The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
rlm_ldap.h File Reference

LDAP authorization and authentication module headers. More...

#include <freeradius-devel/server/base.h>
#include <freeradius-devel/server/module_rlm.h>
#include <freeradius-devel/ldap/base.h>


Data Structures

struct  ldap_acct_section_t
 
struct  ldap_autz_call_env_t
 Call environment used in LDAP authorization. More...
 
struct  ldap_autz_ctx_t
 Holds state of in progress async authorization. More...
 
struct  ldap_memberof_xlat_ctx_t
 Holds state of in progress group membership check xlat. More...
 
struct  ldap_xlat_memberof_call_env_t
 Call environment used in group membership xlat. More...
 
struct  rlm_ldap_t
 
struct  rlm_ldap_t.group
 
struct  rlm_ldap_t.user
 

Enumerations

enum  ldap_access_state_t {
  LDAP_ACCESS_ALLOWED = 0 ,
  LDAP_ACCESS_DISALLOWED ,
  LDAP_ACCESS_SUSPENDED
}
 User's access state. More...
 
enum  ldap_autz_status_t {
  LDAP_AUTZ_FIND = 0 ,
  LDAP_AUTZ_GROUP ,
  LDAP_AUTZ_POST_GROUP ,
  LDAP_AUTZ_MAP ,
  LDAP_AUTZ_DEFAULT_PROFILE ,
  LDAP_AUTZ_POST_DEFAULT_PROFILE ,
  LDAP_AUTZ_USER_PROFILE
}
 State list for resumption of authorization. More...
 
enum  ldap_group_xlat_status_t {
  GROUP_XLAT_FIND_USER = 0 ,
  GROUP_XLAT_MEMB_FILTER ,
  GROUP_XLAT_MEMB_ATTR
}
 State list for xlat evaluation of LDAP group membership. More...
 

Functions

static char const * rlm_find_user_dn_cached (request_t *request)
 
unlang_action_t rlm_ldap_cacheable_groupobj (rlm_rcode_t *p_result, request_t *request, ldap_autz_ctx_t *autz_ctx)
 Convert group membership information into attributes. More...
 
unlang_action_t rlm_ldap_cacheable_userobj (rlm_rcode_t *p_result, request_t *request, ldap_autz_ctx_t *autz_ctx, char const *attr)
 Convert group membership information into attributes. More...
 
ldap_access_state_t rlm_ldap_check_access (rlm_ldap_t const *inst, request_t *request, LDAPMessage *entry)
 Check for presence of access attribute in result. More...
 
unlang_action_t rlm_ldap_check_cached (rlm_rcode_t *p_result, rlm_ldap_t const *inst, request_t *request, fr_value_box_t const *check)
 Check group membership attributes to see if a user is a member. More...
 
unlang_action_t rlm_ldap_check_groupobj_dynamic (rlm_rcode_t *p_result, request_t *request, ldap_memberof_xlat_ctx_t *xlat_ctx)
 Initiate an LDAP search to determine group membership, querying group objects. More...
 
void rlm_ldap_check_reply (request_t *request, rlm_ldap_t const *inst, char const *inst_name, bool expect_password, fr_ldap_thread_trunk_t const *ttrunk)
 Verify we got a password from the search. More...
 
unlang_action_t rlm_ldap_check_userobj_dynamic (rlm_rcode_t *p_result, request_t *request, ldap_memberof_xlat_ctx_t *xlat_ctx)
 Query the LDAP directory to check if a user object is a member of a group. More...
 
unlang_action_t rlm_ldap_find_user_async (TALLOC_CTX *ctx, rlm_ldap_t const *inst, request_t *request, fr_value_box_t *base, fr_value_box_t *filter_box, fr_ldap_thread_trunk_t *ttrunk, char const *attrs[], fr_ldap_query_t **query_out)
 Initiate asynchronous retrieval of the DN of a user object. More...
 
unlang_action_t rlm_ldap_map_profile (fr_ldap_result_code_t *ret, rlm_ldap_t const *inst, request_t *request, fr_ldap_thread_trunk_t *ttrunk, char const *dn, int scope, char const *filter, fr_ldap_map_exp_t const *expanded)
 Search for and apply an LDAP profile. More...
 

