The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
rlm_opendirectory.c
Go to the documentation of this file.
1 /*
2  * This program is is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License, version 2 of the
4  * License as published by the Free Software Foundation.
5  *
6  * This program is distributed in the hope that it will be useful,
7  * but WITHOUT ANY WARRANTY; without even the implied warranty of
8  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
9  * GNU General Public License for more details.
10  *
11  * You should have received a copy of the GNU General Public License
12  * along with this program; if not, write to the Free Software
13  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
14  */
15 
16 /**
17  * $Id: 55c4c26babbcb88883144c0f55ad9caf33c682fc $
18  * @file rlm_opendirectory.c
19  * @brief Allows authentication against OpenDirectory and enforces ACLS.
20  *
21  * authentication: Apple Open Directory authentication
22  * authorization: enforces ACLs
23  *
24  * @copyright 2007 Apple Inc.
25  */
26 
27 /*
28  * For a typical Makefile, add linker flag like this:
29  * LDFLAGS = -framework DirectoryService
30  */
31 USES_APPLE_DEPRECATED_API
32 #include <freeradius-devel/server/base.h>
33 #include <freeradius-devel/server/module_rlm.h>
34 #include <freeradius-devel/util/debug.h>
35 #include <freeradius-devel/util/perm.h>
36 
37 #include <ctype.h>
38 #include <stdlib.h>
39 #include <string.h>
40 #include <grp.h>
41 #include <pwd.h>
42 #include <sys/types.h>
43 #include <sys/stat.h>
44 
45 #include <DirectoryService/DirectoryService.h>
46 #include <membership.h>
47 
48 typedef struct {
49  fr_dict_enum_value_t *auth_type;
50 } rlm_opendirectory_t;
51 
52 #ifndef HAVE_DECL_MBR_CHECK_SERVICE_MEMBERSHIP
53 int mbr_check_service_membership(uuid_t const user, char const *servicename, int *ismember);
54 #endif
55 #ifndef HAVE_DECL_MBR_CHECK_MEMBERSHIP_REFRESH
56 int mbr_check_membership_refresh(uuid_t const user, uuid_t group, int *ismember);
57 #endif
58 
59 /* RADIUS service ACL constants */
60 #define kRadiusSACLName "com.apple.access_radius"
61 #define kRadiusServiceName "radius"
62 
63 static fr_dict_t const *dict_freeradius;
64 static fr_dict_t const *dict_radius;
65 
66 extern fr_dict_autoload_t rlm_opendirectory_dict[];
67 fr_dict_autoload_t rlm_opendirectory_dict[] = {
68  { .out = &dict_freeradius, .proto = "freeradius" },
69  { .out = &dict_radius, .proto = "radius" },
70  { NULL }
71 };
72 
73 static fr_dict_attr_t const *attr_auth_type;
74 static fr_dict_attr_t const *attr_user_name;
75 static fr_dict_attr_t const *attr_user_password;
76 
77 extern fr_dict_attr_autoload_t rlm_opendirectory_dict_attr[];
78 fr_dict_attr_autoload_t rlm_opendirectory_dict_attr[] = {
79  { .out = &attr_auth_type, .name = "Auth-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
80  { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius },
81  { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_radius },
82  { NULL }
83 };
84 
85 /*
86  * od_check_passwd
87  *
88  * Returns: ds err
89  */
90 
91 static long od_check_passwd(request_t *request, char const *uname, char const *password)
92 {
93  long result = eDSAuthFailed;
94  tDirReference dsRef = 0;
95  tDataBuffer *tDataBuff;
96  tDirNodeReference nodeRef = 0;
97  long status = eDSNoErr;
98  tContextData context = 0;
