LDAP authorization and authentication module headers. More...
#include <freeradius-devel/radiusd.h>
#include <freeradius-devel/modules.h>
#include <lber.h>
#include <ldap.h>
#include "config.h"
Data Structures | |
struct | ldap_acct_section |
struct | ldap_handle |
Tracks the state of a libldap connection handle. More... | |
struct | ldap_instance |
struct | ldap_sasl |
struct | ldap_sasl_dynamic |
struct | rlm_ldap_control |
struct | rlm_ldap_map_exp |
Result of expanding the RHS of a set of maps. More... | |
struct | rlm_ldap_result |
Contains a collection of values. More... | |
Macros | |
#define | LDAP_DBG(fmt,...) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) |
#define | LDAP_DBG2(fmt,...) if (rad_debug_lvl >= L_DBG_LVL_2) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) |
#define | LDAP_DBG3(fmt,...) if (rad_debug_lvl >= L_DBG_LVL_3) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) |
#define | LDAP_DBG_REQ(fmt,...) do { if (request) {RDEBUG(fmt, ##__VA_ARGS__);} else {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0) |
#define | LDAP_DBG_REQ2(fmt,...) do { if (request) {RDEBUG2(fmt, ##__VA_ARGS__);} else if (rad_debug_lvl >= L_DBG_LVL_2) {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0) |
#define | LDAP_DBG_REQ3(fmt,...) do { if (request) {RDEBUG3(fmt, ##__VA_ARGS__);} else if (rad_debug_lvl >= L_DBG_LVL_3) {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0) |
#define | LDAP_DBGW(fmt,...) radlog(L_DBG_WARN, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) |
#define | LDAP_DBGW_REQ(fmt,...) do { if (request) {RWDEBUG(fmt, ##__VA_ARGS__);} else {LDAP_DBGW(fmt, ##__VA_ARGS__);}} while (0) |
#define | LDAP_DEPRECATED 1 |
#define | LDAP_ERR(fmt,...) ERROR("rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) |
#define | LDAP_ERR_REQ(fmt,...) do { if (request) {REDEBUG(fmt, ##__VA_ARGS__);} else {LDAP_ERR(fmt, ##__VA_ARGS__);}} while (0) |
#define | LDAP_EXT() if (extra) LDAP_ERR(extra) |
#define | LDAP_EXT_REQ() do { if (extra) { if (request) REDEBUG("%s", extra); else LDAP_ERR("%s", extra); }} while (0) |
#define | LDAP_INFO(fmt,...) INFO("rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) |
#define | LDAP_MAP_RESERVED 4 |
Number of additional items to allocate in expanded. More... | |
#define | LDAP_MAX_ATTR_STR_LEN 256 |
Maximum length of an xlat expanded LDAP attribute. More... | |
#define | LDAP_MAX_ATTRMAP 128 |
Maximum number of mappings between LDAP and RADIUS attributes. More... | |
#define | LDAP_MAX_CACHEABLE 64 |
Maximum number of groups we retrieve from the server for the current user object. More... | |
#define | LDAP_MAX_CONTROLS 10 |
Maximum number of client/server controls. More... | |
#define | LDAP_MAX_DN_STR_LEN 1024 |
Maximum length of an xlat expanded DN. More... | |
#define | LDAP_MAX_FILTER_STR_LEN 1024 |
Maximum length of an xlat expanded filter. More... | |
#define | LDAP_MAX_GROUP_NAME_LEN 128 |
Maximum length of a group name. More... | |
#define | LDAP_VENDOR_VERSION_PATCH 0 |
#define | LDAP_VIRTUAL_DN_ATTR "dn" |
'Virtual' attribute which maps to the DN of the object. More... | |
#define | LDAP_WARN(fmt,...) WARN("rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) |
#define | MOD_PREFIX "rlm_ldap" |
The name of the module. More... | |
Typedefs | |
typedef struct ldap_acct_section | ldap_acct_section_t |
typedef struct ldap_handle | ldap_handle_t |
Tracks the state of a libldap connection handle. More... | |
typedef struct ldap_sasl | ldap_sasl |
typedef struct ldap_sasl_dynamic | ldap_sasl_dynamic |
typedef struct rlm_ldap_control | rlm_ldap_control_t |
typedef struct rlm_ldap_map_exp | rlm_ldap_map_exp_t |
Result of expanding the RHS of a set of maps. More... | |
typedef struct rlm_ldap_result | rlm_ldap_result_t |
Contains a collection of values. More... | |
typedef struct ldap_instance | rlm_ldap_t |
Enumerations | |
enum | ldap_rcode_t { LDAP_PROC_CONTINUE = 1, LDAP_PROC_SUCCESS = 0, LDAP_PROC_ERROR = -1, LDAP_PROC_RETRY = -2, LDAP_PROC_NOT_PERMITTED = -3, LDAP_PROC_REJECT = -4, LDAP_PROC_BAD_DN = -5, LDAP_PROC_NO_RESULT = -6 } |
Codes returned by rlm_ldap internal functions. More... | |
enum | ldap_supported_extension { LDAP_EXT_UNSUPPORTED, LDAP_EXT_BINDNAME, LDAP_EXT_BINDPW } |
Functions | |
char const * | edir_errstr (int code) |
void * | mod_conn_create (TALLOC_CTX *ctx, void *instance, struct timeval const *timeout) |
Create a new connection pool handle. More... | |
ldap_handle_t * | mod_conn_get (rlm_ldap_t const *inst, REQUEST *request) |
void | mod_conn_release (rlm_ldap_t const *inst, ldap_handle_t *conn) |
Frees an LDAP socket back to the connection pool. More... | |
int | nmasldap_get_password (LDAP *ld, char const *dn, char *password, size_t *len) |
Attempt to retrieve the universal password from Novell eDirectory. More... | |
char * | rlm_ldap_berval_to_string (TALLOC_CTX *ctx, struct berval const *in) |
Convert a berval to a talloced string. More... | |
ldap_rcode_t | rlm_ldap_bind (rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, char const *password, ldap_sasl *sasl, bool retry, LDAPControl **serverctrls, LDAPControl **clientctrls) |
