The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
util.c
Go to the documentation of this file.
1/*
2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 7bdabe8117965e7890e17b0fdd4d4fff228c1f00 $
19 * @file lib/ldap/util.c
20 * @brief Utility functions to escape and parse DNs
21 *
22 * @author Arran Cudbard-Bell (a.cudbardb@freeradius.org)
23 * @copyright 2017 Arran Cudbard-Bell (a.cudbardb@freeradius.org)
24 * @copyright 2017 The FreeRADIUS Server Project.
25 */
26RCSID("$Id: 7bdabe8117965e7890e17b0fdd4d4fff228c1f00 $")
27
28USES_APPLE_DEPRECATED_API
29
30#include <freeradius-devel/ldap/base.h>
31#include <freeradius-devel/util/base16.h>
32
33#include <stdarg.h>
34#include <ctype.h>
35
36static const char specials[] = ",+\"\\<>;*=()";
37static const char hextab[] = "0123456789abcdef";
38static const bool escapes[UINT8_MAX + 1] = {
39 [' '] = true,
40 ['#'] = true,
41 ['='] = true,
42 ['"'] = true,
43 ['+'] = true,
44 [','] = true,
45 [';'] = true,
46 ['<'] = true,
47 ['>'] = true,
48 ['\''] = true
49};
50
51/** Converts "bad" strings into ones which are safe for LDAP
52 *
53 * @note RFC 4515 says filter strings can only use the @verbatim <hex><hex> @endverbatim
54 * format, whereas RFC 4514 indicates that some chars in DNs, may be escaped simply
55 * with a backslash. For simplicity, we always use the hex escape sequences.
56 * In other areas where we're doing DN comparison, the DNs need to be normalised first
57 * so that they both use only hex escape sequences.
58 *
59 * @note This is a callback for xlat operations.
60 *
61 * Will escape any characters in input strings that would cause the string to be interpreted
62 * as part of a DN and or filter. Escape sequence is @verbatim <hex><hex> @endverbatim.
63 *
64 * @param request The current request.
65 * @param out Pointer to output buffer.
66 * @param outlen Size of the output buffer.
67 * @param in Raw unescaped string.
68 * @param arg Any additional arguments (unused).
69 */
70size_t fr_ldap_uri_escape_func(UNUSED request_t *request, char *out, size_t outlen, char const *in, UNUSED void *arg)
71{
72 size_t left = outlen;
73
74 if ((*in == ' ') || (*in == '#')) goto encode;
75
76 while (*in) {
77 /*
78 * Encode unsafe characters.
79 */
80 if (memchr(specials, *in, sizeof(specials) - 1)) {
81 encode:
82 /*
83 * Only 3 or less bytes available.
84 */
85 if (left <= 3) break;
86
87 *out++ = '\\';
88 *out++ = hextab[(*in >> 4) & 0x0f];
89 *out++ = hextab[*in & 0x0f];
90 in++;
91 left -= 3;
92
93 continue;
94 }
95
96 if (left <= 1) break;
97
98 /*
99 * Doesn't need encoding
100 */
101 *out++ = *in++;
102 left--;
103 }
104
105 *out = '\0';
106
107 return outlen - left;
108}
109
110int fr_ldap_box_escape(fr_value_box_t *vb, UNUSED void *uctx)
111{
112 fr_sbuff_t sbuff;
113 fr_sbuff_uctx_talloc_t sbuff_ctx;
114 size_t len;
115
116 fr_assert(!fr_value_box_is_safe_for(vb, fr_ldap_box_escape));
117
118 if ((vb->type != FR_TYPE_STRING) && (fr_value_box_cast_in_place(vb, vb, FR_TYPE_STRING, NULL) < 0)) {
119 return -1;
120 }
121
122 if (!fr_sbuff_init_talloc(vb, &sbuff, &sbuff_ctx, vb->vb_length * 3, vb->vb_length * 3)) {
123 fr_strerror_printf_push("Failed to allocate buffer for escaped filter");
124 return -1;
125 }
126
127 len = fr_ldap_uri_escape_func(NULL, fr_sbuff_buff(&sbuff), vb->vb_length * 3 + 1, vb->vb_strvalue, NULL);
128
129 /*
130 * If the returned length is unchanged, the value was already safe
131 */
132 if (len == vb->vb_length) {
133 talloc_free(fr_sbuff_buff(&sbuff));
134 } else {
135 fr_sbuff_trim_talloc(&sbuff, len);
136 fr_value_box_strdup_shallow_replace(vb, fr_sbuff_buff(&sbuff), len);
137 }
138
139 return 0;
140}
141
142/** Converts escaped DNs and filter strings into normal
143 *
144 * @note RFC 4515 says filter strings can only use the @verbatim <hex><hex> @endverbatim
145 * format, whereas RFC 4514 indicates that some chars in DNs, may be escaped simply
146 * with a backslash..
