The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
profile.c
Go to the documentation of this file.
1/*
2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: ed1b03879fd552ab7f573f34efdad22ea5123edc $
19 * @file rlm_ldap.c
20 * @brief LDAP authorization and authentication module.
21 *
22 * @author Arran Cudbard-Bell (a.cudbardb@freeradius.org)
23 * @author Alan DeKok (aland@freeradius.org)
24 *
25 * @copyright 2012,2015 Arran Cudbard-Bell (a.cudbardb@freeradius.org)
26 * @copyright 2013,2015 Network RADIUS SAS (legal@networkradius.com)
27 * @copyright 2012 Alan DeKok (aland@freeradius.org)
28 * @copyright 1999-2013 The FreeRADIUS Server Project.
29 */
30RCSID("$Id: ed1b03879fd552ab7f573f34efdad22ea5123edc $")
31
32USES_APPLE_DEPRECATED_API
33
34#include "rlm_ldap.h"
35#include <freeradius-devel/ldap/conf.h>
36
37#include <freeradius-devel/server/map_proc.h>
38#include <freeradius-devel/server/module_rlm.h>
39
40/** Holds state of in progress async profile lookups
41 *
42 */
43typedef struct {
44 fr_ldap_result_code_t *ret; //!< Result of the query and applying the map.
45 int *applied; //!< Number of profiles applied.
46 fr_ldap_query_t *query;
47 char const *dn;
48 rlm_ldap_t const *inst;
49 fr_ldap_map_exp_t const *expanded;
50} ldap_profile_ctx_t;
51
52/** Process the results of a profile lookup
53 *
54 */
55static unlang_action_t ldap_map_profile_resume(UNUSED rlm_rcode_t *p_result, UNUSED int *priority, request_t *request,
56 void *uctx)
57{
58 ldap_profile_ctx_t *profile_ctx = talloc_get_type_abort(uctx, ldap_profile_ctx_t);
59 fr_ldap_query_t *query = profile_ctx->query;
60 LDAP *handle;
61 LDAPMessage *entry = NULL;
62 int ldap_errno;
63 char *dn = NULL;
64 int ret;
65 bool fallthrough;
66
67 /*
68 * Tell the caller what happened
69 */
70 if (profile_ctx->ret) *profile_ctx->ret = query->ret;
71
72 switch (query->ret) {
73 case LDAP_RESULT_SUCCESS:
74 break;
75
76 case LDAP_RESULT_NO_RESULT:
77 case LDAP_RESULT_BAD_DN:
78 RDEBUG2("Profile object \"%s\" not found", profile_ctx->dn);
79 goto finish;
80
81 default:
82 goto finish;
83 }
84
85 fr_assert(query->result);
86 handle = query->ldap_conn->handle;
87
88 entry = ldap_first_entry(handle, query->result);
89 if (!entry) {
90 ldap_get_option(handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
91 REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno));
92 if (profile_ctx->ret) *profile_ctx->ret = LDAP_RESULT_NO_RESULT;
93 goto finish;
94 }
95
96 RDEBUG2("Processing profile attributes");
97 RINDENT();
98 while (entry) {
99 if (RDEBUG_ENABLED2) {
100 dn = ldap_get_dn(handle, entry);
101 RDEBUG2("Processing \"%s\"", dn);
102 ldap_memfree(dn);
103 }
104
105 // Set fallthrough to the configured default
106 fallthrough = profile_ctx->inst->profile.fallthrough_def;
107
108 RINDENT();
109 ret = fr_ldap_map_do(request, profile_ctx->inst->profile.check_attr, profile_ctx->inst->valuepair_attr,
110 profile_ctx->expanded, entry);
111 if (ret < 0) {
112 if (profile_ctx->ret) *profile_ctx->ret = LDAP_RESULT_ERROR;
113 } else {
114 if (profile_ctx->applied) *profile_ctx->applied += ret;
115 }
116
117 if (profile_ctx->inst->profile.fallthrough_attr) {
118 struct berval **values;
119 int count;
120 char *value;
121 xlat_exp_head_t *cond_expr = NULL;
122 fr_value_box_list_t res;
123
124 tmpl_rules_t const parse_rules = {
125 .attr = {
126 .dict_def = request->proto_dict,
127 .list_def = request_attr_request,
128 },
129 .xlat = {
130 .runtime_el = unlang_interpret_event_list(request),
131 },
132 .at_runtime = true,
133 };
134
135 values = ldap_get_values_len(handle, entry, profile_ctx->inst->profile.fallthrough_attr);
136 count = ldap_count_values_len(values);
137 if (count == 0) goto free_values;
138 if (count > 1) {
139 RWARN("%s returned more than 1 value. Only evaluating the first.",