99  uint32_t nodeCount = 0;
100  uint32_t attrIndex = 0;
101  tDataList *nodeName = NULL;
102  tAttributeEntryPtr pAttrEntry = NULL;
103  tDataList *pRecName = NULL;
104  tDataList *pRecType = NULL;
105  tDataList *pAttrType = NULL;
106  uint32_t recCount = 0;
107  tRecordEntry *pRecEntry = NULL;
108  tAttributeListRef attrListRef = 0;
109  char *pUserLocation = NULL;
110  char *pUserName = NULL;
111  tAttributeValueListRef valueRef = 0;
112  tAttributeValueEntry *pValueEntry = NULL;
113  tDataList *pUserNode = NULL;
114  tDirNodeReference userNodeRef = 0;
115  tDataBuffer *pStepBuff = NULL;
116  tDataNode *pAuthType = NULL;
117  tAttributeValueEntry *pRecordType = NULL;
118  uint32_t uiCurr = 0;
119  uint32_t uiLen = 0;
120  uint32_t pwLen = 0;
121 
122  if (!uname || !password)
123  return result;
124 
125  do
126  {
127  status = dsOpenDirService( &dsRef );
128  if ( status != eDSNoErr )
129  return result;
130 
131  tDataBuff = dsDataBufferAllocate( dsRef, 4096 );
132  if (!tDataBuff)
133  break;
134 
135  /* find user on search node */
136  status = dsFindDirNodes( dsRef, tDataBuff, NULL, eDSSearchNodeName, &nodeCount, &context );
137  if (status != eDSNoErr || nodeCount < 1)
138  break;
139 
140  status = dsGetDirNodeName( dsRef, tDataBuff, 1, &nodeName );
141  if (status != eDSNoErr)
142  break;
143 
144  status = dsOpenDirNode( dsRef, nodeName, &nodeRef );
145  dsDataListDeallocate( dsRef, nodeName );
146  free( nodeName );
147  nodeName = NULL;
148  if (status != eDSNoErr)
149  break;
150 
151  pRecName = dsBuildListFromStrings( dsRef, uname, NULL );
152  pRecType = dsBuildListFromStrings( dsRef, kDSStdRecordTypeUsers, kDSStdRecordTypeComputers, kDSStdRecordTypeMachines, NULL );
153  pAttrType = dsBuildListFromStrings( dsRef, kDSNAttrMetaNodeLocation, kDSNAttrRecordName, kDSNAttrRecordType, NULL );
154 
155  recCount = 1;
156  status = dsGetRecordList( nodeRef, tDataBuff, pRecName, eDSExact, pRecType,
157  pAttrType, 0, &recCount, &context );
158  if ( status != eDSNoErr || recCount == 0 )
159  break;
160 
161  status = dsGetRecordEntry( nodeRef, tDataBuff, 1, &attrListRef, &pRecEntry );
162  if ( status != eDSNoErr )
163  break;
164 
165  for ( attrIndex = 1; (attrIndex <= pRecEntry->fRecordAttributeCount) && (status == eDSNoErr); attrIndex++ )
166  {
167  status = dsGetAttributeEntry( nodeRef, tDataBuff, attrListRef, attrIndex, &valueRef, &pAttrEntry );
168  if ( status == eDSNoErr && pAttrEntry != NULL )
169  {
170  if ( strcmp( pAttrEntry->fAttributeSignature.fBufferData, kDSNAttrMetaNodeLocation ) == 0 )
171  {
172  status = dsGetAttributeValue( nodeRef, tDataBuff, 1, valueRef, &pValueEntry );
173  if ( status == eDSNoErr && pValueEntry != NULL )
174  {
175  pUserLocation = talloc_zero_array(request, char, pValueEntry->fAttributeValueData.fBufferLength + 1);
176  memcpy( pUserLocation, pValueEntry->fAttributeValueData.fBufferData, pValueEntry->fAttributeValueData.fBufferLength );
177  }
178  }
179  else
180  if ( strcmp( pAttrEntry->fAttributeSignature.fBufferData, kDSNAttrRecordName ) == 0 )
181  {
182  status = dsGetAttributeValue( nodeRef, tDataBuff, 1, valueRef, &pValueEntry );
183  if ( status == eDSNoErr && pValueEntry != NULL )
184  {
185  pUserName = talloc_zero_array(request, char, pValueEntry->fAttributeValueData.fBufferLength + 1);
186  memcpy( pUserName, pValueEntry->fAttributeValueData.fBufferData, pValueEntry->fAttributeValueData.fBufferLength );
