Commit | Line | Data |
---|---|---|
0e333c05 CE |
1 | /* |
2 | ** Copyright 2016 Double Precision, Inc. See COPYING for | |
3 | ** distribution information. | |
4 | */ | |
5 | ||
6 | #if HAVE_CONFIG_H | |
7 | #include "courier_auth_config.h" | |
8 | #endif | |
9 | #include <string> | |
10 | #include <sstream> | |
11 | #include <map> | |
12 | #include <vector> | |
13 | #include <algorithm> | |
14 | #include <cctype> | |
15 | ||
16 | #if HAVE_LBER_H | |
17 | #include <lber.h> | |
18 | #endif | |
19 | #if HAVE_LDAP_H | |
20 | #include <ldap.h> | |
21 | #endif | |
22 | #include <pwd.h> | |
23 | #include <grp.h> | |
24 | #include <errno.h> | |
25 | #include <time.h> | |
26 | #if HAVE_SYS_TIME_H | |
27 | #include <sys/time.h> | |
28 | #endif | |
29 | #if HAVE_SYS_STAT_H | |
30 | #include <sys/stat.h> | |
31 | #endif | |
32 | ||
33 | extern "C" { | |
34 | #include "authldap.h" | |
35 | #include "auth.h" | |
36 | #include "authldaprc.h" | |
37 | #include "courierauthdebug.h" | |
38 | }; | |
39 | ||
40 | #include "authconfigfile.h" | |
41 | #include <stdio.h> | |
42 | ||
43 | #ifndef LDAP_OPT_SUCCESS | |
44 | #define LDAP_OPT_SUCCESS LDAP_SUCCESS | |
45 | #endif | |
46 | ||
47 | /* | |
48 | ** Main connection to the LDAP server, and a separate connection for the | |
49 | ** LDAP_AUTHBIND option. | |
50 | */ | |
51 | ||
52 | class ldap_connection { | |
53 | ||
54 | public: | |
55 | LDAP *connection; | |
56 | ||
57 | ldap_connection() : connection(0) {} | |
58 | ~ldap_connection() { disconnect(); } | |
59 | ||
60 | bool connected() const { return connection != 0; } | |
61 | ||
62 | bool connect(); | |
63 | void disconnect(); | |
64 | void close(); | |
65 | ||
66 | private: | |
67 | bool enable_tls(); | |
68 | ||
69 | public: | |
70 | ||
71 | static bool ok(const char *method, int rc) | |
72 | { | |
73 | if (rc == 0 || LDAP_NAME_ERROR(rc)) | |
74 | return true; | |
75 | ||
76 | courier_auth_err("%s failed: %s", method, | |
77 | ldap_err2string(rc)); | |
78 | return false; | |
79 | } | |
80 | ||
81 | bool bind(const std::string &userid, | |
82 | const std::string &password) | |
83 | { | |
84 | std::vector<char> buffer(password.begin(), password.end()); | |
85 | struct berval cred; | |
86 | ||
87 | cred.bv_len=buffer.size(); | |
88 | cred.bv_val=&buffer[0]; | |
89 | ||
90 | if (connect() && | |
91 | ok("ldap_sasl_bind_s", | |
92 | ldap_sasl_bind_s(connection, userid.c_str(), | |
93 | NULL, &cred, | |
94 | NULL, NULL, NULL))) | |
95 | return true; | |
96 | ||
97 | disconnect(); | |
98 | return connect() && | |
99 | ok("ldap_sasl_bind_s", | |
100 | ldap_sasl_bind_s(connection, userid.c_str(), | |
101 | NULL, &cred, | |
102 | NULL, NULL, NULL)); | |
103 | } | |
104 | }; | |
105 | ||
106 | ldap_connection main_connection, bind_connection; | |
107 | ||
108 | ||
109 | // Loaded and parsed authldaprc configuration file. | |
110 | ||
111 | class authldaprc_file : public courier::auth::config_file { | |
112 | ||
113 | public: | |
114 | ||
115 | int protocol_version; | |
116 | int timeout; | |
117 | int authbind; | |
118 | int initbind; | |
119 | int tls; | |
120 | uid_t uid; | |
121 | gid_t gid; | |
122 | ||
123 | std::string ldap_uri, ldap_binddn, ldap_bindpw, ldap_basedn; | |
124 | int ldap_deref; | |
125 | ||
126 | std::vector<std::string> auxoptions, auxnames; | |
127 | ||
128 | authldaprc_file(); | |
129 | ||
130 | private: | |
131 | bool do_load(); | |
132 | void do_reload(); | |
133 | public: | |
134 | }; | |
135 | ||
136 | /* | |
137 | ** There's a memory leak in OpenLDAP 1.2.11, presumably in earlier versions | |
138 | ** too. See http://www.OpenLDAP.org/its/index.cgi?findid=864 for more | |
139 | ** information. To work around the bug, the first time a connection fails | |
140 | ** we stop trying for 60 seconds. After 60 seconds we kill the process, | |
141 | ** and let the parent process restart it. | |
142 | ** | |
143 | ** We'll control this behavior via LDAP_MEMORY_LEAK. Set it to ZERO to turn | |
144 | ** off this behavior (whenever OpenLDAP gets fixed). | |
145 | */ | |
146 | ||
147 | static time_t ldapfailflag=0; | |
148 | ||
149 | static void ldapconnfailure() | |
150 | { | |
151 | const char *p=getenv("LDAP_MEMORY_LEAK"); | |
152 | ||
153 | if (!p) | |
154 | { | |
155 | #ifdef LDAP_VENDOR_NAME | |
156 | #ifdef LDAP_VENDOR_VERSION | |
157 | #define DO_OPENLDAP_CHECK | |
158 | #endif | |
159 | #endif | |
160 | ||
161 | #ifdef DO_OPENLDAP_CHECK | |
162 | ||
163 | /* It's supposed to be fixed in 20019 */ | |
164 | ||
165 | if (strcmp(LDAP_VENDOR_NAME, "OpenLDAP") == 0 && | |
166 | LDAP_VENDOR_VERSION < 20019) | |
167 | p="1"; | |
168 | else | |
169 | p="0"; | |
170 | #else | |
171 | p="0"; | |
172 | #endif | |
173 | } | |
174 | ||
175 | if (atoi(p) && !ldapfailflag) | |
176 | { | |
177 | time(&ldapfailflag); | |
178 | ldapfailflag += 60; | |
179 | } | |
180 | } | |
181 | ||
182 | static int ldapconncheck() | |
183 | { | |
184 | time_t t; | |
185 | ||
186 | if (!ldapfailflag) | |
187 | return (0); | |
188 | ||
189 | time(&t); | |
190 | ||
191 | if (t >= ldapfailflag) | |
192 | exit(0); | |
193 | return (1); | |
194 | } | |
195 | ||
196 | authldaprc_file::authldaprc_file() | |
197 | : config_file(AUTHLDAPRC) | |
198 | { | |
199 | } | |
200 | ||
201 | bool authldaprc_file::do_load() | |
202 | { | |
203 | bool loaded=true; | |
204 | ||
205 | // Frequently-accessed variables. | |
206 | ||
207 | if (!config("LDAP_TIMEOUT", timeout, false, "5") || | |
208 | !config("LDAP_TLS", tls, false, "0")) | |
209 | { | |
210 | loaded=false; | |
211 | } | |
212 | ||
213 | if (!config("LDAP_URI", ldap_uri, true)) | |
214 | { | |
215 | loaded=false; | |
216 | } | |
217 | ||
218 | ldap_deref=0; | |
219 | ||
220 | std::string deref_setting; | |
