;
}
static void
-squid_ldap_set_timelimit(LDAP *ld, int timelimit)
+squid_ldap_set_timelimit(LDAP * ld, int timelimit)
{
ld->ld_timelimit = timelimit;
}
static void
-squid_ldap_set_connect_timeout(LDAP *ld, int timelimit)
+squid_ldap_set_connect_timeout(LDAP * ld, int timelimit)
{
fprintf(stderr, "Connect timeouts not supported in your LDAP library\n");
}
-static void
+static void
squid_ldap_memfree(char *p)
{
free(p);
}
+
#endif
#ifdef LDAP_API_FEATURE_X_OPENLDAP
- #if LDAP_VENDOR_VERSION > 194
- #define HAS_URI_SUPPORT 1
- #endif
+#if LDAP_VENDOR_VERSION > 194
+#define HAS_URI_SUPPORT 1
+#endif
#endif
int
int port = LDAP_PORT;
int use_extension_dn = 0;
int strip_nt_domain = 0;
+ int strip_kerberos_realm = 0;
int err = 0;
setbuf(stdout, NULL);
bindpasswd = value;
break;
case 'W':
- readSecret (value);
+ readSecret(value);
break;
case 'P':
persistent = !persistent;
case 'S':
strip_nt_domain = 1;
break;
+ case 'K':
+ strip_kerberos_realm = 1;
+ break;
default:
fprintf(stderr, PROGRAM_NAME " ERROR: Unknown command line option '%c'\n", option);
exit(1);
}
if (!ldapServer)
- ldapServer = (char *)"localhost";
+ ldapServer = (char *) "localhost";
if (!basedn || !searchfilter) {
fprintf(stderr, "\n" PROGRAM_NAME " version " PROGRAM_VERSION "\n\n");
#endif
fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n");
fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n");
+ fprintf(stderr, "\t-K\t\t\tStrip Kerberos realm from usernames\n");
fprintf(stderr, "\n");
fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
exit(1);
}
-
/* On Windows ldap_start_tls_s is available starting from Windows XP,
- so we need to bind at run-time with the function entry point
+ * so we need to bind at run-time with the function entry point
*/
#ifdef _SQUID_MSWIN_
if (use_tls) {
- HMODULE WLDAP32Handle;
+ HMODULE WLDAP32Handle;
WLDAP32Handle = GetModuleHandle("wldap32");
- if ((Win32_ldap_start_tls_s = (PFldap_start_tls_s) GetProcAddress(WLDAP32Handle, LDAP_START_TLS_S)) == NULL) {
- fprintf( stderr, PROGRAM_NAME ": ERROR: TLS (-Z) not supported on this platform.\n");
+ if ((Win32_ldap_start_tls_s = (PFldap_start_tls_s) GetProcAddress(WLDAP32Handle, LDAP_START_TLS_S)) == NULL) {
+ fprintf(stderr, PROGRAM_NAME ": ERROR: TLS (-Z) not supported on this platform.\n");
exit(1);
- }
+ }
}
#endif
if (u && u[1])
user = u + 1;
}
+ if (strip_kerberos_realm) {
+ char *u = strchr(user, '@');
+ if (u != NULL) {
+ *u = '\0';
+ }
+ }
if (use_extension_dn) {
extension_dn = strtok(NULL, " \n");
if (!extension_dn) {
}
rfc1738_unescape(extension_dn);
}
-
while (!found && user && (group = strtok(NULL, " \n")) != NULL) {
rfc1738_unescape(group);
recover:
if (ld == NULL) {
#if HAS_URI_SUPPORT
- if (strstr(ldapServer, "://") != NULL) {
- rc = ldap_initialize( &ld, ldapServer );
- if( rc != LDAP_SUCCESS ) {
+ if (strstr(ldapServer, "://") != NULL) {
+ rc = ldap_initialize(&ld, ldapServer);
+ if (rc != LDAP_SUCCESS) {
fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer);
break;
}
- } else
+ } else
#endif
#if NETSCAPE_SSL
if (sslpath) {
- if ( !sslinit && (ldapssl_client_init(sslpath, NULL) != LDAP_SUCCESS)) {
+ if (!sslinit && (ldapssl_client_init(sslpath, NULL) != LDAP_SUCCESS)) {
fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n",
- sslpath);
+ sslpath);
exit(1);
} else {
sslinit++;
}
if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) {
