webserver: comparison src/server/daemon/ldap

-:019c22775f7c
+:4d038bc6f86e
 #include <cx/utils.h>
 #include <cx/hash_map.h>
 #include "ldap_auth.h"
+#include "ldap_resource.h"
-static void ws_ldap_close(LDAP *ldap) {
-#ifdef SOLARIS
-ldap_unbind(ldap);
+static LDAPConfig ws_ldap_default_config = {
-#else
+NULL, // resource
-ldap_unbind_ext_s(ldap, NULL, NULL);
+NULL, // basedn
-#endif
+NULL, // binddn
-}
+NULL, // bindpw
+"(&(objectclass=inetorgperson)(!(cn=%s)(uid=%s)))", // userSearchFilter
-AuthDB* create_ldap_authdb(ServerConfiguration *cfg, const char *name, LDAPConfig *conf) {
+{"uid"}, // uidAttributes
+1, // numUidAttributes
+"(&(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))(cn=%s))", // groupSearchFilter
+{"member", "uniqueMember"}, // memberAttributes
+2, // numMemberAttributes
+WS_LDAP_GROUP_MEMBER_DN, // groupMemberType
+TRUE, // enableGroups
+FALSE // userNameIsDN
+};
+// TODO
+static LDAPConfig ws_ldap_ad_config = {
+NULL, // resource
+NULL, // basedn
+NULL, // binddn
+NULL, // bindpw
+"(&(objectclass=inetorgperson)(!(cn=%s)(uid=%s)))", // userSearchFilter
+{"uid"}, // uidAttributes
+1, // numUidAttributes
+"", // groupSearchFilter
+{"uniqueMember", "member"}, // memberAttributes
+2, // numMemberAttributes
+WS_LDAP_GROUP_MEMBER_DN, // groupMemberType
+TRUE, // enableGroups
+FALSE // userNameIsDN
+};
+static LDAPConfig ws_ldap_posix_config = {
+NULL, // resource
+NULL, // basedn
+NULL, // binddn
+NULL, // bindpw
+"(&(objectclass=posixAccount)(uid=%s))", // userSearchFilter
+{"uid"}, // uidAttributes
+1, // numUidAttributes
+"(&(objectclass=posixGroup)(cn=%s))", // groupSearchFilter
+{"memberUid"}, // memberAttributes
+1, // numMemberAttributes
+WS_LDAP_GROUP_MEMBER_UID, // groupMemberType
+TRUE, // enableGroups
+FALSE // userNameIsDN
+};
+AuthDB* create_ldap_authdb(ServerConfiguration *cfg, const char *name, ConfigNode *node) {
 LDAPAuthDB *authdb = cxMalloc(cfg->a, sizeof(LDAPAuthDB));
+if(!authdb) {
+return NULL;
+}
 authdb->authdb.name = pool_strdup(cfg->pool, name);
+if(!authdb->authdb.name) {
+return NULL;
+}
 authdb->authdb.get_user = ldap_get_user;
 authdb->authdb.use_cache = 1;
-authdb->config = *conf;
+// initialize default ldap config
-if (!authdb->config.usersearch) {
+cxstring dirtype = serverconfig_object_directive_value(node, cx_str("DirectoryType"));
-authdb->config.usersearch = "uid";
+LDAPConfig *default_config;
-}
+if(!dirtype.ptr) {
-if (!authdb->config.groupsearch) {
+default_config = &ws_ldap_default_config;
-authdb->config.groupsearch = "uniquemember";
+} else if(!cx_strcmp(dirtype, cx_str("ldap"))) {
+default_config = &ws_ldap_default_config;
+} else if(!cx_strcmp(dirtype, cx_str("posix"))) {
+default_config = &ws_ldap_posix_config;
+} else if(!cx_strcmp(dirtype, cx_str("ad"))) {
+default_config = &ws_ldap_ad_config;
+} else {
+log_ereport(LOG_FAILURE, "cannot create ldap authdb %s: unknown directory type %s", name, dirtype.ptr);
+}
+memcpy(&authdb->config, default_config, sizeof(LDAPConfig));
+// custom config
+cxstring resource = serverconfig_object_directive_value(node, cx_str("Resource"));
+cxstring basedn = serverconfig_object_directive_value(node, cx_str("Basedn"));
+cxstring binddn = serverconfig_object_directive_value(node, cx_str("Binddn"));
+cxstring bindpw = serverconfig_object_directive_value(node, cx_str("Bindpw"));
+cxstring usersearchfilter = serverconfig_object_directive_value(node, cx_str("UserSearchFilter"));
+// TODO ...
+if(!resource.ptr) {
+// TODO: create resource pool
+} else {
+authdb->config.resource = resource.ptr;
 }
 // initialize group cache
 authdb->groups.first = NULL;
 authdb->groups.last = NULL;
 authdb->groups.map = cxHashMapCreate(cfg->a, 32);
