ldap.h
1 /**
2  * $Id: 33da9d0a84ca802c4567cb2b4b1c443c3650155c $
3  * @file ldap.h
4  * @brief LDAP authorization and authentication module headers.
5  *
6  * @author Arran Cudbard-Bell <a.cudbardb@freeradius.org>
7  * @copyright 2015 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
8  * @copyright 2013 Network RADIUS SARL<info@networkradius.com>
9  * @copyright 2013-2015 The FreeRADIUS Server Project.
10  */
11 #ifndef _RLM_LDAP_H
12 #define _RLM_LDAP_H
13 
14 #include <freeradius-devel/radiusd.h>
15 #include <freeradius-devel/modules.h>
16 
17 /*
18  * We're mostly using the new API now, but ldap_bind
19  * is in the list of deprecated functions, and we may
20  * always need to support that.
21  */
22 #define LDAP_DEPRECATED 1
23 #include <lber.h>
24 #include <ldap.h>
25 #include "config.h"
26 
27 /*
28  * Framework on OSX doesn't export the symbols but leaves
29  * the macro defined *sigh*.
30  */
31 #ifndef HAVE_LDAP_CREATE_SESSION_TRACKING_CONTROL
32 # undef LDAP_CONTROL_X_SESSION_TRACKING
33 #endif
34 
35 /*
36  * There's a typo in libldap's ldap.h which was fixed by
37  * Howard Chu in 19aeb1cd. This typo had the function defined
38  * as ldap_create_session_tracking_control but declared as
39  * ldap_create_session_tracking.
40  *
41  * We fix this, by adding the correct declaration here.
42  */
43 #ifdef LDAP_CONTROL_X_SESSION_TRACKING
44 # if !defined(HAVE_DECL_LDAP_CREATE_SESSION_TRACKING_CONTROL) || (HAVE_DECL_LDAP_CREATE_SESSION_TRACKING_CONTROL == 0)
45 LDAP_F( int )
46 ldap_create_session_tracking_control LDAP_P((
47  LDAP *ld,
48  char *sessionSourceIp,
49  char *sessionSourceName,
50  char *formatOID,
51  struct berval *sessionTrackingIdentifier,
52  LDAPControl **ctrlp ));
53 # endif
54 #endif
55 
56 /*
57  * Ensure we have the ldap_create_sort_keylist()
58  * function too, else we can't use ldap_create_sort_control()
59  */
60 #if !defined(LDAP_CREATE_SORT_KEYLIST) || !defined(LDAP_FREE_SORT_KEYLIST)
61 # undef HAVE_LDAP_CREATE_SORT_CONTROL
62 #endif
63 
64 /*
65  * Because the LTB people define LDAP_VENDOR_VERSION_PATCH
66  * as X, which precludes its use in printf statements *sigh*
67  *
68  * Identifiers that are not macros, all evaluate to 0,
69  * which is why this works.
70  */
71 #if !defined(LDAP_VENDOR_VERSION_PATCH) || LDAP_VENDOR_VERSION_PATCH == 0
72 # undef LDAP_VENDOR_VERSION_PATCH
73 # define LDAP_VENDOR_VERSION_PATCH 0
74 #endif
75 
76 /*
77  * For compatibility with other LDAP libraries
78  */
79 #if !defined(LDAP_SCOPE_BASE) && defined(LDAP_SCOPE_BASEOBJECT)
80 # define LDAP_SCOPE_BASE LDAP_SCOPE_BASEOBJECT
81 #endif
82 
83 #if !defined(LDAP_SCOPE_ONE) && defined(LDAP_SCOPE_ONELEVEL)
84 # define LDAP_SCOPE_ONE LDAP_SCOPE_ONELEVEL
85 #endif
86 
87 #if !defined(LDAP_SCOPE_SUB) && defined(LDAP_SCOPE_SUBTREE)
88 # define LDAP_SCOPE_SUB LDAP_SCOPE_SUBTREE
89 #endif
90 
91 #if !defined(LDAP_OPT_RESULT_CODE) && defined(LDAP_OPT_ERROR_NUMBER)
92 # define LDAP_OPT_RESULT_CODE LDAP_OPT_ERROR_NUMBER
93 #endif
94 
95 #ifndef LDAP_CONST
96 # define LDAP_CONST
97 #endif
98 
99 #if defined(HAVE_LDAP_URL_PARSE) && defined(HAVE_LDAP_IS_LDAP_URL) && defined(HAVE_LDAP_URL_DESC2STR)
100 # define LDAP_CAN_PARSE_URLS
101 #endif
102 
#define MOD_PREFIX			"rlm_ldap"	//!< The name of the module.

/*
 *	Compile-time bounds on the fixed-size arrays and buffers used by the
 *	module.  NOTE(review): several of these size buffers that receive xlat
 *	expanded request data; the expansion helpers in ldap.c should treat them
 *	as hard limits and report truncation rather than silently clipping —
 *	confirm there.
 */
#define LDAP_MAX_CONTROLS		10		//!< Maximum number of client/server controls.
						//!< Used to allocate static arrays of control pointers
						//!< (arrays are declared with LDAP_MAX_CONTROLS + 1 slots;
						//!< the extra slot is presumably a NULL terminator —
						//!< confirm in control.c).
#define LDAP_MAX_ATTRMAP		128		//!< Maximum number of mappings between LDAP and
						//!< FreeRADIUS attributes.
#define LDAP_MAP_RESERVED		4		//!< Number of additional items to allocate in expanded
						//!< attribute name arrays. Currently for enable attribute,
						//!< group membership attribute, valuepair attribute,
						//!< and profile attribute.

#define LDAP_MAX_CACHEABLE		64		//!< Maximum number of groups we retrieve from the server for
						//!< a given user. If more than this number are retrieved the
						//!< module returns invalid.

#define LDAP_MAX_GROUP_NAME_LEN		128		//!< Maximum length of a group name.
#define LDAP_MAX_ATTR_STR_LEN		256		//!< Maximum length of an xlat expanded LDAP attribute.
#define LDAP_MAX_FILTER_STR_LEN		1024		//!< Maximum length of an xlat expanded filter.
#define LDAP_MAX_DN_STR_LEN		1024		//!< Maximum length of an xlat expanded DN.

#define LDAP_VIRTUAL_DN_ATTR		"dn"		//!< 'Virtual' attribute which maps to the DN of the object.
124 
125 
126 typedef enum {
127  LDAP_EXT_UNSUPPORTED, //!< Unsupported extension.
128  LDAP_EXT_BINDNAME, //!< Specifies the user DN or name for an LDAP bind.
129  LDAP_EXT_BINDPW, //!< Specifies the password for an LDAP bind.
131 
133 
134 typedef struct ldap_instance rlm_ldap_t;
135 
136 typedef struct ldap_acct_section {
137  CONF_SECTION *cs; //!< Section configuration.
138 
139  char const *reference; //!< Configuration reference string.
141 
/** Static SASL bind parameters
 *
 * Holds values taken directly from configuration, with no per-request
 * expansion; this is the form used for the administrative bind
 * (see admin_sasl in the instance structure).  The per-user variant with
 * expandable templates is ldap_sasl_dynamic.
 */
typedef struct ldap_sasl {
	char const	*mech;		//!< SASL mech(s) to try.
	char const	*proxy;		//!< Identity to proxy (presumably the SASL authorization
					//!< identity — confirm in sasl.c).
	char const	*realm;		//!< Kerberos realm.
} ldap_sasl;
147 
148 typedef struct ldap_sasl_dynamic {
149  vp_tmpl_t *mech; //!< SASL mech(s) to try.
150  vp_tmpl_t *proxy; //!< Identity to proxy.
151  vp_tmpl_t *realm; //!< Kerberos realm.
153 
154 typedef struct rlm_ldap_control {
155  LDAPControl *control; //!< LDAP control.
156  bool freeit; //!< Whether the control should be freed after
157  //!< we've finished using it.
159 
/** Tracks the state of a libldap connection handle
 *
 * Wraps the raw libldap LDAP * together with the controls attached to this
 * connection and the bind/referral state that decides whether the handle can
 * be reused as-is.
 *
 * NOTE(review): once 'rebound' is set the connection is no longer
 * authenticated as the admin identity, and once 'referred' is set it no
 * longer talks to the configured server.  Presumably the pool checks these
 * before handing the connection out again (see mod_conn_release() and
 * rlm_ldap_bind()) — confirm there.
 */
typedef struct ldap_handle {
	LDAP		*handle;	//!< libldap handle.
	bool		rebound;	//!< Whether the connection has been rebound to something
					//!< other than the admin user.
	bool		referred;	//!< Whether the connection is now established to a server
					//!< other than the configured one.

	rlm_ldap_control_t	serverctrls[LDAP_MAX_CONTROLS + 1];	//!< Server controls to use for all operations with
								//!< this handle.
	rlm_ldap_control_t	clientctrls[LDAP_MAX_CONTROLS + 1];	//!< Client controls to use for all operations with
								//!< this handle.
	int			serverctrls_cnt;	//!< Number of server controls associated with the handle.
							//!< The array has one slot more than LDAP_MAX_CONTROLS;
							//!< presumably that slot is a NULL terminator, so the
							//!< count should not exceed LDAP_MAX_CONTROLS — confirm
							//!< against rlm_ldap_control_add_server().
	int			clientctrls_cnt;	//!< Number of client controls associated with the handle.

	rlm_ldap_t		*inst;			//!< rlm_ldap configuration.
} ldap_handle_t;
179 
181  CONF_SECTION *cs; //!< Main configuration section for this instance.
182  fr_connection_pool_t *pool; //!< Connection pool instance.
183 
184  char const *config_server; //!< Server set in the config.
185  char *server; //!< Initial server to bind to.
186  uint16_t port; //!< Port to use when binding to the server.
187 
188  char const *admin_identity; //!< Identity we bind as when we need to query the LDAP
189  //!< directory.
190  char const *admin_password; //!< Password used in administrative bind.
191 
192  ldap_sasl admin_sasl; //!< SASL parameters used when binding as the admin.
193 
194  char const *dereference_str; //!< When to dereference (never, searching, finding, always)
195  int dereference; //!< libldap value specifying dereferencing behaviour.
196 
197  bool chase_referrals; //!< If the LDAP server returns a referral to another server
198  //!< or point in the tree, follow it, establishing new
199  //!< connections and binding where necessary.
200  bool chase_referrals_unset; //!< If true, use the OpenLDAP defaults for chase_referrals.
201 
202  bool use_referral_credentials; //!< If true use credentials from the referral URL.
203 
204  bool rebind; //!< Controls whether we set an ldap_rebind_proc function
205  //!< and so determines if we can bind to other servers whilst
206  //!< chasing referrals. If this is false, we will still chase
207  //!< referrals on the same server, but won't bind to other
208  //!< servers.
209 
210  uint32_t ldap_debug; //!< Debug flag for the SDK.
211 
212  char const *name; //!< Instance name.
213 
214  bool expect_password; //!< True if the user_map included a mapping between an LDAP
215  //!< attribute and one of our password reference attributes.
216 
217  /*
218  * RADIUS attribute to LDAP attribute maps
219  */
220  vp_map_t *user_map; //!< Attribute map applied to users and profiles.
221 
222  /*
223  * User object attributes and filters
224  */
225  vp_tmpl_t *userobj_filter; //!< Filter to retrieve only user objects.
226  vp_tmpl_t *userobj_base_dn; //!< DN to search for users under.
227  char const *userobj_scope_str; //!< Scope (sub, one, base).
228  char const *userobj_sort_by; //!< List of attributes to sort by.
229  LDAPControl *userobj_sort_ctrl; //!< Server side sort control.
230 
231  int userobj_scope; //!< Search scope.
232 
233  char const *userobj_membership_attr; //!< Attribute that describes groups the user is a member of.
234  char const *userobj_access_attr; //!< Attribute to check to see if the user should be locked out.
235  bool access_positive; //!< If true the presence of the attribute will allow access,
236  //!< else it will deny access.
237 
238  char const *valuepair_attr; //!< Generic dynamic mapping attribute, contains a RADIUS
239  //!< attribute and value.
240 
241  ldap_sasl_dynamic user_sasl; //!< SASL parameters used when binding as the user.
242 
243  /*
244  * Group object attributes and filters
245  */
246  char const *groupobj_filter; //!< Filter to retrieve only group objects.
247  vp_tmpl_t *groupobj_base_dn; //!< DN to search for groups under.
248  char const *groupobj_scope_str; //!< Scope (sub, one, base).
249  int groupobj_scope; //!< Search scope.
250 
251  char const *groupobj_name_attr; //!< The name of the group.
252  char const *groupobj_membership_filter; //!< Filter to only retrieve groups which contain
253  //!< the user as a member.
254 
255  bool cacheable_group_name; //!< If true the server will determine complete set of group
256  //!< memberships for the current user object, and perform any
257  //!< resolution necessary to determine the names of those
258  //!< groups, then write them to the control list (LDAP-Group).
259 
260  bool cacheable_group_dn; //!< If true the server will determine complete set of group
261  //!< memberships for the current user object, and perform any
262  //!< resolution necessary to determine the DNs of those groups,
263  //!< then write them to the control list (LDAP-GroupDN).
264 
265  char const *cache_attribute; //!< Sets the attribute we use when creating and retrieving
266  //!< cached group memberships.
267 
268  fr_dict_attr_t const *cache_da; //!< The DA associated with this specific instance of the
269  //!< rlm_ldap module.
270 
271  char const *group_attribute; //!< Sets the attribute we use when comparing group
272  //!< memberships.
273 
274  fr_dict_attr_t const *group_da; //!< The DA associated with this specific instance of the
275  //!< rlm_ldap module.
276 
277  /*
278  * Dynamic clients
279  */
280  char const *clientobj_filter; //!< Filter to retrieve only client objects.
281  char const *clientobj_base_dn; //!< DN to search for clients under.
282  char const *clientobj_scope_str; //!< Scope (sub, one, base).
283  int clientobj_scope; //!< Search scope.
284 
285  bool do_clients; //!< If true, attempt to load clients on instantiation.
286 
287  /*
288  * Profiles
289  */
290  vp_tmpl_t *default_profile; //!< If this is set, we will search for a profile object
291  //!< with this name, and map any attributes it contains.
292  //!< No value should be set if profiles are not being used
293  //!< as there is an associated performance penalty.
294  char const *profile_attr; //!< Attribute that identifies profiles to apply. May appear
295  //!< in userobj or groupobj.
296  vp_tmpl_t *profile_filter; //!< Filter to retrieve only profile objects.
297 
298  /*
299  * Accounting
300  */
301  ldap_acct_section_t *postauth; //!< Modify mappings for post-auth.
302  ldap_acct_section_t *accounting; //!< Modify mappings for accounting.
303 
304  /*
305  * TLS items. We should really normalize these with the
306  * TLS code in 3.0.
307  */
308  int tls_mode;
309  bool start_tls; //!< Send the Start TLS message to the LDAP directory
310  //!< to start encrypted communications using the standard
311  //!< LDAP port.
312 
313  char const *tls_ca_file; //!< Sets the full path to a CA certificate (used to validate
314  //!< the certificate the server presents).
315 
316  char const *tls_ca_path; //!< Sets the path to a directory containing CA certificates.
317 
318  char const *tls_certificate_file; //!< Sets the path to the public certificate file we present
319  //!< to the servers.
320 
321  char const *tls_private_key_file; //!< Sets the path to the private key for our public
322  //!< certificate.
323 
324  char const *tls_random_file; //!< Path to the random file if /dev/random and /dev/urandom
325  //!< are unavailable.
326 
327  char const *tls_require_cert_str; //!< Sets requirements for validating the certificate the
328  //!< server presents.
329 
330  int tls_require_cert; //!< OpenLDAP constant representing the require cert string.
331 
332  /*
333  * Options
334  */
335 #ifdef LDAP_CONTROL_X_SESSION_TRACKING
336  bool session_tracking; //!< Whether we add session tracking controls, which help
337  //!< identify the autz or acct session the commands were
338  //!< issued for.
339 #endif
340  uint32_t res_timeout; //!< How long we wait for a result from the server.
341  uint32_t srv_timelimit; //!< How long the server should spend on a single request
342  //!< (also bounded by value on the server).
343 
344 #ifdef WITH_EDIR
345  /*
346  * eDir support
347  */
348  bool edir; //!< If true attempt to retrieve the user's cleartext password
349  //!< using the Universal Password feature of Novell eDirectory.
350  bool edir_autz; //!< If true, and we have the Universal Password, bind with it
351  //!< to perform additional authorisation checks.
352 #endif
353  /*
354  * For keep-alives.
355  */
356 #ifdef LDAP_OPT_X_KEEPALIVE_IDLE
357  uint32_t keepalive_idle; //!< Number of seconds a connections needs to remain idle
358  //!< before TCP starts sending keepalive probes.
359 #endif
360 #ifdef LDAP_OPT_X_KEEPALIVE_PROBES
361  uint32_t keepalive_probes; //!< Number of missed timeouts before the connection is
362  //!< dropped.
363 #endif
364 #ifdef LDAP_OPT_X_KEEPALIVE_INTERVAL
365  uint32_t keepalive_interval; //!< Interval between keepalive probes.
366 #endif
367 
368  LDAP *handle; //!< Hack for OpenLDAP libldap global initialisation.
369 };
370 
371 /** Result of expanding the RHS of a set of maps
372  *
373  * Used to store the array of attributes we'll be querying for.
374  */
375 typedef struct rlm_ldap_map_exp {
376  vp_map_t const *maps; //!< Head of list of maps we expanded the RHS of.
377  char const *attrs[LDAP_MAX_ATTRMAP + LDAP_MAP_RESERVED + 1]; //!< Reserve some space for access attributes
378  //!< and NULL termination.
379  TALLOC_CTX *ctx; //!< Context to allocate new attributes in.
380  int count; //!< Index on next free element.
382 
383 /** Contains a collection of values
384  *
385  */
386 typedef struct rlm_ldap_result {
387  struct berval **values; //!< libldap struct containing bv_val (char *)
388  //!< and length bv_len.
389  int count; //!< Number of values.
391 
/** Codes returned by rlm_ldap internal functions
 *
 * A positive value means the operation is still in progress, zero is
 * success, and each negative value is a distinct failure.  Callers should
 * branch on the specific code rather than only testing for < 0: of the
 * failures, only LDAP_PROC_RETRY indicates the operation may be repeated
 * (on a new connection).
 */
typedef enum {
	LDAP_PROC_CONTINUE = 1,		//!< Operation is in progress.
	LDAP_PROC_SUCCESS = 0,		//!< Operation was successful.

	LDAP_PROC_ERROR	= -1,		//!< Unrecoverable library/server error.

	LDAP_PROC_RETRY	= -2,		//!< Transitory error, caller should retry the operation
					//!< with a new connection.

	LDAP_PROC_NOT_PERMITTED = -3,	//!< Operation was not permitted, either current user was
					//!< locked out in the case of binds, or has insufficient
					//!< access.

	LDAP_PROC_REJECT = -4,		//!< Bind failed, user was rejected.

	LDAP_PROC_BAD_DN = -5,		//!< Specified an invalid object in a bind or search DN.

	LDAP_PROC_NO_RESULT = -6	//!< Got no results.
} ldap_rcode_t;
414 
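/*
 *	Some functions may be called with a NULL request structure, this
 *	simplifies switching certain messages from the request log to
 *	the main log.
 *
 *	Every macro here expands to exactly one statement, so each can be
 *	used as the body of an un-braced if/else.  The _REQ variants write to
 *	the request log when 'request' is non-NULL and fall back to the
 *	module's global log otherwise.  'inst' (for inst->name) must be in
 *	scope wherever these are used.
 */
#define LDAP_INFO(fmt, ...) INFO("rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__)
#define LDAP_WARN(fmt, ...) WARN("rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__)

#define LDAP_DBGW(fmt, ...) radlog(L_DBG_WARN, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__)
#define LDAP_DBGW_REQ(fmt, ...) do { if (request) {RWDEBUG(fmt, ##__VA_ARGS__);} else {LDAP_DBGW(fmt, ##__VA_ARGS__);}} while (0)

#define LDAP_DBG(fmt, ...) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__)
#define LDAP_DBG_REQ(fmt, ...) do { if (request) {RDEBUG(fmt, ##__VA_ARGS__);} else {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0)

/*
 *	The level-gated variants are wrapped in do { } while (0) so that a
 *	bare 'if (x) LDAP_DBG2(...); else ...' attaches the else to the
 *	caller's if, not to the hidden debug-level test.
 */
#define LDAP_DBG2(fmt, ...) do { if (rad_debug_lvl >= L_DBG_LVL_2) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__); } while (0)
#define LDAP_DBG_REQ2(fmt, ...) do { if (request) {RDEBUG2(fmt, ##__VA_ARGS__);} else if (rad_debug_lvl >= L_DBG_LVL_2) {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0)

#define LDAP_DBG3(fmt, ...) do { if (rad_debug_lvl >= L_DBG_LVL_3) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__); } while (0)
#define LDAP_DBG_REQ3(fmt, ...) do { if (request) {RDEBUG3(fmt, ##__VA_ARGS__);} else if (rad_debug_lvl >= L_DBG_LVL_3) {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0)

#define LDAP_ERR(fmt, ...) ERROR("rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__)
#define LDAP_ERR_REQ(fmt, ...) do { if (request) {REDEBUG(fmt, ##__VA_ARGS__);} else {LDAP_ERR(fmt, ##__VA_ARGS__);}} while (0)

/*
 *	Log the additional diagnostic string in 'extra' (the value
 *	rlm_ldap_result() hands back), if there is one.  'extra' is data that
 *	originates from the server response, not a format string, so it is
 *	always passed through "%s" — a '%' sequence in the message must never
 *	reach the formatter.  LDAP_EXT() previously passed 'extra' in the
 *	format position (which also cannot compile, as LDAP_ERR concatenates
 *	it with a string literal); it now matches LDAP_EXT_REQ().
 */
#define LDAP_EXT() do { if (extra) LDAP_ERR("%s", extra); } while (0)
#define LDAP_EXT_REQ() do { if (extra) { if (request) REDEBUG("%s", extra); else LDAP_ERR("%s", extra); }} while (0)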
440 
441 extern FR_NAME_NUMBER const ldap_scope[];
443 
444 /*
445  * ldap.c - Wrappers around OpenLDAP functions.
446  */
447 size_t rlm_ldap_escape_func(UNUSED REQUEST *request, char *out, size_t outlen, char const *in, UNUSED void *arg);
448 
449 size_t rlm_ldap_unescape_func(UNUSED REQUEST *request, char *out, size_t outlen, char const *in, UNUSED void *arg);
450 
451 bool rlm_ldap_is_dn(char const *in, size_t inlen);
452 
453 size_t rlm_ldap_normalise_dn(char *out, char const *in);
454 
455 ssize_t rlm_ldap_xlat_filter(REQUEST *request, char const **sub, size_t sublen, char *out, size_t outlen);
456 
457 ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn,
458  char const *password, ldap_sasl *sasl, bool retry,
459  LDAPControl **serverctrls, LDAPControl **clientctrls);
460 
461 char const *rlm_ldap_error_str(ldap_handle_t const *conn);
462 
463 ldap_rcode_t rlm_ldap_search(LDAPMessage **result, rlm_ldap_t const *inst, REQUEST *request,
464  ldap_handle_t **pconn,
465  char const *dn, int scope, char const *filter, char const * const *attrs,
466  LDAPControl **serverctrls, LDAPControl **clientctrls);
467 
469  char const *dn, LDAPMod *mods[],
470  LDAPControl **serverctrls, LDAPControl **clientctrls);
471 
472 char const *rlm_ldap_find_user(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn,
473  char const *attrs[], bool force, LDAPMessage **result, rlm_rcode_t *rcode);
474 
476  LDAPMessage *entry);
477 
478 void rlm_ldap_check_reply(rlm_ldap_t const *inst, REQUEST *request);
479 
480 /*
481  * ldap.c - Callbacks for the connection pool API.
482  */
483 ldap_rcode_t rlm_ldap_result(rlm_ldap_t const *inst, ldap_handle_t const *conn, int msgid, char const *dn,
484  LDAPMessage **result, char const **error, char **extra);
485 
486 char *rlm_ldap_berval_to_string(TALLOC_CTX *ctx, struct berval const *in);
487 
488 void *mod_conn_create(TALLOC_CTX *ctx, void *instance, struct timeval const *timeout);
489 
491 
492 void mod_conn_release(rlm_ldap_t const *inst, ldap_handle_t *conn);
493 
494 /*
495  * groups.c - Group membership functions.
496  */
498  LDAPMessage *entry, char const *attr);
499 
501 
503  VALUE_PAIR *check);
504 
506  char const *dn, VALUE_PAIR *check);
507 
509 
510 /*
511  * attrmap.c - Attribute mapping code.
512  */
513 int rlm_ldap_map_getvalue(TALLOC_CTX *ctx, VALUE_PAIR **out, REQUEST *request, vp_map_t const *map, void *uctx);
514 
515 int rlm_ldap_map_verify(vp_map_t *map, void *instance);
516 
517 int rlm_ldap_map_expand(rlm_ldap_map_exp_t *expanded, REQUEST *request, vp_map_t const *maps);
518 
519 int rlm_ldap_map_do(rlm_ldap_t const *inst, REQUEST *request, LDAP *handle,
520  rlm_ldap_map_exp_t const *expanded, LDAPMessage *entry);
521 
522 /*
523  * clients.c - Dynamic clients (bulk load).
524  */
526 
527 /*
528  * control.c - Connection based client/server controls
529  */
530 void rlm_ldap_control_merge(LDAPControl *serverctrls_out[],
531  LDAPControl *clientctrls_out[],
532  size_t serverctrls_len,
533  size_t clientctrls_len,
534  ldap_handle_t *conn,
535  LDAPControl *serverctrls_in[],
536  LDAPControl *clientctrls_in[]);
537 
538 int rlm_ldap_control_add_server(ldap_handle_t *conn, LDAPControl *ctrl, bool freeit);
539 
540 int rlm_ldap_control_add_client(ldap_handle_t *conn, LDAPControl *ctrl, bool freeit);
541 
543 
545 
546 /*
547  * edir.c - Magic extensions for Novell
548  */
549 int nmasldap_get_password(LDAP *ld, char const *dn, char *password, size_t *len);
550 
551 char const *edir_errstr(int code);
552 
553 /*
554  * sasl.c - SASL bind functions
555  */
557  ldap_handle_t *pconn, char const *dn,
558  char const *password, ldap_sasl *sasl,
559  LDAPControl **serverctrls, LDAPControl **clientctrls,
560  char const **error, char **error_extra);
561 #endif
char const * cache_attribute
Sets the attribute we use when creating and retrieving cached group memberships.
Definition: ldap.h:265
Tracks the state of a libldap connection handle.
Definition: ldap.h:163
ldap_rcode_t rlm_ldap_sasl_interactive(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t *pconn, char const *dn, char const *password, ldap_sasl *sasl, LDAPControl **serverctrls, LDAPControl **clientctrls, char const **error, char **error_extra)
Initiate an LDAP interactive bind.
Definition: sasl.c:105
Operation was successful.
Definition: ldap.h:397
rlm_rcode_t rlm_ldap_check_access(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t const *conn, LDAPMessage *entry)
Check for presence of access attribute in result.
Definition: ldap.c:1327
rlm_ldap_control_t serverctrls[LDAP_MAX_CONTROLS+1]
Server controls to use for all operations with this handle.
Definition: ldap.h:170
size_t rlm_ldap_unescape_func(UNUSED REQUEST *request, char *out, size_t outlen, char const *in, UNUSED void *arg)
Converts escaped DNs and filter strings into normal.
Definition: ldap.c:121
struct ldap_sasl ldap_sasl
struct ldap_handle ldap_handle_t
Tracks the state of a libldap connection handle.
rlm_rcode_t rlm_ldap_cacheable_userobj(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, LDAPMessage *entry, char const *attr)
Convert group membership information into attributes.
Definition: groups.c:267
char const * userobj_access_attr
Attribute to check to see if the user should be locked out.
Definition: ldap.h:234
Dictionary attribute.
Definition: dict.h:77
int rlm_ldap_control_add_session_tracking(ldap_handle_t *conn, REQUEST *request)
char const * clientobj_base_dn
DN to search for clients under.
Definition: ldap.h:281
fr_connection_pool_t * pool
Connection pool instance.
Definition: ldap.h:182
vp_tmpl_t * groupobj_base_dn
DN to search for users under.
Definition: ldap.h:247
fr_dict_attr_t const * group_da
The DA associated with this specific instance of the.
Definition: ldap.h:274
rlm_rcode_t rlm_ldap_check_userobj_dynamic(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, VALUE_PAIR *check)
Query the LDAP directory to check if a user object is a member of a group.
Definition: groups.c:632
uint32_t res_timeout
How long we wait for a result from the server.
Definition: ldap.h:340
LDAPControl * control
LDAP control.
Definition: ldap.h:155
uint32_t srv_timelimit
How long the server should spend on a single request (also bounded by value on the server)...
Definition: ldap.h:341
int tls_mode
Definition: ldap.h:308
int groupobj_scope
Search scope.
Definition: ldap.h:249
char const * admin_identity
Identity we bind as when we need to query the LDAP directory.
Definition: ldap.h:188
Specifies the password for an LDAP bind.
Definition: ldap.h:129
char const * admin_password
Password used in administrative bind.
Definition: ldap.h:190
rlm_ldap_control_t clientctrls[LDAP_MAX_CONTROLS+1]
Client controls to use for all operations with this handle.
Definition: ldap.h:172
bool start_tls
Send the Start TLS message to the LDAP directory to start encrypted communications using the standard...
Definition: ldap.h:309
ldap_handle_t * mod_conn_get(rlm_ldap_t const *inst, REQUEST *request)
bool use_referral_credentials
If true use credentials from the referral URL.
Definition: ldap.h:202
char const * tls_certificate_file
Sets the path to the public certificate file we present to the servers.
Definition: ldap.h:318
char const * group_attribute
Sets the attribute we use when comparing group group memberships.
Definition: ldap.h:271
#define UNUSED
Definition: libradius.h:134
vp_tmpl_t * proxy
Identity to proxy.
Definition: ldap.h:150
bool chase_referrals_unset
If true, use the OpenLDAP defaults for chase_referrals.
Definition: ldap.h:200
char * server
Initial server to bind to.
Definition: ldap.h:185
ldap_acct_section_t * accounting
Modify mappings for accounting.
Definition: ldap.h:302
struct ldap_acct_section ldap_acct_section_t
vp_tmpl_t * realm
Kerberos realm.
Definition: ldap.h:151
static float timeout
Definition: radclient.c:43
#define inst
bool cacheable_group_name
If true the server will determine complete set of group memberships for the current user object...
Definition: ldap.h:255
int userobj_scope
Search scope.
Definition: ldap.h:231
static expr_map_t map[]
Definition: rlm_expr.c:169
struct rlm_ldap_control rlm_ldap_control_t
bool cacheable_group_dn
If true the server will determine complete set of group memberships for the current user object...
Definition: ldap.h:260
ldap_rcode_t
Codes returned by rlm_ldap internal functions.
Definition: ldap.h:395
vp_map_t const * maps
Head of list of maps we expanded the RHS of.
Definition: ldap.h:376
char const * profile_attr
Attribute that identifies profiles to apply.
Definition: ldap.h:294
void rlm_ldap_control_clear(ldap_handle_t *conn)
Clear and free any controls associated with a connection.
Definition: control.c:127
char const * groupobj_filter
Filter to retrieve only group objects.
Definition: ldap.h:246
int serverctrls_cnt
Number of server controls associated with the handle.
Definition: ldap.h:174
Specifies the user DN or name for an LDAP bind.
Definition: ldap.h:128
int nmasldap_get_password(LDAP *ld, char const *dn, char *password, size_t *len)
Attempt to retrieve the universal password from Novell eDirectory.
Definition: edir.c:165
size_t rlm_ldap_escape_func(UNUSED REQUEST *request, char *out, size_t outlen, char const *in, UNUSED void *arg)
Converts "bad" strings into ones which are safe for LDAP.
Definition: ldap.c:65
char const * clientobj_scope_str
Scope (sub, one, base).
Definition: ldap.h:282
char const * reference
Configuration reference string.
Definition: ldap.h:139
Operation was not permitted, either current user was locked out in the case of binds, or has insufficient access.
Definition: ldap.h:404
int dereference
libldap value specifying dereferencing behaviour.
Definition: ldap.h:195
char const * groupobj_scope_str
Scope (sub, one, base).
Definition: ldap.h:248
char const * userobj_membership_attr
Attribute that describes groups the user is a member of.
Definition: ldap.h:233
char const * valuepair_attr
Generic dynamic mapping attribute, contains a RADIUS attribute and value.
Definition: ldap.h:238
ldap_rcode_t rlm_ldap_result(rlm_ldap_t const *inst, ldap_handle_t const *conn, int msgid, char const *dn, LDAPMessage **result, char const **error, char **extra)
Parse response from LDAP server dealing with any errors.
Definition: ldap.c:517
int rlm_ldap_client_load(rlm_ldap_t const *inst, CONF_SECTION *tmpl, CONF_SECTION *cs)
Load clients from LDAP on server start.
Definition: clients.c:102
bool chase_referrals
If the LDAP server returns a referral to another server or point in the tree, follow it...
Definition: ldap.h:197
char const * tls_ca_file
Sets the full path to a CA certificate (used to validate the certificate the server presents)...
Definition: ldap.h:313
ssize_t rlm_ldap_xlat_filter(REQUEST *request, char const **sub, size_t sublen, char *out, size_t outlen)
Combine and expand filters.
Definition: ldap.c:416
char const * groupobj_name_attr
The name of the group.
Definition: ldap.h:251
int rlm_ldap_map_do(rlm_ldap_t const *inst, REQUEST *request, LDAP *handle, rlm_ldap_map_exp_t const *expanded, LDAPMessage *entry)
Convert attribute map into valuepairs.
Definition: attrmap.c:302
Result of expanding the RHS of a set of maps.
Definition: ldap.h:375
struct ldap_sasl_dynamic ldap_sasl_dynamic
vp_tmpl_t * userobj_base_dn
DN to search for users under.
Definition: ldap.h:226
int rlm_ldap_map_getvalue(TALLOC_CTX *ctx, VALUE_PAIR **out, REQUEST *request, vp_map_t const *map, void *uctx)
Callback for map_to_request.
Definition: attrmap.c:36
fr_dict_attr_t const * cache_da
The DA associated with this specific instance of the.
Definition: ldap.h:268
bool rebound
Whether the connection has been rebound to something other than the admin user.
Definition: ldap.h:165
char const * clientobj_filter
Filter to retrieve only client objects.
Definition: ldap.h:280
char const * rlm_ldap_error_str(ldap_handle_t const *conn)
Return the error string associated with a handle.
Definition: ldap.c:488
int count
Number of values.
Definition: ldap.h:389
bool rebind
Controls whether we set an ldad_rebind_proc function and so determines if we can bind to other server...
Definition: ldap.h:204
int rlm_ldap_map_expand(rlm_ldap_map_exp_t *expanded, REQUEST *request, vp_map_t const *maps)
Expand values in an attribute map where needed.
Definition: attrmap.c:251
char const * edir_errstr(int code)
Definition: edir.c:245
char const * groupobj_membership_filter
Filter to only retrieve groups which contain the user as a member.
Definition: ldap.h:252
Stores an attribute, a value and various bits of other data.
Definition: pair.h:112
uint16_t port
Port to use when binding to the server.
Definition: ldap.h:186
ldap_sasl_dynamic user_sasl
SASL parameters used when binding as the user.
Definition: ldap.h:241
Contains a collection of values.
Definition: ldap.h:386
FR_NAME_NUMBER const ldap_supported_extensions[]
Definition: ldap.c:39
CONF_SECTION * cs
Main configuration section for this instance.
Definition: ldap.h:181
Operation is in progress.
Definition: ldap.h:396
char const * proxy
Identity to proxy.
Definition: ldap.h:144
char const * name
Instance name.
Definition: ldap.h:212
char const * tls_ca_path
Sets the path to a directory containing CA certificates.
Definition: ldap.h:316
enum rlm_rcodes rlm_rcode_t
Return codes indicating the result of the module call.
ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, char const *password, ldap_sasl *sasl, bool retry, LDAPControl **serverctrls, LDAPControl **clientctrls)
Bind to the LDAP directory as a user.
Definition: ldap.c:751
int tls_require_cert
OpenLDAP constant representing the require cert string.
Definition: ldap.h:330
void rlm_ldap_check_reply(rlm_ldap_t const *inst, REQUEST *request)
Verify we got a password from the search.
Definition: ldap.c:1362
struct rlm_ldap_result rlm_ldap_result_t
Contains a collection of values.
int count
Index on next free element.
Definition: ldap.h:380
vp_map_t * user_map
Attribute map applied to users and profiles.
Definition: ldap.h:220
rlm_ldap_t * inst
rlm_ldap configuration.
Definition: ldap.h:177
LDAP * handle
Hack for OpenLDAP libldap global initialisation.
Definition: ldap.h:368
CONF_SECTION * cs
Section configuration.
Definition: ldap.h:137
char * rlm_ldap_berval_to_string(TALLOC_CTX *ctx, struct berval const *in)
Convert a berval to a talloced string.
Definition: ldap.c:281
#define LDAP_MAX_ATTRMAP
Maximum number of mappings between LDAP and FreeRADIUS attributes.
Definition: ldap.h:107
uint32_t ldap_debug
Debug flag for the SDK.
Definition: ldap.h:210
struct rlm_ldap_map_exp rlm_ldap_map_exp_t
Result of expanding the RHS of a set of maps.
int clientobj_scope
Search scope.
Definition: ldap.h:283
FR_NAME_NUMBER const ldap_tls_require_cert[]
void * mod_conn_create(TALLOC_CTX *ctx, void *instance, struct timeval const *timeout)
Create a new connection pool handle.
Definition: mod.c:68
struct berval ** values
libldap struct containing bv_val (char *) and length bv_len.
Definition: ldap.h:387
rlm_rcode_t rlm_ldap_cacheable_groupobj(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn)
Convert group membership information into attributes.
Definition: groups.c:415
Specified an invalid object in a bind or search DN.
Definition: ldap.h:410
Unsupported extension.
Definition: ldap.h:127
ldap_rcode_t rlm_ldap_modify(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, LDAPMod *mods[], LDAPControl **serverctrls, LDAPControl **clientctrls)
Modify something in the LDAP directory.
Definition: ldap.c:1048
A connection pool.
Definition: connection.c:85
vp_tmpl_t * userobj_filter
Filter to retrieve only user objects.
Definition: ldap.h:225
char const * rlm_ldap_find_user(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *attrs[], bool force, LDAPMessage **result, rlm_rcode_t *rcode)
Retrieve the DN of a user object.
Definition: ldap.c:1152
int clientctrls_cnt
Number of client controls associated with the handle.
Definition: ldap.h:175
Transitory error, caller should retry the operation with a new connection.
Definition: ldap.h:401
char const * tls_require_cert_str
Sets requirements for validating the certificate the server presents.
Definition: ldap.h:327
rlm_rcode_t rlm_ldap_check_cached(rlm_ldap_t const *inst, REQUEST *request, VALUE_PAIR *check)
Check group membership attributes to see if a user is a member.
Definition: groups.c:812
char const * attrs[LDAP_MAX_ATTRMAP+LDAP_MAP_RESERVED+1]
Reserve some space for access attributes.
Definition: ldap.h:377
int rlm_ldap_control_add_client(ldap_handle_t *conn, LDAPControl *ctrl, bool freeit)
Add a clientctrl to a connection handle.
Definition: control.c:110
rlm_rcode_t rlm_ldap_check_groupobj_dynamic(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, VALUE_PAIR *check)
Query the LDAP directory to check if a group object includes a user object as a member.
Definition: groups.c:530
bool do_clients
If true, attempt to load clients on instantiation.
Definition: ldap.h:285
char const * tls_random_file
Path to the random file if /dev/random and /dev/urandom are unavailable.
Definition: ldap.h:324
ldap_rcode_t rlm_ldap_search(LDAPMessage **result, rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, int scope, char const *filter, char const *const *attrs, LDAPControl **serverctrls, LDAPControl **clientctrls)
Search for something in the LDAP directory.
Definition: ldap.c:880
int rlm_ldap_control_add_server(ldap_handle_t *conn, LDAPControl *ctrl, bool freeit)
Add a serverctrl to a connection handle.
Definition: control.c:86
TALLOC_CTX * ctx
Context to allocate new attributes in.
Definition: ldap.h:379
char const * mech
SASL mech(s) to try.
Definition: ldap.h:143
vp_tmpl_t * profile_filter
Filter to retrieve only profile objects.
Definition: ldap.h:296
LDAPControl * userobj_sort_ctrl
Server side sort control.
Definition: ldap.h:229
bool freeit
Whether the control should be freed after we've finished using it.
Definition: ldap.h:156
vp_tmpl_t * default_profile
If this is set, we will search for a profile object with this name, and map any attributes it contains.
Definition: ldap.h:290
char const * userobj_scope_str
Scope (sub, one, base).
Definition: ldap.h:227
char const * realm
Kerberos realm.
Definition: ldap.h:145
bool access_positive
If true, the presence of the attribute will allow access; otherwise its presence will deny access.
Definition: ldap.h:235
int rlm_ldap_map_verify(vp_map_t *map, void *instance)
Definition: attrmap.c:146
void rlm_ldap_control_merge(LDAPControl *serverctrls_out[], LDAPControl *clientctrls_out[], size_t serverctrls_len, size_t clientctrls_len, ldap_handle_t *conn, LDAPControl *serverctrls_in[], LDAPControl *clientctrls_in[])
Merge connection and call specific client and server controls.
Definition: control.c:41
ldap_supported_extension
Definition: ldap.h:126
ldap_sasl admin_sasl
SASL parameters used when binding as the admin.
Definition: ldap.h:192
Unrecoverable library/server error.
Definition: ldap.h:399
#define LDAP_MAX_CONTROLS
Maximum number of client/server controls.
Definition: ldap.h:105
ldap_acct_section_t * postauth
Modify mappings for post-auth.
Definition: ldap.h:301
LDAP authorization and authentication module headers.
size_t rlm_ldap_normalise_dn(char *out, char const *in)
Normalise escape sequences in a DN.
Definition: ldap.c:312
Value pair map.
Definition: map.h:46
char const * userobj_sort_by
List of attributes to sort by.
Definition: ldap.h:228
bool expect_password
True if the user_map included a mapping between an LDAP attribute and one of our password reference attributes.
Definition: ldap.h:214
char const * dereference_str
When to dereference aliases (never, searching, finding, always).
Definition: ldap.h:194
A source or sink of value data.
Definition: tmpl.h:187
bool referred
Whether the connection is now established to a server other than the configured one (e.g. after following a referral).
Definition: ldap.h:167
char const * config_server
Server set in the config.
Definition: ldap.h:184
void mod_conn_release(rlm_ldap_t const *inst, ldap_handle_t *conn)
Frees an LDAP socket back to the connection pool.
Definition: ldap.c:1758
#define LDAP_MAP_RESERVED
Number of additional items to allocate in expanded.
Definition: ldap.h:109
LDAP * handle
libldap handle.
Definition: ldap.h:164
Bind failed, user was rejected.
Definition: ldap.h:408
char const * tls_private_key_file
Sets the path to the private key for our public certificate.
Definition: ldap.h:321
FR_NAME_NUMBER const ldap_scope[]
Definition: rlm_ldap.c:44
vp_tmpl_t * mech
SASL mech(s) to try.
Definition: ldap.h:149
Got no results.
Definition: ldap.h:412
bool rlm_ldap_is_dn(char const *in, size_t inlen)
Check whether a string looks like a DN.
Definition: ldap.c:168