Common utility functions for interacting with LDAP directories. More...

#include <freeradius-devel/server/base.h>
#include <freeradius-devel/server/connection.h>
#include <freeradius-devel/server/global_lib.h>
#include <freeradius-devel/server/map.h>
#include <freeradius-devel/server/trunk.h>
#include <freeradius-devel/unlang/function.h>
#include <freeradius-devel/util/dlist.h>
#include <lber.h>
#include <ldap.h>
#include "config.h"

Include dependency graph for base.h:

Go to the source code of this file.

Data Structures
struct	fr_ldap_bind_auth_ctx_t
	Holds arguments for async bind auth requests. More...

union	fr_ldap_bind_auth_ctx_t.__unnamed51__

struct	fr_ldap_bind_ctx_t
	Holds arguments for the async bind operation. More...

struct	fr_ldap_config_t
	Connection configuration. More...

struct	fr_ldap_connection_t
	Tracks the state of a libldap connection handle. More...

struct	fr_ldap_control_t

struct	fr_ldap_directory_t

struct	fr_ldap_map_exp_t
	Result of expanding the RHS of a set of maps. More...

struct	fr_ldap_query_s
	LDAP query structure. More...

union	fr_ldap_query_s.__unnamed41__
	Fields which are unique to each type of query. More...

struct	fr_ldap_query_s.__unnamed41__.extended

struct	fr_ldap_query_s.__unnamed41__.search

struct	fr_ldap_referral_s
	Parsed LDAP referral structure. More...

struct	fr_ldap_result_t
	Contains a collection of values. More...

struct	fr_ldap_sasl_ctx_t
	Holds arguments for the async SASL bind operation. More...

struct	fr_ldap_sasl_t

struct	fr_ldap_thread_t
	Thread specific structure to manage LDAP trunk connections. More...

struct	fr_ldap_thread_trunk_s
	Thread LDAP trunk structure. More...

struct	fr_libldap_global_config_t
	libldap global configuration data More...

struct	ldap_filter_s
	Structure to hold parsed details of LDAP filters. More...

union	ldap_filter_s.__unnamed45__

struct	ldap_filter_s.__unnamed45__.__unnamed47__

struct	ldap_filter_s.__unnamed45__.__unnamed49__

Macros
#define	LDAP_CONST

#define	LDAP_DEPRECATED 0 /* Quiet warnings about LDAP_DEPRECATED not being defined */

#define	LDAP_DIRECTORY_ATTRS

#define	LDAP_MAP_RESERVED 5
	Number of additional items to allocate in expanded. More...

#define	LDAP_MATCHING_RULE_BIT_AND "1.2.840.113556.1.4.803"
	OID of bit-wise AND LDAP match rule. More...

#define	LDAP_MATCHING_RULE_BIT_OR "1.2.840.113556.1.4.804"
	OID of bit-wise OR LDAP match rule. More...

#define	LDAP_MAX_ATTR_STR_LEN 256
	Maximum length of an xlat expanded LDAP attribute. More...

#define	LDAP_MAX_ATTRMAP 128
	Maximum number of mappings between LDAP and. More...

#define	LDAP_MAX_CACHEABLE 64
	Maximum number of groups we retrieve from the server for. More...

#define	LDAP_MAX_CONTROLS 10
	Maximum number of client/server controls. More...

#define	LDAP_MAX_DN_STR_LEN 1024
	Maximum length of an xlat expanded DN. More...

#define	LDAP_MAX_FILTER_STR_LEN 1024
	Maximum length of an xlat expanded filter. More...

#define	LDAP_MAX_GROUP_NAME_LEN 128
	Maximum name of a group name. More...

#define	LDAP_SERVER_NOTIFICATION_OID "1.2.840.113556.1.4.528"
	OID of Active Directory control for. More...

#define	LDAP_SERVER_SHOW_DELETED_OID "1.2.840.113556.1.4.417"
	OID of Active Directory control which. More...

#define	LDAP_VENDOR_VERSION_PATCH 0

#define	LDAP_VIRTUAL_DN_ATTR "dn"
	'Virtual' attribute which maps to the DN of the object. More...

#define	X 0

Typedefs
typedef int(*	filter_attr_check_t) (char const attr, void uctx)

typedef struct fr_ldap_query_s	fr_ldap_query_t

typedef struct fr_ldap_referral_s	fr_ldap_referral_t
	Parsed LDAP referral structure. More...

typedef void(*	fr_ldap_result_parser_t) (LDAP handle, fr_ldap_query_t query, LDAPMessage head, void rctx)

typedef struct fr_ldap_thread_trunk_s	fr_ldap_thread_trunk_t
	Thread LDAP trunk structure. More...

typedef struct ldap_filter_s	ldap_filter_t

Enumerations
enum	fr_ldap_bind_type_t { LDAP_BIND_SIMPLE = 0 }

enum	fr_ldap_directory_type_t { FR_LDAP_DIRECTORY_UNKNOWN = 0 , FR_LDAP_DIRECTORY_ACTIVE_DIRECTORY , FR_LDAP_DIRECTORY_EDIRECTORY , FR_LDAP_DIRECTORY_IBM , FR_LDAP_DIRECTORY_NETSCAPE , FR_LDAP_DIRECTORY_OPENLDAP , FR_LDAP_DIRECTORY_ORACLE_INTERNET_DIRECTORY , FR_LDAP_DIRECTORY_ORACLE_UNIFIED_DIRECTORY , FR_LDAP_DIRECTORY_ORACLE_VIRTUAL_DIRECTORY , FR_LDAP_DIRECTORY_SUN_ONE_DIRECTORY , FR_LDAP_DIRECTORY_SIEMENS_AG , FR_LDAP_DIRECTORY_UNBOUND_ID , FR_LDAP_DIRECTORY_SAMBA }

enum	fr_ldap_rcode_t { LDAP_PROC_REFERRAL = 2 , LDAP_PROC_CONTINUE = 1 , LDAP_PROC_SUCCESS = 0 , LDAP_PROC_ERROR = -1 , LDAP_PROC_BAD_CONN = -2 , LDAP_PROC_NOT_PERMITTED = -3 , LDAP_PROC_REJECT = -4 , LDAP_PROC_BAD_DN = -5 , LDAP_PROC_NO_RESULT = -6 , LDAP_PROC_TIMEOUT = -7 , LDAP_PROC_REFRESH_REQUIRED = -8 }
	Codes returned by fr_ldap internal functions. More...

enum	fr_ldap_request_type_t { LDAP_REQUEST_SEARCH = 1 , LDAP_REQUEST_MODIFY , LDAP_REQUEST_DELETE , LDAP_REQUEST_EXTENDED }
	Types of LDAP requests. More...

enum	fr_ldap_result_code_t { LDAP_RESULT_PENDING = 1 , LDAP_RESULT_SUCCESS = 0 , LDAP_RESULT_ERROR = -1 , LDAP_RESULT_TIMEOUT = -2 , LDAP_RESULT_BAD_DN = -3 , LDAP_RESULT_NO_RESULT = -4 , LDAP_RESULT_REFERRAL_FAIL = -5 , LDAP_RESULT_EXCESS_REFERRALS = -6 , LDAP_RESULT_MISSING_REFERRAL = -7 }
	LDAP query result codes. More...

enum	fr_ldap_state_t { FR_LDAP_STATE_INIT = 0 , FR_LDAP_STATE_START_TLS , FR_LDAP_STATE_BIND , FR_LDAP_STATE_RUN , FR_LDAP_STATE_ERROR }
	LDAP connection handle states. More...

enum	fr_ldap_sync_type_t { FR_LDAP_SYNC_NONE = 0 , FR_LDAP_SYNC_RFC4533 , FR_LDAP_SYNC_ACTIVE_DIRECTORY , FR_LDAP_SYNC_PERSISTENT_SEARCH }

enum	ldap_filter_logic_t { LDAP_FILTER_LOGIC_AND = 1 , LDAP_FILTER_LOGIC_OR , LDAP_FILTER_LOGIC_NOT }
	Logical operators for use in LDAP filters. More...

enum	ldap_filter_op_t { LDAP_FILTER_OP_UNSET = 0 , LDAP_FILTER_OP_EQ , LDAP_FILTER_OP_SUBSTR , LDAP_FILTER_OP_PRESENT , LDAP_FILTER_OP_GE , LDAP_FILTER_OP_LE , LDAP_FILTER_OP_BIT_AND , LDAP_FILTER_OP_BIT_OR }
	Operators for use in LDAP filters. More...

enum	ldap_filter_type_t { LDAP_FILTER_NODE = 0 , LDAP_FILTER_GROUP }
	Types of parsed LDAP filter nodes. More...

enum	ldap_supported_extension_t { LDAP_EXT_UNSUPPORTED , LDAP_EXT_BINDNAME , LDAP_EXT_BINDPW }

Functions
int	fr_ldap_attrs_check (char const *attrs, char const attr)
	Check that a particular attribute is included in an attribute list. More...

static int	fr_ldap_berval_strncasecmp (struct berval value, char const str, size_t strlen)
	Compare a berval with a C string of a known length using case insensitive comparison. More...

uint8_t *	fr_ldap_berval_to_bin (TALLOC_CTX ctx, struct berval const in)
	Convert a berval to a talloced buffer. More...

char *	fr_ldap_berval_to_string (TALLOC_CTX ctx, struct berval const in)
	Convert a berval to a talloced string. More...

static void	fr_ldap_berval_to_value_shallow (fr_value_box_t value, struct berval berval)
	Inline function to copy pointers from a berval to a valuebox. More...

static void	fr_ldap_berval_to_value_str_shallow (fr_value_box_t value, struct berval berval)
	Inline function to copy pointer from a berval to a string value box. More...

int	fr_ldap_bind_async (fr_ldap_connection_t c, char const bind_dn, char const password, LDAPControl serverctrls, LDAPControl *clientctrls)
	Install I/O handlers for the bind operation. More...

unlang_action_t	fr_ldap_bind_auth_async (request_t request, fr_ldap_thread_t thread, char const bind_dn, char const password)
	Initiate an async LDAP bind for authentication. More...

static int8_t	fr_ldap_bind_auth_cmp (void const one, void const two)
	Compare two ldap bind auth structures on msgid. More...

int	fr_ldap_box_escape (fr_value_box_t vb, UNUSED void uctx)

size_t	fr_ldap_common_dn (char const full, char const part)
	Find the place at which the two DN strings diverge. More...

int	fr_ldap_conn_directory_alloc_async (fr_ldap_connection_t *ldap_conn)
	Async extract useful information from the rootDSE of the LDAP server. More...

fr_ldap_connection_t *	fr_ldap_connection_alloc (TALLOC_CTX *ctx)
	Allocate our ldap connection handle layer. More...

int	fr_ldap_connection_configure (fr_ldap_connection_t c, fr_ldap_config_t const config)
	Allocate and configure a new connection. More...

connection_t *	fr_ldap_connection_state_alloc (TALLOC_CTX ctx, fr_event_list_t el, fr_ldap_config_t const config, char const log_prefix)
	Alloc a self re-establishing connection to an LDAP server. More...

int	fr_ldap_connection_timeout_reset (fr_ldap_connection_t const *conn)

int	fr_ldap_connection_timeout_set (fr_ldap_connection_t const *conn, fr_time_delta_t timeout)

int	fr_ldap_control_add_client (fr_ldap_connection_t conn, LDAPControl ctrl, bool freeit)
	Add a clientctrl to a connection handle. More...

