From: hno <> Date: Sat, 1 Mar 2003 22:15:52 +0000 (+0000) Subject: Upgraded squid_ldap_group to 2.12 X-Git-Tag: SQUID_3_0_PRE1~302 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5eecb267fe11b52bfc7d329386c839a653afd0c6;p=thirdparty%2Fsquid.git Upgraded squid_ldap_group to 2.12 --- diff --git a/helpers/external_acl/ldap_group/ChangeLog b/helpers/external_acl/ldap_group/ChangeLog new file mode 100644 index 0000000000..f4f33d1622 --- /dev/null +++ b/helpers/external_acl/ldap_group/ChangeLog @@ -0,0 +1,168 @@ +Version 2.12 + +2003-03-01 Juerg Michel + + Added support for ldap URI via the -H option + +Version 2.11 + +2003-01-31 Henrik Nordstrom + + Packaged as a distribution, with Makefile, README + and INSTALL + + Corrected the squid.conf examples in the manpage and + some spelling in the same + + Separated the changelog/history to a separate + ChangeLog file (this file) + +2003-01-27 Henrik Nordstrom + + Cleaned up error messages shown when a nonexisting + user tries to log in + +Version 2.10 + +2003-01-07 Jon Kinred + + Fixed user search mode (-F/-u) when -g is not used + +Version 2.9 + +2003-01-03 Henrik Nordstrom + + Fixed missing string termination on ldap_escape_vale, + and corrected build problem with LDAPv2 libraries + +Version 2.8 + +2002-11-27 Henrik Nordstrom + + Replacement for ldap_build_filter. Also changed + the % codes to %u (user) and %g (group) which + is a bit more intuitive. + +2002-11-21 Gerard Eviston + + Fix ldap_search_s error management. This fixes + a core dump if there is a LDAP search filter + syntax error (possibly caused by malformed input). + +Version 2.7 + +2002-10-22: Henrik Nordstrom + + strwordtok bugfix + +Version 2.6 + +2002-09-21: Gerard Eviston + + -S option to strip NT domain names from + login names + +Version 2.5 + +2002-09-09: Henrik Nordstrom + + Added support for user DN lookups + (-u -B -F options) + +Version 2.4 + +2002-09-06: Henrik Nordstrom + + Many bugfixes in connection management + + -g option added, and added support + for multiple groups. Prior versions + only supported one group and an optional + group base RDN + +Version 2.3 + +2002-09-04: Henrik Nordstrom + + Minor cleanups + +Version 2.2 + +2002-09-04: Henrik Nordstrom + + Merged changes from squid_ldap_auth.c + - TLS support (Michael Cunningham) + - -p option to specify port + + Documented the % codes to use in -f + +Version 2.1 + +2002-08-21: Henrik Nordstrom + + Support groups or usernames having spaces + +Version 2.0 + +2002-01-22: Henrik Nordstrom + + Added optional third query argument for search RDN + +2002-01-22: Henrik Nordstrom + + Removed unused options, and fully changed name + to squid_ldap_match. + +Version 1.0 + +2001-07-17: Flavio Pescuma + + Using the main function from squid_ldap_auth + wrote squid_ldap_match. This program replaces + the %a and %v (ldapfilter.conf) from the filter + template supplied with -f with the two arguments + sent by squid. Returns OK if the ldap_search + using the composed filter succeeds. + +Changes from squid_ldap_auth.c: + +2001-12-12: Michael Cunningham + + - Added TLS support and partial ldap version 3 support. + +2001-09-05: Henrik Nordstrom + + - Added ability to specify another default LDAP port to + connect to. Persistent connections moved to -P + +2001-05-02: Henrik Nordstrom + + - Support newer OpenLDAP 2.x libraries using the + revised Internet Draft API which unfortunately + is not backwards compatible with RFC1823.. + +2001-04-15: Henrik Nordstrom + + - Added command line option for basedn + + - Added the ability to search for the user DN + +2001-04-16: Henrik Nordstrom + + - Added -D binddn -w bindpasswd. + +2001-04-17: Henrik Nordstrom + + - Added -R to disable referrals + + - Added -a to control alias dereferencing + +2001-04-17: Henrik Nordstrom + + - Added -u, DN username attribute name + +2001-04-18: Henrik Nordstrom + + - Allow full filter specifications in -f + +-- END -- diff --git