Variables

HIDDEN fr_dict_attr_t const * attr_cleartext_password
 
HIDDEN fr_dict_attr_t const * attr_crypt_password
 
HIDDEN fr_dict_attr_t const * attr_ldap_userdn
 
HIDDEN fr_dict_attr_t const * attr_nt_password
 
HIDDEN fr_dict_attr_t const * attr_password
 
HIDDEN fr_dict_attr_t const * attr_password_with_header
 
HIDDEN fr_dict_attr_t const * attr_user_name
 
HIDDEN fr_dict_attr_t const * attr_user_password
 

Detailed Description

LDAP authorization and authentication module headers.

Id
d86e8f687a0b729128b313bec560878fe2dca7eb
Note
Do not rename to ldap.h. This causes configure checks to break in stupid ways, where the configure script will use the local ldap.h file, instead of the one from libldap.
Author
Arran Cudbard-Bell (a.cudbardb@freeradius.org)

Definition in file rlm_ldap.h.


Data Structure Documentation

◆ ldap_acct_section_t

struct ldap_acct_section_t

Definition at line 20 of file rlm_ldap.h.

Data Fields
CONF_SECTION * cs Section configuration.
char const * reference Configuration reference string.

◆ ldap_autz_call_env_t

struct ldap_autz_call_env_t

Call environment used in LDAP authorization.

Definition at line 135 of file rlm_ldap.h.

Data Fields
fr_value_box_t default_profile If this is set, we will search for a profile object with this name, and map any attributes it contains.

No value should be set if profiles are not being used as there is an associated performance penalty.

fr_value_box_t const * expect_password True if the user_map included a mapping between an LDAP attribute and one of our password reference attributes.
fr_value_box_t group_base Base DN in which to search for groups.
tmpl_t * group_filter tmpl to expand as group membership filter.
fr_value_box_t profile_filter Filter to use when searching for profiles.
fr_value_box_t user_base Base DN in which to search for users.
fr_value_box_t user_filter Filter to use when searching for users.
map_list_t * user_map Attribute map applied to users and profiles.

◆ ldap_autz_ctx_t

struct ldap_autz_ctx_t

Holds state of in progress async authorization.

Definition at line 191 of file rlm_ldap.h.

Data Fields
ldap_access_state_t access_state What state a user's account is in.
ldap_autz_call_env_t * call_env
dl_module_inst_t const * dlinst
char const * dn
LDAPMessage * entry
fr_ldap_map_exp_t expanded
rlm_ldap_t const * inst
char * profile_value
struct berval ** profile_values
fr_ldap_query_t * query
ldap_autz_status_t status
fr_ldap_thread_trunk_t * ttrunk
int value_idx

◆ ldap_memberof_xlat_ctx_t

struct ldap_memberof_xlat_ctx_t

Holds state of in progress group membership check xlat.

Definition at line 218 of file rlm_ldap.h.

Data Fields
char const * attrs[2]
fr_value_box_t * basedn
char const * dn
ldap_xlat_memberof_call_env_t * env_data
fr_value_box_t * filter
bool found
fr_value_box_t * group
bool group_is_dn
rlm_ldap_t const * inst
fr_ldap_query_t * query
ldap_group_xlat_status_t status
fr_ldap_thread_trunk_t * ttrunk

◆ ldap_xlat_memberof_call_env_t

struct ldap_xlat_memberof_call_env_t

Call environment used in group membership xlat.

Definition at line 155 of file rlm_ldap.h.

Data Fields
fr_value_box_t group_base Base DN in which to search for groups.
tmpl_t * group_filter tmpl to expand as group membership filter.
fr_value_box_t user_base Base DN in which to search for users.
fr_value_box_t user_filter Filter to use when searching for users.

