The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
rlm_ldap.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: c0d655f5b306b652a422808cf22b3ae720bd1a3c $
19 * @file rlm_ldap.c
20 * @brief LDAP authorization and authentication module.
21 *
22 * @author Arran Cudbard-Bell (a.cudbardb@freeradius.org)
23 * @author Alan DeKok (aland@freeradius.org)
24 *
25 * @copyright 2012,2015 Arran Cudbard-Bell (a.cudbardb@freeradius.org)
26 * @copyright 2013,2015 Network RADIUS SAS (legal@networkradius.com)
27 * @copyright 2012 Alan DeKok (aland@freeradius.org)
28 * @copyright 1999-2013 The FreeRADIUS Server Project.
29 */
30RCSID("$Id: c0d655f5b306b652a422808cf22b3ae720bd1a3c $")
31
32USES_APPLE_DEPRECATED_API
33
34#include <freeradius-devel/util/debug.h>
35#include <freeradius-devel/util/table.h>
36#include <freeradius-devel/util/uri.h>
37
38#include <freeradius-devel/ldap/conf.h>
39
40#include <freeradius-devel/server/map_proc.h>
41#include <freeradius-devel/server/module_rlm.h>
42
43#include <freeradius-devel/unlang/xlat_func.h>
44#include <freeradius-devel/unlang/map.h>
45
46#include "rlm_ldap.h"
47
53
62
63typedef struct {
64 char const *attr;
65 fr_token_t op;
66 tmpl_t const *tmpl;
67} ldap_mod_tmpl_t;
73
74/** Call environment used in the profile xlat
75 */
76typedef struct {
77 fr_value_box_t profile_filter; //!< Filter to use when searching for users.
78 map_list_t *profile_map; //!< List of maps to apply to the profile.
79} ldap_xlat_profile_call_env_t;
80
81static int ldap_update_section_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, call_env_parser_t const *rule);
82static int ldap_mod_section_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, call_env_parser_t const *rule);
83
84static int ldap_group_filter_parse(TALLOC_CTX *ctx, void *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, UNUSED call_env_parser_t const *rule);
85
93
94static conf_parser_t profile_config[] = {
95 { FR_CONF_OFFSET("scope", rlm_ldap_t, profile.obj_scope), .dflt = "base",
96 .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = fr_ldap_scope, .len = &fr_ldap_scope_len } },
97 { FR_CONF_OFFSET("attribute", rlm_ldap_t, profile.attr) },
98 { FR_CONF_OFFSET("attribute_suspend", rlm_ldap_t, profile.attr_suspend) },
99 { FR_CONF_OFFSET("check_attribute", rlm_ldap_t, profile.check_attr) },
100 { FR_CONF_OFFSET("sort_by", rlm_ldap_t, profile.obj_sort_by) },
101 { FR_CONF_OFFSET("fallthrough_attribute", rlm_ldap_t, profile.fallthrough_attr) },
102 { FR_CONF_OFFSET("fallthrough_default", rlm_ldap_t, profile.fallthrough_def), .dflt = "yes" },
103 CONF_PARSER_TERMINATOR
104};
105
106/*
107 * User configuration
108 */
109static conf_parser_t user_config[] = {
110 { FR_CONF_OFFSET("scope", rlm_ldap_t, user.obj_scope), .dflt = "sub",
111 .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = fr_ldap_scope, .len = &fr_ldap_scope_len } },
112 { FR_CONF_OFFSET("sort_by", rlm_ldap_t, user.obj_sort_by) },
113
114 { FR_CONF_OFFSET("access_attribute", rlm_ldap_t, user.obj_access_attr) },
115 { FR_CONF_OFFSET("access_positive", rlm_ldap_t, user.access_positive), .dflt = "yes" },
116 { FR_CONF_OFFSET("access_value_negate", rlm_ldap_t, user.access_value_negate), .dflt = "false" },
117 { FR_CONF_OFFSET("access_value_suspend", rlm_ldap_t, user.access_value_suspend), .dflt = "suspended" },
118 { FR_CONF_OFFSET("dn_attribute", rlm_ldap_t, user.dn_attr_str), .dflt = "LDAP-UserDN" },
119 { FR_CONF_OFFSET_IS_SET("expect_password", FR_TYPE_BOOL, 0, rlm_ldap_t, user.expect_password) },
120 CONF_PARSER_TERMINATOR
121};
122
123/*
124 * Group configuration
125 */
126static conf_parser_t group_config[] = {
127 { FR_CONF_OFFSET("filter", rlm_ldap_t, group.obj_filter) },
128 { FR_CONF_OFFSET("scope", rlm_ldap_t, group.obj_scope), .dflt = "sub",
129 .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = fr_ldap_scope, .len = &fr_ldap_scope_len } },
130
131 { FR_CONF_OFFSET("name_attribute", rlm_ldap_t, group.obj_name_attr), .dflt = "cn" },
132 { FR_CONF_OFFSET("membership_attribute", rlm_ldap_t, group.userobj_membership_attr) },
133 { FR_CONF_OFFSET_FLAGS("membership_filter", CONF_FLAG_XLAT, rlm_ldap_t, group.obj_membership_filter) },
134 { FR_CONF_OFFSET("cacheable_name", rlm_ldap_t, group.cacheable_name), .dflt = "no" },
135 { FR_CONF_OFFSET("cacheable_dn", rlm_ldap_t, group.cacheable_dn), .dflt = "no" },
136 { FR_CONF_OFFSET("cache_attribute", rlm_ldap_t, group.cache_attr_str) },
137 { FR_CONF_OFFSET("group_attribute", rlm_ldap_t, group.attribute) },
138 { FR_CONF_OFFSET("allow_dangling_group_ref", rlm_ldap_t, group.allow_dangling_refs), .dflt = "no" },
139 { FR_CONF_OFFSET("skip_on_suspend", rlm_ldap_t, group.skip_on_suspend), .dflt = "yes"},
140 CONF_PARSER_TERMINATOR
141};
142
143static const conf_parser_t module_config[] = {
144 /*
145 * Pool config items
146 */
147 { FR_CONF_OFFSET_FLAGS("server", CONF_FLAG_MULTI, rlm_ldap_t, handle_config.server_str) }, /* Do not set to required */
148
149 /*
150 * Common LDAP conf parsers
151 */
152 FR_LDAP_COMMON_CONF(rlm_ldap_t),
153
154 { FR_CONF_OFFSET("valuepair_attribute", rlm_ldap_t, valuepair_attr) },
155
156#ifdef LDAP_CONTROL_X_SESSION_TRACKING
157 { FR_CONF_OFFSET("session_tracking", rlm_ldap_t, session_tracking), .dflt = "no" },
158#endif
159
160#ifdef WITH_EDIR
161 /* support for eDirectory Universal Password */
162 { FR_CONF_OFFSET("edir", rlm_ldap_t, edir) }, /* NULL defaults to "no" */
163
164 /*
165 * Attempt to bind with the cleartext password we got from eDirectory
166 * Universal password for additional authorization checks.
167 */
168 { FR_CONF_OFFSET("edir_autz", rlm_ldap_t, edir_autz) }, /* NULL defaults to "no" */
169#endif
170
171 { FR_CONF_POINTER("user", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) user_config },
172
173 { FR_CONF_POINTER("group", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) group_config },
174
175 { FR_CONF_POINTER("profile", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) profile_config },
176
177 { FR_CONF_OFFSET_SUBSECTION("pool", 0, rlm_ldap_t, trunk_conf, trunk_config ) },
178
179 { FR_CONF_OFFSET_SUBSECTION("bind_pool", 0, rlm_ldap_t, bind_trunk_conf, trunk_config ) },
180
181 CONF_PARSER_TERMINATOR
182};
183
184#define LDAP_DN_SAFE_FOR (fr_value_box_safe_for_t)fr_ldap_dn_escape_func
185#define LDAP_FILTER_SAFE_FOR (fr_value_box_safe_for_t)fr_ldap_filter_escape_func
186
187#define LDAP_DN_CALL_ENV_ESCAPE \
188 .pair.escape = { \
189 .box_escape = { \
190 .func = fr_ldap_dn_box_escape, \
191 .safe_for = LDAP_DN_SAFE_FOR, \
192 .always_escape = false, \
193 }, \
194 .mode = TMPL_ESCAPE_PRE_CONCAT \
195 }, \
196 .pair.literals_safe_for = LDAP_DN_SAFE_FOR
197
198#define LDAP_FILTER_CALL_ENV_ESCAPE \
199 .pair.escape = { \
200 .box_escape = { \
201 .func = fr_ldap_filter_box_escape, \
202 .safe_for = LDAP_FILTER_SAFE_FOR, \
203 .always_escape = false, \
204 }, \
205 .mode = TMPL_ESCAPE_PRE_CONCAT \
206 }, \
207 .pair.literals_safe_for = LDAP_FILTER_SAFE_FOR
208
209#define USER_CALL_ENV_COMMON(_struct) \
210 { FR_CALL_ENV_OFFSET("base_dn", FR_TYPE_STRING, CALL_ENV_FLAG_REQUIRED | CALL_ENV_FLAG_CONCAT, _struct, user_base), \
211 .pair.dflt = "", .pair.dflt_quote = T_SINGLE_QUOTED_STRING, LDAP_DN_CALL_ENV_ESCAPE }, \
212 { FR_CALL_ENV_OFFSET("filter", FR_TYPE_STRING, CALL_ENV_FLAG_NULLABLE | CALL_ENV_FLAG_CONCAT, _struct, user_filter), \
213 .pair.dflt = "(&)", .pair.dflt_quote = T_SINGLE_QUOTED_STRING, LDAP_FILTER_CALL_ENV_ESCAPE }
214
230
231/** Parameters to allow ldap_update_section_parse to be reused
232 */
237
238static const call_env_method_t authorize_method_env = {
239 FR_CALL_ENV_METHOD_OUT(ldap_autz_call_env_t),
240 .env = (call_env_parser_t[]) {
241 { FR_CALL_ENV_SUBSECTION_FUNC("update", CF_IDENT_ANY, CALL_ENV_FLAG_PARSE_MISSING, ldap_update_section_parse),
242 .uctx = &(ldap_update_rules_t){
243 .map_offset = offsetof(ldap_autz_call_env_t, user_map),
244 .expect_password_offset = offsetof(ldap_autz_call_env_t, expect_password)
245 } },
246 { FR_CALL_ENV_SUBSECTION("user", NULL, CALL_ENV_FLAG_REQUIRED,
247 ((call_env_parser_t[]) {
248 USER_CALL_ENV_COMMON(ldap_autz_call_env_t),
249 CALL_ENV_TERMINATOR
250 })) },
251 { FR_CALL_ENV_SUBSECTION("group", NULL, CALL_ENV_FLAG_NONE,
252 ((call_env_parser_t[]) {
253 { FR_CALL_ENV_OFFSET("base_dn", FR_TYPE_STRING, CALL_ENV_FLAG_CONCAT, ldap_autz_call_env_t, group_base),
254 LDAP_DN_CALL_ENV_ESCAPE },
255 { FR_CALL_ENV_PARSE_ONLY_OFFSET("membership_filter", FR_TYPE_STRING, CALL_ENV_FLAG_CONCAT, ldap_autz_call_env_t, group_filter),
256 .pair.func = ldap_group_filter_parse,
257 LDAP_FILTER_CALL_ENV_ESCAPE
258 },
259 CALL_ENV_TERMINATOR
260 })) },
261 { FR_CALL_ENV_SUBSECTION("profile", NULL, CALL_ENV_FLAG_NONE,
262 ((call_env_parser_t[]) {
263 { FR_CALL_ENV_OFFSET("default", FR_TYPE_STRING, CALL_ENV_FLAG_CONCAT, ldap_autz_call_env_t, default_profile),
264 LDAP_DN_CALL_ENV_ESCAPE },
265 { FR_CALL_ENV_OFFSET("filter", FR_TYPE_STRING, CALL_ENV_FLAG_CONCAT, ldap_autz_call_env_t, profile_filter),
266 .pair.dflt = "(&)", .pair.dflt_quote = T_SINGLE_QUOTED_STRING,
267 LDAP_FILTER_CALL_ENV_ESCAPE },
268 CALL_ENV_TERMINATOR
269 } )) },
270 CALL_ENV_TERMINATOR
271 }
272};
273
274#define USERMOD_ENV(_section) static const call_env_method_t _section ## _usermod_method_env = { \
275 FR_CALL_ENV_METHOD_OUT(ldap_usermod_call_env_t), \
276 .env = (call_env_parser_t[]) { \
277 { FR_CALL_ENV_SUBSECTION("user", NULL, CALL_ENV_FLAG_REQUIRED, \
278 ((call_env_parser_t[]) { \
279 USER_CALL_ENV_COMMON(ldap_usermod_call_env_t), CALL_ENV_TERMINATOR \
280 })) }, \
281 { FR_CALL_ENV_SUBSECTION_FUNC(STRINGIFY(_section), CF_IDENT_ANY, CALL_ENV_FLAG_SUBSECTION | CALL_ENV_FLAG_PARSE_MISSING, ldap_mod_section_parse) }, \
282 CALL_ENV_TERMINATOR \
283 } \
284}
285
286USERMOD_ENV(accounting);
287USERMOD_ENV(send);
288
310
311static const call_env_method_t xlat_profile_method_env = {
312 FR_CALL_ENV_METHOD_OUT(ldap_xlat_profile_call_env_t),
313 .env = (call_env_parser_t[]) {
314 { FR_CALL_ENV_SUBSECTION_FUNC("update", CF_IDENT_ANY, CALL_ENV_FLAG_PARSE_MISSING, ldap_update_section_parse),
315 .uctx = &(ldap_update_rules_t){
316 .map_offset = offsetof(ldap_xlat_profile_call_env_t, profile_map),
317 .expect_password_offset = -1
318 } },
319 { FR_CALL_ENV_SUBSECTION("profile", NULL, CALL_ENV_FLAG_NONE,
320 ((call_env_parser_t[]) {
321 { FR_CALL_ENV_OFFSET("filter", FR_TYPE_STRING, CALL_ENV_FLAG_CONCAT, ldap_xlat_profile_call_env_t, profile_filter),
322 .pair.dflt = "(&)", .pair.dflt_quote = T_SINGLE_QUOTED_STRING,
323 LDAP_FILTER_CALL_ENV_ESCAPE }, //!< Correct filter for when the DN is known.
324 CALL_ENV_TERMINATOR
325 })) },
326 CALL_ENV_TERMINATOR
327 }
328};
329
330static fr_dict_t const *dict_freeradius;
331
332extern fr_dict_autoload_t rlm_ldap_dict[];
333fr_dict_autoload_t rlm_ldap_dict[] = {
334 { .out = &dict_freeradius, .proto = "freeradius" },
335 DICT_AUTOLOAD_TERMINATOR
336};
337
338fr_dict_attr_t const *attr_password;
339fr_dict_attr_t const *attr_cleartext_password;
340fr_dict_attr_t const *attr_crypt_password;
341fr_dict_attr_t const *attr_nt_password;
342fr_dict_attr_t const *attr_password_with_header;
343static fr_dict_attr_t const *attr_expr_bool_enum;
344
345extern fr_dict_attr_autoload_t rlm_ldap_dict_attr[];
346fr_dict_attr_autoload_t rlm_ldap_dict_attr[] = {
347 { .out = &attr_password, .name = "Password", .type = FR_TYPE_TLV, .dict = &dict_freeradius },
348 { .out = &attr_cleartext_password, .name = "Password.Cleartext", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
349 { .out = &attr_crypt_password, .name = "Password.Crypt", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
350 { .out = &attr_nt_password, .name = "Password.NT", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
351 { .out = &attr_password_with_header, .name = "Password.With-Header", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
352 { .out = &attr_expr_bool_enum, .name = "Expr-Bool-Enum", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
353
354 DICT_AUTOLOAD_TERMINATOR
355};
356
357extern global_lib_autoinst_t const *rlm_ldap_lib[];
362
363/** Holds state of in progress async authentication
364 *
365 */
373
374/** Holds state of in progress ldap user modifications
375 *
376 */
390
391/** Holds state of in progress LDAP map
392 *
393 */
394typedef struct {
395 map_list_t const *maps;
396 LDAPURLDesc *ldap_url;
397 fr_ldap_query_t *query;
398 fr_ldap_map_exp_t expanded;
399 LDAPControl *serverctrls[LDAP_MAX_CONTROLS];
400} ldap_map_ctx_t;
401
407
408static fr_table_num_sorted_t const ldap_uri_scheme_table[] = {
409 { L("ldap://"), LDAP_SCHEME_UNIX },
410 { L("ldapi://"), LDAP_SCHEME_TCP },
411 { L("ldaps://"), LDAP_SCHEME_TCP_SSL },
412};
413static size_t ldap_uri_scheme_table_len = NUM_ELEMENTS(ldap_uri_scheme_table);
414
419
420static xlat_arg_parser_t const ldap_safe_xlat_arg[] = {
421 { .required = true, .concat = true, .type = FR_TYPE_STRING },
422 XLAT_ARG_PARSER_TERMINATOR
423};
424
425/** Escape a string for use in an RFC 4514 DN attribute value
426 *
427 * @ingroup xlat_functions
428 */
429static xlat_action_t ldap_dn_escape_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out,
430 UNUSED xlat_ctx_t const *xctx,
431 request_t *request, fr_value_box_list_t *in)
432{
433 fr_value_box_t *vb, *in_vb, *in_group = fr_value_box_list_head(in);
434 fr_sbuff_t sbuff;
435 fr_sbuff_uctx_talloc_t sbuff_ctx;
436 size_t len;
437
438 fr_assert(in_group->type == FR_TYPE_GROUP);
439
440 while ((in_vb = fr_value_box_list_pop_head(&in_group->vb_group))) {
441 if (fr_value_box_is_safe_for_only(in_vb, LDAP_DN_SAFE_FOR)) {
442 fr_dcursor_append(out, in_vb);
443 continue;
444 }
445
446 MEM(vb = fr_value_box_alloc_null(ctx));
447
448 if (!fr_sbuff_init_talloc(vb, &sbuff, &sbuff_ctx, in_vb->vb_length * 3, in_vb->vb_length * 3)) {
449 REDEBUG("Failed to allocate buffer for escaped string");
450 talloc_free(vb);
451 return XLAT_ACTION_FAIL;
452 }
453
454 len = fr_ldap_dn_escape_func(request, fr_sbuff_buff(&sbuff), in_vb->vb_length * 3 + 1, in_vb->vb_strvalue, NULL);
455
456 fr_sbuff_trim_talloc(&sbuff, len);
457 fr_value_box_strdup_shallow(vb, NULL, fr_sbuff_buff(&sbuff), in_vb->tainted);
458 talloc_free(in_vb);
459
460 fr_dcursor_append(out, vb);
461 }
462 return XLAT_ACTION_DONE;
463}
464
465/** Escape a string for use as an RFC 4515 filter assertion value
466 *
467 * @ingroup xlat_functions
468 */
469static xlat_action_t ldap_filter_escape_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out,
470 UNUSED xlat_ctx_t const *xctx,
471 request_t *request, fr_value_box_list_t *in)
472{
473 fr_value_box_t *vb, *in_vb, *in_group = fr_value_box_list_head(in);
474 fr_sbuff_t sbuff;
475 fr_sbuff_uctx_talloc_t sbuff_ctx;
476 size_t len;
477
478 fr_assert(in_group->type == FR_TYPE_GROUP);
479
480 while ((in_vb = fr_value_box_list_pop_head(&in_group->vb_group))) {
481 if (fr_value_box_is_safe_for_only(in_vb, LDAP_FILTER_SAFE_FOR)) {
482 fr_dcursor_append(out, in_vb);
483 continue;
484 }
485
486 MEM(vb = fr_value_box_alloc_null(ctx));
487
488 if (!fr_sbuff_init_talloc(vb, &sbuff, &sbuff_ctx, in_vb->vb_length * 3, in_vb->vb_length * 3)) {
489 REDEBUG("Failed to allocate buffer for escaped string");
490 talloc_free(vb);
491 return XLAT_ACTION_FAIL;
492 }
493
494 len = fr_ldap_filter_escape_func(request, fr_sbuff_buff(&sbuff), in_vb->vb_length * 3 + 1, in_vb->vb_strvalue, NULL);
495
496 fr_sbuff_trim_talloc(&sbuff, len);
497 fr_value_box_strdup_shallow(vb, NULL, fr_sbuff_buff(&sbuff), in_vb->tainted);
498 talloc_free(in_vb);
499
500 fr_dcursor_append(out, vb);
501 }
502 return XLAT_ACTION_DONE;
503}
504
509
510/** Unescape LDAP string
511 *
512 * @ingroup xlat_functions
513 */
514static xlat_action_t ldap_uri_unescape_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out,
515 UNUSED xlat_ctx_t const *xctx,
516 request_t *request, fr_value_box_list_t *in)
517{
518 fr_value_box_t *vb, *in_vb = NULL, *in_group = fr_value_box_list_head(in);
519 fr_sbuff_t sbuff;
520 fr_sbuff_uctx_talloc_t sbuff_ctx;
521 size_t len;
522
523 fr_assert(in_group->type == FR_TYPE_GROUP);
524
525 while ((in_vb = fr_value_box_list_next(&in_group->vb_group, in_vb))) {
526
527 MEM(vb = fr_value_box_alloc_null(ctx));
528 /*
529 * Maximum space needed for output will be the same as the input
530 */
531 if (!fr_sbuff_init_talloc(vb, &sbuff, &sbuff_ctx, in_vb->vb_length, in_vb->vb_length)) {
532 REDEBUG("Failed to allocate buffer for unescaped string");
533 talloc_free(vb);
534 return XLAT_ACTION_FAIL;
535 }
536
537 /*
538 * Call the unescape function, including the space for the trailing NULL
539 */
540 len = fr_ldap_uri_unescape_func(request, fr_sbuff_buff(&sbuff), in_vb->vb_length + 1, in_vb->vb_strvalue, NULL);
541
542 /*
543 * Trim buffer to fit used space and assign to box
544 */
545 fr_sbuff_trim_talloc(&sbuff, len);
546 fr_value_box_strdup_shallow(vb, NULL, fr_sbuff_buff(&sbuff), in_vb->tainted);
547 fr_dcursor_append(out, vb);
548 }
549
550 return XLAT_ACTION_DONE;
551}
552
553/** Escape function for a part of an LDAP URI
554 *
555 */
556static int ldap_uri_part_escape(fr_value_box_t *vb, UNUSED void *uctx)
557{
558 fr_sbuff_t sbuff;
559 fr_sbuff_uctx_talloc_t sbuff_ctx;
560 size_t len;
561
562 /*
563 * Maximum space needed for output would be 3 times the input if every
564 * char needed escaping
565 */
566 if (!fr_sbuff_init_talloc(vb, &sbuff, &sbuff_ctx, vb->vb_length * 3, vb->vb_length * 3)) {
567 fr_strerror_printf_push("Failed to allocate buffer for escaped argument");
568 return -1;
569 }
570
571 /*
572 * Call the escape function, including the space for the trailing NULL
573 */
574 len = fr_ldap_dn_escape_func(NULL, fr_sbuff_buff(&sbuff), vb->vb_length * 3 + 1, vb->vb_strvalue, NULL);
575
576 fr_sbuff_trim_talloc(&sbuff, len);
577 fr_value_box_strdup_shallow_replace(vb, fr_sbuff_buff(&sbuff), len);
578
579 return 0;
580}
581
582/** Callback when LDAP query times out
583 *
584 */
585static void ldap_query_timeout(UNUSED fr_timer_list_t *tl, UNUSED fr_time_t now, void *uctx)
586{
587 fr_ldap_query_t *query = talloc_get_type_abort(uctx, fr_ldap_query_t);
588 trunk_request_t *treq;
589 request_t *request;
590
591 /*
592 * If the trunk request has completed but the query
593 * has not yet resumed, query->treq will be NULL
594 */
595 if (!query->treq) return;
596
597 treq = talloc_get_type_abort(query->treq, trunk_request_t);
598 request = treq->request;
599
600 ROPTIONAL(RERROR, ERROR, "Timeout waiting for LDAP query");
601
602 trunk_request_signal_cancel(query->treq);
603
604 query->ret = LDAP_RESULT_TIMEOUT;
605 unlang_interpret_mark_runnable(request);
606}
607
608static xlat_arg_parser_t const ldap_uri_attr_option_xlat_arg[] = {
609 { .required = true, .concat = true, .type = FR_TYPE_STRING },
610 { .required = true, .concat = true, .type = FR_TYPE_STRING },
611 XLAT_ARG_PARSER_TERMINATOR
612};
613
614/** Modify an LDAP URI to append an option to all attributes
615 *
616 * This is for the corner case where a URI is provided by a third party system
617 * and needs amending before being used. e.g. a CRL distribution point extracted
618 * from a certificate may need the "binary" option appending to the attribute
619 * being requested.
620 *
621 * @ingroup xlat_functions
622 */
623static xlat_action_t ldap_xlat_uri_attr_option(TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx,
624 request_t *request, fr_value_box_list_t *in)
625{
626 fr_value_box_t *uri, *option_vb;
627 char *attrs_fixed, **attr, port[6];
628 char const *option;
629 LDAPURLDesc *ldap_url;
630 fr_value_box_t *vb;
631 int ret;
632
633 XLAT_ARGS(in, &uri, &option_vb);
634
635#ifdef STATIC_ANALYZER
636 if (!option_vb) return XLAT_ACTION_FAIL;
637#endif
638
639 if (option_vb->vb_length < 1) {
640 RERROR("LDAP attriubte option must not be blank");
641 return XLAT_ACTION_FAIL;
642 }
643
644 if (!ldap_is_ldap_url(uri->vb_strvalue)) {
645 REDEBUG("String passed does not look like an LDAP URL");
646 return XLAT_ACTION_FAIL;
647 }
648
649 ret = ldap_url_parse(uri->vb_strvalue, &ldap_url);
650 if (ret != LDAP_URL_SUCCESS){
651 RPEDEBUG("Parsing LDAP URL failed - %s", fr_ldap_url_err_to_str(ret));
652 return XLAT_ACTION_FAIL;
653 }
654
655 /*
656 * No attributes, just return what was presented.