a/helpers/external_acl/ldap_group/README b/helpers/external_acl/ldap_group/README new file mode 100644 index 0000000000..03ca275735 --- /dev/null +++ b/helpers/external_acl/ldap_group/README @@ -0,0 +1,10 @@ +This program is a LDAP group helper for Squid. + +See the included manpage for documentation. + + nroff -man squid_ldap_group.8 | less + +See INSTALL for installation instructions + +The latest version of this program can always be found from +MARA Systems at http://marasystems.com/download/LDAP_Group/ diff --git a/helpers/external_acl/ldap_group/squid_ldap_group.8 b/helpers/external_acl/ldap_group/squid_ldap_group.8 index 3a4408e50c..894c564179 100644 --- a/helpers/external_acl/ldap_group/squid_ldap_group.8 +++ b/helpers/external_acl/ldap_group/squid_ldap_group.8 @@ -1,17 +1,17 @@ -.TH squid_ldap_group 8 "7 September 2002" "Squid LDAP Match" +.TH squid_ldap_group 8 "1 Mars 2003" "Squid LDAP Match" . .SH NAME squid_ldap_group - Squid LDAP external acl group helper . .SH SYNOPSIS -squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...] +squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...|URI] . .SH DESCRIPTION This helper allows Squid to connect to a LDAP directory to authorize users via LDAP groups. .P The program operates by searching with a search filter based -on the users login name and requested group, and if a match +on the users user name and requested group, and if a match is found it is determined that the user belongs to the group. . .TP @@ -25,7 +25,7 @@ Specifies the base DN under which the users are located (if different) .TP .B "-g" Specifies that the first query argument sent to the helper by Squid is -a extension to the basedn and will be temporarily added infront of the +a extension to the basedn and will be temporarily added in front of the global basedn for this query. . .TP @@ -33,7 +33,7 @@ global basedn for this query. LDAP search filter used to search the LDAP directory for any matching group memberships. .BR -In the filter %u will be replaced by the user login name (or DN if +In the filter %u will be replaced by the user name (or DN if the -F or -u options are used) and %g by the requested group name. . .TP @@ -41,13 +41,13 @@ the -F or -u options are used) and %g by the requested group name. LDAP search filter used to search the LDAP directory for any matching users. .BR -In the filter %s will be replaced by the user login name. If % is to be +In the filter %s will be replaced by the user name. If % is to be included literally in the filter then use %%. . .TP .BI "-u " attr -LDAP attribute used to construct the user DN from the login name and -base dn. +LDAP attribute used to construct the user DN from the user name and +base dn without needing to search for the user. . .TP .BI "-s " base|one|sub @@ -74,8 +74,8 @@ extracts the password used from a process listing. .TP .BI -P Use a persistent LDAP connection. Normally the LDAP connection -is only open while validating a username to preserve resources -at the LDAP server. This option causes the LDAP connection to +is only open while verifying a users group membership to preserve +resources at the LDAP server. This option causes the LDAP connection to be kept open, allowing it to be reused for further user validations. Recommended for larger installations. . @@ -97,6 +97,10 @@ or only to the base object . .TP +.BI -H " ldapuri" +Specity the LDAP server to connect to by a LDAP URI +. +.TP .BI -h " ldapserver" Specify the LDAP server to connect to .TP @@ -106,7 +110,7 @@ other than the default LDAP port 389. . .TP .BI -S -Strip NT domain name component from usernames (/ or \\ separated) +Strip NT domain name component from user names (/ or \\ separated) . .SH SQUID CONFIGURATION . @@ -117,15 +121,15 @@ squid.conf. .nf external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ... .br -acl group1 ldap_group Group1 +acl group1 external ldap_group Group1 .br -acl group2 ldap_gorup