The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
rlm_ldap.c
Go to the documentation of this file.
1/*
2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 2b64b9f23dd57973ec9b3b224a6370a672c3a163 $
19 * @file rlm_ldap.c
20 * @brief LDAP authorization and authentication module.
21 *
22 * @author Arran Cudbard-Bell (a.cudbardb@freeradius.org)
23 * @author Alan DeKok (aland@freeradius.org)
24 *
25 * @copyright 2012,2015 Arran Cudbard-Bell (a.cudbardb@freeradius.org)
26 * @copyright 2013,2015 Network RADIUS SAS (legal@networkradius.com)
27 * @copyright 2012 Alan DeKok (aland@freeradius.org)
28 * @copyright 1999-2013 The FreeRADIUS Server Project.
29 */
30RCSID("$Id: 2b64b9f23dd57973ec9b3b224a6370a672c3a163 $")
31
33
34#include <freeradius-devel/util/debug.h>
35#include <freeradius-devel/util/table.h>
36#include <freeradius-devel/util/uri.h>
37#include <freeradius-devel/util/value.h>
38
39#include <freeradius-devel/ldap/conf.h>
40#include <freeradius-devel/ldap/base.h>
41
42#include <freeradius-devel/server/map_proc.h>
43#include <freeradius-devel/server/module_rlm.h>
44#include <freeradius-devel/server/rcode.h>
45
46#include <freeradius-devel/unlang/xlat_func.h>
47#include <freeradius-devel/unlang/action.h>
48#include <freeradius-devel/unlang/map.h>
49
50#include <ldap.h>
51#include "rlm_ldap.h"
52
57
66
67typedef struct {
68 char const *attr;
70 tmpl_t const *tmpl;
77
78/** Call environment used in the profile xlat
79 */
80typedef struct {
81 fr_value_box_t profile_filter; //!< Filter to use when searching for users.
82 map_list_t *profile_map; //!< List of maps to apply to the profile.
84
85static int ldap_update_section_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, call_env_parser_t const *rule);
86static int ldap_mod_section_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, call_env_parser_t const *rule);
87
88static int ldap_group_filter_parse(TALLOC_CTX *ctx, void *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, UNUSED call_env_parser_t const *rule);
89
97
99 { FR_CONF_OFFSET("scope", rlm_ldap_t, profile.obj_scope), .dflt = "base",
100 .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = fr_ldap_scope, .len = &fr_ldap_scope_len } },
101 { FR_CONF_OFFSET("attribute", rlm_ldap_t, profile.attr) },
102 { FR_CONF_OFFSET("attribute_suspend", rlm_ldap_t, profile.attr_suspend) },
103 { FR_CONF_OFFSET("check_attribute", rlm_ldap_t, profile.check_attr) },
104 { FR_CONF_OFFSET("sort_by", rlm_ldap_t, profile.obj_sort_by) },
105 { FR_CONF_OFFSET("fallthrough_attribute", rlm_ldap_t, profile.fallthrough_attr) },
106 { FR_CONF_OFFSET("fallthrough_default", rlm_ldap_t, profile.fallthrough_def), .dflt = "yes" },
108};
109
110/*
111 * User configuration
112 */
114 { FR_CONF_OFFSET("scope", rlm_ldap_t, user.obj_scope), .dflt = "sub",
115 .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = fr_ldap_scope, .len = &fr_ldap_scope_len } },
116 { FR_CONF_OFFSET("sort_by", rlm_ldap_t, user.obj_sort_by) },
117
118 { FR_CONF_OFFSET("access_attribute", rlm_ldap_t, user.obj_access_attr) },
119 { FR_CONF_OFFSET("access_positive", rlm_ldap_t, user.access_positive), .dflt = "yes" },
120 { FR_CONF_OFFSET("access_value_negate", rlm_ldap_t, user.access_value_negate), .dflt = "false" },
121 { FR_CONF_OFFSET("access_value_suspend", rlm_ldap_t, user.access_value_suspend), .dflt = "suspended" },
122 { FR_CONF_OFFSET_IS_SET("expect_password", FR_TYPE_BOOL, 0, rlm_ldap_t, user.expect_password) },
124};
125
126/*
127 * Group configuration
128 */
130 { FR_CONF_OFFSET("filter", rlm_ldap_t, group.obj_filter) },
131 { FR_CONF_OFFSET("scope", rlm_ldap_t, group.obj_scope), .dflt = "sub",
132 .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = fr_ldap_scope, .len = &fr_ldap_scope_len } },
133
134 { FR_CONF_OFFSET("name_attribute", rlm_ldap_t, group.obj_name_attr), .dflt = "cn" },
135 { FR_CONF_OFFSET("membership_attribute", rlm_ldap_t, group.userobj_membership_attr) },
136 { FR_CONF_OFFSET_FLAGS("membership_filter", CONF_FLAG_XLAT, rlm_ldap_t, group.obj_membership_filter) },
137 { FR_CONF_OFFSET("cacheable_name", rlm_ldap_t, group.cacheable_name), .dflt = "no" },
138 { FR_CONF_OFFSET("cacheable_dn", rlm_ldap_t, group.cacheable_dn), .dflt = "no" },
139 { FR_CONF_OFFSET("cache_attribute", rlm_ldap_t, group.cache_attribute) },
140 { FR_CONF_OFFSET("group_attribute", rlm_ldap_t, group.attribute) },
141 { FR_CONF_OFFSET("allow_dangling_group_ref", rlm_ldap_t, group.allow_dangling_refs), .dflt = "no" },
142 { FR_CONF_OFFSET("skip_on_suspend", rlm_ldap_t, group.skip_on_suspend), .dflt = "yes"},
144};
145
146static const conf_parser_t module_config[] = {
147 /*
148 * Pool config items
149 */
150 { FR_CONF_OFFSET_FLAGS("server", CONF_FLAG_MULTI, rlm_ldap_t, handle_config.server_str) }, /* Do not set to required */
151
152 /*
153 * Common LDAP conf parsers
154 */
156
157 { FR_CONF_OFFSET("valuepair_attribute", rlm_ldap_t, valuepair_attr) },
158
159#ifdef LDAP_CONTROL_X_SESSION_TRACKING
160 { FR_CONF_OFFSET("session_tracking", rlm_ldap_t, session_tracking), .dflt = "no" },
161#endif
162
163#ifdef WITH_EDIR
164 /* support for eDirectory Universal Password */
165 { FR_CONF_OFFSET("edir", rlm_ldap_t, edir) }, /* NULL defaults to "no" */
166
167 /*
168 * Attempt to bind with the cleartext password we got from eDirectory
169 * Universal password for additional authorization checks.
170 */
171 { FR_CONF_OFFSET("edir_autz", rlm_ldap_t, edir_autz) }, /* NULL defaults to "no" */
172#endif
173
174 { FR_CONF_POINTER("user", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) user_config },
175
176 { FR_CONF_POINTER("group", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) group_config },
177
178 { FR_CONF_POINTER("profile", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) profile_config },
179
180 { FR_CONF_OFFSET_SUBSECTION("pool", 0, rlm_ldap_t, trunk_conf, trunk_config ) },
181
182 { FR_CONF_OFFSET_SUBSECTION("bind_pool", 0, rlm_ldap_t, bind_trunk_conf, trunk_config ) },
183
185};
186
187#define USER_CALL_ENV_COMMON(_struct) \
188 { FR_CALL_ENV_OFFSET("base_dn", FR_TYPE_STRING, CALL_ENV_FLAG_REQUIRED | CALL_ENV_FLAG_CONCAT, _struct, user_base), .pair.dflt = "", .pair.dflt_quote = T_SINGLE_QUOTED_STRING }, \
189 { FR_CALL_ENV_OFFSET("filter", FR_TYPE_STRING, CALL_ENV_FLAG_NULLABLE | CALL_ENV_FLAG_CONCAT, _struct, user_filter), .pair.dflt = "(&)", .pair.dflt_quote = T_SINGLE_QUOTED_STRING }
190
206
207/** Parameters to allow ldap_update_section_parse to be reused
208 */
213
216 .env = (call_env_parser_t[]) {
219 .map_offset = offsetof(ldap_autz_call_env_t, user_map),
220 .expect_password_offset = offsetof(ldap_autz_call_env_t, expect_password)
221 } },
223 ((call_env_parser_t[]) {
226 })) },
228 ((call_env_parser_t[]) {
231 .pair.func = ldap_group_filter_parse,
232 .pair.escape = {
233 .box_escape = {
234 .func = fr_ldap_box_escape,
236 .always_escape = false,
237 },
239 },
240 .pair.literals_safe_for = (fr_value_box_safe_for_t)fr_ldap_box_escape,
241 },
243 })) },
245 ((call_env_parser_t[]) {
248 .pair.dflt = "(&)", .pair.dflt_quote = T_SINGLE_QUOTED_STRING }, //!< Correct filter for when the DN is known.
250 } )) },
252 }
253};
254
255#define USERMOD_ENV(_section) static const call_env_method_t _section ## _usermod_method_env = { \
256 FR_CALL_ENV_METHOD_OUT(ldap_usermod_call_env_t), \
257 .env = (call_env_parser_t[]) { \
258 { FR_CALL_ENV_SUBSECTION("user", NULL, CALL_ENV_FLAG_REQUIRED, \
259 ((call_env_parser_t[]) { \
260 USER_CALL_ENV_COMMON(ldap_usermod_call_env_t), CALL_ENV_TERMINATOR \
261 })) }, \
262 { FR_CALL_ENV_SUBSECTION_FUNC(STRINGIFY(_section), CF_IDENT_ANY, CALL_ENV_FLAG_SUBSECTION | CALL_ENV_FLAG_PARSE_MISSING, ldap_mod_section_parse) }, \
263 CALL_ENV_TERMINATOR \
264 } \
265}
266
267USERMOD_ENV(accounting);
269
272 .env = (call_env_parser_t[]) {
274 ((call_env_parser_t[]) {
277 })) },
279 ((call_env_parser_t[]) {
282 .pair.func = ldap_group_filter_parse,
283 .pair.escape = {
284 .box_escape = {
285 .func = fr_ldap_box_escape,
287 .always_escape = false,
288 },
290 },
291 .pair.literals_safe_for = (fr_value_box_safe_for_t)fr_ldap_box_escape,
292 },
294 })) },
296 }
297};
298
301 .env = (call_env_parser_t[]) {
304 .map_offset = offsetof(ldap_xlat_profile_call_env_t, profile_map),
305 .expect_password_offset = -1
306 } },
308 ((call_env_parser_t[]) {
310 .pair.dflt = "(&)", .pair.dflt_quote = T_SINGLE_QUOTED_STRING }, //!< Correct filter for when the DN is known.
312 })) },
314 }
315};
316
318
321 { .out = &dict_freeradius, .proto = "freeradius" },
322 { NULL }
323};
324
332
335 { .out = &attr_password, .name = "Password", .type = FR_TYPE_TLV, .dict = &dict_freeradius },
336 { .out = &attr_cleartext_password, .name = "Password.Cleartext", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
337 { .out = &attr_crypt_password, .name = "Password.Crypt", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
338 { .out = &attr_ldap_userdn, .name = "LDAP-UserDN", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
339 { .out = &attr_nt_password, .name = "Password.NT", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
340 { .out = &attr_password_with_header, .name = "Password.With-Header", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
341 { .out = &attr_expr_bool_enum, .name = "Expr-Bool-Enum", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
342
343 { NULL }
344};
345
346extern global_lib_autoinst_t const *rlm_ldap_lib[];
351
352/** Holds state of in progress async authentication
353 *
354 */
362
363/** Holds state of in progress ldap user modifications
364 *
365 */
379
380/** Holds state of in progress LDAP map
381 *
382 */
383typedef struct {
384 map_list_t const *maps;
385 LDAPURLDesc *ldap_url;
388 LDAPControl *serverctrls[LDAP_MAX_CONTROLS];
390
396
398 { L("ldap://"), LDAP_SCHEME_UNIX },
399 { L("ldapi://"), LDAP_SCHEME_TCP },
400 { L("ldaps://"), LDAP_SCHEME_TCP_SSL },
401};
403
404/** This is the common function that actually ends up doing all the URI escaping
405 */
406#define LDAP_URI_SAFE_FOR (fr_value_box_safe_for_t)fr_ldap_uri_escape_func
407
409 { .required = true, .concat = true, .type = FR_TYPE_STRING },
411};
412
414 { .required = true, .concat = true, .type = FR_TYPE_STRING },
416};
417
418/** Escape LDAP string
419 *
420 * @ingroup xlat_functions
421 */
423 UNUSED xlat_ctx_t const *xctx,
424 request_t *request, fr_value_box_list_t *in)
425{
426 fr_value_box_t *vb, *in_vb = fr_value_box_list_head(in);
427 fr_sbuff_t sbuff;
428 fr_sbuff_uctx_talloc_t sbuff_ctx;
429 size_t len;
430
431 MEM(vb = fr_value_box_alloc_null(ctx));
432
433 /*
434 * If it's already safe, just copy it over.
435 */
437 if (unlikely(fr_value_box_copy(vb, vb, in_vb) < 0)) {
438 RPEDEBUG("Failed copying input argument to output");
439 talloc_free(vb);
440 return XLAT_ACTION_FAIL;
441 }
442
444 return XLAT_ACTION_DONE;
445 }
446
447 /*
448 * Maximum space needed for output would be 3 times the input if every
449 * char needed escaping
450 */
451 if (!fr_sbuff_init_talloc(vb, &sbuff, &sbuff_ctx, in_vb->vb_length * 3, in_vb->vb_length * 3)) {
452 REDEBUG("Failed to allocate buffer for escaped string");
453 talloc_free(vb);
454 return XLAT_ACTION_FAIL;
455 }
456
457 /*
458 * Call the escape function, including the space for the trailing NULL
459 */
460 len = fr_ldap_uri_escape_func(request, fr_sbuff_buff(&sbuff), in_vb->vb_length * 3 + 1, in_vb->vb_strvalue, NULL);
461
462 /*
463 * Trim buffer to fit used space and assign to box
464 */
465 fr_sbuff_trim_talloc(&sbuff, len);
466 fr_value_box_strdup_shallow(vb, NULL, fr_sbuff_buff(&sbuff), in_vb->tainted);
467
469 return XLAT_ACTION_DONE;
470}
471
473 { .required = true, .concat = true, .type = FR_TYPE_STRING },
475};
476
477/** Unescape LDAP string
478 *
479 * @ingroup xlat_functions
480 */
482 UNUSED xlat_ctx_t const *xctx,
483 request_t *request, fr_value_box_list_t *in)
484{
485 fr_value_box_t *vb, *in_vb = fr_value_box_list_head(in);
486 fr_sbuff_t sbuff;
487 fr_sbuff_uctx_talloc_t sbuff_ctx;
488 size_t len;
489
490 MEM(vb = fr_value_box_alloc_null(ctx));
491 /*
492 * Maximum space needed for output will be the same as the input
493 */
494 if (!fr_sbuff_init_talloc(vb, &sbuff, &sbuff_ctx, in_vb->vb_length, in_vb->vb_length)) {
495 REDEBUG("Failed to allocate buffer for unescaped string");
496 talloc_free(vb);
497 return XLAT_ACTION_FAIL;
498 }
499
500 /*
501 * Call the unescape function, including the space for the trailing NULL
502 */
503 len = fr_ldap_uri_unescape_func(request, fr_sbuff_buff(&sbuff), in_vb->vb_length + 1, in_vb->vb_strvalue, NULL);
504
505 /*
506 * Trim buffer to fit used space and assign to box
507 */
508 fr_sbuff_trim_talloc(&sbuff, len);
509 fr_value_box_strdup_shallow(vb, NULL, fr_sbuff_buff(&sbuff), in_vb->tainted);
511
512 return XLAT_ACTION_DONE;
513}
514
515/** Escape function for a part of an LDAP URI
516 *
517 */
518static int ldap_uri_part_escape(fr_value_box_t *vb, UNUSED void *uctx)
519{
520 fr_sbuff_t sbuff;
521 fr_sbuff_uctx_talloc_t sbuff_ctx;
522 size_t len;
523
524 /*
525 * Maximum space needed for output would be 3 times the input if every
526 * char needed escaping
527 */
528 if (!fr_sbuff_init_talloc(vb, &sbuff, &sbuff_ctx, vb->vb_length * 3, vb->vb_length * 3)) {
529 fr_strerror_printf_push("Failed to allocate buffer for escaped argument");
530 return -1;
531 }
532
533 /*
534 * Call the escape function, including the space for the trailing NULL
535 */
536 len = fr_ldap_uri_escape_func(NULL, fr_sbuff_buff(&sbuff), vb->vb_length * 3 + 1, vb->vb_strvalue, NULL);
537
538 fr_sbuff_trim_talloc(&sbuff, len);
540
541 return 0;
542}
543
544/** Callback when LDAP query times out
545 *
546 */
548{
549 fr_ldap_query_t *query = talloc_get_type_abort(uctx, fr_ldap_query_t);
550 trunk_request_t *treq;
551 request_t *request;
552
553 /*
554 * If the trunk request has completed but the query
555 * has not yet resumed, query->treq will be NULL
556 */
557 if (!query->treq) return;
558
559 treq = talloc_get_type_abort(query->treq, trunk_request_t);
560 request = treq->request;
561
562 ROPTIONAL(RERROR, ERROR, "Timeout waiting for LDAP query");
563
565
566 query->ret = LDAP_RESULT_TIMEOUT;
568}
569
571 { .required = true, .concat = true, .type = FR_TYPE_STRING },
572 { .required = true, .concat = true, .type = FR_TYPE_STRING },
574};
575
576/** Modify an LDAP URI to append an option to all attributes
577 *
578 * This is for the corner case where a URI is provided by a third party system
579 * and needs amending before being used. e.g. a CRL distribution point extracted
580 * from a certificate may need the "binary" option appending to the attribute
581 * being requested.
582 *
583 * @ingroup xlat_functions
584 */
586 request_t *request, fr_value_box_list_t *in)
587{
588 fr_value_box_t *uri, *option_vb;
589 char *attrs_fixed, **attr, port[6];
590 char const *option;
591 LDAPURLDesc *ldap_url;
592 fr_value_box_t *vb;
593 int ret;
594
595 XLAT_ARGS(in, &uri, &option_vb);
596
597#ifdef STATIC_ANALYZER
598 if (!option_vb) return XLAT_ACTION_FAIL;
599#endif
600
601 if (option_vb->vb_length < 1) {
602 RERROR("LDAP attriubte option must not be blank");
603 return XLAT_ACTION_FAIL;
604 }
605
606 if (!ldap_is_ldap_url(uri->vb_strvalue)) {
607 REDEBUG("String passed does not look like an LDAP URL");
608 return XLAT_ACTION_FAIL;
609 }
610
611 ret = ldap_url_parse(uri->vb_strvalue, &ldap_url);
612 if (ret != LDAP_URL_SUCCESS){
613 RPEDEBUG("Parsing LDAP URL failed - %s", fr_ldap_url_err_to_str(ret));
614 return XLAT_ACTION_FAIL;
615 }
616
617 /*
618 * No attributes, just return what was presented.
