rlm_ldap.c File Reference

LDAP authorization and authentication module. More...

#include <freeradius-devel/rad_assert.h>
#include <stdarg.h>
#include <ctype.h>
#include "ldap.h"
#include <freeradius-devel/map_proc.h>


Functions

static rlm_rcode_t CC_HINT (nonnull)
 
static ssize_t ldap_escape_xlat (char **out, size_t outlen, UNUSED void const *mod_inst, UNUSED void const *xlat_inst, REQUEST *request, char const *fmt)
 
static ssize_t ldap_unescape_xlat (char **out, size_t outlen, UNUSED void const *mod_inst, UNUSED void const *xlat_inst, REQUEST *request, char const *fmt)
 
static ssize_t ldap_xlat (char **out, size_t outlen, void const *mod_inst, UNUSED void const *xlat_inst, REQUEST *request, char const *fmt)
 Expand an LDAP URL into a query, and return a string result from that query. More...
 
static rlm_rcode_t mod_accounting (void *instance, REQUEST *request) CC_HINT(nonnull)
 
static rlm_rcode_t mod_authenticate (void *instance, REQUEST *request) CC_HINT(nonnull)
 
static rlm_rcode_t mod_authorize (void *instance, REQUEST *request) CC_HINT(nonnull)
 
static int mod_bootstrap (CONF_SECTION *conf, void *instance)
 Bootstrap the module. More...
 
static int mod_detach (void *instance)
 Detach from the LDAP server and cleanup internal state. More...
 
static int mod_instantiate (CONF_SECTION *conf, void *instance)
 Instantiate the module. More...
 
static rlm_rcode_t mod_map_proc (void *mod_inst, UNUSED void *proc_inst, REQUEST *request, char const *url, vp_map_t const *maps)
 Perform a search and map the result of the search to server attributes. More...
 
static rlm_rcode_t mod_post_auth (void *instance, REQUEST *request) CC_HINT(nonnull)
 
static int parse_sub_section (rlm_ldap_t *inst, CONF_SECTION *parent, ldap_acct_section_t **config, rlm_components_t comp)
 Parse an accounting sub section. More...
 
static int rlm_ldap_groupcmp (void *instance, REQUEST *request, UNUSED VALUE_PAIR *thing, VALUE_PAIR *check, UNUSED VALUE_PAIR *check_pairs, UNUSED VALUE_PAIR **reply_pairs)
 Perform LDAP-Group comparison checking. More...
 
static rlm_rcode_t rlm_ldap_map_profile (rlm_ldap_t const *inst, REQUEST *request, ldap_handle_t **pconn, char const *dn, rlm_ldap_map_exp_t const *expanded)
 Search for and apply an LDAP profile. More...
 
static rlm_rcode_t user_modify (rlm_ldap_t *inst, REQUEST *request, ldap_acct_section_t *section)
 Modify user's object in LDAP. More...
 

Variables

static const CONF_PARSER acct_section_config []
 
static CONF_PARSER client_config []
 
static CONF_PARSER group_config []
 
static FR_NAME_NUMBER const ldap_dereference []
 
FR_NAME_NUMBER const ldap_scope []
 
static const CONF_PARSER module_config []
 
static CONF_PARSER option_config []
 
static CONF_PARSER profile_config []
 
module_t rlm_ldap
 
static CONF_PARSER sasl_mech_dynamic []
 
static CONF_PARSER sasl_mech_static []
 
static CONF_PARSER tls_config []
 
static CONF_PARSER user_config []
 

Detailed Description

LDAP authorization and authentication module.

Id:
3d29cb1cb5d8830472e60b87b8c4980dc2032281
Author
Arran Cudbard-Bell a.cudbardb@freeradius.org
Alan DeKok aland@freeradius.org

Definition in file rlm_ldap.c.

