rlm_ldap.c File Reference

LDAP authorization and authentication module. More...

#include <freeradius-devel/rad_assert.h>
#include <stdarg.h>
#include <ctype.h>
#include "ldap.h"
#include <freeradius-devel/map_proc.h>

Include dependency graph for rlm_ldap.c:

Go to the source code of this file.

Functions
static rlm_rcode_t	CC_HINT (nonnull)
static ssize_t	ldap_escape_xlat (char **out, size_t outlen, UNUSED void const *mod_inst, UNUSED void const *xlat_inst, REQUEST *request, char const *fmt)
static ssize_t	ldap_unescape_xlat (char **out, size_t outlen, UNUSED void const *mod_inst, UNUSED void const *xlat_inst, REQUEST *request, char const *fmt)
static ssize_t	ldap_xlat (char **out, size_t outlen, void const *mod_inst, UNUSED void const *xlat_inst, REQUEST *request, char const *fmt)
	Expand an LDAP URL into a query, and return a string result from that query. More...
static rlm_rcode_t	mod_accounting (void *instance, REQUEST *request) CC_HINT(nonnull)
static rlm_rcode_t	mod_authenticate (void *instance, REQUEST *request) CC_HINT(nonnull)
static rlm_rcode_t	mod_authorize (void *instance, REQUEST *request) CC_HINT(nonnull)
static int	mod_bootstrap (CONF_SECTION *conf, void *instance)
	Bootstrap the module. More...
static int	mod_detach (void *instance)
	Detach from the LDAP server and cleanup internal state. More...
static int	mod_instantiate (CONF_SECTION *conf, void *instance)
	Instantiate the module. More...
static rlm_rcode_t	mod_map_proc (void *mod_inst, UNUSED void *proc_inst, REQUEST *request, char const *url, vp_map_t const *maps)
	Perform a search and map the result of the search to server attributes. More...
static rlm_rcode_t	mod_post_auth (void *instance, REQUEST *request) CC_HINT(nonnull)
static int	parse_sub_section (rlm_ldap_t *inst, CONF_SECTION *parent, ldap_acct_section_t **config, rlm_components_t comp)
	Parse an accounting sub section. More...
static int	rlm_ldap_groupcmp (void *instance, REQUEST *request, UNUSED VALUE_PAIR *thing, VALUE_PAIR *check, UNUSED VALUE_PAIR *check_pairs, UNUSED VALUE_PAIR **reply_pairs)
	Perform LDAP-Group comparison checking. More...
static rlm_rcode_t	rlm_ldap_map_profile (rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, rlm_ldap_map_exp_t const *expanded)
	Search for and apply an LDAP profile. More...
static rlm_rcode_t	user_modify (rlm_ldap_t *inst, REQUEST *request, ldap_acct_section_t *section)
	Modify user's object in LDAP. More...

Variables
static const CONF_PARSER	acct_section_config []
static CONF_PARSER	client_config []
static CONF_PARSER	group_config []
static FR_NAME_NUMBER const	ldap_dereference []
FR_NAME_NUMBER const	ldap_scope []
static const CONF_PARSER	module_config []
static CONF_PARSER	option_config []
static CONF_PARSER	profile_config []
module_t	rlm_ldap
static CONF_PARSER	sasl_mech_dynamic []
static CONF_PARSER	sasl_mech_static []
static CONF_PARSER	tls_config []
static CONF_PARSER	user_config []

Detailed Description

LDAP authorization and authentication module.

Id:

3d29cb1cb5d8830472e60b87b8c4980dc2032281

Author

Arran Cudbard-Bell a.cud.nosp@m.bard.nosp@m.b@fre.nosp@m.erad.nosp@m.ius.o.nosp@m.rg

Alan DeKok aland.nosp@m.@fre.nosp@m.eradi.nosp@m.us.o.nosp@m.rg

Copyright

2012,2015 Arran Cudbard-Bell a.cud.nosp@m.bard.nosp@m.b@fre.nosp@m.erad.nosp@m.ius.o.nosp@m.rg

2013,2015 Network RADIUS SARL info@.nosp@m.netw.nosp@m.orkra.nosp@m.dius.nosp@m..com

2012 Alan DeKok aland.nosp@m.@fre.nosp@m.eradi.nosp@m.us.o.nosp@m.rg

1999-2013 The FreeRADIUS Server Project.

Definition in file rlm_ldap.c.

Function Documentation

static rlm_rcode_t CC_HINT ( nonnull  )

static

Definition at line 1372 of file rlm_ldap.c.

Here is the call graph for this function:

static ssize_t ldap_escape_xlat ( char **  out, size_t  outlen, UNUSED void const *  mod_inst, UNUSED void const *  xlat_inst, REQUEST *  request, char const *  fmt  )

static

Definition at line 257 of file rlm_ldap.c.