187  }
188  }
189  else
190  if ( strcmp( pAttrEntry->fAttributeSignature.fBufferData, kDSNAttrRecordType ) == 0 )
191  {
192  status = dsGetAttributeValue( nodeRef, tDataBuff, 1, valueRef, &pValueEntry );
193  if ( status == eDSNoErr && pValueEntry != NULL )
194  {
195  pRecordType = pValueEntry;
196  pValueEntry = NULL;
197  }
198  }
199 
200  if ( pValueEntry != NULL ) {
201  dsDeallocAttributeValueEntry( dsRef, pValueEntry );
202  pValueEntry = NULL;
203  }
204  if ( pAttrEntry != NULL ) {
205  dsDeallocAttributeEntry( dsRef, pAttrEntry );
206  pAttrEntry = NULL;
207  }
208  dsCloseAttributeValueList( valueRef );
209  valueRef = 0;
210  }
211  }
212 
213  pUserNode = dsBuildFromPath( dsRef, pUserLocation, "/" );
214  status = dsOpenDirNode( dsRef, pUserNode, &userNodeRef );
215  dsDataListDeallocate( dsRef, pUserNode );
216  free( pUserNode );
217  pUserNode = NULL;
218  if ( status != eDSNoErr )
219  break;
220 
221  pStepBuff = dsDataBufferAllocate( dsRef, 128 );
222 
223  pAuthType = dsDataNodeAllocateString( dsRef, kDSStdAuthNodeNativeClearTextOK );
224  uiCurr = 0;
225 
226  if (!pUserName) {
227  RDEBUG2("Failed to find user name");
228  break;
229  }
230 
231  /* User name */
232  uiLen = (uint32_t)strlen( pUserName );
233  memcpy( &(tDataBuff->fBufferData[ uiCurr ]), &uiLen, sizeof(uiLen) );
234  uiCurr += (uint32_t)sizeof( uiLen );
235  memcpy( &(tDataBuff->fBufferData[ uiCurr ]), pUserName, uiLen );
236  uiCurr += uiLen;
237 
238  /* pw */
239  pwLen = (uint32_t)strlen( password );
240  memcpy( &(tDataBuff->fBufferData[ uiCurr ]), &pwLen, sizeof(pwLen) );
241  uiCurr += (uint32_t)sizeof( pwLen );
242  memcpy( &(tDataBuff->fBufferData[ uiCurr ]), password, pwLen );
243  uiCurr += pwLen;
244 
245  tDataBuff->fBufferLength = uiCurr;
246 
247  result = dsDoDirNodeAuthOnRecordType( userNodeRef, pAuthType, 1, tDataBuff, pStepBuff, NULL, &pRecordType->fAttributeValueData );
248  }
249  while ( 0 );
250 
251  /* clean up */
252  if (pAuthType != NULL) {
253  dsDataNodeDeAllocate( dsRef, pAuthType );
254  pAuthType = NULL;
255  }
256  if (pRecordType != NULL) {
257  dsDeallocAttributeValueEntry( dsRef, pRecordType );
258  pRecordType = NULL;
259  }
260  if (tDataBuff != NULL) {
261  bzero( tDataBuff, tDataBuff->fBufferSize );
262  dsDataBufferDeAllocate( dsRef, tDataBuff );
263  tDataBuff = NULL;
264  }
265  if (pStepBuff != NULL) {
266  dsDataBufferDeAllocate( dsRef, pStepBuff );
267  pStepBuff = NULL;
268  }
269  if (pUserLocation != NULL) {
270  talloc_free(pUserLocation);
271  pUserLocation = NULL;
272  }
273  if (pUserName != NULL) {
274  talloc_free(pUserName);
275  pUserName = NULL;
276  }
277  if (pRecName != NULL) {
278  dsDataListDeallocate( dsRef, pRecName );
279  free( pRecName );
280  pRecName = NULL;
281  }
282  if (pRecType != NULL) {
283  dsDataListDeallocate( dsRef, pRecType );
284  free( pRecType );
285  pRecType = NULL;
286  }
287  if (pAttrType != NULL) {
288  dsDataListDeallocate( dsRef, pAttrType );
289  free( pAttrType );
290  pAttrType = NULL;
291  }
292  if (nodeRef != 0) {
293  dsCloseDirNode(nodeRef);
294  nodeRef = 0;
295  }
296  if (dsRef != 0) {
297  dsCloseDirService(dsRef);
298  dsRef = 0;
299  }
300 
301  return result;
302 }
303 
304 
305 /*
306  * Check the users password against the standard UNIX
307  * password table.
