profile_8c_source.html

 /*

  *   This program is is free software; you can redistribute it and/or modify

  *   it under the terms of the GNU General Public License as published by

  *   the Free Software Foundation; either version 2 of the License, or (at

  *   your option) any later version.

  *

  *   This program is distributed in the hope that it will be useful,

  *   but WITHOUT ANY WARRANTY; without even the implied warranty of

  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  *   GNU General Public License for more details.

  *

  *   You should have received a copy of the GNU General Public License

  *   along with this program; if not, write to the Free Software

  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA

  */


 /**

  * $Id: 1ddbddd14042f3cf4d39b53aad88e2ded228dc7f $

  * @file rlm_ldap.c

  * @brief LDAP authorization and authentication module.

  *

  * @author Arran Cudbard-Bell (a.cudbardb@freeradius.org)

  * @author Alan DeKok (aland@freeradius.org)

  *

  * @copyright 2012,2015 Arran Cudbard-Bell (a.cudbardb@freeradius.org)

  * @copyright 2013,2015 Network RADIUS SAS (legal@networkradius.com)

  * @copyright 2012 Alan DeKok (aland@freeradius.org)

  * @copyright 1999-2013 The FreeRADIUS Server Project.

  */

 RCSID("$Id: 1ddbddd14042f3cf4d39b53aad88e2ded228dc7f $")


 USES_APPLE_DEPRECATED_API


 #include "rlm_ldap.h"

 #include <freeradius-devel/ldap/conf.h>


 #include <freeradius-devel/server/map_proc.h>

 #include <freeradius-devel/server/module_rlm.h>


 /** Holds state of in progress async profile lookups

  *

  */

 typedef struct {

         fr_ldap_result_code_t   *ret;                   //!< Result of the query and applying the map.

         fr_ldap_query_t         *query;

         char const              *dn;

         rlm_ldap_t const        *inst;

         fr_ldap_map_exp_t       const *expanded;

 } ldap_profile_ctx_t;


 /** Process the results of a profile lookup

  *

  */

 static unlang_action_t ldap_map_profile_resume(UNUSED rlm_rcode_t *p_result, UNUSED int *priority, request_t *request,

                                                void *uctx)

 {

         ldap_profile_ctx_t      *profile_ctx = talloc_get_type_abort(uctx, ldap_profile_ctx_t);

         fr_ldap_query_t         *query = profile_ctx->query;

         LDAP                    *handle;

         LDAPMessage             *entry = NULL;

         int                     ldap_errno;


         /*

          *      Tell the caller what happened

          */

         if (profile_ctx->ret) *profile_ctx->ret = query->ret;


         switch (query->ret) {

         case LDAP_RESULT_SUCCESS:

                 break;


         case LDAP_RESULT_NO_RESULT:

         case LDAP_RESULT_BAD_DN:

                 RDEBUG2("Profile object \"%s\" not found", profile_ctx->dn);

                 goto finish;


         default:

                 goto finish;

         }


         fr_assert(query->result);

         handle = query->ldap_conn->handle;


         entry = ldap_first_entry(handle, query->result);

         if (!entry) {

                 ldap_get_option(handle, LDAP_OPT_RESULT_CODE, &ldap_errno);

                 REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno));

                 if (profile_ctx->ret) *profile_ctx->ret = LDAP_RESULT_NO_RESULT;

                 goto finish;

         }


         RDEBUG2("Processing profile attributes");

         RINDENT();

         if (fr_ldap_map_do(request, profile_ctx->inst->valuepair_attr,

                            profile_ctx->expanded, entry) < 0) {

                 if (profile_ctx->ret) *profile_ctx->ret = LDAP_RESULT_ERROR;

         }


         REXDENT();


 finish:

         talloc_free(profile_ctx);

         return UNLANG_ACTION_CALCULATE_RESULT;

 }


 /** Cancel an in progress profile lookup

  *

  */

 static void ldap_map_profile_cancel(UNUSED request_t *request, UNUSED fr_signal_t action, void *uctx)

 {

         ldap_profile_ctx_t      *profile_ctx = talloc_get_type_abort(uctx, ldap_profile_ctx_t);


         if (!profile_ctx->query || !profile_ctx->query->treq) return;


         fr_trunk_request_signal_cancel(profile_ctx->query->treq);

 }


 /** Search for and apply an LDAP profile

  *

  * LDAP profiles are mapped using the same attribute map as user objects, they're used to add common

  * sets of attributes to the request.