Group2 +acl group2 external ldap_group Group2 .fi .ft . .SH NOTES . -When constructing search filters it is strongly recommended to test the filter +When constructing search filters it is recommended to first test the filter using ldapsearch before you attempt to use squid_ldap_group. This to verify that the filter matches what you expect. . @@ -141,7 +145,7 @@ based on prior work in squid_ldap_auth by .I Glen Newton . .SH KNOWN LIMITATIONS -Max 16 occurances of %s in the -u argument is supported. +Max 16 occurrences of %s in the -u argument is supported. . .SH QUESTIONS Any questions on usage can be sent to diff --git a/helpers/external_acl/ldap_group/squid_ldap_group.c b/helpers/external_acl/ldap_group/squid_ldap_group.c index b689472a57..116444b41f 100644 --- a/helpers/external_acl/ldap_group/squid_ldap_group.c +++ b/helpers/external_acl/ldap_group/squid_ldap_group.c @@ -13,8 +13,7 @@ * Henrik Nordstrom * MARA Systems AB, Sweden * - * With contributions from others mentioned in the change histor section - * below. + * With contributions from others mentioned in the ChangeLog file * * In part based on squid_ldap_auth by Glen Newton and Henrik Nordstrom. * @@ -32,90 +31,6 @@ * and/or modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2, * or (at your option) any later version. - * - * History: - * - * Version 2.9 - * 2003-01-03 Henrik Nordstrom - * Fixed missing string termination on ldap_escape_vale, - * and corrected build problem with LDAPv2 libraries - * Version 2.8 - * 2002-11-27 Henrik Nordstrom - * Replacement for ldap_build_filter. Also changed - * the % codes to %u (user) and %g (group) which - * is a bit more intuitive. - * 2002-11-21 Gerard Eviston - * Fix ldap_search_s error management. This fixes - * a core dump if there is a LDAP search filter - * syntax error (possibly caused by malformed input). - * Version 2.7 - * 2002-10-22: Henrik Nordstrom - * strwordtok bugfix - * Version 2.6 - * 2002-09-21: Gerard Eviston - * -S option to strip NT domain names from - * login names - * Version 2.5 - * 2002-09-09: Henrik Nordstrom - * Added support for user DN lookups - * (-u -B -F options) - * Version 2.4 - * 2002-09-06: Henrik Nordstrom - * Many bugfixes in connection management - * -g option added, and added support - * for multiple groups. Prior versions - * only supported one group and an optional - * group base RDN - * Version 2.3 - * 2002-09-04: Henrik Nordstrom - * Minor cleanups - * Version 2.2 - * 2002-09-04: Henrik Nordstrom - * Merged changes from squid_ldap_auth.c - * - TLS support (Michael Cunningham) - * - -p option to specify port - * Documented the % codes to use in -f - * Version 2.1 - * 2002-08-21: Henrik Nordstrom - * Support groups or usernames having spaces - * Version 2.0 - * 2002-01-22: Henrik Nordstrom - * Added optional third query argument for search RDN - * 2002-01-22: Henrik Nordstrom - * Removed unused options, and fully changed name - * to squid_ldap_group. - * Version 1.0 - * 2001-07-17: Flavio Pescuma - * Using the main function from squid_ldap_auth - * wrote squid_ldap_group. This program replaces - * the %a and %v (ldapfilter.conf) from the filter - * template supplied with -f with the two arguments - * sent by squid. Returns OK if the ldap_search - * using the composed filter succeeds. - * - * Changes from squid_ldap_auth.c: - * - * 2001-12-12: Michael Cunningham - * - Added TLS support and partial ldap version 3 support. - * 2001-09-05: Henrik Nordstrom - * - Added ability to specify another default LDAP port to - * connect to. Persistent connections moved to -P - * 2001-05-02: Henrik Nordstrom - * - Support newer OpenLDAP 2.x libraries using the - * revised Internet Draft API which unfortunately - * is not backwards compatible with RFC1823.. - * 2001-04-15: Henrik Nordstrom - * - Added command line option for basedn - * - Added the ability to search for the user DN - * 2001-04-16: Henrik Nordstrom - * - Added -D binddn -w