619 */
620 if (!ldap_url->lud_attrs || !ldap_url->lud_attrs[0] || !*ldap_url->lud_attrs[0]) {
621 fr_value_box_list_remove(in, uri);
622 talloc_steal(ctx, uri);
624 goto done;
625 }
626
627 if (option_vb->vb_strvalue[0] != ';') {
628 option = talloc_asprintf(option_vb, ";%s", option_vb->vb_strvalue);
629 } else {
630 option = option_vb->vb_strvalue;
631 }
632
633 MEM(vb = fr_value_box_alloc(ctx, FR_TYPE_STRING, NULL));
634 attrs_fixed = talloc_strdup(vb, "");
635
636 attr = ldap_url->lud_attrs;
637 while (*attr) {
638 attrs_fixed = talloc_strdup_append(attrs_fixed, *attr);
639 if (!strstr(*attr, option)) attrs_fixed = talloc_strdup_append(attrs_fixed, option);
640 attr++;
641 if (*attr) attrs_fixed = talloc_strdup_append(attrs_fixed, ",");
642 }
643
644 snprintf(port, sizeof(port), "%d", ldap_url->lud_port);
645 fr_value_box_asprintf(vb, vb, NULL, uri->tainted, "%s://%s%s%s/%s?%s?%s?%s",
646 ldap_url->lud_scheme,
647 ldap_url->lud_host ? ldap_url->lud_host : "",
648 ldap_url->lud_host ? ":" : "",
649 ldap_url->lud_host ? port : "",
650 ldap_url->lud_dn, attrs_fixed,
651 fr_table_str_by_value(fr_ldap_scope, ldap_url->lud_scope, ""),
652 ldap_url->lud_filter ? ldap_url->lud_filter : "");
653
655done:
656 ldap_free_urldesc(ldap_url);
657 return XLAT_ACTION_DONE;
658}
659
660/** Callback when resuming after async ldap query is completed
661 *
662 */
664 xlat_ctx_t const *xctx,
665 request_t *request, UNUSED fr_value_box_list_t *in)
666{
667 fr_ldap_query_t *query = talloc_get_type_abort(xctx->rctx, fr_ldap_query_t);
668 fr_ldap_connection_t *ldap_conn = query->ldap_conn;
669 fr_value_box_t *vb = NULL;
670 LDAPMessage *msg;
671 struct berval **values;
672 char const **attr;
673 int count, i;
674
675 if (query->ret != LDAP_RESULT_SUCCESS) return XLAT_ACTION_FAIL;
676
677 /*
678 * We only parse "entries"
679 */
680 for (msg = ldap_first_entry(ldap_conn->handle, query->result); msg; msg = ldap_next_entry(ldap_conn->handle, msg)) {
681 for (attr = query->search.attrs; *attr; attr++) {
682 values = ldap_get_values_len(ldap_conn->handle, msg, *attr);
683 if (!values) {
684 RDEBUG2("No \"%s\" attributes found in specified object", *attr);
685 continue;
686 }
687
688 count = ldap_count_values_len(values);
689 for (i = 0; i < count; i++) {
690 MEM(vb = fr_value_box_alloc_null(ctx));
691 if (fr_value_box_bstrndup(vb, vb, NULL, values[i]->bv_val, values[i]->bv_len, true) < 0) {
692 talloc_free(vb);
693 RPERROR("Failed creating value from LDAP response");
694 break;
695 }
697 }
698 ldap_value_free_len(values);
699 }
700 }
701
702 talloc_free(query);
703
704 return XLAT_ACTION_DONE;
705}
706
707/** Callback for signalling async ldap query
708 *
709 */
710static void ldap_xlat_signal(xlat_ctx_t const *xctx, request_t *request, UNUSED fr_signal_t action)
711{
712 fr_ldap_query_t *query = talloc_get_type_abort(xctx->rctx, fr_ldap_query_t);
713
714 if (!query->treq) return;
715
716 RDEBUG2("Forcefully cancelling pending LDAP query");
717
719}
720
721/*
722 * If a part doesn't have an escaping function, parsing will fail unless the input
723 * was marked up with a safe_for value by the ldap arg parsing, i.e. was a literal
724 * input argument to the xlat.
725 *
726 * This is equivalent to the old "tainted_allowed" flag.
727 */
729 { .name = "scheme", .safe_for = LDAP_URI_SAFE_FOR, .terminals = &FR_SBUFF_TERMS(L(":")), .part_adv = { [':'] = 1 }, .extra_skip = 2 },
730 { .name = "host", .safe_for = LDAP_URI_SAFE_FOR, .terminals = &FR_SBUFF_TERMS(L(":"), L("/")), .part_adv = { [':'] = 1, ['/'] = 2 } },
731 { .name = "port", .safe_for = LDAP_URI_SAFE_FOR, .terminals = &FR_SBUFF_TERMS(L("/")), .part_adv = { ['/'] = 1 } },
732 { .name = "dn", .safe_for = LDAP_URI_SAFE_FOR, .terminals = &FR_SBUFF_TERMS(L("?")), .part_adv = { ['?'] = 1 }, .func = ldap_uri_part_escape },
733 { .name = "attrs", .safe_for = LDAP_URI_SAFE_FOR, .terminals = &FR_SBUFF_TERMS(L("?")), .part_adv = { ['?'] = 1 }},
734 { .name = "scope", .safe_for = LDAP_URI_SAFE_FOR, .terminals = &FR_SBUFF_TERMS(L("?")), .part_adv = { ['?'] = 1 }, .func = ldap_uri_part_escape },
735 { .name = "filter", .safe_for = LDAP_URI_SAFE_FOR, .terminals = &FR_SBUFF_TERMS(L("?")), .part_adv = { ['?'] = 1}, .func = ldap_uri_part_escape },
736 { .name = "exts", .safe_for = LDAP_URI_SAFE_FOR, .func = ldap_uri_part_escape },
738};
739
740static fr_uri_part_t const ldap_dn_parts[] = {
741 { .name = "dn", .safe_for = LDAP_URI_SAFE_FOR , .func = ldap_uri_part_escape },
743};
744
746 { .required = true, .type = FR_TYPE_STRING, .safe_for = LDAP_URI_SAFE_FOR, .will_escape = true, },
748};
749
750/** Produce canonical LDAP host URI for finding trunks
751 *
752 */
753static inline CC_HINT(always_inline)
754char *host_uri_canonify(request_t *request, LDAPURLDesc *url_parsed, fr_value_box_t *url_in)
755{
756 char *host;
757
758 LDAPURLDesc tmp_desc = {
759 .lud_scheme = url_parsed->lud_scheme,
760 .lud_host = url_parsed->lud_host,
761 .lud_port = url_parsed->lud_port,
762 .lud_scope = -1
763 };
764 host = ldap_url_desc2str(&tmp_desc);
765 if (unlikely(host == NULL)) REDEBUG("Invalid LDAP URL - %pV", url_in); \
766
767 return host;
768}
769
770/** Utility function for parsing LDAP URLs
771 *
772 * All LDAP xlat functions that work with LDAP URLs should call this function to parse the URL.
773 *
774 * @param[out] uri_parsed LDAP URL parsed. Must be freed with ldap_url_desc_free.
775 * @param[out] host_out host name to use for the query. Must be freed with ldap_mem_free
776 * if free_host_out is true.
777 * @param[out] free_host_out True if host_out should be freed.
778 * @param[in] request Request being processed.
779 * @param[in] host_default Default host to use if the URL does not specify a host.
780 * @param[in] uri_in URI to parse.
781 * @return
782 * - 0 on success.
783 * - -1 on failure.
784 */
785static int ldap_xlat_uri_parse(LDAPURLDesc **uri_parsed, char **host_out, bool *free_host_out,
786 request_t *request, char *host_default, fr_value_box_t *uri_in)
787{
788 fr_value_box_t *uri;
789 int ldap_url_ret;
790
791 *free_host_out = false;
792
793 if (fr_uri_escape_list(&uri_in->vb_group, ldap_uri_parts, NULL) < 0){
794 RPERROR("Failed to escape LDAP URI");
795 error:
796 *uri_parsed = NULL;
797 return -1;
798 }
799
800 /*
801 * Smush everything into the first URI box
802 */
803 uri = fr_value_box_list_head(&uri_in->vb_group);
804
805 if (fr_value_box_list_concat_in_place(uri, uri, &uri_in->vb_group,
806 FR_TYPE_STRING, FR_VALUE_BOX_LIST_FREE, true, SIZE_MAX) < 0) {
807 RPEDEBUG("Failed concatenating input");
808 goto error;
809 }
810
811 if (!ldap_is_ldap_url(uri->vb_strvalue)) {
812 REDEBUG("String passed does not look like an LDAP URL");
813 goto error;
814 }
815
816 ldap_url_ret = ldap_url_parse(uri->vb_strvalue, uri_parsed);
817 if (ldap_url_ret != LDAP_URL_SUCCESS){
818 RPEDEBUG("Parsing LDAP URL failed - %s", fr_ldap_url_err_to_str(ldap_url_ret));
819 goto error;
820 }
821
822 /*
823 * If the URL is <scheme>:/// the parsed host will be NULL - use config default
824 */
825 if (!(*uri_parsed)->lud_host) {
826 *host_out = host_default;
827 } else {
828 *host_out = host_uri_canonify(request, *uri_parsed, uri);
829 if (unlikely(*host_out == NULL)) {
830 ldap_free_urldesc(*uri_parsed);
831 *uri_parsed = NULL;
832 return -1;
833 }
834 *free_host_out = true;
835 }
836
837 return 0;
838}
839
840/** Expand an LDAP URL into a query, and return a string result from that query.
841 *
842 * @ingroup xlat_functions
843 */
845 xlat_ctx_t const *xctx,
846 request_t *request, fr_value_box_list_t *in)
847{
848 fr_ldap_thread_t *t = talloc_get_type_abort(xctx->mctx->thread, fr_ldap_thread_t);
849 fr_value_box_t *uri;
850 char *host;
851 bool free_host = false;
852 fr_ldap_config_t const *handle_config = t->config;
854 fr_ldap_query_t *query = NULL;
855
856 LDAPURLDesc *ldap_url;
857
858 XLAT_ARGS(in, &uri);
859
860 if (ldap_xlat_uri_parse(&ldap_url, &host, &free_host, request, handle_config->server, uri) < 0) return XLAT_ACTION_FAIL;
861
862 /*
863 * Nothing, empty string, "*" string, or got 2 things, die.
864 */
865 if (!ldap_url->lud_attrs || !ldap_url->lud_attrs[0] || !*ldap_url->lud_attrs[0] ||
866 (strcmp(ldap_url->lud_attrs[0], "*") == 0) || ldap_url->lud_attrs[1]) {
867 REDEBUG("Bad attributes list in LDAP URL. URL must specify exactly one attribute to retrieve");
868 ldap_free_urldesc(ldap_url);
869 return XLAT_ACTION_FAIL;
870 }
871
873 ldap_url->lud_dn, ldap_url->lud_scope, ldap_url->lud_filter,
874 (char const * const*)ldap_url->lud_attrs, NULL, NULL);
875 query->ldap_url = ldap_url; /* query destructor will free URL */
876
877 if (ldap_url->lud_exts) {
878 LDAPControl *serverctrls[LDAP_MAX_CONTROLS];
879 int i;
880
881 serverctrls[0] = NULL;
882
883 if (fr_ldap_parse_url_extensions(serverctrls, NUM_ELEMENTS(serverctrls),
884 query->ldap_url->lud_exts) < 0) {
885 RPERROR("Parsing URL extensions failed");
886 if (free_host) ldap_memfree(host);
887
888 query_error:
889 talloc_free(query);
890 return XLAT_ACTION_FAIL;
891 }
892
893 for (i = 0; i < LDAP_MAX_CONTROLS; i++) {
894 if (!serverctrls[i]) break;
895 query->serverctrls[i].control = serverctrls[i];
896 query->serverctrls[i].freeit = true;
897 }
898 }
899
900 /*
901 * Figure out what trunked connection we can use
902 * to communicate with the host.
903 *
904 * If free_host is true, we must free the host
905 * after deciding on a trunk connection as it
906 * was allocated by host_uri_canonify.
907 */
908 ttrunk = fr_thread_ldap_trunk_get(t, host, handle_config->admin_identity,
909 handle_config->admin_password, request, handle_config);
910 if (free_host) ldap_memfree(host);
911 if (!ttrunk) {
912 REDEBUG("Unable to get LDAP query for xlat");
913 goto query_error;
914 }
915
916 switch (trunk_request_enqueue(&query->treq, ttrunk->trunk, request, query, NULL)) {
917 case TRUNK_ENQUEUE_OK:
919 break;
920
921 default:
922 REDEBUG("Unable to enqueue LDAP query for xlat");
923 goto query_error;
924 }
925
926 if (fr_timer_in(query, unlang_interpret_event_list(request)->tl, &query->ev, handle_config->res_timeout,
927 false, ldap_query_timeout, query) < 0) {
928 REDEBUG("Unable to set timeout for LDAP query");
930 goto query_error;
931 }
932
934}
935
936/** User object lookup as part of group membership xlat
937 *
938 * Called if the ldap membership xlat is used and the user DN is not already known
939 */
941{
942 ldap_group_xlat_ctx_t *xlat_ctx = talloc_get_type_abort(uctx, ldap_group_xlat_ctx_t);
943
944 if (xlat_ctx->env_data->user_filter.type == FR_TYPE_STRING) xlat_ctx->filter = &xlat_ctx->env_data->user_filter;
945
946 xlat_ctx->basedn = &xlat_ctx->env_data->user_base;
947
949 /* discard, this function is only used by xlats */NULL,
950 xlat_ctx->inst, request,
951 xlat_ctx->basedn, xlat_ctx->filter,
952 xlat_ctx->ttrunk, xlat_ctx->attrs, &xlat_ctx->query);
953}
954
955/** Cancel an in-progress query for the LDAP group membership xlat
956 *
957 */
958static void ldap_group_xlat_cancel(UNUSED request_t *request, UNUSED fr_signal_t action, void *uctx)
959{
960 ldap_group_xlat_ctx_t *xlat_ctx = talloc_get_type_abort(uctx, ldap_group_xlat_ctx_t);
961
962 if (!xlat_ctx->query || !xlat_ctx->query->treq) return;
963
965}
966
967#define REPEAT_LDAP_MEMBEROF_XLAT_RESULTS \
968 if (unlang_function_repeat_set(request, ldap_group_xlat_results) < 0) do { \
969 RETURN_UNLANG_FAIL; \
970 } while (0)
971
972/** Run the state machine for the LDAP membership xlat
973 *
974 * This is called after each async lookup is completed
975 *
976 * Will stop early, and set p_result to unlang_result
977 */
979{
980 ldap_group_xlat_ctx_t *xlat_ctx = talloc_get_type_abort(uctx, ldap_group_xlat_ctx_t);
981 rlm_ldap_t const *inst = xlat_ctx->inst;
982
983 /*
984 * Check to see if rlm_ldap_check_groupobj_dynamic or rlm_ldap_check_userobj_dynamic failed
985 */
987
988 switch (xlat_ctx->status) {
990 if (!xlat_ctx->dn) xlat_ctx->dn = rlm_find_user_dn_cached(request);
992
993 RDEBUG3("Entered GROUP_XLAT_FIND_USER with user DN \"%s\"", xlat_ctx->dn);
994 if (inst->group.obj_membership_filter) {
996 RDEBUG3("Checking for user in group objects");
1000 }
1001 }
1003
1005 if (xlat_ctx->found) RETURN_UNLANG_OK;
1006
1007 RDEBUG3("Entered GROUP_XLAT_MEMB_FILTER with user DN \"%s\"", xlat_ctx->dn);
1008 if (inst->group.userobj_membership_attr) {
1013 }
1014 }
1016
1018 RDEBUG3("Entered GROUP_XLAT_MEMB_ATTR with user DN \"%s\"", xlat_ctx->dn);
1019 if (xlat_ctx->found) RETURN_UNLANG_OK;
1020 break;
1021 }
1022
1024}
1025
1026/** Process the results of evaluating LDAP group membership
1027 *
1028 */
1030 UNUSED request_t *request, UNUSED fr_value_box_list_t *in)
1031{
1032 ldap_group_xlat_ctx_t *xlat_ctx = talloc_get_type_abort(xctx->rctx, ldap_group_xlat_ctx_t);
1033 fr_value_box_t *vb;
1034
1036 vb->vb_bool = xlat_ctx->found;
1038
1039 return XLAT_ACTION_DONE;
1040}
1041
1043 { .required = true, .concat = true, .type = FR_TYPE_STRING, .safe_for = LDAP_URI_SAFE_FOR },
1045};
1046
1047/** Check for a user being in a LDAP group
1048 *
1049 * @ingroup xlat_functions
1050 */
1051static xlat_action_t ldap_group_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx,
1052 request_t *request, fr_value_box_list_t *in)
1053{
1054 fr_value_box_t *vb = NULL, *group_vb = fr_value_box_list_pop_head(in);
1056 fr_ldap_thread_t *t = talloc_get_type_abort(xctx->mctx->thread, fr_ldap_thread_t);
1057 ldap_xlat_memberof_call_env_t *env_data = talloc_get_type_abort(xctx->env_data, ldap_xlat_memberof_call_env_t);
1058 bool group_is_dn;
1060
1061 RDEBUG2("Searching for user in group \"%pV\"", group_vb);
1062
1063 if (group_vb->vb_length == 0) {
1064 REDEBUG("Cannot do comparison (group name is empty)");
1065 return XLAT_ACTION_FAIL;
1066 }
1067
1068 group_is_dn = fr_ldap_util_is_dn(group_vb->vb_strvalue, group_vb->vb_length);
1069 if (group_is_dn) {
1070 char *norm;
1071 size_t len;
1072
1073 MEM(norm = talloc_array(group_vb, char, talloc_array_length(group_vb->vb_strvalue)));
1074 len = fr_ldap_util_normalise_dn(norm, group_vb->vb_strvalue);
1075
1076 /*
1077 * Will clear existing buffer (i.e. group_vb->vb_strvalue)
1078 */
1079 fr_value_box_bstrdup_buffer_shallow(group_vb, group_vb, NULL, norm, group_vb->tainted);
1080
1081 /*
1082 * Trim buffer to match normalised DN
1083 */
1084 fr_value_box_bstr_realloc(group_vb, NULL, group_vb, len);
1085 }
1086
1087 if ((group_is_dn && inst->group.cacheable_dn) || (!group_is_dn && inst->group.cacheable_name)) {
1088 unlang_result_t our_result;
1089
1090 rlm_ldap_check_cached(&our_result, inst, request, group_vb);
1091 switch (our_result.rcode) {
1093 RDEBUG2("User is not a member of \"%pV\"", group_vb);
1094 return XLAT_ACTION_DONE;
1095
1096 case RLM_MODULE_OK:
1097 MEM(vb = fr_value_box_alloc(ctx, FR_TYPE_BOOL, NULL));
1098 vb->vb_bool = true;
1100 return XLAT_ACTION_DONE;
1101
1102 /*
1103 * Fallback to dynamic search
1104 */
1105 default:
1106 break;
1107 }
1108 }
1109
1111
1113 .inst = inst,
1114 .group = group_vb,
1115 .dn = rlm_find_user_dn_cached(request),
1116 .attrs = { inst->group.userobj_membership_attr, NULL },
1117 .group_is_dn = group_is_dn,
1118 .env_data = env_data
1119 };
1120
1121 xlat_ctx->ttrunk = fr_thread_ldap_trunk_get(t, inst->handle_config.server, inst->handle_config.admin_identity,
1122 inst->handle_config.admin_password, request, &inst->handle_config);
1123
1124 if (!xlat_ctx->ttrunk) {
1125 REDEBUG("Unable to get LDAP trunk for group membership check");
1126 error:
1128 return XLAT_ACTION_FAIL;
1129 }
1130
1131 if (unlang_xlat_yield(request, ldap_group_xlat_resume, NULL, 0, xlat_ctx) != XLAT_ACTION_YIELD) goto error;
1132
1134 request,
1137 ldap_group_xlat_cancel, ~FR_SIGNAL_CANCEL,
1139 xlat_ctx) < 0) goto error;
1140
1142}
1143
1150
1151/** Return whether evaluating the profile was successful
1152 *
1153 */
1155 UNUSED request_t *request, UNUSED fr_value_box_list_t *in)
1156{
1157 ldap_xlat_profile_ctx_t *xlat_ctx = talloc_get_type_abort(xctx->rctx, ldap_xlat_profile_ctx_t);
1158 fr_value_box_t *vb;
1159
1161 vb->vb_bool = (xlat_ctx->ret == LDAP_RESULT_SUCCESS) && (xlat_ctx->applied > 0);
1163
1164 return XLAT_ACTION_DONE;
1165}
1166
1168{
1169 if (to_free->url) {
1170 ldap_free_urldesc(to_free->url);
1171 to_free->url = NULL;
1172 }
1173 return 0;
1174}
1175
1176/** Expand an LDAP URL into a query, applying the results using the user update map.
1177 *
1178 * For fetching profiles by DN.
