implement userNameIsDN and enableGroups for ldap auth

Thu, 16 Mar 2023 19:38:18 +0100

author
Olaf Wintermann <olaf.wintermann@gmail.com>
date
Thu, 16 Mar 2023 19:38:18 +0100
changeset 472
d6bc67906c8c
parent 471
9aa5ae3258f5
child 473
102322b6f4ee

implement userNameIsDN and enableGroups for ldap auth

src/server/daemon/ldap_auth.c file | annotate | diff | comparison | revisions
--- a/src/server/daemon/ldap_auth.c	Wed Mar 15 19:46:02 2023 +0100
+++ b/src/server/daemon/ldap_auth.c	Thu Mar 16 19:38:18 2023 +0100
@@ -541,11 +541,27 @@
         return NULL;
     }
     
-    cxstring groupSearch = cx_str(config->groupSearchFilter);
-    cxmutstr filter = cx_strreplace_a(a, groupSearch, cx_str("%s"), cx_str(group));
-    if(!filter.ptr) {
-        return NULL;
+    // if userNameIsDN is true, group will be the full group dn and we
+    // don't need to search with a filter, to get the entry
+    char *filterStr;
+    const char *basedn;
+    int scope;
+    if(config->userNameIsDN) {
+        filterStr = NULL;
+        basedn = group;
+        scope = LDAP_SCOPE_BASE;
+    } else {
+        cxstring groupSearch = cx_str(config->groupSearchFilter);
+        cxmutstr filter = cx_strreplace_a(a, groupSearch, cx_str("%s"), cx_str(group));
+        if(!filter.ptr) {
+            return NULL;
+        }
+        filterStr = filter.ptr;
+        basedn = config->basedn;
+        scope = LDAP_SCOPE_SUBTREE;
     }
+    
+    log_ereport(LOG_DEBUG, "ldap_get_group: basedn: %s filter: %s", basedn, filterStr);
 
     LDAPMessage *result;
     struct timeval timeout;
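Review bot: The new debug log on the line `log_ereport(LOG_DEBUG, "ldap_get_group: basedn: %s filter: %s", basedn, filterStr);` passes `filterStr` to `%s` while the userNameIsDN branch just set it to NULL, which is undefined behaviour in C (glibc happens to print "(null)", other libc implementations can crash); use `log_ereport(LOG_DEBUG, "ldap_get_group: basedn: %s filter: %s", basedn, filterStr ? filterStr : "(objectClass=*)");` or skip the filter part when it is NULL. Relying on a NULL filter meaning a base-object lookup of `group` depends on libldap substituting `(objectClass=*)`, which OpenLDAP does but is worth stating in the comment above the branch so a later port to another client library does not silently break group lookups. In the userNameIsDN branch `group` is used verbatim as the search base, so a group name that is not a syntactically valid DN surfaces only as the generic search failure logged below; a short comment noting that the caller must pass a full DN in that mode would help. The enclosing ldap_get_group function starts before this hunk.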
@@ -553,9 +569,9 @@
     timeout.tv_usec = 0;
     int r = ldap_search_ext_s(
             ld,
-            config->basedn,
-            LDAP_SCOPE_SUBTREE,
-            filter.ptr,
+            basedn,
+            scope,
+            filterStr,
             NULL,
             0,
             NULL,        // server controls
@@ -563,11 +579,15 @@
             &timeout,
             2,           // size limit
             &result);
+    if(filterStr) {
+        cxFree(a, filterStr);
+    }
+    
     if (r != LDAP_SUCCESS) {
         if(result) {
             ldap_msgfree(result);
         }
-        log_ereport(LOG_FAILURE, "ldap_get_group: search failed: %s", ldap_err2string(r));
+        log_ereport(LOG_FAILURE, "ldap_get_group %s: search failed: %s", group, ldap_err2string(r));
         return NULL;
     }
     
@@ -582,53 +602,6 @@
     }
     ldap_msgfree(result);
     
-    /*
-    LDAPMessage *msg = ldap_first_entry(ld, result);
-    if (msg) {
-        // create group object
-        wsgroup = malloc(sizeof(LDAPGroup));
-        wsgroup->name = strdup(group);
-        wsgroup->members = NULL;
-        wsgroup->nmembers = 0;
-        wsgroup->update = 0;
-        wsgroup->next = NULL;
-        
-        // get attributes
-        BerElement *ber = NULL;
-        char *attribute = attribute=ldap_first_attribute(ld, msg, &ber);
-        while(attribute != NULL) {
-            printf("attribute: %s\n", attribute);
-            if(!strcasecmp(attribute, "memberuid")) {
-                // get all memberuid values and add the users to the group obj
-                
-                struct berval **values = ldap_get_values_len(ld, msg, attribute);
-                if(values) {
-                    int count = ldap_count_values_len(values);
-                    wsgroup->members = calloc(count, sizeof(LDAPMember));
-                    wsgroup->nmembers = count;
-                    for(int i=0;i<count;i++) {
-                        cxstring member = cx_strn(
-                                values[i]->bv_val,
-                                values[i]->bv_len);
-                        wsgroup->members[i].name = cx_strdup(member).ptr;
-                        // TODO: uid?
-                        printf("added member: %.*s\n", (int)member.length, member.ptr);
-                    }
-                }
-            }
-            
-            attribute = ldap_next_attribute(ld, msg, ber); 
-        }
-        
-        if(ber) {
-            //ldap_ber_free(ber, 0);
-        }
-        if(attribute) {
-            ldap_memfree(attribute);
-        }
-    }
-    */
-    
     return wsgroup;
 }
 
@@ -658,25 +631,31 @@
 
 int ldap_user_check_group(User *u, const char *group_str) {
     LDAPUser *user = (LDAPUser*)u;
+    LDAPAuthDB *authdb = user->authdb;
+    if(!authdb->config.enableGroups) {
+        log_ereport(
+                LOG_DEBUG,
+                "ldap_user_check_group: authdb %s: groups disabled",
+                authdb->authdb.name);
+        return 0;
+    }
     
     int ret = 0;
-    
-    LDAPGroup *group = ldap_get_group(user->sn, user->rq, user->authdb, group_str);
+    LDAPGroup *group = ldap_get_group(user->sn, user->rq, authdb, group_str);
     if(group) {
-        char *member = cxMapGet(group->members, cx_hash_key_str(u->name));
+        const char *usr = authdb->config.groupMemberType == WS_LDAP_GROUP_MEMBER_DN ? user->userdn : user->uid_attr;
+        char *member = cxMapGet(group->members, cx_hash_key_str(usr));
         if(member) {
             ret = 1;
         }
     }
-
     
     return ret;
 }
 
 void ldap_user_free(User *u) {
     LDAPUser *user = (LDAPUser*)u;
-    ldap_memfree(user->userdn);
-    // TODO: use connection pool
-    //ws_ldap_close(user->ldap);
-    free(user);
+    pool_free(user->sn->pool, user->userdn);
+    pool_free(user->sn->pool, user->uid_attr);
+    pool_free(user->sn->pool, user);
 }
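Review bot: In ldap_user_check_group the new line `const char *usr = ... ? user->userdn : user->uid_attr;` feeds `usr` straight into `cx_hash_key_str(usr)` without a NULL check, and nothing in this hunk shows that `uid_attr` is guaranteed to be set for every authenticated user; if it can be absent, guard it with `if(group && usr) {` so the lookup fails closed instead of hashing a NULL pointer. The early return when `enableGroups` is off correctly denies membership rather than granting it, which is the right default, but a one-line comment such as `// groups disabled: never a member, so ACL group rules deny` would make that intent explicit for the next reader. Note that in the DN mode the membership test is an exact string comparison of `user->userdn` against the stored member values, while LDAP DNs are case-insensitive in attribute types and often in values, so users may be denied membership when the directory returns a differently normalised DN; this is fail-closed, but worth documenting near the comparison. In ldap_user_free the switch from `ldap_memfree` to `pool_free` for `user->userdn` presumes the login path now copies the DN into the session pool, which happens outside this diff and should be confirmed.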
