The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
rlm_krb5.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 3007de21eba2a53aeceb3a6aba76f00e10712d9c $
19 * @file rlm_krb5.c
20 * @brief Authenticate users, retrieving their TGT from a Kerberos V5 TDC.
21 *
22 * @copyright 2000,2006,2012-2013 The FreeRADIUS server project
23 * @copyright 2013 Arran Cudbard-Bell (a.cudbardb@freeradius.org)
24 * @copyright 2000 Nathan Neulinger (nneul@umr.edu)
25 * @copyright 2000 Alan DeKok (aland@freeradius.org)
26 */
27RCSID("$Id: 3007de21eba2a53aeceb3a6aba76f00e10712d9c $")
28
29#define LOG_PREFIX inst->name
30
31#include <freeradius-devel/server/base.h>
32#include <freeradius-devel/server/module_rlm.h>
33#include <freeradius-devel/unlang/call_env.h>
34#include <freeradius-devel/util/debug.h>
35#include "krb5.h"
36
37#ifdef KRB5_IS_THREAD_SAFE
38static const conf_parser_t reuse_krb5_config[] = {
39 FR_SLAB_CONFIG_CONF_PARSER
40 CONF_PARSER_TERMINATOR
41};
42#endif
43
44static const conf_parser_t module_config[] = {
45 { FR_CONF_OFFSET("keytab", rlm_krb5_t, keytabname) },
46 { FR_CONF_OFFSET("service_principal", rlm_krb5_t, service_princ) },
47#ifdef KRB5_IS_THREAD_SAFE
48 { FR_CONF_OFFSET_SUBSECTION("reuse", 0, rlm_krb5_t, reuse, reuse_krb5_config) },
49#endif
50 CONF_PARSER_TERMINATOR
51};
52
57
58#ifdef KRB5_IS_THREAD_SAFE
59static int mod_thread_instantiate(module_thread_inst_ctx_t const *mctx)
60{
61 rlm_krb5_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_krb5_t);
62 rlm_krb5_thread_t *t = talloc_get_type_abort(mctx->thread, rlm_krb5_thread_t);
63
64 t->inst = inst;
65 if (!(t->slab = krb5_slab_list_alloc(t, mctx->el, &inst->reuse, krb5_handle_init, NULL, inst, false, true))) {
66 ERROR("Handle pool instantiation failed");
67 return -1;
68 }
69
70 return 0;
71}
72
73static int mod_thread_detach(module_thread_inst_ctx_t const *mctx)
74{
75 rlm_krb5_thread_t *t = talloc_get_type_abort(mctx->thread, rlm_krb5_thread_t);
76 talloc_free(t->slab);
77 return 0;
78}
79#endif
80
81static int mod_detach(module_detach_ctx_t const *mctx)
82{
83 rlm_krb5_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_krb5_t);
84
85#ifndef HEIMDAL_KRB5
86 talloc_free(inst->vic_options);
87
88 if (inst->gic_options) krb5_get_init_creds_opt_free(inst->context, inst->gic_options);
89 if (inst->server) krb5_free_principal(inst->context, inst->server);
90#endif
91
92 /* Don't free hostname, it's just a pointer into service_princ */
93 talloc_free(inst->service);
94
95 if (inst->context) krb5_free_context(inst->context);
96
97 return 0;
98}
99
100static int mod_instantiate(module_inst_ctx_t const *mctx)
101{
102 rlm_krb5_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_krb5_t);
103 krb5_error_code ret;
104#ifndef HEIMDAL_KRB5
105 krb5_keytab keytab;
106 char keytab_name[200];
107 char *princ_name;
108#endif
109
110#ifdef HEIMDAL_KRB5
111 DEBUG("Using Heimdal Kerberos library");
112#else
113 DEBUG("Using MIT Kerberos library");
114#endif
115
116
117 if (!krb5_is_thread_safe()) {
118/*
119 * rlm_krb5 was built as threadsafe
120 */
121#ifdef KRB5_IS_THREAD_SAFE
122 ERROR("Build time libkrb5 was threadsafe, but run time library claims not to be");
123 ERROR("Modify runtime linker path (LD_LIBRARY_PATH on most systems), to prefer threadsafe libkrb5");
124 return -1;
125/*
126 * rlm_krb5 was not built as threadsafe
127 */
128#else
129 fr_log(&default_log, L_WARN, __FILE__, __LINE__,
130 "libkrb5 is not threadsafe, recompile it with thread support enabled ("
131# ifdef HEIMDAL_KRB5
132 "--enable-pthread-support"
133# else
134 "--disable-thread-support=no"
135# endif
136 ")");
137 WARN("rlm_krb5 will run in single threaded mode, performance may be degraded");
138 } else {
139 WARN("Build time libkrb5 was not threadsafe, but run time library claims to be");
140 WARN("Reconfigure and recompile rlm_krb5 to enable thread support");
141#endif
142 }
143
144 ret = krb5_init_context(&inst->context);
145 if (ret) {
146 ERROR("Context initialisation failed: %s", rlm_krb5_error(inst, NULL, ret));
147
148 return -1;
149 }
150
151 /*
152 * Split service principal into service and host components
153 * they're needed to build the server principal in MIT,
154 * and to set the validation service in Heimdal.