308  */
309 static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, UNUSED module_ctx_t const *mctx, request_t *request)
310 {
311  int ret;
312  long odResult = eDSAuthFailed;
313  fr_pair_t *username, *password;
314 
315  username = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_name);
316  password = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_password);
317 
318  /*
319  * We can only authenticate user requests which HAVE
320  * a User-Name attribute.
321  */
322  if (!username) {
323  REDEBUG("Attribute \"User-Name\" is required for authentication");
324  RETURN_MODULE_INVALID;
325  }
326 
327  if (!password) {
328  REDEBUG("Attribute \"User-Password\" is required for authentication");
329  RETURN_MODULE_INVALID;
330  }
331 
332  /*
333  * Make sure the supplied password isn't empty
334  */
335  if (password->vp_length == 0) {
336  REDEBUG("User-Password must not be empty");
337  RETURN_MODULE_INVALID;
338  }
339 
340  /*
341  * Log the password
342  */
343  if (RDEBUG_ENABLED3) {
344  RDEBUG("Login attempt with password \"%pV\"", &password->data);
345  } else {
346  RDEBUG2("Login attempt with password");
347  }
348 
349  odResult = od_check_passwd(request, username->vp_strvalue,
350  password->vp_strvalue);
351  switch (odResult) {
352  case eDSNoErr:
353  ret = RLM_MODULE_OK;
354  break;
355 
356  case eDSAuthUnknownUser:
357  case eDSAuthInvalidUserName:
358  case eDSAuthNewPasswordRequired:
359  case eDSAuthPasswordExpired:
360  case eDSAuthAccountDisabled:
361  case eDSAuthAccountExpired:
362  case eDSAuthAccountInactive:
363  case eDSAuthInvalidLogonHours:
364  case eDSAuthInvalidComputer:
365  ret = RLM_MODULE_DISALLOW;
366  break;
367 
368  default:
369  ret = RLM_MODULE_REJECT;
370  break;
371  }
372 
373  if (ret != RLM_MODULE_OK) {
374  RDEBUG2("Invalid password: %pV", &username->data);
375  return ret;
376  }
377 
378  RETURN_MODULE_OK;
379 }
380 
381 
382 /*
383  * member of the radius group?
384  */
385 static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
386 {
387  rlm_opendirectory_t const *inst = talloc_get_type_abort_const(mctx->mi->data, rlm_opendirectory_t);
388  struct passwd *userdata = NULL;
389  int ismember = 0;
390  fr_client_t *client = NULL;
391  uuid_t uuid;
392  uuid_t guid_sacl;
393  uuid_t guid_nasgroup;
394  int err;
395  char host_ipaddr[128] = {0};
396  gid_t gid;
397  fr_pair_t *username;
398 
399  /*
400  * We can only authenticate user requests which HAVE
401  * a User-Name attribute.
