LDAP authorization and authentication module headers. More...

#include <freeradius-devel/server/base.h>
#include <freeradius-devel/server/module_rlm.h>
#include <freeradius-devel/ldap/base.h>

Include dependency graph for rlm_ldap.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures
struct	ldap_acct_section_t

struct	ldap_autz_call_env_t
	Call environment used in LDAP authorization. More...

struct	ldap_autz_ctx_t
	Holds state of in progress async authorization. More...

struct	ldap_group_xlat_ctx_t
	Holds state of in progress group membership check xlat. More...

struct	ldap_xlat_memberof_call_env_t
	Call environment used in group membership xlat. More...

struct	rlm_ldap_t

struct	rlm_ldap_t.group

struct	rlm_ldap_t.user

Enumerations
enum	ldap_access_state_t { LDAP_ACCESS_ALLOWED = 0 , LDAP_ACCESS_DISALLOWED , LDAP_ACCESS_SUSPENDED }
	User's access state. More...

enum	ldap_autz_status_t { LDAP_AUTZ_FIND = 0 , LDAP_AUTZ_GROUP , LDAP_AUTZ_POST_GROUP , LDAP_AUTZ_MAP , LDAP_AUTZ_DEFAULT_PROFILE , LDAP_AUTZ_POST_DEFAULT_PROFILE , LDAP_AUTZ_USER_PROFILE }
	State list for resumption of authorization. More...

enum	ldap_group_xlat_status_t { GROUP_XLAT_FIND_USER = 0 , GROUP_XLAT_MEMB_FILTER , GROUP_XLAT_MEMB_ATTR }
	State list for xlat evaluation of LDAP group membership. More...

Functions
static char const *	rlm_find_user_dn_cached (request_t *request)

unlang_action_t	rlm_ldap_cacheable_groupobj (rlm_rcode_t p_result, request_t request, ldap_autz_ctx_t *autz_ctx)
	Convert group membership information into attributes. More...

unlang_action_t	rlm_ldap_cacheable_userobj (rlm_rcode_t p_result, request_t request, ldap_autz_ctx_t autz_ctx, char const attr)
	Convert group membership information into attributes. More...

ldap_access_state_t	rlm_ldap_check_access (rlm_ldap_t const inst, request_t request, LDAPMessage *entry)
	Check for presence of access attribute in result. More...

unlang_action_t	rlm_ldap_check_cached (rlm_rcode_t p_result, rlm_ldap_t const inst, request_t request, fr_value_box_t const check)
	Check group membership attributes to see if a user is a member. More...

unlang_action_t	rlm_ldap_check_groupobj_dynamic (rlm_rcode_t p_result, request_t request, ldap_group_xlat_ctx_t *xlat_ctx)
	Initiate an LDAP search to determine group membership, querying group objects. More...

void	rlm_ldap_check_reply (request_t request, rlm_ldap_t const inst, char const inst_name, bool expect_password, fr_ldap_thread_trunk_t const ttrunk)
	Verify we got a password from the search. More...

unlang_action_t	rlm_ldap_check_userobj_dynamic (rlm_rcode_t p_result, request_t request, ldap_group_xlat_ctx_t *xlat_ctx)
	Query the LDAP directory to check if a user object is a member of a group. More...

unlang_action_t	rlm_ldap_find_user_async (TALLOC_CTX ctx, rlm_ldap_t const inst, request_t request, fr_value_box_t base, fr_value_box_t filter_box, fr_ldap_thread_trunk_t ttrunk, char const attrs[], fr_ldap_query_t *query_out)
	Initiate asynchronous retrieval of the DN of a user object. More...

unlang_action_t	rlm_ldap_map_profile (fr_ldap_result_code_t ret, rlm_ldap_t const inst, request_t request, fr_ldap_thread_trunk_t ttrunk, char const dn, int scope, char const filter, fr_ldap_map_exp_t const *expanded)
	Search for and apply an LDAP profile. More...

Variables
HIDDEN fr_dict_attr_t const *	attr_cleartext_password

HIDDEN fr_dict_attr_t const *	attr_crypt_password

HIDDEN fr_dict_attr_t const *	attr_ldap_userdn

HIDDEN fr_dict_attr_t const *	attr_nt_password

HIDDEN fr_dict_attr_t const *	attr_password

HIDDEN fr_dict_attr_t const *	attr_password_with_header

HIDDEN fr_dict_attr_t const *	attr_user_name

HIDDEN fr_dict_attr_t const *	attr_user_password

Detailed Description

LDAP authorization and authentication module headers.

