The FreeRADIUS server
$Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
LDAP authorization and authentication module. More...
#include <freeradius-devel/util/debug.h>
#include <freeradius-devel/util/table.h>
#include <freeradius-devel/util/uri.h>
#include <freeradius-devel/util/value.h>
#include <freeradius-devel/ldap/conf.h>
#include <freeradius-devel/ldap/base.h>
#include <freeradius-devel/server/map_proc.h>
#include <freeradius-devel/server/module_rlm.h>
#include <freeradius-devel/server/rcode.h>
#include <freeradius-devel/unlang/xlat_func.h>
#include <freeradius-devel/unlang/action.h>
#include <ldap.h>
#include "rlm_ldap.h"
Data Structures | |
struct | ldap_auth_call_env_t |
struct | ldap_auth_ctx_t |
Holds the state of an in-progress async authentication. More... | |
struct | ldap_map_ctx_t |
Holds the state of an in-progress LDAP map. More... | |
struct | ldap_update_rules_t |
Parameters to allow ldap_update_section_parse to be reused. More... | |
struct | ldap_user_modify_ctx_t |
Holds the state of in-progress LDAP user modifications. More... | |
struct | ldap_usermod_call_env_t |
struct | ldap_xlat_profile_call_env_t |
Call environment used in the profile xlat. More... | |
struct | ldap_xlat_profile_ctx_t |
Macros | |
#define | CHECK_EXPANDED_SPACE(_expanded) fr_assert((size_t)_expanded->count < (NUM_ELEMENTS(_expanded->attrs) - 1)); |
#define | LDAP_URI_SAFE_FOR (fr_value_box_safe_for_t)fr_ldap_uri_escape_func |
This is the common function that actually ends up doing all the URI escaping. More... | |
#define | REPEAT_LDAP_MEMBEROF_XLAT_RESULTS |
#define | REPEAT_MOD_AUTHORIZE_RESUME |
#define | USER_CALL_ENV_COMMON(_struct) |
Enumerations | |
enum | ldap_schemes_t { LDAP_SCHEME_UNIX = 0 , LDAP_SCHEME_TCP , LDAP_SCHEME_TCP_SSL } |
Functions | |
static int | autz_ctx_free (ldap_autz_ctx_t *autz_ctx) |
Ensure the authorization context is properly cleaned up. More... | |
static char * | host_uri_canonify (request_t *request, LDAPURLDesc *url_parsed, fr_value_box_t *url_in) |
Produce canonical LDAP host URI for finding trunks. More... | |
static int | ldap_group_filter_parse (TALLOC_CTX *ctx, void *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, UNUSED char const *section_name1, UNUSED char const *section_name2, void const *data, UNUSED call_env_parser_t const *rule) |
static int | ldap_group_filter_parse (TALLOC_CTX *ctx, void *out, tmpl_rules_t const *t_rules, UNUSED CONF_ITEM *ci, UNUSED char const *section_name1, UNUSED char const *section_name2, void const *data, UNUSED call_env_parser_t const *rule) |
static int | ldap_map_verify (CONF_SECTION *cs, UNUSED void *mod_inst, UNUSED void *proc_inst, tmpl_t const *src, UNUSED map_list_t const *maps) |
static xlat_action_t | ldap_memberof_xlat (TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in) |
Check for a user being in a LDAP group. More... | |
static void | ldap_memberof_xlat_cancel (UNUSED request_t *request, UNUSED fr_signal_t action, void *uctx) |
Cancel an in-progress query for the LDAP group membership xlat. More... | |
static unlang_action_t | ldap_memberof_xlat_results (rlm_rcode_t *p_result, UNUSED int *priority, request_t *request, void *uctx) |
Run the state machine for the LDAP membership xlat. More... | |
static xlat_action_t | ldap_memberof_xlat_resume (TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, UNUSED request_t *request, UNUSED fr_value_box_list_t *in) |
Process the results of evaluating LDAP group membership. More... | |
static unlang_action_t | ldap_memberof_xlat_user_find (UNUSED rlm_rcode_t *p_result, UNUSED int *priority, request_t *request, void *uctx) |
User object lookup as part of group membership xlat. More... | |
static xlat_action_t | ldap_profile_xlat (UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in) |
Expand an LDAP URL into a query, applying the results using the user update map. More... | |
static xlat_action_t | ldap_profile_xlat_resume (TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, UNUSED request_t *request, UNUSED fr_value_box_list_t *in) |
