The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
persistent_search.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: f0acacf7d72f693b50d0df952926379121c6a1fe $
19 * @file persistent_search.c
20 * @brief LDAP sync callback functions for servers implementing persistent search.
21 *
22 * @copyright 2022 Network RADIUS SAS (legal@networkradius.com)
23 */
24
25#define LOG_PREFIX "ldap_sync_persistent"
26
27#include "persistent_search.h"
28#include "proto_ldap_sync_ldap.h"
29#include <freeradius-devel/ldap/base.h>
30#include <freeradius-devel/util/debug.h>
31
32/** Allocate and initialise sync queries for persistent searches.
33 *
34 * Servers implementing https://tools.ietf.org/id/draft-ietf-ldapext-psearch-03.txt
35 *
36 * The persisntent search control is defined as
37 *
38 * PersistentSearch ::= SEQUENCE {
39 * changeTypes INTEGER,
40 * changesOnly BOOLEAN
41 * returnECs BOOLEAN
42 * }
43 *
44 * The sync structure is parented off the conn. When the sync is no longer needed, or
45 * an error has occurred, it should be freed with talloc_free(), which will result in
46 * an ldap_abandon message to the server to tell it to cancel the search.
47 *
48 * @param[in] conn Connection to issue the search request on.
49 * @param[in] sync_no number of the sync in the array of configs.
50 * @param[in] inst instance of ldap_sync this query relates to.
51 * @param[in] cookie not applicable to persistent search LDAP servers.
52 */
53int persistent_sync_state_init(fr_ldap_connection_t *conn, size_t sync_no, proto_ldap_sync_t const *inst, UNUSED uint8_t const *cookie)
54{
55 static char const *notify_oid = LDAP_CONTROL_PERSIST_REQUEST;
56 LDAPControl ctrl = {0}, *ctrls[2] = { &ctrl, NULL };
57 BerElement *ber = NULL;
58 int ret;
59 sync_state_t *sync;
60 fr_rb_tree_t *tree;
61 sync_config_t *config = inst->sync_config[sync_no];
62
63 fr_assert(conn);
64 fr_assert(config);
65
66 /*
67 * Allocate or retrieve the tree of outstanding msgids
68 * these are specific to the connection.
69 */
70 if (!conn->uctx) {
71 MEM(tree = fr_rb_inline_talloc_alloc(conn, sync_state_t, node, sync_state_cmp, NULL));
72 conn->uctx = tree;
73 } else {
74 tree = talloc_get_type_abort(conn->uctx, fr_rb_tree_t);
75 }
76
77 /*
78 * Allocate the sync request control
79 */
80 ber = ber_alloc_t(LBER_USE_DER);
81 if (!ber) {
82 ERROR("Failed allocating sync control");
83 return -1;
84 }
85
86 sync = sync_state_alloc(tree, conn, inst, sync_no, config);
87
88 memcpy(&ctrl.ldctl_oid, &notify_oid, sizeof(ctrl.ldctl_oid));
89
90 /*
91 * The value for the search control is
92 * - changeTypes - what changes to receive notifications of
93 * - changesOnly - don't send initial directory contents first
94 * - returnECs - send Entry Change Notification control with change responses.
95 */
96 ber_printf(ber, "{ibb}", LDAP_CONTROL_PERSIST_ENTRY_CHANGE_ADD |
97 LDAP_CONTROL_PERSIST_ENTRY_CHANGE_DELETE |
98 LDAP_CONTROL_PERSIST_ENTRY_CHANGE_MODIFY |
99 LDAP_CONTROL_PERSIST_ENTRY_CHANGE_RENAME,
100 config->changes_only, true );
101 ret = ber_flatten2(ber, &ctrl.ldctl_value, 0);
102 if (ret < 0) {
103 ERROR("Failed creating sync control");
104 ber_free(ber, 1);
105 error:
106 talloc_free(sync);
107 return -1;
108 }
109 memcpy(&ctrl.ldctl_oid, &notify_oid, sizeof(ctrl.ldctl_oid));
110
111 /*
112 * Mark the control as critical
113 */
114 ctrl.ldctl_iscritical = 1;
115
116 ret = fr_ldap_search_async(&sync->msgid, NULL, conn, config->base_dn, config->scope,
117 config->filter, config->attrs, ctrls, NULL);
118 ber_free(ber, 1);
119
120 if (ret != LDAP_PROC_SUCCESS) {
121 ERROR("Failed to start persistent search query");
122 goto error;
123 }
124
125 if (!fr_rb_insert(tree, sync)) {
126 ERROR("Duplicate sync (msgid %i)", sync->msgid);
127 goto error;
128 }
129
130 DEBUG3("Sync created with base dn \"%s\", filter \"%s\", msgid %i",
131 sync->config->base_dn, sync->config->filter, sync->msgid);
132
133 trigger_exec(unlang_interpret_get_thread_default(), config->cs, "ldap_sync.start", true, &sync->trigger_args);
134
135 /*
136 * Register event to store cookies at a regular interval
137 * Whilst persistent search LDAP servers don't provide cookies as such
138 * we treat change numbers, if provided, as cookies.
