The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
edir.c
Go to the documentation of this file.
1/*
2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 190832cadf77462637abc94691e19a01ec8782f3 $
19 * @file lib/ldap/edir.c
20 * @brief LDAP extension for reading eDirectory universal password.
21 *
22 * To contact Novell about this file by physical or electronic mail, you may
23 * find current contact information at www.novell.com.
24 *
25 * @copyright 2012 Olivier Beytrison (olivier@heliosnet.org)
26 * @copyright 2012 Alan DeKok (aland@freeradius.org)
27 * @copyright 2002-2004 Novell, Inc.
28 */
29RCSID("$Id: 190832cadf77462637abc94691e19a01ec8782f3 $")
30
31USES_APPLE_DEPRECATED_API
32
33#include <freeradius-devel/util/debug.h>
34#include <freeradius-devel/ldap/base.h>
35
36/* NMAS error codes */
37#define NMAS_E_BASE (-1600)
38
39#define NMAS_E_FRAG_FAILURE (NMAS_E_BASE-31) /* -1631 0xFFFFF9A1 */
40#define NMAS_E_SYSTEM_RESOURCES (NMAS_E_BASE-34) /* -1634 0xFFFFF99E */
41#define NMAS_E_INSUFFICIENT_MEMORY (NMAS_E_BASE-35) /* -1635 0xFFFFF99D */
42#define NMAS_E_NOT_SUPPORTED (NMAS_E_BASE-36) /* -1636 0xFFFFF99C */
43#define NMAS_E_INVALID_PARAMETER (NMAS_E_BASE-43) /* -1643 0xFFFFF995 */
44#define NMAS_E_INVALID_VERSION (NMAS_E_BASE-52) /* -1652 0xFFFFF98C */
45#define NMAS_E_ACCESS_NOT_ALLOWED (NMAS_E_BASE-59) /* -1659 0xFFFFF985 */
46#define NMAS_E_INVALID_SPM_REQUEST (NMAS_E_BASE-97) /* -1697 0xFFFFF95F */
47
48/* OID of LDAP extension calls to read Universal Password */
49#define NMASLDAP_GET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.13"
50#define NMASLDAP_GET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.14"
51
52#define NMAS_LDAP_EXT_VERSION 1
53
61
62/** Takes the object DN and BER encodes the data into the BER value which is used as part of the request
63 *
64 @verbatim
65 RequestBer contents:
66 clientVersion INTEGER
67 targetObjectDN OCTET STRING
68 @endverbatim
69 *
70 * @param[out] request_bv where to write the request BER value (must be freed with ber_bvfree).
71 * @param[in] dn to query for.
72 * @return
73 * - 0 on success.
74 * - < 0 on error.
75 */
76static int ber_encode_request_data(char const *dn, struct berval **request_bv)
77{
78 int err = 0;
79 int rc = 0;
80 BerElement *request_ber = NULL;
81
82 if (!dn || !*dn) {
83 err = NMAS_E_INVALID_PARAMETER;
84 goto finish;
85 }
86
87 /* Allocate a BerElement for the request parameters.*/
88 if ((request_ber = ber_alloc()) == NULL) {
89 err = NMAS_E_FRAG_FAILURE;
90 goto finish;
91 }
92
93 rc = ber_printf(request_ber, "{io}", NMAS_LDAP_EXT_VERSION, dn, strlen(dn) + 1);
94 if (rc < 0) {
95 err = NMAS_E_FRAG_FAILURE;
96 goto finish;
97 }
98
99 /*
100 * Convert the BER we just built to a berval that we'll
101 * send with the extended request.
102 */
103 if (ber_flatten(request_ber, request_bv) < 0) {
104 err = NMAS_E_FRAG_FAILURE;
105 goto finish;
106 }
107
108finish:
109 if (request_ber) ber_free(request_ber, 1);
110
111 return err;
112}
113
114/** Converts the reply into server version and a return code
115 *
116 * This function takes the reply BER Value and decodes the NMAS server version and return code and if a non
117 * null retData buffer was supplied, tries to decode the the return data and length.