140 profile_ctx->inst->profile.fallthrough_attr);
141 }
142 value = fr_ldap_berval_to_string(request, values[0]);
143
144 RDEBUG3("Parsing fallthrough condition %s", value);
145 if (xlat_tokenize_expression(request, &cond_expr,
146 &FR_SBUFF_IN(value, talloc_array_length(value) - 1),
147 NULL, &parse_rules) < 0) {
148 RPEDEBUG("Failed parsing '%s' value \"%s\"", profile_ctx->inst->profile.fallthrough_attr, value);
149 goto free;
150 }
151
152 if (xlat_impure_func(cond_expr)) {
153 fr_strerror_const("Fallthrough expression cannot depend on functions which call external databases");
154 goto free;
155 }
156
157 RDEBUG2("Checking fallthrough condition %s", value);
158 fr_value_box_list_init(&res);
159 if (unlang_xlat_eval(request, &res, request, cond_expr) < 0) {
160 RPEDEBUG("Failed evaluating condition");
161 goto free;
162 }
163 fallthrough = (fr_value_box_list_head(&res) && fr_value_box_is_truthy(fr_value_box_list_head(&res))) ? true : false;
164 fr_value_box_list_talloc_free(&res);
165 RDEBUG2("Fallthrough condition evaluated to %s", fallthrough ? "true" : "false");
166 free:
167 talloc_free(value);
168 talloc_free(cond_expr);
169 free_values:
170 ldap_value_free_len(values);
171 }
172
173 entry = ldap_next_entry(handle, entry);
174 REXDENT();
175 if (!fallthrough) break;
176 }
177 REXDENT();
178
179finish:
180 talloc_free(profile_ctx);
181 return UNLANG_ACTION_CALCULATE_RESULT;
182}
183
184/** Cancel an in progress profile lookup
185 *
186 */
187static void ldap_map_profile_cancel(UNUSED request_t *request, UNUSED fr_signal_t action, void *uctx)
188{
189 ldap_profile_ctx_t *profile_ctx = talloc_get_type_abort(uctx, ldap_profile_ctx_t);
190
191 if (!profile_ctx->query || !profile_ctx->query->treq) return;
192
193 trunk_request_signal_cancel(profile_ctx->query->treq);
194}
195
196/** Search for and apply an LDAP profile
197 *
198 * LDAP profiles are mapped using the same attribute map as user objects, they're used to add common
199 * sets of attributes to the request.
200 *
201 * @param[out] ret Where to write the result of the query.
202 * @param[out] applied Where to write the number of profiles applied.
203 * @param[in] inst LDAP module instance.
204 * @param[in] request Current request.
205 * @param[in] ttrunk Trunk connection on which to run LDAP queries.
206 * @param[in] dn of profile object to apply.
207 * @param[in] scope to apply when looking up profiles.
208 * @param[in] filter to apply when looking up profiles.
209 * @param[in] expanded Structure containing a list of xlat
210 * expanded attribute names and mapping information.
211 * @return One of the RLM_MODULE_* values.
212 */
213unlang_action_t rlm_ldap_map_profile(fr_ldap_result_code_t *ret, int *applied,
214 rlm_ldap_t const *inst, request_t *request, fr_ldap_thread_trunk_t *ttrunk,
215 char const *dn, int scope, char const *filter, fr_ldap_map_exp_t const *expanded)
216{
217 ldap_profile_ctx_t *profile_ctx;
218 LDAPControl *serverctrls[] = { inst->profile.obj_sort_ctrl, NULL };
219
220 if (!dn || !*dn) return UNLANG_ACTION_CALCULATE_RESULT;
221
222 MEM(profile_ctx = talloc(unlang_interpret_frame_talloc_ctx(request), ldap_profile_ctx_t));
223 *profile_ctx = (ldap_profile_ctx_t) {
224 .ret = ret,
225 .applied = applied,
226 .dn = dn,
227 .expanded = expanded,
228 .inst = inst
229 };
230 if (ret) *ret = LDAP_RESULT_ERROR;
231
232 if (unlang_function_push(request, NULL, ldap_map_profile_resume, ldap_map_profile_cancel,
233 ~FR_SIGNAL_CANCEL, UNLANG_SUB_FRAME, profile_ctx) < 0) {
234 talloc_free(profile_ctx);
235 return UNLANG_ACTION_FAIL;
236 }
237
238 return fr_ldap_trunk_search(profile_ctx, &profile_ctx->query, request, ttrunk, dn,
239 scope, filter,
240 expanded->attrs, serverctrls, NULL);
241}
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
UNLANG_ACTION_FAIL
@ UNLANG_ACTION_FAIL
Encountered an unexpected error.