147 *
148 * Will unescape any special characters in strings, or @verbatim <hex><hex> @endverbatim
149 * sequences.
150 *
151 * @param request The current request.
152 * @param out Pointer to output buffer.
153 * @param outlen Size of the output buffer.
154 * @param in Escaped string string.
155 * @param arg Any additional arguments (unused).
156 */
157size_t fr_ldap_uri_unescape_func(UNUSED request_t *request, char *out, size_t outlen, char const *in, UNUSED void *arg)
158{
159 char const *p;
160 char *c1, *c2, c3;
161 size_t freespace = outlen;
162
163 if (outlen <= 1) return 0;
164
165 p = in;
166 while (*p && (--freespace > 0)) {
167 if (*p != '\\') {
168 next:
169 *out++ = *p++;
170 continue;
171 }
172
173 p++;
174
175 /* It's an escaped special, just remove the slash */
176 if (memchr(specials, *p, sizeof(specials) - 1)) {
177 *out++ = *p++;
178 continue;
179 }
180
181 /* Is a hex sequence */
182 if (!(c1 = memchr(hextab, tolower(p[0]), 16)) ||
183 !(c2 = memchr(hextab, tolower(p[1]), 16))) goto next;
184 c3 = ((c1 - hextab) << 4) + (c2 - hextab);
185
186 *out++ = c3;
187 p += 2;
188 }
189
190 *out = '\0';
191
192 return outlen - freespace;
193}
194
195
196/** Check whether a string looks like a DN
197 *
198 * @param[in] in Str to check.
199 * @param[in] inlen Length of string to check.
200 * @return
201 * - true if string looks like a DN.
202 * - false if string does not look like DN.
203 */
204bool fr_ldap_util_is_dn(char const *in, size_t inlen)
205{
206 char const *p;
207
208 char want = '=';
209 bool too_soon = true;
210 int comp = 1;
211
212 for (p = in; inlen > 0; p++, inlen--) {
213 if (p[0] == '\\') {
214 char c;
215
216 too_soon = false;
217
218 /*
219 * Invalid escape sequence, not a DN
220 */
221 if (inlen < 2) return false;
222
223 /*
224 * Double backslash, consume two chars
225 */
226 if (p[1] == '\\') {
227 inlen--;
228 p++;
229 continue;
230 }
231
232 /*
233 * Special, consume two chars
234 */
235 if (escapes[(uint8_t) p[1]]) {
236 inlen -= 1;
237 p += 1;
238 continue;
239 }
240
241 /*
242 * Invalid escape sequence, not a DN
243 */
244 if (inlen < 3) return false;
245
246 /*
247 * Hex encoding, consume three chars
248 */
249 if (fr_base16_decode(NULL, &FR_DBUFF_TMP((uint8_t *) &c, 1), &FR_SBUFF_IN(p + 1, 2), false) == 1) {
250 inlen -= 2;
251 p += 2;
252 continue;
253 }
254
255 /*
256 * Invalid escape sequence, not a DN
257 */
258 return false;
259 }
260
261 switch (*p) {
262 case '=':
263 if (too_soon || (*p != want)) return false; /* Too soon after last , or = */
264 want = ',';
265 too_soon = true;
266 break;
267
268 case ',':
269 if (too_soon || (*p != want)) return false; /* Too soon after last , or = */
270 want = '=';
271 too_soon = true;
272 comp++;
273 break;
274
275 default:
276 too_soon = false;
277 break;
278 }
279 }
280
281 /*
282 * If the string ended with , or =, or the number
283 * of components was less than 2
284 *
285 * i.e. we don't have <attr>=<val>,<attr>=<val>
286 */
287 if (too_soon || (comp < 2)) return false;
288
289 return true;
290}
291
292/** Parse a subset (just server side sort and virtual list view for now) of LDAP URL extensions
293 *
294 * @param[out] sss Array of LDAPControl * pointers to add controls to.
295 * @param[in] sss_len How many elements remain in the sss array.
296 * @param[in] extensions A NULL terminated array of extensions.
297 * @return
298 * - >0 the number of controls added.
299 * - 0 if no controls added.
300 * - -1 on failure.