int	fr_ldap_control_add_server (fr_ldap_connection_t conn, LDAPControl ctrl, bool freeit)
	Add a serverctrl to a connection handle. More...

int	fr_ldap_control_add_session_tracking (fr_ldap_connection_t conn, request_t request)

void	fr_ldap_control_clear (fr_ldap_connection_t *conn)
	Clear and free any controls associated with a connection. More...

void	fr_ldap_control_merge (LDAPControl serverctrls_out[], LDAPControl clientctrls_out[], size_t serverctrls_len, size_t clientctrls_len, fr_ldap_connection_t conn, LDAPControl serverctrls_in[], LDAPControl *clientctrls_in[])
	Merge connection and call specific client and server controls. More...

fr_ldap_rcode_t	fr_ldap_delete_async (int msgid, request_t request, fr_ldap_connection_t pconn, char const dn, LDAPControl serverctrls, LDAPControl clientctrls)
	Modify something in the LDAP directory. More...

int	fr_ldap_directory_result_parse (fr_ldap_directory_t directory, LDAP handle, LDAPMessage result, char const name)

char const *	fr_ldap_edir_errstr (int code)

unlang_action_t	fr_ldap_edir_get_password (request_t request, char const dn, fr_ldap_thread_trunk_t ttrunk, fr_dict_attr_t const password_da)
	Initiate retrieval of the universal password from Novell eDirectory. More...

fr_ldap_rcode_t	fr_ldap_error_check (LDAPControl **ctrls, fr_ldap_connection_t const conn, LDAPMessage msg, char const dn)
	Perform basic parsing of multiple types of messages, checking for error conditions. More...

char const *	fr_ldap_error_str (fr_ldap_connection_t const *conn)
	Return the error string associated with a handle. More...

fr_ldap_query_t *	fr_ldap_extended_alloc (TALLOC_CTX ctx, char const reqiod, struct berval reqdata, LDAPControl serverctrls, LDAPControl *clientctrls)
	Allocate a new LDAP extended operations object. More...

fr_ldap_rcode_t	fr_ldap_extended_async (int msgid, request_t request, fr_ldap_connection_t pconn, char const reqiod, struct berval *reqdata)
	Initiate an LDAP extended operation. More...

bool	fr_ldap_filter_eval (fr_dlist_head_t root, fr_ldap_connection_t conn, LDAPMessage *msg)
	Evaluate an LDAP filter. More...

fr_slen_t	fr_ldap_filter_parse (TALLOC_CTX ctx, fr_dlist_head_t root, fr_sbuff_t filter, filter_attr_check_t attr_check, void *uctx)
	Parse an LDAP filter into its component nodes. More...

int	fr_ldap_filter_to_tmpl (TALLOC_CTX ctx, tmpl_rules_t const t_rules, char const sub, size_t sublen, tmpl_t out))
	Combine filters and tokenize to a tmpl. More...

void	fr_ldap_free (void)

int	fr_ldap_global_config (int debug_level, char const *tls_random_file)
	Change settings global to libldap. More...

LDAP *	fr_ldap_handle_thread_local (void)
	Get a thread local dummy LDAP handle. More...

int	fr_ldap_init (void)
	Initialise libldap and check library versions. More...

int	fr_ldap_map_do (request_t request, char const valuepair_attr, fr_ldap_map_exp_t const expanded, LDAPMessage entry)
	Convert attribute map into valuepairs. More...

int	fr_ldap_map_expand (TALLOC_CTX ctx, fr_ldap_map_exp_t expanded, request_t request, map_list_t const maps, char const *generic_attr)
	Expand values in an attribute map where needed. More...

int	fr_ldap_map_getvalue (TALLOC_CTX ctx, fr_pair_list_t out, request_t request, map_t const map, void *uctx)
	Callback for map_to_request. More...

int	fr_ldap_map_verify (map_t map, void instance)

fr_ldap_query_t *	fr_ldap_modify_alloc (TALLOC_CTX ctx, char const dn, LDAPMod mods[], LDAPControl serverctrls, LDAPControl *clientctrls)
	Allocate a new LDAP modify object. More...

fr_ldap_rcode_t	fr_ldap_modify_async (int msgid, request_t request, fr_ldap_connection_t pconn, char const dn, LDAPMod mods[], LDAPControl serverctrls, LDAPControl *clientctrls)
	Modify something in the LDAP directory. More...

int	fr_ldap_parse_url_extensions (LDAPControl *sss, size_t sss_len, char extensions[])
	Parse a subset (just server side sort for now) of LDAP URL extensions. More...

static int8_t	fr_ldap_query_cmp (void const one, void const two)
	Compare two ldap query structures on msgid. More...

fr_ldap_referral_t *	fr_ldap_referral_alloc (TALLOC_CTX ctx, request_t request)
	Allocate a new structure to handle an LDAP referral, setting the destructor. More...

int	fr_ldap_referral_follow (fr_ldap_thread_t thread, request_t request, fr_ldap_query_t *query)
	Follow an LDAP referral. More...

int	fr_ldap_referral_next (fr_ldap_thread_t thread, request_t request, fr_ldap_query_t *query)
	Follow an alternative LDAP referral. More...

fr_ldap_rcode_t	fr_ldap_result (LDAPMessage result, LDAPControl ctrls, fr_ldap_connection_t const conn, int msgid, int all, char const *dn, fr_time_delta_t timeout)
	Parse response from LDAP server dealing with any errors. More...

fr_ldap_query_t *	fr_ldap_search_alloc (TALLOC_CTX ctx, char const base_dn, int scope, char const filter, char const const attrs, LDAPControl serverctrls, LDAPControl *clientctrls)
	Allocate a new search object. More...

fr_ldap_rcode_t	fr_ldap_search_async (int msgid, request_t request, fr_ldap_connection_t pconn, char const dn, int scope, char const filter, char const const attrs, LDAPControl serverctrls, LDAPControl *clientctrls)
	Search for something in the LDAP directory. More...

int	fr_ldap_server_config_check (fr_ldap_config_t handle_config, char const server, CONF_SECTION *cs)
	Check an LDAP server config in server:port format is valid. More...

int	fr_ldap_server_url_check (fr_ldap_config_t handle_config, char const server, CONF_SECTION const *cs)
	Check an LDAP server entry in URL format is valid. More...

int	fr_ldap_start_tls_async (fr_ldap_connection_t c, LDAPControl serverctrls, LDAPControl *clientctrls)
	Install I/O handlers for Start TLS negotiation. More...

void	fr_ldap_state_error (fr_ldap_connection_t *c)
	Signal that there's been an error on the connection. More...

fr_ldap_state_t	fr_ldap_state_next (fr_ldap_connection_t *c)
	Move between LDAP connection states. More...

void	fr_ldap_timeout_debug (request_t request, fr_ldap_connection_t const conn, fr_time_delta_t timeout, char const *prefix)
	Prints information to the debug log on the current timeout settings. More...

static int8_t	fr_ldap_trunk_cmp (void const one, void const two)
	Compare two ldap trunk structures on connection URI / DN. More...

int	fr_ldap_trunk_directory_alloc_async (TALLOC_CTX ctx, fr_ldap_thread_trunk_t ttrunk)
	Async extract useful information from the rootDSE of the LDAP server. More...

unlang_action_t	fr_ldap_trunk_extended (TALLOC_CTX ctx, fr_ldap_query_t out, request_t request, fr_ldap_thread_trunk_t ttrunk, char const reqoid, struct berval reqdata, LDAPControl serverctrls, LDAPControl *clientctrls)
	Run an async LDAP "extended operation" query on a trunk connection. More...

unlang_action_t	fr_ldap_trunk_modify (TALLOC_CTX ctx, fr_ldap_query_t out, request_t request, fr_ldap_thread_trunk_t ttrunk, char const dn, LDAPMod mods[], LDAPControl serverctrls, LDAPControl *clientctrls)
	Run an async modification LDAP query on a trunk connection. More...

unlang_action_t	fr_ldap_trunk_search (TALLOC_CTX ctx, fr_ldap_query_t out, request_t request, fr_ldap_thread_trunk_t ttrunk, char const base_dn, int scope, char const filter, char const const attrs, LDAPControl serverctrls, LDAPControl *clientctrls)
	Run an async search LDAP query on a trunk connection. More...

size_t	fr_ldap_uri_escape_func (UNUSED request_t request, char out, size_t outlen, char const in, UNUSED void arg))
	Converts "bad" strings into ones which are safe for LDAP. More...

size_t	fr_ldap_uri_unescape_func (UNUSED request_t request, char out, size_t outlen, char const in, UNUSED void arg))
	Converts escaped DNs and filter strings into normal. More...

char const *	fr_ldap_url_err_to_str (int ldap_url_err)
	Translate the error code emitted from ldap_url_parse and friends into something accessible with fr_strerror() More...

bool	fr_ldap_util_is_dn (char const *in, size_t inlen)
	Check whether a string looks like a DN. More...

size_t	fr_ldap_util_normalise_dn (char out, char const in)
	Normalise escape sequences in a DN. More...

fr_ldap_thread_trunk_t *	fr_thread_ldap_bind_trunk_get (fr_ldap_thread_t *thread)
	Find the thread specific trunk to use for LDAP bind auths. More...

fr_ldap_thread_trunk_t *	fr_thread_ldap_trunk_get (fr_ldap_thread_t thread, char const uri, char const bind_dn, char const bind_password, request_t request, fr_ldap_config_t const config)
	Find a thread specific LDAP connection for a specific URI / bind DN. More...

trunk_state_t	fr_thread_ldap_trunk_state (fr_ldap_thread_t thread, char const uri, char const *bind_dn)
	Lookup the state of a thread specific LDAP connection trunk for a specific URI / bind DN. More...

Variables
fr_table_num_sorted_t const	fr_ldap_connection_states []

size_t	fr_ldap_connection_states_len

fr_table_num_sorted_t const	fr_ldap_dereference []

size_t	fr_ldap_dereference_len

fr_table_num_sorted_t const	fr_ldap_scope []

size_t	fr_ldap_scope_len

fr_table_num_sorted_t const	fr_ldap_supported_extensions []

size_t	fr_ldap_supported_extensions_len

fr_table_num_sorted_t const	fr_ldap_tls_require_cert []

size_t	fr_ldap_tls_require_cert_len

global_lib_autoinst_t	fr_libldap_global_config

LDAP *	ldap_global_handle
	Hack for OpenLDAP libldap global initialisation. More...

Detailed Description

Common utility functions for interacting with LDAP directories.

Id: deec044d33b75fb4132ddea66f9afa18297dfa91

Author: Arran Cudbard-Bell (a.cud.nosp@m.bard.nosp@m.b@fre.nosp@m.erad.nosp@m.ius.o.nosp@m.rg)

Copyright: 2017 The FreeRADIUS Server Project.; 2017 Arran Cudbard-Bell (a.cud.nosp@m.bard.nosp@m.b@fre.nosp@m.erad.nosp@m.ius.o.nosp@m.rg)

Definition in file base.h.

Data Structure Documentation

◆ fr_ldap_bind_auth_ctx_t

struct fr_ldap_bind_auth_ctx_t

Holds arguments for async bind auth requests.

Used when LDAP binds are being used to authenticate users, rather than admin binds. Allows tracking of multiple bind requests on a single connection.

Definition at line 613 of file base.h.