Here is the call graph for this function:

Here is the caller graph for this function:

static ssize_t ldap_unescape_xlat ( char **  out, size_t  outlen, UNUSED void const *  mod_inst, UNUSED void const *  xlat_inst, REQUEST *  request, char const *  fmt  )

static

Definition at line 264 of file rlm_ldap.c.

Here is the call graph for this function:

Here is the caller graph for this function:

static ssize_t ldap_xlat ( char **  out, size_t  outlen, void const *  mod_inst, UNUSED void const *  xlat_inst, REQUEST *  request, char const *  fmt  )

static

Expand an LDAP URL into a query, and return a string result from that query.

Definition at line 274 of file rlm_ldap.c.

Here is the call graph for this function:

Here is the caller graph for this function:

static rlm_rcode_t mod_accounting ( void *  instance, REQUEST *  request  )

static

Definition at line 2038 of file rlm_ldap.c.

Here is the call graph for this function:

static rlm_rcode_t mod_authenticate ( void *  instance, REQUEST *  request  )

static

Here is the caller graph for this function:

static rlm_rcode_t mod_authorize ( void *  instance, REQUEST *  request  )

static

Definition at line 1570 of file rlm_ldap.c.

Here is the call graph for this function:

static int mod_bootstrap ( CONF_SECTION *  conf, void *  instance  )

static

Bootstrap the module.

Define attributes.

Parameters

conf	to parse.
instance	configuration data.

Returns

• 0 on success.
• < 0 on failure.

Definition at line 721 of file rlm_ldap.c.

Here is the call graph for this function:

static int mod_detach ( void *  instance )

static

Detach from the LDAP server and cleanup internal state.

Definition at line 642 of file rlm_ldap.c.

Here is the call graph for this function:

static int mod_instantiate ( CONF_SECTION *  conf, void *  instance  )

static

Instantiate the module.

Creates a new instance of the module reading parameters from a configuration section.

Parameters

conf	to parse.
instance	configuration data.

Returns

• 0 on success.
• < 0 on failure.

Definition at line 787 of file rlm_ldap.c.

Here is the call graph for this function:

static rlm_rcode_t mod_map_proc ( void *  mod_inst, UNUSED void *  proc_inst, REQUEST *  request, char const *  url, vp_map_t const *  maps  )

static

Perform a search and map the result of the search to server attributes.

Unlike LDAP xlat, this can be used to process attributes from multiple entries.

Parameters

[in]	mod_inst	rlm_ldap_t
[in]	proc_inst	unused.
[in,out]	request	The current request.
[in]	url	LDAP url specifying base DN and filter.
[in]	maps	Head of the map list.

Returns

• RLM_MODULE_NOOP no rows were returned.
• RLM_MODULE_UPDATED if one or more VALUE_PAIR were added to the REQUEST.
• RLM_MODULE_FAIL if an error occurred.

Definition at line 381 of file rlm_ldap.c.

Here is the call graph for this function:

Here is the caller graph for this function:

static rlm_rcode_t mod_post_auth ( void *  instance, REQUEST *  request  )

static

Here is the caller graph for this function:

static int parse_sub_section ( rlm_ldap_t *  inst, CONF_SECTION *  parent, ldap_acct_section_t **  config, rlm_components_t  comp  )

static

Parse an accounting sub section.

Allocate a new ldap_acct_section_t and write the config data into it.

Parameters

[in]	inst	rlm_ldap configuration.
[in]	parent	of the config section.
[out]	config	to write the sub section parameters to.
[in]	comp	The section name were parsing the config for.

Returns

• 0 on success.
• < 0 on failure.

Definition at line 684 of file rlm_ldap.c.

Here is the call graph for this function:

Here is the caller graph for this function:

static int rlm_ldap_groupcmp ( void *  instance, REQUEST *  request, UNUSED VALUE_PAIR *  thing, VALUE_PAIR *  check, UNUSED VALUE_PAIR *  check_pairs, UNUSED VALUE_PAIR **  reply_pairs  )

static

Perform LDAP-Group comparison checking.

Attempts to match users to groups using a variety of methods.

Parameters

instance	of the rlm_ldap module.
request	Current request.
thing	Unknown.
check	Which group to check for user membership.
check_pairs	Unknown.
reply_pairs	Unknown.

Returns

• 1 on failure (or if the user is not a member).
• 0 on success.

Definition at line 526 of file rlm_ldap.c.

Here is the call graph for this function:

Here is the caller graph for this function:

static rlm_rcode_t rlm_ldap_map_profile ( rlm_ldap_t const *  inst, REQUEST *  request, ldap_handle_t **  pconn, char const *  dn, rlm_ldap_map_exp_t const *  expanded  )

static

Search for and apply an LDAP profile.