155 */
156 if (inst->service_princ) {
157 size_t len;
158 /* Service principal appears to contain a host component */
159 inst->hostname = strchr(inst->service_princ, '/');
160 if (inst->hostname) {
161 len = (inst->hostname - inst->service_princ);
162 inst->hostname++;
163 } else {
164 len = strlen(inst->service_princ);
165 }
166
167 if (len) {
168 inst->service = talloc_array(inst, char, (len + 1));
169 strlcpy(inst->service, inst->service_princ, len + 1);
170 }
171 }
172
173#ifdef HEIMDAL_KRB5
174 if (inst->hostname) DEBUG("Ignoring hostname component of service principal \"%s\", not "
175 "needed/supported by Heimdal", inst->hostname);
176#else
177
178 /*
179 * Convert the service principal string to a krb5 principal.
180 */
181 ret = krb5_sname_to_principal(inst->context, inst->hostname, inst->service, KRB5_NT_SRV_HST, &(inst->server));
182 if (ret) {
183 ERROR("Failed parsing service principal: %s", rlm_krb5_error(inst, inst->context, ret));
184
185 return -1;
186 }
187
188 ret = krb5_unparse_name(inst->context, inst->server, &princ_name);
189 if (ret) {
190 /* Uh? */
191 ERROR("Failed constructing service principal string: %s", rlm_krb5_error(inst, inst->context, ret));
192
193 return -1;
194 }
195
196 /*
197 * Not necessarily the same as the config item
198 */
199 DEBUG("Using service principal \"%s\"", princ_name);
200 krb5_free_unparsed_name(inst->context, princ_name);
201
202 /*
203 * Setup options for getting credentials and verifying them
204 */
205 ret = krb5_get_init_creds_opt_alloc(inst->context, &(inst->gic_options)); /* For some reason the 'init' version
206 of this function is deprecated */
207 if (ret) {
208 ERROR("Couldn't allocate initial credential options: %s", rlm_krb5_error(inst, inst->context, ret));
209
210 return -1;
211 }
212
213 /*
214 * Perform basic checks on the keytab
215 */
216 ret = inst->keytabname ?
217 krb5_kt_resolve(inst->context, inst->keytabname, &keytab) :
218 krb5_kt_default(inst->context, &keytab);
219 if (ret) {
220 ERROR("Resolving keytab failed: %s", rlm_krb5_error(inst, inst->context, ret));
221
222 return -1;
223 }
224
225 ret = krb5_kt_get_name(inst->context, keytab, keytab_name, sizeof(keytab_name));
226 krb5_kt_close(inst->context, keytab);
227 if (ret) {
228 ERROR("Can't retrieve keytab name: %s", rlm_krb5_error(inst, inst->context, ret));
229
230 return -1;
231 }
232
233 DEBUG("Using keytab \"%s\"", keytab_name);
234
235 MEM(inst->vic_options = talloc_zero(inst, krb5_verify_init_creds_opt));
236 krb5_verify_init_creds_opt_init(inst->vic_options);
237 krb5_verify_init_creds_opt_set_ap_req_nofail(inst->vic_options, true);
238#endif
239
240#ifndef KRB5_IS_THREAD_SAFE
241 inst->conn = krb5_mod_conn_create(inst, inst, fr_time_delta_wrap(0));
242 if (!inst->conn) return -1;
243#endif
244 return 0;
245}
246
247/** Common function for transforming a User-Name string into a principal.