Bind to the LDAP directory as a user. More... | |
rlm_rcode_t | rlm_ldap_cacheable_groupobj (rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn) |
Convert group membership information into attributes. More... | |
rlm_rcode_t | rlm_ldap_cacheable_userobj (rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, LDAPMessage *entry, char const *attr) |
Convert group membership information into attributes. More... | |
rlm_rcode_t | rlm_ldap_check_access (rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t const *conn, LDAPMessage *entry) |
Check for presence of access attribute in result. More... | |
rlm_rcode_t | rlm_ldap_check_cached (rlm_ldap_t const *inst, REQUEST *request, VALUE_PAIR *check) |
Check group membership attributes to see if a user is a member. More... | |
rlm_rcode_t | rlm_ldap_check_groupobj_dynamic (rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, VALUE_PAIR *check) |
Query the LDAP directory to check if a group object includes a user object as a member. More... | |
void | rlm_ldap_check_reply (rlm_ldap_t const *inst, REQUEST *request) |
Verify we got a password from the search. More... | |
rlm_rcode_t | rlm_ldap_check_userobj_dynamic (rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, VALUE_PAIR *check) |
Query the LDAP directory to check if a user object is a member of a group. More... | |
int | rlm_ldap_client_load (rlm_ldap_t const *inst, CONF_SECTION *tmpl, CONF_SECTION *cs) |
Load clients from LDAP on server start. More... | |
int | rlm_ldap_control_add_client (ldap_handle_t *conn, LDAPControl *ctrl, bool freeit) |
Add a clientctrl to a connection handle. More... | |
int | rlm_ldap_control_add_server (ldap_handle_t *conn, LDAPControl *ctrl, bool freeit) |
Add a serverctrl to a connection handle. More... | |
int | rlm_ldap_control_add_session_tracking (ldap_handle_t *conn, REQUEST *request) |
void | rlm_ldap_control_clear (ldap_handle_t *conn) |
Clear and free any controls associated with a connection. More... | |
void | rlm_ldap_control_merge (LDAPControl *serverctrls_out[], LDAPControl *clientctrls_out[], size_t serverctrls_len, size_t clientctrls_len, ldap_handle_t *conn, LDAPControl *serverctrls_in[], LDAPControl *clientctrls_in[]) |
Merge connection and call specific client and server controls. More... | |
char const * | rlm_ldap_error_str (ldap_handle_t const *conn) |
Return the error string associated with a handle. More... | |
size_t | rlm_ldap_escape_func (UNUSED REQUEST *request, char *out, size_t outlen, char const *in, UNUSED void *arg) |
Converts "bad" strings into ones which are safe for LDAP. More... | |
char const * | rlm_ldap_find_user (rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *attrs[], bool force, LDAPMessage **result, rlm_rcode_t *rcode) |
Retrieve the DN of a user object. More... | |
bool | rlm_ldap_is_dn (char const *in, size_t inlen) |
Check whether a string looks like a DN. More... | |
int | rlm_ldap_map_do (rlm_ldap_t const *inst, REQUEST *request, LDAP *handle, rlm_ldap_map_exp_t const *expanded, LDAPMessage *entry) |
Convert attribute map into valuepairs. More... | |
int | rlm_ldap_map_expand (rlm_ldap_map_exp_t *expanded, REQUEST *request, vp_map_t const *maps) |
Expand values in an attribute map where needed. More... | |
int | rlm_ldap_map_getvalue (TALLOC_CTX *ctx, VALUE_PAIR **out, REQUEST *request, vp_map_t const *map, void *uctx) |
Callback for map_to_request. More... | |
int | rlm_ldap_map_verify (vp_map_t *map, void *instance) |
ldap_rcode_t | rlm_ldap_modify (rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, LDAPMod *mods[], LDAPControl **serverctrls, LDAPControl **clientctrls) |
Modify something in the LDAP directory. More... | |
size_t | rlm_ldap_normalise_dn (char *out, char const *in) |
Normalise escape sequences in a DN. More... | |
ldap_rcode_t | rlm_ldap_result (rlm_ldap_t const *inst, ldap_handle_t const *conn, int msgid, char const *dn, LDAPMessage **result, char const **error, char **extra) |
Parse response from LDAP server dealing with any errors. More... | |
ldap_rcode_t | rlm_ldap_sasl_interactive (rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t *pconn, char const *dn, char const *password, ldap_sasl *sasl, LDAPControl **serverctrls, LDAPControl **clientctrls, char const **error, char **error_extra) |
Initiate an LDAP interactive bind. More... | |
ldap_rcode_t | rlm_ldap_search (LDAPMessage **result, rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, int scope, char const *filter, char const *const *attrs, LDAPControl **serverctrls, LDAPControl **clientctrls) |
Search for something in the LDAP directory. More... | |
size_t | rlm_ldap_unescape_func (UNUSED REQUEST *request, char *out, size_t outlen, char const *in, UNUSED void *arg) |
Converts escaped DNs and filter strings into normal strings. More... | |
ssize_t | rlm_ldap_xlat_filter (REQUEST *request, char const **sub, size_t sublen, char *out, size_t outlen) |
Combine and expand filters. More... | |
Variables | |
FR_NAME_NUMBER const | ldap_scope [] |
FR_NAME_NUMBER const | ldap_supported_extensions [] |
FR_NAME_NUMBER const | ldap_tls_require_cert [] |
LDAP authorization and authentication module headers.