Function Documentation

static rlm_rcode_t CC_HINT ( nonnull  )
static

Definition at line 1372 of file rlm_ldap.c.


static ssize_t ldap_escape_xlat ( char **  out,
size_t  outlen,
UNUSED void const *  mod_inst,
UNUSED void const *  xlat_inst,
REQUEST *request,
char const *  fmt 
)
static

Definition at line 257 of file rlm_ldap.c.


static ssize_t ldap_unescape_xlat ( char **  out,
size_t  outlen,
UNUSED void const *  mod_inst,
UNUSED void const *  xlat_inst,
REQUEST *request,
char const *  fmt 
)
static

Definition at line 264 of file rlm_ldap.c.


static ssize_t ldap_xlat ( char **  out,
size_t  outlen,
void const *  mod_inst,
UNUSED void const *  xlat_inst,
REQUEST *request,
char const *  fmt 
)
static

Expand an LDAP URL into a query, and return a string result from that query.

Definition at line 274 of file rlm_ldap.c.


static rlm_rcode_t mod_accounting ( void *  instance,
REQUEST *request
)
static

Definition at line 2038 of file rlm_ldap.c.


static rlm_rcode_t mod_authenticate ( void *  instance,
REQUEST *request
)
static


static rlm_rcode_t mod_authorize ( void *  instance,
REQUEST *request
)
static

Definition at line 1570 of file rlm_ldap.c.


static int mod_bootstrap ( CONF_SECTION *  conf,
void *  instance 
)
static

Bootstrap the module.

Define attributes.

Parameters
conf — to parse.
instance — configuration data.
Returns
  • 0 on success.
  • < 0 on failure.

Definition at line 721 of file rlm_ldap.c.


static int mod_detach ( void *  instance)
static

Detach from the LDAP server and cleanup internal state.

Definition at line 642 of file rlm_ldap.c.


static int mod_instantiate ( CONF_SECTION *  conf,
void *  instance 
)
static

Instantiate the module.

Creates a new instance of the module reading parameters from a configuration section.

Parameters
conf — to parse.
instance — configuration data.
Returns
  • 0 on success.
  • < 0 on failure.

Definition at line 787 of file rlm_ldap.c.


static rlm_rcode_t mod_map_proc ( void *  mod_inst,
UNUSED void *  proc_inst,
REQUEST *request,
char const *  url,
vp_map_t const *  maps 
)
static

Perform a search and map the result of the search to server attributes.

Unlike LDAP xlat, this can be used to process attributes from multiple entries.

Parameters
[in] mod_inst — rlm_ldap_t.
[in] proc_inst — unused.
[in,out] request — The current request.
[in] url — LDAP URL specifying base DN and filter.
[in] maps — Head of the map list.
Returns

Definition at line 381 of file rlm_ldap.c.


static rlm_rcode_t mod_post_auth ( void *  instance,
REQUEST *request
)
static


static int parse_sub_section ( rlm_ldap_t *  inst,
CONF_SECTION *  parent,
ldap_acct_section_t **  config,
rlm_components_t  comp 
)
static

Parse an accounting sub section.

Allocate a new ldap_acct_section_t and write the config data into it.

Parameters
[in] inst — rlm_ldap configuration.
[in] parent — of the config section.
[out] config — to write the sub section parameters to.
[in] comp — The section name we're parsing the config for.
Returns
  • 0 on success.
  • < 0 on failure.

Definition at line 684 of file rlm_ldap.c.


static int rlm_ldap_groupcmp ( void *  instance,
REQUEST *  request,
UNUSED VALUE_PAIR *  thing,
VALUE_PAIR *  check,
UNUSED VALUE_PAIR *  check_pairs,
UNUSED VALUE_PAIR **  reply_pairs 
)
static

Perform LDAP-Group comparison checking.

Attempts to match users to groups using a variety of methods.

Parameters
instance — of the rlm_ldap module.
request — Current request.
thing — Unknown.
check — Which group to check for user membership.
check_pairs — Unknown.
reply_pairs — Unknown.
Returns
  • 1 on failure (or if the user is not a member).
  • 0 on success.

Definition at line 526 of file rlm_ldap.c.


static rlm_rcode_t rlm_ldap_map_profile ( rlm_ldap_t const *  inst,
REQUEST *request,
ldap_handle_t **  pconn,
char const *  dn,
rlm_ldap_map_exp_t const *  expanded 
)
static

Search for and apply an LDAP profile.