248 *
249 * @param[out] client Where to write the client principal.
250 * @param[in] inst of rlm_krb5.
251 * @param[in] request Current request.
252 * @param[in] context Kerberos context.
253 * @param[in] env call env data containing username.
254 */
255static rlm_rcode_t krb5_parse_user(krb5_principal *client, KRB5_UNUSED rlm_krb5_t const *inst, request_t *request,
256 krb5_context context, krb5_auth_call_env_t *env)
257{
258 krb5_error_code ret;
259 char *princ_name;
260
261 ret = krb5_parse_name(context, env->username.vb_strvalue, client);
262 if (ret) {
263 REDEBUG("Failed parsing username as principal: %s", rlm_krb5_error(inst, context, ret));
264
265 return RLM_MODULE_FAIL;
266 }
267
268 krb5_unparse_name(context, *client, &princ_name);
269 RDEBUG2("Using client principal \"%s\"", princ_name);
270#ifdef HEIMDAL_KRB5
271 free(princ_name);
272#else
273 krb5_free_unparsed_name(context, princ_name);
274#endif
275 return RLM_MODULE_OK;
276}
277
278/** Log error message and return appropriate rcode
279 *
280 * Translate kerberos error codes into return codes.
281 * @param inst of rlm_krb5.
282 * @param request Current request.
283 * @param ret code from kerberos.
284 * @param conn used in the last operation.
285 */
286static rlm_rcode_t krb5_process_error(rlm_krb5_t const *inst, request_t *request, rlm_krb5_handle_t *conn, int ret)
287{
288 fr_assert(ret != 0);
289
290 if (!fr_cond_assert(inst)) return RLM_MODULE_FAIL;
291 if (!fr_cond_assert(conn)) return RLM_MODULE_FAIL; /* Silences warnings */
292
293 switch (ret) {
294 case KRB5_LIBOS_BADPWDMATCH:
295 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
296 REDEBUG("Provided password was incorrect (%i): %s", ret, rlm_krb5_error(inst, conn->context, ret));
297 return RLM_MODULE_REJECT;
298
299 case KRB5KDC_ERR_KEY_EXP:
300 case KRB5KDC_ERR_CLIENT_REVOKED:
301 case KRB5KDC_ERR_SERVICE_REVOKED:
302 REDEBUG("Account has been locked out (%i): %s", ret, rlm_krb5_error(inst, conn->context, ret));
303 return RLM_MODULE_DISALLOW;
304
305 case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
306 RDEBUG2("User not found (%i): %s", ret, rlm_krb5_error(inst, conn->context, ret));
307 return RLM_MODULE_NOTFOUND;
308
309 default:
310 REDEBUG("Error verifying credentials (%i): %s", ret, rlm_krb5_error(inst, conn->context, ret));
311 return RLM_MODULE_FAIL;
312 }
313}
314
315#ifdef HEIMDAL_KRB5
316
317/*
318 * Validate user/pass (Heimdal)
319 */
320static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
321{
322 krb5_auth_call_env_t *env = talloc_get_type_abort(mctx->env_data, krb5_auth_call_env_t);
323 rlm_krb5_t const *inst = talloc_get_type_abort_const(mctx->mi->data, rlm_krb5_t);
324# ifdef KRB5_IS_THREAD_SAFE
325 rlm_krb5_thread_t *t = talloc_get_type_abort(mctx->thread, rlm_krb5_thread_t);
326# endif
327 rlm_rcode_t rcode;
328 krb5_error_code ret;
329 rlm_krb5_handle_t *conn;
330 krb5_principal client = NULL;
331
332 /*
333 * Make sure the supplied password isn't empty
334 */
335 if (env->password.vb_length == 0) {
336 REDEBUG("User-Password must not be empty");
337 RETURN_MODULE_INVALID;
338 }