Definition in file ldap.h.
struct ldap_acct_section |
Data Fields | ||
---|---|---|
CONF_SECTION * | cs | Section configuration. |
char const * | reference | Configuration reference string. |
struct ldap_handle |
Data Fields | ||
---|---|---|
rlm_ldap_control_t | clientctrls[LDAP_MAX_CONTROLS+1] | Client controls to use for all operations with this handle. |
int | clientctrls_cnt | Number of client controls associated with the handle. |
LDAP * | handle | libldap handle. |
rlm_ldap_t * | inst | rlm_ldap configuration. |
bool | rebound | Whether the connection has been rebound to something other than the admin user. |
bool | referred | Whether the connection is now established to a server other than the configured one. |
rlm_ldap_control_t | serverctrls[LDAP_MAX_CONTROLS+1] | Server controls to use for all operations with this handle. |
int | serverctrls_cnt | Number of server controls associated with the handle. |
struct ldap_instance |
Data Fields | ||
---|---|---|
bool | access_positive | If true the presence of the attribute will allow access, else it will deny access. |
ldap_acct_section_t * | accounting | Modify mappings for accounting. |
char const * | admin_identity | Identity we bind as when we need to query the LDAP directory. |
char const * | admin_password | Password used in administrative bind. |
ldap_sasl | admin_sasl | SASL parameters used when binding as the admin. |
char const * | cache_attribute | Sets the attribute we use when creating and retrieving cached group memberships. |
fr_dict_attr_t const * | cache_da |
The DA associated with this specific instance of the rlm_ldap module. |
bool | cacheable_group_dn | If true the server will determine the complete set of group memberships for the current user object, and perform any resolution necessary to determine the DNs of those groups, then write them to the control list (LDAP-GroupDN). |
bool | cacheable_group_name | If true the server will determine the complete set of group memberships for the current user object, and perform any resolution necessary to determine the names of those groups, then write them to the control list (LDAP-Group). |
bool | chase_referrals | If the LDAP server returns a referral to another server or point in the tree, follow it, establishing new connections and binding where necessary. |
bool | chase_referrals_unset | If true, use the OpenLDAP defaults for chase_referrals. |
char const * | clientobj_base_dn | DN to search for clients under. |
char const * | clientobj_filter | Filter to retrieve only client objects. |
int | clientobj_scope | Search scope. |
char const * | clientobj_scope_str | Scope (sub, one, base). |
char const * | config_server | Server set in the config. |
CONF_SECTION * | cs | Main configuration section for this instance. |
vp_tmpl_t * | default_profile |
If this is set, we will search for a profile object with this name, and map any attributes it contains. No value should be set if profiles are not being used as there is an associated performance penalty. |
int | dereference | libldap value specifying dereferencing behaviour. |
char const * | dereference_str | When to dereference (never, searching, finding, always) |
bool | do_clients | If true, attempt to load clients on instantiation. |
bool | expect_password | True if the user_map included a mapping between an LDAP attribute and one of our password reference attributes. |
char const * | group_attribute | Sets the attribute we use when comparing group memberships. |
fr_dict_attr_t const * | group_da |
The DA associated with this specific instance of the rlm_ldap module. |
vp_tmpl_t * | groupobj_base_dn | DN to search for users under. |
char const * | groupobj_filter | Filter to retrieve only group objects. |
char const * | groupobj_membership_filter | Filter to only retrieve groups which contain the user as a member. |
char const * | groupobj_name_attr | The name of the group. |
int | groupobj_scope | Search scope. |
char const * | groupobj_scope_str | Scope (sub, one, base). |
LDAP * | handle | Hack for OpenLDAP libldap global initialisation. |
uint32_t | ldap_debug | Debug flag for the SDK. |
char const * | name | Instance name. |
fr_connection_pool_t * | pool | Connection pool instance. |
uint16_t | port | Port to use when binding to the server. |
ldap_acct_section_t * | postauth | Modify mappings for post-auth. |
char const * | profile_attr |
