src/server/daemon/ldap_auth.h

changeset 467
4d038bc6f86e
parent 415
d938228c382e
child 469
9a36a6b52e4c
--- a/src/server/daemon/ldap_auth.h	Sun Mar 12 11:42:17 2023 +0100
+++ b/src/server/daemon/ldap_auth.h	Sun Mar 12 20:02:04 2023 +0100
@@ -47,15 +47,96 @@
 typedef struct ldap_member      LDAPMember;
 typedef struct ldap_group_cache LDAPGroupCache;
 
+/*
+
+ * 
+ * WS_LDAP_GROUP_MEMBER_UID: the member attribute contains the user uid
+ *    e.g. member attribute of posixGroup
+ *    memberUid: user
+ */
+enum WSLdapGroupMemberType {
+    /*
+     * the member attribute contains the full user dn
+     * for example object class groupOfUniqueNames attribute uniqueMember
+     * uniqueMember: uid=user,ou=People,dc=example,dc=com
+     */
+    WS_LDAP_GROUP_MEMBER_DN = 0,
+    
+    /*
+     * the member attribute contains the user uid
+     * for example object class posixGroup attribute memberUid
+     * memberUid: user
+     */
+    WS_LDAP_GROUP_MEMBER_UID
+};
+
 struct ldap_config {
-    char   *hostname;
-    int    port;
-    int    ssl;
-    char   *basedn;
-    char   *binddn;
-    char   *bindpw;
-    char   *usersearch;
-    char   *groupsearch;
+    /*
+     * ldap resource pool name
+     */
+    const char *resource;
+    
+    /*
+     * ldap basedn
+     */
+    const char *basedn;
+    
+    /*
+     * default bind dn for search operations
+     */
+    const char *binddn;
+    
+    /*
+     * password for default binddn
+     */
+    const char *bindpw;
+    
+    /*
+     * the ldap filter used to resolve user names to DN
+     * this can be specified in the config file directly or it will 
+     * auto-generated later, so it must always be a non-empty string
+     */
+    const char *userSearchFilter;
+    
+    /*
+     * array of user id attributes
+     */
+    char *uidAttributes[10];
+    
+    /*
+     * number of uid attributes
+     */
+    size_t numUidAttributes;
+    
+    /*
+     * same as userSearchFilter, but for groups
+     */
+    const char *groupSearchFilter;
+    
+    /*
+     * array of attributes that represent group members
+     */
+    char *memberAttributes[10];
+    
+    /*
+     * number of group member attributes
+     */
+    size_t numMemberAttributes;
+    
+    /*
+     * value type of the group member attribute
+     */
+    enum WSLdapGroupMemberType groupMemberType;
+    
+    /*
+     * enables/disables support for ldap groups
+     */
+    WSBool enableGroups;
+    
+    /*
+     * use the full DN internally as user name
+     */
+    WSBool userNameIsDN;
 };
 
 struct ldap_group_cache {
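Review bot: The capacity 10 of `uidAttributes` and `memberAttributes` is a bare magic number with no statement of what happens when a config lists more attributes, so the parser that fills `numUidAttributes` and `numMemberAttributes` (not in this hunk) has no named bound to check against. I would declare it once before `struct ldap_config`, `enum { WS_LDAP_MAX_ATTRIBUTES = 10 };`, use it for both array sizes, and say in the field comments that the count never exceeds it and whether the parser rejects or truncates longer lists. The leading comment on `enum WSLdapGroupMemberType` is broken — an empty line after `/*`, a bare ` * `, and only the UID case described — while each enumerator already carries its own comment, so it can shrink to `/* value type of a group member attribute; see the enumerator comments */`. The string fields also moved from `char *` to `const char *` without saying who owns them; a one-line note that they presumably alias the ConfigNode values and are not freed with the struct (hedged, since the parser is not visible here) would prevent a later double free or dangling pointer.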
@@ -74,6 +155,8 @@
     User         user;
     LDAPAuthDB   *authdb;
     LDAP         *ldap;
+    Session      *sn;
+    Request      *rq;
     char         *userdn;
     int          uid;
     int          gid;
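Review bot: `Session *sn` and `Request *rq` are request-scoped handles stored in a struct that also holds a `User` and an `LDAP *` connection, and nothing states how long the containing object lives; if it is cached or reused beyond the request that created it (the struct's header is above this hunk, so I cannot tell), both pointers dangle. I would document the constraint on the new fields, `Session      *sn;   /* request-scoped; valid only while the originating request is processed */` and the same wording on `rq`, or drop the fields and keep passing sn/rq explicitly as the new `ldap_get_group` prototype already does.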
@@ -92,13 +175,37 @@
     LDAPGroup   *next;
 };
 
-AuthDB* create_ldap_authdb(ServerConfiguration *cfg, const char *name, LDAPConfig *conf);
-
-LDAP* get_ldap_session(LDAPAuthDB *authdb);
+/*
+ * Creates an LDAP AuthDB
+ * 
+ * Config parameters (from ConfigNode *node):
+ * Resource           ldap resource pool name
+ * Basedn             ldap base dn
+ * Binddn             binddn for search operations
+ * Bindpw             binddn password
+ * DirectoryType      type of the directory service (ldap|ad) which acts as
+ *                    config preset for filter and attribute settings
+ * UserSearchFilter   ldap search filter for user dn resolution
+ * UidAttributes      comma separated list of attributes, that contain the uid
+ * GroupSearchFilter  ldap search filter for group resolution
+ * MemberAttributes   comma separated list of group member attributes
+ * MemberType         member attribute type (dn|uid)
+ * EnableGroups       enable or disable support for groups
+ * UserNameIsDn       should the uid or the dn used internally as user name
+ * 
+ * 
+ * If no Resource parameter is specified, a resource pool is automatically
+ * created with the name _<authdbname>_ldap and all parameters from the
+ * ConfigNode are passed to resourcepool_new(). That means, all ldap
+ * resource pool parameters can also specified in the AuthDB object.
+ */
+AuthDB* create_ldap_authdb(ServerConfiguration *cfg, const char *name, ConfigNode *node);
 
-User* ldap_get_user(AuthDB *sb, const char *username);
+LDAP* get_ldap_session(Session *sn, Request *rq, LDAPAuthDB *authdb);
 
-LDAPGroup* ldap_get_group(LDAPAuthDB *authdb, const char *group);
+User* ldap_get_user(AuthDB *sb, Session *sn, Request *rq, const char *username);
+
+LDAPGroup* ldap_get_group(Session *sn, Request *rq, LDAPAuthDB *authdb, const char *group);
 
 int ldap_user_verify_password(User *user, const char *password);
 int ldap_user_check_group(User *user, const char *group);
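Review bot: The reworked prototypes `get_ldap_session`, `ldap_get_user` and `ldap_get_group` gain `Session *sn, Request *rq` parameters but, unlike `create_ldap_authdb`, carry no comment on whether NULL is accepted for them, what is returned on failure, or who owns the returned `LDAP *`, `User *` and `LDAPGroup *`. Given the resource-pool wording in the `create_ldap_authdb` comment, the `LDAP *` is presumably borrowed from the pool and must be handed back rather than unbound by the caller — confirm against the implementation and state it, e.g. `/* Returns an LDAP handle for this request from the AuthDB's resource pool, or NULL on error; the pool owns it, the caller must not ldap_unbind it. */`. The `create_ldap_authdb` comment also has two empty ` * ` lines after the parameter table, and the table would read better if each key named the `struct ldap_config` field it sets (`UserNameIsDn` → `userNameIsDN`, `MemberType (dn|uid)` → `groupMemberType`).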