301 */
302int fr_ldap_parse_url_extensions(LDAPControl **sss, size_t sss_len, char *extensions[])
303{
304 LDAPControl **sss_p = sss, **sss_end = sss_p + sss_len;
305 int i;
306
307 if (!extensions) {
308 *sss_p = NULL;
309 return 0;
310 }
311
312 /*
313 * Parse extensions in the LDAP URL
314 */
315 for (i = 0; extensions[i]; i++) {
316 fr_sbuff_t sbuff = FR_SBUFF_IN(extensions[i], strlen(extensions[i]));
317 bool is_critical = false;
318
319 if (sss_p == sss_end) {
320 fr_strerror_printf("Too many extensions. Maximum is %ld", sss_len);
321 goto error;
322 }
323
324 if (fr_sbuff_next_if_char(&sbuff, '!')) is_critical = true;
325
326 /*
327 * Server side sort control
328 */
329 if (fr_sbuff_adv_past_str(&sbuff, "sss", 3)) {
330 LDAPSortKey **keys;
331 int ret;
332
333 if (!fr_sbuff_next_if_char(&sbuff, '=')) {
334 LDAPControl **s;
335 fr_strerror_const("Server side sort extension must be "
336 "in the format \"[!]sss=<key>[,key]\"");
337 error:
338 s = sss;
339 while (s < sss_p) {
340 if (*s) ldap_control_free(*s);
341 s++;
342 }
343 return -1;
344 }
345
346 ret = ldap_create_sort_keylist(&keys, fr_sbuff_current(&sbuff));
347 if (ret != LDAP_SUCCESS) {
348 fr_strerror_printf("Invalid server side sort value \"%s\": %s",
349 fr_sbuff_current(&sbuff), ldap_err2string(ret));
350 goto error;
351 }
352
353 if (*sss_p) ldap_control_free(*sss_p);
354
355 ret = ldap_create_sort_control(fr_ldap_handle_thread_local(), keys, is_critical ? 1 : 0, sss_p);
356 ldap_free_sort_keylist(keys);
357 if (ret != LDAP_SUCCESS) {
358 fr_strerror_printf("Failed creating server sort control: %s",
359 ldap_err2string(ret));
360 goto error;
361 }
362 sss_p++;
363 *sss_p = NULL; /* Terminate */
364 continue;
365 }
366
367 if (fr_sbuff_adv_past_str(&sbuff, "vlv", 3)) {
368 LDAPVLVInfo vlvinfo;
369 uint32_t ext_value;
370 struct berval attr_value;
371 int ret;
372
373 if (!fr_sbuff_next_if_char(&sbuff, '=')) {
374 vlv_error:
375 fr_strerror_const("Virtual list view extension must be "
376 "in the format \"[!]vlv=<before>/<after>(/<offset>/<count>|:<value>)");
377 goto error;
378 }
379
380 vlvinfo.ldvlv_context = NULL;
381
382 if (fr_sbuff_out(NULL, &ext_value, &sbuff) <= 0) goto vlv_error;
383 if (!fr_sbuff_next_if_char(&sbuff, '/')) goto vlv_error;
384 vlvinfo.ldvlv_before_count = ext_value;
385
386 if (fr_sbuff_out(NULL, &ext_value, &sbuff) <= 0) goto vlv_error;
387 vlvinfo.ldvlv_after_count = ext_value;
388
389 /* offset/count syntax */
390 if (fr_sbuff_next_if_char(&sbuff, '/')) {
391 /* Ensure attrvalue is null - this is how the type of vlv control is determined */
392 vlvinfo.ldvlv_attrvalue = NULL;
393
394 if (fr_sbuff_out(NULL, &ext_value, &sbuff) <= 0) goto vlv_error;
395 if (!fr_sbuff_next_if_char(&sbuff, '/')) goto error;
396 vlvinfo.ldvlv_offset = ext_value;
397
398 if (fr_sbuff_out(NULL, &ext_value, &sbuff) <= 0) goto vlv_error;
399 vlvinfo.ldvlv_count = ext_value;
400
401 /* greaterThanOrEqual attribute syntax*/
402 } else if (fr_sbuff_next_if_char(&sbuff, ':')) {
403 attr_value.bv_val = fr_sbuff_current(&sbuff);
404 attr_value.bv_len = fr_sbuff_remaining(&sbuff);
405 vlvinfo.ldvlv_attrvalue = &attr_value;
406
407 } else goto error;
408
409 ret = ldap_create_vlv_control(fr_ldap_handle_thread_local(), &vlvinfo, sss_p);
410
411 if (ret != LDAP_SUCCESS) {
412 fr_strerror_printf("Failed creating virtual list view control: %s",
413 ldap_err2string(ret));
414 goto error;
415 }
416
417 sss_p++;
418 *sss_p = NULL; /* Terminate */
419 continue;
420 }
421
422 fr_strerror_printf("URL extension \"%s\" not supported", extensions[i]);
423 return -1;
424 }
425
426 return (sss_end - sss_p);
427}
428
429/** Convert a berval to a talloced string
430 *
431 * The ldap_get_values function is deprecated, and ldap_get_values_len
432 * does not guarantee the berval buffers it returns are \0 terminated.