Attribute that identifies profiles to apply. May appear in userobj or groupobj. |
vp_tmpl_t * | profile_filter | Filter to retrieve only group objects. |
bool | rebind |
Controls whether we set an ldap_rebind_proc function and so determines if we can bind to other servers whilst chasing referrals. If this is false, we will still chase referrals on the same server, but won't bind to other servers. |
uint32_t | res_timeout | How long we wait for a result from the server. |
char * | server | Initial server to bind to. |
uint32_t | srv_timelimit | How long the server should spend on a single request (also bounded by the value on the server). |
bool | start_tls | Send the Start TLS message to the LDAP directory to start encrypted communications using the standard LDAP port. |
char const * | tls_ca_file | Sets the full path to a CA certificate (used to validate the certificate the server presents). |
char const * | tls_ca_path | Sets the path to a directory containing CA certificates. |
char const * | tls_certificate_file | Sets the path to the public certificate file we present to the servers. |
int | tls_mode | |
char const * | tls_private_key_file | Sets the path to the private key for our public certificate. |
char const * | tls_random_file | Path to the random file if /dev/random and /dev/urandom are unavailable. |
int | tls_require_cert | OpenLDAP constant representing the require cert string. |
char const * | tls_require_cert_str | Sets requirements for validating the certificate the server presents. |
bool | use_referral_credentials | If true use credentials from the referral URL. |
vp_map_t * | user_map | Attribute map applied to users and profiles. |
ldap_sasl_dynamic | user_sasl | SASL parameters used when binding as the user. |
char const * | userobj_access_attr | Attribute to check to see if the user should be locked out. |
vp_tmpl_t * | userobj_base_dn | DN to search for users under. |
vp_tmpl_t * | userobj_filter | Filter to retrieve only user objects. |
char const * | userobj_membership_attr | Attribute that describes groups the user is a member of. |
int | userobj_scope | Search scope. |
char const * | userobj_scope_str | Scope (sub, one, base). |
char const * | userobj_sort_by | List of attributes to sort by. |
LDAPControl * | userobj_sort_ctrl | Server side sort control. |
char const * | valuepair_attr | Generic dynamic mapping attribute, contains a RADIUS attribute and value. |
struct ldap_sasl |
struct ldap_sasl_dynamic |
struct rlm_ldap_control |
struct rlm_ldap_map_exp |
Result of expanding the RHS of a set of maps.
Used to store the array of attributes we'll be querying for.
Data Fields | ||
---|---|---|
char const * | attrs[LDAP_MAX_ATTRMAP+LDAP_MAP_RESERVED+1] |
Reserve some space for access attributes and NULL termination. |
int | count | Index on next free element. |
TALLOC_CTX * | ctx | Context to allocate new attributes in. |
vp_map_t const * | maps | Head of list of maps we expanded the RHS of. |
struct rlm_ldap_result |
#define LDAP_DBG2 | ( | fmt, | |
... | |||
) | if (rad_debug_lvl >= L_DBG_LVL_2) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) |
#define LDAP_DBG3 | ( | fmt, | |
... | |||
) | if (rad_debug_lvl >= L_DBG_LVL_3) radlog(L_DBG, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) |
#define LDAP_DBG_REQ2 | ( | fmt, | |
... | |||
) | do { if (request) {RDEBUG2(fmt, ##__VA_ARGS__);} else if (rad_debug_lvl >= L_DBG_LVL_2) {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0) |
#define LDAP_DBG_REQ3 | ( | fmt, | |
... | |||
) | do { if (request) {RDEBUG3(fmt, ##__VA_ARGS__);} else if (rad_debug_lvl >= L_DBG_LVL_3) {LDAP_DBG(fmt, ##__VA_ARGS__);}} while (0) |
#define LDAP_DBGW | ( | fmt, | |
... | |||
) | radlog(L_DBG_WARN, "rlm_ldap (%s): " fmt, inst->name, ##__VA_ARGS__) |
#define LDAP_MAP_RESERVED 4 |
#define LDAP_MAX_ATTR_STR_LEN 256 |
#define LDAP_MAX_ATTRMAP 128 |
#define LDAP_MAX_CACHEABLE 64 |
#define LDAP_MAX_CONTROLS 10 |
#define LDAP_MAX_DN_STR_LEN 1024 |
#define LDAP_MAX_FILTER_STR_LEN 1024 |
#define LDAP_MAX_GROUP_NAME_LEN 128 |
#define LDAP_VIRTUAL_DN_ATTR "dn" |
typedef struct ldap_acct_section ldap_acct_section_t |
typedef struct ldap_handle ldap_handle_t |
Tracks the state of a libldap connection handle.
typedef struct ldap_sasl_dynamic ldap_sasl_dynamic |
typedef struct rlm_ldap_control rlm_ldap_control_t |
typedef struct rlm_ldap_map_exp rlm_ldap_map_exp_t |
Result of expanding the RHS of a set of maps.