LDAP profiles are mapped using the same attribute map as user objects, they're used to add common sets of attributes to the request.

Parameters

[in]	inst	rlm_ldap configuration.
[in]	request	Current request.
[in,out]	pconn	to use. May change as this function calls functions which auto re-connect.
[in]	dn	of profile object to apply.
[in]	expanded	Structure containing a list of xlat expanded attribute names and mapping information.

Returns

One of the RLM_MODULE_* values.

Definition at line 1510 of file rlm_ldap.c.

Here is the call graph for this function:

Here is the caller graph for this function:

static rlm_rcode_t user_modify ( rlm_ldap_t *  inst, REQUEST *  request, ldap_acct_section_t *  section  )

static

Modify user's object in LDAP.

Process a modifcation map to update a user object in the LDAP directory.

Parameters

inst	rlm_ldap instance.
request	Current request.
section	that holds the map to process.

Returns

one of the RLM_MODULE_* values.

Definition at line 1814 of file rlm_ldap.c.

Here is the call graph for this function:

Here is the caller graph for this function:

Variable Documentation

const CONF_PARSER acct_section_config[]

static

Initial value:

= {
        { FR_CONF_OFFSET("reference", PW_TYPE_STRING | PW_TYPE_XLAT, ldap_acct_section_t, reference), .dflt = "." },
        CONF_PARSER_TERMINATOR
}

Definition at line 167 of file rlm_ldap.c.

CONF_PARSER client_config[]

static

Initial value:

= {
        { FR_CONF_OFFSET("filter", PW_TYPE_STRING, rlm_ldap_t, clientobj_filter) },
        { FR_CONF_OFFSET("scope", PW_TYPE_STRING, rlm_ldap_t, clientobj_scope_str), .dflt = "sub" },
        { FR_CONF_OFFSET("base_dn", PW_TYPE_STRING, rlm_ldap_t, clientobj_base_dn), .dflt = "" },
        CONF_PARSER_TERMINATOR
}

Definition at line 157 of file rlm_ldap.c.

CONF_PARSER group_config[]

static

Initial value:

= {
        { FR_CONF_OFFSET("filter", PW_TYPE_STRING, rlm_ldap_t, groupobj_filter) },
        { FR_CONF_OFFSET("scope", PW_TYPE_STRING, rlm_ldap_t, groupobj_scope_str), .dflt = "sub" },
        { FR_CONF_OFFSET("base_dn", PW_TYPE_TMPL, rlm_ldap_t, groupobj_base_dn), .dflt = "", .quote = T_SINGLE_QUOTED_STRING },

        { FR_CONF_OFFSET("name_attribute", PW_TYPE_STRING, rlm_ldap_t, groupobj_name_attr), .dflt = "cn" },
        { FR_CONF_OFFSET("membership_attribute", PW_TYPE_STRING, rlm_ldap_t, userobj_membership_attr) },
        { FR_CONF_OFFSET("membership_filter", PW_TYPE_STRING | PW_TYPE_XLAT, rlm_ldap_t, groupobj_membership_filter) },
        { FR_CONF_OFFSET("cacheable_name", PW_TYPE_BOOLEAN, rlm_ldap_t, cacheable_group_name), .dflt = "no" },
        { FR_CONF_OFFSET("cacheable_dn", PW_TYPE_BOOLEAN, rlm_ldap_t, cacheable_group_dn), .dflt = "no" },
        { FR_CONF_OFFSET("cache_attribute", PW_TYPE_STRING, rlm_ldap_t, cache_attribute) },
        { FR_CONF_OFFSET("group_attribute", PW_TYPE_STRING, rlm_ldap_t, group_attribute) },
        CONF_PARSER_TERMINATOR
}

Definition at line 142 of file rlm_ldap.c.

FR_NAME_NUMBER const ldap_dereference[]

static

Initial value:

= {
        { "never",      LDAP_DEREF_NEVER        },
        { "searching",  LDAP_DEREF_SEARCHING    },
        { "finding",    LDAP_DEREF_FINDING      },
        { "always",     LDAP_DEREF_ALWAYS       },

        {  NULL , -1 }
}

Definition at line 66 of file rlm_ldap.c.

FR_NAME_NUMBER const ldap_scope[]

Initial value:

= {
        { "sub",        LDAP_SCOPE_SUB  },
        { "one",        LDAP_SCOPE_ONE  },
        { "base",       LDAP_SCOPE_BASE },



        {  NULL , -1 }
}

Definition at line 44 of file rlm_ldap.c.

const CONF_PARSER module_config[]

static

Definition at line 219 of file rlm_ldap.c.

CONF_PARSER option_config[]

static

Definition at line 177 of file rlm_ldap.c.