221 | ||
222 | config("LDAP_DEREF", deref_setting, false, ""); | |
223 | ||
224 | for (std::string::iterator p=deref_setting.begin(); | |
225 | p != deref_setting.end(); ++p) | |
226 | *p=std::tolower(*p); | |
227 | ||
228 | #ifdef LDAP_OPT_DEREF | |
229 | ||
230 | ldap_deref=LDAP_DEREF_NEVER; | |
231 | ||
232 | if (deref_setting == "never") | |
233 | ldap_deref = LDAP_DEREF_NEVER; | |
234 | else if (deref_setting == "searching") | |
235 | ldap_deref = LDAP_DEREF_SEARCHING; | |
236 | else if (deref_setting == "finding") | |
237 | ldap_deref = LDAP_DEREF_FINDING; | |
238 | else if (deref_setting == "always") | |
239 | ldap_deref = LDAP_DEREF_ALWAYS; | |
240 | else if (deref_setting != "") | |
241 | { | |
242 | loaded=false; | |
243 | courier_auth_err("authldap: INVALID LDAP_OPT_DEREF"); | |
244 | } | |
245 | #endif | |
246 | uid=0; | |
247 | gid=0; | |
248 | ||
249 | std::string uid_str, gid_str; | |
250 | ||
251 | config("LDAP_GLOB_UID", uid_str, false); | |
252 | config("LDAP_GLOB_GID", gid_str, false); | |
253 | ||
254 | if (!uid_str.empty()) | |
255 | { | |
256 | std::istringstream i(uid_str); | |
257 | ||
258 | i >> uid; | |
259 | ||
260 | if (i.fail()) | |
261 | { | |
262 | struct passwd *pwent=getpwnam(uid_str.c_str()); | |
263 | ||
264 | if (!pwent) | |
265 | { | |
266 | courier_auth_err("authldap: INVALID LDAP_GLOB_UID"); | |
267 | loaded=false; | |
268 | } | |
269 | else | |
270 | { | |
271 | uid=pwent->pw_uid; | |
272 | } | |
273 | } | |
274 | } | |
275 | ||
276 | if (!gid_str.empty()) | |
277 | { | |
278 | std::istringstream i(uid_str); | |
279 | ||
280 | i >> gid; | |
281 | ||
282 | if (i.fail()) | |
283 | { | |
284 | struct group *grent=getgrnam(gid_str.c_str()); | |
285 | ||
286 | if (!grent) | |
287 | { | |
288 | courier_auth_err("authldap: INVALID LDAP_GLOB_GID"); | |
289 | loaded=false; | |
290 | } | |
291 | else | |
292 | { | |
293 | gid=grent->gr_gid; | |
294 | } | |
295 | } | |
296 | } | |
297 | ||
298 | if (!config("LDAP_AUTHBIND", authbind, false, "0") | |
299 | || !config("LDAP_INITBIND", initbind, false, "0") | |
300 | || !config("LDAP_BASEDN", ldap_basedn, true)) | |
301 | loaded=false; | |
302 | ||
303 | if (initbind) | |
304 | { | |
305 | if (!config("LDAP_BINDDN", ldap_binddn, true) || | |
306 | !config("LDAP_BINDPW", ldap_bindpw, true)) | |
307 | loaded=false; | |
308 | } | |
309 | ||
310 | if (!config("LDAP_PROTOCOL_VERSION", protocol_version, false, "0")) | |
311 | loaded=false; | |
312 | ||
313 | if (protocol_version) | |
314 | { | |
315 | #ifndef LDAP_OPT_PROTOCOL_VERSION | |
316 | courier_auth_err("authldaplib: LDAP_OPT_PROTOCOL_VERSION ignored"); | |
317 | loaded=false; | |
318 | #endif | |
319 | if (0 | |
320 | #ifdef LDAP_VERSION_MIN | |
321 | || protocol_version < LDAP_VERSION_MIN | |
322 | #endif | |
323 | #ifdef LDAP_VERSION_MAX | |
324 | || protocol_version > LDAP_VERSION_MAX | |
325 | #endif | |
326 | ) | |
327 | { | |
328 | protocol_version=0; | |
329 | courier_auth_err("authldaplib: LDAP_PROTOCOL_VERSION not supported"); | |
330 | loaded=false; | |
331 | } | |
332 | } | |
333 | ||
334 | std::string auxoptions_str; | |
335 | ||
336 | config("LDAP_AUXOPTIONS", auxoptions_str, ""); | |
337 | ||
338 | std::string::iterator p=auxoptions_str.begin(); | |
339 | ||
340 | while (p != auxoptions_str.end()) | |
341 | { | |
342 | if (*p == ',') | |
343 | { | |
344 | ++p; | |
345 | continue; | |
346 | } | |
347 | ||
348 | std::string::iterator q=p; | |
349 | ||
350 | p=std::find(p, auxoptions_str.end(), ','); | |
351 | ||
352 | std::string auxoption(q, p); | |
353 | std::string auxname; | |
354 | ||
355 | q=std::find(auxoption.begin(), auxoption.end(), '='); | |
356 | ||
357 | if (q != auxoption.end()) | |
358 | { | |
359 | auxname=std::string(q+1, auxoption.end()); | |
360 | auxoption=std::string(auxoption.begin(), q); | |
361 | } | |
362 | ||
363 | auxoptions.push_back(auxoption); | |
364 | auxnames.push_back(auxname); | |
365 | } | |
366 | ||
367 | return loaded; | |
368 | } | |
369 | ||
370 | void authldaprc_file::do_reload() | |
371 | { | |
372 | // File changed, try to load it again. | |
373 | ||
374 | authldaprc_file new_file; | |
375 | ||
376 | if (new_file.load(true)) | |
377 | { | |
378 | *this=new_file; | |
379 | DPRINTF("authldap: reloaded %s", filename); | |
380 | ||
381 | // If we reloaded the file, close the | |
382 | // connections, so they can be reopened using | |
383 | // the new config. | |
384 | ||
385 | main_connection.close(); | |
386 | bind_connection.close(); | |
387 | } | |
388 | } | |
389 | ||
390 | static authldaprc_file authldaprc; | |
391 | ||
392 | #if HAVE_LDAP_TLS | |
393 | bool ldap_connection::enable_tls() | |
394 | { | |
395 | int version; | |
396 | ||
397 | if (!ok("ldap_get_option", | |
398 | ldap_get_option(connection, LDAP_OPT_PROTOCOL_VERSION, | |
399 | &version))) | |
400 | return false; | |
401 | ||
402 | if (version < LDAP_VERSION3) | |
403 | { | |
404 | version = LDAP_VERSION3; | |
405 | (void)ldap_set_option (connection, | |
406 | LDAP_OPT_PROTOCOL_VERSION, | |
407 | &version); | |
408 | } | |
409 | ||
410 | if (!ok("ldap_start_tls_s", | |
411 | ldap_start_tls_s(connection, NULL, NULL))) | |
412 | return false; | |
413 | ||
414 | return true; | |
415 | } | |
416 | ||
417 | #else | |
418 | ||
419 | bool ldap_connection::enable_tls() | |
420 | { | |
421 | courier_auth_err("authldaplib: TLS not available"); | |
422 | return (-1); | |
423 | } | |
424 | #endif | |
425 | ||
426 | bool ldap_connection::connect() | |
427 | { | |
428 | if (connected()) return true; | |
429 | ||
430 | DPRINTF("authldaplib: connecting to %s", authldaprc.ldap_uri.c_str()); | |
431 | ||
432 | if (ldapconncheck()) | |
433 | { | |