339
340 /*
341 * Log the password
342 */
343 if (RDEBUG_ENABLED3) {
344 RDEBUG("Login attempt with password \"%pV\"", &env->password);
345 } else {
346 RDEBUG2("Login attempt with password");
347 }
348
349# ifdef KRB5_IS_THREAD_SAFE
350 conn = krb5_slab_reserve(t->slab);
351 if (!conn) RETURN_MODULE_FAIL;
352# else
353 conn = inst->conn;
354# endif
355
356 rcode = krb5_parse_user(&client, inst, request, conn->context, env);
357 if (rcode != RLM_MODULE_OK) goto cleanup;
358
359 /*
360 * Verify the user, using the options we set in instantiate
361 */
362 ret = krb5_verify_user_opt(conn->context, client, env->password.vb_strvalue, &conn->options);
363 if (ret) {
364 rcode = krb5_process_error(inst, request, conn, ret);
365 goto cleanup;
366 }
367
368 /*
369 * krb5_verify_user_opt adds the credentials to the ccache
370 * we specified with krb5_verify_opt_set_ccache.
371 *
372 * To make sure we don't accumulate thousands of sets of
373 * credentials, remove them again here.
374 *
375 * @todo This should definitely be optional, which means writing code for the MIT
376 * variant as well.
377 */
378 {
379 krb5_cc_cursor cursor;
380 krb5_creds cred;
381
382 krb5_cc_start_seq_get(conn->context, conn->ccache, &cursor);
383 for (ret = krb5_cc_next_cred(conn->context, conn->ccache, &cursor, &cred);
384 ret == 0;
385 ret = krb5_cc_next_cred(conn->context, conn->ccache, &cursor, &cred)) {
386 krb5_cc_remove_cred(conn->context, conn->ccache, 0, &cred);
387 }
388 krb5_cc_end_seq_get(conn->context, conn->ccache, &cursor);
389 }
390
391cleanup:
392 if (client) {
393 krb5_free_principal(conn->context, client);
394 }
395
396# ifdef KRB5_IS_THREAD_SAFE
397 krb5_slab_release(conn);
398# endif
399 RETURN_MODULE_RCODE(rcode);
400}
401
402#else /* HEIMDAL_KRB5 */
403
404/*
405 * Validate userid/passwd (MIT)
406 */
407static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
408{
409 krb5_auth_call_env_t *env = talloc_get_type_abort(mctx->env_data, krb5_auth_call_env_t);
410 rlm_krb5_t const *inst = talloc_get_type_abort_const(mctx->mi->data, rlm_krb5_t);
411# ifdef KRB5_IS_THREAD_SAFE
412 rlm_krb5_thread_t *t = talloc_get_type_abort(mctx->thread, rlm_krb5_thread_t);
413# endif
414 rlm_rcode_t rcode;
415 krb5_error_code ret;
416
417 rlm_krb5_handle_t *conn;
418
419 krb5_principal client = NULL; /* actually a pointer value */
420 krb5_creds init_creds;
421
422 /*
423 * Make sure the supplied password isn't empty
424 */
425 if (env->password.vb_length == 0) {
426 REDEBUG("User-Password must not be empty");
427 RETURN_MODULE_INVALID;
428 }
429
430 /*
431 * Log the password
432 */
433 if (RDEBUG_ENABLED3) {
434 RDEBUG("Login attempt with password \"%pV\"", &env->password);
435 } else {
436 RDEBUG2("Login attempt with password");
437 }
438
439# ifdef KRB5_IS_THREAD_SAFE
440 conn = krb5_slab_reserve(t->slab);
441 if (!conn) RETURN_MODULE_FAIL;
442# else
443 conn = inst->conn;
444# endif
445
446 /*
447 * Zero out local storage
448 */
449 memset(&init_creds, 0, sizeof(init_creds));
450
451 /*
452 * Check we have all the required VPs, and convert the username
453 * into a principal.