Used to store the array of attributes we'll be querying for.
typedef struct rlm_ldap_result rlm_ldap_result_t |
Contains a collection of values.
typedef struct ldap_instance rlm_ldap_t |
enum ldap_rcode_t |
Codes returned by rlm_ldap internal functions.
char const* edir_errstr | ( | int | code | ) |
void* mod_conn_create | ( | TALLOC_CTX * | ctx, |
void * | instance, | ||
struct timeval const * | timeout | ||
) |
Create a new connection pool handle.
Create a new connection to Couchbase within the pool and initialize information associated with the connection instance.
ctx | The connection parent context. |
instance | The module instance. |
timeout | Maximum time to establish the connection. |
Create a new connection pool handle.
Create a new ldap connection and allocate memory for a new rlm_handle_t
Create a new connection pool handle.
Matches the fr_connection_create_t function prototype, is passed to fr_connection_pool_init, and called when a new connection is required by the connection pool API.
Creates instances of rlm_rest_handle_t and rlm_rest_curl_context_t, which hold the context data required for generating requests and parsing responses.
If instance->connect_uri is not NULL, libcurl will attempt to open a TCP socket to the server specified in the URI. This is done so that when the socket is first used, there will already be a cached TCP connection to the REST server associated with the curl handle.
Create a new connection to Couchbase within the pool and initialize information associated with the connection instance.
ctx | The connection parent context. |
instance | The module instance. |
timeout | Maximum time to establish the connection. |
Create a new connection pool handle.
Create a new ldap connection and allocate memory for a new rlm_handle_t
Create a new connection pool handle.
Matches the fr_connection_create_t function prototype, is passed to fr_connection_pool_init, and called when a new connection is required by the connection pool API.
Creates instances of rlm_rest_handle_t and rlm_rest_curl_context_t, which hold the context data required for generating requests and parsing responses.
If instance->connect_uri is not NULL, libcurl will attempt to open a TCP socket to the server specified in the URI. This is done so that when the socket is first used, there will already be a cached TCP connection to the REST server associated with the curl handle.
ldap_handle_t* mod_conn_get | ( | rlm_ldap_t const * | inst, |
REQUEST * | request | ||
) |
void mod_conn_release | ( | rlm_ldap_t const * | inst, |
ldap_handle_t * | conn | ||
) |
Frees an LDAP socket back to the connection pool.
If the socket was rebound chasing a referral onto another server then we destroy it. If the socket was rebound to another user on the same server, we let the next caller rebind it.
inst | rlm_ldap configuration. |
conn | to release. |
Definition at line 1758 of file ldap.c.
int nmasldap_get_password | ( | LDAP * | ld, |
char const * | dn, | ||
char * | password, | ||
size_t * | passlen | ||
) |
Attempt to retrieve the universal password from Novell eDirectory.
[in] | ld | LDAP handle. |
[in] | dn | of user we want to retrieve the password for. |
[out] | password | Where to write the retrieved password. |
[out] | passlen | Length of data written to the password buffer. |
Definition at line 165 of file edir.c.
char* rlm_ldap_berval_to_string | ( | TALLOC_CTX * | ctx, |
struct berval const * | in | ||
) |
Convert a berval to a talloced string.
The ldap_get_values function is deprecated, and ldap_get_values_len does not guarantee the berval buffers it returns are \0 terminated.
For some cases this is fine, for others we require a \0 terminated buffer (feeding DNs back into libldap for example).
ctx | to allocate in. |
in | Berval to copy. |
Definition at line 281 of file ldap.c.
ldap_rcode_t rlm_ldap_bind | ( | rlm_ldap_t const * | inst, |
REQUEST * | request, | ||
ldap_handle_t ** | pconn, | ||
char const * | dn, | ||
char const * | password, | ||
ldap_sasl * | sasl, | ||
bool | retry, | ||
LDAPControl ** | serverctrls, | ||
LDAPControl ** | clientctrls | ||
) |
Bind to the LDAP directory as a user.
Performs a simple bind to the LDAP directory, and handles any errors that occur.
[in] | inst | rlm_ldap configuration. |
[in] | request | Current request, this may be NULL, in which case all debug logging is done with radlog. |
[in,out] | pconn | to use. May change as this function calls functions which auto re-connect. |
[in] | dn | of the user, may be NULL to bind anonymously. |
[in] | password | of the user, may be NULL if no password is specified. |
[in] | sasl | mechanism to use for bind, and additional parameters. |
[in] | retry | if the server is down. |
[in] | serverctrls | Search controls to pass to the server. Only used for SASL binds. May be NULL. |
[in] | clientctrls | Search controls for sasl_bind. Only used for SASL binds. May be NULL. |
Definition at line 751 of file ldap.c.
rlm_rcode_t rlm_ldap_cacheable_groupobj | ( | rlm_ldap_t const * | inst, |
REQUEST * | request, | ||
ldap_handle_t ** | pconn | ||
) |
Convert group membership information into attributes.
[in] | inst | rlm_ldap configuration. |
[in] | request | Current request. |
[in,out] | pconn | to use. May change as this function calls functions which auto re-connect. |
Definition at line 415 of file groups.c.
rlm_rcode_t rlm_ldap_cacheable_userobj | ( | rlm_ldap_t const * | inst, |
REQUEST * | request, | ||
ldap_handle_t ** | pconn, | ||
LDAPMessage * | entry, | ||
char const * | attr | ||
) |
Convert group membership information into attributes.
