![]() |
The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
|
LDAP authorization and authentication module. More...
#include <freeradius-devel/util/debug.h>
#include <freeradius-devel/util/table.h>
#include <freeradius-devel/util/uri.h>
#include <freeradius-devel/util/value.h>
#include <freeradius-devel/ldap/conf.h>
#include <freeradius-devel/ldap/base.h>
#include <freeradius-devel/server/map_proc.h>
#include <freeradius-devel/server/module_rlm.h>
#include <freeradius-devel/server/rcode.h>
#include <freeradius-devel/unlang/xlat_func.h>
#include <freeradius-devel/unlang/action.h>
#include <freeradius-devel/unlang/map.h>
#include <ldap.h>
#include "rlm_ldap.h"
Go to the source code of this file.
Data Structures | |
struct | ldap_auth_call_env_t |
struct | ldap_auth_ctx_t |
Holds state of in progress async authentication. More... | |
struct | ldap_map_ctx_t |
Holds state of in progress LDAP map. More... | |
struct | ldap_mod_tmpl_t |
struct | ldap_update_rules_t |
Parameters to allow ldap_update_section_parse to be reused. More... | |
struct | ldap_user_modify_ctx_t |
Holds state of in progress ldap user modifications. More... | |
struct | ldap_usermod_call_env_t |
struct | ldap_xlat_profile_call_env_t |
Call environment used in the profile xlat. More... | |
struct | ldap_xlat_profile_ctx_t |
struct | rlm_ldap_boot_t |
Macros | |
#define | CHECK_EXPANDED_SPACE(_expanded) fr_assert((size_t)_expanded->count < (NUM_ELEMENTS(_expanded->attrs) - 1)); |
#define | LDAP_URI_SAFE_FOR (fr_value_box_safe_for_t)fr_ldap_uri_escape_func |
This is the common function that actually ends up doing all the URI escaping. | |
#define | REPEAT_LDAP_MEMBEROF_XLAT_RESULTS |
#define | REPEAT_MOD_AUTHORIZE_RESUME |
#define | SSS_CONTROL_BUILD(_obj) |
#define | USER_CALL_ENV_COMMON(_struct) |
#define | USERMOD_ENV(_section) |
Enumerations | |
enum | ldap_schemes_t { LDAP_SCHEME_UNIX = 0 , LDAP_SCHEME_TCP , LDAP_SCHEME_TCP_SSL } |
Functions | |
static int | autz_ctx_free (ldap_autz_ctx_t *autz_ctx) |
Ensure authorization context is properly cleared up. | |
static char * | host_uri_canonify (request_t *request, LDAPURLDesc *url_parsed, fr_value_box_t *url_in) |
Produce canonical LDAP host URI for finding trunks. | |
static int | ldap_group_filter_parse (TALLOC_CTX *ctx, void *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, UNUSED call_env_parser_t const *rule) |
static int | ldap_group_filter_parse (TALLOC_CTX *ctx, void *out, tmpl_rules_t const *t_rules, UNUSED CONF_ITEM *ci, call_env_ctx_t const *cec, UNUSED call_env_parser_t const *rule) |
static xlat_action_t | ldap_group_xlat (TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in) |
Check for a user being in a LDAP group. | |
static void | ldap_group_xlat_cancel (UNUSED request_t *request, UNUSED fr_signal_t action, void *uctx) |
Cancel an in-progress query for the LDAP group membership xlat. | |
static unlang_action_t | ldap_group_xlat_results (unlang_result_t *p_result, request_t *request, void *uctx) |
Run the state machine for the LDAP membership xlat. | |
static xlat_action_t | ldap_group_xlat_resume (TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, UNUSED request_t *request, UNUSED fr_value_box_list_t *in) |
Process the results of evaluating LDAP group membership. | |
static unlang_action_t | ldap_group_xlat_user_find (UNUSED unlang_result_t *p_result, request_t *request, void *uctx) |
User object lookup as part of group membership xlat. | |
static int | ldap_map_verify (CONF_SECTION *cs, UNUSED void const *mod_inst, UNUSED void *proc_inst, tmpl_t const *src, UNUSED map_list_t const *maps) |
static int | ldap_mod_section_parse (TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, call_env_parser_t const *rule) |
static int | ldap_mod_section_parse (TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, UNUSED call_env_parser_t const *rule) |
static xlat_action_t | ldap_profile_xlat (UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in) |
Expand an LDAP URL into a query, applying the results using the user update map. | |
static xlat_action_t | ldap_profile_xlat_resume (TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, UNUSED request_t *request, UNUSED fr_value_box_list_t *in) |
Return whether evaluating the profile was successful. | |
static void | ldap_query_timeout (UNUSED fr_timer_list_t *tl, UNUSED fr_time_t now, void *uctx) |