LDAP profiles are mapped using the same attribute map as user objects, they're used to add common sets of attributes to the request.

Parameters
[in] inst — rlm_ldap configuration.
[in] request — Current request.
[in,out] pconn — to use. May change, as this function calls functions which auto re-connect.
[in] dn — of the profile object to apply.
[in] expanded — Structure containing a list of xlat-expanded attribute names and mapping information.
Returns
One of the RLM_MODULE_* values.

Definition at line 1510 of file rlm_ldap.c.


static rlm_rcode_t user_modify ( rlm_ldap_t *  inst,
REQUEST *  request,
ldap_acct_section_t *  section 
)
static

Modify user's object in LDAP.

Process a modification map to update a user object in the LDAP directory.

Parameters
inst — rlm_ldap instance.
request — Current request.
section — that holds the map to process.
Returns
one of the RLM_MODULE_* values.

Definition at line 1814 of file rlm_ldap.c.


Variable Documentation

const CONF_PARSER acct_section_config[]
static
Initial value:
= {
{ FR_CONF_OFFSET("reference", PW_TYPE_STRING | PW_TYPE_XLAT, ldap_acct_section_t, reference), .dflt = "." },
}

Definition at line 167 of file rlm_ldap.c.

CONF_PARSER client_config[]
static
Initial value:
= {
{ FR_CONF_OFFSET("filter", PW_TYPE_STRING, rlm_ldap_t, clientobj_filter) },
{ FR_CONF_OFFSET("scope", PW_TYPE_STRING, rlm_ldap_t, clientobj_scope_str), .dflt = "sub" },
{ FR_CONF_OFFSET("base_dn", PW_TYPE_STRING, rlm_ldap_t, clientobj_base_dn), .dflt = "" },
}

Definition at line 157 of file rlm_ldap.c.

CONF_PARSER group_config[]
static
Initial value:
= {
{ FR_CONF_OFFSET("filter", PW_TYPE_STRING, rlm_ldap_t, groupobj_filter) },
{ FR_CONF_OFFSET("scope", PW_TYPE_STRING, rlm_ldap_t, groupobj_scope_str), .dflt = "sub" },
{ FR_CONF_OFFSET("base_dn", PW_TYPE_TMPL, rlm_ldap_t, groupobj_base_dn), .dflt = "", .quote = T_SINGLE_QUOTED_STRING },
{ FR_CONF_OFFSET("name_attribute", PW_TYPE_STRING, rlm_ldap_t, groupobj_name_attr), .dflt = "cn" },
{ FR_CONF_OFFSET("membership_attribute", PW_TYPE_STRING, rlm_ldap_t, userobj_membership_attr) },
{ FR_CONF_OFFSET("membership_filter", PW_TYPE_STRING | PW_TYPE_XLAT, rlm_ldap_t, groupobj_membership_filter) },
{ FR_CONF_OFFSET("cacheable_name", PW_TYPE_BOOLEAN, rlm_ldap_t, cacheable_group_name), .dflt = "no" },
{ FR_CONF_OFFSET("cacheable_dn", PW_TYPE_BOOLEAN, rlm_ldap_t, cacheable_group_dn), .dflt = "no" },
{ FR_CONF_OFFSET("cache_attribute", PW_TYPE_STRING, rlm_ldap_t, cache_attribute) },
{ FR_CONF_OFFSET("group_attribute", PW_TYPE_STRING, rlm_ldap_t, group_attribute) },
}

Definition at line 142 of file rlm_ldap.c.

FR_NAME_NUMBER const ldap_dereference[]
static
Initial value:
= {
{ "never", LDAP_DEREF_NEVER },
{ "searching", LDAP_DEREF_SEARCHING },
{ "finding", LDAP_DEREF_FINDING },
{ "always", LDAP_DEREF_ALWAYS },
{ NULL , -1 }
}

Definition at line 66 of file rlm_ldap.c.

FR_NAME_NUMBER const ldap_scope[]
Initial value:
= {
{ "sub", LDAP_SCOPE_SUB },
{ "one", LDAP_SCOPE_ONE },
{ "base", LDAP_SCOPE_BASE },
{ NULL , -1 }
}

Definition at line 44 of file rlm_ldap.c.

const CONF_PARSER module_config[]
static

Definition at line 219 of file rlm_ldap.c.