402  */
403  username = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_name);
404  if (!username) {
405  RDEBUG2("OpenDirectory requires a User-Name attribute");
406  RETURN_MODULE_NOOP;
407  }
408 
409  /* resolve SACL */
410  uuid_clear(guid_sacl);
411 
412  if (fr_perm_gid_from_str(request, &gid, kRadiusSACLName) < 0) {
413  RDEBUG2("The SACL group \"%s\" does not exist on this system", kRadiusSACLName);
414  } else {
415  err = mbr_gid_to_uuid(gid, guid_sacl);
416  if (err != 0) {
417  REDEBUG("The group \"%s\" does not have a GUID", kRadiusSACLName);
418  RETURN_MODULE_FAIL;
419  }
420  }
421 
422  /* resolve client access list */
423  uuid_clear(guid_nasgroup);
424 
425  client = client_from_request(request);
426 #if 0
427  if (client->community[0] != '\0' ) {
428  /*
429  * The "community" can be a GUID (Globally Unique ID) or
430  * a group name
431  */
432  if (uuid_parse(client->community, guid_nasgroup) != 0) {
433  /* attempt to resolve the name */
434  groupdata = getgrnam(client->community);
435  if (!groupdata) {
436  REDEBUG("The group \"%s\" does not exist on this system", client->community);
437  RETURN_MODULE_FAIL;
438  }
439  err = mbr_gid_to_uuid(groupdata->gr_gid, guid_nasgroup);
440  if (err != 0) {
441  REDEBUG("The group \"%s\" does not have a GUID", client->community);
442  RETURN_MODULE_FAIL;
443  }
444  }
445  }
446  else
447 #endif
448  {
449  if (!client) {
450  RDEBUG2("The client record could not be found for host %s",
451  fr_inet_ntoh(&request->packet->socket.inet.src_ipaddr, host_ipaddr, sizeof(host_ipaddr)));
452  } else {
453  RDEBUG2("The host %s does not have an access group",
454  fr_inet_ntoh(&request->packet->socket.inet.src_ipaddr, host_ipaddr, sizeof(host_ipaddr)));
455  }
456  }
457 
458  if (uuid_is_null(guid_sacl) && uuid_is_null(guid_nasgroup)) {
459  RDEBUG2("No access control groups, all users allowed");
460  goto setup_auth_type;
461  }
462 
463  /* resolve user */
464  uuid_clear(uuid);
465 
466  fr_perm_getpwnam(request, &userdata, username->vp_strvalue);
467  if (userdata != NULL) {
468  err = mbr_uid_to_uuid(userdata->pw_uid, uuid);
469  if (err != 0)
470  uuid_clear(uuid);
471  }
472  talloc_free(userdata);
473 
474  if (uuid_is_null(uuid)) {
475  REDEBUG("Could not get the user's uuid");
476  RETURN_MODULE_NOTFOUND;
477  }
478 
479  if (!uuid_is_null(guid_sacl)) {
480  err = mbr_check_service_membership(uuid, kRadiusServiceName, &ismember);
481  if (err != 0) {
482  REDEBUG("Failed to check group membership");
483  RETURN_MODULE_FAIL;
484  }
485 
486  if (ismember == 0) {
487  REDEBUG("User is not authorized");
488  RETURN_MODULE_DISALLOW;
489  }
490  }
491 
492  if (!uuid_is_null(guid_nasgroup)) {
493  err = mbr_check_membership_refresh(uuid, guid_nasgroup, &ismember);
494  if (err != 0) {
495  REDEBUG("Failed to check group membership");
496  RETURN_MODULE_FAIL;
497  }
498 
499  if (ismember == 0) {
500  REDEBUG("User is not authorized");
501  RETURN_MODULE_DISALLOW;
502  }
503  }
504 
505 setup_auth_type:
506  if (!inst->auth_type) {
507  WARN("No 'authenticate %s {...}' section or 'Auth-Type = %s' set. Cannot setup OpenDirectory authentication",
508  mctx->mi->name, mctx->mi->name);
509  RETURN_MODULE_NOOP;
510  }
511 
512  if (!module_rlm_section_type_set(request, attr_auth_type, inst->auth_type)) RETURN_MODULE_NOOP;
513 
514  RETURN_MODULE_OK;
515 }
516 
517 static int mod_instantiate(module_inst_ctx_t const *mctx)
518 {
519  rlm_opendirectory_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_opendirectory_t);
520 
521  inst->auth_type = fr_dict_enum_by_name(attr_auth_type, mctx->mi->name, -1);
522  if (!inst->auth_type) {