434 | DPRINTF("authldaplib: timing out after failed connection"); | |
435 | return (false); | |
436 | } | |
437 | ||
438 | ldap_initialize(&connection, authldaprc.ldap_uri.c_str()); | |
439 | ||
440 | if (connection==NULL) | |
441 | { | |
442 | courier_auth_err("cannot connect to LDAP server (%s): %s", | |
443 | authldaprc.ldap_uri.c_str(), strerror(errno)); | |
444 | ldapconnfailure(); | |
445 | } | |
446 | #ifdef LDAP_OPT_NETWORK_TIMEOUT | |
447 | else if (authldaprc.timeout > 0) | |
448 | { | |
449 | DPRINTF("timeout set to %d", authldaprc.timeout); | |
450 | ldap_set_option (connection, LDAP_OPT_NETWORK_TIMEOUT, &authldaprc.timeout); | |
451 | #endif | |
452 | } | |
453 | ||
454 | #ifdef LDAP_OPT_PROTOCOL_VERSION | |
455 | ||
456 | if (authldaprc.protocol_version && | |
457 | !ok("ldap_set_option", | |
458 | ldap_set_option(connection, | |
459 | LDAP_OPT_PROTOCOL_VERSION, | |
460 | (void *) &authldaprc.protocol_version))) | |
461 | { | |
462 | disconnect(); | |
463 | return false; | |
464 | } | |
465 | ||
466 | if (authldaprc.protocol_version) | |
467 | { | |
468 | DPRINTF("selected ldap protocol version %d", authldaprc.protocol_version); | |
469 | } | |
470 | #endif | |
471 | ||
472 | if (authldaprc.tls && !enable_tls()) | |
473 | { | |
474 | disconnect(); | |
475 | return false; | |
476 | } | |
477 | ||
478 | #ifdef LDAP_OPT_DEREF | |
479 | if (!ok("ldap_set_option", | |
480 | ldap_set_option(connection, LDAP_OPT_DEREF, | |
481 | (void *)&authldaprc.ldap_deref))) | |
482 | { | |
483 | disconnect(); | |
484 | return (false); | |
485 | } | |
486 | #else | |
487 | if (!deref_setting.empty()) | |
488 | { | |
489 | courier_auth_err("authldaplib: LDAP_OPT_DEREF not available, ignored"); | |
490 | } | |
491 | #endif | |
492 | ||
493 | return true; | |
494 | } | |
495 | ||
496 | void ldap_connection::disconnect() | |
497 | { | |
498 | close(); | |
499 | ldapconnfailure(); | |
500 | } | |
501 | ||
502 | void ldap_connection::close() | |
503 | { | |
504 | if (connection == NULL) | |
505 | return; | |
506 | ||
507 | ldap_unbind_ext(connection, 0, 0); | |
508 | connection=NULL; | |
509 | } | |
510 | ||
511 | static int ldapopen() | |
512 | { | |
513 | if (main_connection.connected()) return 0; | |
514 | ||
515 | if (!main_connection.connect()) | |
516 | return 1; | |
517 | ||
518 | if (authldaprc.initbind) | |
519 | { | |
520 | /* Bind to server */ | |
521 | if (courier_authdebug_login_level >= 2) | |
522 | { | |
523 | DPRINTF("binding to LDAP server as DN '%s', password '%s'", | |
524 | authldaprc.ldap_binddn.empty() ? "<null>" | |
525 | : authldaprc.ldap_binddn.c_str(), | |
526 | authldaprc.ldap_bindpw.empty() ? "<null>" | |
527 | : authldaprc.ldap_bindpw.c_str()); | |
528 | } | |
529 | else | |
530 | { | |
531 | DPRINTF("binding to LDAP server as DN '%s'", | |
532 | authldaprc.ldap_binddn.empty() ? "<null>" | |
533 | : authldaprc.ldap_binddn.c_str()); | |
534 | } | |
535 | ||
536 | if (!main_connection.bind(authldaprc.ldap_binddn, | |
537 | authldaprc.ldap_bindpw)) | |
538 | { | |
539 | authldapclose(); | |
540 | ldapconnfailure(); | |
541 | return (-1); | |
542 | } | |
543 | } | |
544 | return (0); | |
545 | } | |
546 | ||
547 | class authldaprc_attributes { | |
548 | ||
549 | public: | |
550 | ||
551 | std::map<std::string, std::string *> attributes; | |
552 | ||
553 | std::string attribute(const char *name, | |
554 | const char *default_value, | |
555 | std::string &return_value) | |
556 | { | |
557 | std::string value; | |
558 | ||
559 | authldaprc.config(name, value, false, default_value); | |
560 | ||
561 | if (!value.empty()) | |
562 | attributes[value]=&return_value; | |
563 | return value; | |
564 | } | |
565 | }; | |
566 | ||
567 | class authldaprc_attribute_vector : public std::vector<std::string> { | |
568 | ||
569 | public: | |
570 | ||
571 | authldaprc_attribute_vector(const std::map<std::string, std::string *> | |
572 | &attributes) | |
573 | { | |
574 | for (std::map<std::string, std::string *>::const_iterator | |
575 | p=attributes.begin(); p != attributes.end(); ++p) | |
576 | { | |
577 | push_back(p->first); | |
578 | } | |
579 | } | |
580 | }; | |
581 | ||
582 | class authldaprc_search_attributes { | |
583 | ||
584 | std::vector<std::string> copy_buffer; | |
585 | ||
586 | public: | |
587 | ||
588 | std::vector<char *> all_attributes_ptr; | |
589 | ||
590 | authldaprc_search_attributes(const std::vector<std::string> &attributes) | |
591 | : copy_buffer(attributes) | |
592 | { | |
593 | for (std::vector<std::string>::iterator | |
594 | p=copy_buffer.begin(); | |
595 | p != copy_buffer.end(); ++p) | |
596 | { | |
597 | if (p->empty()) | |
598 | continue; | |
599 | ||
600 | p->push_back(0); | |
601 | all_attributes_ptr.push_back(& (*p)[0]); | |
602 | } | |
603 | ||
604 | all_attributes_ptr.push_back(0); | |
605 | } | |
606 | ||
607 | char **search_attributes() | |
608 | { | |
609 | return &all_attributes_ptr[0]; | |
610 | } | |
611 | }; | |
612 | ||
613 | class authldaprc_search_result : authldaprc_search_attributes { | |
614 | ||
615 | public: | |
616 | ||
617 | LDAPMessage *ptr; | |
618 | bool finished; | |
619 | ||
620 | authldaprc_search_result(ldap_connection &conn, | |
621 | const std::string &basedn, | |
622 | const std::string &query, | |
623 | const std::vector<std::string> &attributes, | |
624 | const struct timeval &timeout) | |
625 | : authldaprc_search_attributes(attributes), | |
626 | ptr(NULL), finished(false) | |
627 | { | |
628 | struct timeval timeout_copy=timeout; | |
629 | ||
630 | if (!conn.connect() || | |
631 | !conn.ok("ldap_search_ext_s", | |
632 | ldap_search_ext_s(conn.connection, | |
633 | basedn.c_str(), | |
634 | LDAP_SCOPE_SUBTREE, | |
635 | query.c_str(), | |