657 */
658 if (!ldap_url->lud_attrs || !ldap_url->lud_attrs[0] || !*ldap_url->lud_attrs[0]) {
659 xlat_arg_copy_out(ctx, out, in, uri);
660 goto done;
661 }
662
663 if (option_vb->vb_strvalue[0] != ';') {
664 option = talloc_asprintf(option_vb, ";%s", option_vb->vb_strvalue);
665 } else {
666 option = option_vb->vb_strvalue;
667 }
668
669 MEM(vb = fr_value_box_alloc(ctx, FR_TYPE_STRING, NULL));
670 attrs_fixed = talloc_strdup(vb, "");
671
672 attr = ldap_url->lud_attrs;
673 while (*attr) {
674 attrs_fixed = talloc_strdup_append(attrs_fixed, *attr);
675 if (!strstr(*attr, option)) attrs_fixed = talloc_strdup_append(attrs_fixed, option);
676 attr++;
677 if (*attr) attrs_fixed = talloc_strdup_append(attrs_fixed, ",");
678 }
679
680 snprintf(port, sizeof(port), "%d", ldap_url->lud_port);
681 fr_value_box_asprintf(vb, vb, NULL, uri->tainted, "%s://%s%s%s/%s?%s?%s?%s",
682 ldap_url->lud_scheme,
683 ldap_url->lud_host ? ldap_url->lud_host : "",
684 ldap_url->lud_host ? ":" : "",
685 ldap_url->lud_host ? port : "",
686 ldap_url->lud_dn, attrs_fixed,
687 fr_table_str_by_value(fr_ldap_scope, ldap_url->lud_scope, ""),
688 ldap_url->lud_filter ? ldap_url->lud_filter : "");
689
690 fr_dcursor_append(out, vb);
691done:
692 ldap_free_urldesc(ldap_url);
693 return XLAT_ACTION_DONE;
694}
695
696/** Callback when resuming after async ldap query is completed
697 *
698 */
699static xlat_action_t ldap_xlat_resume(TALLOC_CTX *ctx, fr_dcursor_t *out,
700 xlat_ctx_t const *xctx,
701 request_t *request, UNUSED fr_value_box_list_t *in)
702{
703 fr_ldap_query_t *query = talloc_get_type_abort(xctx->rctx, fr_ldap_query_t);
704 fr_ldap_connection_t *ldap_conn = query->ldap_conn;
705 fr_value_box_t *vb = NULL;
706 LDAPMessage *msg;
707 struct berval **values;
708 char const **attr;
709 int count, i;
710
711 if (query->ret != LDAP_RESULT_SUCCESS) return XLAT_ACTION_FAIL;
712
713 /*
714 * We only parse "entries"
715 */
716 for (msg = ldap_first_entry(ldap_conn->handle, query->result); msg; msg = ldap_next_entry(ldap_conn->handle, msg)) {
717 for (attr = query->search.attrs; *attr; attr++) {
718 values = ldap_get_values_len(ldap_conn->handle, msg, *attr);
719 if (!values) {
720 RDEBUG2("No \"%s\" attributes found in specified object", *attr);
721 continue;
722 }
723
724 count = ldap_count_values_len(values);
725 for (i = 0; i < count; i++) {
726 MEM(vb = fr_value_box_alloc_null(ctx));
727 if (fr_value_box_bstrndup(vb, vb, NULL, values[i]->bv_val, values[i]->bv_len, true) < 0) {
728 talloc_free(vb);
729 RPERROR("Failed creating value from LDAP response");
730 break;
731 }
732 fr_dcursor_append(out, vb);
733 }
734 ldap_value_free_len(values);
735 }
736 }
737
738 talloc_free(query);
739
740 return XLAT_ACTION_DONE;
741}
742
743/** Callback for signalling async ldap query
744 *
745 */
746static void ldap_xlat_signal(xlat_ctx_t const *xctx, request_t *request, UNUSED fr_signal_t action)
747{
748 fr_ldap_query_t *query = talloc_get_type_abort(xctx->rctx, fr_ldap_query_t);
749
750 if (!query->treq) return;
751
752 RDEBUG2("Forcefully cancelling pending LDAP query");
753
754 trunk_request_signal_cancel(query->treq);
755}
756
757/*
758 * If a part doesn't have an escaping function, parsing will fail unless the input
759 * was marked up with a safe_for value by the ldap arg parsing, i.e. was a literal
760 * input argument to the xlat.
761 *
762 * This is equivalent to the old "tainted_allowed" flag.
763 */
764static fr_uri_part_t const ldap_uri_parts[] = {
765 { .name = "scheme", .safe_for = LDAP_DN_SAFE_FOR, .terminals = &FR_SBUFF_TERMS(L(":")), .part_adv = { [':'] = 1 }, .extra_skip = 2 },
766 { .name = "host", .safe_for = LDAP_DN_SAFE_FOR, .terminals = &FR_SBUFF_TERMS(L(":"), L("/")), .part_adv = { [':'] = 1, ['/'] = 2 } },
767 { .name = "port", .safe_for = LDAP_DN_SAFE_FOR, .terminals = &FR_SBUFF_TERMS(L("/")), .part_adv = { ['/'] = 1 } },
768 { .name = "dn", .safe_for = LDAP_DN_SAFE_FOR, .terminals = &FR_SBUFF_TERMS(L("?")), .part_adv = { ['?'] = 1 }, .func = ldap_uri_part_escape },
769 { .name = "attrs", .safe_for = LDAP_DN_SAFE_FOR, .terminals = &FR_SBUFF_TERMS(L("?")), .part_adv = { ['?'] = 1 }},
770 { .name = "scope", .safe_for = LDAP_DN_SAFE_FOR, .terminals = &FR_SBUFF_TERMS(L("?")), .part_adv = { ['?'] = 1 }, .func = ldap_uri_part_escape },
771 { .name = "filter", .safe_for = LDAP_DN_SAFE_FOR, .terminals = &FR_SBUFF_TERMS(L("?")), .part_adv = { ['?'] = 1}, .func = ldap_uri_part_escape },
772 { .name = "exts", .safe_for = LDAP_DN_SAFE_FOR, .func = ldap_uri_part_escape },
773 XLAT_URI_PART_TERMINATOR
774};
775
776static fr_uri_part_t const ldap_dn_parts[] = {
777 { .name = "dn", .safe_for = LDAP_DN_SAFE_FOR , .func = ldap_uri_part_escape },
778 XLAT_URI_PART_TERMINATOR
779};
780
781static xlat_arg_parser_t const ldap_xlat_arg[] = {
782 { .required = true, .type = FR_TYPE_STRING, .safe_for = LDAP_DN_SAFE_FOR, .will_escape = true, },
783 XLAT_ARG_PARSER_TERMINATOR
784};
785
786/** Produce canonical LDAP host URI for finding trunks
787 *
788 */
789static inline CC_HINT(always_inline)
790char *host_uri_canonify(request_t *request, LDAPURLDesc *url_parsed, fr_value_box_t *url_in)
791{
792 char *host;
793
794 LDAPURLDesc tmp_desc = {
795 .lud_scheme = url_parsed->lud_scheme,
796 .lud_host = url_parsed->lud_host,
797 .lud_port = url_parsed->lud_port,
798 .lud_scope = -1
799 };
800 host = ldap_url_desc2str(&tmp_desc);
801 if (unlikely(host == NULL)) REDEBUG("Invalid LDAP URL - %pV", url_in); \
802
803 return host;
804}
805
806/** Utility function for parsing LDAP URLs
807 *
808 * All LDAP xlat functions that work with LDAP URLs should call this function to parse the URL.
809 *
810 * @param[out] uri_parsed LDAP URL parsed. Must be freed with ldap_url_desc_free.
811 * @param[out] host_out host name to use for the query. Must be freed with ldap_mem_free
812 * if free_host_out is true.
813 * @param[out] free_host_out True if host_out should be freed.
814 * @param[in] request Request being processed.
815 * @param[in] host_default Default host to use if the URL does not specify a host.
816 * @param[in] uri_in URI to parse.
817 * @return
818 * - 0 on success.
819 * - -1 on failure.
820 */
821static int ldap_xlat_uri_parse(LDAPURLDesc **uri_parsed, char **host_out, bool *free_host_out,
822 request_t *request, char *host_default, fr_value_box_t *uri_in)
823{
824 fr_value_box_t *uri;
825 int ldap_url_ret;
826
827 *free_host_out = false;
828
829 if (fr_uri_escape_list(&uri_in->vb_group, ldap_uri_parts, NULL) < 0){
830 RPERROR("Failed to escape LDAP URI");
831 error:
832 *uri_parsed = NULL;
833 return -1;
834 }
835
836 /*
837 * Smush everything into the first URI box
838 */
839 uri = fr_value_box_list_head(&uri_in->vb_group);
840
841 if (fr_value_box_list_concat_in_place(uri, uri, &uri_in->vb_group,
842 FR_TYPE_STRING, FR_VALUE_BOX_LIST_FREE, true, SIZE_MAX) < 0) {
843 RPEDEBUG("Failed concatenating input");
844 goto error;
845 }
846
847 if (!ldap_is_ldap_url(uri->vb_strvalue)) {
848 REDEBUG("String passed does not look like an LDAP URL");
849 goto error;
850 }
851
852 ldap_url_ret = ldap_url_parse(uri->vb_strvalue, uri_parsed);
853 if (ldap_url_ret != LDAP_URL_SUCCESS){
854 RPEDEBUG("Parsing LDAP URL failed - %s", fr_ldap_url_err_to_str(ldap_url_ret));
855 goto error;
856 }
857
858 /*
859 * If the URL is <scheme>:/// the parsed host will be NULL - use config default
860 */
861 if (!(*uri_parsed)->lud_host) {
862 *host_out = host_default;
863 } else {
864 *host_out = host_uri_canonify(request, *uri_parsed, uri);
865 if (unlikely(*host_out == NULL)) {
866 ldap_free_urldesc(*uri_parsed);
867 *uri_parsed = NULL;
868 return -1;
869 }
870 *free_host_out = true;
871 }
872
873 return 0;
874}
875
876/** Expand an LDAP URL into a query, and return a string result from that query.
877 *
878 * @ingroup xlat_functions
879 */
880static xlat_action_t ldap_xlat(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out,
881 xlat_ctx_t const *xctx,
882 request_t *request, fr_value_box_list_t *in)
883{
884 fr_ldap_thread_t *t = talloc_get_type_abort(xctx->mctx->thread, fr_ldap_thread_t);
885 fr_value_box_t *uri;
886 char *host;
887 bool free_host = false;
888 fr_ldap_config_t const *handle_config = t->config;
889 fr_ldap_thread_trunk_t *ttrunk;
890 fr_ldap_query_t *query = NULL;
891
892 LDAPURLDesc *ldap_url;
893
894 XLAT_ARGS(in, &uri);
895
896 if (ldap_xlat_uri_parse(&ldap_url, &host, &free_host, request, handle_config->server, uri) < 0) return XLAT_ACTION_FAIL;
897
898 /*
899 * Nothing, empty string, "*" string, or got 2 things, die.
900 */
901 if (!ldap_url->lud_attrs || !ldap_url->lud_attrs[0] || !*ldap_url->lud_attrs[0] ||
902 (strcmp(ldap_url->lud_attrs[0], "*") == 0) || ldap_url->lud_attrs[1]) {
903 REDEBUG("Bad attributes list in LDAP URL. URL must specify exactly one attribute to retrieve");
904 ldap_free_urldesc(ldap_url);
905 return XLAT_ACTION_FAIL;
906 }
907
908 query = fr_ldap_search_alloc(unlang_interpret_frame_talloc_ctx(request),
909 ldap_url->lud_dn, ldap_url->lud_scope, ldap_url->lud_filter,
910 (char const * const*)ldap_url->lud_attrs, NULL, NULL);
911 query->ldap_url = ldap_url; /* query destructor will free URL */
912
913 if (ldap_url->lud_exts) {
914 LDAPControl *serverctrls[LDAP_MAX_CONTROLS];
915 int i;
916
917 serverctrls[0] = NULL;
918
919 if (fr_ldap_parse_url_extensions(serverctrls, NUM_ELEMENTS(serverctrls),
920 query->ldap_url->lud_exts) < 0) {
921 RPERROR("Parsing URL extensions failed");
922 if (free_host) ldap_memfree(host);
923
924 query_error:
925 talloc_free(query);
926 return XLAT_ACTION_FAIL;
927 }
928
929 for (i = 0; i < LDAP_MAX_CONTROLS; i++) {
930 if (!serverctrls[i]) break;
931 query->serverctrls[i].control = serverctrls[i];
932 query->serverctrls[i].freeit = true;
933 }
934 }
935
936 /*
937 * Figure out what trunked connection we can use
938 * to communicate with the host.
939 *
940 * If free_host is true, we must free the host
941 * after deciding on a trunk connection as it
942 * was allocated by host_uri_canonify.
943 */
944 ttrunk = fr_thread_ldap_trunk_get(t, host, handle_config->admin_identity,
945 handle_config->admin_password, request, handle_config);
946 if (free_host) ldap_memfree(host);
947 if (!ttrunk) {
948 REDEBUG("Unable to get LDAP query for xlat");
949 goto query_error;
950 }
951
952 switch (trunk_request_enqueue(&query->treq, ttrunk->trunk, request, query, NULL)) {
953 case TRUNK_ENQUEUE_OK:
954 case TRUNK_ENQUEUE_IN_BACKLOG:
955 break;
956
957 default:
958 REDEBUG("Unable to enqueue LDAP query for xlat");
959 goto query_error;
960 }
961
962 if (fr_timer_in(query, unlang_interpret_event_list(request)->tl, &query->ev, handle_config->res_timeout,
963 false, ldap_query_timeout, query) < 0) {
964 REDEBUG("Unable to set timeout for LDAP query");
965 trunk_request_signal_cancel(query->treq);
966 goto query_error;
967 }
968
969 return unlang_xlat_yield(request, ldap_xlat_resume, ldap_xlat_signal, ~FR_SIGNAL_CANCEL, query);
970}
971
972/** User object lookup as part of group membership xlat
973 *
974 * Called if the ldap membership xlat is used and the user DN is not already known
975 */
976static unlang_action_t ldap_group_xlat_user_find(UNUSED unlang_result_t *p_result, request_t *request, void *uctx)
977{
978 ldap_group_xlat_ctx_t *xlat_ctx = talloc_get_type_abort(uctx, ldap_group_xlat_ctx_t);
979
980 if (xlat_ctx->env_data->user_filter.type == FR_TYPE_STRING) xlat_ctx->filter = &xlat_ctx->env_data->user_filter;
981
982 xlat_ctx->basedn = &xlat_ctx->env_data->user_base;
983
984 return rlm_ldap_find_user_async(xlat_ctx,
985 /* discard, this function is only used by xlats */NULL,
986 xlat_ctx->inst, request,
987 xlat_ctx->basedn, xlat_ctx->filter,
988 xlat_ctx->ttrunk, xlat_ctx->attrs, &xlat_ctx->query);
989}
990
991/** Cancel an in-progress query for the LDAP group membership xlat
992 *
993 */
994static void ldap_group_xlat_cancel(UNUSED request_t *request, UNUSED fr_signal_t action, void *uctx)
995{
996 ldap_group_xlat_ctx_t *xlat_ctx = talloc_get_type_abort(uctx, ldap_group_xlat_ctx_t);
997
998 if (!xlat_ctx->query || !xlat_ctx->query->treq) return;
999
1000 trunk_request_signal_cancel(xlat_ctx->query->treq);
1001}
1002
1003#define REPEAT_LDAP_MEMBEROF_XLAT_RESULTS \
1004 if (unlang_function_repeat_set(request, ldap_group_xlat_results) < 0) do { \
1005 RETURN_UNLANG_FAIL; \
1006 } while (0)
1007
1008/** Run the state machine for the LDAP membership xlat
1009 *
1010 * This is called after each async lookup is completed
1011 *
1012 * Will stop early, and set p_result to unlang_result
1013 */
1014static unlang_action_t ldap_group_xlat_results(unlang_result_t *p_result, request_t *request, void *uctx)
1015{
1016 ldap_group_xlat_ctx_t *xlat_ctx = talloc_get_type_abort(uctx, ldap_group_xlat_ctx_t);
1017 rlm_ldap_t const *inst = xlat_ctx->inst;
1018
1019 /*
1020 * Check to see if rlm_ldap_check_groupobj_dynamic or rlm_ldap_check_userobj_dynamic failed
1021 */
1022 if (p_result->rcode == RLM_MODULE_FAIL) return UNLANG_ACTION_CALCULATE_RESULT;
1023
1024 switch (xlat_ctx->status) {
1025 case GROUP_XLAT_FIND_USER:
1026 if (!xlat_ctx->dn) xlat_ctx->dn = rlm_find_user_dn_cached(inst, request);
1027 if (!xlat_ctx->dn) RETURN_UNLANG_FAIL;
1028
1029 RDEBUG3("Entered GROUP_XLAT_FIND_USER with user DN \"%s\"", xlat_ctx->dn);
1030 if (inst->group.obj_membership_filter) {
1031 REPEAT_LDAP_MEMBEROF_XLAT_RESULTS;
1032 RDEBUG3("Checking for user in group objects");
1033 if (rlm_ldap_check_groupobj_dynamic(p_result, request, xlat_ctx) == UNLANG_ACTION_PUSHED_CHILD) {
1034 xlat_ctx->status = GROUP_XLAT_MEMB_FILTER;
1035 return UNLANG_ACTION_PUSHED_CHILD;
1036 }
1037 }
1038 FALL_THROUGH;
1039
1040 case GROUP_XLAT_MEMB_FILTER:
1041 if (xlat_ctx->found) RETURN_UNLANG_OK;
1042
1043 RDEBUG3("Entered GROUP_XLAT_MEMB_FILTER with user DN \"%s\"", xlat_ctx->dn);
1044 if (inst->group.userobj_membership_attr) {
1045 REPEAT_LDAP_MEMBEROF_XLAT_RESULTS;
1046 if (rlm_ldap_check_userobj_dynamic(p_result, request, xlat_ctx) == UNLANG_ACTION_PUSHED_CHILD) {
1047 xlat_ctx->status = GROUP_XLAT_MEMB_ATTR;
1048 return UNLANG_ACTION_PUSHED_CHILD;
1049 }
1050 }
1051 FALL_THROUGH;
1052
1053 case GROUP_XLAT_MEMB_ATTR:
1054 RDEBUG3("Entered GROUP_XLAT_MEMB_ATTR with user DN \"%s\"", xlat_ctx->dn);
1055 if (xlat_ctx->found) RETURN_UNLANG_OK;
1056 break;
1057 }
1058
1059 RETURN_UNLANG_NOTFOUND;
1060}
1061
1062/** Process the results of evaluating LDAP group membership
1063 *
1064 */
1065static xlat_action_t ldap_group_xlat_resume(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx,
1066 UNUSED request_t *request, UNUSED fr_value_box_list_t *in)
1067{
1068 ldap_group_xlat_ctx_t *xlat_ctx = talloc_get_type_abort(xctx->rctx, ldap_group_xlat_ctx_t);
1069 fr_value_box_t *vb;
1070
1071 MEM(vb = fr_value_box_alloc(ctx, FR_TYPE_BOOL, attr_expr_bool_enum));
1072 vb->vb_bool = xlat_ctx->found;
1073 fr_dcursor_append(out, vb);
1074
1075 return XLAT_ACTION_DONE;
1076}
1077
1078static xlat_arg_parser_t const ldap_group_xlat_arg[] = {
1079 { .required = true, .concat = true, .type = FR_TYPE_STRING, .safe_for = LDAP_DN_SAFE_FOR },
1080 XLAT_ARG_PARSER_TERMINATOR
1081};
1082
1083/** Check for a user being in a LDAP group
1084 *
1085 * @ingroup xlat_functions
1086 */
1087static xlat_action_t ldap_group_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx,
1088 request_t *request, fr_value_box_list_t *in)
1089{
1090 fr_value_box_t *vb = NULL, *group_vb = fr_value_box_list_pop_head(in);
1091 rlm_ldap_t const *inst = talloc_get_type_abort_const(xctx->mctx->mi->data, rlm_ldap_t);
1092 fr_ldap_thread_t *t = talloc_get_type_abort(xctx->mctx->thread, fr_ldap_thread_t);
1093 ldap_xlat_memberof_call_env_t *env_data = talloc_get_type_abort(xctx->env_data, ldap_xlat_memberof_call_env_t);
1094 bool group_is_dn;
1095 ldap_group_xlat_ctx_t *xlat_ctx;
1096
1097 RDEBUG2("Searching for user in group \"%pV\"", group_vb);
1098
1099 if (group_vb->vb_length == 0) {
1100 REDEBUG("Cannot do comparison (group name is empty)");
1101 return XLAT_ACTION_FAIL;
1102 }
1103
1104 group_is_dn = fr_ldap_util_is_dn(group_vb->vb_strvalue, group_vb->vb_length);
1105 if (group_is_dn) {
1106 char *norm;
1107 size_t len;
1108
1109 MEM(norm = talloc_array(group_vb, char, talloc_array_length(group_vb->vb_strvalue)));
1110 len = fr_ldap_util_normalise_dn(norm, group_vb->vb_strvalue);
1111
1112 /*
1113 * Will clear existing buffer (i.e. group_vb->vb_strvalue)
1114 */
1115 fr_value_box_bstrdup_buffer_shallow(group_vb, group_vb, NULL, norm, group_vb->tainted);
1116
1117 /*
1118 * Trim buffer to match normalised DN
1119 */
1120 fr_value_box_bstr_realloc(group_vb, NULL, group_vb, len);
1121 }
1122
1123 if ((group_is_dn && inst->group.cacheable_dn) || (!group_is_dn && inst->group.cacheable_name)) {
1124 unlang_result_t our_result;
1125
1126 rlm_ldap_check_cached(&our_result, inst, request, group_vb);
1127 switch (our_result.rcode) {
1128 case RLM_MODULE_NOTFOUND:
1129 RDEBUG2("User is not a member of \"%pV\"", group_vb);
1130 return XLAT_ACTION_DONE;
1131
1132 case RLM_MODULE_OK:
1133 MEM(vb = fr_value_box_alloc(ctx, FR_TYPE_BOOL, NULL));
1134 vb->vb_bool = true;
1135 fr_dcursor_append(out, vb);
1136 return XLAT_ACTION_DONE;
1137
1138 /*
1139 * Fallback to dynamic search
1140 */
1141 default:
1142 break;
1143 }
1144 }
1145
1146 MEM(xlat_ctx = talloc(unlang_interpret_frame_talloc_ctx(request), ldap_group_xlat_ctx_t));
1147
1148 *xlat_ctx = (ldap_group_xlat_ctx_t){
1149 .inst = inst,
1150 .group = group_vb,
1151 .dn = rlm_find_user_dn_cached(inst, request),
1152 .attrs = { inst->group.userobj_membership_attr, NULL },
1153 .group_is_dn = group_is_dn,
1154 .env_data = env_data
1155 };
1156
1157 xlat_ctx->ttrunk = fr_thread_ldap_trunk_get(t, inst->handle_config.server, inst->handle_config.admin_identity,
1158 inst->handle_config.admin_password, request, &inst->handle_config);
1159
1160 if (!xlat_ctx->ttrunk) {
1161 REDEBUG("Unable to get LDAP trunk for group membership check");
1162 error:
1163 talloc_free(xlat_ctx);
1164 return XLAT_ACTION_FAIL;
1165 }
1166
1167 if (unlang_xlat_yield(request, ldap_group_xlat_resume, NULL, 0, xlat_ctx) != XLAT_ACTION_YIELD) goto error;
1168
1169 if (unlang_function_push_with_result(NULL,
1170 request,
1171 xlat_ctx->dn ? NULL : ldap_group_xlat_user_find,
1172 ldap_group_xlat_results,
1173 ldap_group_xlat_cancel, ~FR_SIGNAL_CANCEL,
1174 UNLANG_SUB_FRAME,
1175 xlat_ctx) < 0) goto error;
1176
1177 return XLAT_ACTION_PUSH_UNLANG;
1178}
1179
1186
1187/** Return whether evaluating the profile was successful
1188 *
1189 */
1190static xlat_action_t ldap_profile_xlat_resume(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx,
1191 UNUSED request_t *request, UNUSED fr_value_box_list_t *in)
1192{
1193 ldap_xlat_profile_ctx_t *xlat_ctx = talloc_get_type_abort(xctx->rctx, ldap_xlat_profile_ctx_t);
1194 fr_value_box_t *vb;
1195
1196 MEM(vb = fr_value_box_alloc(ctx, FR_TYPE_BOOL, attr_expr_bool_enum));
1197 vb->vb_bool = (xlat_ctx->ret == LDAP_RESULT_SUCCESS) && (xlat_ctx->applied > 0);
1198 fr_dcursor_append(out, vb);
1199
1200 return XLAT_ACTION_DONE;
1201}
1202
1203static int ldap_xlat_profile_ctx_free(ldap_xlat_profile_ctx_t *to_free)
1204{
1205 if (to_free->url) {
1206 ldap_free_urldesc(to_free->url);
1207 to_free->url = NULL;
1208 }
1209 return 0;
1210}
1211
1212/** Expand an LDAP URL into a query, applying the results using the user update map.
1213 *
1214 * For fetching profiles by DN.