523  WARN("Failed to find 'authenticate %s {...}' section. OpenDirectory authentication will likely not work",
524  mctx->mi->name);
525  }
526 
527  return 0;
528 }
529 
530 /* globally exported name */
531 extern module_rlm_t rlm_opendirectory;
532 module_rlm_t rlm_opendirectory = {
533  .common = {
534  .magic = MODULE_MAGIC_INIT,
535  .name = "opendirectory",
536  .inst_size = sizeof(rlm_opendirectory_t),
537  .instantiate = mod_instantiate
538  },
539  .method_group = {
540  .bindings = (module_method_binding_t[]){
541  { .section = SECTION_NAME("authenticate", CF_IDENT_ANY), .method = mod_authenticate },
542  { .section = SECTION_NAME("recv", CF_IDENT_ANY), .method = mod_authorize },
543  MODULE_BINDING_TERMINATOR
544  }
545  }
546 };
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition: action.h:35
context
static int context
Definition: radmin.c:71
USES_APPLE_DEPRECATED_API
#define USES_APPLE_DEPRECATED_API
Definition: build.h:468
UNUSED
#define UNUSED
Definition: build.h:313
CF_IDENT_ANY
#define CF_IDENT_ANY
Definition: cf_util.h:78
err
static fr_slen_t err
Definition: dict.h:821
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition: dict.h:267
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition: dict.h:280
fr_dict_enum_by_name
fr_dict_enum_value_t * fr_dict_enum_by_name(fr_dict_attr_t const *da, char const *name, ssize_t len)
Definition: dict_util.c:3395
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition: dict.h:266
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition: dict.h:279
fr_dict_enum_value_t
Value of an enumerated attribute.
Definition: dict.h:226
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition: dl_module.h:63
free
free(array)
fr_inet_ntoh
char const * fr_inet_ntoh(fr_ipaddr_t const *src, char *out, size_t outlen)
Perform reverse resolution of an IP address.
Definition: inet.c:355
fr_client_s
Describes a host allowed to send packets to the server.
Definition: client.h:80
RDEBUG_ENABLED3
#define RDEBUG_ENABLED3
True if request debug level 1-3 messages are enabled.
Definition: log.h:335
talloc_free
talloc_free(reap)
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition: merged_model.c:83
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition: merged_model.c:99
uint32_t
unsigned int uint32_t
Definition: merged_model.c:33
fr_dict_attr_t
Definition: merged_model.c:133
fr_dict_t
Definition: merged_model.c:198
request_t
Definition: merged_model.c:210
module_ctx_t::mi
module_instance_t const * mi
Instance of the module being instantiated.
Definition: module_ctx.h:42
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition: module_ctx.h:51
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition: module_ctx.h:41
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition: module_ctx.h:50
module_rlm_section_type_set
bool module_rlm_section_type_set(request_t *request, fr_dict_attr_t const *type_da, fr_dict_enum_value_t const *enumv)
Set the next section type if it's not already set.
Definition: module_rlm.c:427
module_rlm_s::common
module_t common
Common fields presented by all modules.
Definition: module_rlm.h:39
module_rlm_s
Definition: module_rlm.h:38
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition: pair.c:693
fr_perm_getpwnam
int fr_perm_getpwnam(TALLOC_CTX *ctx, struct passwd **out, char const *name)
Resolve a username to a passwd entry.
Definition: perm.c:138
fr_perm_gid_from_str
int fr_perm_gid_from_str(TALLOC_CTX *ctx, gid_t *out, char const *name)
Resolve a group name to a GID.
Definition: perm.c:345
REDEBUG
#define REDEBUG(fmt,...)
Definition: radclient.h:52
RDEBUG2
#define RDEBUG2(fmt,...)
Definition: radclient.h:54
RDEBUG
#define RDEBUG(fmt,...)
Definition: radclient.h:53
WARN
#define WARN(fmt,...)
