--- a/src/server/daemon/ldap_auth.h Sun Mar 12 11:42:17 2023 +0100
+++ b/src/server/daemon/ldap_auth.h Sun Mar 12 20:02:04 2023 +0100
@@ -47,15 +47,96 @@
 typedef struct ldap_member LDAPMember;
 typedef struct ldap_group_cache LDAPGroupCache;
+/*
+
+ *
+ * WS_LDAP_GROUP_MEMBER_UID: the member attribute contains the user uid
+ * e.g. member attribute of posixGroup
+ * memberUid: user
+ */
+enum WSLdapGroupMemberType {
+ /*
+ * the member attribute contains the full user dn
+ * for example object class groupOfUniqueNames attribute uniqueMember
+ * uniqueMember: uid=user,ou=People,dc=example,dc=com
+ */
+ WS_LDAP_GROUP_MEMBER_DN = 0,
+
+ /*
+ * the member attribute contains the user uid
+ * for example object class posixGroup attribute memberUid
+ * memberUid: user
+ */
+ WS_LDAP_GROUP_MEMBER_UID
+};
+
 struct ldap_config {
- char *hostname;
- int port;
- int ssl;
- char *basedn;
- char *binddn;
- char *bindpw;
- char *usersearch;
- char *groupsearch;
+ /*
+ * ldap resource pool name
+ */
+ const char *resource;
+
+ /*
+ * ldap basedn
+ */
+ const char *basedn;
+
+ /*
+ * default bind dn for search operations
+ */
+ const char *binddn;
+
+ /*
+ * password for default binddn
+ */
+ const char *bindpw;
+
+ /*
+ * the ldap filter used to resolve user names to DN
+ * this can be specified in the config file directly or it will
+ * auto-generated later, so it must always be a non-empty string
+ */
+ const char *userSearchFilter;
+
+ /*
+ * array of user id attributes
+ */
+ char *uidAttributes[10];
+
+ /*
+ * number of uid attributes
+ */
+ size_t numUidAttributes;
+
+ /*
+ * same as userSearchFilter, but for groups
+ */
+ const char *groupSearchFilter;
+
+ /*
+ * array of attributes that represent group members
+ */
+ char *memberAttributes[10];
+
+ /*
+ * number of group member attributes
+ */
+ size_t numMemberAttributes;
+
+ /*
+ * value type of the group member attribute
+ */
+ enum WSLdapGroupMemberType groupMemberType;
+
+ /*
+ * enables/disables support for ldap groups
+ */
+ WSBool enableGroups;
+
+ /*
+ * use the full DN internally as user name
+ */
+ WSBool userNameIsDN;
 };
 struct ldap_group_cache {
@@ -74,6 +155,8 @@
 User user;
 LDAPAuthDB *authdb;
 LDAP *ldap;
+Session *sn;
+Request *rq;
 char *userdn;
 int uid;
 int gid;
@@ -92,13 +175,37 @@
 LDAPGroup *next;
 };
-AuthDB* create_ldap_authdb(ServerConfiguration *cfg, const char *name, LDAPConfig *conf);
-
-LDAP* get_ldap_session(LDAPAuthDB *authdb);
+/*
+ * Creates an LDAP AuthDB
+ *
+ * Config parameters (from ConfigNode *node):
+ * Resource ldap resource pool name
+ * Basedn ldap base dn
+ * Binddn binddn for search operations
+ * Bindpw binddn password
+ * DirectoryType type of the directory service (ldap|ad) which acts as
+ * config preset for filter and attribute settings
+ * UserSearchFilter ldap search filter for user dn resolution
+ * UidAttributes comma separated list of attributes, that contain the uid
+ * GroupSearchFilter ldap search filter for group resolution
+ * MemberAttributes comma separated list of group member attributes
+ * MemberType member attribute type (dn|uid)
+ * EnableGroups enable or disable support for groups
+ * UserNameIsDn should the uid or the dn used internally as user name
+
+
+ * If no Resource parameter is specified, a resource pool is automatically
+ * created with the name _<authdbname>_ldap and all parameters from the
+ * ConfigNode are passed to resourcepool_new(). That means, all ldap
+ * resource pool parameters can also specified in the AuthDB object.
+ */
+AuthDB* create_ldap_authdb(ServerConfiguration *cfg, const char *name, ConfigNode *node);
-User* ldap_get_user(AuthDB *sb, const char *username);
+LDAP* get_ldap_session(Session *sn, Request *rq, LDAPAuthDB *authdb);
-LDAPGroup* ldap_get_group(LDAPAuthDB *authdb, const char *group);
+User* ldap_get_user(AuthDB *sb, Session *sn, Request *rq, const char *username);
+
+LDAPGroup* ldap_get_group(Session *sn, Request *rq, LDAPAuthDB *authdb, const char *group);
 int ldap_user_verify_password(User *user, const char *password);
 int ldap_user_check_group(User *user, const char *group);
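Review bot: `char *uidAttributes[10];` and `char *memberAttributes[10];` in `struct ldap_config` fix their capacity with a bare magic number, while `numUidAttributes` and `numMemberAttributes` are unbounded `size_t` counters, so nothing in the header ties the count to the array; the parser that fills them from the comma-separated `UidAttributes`/`MemberAttributes` settings described in the `create_ldap_authdb` comment is not in this hunk and must reject (or at least stop at) lists longer than the array before it writes past element 9. Give the bound one shared name, `enum { WS_LDAP_MAX_ATTRIBUTES = 10 };`, `char *uidAttributes[WS_LDAP_MAX_ATTRIBUTES];`, `char *memberAttributes[WS_LDAP_MAX_ATTRIBUTES];`, and state on the two `number of ... attributes` comments that the value never exceeds it. The string fields also changed from `char *` to `const char *` without saying who owns them; a hedged line such as `/* strings are owned by the ConfigNode/pool that created the AuthDB — TODO confirm */` would tell the next maintainer whether they may be freed. The comment block above `enum WSLdapGroupMemberType` (`/*`, two empty lines, then only a `WS_LDAP_GROUP_MEMBER_UID` description) reads as a leftover that duplicates the per-enumerator comments and could be reduced to a one-line purpose for the enum.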
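Review bot: The new `Session *sn;` and `Request *rq;` members store per-request pointers in a struct whose definition starts and ends outside this hunk, and nothing says how long they remain valid; if an object of this struct is ever kept past the request that created it (the file also declares an `ldap_group_cache`, so some caching exists), these pointers would dangle. Document the lifetime next to the fields, e.g. `/* request this object was created for; valid only until that request completes — do not use from cached copies */`, and make sure any code that reuses the object across requests clears or refreshes them. The struct's name is not visible here, so which object this is has been inferred from its `User user;` and `char *userdn;` members.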
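Review bot: The new prototypes `get_ldap_session`, `ldap_get_user` and `ldap_get_group` carry no comment on what `sn`/`rq` are needed for, whether a NULL return signals failure, or who releases the returned `LDAP *`, `User *` and `LDAPGroup *` — in particular whether the `LDAP *` handle must be given back to the resource pool that the `create_ldap_authdb` comment says is used; a one- or two-line comment per prototype stating return-on-failure and ownership would close that gap, as the long comment on `create_ldap_authdb` already does for configuration. Parameter order is also inconsistent within the hunk: `get_ldap_session` and `ldap_get_group` take `(Session *sn, Request *rq, LDAPAuthDB *authdb, ...)` while `ldap_get_user` takes `(AuthDB *sb, Session *sn, Request *rq, ...)`, presumably because the latter has to match the generic AuthDB callback, which is worth stating in its comment. In the `create_ldap_authdb` comment, "resource pool parameters can also specified" should read "can also be specified".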