Callback when LDAP query times out. | |
static int | ldap_update_section_parse (TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, call_env_parser_t const *rule) |
static int | ldap_update_section_parse (TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, UNUSED call_env_ctx_t const *cec, call_env_parser_t const *rule) |
static xlat_action_t | ldap_uri_escape_xlat (TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in) |
Escape LDAP string. | |
static int | ldap_uri_part_escape (fr_value_box_t *vb, UNUSED void *uctx) |
Escape function for a part of an LDAP URI. | |
static xlat_action_t | ldap_uri_unescape_xlat (TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in) |
Unescape LDAP string. | |
static xlat_action_t | ldap_xlat (UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in) |
Expand an LDAP URL into a query, and return a string result from that query. | |
static int | ldap_xlat_profile_ctx_free (ldap_xlat_profile_ctx_t *to_free) |
static xlat_action_t | ldap_xlat_resume (TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, UNUSED fr_value_box_list_t *in) |
Callback when resuming after async ldap query is completed. | |
static void | ldap_xlat_signal (xlat_ctx_t const *xctx, request_t *request, UNUSED fr_signal_t action) |
Callback for signalling async ldap query. | |
static xlat_action_t | ldap_xlat_uri_attr_option (TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in) |
Modify an LDAP URI to append an option to all attributes. | |
static int | ldap_xlat_uri_parse (LDAPURLDesc **uri_parsed, char **host_out, bool *free_host_out, request_t *request, char *host_default, fr_value_box_t *uri_in) |
Utility function for parsing LDAP URLs. | |
static int | map_ctx_free (ldap_map_ctx_t *map_ctx) |
Ensure map context is properly cleared up. | |
static unlang_action_t | mod_authenticate (unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request) |
static unlang_action_t | mod_authorize (unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request) |
static void | mod_authorize_cancel (module_ctx_t const *mctx, UNUSED request_t *request, UNUSED fr_signal_t action) |
Clear up when cancelling a mod_authorize call. | |
static unlang_action_t | mod_authorize_resume (unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request) |
Resume function called after each potential yield in LDAP authorization. | |
static int | mod_bootstrap (module_inst_ctx_t const *mctx) |
Bootstrap the module. | |
static int | mod_detach (module_detach_ctx_t const *mctx) |
Detach from the LDAP server and cleanup internal state. | |
static int | mod_instantiate (module_inst_ctx_t const *mctx) |
Instantiate the module. | |
static int | mod_load (void) |
static unlang_action_t | mod_map_proc (unlang_result_t *p_result, map_ctx_t const *mpctx, request_t *request, fr_value_box_list_t *url, map_list_t const *maps) |
Perform a search and map the result of the search to server attributes. | |
static unlang_action_t | mod_map_resume (unlang_result_t *p_result, map_ctx_t const *mpctx, request_t *request, UNUSED fr_value_box_list_t *url, UNUSED map_list_t const *maps) |
Process the results of an LDAP map query. | |
static unlang_action_t | mod_modify (unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request) |
Modify user's object in LDAP. | |
static int | mod_thread_detach (module_thread_inst_ctx_t const *mctx) |
Clean up thread specific data structure. | |
static int | mod_thread_instantiate (module_thread_inst_ctx_t const *mctx) |
Initialise thread specific data structure. | |
static void | mod_unload (void) |
static void | user_modify_cancel (module_ctx_t const *mctx, UNUSED request_t *request, UNUSED fr_signal_t action) |
Cancel an in progress user modification. | |
static unlang_action_t | user_modify_final (unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request) |
Handle results of user modification. | |
static unlang_action_t | user_modify_mod_build_resume (unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request) |
static unlang_action_t | user_modify_resume (unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request) |
Take the retrieved user DN and launch the async tmpl expansion of mod_values. | |
USERMOD_ENV (accounting) | |
USERMOD_ENV (send) | |
LDAP authorization and authentication module.