433 *
434 * For some cases this is fine, for others we require a \0 terminated
435 * buffer (feeding DNs back into libldap for example).
436 *
437 * @param ctx to allocate in.
438 * @param in Berval to copy.
439 * @return \0 terminated buffer containing in->bv_val.
440 */
441char *fr_ldap_berval_to_string(TALLOC_CTX *ctx, struct berval const *in)
442{
443 char *out;
444
445 out = talloc_array(ctx, char, in->bv_len + 1);
446 if (!out) return NULL;
447
448 memcpy(out, in->bv_val, in->bv_len);
449 out[in->bv_len] = '\0';
450
451 return out;
452}
453
454/** Convert a berval to a talloced buffer
455 *
456 * @param ctx to allocate in.
457 * @param in Berval to copy.
458 * @return buffer containing in->bv_val.
459 */
460uint8_t *fr_ldap_berval_to_bin(TALLOC_CTX *ctx, struct berval const *in)
461{
462 uint8_t *out;
463
464 out = talloc_array(ctx, uint8_t, in->bv_len);
465 if (!out) return NULL;
466
467 memcpy(out, in->bv_val, in->bv_len);
468
469 return out;
470}
471
472/** Normalise escape sequences in a DN
473 *
474 * Characters in a DN can either be escaped as
475 * @verbatim <hex><hex> @endverbatim or @verbatim <special> @endverbatim
476 *
477 * The LDAP directory chooses how characters are escaped, which can make
478 * local comparisons of DNs difficult.
479 *
480 * Here we search for hex sequences that match special chars, and convert
481 * them to the @verbatim <special> @endverbatim form.
482 *
483 * @note the resulting output string will only ever be shorter than the
484 * input, so it's fine to use the same buffer for both out and in.
485 *
486 * @param out Where to write the normalised DN.
487 * @param in The input DN.
488 * @return The number of bytes written to out.
489 */
490size_t fr_ldap_util_normalise_dn(char *out, char const *in)
491{
492 char const *p;
493 char *o = out;
494
495 for (p = in; *p != '\0'; p++) {
496 if (p[0] == '\\') {
497 char c = '\0';
498
499 /*
500 * Double backslashes get processed specially
501 */
502 if (p[1] == '\\') {
503 p += 1;
504 *o++ = p[0];
505 *o++ = p[1];
506 continue;
507 }
508
509 /*
510 * Hex encodings that have an alternative
511 * special encoding, get rewritten to the
512 * special encoding.
513 */
514 if (fr_base16_decode(NULL, &FR_DBUFF_TMP((uint8_t *) &c, 1), &FR_SBUFF_IN(p + 1, 2), false) == 1 &&
515 escapes[(uint8_t) c]) {
516 *o++ = '\\';
517 *o++ = c;
518 p += 2;
519 continue;
520 }
521 }
522 *o++ = *p;
523 }
524 *o = '\0';
525
526 return o - out;
527}
528
529/** Find the place at which the two DN strings diverge
530 *
531 * Returns the length of the non matching string in full.
532 *
533 * @param full DN.
534 * @param part Partial DN as returned by ldap_parse_result.
535 * @return
536 * - Length of the portion of full which wasn't matched
537 * - -1 on failure.
538 */
539size_t fr_ldap_common_dn(char const *full, char const *part)
540{
541 size_t f_len, p_len, i;
542
543 if (!full) return -1;
544
545 f_len = strlen(full);
546
547 if (!part) return -1;
548
549 p_len = strlen(part);
550 if (!p_len) return f_len;
551
552 if ((f_len < p_len) || !f_len) return -1;
553
554 for (i = 0; i < p_len; i++) if (part[p_len - i] != full[f_len - i]) return -1;
555
556 return f_len - p_len;
557}
558
559/** Combine filters and tokenize to a tmpl
560 *
561 * @param ctx To allocate combined filter in
562 * @param t_rules Rules for parsing combined filter.