+if(!authdb->groups.map) {
+return NULL;
+}
 return (AuthDB*) authdb;
 }
-LDAP* get_ldap_session(LDAPAuthDB *authdb) {
+LDAP* get_ldap_session(Session *sn, Request *rq, LDAPAuthDB *authdb) {
-LDAPConfig *config = &authdb->config;
+ResourceData *res = resourcepool_lookup(sn, rq, authdb->config.resource, 0);
-LDAP *ld = NULL;
+if(!res) {
+log_ereport(LOG_FAILURE, "AuthDB %s: cannot get resource %s", authdb->authdb.name, authdb->config.resource);
-#ifdef SOLARIS
+return NULL;
-ld = ldap_init(config->hostname, config->port);
+}
-#else
-char *ldap_uri = NULL;
+LDAP *ldap = res->data;
-asprintf(&ldap_uri, "ldap://%s:%d", config->hostname, config->port);
-int init_ret = ldap_initialize(&ld, ldap_uri);
+if(authdb->config.binddn) {
-free(ldap_uri);
+struct berval *server_cred;
-if(init_ret) {
+int r = ws_ldap_bind(ldap, authdb->config.binddn, authdb->config.bindpw, &server_cred);
-fprintf(stderr, "ldap_initialize failed\n");
+if(r != LDAP_SUCCESS) {
-}
+log_ereport(LOG_FAILURE, "AuthDB %s: bind to %s failed: %s", authdb->config.binddn, ldap_err2string(r));
-#endif
+resourcepool_free(sn, rq, res);
-if(!ld) {
+return NULL;
-return NULL;
+}
 }
-int ldapv = LDAP_VERSION3;
+return ldap;
-ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ldapv);
+}
-// admin bind
+User* ldap_get_user(AuthDB *db, Session *sn, Request *rq, const char *username) {
-struct berval cred;
-cred.bv_val = config->bindpw;
-cred.bv_len = strlen(config->bindpw);
-struct berval *server_cred;
-int r = ldap_sasl_bind_s(
-ld,
-config->binddn,
-LDAP_SASL_SIMPLE,
-&cred,
-NULL,
-NULL,
-&server_cred);
-if (r != LDAP_SUCCESS) {
-ws_ldap_close(ld);
-fprintf(stderr, "ldap_simple_bind_s failed: %s\n", ldap_err2string(r));
-return NULL;
-}
-return ld;
-}
-User* ldap_get_user(AuthDB *db, const char *username) {
 LDAPAuthDB *authdb = (LDAPAuthDB*) db;
 LDAPConfig *config = &authdb->config;
-LDAP *ld = get_ldap_session(authdb);
+LDAP *ld = get_ldap_session(sn, rq, authdb);
 if (ld == NULL) {
 fprintf(stderr, "ldap_init failed\n");
 return NULL;
 }
 return NULL;
 }
 LDAPMessage *msg = ldap_first_entry(ld, result);
 if (msg) {
-LDAPUser *user = malloc(sizeof(LDAPUser));
+LDAPUser *user = pool_malloc(sn->pool, sizeof(LDAPUser));
 if (user != NULL) {
 user->authdb = authdb;
 user->user.verify_password = ldap_user_verify_password;
 user->user.check_group = ldap_user_check_group;
 user->user.free = ldap_user_free;
-user->user.name = (char*)username; // must not be freed TODO: maybe copy
+user->user.name = pool_strdup(sn->pool, username);
+user->sn = sn;
+user->rq = rq;
 // TODO: get uid/gid from ldap
 user->user.uid = -1;
 user->user.gid = -1;
 ws_ldap_close(ld);
 return NULL;
 }
-LDAPGroup* ldap_get_group(LDAPAuthDB *authdb, const char *group) {
+LDAPGroup* ldap_get_group(Session *sn, Request *rq, LDAPAuthDB *authdb, const char *group) {
 printf("ldap_get_group: %s\n", group);
 LDAPConfig *config = &authdb->config;
-LDAP *ld = get_ldap_session(authdb);
+LDAP *ld = get_ldap_session(sn, rq, authdb);
 if (ld == NULL) {
 fprintf(stderr, "ldap_init failed\n");
 return NULL;
 }
 int ldap_user_check_group(User *u, const char *group_str) {
 LDAPUser *user = (LDAPUser*)u;
 int ret = 0;
-LDAPGroup *group = ldap_get_group(user->authdb, group_str);
+LDAPGroup *group = ldap_get_group(user->sn, user->rq, user->authdb, group_str);
 for(int i=0;i<group->nmembers;i++) {
 char *member = group->members[i].name;
 if(!strcmp(member, u->name)) {
 printf("is member\n");
 ret = 1;

comparison: src/server/daemon/ldap_auth.c

src/server/daemon/ldap_auth.c

Mercurial > hg > webserver / file comparison

comparison: src/server/daemon/ldap_auth.c

src/server/daemon/ldap_auth.c