◆ rlm_ldap_t

struct rlm_ldap_t

Definition at line 26 of file rlm_ldap.h.

Data Fields
ldap_acct_section_t * accounting Modify mappings for accounting.
fr_trunk_conf_t bind_trunk_conf Trunk configuration for trunk used for bind auths.
struct rlm_ldap_t group
fr_ldap_config_t handle_config Connection configuration instance.
ldap_acct_section_t * postauth Modify mappings for post-auth.
char const * profile_attr Attribute that identifies profiles to apply.

May appear in userobj or groupobj.

char const * profile_attr_suspend Attribute that identifies profiles to apply when the user's account is suspended.

May appear in userobj or groupobj.

int profile_scope Search scope.
fr_trunk_conf_t trunk_conf Trunk configuration.
struct rlm_ldap_t user
char const * valuepair_attr Generic dynamic mapping attribute, contains a RADIUS attribute and value.

◆ rlm_ldap_t.group

struct rlm_ldap_t.group

Definition at line 61 of file rlm_ldap.h.

Data Fields
bool allow_dangling_refs Don't error if we fail to resolve a group DN referenced from a user object.
char const * attribute Sets the attribute we use when comparing group memberships.
char const * cache_attribute Sets the attribute we use when creating and retrieving cached group memberships.
fr_dict_attr_t const * cache_da The DA associated with this specific instance of the rlm_ldap module.
bool cacheable_dn If true, the server will determine the complete set of group memberships for the current user object, perform any resolution necessary to determine the DNs of those groups, then write them to the control list (LDAP-GroupDN).
bool cacheable_name If true, the server will determine the complete set of group memberships for the current user object, perform any resolution necessary to determine the names of those groups, then write them to the control list (LDAP-Group).
fr_dict_attr_t const * da The DA associated with this specific instance of the rlm_ldap module.
char const * obj_filter Filter to retrieve only group objects.
char const * obj_membership_filter Filter to only retrieve groups which contain the user as a member.
char const * obj_name_attr The name of the group.
int obj_scope Search scope.
bool skip_on_suspend Don't process groups if the user is suspended.
char const * userobj_membership_attr Attribute that describes groups the user is a member of.

◆ rlm_ldap_t.user

struct rlm_ldap_t.user

Definition at line 35 of file rlm_ldap.h.

Data Fields
bool access_positive If true, the presence of the attribute will allow access; otherwise it will deny access.
char const * access_value_negate If the value of the access_attr matches this, the result will be negated.
char const * access_value_suspend Value that indicates suspension.

Is not affected by access_positive and will always allow access, but will apply a different profile.

bool expect_password Allow the user to forcefully decide if a password should be expected.

Controls whether warnings are issued.

bool expect_password_is_set Whether an expect password value was provided.
char const * obj_access_attr Attribute to check to see if the user should be locked out.
int obj_scope Search scope.
char const * obj_sort_by List of attributes to sort by.
LDAPControl * obj_sort_ctrl Server side sort control.

Enumeration Type Documentation

◆ ldap_access_state_t

User's access state.

Enumerator
LDAP_ACCESS_ALLOWED 

User is allowed to login.

LDAP_ACCESS_DISALLOWED 

User is not allowed to login (disabled).

LDAP_ACCESS_SUSPENDED 

User account has been suspended.

Definition at line 182 of file rlm_ldap.h.

◆ ldap_autz_status_t

State list for resumption of authorization.

Enumerator
LDAP_AUTZ_FIND 
LDAP_AUTZ_GROUP 
LDAP_AUTZ_POST_GROUP 
LDAP_AUTZ_MAP 
LDAP_AUTZ_DEFAULT_PROFILE 
LDAP_AUTZ_POST_DEFAULT_PROFILE 
LDAP_AUTZ_USER_PROFILE 

Definition at line 165 of file rlm_ldap.h.

◆ ldap_group_xlat_status_t

State list for xlat evaluation of LDAP group membership.