563 * @param sub Array of subfilters (may contain NULLs).
564 * @param sublen Number of potential subfilters in array.
565 * @param out Where to write a pointer to the resulting tmpl.
566 * @return length of combined data.
567 */
568int fr_ldap_filter_to_tmpl(TALLOC_CTX *ctx, tmpl_rules_t const *t_rules, char const **sub, size_t sublen, tmpl_t **out)
569{
570 char *buffer = NULL;
571 char const *in = NULL;
572 ssize_t len = 0;
573 size_t i;
574 int cnt = 0;
575 tmpl_t *parsed;
576
577 *out = NULL;
578
579 /*
580 * Figure out how many filter elements we need to integrate
581 */
582 for (i = 0; i < sublen; i++) {
583 if (sub[i] && *sub[i]) {
584 in = sub[i];
585 cnt++;
586 len += strlen(sub[i]);
587 }
588 }
589
590 if (!cnt) return 0;
591
592 if (cnt > 1) {
593 /*
594 * Allocate a buffer large enough, allowing for (& ... ) plus trailing '\0'
595 */
596 buffer = talloc_array(ctx, char, len + 4);
597
598 strcpy(buffer, "(&");
599 for (i = 0; i < sublen; i++) {
600 if (sub[i] && (*sub[i] != '\0')) {
601 strcat(buffer, sub[i]);
602 }
603 }
604 strcat(buffer, ")");
605 in = buffer;
606 }
607
608 len = tmpl_afrom_substr(ctx, &parsed, &FR_SBUFF_IN(in, strlen(in)), T_DOUBLE_QUOTED_STRING, NULL, t_rules);
609
610 talloc_free(buffer);
611
612 if (len < 0) {
613 EMARKER(in, -len, fr_strerror());
614 return -1;
615 }
616
617 *out = parsed;
618 return 0;
619}
620
621/** Check that a particular attribute is included in an attribute list
622 *
623 * @param[in] attrs list to check
624 * @param[in] attr to look for
625 * @return
626 * - 1 if attr is in list
627 * - 0 if attr is missing
628 * - -1 if checks not possible
629 */
630int fr_ldap_attrs_check(char const **attrs, char const *attr)
631{
632 size_t len, i;
633
634 if (!attr) return -1;
635
636 len = talloc_array_length(attrs);
637
638 for (i = 0; i < len; i++) {
639 if (!attrs[i]) continue;
640 if (strcasecmp(attrs[i], attr) == 0) return 1;
641 if (strcasecmp(attrs[i], "*") == 0) return 1;
642 }
643
644 return 0;
645}
646
647/** Check an LDAP server entry in URL format is valid
648 *
649 * @param[in,out] handle_config LDAP handle config being built
650 * @param[in] server string to parse
651 * @param[in] cs in which the server is defined
652 * @return
653 * - 0 for valid server definition
654 * - -1 for invalid server definition
655 */
656int fr_ldap_server_url_check(fr_ldap_config_t *handle_config, char const *server, CONF_SECTION const *cs)
657{
658 LDAPURLDesc *ldap_url;
659 bool set_port_maybe = true;
660 int default_port = LDAP_PORT;
661 char *p, *url;
662 CONF_ITEM *ci = (CONF_ITEM *)cf_pair_find(cs, "server");
663
664 if (ldap_url_parse(server, &ldap_url)) {
665 cf_log_err(ci, "Parsing LDAP URL \"%s\" failed", server);
666 ldap_url_error:
667 ldap_free_urldesc(ldap_url);
668 return -1;
669 }
670
671 if (ldap_url->lud_dn && (ldap_url->lud_dn[0] != '\0')) {
672 cf_log_err(ci, "Base DN cannot be specified via server URL");
673 goto ldap_url_error;
674 }
675
676 if (ldap_url->lud_attrs && ldap_url->lud_attrs[0]) {
677 cf_log_err(ci, "Attribute list cannot be speciried via server URL");
678 goto ldap_url_error;
679 }
680
681 /*
682 * ldap_url_parse sets this to base by default.
683 */
684 if (ldap_url->lud_scope != LDAP_SCOPE_BASE) {
685 cf_log_err(ci, "Scope cannot be specified via server URL");
686 goto ldap_url_error;
687 }
688 ldap_url->lud_scope = -1; /* Otherwise LDAP adds ?base */
689
690 /*
691 * The public ldap_url_parse function sets the default
692 * port, so we have to discover whether a port was
693 * included ourselves.