  *

  * @param[out] ret              Where to write the result of the query.

  * @param[in] inst              LDAP module instance.

  * @param[in] request           Current request.

  * @param[in] ttrunk            Trunk connection on which to run LDAP queries.

  * @param[in] dn                of profile object to apply.

  * @param[in] scope             to apply when looking up profiles.

  * @param[in] filter            to apply when looking up profiles.

  * @param[in] expanded          Structure containing a list of xlat

  *                              expanded attribute names and mapping information.

  * @return One of the RLM_MODULE_* values.

  */

 unlang_action_t rlm_ldap_map_profile(fr_ldap_result_code_t *ret,

                                      rlm_ldap_t const *inst, request_t *request, fr_ldap_thread_trunk_t *ttrunk,

                                      char const *dn, int scope, char const *filter, fr_ldap_map_exp_t const *expanded)

 {

         ldap_profile_ctx_t      *profile_ctx;


         if (!dn || !*dn) return UNLANG_ACTION_CALCULATE_RESULT;


         MEM(profile_ctx = talloc(unlang_interpret_frame_talloc_ctx(request), ldap_profile_ctx_t));

         *profile_ctx = (ldap_profile_ctx_t) {

                 .ret = ret,

                 .dn = dn,

                 .expanded = expanded,

                 .inst = inst

         };

         if (ret) *ret = LDAP_RESULT_ERROR;


         if (unlang_function_push(request, NULL, ldap_map_profile_resume, ldap_map_profile_cancel,

                                  ~FR_SIGNAL_CANCEL, UNLANG_SUB_FRAME, profile_ctx) < 0) {

                 talloc_free(profile_ctx);

                 return UNLANG_ACTION_FAIL;

         }


         return fr_ldap_trunk_search(profile_ctx, &profile_ctx->query, request, ttrunk, dn,

                                     scope, filter,

                                     expanded->attrs, NULL, NULL);

 }


unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition: action.h:35

UNLANG_ACTION_FAIL
@ UNLANG_ACTION_FAIL
Encountered an unexpected error.
Definition: action.h:36

UNLANG_ACTION_CALCULATE_RESULT
@ UNLANG_ACTION_CALCULATE_RESULT
Calculate a new section rlm_rcode_t value.
Definition: action.h:37

USES_APPLE_DEPRECATED_API
#define USES_APPLE_DEPRECATED_API
Definition: build.h:431

RCSID
#define RCSID(id)
Definition: build.h:444

UNUSED
#define UNUSED
Definition: build.h:313

unlang_function_push
#define unlang_function_push(_request, _func, _repeat, _signal, _sigmask, _top_frame, _uctx)
Push a generic function onto the unlang stack.
Definition: function.h:111

unlang_interpret_frame_talloc_ctx
TALLOC_CTX * unlang_interpret_frame_talloc_ctx(request_t *request)
Get a talloc_ctx which is valid only for this frame.
Definition: interpret.c:1384

UNLANG_SUB_FRAME
#define UNLANG_SUB_FRAME
Definition: interpret.h:36

fr_ldap_query_s::treq
fr_trunk_request_t * treq
Trunk request this query is associated with.
Definition: base.h:451

fr_ldap_connection_t::handle
LDAP * handle
libldap handle.
Definition: base.h:331

fr_ldap_query_s::ret
fr_ldap_result_code_t ret
Result code.
Definition: base.h:465

fr_ldap_query_s::ldap_conn
fr_ldap_connection_t * ldap_conn
LDAP connection this query is running on.
Definition: base.h:452

fr_ldap_result_code_t
fr_ldap_result_code_t
LDAP query result codes.
Definition: base.h:186

LDAP_RESULT_ERROR
@ LDAP_RESULT_ERROR
A general error occurred.
Definition: base.h:189

LDAP_RESULT_SUCCESS
@ LDAP_RESULT_SUCCESS
Successfully got LDAP results.
Definition: base.h:188

