00085 #define SQUID_NO_ALLOC_PROTECT 1
00086 #include "config.h"
00087
00088 #define LDAP_DEPRECATED 1
00089
00090 #include "rfc1738.h"
00091 #include "util.h"
00092
00093 #include <stdio.h>
00094 #include <string.h>
00095 #include <ctype.h>
00096
00097 #ifdef _SQUID_MSWIN_
00098
00099 #define snprintf _snprintf
00100 #include <windows.h>
00101 #include <winldap.h>
00102 #ifndef LDAPAPI
00103 #define LDAPAPI __cdecl
00104 #endif
00105 #ifdef LDAP_VERSION3
00106 #ifndef LDAP_OPT_X_TLS
00107 #define LDAP_OPT_X_TLS 0x6000
00108 #endif
00109
00110
00111
00112 #undef ldap_start_tls_s
00113 #if LDAP_UNICODE
00114 #define LDAP_START_TLS_S "ldap_start_tls_sW"
00115 typedef WINLDAPAPI ULONG(LDAPAPI * PFldap_start_tls_s) (IN PLDAP, OUT PULONG, OUT LDAPMessage **, IN PLDAPControlW *, IN PLDAPControlW *);
00116 #else
00117 #define LDAP_START_TLS_S "ldap_start_tls_sA"
00118 typedef WINLDAPAPI ULONG(LDAPAPI * PFldap_start_tls_s) (IN PLDAP, OUT PULONG, OUT LDAPMessage **, IN PLDAPControlA *, IN PLDAPControlA *);
00119 #endif
00120 PFldap_start_tls_s Win32_ldap_start_tls_s;
00121 #define ldap_start_tls_s(l,s,c) Win32_ldap_start_tls_s(l,NULL,NULL,s,c)
00122 #endif
00123
00124 #else
00125
00126 #include <lber.h>
00127 #include <ldap.h>
00128
00129 #endif
00130
#define PROGRAM_NAME "basic_ldap_auth"

/*
 * Helper configuration. Every value is filled in by main() from the command
 * line (option letter noted per field) and read by open_ldap_connection()
 * and checkLDAP(); nothing is changed once request processing starts.
 */
static const char *basedn;                      /* -b: base DN the user search runs under (required) */
static const char *searchfilter = NULL;         /* -f: printf-style filter locating the user DN; NULL = build "<userattr>=<user>,<basedn>" directly */
static const char *binddn = NULL;               /* -D: DN used to bind before searching */
static const char *bindpasswd = NULL;           /* -w (literal) or -W (read from file): password for binddn */
static const char *userattr = "uid";            /* -u: naming attribute used when no search filter is given */
static const char *passwdattr = NULL;           /* -U: when set, the password is verified with ldap_compare_s() on this attribute instead of a bind */
static int searchscope = LDAP_SCOPE_SUBTREE;    /* -s base|one|sub */
static int persistent = 0;                      /* -P: keep one LDAP connection open across requests */
static int bind_once = 0;                       /* -O: open a separate connection for the user bind (see checkLDAP) */
static int noreferrals = 0;                     /* -R: do not chase referrals */
static int aliasderef = LDAP_DEREF_NEVER;       /* -a never|always|search|find */
#if defined(NETSCAPE_SSL)
static const char *sslpath = NULL;              /* -E: certificate path handed to ldapssl_client_init() */
static int sslinit = 0;                         /* non-zero once the SSL client library has been initialised */
#endif
static int connect_timeout = 0;                 /* -c: seconds; 0 = option not given, library default kept */
static int timelimit = LDAP_NO_LIMIT;           /* -t: server-side search time limit */


static int use_tls = 0;                         /* -Z: upgrade the connection with StartTLS */
static int version = -1;                        /* -v: LDAP protocol version; -1 = not chosen, open_ldap_connection() then uses v3 */

static int checkLDAP(LDAP * ld, const char *userid, const char *password, const char *server, int port);
static int readSecret(const char *filename);



/* OID list meaning "return no attributes" (RFC 4511 §4.5.1); older headers lack the macro. */
#ifndef LDAP_NO_ATTRS
#define LDAP_NO_ATTRS "1.1"
#endif
00164
00165 #if defined(LDAP_API_VERSION) && LDAP_API_VERSION > 1823
/* Last error number recorded on the handle, fetched through the option API; 0 if the query does not set it. */
static int
squid_ldap_errno(LDAP * ld)
{
    int last_error = 0;
    (void) ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &last_error);
    return last_error;
}
/* Select when the server dereferences aliases (one of the LDAP_DEREF_* values). */
static void
squid_ldap_set_aliasderef(LDAP * ld, int deref)
{
    int mode = deref;
    ldap_set_option(ld, LDAP_OPT_DEREF, &mode);
}
/* Enable (non-zero) or disable (zero) automatic referral chasing on the handle. */
static void
squid_ldap_set_referrals(LDAP * ld, int referrals)
{
    void *setting = referrals ? LDAP_OPT_ON : LDAP_OPT_OFF;
    ldap_set_option(ld, LDAP_OPT_REFERRALS, setting);
}
/* Set the time limit (seconds, or LDAP_NO_LIMIT) sent with search requests. */
static void
squid_ldap_set_timelimit(LDAP * ld, int aTimeLimit)
{
    int limit = aTimeLimit;
    ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &limit);
}
/*
 * Set the connect timeout, in seconds. Prefers LDAP_OPT_NETWORK_TIMEOUT
 * (a struct timeval); otherwise uses the millisecond-valued
 * LDAP_X_OPT_CONNECT_TIMEOUT. With neither option available this is a no-op.
 */
static void
squid_ldap_set_connect_timeout(LDAP * ld, int aTimeLimit)
{
#if defined(LDAP_OPT_NETWORK_TIMEOUT)
    struct timeval timeout;
    timeout.tv_usec = 0;
    timeout.tv_sec = aTimeLimit;
    ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &timeout);
#elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
    int milliseconds = aTimeLimit * 1000;
    ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &milliseconds);
#endif
}
/* Release a string the LDAP library allocated (e.g. the DN from ldap_get_dn()). */
static void
squid_ldap_memfree(char *p)
{
    ldap_memfree(p);
}
00207
00208 #else
/* Legacy variant for libraries without ldap_get_option(): read the error field straight from the handle. */
static int
squid_ldap_errno(LDAP * ld)
{
    return ld->ld_errno;
}
/* Legacy variant: store the LDAP_DEREF_* mode directly in the handle. */
static void
squid_ldap_set_aliasderef(LDAP * ld, int deref)
{
    ld->ld_deref = deref;
}
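/*
 * Legacy variant: toggle referral chasing in the handle's option bits.
 * `referrals` non-zero enables chasing, zero disables it.
 */
static void
squid_ldap_set_referrals(LDAP * ld, int referrals)
{
    /* Set only the referrals bit. The previous "|= ~LDAP_OPT_REFERRALS"
     * switched on every option *except* referrals and left referrals
     * unchanged, so -R's inverse could never be applied on this code path. */
    if (referrals)
        ld->ld_options |= LDAP_OPT_REFERRALS;
    else
        ld->ld_options &= ~LDAP_OPT_REFERRALS;
}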
/* Legacy variant: store the search time limit directly in the handle. */
static void
squid_ldap_set_timelimit(LDAP * ld, int timelimit)
{
    ld->ld_timelimit = timelimit;
}
/*
 * Legacy variant: the handle exposes no connect-timeout field, so -c cannot
 * be honoured; warn on stderr and leave the connection untouched.
 */
static void
squid_ldap_set_connect_timeout(LDAP * ld, int timelimit)
{
    (void) ld;
    (void) timelimit;
    fputs("Connect timeouts not supported in your LDAP library\n", stderr);
}
/* Legacy variant: library strings come from plain malloc(), so free() them. */
static void
squid_ldap_memfree(char *p)
{
    free(p);
}
00242
00243 #endif
00244
00245 #ifdef LDAP_API_FEATURE_X_OPENLDAP
00246 #if LDAP_VENDOR_VERSION > 194
00247 #define HAS_URI_SUPPORT 1
00248 #endif
00249 #endif
00250
/*
 * Create and configure an LDAP handle for `ldapServer` on `port`.
 * `ldapServer` is a host name, the space-separated host list main() builds
 * from repeated -h/-H and positional arguments, or (HAS_URI_SUPPORT only)
 * an LDAP URI.
 *
 * Applies the file-scope settings in order: connect timeout, protocol
 * version (v3 when -v was not given), StartTLS for -Z (v3 only), search
 * time limit, referral chasing and alias dereferencing.
 *
 * Every failure is fatal: a message goes to stderr and the helper exits
 * with status 1, so callers never see a NULL return.
 *
 * NOTE(review): nothing in this function sets a TLS certificate-verification
 * option; whatever the LDAP library's own configuration defaults to is what
 * applies — confirm that in deployment.
 */
static LDAP *
open_ldap_connection(const char *ldapServer, int port)
{
    LDAP *ld = NULL;
#if HAS_URI_SUPPORT
    /* Anything containing "://" is treated as a URI rather than a host list. */
    if (strstr(ldapServer, "://") != NULL) {
        int rc = ldap_initialize(&ld, ldapServer);
        if (rc != LDAP_SUCCESS) {
            fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer);
            exit(1);
        }
    } else
#endif
#if NETSCAPE_SSL
    /* -E: LDAP over SSL. The client library is initialised once per process (sslinit). */
    if (sslpath) {
        if (!sslinit && (ldapssl_client_init(sslpath, NULL) != LDAP_SUCCESS)) {
            fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n",
                    sslpath);
            exit(1);
        } else {
            sslinit++;
        }
        if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) {
            fprintf(stderr, "\nUnable to connect to SSL LDAP server: %s port:%d\n",
                    ldapServer, port);
            exit(1);
        }
    } else
#endif
    if ((ld = ldap_init(ldapServer, port)) == NULL) {
        fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n",
                ldapServer, port);
        exit(1);
    }
    /* 0 means -c was not given: keep the library default. */
    if (connect_timeout)
        squid_ldap_set_connect_timeout(ld, connect_timeout);

#ifdef LDAP_VERSION3
    if (version == -1) {
        version = LDAP_VERSION3;
    }
    if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version) != LDAP_SUCCESS) {
        fprintf(stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
                version);
        exit(1);
    }
    if (use_tls) {
#ifdef LDAP_OPT_X_TLS
        /* StartTLS is an LDAPv3 extended operation. A failed upgrade is
         * fatal rather than silently continuing in cleartext. */
        if (version != LDAP_VERSION3) {
            fprintf(stderr, "TLS requires LDAP version 3\n");
            exit(1);
        } else if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
            fprintf(stderr, "Could not Activate TLS connection\n");
            exit(1);
        }
#else
        fprintf(stderr, "TLS not supported with your LDAP library\n");
        exit(1);
#endif
    }
#endif
    squid_ldap_set_timelimit(ld, timelimit);
    squid_ldap_set_referrals(ld, !noreferrals);
    squid_ldap_set_aliasderef(ld, aliasderef);
    return ld;
}
00317
00318
/*
 * Accept a login name only if its whitespace is well-formed: no leading or
 * trailing blank, and interior blanks limited to single plain spaces (no
 * tabs, no runs of spaces). Returns 1 when acceptable, 0 otherwise.
 * Only whitespace is checked; no other character class is rejected here.
 */
static int
validUsername(const char *user)
{
    const unsigned char *cursor = (const unsigned char *) user;

    /* A leading blank of any kind is rejected outright. */
    if (xisspace(*cursor))
        return 0;

    /* Visit every character that still has a successor. */
    for (; cursor[0] != '\0' && cursor[1] != '\0'; ++cursor) {
        if (!xisspace(cursor[0]))
            continue;
        /* Interior whitespace must be exactly one ' ' followed by a non-blank. */
        if (cursor[0] != ' ' || xisspace(cursor[1]))
            return 0;
    }

    /* cursor is now on the last character (or the terminator for ""); it may not be blank. */
    return xisspace(*cursor) ? 0 : 1;
}
00343
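/*
 * Append one more server name to the space-separated LDAP server list that
 * is later handed to ldap_init()/ldap_initialize().
 *
 * current: the list built so far, or NULL for the first server; ownership is
 *          taken and the old buffer freed.
 * value:   the server name (or URI) to append.
 * Returns a freshly allocated list. Allocation failure is fatal (message on
 * stderr, exit status 1), matching readSecret()'s out-of-memory policy.
 */
static char *
appendLdapServer(char *current, const char *value)
{
    if (!current)
        return xstrdup(value);

    const size_t len = strlen(current) + 1 + strlen(value) + 1;
    char *newhost = static_cast<char *>(malloc(len));
    if (!newhost) {
        fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
        exit(1);
    }
    snprintf(newhost, len, "%s %s", current, value);
    free(current);
    return newhost;
}

/*
 * Entry point of the basic_ldap_auth helper.
 *
 * Parses the command line into the file-scope configuration, then serves
 * the Squid basic-auth helper protocol: one "user password" line per
 * request on stdin, one "OK" or "ERR ..." line per request on stdout.
 * With -P a single LDAP connection is kept across requests and re-opened
 * once when a request fails for any reason other than bad credentials.
 *
 * Returns 0 when stdin reaches EOF; configuration errors exit with 1.
 */
int
main(int argc, char **argv)
{
    char buf[1024];
    char *user, *passwd;
    char *ldapServer = NULL;
    LDAP *ld = NULL;
    int tryagain;
    int port = LDAP_PORT;

    /* Squid waits for each reply line; never leave one sitting in a stdio buffer. */
    setbuf(stdout, NULL);

    /* Flag options take no value; every other option takes one, either
     * glued on ("-bdc=example") or as the following argument ("-b dc=example"). */
    while (argc > 1 && argv[1][0] == '-') {
        const char *value = "";
        char option = argv[1][1];
        switch (option) {
        case 'P':
        case 'R':
        case 'z':
        case 'Z':
        case 'd':
        case 'O':
            break;
        default:
            if (strlen(argv[1]) > 2) {
                value = argv[1] + 2;
            } else if (argc > 2) {
                value = argv[2];
                argv++;
                argc--;
            } else
                value = "";
            break;
        }
        argv++;
        argc--;
        switch (option) {
        case 'H':
#if !HAS_URI_SUPPORT
            fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n");
            exit(1);
#endif
            /* fallthrough: a URI joins the same server list as -h */
        case 'h':
            ldapServer = appendLdapServer(ldapServer, value);
            break;
        case 'b':
            basedn = value;
            break;
        case 'f':
            searchfilter = value;
            break;
        case 'u':
            userattr = value;
            break;
        case 'U':
            passwdattr = value;
            break;
        case 's':
            if (strcmp(value, "base") == 0)
                searchscope = LDAP_SCOPE_BASE;
            else if (strcmp(value, "one") == 0)
                searchscope = LDAP_SCOPE_ONELEVEL;
            else if (strcmp(value, "sub") == 0)
                searchscope = LDAP_SCOPE_SUBTREE;
            else {
                fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown search scope '%s'\n", value);
                exit(1);
            }
            break;
        case 'E':
#if defined(NETSCAPE_SSL)
            sslpath = value;
            /* Switch to the LDAPS port unless -p already chose one. */
            if (port == LDAP_PORT)
                port = LDAPS_PORT;
#else
            fprintf(stderr, PROGRAM_NAME " ERROR: -E unsupported with this LDAP library\n");
            exit(1);
#endif
            break;
        case 'c':
            connect_timeout = atoi(value);
            break;
        case 't':
            timelimit = atoi(value);
            break;
        case 'a':
            if (strcmp(value, "never") == 0)
                aliasderef = LDAP_DEREF_NEVER;
            else if (strcmp(value, "always") == 0)
                aliasderef = LDAP_DEREF_ALWAYS;
            else if (strcmp(value, "search") == 0)
                aliasderef = LDAP_DEREF_SEARCHING;
            else if (strcmp(value, "find") == 0)
                aliasderef = LDAP_DEREF_FINDING;
            else {
                fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown alias dereference method '%s'\n", value);
                exit(1);
            }
            break;
        case 'D':
            binddn = value;
            break;
        case 'w':
            bindpasswd = value;
            break;
        case 'W':
            /* readSecret() has already reported the failure on stderr. Do not
             * start without the bind password: the search bind would otherwise
             * run with a NULL credential, i.e. unauthenticated. */
            if (readSecret(value) != 0)
                exit(1);
            break;
        case 'P':
            persistent = !persistent;
            break;
        case 'O':
            bind_once = !bind_once;
            break;
        case 'p':
            port = atoi(value);
            break;
        case 'R':
            noreferrals = !noreferrals;
            break;
#ifdef LDAP_VERSION3
        case 'v':
            switch (atoi(value)) {
            case 2:
                version = LDAP_VERSION2;
                break;
            case 3:
                version = LDAP_VERSION3;
                break;
            default:
                fprintf(stderr, "Protocol version should be 2 or 3\n");
                exit(1);
            }
            break;
        case 'Z':
            /* StartTLS exists only in LDAPv3; -Z implies -v 3 and conflicts with an explicit -v 2. */
            if (version == LDAP_VERSION2) {
                fprintf(stderr, "TLS (-Z) is incompatible with version %d\n",
                        version);
                exit(1);
            }
            version = LDAP_VERSION3;
            use_tls = 1;
            break;
#endif
        case 'd':
            debug_enabled = 1;
            break;
        default:
            fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown command line option '%c'\n", option);
            exit(1);
        }
    }

    /* Positional arguments are further servers ("ldap_server_name[:port]"). */
    while (argc > 1) {
        ldapServer = appendLdapServer(ldapServer, argv[1]);
        argc--;
        argv++;
    }
    if (!ldapServer)
        ldapServer = xstrdup("localhost");

    if (!basedn) {
        fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn [options] [ldap_server_name[:port]]...\n\n");
        fprintf(stderr, "\t-b basedn (REQUIRED)\tbase dn under which to search\n");
        fprintf(stderr, "\t-f filter\t\tsearch filter to locate user DN\n");
        fprintf(stderr, "\t-u userattr\t\tusername DN attribute\n");
        fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n");
        fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
        fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
        fprintf(stderr, "\t-W secretfile\t\tread password for binddn from file secretfile\n");
#if HAS_URI_SUPPORT
        fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n");
#endif
        fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n");
        fprintf(stderr, "\t-p port\t\t\tLDAP server port\n");
        fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n");
#if defined(NETSCAPE_SSL)
        fprintf(stderr, "\t-E sslcertpath\t\tenable LDAP over SSL\n");
#endif
        fprintf(stderr, "\t-c timeout\t\tconnect timeout\n");
        fprintf(stderr, "\t-t timelimit\t\tsearch time limit\n");
        fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
        fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n");
#ifdef LDAP_VERSION3
        fprintf(stderr, "\t-v 2|3\t\t\tLDAP version\n");
        fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires LDAP version 3\n");
#endif
        fprintf(stderr, "\t-d\t\t\tenable debug mode\n");
        fprintf(stderr, "\n");
        fprintf(stderr, "\tIf no search filter is specified, then the dn <userattr>=user,basedn\n\twill be used (same as specifying a search filter of '<userattr>=',\n\tbut quicker as as there is no need to search for the user DN)\n\n");
        fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
        exit(1);
    }



#ifdef _SQUID_MSWIN_
    /* ldap_start_tls_s is resolved from wldap32 at run time; when the export
     * is missing, TLS is unavailable on this platform. */
    if (use_tls) {

        HMODULE WLDAP32Handle;

        WLDAP32Handle = GetModuleHandle("wldap32");
        if ((Win32_ldap_start_tls_s = (PFldap_start_tls_s) GetProcAddress(WLDAP32Handle, LDAP_START_TLS_S)) == NULL) {
            fprintf(stderr, PROGRAM_NAME ": ERROR: TLS (-Z) not supported on this platform.\n");
            exit(1);
        }
    }
#endif

    /* Request loop. The user is everything up to the first space; the
     * password is the rest of the line. Both fields are rfc1738-unescaped.
     * strtok() is acceptable here: the helper is single-threaded. */
    while (fgets(buf, sizeof(buf), stdin) != NULL) {
        user = strtok(buf, " \r\n");
        passwd = strtok(NULL, "\r\n");

        if (!user || !passwd || !passwd[0]) {
            printf("ERR\n");
            continue;
        }
        rfc1738_unescape(user);
        rfc1738_unescape(passwd);
        if (!validUsername(user)) {
            printf("ERR No such user\n");
            continue;
        }
        /* Retry once on an existing persistent connection, unless the
         * failure was a genuine credential rejection. */
        tryagain = (ld != NULL);
recover:
        if (ld == NULL && persistent)
            ld = open_ldap_connection(ldapServer, port);
        if (checkLDAP(ld, user, passwd, ldapServer, port) != 0) {
            if (tryagain && squid_ldap_errno(ld) != LDAP_INVALID_CREDENTIALS) {
                tryagain = 0;
                ldap_unbind(ld);
                ld = NULL;
                goto recover;
            }
            /* NOTE(review): without -P, ld is NULL here, so the error text is
             * taken from a NULL handle; the legacy squid_ldap_errno() that
             * reads ld->ld_errno would dereference it — confirm whether that
             * build still matters and guard if so. */
            printf("ERR %s\n", ldap_err2string(squid_ldap_errno(ld)));
        } else {
            printf("OK\n");
        }
        /* Drop a persistent connection left in an error state so the next request starts clean. */
        if (ld && (squid_ldap_errno(ld) != LDAP_SUCCESS && squid_ldap_errno(ld) != LDAP_INVALID_CREDENTIALS)) {
            ldap_unbind(ld);
            ld = NULL;
        }
    }
    if (ld)
        ldap_unbind(ld);
    return 0;
}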
00609
/*
 * Escape the characters with special meaning inside an LDAP search filter
 * (RFC 4515: '*', '(', ')' and '\') as "\xx" lowercase-hex sequences, so a
 * login name cannot alter the structure of the configured filter.
 *
 * escaped: output buffer; always NUL-terminated on return
 * size:    capacity of `escaped` in bytes
 * src:     NUL-terminated input
 *
 * Returns the number of bytes written, not counting the terminator. Copying
 * stops silently once fewer than five bytes of room remain, which guarantees
 * that any escape sequence plus the terminator still fits.
 */
static int
ldap_escape_value(char *escaped, int size, const char *src)
{
    static const char hexdigits[] = "0123456789abcdef";
    int written = 0;

    for (; size > 4 && *src != '\0'; ++src) {
        const unsigned char ch = (unsigned char) *src;
        const int special = (ch == '*' || ch == '(' || ch == ')' || ch == '\\');

        if (!special) {
            *escaped++ = (char) ch;
            ++written;
            --size;
            continue;
        }

        /* Three bytes: a backslash followed by the two hex digits of the byte. */
        *escaped++ = '\\';
        *escaped++ = hexdigits[ch >> 4];
        *escaped++ = hexdigits[ch & 0x0f];
        written += 3;
        size -= 3;
    }
    *escaped = '\0';
    return written;
}
00637
00638
00639
00640
/*
 * Verify `userid`/`password` against the directory.
 *
 * Two ways of locating the user:
 *  - with -f, the configured search filter is expanded with the escaped
 *    login and searched under basedn; the first entry's DN is used;
 *  - without -f, the DN is built directly as "<userattr>=<userid>,<basedn>".
 * The password is then checked either by a simple bind as that DN or, with
 * -U, by an ldap_compare_s() of passwdattr against the supplied value.
 *
 * persistent_ld: connection kept open by main() under -P, or NULL. It is
 *                never unbound here; connections opened in this function are
 *                always unbound before returning.
 * Returns 0 when the credentials were accepted, 1 otherwise. main() reports
 * the library error text via squid_ldap_errno().
 */
static int
checkLDAP(LDAP * persistent_ld, const char *userid, const char *password, const char *ldapServer, int port)
{
    char dn[1024];
    int ret = 0;
    LDAP *bind_ld = NULL;

    if (!*password) {
        /* An empty password would turn the simple bind below into an
         * unauthenticated bind (RFC 4513 §5.1.2), which a server may accept
         * as anonymous — that must never count as a successful login. */
        debug("Blank password given\n");
        return 1;
    }
    if (searchfilter) {
        char filter[16384];
        char escaped_login[1024];
        LDAPMessage *res = NULL;
        LDAPMessage *entry;
        char *searchattr[] = {(char *)LDAP_NO_ATTRS, NULL};    /* "1.1": only the DN is wanted, no attributes */
        char *userdn;
        int rc;
        LDAP *search_ld = persistent_ld;

        if (!search_ld)
            search_ld = open_ldap_connection(ldapServer, port);

        /* RFC 4515 escaping so the login cannot change the filter's structure. */
        ldap_escape_value(escaped_login, sizeof(escaped_login), userid);
        if (binddn) {
            rc = ldap_simple_bind_s(search_ld, binddn, bindpasswd);
            if (rc != LDAP_SUCCESS) {
                fprintf(stderr, PROGRAM_NAME ": WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc));
                ret = 1;
                goto search_done;
            }
        }
        /* The operator-configured filter is used as a printf format and may
         * reference the escaped login up to 15 times via "%s". Any other
         * conversion specifier in the filter would be a format-string defect;
         * the filter comes from the command line, not from the request. */
        snprintf(filter, sizeof(filter), searchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login);
        debug("user filter '%s', searchbase '%s'\n", filter, basedn);
        rc = ldap_search_s(search_ld, basedn, searchscope, filter, searchattr, 1, &res);
        if (rc != LDAP_SUCCESS) {
            if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
                /* Under -R a partial result set is still usable: fall through
                 * and inspect whatever entries did come back. */
                debug("noreferrals && rc == LDAP_PARTIAL_RESULTS\n");
            } else {
                fprintf(stderr, PROGRAM_NAME ": WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
#if defined(NETSCAPE_SSL)
                if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) {
                    int sslerr = PORT_GetError();
                    fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
                }
#endif
                ret = 1;
                goto search_done;
            }
        }
        /* Only the first matching entry is considered. */
        entry = ldap_first_entry(search_ld, res);
        if (!entry) {
            debug("Ldap search returned nothing\n");
            ret = 1;
            goto search_done;
        }
        userdn = ldap_get_dn(search_ld, entry);
        if (!userdn) {
            fprintf(stderr, PROGRAM_NAME ": ERROR, could not get user DN for '%s'\n", userid);
            ret = 1;
            goto search_done;
        }
        snprintf(dn, sizeof(dn), "%s", userdn);
        squid_ldap_memfree(userdn);

        if (ret == 0 && (!binddn || !bind_once || passwdattr)) {
            /* Hand the search connection over for the password check. With
             * -O and a binddn (and no -U) a fresh connection is used instead
             * — presumably so the binddn session is not replaced by the
             * user's bind; confirm against the -O documentation. */
            bind_ld = search_ld;
            search_ld = NULL;
        }
search_done:
        if (res) {
            ldap_msgfree(res);
            res = NULL;
        }
        /* Unbind only a connection this function opened itself. */
        if (search_ld && search_ld != persistent_ld) {
            ldap_unbind(search_ld);
            search_ld = NULL;
        }
        if (ret != 0)
            return ret;
    } else {
        /* NOTE(review): userid is inserted without RFC 4514 DN escaping and
         * validUsername() only rejects whitespace, so a login containing DN
         * metacharacters (',', '+', '=', '\\', ...) yields a differently
         * shaped DN than intended — worth confirming whether escaping or
         * stricter validation is wanted here. */
        snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn);
    }

    debug("attempting to authenticate user '%s'\n", dn);
    /* Prefer the handed-over search connection, then the persistent one
     * (unless -O), and open a dedicated connection only as a last resort. */
    if (!bind_ld && !bind_once)
        bind_ld = persistent_ld;
    if (!bind_ld)
        bind_ld = open_ldap_connection(ldapServer, port);
    if (passwdattr) {
        /* -U: the connection's current identity compares the supplied
         * password against the attribute; no bind as the user happens. */
        if (ldap_compare_s(bind_ld, dn, passwdattr, password) != LDAP_COMPARE_TRUE) {
            ret = 1;
        }
    } else if (ldap_simple_bind_s(bind_ld, dn, password) != LDAP_SUCCESS)
        ret = 1;
    if (bind_ld != persistent_ld) {
        ldap_unbind(bind_ld);
        bind_ld = NULL;
    }
    return ret;
}
00750
/*
 * Load the -W bind password from the first line of `filename`.
 *
 * A trailing "\n" and then a trailing "\r" are removed (so "\r\n" endings
 * work). The copy is stored in the file-scope bindpasswd; it is not freed
 * anywhere in this file.
 *
 * Returns 0 on success, 1 when the file cannot be opened or yields no line;
 * exits the process with status 1 if memory for the copy is unavailable.
 */
int
readSecret(const char *filename)
{
    char line[BUFSIZ];
    FILE *secret = fopen(filename, "r");

    if (secret == NULL) {
        fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename);
        return 1;
    }
    if (fgets(line, sizeof(line) - 1, secret) == NULL) {
        fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename);
        fclose(secret);
        return 1;
    }

    /* Strip the line terminator: newline first, then any carriage return. */
    char *terminator = strrchr(line, '\n');
    if (terminator != NULL)
        *terminator = 0;
    terminator = strrchr(line, '\r');
    if (terminator != NULL)
        *terminator = 0;

    char *copy = (char *) calloc(sizeof(char), strlen(line) + 1);
    if (copy == NULL) {
        fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
        exit(1);
    }
    strcpy(copy, line);
    bindpasswd = copy;

    fclose(secret);

    return 0;
}