45 return LDAP_SCOPE_CHILDREN; |
45 return LDAP_SCOPE_CHILDREN; |
46 } |
46 } |
47 return -1; |
47 return -1; |
48 } |
48 } |
49 |
49 |
50 int ldap_query_saf(pblock *pb, Session *sn, Request *rq) { |
50 int service_ldap_search(pblock *pb, Session *sn, Request *rq) { |
51 char *resource_name = pblock_findval("resource", pb); |
51 char *resource_name = pblock_findval("resource", pb); |
52 char *basedn = pblock_findval("basedn", pb); |
52 char *basedn = pblock_findval("basedn", pb); |
53 char *binddn = pblock_findval("bindnd", pb); |
53 char *binddn = pblock_findval("bindnd", pb); |
54 char *bindpw = pblock_findval("bindpw", pb); |
54 char *bindpw = pblock_findval("bindpw", pb); |
55 char *ldap_query = pblock_findval("query", pb); |
55 char *filter = pblock_findval("filter", pb); |
56 char *empty_query_error = pblock_findval("empty_query_error", pb); |
56 char *empty_query_error = pblock_findval("empty_filter_error", pb); |
57 char *empty_result_error = pblock_findval("empty_result_error", pb); |
57 char *empty_result_error = pblock_findval("empty_result_error", pb); |
58 char *scope_str = pblock_findval("scope", pb); |
58 char *scope_str = pblock_findval("scope", pb); |
59 char *timeout_str = pblock_findval("timeout", pb); |
59 char *timeout_str = pblock_findval("timeout", pb); |
60 char *sizelimit_str = pblock_findval("sizelimit", pb); |
60 char *sizelimit_str = pblock_findval("sizelimit", pb); |
61 |
61 |
62 int status_empty_query = WS_SAFS_LDAP_EMPTY_QUERY_ERROR; |
62 int status_empty_filter = WS_SAFS_LDAP_EMPTY_FILTER_ERROR; |
63 int status_empty_result = WS_SAFS_LDAP_EMPTY_RESULT_ERROR; |
63 int status_empty_result = WS_SAFS_LDAP_EMPTY_RESULT_ERROR; |
64 |
64 |
65 if(empty_query_error) { |
65 if(empty_query_error) { |
66 int64_t status = 0; |
66 int64_t status = 0; |
67 util_strtoint(empty_query_error, &status); |
67 util_strtoint(empty_query_error, &status); |
68 if(status < 200 || status > 999) { |
68 if(status < 200 || status > 999) { |
69 log_ereport(LOG_MISCONFIG, "ldap-query: empty_query_error parameter must be an integer between 200 and 999"); |
69 log_ereport(LOG_MISCONFIG, "ldap-search: empty_query_error parameter must be an integer between 200 and 999"); |
70 return REQ_ABORTED; |
70 return REQ_ABORTED; |
71 } |
71 } |
72 status_empty_query = status; |
72 status_empty_filter = status; |
73 } |
73 } |
74 if(empty_result_error) { |
74 if(empty_result_error) { |
75 int64_t status = 0; |
75 int64_t status = 0; |
76 util_strtoint(empty_result_error, &status); |
76 util_strtoint(empty_result_error, &status); |
77 if(status < 200 || status > 999) { |
77 if(status < 200 || status > 999) { |
78 log_ereport(LOG_MISCONFIG, "ldap-query: empty_result_error parameter must be an integer between 200 and 999"); |
78 log_ereport(LOG_MISCONFIG, "ldap-search: empty_result_error parameter must be an integer between 200 and 999"); |
79 return REQ_ABORTED; |
79 return REQ_ABORTED; |
80 } |
80 } |
81 status_empty_result = status; |
81 status_empty_result = status; |
82 } |
82 } |
83 |
83 |
84 // should we sent an empty response in case of an empty query/result |
84 // should we sent an empty response in case of an empty query/result |
85 // or the standard error message? |
85 // or the standard error message? |
86 WSBool empty_query_response = status_empty_query < 300 ? TRUE : FALSE; |
86 WSBool empty_query_response = status_empty_filter < 300 ? TRUE : FALSE; |
87 WSBool empty_result_response = status_empty_result < 300 ? TRUE : FALSE; |
87 WSBool empty_result_response = status_empty_result < 300 ? TRUE : FALSE; |
88 |
88 |
89 int scope = WS_SAFS_LDAP_DEFAULT_SCOPE; |
89 int scope = WS_SAFS_LDAP_DEFAULT_SCOPE; |
90 if(scope_str) { |
90 if(scope_str) { |
91 scope = get_ldap_scope(scope_str); |
91 scope = get_ldap_scope(scope_str); |
92 if(scope < 0) { |
92 if(scope < 0) { |
93 log_ereport(LOG_MISCONFIG, "ldap-query: unknown scope %s", scope_str); |
93 log_ereport(LOG_MISCONFIG, "ldap-search: unknown scope %s", scope_str); |
94 return REQ_ABORTED; |
94 return REQ_ABORTED; |
95 } |
95 } |
96 } |
96 } |
97 int timeout = WS_SAFS_LDAP_DEFAULT_TIMEOUT; |
97 int timeout = WS_SAFS_LDAP_DEFAULT_TIMEOUT; |
98 if(timeout_str) { |
98 if(timeout_str) { |
99 int64_t t; |
99 int64_t t; |
100 if(util_strtoint(timeout_str, &t)) { |
100 if(util_strtoint(timeout_str, &t)) { |