Return whether evaluating the profile was successful. More... | |
static void | ldap_query_timeout (UNUSED fr_event_list_t *el, UNUSED fr_time_t now, void *uctx) |
Callback when LDAP query times out. More... | |
static int | ldap_update_section_parse (TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, char const *section_name1, char const *section_name2, void const *data, call_env_parser_t const *rule) |
static int | ldap_update_section_parse (TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, UNUSED char const *section_name1, UNUSED char const *section_name2, UNUSED void const *data, call_env_parser_t const *rule) |
static xlat_action_t | ldap_uri_escape_xlat (TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in) |
Escape a string for use in an LDAP URI. More... | |
static int | ldap_uri_part_escape (fr_value_box_t *vb, UNUSED void *uctx) |
Escape function for a part of an LDAP URI. More... | |
static xlat_action_t | ldap_uri_unescape_xlat (TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in) |
Unescape a string that was escaped for an LDAP URI. More... | |
static xlat_action_t | ldap_xlat (UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in) |
Expand an LDAP URL into a query, and return a string result from that query. More... | |
static int | ldap_xlat_profile_ctx_free (ldap_xlat_profile_ctx_t *to_free) |
static xlat_action_t | ldap_xlat_resume (TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, UNUSED fr_value_box_list_t *in) |
Callback when resuming after async ldap query is completed. More... | |
static void | ldap_xlat_signal (xlat_ctx_t const *xctx, request_t *request, UNUSED fr_signal_t action) |
Callback for signalling async ldap query. More... | |
static int | map_ctx_free (ldap_map_ctx_t *map_ctx) |
Ensure the map context is properly cleaned up. More... | |
static unlang_action_t | mod_accounting (rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request) |
static unlang_action_t | mod_authenticate (rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request) |
static unlang_action_t | mod_authenticate_resume (rlm_rcode_t *p_result, UNUSED int *priority, request_t *request, void *uctx) |
Initiate async LDAP bind to authenticate user. More... | |
static unlang_action_t | mod_authenticate_start (rlm_rcode_t *p_result, UNUSED int *priority, request_t *request, void *uctx) |
Perform async lookup of user DN if required for authentication. More... | |
static unlang_action_t | mod_authorize (rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request) |
static void | mod_authorize_cancel (UNUSED request_t *request, UNUSED fr_signal_t action, void *uctx) |
Clean up when cancelling a mod_authorize call. More... | |
static unlang_action_t | mod_authorize_resume (rlm_rcode_t *p_result, UNUSED int *priority, request_t *request, void *uctx) |
Resume function called after each potential yield in LDAP authorization. More... | |
static unlang_action_t | mod_authorize_start (UNUSED rlm_rcode_t *p_result, UNUSED int *priority, request_t *request, void *uctx) |
Start LDAP authorization with async lookup of user DN. More... | |
static int | mod_bootstrap (module_inst_ctx_t const *mctx) |
Bootstrap the module. More... | |
static int | mod_detach (module_detach_ctx_t const *mctx) |
Detach from the LDAP server and cleanup internal state. More... | |
static int | mod_instantiate (module_inst_ctx_t const *mctx) |
Instantiate the module. More... | |
static int | mod_load (void) |
static unlang_action_t | mod_map_proc (rlm_rcode_t *p_result, void *mod_inst, UNUSED void *proc_inst, request_t *request, fr_value_box_list_t *url, map_list_t const *maps) |
Perform a search and map the result of the search to server attributes. More... | |
static unlang_action_t | mod_map_resume (rlm_rcode_t *p_result, UNUSED int *priority, request_t *request, void *uctx) |
Process the results of an LDAP map query. More... | |
static unlang_action_t | mod_post_auth (rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request) |