636 | search_attributes(), | |
637 | 0, | |
638 | NULL, NULL, | |
639 | &timeout_copy, | |
640 | 100, &ptr))) | |
641 | { | |
642 | ptr=NULL; | |
643 | conn.disconnect(); | |
644 | if (!conn.connect() | |
645 | || !conn.ok("ldap_search_ext_s", | |
646 | ldap_search_ext_s(conn.connection, | |
647 | basedn.c_str(), | |
648 | LDAP_SCOPE_SUBTREE, | |
649 | query.c_str(), | |
650 | search_attributes(), | |
651 | 0, | |
652 | NULL, NULL, | |
653 | &timeout_copy, | |
654 | 100, &ptr))) | |
655 | { | |
656 | ptr=NULL; | |
657 | } | |
658 | } | |
659 | } | |
660 | ||
661 | authldaprc_search_result(ldap_connection &conn, | |
662 | int msgid, | |
663 | bool all, | |
664 | const struct timeval &timeout) | |
665 | :authldaprc_search_attributes(std::vector<std::string>()), | |
666 | ptr(NULL), finished(false) | |
667 | { | |
668 | while (1) | |
669 | { | |
670 | struct timeval timeout_copy=timeout; | |
671 | ||
672 | int rc=ldap_result(conn.connection, msgid, all ? 1:0, | |
673 | &timeout_copy, | |
674 | &ptr); | |
675 | ||
676 | switch (rc) | |
677 | { | |
678 | case -1: | |
679 | DPRINTF("ldap_result() failed"); | |
680 | ldap_msgfree(ptr); | |
681 | ptr=NULL; | |
682 | return; | |
683 | case 0: | |
684 | DPRINTF("ldap_result() timed out"); | |
685 | ldap_msgfree(ptr); | |
686 | ptr=NULL; | |
687 | return; | |
688 | case LDAP_RES_SEARCH_ENTRY: | |
689 | break; /* deal with below */ | |
690 | case LDAP_RES_SEARCH_RESULT: | |
691 | if (ldap_parse_result(conn.connection, ptr, | |
692 | &rc, | |
693 | NULL, NULL, NULL, NULL, | |
694 | 0) != LDAP_SUCCESS) | |
695 | { | |
696 | DPRINTF("ldap_parse_result failed"); | |
697 | ldap_msgfree(ptr); | |
698 | ptr=NULL; | |
699 | return; | |
700 | } | |
701 | ldap_msgfree(ptr); | |
702 | ptr=NULL; | |
703 | if (rc != LDAP_SUCCESS) | |
704 | { | |
705 | DPRINTF("search failed: %s", | |
706 | ldap_err2string(rc)); | |
707 | return; | |
708 | } | |
709 | finished=true; | |
710 | return; | |
711 | default: | |
712 | DPRINTF("ldap_result(): ignored 0x%02X status", | |
713 | rc); | |
714 | ldap_msgfree(ptr); | |
715 | ptr=NULL; | |
716 | continue; | |
717 | } | |
718 | break; | |
719 | } | |
720 | } | |
721 | ||
722 | bool operator!() const | |
723 | { | |
724 | return ptr == NULL; | |
725 | } | |
726 | ||
727 | operator bool() const | |
728 | { | |
729 | return ptr != NULL; | |
730 | } | |
731 | ||
732 | ~authldaprc_search_result() | |
733 | { | |
734 | if (ptr) | |
735 | ldap_msgfree(ptr); | |
736 | } | |
737 | }; | |
738 | ||
739 | static std::vector<std::string> | |
740 | authldap_entry_values(LDAP *connection, LDAPMessage *msg, | |
741 | const std::string &attrname) | |
742 | { | |
743 | std::vector<std::string> values; | |
744 | ||
745 | struct berval **p=ldap_get_values_len(connection, msg, | |
746 | attrname.c_str()); | |
747 | ||
748 | if (p) | |
749 | { | |
750 | ||
751 | size_t n=ldap_count_values_len(p); | |
752 | ||
753 | values.reserve(n); | |
754 | ||
755 | for (size_t i=0; i<n; i++) | |
756 | { | |
757 | const char *ptr= | |
758 | reinterpret_cast<const char *>(p[i]->bv_val); | |
759 | ||
760 | values.push_back(std::string(ptr, ptr+p[i]->bv_len)); | |
761 | } | |
762 | ||
763 | ldap_value_free_len(p); | |
764 | } | |
765 | return values; | |
766 | } | |
767 | ||
768 | class authldap_get_values { | |
769 | ||
770 | LDAP *connection; | |
771 | LDAPMessage *entry; | |
772 | std::string context; | |
773 | ||
774 | public: | |
775 | ||
776 | authldap_get_values(LDAP *connectionArg, | |
777 | LDAPMessage *entryArg, | |
778 | const std::string &contextArg) | |
779 | : connection(connectionArg), | |
780 | entry(entryArg), | |
781 | context(contextArg) | |
782 | { | |
783 | } | |
784 | ||
785 | bool operator()(const std::string &attrname, | |
786 | std::string &value) | |
787 | { | |
788 | std::vector<std::string> values= | |
789 | authldap_entry_values(connection, entry, attrname); | |
790 | ||
791 | if (values.empty()) | |
792 | return false; | |
793 | ||
794 | if (values.size() > 1) | |
795 | { | |
796 | fprintf(stderr, | |
797 | "WARN: authldaplib: duplicate attribute %s for %s\n", | |
798 | attrname.c_str(), | |
799 | context.c_str()); | |
800 | } | |
801 | ||
802 | value=values[0]; | |
803 | return true; | |
804 | } | |
805 | ||
806 | std::string options() | |
807 | { | |
808 | size_t i; | |
809 | ||
810 | std::ostringstream options; | |
811 | const char *options_sep=""; | |
812 | ||
813 | for (i=0; i<authldaprc.auxoptions.size(); ++i) | |
814 | { | |
815 | std::string value; | |
816 | ||
817 | if (operator()(authldaprc.auxoptions[i], value) | |
818 | && !value.empty()) | |
819 | { | |
820 | options << options_sep | |
821 | << authldaprc.auxnames[i] | |
822 | << "=" | |
823 | << value; | |
824 | options_sep=","; | |
825 | } | |
826 | } | |
827 | return options.str(); | |
828 | } | |
829 | }; | |
830 | ||
831 | static void cpp_auth_ldap_enumerate( void(*cb_func)(const char *name, | |
832 | uid_t uid, | |
833 | gid_t gid, | |
834 | const char *homedir, | |
835 | const char *maildir, | |
836 | const char *options, | |
837 | void *void_arg), | |
838 | void *void_arg) | |
839 | { | |
840 | int msgid; | |
841 | ||
842 | if (ldapopen()) | |
843 | { | |
844 | (*cb_func)(NULL, 0, 0, NULL, NULL, NULL, void_arg); | |
845 | return; | |
846 | } | |
847 | ||
848 | std::string mail_field, uid_field, gid_field, | |
849 | homedir_field, maildir_field; | |
850 | ||
851 | authldaprc.config("LDAP_MAIL", mail_field, false, "mail"); | |
852 | authldaprc.config("LDAP_UID", uid_field, false); | |
853 | authldaprc.config("LDAP_GID", gid_field, false); | |
854 | authldaprc.config("LDAP_HOMEDIR", homedir_field, false, "homeDir"); | |
855 | authldaprc.config("LDAP_MAILDIR", maildir_field, false); | |