1215 *
1216 * @ingroup xlat_functions
1217 */
1218static xlat_action_t ldap_profile_xlat(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out,
1219 xlat_ctx_t const *xctx,
1220 request_t *request, fr_value_box_list_t *in)
1221{
1222 rlm_ldap_t const *inst = talloc_get_type_abort_const(xctx->mctx->mi->data, rlm_ldap_t);
1223 fr_ldap_thread_t *t = talloc_get_type_abort(xctx->mctx->thread, fr_ldap_thread_t);
1224 ldap_xlat_profile_call_env_t *env_data = talloc_get_type_abort(xctx->env_data, ldap_xlat_profile_call_env_t);
1225 fr_value_box_t *uri_components, *uri;
1226 char *host_url, *host = NULL;
1227 fr_ldap_config_t const *handle_config = t->config;
1228 fr_ldap_thread_trunk_t *ttrunk;
1229 ldap_xlat_profile_ctx_t *xlat_ctx = NULL;
1230
1231 int ldap_url_ret;
1232
1233 char const *dn;
1234 char const *filter;
1235 int scope;
1236
1237 bool is_dn;
1238
1239 XLAT_ARGS(in, &uri_components);
1240
1241 is_dn = (fr_uri_has_scheme(&uri_components->vb_group, ldap_uri_scheme_table, ldap_uri_scheme_table_len, -1) < 0);
1242
1243 /*
1244 * Apply different escaping rules based on whether the first
1245 * arg lookgs like a URI or a DN.
1246 */
1247 if (is_dn) {
1248 if (fr_uri_escape_list(&uri_components->vb_group, ldap_dn_parts, NULL) < 0) {
1249 RPERROR("Failed to escape LDAP profile DN");
1250 return XLAT_ACTION_FAIL;
1251 }
1252 } else {
1253 if (fr_uri_escape_list(&uri_components->vb_group, ldap_uri_parts, NULL) < 0) {
1254 RPERROR("Failed to escape LDAP profile URI");
1255 return XLAT_ACTION_FAIL;
1256 }
1257 }
1258
1259 /*
1260 * Smush everything into the first URI box
1261 */
1262 uri = fr_value_box_list_head(&uri_components->vb_group);
1263 if (fr_value_box_list_concat_in_place(uri, uri, &uri_components->vb_group,
1264 FR_TYPE_STRING, FR_VALUE_BOX_LIST_FREE, true, SIZE_MAX) < 0) {
1265 RPEDEBUG("Failed concatenating input");
1266 return XLAT_ACTION_FAIL;
1267 }
1268
1269 /*
1270 * Allocate a resumption context to store temporary resource and results
1271 */
1272 MEM(xlat_ctx = talloc_zero(unlang_interpret_frame_talloc_ctx(request), ldap_xlat_profile_ctx_t));
1273 talloc_set_destructor(xlat_ctx, ldap_xlat_profile_ctx_free);
1274
1275 if (is_dn) {
1276 host_url = handle_config->server;
1277 dn = talloc_typed_strdup_buffer(xlat_ctx, uri->vb_strvalue);
1278 filter = env_data->profile_filter.vb_strvalue;
1279 scope = inst->profile.obj_scope;
1280 } else {
1281 ldap_url_ret = ldap_url_parse(uri->vb_strvalue, &xlat_ctx->url);
1282 if (ldap_url_ret != LDAP_URL_SUCCESS){
1283 RPEDEBUG("Parsing LDAP URL failed - %s", fr_ldap_url_err_to_str(ldap_url_ret));
1284 error:
1285 talloc_free(xlat_ctx);
1286 return XLAT_ACTION_FAIL;
1287 }
1288
1289 /*
1290 * The URL must specify a DN
1291 */
1292 if (!xlat_ctx->url->lud_dn) {
1293 REDEBUG("LDAP URI must specify a profile DN");
1294 goto error;
1295 }
1296
1297 dn = xlat_ctx->url->lud_dn;
1298 /*
1299 * Either we use the filter from the URL or we use the default filter
1300 * configured for profiles.
1301 */
1302 filter = xlat_ctx->url->lud_filter ? xlat_ctx->url->lud_filter : env_data->profile_filter.vb_strvalue;
1303
1304 /*
1305 * Determine if the URL includes a scope.
1306 */
1307 scope = xlat_ctx->url->lud_scope == LDAP_SCOPE_DEFAULT ? inst->profile.obj_scope : xlat_ctx->url->lud_scope;
1308
1309 /*
1310 * If the URL is <scheme>:/// the parsed host will be NULL - use config default
1311 */
1312 if (!xlat_ctx->url->lud_host) {
1313 host_url = handle_config->server;
1314 } else {
1315 host_url = host = host_uri_canonify(request, xlat_ctx->url, uri);
1316 if (unlikely(host_url == NULL)) goto error;
1317 }
1318 }
1319
1320 /*
1321 * Synchronous expansion of maps (fixme!)
1322 */
1323 if (fr_ldap_map_expand(xlat_ctx, &xlat_ctx->expanded, request, env_data->profile_map,
1324 inst->valuepair_attr, inst->profile.check_attr, inst->profile.fallthrough_attr) < 0) goto error;
1325 ttrunk = fr_thread_ldap_trunk_get(t, host_url, handle_config->admin_identity,
1326 handle_config->admin_password, request, handle_config);
1327 if (host) ldap_memfree(host);
1328 if (!ttrunk) {
1329 REDEBUG("Unable to get LDAP query for xlat");
1330 goto error;
1331 }
1332
1333 if (unlang_xlat_yield(request, ldap_profile_xlat_resume, NULL, 0, xlat_ctx) != XLAT_ACTION_YIELD) goto error;
1334
1335 /*
1336 * Pushes a frame onto the stack to retrieve and evaluate a profile
1337 */
1338 if (rlm_ldap_map_profile(&xlat_ctx->ret, &xlat_ctx->applied, inst, request, ttrunk, dn,
1339 scope, filter, &xlat_ctx->expanded) < 0) goto error;
1340
1341 return XLAT_ACTION_PUSH_UNLANG;
1342}
1343
1344/*
1345 * Verify the result of the map.
1346 */
1347static int ldap_map_verify(CONF_SECTION *cs, UNUSED void const *mod_inst, UNUSED void *proc_inst,
1348 tmpl_t const *src, UNUSED map_list_t const *maps)
1349{
1350 if (!src) {
1351 cf_log_err(cs, "Missing LDAP URI");
1352
1353 return -1;
1354 }
1355
1356 return 0;
1357}
1358
1359/** Process the results of an LDAP map query
1360 *
1361 * @param[out] p_result Result of map expansion:
1362 * - #RLM_MODULE_NOOP no rows were returned.
1363 * - #RLM_MODULE_UPDATED if one or more #fr_pair_t were added to the #request_t.
1364 * - #RLM_MODULE_FAIL if an error occurred.
1365 * @param[in] mpctx module map ctx.
1366 * @param[in,out] request The current request.
1367 * @param[in] url LDAP url specifying base DN and filter.
1368 * @param[in] maps Head of the map list.
1369 * @return One of UNLANG_ACTION_*
1370 */
1371static unlang_action_t mod_map_resume(unlang_result_t *p_result, map_ctx_t const *mpctx, request_t *request,
1372 UNUSED fr_value_box_list_t *url, UNUSED map_list_t const *maps)
1373{
1374 ldap_map_ctx_t *map_ctx = talloc_get_type_abort(mpctx->rctx, ldap_map_ctx_t);
1375 fr_ldap_query_t *query = map_ctx->query;
1376 fr_ldap_map_exp_t *expanded = &map_ctx->expanded;
1377 rlm_rcode_t rcode = RLM_MODULE_NOTFOUND;
1378 LDAPMessage *entry;
1379 map_t const *map;
1380
1381 switch (query->ret) {
1382 case LDAP_RESULT_SUCCESS:
1383 rcode = RLM_MODULE_UPDATED;
1384 break;
1385
1386 case LDAP_RESULT_NO_RESULT:
1387 case LDAP_RESULT_BAD_DN:
1388 goto finish;
1389
1390 case LDAP_RESULT_TIMEOUT:
1391 goto finish;
1392
1393 default:
1394 rcode = RLM_MODULE_FAIL;
1395 goto finish;
1396 }
1397
1398 for (entry = ldap_first_entry(query->ldap_conn->handle, query->result);
1399 entry;
1400 entry = ldap_next_entry(query->ldap_conn->handle, entry)) {
1401 char *dn = NULL;
1402 int i;
1403
1404 if (RDEBUG_ENABLED2) {
1405 dn = ldap_get_dn(query->ldap_conn->handle, entry);
1406 RDEBUG2("Processing \"%s\"", dn);
1407 }
1408
1409 RINDENT();
1410 for (map = map_list_head(map_ctx->maps), i = 0;
1411 map != NULL;
1412 map = map_list_next(map_ctx->maps, map), i++) {
1413 int ret;
1414 fr_ldap_result_t attr;
1415
1416 attr.values = ldap_get_values_len(query->ldap_conn->handle, entry, expanded->attrs[i]);
1417 if (!attr.values) {
1418 /*
1419 * Many LDAP directories don't expose the DN of
1420 * the object as an attribute, so we need this
1421 * hack, to allow the user to retrieve it.
1422 */
1423 if (strcmp(LDAP_VIRTUAL_DN_ATTR, expanded->attrs[i]) == 0) {
1424 struct berval value;
1425 struct berval *values[2] = { &value, NULL };
1426
1427 if (!dn) dn = ldap_get_dn(query->ldap_conn->handle, entry);
1428 value.bv_val = dn;
1429 value.bv_len = strlen(dn);
1430
1431 attr.values = values;
1432 attr.count = 1;
1433
1434 ret = map_to_request(request, map, fr_ldap_map_getvalue, &attr);
1435 if (ret == -1) {
1436 rcode = RLM_MODULE_FAIL;
1437 ldap_memfree(dn);
1438 goto finish;
1439 }
1440 continue;
1441 }
1442
1443 RDEBUG3("Attribute \"%s\" not found in LDAP object", expanded->attrs[i]);
1444
1445 continue;
1446 }
1447 attr.count = ldap_count_values_len(attr.values);
1448
1449 ret = map_to_request(request, map, fr_ldap_map_getvalue, &attr);
1450 ldap_value_free_len(attr.values);
1451 if (ret == -1) {
1452 rcode = RLM_MODULE_FAIL;
1453 ldap_memfree(dn);
1454 goto finish;
1455 }
1456 }
1457 ldap_memfree(dn);
1458 REXDENT();
1459 }
1460
1461finish:
1462 RETURN_UNLANG_RCODE(rcode);
1463}
1464
1465/** Ensure map context is properly cleared up
1466 *
1467 */
1468static int map_ctx_free(ldap_map_ctx_t *map_ctx)
1469{
1470 int i = 0;
1471 talloc_free(map_ctx->expanded.ctx);
1472 ldap_free_urldesc(map_ctx->ldap_url);
1473 while ((i < LDAP_MAX_CONTROLS) && map_ctx->serverctrls[i]) {
1474 ldap_control_free(map_ctx->serverctrls[i]);
1475 i++;
1476 }
1477 return (0);
1478}
1479
1480/** Perform a search and map the result of the search to server attributes
1481 *
1482 * Unlike LDAP xlat, this can be used to process attributes from multiple entries.
1483 *
1484 * @todo For xlat expansions we need to parse the raw URL first, and then apply
1485 * different escape functions to the different parts.
1486 *
1487 * @param[out] p_result Result of map expansion:
1488 * - #RLM_MODULE_NOOP no rows were returned.
1489 * - #RLM_MODULE_UPDATED if one or more #fr_pair_t were added to the #request_t.
1490 * - #RLM_MODULE_FAIL if an error occurred.
1491 * @param[in] mpctx module map ctx.
1492 * @param[in,out] request The current request.
1493 * @param[in] url LDAP url specifying base DN and filter.
1494 * @param[in] maps Head of the map list.
1495 * @return UNLANG_ACTION_CALCULATE_RESULT
1496 */
1497static unlang_action_t mod_map_proc(unlang_result_t *p_result, map_ctx_t const *mpctx, request_t *request,
1498 fr_value_box_list_t *url, map_list_t const *maps)
1499{
1500 rlm_ldap_t const *inst = talloc_get_type_abort_const(mpctx->moi, rlm_ldap_t);
1501 fr_ldap_thread_t *thread = talloc_get_type_abort(module_thread(inst->mi)->data, fr_ldap_thread_t);
1502
1503 LDAPURLDesc *ldap_url;
1504 int ldap_url_ret;
1505 fr_ldap_thread_trunk_t *ttrunk;
1506
1507 fr_value_box_t *url_head;
1508 ldap_map_ctx_t *map_ctx;
1509 char *host_url, *host = NULL;
1510
1511 if (fr_uri_escape_list(url, ldap_uri_parts, NULL) < 0) {
1512 RPERROR("Failed to escape LDAP map URI");
1513 RETURN_UNLANG_FAIL;
1514 }
1515
1516 url_head = fr_value_box_list_head(url);
1517 if (!url_head) {
1518 REDEBUG("LDAP URL cannot be empty");
1519 RETURN_UNLANG_FAIL;
1520 }
1521
1522 if (fr_value_box_list_concat_in_place(url_head, url_head, url, FR_TYPE_STRING,
1523 FR_VALUE_BOX_LIST_FREE, true, SIZE_MAX) < 0) {
1524 RPEDEBUG("Failed concatenating input");
1525 RETURN_UNLANG_FAIL;
1526 }
1527
1528 if (!ldap_is_ldap_url(url_head->vb_strvalue)) {
1529 REDEBUG("Map query string does not look like a valid LDAP URI");
1530 RETURN_UNLANG_FAIL;
1531 }
1532
1533 MEM(map_ctx = talloc_zero(unlang_interpret_frame_talloc_ctx(request), ldap_map_ctx_t));
1534 talloc_set_destructor(map_ctx, map_ctx_free);
1535 map_ctx->maps = maps;
1536
1537 ldap_url_ret = ldap_url_parse(url_head->vb_strvalue, &map_ctx->ldap_url);
1538 if (ldap_url_ret != LDAP_URL_SUCCESS){
1539 RPEDEBUG("Parsing LDAP URL failed - %s", fr_ldap_url_err_to_str(ldap_url_ret));
1540 fail:
1541 talloc_free(map_ctx);
1542 RETURN_UNLANG_FAIL;
1543 }
1544 ldap_url = map_ctx->ldap_url;
1545
1546 if (ldap_url->lud_exts) {
1547 if (fr_ldap_parse_url_extensions(map_ctx->serverctrls, NUM_ELEMENTS(map_ctx->serverctrls),
1548 ldap_url->lud_exts) < 0) {
1549 RPERROR("Parsing URL extensions failed");
1550 goto fail;
1551 }
1552 }
1553
1554 /*
1555 * Expand the RHS of the maps to get the name of the attributes.
1556 */
1557 if (fr_ldap_map_expand(map_ctx, &map_ctx->expanded, request, maps, NULL, NULL, NULL) < 0) goto fail;
1558
1559 /*
1560 * If the URL is <scheme>:/// the parsed host will be NULL - use config default
1561 */
1562 if (!ldap_url->lud_host) {
1563 host_url = inst->handle_config.server;
1564 } else {
1565 host_url = host = host_uri_canonify(request, ldap_url, url_head);
1566 if (unlikely(host_url == NULL)) goto fail;
1567 }
1568
1569 ttrunk = fr_thread_ldap_trunk_get(thread, host_url, inst->handle_config.admin_identity,
1570 inst->handle_config.admin_password, request, &inst->handle_config);
1571 if (host) ldap_memfree(host);
1572 if (!ttrunk) goto fail;
1573
1574 if (unlikely(unlang_map_yield(request, mod_map_resume, NULL, 0, map_ctx) != UNLANG_ACTION_YIELD)) goto fail;
1575
1576 return fr_ldap_trunk_search(map_ctx, &map_ctx->query, request, ttrunk, ldap_url->lud_dn,
1577 ldap_url->lud_scope, ldap_url->lud_filter, map_ctx->expanded.attrs,
1578 map_ctx->serverctrls, NULL);
1579}
1580
1581static unlang_action_t CC_HINT(nonnull) mod_authenticate(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
1582{
1583 rlm_ldap_t const *inst = talloc_get_type_abort_const(mctx->mi->data, rlm_ldap_t);
1584 fr_ldap_thread_t *thread = talloc_get_type_abort(module_thread(inst->mi)->data, fr_ldap_thread_t);
1585 ldap_auth_ctx_t *auth_ctx;
1586 ldap_auth_call_env_t *call_env = talloc_get_type_abort(mctx->env_data, ldap_auth_call_env_t);
1587
1588 if (call_env->password.type != FR_TYPE_STRING) {
1589 RWDEBUG("You have set \"Auth-Type := LDAP\" somewhere");
1590 RWDEBUG("without checking if %s is present", call_env->password_tmpl->name);
1591 RWDEBUG("*********************************************");
1592 RWDEBUG("* THAT CONFIGURATION IS WRONG. DELETE IT. ");
1593 RWDEBUG("* YOU ARE PREVENTING THE SERVER FROM WORKING");
1594 RWDEBUG("*********************************************");
1595
1596 REDEBUG("Attribute \"%s\" is required for authentication", call_env->password_tmpl->name);
1597 RETURN_UNLANG_INVALID;
1598 }
1599
1600 auth_ctx = talloc(unlang_interpret_frame_talloc_ctx(request), ldap_auth_ctx_t);
1601 *auth_ctx = (ldap_auth_ctx_t){
1602 .password = call_env->password.vb_strvalue,
1603 .thread = thread,
1604 .inst = inst,
1605 .call_env = call_env
1606 };
1607
1608 /*
1609 * Find the user's DN
1610 */
1611 auth_ctx->dn = rlm_find_user_dn_cached(inst, request);
1612
1613 /*
1614 * The DN is required for non-SASL auth
1615 */
1616 if (!auth_ctx->dn && (call_env->user_sasl_mech.type != FR_TYPE_STRING)) {
1617 REDEBUG("No DN found for authentication. Populate control.%s with the DN to use in authentication.",
1618 inst->user.da->name);
1619 REDEBUG("You should call %s in the recv section and check its return.", inst->mi->name);
1620 talloc_free(auth_ctx);
1621 RETURN_UNLANG_FAIL;
1622 }
1623
1624 /*
1625 * Log the password
1626 */
1627 if (RDEBUG_ENABLED3) {
1628 RDEBUG("Login attempt with password \"%pV\"", &call_env->password);
1629 } else {
1630 RDEBUG2("Login attempt with password");
1631 }
1632
1633 /*
1634 * SASL bind auth will have the mech set.
1635 */
1636 if (auth_ctx->call_env->user_sasl_mech.type == FR_TYPE_STRING) {
1637#ifdef WITH_SASL
1638 RDEBUG2("Login attempt using identity \"%pV\"", &call_env->user_sasl_authname);
1639
1640 return fr_ldap_sasl_bind_auth_async(p_result, request, auth_ctx->thread, call_env->user_sasl_mech.vb_strvalue,
1641 call_env->user_sasl_authname.vb_strvalue,
1642 auth_ctx->password, call_env->user_sasl_proxy.vb_strvalue,
1643 call_env->user_sasl_realm.vb_strvalue);
1644#else
1645 RDEBUG("Configuration item 'sasl.mech' is not supported. "
1646 "The linked version of libldap does not provide ldap_sasl_bind( function");
1647 RETURN_UNLANG_FAIL;
1648#endif
1649 }
1650
1651 RDEBUG2("Login attempt as \"%s\"", auth_ctx->dn);
1652
1653 return fr_ldap_bind_auth_async(p_result, request, auth_ctx->thread, auth_ctx->dn, auth_ctx->password);
1654}
1655
1656#define REPEAT_MOD_AUTHORIZE_RESUME \
1657 if (unlang_module_yield(request, mod_authorize_resume, NULL, 0, autz_ctx) == UNLANG_ACTION_FAIL) do { \
1658 p_result->rcode = RLM_MODULE_FAIL; \
1659 goto finish; \
1660 } while (0)
1661
1662/** Resume function called after each potential yield in LDAP authorization
1663 *
1664 * Some operations may or may not yield. E.g. if group membership is
1665 * read from an attribute returned with the user object and is already
1666 * in the correct form, that will not yield.
1667 * Hence, each state may fall through to the next.
1668 *
1669 * @param p_result Result of current authorization.
1670 * @param mctx Module context.
1671 * @param request Current request.
1672 * @return An rcode.
1673 */
1674static unlang_action_t CC_HINT(nonnull) mod_authorize_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
1675{
1676 ldap_autz_ctx_t *autz_ctx = talloc_get_type_abort(mctx->rctx, ldap_autz_ctx_t);
1677 rlm_ldap_t const *inst = talloc_get_type_abort_const(autz_ctx->inst, rlm_ldap_t);
1678 ldap_autz_call_env_t *call_env = talloc_get_type_abort(autz_ctx->call_env, ldap_autz_call_env_t);
1679 int ldap_errno;
1680 LDAP *handle = fr_ldap_handle_thread_local();
1681 unlang_action_t ret = UNLANG_ACTION_CALCULATE_RESULT;
1682
1683 /*
1684 * If a previous async call returned one of the "failure" results just return.
1685 */
1686 switch (p_result->rcode) {
1687 case RLM_MODULE_REJECT:
1688 case RLM_MODULE_FAIL:
1689 case RLM_MODULE_HANDLED:
1690 case RLM_MODULE_INVALID:
1691 case RLM_MODULE_DISALLOW:
1692 goto finish;
1693
1694 default:
1695 break;
1696 }
1697
1698 switch (autz_ctx->status) {
1699 case LDAP_AUTZ_FIND:
1700 /*
1701 * If a user entry has been found the current rcode will be OK
1702 */
1703 if (p_result->rcode != RLM_MODULE_OK) return UNLANG_ACTION_CALCULATE_RESULT;
1704
1705 autz_ctx->entry = ldap_first_entry(handle, autz_ctx->query->result);
1706 if (!autz_ctx->entry) {
1707 ldap_get_option(handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
1708 REDEBUG("Failed retrieving entry: %s", ldap_err2string(ldap_errno));
1709
1710 goto finish;
1711 }
1712
1713 /*
1714 * Check for access.
1715 */
1716 if (inst->user.obj_access_attr) {
1717 autz_ctx->access_state = rlm_ldap_check_access(inst, request, autz_ctx->entry);
1718 switch (autz_ctx->access_state) {
1719 case LDAP_ACCESS_ALLOWED:
1720 break;
1721
1722 case LDAP_ACCESS_SUSPENDED:
1723 if (inst->group.skip_on_suspend) goto post_group;
1724 break;
1725
1726 case LDAP_ACCESS_DISALLOWED:
1727 p_result->rcode = RLM_MODULE_DISALLOW;
1728 goto finish;
1729 }
1730 }
1731
1732 /*
1733 * Check if we need to cache group memberships
1734 */
1735 if ((inst->group.cacheable_dn || inst->group.cacheable_name) && (inst->group.userobj_membership_attr)) {
1736 REPEAT_MOD_AUTHORIZE_RESUME;
1737 if (rlm_ldap_cacheable_userobj(p_result, request, autz_ctx,
1738 inst->group.userobj_membership_attr) == UNLANG_ACTION_PUSHED_CHILD) {
1739 autz_ctx->status = LDAP_AUTZ_GROUP;
1740 return UNLANG_ACTION_PUSHED_CHILD;
1741 }
1742 if (p_result->rcode != RLM_MODULE_OK) goto finish;
1743 }
1744 FALL_THROUGH;
1745
1746 case LDAP_AUTZ_GROUP:
1747 if (inst->group.cacheable_dn || inst->group.cacheable_name) {
1748 REPEAT_MOD_AUTHORIZE_RESUME;
1749 if (rlm_ldap_cacheable_groupobj(p_result, request, autz_ctx) == UNLANG_ACTION_PUSHED_CHILD) {
1750 autz_ctx->status = LDAP_AUTZ_POST_GROUP;
1751 return UNLANG_ACTION_PUSHED_CHILD;
1752 }
1753 if (p_result->rcode != RLM_MODULE_OK) goto finish;
1754 }
1755 FALL_THROUGH;
1756
1757 case LDAP_AUTZ_POST_GROUP:
1758 post_group:
1759#ifdef WITH_EDIR
1760 /*
1761 * We already have a Password.Cleartext. Skip edir.
1762 */
1763 if (fr_pair_find_by_da_nested(&request->control_pairs, NULL, attr_cleartext_password)) goto skip_edir;
1764
1765 /*
1766 * Retrieve Universal Password if we use eDirectory
1767 */
1768 if (inst->edir) {
1769 autz_ctx->dn = rlm_find_user_dn_cached(inst, request);
1770
1771 /*
1772 * Retrieve universal password
1773 */
1774 REPEAT_MOD_AUTHORIZE_RESUME;
1775 autz_ctx->status = LDAP_AUTZ_EDIR_BIND;
1776 return fr_ldap_edir_get_password(p_result, request, autz_ctx->dn, autz_ctx->ttrunk,
1777 attr_cleartext_password);
1778 }
1779 FALL_THROUGH;
1780
1781 case LDAP_AUTZ_EDIR_BIND:
1782 if (inst->edir && inst->edir_autz) {
1783 fr_pair_t *password = fr_pair_find_by_da(&request->control_pairs,
1784 NULL, attr_cleartext_password);
1785 fr_ldap_thread_t *thread = talloc_get_type_abort(module_thread(inst->mi)->data,
1786 fr_ldap_thread_t);
1787
1788 if (!password) {
1789 REDEBUG("Failed to find control.Password.Cleartext");
1790 p_result->rcode = RLM_MODULE_FAIL;
1791 goto finish;
1792 }
1793
1794 RDEBUG2("Binding as %s for eDirectory authorization checks", autz_ctx->dn);
1795
1796 /*
1797 * Bind as the user
1798 */
1799 REPEAT_MOD_AUTHORIZE_RESUME;
1800 autz_ctx->status = LDAP_AUTZ_POST_EDIR;
1801 return fr_ldap_bind_auth_async(p_result, request, thread, autz_ctx->dn, password->vp_strvalue);
1802 }
1803 goto skip_edir;
1804
1805 case LDAP_AUTZ_POST_EDIR:
1806 {
1807 /*
1808 * The result of the eDirectory user bind will be in p_result.
1809 * Anything other than RLM_MODULE_OK is a failure.