1179 *
1180 * @ingroup xlat_functions
1181 */
1183 xlat_ctx_t const *xctx,
1184 request_t *request, fr_value_box_list_t *in)
1185{
1187 fr_ldap_thread_t *t = talloc_get_type_abort(xctx->mctx->thread, fr_ldap_thread_t);
1188 ldap_xlat_profile_call_env_t *env_data = talloc_get_type_abort(xctx->env_data, ldap_xlat_profile_call_env_t);
1189 fr_value_box_t *uri_components, *uri;
1190 char *host_url, *host = NULL;
1191 fr_ldap_config_t const *handle_config = t->config;
1192 fr_ldap_thread_trunk_t *ttrunk;
1194
1195 int ldap_url_ret;
1196
1197 char const *dn;
1198 char const *filter;
1199 int scope;
1200
1201 bool is_dn;
1202
1203 XLAT_ARGS(in, &uri_components);
1204
1205 is_dn = (fr_uri_has_scheme(&uri_components->vb_group, ldap_uri_scheme_table, ldap_uri_scheme_table_len, -1) < 0);
1206
1207 /*
1208 * Apply different escaping rules based on whether the first
1209 * arg lookgs like a URI or a DN.
1210 */
1211 if (is_dn) {
1212 if (fr_uri_escape_list(&uri_components->vb_group, ldap_dn_parts, NULL) < 0) {
1213 RPERROR("Failed to escape LDAP profile DN");
1214 return XLAT_ACTION_FAIL;
1215 }
1216 } else {
1217 if (fr_uri_escape_list(&uri_components->vb_group, ldap_uri_parts, NULL) < 0) {
1218 RPERROR("Failed to escape LDAP profile URI");
1219 return XLAT_ACTION_FAIL;
1220 }
1221 }
1222
1223 /*
1224 * Smush everything into the first URI box
1225 */
1226 uri = fr_value_box_list_head(&uri_components->vb_group);
1227 if (fr_value_box_list_concat_in_place(uri, uri, &uri_components->vb_group,
1228 FR_TYPE_STRING, FR_VALUE_BOX_LIST_FREE, true, SIZE_MAX) < 0) {
1229 RPEDEBUG("Failed concatenating input");
1230 return XLAT_ACTION_FAIL;
1231 }
1232
1233 /*
1234 * Allocate a resumption context to store temporary resource and results
1235 */
1237 talloc_set_destructor(xlat_ctx, ldap_xlat_profile_ctx_free);
1238
1239 if (is_dn) {
1240 host_url = handle_config->server;
1241 dn = talloc_typed_strdup_buffer(xlat_ctx, uri->vb_strvalue);
1242 filter = env_data->profile_filter.vb_strvalue;
1243 scope = inst->profile.obj_scope;
1244 } else {
1245 ldap_url_ret = ldap_url_parse(uri->vb_strvalue, &xlat_ctx->url);
1246 if (ldap_url_ret != LDAP_URL_SUCCESS){
1247 RPEDEBUG("Parsing LDAP URL failed - %s", fr_ldap_url_err_to_str(ldap_url_ret));
1248 error:
1250 return XLAT_ACTION_FAIL;
1251 }
1252
1253 /*
1254 * The URL must specify a DN
1255 */
1256 if (!xlat_ctx->url->lud_dn) {
1257 REDEBUG("LDAP URI must specify a profile DN");
1258 goto error;
1259 }
1260
1261 dn = xlat_ctx->url->lud_dn;
1262 /*
1263 * Either we use the filter from the URL or we use the default filter
1264 * configured for profiles.
1265 */
1266 filter = xlat_ctx->url->lud_filter ? xlat_ctx->url->lud_filter : env_data->profile_filter.vb_strvalue;
1267
1268 /*
1269 * Determine if the URL includes a scope.
1270 */
1271 scope = xlat_ctx->url->lud_scope == LDAP_SCOPE_DEFAULT ? inst->profile.obj_scope : xlat_ctx->url->lud_scope;
1272
1273 /*
1274 * If the URL is <scheme>:/// the parsed host will be NULL - use config default
1275 */
1276 if (!xlat_ctx->url->lud_host) {
1277 host_url = handle_config->server;
1278 } else {
1279 host_url = host = host_uri_canonify(request, xlat_ctx->url, uri);
1280 if (unlikely(host_url == NULL)) goto error;
1281 }
1282 }
1283
1284 /*
1285 * Synchronous expansion of maps (fixme!)
1286 */
1287 if (fr_ldap_map_expand(xlat_ctx, &xlat_ctx->expanded, request, env_data->profile_map,
1288 inst->valuepair_attr, inst->profile.check_attr, inst->profile.fallthrough_attr) < 0) goto error;
1289 ttrunk = fr_thread_ldap_trunk_get(t, host_url, handle_config->admin_identity,
1290 handle_config->admin_password, request, handle_config);
1291 if (host) ldap_memfree(host);
1292 if (!ttrunk) {
1293 REDEBUG("Unable to get LDAP query for xlat");
1294 goto error;
1295 }
1296
1297 if (unlang_xlat_yield(request, ldap_profile_xlat_resume, NULL, 0, xlat_ctx) != XLAT_ACTION_YIELD) goto error;
1298
1299 /*
1300 * Pushes a frame onto the stack to retrieve and evaluate a profile
1301 */
1302 if (rlm_ldap_map_profile(&xlat_ctx->ret, &xlat_ctx->applied, inst, request, ttrunk, dn,
1303 scope, filter, &xlat_ctx->expanded) < 0) goto error;
1304
1306}
1307
1308/*
1309 * Verify the result of the map.
1310 */
1311static int ldap_map_verify(CONF_SECTION *cs, UNUSED void const *mod_inst, UNUSED void *proc_inst,
1312 tmpl_t const *src, UNUSED map_list_t const *maps)
1313{
1314 if (!src) {
1315 cf_log_err(cs, "Missing LDAP URI");
1316
1317 return -1;
1318 }
1319
1320 return 0;
1321}
1322
1323/** Process the results of an LDAP map query
1324 *
1325 * @param[out] p_result Result of map expansion:
1326 * - #RLM_MODULE_NOOP no rows were returned.
1327 * - #RLM_MODULE_UPDATED if one or more #fr_pair_t were added to the #request_t.
1328 * - #RLM_MODULE_FAIL if an error occurred.
1329 * @param[in] mpctx module map ctx.
1330 * @param[in,out] request The current request.
1331 * @param[in] url LDAP url specifying base DN and filter.
1332 * @param[in] maps Head of the map list.
1333 * @return One of UNLANG_ACTION_*
1334 */
1335static unlang_action_t mod_map_resume(unlang_result_t *p_result, map_ctx_t const *mpctx, request_t *request,
1336 UNUSED fr_value_box_list_t *url, UNUSED map_list_t const *maps)
1337{
1338 ldap_map_ctx_t *map_ctx = talloc_get_type_abort(mpctx->rctx, ldap_map_ctx_t);
1339 fr_ldap_query_t *query = map_ctx->query;
1340 fr_ldap_map_exp_t *expanded = &map_ctx->expanded;
1342 LDAPMessage *entry;
1343 map_t const *map;
1344
1345 switch (query->ret) {
1347 rcode = RLM_MODULE_UPDATED;
1348 break;
1349
1351 case LDAP_RESULT_BAD_DN:
1352 goto finish;
1353
1355 goto finish;
1356
1357 default:
1358 rcode = RLM_MODULE_FAIL;
1359 goto finish;
1360 }
1361
1362 for (entry = ldap_first_entry(query->ldap_conn->handle, query->result);
1363 entry;
1364 entry = ldap_next_entry(query->ldap_conn->handle, entry)) {
1365 char *dn = NULL;
1366 int i;
1367
1368 if (RDEBUG_ENABLED2) {
1369 dn = ldap_get_dn(query->ldap_conn->handle, entry);
1370 RDEBUG2("Processing \"%s\"", dn);
1371 }
1372
1373 RINDENT();
1374 for (map = map_list_head(map_ctx->maps), i = 0;
1375 map != NULL;
1376 map = map_list_next(map_ctx->maps, map), i++) {
1377 int ret;
1378 fr_ldap_result_t attr;
1379
1380 attr.values = ldap_get_values_len(query->ldap_conn->handle, entry, expanded->attrs[i]);
1381 if (!attr.values) {
1382 /*
1383 * Many LDAP directories don't expose the DN of
1384 * the object as an attribute, so we need this
1385 * hack, to allow the user to retrieve it.
1386 */
1387 if (strcmp(LDAP_VIRTUAL_DN_ATTR, expanded->attrs[i]) == 0) {
1388 struct berval value;
1389 struct berval *values[2] = { &value, NULL };
1390
1391 if (!dn) dn = ldap_get_dn(query->ldap_conn->handle, entry);
1392 value.bv_val = dn;
1393 value.bv_len = strlen(dn);
1394
1395 attr.values = values;
1396 attr.count = 1;
1397
1398 ret = map_to_request(request, map, fr_ldap_map_getvalue, &attr);
1399 if (ret == -1) {
1400 rcode = RLM_MODULE_FAIL;
1401 ldap_memfree(dn);
1402 goto finish;
1403 }
1404 continue;
1405 }
1406
1407 RDEBUG3("Attribute \"%s\" not found in LDAP object", expanded->attrs[i]);
1408
1409 continue;
1410 }
1411 attr.count = ldap_count_values_len(attr.values);
1412
1413 ret = map_to_request(request, map, fr_ldap_map_getvalue, &attr);
1414 ldap_value_free_len(attr.values);
1415 if (ret == -1) {
1416 rcode = RLM_MODULE_FAIL;
1417 ldap_memfree(dn);
1418 goto finish;
1419 }
1420 }
1421 ldap_memfree(dn);
1422 REXDENT();
1423 }
1424
1425finish:
1426 RETURN_UNLANG_RCODE(rcode);
1427}
1428
1429/** Ensure map context is properly cleared up
1430 *
1431 */
1433{
1434 int i = 0;
1435 talloc_free(map_ctx->expanded.ctx);
1436 ldap_free_urldesc(map_ctx->ldap_url);
1437 while ((i < LDAP_MAX_CONTROLS) && map_ctx->serverctrls[i]) {
1438 ldap_control_free(map_ctx->serverctrls[i]);
1439 i++;
1440 }
1441 return (0);
1442}
1443
1444/** Perform a search and map the result of the search to server attributes
1445 *
1446 * Unlike LDAP xlat, this can be used to process attributes from multiple entries.
1447 *
1448 * @todo For xlat expansions we need to parse the raw URL first, and then apply
1449 * different escape functions to the different parts.
1450 *
1451 * @param[out] p_result Result of map expansion:
1452 * - #RLM_MODULE_NOOP no rows were returned.
1453 * - #RLM_MODULE_UPDATED if one or more #fr_pair_t were added to the #request_t.
1454 * - #RLM_MODULE_FAIL if an error occurred.
1455 * @param[in] mpctx module map ctx.
1456 * @param[in,out] request The current request.
1457 * @param[in] url LDAP url specifying base DN and filter.
1458 * @param[in] maps Head of the map list.
1459 * @return UNLANG_ACTION_CALCULATE_RESULT
1460 */
1461static unlang_action_t mod_map_proc(unlang_result_t *p_result, map_ctx_t const *mpctx, request_t *request,
1462 fr_value_box_list_t *url, map_list_t const *maps)
1463{
1465 fr_ldap_thread_t *thread = talloc_get_type_abort(module_thread(inst->mi)->data, fr_ldap_thread_t);
1466
1467 LDAPURLDesc *ldap_url;
1468 int ldap_url_ret;
1469 fr_ldap_thread_trunk_t *ttrunk;
1470
1471 fr_value_box_t *url_head;
1473 char *host_url, *host = NULL;
1474
1475 if (fr_uri_escape_list(url, ldap_uri_parts, NULL) < 0) {
1476 RPERROR("Failed to escape LDAP map URI");
1478 }
1479
1480 url_head = fr_value_box_list_head(url);
1481 if (!url_head) {
1482 REDEBUG("LDAP URL cannot be empty");
1484 }
1485
1486 if (fr_value_box_list_concat_in_place(url_head, url_head, url, FR_TYPE_STRING,
1487 FR_VALUE_BOX_LIST_FREE, true, SIZE_MAX) < 0) {
1488 RPEDEBUG("Failed concatenating input");
1490 }
1491
1492 if (!ldap_is_ldap_url(url_head->vb_strvalue)) {
1493 REDEBUG("Map query string does not look like a valid LDAP URI");
1495 }
1496
1498 talloc_set_destructor(map_ctx, map_ctx_free);
1499 map_ctx->maps = maps;
1500
1501 ldap_url_ret = ldap_url_parse(url_head->vb_strvalue, &map_ctx->ldap_url);
1502 if (ldap_url_ret != LDAP_URL_SUCCESS){
1503 RPEDEBUG("Parsing LDAP URL failed - %s", fr_ldap_url_err_to_str(ldap_url_ret));
1504 fail:
1507 }
1508 ldap_url = map_ctx->ldap_url;
1509
1510 if (ldap_url->lud_exts) {
1511 if (fr_ldap_parse_url_extensions(map_ctx->serverctrls, NUM_ELEMENTS(map_ctx->serverctrls),
1512 ldap_url->lud_exts) < 0) {
1513 RPERROR("Parsing URL extensions failed");
1514 goto fail;
1515 }
1516 }
1517
1518 /*
1519 * Expand the RHS of the maps to get the name of the attributes.
1520 */
1521 if (fr_ldap_map_expand(map_ctx, &map_ctx->expanded, request, maps, NULL, NULL, NULL) < 0) goto fail;
1522
1523 /*
1524 * If the URL is <scheme>:/// the parsed host will be NULL - use config default
1525 */
1526 if (!ldap_url->lud_host) {
1527 host_url = inst->handle_config.server;
1528 } else {
1529 host_url = host = host_uri_canonify(request, ldap_url, url_head);
1530 if (unlikely(host_url == NULL)) goto fail;
1531 }
1532
1533 ttrunk = fr_thread_ldap_trunk_get(thread, host_url, inst->handle_config.admin_identity,
1534 inst->handle_config.admin_password, request, &inst->handle_config);
1535 if (host) ldap_memfree(host);
1536 if (!ttrunk) goto fail;
1537
1538 if (unlikely(unlang_map_yield(request, mod_map_resume, NULL, 0, map_ctx) != UNLANG_ACTION_YIELD)) goto fail;
1539
1540 return fr_ldap_trunk_search(map_ctx, &map_ctx->query, request, ttrunk, ldap_url->lud_dn,
1541 ldap_url->lud_scope, ldap_url->lud_filter, map_ctx->expanded.attrs,
1542 map_ctx->serverctrls, NULL);
1543}
1544
1545static unlang_action_t CC_HINT(nonnull) mod_authenticate(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
1546{
1548 fr_ldap_thread_t *thread = talloc_get_type_abort(module_thread(inst->mi)->data, fr_ldap_thread_t);
1549 ldap_auth_ctx_t *auth_ctx;
1550 ldap_auth_call_env_t *call_env = talloc_get_type_abort(mctx->env_data, ldap_auth_call_env_t);
1551
1552 if (call_env->password.type != FR_TYPE_STRING) {
1553 RWDEBUG("You have set \"Auth-Type := LDAP\" somewhere");
1554 RWDEBUG("without checking if %s is present", call_env->password_tmpl->name);
1555 RWDEBUG("*********************************************");
1556 RWDEBUG("* THAT CONFIGURATION IS WRONG. DELETE IT. ");
1557 RWDEBUG("* YOU ARE PREVENTING THE SERVER FROM WORKING");
1558 RWDEBUG("*********************************************");
1559
1560 REDEBUG("Attribute \"%s\" is required for authentication", call_env->password_tmpl->name);
1562 }
1563
1564 auth_ctx = talloc(unlang_interpret_frame_talloc_ctx(request), ldap_auth_ctx_t);
1565 *auth_ctx = (ldap_auth_ctx_t){
1566 .password = call_env->password.vb_strvalue,
1567 .thread = thread,
1568 .inst = inst,
1569 .call_env = call_env
1570 };
1571
1572 /*
1573 * Find the user's DN
1574 */
1575 auth_ctx->dn = rlm_find_user_dn_cached(request);
1576
1577 /*
1578 * The DN is required for non-SASL auth
1579 */
1580 if (!auth_ctx->dn && (call_env->user_sasl_mech.type != FR_TYPE_STRING)) {
1581 REDEBUG("No DN found for authentication. Populate control.%s with the DN to use in authentication.",
1582 attr_ldap_userdn->name);
1583 REDEBUG("You should call %s in the recv section and check its return.", inst->mi->name);
1584 talloc_free(auth_ctx);
1586 }
1587
1588 /*
1589 * Log the password
1590 */
1591 if (RDEBUG_ENABLED3) {
1592 RDEBUG("Login attempt with password \"%pV\"", &call_env->password);
1593 } else {
1594 RDEBUG2("Login attempt with password");
1595 }
1596
1597 /*
1598 * SASL bind auth will have the mech set.
1599 */
1600 if (auth_ctx->call_env->user_sasl_mech.type == FR_TYPE_STRING) {
1601#ifdef WITH_SASL
1602 RDEBUG2("Login attempt using identity \"%pV\"", &call_env->user_sasl_authname);
1603
1604 return fr_ldap_sasl_bind_auth_async(p_result, request, auth_ctx->thread, call_env->user_sasl_mech.vb_strvalue,
1605 call_env->user_sasl_authname.vb_strvalue,
1606 auth_ctx->password, call_env->user_sasl_proxy.vb_strvalue,
1607 call_env->user_sasl_realm.vb_strvalue);
1608#else
1609 RDEBUG("Configuration item 'sasl.mech' is not supported. "
1610 "The linked version of libldap does not provide ldap_sasl_bind( function");
1612#endif
1613 }
1614
1615 RDEBUG2("Login attempt as \"%s\"", auth_ctx->dn);
1616
1617 return fr_ldap_bind_auth_async(p_result, request, auth_ctx->thread, auth_ctx->dn, auth_ctx->password);
1618}
1619
1620#define REPEAT_MOD_AUTHORIZE_RESUME \
1621 if (unlang_module_yield(request, mod_authorize_resume, NULL, 0, autz_ctx) == UNLANG_ACTION_FAIL) do { \
1622 p_result->rcode = RLM_MODULE_FAIL; \
1623 goto finish; \
1624 } while (0)
1625
1626/** Resume function called after each potential yield in LDAP authorization
1627 *
1628 * Some operations may or may not yield. E.g. if group membership is
1629 * read from an attribute returned with the user object and is already
1630 * in the correct form, that will not yield.
1631 * Hence, each state may fall through to the next.
1632 *
1633 * @param p_result Result of current authorization.
1634 * @param mctx Module context.
1635 * @param request Current request.
1636 * @return An rcode.
1637 */
1639{
1640 ldap_autz_ctx_t *autz_ctx = talloc_get_type_abort(mctx->rctx, ldap_autz_ctx_t);
1642 ldap_autz_call_env_t *call_env = talloc_get_type_abort(autz_ctx->call_env, ldap_autz_call_env_t);
1643 int ldap_errno;
1644 LDAP *handle = fr_ldap_handle_thread_local();
1645
1646 /*
1647 * If a previous async call returned one of the "failure" results just return.
1648 */
1649 switch (p_result->rcode) {
1650 case RLM_MODULE_REJECT:
1651 case RLM_MODULE_FAIL:
1652 case RLM_MODULE_HANDLED:
1653 case RLM_MODULE_INVALID:
1655 goto finish;
1656
1657 default:
1658 break;
1659 }
1660
1661 switch (autz_ctx->status) {
1662 case LDAP_AUTZ_FIND:
1663 /*
1664 * If a user entry has been found the current rcode will be OK
1665 */
1666 if (p_result->rcode != RLM_MODULE_OK) return UNLANG_ACTION_CALCULATE_RESULT;
1667
1668 autz_ctx->entry = ldap_first_entry(handle, autz_ctx->query->result);
1669 if (!autz_ctx->entry) {
1670 ldap_get_option(handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
1671 REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno));
1672
1673 goto finish;
1674 }
1675
1676 /*
1677 * Check for access.
1678 */
1679 if (inst->user.obj_access_attr) {
1680 autz_ctx->access_state = rlm_ldap_check_access(inst, request, autz_ctx->entry);
1681 switch (autz_ctx->access_state) {
1683 break;
1684
1686 if (inst->group.skip_on_suspend) goto post_group;
1687 break;
1688
1690 p_result->rcode = RLM_MODULE_DISALLOW;
1691 goto finish;
1692 }
1693 }
1694
1695 /*
1696 * Check if we need to cache group memberships
1697 */
1698 if ((inst->group.cacheable_dn || inst->group.cacheable_name) && (inst->group.userobj_membership_attr)) {
1700 if (rlm_ldap_cacheable_userobj(p_result, request, autz_ctx,
1701 inst->group.userobj_membership_attr) == UNLANG_ACTION_PUSHED_CHILD) {
1702 autz_ctx->status = LDAP_AUTZ_GROUP;
1704 }
1705 if (p_result->rcode != RLM_MODULE_OK) goto finish;
1706 }
1708
1709 case LDAP_AUTZ_GROUP:
1710 if (inst->group.cacheable_dn || inst->group.cacheable_name) {
1712 if (rlm_ldap_cacheable_groupobj(p_result, request, autz_ctx) == UNLANG_ACTION_PUSHED_CHILD) {
1713 autz_ctx->status = LDAP_AUTZ_POST_GROUP;
1715 }
1716 if (p_result->rcode != RLM_MODULE_OK) goto finish;
1717 }
1719
1721 post_group:
1722#ifdef WITH_EDIR
1723 /*
1724 * We already have a Password.Cleartext. Skip edir.