Definition action.h:36
UNLANG_ACTION_CALCULATE_RESULT
@ UNLANG_ACTION_CALCULATE_RESULT
Calculate a new section rlm_rcode_t value.
Definition action.h:37
USES_APPLE_DEPRECATED_API
#define USES_APPLE_DEPRECATED_API
Definition build.h:472
RCSID
#define RCSID(id)
Definition build.h:485
UNUSED
#define UNUSED
Definition build.h:317
MEM
#define MEM(x)
Definition debug.h:36
value
Test enumeration values.
Definition dict_test.h:92
unlang_function_push
#define unlang_function_push(_request, _func, _repeat, _signal, _sigmask, _top_frame, _uctx)
Push a generic function onto the unlang stack.
Definition function.h:111
free
free(array)
unlang_interpret_frame_talloc_ctx
TALLOC_CTX * unlang_interpret_frame_talloc_ctx(request_t *request)
Get a talloc_ctx which is valid only for this frame.
Definition interpret.c:1462
unlang_interpret_event_list
fr_event_list_t * unlang_interpret_event_list(request_t *request)
Get the event list for the current interpreter.
Definition interpret.c:1822
UNLANG_SUB_FRAME
#define UNLANG_SUB_FRAME
Definition interpret.h:36
fr_ldap_map_do
int fr_ldap_map_do(request_t *request, char const *check_attr, char const *valuepair_attr, fr_ldap_map_exp_t const *expanded, LDAPMessage *entry)
Convert attribute map into valuepairs.
Definition map.c:328
fr_ldap_connection_t::handle
LDAP * handle
libldap handle.
Definition base.h:333
fr_ldap_query_s::ret
fr_ldap_result_code_t ret
Result code.
Definition base.h:470
fr_ldap_query_s::treq
trunk_request_t * treq
Trunk request this query is associated with.
Definition base.h:456
fr_ldap_berval_to_string
char * fr_ldap_berval_to_string(TALLOC_CTX *ctx, struct berval const *in)
Convert a berval to a talloced string.
Definition util.c:441
fr_ldap_query_s::ldap_conn
fr_ldap_connection_t * ldap_conn
LDAP connection this query is running on.
Definition base.h:457
fr_ldap_result_code_t
fr_ldap_result_code_t
LDAP query result codes.
Definition base.h:188
LDAP_RESULT_ERROR
@ LDAP_RESULT_ERROR
A general error occurred.
Definition base.h:191
LDAP_RESULT_SUCCESS
@ LDAP_RESULT_SUCCESS
Successfully got LDAP results.
Definition base.h:190
LDAP_RESULT_NO_RESULT
@ LDAP_RESULT_NO_RESULT
No results returned.
Definition base.h:194
LDAP_RESULT_BAD_DN
@ LDAP_RESULT_BAD_DN
The requested DN does not exist.
Definition base.h:193
fr_ldap_query_s::result
LDAPMessage * result
Head of LDAP results list.
Definition base.h:468
fr_ldap_map_exp_t::attrs
char const * attrs[LDAP_MAX_ATTRMAP+LDAP_MAP_RESERVED+1]
Reserve some space for access attributes.
Definition base.h:372
fr_ldap_map_exp_t
Result of expanding the RHS of a set of maps.
Definition base.h:370
fr_ldap_query_s
LDAP query structure.
Definition base.h:422
fr_ldap_thread_trunk_s
Thread LDAP trunk structure.
Definition base.h:399
fr_ldap_trunk_search
unlang_action_t fr_ldap_trunk_search(TALLOC_CTX *ctx, fr_ldap_query_t **out, request_t *request, fr_ldap_thread_trunk_t *ttrunk, char const *base_dn, int scope, char const *filter, char const *const *attrs, LDAPControl **serverctrls, LDAPControl **clientctrls)
Run an async search LDAP query on a trunk connection.
Definition base.c:709
REXDENT
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition log.h:443
RDEBUG3
#define RDEBUG3(fmt,...)
Definition log.h:343
RWARN
#define RWARN(fmt,...)