1810 */
1811 break;
1812
1813 }
1814 FALL_THROUGH;
1815
1816#endif
1817 case LDAP_AUTZ_MAP:
1818#ifdef WITH_EDIR
1819 skip_edir:
1820#endif
1821 if (!map_list_empty(call_env->user_map) || inst->valuepair_attr) {
1822 RDEBUG2("Processing user attributes");
1823 RINDENT();
1824 if (fr_ldap_map_do(request, NULL, inst->valuepair_attr,
1825 &autz_ctx->expanded, autz_ctx->entry) > 0) autz_ctx->rcode = RLM_MODULE_UPDATED;
1826 REXDENT();
1827 rlm_ldap_check_reply(request, inst, autz_ctx->dlinst->name, call_env->expect_password->vb_bool, autz_ctx->ttrunk);
1828 }
1829 FALL_THROUGH;
1830
1831 case LDAP_AUTZ_DEFAULT_PROFILE:
1832 /*
1833 * Apply ONE user profile, or a default user profile.
1834 */
1835 if (call_env->default_profile.type == FR_TYPE_STRING) {
1836 REPEAT_MOD_AUTHORIZE_RESUME;
1837 ret = rlm_ldap_map_profile(NULL, NULL, inst, request, autz_ctx->ttrunk,
1838 call_env->default_profile.vb_strvalue,
1839 inst->profile.obj_scope, NULL, &autz_ctx->expanded);
1840 switch (ret) {
1841 case UNLANG_ACTION_FAIL:
1842 p_result->rcode = RLM_MODULE_FAIL;
1843 goto finish;
1844
1845 case UNLANG_ACTION_PUSHED_CHILD:
1846 autz_ctx->status = LDAP_AUTZ_POST_DEFAULT_PROFILE;
1847 return UNLANG_ACTION_PUSHED_CHILD;
1848
1849 default:
1850 break;
1851 }
1852 }
1853 FALL_THROUGH;
1854
1855 case LDAP_AUTZ_POST_DEFAULT_PROFILE:
1856 /*
1857 * Did we jump back her after applying the default profile?
1858 */
1859 if (autz_ctx->status == LDAP_AUTZ_POST_DEFAULT_PROFILE) autz_ctx->rcode = RLM_MODULE_UPDATED;
1860
1861 /*
1862 * Apply a SET of user profiles.
1863 */
1864 switch (autz_ctx->access_state) {
1865 case LDAP_ACCESS_ALLOWED:
1866 if (inst->profile.attr) {
1867 int count;
1868
1869 autz_ctx->profile_values = ldap_get_values_len(handle, autz_ctx->entry, inst->profile.attr);
1870 count = ldap_count_values_len(autz_ctx->profile_values);
1871 if (count > 0) {
1872 RDEBUG2("Processing %i profile(s) found in attribute \"%s\"", count, inst->profile.attr);
1873 if (RDEBUG_ENABLED3) {
1874 for (struct berval **bv_p = autz_ctx->profile_values; *bv_p; bv_p++) {
1875 RDEBUG3("Will evaluate profile with DN \"%pV\"", fr_box_strvalue_len((*bv_p)->bv_val, (*bv_p)->bv_len));
1876 }
1877 }
1878 } else {
1879 RDEBUG2("No profile(s) found in attribute \"%s\"", inst->profile.attr);
1880 }
1881 }
1882 break;
1883
1884 case LDAP_ACCESS_SUSPENDED:
1885 if (inst->profile.attr_suspend) {
1886 int count;
1887
1888 autz_ctx->profile_values = ldap_get_values_len(handle, autz_ctx->entry, inst->profile.attr_suspend);
1889 count = ldap_count_values_len(autz_ctx->profile_values);
1890 if (count > 0) {
1891 RDEBUG2("Processing %i suspension profile(s) found in attribute \"%s\"", count, inst->profile.attr_suspend);
1892 if (RDEBUG_ENABLED3) {
1893 for (struct berval **bv_p = autz_ctx->profile_values; *bv_p; bv_p++) {
1894 RDEBUG3("Will evaluate suspenension profile with DN \"%pV\"",
1895 fr_box_strvalue_len((*bv_p)->bv_val, (*bv_p)->bv_len));
1896 }
1897 }
1898 } else {
1899 RDEBUG2("No suspension profile(s) found in attribute \"%s\"", inst->profile.attr_suspend);
1900 }
1901 }
1902 break;
1903
1904 case LDAP_ACCESS_DISALLOWED:
1905 break;
1906 }
1907
1908 FALL_THROUGH;
1909
1910 case LDAP_AUTZ_USER_PROFILE:
1911 /*
1912 * After each profile has been applied, execution will restart here.
1913 * Start by clearing the previously used value.
1914 */
1915 if (autz_ctx->profile_value) {
1916 TALLOC_FREE(autz_ctx->profile_value);
1917 autz_ctx->rcode = RLM_MODULE_UPDATED; /* We're back here after applying a profile successfully */
1918 }
1919
1920 if (autz_ctx->profile_values && autz_ctx->profile_values[autz_ctx->value_idx]) {
1921 autz_ctx->profile_value = fr_ldap_berval_to_string(autz_ctx, autz_ctx->profile_values[autz_ctx->value_idx++]);
1922 REPEAT_MOD_AUTHORIZE_RESUME;
1923 ret = rlm_ldap_map_profile(NULL, NULL, inst, request, autz_ctx->ttrunk, autz_ctx->profile_value,
1924 inst->profile.obj_scope, autz_ctx->call_env->profile_filter.vb_strvalue, &autz_ctx->expanded);
1925 switch (ret) {
1926 case UNLANG_ACTION_FAIL:
1927 p_result->rcode = RLM_MODULE_FAIL;
1928 goto finish;
1929
1930 case UNLANG_ACTION_PUSHED_CHILD:
1931 autz_ctx->status = LDAP_AUTZ_USER_PROFILE;
1932 return UNLANG_ACTION_PUSHED_CHILD;
1933
1934 default:
1935 break;
1936 }
1937 }
1938 break;
1939 }
1940
1941 p_result->rcode = autz_ctx->rcode;
1942
1943finish:
1944 return ret;
1945}
1946
1947/** Clear up when cancelling a mod_authorize call
1948 *
1949 */
1950static void mod_authorize_cancel(module_ctx_t const *mctx, UNUSED request_t *request, UNUSED fr_signal_t action)
1951{
1952 ldap_autz_ctx_t *autz_ctx = talloc_get_type_abort(mctx->rctx, ldap_autz_ctx_t);
1953
1954 if (autz_ctx->query && autz_ctx->query->treq) trunk_request_signal_cancel(autz_ctx->query->treq);
1955}
1956
1957/** Ensure authorization context is properly cleared up
1958 *
1959 */
1960static int autz_ctx_free(ldap_autz_ctx_t *autz_ctx)
1961{
1962 talloc_free(autz_ctx->expanded.ctx);
1963 if (autz_ctx->profile_values) ldap_value_free_len(autz_ctx->profile_values);
1964 return 0;
1965}
1966
1967static unlang_action_t CC_HINT(nonnull) mod_authorize(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
1968{
1969 rlm_ldap_t const *inst = talloc_get_type_abort_const(mctx->mi->data, rlm_ldap_t);
1970 fr_ldap_thread_t *thread = talloc_get_type_abort(module_thread(inst->mi)->data, fr_ldap_thread_t);
1971 ldap_autz_ctx_t *autz_ctx;
1972 fr_ldap_map_exp_t *expanded;
1973 ldap_autz_call_env_t *call_env = talloc_get_type_abort(mctx->env_data, ldap_autz_call_env_t);
1974
1975 MEM(autz_ctx = talloc_zero(unlang_interpret_frame_talloc_ctx(request), ldap_autz_ctx_t));
1976 talloc_set_destructor(autz_ctx, autz_ctx_free);
1977 expanded = &autz_ctx->expanded;
1978
1979 /*
1980 * Don't be tempted to add a check for User-Name or
1981 * User-Password here. LDAP authorization can be used
1982 * for many things besides searching for users.
1983 */
1984 if (fr_ldap_map_expand(autz_ctx, expanded, request, call_env->user_map, inst->valuepair_attr,
1985 inst->profile.check_attr, inst->profile.fallthrough_attr) < 0) {
1986 fail:
1987 talloc_free(autz_ctx);
1988 RETURN_UNLANG_FAIL;
1989 }
1990
1991 autz_ctx->ttrunk = fr_thread_ldap_trunk_get(thread, inst->handle_config.server, inst->handle_config.admin_identity,
1992 inst->handle_config.admin_password, request, &inst->handle_config);
1993 if (!autz_ctx->ttrunk) goto fail;
1994
1995#define CHECK_EXPANDED_SPACE(_expanded) fr_assert((size_t)_expanded->count < (NUM_ELEMENTS(_expanded->attrs) - 1));
1996
1997 /*
1998 * Add any additional attributes we need for checking access, memberships, and profiles
1999 */
2000 if (inst->user.obj_access_attr) {
2001 CHECK_EXPANDED_SPACE(expanded);
2002 expanded->attrs[expanded->count++] = inst->user.obj_access_attr;
2003 }
2004
2005 if (inst->group.userobj_membership_attr && (inst->group.cacheable_dn || inst->group.cacheable_name)) {
2006 CHECK_EXPANDED_SPACE(expanded);
2007 expanded->attrs[expanded->count++] = inst->group.userobj_membership_attr;
2008 }
2009
2010 if (inst->profile.attr) {
2011 CHECK_EXPANDED_SPACE(expanded);
2012 expanded->attrs[expanded->count++] = inst->profile.attr;
2013 }
2014
2015 if (inst->profile.attr_suspend) {
2016 CHECK_EXPANDED_SPACE(expanded);
2017 expanded->attrs[expanded->count++] = inst->profile.attr_suspend;
2018 }
2019 expanded->attrs[expanded->count] = NULL;
2020
2021 autz_ctx->dlinst = mctx->mi;
2022 autz_ctx->inst = inst;
2023 autz_ctx->call_env = call_env;
2024 autz_ctx->status = LDAP_AUTZ_FIND;
2025 autz_ctx->rcode = RLM_MODULE_OK;
2026
2027 if (unlikely(unlang_module_yield(request,
2028 mod_authorize_resume,
2029 mod_authorize_cancel, ~FR_SIGNAL_CANCEL,
2030 autz_ctx) == UNLANG_ACTION_FAIL)) {
2031 talloc_free(autz_ctx);
2032 RETURN_UNLANG_FAIL;
2033 }
2034
2035 return rlm_ldap_find_user_async(autz_ctx, p_result,
2036 autz_ctx->inst, request, &autz_ctx->call_env->user_base,
2037 &autz_ctx->call_env->user_filter, autz_ctx->ttrunk, autz_ctx->expanded.attrs,
2038 &autz_ctx->query);
2039}
2040
2041/** Cancel an in progress user modification.
2042 *
2043 */
2044static void user_modify_cancel(module_ctx_t const *mctx, UNUSED request_t *request, UNUSED fr_signal_t action)
2045{
2046 ldap_user_modify_ctx_t *usermod_ctx = talloc_get_type_abort(mctx->rctx, ldap_user_modify_ctx_t);
2047
2048 if (!usermod_ctx->query || !usermod_ctx->query->treq) return;
2049
2050 trunk_request_signal_cancel(usermod_ctx->query->treq);
2051}
2052
2053/** Handle results of user modification.
2054 *
2055 */
2056static unlang_action_t CC_HINT(nonnull) user_modify_final(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
2057{
2058 ldap_user_modify_ctx_t *usermod_ctx = talloc_get_type_abort(mctx->rctx, ldap_user_modify_ctx_t);
2059 fr_ldap_query_t *query = usermod_ctx->query;
2060 rlm_rcode_t rcode = RLM_MODULE_OK;
2061
2062 switch (query->ret) {
2063 case LDAP_RESULT_SUCCESS:
2064 break;
2065
2066 case LDAP_RESULT_NO_RESULT:
2067 case LDAP_RESULT_BAD_DN:
2068 RDEBUG2("User object \"%s\" not modified", usermod_ctx->dn);
2069 rcode = RLM_MODULE_INVALID;
2070 break;
2071
2072 case LDAP_RESULT_TIMEOUT:
2073 rcode = RLM_MODULE_TIMEOUT;
2074 break;
2075
2076 default:
2077 rcode = RLM_MODULE_FAIL;
2078 break;
2079 }
2080
2081 talloc_free(usermod_ctx);
2082 RETURN_UNLANG_RCODE(rcode);
2083}
2084
2085static unlang_action_t CC_HINT(nonnull) user_modify_mod_build_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
2086{
2087 ldap_user_modify_ctx_t *usermod_ctx = talloc_get_type_abort(mctx->rctx, ldap_user_modify_ctx_t);
2088 ldap_usermod_call_env_t *call_env = usermod_ctx->call_env;
2089 LDAPMod **modify;
2090 ldap_mod_tmpl_t *mod;
2091 fr_value_box_t *vb = NULL;
2092 int mod_no = usermod_ctx->expanded_mods, i = 0;
2093 struct berval **value_refs;
2094 struct berval *values;
2095
2096 mod = call_env->mod[usermod_ctx->current_mod];
2097
2098 /*
2099 * If the tmpl produced no boxes, skip
2100 */
2101 if ((mod->op != T_OP_CMP_FALSE) && (fr_value_box_list_num_elements(&usermod_ctx->expanded) == 0)) {
2102 RDEBUG2("Expansion \"%s\" produced no value, skipping attribute \"%s\"", mod->tmpl->name, mod->attr);
2103 goto next;
2104 }
2105
2106 switch (mod->op) {
2107 /*
2108 * T_OP_EQ is *NOT* supported, it is impossible to
2109 * support because of the lack of transactions in LDAP
2110 *
2111 * To allow for binary data, all data is provided as berval which
2112 * requires the operation to be logical ORed with LDAP_MOD_BVALUES
2113 */
2114 case T_OP_ADD_EQ:
2115 usermod_ctx->mod_s[mod_no].mod_op = LDAP_MOD_ADD | LDAP_MOD_BVALUES;
2116 break;
2117
2118 case T_OP_SET:
2119 usermod_ctx->mod_s[mod_no].mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
2120 break;
2121
2122 case T_OP_SUB_EQ:
2123 case T_OP_CMP_FALSE:
2124 usermod_ctx->mod_s[mod_no].mod_op = LDAP_MOD_DELETE | LDAP_MOD_BVALUES;
2125 break;
2126
2127 case T_OP_INCRM:
2128 usermod_ctx->mod_s[mod_no].mod_op = LDAP_MOD_INCREMENT | LDAP_MOD_BVALUES;
2129 break;
2130
2131 default:
2132 REDEBUG("Operator '%s' is not supported for LDAP modify operations",
2133 fr_table_str_by_value(fr_tokens_table, mod->op, "<INVALID>"));
2134
2135 RETURN_UNLANG_INVALID;
2136 }
2137
2138 if (mod->op == T_OP_CMP_FALSE) {
2139 MEM(value_refs = talloc_zero_array(usermod_ctx, struct berval *, 1));
2140 } else {
2141 MEM(value_refs = talloc_zero_array(usermod_ctx, struct berval *,
2142 fr_value_box_list_num_elements(&usermod_ctx->expanded) + 1));
2143 MEM(values = talloc_zero_array(usermod_ctx, struct berval,
2144 fr_value_box_list_num_elements(&usermod_ctx->expanded)));
2145 while ((vb = fr_value_box_list_pop_head(&usermod_ctx->expanded))) {
2146 switch (vb->type) {
2147 case FR_TYPE_OCTETS:
2148 if (vb->vb_length == 0) continue;
2149 memcpy(&values[i].bv_val, &vb->vb_octets, sizeof(values[i].bv_val));
2150 values[i].bv_len = vb->vb_length;
2151 break;
2152
2153 case FR_TYPE_STRING:
2154 populate_string:
2155 if (vb->vb_length == 0) continue;
2156 memcpy(&values[i].bv_val, &vb->vb_strvalue, sizeof(values[i].bv_val));
2157 values[i].bv_len = vb->vb_length;
2158 break;
2159
2160 case FR_TYPE_GROUP:
2161 {
2162 fr_value_box_t *vb_head = fr_value_box_list_head(&vb->vb_group);
2163 if (fr_value_box_list_concat_in_place(vb_head, vb_head, &vb->vb_group, FR_TYPE_STRING,
2164 FR_VALUE_BOX_LIST_FREE, true, SIZE_MAX) < 0) {
2165 RPEDEBUG("Failed concatenating update value");
2166 RETURN_UNLANG_FAIL;
2167 }
2168 vb = vb_head;
2169 goto populate_string;
2170 }
2171
2172 case FR_TYPE_FIXED_SIZE:
2173 if (fr_value_box_cast_in_place(vb, vb, FR_TYPE_STRING, NULL) < 0) {
2174 RPEDEBUG("Failed casting update value");
2175 RETURN_UNLANG_FAIL;
2176 }
2177 goto populate_string;
2178
2179 default:
2180 fr_assert(0);
2181
2182 }
2183 value_refs[i] = &values[i];
2184 i++;
2185 }
2186 if (i == 0) {
2187 RDEBUG2("Expansion \"%s\" produced zero length value, skipping attribute \"%s\"", mod->tmpl->name, mod->attr);
2188 goto next;
2189 }
2190 }
2191
2192 /*
2193 * Now everything is evaluated, set up the pointers for the LDAPMod
2194 */
2195 memcpy(&(usermod_ctx->mod_s[mod_no].mod_type), &mod->attr, sizeof(usermod_ctx->mod_s[mod_no].mod_type));
2196 usermod_ctx->mod_s[mod_no].mod_bvalues = value_refs;
2197 usermod_ctx->mod_p[mod_no] = &usermod_ctx->mod_s[mod_no];
2198
2199 usermod_ctx->expanded_mods++;
2200 usermod_ctx->mod_p[usermod_ctx->expanded_mods] = NULL;
2201
2202next:
2203 usermod_ctx->current_mod++;
2204
2205 /*
2206 * Keep calling until we've completed all the modifications
2207 */
2208 if (usermod_ctx->current_mod < usermod_ctx->num_mods) {
2209 if (unlang_module_yield(request, user_modify_mod_build_resume, NULL, 0, usermod_ctx) == UNLANG_ACTION_FAIL) RETURN_UNLANG_FAIL;
2210 if (unlang_tmpl_push(usermod_ctx, NULL, &usermod_ctx->expanded, request,
2211 usermod_ctx->call_env->mod[usermod_ctx->current_mod]->tmpl, NULL, UNLANG_SUB_FRAME) < 0) RETURN_UNLANG_FAIL;
2212 return UNLANG_ACTION_PUSHED_CHILD;
2213 }
2214
2215 modify = usermod_ctx->mod_p;
2216
2217 if (unlang_module_yield(request, user_modify_final, user_modify_cancel, ~FR_SIGNAL_CANCEL, usermod_ctx) == UNLANG_ACTION_FAIL) RETURN_UNLANG_FAIL;
2218
2219 return fr_ldap_trunk_modify(usermod_ctx, &usermod_ctx->query, request, usermod_ctx->ttrunk,
2220 usermod_ctx->dn, modify, NULL, NULL);
2221}
2222
2223/** Take the retrieved user DN and launch the async tmpl expansion of mod_values.
2224 *
2225 */
2226static unlang_action_t CC_HINT(nonnull) user_modify_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
2227{
2228 ldap_user_modify_ctx_t *usermod_ctx = talloc_get_type_abort(mctx->rctx, ldap_user_modify_ctx_t);
2229
2230 /*
2231 * If an LDAP search was used to find the user DN
2232 * usermod_ctx->dn will be NULL.
2233 */
2234 if (!usermod_ctx->dn) usermod_ctx->dn = rlm_find_user_dn_cached(mctx->mi->data, request);
2235
2236 if (!usermod_ctx->dn) {
2237 fail:
2238 talloc_free(usermod_ctx);
2239 RETURN_UNLANG_FAIL;
2240 }
2241
2242 /*
2243 * Allocate arrays to hold mods. mod_p is one element longer to hold a terminating NULL entry
2244 */
2245 MEM(usermod_ctx->mod_p = talloc_zero_array(usermod_ctx, LDAPMod *, usermod_ctx->num_mods + 1));
2246 MEM(usermod_ctx->mod_s = talloc_array(usermod_ctx, LDAPMod, usermod_ctx->num_mods));
2247 fr_value_box_list_init(&usermod_ctx->expanded);
2248
2249 if (unlang_module_yield(request, user_modify_mod_build_resume, NULL, 0, usermod_ctx) == UNLANG_ACTION_FAIL) goto fail;
2250;
2251 if (unlang_tmpl_push(usermod_ctx, NULL, &usermod_ctx->expanded, request,
2252 usermod_ctx->call_env->mod[0]->tmpl, NULL, UNLANG_SUB_FRAME) < 0) goto fail;
2253
2254 return UNLANG_ACTION_PUSHED_CHILD;
2255}
2256
2257/** Modify user's object in LDAP
2258 *
2259 * Process a modification map to update a user object in the LDAP directory.
2260 *
2261 * The module method called in "accouting" and "send" sections.
2262 */
2263static unlang_action_t CC_HINT(nonnull) mod_modify(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
2264{
2265 rlm_ldap_t const *inst = talloc_get_type_abort_const(mctx->mi->data, rlm_ldap_t);
2266 ldap_usermod_call_env_t *call_env = talloc_get_type_abort(mctx->env_data, ldap_usermod_call_env_t);
2267 fr_ldap_thread_t *thread = talloc_get_type_abort(module_thread(inst->mi)->data, fr_ldap_thread_t);
2268 ldap_user_modify_ctx_t *usermod_ctx = NULL;
2269
2270 size_t num_mods = talloc_array_length(call_env->mod);
2271
2272 if (num_mods == 0) RETURN_UNLANG_NOOP;
2273
2274 /*
2275 * Include a talloc pool allowing for one value per modification
2276 */
2277 MEM(usermod_ctx = talloc_pooled_object(unlang_interpret_frame_talloc_ctx(request), ldap_user_modify_ctx_t,
2278 2 * num_mods + 2,
2279 (sizeof(struct berval) + (sizeof(struct berval *) * 2) +
2280 (sizeof(LDAPMod) + sizeof(LDAPMod *))) * num_mods));
2281 *usermod_ctx = (ldap_user_modify_ctx_t) {
2282 .inst = inst,
2283 .call_env = call_env,
2284 .num_mods = num_mods
2285 };
2286
2287 usermod_ctx->ttrunk = fr_thread_ldap_trunk_get(thread, inst->handle_config.server,
2288 inst->handle_config.admin_identity,
2289 inst->handle_config.admin_password,
2290 request, &inst->handle_config);
2291 if (!usermod_ctx->ttrunk) {
2292 REDEBUG("Unable to get LDAP trunk for update");
2293 talloc_free(usermod_ctx);
2294 RETURN_UNLANG_FAIL;
2295 }
2296
2297 usermod_ctx->dn = rlm_find_user_dn_cached(inst, request);
2298 /*
2299 * Find the user first
2300 */
2301 if (!usermod_ctx->dn) {
2302 if (unlang_module_yield(request, user_modify_resume, NULL, 0, usermod_ctx) == UNLANG_ACTION_FAIL) {
2303 talloc_free(usermod_ctx);
2304 RETURN_UNLANG_FAIL;
2305 }
2306
2307 /* Pushes a frame for user resolution */
2308 if (rlm_ldap_find_user_async(usermod_ctx,
2309 p_result,
2310 usermod_ctx->inst, request,
2311 &usermod_ctx->call_env->user_base,
2312 &usermod_ctx->call_env->user_filter,
2313 usermod_ctx->ttrunk, NULL, NULL) == UNLANG_ACTION_FAIL) {
2314 RETURN_UNLANG_FAIL;
2315 }
2316
2317 return UNLANG_ACTION_PUSHED_CHILD;
2318 }
2319
2320 {
2321 module_ctx_t our_mctx = *mctx;
2322 our_mctx.rctx = usermod_ctx;
2323
2324 return user_modify_resume(p_result, &our_mctx, request);
2325 }
2326}
2327
2328/** Detach from the LDAP server and cleanup internal state.
2329 *
2330 */
2331static int mod_detach(module_detach_ctx_t const *mctx)
2332{
2333 rlm_ldap_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_ldap_t);
2334
2335 if (inst->user.obj_sort_ctrl) ldap_control_free(inst->user.obj_sort_ctrl);
2336 if (inst->profile.obj_sort_ctrl) ldap_control_free(inst->profile.obj_sort_ctrl);
2337
2338 return 0;
2339}
2340
2341static int ldap_update_section_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules,
2342 CONF_ITEM *ci,
2343 UNUSED call_env_ctx_t const *cec, call_env_parser_t const *rule)
2344{
2345 map_list_t *maps;
2346 CONF_SECTION *update = cf_item_to_section(ci);
2347 ldap_update_rules_t const *ur = rule->uctx;
2348
2349 bool expect_password = false;
2350
2351 /*
2352 * Build the attribute map
2353 */
2354 {
2355 map_t const *map = NULL;
2356 tmpl_attr_t const *ar;
2357 call_env_parsed_t *parsed;
2358
2359 MEM(parsed = call_env_parsed_add(ctx, out,
2360 &(call_env_parser_t){
2361 .name = "update",
2362 .flags = CALL_ENV_FLAG_PARSE_ONLY,
2363 .pair = {
2364 .parsed = {
2365 .offset = ur->map_offset,
2366 .type = CALL_ENV_PARSE_TYPE_VOID
2367 }
2368 }
2369 }));
2370
2371 MEM(maps = talloc(parsed, map_list_t));
2372 map_list_init(maps);
2373
2374 if (update && (map_afrom_cs(maps, maps, update, t_rules, t_rules, fr_ldap_map_verify,
2375 NULL, LDAP_MAX_ATTRMAP)) < 0) {
2376 call_env_parsed_free(out, parsed);
2377 return -1;
2378 }
2379 /*
2380 * Check map to see if a password is being retrieved.
2381 * fr_ldap_map_verify ensures that all maps have attributes on the LHS.