CONF_PARSER option_config[]
static

Definition at line 177 of file rlm_ldap.c.

CONF_PARSER profile_config[]
static
Initial value:
= {
{ FR_CONF_OFFSET("filter", PW_TYPE_TMPL, rlm_ldap_t, profile_filter), .dflt = "(&)", .quote = T_SINGLE_QUOTED_STRING },
{ FR_CONF_OFFSET("attribute", PW_TYPE_STRING, rlm_ldap_t, profile_attr) },
{ FR_CONF_OFFSET("default", PW_TYPE_TMPL, rlm_ldap_t, default_profile) },
}

Definition at line 115 of file rlm_ldap.c.

module_t rlm_ldap
Initial value:
= {
.magic = RLM_MODULE_INIT,
.name = "ldap",
.type = 0,
.inst_size = sizeof(rlm_ldap_t),
.config = module_config,
.bootstrap = mod_bootstrap,
.instantiate = mod_instantiate,
.detach = mod_detach,
.methods = {
},
}

Definition at line 2062 of file rlm_ldap.c.

CONF_PARSER sasl_mech_dynamic[]
static
Initial value:
= {
}

Definition at line 75 of file rlm_ldap.c.

CONF_PARSER sasl_mech_static[]
static
Initial value:
= {
{ FR_CONF_OFFSET("proxy", PW_TYPE_STRING, ldap_sasl, proxy) },
{ FR_CONF_OFFSET("realm", PW_TYPE_STRING, ldap_sasl, realm) },
}

Definition at line 82 of file rlm_ldap.c.

CONF_PARSER tls_config[]
static
Initial value:
= {
{ FR_CONF_OFFSET("ca_file", PW_TYPE_FILE_INPUT, rlm_ldap_t, tls_ca_file) },
{ FR_CONF_OFFSET("ca_path", PW_TYPE_FILE_INPUT, rlm_ldap_t, tls_ca_path) },
{ FR_CONF_OFFSET("certificate_file", PW_TYPE_FILE_INPUT, rlm_ldap_t, tls_certificate_file) },
{ FR_CONF_OFFSET("private_key_file", PW_TYPE_FILE_INPUT, rlm_ldap_t, tls_private_key_file) },
{ FR_CONF_OFFSET("random_file", PW_TYPE_FILE_INPUT, rlm_ldap_t, tls_random_file) },
{ FR_CONF_OFFSET("start_tls", PW_TYPE_BOOLEAN, rlm_ldap_t, start_tls), .dflt = "no" },
{ FR_CONF_OFFSET("require_cert", PW_TYPE_STRING, rlm_ldap_t, tls_require_cert_str) },
}

Definition at line 92 of file rlm_ldap.c.

CONF_PARSER user_config[]
static
Initial value:
= {
{ FR_CONF_OFFSET("filter", PW_TYPE_TMPL, rlm_ldap_t, userobj_filter) },
{ FR_CONF_OFFSET("scope", PW_TYPE_STRING, rlm_ldap_t, userobj_scope_str), .dflt = "sub" },
{ FR_CONF_OFFSET("base_dn", PW_TYPE_TMPL, rlm_ldap_t, userobj_base_dn), .dflt = "", .quote = T_SINGLE_QUOTED_STRING },
{ FR_CONF_OFFSET("sort_by", PW_TYPE_STRING, rlm_ldap_t, userobj_sort_by) },
{ FR_CONF_OFFSET("access_attribute", PW_TYPE_STRING, rlm_ldap_t, userobj_access_attr) },
{ FR_CONF_OFFSET("access_positive", PW_TYPE_BOOLEAN, rlm_ldap_t, access_positive), .dflt = "yes" },
{ FR_CONF_OFFSET("sasl", PW_TYPE_SUBSECTION, rlm_ldap_t, user_sasl), .dflt = (void const *) sasl_mech_dynamic },
}

Definition at line 125 of file rlm_ldap.c.