src/server/daemon/ldap_auth.h@467ed0f559af
src/server/daemon/ldap_auth.h
Mon, 13 Mar 2023 22:39:51 +0100
- author
- Olaf Wintermann <olaf.wintermann@gmail.com>
- date
- Mon, 13 Mar 2023 22:39:51 +0100
- changeset 470
- 467ed0f559af
- parent 469
- 9a36a6b52e4c
- child 471
- 9aa5ae3258f5
- permissions
- -rw-r--r--
refactor ldap user authentication, use new filter config
/* * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. * * Copyright 2013 Olaf Wintermann. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ #ifndef LDAP_AUTH_H #define LDAP_AUTH_H #include "../public/auth.h" #include <sys/types.h> #include <ldap.h> #include <cx/map.h> #include "config.h" #ifdef __cplusplus extern "C" { #endif typedef struct ldap_auth_db LDAPAuthDB; typedef struct ldap_config LDAPConfig; typedef struct ldap_user LDAPUser; typedef struct ldap_group LDAPGroup; typedef struct ldap_member LDAPMember; typedef struct ldap_group_cache LDAPGroupCache; /* * * WS_LDAP_GROUP_MEMBER_UID: the member attribute contains the user uid * e.g. member attribute of posixGroup * memberUid: user */ enum WSLdapGroupMemberType { /* * the member attribute contains the full user dn * for example object class groupOfUniqueNames attribute uniqueMember * uniqueMember: uid=user,ou=People,dc=example,dc=com */ WS_LDAP_GROUP_MEMBER_DN = 0, /* * the member attribute contains the user uid * for example object class posixGroup attribute memberUid * memberUid: user */ WS_LDAP_GROUP_MEMBER_UID }; struct ldap_config { /* * ldap resource pool name */ const char *resource; /* * ldap basedn */ const char *basedn; /* * default bind dn for search operations */ const char *binddn; /* * password for default binddn */ const char *bindpw; /* * the ldap filter used to resolve user names to DN * this can be specified in the config file directly or it will * auto-generated later, so it must always be a non-empty string */ const char *userSearchFilter; /* * array of user id attributes */ cxstring *uidAttributes; /* * number of uid attributes */ size_t numUidAttributes; /* * same as userSearchFilter, but for groups */ const char *groupSearchFilter; /* * array of attributes that represent group members */ cxstring *memberAttributes; /* * number of group member attributes */ size_t numMemberAttributes; /* * value type of the group member attribute */ enum WSLdapGroupMemberType groupMemberType; /* * enables/disables support for ldap groups */ WSBool enableGroups; /* * use the full DN internally as user name */ WSBool userNameIsDN; }; struct ldap_group_cache { LDAPGroup *first; LDAPGroup *last; CxMap *map; }; struct ldap_auth_db { AuthDB authdb; LDAPConfig config; LDAPGroupCache groups; }; struct ldap_user { User user; LDAPAuthDB *authdb; LDAP *ldap; Session *sn; Request *rq; char *userdn; char *uid_attr; int uid; int gid; }; struct ldap_member { char *name; int uid; }; struct ldap_group { char *name; LDAPMember *members; size_t nmembers; time_t update; LDAPGroup *next; }; /* * Creates an LDAP AuthDB * * Config parameters (from ConfigNode *node): * Resource ldap resource pool name * Basedn ldap base dn * Binddn binddn for search operations * Bindpw binddn password * DirectoryType type of the directory service (ldap|ad) which acts as * config preset for filter and attribute settings * UserSearchFilter ldap search filter for user dn resolution * UidAttributes comma separated list of attributes, that contain the uid * GroupSearchFilter ldap search filter for group resolution * MemberAttributes comma separated list of group member attributes * MemberType member attribute type (dn|uid) * EnableGroups enable or disable support for groups * UserNameIsDn should the uid or the dn used internally as user name * * * If no Resource parameter is specified, a resource pool is automatically * created with the name _<authdbname>_ldap and all parameters from the * ConfigNode are passed to resourcepool_new(). That means, all ldap * resource pool parameters can also specified in the AuthDB object. */ AuthDB* create_ldap_authdb(ServerConfiguration *cfg, const char *name, ConfigNode *node); LDAP* get_ldap_session(Session *sn, Request *rq, LDAPAuthDB *authdb); User* ldap_get_user(AuthDB *sb, Session *sn, Request *rq, const char *username); LDAPGroup* ldap_get_group(Session *sn, Request *rq, LDAPAuthDB *authdb, const char *group); int ldap_user_verify_password(User *user, const char *password); int ldap_user_check_group(User *user, const char *group); void ldap_user_free(User *user); #ifdef __cplusplus } #endif #endif /* LDAP_AUTH_H */
