14 #include <freeradius-devel/radiusd.h>
15 #include <freeradius-devel/modules.h>
22 #define LDAP_DEPRECATED 1
31 #ifndef HAVE_LDAP_CREATE_SESSION_TRACKING_CONTROL
32 # undef LDAP_CONTROL_X_SESSION_TRACKING
43 #ifdef LDAP_CONTROL_X_SESSION_TRACKING
44 # if !defined(HAVE_DECL_LDAP_CREATE_SESSION_TRACKING_CONTROL) || (HAVE_DECL_LDAP_CREATE_SESSION_TRACKING_CONTROL == 0)
46 ldap_create_session_tracking_control LDAP_P((
48 char *sessionSourceIp,
49 char *sessionSourceName,
51 struct berval *sessionTrackingIdentifier,
52 LDAPControl **ctrlp ));
60 #if !defined(LDAP_CREATE_SORT_KEYLIST) || !defined(LDAP_FREE_SORT_KEYLIST)
61 # undef HAVE_LDAP_CREATE_SORT_CONTROL
71 #if !defined(LDAP_VENDOR_VERSION_PATCH) || LDAP_VENDOR_VERSION_PATCH == 0
72 # undef LDAP_VENDOR_VERSION_PATCH
73 # define LDAP_VENDOR_VERSION_PATCH 0
79 #if !defined(LDAP_SCOPE_BASE) && defined(LDAP_SCOPE_BASEOBJECT)
80 # define LDAP_SCOPE_BASE LDAP_SCOPE_BASEOBJECT
83 #if !defined(LDAP_SCOPE_ONE) && defined(LDAP_SCOPE_ONELEVEL)
84 # define LDAP_SCOPE_ONE LDAP_SCOPE_ONELEVEL
87 #if !defined(LDAP_SCOPE_SUB) && defined(LDAP_SCOPE_SUBTREE)
88 # define LDAP_SCOPE_SUB LDAP_SCOPE_SUBTREE
91 #if !defined(LDAP_OPT_RESULT_CODE) && defined(LDAP_OPT_ERROR_NUMBER)
92 # define LDAP_OPT_RESULT_CODE LDAP_OPT_ERROR_NUMBER
99 #if defined(HAVE_LDAP_URL_PARSE) && defined(HAVE_LDAP_IS_LDAP_URL) && defined(HAVE_LDAP_URL_DESC2STR)
100 # define LDAP_CAN_PARSE_URLS
/* Module name, used where rlm_ldap needs to identify itself as a string. */
#define MOD_PREFIX "rlm_ldap"

/*
 * Maximum number of client/server controls that can be attached to a
 * connection handle.  The per-handle control arrays are declared with
 * LDAP_MAX_CONTROLS+1 entries — presumably so the list can be terminated
 * with a NULL pointer as libldap expects; confirm against the handle struct.
 */
#define LDAP_MAX_CONTROLS 10

/* Maximum number of attribute mappings between LDAP and (presumably) RADIUS attributes. */
#define LDAP_MAX_ATTRMAP 128

/*
 * Number of additional slots reserved in the expanded attribute list
 * (attrs[LDAP_MAX_ATTRMAP + LDAP_MAP_RESERVED + 1]) for access/control
 * attributes that are requested in addition to the user map.
 */
#define LDAP_MAP_RESERVED 4

/* Upper bound on cacheable entries — looks like group memberships; TODO confirm where it is enforced. */
#define LDAP_MAX_CACHEABLE 64

/*
 * Fixed buffer bounds for strings built or copied by the module.  Any input
 * that can exceed these (group names, attribute values, filters, DNs coming
 * back from the directory or from user input) must be length-checked or
 * truncated against them before being written into a stack buffer.
 */
#define LDAP_MAX_GROUP_NAME_LEN 128
#define LDAP_MAX_ATTR_STR_LEN 256
#define LDAP_MAX_FILTER_STR_LEN 1024
#define LDAP_MAX_DN_STR_LEN 1024

/* Name of the pseudo-attribute that presumably refers to an entry's own DN in maps — confirm against the map code. */
#define LDAP_VIRTUAL_DN_ATTR "dn"
335 #ifdef LDAP_CONTROL_X_SESSION_TRACKING
336 bool session_tracking;
356 #ifdef LDAP_OPT_X_KEEPALIVE_IDLE
357 uint32_t keepalive_idle;
360 #ifdef LDAP_OPT_X_KEEPALIVE_PROBES
361 uint32_t keepalive_probes;
364 #ifdef LDAP_OPT_X_KEEPALIVE_INTERVAL
365 uint32_t keepalive_interval;
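/*
 * Instance- and request-aware logging helpers.
 *
 * Every macro prefixes its message with the instance name, so all of them
 * assume a variable `inst` (rlm_ldap_t const *) is in scope.  The *_REQ
 * variants also assume a `request` (REQUEST *) variable: when it is non-NULL
 * the message goes through the request-scoped R*DEBUG macros, otherwise
 * through the instance-level radlog() path.
 *
 * Every expansion that contains a conditional is wrapped in
 * do { ... } while (0) so that a macro used as the body of an if/else
 * behaves as exactly one statement (no dangling-else surprises).
 */
#define LDAP_INFO(fmt, ...) INFO("rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__)
#define LDAP_WARN(fmt, ...) WARN("rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__)

#define LDAP_DBGW(fmt, ...) radlog(L_DBG_WARN, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__)
#define LDAP_DBGW_REQ(fmt, ...) do { if (request) {RWDEBUG(fmt, ##__VA_ARGS__);} else {LDAP_DBGW(fmt, ##__VA_ARGS__);}} while (0)

#define LDAP_DBG(fmt, ...) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__)
#define LDAP_DBG_REQ(fmt, ...) do { if (request) {RDEBUG(fmt, ##__VA_ARGS__);} else {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0)

/*
 * Level 2 / level 3 debug output, gated on the global debug level.  The
 * non-request forms used to expand to a bare "if (...) radlog(...)", which
 * made "if (x) LDAP_DBG2(...); else ..." bind the else to the macro's own
 * if; they are now wrapped like the *_REQ forms.
 */
#define LDAP_DBG2(fmt, ...) do { if (rad_debug_lvl >= L_DBG_LVL_2) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__); } while (0)
#define LDAP_DBG_REQ2(fmt, ...) do { if (request) {RDEBUG2(fmt, ##__VA_ARGS__);} else if (rad_debug_lvl >= L_DBG_LVL_2) {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0)

#define LDAP_DBG3(fmt, ...) do { if (rad_debug_lvl >= L_DBG_LVL_3) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__); } while (0)
#define LDAP_DBG_REQ3(fmt, ...) do { if (request) {RDEBUG3(fmt, ##__VA_ARGS__);} else if (rad_debug_lvl >= L_DBG_LVL_3) {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0)

#define LDAP_ERR(fmt, ...) ERROR("rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__)
#define LDAP_ERR_REQ(fmt, ...) do { if (request) {REDEBUG(fmt, ##__VA_ARGS__);} else {LDAP_ERR(fmt, ##__VA_ARGS__);}} while (0)

/*
 * Emit the "extra" diagnostic string, if one is set.  `extra` is a runtime
 * char * (the error_extra/extra out-parameter filled in by the result
 * parsing code), not a string literal, so it must never be used as the
 * format string: LDAP_EXT() previously did exactly that (LDAP_ERR(extra)),
 * which both breaks the "rlm_ldap (%s): " fmt literal concatenation and
 * would hand server-supplied text to the formatter.  Both forms now pass it
 * as a "%s" argument, matching LDAP_EXT_REQ.
 */
#define LDAP_EXT() do { if (extra) LDAP_ERR("%s", extra); } while (0)
#define LDAP_EXT_REQ() do { if (extra) { if (request) REDEBUG("%s", extra); else LDAP_ERR("%s", extra); }} while (0)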
458 char const *password,
ldap_sasl *sasl,
bool retry,
459 LDAPControl **serverctrls, LDAPControl **clientctrls);
465 char const *dn,
int scope,
char const *filter,
char const *
const *attrs,
466 LDAPControl **serverctrls, LDAPControl **clientctrls);
469 char const *dn, LDAPMod *mods[],
470 LDAPControl **serverctrls, LDAPControl **clientctrls);
473 char const *attrs[],
bool force, LDAPMessage **result,
rlm_rcode_t *rcode);
484 LDAPMessage **result,
char const **error,
char **extra);
498 LDAPMessage *entry,
char const *attr);
531 LDAPControl *clientctrls_out[],
532 size_t serverctrls_len,
533 size_t clientctrls_len,
535 LDAPControl *serverctrls_in[],
536 LDAPControl *clientctrls_in[]);
559 LDAPControl **serverctrls, LDAPControl **clientctrls,
560 char const **error,
char **error_extra);
char const * cache_attribute
Sets the attribute we use when creating and retrieving cached group memberships.
Tracks the state of a libldap connection handle.
ldap_rcode_t rlm_ldap_sasl_interactive(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t *pconn, char const *dn, char const *password, ldap_sasl *sasl, LDAPControl **serverctrls, LDAPControl **clientctrls, char const **error, char **error_extra)
Initiate an LDAP interactive bind.
Operation was successful.
rlm_rcode_t rlm_ldap_check_access(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t const *conn, LDAPMessage *entry)
Check for presence of access attribute in result.
rlm_ldap_control_t serverctrls[LDAP_MAX_CONTROLS+1]
Server controls to use for all operations with this handle.
size_t rlm_ldap_unescape_func(UNUSED REQUEST *request, char *out, size_t outlen, char const *in, UNUSED void *arg)
Converts escaped DNs and filter strings back into their unescaped form.
struct ldap_sasl ldap_sasl
struct ldap_handle ldap_handle_t
Tracks the state of a libldap connection handle.
rlm_rcode_t rlm_ldap_cacheable_userobj(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, LDAPMessage *entry, char const *attr)
Convert group membership information into attributes.
char const * userobj_access_attr
Attribute to check to see if the user should be locked out.
int rlm_ldap_control_add_session_tracking(ldap_handle_t *conn, REQUEST *request)
char const * clientobj_base_dn
DN to search for clients under.
fr_connection_pool_t * pool
Connection pool instance.
vp_tmpl_t * groupobj_base_dn
DN to search for groups under.
fr_dict_attr_t const * group_da
The DA associated with this specific instance of the rlm_ldap module.
rlm_rcode_t rlm_ldap_check_userobj_dynamic(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, VALUE_PAIR *check)
Query the LDAP directory to check if a user object is a member of a group.
uint32_t res_timeout
How long we wait for a result from the server.
LDAPControl * control
LDAP control.
uint32_t srv_timelimit
How long the server should spend on a single request (also bounded by the value configured on the server)...
int groupobj_scope
Search scope.
char const * admin_identity
Identity we bind as when we need to query the LDAP directory.
Specifies the password for an LDAP bind.
char const * admin_password
Password used in administrative bind.
rlm_ldap_control_t clientctrls[LDAP_MAX_CONTROLS+1]
Client controls to use for all operations with this handle.
bool start_tls
Send the Start TLS message to the LDAP directory to start encrypted communications using the standard...
ldap_handle_t * mod_conn_get(rlm_ldap_t const *inst, REQUEST *request)
bool use_referral_credentials
If true use credentials from the referral URL.
char const * tls_certificate_file
Sets the path to the public certificate file we present to the servers.
char const * group_attribute
Sets the attribute we use when comparing group memberships.
vp_tmpl_t * proxy
Identity to proxy.
bool chase_referrals_unset
If true, use the OpenLDAP defaults for chase_referrals.
char * server
Initial server to bind to.
ldap_acct_section_t * accounting
Modify mappings for accounting.
struct ldap_acct_section ldap_acct_section_t
vp_tmpl_t * realm
Kerberos realm.
bool cacheable_group_name
If true the server will determine complete set of group memberships for the current user object...
int userobj_scope
Search scope.
struct rlm_ldap_control rlm_ldap_control_t
bool cacheable_group_dn
If true the server will determine complete set of group memberships for the current user object...
ldap_rcode_t
Codes returned by rlm_ldap internal functions.
vp_map_t const * maps
Head of list of maps we expanded the RHS of.
char const * profile_attr
Attribute that identifies profiles to apply.
void rlm_ldap_control_clear(ldap_handle_t *conn)
Clear and free any controls associated with a connection.
char const * groupobj_filter
Filter to retrieve only group objects.
int serverctrls_cnt
Number of server controls associated with the handle.
Specifies the user DN or name for an LDAP bind.
int nmasldap_get_password(LDAP *ld, char const *dn, char *password, size_t *len)
Attempt to retrieve the universal password from Novell eDirectory.
size_t rlm_ldap_escape_func(UNUSED REQUEST *request, char *out, size_t outlen, char const *in, UNUSED void *arg)
Converts "bad" strings into ones which are safe for LDAP.
char const * clientobj_scope_str
Scope (sub, one, base).
char const * reference
Configuration reference string.
Operation was not permitted, either current user was locked out in the case of binds, or has insufficient access.
int dereference
libldap value specifying dereferencing behaviour.
char const * groupobj_scope_str
Scope (sub, one, base).
char const * userobj_membership_attr
Attribute that describes groups the user is a member of.
char const * valuepair_attr
Generic dynamic mapping attribute, contains a RADIUS attribute and value.
ldap_rcode_t rlm_ldap_result(rlm_ldap_t const *inst, ldap_handle_t const *conn, int msgid, char const *dn, LDAPMessage **result, char const **error, char **extra)
Parse response from LDAP server dealing with any errors.
int rlm_ldap_client_load(rlm_ldap_t const *inst, CONF_SECTION *tmpl, CONF_SECTION *cs)
Load clients from LDAP on server start.
bool chase_referrals
If the LDAP server returns a referral to another server or point in the tree, follow it...
char const * tls_ca_file
Sets the full path to a CA certificate (used to validate the certificate the server presents)...
ssize_t rlm_ldap_xlat_filter(REQUEST *request, char const **sub, size_t sublen, char *out, size_t outlen)
Combine and expand filters.
char const * groupobj_name_attr
The name of the group.
int rlm_ldap_map_do(rlm_ldap_t const *inst, REQUEST *request, LDAP *handle, rlm_ldap_map_exp_t const *expanded, LDAPMessage *entry)
Convert attribute map into valuepairs.
Result of expanding the RHS of a set of maps.
struct ldap_sasl_dynamic ldap_sasl_dynamic
vp_tmpl_t * userobj_base_dn
DN to search for users under.
int rlm_ldap_map_getvalue(TALLOC_CTX *ctx, VALUE_PAIR **out, REQUEST *request, vp_map_t const *map, void *uctx)
Callback for map_to_request.
fr_dict_attr_t const * cache_da
The DA associated with this specific instance of the rlm_ldap module.
bool rebound
Whether the connection has been rebound to something other than the admin user.
char const * clientobj_filter
Filter to retrieve only client objects.
char const * rlm_ldap_error_str(ldap_handle_t const *conn)
Return the error string associated with a handle.
int count
Number of values.
bool rebind
Controls whether we set an ldap_rebind_proc function and so determines if we can bind to other server...
int rlm_ldap_map_expand(rlm_ldap_map_exp_t *expanded, REQUEST *request, vp_map_t const *maps)
Expand values in an attribute map where needed.
char const * edir_errstr(int code)
char const * groupobj_membership_filter
Filter to only retrieve groups which contain the user as a member.
Stores an attribute, a value and various bits of other data.
uint16_t port
Port to use when binding to the server.
ldap_sasl_dynamic user_sasl
SASL parameters used when binding as the user.
Contains a collection of values.
FR_NAME_NUMBER const ldap_supported_extensions[]
CONF_SECTION * cs
Main configuration section for this instance.
Operation is in progress.
char const * proxy
Identity to proxy.
char const * name
Instance name.
char const * tls_ca_path
Sets the path to a directory containing CA certificates.
enum rlm_rcodes rlm_rcode_t
Return codes indicating the result of the module call.
ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, char const *password, ldap_sasl *sasl, bool retry, LDAPControl **serverctrls, LDAPControl **clientctrls)
Bind to the LDAP directory as a user.
int tls_require_cert
OpenLDAP constant representing the require cert string.
void rlm_ldap_check_reply(rlm_ldap_t const *inst, REQUEST *request)
Verify we got a password from the search.
struct rlm_ldap_result rlm_ldap_result_t
Contains a collection of values.
int count
Index on next free element.
vp_map_t * user_map
Attribute map applied to users and profiles.
rlm_ldap_t * inst
rlm_ldap configuration.
LDAP * handle
Hack for OpenLDAP libldap global initialisation.
CONF_SECTION * cs
Section configuration.
char * rlm_ldap_berval_to_string(TALLOC_CTX *ctx, struct berval const *in)
Convert a berval to a talloced string.
#define LDAP_MAX_ATTRMAP
Maximum number of mappings between LDAP and.
uint32_t ldap_debug
Debug flag for the SDK.
struct rlm_ldap_map_exp rlm_ldap_map_exp_t
Result of expanding the RHS of a set of maps.
int clientobj_scope
Search scope.
FR_NAME_NUMBER const ldap_tls_require_cert[]
void * mod_conn_create(TALLOC_CTX *ctx, void *instance, struct timeval const *timeout)
Create a new connection pool handle.
struct berval ** values
libldap struct containing bv_val (char *) and length bv_len.
rlm_rcode_t rlm_ldap_cacheable_groupobj(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn)
Convert group membership information into attributes.
Specified an invalid object in a bind or search DN.
ldap_rcode_t rlm_ldap_modify(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, LDAPMod *mods[], LDAPControl **serverctrls, LDAPControl **clientctrls)
Modify something in the LDAP directory.
vp_tmpl_t * userobj_filter
Filter to retrieve only user objects.
char const * rlm_ldap_find_user(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *attrs[], bool force, LDAPMessage **result, rlm_rcode_t *rcode)
Retrieve the DN of a user object.
int clientctrls_cnt
Number of client controls associated with the handle.
Transitory error, caller should retry the operation with a new connection.
char const * tls_require_cert_str
Sets requirements for validating the certificate the server presents.
rlm_rcode_t rlm_ldap_check_cached(rlm_ldap_t const *inst, REQUEST *request, VALUE_PAIR *check)
Check group membership attributes to see if a user is a member.
char const * attrs[LDAP_MAX_ATTRMAP+LDAP_MAP_RESERVED+1]
Reserve some space for access attributes.
int rlm_ldap_control_add_client(ldap_handle_t *conn, LDAPControl *ctrl, bool freeit)
Add a clientctrl to a connection handle.
rlm_rcode_t rlm_ldap_check_groupobj_dynamic(rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, VALUE_PAIR *check)
Query the LDAP directory to check if a group object includes a user object as a member.
bool do_clients
If true, attempt to load clients on instantiation.
char const * tls_random_file
Path to the random file if /dev/random and /dev/urandom are unavailable.
ldap_rcode_t rlm_ldap_search(LDAPMessage **result, rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, int scope, char const *filter, char const *const *attrs, LDAPControl **serverctrls, LDAPControl **clientctrls)
Search for something in the LDAP directory.
int rlm_ldap_control_add_server(ldap_handle_t *conn, LDAPControl *ctrl, bool freeit)
Add a serverctrl to a connection handle.
TALLOC_CTX * ctx
Context to allocate new attributes in.
char const * mech
SASL mech(s) to try.
vp_tmpl_t * profile_filter
Filter to retrieve only profile objects.
LDAPControl * userobj_sort_ctrl
Server side sort control.
bool freeit
Whether the control should be freed after we've finished using it.
vp_tmpl_t * default_profile
If this is set, we will search for a profile object with this name, and map any attributes it contain...
char const * userobj_scope_str
Scope (sub, one, base).
char const * realm
Kerberos realm.
bool access_positive
If true the presence of the attribute will allow access, else it will deny access.
int rlm_ldap_map_verify(vp_map_t *map, void *instance)
void rlm_ldap_control_merge(LDAPControl *serverctrls_out[], LDAPControl *clientctrls_out[], size_t serverctrls_len, size_t clientctrls_len, ldap_handle_t *conn, LDAPControl *serverctrls_in[], LDAPControl *clientctrls_in[])
Merge connection and call specific client and server controls.
ldap_sasl admin_sasl
SASL parameters used when binding as the admin.
Unrecoverable library/server error.
#define LDAP_MAX_CONTROLS
Maximum number of client/server controls.
ldap_acct_section_t * postauth
Modify mappings for post-auth.
LDAP authorization and authentication module headers.
size_t rlm_ldap_normalise_dn(char *out, char const *in)
Normalise escape sequences in a DN.
char const * userobj_sort_by
List of attributes to sort by.
bool expect_password
True if the user_map included a mapping between an LDAP attribute and one of our password reference a...
char const * dereference_str
When to dereference (never, searching, finding, always)
A source or sink of value data.
bool referred
Whether the connection is now established to a server other than the configured one. ...
char const * config_server
Server set in the config.
void mod_conn_release(rlm_ldap_t const *inst, ldap_handle_t *conn)
Frees an LDAP socket back to the connection pool.
#define LDAP_MAP_RESERVED
Number of additional items to allocate in expanded.
LDAP * handle
libldap handle.
Bind failed, user was rejected.
char const * tls_private_key_file
Sets the path to the private key for our public certificate.
FR_NAME_NUMBER const ldap_scope[]
vp_tmpl_t * mech
SASL mech(s) to try.
bool rlm_ldap_is_dn(char const *in, size_t inlen)
Check whether a string looks like a DN.