Definition: radclient.h:47
RETURN_MODULE_NOOP
#define RETURN_MODULE_NOOP
Definition: rcode.h:62
RETURN_MODULE_INVALID
#define RETURN_MODULE_INVALID
Definition: rcode.h:59
RETURN_MODULE_OK
#define RETURN_MODULE_OK
Definition: rcode.h:57
RETURN_MODULE_DISALLOW
#define RETURN_MODULE_DISALLOW
Definition: rcode.h:60
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition: rcode.h:40
RLM_MODULE_OK
@ RLM_MODULE_OK
The module is OK, continue.
Definition: rcode.h:43
RLM_MODULE_DISALLOW
@ RLM_MODULE_DISALLOW
Reject the request (user is locked out).
Definition: rcode.h:46
RLM_MODULE_REJECT
@ RLM_MODULE_REJECT
Immediately reject the request.
Definition: rcode.h:41
RETURN_MODULE_NOTFOUND
#define RETURN_MODULE_NOTFOUND
Definition: rcode.h:61
attr_user_password
static fr_dict_attr_t const * attr_user_password
Definition: rlm_opendirectory.c:75
dict_freeradius
static fr_dict_t const * dict_freeradius
Definition: rlm_opendirectory.c:63
rlm_opendirectory_t::auth_type
fr_dict_enum_value_t * auth_type
Definition: rlm_opendirectory.c:49
mod_authenticate
static unlang_action_t mod_authenticate(rlm_rcode_t *p_result, UNUSED module_ctx_t const *mctx, request_t *request)
Definition: rlm_opendirectory.c:309
kRadiusSACLName
#define kRadiusSACLName
Definition: rlm_opendirectory.c:60
dict_radius
static fr_dict_t const * dict_radius
Definition: rlm_opendirectory.c:64
kRadiusServiceName
#define kRadiusServiceName
Definition: rlm_opendirectory.c:61
attr_auth_type
static fr_dict_attr_t const * attr_auth_type
Definition: rlm_opendirectory.c:73
mbr_check_membership_refresh
int mbr_check_membership_refresh(uuid_t const user, uuid_t group, int *ismember)
mod_authorize
static unlang_action_t mod_authorize(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition: rlm_opendirectory.c:385
rlm_opendirectory_dict_attr
fr_dict_attr_autoload_t rlm_opendirectory_dict_attr[]
Definition: rlm_opendirectory.c:78
mbr_check_service_membership
int mbr_check_service_membership(uuid_t const user, char const *servicename, int *ismember)
attr_user_name
static fr_dict_attr_t const * attr_user_name
Definition: rlm_opendirectory.c:74
od_check_passwd
static long od_check_passwd(request_t *request, char const *uname, char const *password)
Definition: rlm_opendirectory.c:91
rlm_opendirectory
module_rlm_t rlm_opendirectory
Definition: rlm_opendirectory.c:532
rlm_opendirectory_dict
fr_dict_autoload_t rlm_opendirectory_dict[]
Definition: rlm_opendirectory.c:67
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition: rlm_opendirectory.c:517
rlm_opendirectory_t
Definition: rlm_opendirectory.c:48
instantiate
static int instantiate(module_inst_ctx_t const *mctx)
Definition: rlm_rest.c:1302
username
username
Definition: rlm_securid.c:420
SECTION_NAME
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition: section.h:40
module_instance_s::name
char const * name
Instance name e.g. user_database.
Definition: module.h:335
module_instance_s::data
void * data
Module's instance data.
Definition: module.h:271
MODULE_BINDING_TERMINATOR
#define MODULE_BINDING_TERMINATOR
Terminate a module binding list.
Definition: module.h:151
module_method_binding_s
Named methods exported by a module.
Definition: module.h:173
client_from_request
fr_client_t * client_from_request(request_t *request)
Search up a list of requests trying to locate one which has a client.
Definition: client.c:1112
RETURN_MODULE_FAIL
RETURN_MODULE_FAIL
Definition: state_machine.c:1215
inst
eap_aka_sim_process_conf_t * inst
Definition: state_machine.c:3620
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition: pair.h:68
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition: talloc.h:282
nonnull
int nonnull(2, 5))
Generated by   doxygen 1.9.1