454 */
455 rcode = krb5_parse_user(&client, inst, request, conn->context, env);
456 if (rcode != RLM_MODULE_OK) goto cleanup;
457
458 /*
459 * Retrieve the TGT from the TGS/KDC and check we can decrypt it.
460 */
461 RDEBUG2("Retrieving and decrypting TGT");
462 ret = krb5_get_init_creds_password(conn->context, &init_creds, client, UNCONST(char *, env->password.vb_strvalue),
463 NULL, NULL, 0, NULL, inst->gic_options);
464 if (ret) {
465 rcode = krb5_process_error(inst, request, conn, ret);
466 goto cleanup;
467 }
468
469 RDEBUG2("Attempting to authenticate against service principal");
470 ret = krb5_verify_init_creds(conn->context, &init_creds, inst->server, conn->keytab, NULL, inst->vic_options);
471 if (ret) rcode = krb5_process_error(inst, request, conn, ret);
472
473cleanup:
474 if (client) krb5_free_principal(conn->context, client);
475 krb5_free_cred_contents(conn->context, &init_creds);
476
477# ifdef KRB5_IS_THREAD_SAFE
478 krb5_slab_release(conn);
479# endif
480 RETURN_MODULE_RCODE(rcode);
481}
482
483#endif /* MIT_KRB5 */
484
485static const call_env_method_t krb5_auth_call_env = {
486 FR_CALL_ENV_METHOD_OUT(krb5_auth_call_env_t),
487 .env = (call_env_parser_t[]) {
488 { FR_CALL_ENV_OFFSET("username", FR_TYPE_STRING, CALL_ENV_FLAG_REQUIRED, krb5_auth_call_env_t, username),
489 .pair.dflt = "&User-Name", .pair.dflt_quote = T_BARE_WORD },
490 { FR_CALL_ENV_OFFSET("password", FR_TYPE_STRING, CALL_ENV_FLAG_SECRET | CALL_ENV_FLAG_REQUIRED, krb5_auth_call_env_t, password),
491 .pair.dflt = "&User-Password", .pair.dflt_quote = T_BARE_WORD },
492 CALL_ENV_TERMINATOR
493 }
494};
495
496extern module_rlm_t rlm_krb5;
497module_rlm_t rlm_krb5 = {
498 .common = {
499 .magic = MODULE_MAGIC_INIT,
500 .name = "krb5",
501 /*
502 * FIXME - Probably want a global mutex created on mod_load
503 */
504#ifndef KRB5_IS_THREAD_SAFE
505 .flags = MODULE_TYPE_THREAD_UNSAFE,
506#else
507 .thread_inst_size = sizeof(rlm_krb5_thread_t),
508 .thread_instantiate = mod_thread_instantiate,
509 .thread_detach = mod_thread_detach,
510#endif
511 .inst_size = sizeof(rlm_krb5_t),
512 .config = module_config,
513 .instantiate = mod_instantiate,
514 .detach = mod_detach
515 },
516 .method_group = {
517 .bindings = (module_method_binding_t[]){
518 { .section = SECTION_NAME("authenticate", CF_IDENT_ANY), .method = mod_authenticate, .method_env = &krb5_auth_call_env },
519 MODULE_BINDING_TERMINATOR
520 }
521 }
522};
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
context
static int context
Definition radmin.c:71
UNCONST
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
Definition build.h:167
RCSID
#define RCSID(id)
Definition build.h:483
CALL_ENV_TERMINATOR
#define CALL_ENV_TERMINATOR
Definition call_env.h:231
FR_CALL_ENV_METHOD_OUT
#define FR_CALL_ENV_METHOD_OUT(_inst)
Helper macro for populating the size/type fields of a call_env_method_t from the output structure typ...
Definition call_env.h:235
call_env_method_s::env
call_env_parser_t const * env
Parsing rules for call method env.
Definition call_env.h:242
CALL_ENV_FLAG_SECRET
@ CALL_ENV_FLAG_SECRET
The value is a secret, and should not be logged.