139 */
140 fr_timer_in(sync, conn->conn->el->tl, &sync->cookie_ev, inst->cookie_interval,
141 false, ldap_sync_cookie_event, sync);
142
143 return 0;
144}
145
146/** Handle a SearchResultEntry response from Persistent Search LDAP servers
147 *
148 * Upon receipt of a search request containing the PersistentSearch control, if changesOnly is
149 * false, the server provides the initial content using zero or more SearchResultEntries
150 * without EntryChangeNotification controls.
151 *
152 * Changes subsequent to the initial search request, result in SearchResultEntry or SearchResultReference
153 * with the EntryChangeNotification control which indicates what type of change is being reported.
154 *
155 * The Entry Change Notification is an LDAP Control where the controlType is the object identifier
156 * 2.16.840.1.113730.3.4.3 and the controlValue, an OCTET STRING.
157 * It contains a BER-encoded syncStateValue.
158 *
159 * EntryChangeNotification ::= SEQUENCE {
160 * changeType ENUMERATED {
161 * add (1),
162 * delete (2)
163 * modify (4),
164 * modDN (8)
165 * },
166 * previousDN LDAPDN OPTIONAL, -- only when the changeType is modDN
167 * changeNumber INTEGER OPTIONAL -- if supported, the changeNumber from the change log.
168 * }
169 *
170 * The Sync State Control is only included in SearchResultEntry and SearchResultReference Messages.
171 *
172 * @param[in] sync message was associated with.
173 * @param[in] msg containing an entry to process.
174 * @param[in] ctrls associated with the msg.
175 * @return
176 * - 0 on success.
177 * - -1 on failure.
178 */
179int persistent_sync_search_entry(sync_state_t *sync, LDAPMessage *msg, LDAPControl **ctrls)
180{
181 int ret = 0, i;
182 ber_len_t len;
183 BerElement *ber = NULL;
184 sync_op_t op = SYNC_OP_INVALID;
185 int change_type, change_no;
186 struct berval orig_dn = { 0, NULL };
187
188 fr_assert(sync);
189 fr_assert(sync->conn);
190 fr_assert(msg);
191
192 if (!ctrls) {
193 missing_control:
194 /*
195 * Initial directory sync does not have Entry Change
196 * Notification control in the returned messages.
197 */
198 if (sync->phase == SYNC_PHASE_INIT) {
199 op = SYNC_OP_ADD;
200 goto process_entry;
201 }
202 ERROR("searchResEntry missing EntryChangeNotification control");
203 error:
204 ldap_msgfree(msg);
205 return -1;
206 }
207
208 /*
209 * Every SearchResultEntry must contain a Entry Change Notification Control
210 * describing the state of an object/the changes that should be made to it.
211 *
212 * EntryChangeNotification ::= SEQUENCE {
213 * changeType ENUMERATED {
214 * add (1),
215 * delete (2),
216 * modify (4),
217 * modDN (8)
218 * },
219 * previousDN LDAPDN OPTIONAL, -- modifyDN ops. only
220 * changeNumber INTEGER OPTIONAL -- if supported
221 * }
222 *
223 * If the entry doesn't have this control then the LDAP server is broken.
224 */
225 for (i = 0; ctrls[i] != NULL; i++) {
226 if (strcmp(ctrls[i]->ldctl_oid, LDAP_CONTROL_PERSIST_ENTRY_CHANGE_NOTICE) == 0) break;
227 }
228 if (!ctrls[i]) goto missing_control;
229
230 if (sync->phase == SYNC_PHASE_INIT) sync->phase = SYNC_PHASE_DONE;
231
232 /*
233 * Get the value of the control.
234 */
235 ber = ber_init(&ctrls[i]->ldctl_value);
236 if (!ber) {
237 ERROR("Failed allocating ber to handle syncStateValue control");
238
239 free_ber:
240 if (ber) ber_free(ber, 1);
241 goto error;
242 }
243
244 /*
245 * Extract the change type - the only non-optional value.
246 */
247 if (ber_scanf(ber, "{e", &change_type) == LBER_ERROR) {
248 ERROR("Maformed EntryChangeNotification control");
249 goto free_ber;
250 }
251
252 /*
253 * Modifications provide object previous DN.