Enumerator
GROUP_XLAT_FIND_USER 
GROUP_XLAT_MEMB_FILTER 
GROUP_XLAT_MEMB_ATTR 

Definition at line 209 of file rlm_ldap.h.

Function Documentation

◆ rlm_find_user_dn_cached()

static char const* rlm_find_user_dn_cached ( request_t request)
inlinestatic

Definition at line 246 of file rlm_ldap.h.


◆ rlm_ldap_cacheable_groupobj()

unlang_action_t rlm_ldap_cacheable_groupobj ( rlm_rcode_t p_result,
request_t request,
ldap_autz_ctx_t autz_ctx 
)

Convert group membership information into attributes.

Parameters
[out]p_resultThe result of trying to resolve a dn to a group name.
[in]requestCurrent request.
[in]autz_ctxLDAP authorization context being processed.
Returns
An unlang_action_t; the RLM_MODULE_* result code is written to p_result.

Definition at line 700 of file groups.c.


◆ rlm_ldap_cacheable_userobj()

unlang_action_t rlm_ldap_cacheable_userobj ( rlm_rcode_t p_result,
request_t request,
ldap_autz_ctx_t autz_ctx,
char const *  attr 
)

Convert group membership information into attributes.

This may only need to parse attribute values already present in the user object, or it may need to yield to further LDAP searches, depending on what was returned and what is configured to be cached.

Parameters
[out]p_resultThe result of trying to resolve a dn to a group name.
[in]requestCurrent request.
[in]autz_ctxLDAP authorization context being processed.
[in]attrmembership attribute to look for in the entry.
Returns
An unlang_action_t; the RLM_MODULE_* result code is written to p_result.

Definition at line 443 of file groups.c.


◆ rlm_ldap_check_access()

ldap_access_state_t rlm_ldap_check_access ( rlm_ldap_t const *  inst,
request_t request,
LDAPMessage *  entry 
)

Check for presence of access attribute in result.

Parameters
[in]instrlm_ldap configuration.
[in]requestCurrent request.
[in]entryretrieved by rlm_ldap_find_user or fr_ldap_search.
Returns
One of the ldap_access_state_t values (LDAP_ACCESS_ALLOWED, LDAP_ACCESS_DISALLOWED or LDAP_ACCESS_SUSPENDED).
Definition at line 195 of file user.c.


◆ rlm_ldap_check_cached()

unlang_action_t rlm_ldap_check_cached ( rlm_rcode_t p_result,
rlm_ldap_t const *  inst,
request_t request,
fr_value_box_t const *  check 
)

Check group membership attributes to see if a user is a member.

Parameters
[out]p_resultResult of calling the module.
[in]instrlm_ldap configuration.
[in]requestCurrent request.
[in]checkvb containing the group value (name or dn).

Definition at line 1155 of file groups.c.


◆ rlm_ldap_check_groupobj_dynamic()

unlang_action_t rlm_ldap_check_groupobj_dynamic ( rlm_rcode_t p_result,
request_t request,
ldap_memberof_xlat_ctx_t xlat_ctx 
)

Initiate an LDAP search to determine group membership, querying group objects.

Used by the LDAP group membership xlat.

Parameters
p_resultCurrent module result code.
requestCurrent request.
xlat_ctxxlat context being processed.

Definition at line 786 of file groups.c.


◆ rlm_ldap_check_reply()

void rlm_ldap_check_reply ( request_t request,
rlm_ldap_t const *  inst,
char const *  inst_name,
bool  expect_password,
fr_ldap_thread_trunk_t const *  ttrunk 
)

Verify we got a password from the search.

Checks whether, after the LDAP to RADIUS mapping has been completed, a reference password was found.

Parameters
[in]requestCurrent request.
[in]instCurrent LDAP instance.
[in]inst_nameName of LDAP module instance for debug messages.
[in]expect_passwordWhether we should be expecting a password.
[in]ttrunkthe connection thread trunk.

Definition at line 247 of file user.c.