Definition in file rlm_ldap.c.
struct ldap_auth_call_env_t |
Definition at line 58 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
fr_value_box_t | password | |
tmpl_t const * | password_tmpl | |
fr_value_box_t | user_sasl_authname | |
fr_value_box_t | user_sasl_mech | |
fr_value_box_t | user_sasl_proxy | |
fr_value_box_t | user_sasl_realm |
struct ldap_auth_ctx_t |
Holds state of in progress async authentication.
Definition at line 355 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
ldap_auth_call_env_t * | call_env | |
char const * | dn | |
rlm_ldap_t const * | inst | |
char const * | password | |
fr_ldap_thread_t * | thread |
struct ldap_map_ctx_t |
Holds state of in progress LDAP map.
Definition at line 383 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
fr_ldap_map_exp_t | expanded | |
LDAPURLDesc * | ldap_url | |
map_list_t const * | maps | |
fr_ldap_query_t * | query | |
LDAPControl * | serverctrls[LDAP_MAX_CONTROLS] |
struct ldap_mod_tmpl_t |
Definition at line 67 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
char const * | attr | |
fr_token_t | op | |
tmpl_t const * | tmpl |
struct ldap_update_rules_t |
Parameters to allow ldap_update_section_parse to be reused.
Definition at line 209 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
ssize_t | expect_password_offset | |
size_t | map_offset |
struct ldap_user_modify_ctx_t |
Holds state of in progress ldap user modifications.
Definition at line 366 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
ldap_usermod_call_env_t * | call_env | |
size_t | current_mod | |
char const * | dn | |
fr_value_box_list_t | expanded | |
size_t | expanded_mods | |
rlm_ldap_t const * | inst | |
LDAPMod ** | mod_p | |
LDAPMod * | mod_s | |
size_t | num_mods | |
fr_ldap_query_t * | query | |
fr_ldap_thread_trunk_t * | ttrunk |
struct ldap_usermod_call_env_t |
Definition at line 72 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
ldap_mod_tmpl_t ** | mod | |
fr_value_box_t | user_base | |
fr_value_box_t | user_filter |
struct ldap_xlat_profile_call_env_t |
Call environment used in the profile xlat.
Definition at line 80 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
fr_value_box_t | profile_filter | Filter to use when searching for users. |
map_list_t * | profile_map | List of maps to apply to the profile. |
struct ldap_xlat_profile_ctx_t |
Definition at line 1140 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
int | applied | |
fr_ldap_map_exp_t | expanded | |
fr_ldap_result_code_t | ret | |
LDAPURLDesc * | url |
struct rlm_ldap_boot_t |
Definition at line 53 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
fr_dict_attr_t const * | cache_da | |
fr_dict_attr_t const * | group_da |
#define CHECK_EXPANDED_SPACE | ( | _expanded | ) | fr_assert((size_t)_expanded->count < (NUM_ELEMENTS(_expanded->attrs) - 1)); |
#define LDAP_URI_SAFE_FOR (fr_value_box_safe_for_t)fr_ldap_uri_escape_func |
This is the common function that actually ends up doing all the URI escaping.
Definition at line 406 of file rlm_ldap.c.
#define REPEAT_LDAP_MEMBEROF_XLAT_RESULTS |
Definition at line 963 of file rlm_ldap.c.