Collaboration diagram for fr_ldap_bind_auth_ctx_t:

Data Fields
union fr_ldap_bind_auth_ctx_t	__unnamed__
int	msgid	libldap msgid for this bind.
fr_rb_node_t	node	Entry in the tree of outstanding bind requests.
request_t *	request	this bind relates to.
fr_ldap_rcode_t	ret	Return code of bind operation.
fr_ldap_thread_t *	thread	This bind is being run by.
trunk_request_t *	treq	Trunk request this bind is associated with.
fr_ldap_bind_type_t	type	type of bind.

◆ fr_ldap_bind_auth_ctx_t.unnamed51

union fr_ldap_bind_auth_ctx_t.__unnamed51__

Definition at line 620 of file base.h.

Data Fields
fr_ldap_bind_ctx_t *	bind_ctx	User data for simple binds.
fr_ldap_sasl_ctx_t *	sasl_ctx	User data for SASL binds.

◆ fr_ldap_bind_ctx_t

struct fr_ldap_bind_ctx_t

Holds arguments for the async bind operation.

Definition at line 493 of file base.h.

Collaboration diagram for fr_ldap_bind_ctx_t:

Data Fields
char const *	bind_dn	of the user, may be NULL to bind anonymously.
fr_ldap_connection_t *	c	to bind. Only used when binding as admin user.
LDAPControl **	clientctrls	Controls to pass to the client (library).
int	msgid	Of the bind operation. Only used when binding as admin.
char const *	password	of the user, may be NULL if no password is specified.
LDAPControl **	serverctrls	Controls to pass to the server.

◆ fr_ldap_config_t

struct fr_ldap_config_t

Connection configuration.

Must not be passed into functions except via the connection handle this avoids problems with not using the connection pool configuration.

Definition at line 221 of file base.h.

Collaboration diagram for fr_ldap_config_t:

Data Fields
char const *	admin_identity	Identity we bind as when we need to query the LDAP directory.
char const *	admin_password	Password used in administrative bind.
fr_ldap_sasl_t	admin_sasl	SASL parameters used when binding as the admin.
bool	chase_referrals	If the LDAP server returns a referral to another server or point in the tree, follow it, establishing new connections and binding where necessary.
bool	chase_referrals_unset	If true, use the OpenLDAP defaults for chase_referrals.
int	dereference	libldap value specifying dereferencing behaviour.
char const *	dereference_str	When to dereference (never, searching, finding, always)
fr_time_delta_t	idle_timeout	How long to wait before closing unused connections.
fr_time_delta_t	keepalive_idle	Number of seconds a connections needs to remain idle before TCP starts sending keepalive probes.
fr_time_delta_t	keepalive_interval	Interval between keepalive probes.
uint32_t	keepalive_probes	Number of missed timeouts before the connection is dropped.
char const *	name	Name of the module that created this connection.
fr_time_delta_t	net_timeout	How long we wait in blocking network calls. We set this in the LDAP API, even though with async calls, we control this using our event loop. This is just in case there are blocking calls which happen internally which we can't work around.
uint16_t	port	Port to use when binding to the server.
bool	rebind	If use_referral_credentials is false, controls whether we bind as our admin credentials (true) or anonymously (false) when connecting to a different server to follow a referral.
fr_time_delta_t	reconnection_delay	How long to wait before attempting to reconnect.
uint16_t	referral_depth	How many referrals to chase.
fr_time_delta_t	res_timeout	How long we wait for results.
const char *	sasl_secprops	SASL Security Properties to set.
char *	server	Initial server to bind to.
char const **	server_str	Server set in the config.
fr_time_delta_t	srv_timelimit	How long the server should spent on a single request (also bounded by value on the server).
bool	start_tls	Send the Start TLS message to the LDAP directory to start encrypted communications using the standard LDAP port.
char const *	tls_ca_file	Sets the full path to a CA certificate (used to validate the certificate the server presents).
char const *	tls_ca_path	Sets the path to a directory containing CA certificates.
char const *	tls_certificate_file	Sets the path to the public certificate file we present to the servers.
fr_time_delta_t	tls_handshake_timeout	How long we wait for the TLS handshake to complete.
int	tls_min_version
char const *	tls_min_version_str	Minimum TLS version.
int	tls_mode
char const *	tls_private_key_file	Sets the path to the private key for our public certificate.
int	tls_require_cert	OpenLDAP constant representing the require cert string.
char const *	tls_require_cert_str	Sets requirements for validating the certificate the server presents.
bool	use_referral_credentials	If true use credentials from the referral URL.

◆ fr_ldap_connection_t

struct fr_ldap_connection_t

Tracks the state of a libldap connection handle.

Definition at line 332 of file base.h.

Collaboration diagram for fr_ldap_connection_t:

Data Fields
fr_ldap_control_t	clientctrls[LDAP_MAX_CONTROLS+1]	Client controls to use for all operations with this handle.
int	clientctrls_cnt	Number of client controls associated with the handle.
fr_ldap_config_t const *	config	rlm_ldap connection configuration.
connection_t *	conn	Connection state handle.
fr_ldap_directory_t *	directory	The type of directory we're connected to.
int	fd	File descriptor for this connection.
LDAP *	handle	libldap handle.
fr_rb_tree_t *	queries	Outstanding queries on this connection.
fr_dlist_head_t	refs	Replied to queries still referencing this connection.
fr_ldap_control_t	serverctrls[LDAP_MAX_CONTROLS+1]	Server controls to use for all operations with this handle.
int	serverctrls_cnt	Number of server controls associated with the handle.
fr_ldap_state_t	state	LDAP connection state machine.
void *	uctx	User data associated with the handle.

◆ fr_ldap_control_t

struct fr_ldap_control_t

Definition at line 134 of file base.h.

Data Fields
LDAPControl *	control	LDAP control.
bool	freeit	Whether the control should be freed after we've finished using it.

◆ fr_ldap_directory_t

struct fr_ldap_directory_t

Definition at line 201 of file base.h.

Data Fields
bool	cleartext_password	Whether the server will return the user's plaintext password.
char const **	naming_contexts	Databases served by this directory.
fr_ldap_sync_type_t	sync_type	What kind of LDAP sync this directory supports.
fr_ldap_directory_type_t	type	Canonical server implementation.
char const *	vendor_str	As returned from the vendorName attribute in the rootDSE.
char const *	version_str	As returned from the vendorVersion attribute in the rootDSE.

◆ fr_ldap_map_exp_t

struct fr_ldap_map_exp_t

Result of expanding the RHS of a set of maps.

Used to store the array of attributes we'll be querying for.

Definition at line 370 of file base.h.

Data Fields
char const *	attrs[LDAP_MAX_ATTRMAP+LDAP_MAP_RESERVED+1]	Reserve some space for access attributes. and NULL termination.
int	count	Index on next free element.
TALLOC_CTX *	ctx	Context to allocate new attributes in.
map_list_t const *	maps	Head of list of maps we expanded the RHS of.

◆ fr_ldap_query_s

struct fr_ldap_query_s

LDAP query structure.

Used to hold the elements of an LDAP query and track its progress. libldap structures will be freed by the talloc destructor. The same structure is used both for search queries and modifications

Definition at line 422 of file base.h.

Collaboration diagram for fr_ldap_query_s:

Data Fields
union fr_ldap_query_s	__unnamed__	Fields which are unique to each type of query. Note Delete only uses the DN field, as it operates at an object level.
fr_ldap_control_t	clientctrls[LDAP_MAX_CONTROLS]	Client controls specific to this query.
char const *	dn	Base DN for searches, DN for modifications.
fr_dlist_t	entry	Entry in the list of connection references.
fr_event_timer_t const *	ev	Event for timing out the query.
fr_ldap_connection_t *	ldap_conn	LDAP connection this query is running on.
LDAPURLDesc *	ldap_url	parsed URL for current query if the source of the query was a URL.
int	msgid	The unique identifier for this query. Uniqueness is only per connection.
fr_rb_node_t	node	Entry in the tree of outstanding queries.
fr_ldap_result_parser_t	parser	Custom results parser.
fr_ldap_referral_t *	referral	Referral actually being followed.
uint16_t	referral_depth	How many referrals we have followed.
char **	referral_urls	Referral results to follow.
fr_dlist_head_t	referrals	List of parsed referrals.
LDAPMessage *	result	Head of LDAP results list.
fr_ldap_result_code_t	ret	Result code.
fr_ldap_control_t	serverctrls[LDAP_MAX_CONTROLS]	Server controls specific to this query.
trunk_request_t *	treq	Trunk request this query is associated with.
fr_ldap_request_type_t	type	What type of query this is.

◆ fr_ldap_query_s.unnamed41

union fr_ldap_query_s.__unnamed41__

Fields which are unique to each type of query.

Note: Delete only uses the DN field, as it operates at an object level.

Definition at line 435 of file base.h.

Data Fields
__unnamed41__	extended
LDAPMod **	mods	Changes to be applied if this query is a modification.
__unnamed41__	search

◆ fr_ldap_query_s.unnamed41.extended

struct fr_ldap_query_s.__unnamed41__.extended

Definition at line 441 of file base.h.

Data Fields
struct berval *	reqdata	Data required for the request.
char const *	reqoid	OID of extended operation to perform.

◆ fr_ldap_query_s.unnamed41.search

struct fr_ldap_query_s.__unnamed41__.search

Definition at line 436 of file base.h.

Data Fields
char const **	attrs	Attributes being requested in a search.
char const *	filter	Filter for search.
int	scope	Search scope.

◆ fr_ldap_referral_s

struct fr_ldap_referral_s

Parsed LDAP referral structure.

When LDAP servers respond with a referral, it is parsed into one or more fr_ldap_referral_t and kept until the referral has been followed. Avoids repeated parsing of the referrals as provided by libldap.

Definition at line 479 of file base.h.

Collaboration diagram for fr_ldap_referral_s:

Data Fields
fr_dlist_t	entry	Entry in list of possible referrals.
char *	host_uri	Host URI used for referral connection.
char const *	identity	Bind identity for referral connection.
char const *	password	Bind password for referral connection.
fr_ldap_query_t *	query	Query this referral relates to.
LDAPURLDesc *	referral_url	URL for the referral.
request_t *	request	Request this referral relates to.
fr_ldap_thread_trunk_t *	ttrunk	Trunk this referral should use.

◆ fr_ldap_result_t

struct fr_ldap_result_t

Contains a collection of values.

Definition at line 360 of file base.h.

Data Fields
int	count	Number of values.
struct berval **	values	libldap struct containing bv_val (char *) and length bv_len.

◆ fr_ldap_sasl_ctx_t

struct fr_ldap_sasl_ctx_t

Holds arguments for the async SASL bind operation.

Definition at line 506 of file base.h.

Collaboration diagram for fr_ldap_sasl_ctx_t:

Data Fields
fr_ldap_connection_t *	c	to bind. Only used when binding as admin user.
LDAPControl **	clientctrls	Controls to pass to the client (library).
char const *	identity	of the user.
char const *	mechs	SASL mechanisms to run.
int	msgid	Last msgid. Only used when binding as admin user.
char const *	password	of the user, may be NULL if no password is specified.
char const *	proxy	Proxy identity, may be NULL in which case identity is used.
char const *	realm	SASL realm (may be NULL).
LDAPMessage *	result	Previous result.
char const *	rmech	Mech we're continuing with.
LDAPControl **	serverctrls	Controls to pass to the server.

◆ fr_ldap_sasl_t

struct fr_ldap_sasl_t

Definition at line 128 of file base.h.

Data Fields
char const *	mech	SASL mech(s) to try.
char const *	proxy	Identity to proxy.
char const *	realm	Kerberos realm.

◆ fr_ldap_thread_t

struct fr_ldap_thread_t

Thread specific structure to manage LDAP trunk connections.