2382 * All passwords have a common parent attribute of attr_password
2383 */
2384 while ((map = map_list_next(maps, map))) {
2385 ar = tmpl_attr_tail(map->lhs);
2386 if (ar->da->parent == attr_password) {
2387 expect_password = true;
2388 break;
2389 }
2390 }
2391 call_env_parsed_set_data(parsed, maps);
2392 }
2393
2394 /*
2395 * Write out whether we expect a password to be returned from the ldap data
2396 */
2397 if (ur->expect_password_offset >= 0) {
2398 call_env_parsed_t *parsed;
2399 fr_value_box_t *vb;
2400
2401 MEM(parsed = call_env_parsed_add(ctx, out,
2402 &(call_env_parser_t){
2403 .name = "expect_password",
2404 .flags = CALL_ENV_FLAG_PARSE_ONLY,
2405 .pair = {
2406 .parsed = {
2407 .offset = ur->expect_password_offset,
2408 .type = CALL_ENV_PARSE_TYPE_VALUE_BOX
2409 }
2410 }
2411 }));
2412 MEM(vb = fr_value_box_alloc(parsed, FR_TYPE_BOOL, NULL));
2413 vb->vb_bool = expect_password;
2414 call_env_parsed_set_value(parsed, vb);
2415 }
2416
2417 return 0;
2418}
2419
2420static int ldap_mod_section_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules,
2421 CONF_ITEM *ci, call_env_ctx_t const *cec, UNUSED call_env_parser_t const *rule)
2422{
2423 CONF_SECTION const *subcs = NULL;
2424 CONF_PAIR const *to_parse = NULL;
2425 tmpl_t *parsed_tmpl;
2426 call_env_parsed_t *parsed_env;
2427 char *section2, *p;
2428 ssize_t count, slen, multi_index = 0;
2429 ldap_mod_tmpl_t *mod;
2430
2431 fr_assert(cec->type == CALL_ENV_CTX_TYPE_MODULE);
2432
2433 section2 = talloc_strdup(NULL, section_name_str(cec->asked->name2));
2434 p = section2;
2435 while (*p != '\0') {
2436 *(p) = tolower((uint8_t)*p);
2437 p++;
2438 }
2439
2440 if (!ci) {
2441 not_found:
2442 cf_log_warn(ci, "No section found for \"%s.%s\" in module \"%s\", this call will have no effect.",
2443 section_name_str(cec->asked->name1), section2, cec->mi->name);
2444 free:
2445 talloc_free(section2);
2446 return 0;
2447 }
2448
2449 subcs = cf_section_find(cf_item_to_section(ci), section2, CF_IDENT_ANY);
2450 if (!subcs) goto not_found;
2451
2452 subcs = cf_section_find(subcs, "update", CF_IDENT_ANY);
2453 if (!subcs) {
2454 cf_log_warn(ci, "No update found inside \"%s -> %s\" in module \"%s\"",
2455 section_name_str(cec->asked->name1), section2, cec->mi->name);
2456 goto free;
2457 }
2458
2459 count = cf_pair_count_descendents(subcs);
2460 if (count == 0) {
2461 cf_log_warn(ci, "No modifications found for \"%s.%s\" in module \"%s\"",
2462 section_name_str(cec->asked->name1), section2, cec->mi->name);
2463 goto free;
2464 }
2465 talloc_free(section2);
2466
2467 while ((to_parse = cf_pair_next(subcs, to_parse))) {
2468 switch (cf_pair_operator(to_parse)) {
2469 case T_OP_SET:
2470 case T_OP_ADD_EQ:
2471 case T_OP_SUB_EQ:
2472 case T_OP_CMP_FALSE:
2473 case T_OP_INCRM:
2474 break;
2475
2476 default:
2477 cf_log_perr(to_parse, "Invalid operator for LDAP modification");
2478 return -1;
2479 }
2480
2481 MEM(parsed_env = call_env_parsed_add(ctx, out,
2482 &(call_env_parser_t){
2483 FR_CALL_ENV_PARSE_ONLY_OFFSET(cf_pair_attr(to_parse), FR_TYPE_VOID,
2484 CALL_ENV_FLAG_MULTI,
2485 ldap_usermod_call_env_t, mod)
2486 }));
2487
2488 slen = tmpl_afrom_substr(parsed_env, &parsed_tmpl,
2489 &FR_SBUFF_IN(cf_pair_value(to_parse), talloc_strlen(cf_pair_value(to_parse))),
2490 cf_pair_value_quote(to_parse), value_parse_rules_quoted[cf_pair_value_quote(to_parse)],
2491 t_rules);
2492
2493 if (slen <= 0) {
2494 cf_canonicalize_error(to_parse, slen, "Failed parsing LDAP modification \"%s\"", cf_pair_value(to_parse));
2495 error:
2496 call_env_parsed_free(out, parsed_env);
2497 return -1;
2498 }
2499 if (tmpl_needs_resolving(parsed_tmpl) &&
2500 (tmpl_resolve(parsed_tmpl, &(tmpl_res_rules_t){ .dict_def = t_rules->attr.dict_def }) <0)) {
2501 cf_log_perr(to_parse, "Failed resolving LDAP modification \"%s\"", cf_pair_value(to_parse));
2502 goto error;
2503 }
2504
2505 MEM(mod = talloc(parsed_env, ldap_mod_tmpl_t));
2506 mod->attr = cf_pair_attr(to_parse);
2507 mod->tmpl = parsed_tmpl;
2508 mod->op = cf_pair_operator(to_parse);
2509
2510 call_env_parsed_set_multi_index(parsed_env, count, multi_index++);
2511 call_env_parsed_set_data(parsed_env, mod);
2512 }
2513
2514 return 0;
2515}
2516
2517static int ldap_group_filter_parse(TALLOC_CTX *ctx, void *out, tmpl_rules_t const *t_rules, UNUSED CONF_ITEM *ci,
2518 call_env_ctx_t const *cec, UNUSED call_env_parser_t const *rule)
2519{
2520 rlm_ldap_t const *inst = talloc_get_type_abort_const(cec->mi->data, rlm_ldap_t);
2521 char const *filters[] = { inst->group.obj_filter, inst->group.obj_membership_filter };
2522 tmpl_t *parsed;
2523
2524 if (fr_ldap_filter_to_tmpl(ctx, t_rules, filters, NUM_ELEMENTS(filters), &parsed) < 0) return -1;
2525
2526 *(void **)out = parsed;
2527 return 0;
2528}
2529
2530/** Clean up thread specific data structure
2531 *
2532 */
2533static int mod_thread_detach(module_thread_inst_ctx_t const *mctx)
2534{
2535 fr_ldap_thread_t *t = talloc_get_type_abort(mctx->thread, fr_ldap_thread_t);
2536 void **trunks_to_free;
2537 int i;
2538
2539 if (fr_rb_flatten_inorder(NULL, &trunks_to_free, t->trunks) < 0) return -1;
2540
2541 for (i = talloc_array_length(trunks_to_free) - 1; i >= 0; i--) talloc_free(trunks_to_free[i]);
2542 talloc_free(trunks_to_free);
2543 talloc_free(t->trunks);
2544
2545 return 0;
2546}
2547
2548/** Initialise thread specific data structure
2549 *
2550 */
2551static int mod_thread_instantiate(module_thread_inst_ctx_t const *mctx)
2552{
2553 rlm_ldap_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_ldap_t);
2554 fr_ldap_thread_t *t = talloc_get_type_abort(mctx->thread, fr_ldap_thread_t);
2555 fr_ldap_thread_trunk_t *ttrunk;
2556
2557 /*
2558 * Initialise tree for connection trunks used by this thread
2559 */
2560 MEM(t->trunks = fr_rb_inline_talloc_alloc(t, fr_ldap_thread_trunk_t, node, fr_ldap_trunk_cmp, NULL));
2561
2562 t->config = &inst->handle_config;
2563 t->trunk_conf = &inst->trunk_conf;
2564 t->bind_trunk_conf = &inst->bind_trunk_conf;
2565 t->el = mctx->el;
2566 t->trigger_args = inst->trigger_args;
2567 t->bind_trigger_args = inst->bind_trigger_args;
2568
2569 /*
2570 * Launch trunk for module default connection
2571 */
2572 ttrunk = fr_thread_ldap_trunk_get(t, inst->handle_config.server, inst->handle_config.admin_identity,
2573 inst->handle_config.admin_password, NULL, &inst->handle_config);
2574 if (!ttrunk) {
2575 ERROR("Unable to launch LDAP trunk");
2576 return -1;
2577 }
2578
2579 /*
2580 * Set up a per-thread LDAP trunk to use for bind auths
2581 */
2582 t->bind_trunk = fr_thread_ldap_bind_trunk_get(t);
2583
2584 MEM(t->binds = fr_rb_inline_talloc_alloc(t, fr_ldap_bind_auth_ctx_t, node, fr_ldap_bind_auth_cmp, NULL));
2585
2586 return 0;
2587}
2588
2589/** Instantiate the module
2590 *
2591 * Creates a new instance of the module reading parameters from a configuration section.
2592 *
2593 * @param [in] mctx configuration data.
2594 * @return
2595 * - 0 on success.
2596 * - < 0 on failure.
2597 */
2598static int mod_instantiate(module_inst_ctx_t const *mctx)
2599{
2600 size_t i;
2601
2602 CONF_SECTION *options;
2603 rlm_ldap_boot_t const *boot = talloc_get_type_abort(mctx->mi->boot, rlm_ldap_boot_t);
2604 rlm_ldap_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_ldap_t);
2605 CONF_SECTION *conf = mctx->mi->conf;
2606
2607 inst->mi = mctx->mi; /* Cached for IO callbacks */
2608 inst->group.da = boot->group_da;
2609 inst->group.cache_da = boot->cache_da;
2610 inst->user.da = boot->user_da;
2611
2612 inst->handle_config.name = talloc_typed_asprintf(inst, "rlm_ldap (%s)", mctx->mi->name);
2613
2614 /*
2615 * Trunks used for bind auth can only have one request in flight per connection.
2616 */
2617 inst->bind_trunk_conf.target_req_per_conn = 1;
2618 inst->bind_trunk_conf.max_req_per_conn = 1;
2619
2620 /*
2621 * Set sizes for trunk request pool.
2622 */
2623 inst->bind_trunk_conf.req_pool_headers = 2;
2624 inst->bind_trunk_conf.req_pool_size = sizeof(fr_ldap_bind_auth_ctx_t) + sizeof(fr_ldap_sasl_ctx_t);
2625
2626 options = cf_section_find(conf, "options", NULL);
2627 if (!options || !cf_pair_find(options, "chase_referrals")) {
2628 inst->handle_config.chase_referrals_unset = true; /* use OpenLDAP defaults */
2629 }
2630
2631 /*
2632 * Sanity checks for cacheable groups code.
2633 */
2634 if (inst->group.cacheable_name && inst->group.obj_membership_filter) {
2635 if (!inst->group.obj_name_attr) {
2636 cf_log_err(conf, "Configuration item 'group.name_attribute' must be set if cacheable "
2637 "group names are enabled");
2638
2639 return -1;
2640 }
2641 }
2642
2643 /*
2644 * If we have a *pair* as opposed to a *section*
2645 * then the module is referencing another ldap module's
2646 * connection pool.
2647 */
2648 if (!cf_pair_find(conf, "pool")) {
2649 if (!inst->handle_config.server_str) {
2650 cf_log_err(conf, "Configuration item 'server' must have a value");
2651 return -1;
2652 }
2653 }
2654
2655#ifndef WITH_SASL
2656 if (inst->handle_config.admin_sasl.mech) {
2657 cf_log_err(conf, "Configuration item 'sasl.mech' not supported. "
2658 "Linked libldap does not provide ldap_sasl_interactive_bind function");
2659 return -1;
2660 }
2661#endif
2662
2663 /*
2664 * Initialise server with zero length string to
2665 * make code below simpler.
2666 */
2667 inst->handle_config.server = talloc_strdup(inst, "");
2668
2669 /*
2670 * Now iterate over all the 'server' config items
2671 */
2672 for (i = 0; i < talloc_array_length(inst->handle_config.server_str); i++) {
2673 char const *value = inst->handle_config.server_str[i];
2674 size_t j;
2675
2676 /*
2677 * Explicitly prevent multiple server definitions
2678 * being used in the same string.
2679 */
2680 for (j = 0; j < talloc_strlen(value); j++) {
2681 switch (value[j]) {
2682 case ' ':
2683 case ',':
2684 case ';':
2685 cf_log_err(conf, "Invalid character '%c' found in 'server' configuration item",
2686 value[j]);
2687 return -1;
2688
2689 default:
2690 continue;
2691 }
2692 }
2693
2694 /*
2695 * Split original server value out into URI, server and port
2696 * so whatever initialization function we use later will have
2697 * the server information in the format it needs.
2698 */
2699 if (ldap_is_ldap_url(value)) {
2700 if (fr_ldap_server_url_check(&inst->handle_config, value, conf) < 0) return -1;
2701 } else
2702 /*
2703 * If it's not an URL, then just treat server as a hostname.
2704 */
2705 {
2706 if (fr_ldap_server_config_check(&inst->handle_config, value, conf) < 0) return -1;
2707 }
2708 }
2709
2710 /*
2711 * inst->handle_config.server be unset if connection pool sharing is used.
2712 */
2713 if (inst->handle_config.server) {
2714 inst->handle_config.server[talloc_array_length(inst->handle_config.server) - 2] = '\0';
2715 DEBUG4("rlm_ldap (%s) - LDAP server string: %s", mctx->mi->name, inst->handle_config.server);
2716 }
2717
2718 /*
2719 * Workaround for servers which support LDAPS but not START TLS
2720 */
2721 if (inst->handle_config.port == LDAPS_PORT || inst->handle_config.tls_mode) {
2722 inst->handle_config.tls_mode = LDAP_OPT_X_TLS_HARD;
2723 } else {
2724 inst->handle_config.tls_mode = 0;
2725 }
2726
2727 /*
2728 * Convert dereference strings to enumerated constants
2729 */
2730 if (inst->handle_config.dereference_str) {
2731 inst->handle_config.dereference = fr_table_value_by_str(fr_ldap_dereference,
2732 inst->handle_config.dereference_str, -1);
2733 if (inst->handle_config.dereference < 0) {
2734 cf_log_err(conf, "Invalid 'dereference' value \"%s\", expected 'never', 'searching', "
2735 "'finding' or 'always'", inst->handle_config.dereference_str);
2736 return -1;
2737 }
2738 }
2739
2740 /*
2741 * Build the server side sort control for user / profile objects
2742 */
2743#define SSS_CONTROL_BUILD(_obj) if (inst->_obj.obj_sort_by) { \
2744 LDAPSortKey **keys; \
2745 int ret; \
2746 ret = ldap_create_sort_keylist(&keys, UNCONST(char *, inst->_obj.obj_sort_by)); \
2747 if (ret != LDAP_SUCCESS) { \
2748 cf_log_err(conf, "Invalid " STRINGIFY(_obj) ".sort_by value \"%s\": %s", \
2749 inst->_obj.obj_sort_by, ldap_err2string(ret)); \
2750 return -1; \
2751 } \
2752 /* \
2753 * Always set the control as critical, if it's not needed \
2754 * the user can comment it out... \
2755 */ \
2756 ret = ldap_create_sort_control(ldap_global_handle, keys, 1, &inst->_obj.obj_sort_ctrl); \
2757 ldap_free_sort_keylist(keys); \
2758 if (ret != LDAP_SUCCESS) { \
2759 ERROR("Failed creating server sort control: %s", ldap_err2string(ret)); \
2760 return -1; \
2761 } \
2762 }
2763
2764 SSS_CONTROL_BUILD(user)
2765 SSS_CONTROL_BUILD(profile)
2766
2767 if (inst->handle_config.tls_require_cert_str) {
2768 /*
2769 * Convert cert strictness to enumerated constants
2770 */
2771 inst->handle_config.tls_require_cert = fr_table_value_by_str(fr_ldap_tls_require_cert,
2772 inst->handle_config.tls_require_cert_str, -1);
2773 if (inst->handle_config.tls_require_cert < 0) {
2774 cf_log_err(conf, "Invalid 'tls.require_cert' value \"%s\", expected 'never', "
2775 "'demand', 'allow', 'try' or 'hard'", inst->handle_config.tls_require_cert_str);
2776 return -1;
2777 }
2778 }
2779
2780 if (inst->handle_config.tls_min_version_str) {
2781#ifdef LDAP_OPT_X_TLS_PROTOCOL_TLS1_3
2782 if (strcmp(inst->handle_config.tls_min_version_str, "1.3") == 0) {
2783 inst->handle_config.tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_3;
2784
2785 } else
2786#endif
2787 if (strcmp(inst->handle_config.tls_min_version_str, "1.2") == 0) {
2788 inst->handle_config.tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2;
2789
2790 } else if (strcmp(inst->handle_config.tls_min_version_str, "1.1") == 0) {
2791 inst->handle_config.tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_1;
2792
2793 } else if (strcmp(inst->handle_config.tls_min_version_str, "1.0") == 0) {
2794 inst->handle_config.tls_min_version = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
2795
2796 } else {
2797 cf_log_err(conf, "Invalid 'tls.tls_min_version' value \"%s\"", inst->handle_config.tls_min_version_str);
2798 return -1;
2799 }
2800 }
2801
2802 if (inst->trunk_conf.conn_triggers) {
2803 MEM(inst->trigger_args = fr_pair_list_alloc(inst));
2804 if (module_trigger_args_build(inst->trigger_args, inst->trigger_args, cf_section_find(conf, "pool", NULL),
2805 &(module_trigger_args_t) {
2806 .module = mctx->mi->module->name,
2807 .name = mctx->mi->name,
2808 .server = inst->handle_config.server,
2809 .port = inst->handle_config.port
2810 }) < 0) return -1;
2811 }
2812
2813 if (inst->bind_trunk_conf.conn_triggers) {
2814 MEM(inst->bind_trigger_args = fr_pair_list_alloc(inst));
2815 if (module_trigger_args_build(inst->bind_trigger_args, inst->bind_trigger_args, cf_section_find(conf, "bind_pool", NULL),
2816 &(module_trigger_args_t) {
2817 .module = mctx->mi->module->name,
2818 .name = mctx->mi->name,
2819 .server = inst->handle_config.server,
2820 .port = inst->handle_config.port
2821 }) < 0) return -1;
2822 }
2823 return 0;
2824}
2825
2826/** Bootstrap the module
2827 *
2828 * Define attributes.
2829 *
2830 * @param[in] mctx configuration data.
2831 * @return
2832 * - 0 on success.
2833 * - < 0 on failure.
2834 */
2835static int mod_bootstrap(module_inst_ctx_t const *mctx)
2836{
2837 rlm_ldap_boot_t *boot = talloc_get_type_abort(mctx->mi->boot, rlm_ldap_boot_t);
2838 rlm_ldap_t const *inst = talloc_get_type_abort(mctx->mi->data, rlm_ldap_t);
2839 CONF_SECTION *conf = mctx->mi->conf;
2840 char buffer[256];
2841 char const *group_attribute;
2842 xlat_t *xlat;
2843
2844 if (inst->group.attribute) {
2845 group_attribute = inst->group.attribute;
2846 } else if (cf_section_name2(conf)) {
2847 snprintf(buffer, sizeof(buffer), "%s-LDAP-Group", mctx->mi->name);
2848 group_attribute = buffer;
2849 } else {
2850 group_attribute = "LDAP-Group";
2851 }
2852
2853 boot->group_da = fr_dict_attr_by_name(NULL, fr_dict_root(dict_freeradius), group_attribute);
2854
2855 /*
2856 * If the group attribute was not in the dictionary, create it
2857 */
2858 if (!boot->group_da) {
2859 if (fr_dict_attr_add_name_only(fr_dict_unconst(dict_freeradius), fr_dict_root(dict_freeradius),
2860 group_attribute, FR_TYPE_STRING, NULL) < 0) {
2861 PERROR("Error creating group attribute");
2862 return -1;
2863
2864 }
2865 boot->group_da = fr_dict_attr_by_name(NULL, fr_dict_root(dict_freeradius), group_attribute);
2866 }
2867
2868 /*
2869 * Setup the cache attribute
2870 */
2871 if (inst->group.cache_attr_str) {
2872 boot->cache_da = fr_dict_attr_by_name(NULL, fr_dict_root(dict_freeradius), inst->group.cache_attr_str);
2873 if (!boot->cache_da) {
2874 if (fr_dict_attr_add_name_only(fr_dict_unconst(dict_freeradius), fr_dict_root(dict_freeradius),
2875 inst->group.cache_attr_str, FR_TYPE_STRING, NULL) < 0) {
2876 PERROR("Error creating cache attribute");
2877 return -1;
2878 }
2879 boot->cache_da = fr_dict_attr_by_name(NULL, fr_dict_root(dict_freeradius), inst->group.cache_attr_str);
2880 }
2881 } else {
2882 boot->cache_da = boot->group_da; /* Default to the group_da */
2883 }
2884
2885
2886 if (inst->user.dn_attr_str) {
2887 boot->user_da = fr_dict_attr_by_name(NULL, fr_dict_root(dict_freeradius), inst->user.dn_attr_str);
2888 if (!boot->user_da) {
2889 if (fr_dict_attr_add_name_only(fr_dict_unconst(dict_freeradius), fr_dict_root(dict_freeradius),
2890 inst->user.dn_attr_str, FR_TYPE_STRING, NULL) < 0) {
2891 PERROR("Error creating user DN cache attribute");
2892 return -1;
2893 }
2894 boot->user_da = fr_dict_attr_by_name(NULL, fr_dict_root(dict_freeradius), inst->user.dn_attr_str);
2895 }
2896 }
2897
2898 xlat = module_rlm_xlat_register(mctx->mi->boot, mctx, NULL, ldap_xlat, FR_TYPE_STRING);
2899 xlat_func_args_set(xlat, ldap_xlat_arg);
2900
2901 if (unlikely(!(xlat = module_rlm_xlat_register(mctx->mi->boot, mctx, "group", ldap_group_xlat,
2902 FR_TYPE_BOOL)))) return -1;
2903 xlat_func_args_set(xlat, ldap_group_xlat_arg);
2904 xlat_func_call_env_set(xlat, &xlat_memberof_method_env);
2905
2906 if (unlikely(!(xlat = module_rlm_xlat_register(mctx->mi->boot, mctx, "profile", ldap_profile_xlat,
2907 FR_TYPE_BOOL)))) return -1;
2908 xlat_func_args_set(xlat, ldap_xlat_arg);
2909 xlat_func_call_env_set(xlat, &xlat_profile_method_env);
2910
2911 map_proc_register(mctx->mi->boot, inst, mctx->mi->name, mod_map_proc, ldap_map_verify, 0, LDAP_DN_SAFE_FOR);
2912
2913 return 0;
2914}
2915
2916static int mod_load(void)
2917{
2918 xlat_t *xlat;
2919
2920 if (unlikely(!(xlat = xlat_func_register(NULL, "ldap.dn.escape", ldap_dn_escape_xlat, FR_TYPE_STRING)))) return -1;
2921 xlat_func_args_set(xlat, ldap_escape_xlat_arg);
2922 xlat_func_flags_set(xlat, XLAT_FUNC_FLAG_PURE);
2923 xlat_func_safe_for_set(xlat, LDAP_DN_SAFE_FOR);
2924
2925 if (unlikely(!(xlat = xlat_func_register(NULL, "ldap.dn.safe", xlat_transparent, FR_TYPE_STRING)))) return -1;
2926 xlat_func_args_set(xlat, ldap_safe_xlat_arg);
2927 xlat_func_flags_set(xlat, XLAT_FUNC_FLAG_PURE);
2928 xlat_func_safe_for_set(xlat, LDAP_DN_SAFE_FOR);
2929
2930 if (unlikely(!(xlat = xlat_func_register(NULL, "ldap.dn.unescape", ldap_uri_unescape_xlat, FR_TYPE_STRING)))) return -1;
2931 xlat_func_args_set(xlat, ldap_uri_unescape_xlat_arg);
2932 xlat_func_flags_set(xlat, XLAT_FUNC_FLAG_PURE);
2933
2934 if (unlikely(!(xlat = xlat_func_register(NULL, "ldap.filter.escape", ldap_filter_escape_xlat, FR_TYPE_STRING)))) return -1;
2935 xlat_func_args_set(xlat, ldap_escape_xlat_arg);
2936 xlat_func_flags_set(xlat, XLAT_FUNC_FLAG_PURE);
2937 xlat_func_safe_for_set(xlat, LDAP_FILTER_SAFE_FOR);
2938
2939 if (unlikely(!(xlat = xlat_func_register(NULL, "ldap.filter.safe", xlat_transparent, FR_TYPE_STRING)))) return -1;
2940 xlat_func_args_set(xlat, ldap_safe_xlat_arg);
2941 xlat_func_flags_set(xlat, XLAT_FUNC_FLAG_PURE);
2942 xlat_func_safe_for_set(xlat, LDAP_FILTER_SAFE_FOR);
2943
2944 if (unlikely(!(xlat = xlat_func_register(NULL, "ldap.filter.unescape", ldap_uri_unescape_xlat, FR_TYPE_STRING)))) return -1;
2945 xlat_func_args_set(xlat, ldap_uri_unescape_xlat_arg);
2946 xlat_func_flags_set(xlat, XLAT_FUNC_FLAG_PURE);
2947
2948 if (unlikely(!(xlat = xlat_func_register(NULL, "ldap.uri.attr_option", ldap_xlat_uri_attr_option, FR_TYPE_STRING)))) return -1;
2949 xlat_func_args_set(xlat, ldap_uri_attr_option_xlat_arg);
2950 xlat_func_flags_set(xlat, XLAT_FUNC_FLAG_PURE);
2951
2952 /*
2953 * ldap.uri.* are kept as aliases for ldap.dn.* so that existing configs
2954 * continue to work. They use the same safe_for token for now; if the URI
2955 * context ever needs its own rules, a separate token can be introduced.