Id: 550b3edf7b2e043a1c07c209c78729f015d3af1a

Note: Do not rename to ldap.h. This causes configure checks to break in stupid ways, where the configure script will use the local ldap.h file, instead of the one from libldap.

Author: Arran Cudbard-Bell (a.cud.nosp@m.bard.nosp@m.b@fre.nosp@m.erad.nosp@m.ius.o.nosp@m.rg)

Copyright: 2015 Arran Cudbard-Bell (a.cud.nosp@m.bard.nosp@m.b@fre.nosp@m.erad.nosp@m.ius.o.nosp@m.rg); 2013 Network RADIUS SAS (legal.nosp@m.@net.nosp@m.workr.nosp@m.adiu.nosp@m.s.com); 2013-2015 The FreeRADIUS Server Project.

Definition in file rlm_ldap.h.

Data Structure Documentation

◆ ldap_acct_section_t

struct ldap_acct_section_t

Definition at line 20 of file rlm_ldap.h.

Collaboration diagram for ldap_acct_section_t:

Data Fields
CONF_SECTION *	cs	Section configuration.
char const *	reference	Configuration reference string.

◆ ldap_autz_call_env_t

struct ldap_autz_call_env_t

Call environment used in LDAP authorization.

Definition at line 137 of file rlm_ldap.h.

Collaboration diagram for ldap_autz_call_env_t:

Data Fields
fr_value_box_t	default_profile	If this is set, we will search for a profile object with this name, and map any attributes it contains. No value should be set if profiles are not being used as there is an associated performance penalty.
fr_value_box_t const *	expect_password	True if the user_map included a mapping between an LDAP attribute and one of our password reference attributes.
fr_value_box_t	group_base	Base DN in which to search for groups.
tmpl_t *	group_filter	tmpl to expand as group membership filter.
fr_value_box_t	profile_filter	Filter to use when searching for profiles.
fr_value_box_t	user_base	Base DN in which to search for users.
fr_value_box_t	user_filter	Filter to use when searching for users.
map_list_t *	user_map	Attribute map applied to users and profiles.

◆ ldap_autz_ctx_t

struct ldap_autz_ctx_t

Holds state of in progress async authorization.

Definition at line 193 of file rlm_ldap.h.

Collaboration diagram for ldap_autz_ctx_t:

Data Fields
ldap_access_state_t	access_state	What state a user's account is in.
ldap_autz_call_env_t *	call_env
module_instance_t const *	dlinst
char const *	dn
LDAPMessage *	entry
fr_ldap_map_exp_t	expanded
rlm_ldap_t const *	inst
char *	profile_value
struct berval **	profile_values
fr_ldap_query_t *	query
ldap_autz_status_t	status
fr_ldap_thread_trunk_t *	ttrunk
int	value_idx

◆ ldap_group_xlat_ctx_t

struct ldap_group_xlat_ctx_t

Holds state of in progress group membership check xlat.

Definition at line 220 of file rlm_ldap.h.

Collaboration diagram for ldap_group_xlat_ctx_t:

Data Fields
char const *	attrs[2]
fr_value_box_t *	basedn
char const *	dn
ldap_xlat_memberof_call_env_t *	env_data
fr_value_box_t *	filter
bool	found
fr_value_box_t *	group
bool	group_is_dn
rlm_ldap_t const *	inst
fr_ldap_query_t *	query
ldap_group_xlat_status_t	status
fr_ldap_thread_trunk_t *	ttrunk

◆ ldap_xlat_memberof_call_env_t

struct ldap_xlat_memberof_call_env_t

Call environment used in group membership xlat.

Definition at line 157 of file rlm_ldap.h.

Collaboration diagram for ldap_xlat_memberof_call_env_t:

Data Fields
fr_value_box_t	group_base	Base DN in which to search for groups.
tmpl_t *	group_filter	tmpl to expand as group membership filter.
fr_value_box_t	user_base	Base DN in which to search for users.
fr_value_box_t	user_filter	Filter to use when searching for users.

◆ rlm_ldap_t

struct rlm_ldap_t

Definition at line 26 of file rlm_ldap.h.