Definition at line 381 of file base.h.

Collaboration diagram for fr_ldap_thread_t:

Data Fields
fr_ldap_thread_trunk_t *	bind_trunk	LDAP trunk used for bind auths.
trunk_conf_t *	bind_trunk_conf	Trunk config for bind auth trunk.
fr_rb_tree_t *	binds	Tree of outstanding bind auths.
fr_ldap_config_t *	config	Module instance config.
fr_event_list_t *	el	Thread event list for callbacks / timeouts.
trunk_conf_t *	trunk_conf	Module trunk config.
fr_rb_tree_t *	trunks	Tree of LDAP trunks used by this thread.

◆ fr_ldap_thread_trunk_s

struct fr_ldap_thread_trunk_s

Thread LDAP trunk structure.

One fr_ldap_thread_trunk_t will be allocated for each destination a thread needs to create an LDAP trunk connection to.

Used to hold config regarding the LDAP connection and associate pending queries with the trunk they are running on.

Definition at line 399 of file base.h.

Collaboration diagram for fr_ldap_thread_trunk_s:

Data Fields
char const *	bind_dn	DN connection is bound as.
fr_ldap_config_t	config	Config used for this connection.
fr_ldap_directory_t *	directory	The type of directory we're connected to.
fr_event_timer_t const *	ev	Event to close the thread when it has been idle.
fr_rb_node_t	node	Entry in the tree of connections.
fr_ldap_thread_t *	t	Thread this connection is associated with.
trunk_t *	trunk	Connection trunk.
char const *	uri	Server URI for this connection.

◆ fr_libldap_global_config_t

struct fr_libldap_global_config_t

libldap global configuration data

Definition at line 319 of file base.h.

Data Fields
uint32_t	ldap_debug	LDAP debug level.
char const *	tls_random_file	Path to the ramdon file if /dev/random and /dev/urandom are unavailable.

◆ ldap_filter_s

struct ldap_filter_s

Structure to hold parsed details of LDAP filters.

Definition at line 562 of file base.h.

Collaboration diagram for ldap_filter_s:

Data Fields
union ldap_filter_s	__unnamed__
fr_dlist_t	entry	Entry in the list of filter nodes.
ldap_filter_type_t	filter_type	Type of this filter node.
char *	orig	Text representation of filter for debug messages,.

◆ ldap_filter_s.unnamed45

union ldap_filter_s.__unnamed45__

Definition at line 566 of file base.h.

Data Fields
__unnamed45__	__unnamed__
__unnamed45__	__unnamed__

◆ ldap_filter_s.unnamed45.unnamed47

struct ldap_filter_s.__unnamed45__.__unnamed47__

Definition at line 567 of file base.h.

Data Fields
fr_dlist_head_t	children	List of child nodes in this group.
ldap_filter_logic_t	logic_op	Logical operator for this group.

◆ ldap_filter_s.unnamed45.unnamed49

struct ldap_filter_s.__unnamed45__.__unnamed49__

Definition at line 571 of file base.h.

Data Fields
char *	attr	Attribute for the filter node.
ldap_filter_op_t	op	Operator to be used for comparison.
fr_value_box_t *	value	Value to compare with.

Macro Definition Documentation

◆ LDAP_CONST

#define LDAP_CONST

Definition at line 91 of file base.h.

◆ LDAP_DEPRECATED

#define LDAP_DEPRECATED 0 /* Quiet warnings about LDAP_DEPRECATED not being defined */

Definition at line 20 of file base.h.

◆ LDAP_DIRECTORY_ATTRS

#define LDAP_DIRECTORY_ATTRS

Value:

                               { "vendorname", \
                               "vendorversion", \
                               "isGlobalCatalogReady", \
                               "objectClass", \
                               "orcldirectoryversion", \
                               "supportedControl", \
                               "namingContexts", \
                               NULL }

Definition at line 824 of file base.h.

◆ LDAP_MAP_RESERVED

#define LDAP_MAP_RESERVED 5

Number of additional items to allocate in expanded.

attribute name arrays. Currently for enable attribute, group membership attribute, valuepair attribute, profile attribute and profile suspend attribute.

Definition at line 101 of file base.h.

◆ LDAP_MATCHING_RULE_BIT_AND

#define LDAP_MATCHING_RULE_BIT_AND "1.2.840.113556.1.4.803"

OID of bit-wise AND LDAP match rule.

Definition at line 119 of file base.h.

◆ LDAP_MATCHING_RULE_BIT_OR

#define LDAP_MATCHING_RULE_BIT_OR "1.2.840.113556.1.4.804"

OID of bit-wise OR LDAP match rule.

Definition at line 120 of file base.h.

◆ LDAP_MAX_ATTR_STR_LEN

#define LDAP_MAX_ATTR_STR_LEN 256

Maximum length of an xlat expanded LDAP attribute.

Definition at line 109 of file base.h.

◆ LDAP_MAX_ATTRMAP

#define LDAP_MAX_ATTRMAP 128

Maximum number of mappings between LDAP and.

FreeRADIUS attributes.

Definition at line 97 of file base.h.

◆ LDAP_MAX_CACHEABLE

#define LDAP_MAX_CACHEABLE 64

Maximum number of groups we retrieve from the server for.

a given user which need resolving from name to DN or DN to name. If more than this require resolving, the module returns invalid.

Definition at line 106 of file base.h.

◆ LDAP_MAX_CONTROLS

#define LDAP_MAX_CONTROLS 10

Maximum number of client/server controls.

Used to allocate static arrays of control pointers.

Definition at line 95 of file base.h.

◆ LDAP_MAX_DN_STR_LEN

#define LDAP_MAX_DN_STR_LEN 1024

Maximum length of an xlat expanded DN.

Definition at line 111 of file base.h.

◆ LDAP_MAX_FILTER_STR_LEN

#define LDAP_MAX_FILTER_STR_LEN 1024

Maximum length of an xlat expanded filter.

Definition at line 110 of file base.h.

◆ LDAP_MAX_GROUP_NAME_LEN

#define LDAP_MAX_GROUP_NAME_LEN 128

Maximum name of a group name.

Definition at line 108 of file base.h.

◆ LDAP_SERVER_NOTIFICATION_OID

#define LDAP_SERVER_NOTIFICATION_OID "1.2.840.113556.1.4.528"

OID of Active Directory control for.

persistent search.

Definition at line 116 of file base.h.

◆ LDAP_SERVER_SHOW_DELETED_OID

#define LDAP_SERVER_SHOW_DELETED_OID "1.2.840.113556.1.4.417"

OID of Active Directory control which.

enables searching for deleted objects.

Definition at line 118 of file base.h.

◆ LDAP_VENDOR_VERSION_PATCH

#define LDAP_VENDOR_VERSION_PATCH 0

Definition at line 67 of file base.h.

◆ LDAP_VIRTUAL_DN_ATTR

#define LDAP_VIRTUAL_DN_ATTR "dn"

'Virtual' attribute which maps to the DN of the object.

Definition at line 113 of file base.h.

◆ X

#define X 0

Definition at line 64 of file base.h.

Typedef Documentation

◆ filter_attr_check_t

typedef int(* filter_attr_check_t) (char const *attr, void *uctx)

Definition at line 971 of file base.h.

◆ fr_ldap_query_t

typedef struct fr_ldap_query_s fr_ldap_query_t

Definition at line 325 of file base.h.

◆ fr_ldap_referral_t

typedef struct fr_ldap_referral_s fr_ldap_referral_t

Parsed LDAP referral structure.

When LDAP servers respond with a referral, it is parsed into one or more fr_ldap_referral_t and kept until the referral has been followed. Avoids repeated parsing of the referrals as provided by libldap.

Definition at line 325 of file base.h.

◆ fr_ldap_result_parser_t

typedef void(* fr_ldap_result_parser_t) (LDAP *handle, fr_ldap_query_t *query, LDAPMessage *head, void *rctx)

Definition at line 414 of file base.h.

◆ fr_ldap_thread_trunk_t

typedef struct fr_ldap_thread_trunk_s fr_ldap_thread_trunk_t

Thread LDAP trunk structure.

One fr_ldap_thread_trunk_t will be allocated for each destination a thread needs to create an LDAP trunk connection to.

Used to hold config regarding the LDAP connection and associate pending queries with the trunk they are running on.

Definition at line 325 of file base.h.

◆ ldap_filter_t

typedef struct ldap_filter_s ldap_filter_t

Definition at line 414 of file base.h.

Enumeration Type Documentation

◆ fr_ldap_bind_type_t

enum fr_ldap_bind_type_t

Enumerator
LDAP_BIND_SIMPLE

Definition at line 521 of file base.h.

◆ fr_ldap_directory_type_t

enum fr_ldap_directory_type_t

Enumerator
FR_LDAP_DIRECTORY_UNKNOWN	We can't determine the directory server.
FR_LDAP_DIRECTORY_ACTIVE_DIRECTORY	Directory server is Active Directory.
FR_LDAP_DIRECTORY_EDIRECTORY	Directory server is eDir.
FR_LDAP_DIRECTORY_IBM	Directory server is IBM.
FR_LDAP_DIRECTORY_NETSCAPE	Directory server is Netscape.
FR_LDAP_DIRECTORY_OPENLDAP	Directory server is OpenLDAP.
FR_LDAP_DIRECTORY_ORACLE_INTERNET_DIRECTORY	Directory server is Oracle Internet Directory.
FR_LDAP_DIRECTORY_ORACLE_UNIFIED_DIRECTORY	Directory server is Oracle Unified Directory.
FR_LDAP_DIRECTORY_ORACLE_VIRTUAL_DIRECTORY	Directory server is Oracle Virtual Directory.
FR_LDAP_DIRECTORY_SUN_ONE_DIRECTORY	Directory server is Sun One Directory.
FR_LDAP_DIRECTORY_SIEMENS_AG	Directory server is Siemens AG.
FR_LDAP_DIRECTORY_UNBOUND_ID	Directory server is Unbound ID.
FR_LDAP_DIRECTORY_SAMBA	Directory server is Samba.

Definition at line 140 of file base.h.

◆ fr_ldap_rcode_t

enum fr_ldap_rcode_t

Codes returned by fr_ldap internal functions.

Enumerator
LDAP_PROC_REFERRAL	LDAP server returned referral URLs.
LDAP_PROC_CONTINUE	Operation is in progress.
LDAP_PROC_SUCCESS	Operation was successful.
LDAP_PROC_ERROR	Unrecoverable library/server error.
LDAP_PROC_BAD_CONN	Transitory error, caller should retry the operation with a new connection.
LDAP_PROC_NOT_PERMITTED	Operation was not permitted, either current user was locked out in the case of binds, or has insufficient access.
LDAP_PROC_REJECT	Bind failed, user was rejected.
LDAP_PROC_BAD_DN	Specified an invalid object in a bind or search DN.
LDAP_PROC_NO_RESULT	Got no results.
LDAP_PROC_TIMEOUT	Operation timed out.
LDAP_PROC_REFRESH_REQUIRED	Don't continue with the current refresh phase, exit, and retry the operation with a NULL cookie.

Definition at line 582 of file base.h.

◆ fr_ldap_request_type_t

enum fr_ldap_request_type_t

Types of LDAP requests.

Enumerator
LDAP_REQUEST_SEARCH	A lookup in an LDAP directory.
LDAP_REQUEST_MODIFY	A modification to an LDAP entity.
LDAP_REQUEST_DELETE	A deletion of an LDAP entity.
LDAP_REQUEST_EXTENDED	An extended LDAP operation.