2956 */
2957 if (unlikely(!(xlat = xlat_func_register(NULL, "ldap.uri.escape", ldap_dn_escape_xlat, FR_TYPE_STRING)))) return -1;
2958 xlat_func_args_set(xlat, ldap_escape_xlat_arg);
2959 xlat_func_flags_set(xlat, XLAT_FUNC_FLAG_PURE);
2960 xlat_func_safe_for_set(xlat, LDAP_DN_SAFE_FOR);
2961
2962 if (unlikely(!(xlat = xlat_func_register(NULL, "ldap.uri.safe", xlat_transparent, FR_TYPE_STRING)))) return -1;
2963 xlat_func_args_set(xlat, ldap_safe_xlat_arg);
2964 xlat_func_flags_set(xlat, XLAT_FUNC_FLAG_PURE);
2965 xlat_func_safe_for_set(xlat, LDAP_DN_SAFE_FOR);
2966
2967 if (unlikely(!(xlat = xlat_func_register(NULL, "ldap.uri.unescape", ldap_uri_unescape_xlat, FR_TYPE_STRING)))) return -1;
2968 xlat_func_args_set(xlat, ldap_uri_unescape_xlat_arg);
2969 xlat_func_flags_set(xlat, XLAT_FUNC_FLAG_PURE);
2970
2971 return 0;
2972}
2973
2974static void mod_unload(void)
2975{
2976 xlat_func_unregister("ldap.dn.escape");
2977 xlat_func_unregister("ldap.dn.safe");
2978 xlat_func_unregister("ldap.dn.unescape");
2979 xlat_func_unregister("ldap.filter.escape");
2980 xlat_func_unregister("ldap.filter.safe");
2981 xlat_func_unregister("ldap.filter.unescape");
2982 xlat_func_unregister("ldap.uri.escape");
2983 xlat_func_unregister("ldap.uri.safe");
2984 xlat_func_unregister("ldap.uri.unescape");
2985}
2986
2987/* globally exported name */
2988extern module_rlm_t rlm_ldap;
2989module_rlm_t rlm_ldap = {
2990 .common = {
2991 .magic = MODULE_MAGIC_INIT,
2992 .name = "ldap",
2993 .flags = 0,
2994 MODULE_BOOT(rlm_ldap_boot_t),
2995 MODULE_INST(rlm_ldap_t),
2996 .config = module_config,
2997 .onload = mod_load,
2998 .unload = mod_unload,
2999 .bootstrap = mod_bootstrap,
3000 .instantiate = mod_instantiate,
3001 .detach = mod_detach,
3002 MODULE_THREAD_INST(fr_ldap_thread_t),
3003 .thread_instantiate = mod_thread_instantiate,
3004 .thread_detach = mod_thread_detach,
3005 },
3006 .method_group = {
3007 .bindings = (module_method_binding_t[]){
3008 /*
3009 * Hack to support old configurations
3010 */
3011 { .section = SECTION_NAME("accounting", CF_IDENT_ANY), .method = mod_modify, .method_env = &accounting_usermod_method_env },
3012 { .section = SECTION_NAME("authenticate", CF_IDENT_ANY), .method = mod_authenticate, .method_env = &authenticate_method_env },
3013 { .section = SECTION_NAME("authorize", CF_IDENT_ANY), .method = mod_authorize, .method_env = &authorize_method_env },
3014
3015 { .section = SECTION_NAME("recv", CF_IDENT_ANY), .method = mod_authorize, .method_env = &authorize_method_env },
3016 { .section = SECTION_NAME("send", CF_IDENT_ANY), .method = mod_modify, .method_env = &send_usermod_method_env },
3017 MODULE_BINDING_TERMINATOR
3018 }
3019 }
3020};
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
UNLANG_ACTION_PUSHED_CHILD
@ UNLANG_ACTION_PUSHED_CHILD
unlang_t pushed a new child onto the stack, execute it instead of continuing.
Definition action.h:39
UNLANG_ACTION_FAIL
@ UNLANG_ACTION_FAIL
Encountered an unexpected error.
Definition action.h:36
UNLANG_ACTION_CALCULATE_RESULT
@ UNLANG_ACTION_CALCULATE_RESULT
Calculate a new section rlm_rcode_t value.
Definition action.h:37
UNLANG_ACTION_YIELD
@ UNLANG_ACTION_YIELD
Temporarily pause execution until an event occurs.
Definition action.h:41
buffer
static int const char char buffer[256]
Definition acutest.h:576
msg
log_entry msg
Definition acutest.h:794
USES_APPLE_DEPRECATED_API
#define USES_APPLE_DEPRECATED_API
Definition build.h:499
RCSID
#define RCSID(id)
Definition build.h:512
L
#define L(_str)
Helper for initialising arrays of string literals.
Definition build.h:228
FALL_THROUGH
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:343
unlikely
#define unlikely(_x)
Definition build.h:407
UNUSED
#define UNUSED
Definition build.h:336
NUM_ELEMENTS
#define NUM_ELEMENTS(_t)
Definition build.h:358
call_env_parsed_free
void call_env_parsed_free(call_env_parsed_head_t *parsed, call_env_parsed_t *ptr)
Remove a call_env_parsed_t from the list of parsed call envs.
Definition call_env.c:777
call_env_parsed_add
call_env_parsed_t * call_env_parsed_add(TALLOC_CTX *ctx, call_env_parsed_head_t *head, call_env_parser_t const *rule)
Allocate a new call_env_parsed_t structure and add it to the list of parsed call envs.
Definition call_env.c:690
call_env_parsed_set_multi_index
void call_env_parsed_set_multi_index(call_env_parsed_t *parsed, size_t count, size_t index)
Assign a count and index to a call_env_parsed_t.
Definition call_env.c:762
call_env_parsed_set_data
void call_env_parsed_set_data(call_env_parsed_t *parsed, void const *data)
Assign data to a call_env_parsed_t.
Definition call_env.c:747
call_env_parsed_set_value
void call_env_parsed_set_value(call_env_parsed_t *parsed, fr_value_box_t const *vb)
Assign a value box to a call_env_parsed_t.
Definition call_env.c:733
call_env_parsed_s
Definition call_env.c:38
CALL_ENV_TERMINATOR
#define CALL_ENV_TERMINATOR
Definition call_env.h:236
call_env_ctx_s::type
call_env_ctx_type_t type
Type of callenv ctx.
Definition call_env.h:227
CALL_ENV_CTX_TYPE_MODULE
@ CALL_ENV_CTX_TYPE_MODULE
The callenv is registered to a module method.
Definition call_env.h:222
FR_CALL_ENV_PARSE_OFFSET
#define FR_CALL_ENV_PARSE_OFFSET(_name, _cast_type, _flags, _struct, _field, _parse_field)
Specify a call_env_parser_t which writes out runtime results and the result of the parsing phase to t...
Definition call_env.h:365
FR_CALL_ENV_METHOD_OUT
#define FR_CALL_ENV_METHOD_OUT(_inst)
Helper macro for populating the size/type fields of a call_env_method_t from the output structure typ...
Definition call_env.h:240
call_env_method_s::env
call_env_parser_t const * env
Parsing rules for call method env.
Definition call_env.h:247
call_env_ctx_s::asked
section_name_t const * asked
The actual name1/name2 that resolved to a module_method_binding_t.
Definition call_env.h:232
call_env_parser_s::uctx
void const * uctx
User context for callback functions.
Definition call_env.h:218
FR_CALL_ENV_SUBSECTION
#define FR_CALL_ENV_SUBSECTION(_name, _name2, _flags, _subcs)
Specify a call_env_parser_t which defines a nested subsection.
Definition call_env.h:402
CALL_ENV_FLAG_CONCAT
@ CALL_ENV_FLAG_CONCAT
If the tmpl produced multiple boxes they should be concatenated.
Definition call_env.h:76
CALL_ENV_FLAG_ATTRIBUTE
@ CALL_ENV_FLAG_ATTRIBUTE
Tmpl MUST contain an attribute reference.
Definition call_env.h:86
CALL_ENV_FLAG_PARSE_ONLY
@ CALL_ENV_FLAG_PARSE_ONLY
The result of parsing will not be evaluated at runtime.
Definition call_env.h:85
CALL_ENV_FLAG_NONE
@ CALL_ENV_FLAG_NONE
Definition call_env.h:74
CALL_ENV_FLAG_MULTI
@ CALL_ENV_FLAG_MULTI
Multiple instances of the conf pairs are allowed.
Definition call_env.h:78
CALL_ENV_FLAG_REQUIRED
@ CALL_ENV_FLAG_REQUIRED
Associated conf pair or section is required.
Definition call_env.h:75
CALL_ENV_FLAG_PARSE_MISSING
@ CALL_ENV_FLAG_PARSE_MISSING
If this subsection is missing, still parse it.
Definition call_env.h:88
CALL_ENV_FLAG_BARE_WORD_ATTRIBUTE
@ CALL_ENV_FLAG_BARE_WORD_ATTRIBUTE
bare words are treated as an attribute, but strings may be xlats.
Definition call_env.h:92
CALL_ENV_FLAG_NULLABLE
@ CALL_ENV_FLAG_NULLABLE
Tmpl expansions are allowed to produce no output.
Definition call_env.h:80
CALL_ENV_PARSE_TYPE_VALUE_BOX
@ CALL_ENV_PARSE_TYPE_VALUE_BOX
Output of the parsing phase is a single value box (static data).
Definition call_env.h:61
CALL_ENV_PARSE_TYPE_VOID
@ CALL_ENV_PARSE_TYPE_VOID
Output of the parsing phase is undefined (a custom structure).
Definition call_env.h:62
call_env_ctx_s::mi
module_instance_t const * mi
Module instance that the callenv is registered to.
Definition call_env.h:229
FR_CALL_ENV_SUBSECTION_FUNC
#define FR_CALL_ENV_SUBSECTION_FUNC(_name, _name2, _flags, _func)
Specify a call_env_parser_t which parses a subsection using a callback function.
Definition call_env.h:412
FR_CALL_ENV_OFFSET
#define FR_CALL_ENV_OFFSET(_name, _cast_type, _flags, _struct, _field)
Specify a call_env_parser_t which writes out runtime results to the specified field.
Definition call_env.h:340
FR_CALL_ENV_PARSE_ONLY_OFFSET
#define FR_CALL_ENV_PARSE_ONLY_OFFSET(_name, _cast_type, _flags, _struct, _parse_field)
Specify a call_env_parser_t which writes out the result of the parsing phase to the field specified.
Definition call_env.h:389
call_env_ctx_s
Definition call_env.h:226
call_env_method_s
Definition call_env.h:244
call_env_parser_s
Per method call config.
Definition call_env.h:180
cf_table_parse_int
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
Definition cf_parse.c:1707
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:669
conf_parser_s::func
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:623
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:280
FR_CONF_POINTER
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition cf_parse.h:334
FR_CONF_OFFSET_IS_SET
#define FR_CONF_OFFSET_IS_SET(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct,...
Definition cf_parse.h:294
FR_CONF_OFFSET_FLAGS
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:268
FR_CONF_OFFSET_SUBSECTION
#define FR_CONF_OFFSET_SUBSECTION(_name, _flags, _struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:309
CONF_FLAG_MULTI
@ CONF_FLAG_MULTI
CONF_PAIR can have multiple copies.
Definition cf_parse.h:446
CONF_FLAG_XLAT
@ CONF_FLAG_XLAT
string will be dynamically expanded.
Definition cf_parse.h:443
CONF_FLAG_SUBSECTION
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition cf_parse.h:423
cf_table_parse_ctx_t
Definition cf_parse.h:664
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:606
cf_item
Common header for all CONF_* types.
Definition cf_priv.h:49
cf_pair
Configuration AVP similar to a fr_pair_t.
Definition cf_priv.h:72
cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
cf_pair_count_descendents
unsigned int cf_pair_count_descendents(CONF_SECTION const *cs)
Count the number of conf pairs beneath a section.
Definition cf_util.c:1488
cf_section_name2
char const * cf_section_name2(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition cf_util.c:1187
cf_section_find
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1029
cf_item_to_section
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition cf_util.c:685
cf_pair_find
CONF_PAIR * cf_pair_find(CONF_SECTION const *cs, char const *attr)
Search for a CONF_PAIR with a specific name.
Definition cf_util.c:1422
cf_pair_operator
fr_token_t cf_pair_operator(CONF_PAIR const *pair)
Return the operator of a pair.
Definition cf_util.c:1595
cf_pair_value_quote
fr_token_t cf_pair_value_quote(CONF_PAIR const *pair)
Return the value (rhs) quoting of a pair.
Definition cf_util.c:1625
cf_pair_next
CONF_PAIR * cf_pair_next(CONF_SECTION const *cs, CONF_PAIR const *curr)
Return the next child that's a CONF_PAIR.
Definition cf_util.c:1396
cf_pair_value
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
Definition cf_util.c:1581
cf_pair_attr
char const * cf_pair_attr(CONF_PAIR const *pair)
Return the attr of a CONF_PAIR.
Definition cf_util.c:1565
cf_log_err
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:287
cf_canonicalize_error
#define cf_canonicalize_error(_ci, _slen, _msg, _str)
Definition cf_util.h:365
cf_log_perr
#define cf_log_perr(_cf, _fmt,...)
Definition cf_util.h:294
cf_log_warn
#define cf_log_warn(_cf, _fmt,...)
Definition cf_util.h:288
CF_IDENT_ANY
#define CF_IDENT_ANY
Definition cf_util.h:75
fr_dcursor_append
static int fr_dcursor_append(fr_dcursor_t *cursor, void *v)
Insert a single item at the end of the list.
Definition dcursor.h:406
fr_dcursor_s
Definition dcursor.h:91
MEM
#define MEM(x)
Definition debug.h:36
ERROR
#define ERROR(fmt,...)
Definition dhcpclient.c:40
fr_dict_attr_add_name_only
int fr_dict_attr_add_name_only(fr_dict_t *dict, fr_dict_attr_t const *parent, char const *name, fr_type_t type, fr_dict_attr_flags_t const *flags))
Add an attribute to the dictionary.
Definition dict_util.c:2006
fr_dict_unconst
fr_dict_t * fr_dict_unconst(fr_dict_t const *dict)
Coerce to non-const.
Definition dict_util.c:4903
fr_dict_attr_by_name
fr_dict_attr_t const * fr_dict_attr_by_name(fr_dict_attr_err_t *err, fr_dict_attr_t const *parent, char const *attr))
Locate a fr_dict_attr_t by its name.
Definition dict_util.c:3528
fr_dict_root
fr_dict_attr_t const * fr_dict_root(fr_dict_t const *dict)
Return the root attribute of a dictionary.
Definition dict_util.c:2665
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:292
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:305
DICT_AUTOLOAD_TERMINATOR
#define DICT_AUTOLOAD_TERMINATOR
Definition dict.h:311
in
static fr_slen_t in
Definition dict.h:882
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:291
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:304
value
Test enumeration values.
Definition dict_test.h:92
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
unlang_function_push_with_result
#define unlang_function_push_with_result(_result_p, _request, _func, _repeat, _signal, _sigmask, _top_frame, _uctx)
Push a generic function onto the unlang stack that produces a result.
Definition function.h:144
GLOBAL_LIB_TERMINATOR
#define GLOBAL_LIB_TERMINATOR
Definition global_lib.h:51
global_lib_autoinst_t
Structure to define how to initialise libraries with global configuration.
Definition global_lib.h:38
ldap_filter_escape_xlat
static xlat_action_t ldap_filter_escape_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Escape a string for use as an RFC 4515 filter assertion value.
Definition rlm_ldap.c:469
ldap_dn_escape_xlat
static xlat_action_t ldap_dn_escape_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Escape a string for use in an RFC 4514 DN attribute value.
Definition rlm_ldap.c:429
ldap_xlat
static xlat_action_t ldap_xlat(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Expand an LDAP URL into a query, and return a string result from that query.
Definition rlm_ldap.c:880
ldap_group_xlat
static xlat_action_t ldap_group_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Check for a user being in a LDAP group.
Definition rlm_ldap.c:1087
ldap_profile_xlat
static xlat_action_t ldap_profile_xlat(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Expand an LDAP URL into a query, applying the results using the user update map.
Definition rlm_ldap.c:1218
ldap_xlat_uri_attr_option
static xlat_action_t ldap_xlat_uri_attr_option(TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Modify an LDAP URI to append an option to all attributes.
Definition rlm_ldap.c:623
ldap_uri_unescape_xlat
static xlat_action_t ldap_uri_unescape_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Unescape LDAP string.
Definition rlm_ldap.c:514
rlm_ldap_cacheable_groupobj
unlang_action_t rlm_ldap_cacheable_groupobj(unlang_result_t *p_result, request_t *request, ldap_autz_ctx_t *autz_ctx)
Convert group membership information into attributes.
Definition groups.c:697
rlm_ldap_check_groupobj_dynamic
unlang_action_t rlm_ldap_check_groupobj_dynamic(unlang_result_t *p_result, request_t *request, ldap_group_xlat_ctx_t *xlat_ctx)
Initiate an LDAP search to determine group membership, querying group objects.
Definition groups.c:786
rlm_ldap_cacheable_userobj
unlang_action_t rlm_ldap_cacheable_userobj(unlang_result_t *p_result, request_t *request, ldap_autz_ctx_t *autz_ctx, char const *attr)
Convert group membership information into attributes.
Definition groups.c:440
rlm_ldap_check_userobj_dynamic
unlang_action_t rlm_ldap_check_userobj_dynamic(unlang_result_t *p_result, request_t *request, ldap_group_xlat_ctx_t *xlat_ctx)
Query the LDAP directory to check if a user object is a member of a group.
Definition groups.c:1137
rlm_ldap_check_cached
unlang_action_t rlm_ldap_check_cached(unlang_result_t *p_result, rlm_ldap_t const *inst, request_t *request, fr_value_box_t const *check)
Check group membership attributes to see if a user is a member.
Definition groups.c:1180
free
free(array)
talloc_free
talloc_free(hp)
unlang_interpret_mark_runnable
void unlang_interpret_mark_runnable(request_t *request)
Mark a request as resumable.
Definition interpret.c:1988
unlang_interpret_frame_talloc_ctx
TALLOC_CTX * unlang_interpret_frame_talloc_ctx(request_t *request)
Get a talloc_ctx which is valid only for this frame.
Definition interpret.c:2033
unlang_interpret_event_list
fr_event_list_t * unlang_interpret_event_list(request_t *request)
Get the event list for the current interpreter.
Definition interpret.c:2409
UNLANG_SUB_FRAME
#define UNLANG_SUB_FRAME
Definition interpret.h:37
unlang_result_t::rcode
rlm_rcode_t rcode
The current rcode, from executing the instruction or merging the result from a frame.
Definition interpret.h:139
unlang_result_t
Definition interpret.h:138
fr_ldap_url_err_to_str
char const * fr_ldap_url_err_to_str(int ldap_url_err)
Translate the error code emitted from ldap_url_parse and friends into something accessible with fr_st...
Definition util.c:863
fr_ldap_map_verify
int fr_ldap_map_verify(map_t *map, void *instance)
fr_ldap_uri_unescape_func
size_t fr_ldap_uri_unescape_func(UNUSED request_t *request, char *out, size_t outlen, char const *in, UNUSED void *arg))
Converts escaped DNs and filter strings into normal.
Definition util.c:227
fr_ldap_util_normalise_dn
size_t fr_ldap_util_normalise_dn(char *out, char const *in)
Normalise escape sequences in a DN.
Definition util.c:560
fr_ldap_map_getvalue
int fr_ldap_map_getvalue(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *request, map_t const *map, void *uctx)
Callback for map_to_request.
Definition map.c:39
fr_ldap_filter_to_tmpl
int fr_ldap_filter_to_tmpl(TALLOC_CTX *ctx, tmpl_rules_t const *t_rules, char const **sub, size_t sublen, tmpl_t **out))
Combine filters and tokenize to a tmpl.
Definition util.c:638
fr_ldap_result_t::values
struct berval ** values
libldap struct containing bv_val (char *) and length bv_len.
Definition base.h:361
fr_ldap_query_s::serverctrls
fr_ldap_control_t serverctrls[LDAP_MAX_CONTROLS]
Server controls specific to this query.
Definition base.h:452
fr_ldap_map_do
int fr_ldap_map_do(request_t *request, char const *check_attr, char const *valuepair_attr, fr_ldap_map_exp_t const *expanded, LDAPMessage *entry)
Convert attribute map into valuepairs.
Definition map.c:369
fr_ldap_config_t::res_timeout
fr_time_delta_t res_timeout
How long we wait for results.
Definition base.h:298
fr_ldap_config_t::admin_password
char const * admin_password
Password used in administrative bind.
Definition base.h:231
fr_ldap_thread_t::config
fr_ldap_config_t * config
Module instance config.
Definition base.h:383
fr_ldap_map_exp_t::count
int count
Index on next free element.
Definition base.h:375
fr_ldap_util_is_dn
bool fr_ldap_util_is_dn(char const *in, size_t inlen)
Check whether a string looks like a DN.
Definition util.c:274
fr_ldap_filter_escape_func
size_t fr_ldap_filter_escape_func(UNUSED request_t *request, char *out, size_t outlen, char const *in, UNUSED void *arg))
Escape a string for use as an RFC 4515 filter assertion value.
Definition util.c:155
fr_ldap_config_t::server
char * server
Initial server to bind to.
Definition base.h:224
fr_ldap_bind_auth_cmp
static int8_t fr_ldap_bind_auth_cmp(void const *one, void const *two)
Compare two ldap bind auth structures on msgid.
Definition base.h:726
fr_ldap_connection_t::handle
LDAP * handle
libldap handle.
Definition base.h:333
fr_ldap_config_t::admin_identity
char const * admin_identity
Identity we bind as when we need to query the LDAP directory.
Definition base.h:229
fr_ldap_query_s::ret
fr_ldap_result_code_t ret
Result code.
Definition base.h:472
fr_ldap_control_t::freeit
bool freeit
Whether the control should be freed after we've finished using it.
Definition base.h:136
fr_ldap_thread_t::trunks
fr_rb_tree_t * trunks
Tree of LDAP trunks used by this thread.
Definition base.h:382
fr_ldap_thread_t::trunk_conf
trunk_conf_t * trunk_conf
Module trunk config.
Definition base.h:384
fr_ldap_query_s::treq
trunk_request_t * treq
Trunk request this query is associated with.
Definition base.h:458
fr_ldap_dn_escape_func
size_t fr_ldap_dn_escape_func(UNUSED request_t *request, char *out, size_t outlen, char const *in, UNUSED void *arg))
Escape a string for use as an RFC 4514 DN attribute value.
Definition util.c:69
fr_thread_ldap_trunk_get
fr_ldap_thread_trunk_t * fr_thread_ldap_trunk_get(fr_ldap_thread_t *thread, char const *uri, char const *bind_dn, char const *bind_password, request_t *request, fr_ldap_config_t const *config)
Find a thread specific LDAP connection for a specific URI / bind DN.
Definition connection.c:917
fr_ldap_server_url_check
int fr_ldap_server_url_check(fr_ldap_config_t *handle_config, char const *server, CONF_SECTION const *cs)
Check an LDAP server entry in URL format is valid.
Definition util.c:726
fr_ldap_berval_to_string
char * fr_ldap_berval_to_string(TALLOC_CTX *ctx, struct berval const *in)
Convert a berval to a talloced string.
Definition util.c:511
fr_ldap_result_t::count
int count
Number of values.
Definition base.h:363
LDAP_MAX_ATTRMAP
#define LDAP_MAX_ATTRMAP
Maximum number of mappings between LDAP and FreeRADIUS attributes.
Definition base.h:96
fr_ldap_trunk_cmp
static int8_t fr_ldap_trunk_cmp(void const *one, void const *two)
Compare two ldap trunk structures on connection URI / DN.
Definition base.h:697
fr_ldap_server_config_check
int fr_ldap_server_config_check(fr_ldap_config_t *handle_config, char const *server, CONF_SECTION *cs)
Check an LDAP server config in server:port format is valid.
Definition util.c:822
fr_ldap_edir_get_password
unlang_action_t fr_ldap_edir_get_password(unlang_result_t *p_result, request_t *request, char const *dn, fr_ldap_thread_trunk_t *ttrunk, fr_dict_attr_t const *password_da)
Initiate retrieval of the universal password from Novell eDirectory.
Definition edir.c:292
fr_ldap_thread_t::bind_trigger_args
fr_pair_list_t * bind_trigger_args
Passed to trigger request for bind trunks.
Definition base.h:390
fr_ldap_query_s::ldap_conn
fr_ldap_connection_t * ldap_conn
LDAP connection this query is running on.
Definition base.h:459
fr_ldap_result_code_t
fr_ldap_result_code_t
LDAP query result codes.
Definition base.h:188
LDAP_RESULT_TIMEOUT
@ LDAP_RESULT_TIMEOUT
The query timed out.
Definition base.h:192
LDAP_RESULT_SUCCESS
@ LDAP_RESULT_SUCCESS
Successfully got LDAP results.
Definition base.h:190
LDAP_RESULT_NO_RESULT
@ LDAP_RESULT_NO_RESULT
No results returned.
Definition base.h:194
LDAP_RESULT_BAD_DN
@ LDAP_RESULT_BAD_DN
The requested DN does not exist.
Definition base.h:193
fr_thread_ldap_bind_trunk_get
fr_ldap_thread_trunk_t * fr_thread_ldap_bind_trunk_get(fr_ldap_thread_t *thread)
Find the thread specific trunk to use for LDAP bind auths.
Definition connection.c:1294
fr_ldap_map_expand
int fr_ldap_map_expand(TALLOC_CTX *ctx, fr_ldap_map_exp_t *expanded, request_t *request, map_list_t const *maps, char const *generic_attr, char const *check_attr, char const *fallthrough_attr)
Expand values in an attribute map where needed.
Definition map.c:313
LDAP_MAX_CONTROLS
#define LDAP_MAX_CONTROLS
Maximum number of client/server controls.
Definition base.h:94
fr_ldap_thread_t::bind_trunk_conf
trunk_conf_t * bind_trunk_conf
Trunk config for bind auth trunk.
Definition base.h:385
LDAP_VIRTUAL_DN_ATTR
#define LDAP_VIRTUAL_DN_ATTR
'Virtual' attribute which maps to the DN of the object.