#define REPEAT_MOD_AUTHORIZE_RESUME |
Definition at line 1616 of file rlm_ldap.c.
#define SSS_CONTROL_BUILD | ( | _obj | ) |
#define USER_CALL_ENV_COMMON | ( | _struct | ) |
Definition at line 187 of file rlm_ldap.c.
#define USERMOD_ENV | ( | _section | ) |
Definition at line 255 of file rlm_ldap.c.
enum ldap_schemes_t |
Enumerator | |
---|---|
LDAP_SCHEME_UNIX | |
LDAP_SCHEME_TCP | |
LDAP_SCHEME_TCP_SSL |
Definition at line 391 of file rlm_ldap.c.
|
static |
Ensure authorization context is properly cleared up.
Definition at line 1925 of file rlm_ldap.c.
|
inlinestatic |
Produce canonical LDAP host URI for finding trunks.
Definition at line 750 of file rlm_ldap.c.
|
static |
|
static |
|
static |
Cancel an in-progress query for the LDAP group membership xlat.
Definition at line 954 of file rlm_ldap.c.
|
static |
Run the state machine for the LDAP membership xlat.
This is called after each async lookup is completed
Will stop early, and set p_result to unlang_result
Definition at line 974 of file rlm_ldap.c.
|
static |
Process the results of evaluating LDAP group membership.
Definition at line 1025 of file rlm_ldap.c.
|
static |
User object lookup as part of group membership xlat.
Called if the ldap membership xlat is used and the user DN is not already known
Definition at line 936 of file rlm_ldap.c.
|
static |
|
static |
|
static |
|
static |
Return whether evaluating the profile was successful.
Definition at line 1150 of file rlm_ldap.c.
|
static |
Callback when LDAP query times out.
Definition at line 543 of file rlm_ldap.c.
|
static |
|
static |
|
static |
Escape function for a part of an LDAP URI.
Definition at line 514 of file rlm_ldap.c.
|
static |
|
static |
Callback when resuming after async ldap query is completed.
Definition at line 659 of file rlm_ldap.c.
|
static |
Callback for signalling async ldap query.
Definition at line 706 of file rlm_ldap.c.
|
static |
Utility function for parsing LDAP URLs.
All LDAP xlat functions that work with LDAP URLs should call this function to parse the URL.
[out] | uri_parsed | LDAP URL parsed. Must be freed with ldap_url_desc_free. |
[out] | host_out | host name to use for the query. Must be freed with ldap_mem_free if free_host_out is true. |
[out] | free_host_out | True if host_out should be freed. |
[in] | request | Request being processed. |
[in] | host_default | Default host to use if the URL does not specify a host. |
[in] | uri_in | URI to parse. |
Definition at line 781 of file rlm_ldap.c.
|
static |
Ensure map context is properly cleared up.
Definition at line 1428 of file rlm_ldap.c.
|
static |
|
static |
|
static |
Clear up when cancelling a mod_authorize call.
Definition at line 1915 of file rlm_ldap.c.
|
static |
Resume function called after each potential yield in LDAP authorization.
Some operations may or may not yield. E.g. if group membership is read from an attribute returned with the user object and is already in the correct form, that will not yield. Hence, each state may fall through to the next.
p_result | Result of current authorization. |
mctx | Module context. |
request | Current request. |
Definition at line 1634 of file rlm_ldap.c.
|
static |
Bootstrap the module.
Define attributes.
[in] | mctx | configuration data. |
Definition at line 2776 of file rlm_ldap.c.
|
static |
Detach from the LDAP server and cleanup internal state.
Definition at line 2296 of file rlm_ldap.c.
|
static |
Instantiate the module.
Creates a new instance of the module reading parameters from a configuration section.
[in] | mctx | configuration data. |
Definition at line 2561 of file rlm_ldap.c.
|
static |
Definition at line 2845 of file rlm_ldap.c.
|
static |
Perform a search and map the result of the search to server attributes.
Unlike LDAP xlat, this can be used to process attributes from multiple entries.