Definition log.h:297
RPEDEBUG
#define RPEDEBUG(fmt,...)
Definition log.h:376
RINDENT
#define RINDENT()
Indent R* messages by one level.
Definition log.h:430
talloc_free
talloc_free(reap)
request_t
Definition merged_model.c:210
ldap_map_profile_resume
static unlang_action_t ldap_map_profile_resume(UNUSED rlm_rcode_t *p_result, UNUSED int *priority, request_t *request, void *uctx)
Process the results of a profile lookup.
Definition profile.c:55
ldap_profile_ctx_t::applied
int * applied
Number of profiles applied.
Definition profile.c:45
rlm_ldap_map_profile
unlang_action_t rlm_ldap_map_profile(fr_ldap_result_code_t *ret, int *applied, rlm_ldap_t const *inst, request_t *request, fr_ldap_thread_trunk_t *ttrunk, char const *dn, int scope, char const *filter, fr_ldap_map_exp_t const *expanded)
Search for and apply an LDAP profile.
Definition profile.c:213
ldap_map_profile_cancel
static void ldap_map_profile_cancel(UNUSED request_t *request, UNUSED fr_signal_t action, void *uctx)
Cancel an in progress profile lookup.
Definition profile.c:187
ldap_profile_ctx_t::ret
fr_ldap_result_code_t * ret
Result of the query and applying the map.
Definition profile.c:44
ldap_profile_ctx_t::inst
rlm_ldap_t const * inst
Definition profile.c:48
ldap_profile_ctx_t::dn
char const * dn
Definition profile.c:47
ldap_profile_ctx_t::expanded
fr_ldap_map_exp_t const * expanded
Definition profile.c:49
ldap_profile_ctx_t::query
fr_ldap_query_t * query
Definition profile.c:46
ldap_profile_ctx_t
Holds state of in progress async profile lookups.
Definition profile.c:43
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
REDEBUG
#define REDEBUG(fmt,...)
Definition radclient.h:52
RDEBUG_ENABLED2
#define RDEBUG_ENABLED2()
Definition radclient.h:50
RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient.h:54
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40
request_attr_request
fr_dict_attr_t const * request_attr_request
Definition request.c:43
rlm_ldap_t::profile
struct rlm_ldap_t::@169 profile
rlm_ldap_t::valuepair_attr
char const * valuepair_attr
Generic dynamic mapping attribute, contains a RADIUS attribute and value.
Definition rlm_ldap.h:93
rlm_ldap_t
Definition rlm_ldap.h:20
FR_SBUFF_IN
#define FR_SBUFF_IN(_start, _len_or_end)
tmpl_rules_s::attr
tmpl_attr_rules_t attr
Rules/data for parsing attribute references.
Definition tmpl.h:335
tmpl_rules_s
Optional arguments passed to vp_tmpl functions.
Definition tmpl.h:332
fr_signal_t
fr_signal_t
Signals that can be generated/processed by request signal handlers.
Definition signal.h:38
FR_SIGNAL_CANCEL
@ FR_SIGNAL_CANCEL
Request has been cancelled.
Definition signal.h:40
count
return count
Definition module.c:155
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3620
tmpl_attr_rules_s::dict_def
fr_dict_t const * dict_def
Default dictionary to use with unqualified attribute references.
Definition tmpl.h:273
trunk_request_signal_cancel
void trunk_request_signal_cancel(trunk_request_t *treq)
Cancel a trunk request.
Definition trunk.c:2151
unlang_xlat_eval
int unlang_xlat_eval(TALLOC_CTX *ctx, fr_value_box_list_t *out, request_t *request, xlat_exp_head_t const *xlat)
Evaluate a "pure" (or not impure) xlat.
Definition xlat.c:735
xlat_impure_func
bool xlat_impure_func(xlat_exp_head_t const *head)
Definition xlat_tokenize.c:2053
xlat_tokenize_expression
fr_slen_t xlat_tokenize_expression(TALLOC_CTX *ctx, xlat_exp_head_t **head, fr_sbuff_t *in, fr_sbuff_parse_rules_t const *p_rules, tmpl_rules_t const *t_rules))
Definition xlat_expr.c:3030
fr_strerror_const
#define fr_strerror_const(_msg)
Definition strerror.h:223
fr_value_box_is_truthy
bool fr_value_box_is_truthy(fr_value_box_t const *in)
Check truthiness of values.
Definition value.c:6574
xlat_exp_head_s
Definition xlat_priv.h:188
Generated by   doxygen 1.9.8