118 *
119 @verbatim
120 ResponseBer contents:
121 server_version INTEGER
122 error INTEGER
123 data OCTET STRING
124 @endverbatim
125 *
126 * @param[in] reply_bv reply data from extended request.
127 * @param[out] server_version that responded.
128 * @param[out] out data.
129 * @param[out] outlen Length of data written to out.
130 * @return
131 * - 0 on success.
132 * - < 0 on error.
133 */
134static int ber_decode_login_data(struct berval *reply_bv, int *server_version, void *out, size_t *outlen)
135{
136 int rc = 0;
137 int err = 0;
138 BerElement *reply_ber = NULL;
139
140 fr_assert(out != NULL);
141 fr_assert(outlen != NULL);
142
143 if ((reply_ber = ber_init(reply_bv)) == NULL) {
144 err = NMAS_E_SYSTEM_RESOURCES;
145 goto finish;
146 }
147
148 rc = ber_scanf(reply_ber, "{iis}", server_version, &err, out, outlen);
149 if (rc == -1) {
150 err = NMAS_E_FRAG_FAILURE;
151 goto finish;
152 }
153
154finish:
155 if (reply_ber) ber_free(reply_ber, 1);
156
157 return err;
158}
159
160/** Submit LDAP extended operation to retrieve Universal Password
161 *
162 * @param p_result Result of current operation.
163 * @param request Current request.
164 * @param uctx eDir lookup context.
165 * @return One of the RLM_MODULE_* values.
166 */
167static unlang_action_t ldap_edir_get_password_start(UNUSED unlang_result_t *p_result, request_t *request, void *uctx)
168{
169 ldap_edir_ctx_t *edir_ctx = talloc_get_type_abort(uctx, ldap_edir_ctx_t);
170 return fr_ldap_trunk_extended(edir_ctx, &edir_ctx->query, request, edir_ctx->ttrunk,
171 edir_ctx->reqoid, edir_ctx->dn, NULL, NULL);
172}
173
174/** Handle results of retrieving Universal Password
175 *
176 * @param p_result Result of current operation.
177 * @param request Current request.
178 * @param uctx eDir lookup context.
179 * @return One of the RLM_MODULE_* values.
180 */
181static unlang_action_t ldap_edir_get_password_resume(unlang_result_t *p_result, request_t *request, void *uctx)
182{
183 ldap_edir_ctx_t *edir_ctx = talloc_get_type_abort(uctx, ldap_edir_ctx_t);
184 fr_ldap_query_t *query = edir_ctx->query;
185 rlm_rcode_t rcode = RLM_MODULE_OK;
186 fr_pair_t *vp;
187 char *reply_oid = NULL;
188 struct berval *reply_bv = NULL;
189 size_t bufsize;
190 char buffer[256];
191 int err = 0;
192 int server_version;
193
194 switch (query->ret){
195 case LDAP_SUCCESS:
196 break;
197
198 default:
199 REDEBUG("Failed retrieving Universal Password");
200 rcode = RLM_MODULE_FAIL;
201 goto finish;
202 }
203
204 err = ldap_parse_extended_result(query->ldap_conn->handle, query->result, &reply_oid, &reply_bv, false);
205
206 switch (err) {
207 case LDAP_SUCCESS:
208 break;
209 }
210
211 /* Make sure there is a return OID */
212 if (!reply_oid) {
213 err = NMAS_E_NOT_SUPPORTED;
214 goto finish;
215 }
216
217 /* Is this what we were expecting to get back. */
218 if (strcmp(reply_oid, NMASLDAP_GET_PASSWORD_RESPONSE) != 0) {
219 err = NMAS_E_NOT_SUPPORTED;
220 goto finish;
221 }
222
223 /* Do we have a good returned berval? */
224 if (!reply_bv) {
225 /*
226 * No; returned berval means we experienced a rather
227 * drastic error. Return operations error.