Definition base.h:113
fr_ldap_parse_url_extensions
int fr_ldap_parse_url_extensions(LDAPControl **sss, size_t sss_len, char *extensions[])
Parse a subset (just server side sort and virtual list view for now) of LDAP URL extensions.
Definition util.c:372
fr_ldap_query_s::result
LDAPMessage * result
Head of LDAP results list.
Definition base.h:470
fr_ldap_thread_t::el
fr_event_list_t * el
Thread event list for callbacks / timeouts.
Definition base.h:386
fr_ldap_control_t::control
LDAPControl * control
LDAP control.
Definition base.h:135
fr_ldap_map_exp_t::attrs
char const * attrs[LDAP_MAX_ATTRMAP+LDAP_MAP_RESERVED+1]
Reserve some space for access attributes.
Definition base.h:372
fr_ldap_thread_t::bind_trunk
fr_ldap_thread_trunk_t * bind_trunk
LDAP trunk used for bind auths.
Definition base.h:387
fr_ldap_thread_trunk_s::trunk
trunk_t * trunk
Connection trunk.
Definition base.h:407
fr_ldap_thread_t::trigger_args
fr_pair_list_t * trigger_args
Passed to trigger request for normal trunks.
Definition base.h:389
fr_ldap_bind_auth_async
unlang_action_t fr_ldap_bind_auth_async(unlang_result_t *p_result, request_t *request, fr_ldap_thread_t *thread, char const *bind_dn, char const *password)
Initiate an async LDAP bind for authentication.
Definition bind.c:326
fr_ldap_query_s::ev
fr_timer_t * ev
Event for timing out the query.
Definition base.h:461
fr_ldap_map_exp_t::ctx
TALLOC_CTX * ctx
Context to allocate new attributes in.
Definition base.h:374
fr_ldap_thread_t::binds
fr_rb_tree_t * binds
Tree of outstanding bind auths.
Definition base.h:388
fr_ldap_query_s::ldap_url
LDAPURLDesc * ldap_url
parsed URL for current query if the source of the query was a URL.
Definition base.h:428
fr_ldap_bind_auth_ctx_t
Holds arguments for async bind auth requests.
Definition base.h:615
fr_ldap_config_t
Connection configuration.
Definition base.h:221
fr_ldap_connection_t
Tracks the state of a libldap connection handle.
Definition base.h:332
fr_ldap_map_exp_t
Result of expanding the RHS of a set of maps.
Definition base.h:370
fr_ldap_query_s
LDAP query structure.
Definition base.h:424
fr_ldap_result_t
Contains a collection of values.
Definition base.h:360
fr_ldap_sasl_ctx_t
Holds arguments for the async SASL bind operation.
Definition base.h:508
fr_ldap_thread_t
Thread specific structure to manage LDAP trunk connections.
Definition base.h:381
fr_ldap_thread_trunk_s
Thread LDAP trunk structure.
Definition base.h:401
FR_LDAP_COMMON_CONF
#define FR_LDAP_COMMON_CONF(_conf)
Definition conf.h:19
fr_ldap_scope_len
size_t fr_ldap_scope_len
Definition base.c:74
fr_ldap_handle_thread_local
LDAP * fr_ldap_handle_thread_local(void)
Get a thread local dummy LDAP handle.
Definition base.c:1129
fr_libldap_global_config
global_lib_autoinst_t fr_libldap_global_config
Definition base.c:133
fr_ldap_trunk_modify
unlang_action_t fr_ldap_trunk_modify(TALLOC_CTX *ctx, fr_ldap_query_t **out, request_t *request, fr_ldap_thread_trunk_t *ttrunk, char const *dn, LDAPMod *mods[], LDAPControl **serverctrls, LDAPControl **clientctrls)
Run an async modification LDAP query on a trunk connection.
Definition base.c:769
fr_ldap_tls_require_cert
fr_table_num_sorted_t const fr_ldap_tls_require_cert[]
Definition base.c:76
fr_ldap_dereference
fr_table_num_sorted_t const fr_ldap_dereference[]
Definition base.c:85
fr_ldap_search_alloc
fr_ldap_query_t * fr_ldap_search_alloc(TALLOC_CTX *ctx, char const *base_dn, int scope, char const *filter, char const *const *attrs, LDAPControl **serverctrls, LDAPControl **clientctrls)
Allocate a new search object.
Definition base.c:1050
fr_ldap_trunk_search
unlang_action_t fr_ldap_trunk_search(TALLOC_CTX *ctx, fr_ldap_query_t **out, request_t *request, fr_ldap_thread_trunk_t *ttrunk, char const *base_dn, int scope, char const *filter, char const *const *attrs, LDAPControl **serverctrls, LDAPControl **clientctrls)
Run an async search LDAP query on a trunk connection.
Definition base.c:717
fr_ldap_scope
fr_table_num_sorted_t const fr_ldap_scope[]
Definition base.c:68
PERROR
#define PERROR(_fmt,...)
Definition log.h:228
REXDENT
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition log.h:455
ROPTIONAL
#define ROPTIONAL(_l_request, _l_global, _fmt,...)
Use different logging functions depending on whether request is NULL or not.
Definition log.h:540
RWDEBUG
#define RWDEBUG(fmt,...)
Definition log.h:373
RDEBUG_ENABLED3
#define RDEBUG_ENABLED3
True if request debug level 1-3 messages are enabled.
Definition log.h:347
RDEBUG3
#define RDEBUG3(fmt,...)
Definition log.h:355
RERROR
#define RERROR(fmt,...)
Definition log.h:310
DEBUG4
#define DEBUG4(_fmt,...)
Definition log.h:267
RPERROR
#define RPERROR(fmt,...)
Definition log.h:314
RPEDEBUG
#define RPEDEBUG(fmt,...)
Definition log.h:388
RINDENT
#define RINDENT()
Indent R* messages by one level.
Definition log.h:442
map_afrom_cs
int map_afrom_cs(TALLOC_CTX *ctx, map_list_t *out, CONF_SECTION const *cs, tmpl_rules_t const *lhs_rules, tmpl_rules_t const *rhs_rules, map_validate_t validate, void *uctx, unsigned int max)
Convert a config section into an attribute map.
Definition map.c:1136
map_to_request
int map_to_request(request_t *request, map_t const *map, radius_map_getvalue_t func, void *ctx)
Convert map_t to fr_pair_t (s) and add them to a request_t.
Definition map.c:1884
unlang_map_yield
unlang_action_t unlang_map_yield(request_t *request, map_proc_func_t resume, unlang_map_signal_t signal, fr_signal_t sigmask, void *rctx)
Yield a request back to the interpreter from within a module.
Definition map.c:109
map_ctx
static TALLOC_CTX * map_ctx
Definition map_builtin.c:32
map_proc_register
int map_proc_register(TALLOC_CTX *ctx, void const *mod_inst, char const *name, map_proc_func_t evaluate, map_proc_instantiate_t instantiate, size_t inst_size, fr_value_box_safe_for_t literals_safe_for)
Register a map processor.
Definition map_proc.c:124
map_ctx_t::rctx
void * rctx
Resume ctx that a module previously set.
Definition map_proc.h:53
map_ctx_t::moi
void const * moi
Map module instance.
Definition map_proc.h:54
map_ctx_t
Temporary structure to hold arguments for map calls.
Definition map_proc.h:52
FR_TYPE_TLV
@ FR_TYPE_TLV
Contains nested attributes.
Definition merged_model.c:118
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_VOID
@ FR_TYPE_VOID
User data.
Definition merged_model.c:127
FR_TYPE_BOOL
@ FR_TYPE_BOOL
A truth value.
Definition merged_model.c:95
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition merged_model.c:84
FR_TYPE_GROUP
@ FR_TYPE_GROUP
A grouping of other attributes.
Definition merged_model.c:124
ssize_t
long int ssize_t
Definition merged_model.c:24
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
fr_sbuff_t
Definition merged_model.c:37
fr_value_box_t
Definition merged_model.c:136
request_t
Definition merged_model.c:210
tmpl_t
Definition merged_model.c:225
module_ctx_t::env_data
void * env_data
Per call environment data.
Definition module_ctx.h:44
module_ctx_t::mi
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
module_ctx_t::thread
void * thread
Thread specific instance data.
Definition module_ctx.h:43
module_ctx_t::rctx
void * rctx
Resume ctx that a module previously set.
Definition module_ctx.h:45
module_thread_inst_ctx_t::el
fr_event_list_t * el
Event list to register any IO handlers and timers against.
Definition module_ctx.h:68
module_detach_ctx_t::mi
module_instance_t * mi
Module instance to detach.
Definition module_ctx.h:57
module_thread_inst_ctx_t::thread
void * thread
Thread instance data.
Definition module_ctx.h:67
module_thread_inst_ctx_t::mi
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:64
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
module_detach_ctx_t
Temporary structure to hold arguments for detach calls.
Definition module_ctx.h:56
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
module_thread_inst_ctx_t
Temporary structure to hold arguments for thread_instantiation calls.
Definition module_ctx.h:63
module_rlm_xlat_register
xlat_t * module_rlm_xlat_register(TALLOC_CTX *ctx, module_inst_ctx_t const *mctx, char const *name, xlat_func_t func, fr_type_t return_type)
Definition module_rlm.c:232
module_rlm_s::common
module_t common
Common fields presented by all modules.
Definition module_rlm.h:39
module_rlm_s
Definition module_rlm.h:38
fr_pair_find_by_da_nested
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition pair.c:784
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:707
fr_pair_list_alloc
fr_pair_list_t * fr_pair_list_alloc(TALLOC_CTX *ctx)
Allocate a new pair list on the heap.
Definition pair.c:119
rlm_ldap_map_profile
unlang_action_t rlm_ldap_map_profile(fr_ldap_result_code_t *ret, int *applied, rlm_ldap_t const *inst, request_t *request, fr_ldap_thread_trunk_t *ttrunk, char const *dn, int scope, char const *filter, fr_ldap_map_exp_t const *expanded)
Search for and apply an LDAP profile.
Definition profile.c:212
url
static char const * url[FR_RADIUS_FAIL_MAX+1]
Definition proto_radius.c:193
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:37
REDEBUG
#define REDEBUG(fmt,...)
Definition radclient-ng.h:52
RDEBUG_ENABLED2
#define RDEBUG_ENABLED2()
Definition radclient-ng.h:50
RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient-ng.h:54
RDEBUG
#define RDEBUG(fmt,...)
Definition radclient-ng.h:53
done
static bool done
Definition radclient.c:80
conf
static rs_t * conf
Definition radsniff.c:52
fr_rb_inline_talloc_alloc
#define fr_rb_inline_talloc_alloc(_ctx, _type, _field, _data_cmp, _data_free)
Allocs a red black that verifies elements are of a specific talloc type.
Definition rb.h:244
fr_rb_flatten_inorder
int fr_rb_flatten_inorder(TALLOC_CTX *ctx, void **out[], fr_rb_tree_t *tree)
RETURN_UNLANG_INVALID
#define RETURN_UNLANG_INVALID
Definition rcode.h:66
RETURN_UNLANG_RCODE
#define RETURN_UNLANG_RCODE(_rcode)
Definition rcode.h:61
RETURN_UNLANG_NOTFOUND
#define RETURN_UNLANG_NOTFOUND
Definition rcode.h:68
RETURN_UNLANG_FAIL
#define RETURN_UNLANG_FAIL
Definition rcode.h:63
RETURN_UNLANG_OK
#define RETURN_UNLANG_OK
Definition rcode.h:64
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:44
RLM_MODULE_INVALID
@ RLM_MODULE_INVALID
The module considers the request invalid.
Definition rcode.h:51
RLM_MODULE_OK
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:49
RLM_MODULE_FAIL
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:48
RLM_MODULE_DISALLOW
@ RLM_MODULE_DISALLOW
Reject the request (user is locked out).
Definition rcode.h:52
RLM_MODULE_REJECT
@ RLM_MODULE_REJECT
Immediately reject the request.
Definition rcode.h:47
RLM_MODULE_TIMEOUT
@ RLM_MODULE_TIMEOUT
Module (or section) timed out.
Definition rcode.h:56
RLM_MODULE_NOTFOUND
@ RLM_MODULE_NOTFOUND
User not found.
Definition rcode.h:53
RLM_MODULE_UPDATED
@ RLM_MODULE_UPDATED
OK (pairs modified).
Definition rcode.h:55
RLM_MODULE_HANDLED
@ RLM_MODULE_HANDLED
The module handled the request, so stop.
Definition rcode.h:50
RETURN_UNLANG_NOOP
#define RETURN_UNLANG_NOOP
Definition rcode.h:69
mod_map_proc
static unlang_action_t mod_map_proc(unlang_result_t *p_result, map_ctx_t const *mpctx, request_t *request, fr_value_box_list_t *url, map_list_t const *maps)
Perform a search and map the result of the search to server attributes.
Definition rlm_ldap.c:1497
ldap_mod_tmpl_t::tmpl
tmpl_t const * tmpl
Definition rlm_ldap.c:66
mod_authorize_cancel
static void mod_authorize_cancel(module_ctx_t const *mctx, UNUSED request_t *request, UNUSED fr_signal_t action)
Clear up when cancelling a mod_authorize call.
Definition rlm_ldap.c:1950
xlat_memberof_method_env
static const call_env_method_t xlat_memberof_method_env
Definition rlm_ldap.c:289
mod_detach
static int mod_detach(module_detach_ctx_t const *mctx)
Detach from the LDAP server and cleanup internal state.
Definition rlm_ldap.c:2331
mod_load
static int mod_load(void)
Definition rlm_ldap.c:2913
ldap_profile_xlat_resume
static xlat_action_t ldap_profile_xlat_resume(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, UNUSED request_t *request, UNUSED fr_value_box_list_t *in)
Return whether evaluating the profile was successful.
Definition rlm_ldap.c:1190
ldap_xlat_profile_call_env_t::profile_map
map_list_t * profile_map
List of maps to apply to the profile.
Definition rlm_ldap.c:78
REPEAT_LDAP_MEMBEROF_XLAT_RESULTS
#define REPEAT_LDAP_MEMBEROF_XLAT_RESULTS
Definition rlm_ldap.c:1003
profile_config
static conf_parser_t profile_config[]
Definition rlm_ldap.c:94
ldap_map_verify
static int ldap_map_verify(CONF_SECTION *cs, UNUSED void const *mod_inst, UNUSED void *proc_inst, tmpl_t const *src, UNUSED map_list_t const *maps)
Definition rlm_ldap.c:1347
attr_nt_password
fr_dict_attr_t const * attr_nt_password
Definition rlm_ldap.c:341
LDAP_DN_SAFE_FOR
#define LDAP_DN_SAFE_FOR
Definition rlm_ldap.c:184
ldap_safe_xlat_arg
static xlat_arg_parser_t const ldap_safe_xlat_arg[]
Definition rlm_ldap.c:420
ldap_auth_ctx_t::call_env
ldap_auth_call_env_t * call_env
Definition rlm_ldap.c:371
authenticate_method_env
static const call_env_method_t authenticate_method_env
Definition rlm_ldap.c:215
ldap_xlat_profile_ctx_t::ret
fr_ldap_result_code_t ret
Definition rlm_ldap.c:1181
ldap_user_modify_ctx_t::num_mods
size_t num_mods
Definition rlm_ldap.c:386
rlm_ldap_lib
global_lib_autoinst_t const * rlm_ldap_lib[]
Definition rlm_ldap.c:358
authorize_method_env
static const call_env_method_t authorize_method_env
Definition rlm_ldap.c:238
USERMOD_ENV
#define USERMOD_ENV(_section)
Definition rlm_ldap.c:274
ldap_auth_call_env_t::password
fr_value_box_t password
Definition rlm_ldap.c:55
SSS_CONTROL_BUILD
#define SSS_CONTROL_BUILD(_obj)
ldap_uri_unescape_xlat_arg
static xlat_arg_parser_t const ldap_uri_unescape_xlat_arg[]
Definition rlm_ldap.c:505
xlat_profile_method_env
static const call_env_method_t xlat_profile_method_env
Definition rlm_ldap.c:311
ldap_uri_attr_option_xlat_arg
static xlat_arg_parser_t const ldap_uri_attr_option_xlat_arg[]
Definition rlm_ldap.c:608
ldap_mod_section_parse
static int ldap_mod_section_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, call_env_parser_t const *rule)
CHECK_EXPANDED_SPACE
#define CHECK_EXPANDED_SPACE(_expanded)
mod_map_resume
static unlang_action_t mod_map_resume(unlang_result_t *p_result, map_ctx_t const *mpctx, request_t *request, UNUSED fr_value_box_list_t *url, UNUSED map_list_t const *maps)
Process the results of an LDAP map query.
Definition rlm_ldap.c:1371
mod_authorize_resume
static unlang_action_t mod_authorize_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Resume function called after each potential yield in LDAP authorization.
Definition rlm_ldap.c:1674
ldap_user_modify_ctx_t::mod_s
LDAPMod * mod_s
Definition rlm_ldap.c:382
LDAP_FILTER_CALL_ENV_ESCAPE
#define LDAP_FILTER_CALL_ENV_ESCAPE
Definition rlm_ldap.c:198
ldap_map_ctx_t::maps
map_list_t const * maps
Definition rlm_ldap.c:395
attr_crypt_password
fr_dict_attr_t const * attr_crypt_password
Definition rlm_ldap.c:340
ldap_usermod_call_env_t::user_filter
fr_value_box_t user_filter
Definition rlm_ldap.c:70
ldap_group_filter_parse
static int ldap_group_filter_parse(TALLOC_CTX *ctx, void *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, UNUSED call_env_parser_t const *rule)
dict_freeradius
static fr_dict_t const * dict_freeradius
Definition rlm_ldap.c:330
ldap_xlat_profile_ctx_t::applied
int applied
Definition rlm_ldap.c:1182
map_ctx_free
static int map_ctx_free(ldap_map_ctx_t *map_ctx)
Ensure map context is properly cleared up.
Definition rlm_ldap.c:1468
ldap_user_modify_ctx_t::mod_p
LDAPMod ** mod_p
Definition rlm_ldap.c:381
rlm_ldap_boot_t::cache_da
fr_dict_attr_t const * cache_da
Definition rlm_ldap.c:50
ldap_query_timeout
static void ldap_query_timeout(UNUSED fr_timer_list_t *tl, UNUSED fr_time_t now, void *uctx)
Callback when LDAP query times out.
Definition rlm_ldap.c:585
user_modify_mod_build_resume
static unlang_action_t user_modify_mod_build_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_ldap.c:2085
user_config
static conf_parser_t user_config[]
Definition rlm_ldap.c:109
attr_expr_bool_enum
static fr_dict_attr_t const * attr_expr_bool_enum
Definition rlm_ldap.c:343
LDAP_FILTER_SAFE_FOR
#define LDAP_FILTER_SAFE_FOR
Definition rlm_ldap.c:185
ldap_uri_scheme_table
static fr_table_num_sorted_t const ldap_uri_scheme_table[]
Definition rlm_ldap.c:408
ldap_xlat_arg
static xlat_arg_parser_t const ldap_xlat_arg[]
Definition rlm_ldap.c:781
mod_modify
static unlang_action_t mod_modify(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Modify user's object in LDAP.
Definition rlm_ldap.c:2263
ldap_uri_part_escape
static int ldap_uri_part_escape(fr_value_box_t *vb, UNUSED void *uctx)
Escape function for a part of an LDAP URI.
Definition rlm_ldap.c:556
ldap_escape_xlat_arg
static xlat_arg_parser_t const ldap_escape_xlat_arg[]
Definition rlm_ldap.c:415
rlm_ldap_boot_t::group_da
fr_dict_attr_t const * group_da
Definition rlm_ldap.c:49
ldap_group_xlat_user_find
static unlang_action_t ldap_group_xlat_user_find(UNUSED unlang_result_t *p_result, request_t *request, void *uctx)
User object lookup as part of group membership xlat.
Definition rlm_ldap.c:976
attr_password
fr_dict_attr_t const * attr_password
Definition rlm_ldap.c:338
mod_bootstrap
static int mod_bootstrap(module_inst_ctx_t const *mctx)
Bootstrap the module.
Definition rlm_ldap.c:2832
REPEAT_MOD_AUTHORIZE_RESUME
#define REPEAT_MOD_AUTHORIZE_RESUME
Definition rlm_ldap.c:1656
ldap_auth_call_env_t::user_sasl_proxy
fr_value_box_t user_sasl_proxy
Definition rlm_ldap.c:59
ldap_user_modify_ctx_t::ttrunk
fr_ldap_thread_trunk_t * ttrunk
Definition rlm_ldap.c:383
ldap_auth_call_env_t::user_sasl_authname
fr_value_box_t user_sasl_authname
Definition rlm_ldap.c:58
attr_password_with_header
fr_dict_attr_t const * attr_password_with_header
Definition rlm_ldap.c:342
ldap_update_section_parse
static int ldap_update_section_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, call_env_parser_t const *rule)
mod_authorize
static unlang_action_t mod_authorize(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_ldap.c:1967
ldap_user_modify_ctx_t::inst
rlm_ldap_t const * inst
Definition rlm_ldap.c:378
group_config
static conf_parser_t group_config[]
Definition rlm_ldap.c:126
ldap_map_ctx_t::query
fr_ldap_query_t * query
Definition rlm_ldap.c:397
mod_unload
static void mod_unload(void)
Definition rlm_ldap.c:2971
rlm_ldap_dict_attr
fr_dict_attr_autoload_t rlm_ldap_dict_attr[]
Definition rlm_ldap.c:346
LDAP_DN_CALL_ENV_ESCAPE
#define LDAP_DN_CALL_ENV_ESCAPE
Definition rlm_ldap.c:187
ldap_usermod_call_env_t::mod
ldap_mod_tmpl_t ** mod
Definition rlm_ldap.c:71
ldap_group_xlat_resume
static xlat_action_t ldap_group_xlat_resume(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, UNUSED request_t *request, UNUSED fr_value_box_list_t *in)
Process the results of evaluating LDAP group membership.
Definition rlm_ldap.c:1065
ldap_mod_tmpl_t::attr
char const * attr
Definition rlm_ldap.c:64
ldap_group_xlat_results
static unlang_action_t ldap_group_xlat_results(unlang_result_t *p_result, request_t *request, void *uctx)
Run the state machine for the LDAP membership xlat.
Definition rlm_ldap.c:1014
ldap_group_xlat_cancel
static void ldap_group_xlat_cancel(UNUSED request_t *request, UNUSED fr_signal_t action, void *uctx)
Cancel an in-progress query for the LDAP group membership xlat.
Definition rlm_ldap.c:994
ldap_update_rules_t::expect_password_offset
ssize_t expect_password_offset
Definition rlm_ldap.c:235
ldap_xlat_uri_parse
static int ldap_xlat_uri_parse(LDAPURLDesc **uri_parsed, char **host_out, bool *free_host_out, request_t *request, char *host_default, fr_value_box_t *uri_in)
Utility function for parsing LDAP URLs.
Definition rlm_ldap.c:821
user_modify_final
static unlang_action_t user_modify_final(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Handle results of user modification.
Definition rlm_ldap.c:2056
ldap_xlat_profile_ctx_free
static int ldap_xlat_profile_ctx_free(ldap_xlat_profile_ctx_t *to_free)
Definition rlm_ldap.c:1203
host_uri_canonify
static char * host_uri_canonify(request_t *request, LDAPURLDesc *url_parsed, fr_value_box_t *url_in)
Produce canonical LDAP host URI for finding trunks.
Definition rlm_ldap.c:790
attr_cleartext_password
fr_dict_attr_t const * attr_cleartext_password
Definition rlm_ldap.c:339
ldap_auth_call_env_t::password_tmpl
tmpl_t const * password_tmpl
Definition rlm_ldap.c:56
ldap_xlat_resume
static xlat_action_t ldap_xlat_resume(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, UNUSED fr_value_box_list_t *in)
Callback when resuming after async ldap query is completed.
Definition rlm_ldap.c:699
ldap_auth_call_env_t::user_sasl_mech
fr_value_box_t user_sasl_mech
Definition rlm_ldap.c:57
rlm_ldap_dict
fr_dict_autoload_t rlm_ldap_dict[]
Definition rlm_ldap.c:333
mod_thread_instantiate
static int mod_thread_instantiate(module_thread_inst_ctx_t const *mctx)
Initialise thread specific data structure.
Definition rlm_ldap.c:2551
rlm_ldap
module_rlm_t rlm_ldap
Definition rlm_ldap.c:2986
ldap_auth_ctx_t::password
char const * password
Definition rlm_ldap.c:368
mod_authenticate
static unlang_action_t mod_authenticate(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_ldap.c:1581
autz_ctx_free
static int autz_ctx_free(ldap_autz_ctx_t *autz_ctx)
Ensure authorization context is properly cleared up.
Definition rlm_ldap.c:1960
ldap_schemes_t
ldap_schemes_t
Definition rlm_ldap.c:402
LDAP_SCHEME_UNIX
@ LDAP_SCHEME_UNIX
Definition rlm_ldap.c:403
LDAP_SCHEME_TCP_SSL
@ LDAP_SCHEME_TCP_SSL
Definition rlm_ldap.c:405
LDAP_SCHEME_TCP
@ LDAP_SCHEME_TCP
Definition rlm_ldap.c:404
ldap_mod_tmpl_t::op
fr_token_t op
Definition rlm_ldap.c:65
ldap_xlat_profile_ctx_t::url
LDAPURLDesc * url
Definition rlm_ldap.c:1183
ldap_usermod_call_env_t::user_base
fr_value_box_t user_base
Definition rlm_ldap.c:69
ldap_xlat_profile_ctx_t::expanded
fr_ldap_map_exp_t expanded
Definition rlm_ldap.c:1184
ldap_xlat_signal
static void ldap_xlat_signal(xlat_ctx_t const *xctx, request_t *request, UNUSED fr_signal_t action)
Callback for signalling async ldap query.