[out] | p_result | Result of map expansion:
|
[in] | mpctx | module map ctx. |
[in,out] | request | The current request. |
[in] | url | LDAP url specifying base DN and filter. |
[in] | maps | Head of the map list. |
Definition at line 1457 of file rlm_ldap.c.
|
static |
Process the results of an LDAP map query.
[out] | p_result | Result of map expansion:
|
[in] | mpctx | module map ctx. |
[in,out] | request | The current request. |
[in] | url | LDAP url specifying base DN and filter. |
[in] | maps | Head of the map list. |
Definition at line 1331 of file rlm_ldap.c.
|
static |
Modify user's object in LDAP.
Process a modification map to update a user object in the LDAP directory.
The module method called in "accouting" and "send" sections.
Definition at line 2228 of file rlm_ldap.c.
|
static |
Clean up thread specific data structure.
Definition at line 2498 of file rlm_ldap.c.
|
static |
Initialise thread specific data structure.
Definition at line 2516 of file rlm_ldap.c.
|
static |
Definition at line 2870 of file rlm_ldap.c.
|
static |
Cancel an in progress user modification.
Definition at line 2009 of file rlm_ldap.c.
|
static |
Handle results of user modification.
Definition at line 2021 of file rlm_ldap.c.
|
static |
Definition at line 2050 of file rlm_ldap.c.
|
static |
Take the retrieved user DN and launch the async tmpl expansion of mod_values.
Definition at line 2191 of file rlm_ldap.c.
USERMOD_ENV | ( | accounting | ) |
USERMOD_ENV | ( | send | ) |
fr_dict_attr_t const* attr_cleartext_password |
Definition at line 326 of file rlm_ldap.c.
fr_dict_attr_t const* attr_crypt_password |
Definition at line 327 of file rlm_ldap.c.
|
static |
Definition at line 331 of file rlm_ldap.c.
fr_dict_attr_t const* attr_ldap_userdn |
Definition at line 328 of file rlm_ldap.c.
fr_dict_attr_t const* attr_nt_password |
Definition at line 329 of file rlm_ldap.c.
fr_dict_attr_t const* attr_password |
Definition at line 325 of file rlm_ldap.c.
fr_dict_attr_t const* attr_password_with_header |
Definition at line 330 of file rlm_ldap.c.
|
static |
Definition at line 191 of file rlm_ldap.c.
|
static |
Definition at line 214 of file rlm_ldap.c.
|
static |
Definition at line 317 of file rlm_ldap.c.
|
static |
Definition at line 129 of file rlm_ldap.c.
|
static |
Definition at line 736 of file rlm_ldap.c.
|
static |
Definition at line 1038 of file rlm_ldap.c.
|
static |
Definition at line 413 of file rlm_ldap.c.
|
static |
Definition at line 566 of file rlm_ldap.c.
|
static |
Definition at line 408 of file rlm_ldap.c.
|
static |
Definition at line 724 of file rlm_ldap.c.
|
static |
Definition at line 397 of file rlm_ldap.c.
|
static |
Definition at line 402 of file rlm_ldap.c.
|
static |
Definition at line 468 of file rlm_ldap.c.
|
static |
Definition at line 741 of file rlm_ldap.c.
|
static |
Definition at line 146 of file rlm_ldap.c.
|
static |
Definition at line 98 of file rlm_ldap.c.
module_rlm_t rlm_ldap |
Definition at line 2879 of file rlm_ldap.c.
fr_dict_autoload_t rlm_ldap_dict |
Definition at line 320 of file rlm_ldap.c.
fr_dict_attr_autoload_t rlm_ldap_dict_attr |
Definition at line 334 of file rlm_ldap.c.
global_lib_autoinst_t const * rlm_ldap_lib |
Definition at line 347 of file rlm_ldap.c.
|
static |
Definition at line 90 of file rlm_ldap.c.
|
static |
Definition at line 113 of file rlm_ldap.c.
|
static |
Definition at line 270 of file rlm_ldap.c.
|
static |
Definition at line 299 of file rlm_ldap.c.