[in] | inst | rlm_ldap configuration. |
[in] | request | Current request. |
[in,out] | pconn | to use. May change as this function calls functions which auto re-connect. |
[in] | entry | retrieved by rlm_ldap_find_user or rlm_ldap_search. |
[in] | attr | membership attribute to look for in the entry. |
Definition at line 267 of file groups.c.
rlm_rcode_t rlm_ldap_check_access | ( | rlm_ldap_t const * | inst, |
REQUEST * | request, | ||
ldap_handle_t const * | conn, | ||
LDAPMessage * | entry | ||
) |
Check for presence of access attribute in result.
[in] | inst | rlm_ldap configuration. |
[in] | request | Current request. |
[in] | conn | used to retrieve access attributes. |
[in] | entry | retrieved by rlm_ldap_find_user or rlm_ldap_search. |
Definition at line 1327 of file ldap.c.
rlm_rcode_t rlm_ldap_check_cached | ( | rlm_ldap_t const * | inst, |
REQUEST * | request, | ||
VALUE_PAIR * | check | ||
) |
Check group membership attributes to see if a user is a member.
[in] | inst | rlm_ldap configuration. |
[in] | request | Current request. |
[in] | check | vp containing the group value (name or dn). |
Definition at line 812 of file groups.c.
rlm_rcode_t rlm_ldap_check_groupobj_dynamic | ( | rlm_ldap_t const * | inst, |
REQUEST * | request, | ||
ldap_handle_t ** | pconn, | ||
VALUE_PAIR * | check | ||
) |
Query the LDAP directory to check if a group object includes a user object as a member.
[in] | inst | rlm_ldap configuration. |
[in] | request | Current request. |
[in,out] | pconn | to use. May change as this function calls functions which auto re-connect. |
[in] | check | vp containing the group value (name or dn). |
Definition at line 530 of file groups.c.
void rlm_ldap_check_reply | ( | rlm_ldap_t const * | inst, |
REQUEST * | request | ||
) |
Verify we got a password from the search.
Checks, after the LDAP to RADIUS mapping has been completed, whether a reference password was retrieved.
inst | rlm_ldap configuration. |
request | Current request. |
Definition at line 1362 of file ldap.c.
rlm_rcode_t rlm_ldap_check_userobj_dynamic | ( | rlm_ldap_t const * | inst, |
REQUEST * | request, | ||
ldap_handle_t ** | pconn, | ||
char const * | dn, | ||
VALUE_PAIR * | check | ||
) |
Query the LDAP directory to check if a user object is a member of a group.
[in] | inst | rlm_ldap configuration. |
[in] | request | Current request. |
[in,out] | pconn | to use. May change as this function calls functions which auto re-connect. |
[in] | dn | of user object. |
[in] | check | vp containing the group value (name or dn). |
Definition at line 632 of file groups.c.
int rlm_ldap_client_load | ( | rlm_ldap_t const * | inst, |
CONF_SECTION * | tmpl, | ||
CONF_SECTION * | map | ||
) |
Load clients from LDAP on server start.
[in] | inst | rlm_ldap configuration. |
[in] | tmpl | to use as the base for the new client. |
[in] | map | to load client attribute/LDAP attribute mappings from. |
Definition at line 102 of file clients.c.
int rlm_ldap_control_add_client | ( | ldap_handle_t * | conn, |
LDAPControl * | ctrl, | ||
bool | freeit | ||
) |
Add a clientctrl to a connection handle.
All internal LDAP functions will pass this clientctrl to libldap.
conn | to add control to. |
ctrl | to add. |
freeit | Whether the control should be freed when the handle is released or closed. |
int rlm_ldap_control_add_server | ( | ldap_handle_t * | conn, |
LDAPControl * | ctrl, | ||
bool | freeit | ||
) |
Add a serverctrl to a connection handle.
All internal LDAP functions will pass this serverctrl to the server.
conn | to add control to. |
ctrl | to add. |
freeit | Whether the control should be freed when the handle is released or closed. |
int rlm_ldap_control_add_session_tracking | ( | ldap_handle_t * | conn, |
REQUEST * | request | ||
) |
void rlm_ldap_control_clear | ( | ldap_handle_t * | conn | ) |
void rlm_ldap_control_merge | ( | LDAPControl * | serverctrls_out[], |
LDAPControl * | clientctrls_out[], | ||
size_t | serverctrls_len, | ||
size_t | clientctrls_len, | ||
ldap_handle_t * | conn, | ||
LDAPControl * | serverctrls_in[], | ||
LDAPControl * | clientctrls_in[] | ||
) |
Merge connection and call specific client and server controls.
LDAP_OPT_CLIENT_CONTROLS and LDAP_OPT_SERVER_CONTROLS are useless because they're overridden in their entirety if any call-specific controls are specified.