856 | ||
857 | std::vector<std::string> attribute_vector; | |
858 | ||
859 | attribute_vector.push_back(mail_field); | |
860 | attribute_vector.push_back(uid_field); | |
861 | attribute_vector.push_back(gid_field); | |
862 | attribute_vector.push_back(homedir_field); | |
863 | attribute_vector.push_back(maildir_field); | |
864 | ||
865 | for (size_t i=0; i<authldaprc.auxoptions.size(); i++) | |
866 | { | |
867 | attribute_vector.push_back(authldaprc.auxoptions[i]); | |
868 | } | |
869 | ||
870 | std::string enumerate_filter; | |
871 | ||
872 | authldaprc.config("LDAP_ENUMERATE_FILTER", enumerate_filter, false); | |
873 | ||
874 | if (enumerate_filter.empty()) | |
875 | { | |
876 | std::string filter; | |
877 | ||
878 | authldaprc.config("LDAP_FILTER", filter, false); | |
879 | ||
880 | if (!filter.empty()) | |
881 | { | |
882 | enumerate_filter=filter; | |
883 | } | |
884 | else | |
885 | { | |
886 | std::string s; | |
887 | ||
888 | authldaprc.config("LDAP_MAIL", s, false); | |
889 | ||
890 | enumerate_filter = s + "=*"; | |
891 | } | |
892 | } | |
893 | ||
894 | DPRINTF("ldap_search: basedn='%s', filter='%s'", | |
895 | authldaprc.ldap_basedn.c_str(), enumerate_filter.c_str()); | |
896 | ||
897 | authldaprc_search_attributes search_attributes(attribute_vector); | |
898 | ||
899 | struct timeval tv; | |
900 | tv.tv_sec=60*60; | |
901 | tv.tv_usec=0; | |
902 | ||
903 | if (ldap_search_ext(main_connection.connection, | |
904 | authldaprc.ldap_basedn.c_str(), | |
905 | LDAP_SCOPE_SUBTREE, | |
906 | enumerate_filter.c_str(), | |
907 | search_attributes.search_attributes(), | |
908 | 0, | |
909 | NULL, NULL, &tv, 1000000, &msgid) < 0) | |
910 | { | |
911 | DPRINTF("ldap_search_ext failed"); | |
912 | return; | |
913 | } | |
914 | ||
915 | /* Process results */ | |
916 | ||
917 | while (1) | |
918 | { | |
919 | struct timeval timeout; | |
920 | LDAPMessage *entry; | |
921 | ||
922 | timeout.tv_sec=authldaprc.timeout; | |
923 | timeout.tv_usec=0; | |
924 | ||
925 | authldaprc_search_result search_result(main_connection, | |
926 | msgid, | |
927 | false, | |
928 | timeout); | |
929 | ||
930 | if (search_result.finished) | |
931 | break; | |
932 | ||
933 | if (!search_result) | |
934 | return; | |
935 | ||
936 | entry = ldap_first_entry(main_connection.connection, search_result.ptr); | |
937 | ||
938 | while (entry) | |
939 | { | |
940 | std::vector<std::string> | |
941 | names=authldap_entry_values(main_connection.connection, | |
942 | entry, | |
943 | mail_field); | |
944 | ||
945 | if (names.empty()) | |
946 | { | |
947 | entry = ldap_next_entry(main_connection.connection, entry); | |
948 | continue; | |
949 | } | |
950 | ||
951 | size_t n=names.size(); | |
952 | ||
953 | if (n > 0) | |
954 | { | |
955 | std::string uid_s, gid_s, homedir, maildir; | |
956 | uid_t uid=authldaprc.uid; | |
957 | gid_t gid=authldaprc.gid; | |
958 | ||
959 | authldap_get_values | |
960 | get_value(main_connection.connection, entry, | |
961 | names[0]); | |
962 | ||
963 | if (!uid_field.empty()) | |
964 | get_value(uid_field, uid_s); | |
965 | ||
966 | if (!gid_field.empty()) | |
967 | { | |
968 | get_value(gid_field, gid_s); | |
969 | } | |
970 | ||
971 | get_value(homedir_field, homedir); | |
972 | get_value(maildir_field, maildir); | |
973 | ||
974 | if (!uid_s.empty()) | |
975 | std::istringstream(uid_s) | |
976 | >> uid; | |
977 | ||
978 | if (!gid_s.empty()) | |
979 | std::istringstream(gid_s) | |
980 | >> gid; | |
981 | ||
982 | std::string options=get_value.options(); | |
983 | ||
984 | for (size_t j=0; j < n; j++) | |
985 | { | |
986 | if (!homedir.empty()) | |
987 | (*cb_func)(names[j].c_str(), | |
988 | uid, gid, | |
989 | homedir.c_str(), | |
990 | maildir.empty() | |
991 | ? 0:maildir.c_str(), | |
992 | options.empty() | |
993 | ? 0:options.c_str(), | |
994 | void_arg); | |
995 | } | |
996 | } | |
997 | ||
998 | entry = ldap_next_entry(main_connection.connection, entry); | |
999 | } | |
1000 | } | |
1001 | ||
1002 | /* Success */ | |
1003 | (*cb_func)(NULL, 0, 0, NULL, NULL, NULL, void_arg); | |
1004 | } | |
1005 | ||
1006 | static void cpp_authldapclose() | |
1007 | { | |
1008 | main_connection.disconnect(); | |
1009 | bind_connection.disconnect(); | |
1010 | } | |
1011 | ||
1012 | class authldap_lookup : private authldaprc_attributes { | |
1013 | ||
1014 | struct authinfo auth; | |
1015 | const char *service; | |
1016 | std::string attrname; | |
1017 | std::string user; | |
1018 | const char *pass; | |
1019 | const char *newpass; | |
1020 | const char *authaddr; | |
1021 | ||
1022 | public: | |
1023 | authldap_lookup(const char *serviceArg, | |
1024 | const std::string &attrnameArg, | |
1025 | const std::string &userArg, | |
1026 | const char *passArg, | |
1027 | const char *newpassArg, | |
1028 | const char *authaddrArg); | |
1029 | ||
1030 | int operator()(int (*callback)(struct authinfo *, void *), void *arg); | |
1031 | ||
1032 | private: | |
1033 | int verify_password(const std::string &dn); | |
1034 | int verify_password_myself(const std::string &dn); | |
1035 | int verify_password_authbind(const std::string &dn); | |
1036 | }; | |
1037 | ||
1038 | authldap_lookup::authldap_lookup(const char *serviceArg, | |
1039 | const std::string &attrnameArg, | |
1040 | const std::string &userArg, | |
1041 | const char *passArg, | |
1042 | const char *newpassArg, | |
1043 | const char *authaddrArg) | |
1044 | : service(serviceArg), | |
1045 | attrname(attrnameArg), | |
1046 | user(userArg), | |
1047 | pass(passArg), | |
1048 | newpass(newpassArg), | |
1049 | authaddr(authaddrArg) | |
1050 | { | |
1051 | } | |
1052 | ||
1053 | int authldap_lookup::operator()(int (*callback)(struct authinfo *, void *), | |
1054 | void *arg) | |