bindpasswd. - * 2001-04-17: Henrik Nordstrom - * - Added -R to disable referrals - * - Added -a to control alias dereferencing - * 2001-04-17: Henrik Nordstrom - * - Added -u, DN username attribute name - * 2001-04-18: Henrik Nordstrom - * - Allow full filter specifications in -f */ #include @@ -203,6 +118,12 @@ squid_ldap_memfree(char *p) } #endif +#ifdef LDAP_API_FEATURE_X_OPENLDAP + #if LDAP_VENDOR_VERSION > 194 + #define HAS_URI_SUPPORT 1 + #endif +#endif + static char * strwordtok(char *buf, char **t) { @@ -287,6 +208,12 @@ main(int argc, char **argv) argv++; argc--; switch (option) { + case 'H': +#if !HAS_URI_SUPPORT + fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n"); + exit(1); +#endif + /* Fall thru to -h */ case 'h': if (ldapServer) { int len = strlen(ldapServer) + 1 + strlen(value) + 1; @@ -298,7 +225,6 @@ main(int argc, char **argv) ldapServer = strdup(value); } break; - case 'b': basedn = value; break; @@ -421,13 +347,18 @@ main(int argc, char **argv) fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n"); fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n"); fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n"); +#if HAS_URI_SUPPORT + fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n"); +#endif fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n"); fprintf(stderr, "\t-p port\t\t\tLDAP server port (defaults to %d)\n", LDAP_PORT); fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n"); fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n"); fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n"); - fprintf(stderr, "\t-v 1|2\t\t\tLDAP version\n"); +#ifdef LDAP_VERSION3 + fprintf(stderr, "\t-v 2|3\t\t\tLDAP version\n"); fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires\n\t\t\t\tLDAP version 3\n"); +#endif fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n"); fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n"); fprintf(stderr, "\n"); @@ -452,11 +383,20 @@ main(int argc, char **argv) recover: if (ld == NULL) { +#if HAS_URI_SUPPORT + if (strstr(ldapServer, "://") != NULL) { + rc = ldap_initialize( &ld, ldapServer ); + if( rc != LDAP_SUCCESS ) { + fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer); + break; + } + } else +#endif if ((ld = ldap_init(ldapServer, port)) == NULL) { - fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n", - ldapServer, port); + fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n",ldapServer, port); break; } + #ifdef LDAP_VERSION3 if (version == -1) { version = LDAP_VERSION2; @@ -619,7 +559,7 @@ searchLDAPGroup(LDAP * ld, char *group, char *member, char *extension_dn) } if (debug) - fprintf(stderr, "filter %s\n", filter); + fprintf(stderr, "group filter '%s', searchbase '%s'\n", filter, searchbase); rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res); if (rc != LDAP_SUCCESS) { @@ -656,10 +596,12 @@ searchLDAP(LDAP *ld, char *group, char *login, char *extension_dn) char *userdn; if (extension_dn && *extension_dn) snprintf(searchbase, sizeof(searchbase), "%s,%s", extension_dn, userbasedn ? userbasedn : basedn); + else + snprintf(searchbase, sizeof(searchbase), "%s", userbasedn ? userbasedn : basedn); ldap_escape_value(escaped_login, sizeof(escaped_login), login); snprintf(filter, sizeof(filter), usersearchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login); if (debug) - fprintf(stderr, "user filter %s\n", filter); + fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, searchbase); rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res); if (rc != LDAP_SUCCESS) { if (noreferrals && rc == LDAP_PARTIAL_RESULTS) { @@ -674,7 +616,7 @@ searchLDAP(LDAP *ld, char *group, char *login, char *extension_dn) } entry = ldap_first_entry(ld, res); if (!entry) { - fprintf(stderr, PROGRAM_NAME " WARNING, User '%s' not found\n", filter); + fprintf(stderr, PROGRAM_NAME " WARNING, User '%s' not found in '%s'\n", login, searchbase); ldap_msgfree(res); return 1; }