Definition at line 178 of file base.h.

◆ fr_ldap_result_code_t

enum fr_ldap_result_code_t

LDAP query result codes.

Enumerator
LDAP_RESULT_PENDING	Result not yet returned.
LDAP_RESULT_SUCCESS	Successfully got LDAP results.
LDAP_RESULT_ERROR	A general error occurred.
LDAP_RESULT_TIMEOUT	The query timed out.
LDAP_RESULT_BAD_DN	The requested DN does not exist.
LDAP_RESULT_NO_RESULT	No results returned.
LDAP_RESULT_REFERRAL_FAIL	Initial results indicated a referral was needed but the referral could not be followed.
LDAP_RESULT_EXCESS_REFERRALS	The referral chain took too many hops.
LDAP_RESULT_MISSING_REFERRAL	A referral was indicated but no URL was provided.

Definition at line 188 of file base.h.

◆ fr_ldap_state_t

enum fr_ldap_state_t

LDAP connection handle states.

Enumerator
FR_LDAP_STATE_INIT	Connection uninitialised.
FR_LDAP_STATE_START_TLS	TLS is being negotiated.
FR_LDAP_STATE_BIND	Connection is being bound.
FR_LDAP_STATE_RUN	Connection is muxing/demuxing requests.
FR_LDAP_STATE_ERROR	Connection is in an error state.

Definition at line 167 of file base.h.

◆ fr_ldap_sync_type_t

enum fr_ldap_sync_type_t

Enumerator
FR_LDAP_SYNC_NONE	No support for LDAP sync.
FR_LDAP_SYNC_RFC4533	Directory supports RFC 4533.
FR_LDAP_SYNC_ACTIVE_DIRECTORY	Directory supports AD style persistent search.
FR_LDAP_SYNC_PERSISTENT_SEARCH	Directory supports persistent search.

Definition at line 157 of file base.h.

◆ ldap_filter_logic_t

enum ldap_filter_logic_t

Logical operators for use in LDAP filters.

Enumerator
LDAP_FILTER_LOGIC_AND
LDAP_FILTER_LOGIC_OR
LDAP_FILTER_LOGIC_NOT

Definition at line 541 of file base.h.

◆ ldap_filter_op_t

enum ldap_filter_op_t

Operators for use in LDAP filters.

Enumerator
LDAP_FILTER_OP_UNSET	Attribute not set yet.
LDAP_FILTER_OP_EQ	Attribute equals value.
LDAP_FILTER_OP_SUBSTR	Attribute matches string with wildcards.
LDAP_FILTER_OP_PRESENT	Attribute present.
LDAP_FILTER_OP_GE	Attribute greater than or equal to value.
LDAP_FILTER_OP_LE	Attribute less than or equal to value.
LDAP_FILTER_OP_BIT_AND	Bitwise AND comparison.
LDAP_FILTER_OP_BIT_OR	Bitwise OR comparison.

Definition at line 549 of file base.h.

◆ ldap_filter_type_t

enum ldap_filter_type_t

Types of parsed LDAP filter nodes.

Enumerator
LDAP_FILTER_NODE	The filter node is an individual one to be evaluated against an attribute.
LDAP_FILTER_GROUP	The filter node is a parent of a group which will be combined using a logical operator.

Definition at line 532 of file base.h.

◆ ldap_supported_extension_t

enum ldap_supported_extension_t

Enumerator
LDAP_EXT_UNSUPPORTED	Unsupported extension.
LDAP_EXT_BINDNAME	Specifies the user DN or name for an LDAP bind.
LDAP_EXT_BINDPW	Specifies the password for an LDAP bind.

Definition at line 122 of file base.h.

Function Documentation

◆ fr_ldap_attrs_check()

int fr_ldap_attrs_check	(	char const **	attrs,
		char const *	attr
	)

Check that a particular attribute is included in an attribute list.

Parameters

[in]	attrs	list to check
[in]	attr	to look for

Returns

1 if attr is in list
0 if attr is missing
-1 if checks not possible

Definition at line 579 of file util.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_berval_strncasecmp()

static int fr_ldap_berval_strncasecmp	(	struct berval *	value,
		char const *	str,
		size_t	strlen
	)

inlinestatic

Compare a berval with a C string of a known length using case insensitive comparison.

Parameters

[in]	value	berval.
[in]	str	String to compare with value.
[in]	strlen	Number of characters of str to compare.

Definition at line 677 of file base.h.

Here is the caller graph for this function:

◆ fr_ldap_berval_to_bin()

uint8_t* fr_ldap_berval_to_bin	(	TALLOC_CTX *	ctx,
		struct berval const *	in
	)

Convert a berval to a talloced buffer.

Parameters

ctx	to allocate in.
in	Berval to copy.

Returns: buffer containing in->bv_val.

Definition at line 409 of file util.c.

Here is the caller graph for this function:

◆ fr_ldap_berval_to_string()

char* fr_ldap_berval_to_string	(	TALLOC_CTX *	ctx,
		struct berval const *	in
	)

Convert a berval to a talloced string.

The ldap_get_values function is deprecated, and ldap_get_values_len does not guarantee the berval buffers it returns are \0 terminated.

For some cases this is fine, for others we require a \0 terminated buffer (feeding DNs back into libldap for example).

Parameters

ctx	to allocate in.
in	Berval to copy.

Returns: \0 terminated buffer containing in->bv_val.

Definition at line 390 of file util.c.

Here is the caller graph for this function:

◆ fr_ldap_berval_to_value_shallow()

static void fr_ldap_berval_to_value_shallow	(	fr_value_box_t *	value,
		struct berval *	berval
	)

inlinestatic

Inline function to copy pointers from a berval to a valuebox.

Note: This results in a shallow copy of the berval, so if the berval is freed the value box becomes invalidated.

Parameters

[out]	value	to write berval values to.
[in]	berval	to copy pointers/lengths from.

Definition at line 650 of file base.h.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_berval_to_value_str_shallow()

static void fr_ldap_berval_to_value_str_shallow	(	fr_value_box_t *	value,
		struct berval *	berval
	)

inlinestatic

Inline function to copy pointer from a berval to a string value box.

Useful for printing contents of bervals known to contain strings in DEBUG output since they are not NULL terminated.

Note: This results in a shallow copy of the berval, so if the berval is freed the value box becomes invalidated.

Parameters

[out]	value	to write berval value to.
[in]	berval	top copy pointer / length from.

Definition at line 666 of file base.h.

Here is the call graph for this function:

◆ fr_ldap_bind_async()

int fr_ldap_bind_async	(	fr_ldap_connection_t *	c,
		char const *	bind_dn,
		char const *	password,
		LDAPControl **	serverctrls,
		LDAPControl **	clientctrls
	)

Install I/O handlers for the bind operation.

Parameters

[in]	c	connection to StartTLS on.
[in]	bind_dn	Identity to bind with.
[in]	password	Password to bind with.
[in]	serverctrls	Extra controls to pass to the server.
[in]	clientctrls	Extra controls to pass to libldap.

Returns

0 on success.
-1 on failure.

Definition at line 185 of file bind.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_bind_auth_async()

unlang_action_t fr_ldap_bind_auth_async	(	request_t *	request,
		fr_ldap_thread_t *	thread,
		char const *	bind_dn,
		char const *	password
	)

Initiate an async LDAP bind for authentication.

Parameters

[in]	request	this bind relates to.
[in]	thread	whose connection the bind should be performed on.
[in]	bind_dn	Identity to bind with.
[in]	password	Password to bind with.

Returns

0 on success.
-1 on failure.

Definition at line 319 of file bind.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_bind_auth_cmp()

static int8_t fr_ldap_bind_auth_cmp	(	void const *	one,
		void const *	two
	)

inlinestatic

Compare two ldap bind auth structures on msgid.

Parameters

[in]	one	first bind request to compare.
[in]	two	second bind request to compare.

Returns: CMP(one,two)

Definition at line 724 of file base.h.

Here is the caller graph for this function:

◆ fr_ldap_box_escape()

int fr_ldap_box_escape	(	fr_value_box_t *	vb,
		UNUSED void *	uctx
	)

Definition at line 110 of file util.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_common_dn()

size_t fr_ldap_common_dn	(	char const *	full,
		char const *	part
	)

Find the place at which the two DN strings diverge.

Returns the length of the non matching string in full.

Parameters

full	DN.
part	Partial DN as returned by ldap_parse_result.

Returns

Length of the portion of full which wasn't matched
-1 on failure.

Definition at line 488 of file util.c.

Here is the caller graph for this function:

◆ fr_ldap_conn_directory_alloc_async()

int fr_ldap_conn_directory_alloc_async ( fr_ldap_connection_t * ldap_conn )

Async extract useful information from the rootDSE of the LDAP server.

This version is for a single connection rather than a connection trunk

Parameters

[in] ldap_conn connection to be queried

Returns

message ID on success < 0 on failure

Definition at line 287 of file directory.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_connection_alloc()

fr_ldap_connection_t* fr_ldap_connection_alloc ( TALLOC_CTX * ctx )

Allocate our ldap connection handle layer.

This is using handles outside of the connection state machine.

Parameters

[in] ctx to allocate connection handle in.

Returns

A new unbound/unconfigured connection handle on success. Call f::r_ldap_connection_configure next.
NULL on OOM.

Definition at line 258 of file connection.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_connection_configure()

int fr_ldap_connection_configure	(	fr_ldap_connection_t *	c,
		fr_ldap_config_t const *	config
	)

Allocate and configure a new connection.

Configures both our ldap handle, and libldap's handle.

This can be used by async code and async code as no attempt is made to connect to the LDAP server. An attempt will only be made if ldap_start_tls* or ldap_bind* functions are called.

If called on an fr_ldap_connection_t which has already been initialised, will clear any memory allocated to the connection, unbind the ldap handle, and reinitialise everything.

Parameters

[in]	c	to configure.
[in]	config	to apply.

Returns

0 on success.
-1 on error.

Definition at line 67 of file connection.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_connection_state_alloc()

connection_t* fr_ldap_connection_state_alloc	(	TALLOC_CTX *	ctx,
		fr_event_list_t *	el,
		fr_ldap_config_t const *	config,
		char const *	log_prefix
	)

Alloc a self re-establishing connection to an LDAP server.

Parameters

[in]	ctx	to allocate any memory in, and to bind the lifetime of the connection to.
[in]	el	to insert I/O and timer callbacks into.
[in]	config	to use to bind the connection to an LDAP server.
[in]	log_prefix	to prepend to connection state messages.

Definition at line 386 of file connection.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_connection_timeout_reset()

int fr_ldap_connection_timeout_reset ( fr_ldap_connection_t const * conn )

Definition at line 431 of file connection.c.

Here is the caller graph for this function:

◆ fr_ldap_connection_timeout_set()

int fr_ldap_connection_timeout_set	(	fr_ldap_connection_t const *	conn,
		fr_time_delta_t	timeout
	)

Definition at line 409 of file connection.c.

Here is the caller graph for this function:

◆ fr_ldap_control_add_client()

int fr_ldap_control_add_client	(	fr_ldap_connection_t *	conn,
		LDAPControl *	ctrl,
		bool	freeit
	)

Add a clientctrl to a connection handle.

All internal LDAP functions will pass this clientctrl to libldap.

Parameters

conn	to add control to.
ctrl	to add.
freeit	Whether the control should be freed when the handle is released or closed.

Returns

0 on success.
-1 on failure (exceeded maximum controls).

Definition at line 117 of file control.c.