694 */
695 if ((p = strchr(server, ']')) && (p[1] == ':')) { /* IPv6 */
696 set_port_maybe = false;
697 } else if ((p = strchr(server, ':')) && (strchr(p+1, ':') != NULL)) { /* IPv4 */
698 set_port_maybe = false;
699 }
700
701 /*
702 * Figure out the default port from the URL
703 */
704 if (ldap_url->lud_scheme) {
705 if (strcmp(ldap_url->lud_scheme, "ldaps") == 0) {
706 if (handle_config->start_tls == true) {
707 cf_log_err(ci, "ldaps:// scheme is not compatible with 'start_tls'");
708 goto ldap_url_error;
709 }
710 default_port = LDAPS_PORT;
711 handle_config->tls_mode = LDAP_OPT_X_TLS_HARD;
712 } else if (strcmp(ldap_url->lud_scheme, "ldapi") == 0) {
713 set_port_maybe = false;
714 }
715 }
716
717 if (set_port_maybe) {
718 /*
719 * URL port overrides configured port.
720 */
721 ldap_url->lud_port = handle_config->port;
722
723 /*
724 * If there's no URL port, then set it to the default
725 * this is so debugging messages show explicitly
726 * the port we're connecting to.
727 */
728 if (!ldap_url->lud_port) ldap_url->lud_port = default_port;
729 }
730
731 url = ldap_url_desc2str(ldap_url);
732 if (!url) {
733 cf_log_err(ci, "Failed recombining URL components");
734 goto ldap_url_error;
735 }
736 handle_config->server = talloc_asprintf_append(handle_config->server, "%s ", url);
737
738 ldap_free_urldesc(ldap_url);
739 ldap_memfree(url);
740 return (0);
741}
742
743/** Check an LDAP server config in server:port format is valid
744 *
745 * @param[in,out] handle_config LDAP handle config being built
746 * @param[in] server string to parse
747 * @param[in] cs in which the server is defined
748 * @return
749 * - 0 for valid server definition
750 * - -1 for invalid server definition
751 */
752int fr_ldap_server_config_check(fr_ldap_config_t *handle_config, char const *server, CONF_SECTION *cs)
753{
754 char const *p;
755 char *q;
756 int port = 0;
757 size_t len;
758
759 port = handle_config->port;
760
761 /*
762 * We don't support URLs if the library didn't provide
763 * URL parsing functions.
764 */
765 if (strchr(server, '/')) {
766 CONF_ITEM *ci;
767 bad_server_fmt:
768 ci = (CONF_ITEM *)cf_pair_find(cs, "server");
769 cf_log_err(ci, "Invalid 'server' entry, must be in format <server>[:<port>] or "
770 "an ldap URI (ldap|cldap|ldaps|ldapi)://<server>:<port>");
771 return -1;
772 }
773
774 p = strrchr(server, ':');
775 if (p) {
776 port = (int)strtol((p + 1), &q, 10);
777 if ((p == server) || ((p + 1) == q) || (*q != '\0')) goto bad_server_fmt;
778 len = p - server;
779 } else {
780 len = strlen(server);
781 }
782 if (port == 0) port = LDAP_PORT;
783
784 handle_config->server = talloc_asprintf_append(handle_config->server, "ldap://%.*s:%i ",
785 (int)len, server, port);
786 return 0;
787}
788
789/** Translate the error code emitted from ldap_url_parse and friends into something accessible with fr_strerror()
790 *
791 * @param[in] ldap_url_err The error code returned
792 */
793char const *fr_ldap_url_err_to_str(int ldap_url_err)
794{
795 switch (ldap_url_err) {
796 case LDAP_URL_SUCCESS:
797 return "success";
798
799 case LDAP_URL_ERR_MEM:
800 return "no memory";
801
802 case LDAP_URL_ERR_PARAM:
803 return "parameter is bad";
804
805 case LDAP_URL_ERR_BADSCHEME:
806 return "URL doesn't begin with \"[c]ldap[si]://\"";
807
808 case LDAP_URL_ERR_BADENCLOSURE:
809 return "URL is missing trailing \">\"";
810
811 case LDAP_URL_ERR_BADURL:
812 return "URL is bad";
813
814 case LDAP_URL_ERR_BADHOST:
815 return "host/port is bad";
816
817 case LDAP_URL_ERR_BADATTRS:
818 return "bad (or missing) attributes";
819
820 case LDAP_URL_ERR_BADSCOPE:
821 return "scope string is invalid (or missing)";
822
823 case LDAP_URL_ERR_BADFILTER:
824 return "bad or missing filter";
825
826 case LDAP_URL_ERR_BADEXTS:
827 return "bad or missing extensions";
828
829 default:
830 return "unknown reason";
831 }
832}
buffer
static int const char char buffer[256]
Definition acutest.h:576
strcpy
strcpy(log_entry->msg, buffer)
fr_base16_decode
#define fr_base16_decode(_err, _out, _in, _no_trailing)
Definition base16.h:95
USES_APPLE_DEPRECATED_API
#define USES_APPLE_DEPRECATED_API
Definition build.h:472
RCSID
#define RCSID(id)
Definition build.h:485
UNUSED
#define UNUSED
Definition build.h:317
cf_item
Common header for all CONF_* types.