fprintf(stderr, "\nUnable to connect to SSL LDAP server: %s port:%d\n",
- ldapServer, port);
+ ldapServer, port);
exit(1);
}
} else
#endif
if ((ld = ldap_init(ldapServer, port)) == NULL) {
- fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n",ldapServer, port);
+ fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n", ldapServer, port);
break;
}
-
if (connect_timeout)
squid_ldap_set_connect_timeout(ld, connect_timeout);
if (found)
printf("OK\n");
else {
-error:
+ error:
printf("ERR\n");
-}
+ }
if (ld != NULL) {
if (!persistent || (squid_ldap_errno(ld) != LDAP_SUCCESS && squid_ldap_errno(ld) != LDAP_INVALID_CREDENTIALS)) {
{
int n = 0;
while (size > 4 && *src) {
- switch(*src) {
+ switch (*src) {
case '*':
case '(':
case ')':
size -= 3;
if (size > 0) {
*escaped++ = '\\';
- snprintf(escaped, 3, "%02x", (unsigned char)*src++);
- escaped+=2;
+ snprintf(escaped, 3, "%02x", (unsigned char) *src++);
+ escaped += 2;
}
break;
default:
build_filter(char *filter, int size, const char *template, const char *user, const char *group)
{
int n;
- while(*template && size > 0) {
- switch(*template) {
+ while (*template && size > 0) {
+ switch (*template) {
case '%':
template++;
switch (*template) {
LDAPMessage *res = NULL;
LDAPMessage *entry;
int rc;
- char *searchattr[] = {(char *)LDAP_NO_ATTRS, NULL};
+ char *searchattr[] =
+ {(char *) LDAP_NO_ATTRS, NULL};
if (extension_dn && *extension_dn)
snprintf(searchbase, sizeof(searchbase), "%s,%s", extension_dn, basedn);
fprintf(stderr, PROGRAM_NAME " ERROR, Failed to construct LDAP search filter. filter=\"%s\", user=\"%s\", group=\"%s\"\n", filter, member, group);
return 1;
}
-
if (debug)
fprintf(stderr, "group filter '%s', searchbase '%s'\n", filter, searchbase);
}
static int
-searchLDAP(LDAP *ld, char *group, char *login, char *extension_dn)
+searchLDAP(LDAP * ld, char *group, char *login, char *extension_dn)
{
if (usersearchfilter) {
LDAPMessage *entry;
int rc;
char *userdn;
- char *searchattr[] = {(char *)LDAP_NO_ATTRS, NULL};
+ char *searchattr[] =
+ {(char *) LDAP_NO_ATTRS, NULL};
if (extension_dn && *extension_dn)
snprintf(searchbase, sizeof(searchbase), "%s,%s", extension_dn, userbasedn ? userbasedn : basedn);
else
}
-int readSecret(const char *filename)
+int
+readSecret(const char *filename)
{
- char buf[BUFSIZ];
- char *e=0;
- FILE *f;
+ char buf[BUFSIZ];
+ char *e = 0;
+ FILE *f;
- if(!(f=fopen(filename, "r"))) {
- fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename);
- return 1;
- }
-
- if( !fgets(buf, sizeof(buf)-1, f)) {
- fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename);
+ if (!(f = fopen(filename, "r"))) {
+ fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename);
+ return 1;
+ }
+ if (!fgets(buf, sizeof(buf) - 1, f)) {
+ fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename);
+ fclose(f);
+ return 1;
+ }
+ /* strip whitespaces on end */
+ if ((e = strrchr(buf, '\n')))
+ *e = 0;
+ if ((e = strrchr(buf, '\r')))
+ *e = 0;
+
+ bindpasswd = strdup(buf);
+ if (!bindpasswd) {
+ fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
+ }
fclose(f);
- return 1;
- }
- /* strip whitespaces on end */
- if((e = strrchr(buf, '\n'))) *e = 0;
- if((e = strrchr(buf, '\r'))) *e = 0;
-
- bindpasswd = strdup(buf);
- if (!bindpasswd) {
- fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
- }
-
- fclose(f);
-
- return 0;
+ return 0;
}
projects / thirdparty / squid.git / commitdiff