[out] | serverctrls_out | Where to write serverctrls. |
[out] | clientctrls_out | Where to write clientctrls. |
[in] | serverctrls_len | length of serverctrls array. |
[in] | clientctrls_len | length of clientctrls array. |
[in] | conn | to get controls from. |
[in] | serverctrls_in | from arguments. |
[in] | clientctrls_in | from arguments. |
Definition at line 41 of file control.c.
char const* rlm_ldap_error_str | ( | ldap_handle_t const * | conn | ) |
size_t rlm_ldap_escape_func | ( | UNUSED REQUEST * | request, |
char * | out, | ||
size_t | outlen, | ||
char const * | in, | ||
UNUSED void * | arg | ||
) |
Converts "bad" strings into ones which are safe for LDAP.
\<hex><hex> format, whereas RFC 4514 indicates that some chars in DNs may be escaped simply with a backslash. For simplicity, we always use the hex escape sequences. In other areas where we're doing DN comparison, the DNs need to be normalised first so that they both use only hex escape sequences.
Will escape any characters in input strings that would cause the string to be interpreted as part of a DN and/or filter. The escape sequence is \<hex><hex>.
request | The current request. |
out | Pointer to output buffer. |
outlen | Size of the output buffer. |
in | Raw unescaped string. |
arg | Any additional arguments (unused). |
Definition at line 65 of file ldap.c.
char const* rlm_ldap_find_user | ( | rlm_ldap_t const * | inst, |
REQUEST * | request, | ||
ldap_handle_t ** | pconn, | ||
char const * | attrs[], | ||
bool | force, | ||
LDAPMessage ** | result, | ||
rlm_rcode_t * | rcode | ||
) |
Retrieve the DN of a user object.
Retrieves the DN of a user and adds it to the control list as LDAP-UserDN. Will also retrieve any attributes passed and return the result in *result.
This potentially allows for all authorization and authentication checks to be performed in one ldap search operation, which is a big bonus given the number of crappy, slow cough*AD*cough LDAP directory servers out there.
[in] | inst | rlm_ldap configuration. |
[in] | request | Current request. |
[in,out] | pconn | to use. May change as this function calls functions which auto re-connect. |
[in] | attrs | Additional attributes to retrieve, may be NULL. |
[in] | force | Query even if the User-DN already exists. |
[out] | result | Where to write the result, may be NULL in which case result is discarded. |
[out] | rcode | The status of the operation, one of the RLM_MODULE_* codes. |
Whether the message should be freed after being processed.
Definition at line 1152 of file ldap.c.
bool rlm_ldap_is_dn | ( | char const * | in, |
size_t | inlen | ||
) |
Check whether a string looks like a DN.
[in] | in | Str to check. |
[in] | inlen | Length of string to check. |
Definition at line 168 of file ldap.c.
int rlm_ldap_map_do | ( | const rlm_ldap_t * | inst, |
REQUEST * | request, | ||
LDAP * | handle, | ||
rlm_ldap_map_exp_t const * | expanded, | ||
LDAPMessage * | entry | ||
) |
Convert attribute map into valuepairs.
Use the attribute map built earlier to convert LDAP values into valuepairs and insert them into whichever list they need to go into.
This is NOT atomic, but there's no condition for which we should error out...
[in] | inst | rlm_ldap configuration. |
[in] | request | Current request. |
[in] | handle | associated with entry. |
[in] | expanded | attributes (rhs of map). |
[in] | entry | to retrieve attributes from. |
Definition at line 302 of file attrmap.c.
int rlm_ldap_map_expand | ( | rlm_ldap_map_exp_t * | expanded, |
REQUEST * | request, | ||
vp_map_t const * | maps | ||
) |
Expand values in an attribute map where needed.
[out] | expanded | array of attributes. Need not be initialised (we'll initialise). |
[in] | request | The current request. |
[in] | maps | to expand. |
Definition at line 251 of file attrmap.c.
int rlm_ldap_map_getvalue | ( | TALLOC_CTX * | ctx, |
VALUE_PAIR ** | out, | ||
REQUEST * | request, | ||
vp_map_t const * | map, | ||
void * | uctx | ||
) |
int rlm_ldap_map_verify | ( | vp_map_t * | map, |
void * | instance | ||
) |
ldap_rcode_t rlm_ldap_modify | ( | rlm_ldap_t const * | inst, |
REQUEST * | request, | ||
ldap_handle_t ** | pconn, | ||
char const * | dn, | ||
LDAPMod * | mods[], | ||
LDAPControl ** | serverctrls, | ||
LDAPControl ** | clientctrls | ||
) |
Modify something in the LDAP directory.
Binds as the administrative user and attempts to modify an LDAP object.
[in] | inst | rlm_ldap configuration. |
[in] | request | Current request. |
[in,out] | pconn | to use. May change as this function calls functions which auto re-connect. |
[in] | dn | of the object to modify. |
[in] | mods | to make, see 'man ldap_modify' for more information. |
[in] | serverctrls | Search controls to pass to the server. May be NULL. |
[in] | clientctrls | Search controls for ldap_modify. May be NULL. |
Definition at line 1048 of file ldap.c.
size_t rlm_ldap_normalise_dn | ( | char * | out, |
char const * | in | ||
) |
Normalise escape sequences in a DN.