Definition cf_priv.h:49
cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
cf_pair_find
CONF_PAIR * cf_pair_find(CONF_SECTION const *cs, char const *attr)
Search for a CONF_PAIR with a specific name.
Definition cf_util.c:1438
cf_log_err
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:289
FR_DBUFF_TMP
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
Definition dbuff.h:514
in
static fr_slen_t in
Definition dict.h:840
fr_ldap_config_t::server
char * server
Initial server to bind to.
Definition base.h:224
fr_ldap_config_t::start_tls
bool start_tls
Send the Start TLS message to the LDAP directory to start encrypted communications using the standard...
Definition base.h:258
fr_ldap_config_t::port
uint16_t port
Port to use when binding to the server.
Definition base.h:227
fr_ldap_config_t
Connection configuration.
Definition base.h:221
fr_ldap_handle_thread_local
LDAP * fr_ldap_handle_thread_local(void)
Get a thread local dummy LDAP handle.
Definition base.c:1106
fr_ldap_url_err_to_str
char const * fr_ldap_url_err_to_str(int ldap_url_err)
Translate the error code emitted from ldap_url_parse and friends into something accessible with fr_st...
Definition util.c:793
hextab
static const char hextab[]
Definition util.c:37
fr_ldap_util_normalise_dn
size_t fr_ldap_util_normalise_dn(char *out, char const *in)
Normalise escape sequences in a DN.
Definition util.c:490
fr_ldap_uri_escape_func
size_t fr_ldap_uri_escape_func(UNUSED request_t *request, char *out, size_t outlen, char const *in, UNUSED void *arg)
Converts "bad" strings into ones which are safe for LDAP.
Definition util.c:70
fr_ldap_util_is_dn
bool fr_ldap_util_is_dn(char const *in, size_t inlen)
Check whether a string looks like a DN.
Definition util.c:204
fr_ldap_common_dn
size_t fr_ldap_common_dn(char const *full, char const *part)
Find the place at which the two DN strings diverge.
Definition util.c:539
fr_ldap_attrs_check
int fr_ldap_attrs_check(char const **attrs, char const *attr)
Check that a particular attribute is included in an attribute list.
Definition util.c:630
specials
static USES_APPLE_DEPRECATED_API const char specials[]
Definition util.c:36
fr_ldap_berval_to_bin
uint8_t * fr_ldap_berval_to_bin(TALLOC_CTX *ctx, struct berval const *in)
Convert a berval to a talloced buffer.
Definition util.c:460
fr_ldap_server_url_check
int fr_ldap_server_url_check(fr_ldap_config_t *handle_config, char const *server, CONF_SECTION const *cs)
Check an LDAP server entry in URL format is valid.
Definition util.c:656
fr_ldap_berval_to_string
char * fr_ldap_berval_to_string(TALLOC_CTX *ctx, struct berval const *in)
Convert a berval to a talloced string.
Definition util.c:441
fr_ldap_box_escape
int fr_ldap_box_escape(fr_value_box_t *vb, UNUSED void *uctx)
Definition util.c:110
fr_ldap_server_config_check
int fr_ldap_server_config_check(fr_ldap_config_t *handle_config, char const *server, CONF_SECTION *cs)
Check an LDAP server config in server:port format is valid.
Definition util.c:752
fr_ldap_uri_unescape_func
size_t fr_ldap_uri_unescape_func(UNUSED request_t *request, char *out, size_t outlen, char const *in, UNUSED void *arg)
Converts escaped DNs and filter strings into normal.