Collaboration diagram for rlm_ldap_t:

Data Fields
ldap_acct_section_t *	accounting	Modify mappings for accounting.
trunk_conf_t	bind_trunk_conf	Trunk configuration for trunk used for bind auths.
struct rlm_ldap_t	group
fr_ldap_config_t	handle_config	Connection configuration instance.
module_instance_t const *	mi	Module instance data for thread lookups.
ldap_acct_section_t *	postauth	Modify mappings for post-auth.
char const *	profile_attr	Attribute that identifies profiles to apply. May appear in userobj or groupobj.
char const *	profile_attr_suspend	Attribute that identifies profiles to apply when the user's account is suspended. May appear in userobj or groupobj.
int	profile_scope	Search scope.
trunk_conf_t	trunk_conf	Trunk configuration.
struct rlm_ldap_t	user
char const *	valuepair_attr	Generic dynamic mapping attribute, contains a RADIUS attribute and value.

◆ rlm_ldap_t.group

struct rlm_ldap_t.group

Definition at line 61 of file rlm_ldap.h.

Data Fields
bool	allow_dangling_refs	Don't error if we fail to resolve a group DN referenced from a user object.
char const *	attribute	Sets the attribute we use when comparing group group memberships.
char const *	cache_attribute	Sets the attribute we use when creating and retrieving cached group memberships.
fr_dict_attr_t const *	cache_da	The DA associated with this specific instance of the rlm_ldap module.
bool	cacheable_dn	If true the server will determine complete set of group memberships for the current user object, and perform any resolution necessary to determine the DNs of those groups, then right them to the control list (LDAP-GroupDN).
bool	cacheable_name	If true the server will determine complete set of group memberships for the current user object, and perform any resolution necessary to determine the names of those groups, then right them to the control list (LDAP-Group).
fr_dict_attr_t const *	da	The DA associated with this specific instance of the rlm_ldap module.
char const *	obj_filter	Filter to retrieve only group objects.
char const *	obj_membership_filter	Filter to only retrieve groups which contain the user as a member.
char const *	obj_name_attr	The name of the group.
int	obj_scope	Search scope.
bool	skip_on_suspend	Don't process groups if the user is suspended.
char const *	userobj_membership_attr	Attribute that describes groups the user is a member of.

◆ rlm_ldap_t.user

struct rlm_ldap_t.user

Definition at line 35 of file rlm_ldap.h.

Data Fields
bool	access_positive	If true the presence of the attribute will allow access, else it will deny access.
char const *	access_value_negate	If the value of the access_attr matches this, the result will be negated.
char const *	access_value_suspend	Value that indicates suspension. Is not affected by access_positive and will always allow access, but will apply a different profile.
bool	expect_password	Allow the user to forcefully decide if a password should be expected. Controls whether warnings are issued.
bool	expect_password_is_set	Whether an expect password value was provided.
char const *	obj_access_attr	Attribute to check to see if the user should be locked out.
int	obj_scope	Search scope.
char const *	obj_sort_by	List of attributes to sort by.
LDAPControl *	obj_sort_ctrl	Server side sort control.

Enumeration Type Documentation

◆ ldap_access_state_t

enum ldap_access_state_t

User's access state.

Enumerator
LDAP_ACCESS_ALLOWED	User is allowed to login.
LDAP_ACCESS_DISALLOWED	User it not allow to login (disabled)
LDAP_ACCESS_SUSPENDED	User account has been suspended.

Definition at line 184 of file rlm_ldap.h.

◆ ldap_autz_status_t

enum ldap_autz_status_t

State list for resumption of authorization.

Enumerator
LDAP_AUTZ_FIND
LDAP_AUTZ_GROUP
LDAP_AUTZ_POST_GROUP
LDAP_AUTZ_MAP
LDAP_AUTZ_DEFAULT_PROFILE
LDAP_AUTZ_POST_DEFAULT_PROFILE
LDAP_AUTZ_USER_PROFILE

Definition at line 167 of file rlm_ldap.h.

◆ ldap_group_xlat_status_t

enum ldap_group_xlat_status_t

State list for xlat evaluation of LDAP group membership.

Enumerator
GROUP_XLAT_FIND_USER
GROUP_XLAT_MEMB_FILTER
GROUP_XLAT_MEMB_ATTR

Definition at line 211 of file rlm_ldap.h.

Function Documentation

◆ rlm_find_user_dn_cached()

static char const* rlm_find_user_dn_cached ( request_t * request )

inlinestatic

Definition at line 248 of file rlm_ldap.h.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ rlm_ldap_cacheable_groupobj()

unlang_action_t rlm_ldap_cacheable_groupobj	(	rlm_rcode_t *	p_result,
		request_t *	request,
		ldap_autz_ctx_t *	autz_ctx
	)

Convert group membership information into attributes.

