
1 /* 2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. 3 * 4 * Copyright 2013 Olaf Wintermann. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 17 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 * POSSIBILITY OF SUCH DAMAGE. 
*/

#ifndef LDAP_AUTH_H
#define LDAP_AUTH_H

/*
 * LDAP authentication backend: an AuthDB implementation that resolves
 * user names and groups against a directory.
 *
 * This header declares the static configuration of one LDAP authdb, the
 * per-request user handle, the group cache and the functions the module
 * exports. Comments marked NOTE(review) describe what a reviewer would
 * want confirmed in the implementation (not visible from this header);
 * they are not guarantees made by this file.
 */

#include "../public/auth.h"
#include <sys/types.h>
#include <ldap.h>
#include <cx/map.h>

#include "config.h"

#ifdef __cplusplus
extern "C" {
#endif

typedef struct ldap_auth_db LDAPAuthDB;
typedef struct ldap_config LDAPConfig;
typedef struct ldap_user LDAPUser;
typedef struct ldap_group LDAPGroup;
typedef struct ldap_member LDAPMember;
typedef struct ldap_group_cache LDAPGroupCache;

/*
 * How the values of a group's member attribute(s) identify users.
 * Selected by the MemberType config parameter (dn|uid), see
 * create_ldap_authdb() below.
 */
enum WSLdapGroupMemberType {
    /*
     * the member attribute contains the full user dn
     * for example object class groupOfUniqueNames attribute uniqueMember
     * uniqueMember: uid=user,ou=People,dc=example,dc=com
     *
     * NOTE(review): matching a user against DN-valued members presumably
     * compares DN strings. DNs are not canonical as strings (case of
     * attribute types, spacing, escaping), so an exact string compare can
     * give false negatives — confirm how the implementation compares.
     */
    WS_LDAP_GROUP_MEMBER_DN = 0,

    /*
     * the member attribute contains the user uid
     * for example object class posixGroup attribute memberUid
     * memberUid: user
     */
    WS_LDAP_GROUP_MEMBER_UID
};

/*
 * Static configuration of one LDAP AuthDB, filled from the ConfigNode
 * passed to create_ldap_authdb(). Ownership and lifetime of the strings
 * are not visible in this header — TODO confirm (presumably the authdb
 * owns them for its whole lifetime).
 */
struct ldap_config {
    /*
     * ldap resource pool name
     */
    const char *resource;

    /*
     * ldap basedn
     */
    const char *basedn;

    /*
     * default bind dn for search operations
     */
    const char *binddn;

    /*
     * password for default binddn
     *
     * NOTE(review): a plaintext credential that stays in process memory
     * for the lifetime of the authdb (it comes from the server config).
     * Keep it out of log and error output, and consider zeroizing it
     * (explicit_bzero or equivalent) when the authdb is torn down.
     */
    const char *bindpw;

    /*
     * the ldap filter used to resolve user names to DN
     * this can be specified in the config file directly or it will be
     * auto-generated later, so it must always be a non-empty string
     *
     * NOTE(review): the user name supplied by the client is presumably
     * substituted into this filter before the search. That value is
     * untrusted input and must be escaped per RFC 4515 (at least
     * '*', '(', ')', '\' and NUL), otherwise the client can change the
     * meaning of the filter (LDAP filter injection) — confirm the
     * escaping in the implementation.
     */
    const char *userSearchFilter;

    /*
     * array of user id attributes
     */
    cxstring *uidAttributes;

    /*
     * number of uid attributes
     */
    size_t numUidAttributes;

    /*
     * same as userSearchFilter, but for groups
     *
     * NOTE(review): the same escaping requirement applies to the group
     * name substituted into it.
     */
    const char *groupSearchFilter;

    /*
     * array of attributes that represent group members
     */
    cxstring *memberAttributes;

    /*
     * number of group member attributes
     */
    size_t numMemberAttributes;

    /*
     * value type of the group member attribute
     */
    enum WSLdapGroupMemberType groupMemberType;

    /*
     * enables/disables support for ldap groups
     */
    WSBool enableGroups;

    /*
     * use the full DN internally as user name
     */
    WSBool userNameIsDN;
};

/*
 * Cache of resolved groups, kept per authdb (see struct ldap_auth_db).
 * first/last form a list of the cached LDAPGroup entries; map indexes
 * them (presumably by group name — confirm in the implementation).
 *
 * NOTE(review): the cache lives on the authdb, which is shared by all
 * requests, and no lock is declared here. Confirm that lookups and
 * updates are serialized elsewhere, otherwise concurrent requests race
 * on it. Also keep in mind that a cache hit means membership changes in
 * the directory are only seen once the entry is refreshed (see
 * ldap_group.update).
 */
struct ldap_group_cache {
    LDAPGroup *first;
    LDAPGroup *last;
    CxMap *map;
};