228 */
229 err = NMAS_E_SYSTEM_RESOURCES;
230 goto finish;
231 }
232
233 bufsize = sizeof(buffer);
234 err = ber_decode_login_data(reply_bv, &server_version, buffer, &bufsize);
235 if (err) goto finish;
236
237 if (server_version != NMAS_LDAP_EXT_VERSION) {
238 err = NMAS_E_INVALID_VERSION;
239 goto finish;
240 }
241
242 /*
243 * Add Password.Cleartext attribute to the request
244 */
245 MEM(pair_update_control(&vp, edir_ctx->password_da) >= 0);
246 fr_pair_value_bstrndup(vp, buffer, bufsize, true);
247
248 if (RDEBUG_ENABLED3) {
249 RDEBUG3("Added eDirectory password. control.%pP", vp);
250 } else {
251 RDEBUG2("Added eDirectory password");
252 }
253
254finish:
255 /*
256 * Free any libldap allocated resources.
257 */
258 if (reply_bv) ber_bvfree(reply_bv);
259 if (reply_oid) ldap_memfree(reply_oid);
260
261 if (err) {
262 REDEBUG("Failed to retrieve eDirectory password: (%i) %s", err, fr_ldap_edir_errstr(err));
263 rcode = RLM_MODULE_FAIL;
264 }
265
266 RETURN_UNLANG_RCODE(rcode);
267}
268
269/** Cancel an in progress Universal Password lookup
270 *
271 */
272static void ldap_edir_get_password_cancel(UNUSED request_t *request, UNUSED fr_signal_t action, void *uctx)
273{
274 ldap_edir_ctx_t *edir_ctx = talloc_get_type_abort(uctx, ldap_edir_ctx_t);
275
276 if (!edir_ctx->query || !edir_ctx->query->treq) return;
277
278 trunk_request_signal_cancel(edir_ctx->query->treq);
279}
280
281/** Initiate retrieval of the universal password from Novell eDirectory
282 *
283 * @param[out] p_result Where to write the result of the operation.
284 * @param[in] request Current request.
285 * @param[in] dn of the user whose password is to be retrieved.
286 * @param[in] ttrunk on which to send the LDAP request.
287 * @param[in] password_da DA to use when creating password attribute.
288 * @return
289 * - UNLANG_ACTION_PUSHED_CHILD on success.
290 * - UNLANG_ACTION_FAIL on failure.
291 */
292unlang_action_t fr_ldap_edir_get_password(unlang_result_t *p_result,
293 request_t *request, char const *dn, fr_ldap_thread_trunk_t *ttrunk,
294 fr_dict_attr_t const *password_da)
295{
296 ldap_edir_ctx_t *edir_ctx;
297 int err = 0;
298
299 if (!dn || !*dn) {
300 REDEBUG("Missing DN");
301 RETURN_UNLANG_FAIL;
302 }
303
304 MEM(edir_ctx = talloc(unlang_interpret_frame_talloc_ctx(request), ldap_edir_ctx_t));
305
306 *edir_ctx = (ldap_edir_ctx_t) {
307 .reqoid = NMASLDAP_GET_PASSWORD_REQUEST,
308 .ttrunk = ttrunk,
309 .password_da = password_da
310 };
311
312 err = ber_encode_request_data(dn, &edir_ctx->dn);
313 if (err) {
314 REDEBUG("Failed to encode user DN: %s", fr_ldap_edir_errstr(err));
315 talloc_free(edir_ctx);
316 RETURN_UNLANG_FAIL;
317 }
318
319 return unlang_function_push_with_result(p_result,
320 request,
321 ldap_edir_get_password_start,
322 ldap_edir_get_password_resume,
323 ldap_edir_get_password_cancel, ~FR_SIGNAL_CANCEL,
324 UNLANG_SUB_FRAME, edir_ctx);
325}
326
327char const *fr_ldap_edir_errstr(int code)
328{
329 switch (code) {
330 case NMAS_E_FRAG_FAILURE:
331 return "BER manipulation failed";
332
333 case NMAS_E_SYSTEM_RESOURCES:
334 case NMAS_E_INSUFFICIENT_MEMORY:
335 return "Insufficient memory or system resources";
336
337 case NMAS_E_NOT_SUPPORTED:
338 return "Server response indicated Universal Password is not supported (missing password response OID)";
339
340 case NMAS_E_INVALID_PARAMETER:
341 return "Bad arguments passed to eDir functions";
342
343 case NMAS_E_INVALID_VERSION:
344 return "LDAP EXT version does not match expected version" STRINGIFY(NMAS_LDAP_EXT_VERSION);
345
346 case NMAS_E_ACCESS_NOT_ALLOWED:
347 return "Bound user does not have sufficient rights to read the Universal Password of users";
348
349 case NMAS_E_INVALID_SPM_REQUEST:
350 return "Universal password is not enabled for the container of this user object";
351
352 default:
353 return ldap_err2string(code);
354 }
355}
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
buffer
static int const char char buffer[256]
Definition acutest.h:578
USES_APPLE_DEPRECATED_API
#define USES_APPLE_DEPRECATED_API
Definition build.h:472
RCSID
#define RCSID(id)
Definition build.h:485
STRINGIFY
#define STRINGIFY(x)
Definition build.h:197
UNUSED
#define UNUSED
Definition build.h:317
MEM
#define MEM(x)
Definition debug.h:36
err
static fr_slen_t err
Definition dict.h:864
NMAS_E_INVALID_VERSION
#define NMAS_E_INVALID_VERSION
Definition edir.c:44
ber_encode_request_data
static int ber_encode_request_data(char const *dn, struct berval **request_bv)
Takes the object DN and BER encodes the data into the BER value which is used as part of the request.
Definition edir.c:76
NMAS_E_SYSTEM_RESOURCES
#define NMAS_E_SYSTEM_RESOURCES
Definition edir.c:40
NMAS_E_FRAG_FAILURE
#define NMAS_E_FRAG_FAILURE
Definition edir.c:39
NMAS_E_ACCESS_NOT_ALLOWED
#define NMAS_E_ACCESS_NOT_ALLOWED
Definition edir.c:45
ber_decode_login_data
static int ber_decode_login_data(struct berval *reply_bv, int *server_version, void *out, size_t *outlen)
Converts the reply into server version and a return code.
Definition edir.c:134
ldap_edir_ctx_t::password_da
fr_dict_attr_t const * password_da
Definition edir.c:59
ldap_edir_get_password_cancel
static void ldap_edir_get_password_cancel(UNUSED request_t *request, UNUSED fr_signal_t action, void *uctx)
Cancel an in progress Universal Password lookup.
Definition edir.c:272
NMASLDAP_GET_PASSWORD_REQUEST
#define NMASLDAP_GET_PASSWORD_REQUEST
Definition edir.c:49
ldap_edir_ctx_t::ttrunk
fr_ldap_thread_trunk_t * ttrunk
Definition edir.c:56
ldap_edir_get_password_resume
static unlang_action_t ldap_edir_get_password_resume(unlang_result_t *p_result, request_t *request, void *uctx)
Handle results of retrieving Universal Password.
Definition edir.c:181
fr_ldap_edir_errstr
char const * fr_ldap_edir_errstr(int code)
Definition edir.c:327
NMASLDAP_GET_PASSWORD_RESPONSE
#define NMASLDAP_GET_PASSWORD_RESPONSE
Definition edir.c:50
ldap_edir_get_password_start
static unlang_action_t ldap_edir_get_password_start(UNUSED unlang_result_t *p_result, request_t *request, void *uctx)
Submit LDAP extended operation to retrieve Universal Password.
Definition edir.c:167
NMAS_E_INVALID_PARAMETER
#define NMAS_E_INVALID_PARAMETER
Definition edir.c:43
fr_ldap_edir_get_password
unlang_action_t fr_ldap_edir_get_password(unlang_result_t *p_result, request_t *request, char const *dn, fr_ldap_thread_trunk_t *ttrunk, fr_dict_attr_t const *password_da)
Initiate retrieval of the universal password from Novell eDirectory.