Definition util.c:157
escapes
static const bool escapes[UINT8_MAX+1]
Definition util.c:38
fr_ldap_parse_url_extensions
int fr_ldap_parse_url_extensions(LDAPControl **sss, size_t sss_len, char *extensions[])
Parse a subset (just server side sort and virtual list view for now) of LDAP URL extensions.
Definition util.c:302
fr_ldap_filter_to_tmpl
int fr_ldap_filter_to_tmpl(TALLOC_CTX *ctx, tmpl_rules_t const *t_rules, char const **sub, size_t sublen, tmpl_t **out)
Combine filters and tokenize to a tmpl.
Definition util.c:568
EMARKER
#define EMARKER(_str, _marker_idx, _marker)
Definition log.h:232
talloc_free
talloc_free(reap)
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
ssize_t
long int ssize_t
Definition merged_model.c:24
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
UINT8_MAX
#define UINT8_MAX
Definition merged_model.c:32
fr_sbuff_t
Definition merged_model.c:37
fr_value_box_t
Definition merged_model.c:136
request_t
Definition merged_model.c:210
tmpl_t
Definition merged_model.c:225
strcasecmp
int strcasecmp(char *s1, char *s2)
Definition missing.c:66
encode
static int encode(bio_handle_t *h, request_t *request, bio_request_t *u, uint8_t id)
Definition bio.c:1121
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
comp
static int8_t comp(void const *a, void const *b)
Definition rbmonkey.c:13
fr_sbuff_trim_talloc
int fr_sbuff_trim_talloc(fr_sbuff_t *sbuff, size_t len)
Trim a talloced sbuff to the minimum length required to represent the contained string.
Definition sbuff.c:421
fr_sbuff_adv_past_str
size_t fr_sbuff_adv_past_str(fr_sbuff_t *sbuff, char const *needle, size_t needle_len)
Return true and advance past the end of the needle if needle occurs next in the sbuff.
Definition sbuff.c:1714
fr_sbuff_next_if_char
bool fr_sbuff_next_if_char(fr_sbuff_t *sbuff, char c)
Return true if the current char matches, and if it does, advance.
Definition sbuff.c:2090
FR_SBUFF_IN
#define FR_SBUFF_IN(_start, _len_or_end)
fr_sbuff_current
#define fr_sbuff_current(_sbuff_or_marker)
fr_sbuff_buff
#define fr_sbuff_buff(_sbuff_or_marker)
fr_sbuff_out
#define fr_sbuff_out(_err, _out, _in)
fr_sbuff_remaining
#define fr_sbuff_remaining(_sbuff_or_marker)
fr_sbuff_uctx_talloc_t
Talloc sbuff extension structure.
Definition sbuff.h:139
tmpl_afrom_substr
ssize_t tmpl_afrom_substr(TALLOC_CTX *ctx, tmpl_t **out, fr_sbuff_t *in, fr_token_t quote, fr_sbuff_parse_rules_t const *p_rules, tmpl_rules_t const *t_rules))
Convert an arbitrary string into a tmpl_t.
Definition tmpl_tokenize.c:3155
tmpl_rules_s
Optional arguments passed to vp_tmpl functions.
Definition tmpl.h:332
T_DOUBLE_QUOTED_STRING
@ T_DOUBLE_QUOTED_STRING
Definition token.h:121
fr_strerror
char const * fr_strerror(void)
Get the last library error.
Definition strerror.c:553
fr_strerror_printf
#define fr_strerror_printf(_fmt,...)
Log to thread local error buffer.
Definition strerror.h:64
fr_strerror_printf_push
#define fr_strerror_printf_push(_fmt,...)
Add a message to an existing stack of messages at the tail.
Definition strerror.h:84
fr_strerror_const
#define fr_strerror_const(_msg)
Definition strerror.h:223
fr_value_box_cast_in_place
int fr_value_box_cast_in_place(TALLOC_CTX *ctx, fr_value_box_t *vb, fr_type_t dst_type, fr_dict_attr_t const *dst_enumv)
Convert one type of fr_value_box_t to another in place.
Definition value.c:3790
fr_value_box_strdup_shallow_replace
void fr_value_box_strdup_shallow_replace(fr_value_box_t *vb, char const *src, ssize_t len)
Free the existing buffer (if talloced) associated with the valuebox, and replace it with a new one.
Definition value.c:4283
fr_value_box_is_safe_for
#define fr_value_box_is_safe_for(_box, _safe_for)
Definition value.h:1078
inlen
static size_t char fr_sbuff_t size_t inlen
Definition value.h:1020
out
static size_t char ** out
Definition value.h:1020
Generated by   doxygen 1.9.8