1055 | { | |
1056 | struct timeval timeout; | |
1057 | ||
1058 | LDAPMessage *entry; | |
1059 | ||
1060 | std::string dn; | |
1061 | ||
1062 | std::string homeDir, mailDir, userPassword, | |
1063 | cryptPassword, | |
1064 | cn, | |
1065 | uidNumber, | |
1066 | gidNumber, quota; | |
1067 | ||
1068 | uid_t au; | |
1069 | gid_t ag; | |
1070 | int rc; | |
1071 | ||
1072 | std::ostringstream query; | |
1073 | ||
1074 | std::string filter; | |
1075 | ||
1076 | authldaprc.config("LDAP_FILTER", filter, false); | |
1077 | ||
1078 | if (!filter.empty()) | |
1079 | { | |
1080 | query << "(&" << filter; | |
1081 | } | |
1082 | ||
1083 | query << "(" << attrname << "=" << user; | |
1084 | ||
1085 | std::string domain; | |
1086 | ||
1087 | authldaprc.config("LDAP_DOMAIN", domain, false); | |
1088 | ||
1089 | if (!domain.empty() && | |
1090 | std::find(user.begin(), user.end(), '@') == user.end()) | |
1091 | query << "@" << domain; | |
1092 | query << ")"; | |
1093 | ||
1094 | if (!filter.empty()) | |
1095 | query << ")"; | |
1096 | ||
1097 | std::string query_str=query.str(); | |
1098 | ||
1099 | DPRINTF("Query: %s", query_str.c_str()); | |
1100 | ||
1101 | timeout.tv_sec=authldaprc.timeout; | |
1102 | timeout.tv_usec=0; | |
1103 | ||
1104 | attribute("LDAP_HOMEDIR", "homeDir", homeDir); | |
1105 | attribute(service && strcmp(service, "courier") == 0 | |
1106 | ? "LDAP_DEFAULTDELIVERY":"LDAP_MAILDIR", 0, mailDir); | |
1107 | attribute("LDAP_FULLNAME", 0, cn); | |
1108 | std::string clearpw_value=attribute("LDAP_CLEARPW", 0, userPassword); | |
1109 | std::string cryptpw_value=attribute("LDAP_CRYPTPW", 0, cryptPassword); | |
1110 | attribute("LDAP_UID", 0, uidNumber); | |
1111 | attribute("LDAP_GID", 0, gidNumber); | |
1112 | attribute("LDAP_MAILDIRQUOTA", 0, quota); | |
1113 | ||
1114 | authldaprc_attribute_vector all_attributes(attributes); | |
1115 | ||
1116 | for (size_t i=0; i<authldaprc.auxoptions.size(); i++) | |
1117 | { | |
1118 | all_attributes.push_back(authldaprc.auxoptions[i]); | |
1119 | } | |
1120 | ||
1121 | authldaprc_search_result result(main_connection, | |
1122 | authldaprc.ldap_basedn, | |
1123 | query_str, | |
1124 | all_attributes, | |
1125 | timeout); | |
1126 | ||
1127 | int n_entries=ldap_count_entries(main_connection.connection, result.ptr); | |
1128 | ||
1129 | if (n_entries != 1) | |
1130 | { | |
1131 | if (n_entries == 0) | |
1132 | { | |
1133 | DPRINTF("Not found"); | |
1134 | } | |
1135 | else | |
1136 | { | |
1137 | DPRINTF("Returned multiple entries (%d)", n_entries); | |
1138 | } | |
1139 | return -1; | |
1140 | } | |
1141 | ||
1142 | char *dn_p = ldap_get_dn(main_connection.connection, result.ptr); | |
1143 | ||
1144 | DPRINTF("Returned DN: %s", dn_p ? dn_p : "<null>"); | |
1145 | ||
1146 | if (dn_p == NULL) | |
1147 | { | |
1148 | DPRINTF("ldap_get_dn failed"); | |
1149 | return -1; | |
1150 | } | |
1151 | ||
1152 | dn=dn_p; | |
1153 | free(dn_p); | |
1154 | ||
1155 | /* Get the pointer on this result */ | |
1156 | entry=ldap_first_entry(main_connection.connection, result.ptr); | |
1157 | if (entry==NULL) | |
1158 | { | |
1159 | DPRINTF("ldap_first_entry failed"); | |
1160 | return -1; | |
1161 | } | |
1162 | ||
1163 | /* print all the raw attributes */ | |
1164 | if (courier_authdebug_login_level >= 2) | |
1165 | { | |
1166 | BerElement *berptr = 0; | |
1167 | char *attr= | |
1168 | ldap_first_attribute(main_connection.connection, entry, &berptr); | |
1169 | ||
1170 | while (attr) | |
1171 | { | |
1172 | std::vector<std::string> | |
1173 | values=authldap_entry_values(main_connection.connection, | |
1174 | entry, | |
1175 | attr); | |
1176 | for (size_t i=0; i<values.size(); ++i) | |
1177 | DPRINTF(" %s: %s", attr, values[i].c_str()); | |
1178 | ||
1179 | ldap_memfree(attr); | |
1180 | attr = ldap_next_attribute(main_connection.connection, entry, | |
1181 | berptr); | |
1182 | } | |
1183 | ||
1184 | ber_free(berptr, 0); | |
1185 | } | |
1186 | ||
1187 | authldap_get_values get_value(main_connection.connection, entry, dn.c_str()); | |
1188 | ||
1189 | for (std::map<std::string, std::string *>::iterator | |
1190 | p=attributes.begin(); p != attributes.end(); ++p) | |
1191 | { | |
1192 | get_value(p->first, *p->second); | |
1193 | } | |
1194 | ||
1195 | au=authldaprc.uid; | |
1196 | ag=authldaprc.gid; | |
1197 | if (!uidNumber.empty()) | |
1198 | { | |
1199 | std::istringstream(uidNumber) >> au; | |
1200 | } | |
1201 | ||
1202 | if (!gidNumber.empty()) | |
1203 | { | |
1204 | std::istringstream(gidNumber) >> ag; | |
1205 | } | |
1206 | ||
1207 | std::string mailroot; | |
1208 | ||
1209 | authldaprc.config("LDAP_MAILROOT", mailroot, false); | |
1210 | ||
1211 | if (!homeDir.empty() && !mailroot.empty()) | |
1212 | { | |
1213 | homeDir = mailroot + "/" + homeDir; | |
1214 | } | |
1215 | ||
1216 | std::string options=get_value.options(); | |
1217 | ||
1218 | memset(&auth, 0, sizeof(auth)); | |
1219 | ||
1220 | auth.sysuserid= &au; | |
1221 | auth.sysgroupid= ag; | |
1222 | auth.homedir=homeDir.c_str(); | |
1223 | auth.address=authaddr; | |
1224 | auth.fullname=cn.c_str(); | |
1225 | ||
1226 | if (!mailDir.empty()) | |
1227 | auth.maildir=mailDir.c_str(); | |
1228 | ||
1229 | if (!userPassword.empty()) | |
1230 | auth.clearpasswd=userPassword.c_str(); | |
1231 | ||
1232 | if (!cryptPassword.empty()) | |
1233 | auth.passwd=cryptPassword.c_str(); | |
1234 | ||
1235 | if (!quota.empty()) | |
1236 | auth.quota=quota.c_str(); | |
1237 | ||
1238 | if (!options.empty()) | |
1239 | auth.options=options.c_str(); | |
1240 | ||
1241 | rc=0; | |
1242 | ||
1243 | if (au == 0 || ag == 0) | |
1244 | { | |
1245 | courier_auth_err("authldaplib: refuse to authenticate %s: uid=%d, gid=%d (zero uid or gid not permitted)", | |
