src/server/daemon/ldap_auth.h

Thu, 16 Mar 2023 19:38:18 +0100

author
Olaf Wintermann <olaf.wintermann@gmail.com>
date
Thu, 16 Mar 2023 19:38:18 +0100
changeset 472
d6bc67906c8c
parent 471
9aa5ae3258f5
permissions
-rw-r--r--

implement userNameIsDN and enableGroups for ldap auth

/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright 2013 Olaf Wintermann. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 *   1. Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *
 *   2. Redistributions in binary form must reproduce the above copyright
 *      notice, this list of conditions and the following disclaimer in the
 *      documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef LDAP_AUTH_H
#define	LDAP_AUTH_H

#include "../public/auth.h"
#include <sys/types.h>
#include <ldap.h>
#include <cx/map.h>

#include "config.h"

#ifdef	__cplusplus
extern "C" {
#endif

typedef struct ldap_auth_db     LDAPAuthDB; 
typedef struct ldap_config      LDAPConfig;
typedef struct ldap_user        LDAPUser;
typedef struct ldap_group       LDAPGroup;
typedef struct ldap_member      LDAPMember;
typedef struct ldap_group_cache LDAPGroupCache;

/*

 * 
 * WS_LDAP_GROUP_MEMBER_UID: the member attribute contains the user uid
 *    e.g. member attribute of posixGroup
 *    memberUid: user
 */
enum WSLdapGroupMemberType {
    /*
     * the member attribute contains the full user dn
     * for example object class groupOfUniqueNames attribute uniqueMember
     * uniqueMember: uid=user,ou=People,dc=example,dc=com
     */
    WS_LDAP_GROUP_MEMBER_DN = 0,
    
    /*
     * the member attribute contains the user uid
     * for example object class posixGroup attribute memberUid
     * memberUid: user
     */
    WS_LDAP_GROUP_MEMBER_UID
};

struct ldap_config {
    /*
     * ldap resource pool name
     */
    const char *resource;
    
    /*
     * ldap basedn
     */
    const char *basedn;
    
    /*
     * default bind dn for search operations
     */
    const char *binddn;
    
    /*
     * password for default binddn
     */
    const char *bindpw;
    
    /*
     * the ldap filter used to resolve user names to DN
     * this can be specified in the config file directly or it will 
     * auto-generated later, so it must always be a non-empty string
     */
    const char *userSearchFilter;
    
    /*
     * array of user id attributes
     */
    cxstring *uidAttributes;
    
    /*
     * number of uid attributes
     */
    size_t numUidAttributes;
    
    /*
     * same as userSearchFilter, but for groups
     */
    const char *groupSearchFilter;
    
    /*
     * array of attributes that represent group members
     */
    cxstring *memberAttributes;
    
    /*
     * number of group member attributes
     */
    size_t numMemberAttributes;
    
    /*
     * value type of the group member attribute
     */
    enum WSLdapGroupMemberType groupMemberType;
    
    /*
     * enables/disables support for ldap groups
     */
    WSBool enableGroups;
    
    /*
     * use the full DN internally as user name
     */
    WSBool userNameIsDN;
};

struct ldap_group_cache {
    LDAPGroup *first;
    LDAPGroup *last;
    CxMap    *map;
};

struct ldap_auth_db {
    AuthDB         authdb;
    LDAPConfig     config;
    LDAPGroupCache groups;
};

struct ldap_user {
    User         user;
    LDAPAuthDB   *authdb;
    LDAP         *ldap;
    Session      *sn;
    Request      *rq;
    char         *userdn;
    char         *uid_attr;
    int          uid;
    int          gid;
};

struct ldap_member {
    char *name;
    int  uid;
};

struct ldap_group {
    char        *name;
    char        *dn;
    CxMap       *members; 
    time_t      update;
};

/*
 * Creates an LDAP AuthDB
 * 
 * Config parameters (from ConfigNode *node):
 * Resource           ldap resource pool name
 * Basedn             ldap base dn
 * Binddn             binddn for search operations
 * Bindpw             binddn password
 * DirectoryType      type of the directory service (ldap|ad) which acts as
 *                    config preset for filter and attribute settings
 * UserSearchFilter   ldap search filter for user dn resolution
 * UidAttributes      comma separated list of attributes, that contain the uid
 * GroupSearchFilter  ldap search filter for group resolution
 * MemberAttributes   comma separated list of group member attributes
 * MemberType         member attribute type (dn|uid)
 * EnableGroups       enable or disable support for groups
 * UserNameIsDn       should the uid or the dn used internally as user name
 * 
 * 
 * If no Resource parameter is specified, a resource pool is automatically
 * created with the name _<authdbname>_ldap and all parameters from the
 * ConfigNode are passed to resourcepool_new(). That means, all ldap
 * resource pool parameters can also specified in the AuthDB object.
 */
AuthDB* create_ldap_authdb(ServerConfiguration *cfg, const char *name, ConfigNode *node);

LDAP* get_ldap_session(Session *sn, Request *rq, LDAPAuthDB *authdb);

User* ldap_get_user(AuthDB *sb, Session *sn, Request *rq, const char *username);

LDAPGroup* ldap_get_group(Session *sn, Request *rq, LDAPAuthDB *authdb, const char *group);

int ldap_user_verify_password(User *user, const char *password);
int ldap_user_check_group(User *user, const char *group);
void ldap_user_free(User *user);

#ifdef	__cplusplus
}
#endif

#endif	/* LDAP_AUTH_H */

mercurial