/*
 * LDAP implementation of AuthDB. The generic AuthDB is the first member,
 * presumably so that the AuthDB* handed to ldap_get_user() can be cast
 * back to LDAPAuthDB* — keep it first.
 */
struct ldap_auth_db {
    AuthDB authdb;
    LDAPConfig config;
    LDAPGroupCache groups;
};

/*
 * A resolved user, created by ldap_get_user() and released by
 * ldap_user_free(). Embeds the generic User as its first member,
 * presumably the same cast pattern as LDAPAuthDB.
 *
 * authdb   the authdb the user was resolved against
 * ldap     LDAP connection used for this user's lookups (presumably
 *          obtained via get_ldap_session())
 * sn, rq   the session/request the user was resolved for
 * userdn   DN the user name resolved to; if the password check is a
 *          bind, this is the identity that is actually authenticated
 * uid_attr the uid attribute (from uidAttributes) the name matched on
 * uid, gid numeric ids — presumably posixAccount uidNumber/gidNumber,
 *          confirm in the implementation
 */
struct ldap_user {
    User user;
    LDAPAuthDB *authdb;
    LDAP *ldap;
    Session *sn;
    Request *rq;
    char *userdn;
    char *uid_attr;
    int uid;
    int gid;
};

/*
 * One entry of LDAPGroup.members: the member name as it appears in the
 * member attribute (a DN or a uid, per groupMemberType) and its numeric
 * uid.
 */
struct ldap_member {
    char *name;
    int uid;
};

/*
 * A cached group: name and DN, the members keyed in a map, and the time
 * the entry was last updated (the basis for cache refresh; the policy
 * itself is not declared here).
 */
struct ldap_group {
    char *name;
    char *dn;
    CxMap *members;
    time_t update;
};

/*
 * Creates an LDAP AuthDB
 *
 * Config parameters (from ConfigNode *node):
 *   Resource          ldap resource pool name
 *   Basedn            ldap base dn
 *   Binddn            binddn for search operations
 *   Bindpw            binddn password (plaintext in the config file; see
 *                     the note on ldap_config.bindpw)
 *   DirectoryType     type of the directory service (ldap|ad) which acts as
 *                     config preset for filter and attribute settings
 *   UserSearchFilter  ldap search filter for user dn resolution
 *   UidAttributes     comma separated list of attributes, that contain the uid
 *   GroupSearchFilter ldap search filter for group resolution
 *   MemberAttributes  comma separated list of group member attributes
 *   MemberType        member attribute type (dn|uid)
 *   EnableGroups      enable or disable support for groups
 *   UserNameIsDn      should the uid or the dn be used internally as user name
 *
 * If no Resource parameter is specified, a resource pool is automatically
 * created with the name _<authdbname>_ldap and all parameters from the
 * ConfigNode are passed to resourcepool_new(). That means, all ldap
 * resource pool parameters can also be specified in the AuthDB object.
 *
 * Returns the new AuthDB; the failure value (presumably NULL on a
 * configuration error) is not specified here — confirm.
 */
AuthDB* create_ldap_authdb(ServerConfiguration *cfg, const char *name, ConfigNode *node);

/*
 * Obtains an LDAP connection for the given session/request from the
 * authdb's resource pool. Whether the caller must return it to the pool
 * is not declared here — check ldap_user_free().
 */
LDAP* get_ldap_session(Session *sn, Request *rq, LDAPAuthDB *authdb);

/*
 * Resolves username to a User (an LDAPUser). The not-found value is not
 * specified here (presumably NULL — confirm).
 *
 * NOTE(review): username is client-supplied and reaches
 * config.userSearchFilter; see the escaping note on that field. A
 * successful resolution only proves the name exists in the directory —
 * it is not authentication; only ldap_user_verify_password() is.
 */
User* ldap_get_user(AuthDB *sb, Session *sn, Request *rq, const char *username);

/*
 * Resolves group by name, using the authdb's group cache where possible.
 * The group name is substituted into config.groupSearchFilter; see the
 * escaping note there.
 */
LDAPGroup* ldap_get_group(Session *sn, Request *rq, LDAPAuthDB *authdb, const char *group);

/*
 * Verifies password for user. The int return convention is not stated in
 * this header — TODO confirm against the AuthDB verify_password contract
 * in ../public/auth.h.
 *
 * NOTE(review): if this is implemented as a simple bind with userdn, it
 * must reject an empty password before binding. Per RFC 4513 §5.1.2 a
 * simple bind with a DN and an empty password is an unauthenticated
 * bind, which many servers accept — the result would look like success.
 */
int ldap_user_verify_password(User *user, const char *password);

/*
 * Reports whether user is a member of group (int; convention not stated
 * here). With config.enableGroups disabled this presumably reports
 * "not a member" — confirm.
 */
int ldap_user_check_group(User *user, const char *group);

/*
 * Releases an LDAPUser created by ldap_get_user().
 */
void ldap_user_free(User *user);

#ifdef __cplusplus
}
#endif

#endif /* LDAP_AUTH_H */