1725 */
1726 if (fr_pair_find_by_da_nested(&request->control_pairs, NULL, attr_cleartext_password)) goto skip_edir;
1727
1728 /*
1729 * Retrieve Universal Password if we use eDirectory
1730 */
1731 if (inst->edir) {
1732 autz_ctx->dn = rlm_find_user_dn_cached(request);
1733
1734 /*
1735 * Retrieve universal password
1736 */
1738 autz_ctx->status = LDAP_AUTZ_EDIR_BIND;
1739 return fr_ldap_edir_get_password(p_result, request, autz_ctx->dn, autz_ctx->ttrunk,
1741 }
1743
1744 case LDAP_AUTZ_EDIR_BIND:
1745 if (inst->edir && inst->edir_autz) {
1746 fr_pair_t *password = fr_pair_find_by_da(&request->control_pairs,
1748 fr_ldap_thread_t *thread = talloc_get_type_abort(module_thread(inst->mi)->data,
1750
1751 if (!password) {
1752 REDEBUG("Failed to find control.Password.Cleartext");
1753 p_result->rcode = RLM_MODULE_FAIL;
1754 goto finish;
1755 }
1756
1757 RDEBUG2("Binding as %s for eDirectory authorization checks", autz_ctx->dn);
1758
1759 /*
1760 * Bind as the user
1761 */
1763 autz_ctx->status = LDAP_AUTZ_POST_EDIR;
1764 return fr_ldap_bind_auth_async(p_result, request, thread, autz_ctx->dn, password->vp_strvalue);
1765 }
1766 goto skip_edir;
1767
1768 case LDAP_AUTZ_POST_EDIR:
1769 {
1770 /*
1771 * The result of the eDirectory user bind will be in p_result.
1772 * Anything other than RLM_MODULE_OK is a failure.
1773 */
1774 break;
1775
1776 }
1778
1779#endif
1780 case LDAP_AUTZ_MAP:
1781#ifdef WITH_EDIR
1782 skip_edir:
1783#endif
1784 if (!map_list_empty(call_env->user_map) || inst->valuepair_attr) {
1785 RDEBUG2("Processing user attributes");
1786 RINDENT();
1787 if (fr_ldap_map_do(request, NULL, inst->valuepair_attr,
1788 &autz_ctx->expanded, autz_ctx->entry) > 0) autz_ctx->rcode = RLM_MODULE_UPDATED;
1789 REXDENT();
1790 rlm_ldap_check_reply(request, inst, autz_ctx->dlinst->name, call_env->expect_password->vb_bool, autz_ctx->ttrunk);
1791 }
1793
1795 /*
1796 * Apply ONE user profile, or a default user profile.
1797 */
1798 if (call_env->default_profile.type == FR_TYPE_STRING) {
1799 unlang_action_t ret;
1800
1802 ret = rlm_ldap_map_profile(NULL, NULL, inst, request, autz_ctx->ttrunk,
1803 call_env->default_profile.vb_strvalue,
1804 inst->profile.obj_scope, NULL, &autz_ctx->expanded);
1805 switch (ret) {
1806 case UNLANG_ACTION_FAIL:
1807 p_result->rcode = RLM_MODULE_FAIL;
1808 goto finish;
1809
1813
1814 default:
1815 break;
1816 }
1817 }
1819
1821 /*
1822 * Did we jump back her after applying the default profile?
1823 */
1824 if (autz_ctx->status == LDAP_AUTZ_POST_DEFAULT_PROFILE) autz_ctx->rcode = RLM_MODULE_UPDATED;
1825
1826 /*
1827 * Apply a SET of user profiles.
1828 */
1829 switch (autz_ctx->access_state) {
1831 if (inst->profile.attr) {
1832 int count;
1833
1834 autz_ctx->profile_values = ldap_get_values_len(handle, autz_ctx->entry, inst->profile.attr);
1835 count = ldap_count_values_len(autz_ctx->profile_values);
1836 if (count > 0) {
1837 RDEBUG2("Processing %i profile(s) found in attribute \"%s\"", count, inst->profile.attr);
1838 if (RDEBUG_ENABLED3) {
1839 for (struct berval **bv_p = autz_ctx->profile_values; *bv_p; bv_p++) {
1840 RDEBUG3("Will evaluate profile with DN \"%pV\"", fr_box_strvalue_len((*bv_p)->bv_val, (*bv_p)->bv_len));
1841 }
1842 }
1843 } else {
1844 RDEBUG2("No profile(s) found in attribute \"%s\"", inst->profile.attr);
1845 }
1846 }
1847 break;
1848
1850 if (inst->profile.attr_suspend) {
1851 int count;
1852
1853 autz_ctx->profile_values = ldap_get_values_len(handle, autz_ctx->entry, inst->profile.attr_suspend);
1854 count = ldap_count_values_len(autz_ctx->profile_values);
1855 if (count > 0) {
1856 RDEBUG2("Processing %i suspension profile(s) found in attribute \"%s\"", count, inst->profile.attr_suspend);
1857 if (RDEBUG_ENABLED3) {
1858 for (struct berval **bv_p = autz_ctx->profile_values; *bv_p; bv_p++) {
1859 RDEBUG3("Will evaluate suspenension profile with DN \"%pV\"",
1860 fr_box_strvalue_len((*bv_p)->bv_val, (*bv_p)->bv_len));
1861 }
1862 }
1863 } else {
1864 RDEBUG2("No suspension profile(s) found in attribute \"%s\"", inst->profile.attr_suspend);
1865 }
1866 }
1867 break;
1868
1870 break;
1871 }
1872
1874
1876 /*
1877 * After each profile has been applied, execution will restart here.
1878 * Start by clearing the previously used value.
1879 */
1880 if (autz_ctx->profile_value) {
1881 TALLOC_FREE(autz_ctx->profile_value);
1882 autz_ctx->rcode = RLM_MODULE_UPDATED; /* We're back here after applying a profile successfully */
1883 }
1884
1885 if (autz_ctx->profile_values && autz_ctx->profile_values[autz_ctx->value_idx]) {
1886 unlang_action_t ret;
1887
1888 autz_ctx->profile_value = fr_ldap_berval_to_string(autz_ctx, autz_ctx->profile_values[autz_ctx->value_idx++]);
1890 ret = rlm_ldap_map_profile(NULL, NULL, inst, request, autz_ctx->ttrunk, autz_ctx->profile_value,
1891 inst->profile.obj_scope, autz_ctx->call_env->profile_filter.vb_strvalue, &autz_ctx->expanded);
1892 switch (ret) {
1893 case UNLANG_ACTION_FAIL:
1894 p_result->rcode = RLM_MODULE_FAIL;
1895 goto finish;
1896
1898 autz_ctx->status = LDAP_AUTZ_USER_PROFILE;
1900
1901 default:
1902 break;
1903 }
1904 }
1905 break;
1906 }
1907
1908 p_result->rcode = autz_ctx->rcode;
1909
1910finish:
1911 talloc_free(autz_ctx);
1912
1914}
1915
1916/** Clear up when cancelling a mod_authorize call
1917 *
1918 */
1919static void mod_authorize_cancel(module_ctx_t const *mctx, UNUSED request_t *request, UNUSED fr_signal_t action)
1920{
1921 ldap_autz_ctx_t *autz_ctx = talloc_get_type_abort(mctx->rctx, ldap_autz_ctx_t);
1922
1923 if (autz_ctx->query && autz_ctx->query->treq) trunk_request_signal_cancel(autz_ctx->query->treq);
1924}
1925
1926/** Ensure authorization context is properly cleared up
1927 *
1928 */
1929static int autz_ctx_free(ldap_autz_ctx_t *autz_ctx)
1930{
1931 talloc_free(autz_ctx->expanded.ctx);
1932 if (autz_ctx->profile_values) ldap_value_free_len(autz_ctx->profile_values);
1933 return 0;
1934}
1935
1936static unlang_action_t CC_HINT(nonnull) mod_authorize(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
1937{
1939 fr_ldap_thread_t *thread = talloc_get_type_abort(module_thread(inst->mi)->data, fr_ldap_thread_t);
1940 ldap_autz_ctx_t *autz_ctx;
1941 fr_ldap_map_exp_t *expanded;
1942 ldap_autz_call_env_t *call_env = talloc_get_type_abort(mctx->env_data, ldap_autz_call_env_t);
1943
1944 MEM(autz_ctx = talloc_zero(unlang_interpret_frame_talloc_ctx(request), ldap_autz_ctx_t));
1945 talloc_set_destructor(autz_ctx, autz_ctx_free);
1946 expanded = &autz_ctx->expanded;
1947
1948 /*
1949 * Don't be tempted to add a check for User-Name or
1950 * User-Password here. LDAP authorization can be used
1951 * for many things besides searching for users.
1952 */
1953 if (fr_ldap_map_expand(autz_ctx, expanded, request, call_env->user_map, inst->valuepair_attr,
1954 inst->profile.check_attr, inst->profile.fallthrough_attr) < 0) {
1955 fail:
1956 talloc_free(autz_ctx);
1958 }
1959
1960 autz_ctx->ttrunk = fr_thread_ldap_trunk_get(thread, inst->handle_config.server, inst->handle_config.admin_identity,
1961 inst->handle_config.admin_password, request, &inst->handle_config);
1962 if (!autz_ctx->ttrunk) goto fail;
1963
1964#define CHECK_EXPANDED_SPACE(_expanded) fr_assert((size_t)_expanded->count < (NUM_ELEMENTS(_expanded->attrs) - 1));
1965
1966 /*
1967 * Add any additional attributes we need for checking access, memberships, and profiles
1968 */
1969 if (inst->user.obj_access_attr) {
1970 CHECK_EXPANDED_SPACE(expanded);
1971 expanded->attrs[expanded->count++] = inst->user.obj_access_attr;
1972 }
1973
1974 if (inst->group.userobj_membership_attr && (inst->group.cacheable_dn || inst->group.cacheable_name)) {
1975 CHECK_EXPANDED_SPACE(expanded);
1976 expanded->attrs[expanded->count++] = inst->group.userobj_membership_attr;
1977 }
1978
1979 if (inst->profile.attr) {
1980 CHECK_EXPANDED_SPACE(expanded);
1981 expanded->attrs[expanded->count++] = inst->profile.attr;
1982 }
1983
1984 if (inst->profile.attr_suspend) {
1985 CHECK_EXPANDED_SPACE(expanded);
1986 expanded->attrs[expanded->count++] = inst->profile.attr_suspend;
1987 }
1988 expanded->attrs[expanded->count] = NULL;
1989
1990 autz_ctx->dlinst = mctx->mi;
1991 autz_ctx->inst = inst;
1992 autz_ctx->call_env = call_env;
1993 autz_ctx->status = LDAP_AUTZ_FIND;
1994 autz_ctx->rcode = RLM_MODULE_OK;
1995
1996 if (unlikely(unlang_module_yield(request,
1999 autz_ctx) == UNLANG_ACTION_FAIL)) {
2000 talloc_free(autz_ctx);
2002 }
2003
2004 return rlm_ldap_find_user_async(autz_ctx, p_result,
2005 autz_ctx->inst, request, &autz_ctx->call_env->user_base,
2006 &autz_ctx->call_env->user_filter, autz_ctx->ttrunk, autz_ctx->expanded.attrs,
2007 &autz_ctx->query);
2008}
2009
2010/** Cancel an in progress user modification.
2011 *
2012 */
2013static void user_modify_cancel(module_ctx_t const *mctx, UNUSED request_t *request, UNUSED fr_signal_t action)
2014{
2015 ldap_user_modify_ctx_t *usermod_ctx = talloc_get_type_abort(mctx->rctx, ldap_user_modify_ctx_t);
2016
2017 if (!usermod_ctx->query || !usermod_ctx->query->treq) return;
2018
2019 trunk_request_signal_cancel(usermod_ctx->query->treq);
2020}
2021
2022/** Handle results of user modification.
2023 *
2024 */
2025static unlang_action_t CC_HINT(nonnull) user_modify_final(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
2026{
2027 ldap_user_modify_ctx_t *usermod_ctx = talloc_get_type_abort(mctx->rctx, ldap_user_modify_ctx_t);
2028 fr_ldap_query_t *query = usermod_ctx->query;
2029 rlm_rcode_t rcode = RLM_MODULE_OK;
2030
2031 switch (query->ret) {
2033 break;
2034
2036 case LDAP_RESULT_BAD_DN:
2037 RDEBUG2("User object \"%s\" not modified", usermod_ctx->dn);
2038 rcode = RLM_MODULE_INVALID;
2039 break;
2040
2042 rcode = RLM_MODULE_TIMEOUT;
2043 break;
2044
2045 default:
2046 rcode = RLM_MODULE_FAIL;
2047 break;
2048 }
2049
2050 talloc_free(usermod_ctx);
2051 RETURN_UNLANG_RCODE(rcode);
2052}
2053
2055{
2056 ldap_user_modify_ctx_t *usermod_ctx = talloc_get_type_abort(mctx->rctx, ldap_user_modify_ctx_t);
2057 ldap_usermod_call_env_t *call_env = usermod_ctx->call_env;
2058 LDAPMod **modify;
2059 ldap_mod_tmpl_t *mod;
2060 fr_value_box_t *vb = NULL;
2061 int mod_no = usermod_ctx->expanded_mods, i = 0;
2062 struct berval **value_refs;
2063 struct berval *values;
2064
2065 mod = call_env->mod[usermod_ctx->current_mod];
2066
2067 /*
2068 * If the tmpl produced no boxes, skip
2069 */
2070 if ((mod->op != T_OP_CMP_FALSE) && (fr_value_box_list_num_elements(&usermod_ctx->expanded) == 0)) {
2071 RDEBUG2("Expansion \"%s\" produced no value, skipping attribute \"%s\"", mod->tmpl->name, mod->attr);
2072 goto next;
2073 }
2074
2075 switch (mod->op) {
2076 /*
2077 * T_OP_EQ is *NOT* supported, it is impossible to
2078 * support because of the lack of transactions in LDAP
2079 *
2080 * To allow for binary data, all data is provided as berval which
2081 * requires the operation to be logical ORed with LDAP_MOD_BVALUES
2082 */
2083 case T_OP_ADD_EQ:
2084 usermod_ctx->mod_s[mod_no].mod_op = LDAP_MOD_ADD | LDAP_MOD_BVALUES;
2085 break;
2086
2087 case T_OP_SET:
2088 usermod_ctx->mod_s[mod_no].mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
2089 break;
2090
2091 case T_OP_SUB_EQ:
2092 case T_OP_CMP_FALSE:
2093 usermod_ctx->mod_s[mod_no].mod_op = LDAP_MOD_DELETE | LDAP_MOD_BVALUES;
2094 break;
2095
2096 case T_OP_INCRM:
2097 usermod_ctx->mod_s[mod_no].mod_op = LDAP_MOD_INCREMENT | LDAP_MOD_BVALUES;
2098 break;
2099
2100 default:
2101 REDEBUG("Operator '%s' is not supported for LDAP modify operations",
2102 fr_table_str_by_value(fr_tokens_table, mod->op, "<INVALID>"));
2103
2105 }
2106
2107 if (mod->op == T_OP_CMP_FALSE) {
2108 MEM(value_refs = talloc_zero_array(usermod_ctx, struct berval *, 1));
2109 } else {
2110 MEM(value_refs = talloc_zero_array(usermod_ctx, struct berval *,
2111 fr_value_box_list_num_elements(&usermod_ctx->expanded) + 1));
2112 MEM(values = talloc_zero_array(usermod_ctx, struct berval,
2113 fr_value_box_list_num_elements(&usermod_ctx->expanded)));
2114 while ((vb = fr_value_box_list_pop_head(&usermod_ctx->expanded))) {
2115 switch (vb->type) {
2116 case FR_TYPE_OCTETS:
2117 if (vb->vb_length == 0) continue;
2118 memcpy(&values[i].bv_val, &vb->vb_octets, sizeof(values[i].bv_val));
2119 values[i].bv_len = vb->vb_length;
2120 break;
2121
2122 case FR_TYPE_STRING:
2123 populate_string:
2124 if (vb->vb_length == 0) continue;
2125 memcpy(&values[i].bv_val, &vb->vb_strvalue, sizeof(values[i].bv_val));
2126 values[i].bv_len = vb->vb_length;
2127 break;
2128
2129 case FR_TYPE_GROUP:
2130 {
2131 fr_value_box_t *vb_head = fr_value_box_list_head(&vb->vb_group);
2132 if (fr_value_box_list_concat_in_place(vb_head, vb_head, &vb->vb_group, FR_TYPE_STRING,
2133 FR_VALUE_BOX_LIST_FREE, true, SIZE_MAX) < 0) {
2134 RPEDEBUG("Failed concatenating update value");
2136 }
2137 vb = vb_head;
2138 goto populate_string;
2139 }
2140
2141 case FR_TYPE_FIXED_SIZE:
2142 if (fr_value_box_cast_in_place(vb, vb, FR_TYPE_STRING, NULL) < 0) {
2143 RPEDEBUG("Failed casting update value");
2145 }
2146 goto populate_string;
2147
2148 default:
2149 fr_assert(0);
2150
2151 }
2152 value_refs[i] = &values[i];
2153 i++;
2154 }
2155 if (i == 0) {
2156 RDEBUG2("Expansion \"%s\" produced zero length value, skipping attribute \"%s\"", mod->tmpl->name, mod->attr);
2157 goto next;
2158 }
2159 }
2160
2161 /*
2162 * Now everything is evaluated, set up the pointers for the LDAPMod
2163 */
2164 memcpy(&(usermod_ctx->mod_s[mod_no].mod_type), &mod->attr, sizeof(usermod_ctx->mod_s[mod_no].mod_type));
2165 usermod_ctx->mod_s[mod_no].mod_bvalues = value_refs;
2166 usermod_ctx->mod_p[mod_no] = &usermod_ctx->mod_s[mod_no];
2167
2168 usermod_ctx->expanded_mods++;
2169 usermod_ctx->mod_p[usermod_ctx->expanded_mods] = NULL;
2170
2171next:
2172 usermod_ctx->current_mod++;
2173
2174 /*
2175 * Keep calling until we've completed all the modifications
2176 */
2177 if (usermod_ctx->current_mod < usermod_ctx->num_mods) {
2179 if (unlang_tmpl_push(usermod_ctx, NULL, &usermod_ctx->expanded, request,
2180 usermod_ctx->call_env->mod[usermod_ctx->current_mod]->tmpl, NULL, UNLANG_SUB_FRAME) < 0) RETURN_UNLANG_FAIL;
2182 }
2183
2184 modify = usermod_ctx->mod_p;
2185
2187
2188 return fr_ldap_trunk_modify(usermod_ctx, &usermod_ctx->query, request, usermod_ctx->ttrunk,
2189 usermod_ctx->dn, modify, NULL, NULL);
2190}
2191
2192/** Take the retrieved user DN and launch the async tmpl expansion of mod_values.
2193 *
2194 */
2195static unlang_action_t CC_HINT(nonnull) user_modify_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
2196{
2197 ldap_user_modify_ctx_t *usermod_ctx = talloc_get_type_abort(mctx->rctx, ldap_user_modify_ctx_t);
2198
2199 /*
2200 * If an LDAP search was used to find the user DN
2201 * usermod_ctx->dn will be NULL.
