# HG changeset patch # User Olaf Wintermann # Date 1678991898 -3600 # Node ID d6bc67906c8c925e74117f3dc2faf5302b55c27e # Parent 9aa5ae3258f51ad196af543a789a9d285f651266 implement userNameIsDN and enableGroups for ldap auth diff -r 9aa5ae3258f5 -r d6bc67906c8c src/server/daemon/ldap_auth.c --- a/src/server/daemon/ldap_auth.c Wed Mar 15 19:46:02 2023 +0100 +++ b/src/server/daemon/ldap_auth.c Thu Mar 16 19:38:18 2023 +0100 @@ -541,11 +541,27 @@ return NULL; } - cxstring groupSearch = cx_str(config->groupSearchFilter); - cxmutstr filter = cx_strreplace_a(a, groupSearch, cx_str("%s"), cx_str(group)); - if(!filter.ptr) { - return NULL; + // if userNameIsDN is true, group will be the full group dn and we + // don't need to search with a filter, to get the entry + char *filterStr; + const char *basedn; + int scope; + if(config->userNameIsDN) { + filterStr = NULL; + basedn = group; + scope = LDAP_SCOPE_BASE; + } else { + cxstring groupSearch = cx_str(config->groupSearchFilter); + cxmutstr filter = cx_strreplace_a(a, groupSearch, cx_str("%s"), cx_str(group)); + if(!filter.ptr) { + return NULL; + } + filterStr = filter.ptr; + basedn = config->basedn; + scope = LDAP_SCOPE_SUBTREE; } + + log_ereport(LOG_DEBUG, "ldap_get_group: basedn: %s filter: %s", basedn, filterStr); LDAPMessage *result; struct timeval timeout; @@ -553,9 +569,9 @@ timeout.tv_usec = 0; int r = ldap_search_ext_s( ld, - config->basedn, - LDAP_SCOPE_SUBTREE, - filter.ptr, + basedn, + scope, + filterStr, NULL, 0, NULL, // server controls @@ -563,11 +579,15 @@ &timeout, 2, // size limit &result); + if(filterStr) { + cxFree(a, filterStr); + } + if (r != LDAP_SUCCESS) { if(result) { ldap_msgfree(result); } - log_ereport(LOG_FAILURE, "ldap_get_group: search failed: %s", ldap_err2string(r)); + log_ereport(LOG_FAILURE, "ldap_get_group %s: search failed: %s", group, ldap_err2string(r)); return NULL; } @@ -582,53 +602,6 @@ } ldap_msgfree(result); - /* - LDAPMessage *msg = ldap_first_entry(ld, result); - if (msg) { - // create group object - wsgroup = malloc(sizeof(LDAPGroup)); - wsgroup->name = strdup(group); - wsgroup->members = NULL; - wsgroup->nmembers = 0; - wsgroup->update = 0; - wsgroup->next = NULL; - - // get attributes - BerElement *ber = NULL; - char *attribute = attribute=ldap_first_attribute(ld, msg, &ber); - while(attribute != NULL) { - printf("attribute: %s\n", attribute); - if(!strcasecmp(attribute, "memberuid")) { - // get all memberuid values and add the users to the group obj - - struct berval **values = ldap_get_values_len(ld, msg, attribute); - if(values) { - int count = ldap_count_values_len(values); - wsgroup->members = calloc(count, sizeof(LDAPMember)); - wsgroup->nmembers = count; - for(int i=0;ibv_val, - values[i]->bv_len); - wsgroup->members[i].name = cx_strdup(member).ptr; - // TODO: uid? - printf("added member: %.*s\n", (int)member.length, member.ptr); - } - } - } - - attribute = ldap_next_attribute(ld, msg, ber); - } - - if(ber) { - //ldap_ber_free(ber, 0); - } - if(attribute) { - ldap_memfree(attribute); - } - } - */ - return wsgroup; } @@ -658,25 +631,31 @@ int ldap_user_check_group(User *u, const char *group_str) { LDAPUser *user = (LDAPUser*)u; + LDAPAuthDB *authdb = user->authdb; + if(!authdb->config.enableGroups) { + log_ereport( + LOG_DEBUG, + "ldap_user_check_group: authdb %s: groups disabled", + authdb->authdb.name); + return 0; + } int ret = 0; - - LDAPGroup *group = ldap_get_group(user->sn, user->rq, user->authdb, group_str); + LDAPGroup *group = ldap_get_group(user->sn, user->rq, authdb, group_str); if(group) { - char *member = cxMapGet(group->members, cx_hash_key_str(u->name)); + const char *usr = authdb->config.groupMemberType == WS_LDAP_GROUP_MEMBER_DN ? user->userdn : user->uid_attr; + char *member = cxMapGet(group->members, cx_hash_key_str(usr)); if(member) { ret = 1; } } - return ret; } void ldap_user_free(User *u) { LDAPUser *user = (LDAPUser*)u; - ldap_memfree(user->userdn); - // TODO: use connection pool - //ws_ldap_close(user->ldap); - free(user); + pool_free(user->sn->pool, user->userdn); + pool_free(user->sn->pool, user->uid_attr); + pool_free(user->sn->pool, user); }