static int | mod_thread_detach (module_thread_inst_ctx_t const *mctx) |
Clean up thread specific data structure. More... | |
static int | mod_thread_instantiate (module_thread_inst_ctx_t const *mctx) |
Initialise thread specific data structure. More... | |
static void | mod_unload (void) |
static int | parse_sub_section (module_inst_ctx_t const *mctx, CONF_SECTION *parent, ldap_acct_section_t **config, rlm_components_t comp) |
Parse an accounting sub-section. More... | |
static unlang_action_t | user_modify (rlm_rcode_t *p_result, rlm_ldap_t const *inst, request_t *request, ldap_acct_section_t *section, ldap_usermod_call_env_t *call_env) |
Modify user's object in LDAP. More... | |
static void | user_modify_cancel (UNUSED request_t *request, UNUSED fr_signal_t action, void *uctx) |
Cancel an in-progress user modification. More... | |
static unlang_action_t | user_modify_final (rlm_rcode_t *p_result, UNUSED int *priority, request_t *request, void *uctx) |
Handle results of user modification. More... | |
static unlang_action_t | user_modify_resume (rlm_rcode_t *p_result, UNUSED int *priority, request_t *request, void *uctx) |
Take the retrieved user DN and launch the async modification. More... | |
static unlang_action_t | user_modify_start (UNUSED rlm_rcode_t *p_result, UNUSED int *priority, request_t *request, void *uctx) |
Perform async lookup of user DN if required for user modification. More... | |
LDAP authorization and authentication module.
Definition in file rlm_ldap.c.
struct ldap_auth_call_env_t |
Definition at line 52 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
fr_value_box_t | password | |
tmpl_t const * | password_tmpl | |
fr_value_box_t | user_base | |
fr_value_box_t | user_filter | |
fr_value_box_t | user_sasl_authname | |
fr_value_box_t | user_sasl_mech | |
fr_value_box_t | user_sasl_proxy | |
fr_value_box_t | user_sasl_realm |
struct ldap_auth_ctx_t |
Holds the state of an in-progress async authentication.
Definition at line 341 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
ldap_auth_call_env_t * | call_env | |
char const * | dn | |
rlm_ldap_t const * | inst | |
char const * | password | |
fr_ldap_thread_t * | thread |
struct ldap_map_ctx_t |
Holds the state of an in-progress LDAP map.
Definition at line 366 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
fr_ldap_map_exp_t | expanded | |
LDAPURLDesc * | ldap_url | |
map_list_t const * | maps | |
fr_ldap_query_t * | query |
struct ldap_update_rules_t |
Parameters to allow ldap_update_section_parse to be reused.
Definition at line 203 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
ssize_t | expect_password_offset | |
size_t | map_offset |
struct ldap_user_modify_ctx_t |
Holds the state of in-progress LDAP user modifications.
Definition at line 352 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
ldap_usermod_call_env_t * | call_env | |
char const * | dn | |
rlm_ldap_t const * | inst | |
LDAPMod * | mod_p[LDAP_MAX_ATTRMAP+1] | |
LDAPMod | mod_s[LDAP_MAX_ATTRMAP] | |
char * | passed[LDAP_MAX_ATTRMAP *2] | |
fr_ldap_query_t * | query | |
fr_ldap_thread_trunk_t * | ttrunk |
struct ldap_usermod_call_env_t |
Definition at line 63 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
fr_value_box_t | user_base | |
fr_value_box_t | user_filter |
struct ldap_xlat_profile_call_env_t |
Call environment used in the profile xlat.
Definition at line 70 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
fr_value_box_t | profile_filter | Filter to use when searching for users. |
map_list_t * | profile_map | List of maps to apply to the profile. |
struct ldap_xlat_profile_ctx_t |
Definition at line 977 of file rlm_ldap.c.
Data Fields | ||
---|---|---|
fr_ldap_map_exp_t | expanded | |
fr_ldap_result_code_t | ret | |
LDAPURLDesc * | url |
#define CHECK_EXPANDED_SPACE | ( | _expanded | ) | fr_assert((size_t)_expanded->count < (NUM_ELEMENTS(_expanded->attrs) - 1)); |
#define LDAP_URI_SAFE_FOR (fr_value_box_safe_for_t)fr_ldap_uri_escape_func |
This is the common function that actually ends up doing all the URI escaping.