2202 */
2203 if (!usermod_ctx->dn) usermod_ctx->dn = rlm_find_user_dn_cached(request);
2204
2205 if (!usermod_ctx->dn) {
2206 fail:
2207 talloc_free(usermod_ctx);
2209 }
2210
2211 /*
2212 * Allocate arrays to hold mods. mod_p is one element longer to hold a terminating NULL entry
2213 */
2214 MEM(usermod_ctx->mod_p = talloc_zero_array(usermod_ctx, LDAPMod *, usermod_ctx->num_mods + 1));
2215 MEM(usermod_ctx->mod_s = talloc_array(usermod_ctx, LDAPMod, usermod_ctx->num_mods));
2216 fr_value_box_list_init(&usermod_ctx->expanded);
2217
2218 if (unlang_module_yield(request, user_modify_mod_build_resume, NULL, 0, usermod_ctx) == UNLANG_ACTION_FAIL) goto fail;
2219;
2220 if (unlang_tmpl_push(usermod_ctx, NULL, &usermod_ctx->expanded, request,
2221 usermod_ctx->call_env->mod[0]->tmpl, NULL, UNLANG_SUB_FRAME) < 0) goto fail;
2222
2224}
2225
2226/** Modify user's object in LDAP
2227 *
2228 * Process a modification map to update a user object in the LDAP directory.
2229 *
2230 * The module method called in "accouting" and "send" sections.
2231 */
2232static unlang_action_t CC_HINT(nonnull) mod_modify(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
2233{
2235 ldap_usermod_call_env_t *call_env = talloc_get_type_abort(mctx->env_data, ldap_usermod_call_env_t);
2236 fr_ldap_thread_t *thread = talloc_get_type_abort(module_thread(inst->mi)->data, fr_ldap_thread_t);
2237 ldap_user_modify_ctx_t *usermod_ctx = NULL;
2238
2239 size_t num_mods = talloc_array_length(call_env->mod);
2240
2241 if (num_mods == 0) RETURN_UNLANG_NOOP;
2242
2243 /*
2244 * Include a talloc pool allowing for one value per modification
2245 */
2247 2 * num_mods + 2,
2248 (sizeof(struct berval) + (sizeof(struct berval *) * 2) +
2249 (sizeof(LDAPMod) + sizeof(LDAPMod *))) * num_mods));
2250 *usermod_ctx = (ldap_user_modify_ctx_t) {
2251 .inst = inst,
2252 .call_env = call_env,
2253 .num_mods = num_mods
2254 };
2255
2256 usermod_ctx->ttrunk = fr_thread_ldap_trunk_get(thread, inst->handle_config.server,
2257 inst->handle_config.admin_identity,
2258 inst->handle_config.admin_password,
2259 request, &inst->handle_config);
2260 if (!usermod_ctx->ttrunk) {
2261 REDEBUG("Unable to get LDAP trunk for update");
2262 talloc_free(usermod_ctx);
2264 }
2265
2266 usermod_ctx->dn = rlm_find_user_dn_cached(request);
2267 /*
2268 * Find the user first
2269 */
2270 if (!usermod_ctx->dn) {
2271 if (unlang_module_yield(request, user_modify_resume, NULL, 0, usermod_ctx) == UNLANG_ACTION_FAIL) {
2272 talloc_free(usermod_ctx);
2274 }
2275
2276 /* Pushes a frame for user resolution */
2277 if (rlm_ldap_find_user_async(usermod_ctx,
2278 p_result,
2279 usermod_ctx->inst, request,
2280 &usermod_ctx->call_env->user_base,
2281 &usermod_ctx->call_env->user_filter,
2282 usermod_ctx->ttrunk, NULL, NULL) == UNLANG_ACTION_FAIL) {
2284 }
2285
2287 }
2288
2289 {
2290 module_ctx_t our_mctx = *mctx;
2291 our_mctx.rctx = usermod_ctx;
2292
2293 return user_modify_resume(p_result, &our_mctx, request);
2294 }
2295}
2296
2297/** Detach from the LDAP server and cleanup internal state.
2298 *
2299 */
2300static int mod_detach(module_detach_ctx_t const *mctx)
2301{
2302 rlm_ldap_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_ldap_t);
2303
2304 if (inst->user.obj_sort_ctrl) ldap_control_free(inst->user.obj_sort_ctrl);
2305 if (inst->profile.obj_sort_ctrl) ldap_control_free(inst->profile.obj_sort_ctrl);
2306
2307 return 0;
2308}
2309
2310static int ldap_update_section_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules,
2311 CONF_ITEM *ci,
2312 UNUSED call_env_ctx_t const *cec, call_env_parser_t const *rule)
2313{
2314 map_list_t *maps;
2315 CONF_SECTION *update = cf_item_to_section(ci);
2316 ldap_update_rules_t const *ur = rule->uctx;
2317
2318 bool expect_password = false;
2319
2320 /*
2321 * Build the attribute map
2322 */
2323 {
2324 map_t const *map = NULL;
2325 tmpl_attr_t const *ar;
2326 call_env_parsed_t *parsed;
2327
2328 MEM(parsed = call_env_parsed_add(ctx, out,
2330 .name = "update",
2331 .flags = CALL_ENV_FLAG_PARSE_ONLY,
2332 .pair = {
2333 .parsed = {
2334 .offset = ur->map_offset,
2336 }
2337 }
2338 }));
2339
2340 MEM(maps = talloc(parsed, map_list_t));
2341 map_list_init(maps);
2342
2343 if (update && (map_afrom_cs(maps, maps, update, t_rules, t_rules, fr_ldap_map_verify,
2344 NULL, LDAP_MAX_ATTRMAP)) < 0) {
2345 call_env_parsed_free(out, parsed);
2346 return -1;
2347 }
2348 /*
2349 * Check map to see if a password is being retrieved.
2350 * fr_ldap_map_verify ensures that all maps have attributes on the LHS.
2351 * All passwords have a common parent attribute of attr_password
2352 */
2353 while ((map = map_list_next(maps, map))) {
2354 ar = tmpl_attr_tail(map->lhs);
2355 if (ar->da->parent == attr_password) {
2356 expect_password = true;
2357 break;
2358 }
2359 }
2360 call_env_parsed_set_data(parsed, maps);
2361 }
2362
2363 /*
2364 * Write out whether we expect a password to be returned from the ldap data
2365 */
2366 if (ur->expect_password_offset >= 0) {
2367 call_env_parsed_t *parsed;
2368 fr_value_box_t *vb;
2369
2370 MEM(parsed = call_env_parsed_add(ctx, out,
2372 .name = "expect_password",
2373 .flags = CALL_ENV_FLAG_PARSE_ONLY,
2374 .pair = {
2375 .parsed = {
2376 .offset = ur->expect_password_offset,
2378 }
2379 }
2380 }));
2381 MEM(vb = fr_value_box_alloc(parsed, FR_TYPE_BOOL, NULL));
2382 vb->vb_bool = expect_password;
2383 call_env_parsed_set_value(parsed, vb);
2384 }
2385
2386 return 0;
2387}
2388
2389static int ldap_mod_section_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules,
2390 CONF_ITEM *ci, call_env_ctx_t const *cec, UNUSED call_env_parser_t const *rule)
2391{
2392 CONF_SECTION const *subcs = NULL;
2393 CONF_PAIR const *to_parse = NULL;
2394 tmpl_t *parsed_tmpl;
2395 call_env_parsed_t *parsed_env;
2396 char *section2, *p;
2397 ssize_t count, slen, multi_index = 0;
2398 ldap_mod_tmpl_t *mod;
2399
2401
2402 section2 = talloc_strdup(NULL, section_name_str(cec->asked->name2));
2403 p = section2;
2404 while (*p != '\0') {
2405 *(p) = tolower((uint8_t)*p);
2406 p++;
2407 }
2408
2409 if (!ci) {
2410 not_found:
2411 cf_log_warn(ci, "No section found for \"%s.%s\" in module \"%s\", this call will have no effect.",
2412 section_name_str(cec->asked->name1), section2, cec->mi->name);
2413 free:
2414 talloc_free(section2);
2415 return 0;
2416 }
2417
2418 subcs = cf_section_find(cf_item_to_section(ci), section2, CF_IDENT_ANY);
2419 if (!subcs) goto not_found;
2420
2421 subcs = cf_section_find(subcs, "update", CF_IDENT_ANY);
2422 if (!subcs) {
2423 cf_log_warn(ci, "No update found inside \"%s -> %s\" in module \"%s\"",
2424 section_name_str(cec->asked->name1), section2, cec->mi->name);
2425 goto free;
2426 }
2427
2429 if (count == 0) {
2430 cf_log_warn(ci, "No modifications found for \"%s.%s\" in module \"%s\"",
2431 section_name_str(cec->asked->name1), section2, cec->mi->name);
2432 goto free;
2433 }
2434 talloc_free(section2);
2435
2436 while ((to_parse = cf_pair_next(subcs, to_parse))) {
2437 switch (cf_pair_operator(to_parse)) {
2438 case T_OP_SET:
2439 case T_OP_ADD_EQ:
2440 case T_OP_SUB_EQ:
2441 case T_OP_CMP_FALSE:
2442 case T_OP_INCRM:
2443 break;
2444
2445 default:
2446 cf_log_perr(to_parse, "Invalid operator for LDAP modification");
2447 return -1;
2448 }
2449
2450 MEM(parsed_env = call_env_parsed_add(ctx, out,
2455 }));
2456
2457 slen = tmpl_afrom_substr(parsed_env, &parsed_tmpl,
2458 &FR_SBUFF_IN(cf_pair_value(to_parse), talloc_array_length(cf_pair_value(to_parse)) - 1),
2460 t_rules);
2461
2462 if (slen <= 0) {
2463 cf_canonicalize_error(to_parse, slen, "Failed parsing LDAP modification \"%s\"", cf_pair_value(to_parse));
2464 error:
2465 call_env_parsed_free(out, parsed_env);
2466 return -1;
2467 }
2468 if (tmpl_needs_resolving(parsed_tmpl) &&
2469 (tmpl_resolve(parsed_tmpl, &(tmpl_res_rules_t){ .dict_def = t_rules->attr.dict_def }) <0)) {
2470 cf_log_perr(to_parse, "Failed resolving LDAP modification \"%s\"", cf_pair_value(to_parse));
2471 goto error;
2472 }
2473
2474 MEM(mod = talloc(parsed_env, ldap_mod_tmpl_t));
2475 mod->attr = cf_pair_attr(to_parse);
2476 mod->tmpl = parsed_tmpl;
2477 mod->op = cf_pair_operator(to_parse);
2478
2479 call_env_parsed_set_multi_index(parsed_env, count, multi_index++);
2480 call_env_parsed_set_data(parsed_env, mod);
2481 }
2482
2483 return 0;
2484}
2485
2486static int ldap_group_filter_parse(TALLOC_CTX *ctx, void *out, tmpl_rules_t const *t_rules, UNUSED CONF_ITEM *ci,
2487 call_env_ctx_t const *cec, UNUSED call_env_parser_t const *rule)
2488{
2490 char const *filters[] = { inst->group.obj_filter, inst->group.obj_membership_filter };
2491 tmpl_t *parsed;
2492
2493 if (fr_ldap_filter_to_tmpl(ctx, t_rules, filters, NUM_ELEMENTS(filters), &parsed) < 0) return -1;
2494
2495 *(void **)out = parsed;
2496 return 0;
2497}
2498
2499/** Clean up thread specific data structure
2500 *
2501 */
2503{
2504 fr_ldap_thread_t *t = talloc_get_type_abort(mctx->thread, fr_ldap_thread_t);
2505 void **trunks_to_free;
2506 int i;
2507
2508 if (fr_rb_flatten_inorder(NULL, &trunks_to_free, t->trunks) < 0) return -1;
2509
2510 for (i = talloc_array_length(trunks_to_free) - 1; i >= 0; i--) talloc_free(trunks_to_free[i]);
2511 talloc_free(trunks_to_free);
2512 talloc_free(t->trunks);
2513
2514 return 0;
2515}
2516
2517/** Initialise thread specific data structure
2518 *
2519 */
2521{
2522 rlm_ldap_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_ldap_t);
2523 fr_ldap_thread_t *t = talloc_get_type_abort(mctx->thread, fr_ldap_thread_t);
2524 fr_ldap_thread_trunk_t *ttrunk;
2525
2526 /*
2527 * Initialise tree for connection trunks used by this thread
2528 */
2530
2531 t->config = &inst->handle_config;
2532 t->trunk_conf = &inst->trunk_conf;
2533 t->bind_trunk_conf = &inst->bind_trunk_conf;
2534 t->el = mctx->el;
2535
2536 /*
2537 * Launch trunk for module default connection
2538 */
2539 ttrunk = fr_thread_ldap_trunk_get(t, inst->handle_config.server, inst->handle_config.admin_identity,
2540 inst->handle_config.admin_password, NULL, &inst->handle_config);
2541 if (!ttrunk) {
2542 ERROR("Unable to launch LDAP trunk");
2543 return -1;
2544 }
2545
2546 /*
2547 * Set up a per-thread LDAP trunk to use for bind auths
2548 */
2550
2552
2553 return 0;
2554}
2555
2556/** Instantiate the module
2557 *
2558 * Creates a new instance of the module reading parameters from a configuration section.
2559 *
2560 * @param [in] mctx configuration data.
2561 * @return
2562 * - 0 on success.
2563 * - < 0 on failure.
2564 */
2565static int mod_instantiate(module_inst_ctx_t const *mctx)
2566{
2567 size_t i;
2568
2569 CONF_SECTION *options;
2570 rlm_ldap_boot_t const *boot = talloc_get_type_abort(mctx->mi->boot, rlm_ldap_boot_t);
2571 rlm_ldap_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_ldap_t);
2572 CONF_SECTION *conf = mctx->mi->conf;
2573
2574 inst->mi = mctx->mi; /* Cached for IO callbacks */
2575 inst->group.da = boot->group_da;
2576 inst->group.cache_da = boot->cache_da;
2577
2578 inst->handle_config.name = talloc_typed_asprintf(inst, "rlm_ldap (%s)", mctx->mi->name);
2579
2580 /*
2581 * Trunks used for bind auth can only have one request in flight per connection.
2582 */
2583 inst->bind_trunk_conf.target_req_per_conn = 1;
2584 inst->bind_trunk_conf.max_req_per_conn = 1;
2585
2586 /*
2587 * Set sizes for trunk request pool.
2588 */
2589 inst->bind_trunk_conf.req_pool_headers = 2;
2590 inst->bind_trunk_conf.req_pool_size = sizeof(fr_ldap_bind_auth_ctx_t) + sizeof(fr_ldap_sasl_ctx_t);
2591
2592 options = cf_section_find(conf, "options", NULL);
2593 if (!options || !cf_pair_find(options, "chase_referrals")) {
2594 inst->handle_config.chase_referrals_unset = true; /* use OpenLDAP defaults */
2595 }
2596
2597 /*
2598 * Sanity checks for cacheable groups code.
2599 */
2600 if (inst->group.cacheable_name && inst->group.obj_membership_filter) {
2601 if (!inst->group.obj_name_attr) {
2602 cf_log_err(conf, "Configuration item 'group.name_attribute' must be set if cacheable "
2603 "group names are enabled");
2604
2605 goto error;
2606 }
2607 }
2608
2609 /*
2610 * If we have a *pair* as opposed to a *section*
2611 * then the module is referencing another ldap module's
2612 * connection pool.
2613 */
2614 if (!cf_pair_find(conf, "pool")) {
2615 if (!inst->handle_config.server_str) {
2616 cf_log_err(conf, "Configuration item 'server' must have a value");
2617 goto error;
2618 }
2619 }
2620
2621#ifndef WITH_SASL
2622 if (inst->handle_config.admin_sasl.mech) {
2623 cf_log_err(conf, "Configuration item 'sasl.mech' not supported. "
2624 "Linked libldap does not provide ldap_sasl_interactive_bind function");
2625 goto error;
2626 }
2627#endif
2628
2629 /*
2630 * Initialise server with zero length string to
2631 * make code below simpler.
2632 */
2633 inst->handle_config.server = talloc_strdup(inst, "");
2634
2635 /*
2636 * Now iterate over all the 'server' config items
2637 */
2638 for (i = 0; i < talloc_array_length(inst->handle_config.server_str); i++) {
2639 char const *value = inst->handle_config.server_str[i];
2640 size_t j;
2641
2642 /*
2643 * Explicitly prevent multiple server definitions
2644 * being used in the same string.
2645 */
2646 for (j = 0; j < talloc_array_length(value) - 1; j++) {
2647 switch (value[j]) {
2648 case ' ':
2649 case ',':
2650 case ';':
2651 cf_log_err(conf, "Invalid character '%c' found in 'server' configuration item",
2652 value[j]);
2653 goto error;
2654
2655 default:
2656 continue;
2657 }
2658 }
2659
2660 /*
2661 * Split original server value out into URI, server and port
2662 * so whatever initialization function we use later will have
2663 * the server information in the format it needs.
2664 */
2665 if (ldap_is_ldap_url(value)) {
2666 if (fr_ldap_server_url_check(&inst->handle_config, value, conf) < 0) return -1;
2667 } else
2668 /*
2669 * If it's not an URL, then just treat server as a hostname.
2670 */
2671 {
2672 if (fr_ldap_server_config_check(&inst->handle_config, value, conf) < 0) return -1;
2673 }
2674 }
2675
2676 /*
2677 * inst->handle_config.server be unset if connection pool sharing is used.
2678 */
2679 if (inst->handle_config.server) {
2680 inst->handle_config.server[talloc_array_length(inst->handle_config.server) - 2] = '\0';
2681 DEBUG4("rlm_ldap (%s) - LDAP server string: %s", mctx->mi->name, inst->handle_config.server);
2682 }
2683
2684 /*
2685 * Workaround for servers which support LDAPS but not START TLS
2686 */
2687 if (inst->handle_config.port == LDAPS_PORT || inst->handle_config.tls_mode) {
2688 inst->handle_config.tls_mode = LDAP_OPT_X_TLS_HARD;
2689 } else {
2690 inst->handle_config.tls_mode = 0;
2691 }
2692
2693 /*
2694 * Convert dereference strings to enumerated constants
2695 */
2696 if (inst->handle_config.dereference_str) {
2697 inst->handle_config.dereference = fr_table_value_by_str(fr_ldap_dereference,
2698 inst->handle_config.dereference_str, -1);
2699 if (inst->handle_config.dereference < 0) {
2700 cf_log_err(conf, "Invalid 'dereference' value \"%s\", expected 'never', 'searching', "
2701 "'finding' or 'always'", inst->handle_config.dereference_str);
2702 goto error;
2703 }
2704 }
2705
2706 /*
2707 * Build the server side sort control for user / profile objects
2708 */
2709#define SSS_CONTROL_BUILD(_obj) if (inst->_obj.obj_sort_by) { \
2710 LDAPSortKey **keys; \
2711 int ret; \
2712 ret = ldap_create_sort_keylist(&keys, UNCONST(char *, inst->_obj.obj_sort_by)); \
2713 if (ret != LDAP_SUCCESS) { \
2714 cf_log_err(conf, "Invalid " STRINGIFY(_obj) ".sort_by value \"%s\": %s", \
2715 inst->_obj.obj_sort_by, ldap_err2string(ret)); \
2716 goto error; \
2717 } \
2718 /* \
2719 * Always set the control as critical, if it's not needed \
2720 * the user can comment it out... \
2721 */ \
2722 ret = ldap_create_sort_control(ldap_global_handle, keys, 1, &inst->_obj.obj_sort_ctrl); \
2723 ldap_free_sort_keylist(keys); \
2724 if (ret != LDAP_SUCCESS) { \
2725 ERROR("Failed creating server sort control: %s", ldap_err2string(ret)); \
2726 goto error; \
2727 } \
2728 }
2729
2730 SSS_CONTROL_BUILD(user)
2731 SSS_CONTROL_BUILD(profile)
2732
2733 if (inst->handle_config.tls_require_cert_str) {
2734 /*
2735 * Convert cert strictness to enumerated constants
2736 */
2737 inst->handle_config.tls_require_cert = fr_table_value_by_str(fr_ldap_tls_require_cert,
2738 inst->handle_config.tls_require_cert_str, -1);
2739 if (inst->handle_config.tls_require_cert < 0) {
2740 cf_log_err(conf, "Invalid 'tls.require_cert' value \"%s\", expected 'never', "
2741 "'demand', 'allow', 'try' or 'hard'", inst->handle_config.tls_require_cert_str);
2742 goto error;
2743 }
2744 }
2745
2746 if (inst->handle_config.tls_min_version_str) {
2747#ifdef LDAP_OPT_X_TLS_PROTOCOL_TLS1_3
2748 if (strcmp(inst->handle_config.tls_min_version_str, "1.3") == 0) {
2749 inst->handle_config.tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_3;
2750
2751 } else
2752#endif
2753 if (strcmp(inst->handle_config.tls_min_version_str, "1.2") == 0) {
2754 inst->handle_config.tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2;
2755
2756 } else if (strcmp(inst->handle_config.tls_min_version_str, "1.1") == 0) {
2757 inst->handle_config.tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_1;
2758
2759 } else if (strcmp(inst->handle_config.tls_min_version_str, "1.0") == 0) {
2760 inst->handle_config.tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
2761
2762 } else {
2763 cf_log_err(conf, "Invalid 'tls.tls_min_version' value \"%s\"", inst->handle_config.tls_min_version_str);
2764 goto error;
2765 }
2766 }
2767
2768 return 0;
2769
2770error:
2771 return -1;
2772}
2773
2774/** Bootstrap the module
2775 *
2776 * Define attributes.