◆ fr_ldap_control_add_server()

int fr_ldap_control_add_server	(	fr_ldap_connection_t *	conn,
		LDAPControl *	ctrl,
		bool	freeit
	)

Add a serverctrl to a connection handle.

All internal LDAP functions will pass this serverctrl to the server.

Parameters

conn	to add control to.
ctrl	to add.
freeit	Whether the control should be freed when the handle is released or closed.

Returns

0 on success.
-1 on failure (exceeded maximum controls).

Definition at line 93 of file control.c.

◆ fr_ldap_control_add_session_tracking()

int fr_ldap_control_add_session_tracking	(	fr_ldap_connection_t *	conn,
		request_t *	request
	)

◆ fr_ldap_control_clear()

void fr_ldap_control_clear ( fr_ldap_connection_t * conn )

Clear and free any controls associated with a connection.

Parameters

conn	to clear controls from.

Definition at line 134 of file control.c.

Here is the caller graph for this function:

◆ fr_ldap_control_merge()

void fr_ldap_control_merge	(	LDAPControl *	serverctrls_out[],
		LDAPControl *	clientctrls_out[],
		size_t	serverctrls_len,
		size_t	clientctrls_len,
		fr_ldap_connection_t *	conn,
		LDAPControl *	serverctrls_in[],
		LDAPControl *	clientctrls_in[]
	)

Merge connection and call specific client and server controls.

LDAP_OPT_CLIENT_CONTROLS and LDAP_OPT_SERVER_CONTROLS are useless because they're overridden in their entirety if any call specific controls are specified.

Parameters

[out]	serverctrls_out	Where to write serverctrls.
[out]	clientctrls_out	Where to write clientctrls.
[in]	serverctrls_len	length of serverctrls array.
[in]	clientctrls_len	length of clientctrls array.
[in]	conn	to get controls from.
[in]	serverctrls_in	from arguments.
[in]	clientctrls_in	from_arguments.

Definition at line 48 of file control.c.

Here is the caller graph for this function:

◆ fr_ldap_delete_async()

fr_ldap_rcode_t fr_ldap_delete_async	(	int *	msgid,
		request_t *	request,
		fr_ldap_connection_t *	pconn,
		char const *	dn,
		LDAPControl **	serverctrls,
		LDAPControl **	clientctrls
	)

Modify something in the LDAP directory.

Used on connections bound as the administrative user to attempt to modify an LDAP object. Called by the trunk mux function

Parameters

[out]	msgid	LDAP message ID.
[in]	request	Current request.
[in]	pconn	to use.
[in]	dn	of the object to delete.
[in]	serverctrls	Search controls to pass to the server. May be NULL.
[in]	clientctrls	Search controls for ldap_delete. May be NULL.

Returns: One of the LDAP_PROC_* (fr_ldap_rcode_t) values.

Definition at line 840 of file base.c.

Here is the call graph for this function:

◆ fr_ldap_directory_result_parse()

int fr_ldap_directory_result_parse	(	fr_ldap_directory_t *	directory,
		LDAP *	handle,
		LDAPMessage *	result,
		char const *	name
	)

Definition at line 52 of file directory.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_edir_errstr()

char const* fr_ldap_edir_errstr ( int code )

Definition at line 326 of file edir.c.

Here is the caller graph for this function:

◆ fr_ldap_edir_get_password()

unlang_action_t fr_ldap_edir_get_password	(	request_t *	request,
		char const *	dn,
		fr_ldap_thread_trunk_t *	ttrunk,
		fr_dict_attr_t const *	password_da
	)

Initiate retrieval of the universal password from Novell eDirectory.

Parameters

[in]	request	Current request.
[in]	dn	of the user whose password is to be retrieved.
[in]	ttrunk	on which to send the LDAP request.
[in]	password_da	DA to use when creating password attribute.

Returns

UNLANG_ACTION_PUSHED_CHILD on success.
UNLANG_ACTION_FAIL on failure.

Definition at line 295 of file edir.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_error_check()

fr_ldap_rcode_t fr_ldap_error_check	(	LDAPControl ***	ctrls,
		fr_ldap_connection_t const *	conn,
		LDAPMessage *	msg,
		char const *	dn
	)

Perform basic parsing of multiple types of messages, checking for error conditions.

Note: Error messages should be retrieved with fr_strerror() and fr_strerror_pop()

Parameters

[out]	ctrls	Server ctrls returned to the client. May be NULL if not required. Must be freed with ldap_free_ctrls.
[in]	conn	the message was received on.
[in]	msg	we're parsing.
[in]	dn	if processing the result from a search request.

Returns: One of the LDAP_PROC_* (fr_ldap_rcode_t) values.

Definition at line 232 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_error_str()

char const* fr_ldap_error_str ( fr_ldap_connection_t const * conn )

Return the error string associated with a handle.

Parameters

conn	to retrieve error from.

Returns: error string.

Definition at line 210 of file base.c.

◆ fr_ldap_extended_alloc()

fr_ldap_query_t* fr_ldap_extended_alloc	(	TALLOC_CTX *	ctx,
		char const *	reqoid,
		struct berval *	reqdata,
		LDAPControl **	serverctrls,
		LDAPControl **	clientctrls
	)

Allocate a new LDAP extended operations object.

Parameters

[in]	ctx	to allocate the query in.
[in]	reqoid	OID of extended operation to perform.
[in]	reqdata	Request data to send.
[in]	serverctrls	Controls to pass to the server. May be NULL.
[in]	clientctrls	Client controls. May be NULL.

Returns: LDAP query object

Definition at line 1075 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_extended_async()

fr_ldap_rcode_t fr_ldap_extended_async	(	int *	msgid,
		request_t *	request,
		fr_ldap_connection_t *	pconn,
		char const *	reqoid,
		struct berval *	reqdata
	)

Initiate an LDAP extended operation.

Called by the trunk mux function

Parameters

[out]	msgid	LDAP message ID.
[in]	request	Current request.
[in]	pconn	to use.
[in]	reqoid	OID of extended operation to perform.
[in]	reqdata	Data required for the request.

Returns: One of the LDAP_PROC_* (fr_ldap_rcode_t) values.

Definition at line 924 of file base.c.

Here is the call graph for this function:

◆ fr_ldap_filter_eval()

bool fr_ldap_filter_eval	(	fr_dlist_head_t *	root,
		fr_ldap_connection_t *	conn,
		LDAPMessage *	msg
	)

Evaluate an LDAP filter.

Parameters

[in]	root	of the LDAP filter to evaluate.
[in]	conn	LDAP connection the message being filtered was returned on.
[in]	msg	to filter.

Returns: true or false result of the node evaluation.

Definition at line 583 of file filter.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_filter_parse()

fr_slen_t fr_ldap_filter_parse	(	TALLOC_CTX *	ctx,
		fr_dlist_head_t **	root,
		fr_sbuff_t *	filter,
		filter_attr_check_t	attr_check,
		void *	uctx
	)

Parse an LDAP filter into its component nodes.

Parameters

[in]	ctx	to allocate nodes in.
[in,out]	root	where to allocate the root of the parsed filter.
[in]	filter	to parse.
[in]	attr_check	callback to check if required attributes are in the query.
[in]	uctx	passed to attribute check callback.

Returns

number of bytes parsed on success < 0 on failure

Definition at line 343 of file filter.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_filter_to_tmpl()

int fr_ldap_filter_to_tmpl	(	TALLOC_CTX *	ctx,
		tmpl_rules_t const *	t_rules,
		char const **	sub,
		size_t	sublen,
		tmpl_t **	out
	)

Combine filters and tokenize to a tmpl.

Parameters

ctx	To allocate combined filter in
t_rules	Rules for parsing combined filter.
sub	Array of subfilters (may contain NULLs).
sublen	Number of potential subfilters in array.
out	Where to write a pointer to the resulting tmpl.

Returns: length of combined data.

Definition at line 517 of file util.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_free()

void fr_ldap_free ( void )

◆ fr_ldap_global_config()

int fr_ldap_global_config	(	int	debug_level,
		char const *	tls_random_file
	)

Change settings global to libldap.

May only be called once. Subsequent calls will be ignored.

Parameters

[in]	debug_level	to enable in libldap.
[in]	tls_random_file	Where OpenSSL gets its randomness.

Definition at line 1125 of file base.c.

Here is the caller graph for this function:

◆ fr_ldap_handle_thread_local()

LDAP* fr_ldap_handle_thread_local ( void )

Get a thread local dummy LDAP handle.

Many functions in the OpenLDAP API don't actually use the handle for anything other than writing out error codes.

This is true for most of the LDAP extensions API functions.

This gives us a reusable handle that was can pass to those functions when we don't already have one available.

Definition at line 1105 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_init()

int fr_ldap_init ( void )

Initialise libldap and check library versions.

Returns

0 on success.
-1 on failure.

Definition at line 1164 of file base.c.

Here is the caller graph for this function:

◆ fr_ldap_map_do()

int fr_ldap_map_do	(	request_t *	request,
		char const *	valuepair_attr,
		fr_ldap_map_exp_t const *	expanded,
		LDAPMessage *	entry
	)

Convert attribute map into valuepairs.

Use the attribute map built earlier to convert LDAP values into valuepairs and insert them into whichever list they need to go into.

This is NOT atomic, but there's no condition for which we should error out...

Parameters

[in]	request	Current request.
[in]	valuepair_attr	Treat attribute with this name as holding complete AVP definitions.
[in]	expanded	attributes (rhs of map).
[in]	entry	to retrieve attributes from.

Returns

Number of maps successfully applied.
-1 on failure.

Definition at line 323 of file map.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_map_expand()

int fr_ldap_map_expand	(	TALLOC_CTX *	ctx,
		fr_ldap_map_exp_t *	expanded,
		request_t *	request,
		map_list_t const *	maps,
		char const *	generic_attr
	)

Expand values in an attribute map where needed.

Parameters

[in]	ctx	o allocate any dynamic expansions in.
[out]	expanded	array of attributes. Need not be initialised (we'll initialise).
[in]	request	The current request.
[in]	maps	to expand.
[in]	generic_attr	name to append to the attribute list.

Returns

0 on success.
-1 on failure.

Definition at line 271 of file map.c.

Here is the caller graph for this function:

◆ fr_ldap_map_getvalue()

int fr_ldap_map_getvalue	(	TALLOC_CTX *	ctx,
		fr_pair_list_t *	out,
		request_t *	request,
		map_t const *	map,
		void *	uctx
	)

Callback for map_to_request.

Performs exactly the same job as map_to_vp, but pulls attribute values from LDAP entries

See also: map_to_vp

Definition at line 39 of file map.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_map_verify()

int fr_ldap_map_verify	(	map_t *	map,
		void *	instance
	)

Here is the caller graph for this function:

◆ fr_ldap_modify_alloc()

fr_ldap_query_t* fr_ldap_modify_alloc	(	TALLOC_CTX *	ctx,
		char const *	dn,
		LDAPMod *	mods[],
		LDAPControl **	serverctrls,
		LDAPControl **	clientctrls
	)

Allocate a new LDAP modify object.

Parameters

[in]	ctx	to allocate the query in.
[in]	dn	of the object to modify.
[in]	mods	to apply to the object.
[in]	serverctrls	Controls to pass to the server. May be NULL.
[in]	clientctrls	Client controls. May be NULL.