Definition call_env.h:91
CALL_ENV_FLAG_REQUIRED
@ CALL_ENV_FLAG_REQUIRED
Associated conf pair or section is required.
Definition call_env.h:75
FR_CALL_ENV_OFFSET
#define FR_CALL_ENV_OFFSET(_name, _cast_type, _flags, _struct, _field)
Specify a call_env_parser_t which writes out runtime results to the specified field.
Definition call_env.h:335
call_env_method_s
Definition call_env.h:239
call_env_parser_s
Per method call config.
Definition call_env.h:175
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:642
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:268
FR_CONF_OFFSET_SUBSECTION
#define FR_CONF_OFFSET_SUBSECTION(_name, _flags, _struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:297
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:579
CF_IDENT_ANY
#define CF_IDENT_ANY
Definition cf_util.h:78
fr_cond_assert
#define fr_cond_assert(_x)
Calls panic_action ifndef NDEBUG, else logs error and evaluates to value of _x.
Definition debug.h:139
MEM
#define MEM(x)
Definition debug.h:36
ERROR
#define ERROR(fmt,...)
Definition dhcpclient.c:41
DEBUG
#define DEBUG(fmt,...)
Definition dhcpclient.c:39
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
free
free(array)
krb5_handle_init
int krb5_handle_init(rlm_krb5_handle_t *conn, void *uctx)
Definition krb5.c:101
krb5_mod_conn_create
void * krb5_mod_conn_create(TALLOC_CTX *ctx, void *instance, UNUSED fr_time_delta_t timeout)
Create and return a new connection.
Definition krb5.c:145
krb5.h
Context management functions for rlm_krb5.
rlm_krb5_handle_t::keytab
krb5_keytab keytab
Definition krb5.h:38
rlm_krb5_error
#define rlm_krb5_error(_x, _y, _z)
Definition krb5.h:99
KRB5_UNUSED
#define KRB5_UNUSED
Definition krb5.h:100
rlm_krb5_handle_t::context
krb5_context context
Definition krb5.h:37
rlm_krb5_handle_t
Definition krb5.h:36
rlm_krb5_t
Instance configuration for rlm_krb5.
Definition krb5.h:50
RDEBUG_ENABLED3
#define RDEBUG_ENABLED3
True if request debug level 1-3 messages are enabled.
Definition log.h:335
talloc_free
talloc_free(reap)
default_log
fr_log_t default_log
Definition log.c:291
fr_log
void fr_log(fr_log_t const *log, fr_log_type_t type, char const *file, int line, char const *fmt,...)
Send a server log message to its destination.
Definition log.c:583
L_WARN
@ L_WARN
Warning.
Definition log.h:57
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
fr_value_box_t
Definition merged_model.c:136
request_t
Definition merged_model.c:210
module_ctx_t::env_data
void * env_data
Per call environment data.
Definition module_ctx.h:44
module_ctx_t::mi
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
module_ctx_t::thread
void * thread
Thread specific instance data.
Definition module_ctx.h:43
module_thread_inst_ctx_t::el
fr_event_list_t * el
Event list to register any IO handlers and timers against.
Definition module_ctx.h:68
module_detach_ctx_t::mi
module_instance_t * mi
Module instance to detach.
Definition module_ctx.h:57
module_thread_inst_ctx_t::thread
void * thread
Thread instance data.
Definition module_ctx.h:67
module_thread_inst_ctx_t::mi
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:64
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
module_detach_ctx_t
Temporary structure to hold arguments for detach calls.
Definition module_ctx.h:56
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
module_thread_inst_ctx_t
Temporary structure to hold arguments for thread_instantiation calls.
Definition module_ctx.h:63
module_rlm_s::common
module_t common
Common fields presented by all modules.
Definition module_rlm.h:39
module_rlm_s
Definition module_rlm.h:38
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
REDEBUG
#define REDEBUG(fmt,...)
Definition radclient.h:52
RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient.h:54
RDEBUG
#define RDEBUG(fmt,...)
Definition radclient.h:53
WARN
#define WARN(fmt,...)
Definition radclient.h:47
thread_detach
static void thread_detach(UNUSED void *uctx)
Explicitly cleanup module/xlat resources.