2777 *
2778 * @param[in] mctx configuration data.
2779 * @return
2780 * - 0 on success.
2781 * - < 0 on failure.
2782 */
2783static int mod_bootstrap(module_inst_ctx_t const *mctx)
2784{
2785 rlm_ldap_boot_t *boot = talloc_get_type_abort(mctx->mi->boot, rlm_ldap_boot_t);
2786 rlm_ldap_t const *inst = talloc_get_type_abort(mctx->mi->data, rlm_ldap_t);
2787 CONF_SECTION *conf = mctx->mi->conf;
2788 char buffer[256];
2789 char const *group_attribute;
2790 xlat_t *xlat;
2791
2792 if (inst->group.attribute) {
2793 group_attribute = inst->group.attribute;
2794 } else if (cf_section_name2(conf)) {
2795 snprintf(buffer, sizeof(buffer), "%s-LDAP-Group", mctx->mi->name);
2796 group_attribute = buffer;
2797 } else {
2798 group_attribute = "LDAP-Group";
2799 }
2800
2801 boot->group_da = fr_dict_attr_by_name(NULL, fr_dict_root(dict_freeradius), group_attribute);
2802
2803 /*
2804 * If the group attribute was not in the dictionary, create it
2805 */
2806 if (!boot->group_da) {
2808 group_attribute, FR_TYPE_STRING, NULL) < 0) {
2809 PERROR("Error creating group attribute");
2810 return -1;
2811
2812 }
2813 boot->group_da = fr_dict_attr_by_name(NULL, fr_dict_root(dict_freeradius), group_attribute);
2814 }
2815
2816 /*
2817 * Setup the cache attribute
2818 */
2819
2820 if (inst->group.cache_attribute) {
2821 boot->cache_da = fr_dict_attr_by_name(NULL, fr_dict_root(dict_freeradius), inst->group.cache_attribute);
2822 if (!boot->cache_da) {
2824 inst->group.cache_attribute, FR_TYPE_STRING, NULL) < 0) {
2825 PERROR("Error creating cache attribute");
2826 return -1;
2827 }
2828 boot->cache_da = fr_dict_attr_by_name(NULL, fr_dict_root(dict_freeradius), inst->group.cache_attribute);
2829 }
2830 } else {
2831 boot->cache_da = boot->group_da; /* Default to the group_da */
2832 }
2833
2834 xlat = module_rlm_xlat_register(mctx->mi->boot, mctx, NULL, ldap_xlat, FR_TYPE_STRING);
2836
2837 if (unlikely(!(xlat = module_rlm_xlat_register(mctx->mi->boot, mctx, "group", ldap_group_xlat,
2838 FR_TYPE_BOOL)))) return -1;
2841
2842 if (unlikely(!(xlat = module_rlm_xlat_register(mctx->mi->boot, mctx, "profile", ldap_profile_xlat,
2843 FR_TYPE_BOOL)))) return -1;
2846
2848
2849 return 0;
2850}
2851
2852static int mod_load(void)
2853{
2854 xlat_t *xlat;
2855
2856 if (unlikely(!(xlat = xlat_func_register(NULL, "ldap.uri.escape", ldap_uri_escape_xlat, FR_TYPE_STRING)))) return -1;
2859 xlat_func_safe_for_set(xlat, LDAP_URI_SAFE_FOR); /* Used for all LDAP escaping */
2860
2861 if (unlikely(!(xlat = xlat_func_register(NULL, "ldap.uri.safe", xlat_transparent, FR_TYPE_STRING)))) return -1;
2865
2866 if (unlikely(!(xlat = xlat_func_register(NULL, "ldap.uri.unescape", ldap_uri_unescape_xlat, FR_TYPE_STRING)))) return -1;
2869
2870 if (unlikely(!(xlat = xlat_func_register(NULL, "ldap.uri.attr_option", ldap_xlat_uri_attr_option, FR_TYPE_STRING)))) return -1;
2873
2874 return 0;
2875}
2876
2877static void mod_unload(void)
2878{
2879 xlat_func_unregister("ldap.uri.escape");
2880 xlat_func_unregister("ldap.uri.safe");
2881 xlat_func_unregister("ldap.uri.unescape");
2882}
2884/* globally exported name */
2885extern module_rlm_t rlm_ldap;
2887 .common = {
2888 .magic = MODULE_MAGIC_INIT,
2889 .name = "ldap",
2890 .flags = 0,
2893 .config = module_config,
2894 .onload = mod_load,
2895 .unload = mod_unload,
2896 .bootstrap = mod_bootstrap,
2897 .instantiate = mod_instantiate,
2898 .detach = mod_detach,
2900 .thread_instantiate = mod_thread_instantiate,
2901 .thread_detach = mod_thread_detach,
2902 },
2903 .method_group = {
2904 .bindings = (module_method_binding_t[]){
2905 /*
2906 * Hack to support old configurations
2907 */
2908 { .section = SECTION_NAME("accounting", CF_IDENT_ANY), .method = mod_modify, .method_env = &accounting_usermod_method_env },
2909 { .section = SECTION_NAME("authenticate", CF_IDENT_ANY), .method = mod_authenticate, .method_env = &authenticate_method_env },
2910 { .section = SECTION_NAME("authorize", CF_IDENT_ANY), .method = mod_authorize, .method_env = &authorize_method_env },
2911
2912 { .section = SECTION_NAME("recv", CF_IDENT_ANY), .method = mod_authorize, .method_env = &authorize_method_env },
2913 { .section = SECTION_NAME("send", CF_IDENT_ANY), .method = mod_modify, .method_env = &send_usermod_method_env },
2915 }
2916 }
2917};
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
@ UNLANG_ACTION_PUSHED_CHILD
unlang_t pushed a new child onto the stack, execute it instead of continuing.
Definition action.h:39
@ UNLANG_ACTION_FAIL
Encountered an unexpected error.
Definition action.h:36
@ UNLANG_ACTION_CALCULATE_RESULT
Calculate a new section rlm_rcode_t value.
Definition action.h:37
@ UNLANG_ACTION_YIELD
Temporarily pause execution until an event occurs.
Definition action.h:41
static int const char char buffer[256]
Definition acutest.h:576
log_entry msg
Definition acutest.h:794
#define USES_APPLE_DEPRECATED_API
Definition build.h:472
#define RCSID(id)
Definition build.h:485
#define L(_str)
Helper for initialising arrays of string literals.
Definition build.h:209
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:324
#define unlikely(_x)
Definition build.h:383
#define UNUSED
Definition build.h:317
#define NUM_ELEMENTS(_t)
Definition build.h:339
void call_env_parsed_free(call_env_parsed_head_t *parsed, call_env_parsed_t *ptr)
Remove a call_env_parsed_t from the list of parsed call envs.
Definition call_env.c:775
call_env_parsed_t * call_env_parsed_add(TALLOC_CTX *ctx, call_env_parsed_head_t *head, call_env_parser_t const *rule)
Allocate a new call_env_parsed_t structure and add it to the list of parsed call envs.
Definition call_env.c:688
void call_env_parsed_set_multi_index(call_env_parsed_t *parsed, size_t count, size_t index)
Assign a count and index to a call_env_parsed_t.
Definition call_env.c:760
void call_env_parsed_set_data(call_env_parsed_t *parsed, void const *data)
Assign data to a call_env_parsed_t.
Definition call_env.c:745
void call_env_parsed_set_value(call_env_parsed_t *parsed, fr_value_box_t const *vb)
Assign a value box to a call_env_parsed_t.
Definition call_env.c:731
#define CALL_ENV_TERMINATOR
Definition call_env.h:236
call_env_ctx_type_t type
Type of callenv ctx.
Definition call_env.h:227
@ CALL_ENV_CTX_TYPE_MODULE
The callenv is registered to a module method.
Definition call_env.h:222
#define FR_CALL_ENV_PARSE_OFFSET(_name, _cast_type, _flags, _struct, _field, _parse_field)
Specify a call_env_parser_t which writes out runtime results and the result of the parsing phase to t...
Definition call_env.h:365
#define FR_CALL_ENV_METHOD_OUT(_inst)
Helper macro for populating the size/type fields of a call_env_method_t from the output structure typ...
Definition call_env.h:240
call_env_parser_t const * env
Parsing rules for call method env.
Definition call_env.h:247
section_name_t const * asked
The actual name1/name2 that resolved to a module_method_binding_t.
Definition call_env.h:232
void const * uctx
User context for callback functions.
Definition call_env.h:218
#define FR_CALL_ENV_SUBSECTION(_name, _name2, _flags, _subcs)
Specify a call_env_parser_t which defines a nested subsection.
Definition call_env.h:402
@ CALL_ENV_FLAG_CONCAT
If the tmpl produced multiple boxes they should be concatenated.
Definition call_env.h:76
@ CALL_ENV_FLAG_ATTRIBUTE
Tmpl MUST contain an attribute reference.
Definition call_env.h:86
@ CALL_ENV_FLAG_PARSE_ONLY
The result of parsing will not be evaluated at runtime.
Definition call_env.h:85
@ CALL_ENV_FLAG_NONE
Definition call_env.h:74
@ CALL_ENV_FLAG_MULTI
Multiple instances of the conf pairs are allowed.
Definition call_env.h:78
@ CALL_ENV_FLAG_REQUIRED
Associated conf pair or section is required.
Definition call_env.h:75
@ CALL_ENV_FLAG_PARSE_MISSING
If this subsection is missing, still parse it.
Definition call_env.h:88
@ CALL_ENV_FLAG_BARE_WORD_ATTRIBUTE
bare words are treated as an attribute, but strings may be xlats.
Definition call_env.h:92
@ CALL_ENV_FLAG_NULLABLE
Tmpl expansions are allowed to produce no output.
Definition call_env.h:80
@ CALL_ENV_PARSE_TYPE_VALUE_BOX
Output of the parsing phase is a single value box (static data).
Definition call_env.h:61
@ CALL_ENV_PARSE_TYPE_VOID
Output of the parsing phase is undefined (a custom structure).
Definition call_env.h:62
module_instance_t const * mi
Module instance that the callenv is registered to.
Definition call_env.h:229
#define FR_CALL_ENV_SUBSECTION_FUNC(_name, _name2, _flags, _func)
Specify a call_env_parser_t which parses a subsection using a callback function.
Definition call_env.h:412
#define FR_CALL_ENV_OFFSET(_name, _cast_type, _flags, _struct, _field)
Specify a call_env_parser_t which writes out runtime results to the specified field.
Definition call_env.h:340
#define FR_CALL_ENV_PARSE_ONLY_OFFSET(_name, _cast_type, _flags, _struct, _parse_field)
Specify a call_env_parser_t which writes out the result of the parsing phase to the field specified.
Definition call_env.h:389
Per method call config.
Definition call_env.h:180
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
Definition cf_parse.c:1633
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:662
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:616
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:284
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition cf_parse.h:339
#define FR_CONF_OFFSET_IS_SET(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct,...
Definition cf_parse.h:298
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:272
#define FR_CONF_OFFSET_SUBSECTION(_name, _flags, _struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:313
@ CONF_FLAG_MULTI
CONF_PAIR can have multiple copies.
Definition cf_parse.h:451
@ CONF_FLAG_XLAT
string will be dynamically expanded.
Definition cf_parse.h:448
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition cf_parse.h:428
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:599
Common header for all CONF_* types.
Definition cf_priv.h:49
Configuration AVP similar to a fr_pair_t.
Definition cf_priv.h:70
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
unsigned int cf_pair_count_descendents(CONF_SECTION const *cs)
Count the number of conf pairs beneath a section.
Definition cf_util.c:1504
char const * cf_section_name2(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition cf_util.c:1184
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1027
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition cf_util.c:683
CONF_PAIR * cf_pair_find(CONF_SECTION const *cs, char const *attr)
Search for a CONF_PAIR with a specific name.
Definition cf_util.c:1438
fr_token_t cf_pair_operator(CONF_PAIR const *pair)
Return the operator of a pair.
Definition cf_util.c:1607
fr_token_t cf_pair_value_quote(CONF_PAIR const *pair)
Return the value (rhs) quoting of a pair.
Definition cf_util.c:1637
CONF_PAIR * cf_pair_next(CONF_SECTION const *cs, CONF_PAIR const *curr)
Return the next child that's a CONF_PAIR.
Definition cf_util.c:1412
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
Definition cf_util.c:1593
char const * cf_pair_attr(CONF_PAIR const *pair)
Return the attr of a CONF_PAIR.
Definition cf_util.c:1577
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:289
#define cf_canonicalize_error(_ci, _slen, _msg, _str)
Definition cf_util.h:367
#define cf_log_perr(_cf, _fmt,...)
Definition cf_util.h:296
#define cf_log_warn(_cf, _fmt,...)
Definition cf_util.h:290
#define CF_IDENT_ANY
Definition cf_util.h:78
static int fr_dcursor_append(fr_dcursor_t *cursor, void *v)
Insert a single item at the end of the list.
Definition dcursor.h:408
#define MEM(x)
Definition debug.h:36
#define ERROR(fmt,...)
Definition dhcpclient.c:41
int fr_dict_attr_add_name_only(fr_dict_t *dict, fr_dict_attr_t const *parent, char const *name, fr_type_t type, fr_dict_attr_flags_t const *flags))
Add an attribute to the dictionary.
Definition dict_util.c:1752
fr_dict_t * fr_dict_unconst(fr_dict_t const *dict)
Coerce to non-const.
Definition dict_util.c:4642
fr_dict_attr_t const * fr_dict_attr_by_name(fr_dict_attr_err_t *err, fr_dict_attr_t const *parent, char const *attr))
Locate a fr_dict_attr_t by its name.
Definition dict_util.c:3277
fr_dict_attr_t const * fr_dict_root(fr_dict_t const *dict)
Return the root attribute of a dictionary.
Definition dict_util.c:2414
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:274
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:287
static fr_slen_t in
Definition dict.h:846
Specifies an attribute which must be present for the module to function.
Definition dict.h:273
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:286
Test enumeration values.
Definition dict_test.h:92
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
#define unlang_function_push_with_result(_result_p, _request, _func, _repeat, _signal, _sigmask, _top_frame, _uctx)
Push a generic function onto the unlang stack that produces a result.
Definition function.h:144
#define GLOBAL_LIB_TERMINATOR
Definition global_lib.h:51
Structure to define how to initialise libraries with global configuration.
Definition global_lib.h:38
static xlat_action_t ldap_uri_escape_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Escape LDAP string.
Definition rlm_ldap.c:422
static xlat_action_t ldap_xlat(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Expand an LDAP URL into a query, and return a string result from that query.
Definition rlm_ldap.c:844
static xlat_action_t ldap_group_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Check for a user being in a LDAP group.
Definition rlm_ldap.c:1051
static xlat_action_t ldap_profile_xlat(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Expand an LDAP URL into a query, applying the results using the user update map.
Definition rlm_ldap.c:1182
static xlat_action_t ldap_xlat_uri_attr_option(TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Modify an LDAP URI to append an option to all attributes.
Definition rlm_ldap.c:585
static xlat_action_t ldap_uri_unescape_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Unescape LDAP string.
Definition rlm_ldap.c:481
unlang_action_t rlm_ldap_cacheable_groupobj(unlang_result_t *p_result, request_t *request, ldap_autz_ctx_t *autz_ctx)
Convert group membership information into attributes.
Definition groups.c:698
unlang_action_t rlm_ldap_check_groupobj_dynamic(unlang_result_t *p_result, request_t *request, ldap_group_xlat_ctx_t *xlat_ctx)
Initiate an LDAP search to determine group membership, querying group objects.
Definition groups.c:787
unlang_action_t rlm_ldap_cacheable_userobj(unlang_result_t *p_result, request_t *request, ldap_autz_ctx_t *autz_ctx, char const *attr)
Convert group membership information into attributes.
Definition groups.c:441
unlang_action_t rlm_ldap_check_userobj_dynamic(unlang_result_t *p_result, request_t *request, ldap_group_xlat_ctx_t *xlat_ctx)
Query the LDAP directory to check if a user object is a member of a group.
Definition groups.c:1138
unlang_action_t rlm_ldap_check_cached(unlang_result_t *p_result, rlm_ldap_t const *inst, request_t *request, fr_value_box_t const *check)
Check group membership attributes to see if a user is a member.
Definition groups.c:1181
free(array)
void unlang_interpret_mark_runnable(request_t *request)
Mark a request as resumable.
Definition interpret.c:1612
TALLOC_CTX * unlang_interpret_frame_talloc_ctx(request_t *request)
Get a talloc_ctx which is valid only for this frame.
Definition interpret.c:1657
fr_event_list_t * unlang_interpret_event_list(request_t *request)
Get the event list for the current interpreter.
Definition interpret.c:2009
#define UNLANG_SUB_FRAME
Definition interpret.h:37
rlm_rcode_t rcode
The current rcode, from executing the instruction or merging the result from a frame.
Definition interpret.h:134
char const * fr_ldap_url_err_to_str(int ldap_url_err)
Translate the error code emitted from ldap_url_parse and friends into something accessible with fr_st...
Definition util.c:795
int fr_ldap_map_verify(map_t *map, void *instance)
size_t fr_ldap_uri_unescape_func(UNUSED request_t *request, char *out, size_t outlen, char const *in, UNUSED void *arg))
Converts escaped DNs and filter strings into normal.
Definition util.c:159
size_t fr_ldap_util_normalise_dn(char *out, char const *in)
Normalise escape sequences in a DN.
Definition util.c:492
int fr_ldap_map_getvalue(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *request, map_t const *map, void *uctx)
Callback for map_to_request.
Definition map.c:39
size_t fr_ldap_uri_escape_func(UNUSED request_t *request, char *out, size_t outlen, char const *in, UNUSED void *arg))
Converts "bad" strings into ones which are safe for LDAP.
Definition util.c:72
int fr_ldap_filter_to_tmpl(TALLOC_CTX *ctx, tmpl_rules_t const *t_rules, char const **sub, size_t sublen, tmpl_t **out))
Combine filters and tokenize to a tmpl.
Definition util.c:570
struct berval ** values
libldap struct containing bv_val (char *) and length bv_len.
Definition base.h:361
fr_ldap_control_t serverctrls[LDAP_MAX_CONTROLS]
Server controls specific to this query.
Definition base.h:450
int fr_ldap_map_do(request_t *request, char const *check_attr, char const *valuepair_attr, fr_ldap_map_exp_t const *expanded, LDAPMessage *entry)
Convert attribute map into valuepairs.
Definition map.c:335
fr_time_delta_t res_timeout
How long we wait for results.
Definition base.h:298
char const * admin_password
Password used in administrative bind.
Definition base.h:231
fr_ldap_config_t * config
Module instance config.
Definition base.h:383
int count
Index on next free element.
Definition base.h:375
bool fr_ldap_util_is_dn(char const *in, size_t inlen)
Check whether a string looks like a DN.
Definition util.c:206
char * server
Initial server to bind to.
Definition base.h:224
static int8_t fr_ldap_bind_auth_cmp(void const *one, void const *two)
Compare two ldap bind auth structures on msgid.
Definition base.h:724
LDAP * handle
libldap handle.
Definition base.h:333
char const * admin_identity
Identity we bind as when we need to query the LDAP directory.
Definition base.h:229
fr_ldap_result_code_t ret
Result code.
Definition base.h:470
bool freeit
Whether the control should be freed after we've finished using it.
Definition base.h:136
fr_rb_tree_t * trunks
Tree of LDAP trunks used by this thread.