Returns: LDAP query object

Definition at line 1052 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_modify_async()

fr_ldap_rcode_t fr_ldap_modify_async	(	int *	msgid,
		request_t *	request,
		fr_ldap_connection_t *	pconn,
		char const *	dn,
		LDAPMod *	mods[],
		LDAPControl **	serverctrls,
		LDAPControl **	clientctrls
	)

Modify something in the LDAP directory.

Used on connections bound as the administrative user to attempt to modify an LDAP object. Called by the trunk mux function

Parameters

[out]	msgid	LDAP message ID.
[in]	request	Current request.
[in]	pconn	to use.
[in]	dn	of the object to modify.
[in]	mods	to make, see 'man ldap_modify' for more information.
[in]	serverctrls	Search controls to pass to the server. May be NULL.
[in]	clientctrls	Search controls for ldap_modify. May be NULL.

Returns: One of the LDAP_PROC_* (fr_ldap_rcode_t) values.

Definition at line 800 of file base.c.

Here is the call graph for this function:

◆ fr_ldap_parse_url_extensions()

int fr_ldap_parse_url_extensions	(	LDAPControl **	sss,
		size_t	sss_len,
		char *	extensions[]
	)

Parse a subset (just server side sort for now) of LDAP URL extensions.

Parameters

[out]	sss	Array of LDAPControl * pointers to add controls to.
[in]	sss_len	How many elements remain in the sss array.
[in]	extensions	A NULL terminated array of extensions.

Returns

>0 the number of controls added.
0 if no controls added.
-1 on failure.

Definition at line 309 of file util.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_query_cmp()

static int8_t fr_ldap_query_cmp	(	void const *	one,
		void const *	two
	)

inlinestatic

Compare two ldap query structures on msgid.

Parameters

[in]	one	first query to compare.
[in]	two	second query to compare.

Returns: CMP(one,two)

Definition at line 711 of file base.h.

Here is the caller graph for this function:

◆ fr_ldap_referral_alloc()

fr_ldap_referral_t* fr_ldap_referral_alloc	(	TALLOC_CTX *	ctx,
		request_t *	request
	)

Allocate a new structure to handle an LDAP referral, setting the destructor.

Parameters

[in]	ctx	to allocate the referral in
[in]	request	the LDAP query relates to.

Returns

a new referral structure on success
NULL on failure

Definition at line 49 of file referral.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_referral_follow()

int fr_ldap_referral_follow	(	fr_ldap_thread_t *	t,
		request_t *	request,
		fr_ldap_query_t *	query
	)

Follow an LDAP referral.

The returned list of LDAP referrals should already be in query->referrals. We check all the possible referrals and look for one where there already is an active trunk connection.

Parameters

t	Thread running the query.
request	related to the query.
query	whose result was one or more referral URLs.

Returns

0 on success.
< 0 on failure.

Definition at line 113 of file referral.c.

Here is the call graph for this function:

◆ fr_ldap_referral_next()

int fr_ldap_referral_next	(	fr_ldap_thread_t *	t,
		request_t *	request,
		fr_ldap_query_t *	query
	)

Follow an alternative LDAP referral.

If an initial chase of an LDAP referral results in an error being returned this function can be used to attempt one of the other referral URLs given in the initial query results.

The initial use of fr_ldap_referral_follow may have launched trunks for any referral URLs which parsed successfully, so this starts by looking for the first which has an active state and sends the query that way.

If no active trunks match the remaining servers listed in referrals then new trunks are launched with watchers to send the query on the first active trunk.

Parameters

t	Thread running the query.
request	the query relates to.
query	whose referrals are being chased.

Returns

0 on success.
< 0 on failure.

Definition at line 310 of file referral.c.

Here is the call graph for this function:

◆ fr_ldap_result()

fr_ldap_rcode_t fr_ldap_result	(	LDAPMessage **	result,
		LDAPControl ***	ctrls,
		fr_ldap_connection_t const *	conn,
		int	msgid,
		int	all,
		char const *	dn,
		fr_time_delta_t	timeout
	)

Parse response from LDAP server dealing with any errors.

Should be called after an LDAP operation. Will check result of operation and if it was successful, then attempt to retrieve and parse the result. Will also produce extended error output including any messages the server sent, and information about partial DN matches.

Note: Error messages should be retrieved with fr_strerror() and fr_strerror_pop()

Parameters

[out]	result	Where to write result, if NULL result will be freed. If not NULL caller must free with ldap_msgfree().
[out]	ctrls	Server ctrls returned to the client. May be NULL if not required. Must be freed with ldap_free_ctrls.
[in]	conn	Current connection.
[in]	msgid	returned from last operation. Special values are: LDAP_RES_ANY - Retrieve any received messages useful for multiplexing. LDAP_RES_UNSOLICITED - Any unsolicited message.
[in]	all	How many messages to retrieve: LDAP_MSG_ONE - Retrieve the first message matching msgid (waiting if one is not available). LDAP_MSG_ALL - Retrieve all received messages matching msgid (waiting if none are available). LDAP_MSG_RECEIVED - Retrieve all received messages.
[in]	dn	Last search or bind DN. May be NULL.
[in]	timeout	Override the default result timeout.

Returns: One of the LDAP_PROC_* (fr_ldap_rcode_t) values.

Definition at line 449 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_search_alloc()

fr_ldap_query_t* fr_ldap_search_alloc	(	TALLOC_CTX *	ctx,
		char const *	base_dn,
		int	scope,
		char const *	filter,
		char const const	attrs,
		LDAPControl **	serverctrls,
		LDAPControl **	clientctrls
	)

Allocate a new search object.

Parameters

[in]	ctx	to allocate query in.
[in]	base_dn	for the search.
[in]	scope	of the search.
[in]	filter	for the search
[in]	attrs	to request.
[in]	serverctrls	Search controls to pass to the server. May be NULL.
[in]	clientctrls	Client controls. May be NULL.

Definition at line 1026 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_search_async()

fr_ldap_rcode_t fr_ldap_search_async	(	int *	msgid,
		request_t *	request,
		fr_ldap_connection_t *	pconn,
		char const *	dn,
		int	scope,
		char const *	filter,
		char const const	attrs,
		LDAPControl **	serverctrls,
		LDAPControl **	clientctrls
	)

Search for something in the LDAP directory.

Performs an LDAP search, typically on a connection bound as the administrative user, dealing with any errors. Called from the trunk mux function and elsewhere where appropriate event handlers have been set on the connection fd.

Parameters

[out]	msgid	to match response to request.
[in]	request	Current request.
[in]	pconn	to use.
[in]	dn	to use as base for the search.
[in]	scope	to use (LDAP_SCOPE_BASE, LDAP_SCOPE_ONE, LDAP_SCOPE_SUB).
[in]	filter	to use, should be pre-escaped.
[in]	attrs	to retrieve.
[in]	serverctrls	Search controls to pass to the server. May be NULL.
[in]	clientctrls	Search controls for ldap_search. May be NULL.

Returns: One of the LDAP_PROC_* (fr_ldap_rcode_t) values.

Definition at line 528 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_server_config_check()

int fr_ldap_server_config_check	(	fr_ldap_config_t *	handle_config,
		char const *	server,
		CONF_SECTION *	cs
	)

Check an LDAP server config in server:port format is valid.

Parameters

[in,out]	handle_config	LDAP handle config being built
[in]	server	string to parse
[in]	cs	in which the server is defined

Returns

0 for valid server definition
-1 for invalid server definition

Definition at line 701 of file util.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_server_url_check()

int fr_ldap_server_url_check	(	fr_ldap_config_t *	handle_config,
		char const *	server,
		CONF_SECTION const *	cs
	)

Check an LDAP server entry in URL format is valid.

Parameters

[in,out]	handle_config	LDAP handle config being built
[in]	server	string to parse
[in]	cs	in which the server is defined

Returns

0 for valid server definition
-1 for invalid server definition

Definition at line 605 of file util.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_start_tls_async()

int fr_ldap_start_tls_async	(	fr_ldap_connection_t *	c,
		LDAPControl **	serverctrls,
		LDAPControl **	clientctrls
	)

Install I/O handlers for Start TLS negotiation.

Parameters

[in]	c	connection to StartTLS on.
[in]	serverctrls	Extra controls to pass to the server.
[in]	clientctrls	Extra controls to pass to libldap.

Returns

0 on success.
-1 on failure.

Definition at line 222 of file start_tls.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_state_error()

void fr_ldap_state_error ( fr_ldap_connection_t * c )

Signal that there's been an error on the connection.

Definition at line 134 of file state.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_state_next()

fr_ldap_state_t fr_ldap_state_next ( fr_ldap_connection_t * c )

Move between LDAP connection states.

Bringing up an LDAP connection is quite complex, as we need to do multiple operations before we can install the main mux/demux functions which do the work of sending requests to the directory and processing the responses.

This function moves the connection through different states, setting different I/O handlers.

If any of the states

Definition at line 49 of file state.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_timeout_debug()

void fr_ldap_timeout_debug	(	request_t *	request,
		fr_ldap_connection_t const *	conn,
		fr_time_delta_t	timeout,
		char const *	prefix
	)

Prints information to the debug log on the current timeout settings.

There are so many different timers in LDAP it's often hard to debug issues with them, hence the need for this function.

Definition at line 152 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_trunk_cmp()

static int8_t fr_ldap_trunk_cmp	(	void const *	one,
		void const *	two
	)

inlinestatic

Compare two ldap trunk structures on connection URI / DN.

Parameters

[in]	one	first connection to compare.
[in]	two	second connection to compare.

Returns: CMP(one, two)

Definition at line 695 of file base.h.

Here is the caller graph for this function:

◆ fr_ldap_trunk_directory_alloc_async()

int fr_ldap_trunk_directory_alloc_async	(	TALLOC_CTX *	ctx,
		fr_ldap_thread_trunk_t *	ttrunk
	)

Async extract useful information from the rootDSE of the LDAP server.

This is called once for each new thread trunk when it first connects.

Parameters

[in]	ctx	to allocate fr_ldap_directory_t in.
[in]	ttrunk	Thread trunk connection to be queried

Returns

0 on success < 0 on failure

Definition at line 257 of file directory.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_trunk_extended()

unlang_action_t fr_ldap_trunk_extended	(	TALLOC_CTX *	ctx,
		fr_ldap_query_t **	out,
		request_t *	request,
		fr_ldap_thread_trunk_t *	ttrunk,
		char const *	reqoid,
		struct berval *	reqdata,
		LDAPControl **	serverctrls,
		LDAPControl **	clientctrls
	)

Run an async LDAP "extended operation" query on a trunk connection.

Parameters

[in]	ctx	to allocate the query in.
[out]	out	that has been allocated.
[in]	request	this query relates to.
[in]	ttrunk	to submit the query to.
[in]	reqoid	OID of extended operation.
[in]	reqdata	Request data to send.
[in]	serverctrls	specific to this query.
[in]	clientctrls	specific to this query.

Returns

UNLANG_ACTION_FAIL on error.
UNLANG_ACTION_PUSHED_CHILD on success.

Definition at line 881 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_trunk_modify()

unlang_action_t fr_ldap_trunk_modify	(	TALLOC_CTX *	ctx,
		fr_ldap_query_t **	out,
		request_t *	request,
		fr_ldap_thread_trunk_t *	ttrunk,
		char const *	dn,
		LDAPMod *	mods[],
		LDAPControl **	serverctrls,
		LDAPControl **	clientctrls
	)

Run an async modification LDAP query on a trunk connection.

Parameters

[in]	ctx	to allocate the query in.
[out]	out	that has been allocated.
[in]	request	this query relates to.
[in]	ttrunk	to submit the query to.
[in]	dn	of the object being modified.
[in]	mods	to be performed.
[in]	serverctrls	specific to this query.
[in]	clientctrls	specific to this query.