◆ rlm_ldap_check_userobj_dynamic()

unlang_action_t rlm_ldap_check_userobj_dynamic ( rlm_rcode_t p_result,
request_t request,
ldap_memberof_xlat_ctx_t xlat_ctx 
)

Query the LDAP directory to check if a user object is a member of a group.

Parameters
[out]p_resultResult of calling the module.
[in]requestCurrent request.
[in]xlat_ctxContext of the xlat being evaluated.

Definition at line 1117 of file groups.c.


◆ rlm_ldap_find_user_async()

unlang_action_t rlm_ldap_find_user_async ( TALLOC_CTX *  ctx,
rlm_ldap_t const *  inst,
request_t request,
fr_value_box_t base,
fr_value_box_t filter,
fr_ldap_thread_trunk_t ttrunk,
char const *  attrs[],
fr_ldap_query_t **  query_out 
)

Initiate asynchronous retrieval of the DN of a user object.

Retrieves the DN of a user and adds it to the control list as LDAP-UserDN. Any additional attributes passed in attrs are also retrieved.

This potentially allows for all authorization and authentication checks to be performed in one ldap search operation, which is a big bonus given the number of crappy, slow cough*AD*cough LDAP directory servers out there.

Parameters
[in]ctxin which to allocate the query.
[in]instrlm_ldap configuration.
[in]requestCurrent request.
[in]baseDN to search in.
[in]filterto use in LDAP search.
[in]ttrunkLDAP thread trunk to use.
[in]attrsAdditional attributes to retrieve, may be NULL.
[in]query_outWhere to put a pointer to the LDAP query structure - for extracting extra returned attributes, may be NULL.
Returns
  • UNLANG_ACTION_PUSHED_CHILD on success.
  • UNLANG_ACTION_FAIL on failure.

Definition at line 155 of file user.c.


◆ rlm_ldap_map_profile()

unlang_action_t rlm_ldap_map_profile ( fr_ldap_result_code_t ret,
rlm_ldap_t const *  inst,
request_t request,
fr_ldap_thread_trunk_t ttrunk,
char const *  dn,
int  scope,
char const *  filter,
fr_ldap_map_exp_t const *  expanded 
)

Search for and apply an LDAP profile.

LDAP profiles are mapped using the same attribute map as user objects, they're used to add common sets of attributes to the request.

Parameters
[out]retWhere to write the result of the query.
[in]instLDAP module instance.
[in]requestCurrent request.
[in]ttrunkTrunk connection on which to run LDAP queries.
[in]dnof profile object to apply.
[in]scopeto apply when looking up profiles.
[in]filterto apply when looking up profiles.
[in]expandedStructure containing a list of xlat expanded attribute names and mapping information.
Returns
One of the RLM_MODULE_* values.

Definition at line 134 of file profile.c.


Variable Documentation

◆ attr_cleartext_password

HIDDEN fr_dict_attr_t const* attr_cleartext_password
extern

Definition at line 312 of file rlm_ldap.c.

◆ attr_crypt_password

HIDDEN fr_dict_attr_t const* attr_crypt_password
extern

Definition at line 313 of file rlm_ldap.c.

◆ attr_ldap_userdn

HIDDEN fr_dict_attr_t const* attr_ldap_userdn
extern

Definition at line 314 of file rlm_ldap.c.

◆ attr_nt_password

HIDDEN fr_dict_attr_t const* attr_nt_password
extern

Definition at line 315 of file rlm_ldap.c.

◆ attr_password

HIDDEN fr_dict_attr_t const* attr_password
extern

Definition at line 311 of file rlm_ldap.c.

◆ attr_password_with_header

HIDDEN fr_dict_attr_t const* attr_password_with_header
extern

Definition at line 316 of file rlm_ldap.c.

◆ attr_user_name

HIDDEN fr_dict_attr_t const* attr_user_name
extern

Definition at line 97 of file base.c.

◆ attr_user_password

HIDDEN fr_dict_attr_t const* attr_user_password
extern

Definition at line 106 of file rlm_eap_fast.c.