Definition base.h:382
trunk_conf_t * trunk_conf
Module trunk config.
Definition base.h:384
trunk_request_t * treq
Trunk request this query is associated with.
Definition base.h:456
fr_ldap_thread_trunk_t * fr_thread_ldap_trunk_get(fr_ldap_thread_t *thread, char const *uri, char const *bind_dn, char const *bind_password, request_t *request, fr_ldap_config_t const *config)
Find a thread specific LDAP connection for a specific URI / bind DN.
Definition connection.c:917
int fr_ldap_server_url_check(fr_ldap_config_t *handle_config, char const *server, CONF_SECTION const *cs)
Check an LDAP server entry in URL format is valid.
Definition util.c:658
char * fr_ldap_berval_to_string(TALLOC_CTX *ctx, struct berval const *in)
Convert a berval to a talloced string.
Definition util.c:443
int count
Number of values.
Definition base.h:363
#define LDAP_MAX_ATTRMAP
Maximum number of mappings between LDAP and FreeRADIUS attributes.
Definition base.h:96
int fr_ldap_box_escape(fr_value_box_t *vb, UNUSED void *uctx)
Definition util.c:112
static int8_t fr_ldap_trunk_cmp(void const *one, void const *two)
Compare two ldap trunk structures on connection URI / DN.
Definition base.h:695
int fr_ldap_server_config_check(fr_ldap_config_t *handle_config, char const *server, CONF_SECTION *cs)
Check an LDAP server config in server:port format is valid.
Definition util.c:754
unlang_action_t fr_ldap_edir_get_password(unlang_result_t *p_result, request_t *request, char const *dn, fr_ldap_thread_trunk_t *ttrunk, fr_dict_attr_t const *password_da)
Initiate retrieval of the universal password from Novell eDirectory.
Definition edir.c:292
fr_ldap_connection_t * ldap_conn
LDAP connection this query is running on.
Definition base.h:457
fr_ldap_result_code_t
LDAP query result codes.
Definition base.h:188
@ LDAP_RESULT_TIMEOUT
The query timed out.
Definition base.h:192
@ LDAP_RESULT_SUCCESS
Successfully got LDAP results.
Definition base.h:190
@ LDAP_RESULT_NO_RESULT
No results returned.
Definition base.h:194
@ LDAP_RESULT_BAD_DN
The requested DN does not exist.
Definition base.h:193
fr_ldap_thread_trunk_t * fr_thread_ldap_bind_trunk_get(fr_ldap_thread_t *thread)
Find the thread specific trunk to use for LDAP bind auths.
int fr_ldap_map_expand(TALLOC_CTX *ctx, fr_ldap_map_exp_t *expanded, request_t *request, map_list_t const *maps, char const *generic_attr, char const *check_attr, char const *fallthrough_attr)
Expand values in an attribute map where needed.
Definition map.c:279
#define LDAP_MAX_CONTROLS
Maximum number of client/server controls.
Definition base.h:94
trunk_conf_t * bind_trunk_conf
Trunk config for bind auth trunk.
Definition base.h:385
#define LDAP_VIRTUAL_DN_ATTR
'Virtual' attribute which maps to the DN of the object.
Definition base.h:113
int fr_ldap_parse_url_extensions(LDAPControl **sss, size_t sss_len, char *extensions[])
Parse a subset (just server side sort and virtual list view for now) of LDAP URL extensions.
Definition util.c:304
LDAPMessage * result
Head of LDAP results list.
Definition base.h:468
fr_event_list_t * el
Thread event list for callbacks / timeouts.
Definition base.h:386
LDAPControl * control
LDAP control.
Definition base.h:135
char const * attrs[LDAP_MAX_ATTRMAP+LDAP_MAP_RESERVED+1]
Reserve some space for access attributes.
Definition base.h:372
fr_ldap_thread_trunk_t * bind_trunk
LDAP trunk used for bind auths.
Definition base.h:387
trunk_t * trunk
Connection trunk.
Definition base.h:405
unlang_action_t fr_ldap_bind_auth_async(unlang_result_t *p_result, request_t *request, fr_ldap_thread_t *thread, char const *bind_dn, char const *password)
Initiate an async LDAP bind for authentication.
Definition bind.c:326
fr_timer_t * ev
Event for timing out the query.
Definition base.h:459
TALLOC_CTX * ctx
Context to allocate new attributes in.
Definition base.h:374
fr_rb_tree_t * binds
Tree of outstanding bind auths.
Definition base.h:388
LDAPURLDesc * ldap_url
parsed URL for current query if the source of the query was a URL.
Definition base.h:426
Holds arguments for async bind auth requests.
Definition base.h:613
Connection configuration.
Definition base.h:221
Tracks the state of a libldap connection handle.
Definition base.h:332
Result of expanding the RHS of a set of maps.
Definition base.h:370
LDAP query structure.
Definition base.h:422
Contains a collection of values.
Definition base.h:360
Holds arguments for the async SASL bind operation.
Definition base.h:506
Thread specific structure to manage LDAP trunk connections.
Definition base.h:381
Thread LDAP trunk structure.
Definition base.h:399
#define FR_LDAP_COMMON_CONF(_conf)
Definition conf.h:19
size_t fr_ldap_scope_len
Definition base.c:77
LDAP * fr_ldap_handle_thread_local(void)
Get a thread local dummy LDAP handle.
Definition base.c:1132
global_lib_autoinst_t fr_libldap_global_config
Definition base.c:136
unlang_action_t fr_ldap_trunk_modify(TALLOC_CTX *ctx, fr_ldap_query_t **out, request_t *request, fr_ldap_thread_trunk_t *ttrunk, char const *dn, LDAPMod *mods[], LDAPControl **serverctrls, LDAPControl **clientctrls)
Run an async modification LDAP query on a trunk connection.
Definition base.c:772
fr_table_num_sorted_t const fr_ldap_tls_require_cert[]
Definition base.c:79
fr_table_num_sorted_t const fr_ldap_dereference[]
Definition base.c:88
fr_ldap_query_t * fr_ldap_search_alloc(TALLOC_CTX *ctx, char const *base_dn, int scope, char const *filter, char const *const *attrs, LDAPControl **serverctrls, LDAPControl **clientctrls)
Allocate a new search object.
Definition base.c:1053
unlang_action_t fr_ldap_trunk_search(TALLOC_CTX *ctx, fr_ldap_query_t **out, request_t *request, fr_ldap_thread_trunk_t *ttrunk, char const *base_dn, int scope, char const *filter, char const *const *attrs, LDAPControl **serverctrls, LDAPControl **clientctrls)
Run an async search LDAP query on a trunk connection.
Definition base.c:720
fr_table_num_sorted_t const fr_ldap_scope[]
Definition base.c:71
#define PERROR(_fmt,...)
Definition log.h:228
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition log.h:443
#define ROPTIONAL(_l_request, _l_global, _fmt,...)
Use different logging functions depending on whether request is NULL or not.
Definition log.h:528
#define RWDEBUG(fmt,...)
Definition log.h:361
#define RDEBUG_ENABLED3
True if request debug level 1-3 messages are enabled.
Definition log.h:335
#define RDEBUG3(fmt,...)
Definition log.h:343
#define RERROR(fmt,...)
Definition log.h:298
#define DEBUG4(_fmt,...)
Definition log.h:267
#define RPERROR(fmt,...)
Definition log.h:302
#define RPEDEBUG(fmt,...)
Definition log.h:376
#define RINDENT()
Indent R* messages by one level.
Definition log.h:430
int map_afrom_cs(TALLOC_CTX *ctx, map_list_t *out, CONF_SECTION *cs, tmpl_rules_t const *lhs_rules, tmpl_rules_t const *rhs_rules, map_validate_t validate, void *uctx, unsigned int max)
Convert a config section into an attribute map.
Definition map.c:1131
int map_to_request(request_t *request, map_t const *map, radius_map_getvalue_t func, void *ctx)
Convert map_t to fr_pair_t (s) and add them to a request_t.
Definition map.c:1873
unlang_action_t unlang_map_yield(request_t *request, map_proc_func_t resume, unlang_map_signal_t signal, fr_signal_t sigmask, void *rctx)
Yield a request back to the interpreter from within a module.
Definition map.c:344
talloc_free(reap)
static TALLOC_CTX * map_ctx
Definition map_builtin.c:32
int map_proc_register(TALLOC_CTX *ctx, void const *mod_inst, char const *name, map_proc_func_t evaluate, map_proc_instantiate_t instantiate, size_t inst_size, fr_value_box_safe_for_t literals_safe_for)
Register a map processor.
Definition map_proc.c:125
void * rctx
Resume ctx that a module previously set.
Definition map_proc.h:53
void const * moi
Map module instance.
Definition map_proc.h:54
Temporary structure to hold arguments for map calls.
Definition map_proc.h:52
@ FR_TYPE_TLV
Contains nested attributes.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_VOID
User data.
@ FR_TYPE_BOOL
A truth value.
@ FR_TYPE_OCTETS
Raw octets.
@ FR_TYPE_GROUP
A grouping of other attributes.
long int ssize_t
unsigned char uint8_t
void * env_data
Per call environment data.
Definition module_ctx.h:44
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
void * thread
Thread specific instance data.
Definition module_ctx.h:43
void * rctx
Resume ctx that a module previously set.
Definition module_ctx.h:45
fr_event_list_t * el
Event list to register any IO handlers and timers against.
Definition module_ctx.h:68
module_instance_t * mi
Module instance to detach.
Definition module_ctx.h:57
void * thread
Thread instance data.
Definition module_ctx.h:67
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:64
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
Temporary structure to hold arguments for detach calls.
Definition module_ctx.h:56
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
Temporary structure to hold arguments for thread_instantiation calls.
Definition module_ctx.h:63
xlat_t * module_rlm_xlat_register(TALLOC_CTX *ctx, module_inst_ctx_t const *mctx, char const *name, xlat_func_t func, fr_type_t return_type)
Definition module_rlm.c:243
module_t common
Common fields presented by all modules.
Definition module_rlm.h:39
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition pair.c:775
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:698
unlang_action_t rlm_ldap_map_profile(fr_ldap_result_code_t *ret, int *applied, rlm_ldap_t const *inst, request_t *request, fr_ldap_thread_trunk_t *ttrunk, char const *dn, int scope, char const *filter, fr_ldap_map_exp_t const *expanded)
Search for and apply an LDAP profile.
Definition profile.c:212
#define fr_assert(_expr)
Definition rad_assert.h:38
static bool done
Definition radclient.c:81
#define REDEBUG(fmt,...)
Definition radclient.h:52
#define RDEBUG_ENABLED2()
Definition radclient.h:50
#define RDEBUG2(fmt,...)
Definition radclient.h:54
#define RDEBUG(fmt,...)
Definition radclient.h:53
static rs_t * conf
Definition radsniff.c:53
#define fr_rb_inline_talloc_alloc(_ctx, _type, _field, _data_cmp, _data_free)
Allocs a red black that verifies elements are of a specific talloc type.
Definition rb.h:246
int fr_rb_flatten_inorder(TALLOC_CTX *ctx, void **out[], fr_rb_tree_t *tree)
#define RETURN_UNLANG_INVALID
Definition rcode.h:62
#define RETURN_UNLANG_RCODE(_rcode)
Definition rcode.h:57
#define RETURN_UNLANG_NOTFOUND
Definition rcode.h:64
#define RETURN_UNLANG_FAIL
Definition rcode.h:59
#define RETURN_UNLANG_OK
Definition rcode.h:60
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40
@ RLM_MODULE_INVALID
The module considers the request invalid.
Definition rcode.h:47
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:45
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:44
@ RLM_MODULE_DISALLOW
Reject the request (user is locked out).
Definition rcode.h:48
@ RLM_MODULE_REJECT
Immediately reject the request.
Definition rcode.h:43
@ RLM_MODULE_TIMEOUT
Module (or section) timed out.
Definition rcode.h:52
@ RLM_MODULE_NOTFOUND
User not found.
Definition rcode.h:49
@ RLM_MODULE_UPDATED
OK (pairs modified).
Definition rcode.h:51
@ RLM_MODULE_HANDLED
The module handled the request, so stop.
Definition rcode.h:46
#define RETURN_UNLANG_NOOP
Definition rcode.h:65
static unlang_action_t mod_map_proc(unlang_result_t *p_result, map_ctx_t const *mpctx, request_t *request, fr_value_box_list_t *url, map_list_t const *maps)
Perform a search and map the result of the search to server attributes.
Definition rlm_ldap.c:1461
tmpl_t const * tmpl
Definition rlm_ldap.c:70
static void mod_authorize_cancel(module_ctx_t const *mctx, UNUSED request_t *request, UNUSED fr_signal_t action)
Clear up when cancelling a mod_authorize call.
Definition rlm_ldap.c:1919
static const call_env_method_t xlat_memberof_method_env
Definition rlm_ldap.c:270
static int mod_detach(module_detach_ctx_t const *mctx)
Detach from the LDAP server and cleanup internal state.
Definition rlm_ldap.c:2300
static int mod_load(void)
Definition rlm_ldap.c:2849
static xlat_action_t ldap_profile_xlat_resume(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, UNUSED request_t *request, UNUSED fr_value_box_list_t *in)
Return whether evaluating the profile was successful.
Definition rlm_ldap.c:1154
map_list_t * profile_map
List of maps to apply to the profile.
Definition rlm_ldap.c:82
#define REPEAT_LDAP_MEMBEROF_XLAT_RESULTS
Definition rlm_ldap.c:967
static conf_parser_t profile_config[]
Definition rlm_ldap.c:98
static int ldap_map_verify(CONF_SECTION *cs, UNUSED void const *mod_inst, UNUSED void *proc_inst, tmpl_t const *src, UNUSED map_list_t const *maps)
Definition rlm_ldap.c:1311
fr_dict_attr_t const * attr_nt_password
Definition rlm_ldap.c:329
static xlat_arg_parser_t const ldap_safe_xlat_arg[]
Definition rlm_ldap.c:413
ldap_auth_call_env_t * call_env
Definition rlm_ldap.c:360
static const call_env_method_t authenticate_method_env
Definition rlm_ldap.c:191
static xlat_arg_parser_t const ldap_uri_escape_xlat_arg[]
Definition rlm_ldap.c:408
fr_ldap_result_code_t ret
Definition rlm_ldap.c:1145
fr_dict_attr_t const * attr_ldap_userdn
Definition rlm_ldap.c:328
global_lib_autoinst_t const * rlm_ldap_lib[]
Definition rlm_ldap.c:347
static const call_env_method_t authorize_method_env
Definition rlm_ldap.c:214
#define USERMOD_ENV(_section)
Definition rlm_ldap.c:255
fr_value_box_t password
Definition rlm_ldap.c:59
#define SSS_CONTROL_BUILD(_obj)
static xlat_arg_parser_t const ldap_uri_unescape_xlat_arg[]
Definition rlm_ldap.c:472
static const call_env_method_t xlat_profile_method_env
Definition rlm_ldap.c:299
static xlat_arg_parser_t const ldap_uri_attr_option_xlat_arg[]
Definition rlm_ldap.c:570
static int ldap_mod_section_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, call_env_parser_t const *rule)
#define CHECK_EXPANDED_SPACE(_expanded)
static unlang_action_t mod_map_resume(unlang_result_t *p_result, map_ctx_t const *mpctx, request_t *request, UNUSED fr_value_box_list_t *url, UNUSED map_list_t const *maps)
Process the results of an LDAP map query.
Definition rlm_ldap.c:1335
static unlang_action_t mod_authorize_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Resume function called after each potential yield in LDAP authorization.
Definition rlm_ldap.c:1638
map_list_t const * maps
Definition rlm_ldap.c:384
fr_dict_attr_t const * attr_crypt_password
Definition rlm_ldap.c:327
fr_value_box_t user_filter
Definition rlm_ldap.c:74
static int ldap_group_filter_parse(TALLOC_CTX *ctx, void *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, UNUSED call_env_parser_t const *rule)
static fr_dict_t const * dict_freeradius
Definition rlm_ldap.c:317
static int map_ctx_free(ldap_map_ctx_t *map_ctx)
Ensure map context is properly cleared up.
Definition rlm_ldap.c:1432
fr_dict_attr_t const * cache_da
Definition rlm_ldap.c:55
static void ldap_query_timeout(UNUSED fr_timer_list_t *tl, UNUSED fr_time_t now, void *uctx)
Callback when LDAP query times out.
Definition rlm_ldap.c:547
static unlang_action_t user_modify_mod_build_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_ldap.c:2054
static conf_parser_t user_config[]
Definition rlm_ldap.c:113
static fr_dict_attr_t const * attr_expr_bool_enum
Definition rlm_ldap.c:331
static fr_table_num_sorted_t const ldap_uri_scheme_table[]
Definition rlm_ldap.c:397
static xlat_arg_parser_t const ldap_xlat_arg[]
Definition rlm_ldap.c:745
static unlang_action_t mod_modify(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Modify user's object in LDAP.
Definition rlm_ldap.c:2232
static int ldap_uri_part_escape(fr_value_box_t *vb, UNUSED void *uctx)
Escape function for a part of an LDAP URI.
Definition rlm_ldap.c:518
fr_dict_attr_t const * group_da
Definition rlm_ldap.c:54
static unlang_action_t ldap_group_xlat_user_find(UNUSED unlang_result_t *p_result, request_t *request, void *uctx)
User object lookup as part of group membership xlat.
Definition rlm_ldap.c:940
fr_dict_attr_t const * attr_password
Definition rlm_ldap.c:325
static int mod_bootstrap(module_inst_ctx_t const *mctx)
Bootstrap the module.
Definition rlm_ldap.c:2780
#define REPEAT_MOD_AUTHORIZE_RESUME
Definition rlm_ldap.c:1620
fr_value_box_t user_sasl_proxy
Definition rlm_ldap.c:63
fr_ldap_thread_trunk_t * ttrunk
Definition rlm_ldap.c:372
fr_value_box_t user_sasl_authname
Definition rlm_ldap.c:62
fr_dict_attr_t const * attr_password_with_header
Definition rlm_ldap.c:330
static int ldap_update_section_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, call_env_parser_t const *rule)
static unlang_action_t mod_authorize(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_ldap.c:1936
rlm_ldap_t const * inst
Definition rlm_ldap.c:367
static conf_parser_t group_config[]
Definition rlm_ldap.c:129
fr_ldap_query_t * query
Definition rlm_ldap.c:386
static void mod_unload(void)
Definition rlm_ldap.c:2874
fr_dict_attr_autoload_t rlm_ldap_dict_attr[]
Definition rlm_ldap.c:334
ldap_mod_tmpl_t ** mod
Definition rlm_ldap.c:75
static xlat_action_t ldap_group_xlat_resume(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, UNUSED request_t *request, UNUSED fr_value_box_list_t *in)
Process the results of evaluating LDAP group membership.
Definition rlm_ldap.c:1029
char const * attr
Definition rlm_ldap.c:68
static unlang_action_t ldap_group_xlat_results(unlang_result_t *p_result, request_t *request, void *uctx)
Run the state machine for the LDAP membership xlat.
Definition rlm_ldap.c:978
static void ldap_group_xlat_cancel(UNUSED request_t *request, UNUSED fr_signal_t action, void *uctx)
Cancel an in-progress query for the LDAP group membership xlat.
Definition rlm_ldap.c:958
ssize_t expect_password_offset
Definition rlm_ldap.c:211
static int ldap_xlat_uri_parse(LDAPURLDesc **uri_parsed, char **host_out, bool *free_host_out, request_t *request, char *host_default, fr_value_box_t *uri_in)
Utility function for parsing LDAP URLs.
Definition rlm_ldap.c:785
static unlang_action_t user_modify_final(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Handle results of user modification.
Definition rlm_ldap.c:2025
static int ldap_xlat_profile_ctx_free(ldap_xlat_profile_ctx_t *to_free)
Definition rlm_ldap.c:1167
static char * host_uri_canonify(request_t *request, LDAPURLDesc *url_parsed, fr_value_box_t *url_in)
Produce canonical LDAP host URI for finding trunks.
Definition rlm_ldap.c:754
fr_dict_attr_t const * attr_cleartext_password
Definition rlm_ldap.c:326
tmpl_t const * password_tmpl
Definition rlm_ldap.c:60
static xlat_action_t ldap_xlat_resume(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, UNUSED fr_value_box_list_t *in)
Callback when resuming after async ldap query is completed.