CONF_PARSER profile_config[]

static

Initial value:

= {
        { FR_CONF_OFFSET("filter", PW_TYPE_TMPL, rlm_ldap_t, profile_filter), .dflt = "(&)", .quote = T_SINGLE_QUOTED_STRING }, 
        { FR_CONF_OFFSET("attribute", PW_TYPE_STRING, rlm_ldap_t, profile_attr) },
        { FR_CONF_OFFSET("default", PW_TYPE_TMPL, rlm_ldap_t, default_profile) },
        CONF_PARSER_TERMINATOR
}

Definition at line 115 of file rlm_ldap.c.

module_t rlm_ldap

Initial value:

= {
        .magic          = RLM_MODULE_INIT,
        .name           = "ldap",
        .type           = 0,
        .inst_size      = sizeof(rlm_ldap_t),
        .config         = module_config,
        .bootstrap      = mod_bootstrap,
        .instantiate    = mod_instantiate,
        .detach         = mod_detach,
        .methods = {
                [MOD_AUTHENTICATE]      = mod_authenticate,
                [MOD_AUTHORIZE]         = mod_authorize,
                [MOD_ACCOUNTING]        = mod_accounting,
                [MOD_POST_AUTH]         = mod_post_auth
        },
}

Definition at line 2062 of file rlm_ldap.c.

CONF_PARSER sasl_mech_dynamic[]

static

Initial value:

= {
        { FR_CONF_OFFSET("mech", PW_TYPE_TMPL | PW_TYPE_NOT_EMPTY, ldap_sasl_dynamic, mech) },
        { FR_CONF_OFFSET("proxy", PW_TYPE_TMPL, ldap_sasl_dynamic, proxy) },
        { FR_CONF_OFFSET("realm", PW_TYPE_TMPL, ldap_sasl_dynamic, realm) },
        CONF_PARSER_TERMINATOR
}

Definition at line 75 of file rlm_ldap.c.

CONF_PARSER sasl_mech_static[]

static

Initial value:

= {
        { FR_CONF_OFFSET("mech", PW_TYPE_STRING | PW_TYPE_NOT_EMPTY, ldap_sasl, mech) },
        { FR_CONF_OFFSET("proxy", PW_TYPE_STRING, ldap_sasl, proxy) },
        { FR_CONF_OFFSET("realm", PW_TYPE_STRING, ldap_sasl, realm) },
        CONF_PARSER_TERMINATOR
}

Definition at line 82 of file rlm_ldap.c.

CONF_PARSER tls_config[]

static

Initial value:

= {
        
        { FR_CONF_OFFSET("ca_file", PW_TYPE_FILE_INPUT, rlm_ldap_t, tls_ca_file) },

        { FR_CONF_OFFSET("ca_path", PW_TYPE_FILE_INPUT, rlm_ldap_t, tls_ca_path) },

        { FR_CONF_OFFSET("certificate_file", PW_TYPE_FILE_INPUT, rlm_ldap_t, tls_certificate_file) },

        { FR_CONF_OFFSET("private_key_file", PW_TYPE_FILE_INPUT, rlm_ldap_t, tls_private_key_file) }, 

        { FR_CONF_OFFSET("random_file", PW_TYPE_FILE_INPUT, rlm_ldap_t, tls_random_file) },

        
        { FR_CONF_OFFSET("start_tls", PW_TYPE_BOOLEAN, rlm_ldap_t, start_tls), .dflt = "no" },
        { FR_CONF_OFFSET("require_cert", PW_TYPE_STRING, rlm_ldap_t, tls_require_cert_str) },
        CONF_PARSER_TERMINATOR
}

Definition at line 92 of file rlm_ldap.c.

CONF_PARSER user_config[]

static

Initial value:

= {
        { FR_CONF_OFFSET("filter", PW_TYPE_TMPL, rlm_ldap_t, userobj_filter) },
        { FR_CONF_OFFSET("scope", PW_TYPE_STRING, rlm_ldap_t, userobj_scope_str), .dflt = "sub" },
        { FR_CONF_OFFSET("base_dn", PW_TYPE_TMPL, rlm_ldap_t, userobj_base_dn), .dflt = "", .quote = T_SINGLE_QUOTED_STRING },
        { FR_CONF_OFFSET("sort_by", PW_TYPE_STRING, rlm_ldap_t, userobj_sort_by) },

        { FR_CONF_OFFSET("access_attribute", PW_TYPE_STRING, rlm_ldap_t, userobj_access_attr) },
        { FR_CONF_OFFSET("access_positive", PW_TYPE_BOOLEAN, rlm_ldap_t, access_positive), .dflt = "yes" },

        
        { FR_CONF_OFFSET("sasl", PW_TYPE_SUBSECTION, rlm_ldap_t, user_sasl), .dflt = (void const *) sasl_mech_dynamic },
        CONF_PARSER_TERMINATOR
}

Definition at line 125 of file rlm_ldap.c.