1246 | user.c_str(), au, ag); | |
1247 | rc= 1; | |
1248 | } | |
1249 | ||
1250 | courier_authdebug_authinfo("DEBUG: authldaplib: ", &auth, | |
1251 | userPassword.c_str(), | |
1252 | cryptPassword.c_str()); | |
1253 | ||
1254 | if (rc == 0) | |
1255 | rc=verify_password(dn); | |
1256 | ||
1257 | std::string newpass_crypt; | |
1258 | ||
1259 | if (rc == 0 && newpass) | |
1260 | { | |
1261 | char *p=authcryptpasswd(newpass, auth.passwd); | |
1262 | ||
1263 | if (!p) | |
1264 | rc=-1; | |
1265 | else | |
1266 | { | |
1267 | newpass_crypt=p; | |
1268 | free(p); | |
1269 | } | |
1270 | ||
1271 | LDAPMod *mods[3]; | |
1272 | int mod_index=0; | |
1273 | ||
1274 | LDAPMod mod_clear, mod_crypt; | |
1275 | char *mod_clear_vals[2], *mod_crypt_vals[2]; | |
1276 | ||
1277 | std::vector<char> clearpw_buffer, cryptpw_buffer; | |
1278 | ||
1279 | if (!clearpw_value.empty() && auth.clearpasswd) | |
1280 | { | |
1281 | clearpw_buffer.insert(clearpw_buffer.end(), | |
1282 | clearpw_value.begin(), | |
1283 | clearpw_value.end()); | |
1284 | ||
1285 | clearpw_buffer.push_back(0); | |
1286 | ||
1287 | mods[mod_index]= &mod_clear; | |
1288 | mod_clear.mod_op=LDAP_MOD_REPLACE; | |
1289 | mod_clear.mod_type=&clearpw_buffer[0]; | |
1290 | mod_clear.mod_values=mod_clear_vals; | |
1291 | ||
1292 | DPRINTF("Modify: %s", mod_clear.mod_type); | |
1293 | ||
1294 | mod_clear_vals[0]=(char *)newpass; | |
1295 | mod_clear_vals[1]=NULL; | |
1296 | ++mod_index; | |
1297 | } | |
1298 | ||
1299 | if (!cryptpw_value.empty() && | |
1300 | !newpass_crypt.empty() && auth.passwd) | |
1301 | { | |
1302 | cryptpw_buffer.insert(cryptpw_buffer.end(), | |
1303 | cryptpw_value.begin(), | |
1304 | cryptpw_value.end()); | |
1305 | ||
1306 | cryptpw_buffer.push_back(0); | |
1307 | ||
1308 | mods[mod_index]= &mod_crypt; | |
1309 | mod_crypt.mod_op=LDAP_MOD_REPLACE; | |
1310 | mod_crypt.mod_type=&cryptpw_buffer[0]; | |
1311 | mod_crypt.mod_values=mod_crypt_vals; | |
1312 | ||
1313 | DPRINTF("Modify: %s", mod_crypt.mod_type); | |
1314 | ||
1315 | newpass_crypt.push_back(0); | |
1316 | mod_crypt_vals[0]=&newpass_crypt[0]; | |
1317 | mod_crypt_vals[1]=NULL; | |
1318 | ++mod_index; | |
1319 | } | |
1320 | if (mod_index == 0) | |
1321 | rc= -1; | |
1322 | else | |
1323 | { | |
1324 | mods[mod_index]=0; | |
1325 | ||
1326 | /* | |
1327 | ** Use the user connection for updating the password. | |
1328 | */ | |
1329 | ||
1330 | int ld_errno= | |
1331 | ldap_modify_ext_s(bind_connection.connected() | |
1332 | ? bind_connection.connection | |
1333 | : main_connection.connection, | |
1334 | dn.c_str(), mods, | |
1335 | NULL, NULL); | |
1336 | ||
1337 | if (ld_errno != LDAP_SUCCESS) | |
1338 | { | |
1339 | rc= -1; | |
1340 | DPRINTF("Password update failed: %s", | |
1341 | ldap_err2string(ld_errno)); | |
1342 | } | |
1343 | } | |
1344 | } | |
1345 | ||
1346 | if (rc == 0 && callback) | |
1347 | { | |
1348 | if (!auth.clearpasswd) | |
1349 | auth.clearpasswd=pass; | |
1350 | rc= (*callback)(&auth, arg); | |
1351 | } | |
1352 | ||
1353 | return (rc); | |
1354 | } | |
1355 | ||
1356 | int authldap_lookup::verify_password(const std::string &dn) | |
1357 | { | |
1358 | if (!pass) | |
1359 | return 0; | |
1360 | ||
1361 | if (authldaprc.authbind) | |
1362 | return verify_password_authbind(dn); | |
1363 | ||
1364 | return verify_password_myself(dn); | |
1365 | } | |
1366 | ||
1367 | int authldap_lookup::verify_password_authbind(const std::string &dn) | |
1368 | { | |
1369 | if (!bind_connection.connect()) | |
1370 | return 1; | |
1371 | ||
1372 | if (!bind_connection.bind(dn, pass)) | |
1373 | { | |
1374 | bind_connection.close(); | |
1375 | return 1; | |
1376 | } | |
1377 | ||
1378 | if (authldaprc.protocol_version == 2) | |
1379 | { | |
1380 | // protocol version 2 does not allow rebinds. | |
1381 | ||
1382 | bind_connection.close(); | |
1383 | } | |
1384 | ||
1385 | return 0; | |
1386 | } | |
1387 | ||
1388 | int authldap_lookup::verify_password_myself(const std::string &dn) | |
1389 | { | |
1390 | if (auth.clearpasswd) | |
1391 | { | |
1392 | if (strcmp(pass, auth.clearpasswd)) | |
1393 | { | |
1394 | if (courier_authdebug_login_level >= 2) | |
1395 | { | |
1396 | DPRINTF("Password for %s: '%s' does not match clearpasswd '%s'", | |
1397 | dn.c_str(), pass, auth.clearpasswd); | |
1398 | } | |
1399 | else | |
1400 | { | |
1401 | DPRINTF("Password for %s does not match", | |
1402 | dn.c_str()); | |
1403 | } | |
1404 | return -1; | |
1405 | } | |
1406 | } | |
1407 | else | |
1408 | { | |
1409 | const char *p=auth.passwd; | |
1410 | ||
1411 | if (!p) | |
1412 | { | |
1413 | DPRINTF("Missing password in LDAP!"); | |
1414 | return -1; | |
1415 | } | |
1416 | ||
1417 | if (authcheckpassword(pass, p)) | |
1418 | { | |
1419 | DPRINTF("Password for %s does not match", | |
1420 | dn.c_str()); | |
1421 | return -1; | |
1422 | } | |
1423 | } | |
1424 | ||
1425 | return 0; | |
1426 | } | |
1427 | ||
1428 | /* | |
1429 | ** Replace keywords in the emailmap string. | |
1430 | */ | |
1431 | ||
1432 | static std::string emailmap_replace(const char *str, | |
1433 | const std::string &user_value, | |
1434 | const std::string &realm_value) | |
1435 | { | |
1436 | std::ostringstream o; | |
1437 | ||
1438 | while (*str) | |
1439 | { | |
1440 | const char *p=str; | |
1441 | ||
1442 | while (*str && *str != '@') | |
1443 | ++str; | |
1444 | ||
1445 | o << std::string(p, str); | |
1446 | ||
1447 | if (*str != '@') | |
1448 | continue; | |
1449 | ||
1450 | ++str; | |
1451 | ||
1452 | p=str; | |
1453 | while (*str && *str != '@') | |
1454 | ++str; | |
1455 | ||
1456 | std::string key(p, str); | |
1457 | ||
1458 | if (*str) | |
1459 | ++str; | |
1460 | ||