Definition rlm_ldap.c:663
fr_value_box_t user_sasl_mech
Definition rlm_ldap.c:61
fr_dict_autoload_t rlm_ldap_dict[]
Definition rlm_ldap.c:320
static int mod_thread_instantiate(module_thread_inst_ctx_t const *mctx)
Initialise thread specific data structure.
Definition rlm_ldap.c:2520
module_rlm_t rlm_ldap
Definition rlm_ldap.c:2883
char const * password
Definition rlm_ldap.c:357
static unlang_action_t mod_authenticate(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_ldap.c:1545
static int autz_ctx_free(ldap_autz_ctx_t *autz_ctx)
Ensure authorization context is properly cleared up.
Definition rlm_ldap.c:1929
ldap_schemes_t
Definition rlm_ldap.c:391
@ LDAP_SCHEME_UNIX
Definition rlm_ldap.c:392
@ LDAP_SCHEME_TCP_SSL
Definition rlm_ldap.c:394
@ LDAP_SCHEME_TCP
Definition rlm_ldap.c:393
fr_token_t op
Definition rlm_ldap.c:69
fr_value_box_t user_base
Definition rlm_ldap.c:73
fr_ldap_map_exp_t expanded
Definition rlm_ldap.c:1148
static void ldap_xlat_signal(xlat_ctx_t const *xctx, request_t *request, UNUSED fr_signal_t action)
Callback for signalling async ldap query.
Definition rlm_ldap.c:710
fr_ldap_query_t * query
Definition rlm_ldap.c:373
fr_ldap_thread_t * thread
Definition rlm_ldap.c:359
static size_t ldap_uri_scheme_table_len
Definition rlm_ldap.c:402
#define LDAP_URI_SAFE_FOR
This is the common function that actually ends up doing all the URI escaping.
Definition rlm_ldap.c:406
static fr_uri_part_t const ldap_dn_parts[]
Definition rlm_ldap.c:740
static const conf_parser_t module_config[]
Definition rlm_ldap.c:146
#define USER_CALL_ENV_COMMON(_struct)
Definition rlm_ldap.c:187
ldap_usermod_call_env_t * call_env
Definition rlm_ldap.c:368
fr_value_box_t profile_filter
Filter to use when searching for users.
Definition rlm_ldap.c:81
static void user_modify_cancel(module_ctx_t const *mctx, UNUSED request_t *request, UNUSED fr_signal_t action)
Cancel an in progress user modification.
Definition rlm_ldap.c:2013
static int mod_thread_detach(module_thread_inst_ctx_t const *mctx)
Clean up thread specific data structure.
Definition rlm_ldap.c:2502
static int mod_instantiate(module_inst_ctx_t const *mctx)
Instantiate the module.
Definition rlm_ldap.c:2565
fr_ldap_map_exp_t expanded
Definition rlm_ldap.c:387
LDAPURLDesc * ldap_url
Definition rlm_ldap.c:385
static const call_env_parser_t sasl_call_env[]
Definition rlm_ldap.c:90
fr_value_box_t user_sasl_realm
Definition rlm_ldap.c:64
fr_value_box_list_t expanded
Definition rlm_ldap.c:374
static fr_uri_part_t const ldap_uri_parts[]
Definition rlm_ldap.c:728
static unlang_action_t user_modify_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Take the retrieved user DN and launch the async tmpl expansion of mod_values.
Definition rlm_ldap.c:2195
char const * dn
Definition rlm_ldap.c:356
static xlat_arg_parser_t const ldap_group_xlat_arg[]
Definition rlm_ldap.c:1042
rlm_ldap_t const * inst
Definition rlm_ldap.c:358
Holds state of in progress async authentication.
Definition rlm_ldap.c:355
Holds state of in progress LDAP map.
Definition rlm_ldap.c:383
Parameters to allow ldap_update_section_parse to be reused.
Definition rlm_ldap.c:209
Holds state of in progress ldap user modifications.
Definition rlm_ldap.c:366
Call environment used in the profile xlat.
Definition rlm_ldap.c:80
LDAP authorization and authentication module headers.
fr_ldap_map_exp_t expanded
Definition rlm_ldap.h:194
ldap_autz_call_env_t * call_env
Definition rlm_ldap.h:197
struct berval ** profile_values
Definition rlm_ldap.h:200
@ LDAP_ACCESS_SUSPENDED
User account has been suspended.
Definition rlm_ldap.h:185
@ LDAP_ACCESS_ALLOWED
User is allowed to login.
Definition rlm_ldap.h:183
@ LDAP_ACCESS_DISALLOWED
User it not allow to login (disabled)
Definition rlm_ldap.h:184
fr_ldap_thread_trunk_t * ttrunk
Definition rlm_ldap.h:196
rlm_ldap_t const * inst
Definition rlm_ldap.h:193
fr_value_box_t profile_filter
Filter to use when searching for profiles.
Definition rlm_ldap.h:144
fr_value_box_t user_filter
Filter to use when searching for users.
Definition rlm_ldap.h:137
LDAPMessage * entry
Definition rlm_ldap.h:198
@ LDAP_AUTZ_GROUP
Definition rlm_ldap.h:167
@ LDAP_AUTZ_FIND
Definition rlm_ldap.h:166
@ LDAP_AUTZ_DEFAULT_PROFILE
Definition rlm_ldap.h:174
@ LDAP_AUTZ_USER_PROFILE
Definition rlm_ldap.h:176
@ LDAP_AUTZ_MAP
Definition rlm_ldap.h:173
@ LDAP_AUTZ_POST_DEFAULT_PROFILE
Definition rlm_ldap.h:175
@ LDAP_AUTZ_POST_GROUP
Definition rlm_ldap.h:168
ldap_autz_status_t status
Definition rlm_ldap.h:199
fr_ldap_query_t * query
Definition rlm_ldap.h:195
char * profile_value
Definition rlm_ldap.h:202
ldap_access_state_t access_state
What state a user's account is in.
Definition rlm_ldap.h:204
unlang_action_t rlm_ldap_find_user_async(TALLOC_CTX *ctx, unlang_result_t *p_result, rlm_ldap_t const *inst, request_t *request, fr_value_box_t *base, fr_value_box_t *filter_box, fr_ldap_thread_trunk_t *ttrunk, char const *attrs[], fr_ldap_query_t **query_out)
Initiate asynchronous retrieval of the DN of a user object.
Definition user.c:163
fr_value_box_t user_base
Base DN in which to search for users.
Definition rlm_ldap.h:136
char const * dn
Definition rlm_ldap.h:203
map_list_t * user_map
Attribute map applied to users and profiles.
Definition rlm_ldap.h:146
rlm_rcode_t rcode
What rcode we'll finally respond with.
Definition rlm_ldap.h:205
static char const * rlm_find_user_dn_cached(request_t *request)
Definition rlm_ldap.h:248
void rlm_ldap_check_reply(request_t *request, rlm_ldap_t const *inst, char const *inst_name, bool expect_password, fr_ldap_thread_trunk_t const *ttrunk)
Verify we got a password from the search.
Definition user.c:261
fr_value_box_t const * expect_password
True if the user_map included a mapping between an LDAP attribute and one of our password reference a...
Definition rlm_ldap.h:148
fr_value_box_t default_profile
If this is set, we will search for a profile object with this name, and map any attributes it contain...
Definition rlm_ldap.h:140
@ GROUP_XLAT_MEMB_FILTER
Definition rlm_ldap.h:212
@ GROUP_XLAT_MEMB_ATTR
Definition rlm_ldap.h:213
@ GROUP_XLAT_FIND_USER
Definition rlm_ldap.h:211
module_instance_t const * dlinst
Definition rlm_ldap.h:192
ldap_access_state_t rlm_ldap_check_access(rlm_ldap_t const *inst, request_t *request, LDAPMessage *entry)
Check for presence of access attribute in result.
Definition user.c:209
Call environment used in LDAP authorization.
Definition rlm_ldap.h:135
Holds state of in progress async authorization.
Definition rlm_ldap.h:191
Holds state of in progress group membership check xlat.
Definition rlm_ldap.h:219
Call environment used in group membership xlat.
Definition rlm_ldap.h:155
unlang_action_t fr_ldap_sasl_bind_auth_async(unlang_result_t *p_result, request_t *request, fr_ldap_thread_t *thread, char const *mechs, char const *identity, char const *password, char const *proxy, char const *realm)
Initiate an async SASL LDAP bind for authentication.
Definition sasl.c:504
int fr_sbuff_trim_talloc(fr_sbuff_t *sbuff, size_t len)
Trim a talloced sbuff to the minimum length required to represent the contained string.
Definition sbuff.c:421
#define FR_SBUFF_IN(_start, _len_or_end)
#define FR_SBUFF_TERMS(...)
Initialise a terminal structure with a list of sorted strings.
Definition sbuff.h:192
#define fr_sbuff_buff(_sbuff_or_marker)
Talloc sbuff extension structure.
Definition sbuff.h:139
static char const * section_name_str(char const *name)
Return a printable string for the section name.
Definition section.h:98
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition section.h:40
char const * name2
Second section name. Usually a packet type like 'access-request', 'access-accept',...
Definition section.h:46
char const * name1
First section name. Usually a verb like 'recv', 'send', etc...
Definition section.h:45
#define MODULE_THREAD_INST(_ctype)
Definition module.h:256
char const * name
Instance name e.g. user_database.
Definition module.h:355
module_flags_t flags
Flags that control how a module starts up and how a module is called.
Definition module.h:236
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:349
void * data
Module's instance data.
Definition module.h:291
#define MODULE_BOOT(_ctype)
Definition module.h:254
void * boot
Data allocated during the boostrap phase.
Definition module.h:294
void * data
Thread specific instance data.
Definition module.h:372
static module_thread_instance_t * module_thread(module_instance_t const *mi)
Retrieve module/thread specific instance for a module.
Definition module.h:501
#define MODULE_BINDING_TERMINATOR
Terminate a module binding list.
Definition module.h:152
#define MODULE_INST(_ctype)
Definition module.h:255
Named methods exported by a module.
Definition module.h:174
static tmpl_attr_t const * tmpl_attr_tail(tmpl_t const *vpt)
Return the last attribute reference.
Definition tmpl.h:790
int tmpl_resolve(tmpl_t *vpt, tmpl_res_rules_t const *tr_rules))
Attempt to resolve functions and attributes in xlats and attribute references.
ssize_t tmpl_afrom_substr(TALLOC_CTX *ctx, tmpl_t **out, fr_sbuff_t *in, fr_token_t quote, fr_sbuff_parse_rules_t const *p_rules, tmpl_rules_t const *t_rules))
Convert an arbitrary string into a tmpl_t.
tmpl_attr_rules_t attr
Rules/data for parsing attribute references.
Definition tmpl.h:335
#define tmpl_needs_resolving(vpt)
Definition tmpl.h:223
Similar to tmpl_rules_t, but used to specify parameters that may change during subsequent resolution ...
Definition tmpl.h:364
Optional arguments passed to vp_tmpl functions.
Definition tmpl.h:332
fr_signal_t
Signals that can be generated/processed by request signal handlers.
Definition signal.h:38
@ FR_SIGNAL_CANCEL
Request has been cancelled.
Definition signal.h:40
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition snprintf.c:689
return count
Definition module.c:155
unlang_action_t unlang_module_yield(request_t *request, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Yield a request back to the interpreter from within a module.
Definition module.c:429
eap_aka_sim_process_conf_t * inst
Value pair map.
Definition map.h:77
tmpl_t * lhs
Typically describes the attribute to add, modify or compare.
Definition map.h:78
fr_dict_t const * dict_def
Default dictionary to use with unqualified attribute references.
Definition tmpl.h:273
An element in a list of nested attribute references.
Definition tmpl.h:430
fr_dict_attr_t const *_CONST da
Resolved dictionary attribute.
Definition tmpl.h:434
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
#define fr_table_value_by_str(_table, _name, _def)
Convert a string to a value using a sorted or ordered table.
Definition table.h:653
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
Definition table.h:772
An element in a lexicographically sorted array of name to num mappings.
Definition table.h:49
char * talloc_typed_strdup_buffer(TALLOC_CTX *ctx, char const *p)
Call talloc_strndup, setting the type on the new chunk correctly.
Definition talloc.c:491
char * talloc_typed_asprintf(TALLOC_CTX *ctx, char const *fmt,...)
Call talloc vasprintf, setting the type on the new chunk correctly.
Definition talloc.c:514
#define talloc_get_type_abort_const
Definition talloc.h:287
#define talloc_pooled_object(_ctx, _type, _num_subobjects, _total_subobjects_size)
Definition talloc.h:180
"server local" time.
Definition time.h:69
An event timer list.
Definition timer.c:50
#define fr_timer_in(...)
Definition timer.h:87
int unlang_tmpl_push(TALLOC_CTX *ctx, unlang_result_t *p_result, fr_value_box_list_t *out, request_t *request, tmpl_t const *tmpl, unlang_tmpl_args_t *args, bool top_frame)
Push a tmpl onto the stack for evaluation.
Definition tmpl.c:276
@ TMPL_ESCAPE_PRE_CONCAT
Pre-concatenation escaping is useful for DSLs where elements of the expansion are static,...
Definition tmpl_escape.h:61
fr_table_num_ordered_t const fr_tokens_table[]
Definition token.c:34
enum fr_token fr_token_t
@ T_OP_SUB_EQ
Definition token.h:70
@ T_SINGLE_QUOTED_STRING
Definition token.h:122
@ T_BARE_WORD
Definition token.h:120
@ T_OP_SET
Definition token.h:84
@ T_OP_ADD_EQ
Definition token.h:69
@ T_OP_CMP_FALSE
Definition token.h:105
@ T_OP_INCRM
Definition token.h:113
trunk_enqueue_t trunk_request_enqueue(trunk_request_t **treq_out, trunk_t *trunk, request_t *request, void *preq, void *rctx)
Enqueue a request that needs data written to the trunk.
Definition trunk.c:2588
void trunk_request_signal_cancel(trunk_request_t *treq)
Cancel a trunk request.
Definition trunk.c:2153
conf_parser_t const trunk_config[]
Config parser definitions to populate a trunk_conf_t.
Definition trunk.c:314
Wraps a normal request.
Definition trunk.c:99
@ TRUNK_ENQUEUE_OK
Operation was successful.
Definition trunk.h:150
@ TRUNK_ENQUEUE_IN_BACKLOG
Request should be enqueued in backlog.
Definition trunk.h:149
xlat_action_t unlang_xlat_yield(request_t *request, xlat_func_t resume, xlat_func_signal_t signal, fr_signal_t sigmask, void *rctx)
Yield a request back to the interpreter from within a module.
Definition xlat.c:548
xlat_action_t xlat_transparent(UNUSED TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *args)
uint8_t required
Argument must be present, and non-empty.
Definition xlat.h:146
#define XLAT_ARGS(_list,...)
Populate local variables with value boxes from the input list.
Definition xlat.h:383
#define XLAT_ARG_PARSER_TERMINATOR
Definition xlat.h:170
xlat_action_t
Definition xlat.h:37
@ XLAT_ACTION_FAIL
An xlat function failed.
Definition xlat.h:44
@ XLAT_ACTION_YIELD
An xlat function pushed a resume frame onto the stack.
Definition xlat.h:42
@ XLAT_ACTION_PUSH_UNLANG
An xlat function pushed an unlang frame onto the unlang stack.
Definition xlat.h:39
@ XLAT_ACTION_DONE
We're done evaluating this level of nesting.
Definition xlat.h:43
Definition for a single argument consumend by an xlat function.
Definition xlat.h:145
int fr_uri_escape_list(fr_value_box_list_t *uri, fr_uri_part_t const *uri_parts, void *uctx)
Parse a list of value boxes representing a URI.
Definition uri.c:140
int fr_uri_has_scheme(fr_value_box_list_t *uri, fr_table_num_sorted_t const *schemes, size_t schemes_len, int def)
Searches for a matching scheme in the table of schemes, using a list of value boxes representing the ...
Definition uri.c:167
#define XLAT_URI_PART_TERMINATOR
Definition uri.h:66
char const * name
Name of this part of the URI.
Definition uri.h:47
Definition for a single part of a URI.
Definition uri.h:46
#define fr_strerror_printf_push(_fmt,...)
Add a message to an existing stack of messages at the tail.
Definition strerror.h:84
#define FR_TYPE_FIXED_SIZE
Definition types.h:308
int fr_value_box_asprintf(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t const *enumv, bool tainted, char const *fmt,...)
Print a formatted string using our internal printf wrapper and assign it to a value box.
Definition value.c:4462
fr_sbuff_parse_rules_t const * value_parse_rules_quoted[T_TOKEN_LAST]
Parse rules for quoted strings.
Definition value.c:612
int fr_value_box_copy(TALLOC_CTX *ctx, fr_value_box_t *dst, const fr_value_box_t *src)
Copy value data verbatim duplicating any buffers.
Definition value.c:4156
int fr_value_box_cast_in_place(TALLOC_CTX *ctx, fr_value_box_t *vb, fr_type_t dst_type, fr_dict_attr_t const *dst_enumv)
Convert one type of fr_value_box_t to another in place.
Definition value.c:3984
void fr_value_box_strdup_shallow_replace(fr_value_box_t *vb, char const *src, ssize_t len)
Free the existing buffer (if talloced) associated with the valuebox, and replace it with a new one.
Definition value.c:4500
void fr_value_box_strdup_shallow(fr_value_box_t *dst, fr_dict_attr_t const *enumv, char const *src, bool tainted)
Assign a buffer containing a nul terminated string to a box, but don't copy it.
Definition value.c:4484
int fr_value_box_bstr_realloc(TALLOC_CTX *ctx, char **out, fr_value_box_t *dst, size_t len)
Change the length of a buffer already allocated to a value box.
Definition value.c:4552
int fr_value_box_bstrndup(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t const *enumv, char const *src, size_t len, bool tainted)
Copy a string to to a fr_value_box_t.
Definition value.c:4596
int fr_value_box_bstrdup_buffer_shallow(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t const *enumv, char const *src, bool tainted)
Assign a talloced buffer containing a nul terminated string to a box, but don't copy it.
Definition value.c:4701
int fr_value_box_list_concat_in_place(TALLOC_CTX *ctx, fr_value_box_t *out, fr_value_box_list_t *list, fr_type_t type, fr_value_box_list_action_t proc_action, bool flatten, size_t max_size)
Concatenate a list of value boxes.
Definition value.c:6273
@ FR_VALUE_BOX_LIST_FREE
Definition value.h:239
#define fr_value_box_alloc(_ctx, _type, _enumv)
Allocate a value box of a specific type.
Definition value.h:643
#define fr_value_box_is_safe_for_only(_box, _safe_for)
Definition value.h:1082
#define fr_box_strvalue_len(_val, _len)
Definition value.h:308
uintptr_t fr_value_box_safe_for_t
Escaping that's been applied to a value box.
Definition value.h:162
int nonnull(2, 5))
#define fr_value_box_alloc_null(_ctx)
Allocate a value box for later use with a value assignment function.
Definition value.h:654
static size_t char ** out
Definition value.h:1023
static TALLOC_CTX * xlat_ctx
void * rctx
Resume context.
Definition xlat_ctx.h:54
void * env_data
Expanded call env data.
Definition xlat_ctx.h:53
module_ctx_t const * mctx
Synthesised module calling ctx.
Definition xlat_ctx.h:52
An xlat calling ctx.
Definition xlat_ctx.h:49
void xlat_func_flags_set(xlat_t *x, xlat_func_flags_t flags)
Specify flags that alter the xlat's behaviour.
Definition xlat_func.c:399
int xlat_func_args_set(xlat_t *x, xlat_arg_parser_t const args[])
Register the arguments of an xlat.
Definition xlat_func.c:363
void xlat_func_call_env_set(xlat_t *x, call_env_method_t const *env_method)
Register call environment of an xlat.
Definition xlat_func.c:389
xlat_t * xlat_func_register(TALLOC_CTX *ctx, char const *name, xlat_func_t func, fr_type_t return_type)
Register an xlat function.
Definition xlat_func.c:216
void xlat_func_unregister(char const *name)
Unregister an xlat function.
Definition xlat_func.c:516
#define xlat_func_safe_for_set(_xlat, _escaped)
Set the escaped values for output boxes.
Definition xlat_func.h:82
@ XLAT_FUNC_FLAG_PURE
Definition xlat_func.h:38