Definition at line 388 of file rlm_ldap.c.
#define REPEAT_LDAP_MEMBEROF_XLAT_RESULTS |
Definition at line 808 of file rlm_ldap.c.
#define REPEAT_MOD_AUTHORIZE_RESUME |
Definition at line 1483 of file rlm_ldap.c.
#define USER_CALL_ENV_COMMON | ( | _struct | ) |
Definition at line 180 of file rlm_ldap.c.
enum ldap_schemes_t |
Enumerator | |
---|---|
LDAP_SCHEME_UNIX | |
LDAP_SCHEME_TCP | |
LDAP_SCHEME_TCP_SSL |
Definition at line 373 of file rlm_ldap.c.
|
static |
Ensure the authorization context is properly cleaned up.
Definition at line 1796 of file rlm_ldap.c.
|
inlinestatic |
Produce canonical LDAP host URI for finding trunks.
Definition at line 643 of file rlm_ldap.c.
|
static |
|
static |
|
static |
|
static |
Cancel an in-progress query for the LDAP group membership xlat.
Definition at line 799 of file rlm_ldap.c.
|
static |
Run the state machine for the LDAP membership xlat.
This is called after each async lookup is completed.
Definition at line 818 of file rlm_ldap.c.
|
static |
Process the results of evaluating LDAP group membership.
Definition at line 866 of file rlm_ldap.c.
|
static |
User object lookup as part of group membership xlat.
Called if the LDAP membership xlat is used and the user DN is not already known.
Definition at line 783 of file rlm_ldap.c.
|
static |
Return whether evaluating the profile was successful.
Definition at line 986 of file rlm_ldap.c.
|
static |
Callback when LDAP query times out.
Definition at line 526 of file rlm_ldap.c.
|
static |
|
static |
|
static |
Escape function for a part of an LDAP URI.
Definition at line 496 of file rlm_ldap.c.
|
static |
|
static |
Callback when resuming after async ldap query is completed.
Definition at line 552 of file rlm_ldap.c.
|
static |
Callback for signalling async ldap query.
Definition at line 599 of file rlm_ldap.c.
|
static |
Ensure the map context is properly cleaned up.
Definition at line 1255 of file rlm_ldap.c.
|
static |
|
static |
|
static |
Initiate async LDAP bind to authenticate user.
Definition at line 1380 of file rlm_ldap.c.
|
static |
Perform async lookup of user DN if required for authentication.
Definition at line 1362 of file rlm_ldap.c.
|
static |
|
static |
Clean up when cancelling a mod_authorize call.
Definition at line 1786 of file rlm_ldap.c.
|
static |
Resume function called after each potential yield in LDAP authorization.
Some operations may or may not yield. For example, if group membership is read from an attribute returned with the user object and is already in the correct form, that operation will not yield. Hence, each state may fall through to the next.
p_result | Result of current authorization. |
priority | Unused. |
request | Current request. |
uctx | Current authorization context. |
Definition at line 1502 of file rlm_ldap.c.
|
static |
Start LDAP authorization with async lookup of user DN.
Definition at line 1474 of file rlm_ldap.c.
|
static |
Bootstrap the module.
Define attributes.
[in] | mctx | configuration data. |
Definition at line 2296 of file rlm_ldap.c.
|
static |
Detach from the LDAP server and cleanup internal state.
Definition at line 2178 of file rlm_ldap.c.
|
static |
Instantiate the module.
Creates a new instance of the module, reading parameters from a configuration section.
[in] | mctx | configuration data. |
Definition at line 2483 of file rlm_ldap.c.
|
static |
|
static |
Perform a search and map the result of the search to server attributes.
Unlike the LDAP xlat, this can be used to process attributes from multiple entries.
[out] | p_result | Result of map expansion:
|
[in] | mod_inst | rlm_ldap_t |
[in] | proc_inst | unused. |
[in,out] | request | The current request. |
[in] | url | LDAP url specifying base DN and filter. |
[in] | maps | Head of the map list. |
Definition at line 1280 of file rlm_ldap.c.
|
static |
Process the results of an LDAP map query.