1461 | if (key == "user") | |
1462 | o << user_value; | |
1463 | else if (key == "realm") | |
1464 | o << realm_value; | |
1465 | } | |
1466 | ||
1467 | return o.str(); | |
1468 | } | |
1469 | ||
1470 | static int auth_ldap_try(const char *service, | |
1471 | const char *unquoted_user, const char *pass, | |
1472 | int (*callback)(struct authinfo *, void *), | |
1473 | void *arg, const char *newpass) | |
1474 | { | |
1475 | std::string user; | |
1476 | ||
1477 | { | |
1478 | char *q=courier_auth_ldap_escape(unquoted_user); | |
1479 | ||
1480 | user=q; | |
1481 | free(q); | |
1482 | } | |
1483 | ||
1484 | if (ldapopen()) return (-1); | |
1485 | ||
1486 | std::string::iterator at=std::find(user.begin(), user.end(), '@'); | |
1487 | ||
1488 | std::string emailmap; | |
1489 | ||
1490 | authldaprc.config("LDAP_EMAILMAP", emailmap, false); | |
1491 | ||
1492 | std::string mail; | |
1493 | ||
1494 | if (!authldaprc.config("LDAP_MAIL", mail, false, "mail")) | |
1495 | return -1; | |
1496 | ||
1497 | if (emailmap.empty() || at == user.end()) | |
1498 | { | |
1499 | authldap_lookup real_lookup(service, mail, user, pass, | |
1500 | newpass, user.c_str()); | |
1501 | ||
1502 | return real_lookup(callback, arg); | |
1503 | } | |
1504 | ||
1505 | std::string user_value(user.begin(), at); | |
1506 | std::string realm_value(++at, user.end()); | |
1507 | ||
1508 | std::string query= | |
1509 | emailmap_replace(emailmap.c_str(), user_value, realm_value); | |
1510 | ||
1511 | DPRINTF("using emailmap search: %s", query.c_str()); | |
1512 | ||
1513 | struct timeval tv; | |
1514 | ||
1515 | tv.tv_sec=authldaprc.timeout; | |
1516 | tv.tv_usec=0; | |
1517 | ||
1518 | std::vector<std::string> attributes; | |
1519 | ||
1520 | attributes.push_back(""); | |
1521 | ||
1522 | authldaprc.config("LDAP_EMAILMAP_ATTRIBUTE", attributes[0], false); | |
1523 | ||
1524 | if (attributes[0].empty()) | |
1525 | attributes[0]="handle"; | |
1526 | ||
1527 | std::string basedn; | |
1528 | ||
1529 | if (!authldaprc.config("LDAP_EMAILMAP_BASEDN", basedn, true)) | |
1530 | return -1; | |
1531 | ||
1532 | authldaprc_search_result | |
1533 | lookup(main_connection, | |
1534 | basedn, | |
1535 | query, | |
1536 | attributes, | |
1537 | tv); | |
1538 | ||
1539 | if (!lookup) | |
1540 | { | |
1541 | if (main_connection.connection) return (-1); | |
1542 | return (1); | |
1543 | } | |
1544 | ||
1545 | int cnt=ldap_count_entries(main_connection.connection, lookup.ptr); | |
1546 | ||
1547 | if (cnt != 1) | |
1548 | { | |
1549 | courier_auth_err("emailmap: %d entries returned from search %s (but we need exactly 1)", | |
1550 | cnt, query.c_str()); | |
1551 | return -1; | |
1552 | } | |
1553 | ||
1554 | LDAPMessage *entry=ldap_first_entry(main_connection.connection, lookup.ptr); | |
1555 | ||
1556 | if (!entry) | |
1557 | { | |
1558 | courier_auth_err("authldap: unexpected NULL from ldap_first_entry"); | |
1559 | return -1; | |
1560 | } | |
1561 | ||
1562 | authldap_get_values get_value(main_connection.connection, entry, query); | |
1563 | ||
1564 | std::string v; | |
1565 | ||
1566 | get_value(attributes[0], v); | |
1567 | ||
1568 | if (v.empty()) | |
1569 | { | |
1570 | DPRINTF("emailmap: empty attribute"); | |
1571 | return (-1); | |
1572 | } | |
1573 | ||
1574 | ||
1575 | std::string attrname; | |
1576 | ||
1577 | authldaprc.config("LDAP_EMAILMAP_MAIL", attrname, false); | |
1578 | ||
1579 | if (attrname.empty()) | |
1580 | { | |
1581 | attrname=mail; | |
1582 | } | |
1583 | ||
1584 | DPRINTF("emailmap: attribute=%s, value=%s", attrname.c_str(), | |
1585 | v.c_str()); | |
1586 | ||
1587 | authldap_lookup real_lookup(service, attrname, v.c_str(), pass, | |
1588 | newpass, user.c_str()); | |
1589 | ||
1590 | return real_lookup(callback, arg); | |
1591 | } | |
1592 | ||
1593 | // Try the query once. If there's a connection-level error, try again. | |
1594 | ||
1595 | static int auth_ldap_retry(const char *service, | |
1596 | const char *unquoted_user, | |
1597 | const char *pass, | |
1598 | int (*callback)(struct authinfo *, void *), | |
1599 | void *arg, const char *newpass) | |
1600 | { | |
1601 | int rc=auth_ldap_try(service, unquoted_user, pass, callback, arg, | |
1602 | newpass); | |
1603 | ||
1604 | if (rc > 0) | |
1605 | rc=auth_ldap_try(service, unquoted_user, pass, callback, arg, | |
1606 | newpass); | |
1607 | ||
1608 | return rc; | |
1609 | } | |
1610 | ||
1611 | extern "C" { | |
1612 | ||
1613 | #if 0 | |
1614 | }; | |
1615 | #endif | |
1616 | ||
1617 | int auth_ldap_changepw(const char *dummy, const char *user, | |
1618 | const char *pass, | |
1619 | const char *newpass) | |
1620 | { | |
1621 | if (!authldaprc.load()) | |
1622 | return 1; | |
1623 | ||
1624 | return auth_ldap_retry("authlib", user, pass, NULL, NULL, newpass); | |
1625 | } | |
1626 | ||
1627 | int authldapcommon(const char *service, | |
1628 | const char *user, const char *pass, | |
1629 | int (*callback)(struct authinfo *, void *), | |
1630 | void *arg) | |
1631 | { | |
1632 | if (!authldaprc.load()) | |
1633 | return 1; | |
1634 | return (auth_ldap_retry(service, user, pass, callback, arg, NULL)); | |
1635 | } | |
1636 | ||
1637 | void authldapclose() | |
1638 | { | |
1639 | cpp_authldapclose(); | |
1640 | } | |
1641 | ||
1642 | void auth_ldap_enumerate( void(*cb_func)(const char *name, | |
1643 | uid_t uid, | |
1644 | gid_t gid, | |
1645 | const char *homedir, | |
1646 | const char *maildir, | |
1647 | const char *options, | |
1648 | void *void_arg), | |
1649 | void *void_arg) | |
1650 | { | |
1651 | if (!authldaprc.load()) | |
1652 | return; | |
1653 | ||
1654 | cpp_auth_ldap_enumerate(cb_func, void_arg); | |
1655 | } | |
1656 | ||
1657 | #if 0 | |
1658 | { | |
1659 | #endif | |
1660 | } |