Returns

UNLANG_ACTION_FAIL on error.
UNLANG_ACTION_PUSHED_CHILD on success.

Definition at line 754 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_trunk_search()

unlang_action_t fr_ldap_trunk_search	(	TALLOC_CTX *	ctx,
		fr_ldap_query_t **	out,
		request_t *	request,
		fr_ldap_thread_trunk_t *	ttrunk,
		char const *	base_dn,
		int	scope,
		char const *	filter,
		char const const	attrs,
		LDAPControl **	serverctrls,
		LDAPControl **	clientctrls
	)

Run an async search LDAP query on a trunk connection.

Parameters

[in]	ctx	to allocate the query in.
[out]	out	that has been allocated.
[in]	request	this query relates to.
[in]	ttrunk	to submit the query to.
[in]	base_dn	for the search.
[in]	scope	of the search.
[in]	filter	for the search.
[in]	attrs	to be returned.
[in]	serverctrls	specific to this query.
[in]	clientctrls	specific to this query.

Returns

UNLANG_ACTION_FAIL on error.
UNLANG_ACTION_PUSHED_CHILD on success.

Definition at line 708 of file base.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_uri_escape_func()

size_t fr_ldap_uri_escape_func	(	UNUSED request_t *	request,
		char *	out,
		size_t	outlen,
		char const *	in,
		UNUSED void *	arg
	)

Converts "bad" strings into ones which are safe for LDAP.

Note

RFC 4515 says filter strings can only use the

\<hex><hex>

format, whereas RFC 4514 indicates that some chars in DNs, may be escaped simply with a backslash. For simplicity, we always use the hex escape sequences. In other areas where we're doing DN comparison, the DNs need to be normalised first so that they both use only hex escape sequences.

This is a callback for xlat operations.

Will escape any characters in input strings that would cause the string to be interpreted as part of a DN and or filter. Escape sequence is

\<hex><hex>

.

Parameters

request	The current request.
out	Pointer to output buffer.
outlen	Size of the output buffer.
in	Raw unescaped string.
arg	Any additional arguments (unused).

Definition at line 70 of file util.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_uri_unescape_func()

size_t fr_ldap_uri_unescape_func	(	UNUSED request_t *	request,
		char *	out,
		size_t	outlen,
		char const *	in,
		UNUSED void *	arg
	)

Converts escaped DNs and filter strings into normal.

Note

RFC 4515 says filter strings can only use the

\<hex><hex>

format, whereas RFC 4514 indicates that some chars in DNs, may be escaped simply with a backslash..

Will unescape any special characters in strings, or

\<hex><hex>

sequences.

Parameters

request	The current request.
out	Pointer to output buffer.
outlen	Size of the output buffer.
in	Escaped string string.
arg	Any additional arguments (unused).

Definition at line 164 of file util.c.

Here is the caller graph for this function:

◆ fr_ldap_url_err_to_str()

char const* fr_ldap_url_err_to_str ( int ldap_url_err )

Translate the error code emitted from ldap_url_parse and friends into something accessible with fr_strerror()

Parameters

[in] ldap_url_err The error code returned

Definition at line 742 of file util.c.

Here is the caller graph for this function:

◆ fr_ldap_util_is_dn()

bool fr_ldap_util_is_dn	(	char const *	in,
		size_t	inlen
	)

Check whether a string looks like a DN.

Parameters

[in]	in	Str to check.
[in]	inlen	Length of string to check.

Returns

true if string looks like a DN.
false if string does not look like DN.

Definition at line 211 of file util.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_ldap_util_normalise_dn()

size_t fr_ldap_util_normalise_dn	(	char *	out,
		char const *	in
	)

Normalise escape sequences in a DN.

Characters in a DN can either be escaped as

\<hex><hex>

or

\<special>

The LDAP directory chooses how characters are escaped, which can make local comparisons of DNs difficult.

Here we search for hex sequences that match special chars, and convert them to the

\<special>

form.

Note: the resulting output string will only ever be shorter than the input, so it's fine to use the same buffer for both out and in.

Parameters

out	Where to write the normalised DN.
in	The input DN.

Returns: The number of bytes written to out.

Definition at line 439 of file util.c.

Here is the caller graph for this function:

◆ fr_thread_ldap_bind_trunk_get()

fr_ldap_thread_trunk_t* fr_thread_ldap_bind_trunk_get ( fr_ldap_thread_t * thread )

Find the thread specific trunk to use for LDAP bind auths.

If there is no current trunk then a new one is created.

Parameters

[in] thread to which the connection belongs

Returns

an existing or new trunk.
NULL on failure

Definition at line 1295 of file connection.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_thread_ldap_trunk_get()

fr_ldap_thread_trunk_t* fr_thread_ldap_trunk_get	(	fr_ldap_thread_t *	thread,
		char const *	uri,
		char const *	bind_dn,
		char const *	bind_password,
		request_t *	request,
		fr_ldap_config_t const *	config
	)

Find a thread specific LDAP connection for a specific URI / bind DN.

If no existing connection exists for that combination then create a new one

Parameters

[in]	thread	to which the connection belongs
[in]	uri	of the host to find / create a connection to
[in]	bind_dn	to make the connection as
[in]	bind_password	for making connection
[in]	request	currently being processed (only for debug messages)
[in]	config	LDAP config of the module requesting the connection.

Returns

an existing or new connection matching the URI and bind DN
NULL on failure

Definition at line 918 of file connection.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_thread_ldap_trunk_state()

trunk_state_t fr_thread_ldap_trunk_state	(	fr_ldap_thread_t *	thread,
		char const *	uri,
		char const *	bind_dn
	)

Lookup the state of a thread specific LDAP connection trunk for a specific URI / bind DN.

Parameters

[in]	thread	to which the connection belongs
[in]	uri	of the host to find / create a connection to
[in]	bind_dn	to make the connection as

Returns

State of a trunk matching the URI and bind DN
TRUNK_STATE_MAX if no matching trunk

Definition at line 996 of file connection.c.

Here is the call graph for this function:

Here is the caller graph for this function:

Variable Documentation

◆ fr_ldap_connection_states

fr_table_num_sorted_t const fr_ldap_connection_states[]

extern

Definition at line 51 of file base.c.

◆ fr_ldap_connection_states_len

size_t fr_ldap_connection_states_len

extern

Definition at line 58 of file base.c.

◆ fr_ldap_dereference

fr_table_num_sorted_t const fr_ldap_dereference[]

extern

Definition at line 86 of file base.c.

◆ fr_ldap_dereference_len

size_t fr_ldap_dereference_len

extern

Definition at line 92 of file base.c.

◆ fr_ldap_scope

fr_table_num_sorted_t const fr_ldap_scope[]

extern

Definition at line 69 of file base.c.

◆ fr_ldap_scope_len

size_t fr_ldap_scope_len

extern

Definition at line 75 of file base.c.

◆ fr_ldap_supported_extensions

fr_table_num_sorted_t const fr_ldap_supported_extensions[]

extern

Definition at line 60 of file base.c.

◆ fr_ldap_supported_extensions_len

size_t fr_ldap_supported_extensions_len

extern

Definition at line 64 of file base.c.

◆ fr_ldap_tls_require_cert

fr_table_num_sorted_t const fr_ldap_tls_require_cert[]

extern

Definition at line 77 of file base.c.

◆ fr_ldap_tls_require_cert_len

size_t fr_ldap_tls_require_cert_len

extern

Definition at line 84 of file base.c.

◆ fr_libldap_global_config

global_lib_autoinst_t fr_libldap_global_config

extern

Definition at line 134 of file base.c.

◆ ldap_global_handle

LDAP* ldap_global_handle

extern

Hack for OpenLDAP libldap global initialisation.

Definition at line 39 of file base.c.

Data Structures

Macros

Typedefs

Enumerations

Functions

Variables

Detailed Description

Data Structure Documentation

◆ fr_ldap_bind_auth_ctx_t

◆ fr_ldap_bind_auth_ctx_t.__unnamed51__

◆ fr_ldap_bind_ctx_t

◆ fr_ldap_config_t

◆ fr_ldap_connection_t

◆ fr_ldap_control_t

◆ fr_ldap_directory_t

◆ fr_ldap_map_exp_t

◆ fr_ldap_query_s

◆ fr_ldap_query_s.__unnamed41__

◆ fr_ldap_query_s.__unnamed41__.extended

◆ fr_ldap_query_s.__unnamed41__.search

◆ fr_ldap_referral_s

◆ fr_ldap_result_t

◆ fr_ldap_sasl_ctx_t

◆ fr_ldap_sasl_t

◆ fr_ldap_thread_t

◆ fr_ldap_thread_trunk_s

◆ fr_libldap_global_config_t

◆ ldap_filter_s

◆ ldap_filter_s.__unnamed45__

◆ ldap_filter_s.__unnamed45__.__unnamed47__

◆ ldap_filter_s.__unnamed45__.__unnamed49__

Macro Definition Documentation

◆ LDAP_CONST

◆ LDAP_DEPRECATED

◆ LDAP_DIRECTORY_ATTRS

◆ LDAP_MAP_RESERVED

◆ LDAP_MATCHING_RULE_BIT_AND

◆ LDAP_MATCHING_RULE_BIT_OR

◆ LDAP_MAX_ATTR_STR_LEN

◆ LDAP_MAX_ATTRMAP

◆ LDAP_MAX_CACHEABLE

◆ LDAP_MAX_CONTROLS

◆ LDAP_MAX_DN_STR_LEN

◆ LDAP_MAX_FILTER_STR_LEN

◆ LDAP_MAX_GROUP_NAME_LEN

◆ LDAP_SERVER_NOTIFICATION_OID

◆ LDAP_SERVER_SHOW_DELETED_OID

◆ LDAP_VENDOR_VERSION_PATCH

◆ LDAP_VIRTUAL_DN_ATTR

◆ X

Typedef Documentation

◆ filter_attr_check_t

◆ fr_ldap_query_t

◆ fr_ldap_referral_t

◆ fr_ldap_result_parser_t

◆ fr_ldap_thread_trunk_t

◆ ldap_filter_t

Enumeration Type Documentation

◆ fr_ldap_bind_type_t

◆ fr_ldap_directory_type_t

◆ fr_ldap_rcode_t

◆ fr_ldap_request_type_t

◆ fr_ldap_result_code_t

◆ fr_ldap_state_t

◆ fr_ldap_sync_type_t

◆ ldap_filter_logic_t

◆ ldap_filter_op_t

◆ ldap_filter_type_t

◆ ldap_supported_extension_t

Function Documentation

◆ fr_ldap_attrs_check()

◆ fr_ldap_berval_strncasecmp()

◆ fr_ldap_berval_to_bin()

◆ fr_ldap_berval_to_string()

◆ fr_ldap_berval_to_value_shallow()

◆ fr_ldap_berval_to_value_str_shallow()

◆ fr_ldap_bind_async()

◆ fr_ldap_bind_auth_async()

◆ fr_ldap_bind_auth_cmp()

◆ fr_ldap_box_escape()

◆ fr_ldap_bind_auth_ctx_t.unnamed51

◆ fr_ldap_query_s.unnamed41

◆ fr_ldap_query_s.unnamed41.extended

◆ fr_ldap_query_s.unnamed41.search

◆ ldap_filter_s.unnamed45

◆ ldap_filter_s.unnamed45.unnamed47

◆ ldap_filter_s.unnamed45.unnamed49