Parameters

[out]	p_result	The result of trying to resolve a dn to a group name.
[in]	request	Current request.
[in]	autz_ctx	Authentication context being processed.

Returns: One of the RLM_MODULE_* values.

Definition at line 700 of file groups.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ rlm_ldap_cacheable_userobj()

unlang_action_t rlm_ldap_cacheable_userobj	(	rlm_rcode_t *	p_result,
		request_t *	request,
		ldap_autz_ctx_t *	autz_ctx,
		char const *	attr
	)

Convert group membership information into attributes.

This may just be able to parse attribute values in the user object or it may need to yield to other LDAP searches depending on what was returned and what is set to be cached.

Parameters

[out]	p_result	The result of trying to resolve a dn to a group name.
[in]	request	Current request.
[in]	autz_ctx	LDAP authorization context being processed.
[in]	attr	membership attribute to look for in the entry.

Returns: One of the RLM_MODULE_* values.

Definition at line 443 of file groups.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ rlm_ldap_check_access()

ldap_access_state_t rlm_ldap_check_access	(	rlm_ldap_t const *	inst,
		request_t *	request,
		LDAPMessage *	entry
	)

Check for presence of access attribute in result.

Parameters

[in]	inst	rlm_ldap configuration.
[in]	request	Current request.
[in]	entry	retrieved by rlm_ldap_find_user or fr_ldap_search.

Returns

RLM_MODULE_DISALLOW if the user was denied access.
RLM_MODULE_OK otherwise.

Definition at line 199 of file user.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ rlm_ldap_check_cached()

unlang_action_t rlm_ldap_check_cached	(	rlm_rcode_t *	p_result,
		rlm_ldap_t const *	inst,
		request_t *	request,
		fr_value_box_t const *	check
	)

Check group membership attributes to see if a user is a member.

Parameters

[out]	p_result	Result of calling the module.
[in]	inst	rlm_ldap configuration.
[in]	request	Current request.
[in]	check	vb containing the group value (name or dn).

Definition at line 1155 of file groups.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ rlm_ldap_check_groupobj_dynamic()

unlang_action_t rlm_ldap_check_groupobj_dynamic	(	rlm_rcode_t *	p_result,
		request_t *	request,
		ldap_group_xlat_ctx_t *	xlat_ctx
	)

Initiate an LDAP search to determine group membership, querying group objects.

Used by LDAP group membership xlat

Parameters

p_result	Current module result code.
request	Current request.
xlat_ctx	xlat context being processed.

Definition at line 786 of file groups.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ rlm_ldap_check_reply()

void rlm_ldap_check_reply	(	request_t *	request,
		rlm_ldap_t const *	inst,
		char const *	inst_name,
		bool	expect_password,
		fr_ldap_thread_trunk_t const *	ttrunk
	)

Verify we got a password from the search.

Checks to see if after the LDAP to RADIUS mapping has been completed that a reference password.

Parameters

[in]	request	Current request.
[in]	inst	Current LDAP instance.
[in]	inst_name	Name of LDAP module instance for debug messages.
[in]	expect_password	Whether we should be expecting a password.
[in]	ttrunk	the connection thread trunk.

Definition at line 251 of file user.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ rlm_ldap_check_userobj_dynamic()

unlang_action_t rlm_ldap_check_userobj_dynamic	(	rlm_rcode_t *	p_result,
		request_t *	request,
		ldap_group_xlat_ctx_t *	xlat_ctx
	)

Query the LDAP directory to check if a user object is a member of a group.

Parameters

[out]	p_result	Result of calling the module.
[in]	request	Current request.
[in]	xlat_ctx	Context of the xlat being evaluated.

Definition at line 1117 of file groups.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ rlm_ldap_find_user_async()

unlang_action_t rlm_ldap_find_user_async	(	TALLOC_CTX *	ctx,
		rlm_ldap_t const *	inst,
		request_t *	request,
		fr_value_box_t *	base,
		fr_value_box_t *	filter,
		fr_ldap_thread_trunk_t *	ttrunk,
		char const *	attrs[],
		fr_ldap_query_t **	query_out
	)

Initiate asynchronous retrieval of the DN of a user object.

Retrieves the DN of a user and adds it to the control list as LDAP-UserDN. Will also retrieve any attributes passed.