LDAP_RESULT_NO_RESULT
@ LDAP_RESULT_NO_RESULT
No results returned.
Definition: base.h:192

LDAP_RESULT_BAD_DN
@ LDAP_RESULT_BAD_DN
The requested DN does not exist.
Definition: base.h:191

fr_ldap_query_s::result
LDAPMessage * result
Head of LDAP results list.
Definition: base.h:463

fr_ldap_map_do
int fr_ldap_map_do(request_t *request, char const *valuepair_attr, fr_ldap_map_exp_t const *expanded, LDAPMessage *entry)
Convert attribute map into valuepairs.
Definition: map.c:323

fr_ldap_map_exp_t::attrs
char const  * attrs[LDAP_MAX_ATTRMAP+LDAP_MAP_RESERVED+1]
Reserve some space for access attributes.
Definition: base.h:370

fr_ldap_map_exp_t
Result of expanding the RHS of a set of maps.
Definition: base.h:368

fr_ldap_query_s
LDAP query structure.
Definition: base.h:420

fr_ldap_thread_trunk_s
Thread LDAP trunk structure.
Definition: base.h:397

fr_ldap_trunk_search
unlang_action_t fr_ldap_trunk_search(TALLOC_CTX *ctx, fr_ldap_query_t **out, request_t *request, fr_ldap_thread_trunk_t *ttrunk, char const *base_dn, int scope, char const *filter, char const *const *attrs, LDAPControl **serverctrls, LDAPControl **clientctrls)
Run an async search LDAP query on a trunk connection.
Definition: base.c:694

REXDENT
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition: log.h:443

RINDENT
#define RINDENT()
Indent R* messages by one level.
Definition: log.h:430

talloc_free
talloc_free(reap)

request_t
Definition: merged_model.c:210

ldap_map_profile_resume
static unlang_action_t ldap_map_profile_resume(UNUSED rlm_rcode_t *p_result, UNUSED int *priority, request_t *request, void *uctx)
Process the results of a profile lookup.
Definition: profile.c:54

rlm_ldap_map_profile
unlang_action_t rlm_ldap_map_profile(fr_ldap_result_code_t *ret, rlm_ldap_t const *inst, request_t *request, fr_ldap_thread_trunk_t *ttrunk, char const *dn, int scope, char const *filter, fr_ldap_map_exp_t const *expanded)
Search for and apply an LDAP profile.
Definition: profile.c:134

ldap_map_profile_cancel
static void ldap_map_profile_cancel(UNUSED request_t *request, UNUSED fr_signal_t action, void *uctx)
Cancel an in progress profile lookup.
Definition: profile.c:109

ldap_profile_ctx_t::ret
fr_ldap_result_code_t * ret
Result of the query and applying the map.
Definition: profile.c:44

ldap_profile_ctx_t::inst
rlm_ldap_t const  * inst
Definition: profile.c:47

ldap_profile_ctx_t::dn
char const  * dn
Definition: profile.c:46

ldap_profile_ctx_t::expanded
fr_ldap_map_exp_t const  * expanded
Definition: profile.c:48

ldap_profile_ctx_t::query
fr_ldap_query_t * query
Definition: profile.c:45

ldap_profile_ctx_t
Holds state of in progress async profile lookups.
Definition: profile.c:43

REDEBUG
#define REDEBUG(fmt,...)
Definition: radclient.h:52

RDEBUG2
#define RDEBUG2(fmt,...)
Definition: radclient.h:54

rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition: rcode.h:40

rlm_ldap_t::valuepair_attr
char const  * valuepair_attr
Generic dynamic mapping attribute, contains a RADIUS attribute and value.
Definition: rlm_ldap.h:99

rlm_ldap_t
Definition: rlm_ldap.h:26

fr_signal_t
fr_signal_t
Definition: signal.h:48

fr_assert
fr_assert(0)

MEM
MEM(pair_append_request(&vp, attr_eap_aka_sim_identity) >=0)

inst
eap_aka_sim_process_conf_t * inst
Definition: state_machine.c:3633

fr_trunk_request_signal_cancel
void fr_trunk_request_signal_cancel(fr_trunk_request_t *treq)
Cancel a trunk request.
Definition: trunk.c:2047