254 */
255 if ((change_type == LDAP_CONTROL_PERSIST_ENTRY_CHANGE_RENAME) &&
256 (ber_scanf(ber, "m", &orig_dn) == LBER_ERROR)) {
257 ERROR("Maformed EntryChangeNotification for entry modification");
258 goto free_ber;
259 }
260
261 if (ber_peek_tag(ber, &len) == 0x02) {
262 if (ber_scanf(ber, "i", &change_no) == LBER_ERROR) {
263 ERROR("Malformed changeNumber control");
264 goto free_ber;
265 }
266 /*
267 * The server has returned a changeNumber, treat it as a new cookie
268 */
269 if (sync->cookie) talloc_free(sync->cookie);
270 sync->cookie = (uint8_t *)talloc_asprintf(sync, "%d", change_no);
271 if (ldap_sync_cookie_store(sync, false) < 0) goto error;
272 }
273
274 if (ber_scanf(ber, "}") == LBER_ERROR) {
275 ERROR("Malformed syncStatevalue sequence");
276 goto free_ber;
277 }
278
279 /*
280 * Map persistent change types to sync states
281 */
282 switch(change_type) {
283 case LDAP_CONTROL_PERSIST_ENTRY_CHANGE_ADD:
284 op = SYNC_OP_ADD;
285 break;
286 case LDAP_CONTROL_PERSIST_ENTRY_CHANGE_DELETE:
287 op = SYNC_OP_DELETE;
288 break;
289 case LDAP_CONTROL_PERSIST_ENTRY_CHANGE_MODIFY:
290 op = SYNC_OP_MODIFY;
291 break;
292 case LDAP_CONTROL_PERSIST_ENTRY_CHANGE_RENAME:
293 op = SYNC_OP_MODIFY;
294 break;
295 default:
296 ERROR("Invalid changeType returned");
297 goto free_ber;
298 }
299
300process_entry:
301 if (DEBUG_ENABLED3) {
302 char *entry_dn = ldap_get_dn(sync->conn->handle, msg);
303
304 DEBUG3("Processing searchResEntry (%s), dn \"%s\"",
305 fr_table_str_by_value(sync_op_table, op, "<unknown>"),
306 entry_dn ? entry_dn : "<unknown>");
307
308 ldap_memfree(entry_dn);
309 }
310
311 /*
312 * Send the packet with the entry change notification
313 */
314 ret = ldap_sync_entry_send(sync, NULL, &orig_dn, msg, op);
315
316 ber_free(ber, 1);
317
318 return ret;
319}
msg
log_entry msg
Definition acutest.h:794
UNUSED
#define UNUSED
Definition build.h:317
MEM
#define MEM(x)
Definition debug.h:36
ERROR
#define ERROR(fmt,...)
Definition dhcpclient.c:41
unlang_interpret_get_thread_default
unlang_interpret_t * unlang_interpret_get_thread_default(void)
Get the default interpreter for this thread.
Definition interpret.c:1802
fr_ldap_connection_t::handle
LDAP * handle
libldap handle.
Definition base.h:333
fr_ldap_connection_t::uctx
void * uctx
User data associated with the handle.
Definition base.h:354
fr_ldap_connection_t::conn
connection_t * conn
Connection state handle.
Definition base.h:345
LDAP_PROC_SUCCESS
@ LDAP_PROC_SUCCESS
Operation was successful.
Definition base.h:585
fr_ldap_connection_t
Tracks the state of a libldap connection handle.
Definition base.h:332
fr_ldap_search_async
fr_ldap_rcode_t fr_ldap_search_async(int *msgid, request_t *request, fr_ldap_connection_t *pconn, char const *dn, int scope, char const *filter, char const *const *attrs, LDAPControl **serverctrls, LDAPControl **clientctrls)
Search for something in the LDAP directory.
Definition base.c:529
DEBUG3
#define DEBUG3(_fmt,...)
Definition log.h:266
DEBUG_ENABLED3
#define DEBUG_ENABLED3
True if global debug level 1-3 messages are enabled.
Definition log.h:259
talloc_free
talloc_free(reap)
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
persistent_sync_search_entry
int persistent_sync_search_entry(sync_state_t *sync, LDAPMessage *msg, LDAPControl **ctrls)
Handle a SearchResultEntry response from Persistent Search LDAP servers.
Definition persistent_search.c:179
persistent_sync_state_init
int persistent_sync_state_init(fr_ldap_connection_t *conn, size_t sync_no, proto_ldap_sync_t const *inst, UNUSED uint8_t const *cookie)
Allocate and initialise sync queries for persistent searches.
Definition persistent_search.c:53
persistent_search.h
config
static const conf_parser_t config[]
Definition base.c:183
sync_config_s::filter
char const * filter
Filter to retrieve only user objects.
Definition proto_ldap_sync.h:117
sync_op_t
sync_op_t
Operations to perform on entries.