Definition edir.c:292
ldap_edir_ctx_t::reqoid
char const * reqoid
Definition edir.c:57
NMAS_LDAP_EXT_VERSION
#define NMAS_LDAP_EXT_VERSION
Definition edir.c:52
NMAS_E_INSUFFICIENT_MEMORY
#define NMAS_E_INSUFFICIENT_MEMORY
Definition edir.c:41
ldap_edir_ctx_t::dn
struct berval * dn
Definition edir.c:58
NMAS_E_NOT_SUPPORTED
#define NMAS_E_NOT_SUPPORTED
Definition edir.c:42
NMAS_E_INVALID_SPM_REQUEST
#define NMAS_E_INVALID_SPM_REQUEST
Definition edir.c:46
ldap_edir_ctx_t::query
fr_ldap_query_t * query
Definition edir.c:55
ldap_edir_ctx_t
Definition edir.c:54
unlang_function_push_with_result
#define unlang_function_push_with_result(_result_p, _request, _func, _repeat, _signal, _sigmask, _top_frame, _uctx)
Push a generic function onto the unlang stack that produces a result.
Definition function.h:144
unlang_interpret_frame_talloc_ctx
TALLOC_CTX * unlang_interpret_frame_talloc_ctx(request_t *request)
Get a talloc_ctx which is valid only for this frame.
Definition interpret.c:1658
UNLANG_SUB_FRAME
#define UNLANG_SUB_FRAME
Definition interpret.h:37
unlang_result_t
Definition interpret.h:133
fr_ldap_connection_t::handle
LDAP * handle
libldap handle.
Definition base.h:333
fr_ldap_query_s::ret
fr_ldap_result_code_t ret
Result code.
Definition base.h:472
fr_ldap_query_s::treq
trunk_request_t * treq
Trunk request this query is associated with.
Definition base.h:458
fr_ldap_query_s::ldap_conn
fr_ldap_connection_t * ldap_conn
LDAP connection this query is running on.
Definition base.h:459
fr_ldap_query_s::result
LDAPMessage * result
Head of LDAP results list.
Definition base.h:470
fr_ldap_query_s
LDAP query structure.
Definition base.h:424
fr_ldap_thread_trunk_s
Thread LDAP trunk structure.
Definition base.h:401
fr_ldap_trunk_extended
unlang_action_t fr_ldap_trunk_extended(TALLOC_CTX *ctx, fr_ldap_query_t **out, request_t *request, fr_ldap_thread_trunk_t *ttrunk, char const *reqoid, struct berval *reqdata, LDAPControl **serverctrls, LDAPControl **clientctrls)
Run an async LDAP "extended operation" query on a trunk connection.
Definition base.c:904
RDEBUG_ENABLED3
#define RDEBUG_ENABLED3
True if request debug level 1-3 messages are enabled.
Definition log.h:335
RDEBUG3
#define RDEBUG3(fmt,...)
Definition log.h:343
talloc_free
talloc_free(reap)
fr_dict_attr_t
Definition merged_model.c:133
request_t
Definition merged_model.c:210
fr_pair_value_bstrndup
int fr_pair_value_bstrndup(fr_pair_t *vp, char const *src, size_t len, bool tainted)
Copy data into a "string" type value pair.
Definition pair.c:2798
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
REDEBUG
#define REDEBUG(fmt,...)
Definition radclient.h:52
RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient.h:54
RETURN_UNLANG_RCODE
#define RETURN_UNLANG_RCODE(_rcode)
Definition rcode.h:57
RETURN_UNLANG_FAIL
#define RETURN_UNLANG_FAIL
Definition rcode.h:59
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40
RLM_MODULE_OK
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:45
RLM_MODULE_FAIL
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:44
pair_update_control
#define pair_update_control(_attr, _da)
Return or allocate a fr_pair_t in the control list.
Definition pair.h:140
fr_signal_t
fr_signal_t
Signals that can be generated/processed by request signal handlers.
Definition signal.h:38
FR_SIGNAL_CANCEL
@ FR_SIGNAL_CANCEL
Request has been cancelled.
Definition signal.h:40
vp
fr_pair_t * vp
Definition state_machine.c:2293
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
trunk_request_signal_cancel
void trunk_request_signal_cancel(trunk_request_t *treq)
Cancel a trunk request.
Definition trunk.c:2168
out
static size_t char ** out
Definition value.h:1023
Generated by   doxygen 1.9.8