101 if(t < 0 || t > WS_SAFS_LDAP_MAX_TIMEOUT) { |
101 if(t < 0 || t > WS_SAFS_LDAP_MAX_TIMEOUT) { |
102 log_ereport(LOG_MISCONFIG, "ldap-query: timeout out of range"); |
102 log_ereport(LOG_MISCONFIG, "ldap-search: timeout out of range"); |
103 return REQ_ABORTED; |
103 return REQ_ABORTED; |
104 } |
104 } |
105 timeout = t; |
105 timeout = t; |
106 } else { |
106 } else { |
107 log_ereport(LOG_MISCONFIG, "ldap-query: timeout %s is not a number", timeout_str); |
107 log_ereport(LOG_MISCONFIG, "ldap-search: timeout %s is not a number", timeout_str); |
108 } |
108 } |
109 } |
109 } |
110 int sizelimit = WS_SAFS_LDAP_DEFAULT_SIZELIMIT; |
110 int sizelimit = WS_SAFS_LDAP_DEFAULT_SIZELIMIT; |
111 if(timeout_str) { |
111 if(sizelimit_str) { |
112 int64_t v; |
112 int64_t v; |
113 if(util_strtoint(timeout_str, &v)) { |
113 if(util_strtoint(sizelimit_str, &v)) { |
114 if(v > INT_MAX) { |
114 if(v > INT_MAX) { |
115 log_ereport(LOG_MISCONFIG, "ldap-query: sizelimit out of range"); |
115 log_ereport(LOG_MISCONFIG, "ldap-search: sizelimit out of range"); |
116 return REQ_ABORTED; |
116 return REQ_ABORTED; |
117 } |
117 } |
118 sizelimit = v; |
118 sizelimit = v; |
119 } else { |
119 } else { |
120 log_ereport(LOG_MISCONFIG, "ldap-query: sizelimit %s is not a number", timeout_str); |
120 log_ereport(LOG_MISCONFIG, "ldap-search: sizelimit %s is not a number", timeout_str); |
121 } |
121 } |
122 } |
122 } |
123 |
123 |
124 |
124 |
125 if(!resource_name) { |
125 if(!resource_name) { |
126 log_ereport(LOG_MISCONFIG, "ldap-query: missing resource parameter"); |
126 log_ereport(LOG_MISCONFIG, "ldap-search: missing resource parameter"); |
127 return REQ_ABORTED; |
127 return REQ_ABORTED; |
128 } |
128 } |
129 if(!basedn) { |
129 if(!basedn) { |
130 log_ereport(LOG_MISCONFIG, "ldap-query: missing basedn parameter"); |
130 log_ereport(LOG_MISCONFIG, "ldap-search: missing basedn parameter"); |
131 return REQ_ABORTED; |
131 return REQ_ABORTED; |
132 } |
132 } |
133 |
133 |
134 if(!ldap_query) { |
134 if(!filter) { |
135 // alternatively get query from rq->vars |
135 // alternatively get filter from rq->vars |
136 ldap_query = pblock_findval("ldap_query", rq->vars); |
136 filter = pblock_findval("ldap_filter", rq->vars); |
137 if(!ldap_query) { |
137 log_ereport(LOG_DEBUG, "ldap-search: no filter parameter, rq.vars ldap_filter: %s", filter); |
138 // no ldap query |
138 if(!filter) { |
139 protocol_status(sn, rq, status_empty_query, NULL); |
139 // no ldap filter |
|
140 protocol_status(sn, rq, status_empty_filter, NULL); |
140 if(empty_query_response) { |
141 if(empty_query_response) { |
141 pblock_nvinsert("content-length", "0", rq->srvhdrs); |
142 pblock_nvinsert("content-length", "0", rq->srvhdrs); |
142 http_start_response(sn, rq); |
143 http_start_response(sn, rq); |
|
144 } else { |
|
145 log_ereport(LOG_FAILURE, "ldap-search: no filter specified"); |
143 } |
146 } |
144 return REQ_PROCEED; |
147 return REQ_PROCEED; |
145 } |
148 } |
146 } |
149 } |
147 |
150 |
148 // get the resource |
151 // get the resource |
149 ResourceData *resdata = resourcepool_lookup(sn, rq, resource_name, 0); |
152 ResourceData *resdata = resourcepool_lookup(sn, rq, resource_name, 0); |
150 if(!resdata) { |
153 if(!resdata) { |
151 log_ereport(LOG_FAILURE, "ldap-query: cannot get resource %s", resource_name); |
154 log_ereport(LOG_FAILURE, "ldap-search: cannot get resource %s", resource_name); |
152 return REQ_ABORTED; |
155 return REQ_ABORTED; |
153 } |
156 } |
154 LDAP *ldap = resdata->data; |
157 LDAP *ldap = resdata->data; |
155 |
158 |
156 // optionally, use binddn |
159 // optionally, use binddn |
157 if(binddn) { |
160 if(binddn) { |
158 struct berval *server_cred; |
161 struct berval *server_cred; |
159 if(ws_ldap_bind(ldap, binddn, bindpw ? bindpw : "", &server_cred) != LDAP_SUCCESS) { |
162 if(ws_ldap_bind(ldap, binddn, bindpw ? bindpw : "", &server_cred) != LDAP_SUCCESS) { |
160 log_ereport(LOG_FAILURE, "ldap-query: resource %s: cannot bind %s", resource_name, binddn); |
163 log_ereport(LOG_FAILURE, "ldap-search: resource %s: cannot bind %s", resource_name, binddn); |
161 resourcepool_free(sn, rq, resdata); |
164 resourcepool_free(sn, rq, resdata); |
162 return REQ_ABORTED; |
165 return REQ_ABORTED; |
163 } |
166 } |
164 } |
167 } |
165 |
168 |