Definition proto_ldap_sync.h:70
SYNC_OP_ADD
@ SYNC_OP_ADD
Entry should be added to our copy.
Definition proto_ldap_sync.h:73
SYNC_OP_MODIFY
@ SYNC_OP_MODIFY
Entry should be updated in our copy.
Definition proto_ldap_sync.h:74
SYNC_OP_INVALID
@ SYNC_OP_INVALID
Invalid sync operation.
Definition proto_ldap_sync.h:71
SYNC_OP_DELETE
@ SYNC_OP_DELETE
Entry should be deleted from our copy.
Definition proto_ldap_sync.h:75
sync_config_s::base_dn
char const * base_dn
DN to search for users under.
Definition proto_ldap_sync.h:118
proto_ldap_sync_t
An instance of a proto_ldap_sync listen section.
Definition proto_ldap_sync.h:35
sync_config_s
Areas of the directory to receive notifications for.
Definition proto_ldap_sync.h:116
ldap_sync_cookie_store
int ldap_sync_cookie_store(sync_state_t *sync, bool refresh)
Add a new cookie packet ctx to the pending list.
Definition proto_ldap_sync_ldap.c:228
ldap_sync_cookie_event
void ldap_sync_cookie_event(fr_timer_list_t *tl, UNUSED fr_time_t now, void *uctx)
Event to handle storing of cookies on a timed basis.
Definition proto_ldap_sync_ldap.c:255
ldap_sync_entry_send
int ldap_sync_entry_send(sync_state_t *sync, uint8_t const uuid[SYNC_UUID_LENGTH], struct berval *orig_dn, LDAPMessage *msg, sync_op_t op)
Enqueue a new entry change packet.
Definition proto_ldap_sync_ldap.c:420
sync_op_table
fr_table_num_sorted_t const sync_op_table[]
Operations performed on entries.
Definition proto_ldap_sync_ldap.c:109
sync_state_cmp
int8_t sync_state_cmp(void const *one, void const *two)
Compare two sync state structures on msgid.
Definition proto_ldap_sync_ldap.c:140
sync_state_alloc
sync_state_t * sync_state_alloc(TALLOC_CTX *ctx, fr_ldap_connection_t *conn, proto_ldap_sync_t const *inst, size_t sync_no, sync_config_t const *config)
Allocate a sync state.
Definition proto_ldap_sync_ldap.c:188
proto_ldap_sync_ldap.h
sync_state_s::cookie
uint8_t * cookie
Opaque cookie, used to resume synchronisation.
Definition proto_ldap_sync_ldap.h:55
sync_state_s::phase
sync_phases_t phase
Phase this sync is in.
Definition proto_ldap_sync_ldap.h:57
sync_state_s::msgid
int msgid
The unique identifier for this sync session.
Definition proto_ldap_sync_ldap.h:51
sync_state_s::config
sync_config_t const * config
Configuration for this sync.
Definition proto_ldap_sync_ldap.h:49
sync_state_s::cookie_ev
fr_timer_t * cookie_ev
Timer event for sending cookies.
Definition proto_ldap_sync_ldap.h:72
SYNC_PHASE_DONE
@ SYNC_PHASE_DONE
Refresh phase is complete.
Definition proto_ldap_sync_ldap.h:39
SYNC_PHASE_INIT
@ SYNC_PHASE_INIT
We haven't entered any of the refresh phases.
Definition proto_ldap_sync_ldap.h:36
sync_state_s::conn
fr_ldap_connection_t * conn
Connection the sync is running on.
Definition proto_ldap_sync_ldap.h:47
sync_state_s::trigger_args
fr_pair_list_t trigger_args
Arguments to make available in triggers.
Definition proto_ldap_sync_ldap.h:75
sync_state_s
State of an individual sync.
Definition proto_ldap_sync_ldap.h:44
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
fr_rb_insert
bool fr_rb_insert(fr_rb_tree_t *tree, void const *data)
Insert data into a tree.
Definition rb.c:626
fr_rb_inline_talloc_alloc
#define fr_rb_inline_talloc_alloc(_ctx, _type, _field, _data_cmp, _data_free)
Allocs a red black that verifies elements are of a specific talloc type.
Definition rb.h:246
fr_rb_tree_s
The main red black tree structure.
Definition rb.h:73
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3620
fr_table_str_by_value
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
Definition table.h:772
fr_timer_in
#define fr_timer_in(...)
Definition timer.h:86
trigger_exec
int trigger_exec(unlang_interpret_t *intp, CONF_SECTION const *cs, char const *name, bool rate_limit, fr_pair_list_t *args)
Execute a trigger - call an executable to process an event.
Definition trigger.c:233
Generated by   doxygen 1.9.8