This potentially allows for all authorization and authentication checks to be performed in one ldap search operation, which is a big bonus given the number of crappy, slow cough*AD*cough LDAP directory servers out there.

Parameters

[in]	ctx	in which to allocate the query.
[in]	inst	rlm_ldap configuration.
[in]	request	Current request.
[in]	base	DN to search in.
[in]	filter	to use in LDAP search.
[in]	ttrunk	LDAP thread trunk to use.
[in]	attrs	Additional attributes to retrieve, may be NULL.
[in]	query_out	Where to put a pointer to the LDAP query structure - for extracting extra returned attributes, may be NULL.

Returns

UNLANG_ACTION_PUSHED_CHILD on success.
UNLANG_ACTION_FAIL on failure.

Definition at line 159 of file user.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ rlm_ldap_map_profile()

unlang_action_t rlm_ldap_map_profile	(	fr_ldap_result_code_t *	ret,
		rlm_ldap_t const *	inst,
		request_t *	request,
		fr_ldap_thread_trunk_t *	ttrunk,
		char const *	dn,
		int	scope,
		char const *	filter,
		fr_ldap_map_exp_t const *	expanded
	)

Search for and apply an LDAP profile.

LDAP profiles are mapped using the same attribute map as user objects, they're used to add common sets of attributes to the request.

Parameters

[out]	ret	Where to write the result of the query.
[in]	inst	LDAP module instance.
[in]	request	Current request.
[in]	ttrunk	Trunk connection on which to run LDAP queries.
[in]	dn	of profile object to apply.
[in]	scope	to apply when looking up profiles.
[in]	filter	to apply when looking up profiles.
[in]	expanded	Structure containing a list of xlat expanded attribute names and mapping information.

Returns: One of the RLM_MODULE_* values.

Definition at line 144 of file profile.c.

Here is the call graph for this function:

Here is the caller graph for this function:

Variable Documentation

◆ attr_cleartext_password

HIDDEN fr_dict_attr_t const* attr_cleartext_password

extern

Definition at line 317 of file rlm_ldap.c.

◆ attr_crypt_password

HIDDEN fr_dict_attr_t const* attr_crypt_password

extern

Definition at line 318 of file rlm_ldap.c.

◆ attr_ldap_userdn

HIDDEN fr_dict_attr_t const* attr_ldap_userdn

extern

Definition at line 319 of file rlm_ldap.c.

◆ attr_nt_password

HIDDEN fr_dict_attr_t const* attr_nt_password

extern

Definition at line 320 of file rlm_ldap.c.

◆ attr_password

HIDDEN fr_dict_attr_t const* attr_password

extern

Definition at line 316 of file rlm_ldap.c.

◆ attr_password_with_header

HIDDEN fr_dict_attr_t const* attr_password_with_header

extern

Definition at line 321 of file rlm_ldap.c.

◆ attr_user_name

HIDDEN fr_dict_attr_t const* attr_user_name

extern

Definition at line 102 of file base.c.

◆ attr_user_password

HIDDEN fr_dict_attr_t const* attr_user_password

extern

Definition at line 107 of file rlm_eap_fast.c.

Data Structures

Enumerations

Functions

Variables

Detailed Description

Data Structure Documentation

◆ ldap_acct_section_t

◆ ldap_autz_call_env_t

◆ ldap_autz_ctx_t

◆ ldap_group_xlat_ctx_t

◆ ldap_xlat_memberof_call_env_t

◆ rlm_ldap_t

◆ rlm_ldap_t.group

◆ rlm_ldap_t.user

Enumeration Type Documentation

◆ ldap_access_state_t

◆ ldap_autz_status_t

◆ ldap_group_xlat_status_t

Function Documentation

◆ rlm_find_user_dn_cached()

◆ rlm_ldap_cacheable_groupobj()

◆ rlm_ldap_cacheable_userobj()

◆ rlm_ldap_check_access()

◆ rlm_ldap_check_cached()

◆ rlm_ldap_check_groupobj_dynamic()

◆ rlm_ldap_check_reply()

◆ rlm_ldap_check_userobj_dynamic()

◆ rlm_ldap_find_user_async()

◆ rlm_ldap_map_profile()

Variable Documentation

◆ attr_cleartext_password

◆ attr_crypt_password

◆ attr_ldap_userdn

◆ attr_nt_password

◆ attr_password

◆ attr_password_with_header

◆ attr_user_name

◆ attr_user_password