Definition rlm_ldap.c:746
ldap_user_modify_ctx_t::query
fr_ldap_query_t * query
Definition rlm_ldap.c:384
ldap_user_modify_ctx_t::current_mod
size_t current_mod
Definition rlm_ldap.c:387
ldap_auth_ctx_t::thread
fr_ldap_thread_t * thread
Definition rlm_ldap.c:370
ldap_uri_scheme_table_len
static size_t ldap_uri_scheme_table_len
Definition rlm_ldap.c:413
ldap_user_modify_ctx_t::dn
char const * dn
Definition rlm_ldap.c:380
ldap_user_modify_ctx_t::expanded_mods
size_t expanded_mods
Definition rlm_ldap.c:388
ldap_dn_parts
static fr_uri_part_t const ldap_dn_parts[]
Definition rlm_ldap.c:776
module_config
static const conf_parser_t module_config[]
Definition rlm_ldap.c:143
USER_CALL_ENV_COMMON
#define USER_CALL_ENV_COMMON(_struct)
Definition rlm_ldap.c:209
ldap_user_modify_ctx_t::call_env
ldap_usermod_call_env_t * call_env
Definition rlm_ldap.c:379
ldap_xlat_profile_call_env_t::profile_filter
fr_value_box_t profile_filter
Filter to use when searching for users.
Definition rlm_ldap.c:77
user_modify_cancel
static void user_modify_cancel(module_ctx_t const *mctx, UNUSED request_t *request, UNUSED fr_signal_t action)
Cancel an in progress user modification.
Definition rlm_ldap.c:2044
mod_thread_detach
static int mod_thread_detach(module_thread_inst_ctx_t const *mctx)
Clean up thread specific data structure.
Definition rlm_ldap.c:2533
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Instantiate the module.
Definition rlm_ldap.c:2598
ldap_map_ctx_t::expanded
fr_ldap_map_exp_t expanded
Definition rlm_ldap.c:398
ldap_map_ctx_t::ldap_url
LDAPURLDesc * ldap_url
Definition rlm_ldap.c:396
sasl_call_env
static const call_env_parser_t sasl_call_env[]
Definition rlm_ldap.c:86
ldap_update_rules_t::map_offset
size_t map_offset
Definition rlm_ldap.c:234
ldap_auth_call_env_t::user_sasl_realm
fr_value_box_t user_sasl_realm
Definition rlm_ldap.c:60
ldap_user_modify_ctx_t::expanded
fr_value_box_list_t expanded
Definition rlm_ldap.c:385
ldap_uri_parts
static fr_uri_part_t const ldap_uri_parts[]
Definition rlm_ldap.c:764
rlm_ldap_boot_t::user_da
fr_dict_attr_t const * user_da
Definition rlm_ldap.c:51
user_modify_resume
static unlang_action_t user_modify_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Take the retrieved user DN and launch the async tmpl expansion of mod_values.
Definition rlm_ldap.c:2226
ldap_auth_ctx_t::dn
char const * dn
Definition rlm_ldap.c:367
ldap_group_xlat_arg
static xlat_arg_parser_t const ldap_group_xlat_arg[]
Definition rlm_ldap.c:1078
ldap_auth_ctx_t::inst
rlm_ldap_t const * inst
Definition rlm_ldap.c:369
ldap_auth_call_env_t
Definition rlm_ldap.c:54
ldap_auth_ctx_t
Holds state of in progress async authentication.
Definition rlm_ldap.c:366
ldap_map_ctx_t
Holds state of in progress LDAP map.
Definition rlm_ldap.c:394
ldap_mod_tmpl_t
Definition rlm_ldap.c:63
ldap_update_rules_t
Parameters to allow ldap_update_section_parse to be reused.
Definition rlm_ldap.c:233
ldap_user_modify_ctx_t
Holds state of in progress ldap user modifications.
Definition rlm_ldap.c:377
ldap_usermod_call_env_t
Definition rlm_ldap.c:68
ldap_xlat_profile_call_env_t
Call environment used in the profile xlat.
Definition rlm_ldap.c:76
ldap_xlat_profile_ctx_t
Definition rlm_ldap.c:1180
rlm_ldap_boot_t
Definition rlm_ldap.c:48
rlm_ldap.h
LDAP authorization and authentication module headers.
ldap_autz_ctx_t::expanded
fr_ldap_map_exp_t expanded
Definition rlm_ldap.h:204
ldap_autz_ctx_t::call_env
ldap_autz_call_env_t * call_env
Definition rlm_ldap.h:207
ldap_autz_ctx_t::profile_values
struct berval ** profile_values
Definition rlm_ldap.h:210
LDAP_ACCESS_SUSPENDED
@ LDAP_ACCESS_SUSPENDED
User account has been suspended.
Definition rlm_ldap.h:195
LDAP_ACCESS_ALLOWED
@ LDAP_ACCESS_ALLOWED
User is allowed to login.
Definition rlm_ldap.h:193
LDAP_ACCESS_DISALLOWED
@ LDAP_ACCESS_DISALLOWED
User it not allow to login (disabled)
Definition rlm_ldap.h:194
ldap_autz_ctx_t::ttrunk
fr_ldap_thread_trunk_t * ttrunk
Definition rlm_ldap.h:206
ldap_autz_ctx_t::value_idx
int value_idx
Definition rlm_ldap.h:211
ldap_autz_ctx_t::inst
rlm_ldap_t const * inst
Definition rlm_ldap.h:203
ldap_autz_call_env_t::profile_filter
fr_value_box_t profile_filter
Filter to use when searching for profiles.
Definition rlm_ldap.h:154
ldap_autz_call_env_t::user_filter
fr_value_box_t user_filter
Filter to use when searching for users.
Definition rlm_ldap.h:147
ldap_autz_ctx_t::entry
LDAPMessage * entry
Definition rlm_ldap.h:208
LDAP_AUTZ_GROUP
@ LDAP_AUTZ_GROUP
Definition rlm_ldap.h:177
LDAP_AUTZ_FIND
@ LDAP_AUTZ_FIND
Definition rlm_ldap.h:176
LDAP_AUTZ_DEFAULT_PROFILE
@ LDAP_AUTZ_DEFAULT_PROFILE
Definition rlm_ldap.h:184
LDAP_AUTZ_USER_PROFILE
@ LDAP_AUTZ_USER_PROFILE
Definition rlm_ldap.h:186
LDAP_AUTZ_MAP
@ LDAP_AUTZ_MAP
Definition rlm_ldap.h:183
LDAP_AUTZ_POST_DEFAULT_PROFILE
@ LDAP_AUTZ_POST_DEFAULT_PROFILE
Definition rlm_ldap.h:185
LDAP_AUTZ_POST_GROUP
@ LDAP_AUTZ_POST_GROUP
Definition rlm_ldap.h:178
ldap_autz_ctx_t::status
ldap_autz_status_t status
Definition rlm_ldap.h:209
ldap_autz_ctx_t::query
fr_ldap_query_t * query
Definition rlm_ldap.h:205
ldap_autz_ctx_t::profile_value
char * profile_value
Definition rlm_ldap.h:212
ldap_autz_ctx_t::access_state
ldap_access_state_t access_state
What state a user's account is in.
Definition rlm_ldap.h:214
rlm_ldap_find_user_async
unlang_action_t rlm_ldap_find_user_async(TALLOC_CTX *ctx, unlang_result_t *p_result, rlm_ldap_t const *inst, request_t *request, fr_value_box_t *base, fr_value_box_t *filter_box, fr_ldap_thread_trunk_t *ttrunk, char const *attrs[], fr_ldap_query_t **query_out)
Initiate asynchronous retrieval of the DN of a user object.
Definition user.c:166
ldap_autz_call_env_t::user_base
fr_value_box_t user_base
Base DN in which to search for users.
Definition rlm_ldap.h:146
ldap_autz_ctx_t::dn
char const * dn
Definition rlm_ldap.h:213
ldap_autz_call_env_t::user_map
map_list_t * user_map
Attribute map applied to users and profiles.
Definition rlm_ldap.h:156
ldap_autz_ctx_t::rcode
rlm_rcode_t rcode
What rcode we'll finally respond with.
Definition rlm_ldap.h:215
rlm_find_user_dn_cached
static char const * rlm_find_user_dn_cached(rlm_ldap_t const *inst, request_t *request)
Definition rlm_ldap.h:257
rlm_ldap_check_reply
void rlm_ldap_check_reply(request_t *request, rlm_ldap_t const *inst, char const *inst_name, bool expect_password, fr_ldap_thread_trunk_t const *ttrunk)
Verify we got a password from the search.
Definition user.c:264
ldap_autz_call_env_t::expect_password
fr_value_box_t const * expect_password
True if the user_map included a mapping between an LDAP attribute and one of our password reference a...
Definition rlm_ldap.h:158
ldap_autz_call_env_t::default_profile
fr_value_box_t default_profile
If this is set, we will search for a profile object with this name, and map any attributes it contain...
Definition rlm_ldap.h:150
GROUP_XLAT_MEMB_FILTER
@ GROUP_XLAT_MEMB_FILTER
Definition rlm_ldap.h:222
GROUP_XLAT_MEMB_ATTR
@ GROUP_XLAT_MEMB_ATTR
Definition rlm_ldap.h:223
GROUP_XLAT_FIND_USER
@ GROUP_XLAT_FIND_USER
Definition rlm_ldap.h:221
ldap_autz_ctx_t::dlinst
module_instance_t const * dlinst
Definition rlm_ldap.h:202
rlm_ldap_check_access
ldap_access_state_t rlm_ldap_check_access(rlm_ldap_t const *inst, request_t *request, LDAPMessage *entry)
Check for presence of access attribute in result.
Definition user.c:212
ldap_autz_call_env_t
Call environment used in LDAP authorization.
Definition rlm_ldap.h:145
ldap_autz_ctx_t
Holds state of in progress async authorization.
Definition rlm_ldap.h:201
ldap_group_xlat_ctx_t
Holds state of in progress group membership check xlat.
Definition rlm_ldap.h:229
ldap_xlat_memberof_call_env_t
Call environment used in group membership xlat.
Definition rlm_ldap.h:165
rlm_ldap_t
Definition rlm_ldap.h:20
fr_ldap_sasl_bind_auth_async
unlang_action_t fr_ldap_sasl_bind_auth_async(unlang_result_t *p_result, request_t *request, fr_ldap_thread_t *thread, char const *mechs, char const *identity, char const *password, char const *proxy, char const *realm)
Initiate an async SASL LDAP bind for authentication.
Definition sasl.c:504
fr_sbuff_trim_talloc
int fr_sbuff_trim_talloc(fr_sbuff_t *sbuff, size_t len)
Trim a talloced sbuff to the minimum length required to represent the contained string.
Definition sbuff.c:433
FR_SBUFF_IN
#define FR_SBUFF_IN(_start, _len_or_end)
FR_SBUFF_TERMS
#define FR_SBUFF_TERMS(...)
Initialise a terminal structure with a list of sorted strings.
Definition sbuff.h:190
fr_sbuff_buff
#define fr_sbuff_buff(_sbuff_or_marker)
fr_sbuff_uctx_talloc_t
Talloc sbuff extension structure.
Definition sbuff.h:137
section_name_str
static char const * section_name_str(char const *name)
Return a printable string for the section name.
Definition section.h:97
SECTION_NAME
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition section.h:39
section_name_t::name2
char const * name2
Second section name. Usually a packet type like 'access-request', 'access-accept',...
Definition section.h:45
section_name_t::name1
char const * name1
First section name. Usually a verb like 'recv', 'send', etc...
Definition section.h:44
MODULE_THREAD_INST
#define MODULE_THREAD_INST(_ctype)
Definition module.h:258
module_instance_s::name
char const * name
Instance name e.g. user_database.
Definition module.h:357
module_s::flags
module_flags_t flags
Flags that control how a module starts up and how a module is called.
Definition module.h:236
module_instance_s::conf
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:351
module_instance_s::data
void * data
Module's instance data.
Definition module.h:293
MODULE_BOOT
#define MODULE_BOOT(_ctype)
Definition module.h:256
module_instance_s::boot
void * boot
Data allocated during the boostrap phase.
Definition module.h:296
module_thread_instance_s::data
void * data
Thread specific instance data.
Definition module.h:374
module_thread
static module_thread_instance_t * module_thread(module_instance_t const *mi)
Retrieve module/thread specific instance for a module.
Definition module.h:503
MODULE_BINDING_TERMINATOR
#define MODULE_BINDING_TERMINATOR
Terminate a module binding list.
Definition module.h:152
MODULE_INST
#define MODULE_INST(_ctype)
Definition module.h:257
module_method_binding_s
Named methods exported by a module.
Definition module.h:174
tmpl_attr_tail
static tmpl_attr_t const * tmpl_attr_tail(tmpl_t const *vpt)
Return the last attribute reference.
Definition tmpl.h:790
tmpl_resolve
int tmpl_resolve(tmpl_t *vpt, tmpl_res_rules_t const *tr_rules))
Attempt to resolve functions and attributes in xlats and attribute references.
Definition tmpl_tokenize.c:4384
tmpl_afrom_substr
ssize_t tmpl_afrom_substr(TALLOC_CTX *ctx, tmpl_t **out, fr_sbuff_t *in, fr_token_t quote, fr_sbuff_parse_rules_t const *p_rules, tmpl_rules_t const *t_rules))
Convert an arbitrary string into a tmpl_t.
Definition tmpl_tokenize.c:3306
tmpl_rules_s::attr
tmpl_attr_rules_t attr
Rules/data for parsing attribute references.
Definition tmpl.h:339
tmpl_needs_resolving
#define tmpl_needs_resolving(vpt)
Definition tmpl.h:223
tmpl_res_rules_s
Similar to tmpl_rules_t, but used to specify parameters that may change during subsequent resolution ...
Definition tmpl.h:368
tmpl_rules_s
Optional arguments passed to vp_tmpl functions.
Definition tmpl.h:336
fr_signal_t
fr_signal_t
Signals that can be generated/processed by request signal handlers.
Definition signal.h:38
FR_SIGNAL_CANCEL
@ FR_SIGNAL_CANCEL
Request has been cancelled.
Definition signal.h:40
snprintf
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition snprintf.c:689
count
return count
Definition module.c:155
unlang_module_yield
unlang_action_t unlang_module_yield(request_t *request, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Yield a request back to the interpreter from within a module.
Definition module.c:431
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3645
map_s
Value pair map.
Definition map.h:77
map_s::lhs
tmpl_t * lhs
Typically describes the attribute to add, modify or compare.
Definition map.h:78
tmpl_attr_rules_s::dict_def
fr_dict_t const * dict_def
Default dictionary to use with unqualified attribute references.
Definition tmpl.h:273
tmpl_attr_t
An element in a list of nested attribute references.
Definition tmpl.h:434
tmpl_attr_t::da
fr_dict_attr_t const *_CONST da
Resolved dictionary attribute.
Definition tmpl.h:438
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
fr_table_value_by_str
#define fr_table_value_by_str(_table, _name, _def)
Convert a string to a value using a sorted or ordered table.
Definition table.h:653
fr_table_str_by_value
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
Definition table.h:772
fr_table_num_sorted_t
An element in a lexicographically sorted array of name to num mappings.
Definition table.h:49
talloc_typed_strdup_buffer
char * talloc_typed_strdup_buffer(TALLOC_CTX *ctx, char const *p)
Call talloc_strndup, setting the type on the new chunk correctly.
Definition talloc.c:496
talloc_typed_asprintf
char * talloc_typed_asprintf(TALLOC_CTX *ctx, char const *fmt,...)
Call talloc vasprintf, setting the type on the new chunk correctly.
Definition talloc.c:546
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition talloc.h:117
talloc_asprintf
#define talloc_asprintf
Definition talloc.h:151
talloc_pooled_object
#define talloc_pooled_object(_ctx, _type, _num_subobjects, _total_subobjects_size)
Definition talloc.h:211
talloc_strdup
#define talloc_strdup(_ctx, _str)
Definition talloc.h:149
talloc_strlen
static size_t talloc_strlen(char const *s)
Returns the length of a talloc array containing a string.
Definition talloc.h:143
fr_time_s
"server local" time.
Definition time.h:69
fr_timer_list_s
An event timer list.
Definition timer.c:49
fr_timer_in
#define fr_timer_in(...)
Definition timer.h:87
unlang_tmpl_push
int unlang_tmpl_push(TALLOC_CTX *ctx, unlang_result_t *p_result, fr_value_box_list_t *out, request_t *request, tmpl_t const *tmpl, unlang_tmpl_args_t *args, bool top_frame)
Push a tmpl onto the stack for evaluation.
Definition tmpl.c:276
fr_tokens_table
fr_table_num_ordered_t const fr_tokens_table[]
Definition token.c:33
fr_token_t
enum fr_token fr_token_t
T_OP_SUB_EQ
@ T_OP_SUB_EQ
Definition token.h:68
T_SINGLE_QUOTED_STRING
@ T_SINGLE_QUOTED_STRING
Definition token.h:120
T_BARE_WORD
@ T_BARE_WORD
Definition token.h:118
T_OP_SET
@ T_OP_SET
Definition token.h:82
T_OP_ADD_EQ
@ T_OP_ADD_EQ
Definition token.h:67
T_OP_CMP_FALSE
@ T_OP_CMP_FALSE
Definition token.h:103
T_OP_INCRM
@ T_OP_INCRM
Definition token.h:111
module_trigger_args_build
int module_trigger_args_build(TALLOC_CTX *ctx, fr_pair_list_t *list, CONF_SECTION const *cs, module_trigger_args_t *args)
Build trigger args pair list for modules.
Definition trigger.c:497
module_trigger_args_t
Common values used by modules when building trigger args.
Definition trigger.h:42
trunk_request_enqueue
trunk_enqueue_t trunk_request_enqueue(trunk_request_t **treq_out, trunk_t *trunk, request_t *request, void *preq, void *rctx)
Enqueue a request that needs data written to the trunk.
Definition trunk.c:2639
trunk_request_signal_cancel
void trunk_request_signal_cancel(trunk_request_t *treq)
Cancel a trunk request.
Definition trunk.c:2198
trunk_config
conf_parser_t const trunk_config[]
Config parser definitions to populate a trunk_conf_t.
Definition trunk.c:341
trunk_request_s
Wraps a normal request.
Definition trunk.c:99
TRUNK_ENQUEUE_OK
@ TRUNK_ENQUEUE_OK
Operation was successful.
Definition trunk.h:151
TRUNK_ENQUEUE_IN_BACKLOG
@ TRUNK_ENQUEUE_IN_BACKLOG
Request should be enqueued in backlog.
Definition trunk.h:150
unlang_xlat_yield
xlat_action_t unlang_xlat_yield(request_t *request, xlat_func_t resume, xlat_func_signal_t signal, fr_signal_t sigmask, void *rctx)
Yield a request back to the interpreter from within a module.
Definition xlat.c:543
xlat_arg_copy_out
void xlat_arg_copy_out(TALLOC_CTX *ctx, fr_dcursor_t *cursor, fr_value_box_list_t *in, fr_value_box_t *vb)
Copy an argument from the input list to the output cursor.
Definition xlat_builtin.c:65
xlat_transparent
xlat_action_t xlat_transparent(UNUSED TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *args)
XLAT_ARGS
#define XLAT_ARGS(_list,...)
Populate local variables with value boxes from the input list.
Definition xlat.h:383
xlat_arg_parser_t::required
unsigned int required
Argument must be present, and non-empty.
Definition xlat.h:146
XLAT_ARG_PARSER_TERMINATOR
#define XLAT_ARG_PARSER_TERMINATOR
Definition xlat.h:170
xlat_action_t
xlat_action_t
Definition xlat.h:37
XLAT_ACTION_FAIL
@ XLAT_ACTION_FAIL
An xlat function failed.
Definition xlat.h:44
XLAT_ACTION_YIELD
@ XLAT_ACTION_YIELD
An xlat function pushed a resume frame onto the stack.
Definition xlat.h:42
XLAT_ACTION_PUSH_UNLANG
@ XLAT_ACTION_PUSH_UNLANG
An xlat function pushed an unlang frame onto the unlang stack.
Definition xlat.h:39
XLAT_ACTION_DONE
@ XLAT_ACTION_DONE
We're done evaluating this level of nesting.
Definition xlat.h:43
xlat_arg_parser_t
Definition for a single argument consumed by an xlat function.
Definition xlat.h:145
fr_uri_escape_list
int fr_uri_escape_list(fr_value_box_list_t *uri, fr_uri_part_t const *uri_parts, void *uctx)
Parse a list of value boxes representing a URI.
Definition uri.c:140
fr_uri_has_scheme
int fr_uri_has_scheme(fr_value_box_list_t *uri, fr_table_num_sorted_t const *schemes, size_t schemes_len, int def)
Searches for a matching scheme in the table of schemes, using a list of value boxes representing the ...
Definition uri.c:167
XLAT_URI_PART_TERMINATOR
#define XLAT_URI_PART_TERMINATOR
Definition uri.h:66
fr_uri_part_t::name
char const * name
Name of this part of the URI.
Definition uri.h:47
fr_uri_part_t
Definition for a single part of a URI.
Definition uri.h:46
fr_strerror_printf_push
#define fr_strerror_printf_push(_fmt,...)
Add a message to an existing stack of messages at the tail.
Definition strerror.h:84
FR_TYPE_FIXED_SIZE
#define FR_TYPE_FIXED_SIZE
Definition types.h:310
fr_value_box_asprintf
int fr_value_box_asprintf(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t const *enumv, bool tainted, char const *fmt,...)
Print a formatted string using our internal printf wrapper and assign it to a value box.
Definition value.c:4707
value_parse_rules_quoted
fr_sbuff_parse_rules_t const * value_parse_rules_quoted[T_TOKEN_LAST]
Parse rules for quoted strings.
Definition value.c:611
fr_value_box_cast_in_place
int fr_value_box_cast_in_place(TALLOC_CTX *ctx, fr_value_box_t *vb, fr_type_t dst_type, fr_dict_attr_t const *dst_enumv)
Convert one type of fr_value_box_t to another in place.
Definition value.c:4196
fr_value_box_strdup_shallow_replace
void fr_value_box_strdup_shallow_replace(fr_value_box_t *vb, char const *src, ssize_t len)
Free the existing buffer (if talloced) associated with the valuebox, and replace it with a new one.
Definition value.c:4745
fr_value_box_strdup_shallow
void fr_value_box_strdup_shallow(fr_value_box_t *dst, fr_dict_attr_t const *enumv, char const *src, bool tainted)
Assign a buffer containing a nul terminated string to a box, but don't copy it.
Definition value.c:4729
fr_value_box_bstr_realloc
int fr_value_box_bstr_realloc(TALLOC_CTX *ctx, char **out, fr_value_box_t *dst, size_t len)
Change the length of a buffer already allocated to a value box.
Definition value.c:4797
fr_value_box_bstrndup
int fr_value_box_bstrndup(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t const *enumv, char const *src, size_t len, bool tainted)
Copy a string to to a fr_value_box_t.
Definition value.c:4838
fr_value_box_bstrdup_buffer_shallow
int fr_value_box_bstrdup_buffer_shallow(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t const *enumv, char const *src, bool tainted)
Assign a talloced buffer containing a nul terminated string to a box, but don't copy it.
Definition value.c:4946
fr_value_box_list_concat_in_place
int fr_value_box_list_concat_in_place(TALLOC_CTX *ctx, fr_value_box_t *out, fr_value_box_list_t *list, fr_type_t type, fr_value_box_list_action_t proc_action, bool flatten, size_t max_size)
Concatenate a list of value boxes.
Definition value.c:6604
FR_VALUE_BOX_LIST_FREE
@ FR_VALUE_BOX_LIST_FREE
Definition value.h:238
fr_value_box_alloc
#define fr_value_box_alloc(_ctx, _type, _enumv)
Allocate a value box of a specific type.
Definition value.h:644
fr_value_box_is_safe_for_only
#define fr_value_box_is_safe_for_only(_box, _safe_for)
Definition value.h:1101
fr_box_strvalue_len
#define fr_box_strvalue_len(_val, _len)
Definition value.h:309
nonnull
int nonnull(2, 5))
fr_value_box_alloc_null
#define fr_value_box_alloc_null(_ctx)
Allocate a value box for later use with a value assignment function.
Definition value.h:655
out
static size_t char ** out
Definition value.h:1030
xlat_ctx
static TALLOC_CTX * xlat_ctx
Definition xlat_builtin.c:48
xlat_ctx_s::rctx
void * rctx
Resume context.
Definition xlat_ctx.h:54
xlat_ctx_s::env_data
void * env_data
Expanded call env data.
Definition xlat_ctx.h:53
xlat_ctx_s::mctx
module_ctx_t const * mctx
Synthesised module calling ctx.
Definition xlat_ctx.h:52
xlat_ctx_s
An xlat calling ctx.
Definition xlat_ctx.h:49
xlat_func_flags_set
void xlat_func_flags_set(xlat_t *x, xlat_func_flags_t flags)
Specify flags that alter the xlat's behaviour.
Definition xlat_func.c:390
xlat_func_args_set
int xlat_func_args_set(xlat_t *x, xlat_arg_parser_t const args[])
Register the arguments of an xlat.
Definition xlat_func.c:363
xlat_func_call_env_set
void xlat_func_call_env_set(xlat_t *x, call_env_method_t const *env_method)
Register call environment of an xlat.
Definition xlat_func.c:380
xlat_func_register
xlat_t * xlat_func_register(TALLOC_CTX *ctx, char const *name, xlat_func_t func, fr_type_t return_type)
Register an xlat function.
Definition xlat_func.c:216
xlat_func_unregister
void xlat_func_unregister(char const *name)
Unregister an xlat function.
Definition xlat_func.c:507
xlat_func_safe_for_set
#define xlat_func_safe_for_set(_xlat, _escaped)
Set the escaped values for output boxes.
Definition xlat_func.h:82
XLAT_FUNC_FLAG_PURE
@ XLAT_FUNC_FLAG_PURE
Definition xlat_func.h:38
xlat_s
Definition xlat_priv.h:59
Generated by   doxygen 1.9.8