[out] | p_result | Result of applying the map. |
[in] | priority | Unused. |
[in] | request | Current request. |
[in] | uctx | Map context. |
Definition at line 1162 of file rlm_ldap.c.
|
static |
|
static |
Clean up thread specific data structure.
Definition at line 2272 of file rlm_ldap.c.
|
static |
Initialise thread specific data structure.
Definition at line 2233 of file rlm_ldap.c.
|
static |
|
static |
Parse an accounting sub-section.
Allocate a new ldap_acct_section_t and write the config data into it.
[in] | mctx | rlm_ldap configuration. |
[in] | parent | Parent of the config section. |
[out] | config | Where to write the sub-section parameters to. |
[in] | comp | The section name we're parsing the config for. |
Definition at line 2199 of file rlm_ldap.c.
|
static |
Modify user's object in LDAP.
Process a modification map to update a user object in the LDAP directory.
[out] | p_result | the result of the modification. |
[in] | inst | rlm_ldap instance. |
[in] | request | Current request. |
[in] | section | Section that holds the map to process. |
[in] | call_env | Call environment. Contains expanded base and filter to find user. |
Definition at line 1959 of file rlm_ldap.c.
|
static |
Cancel an in-progress user modification.
Definition at line 1882 of file rlm_ldap.c.
|
static |
Handle results of user modification.
Definition at line 1894 of file rlm_ldap.c.
|
static |
Take the retrieved user DN and launch the async modification.
Definition at line 1923 of file rlm_ldap.c.
|
static |
Perform async lookup of user DN if required for user modification.
Definition at line 1870 of file rlm_ldap.c.
|
static |
Definition at line 134 of file rlm_ldap.c.
fr_dict_attr_t const* attr_cleartext_password |
Definition at line 312 of file rlm_ldap.c.
fr_dict_attr_t const* attr_crypt_password |
Definition at line 313 of file rlm_ldap.c.
|
static |
Definition at line 317 of file rlm_ldap.c.
fr_dict_attr_t const* attr_ldap_userdn |
Definition at line 314 of file rlm_ldap.c.
fr_dict_attr_t const* attr_nt_password |
Definition at line 315 of file rlm_ldap.c.
fr_dict_attr_t const* attr_password |
Definition at line 311 of file rlm_ldap.c.
fr_dict_attr_t const* attr_password_with_header |
Definition at line 316 of file rlm_ldap.c.
|
static |
Definition at line 184 of file rlm_ldap.c.
|
static |
Definition at line 208 of file rlm_ldap.c.
|
static |
Definition at line 303 of file rlm_ldap.c.
|
static |
Definition at line 114 of file rlm_ldap.c.
|
static |
Definition at line 629 of file rlm_ldap.c.
|
static |
Definition at line 879 of file rlm_ldap.c.
|
static |
Definition at line 395 of file rlm_ldap.c.
|
static |
Definition at line 390 of file rlm_ldap.c.
|
static |
Definition at line 617 of file rlm_ldap.c.
|
static |
Definition at line 379 of file rlm_ldap.c.
|
static |
Definition at line 384 of file rlm_ldap.c.
|
static |
Definition at line 450 of file rlm_ldap.c.
|
static |
Definition at line 634 of file rlm_ldap.c.
|
static |
Definition at line 139 of file rlm_ldap.c.
|
static |
Definition at line 87 of file rlm_ldap.c.
module_rlm_t rlm_ldap |
Definition at line 2706 of file rlm_ldap.c.
fr_dict_autoload_t rlm_ldap_dict |
Definition at line 306 of file rlm_ldap.c.
fr_dict_attr_autoload_t rlm_ldap_dict_attr |
Definition at line 320 of file rlm_ldap.c.
global_lib_autoinst_t const * rlm_ldap_lib |
Definition at line 333 of file rlm_ldap.c.
|
static |
Definition at line 79 of file rlm_ldap.c.
|
static |
Definition at line 98 of file rlm_ldap.c.
|
static |
Definition at line 246 of file rlm_ldap.c.
|
static |
Definition at line 259 of file rlm_ldap.c.
|
static |
Definition at line 285 of file rlm_ldap.c.