Definition radiusd.c:149
thread_instantiate
static int thread_instantiate(TALLOC_CTX *ctx, fr_event_list_t *el, UNUSED void *uctx)
Create module and xlat per-thread instances.
Definition radiusd.c:132
cleanup
static bool cleanup
Definition radsniff.c:60
RETURN_MODULE_RCODE
#define RETURN_MODULE_RCODE(_rcode)
Definition rcode.h:64
RETURN_MODULE_INVALID
#define RETURN_MODULE_INVALID
Definition rcode.h:59
RETURN_MODULE_FAIL
#define RETURN_MODULE_FAIL
Definition rcode.h:56
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40
RLM_MODULE_OK
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:43
RLM_MODULE_FAIL
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:42
RLM_MODULE_DISALLOW
@ RLM_MODULE_DISALLOW
Reject the request (user is locked out).
Definition rcode.h:46
RLM_MODULE_REJECT
@ RLM_MODULE_REJECT
Immediately reject the request.
Definition rcode.h:41
RLM_MODULE_NOTFOUND
@ RLM_MODULE_NOTFOUND
User not found.
Definition rcode.h:47
mod_thread_instantiate
static int mod_thread_instantiate(module_thread_inst_ctx_t const *mctx)
Definition rlm_cache_memcached.c:326
mod_thread_detach
static int mod_thread_detach(module_thread_inst_ctx_t const *mctx)
Definition rlm_cache_memcached.c:341
mod_detach
static int mod_detach(module_detach_ctx_t const *mctx)
Definition rlm_krb5.c:81
krb5_auth_call_env_t::username
fr_value_box_t username
Definition rlm_krb5.c:54
krb5_auth_call_env_t::password
fr_value_box_t password
Definition rlm_krb5.c:55
krb5_process_error
static rlm_rcode_t krb5_process_error(rlm_krb5_t const *inst, request_t *request, rlm_krb5_handle_t *conn, int ret)
Log error message and return appropriate rcode.
Definition rlm_krb5.c:286
krb5_auth_call_env
static const call_env_method_t krb5_auth_call_env
Definition rlm_krb5.c:485
mod_authenticate
static unlang_action_t mod_authenticate(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_krb5.c:407
rlm_krb5
module_rlm_t rlm_krb5
Definition rlm_krb5.c:497
krb5_parse_user
static rlm_rcode_t krb5_parse_user(krb5_principal *client, KRB5_UNUSED rlm_krb5_t const *inst, request_t *request, krb5_context context, krb5_auth_call_env_t *env)
Common function for transforming a User-Name string into a principal.
Definition rlm_krb5.c:255
module_config
static const conf_parser_t module_config[]
Definition rlm_krb5.c:44
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition rlm_krb5.c:100
krb5_auth_call_env_t
Definition rlm_krb5.c:53
username
username
Definition rlm_securid.c:420
SECTION_NAME
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition section.h:40
MODULE_TYPE_THREAD_UNSAFE
@ MODULE_TYPE_THREAD_UNSAFE
Module is not threadsafe.
Definition module.h:48
module_s::flags
module_flags_t flags
Flags that control how a module starts up and how a module is called.
Definition module.h:227
module_instance_s::data
void * data
Module's instance data.
Definition module.h:271
MODULE_BINDING_TERMINATOR
#define MODULE_BINDING_TERMINATOR
Terminate a module binding list.
Definition module.h:151
module_method_binding_s
Named methods exported by a module.
Definition module.h:173
FR_SLAB_CONFIG_CONF_PARSER
#define FR_SLAB_CONFIG_CONF_PARSER
conf_parser_t entries to populate user configurable slab values
Definition slab.h:35
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3620
strlcpy
size_t strlcpy(char *dst, char const *src, size_t siz)
Definition strlcpy.c:34
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition talloc.h:282
fr_time_delta_wrap
#define fr_time_delta_wrap(_time)
Definition time.h:152
T_BARE_WORD
@ T_BARE_WORD
Definition token.h:120
nonnull
int nonnull(2, 5))
Generated by   doxygen 1.9.8