Characters in a DN can be escaped either as \<hex><hex> or as \<special>.
The LDAP directory chooses how characters are escaped, which can make local comparisons of DNs difficult.
Here we search for hex sequences that match special chars, and convert them to the \<special> form.
out | Where to write the normalised DN. |
in | The input DN. |
Definition at line 312 of file ldap.c.
ldap_rcode_t rlm_ldap_result | ( | rlm_ldap_t const * | inst, |
ldap_handle_t const * | conn, | ||
int | msgid, | ||
char const * | dn, | ||
LDAPMessage ** | result, | ||
char const ** | error, | ||
char ** | extra | ||
) |
Parse response from LDAP server dealing with any errors.
Should be called after an LDAP operation. Will check result of operation and if it was successful, then attempt to retrieve and parse the result.
Will also produce extended error output including any messages the server sent, and information about partial DN matches.
[in] | inst | of LDAP module. |
[in] | conn | Current connection. |
[in] | msgid | returned from last operation. May be -1 if no result processing is required. |
[in] | dn | Last search or bind DN. |
[out] | result | Where to write result, if NULL result will be freed. |
[out] | error | Where to write the error string, may be NULL, must not be freed. |
[out] | extra | Where to write the additional error string. May be NULL (faster); otherwise the returned string must be freed with talloc_free. |
Definition at line 517 of file ldap.c.
ldap_rcode_t rlm_ldap_sasl_interactive | ( | rlm_ldap_t const * | inst, |
REQUEST * | request, | ||
ldap_handle_t * | conn, | ||
char const * | identity, | ||
char const * | password, | ||
ldap_sasl * | sasl, | ||
LDAPControl ** | serverctrls, | ||
LDAPControl ** | clientctrls, | ||
char const ** | error, | ||
char ** | extra | ||
) |
Initiate an LDAP interactive bind.
[in] | inst | rlm_ldap configuration. |
[in] | request | Current request, this may be NULL, in which case all debug logging is done with radlog. |
[in] | conn | to use. May change as this function calls functions which auto re-connect. |
[in] | identity | of the user. |
[in] | password | of the user. |
[in] | sasl | mechanism to use for bind, and additional parameters. |
[in] | serverctrls | Search controls to pass to the server. May be NULL. |
[in] | clientctrls | Search controls for ldap_sasl_interactive. May be NULL. |
[out] | error | message resulting from bind. |
[out] | extra | information about the error. |
Definition at line 105 of file sasl.c.
ldap_rcode_t rlm_ldap_search | ( | LDAPMessage ** | result, |
rlm_ldap_t const * | inst, | ||
REQUEST * | request, | ||
ldap_handle_t ** | pconn, | ||
char const * | dn, | ||
int | scope, | ||
char const * | filter, | ||
char const *const * | attrs, | ||
LDAPControl ** | serverctrls, | ||
LDAPControl ** | clientctrls | ||
) |
Search for something in the LDAP directory.
Binds as the administrative user and performs a search, dealing with any errors.
[out] | result | Where to store the result. Must be freed with ldap_msgfree if LDAP_PROC_SUCCESS is returned. May be NULL in which case result will be automatically freed after use. |
[in] | inst | rlm_ldap configuration. |
[in] | request | Current request. |
[in,out] | pconn | to use. May change as this function calls functions which auto re-connect. |
[in] | dn | to use as base for the search. |
[in] | scope | to use (LDAP_SCOPE_BASE, LDAP_SCOPE_ONE, LDAP_SCOPE_SUB). |
[in] | filter | to use. Must already be escaped; this function performs no escaping of its own. |
[in] | attrs | to retrieve. |
[in] | serverctrls | Search controls to pass to the server. May be NULL. |
[in] | clientctrls | Search controls for ldap_search. May be NULL. |
Definition at line 880 of file ldap.c.
size_t rlm_ldap_unescape_func | ( | UNUSED REQUEST * | request, |
char * | out, | ||
size_t | outlen, | ||
char const * | in, | ||
UNUSED void * | arg | ||
) |
Converts escaped DNs and filter strings back into their unescaped form.
\<hex><hex> format, whereas RFC 4514 indicates that some chars in DNs may be escaped simply with a backslash.
Will unescape any special characters in strings, or \<hex><hex> sequences.
request | The current request. |
out | Pointer to output buffer. |
outlen | Size of the output buffer. |
in | Escaped string. |
arg | Any additional arguments (unused). |
Definition at line 121 of file ldap.c.
ssize_t rlm_ldap_xlat_filter | ( | REQUEST * | request, |
char const ** | sub, | ||
size_t | sublen, | ||
char * | out, | ||
size_t | outlen | ||
) |
Combine and expand filters.
request | Current request. |
out | Where to write the expanded string. |
outlen | Length of output buffer. |
sub | Array of subfilters (may contain NULLs). |
sublen | Number of potential subfilters in array. |
Definition at line 416 of file ldap.c.
FR_NAME_NUMBER const ldap_scope[] |
Definition at line 44 of file rlm_ldap.c.
FR_NAME_NUMBER const ldap_supported_extensions[] |
FR_NAME_NUMBER const ldap_tls_require_cert[] |