Makefile- acl.c
- acl.h
- acldata.c
- acldata.h
- auth.c
- auth.h
- config.c
- config.h
- configmanager.c
- configmanager.h
- error.c
- error.h
- event.c
- event.h
- event_bsd.c
- event_bsd.h
- event_linux.c
- event_linux.h
- event_solaris.c
- event_solaris.h
- func.c
- func.h
- http.c
- http.h
- httplistener.c
- httplistener.h
- httpparser.c
- httpparser.h
- httprequest.c
- httprequest.h
- keyfile_auth.c
- keyfile_auth.h
- ldap_auth.c
- ldap_auth.h
- ldap_resource.c
- ldap_resource.h
- log.c
- log.h
- main.c
- netsite.h
- objs.mk
- protocol.c
- protocol.h
- request.c
- request.h
- resourcepool.c
- resourcepool.h
- session.c
- session.h
- sessionhandler.c
- sessionhandler.h
- srvctrl.c
- srvctrl.h
- threadpools.c
- threadpools.h
- vfs.c
- vfs.h
- vserver.c
- vserver.h
- webserver.c
- webserver.h
- websocket.c
- websocket.h
- ws-fn.c
/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright 2013 Olaf Wintermann. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef LDAP_AUTH_H
#define LDAP_AUTH_H
#include "../public/auth.h"
#include <sys/types.h>
#include <ldap.h>
#include <cx/map.h>
#include "config.h"
#ifdef __cplusplus
extern "C" {
#endif
typedef struct ldap_auth_db LDAPAuthDB;
typedef struct ldap_config LDAPConfig;
typedef struct ldap_user LDAPUser;
typedef struct ldap_group LDAPGroup;
typedef struct ldap_member LDAPMember;
typedef struct ldap_group_cache LDAPGroupCache;
/*
*
* WS_LDAP_GROUP_MEMBER_UID: the member attribute contains the user uid
* e.g. member attribute of posixGroup
* memberUid: user
*/
enum WSLdapGroupMemberType {
/*
* the member attribute contains the full user dn
* for example object class groupOfUniqueNames attribute uniqueMember
* uniqueMember: uid=user,ou=People,dc=example,dc=com
*/
WS_LDAP_GROUP_MEMBER_DN = 0,
/*
* the member attribute contains the user uid
* for example object class posixGroup attribute memberUid
* memberUid: user
*/
WS_LDAP_GROUP_MEMBER_UID
};
struct ldap_config {
/*
* ldap resource pool name
*/
const char *resource;
/*
* ldap basedn
*/
const char *basedn;
/*
* default bind dn for search operations
*/
const char *binddn;
/*
* password for default binddn
*/
const char *bindpw;
/*
* the ldap filter used to resolve user names to DN
* this can be specified in the config file directly or it will
* auto-generated later, so it must always be a non-empty string
*/
const char *userSearchFilter;
/*
* array of user id attributes
*/
cxstring *uidAttributes;
/*
* number of uid attributes
*/
size_t numUidAttributes;
/*
* same as userSearchFilter, but for groups
*/
const char *groupSearchFilter;
/*
* array of attributes that represent group members
*/
cxstring *memberAttributes;
/*
* number of group member attributes
*/
size_t numMemberAttributes;
/*
* value type of the group member attribute
*/
enum WSLdapGroupMemberType groupMemberType;
/*
* enables/disables support for ldap groups
*/
WSBool enableGroups;
/*
* use the full DN internally as user name
*/
WSBool userNameIsDN;
};
struct ldap_group_cache {
LDAPGroup *first;
LDAPGroup *last;
CxMap *map;
};
struct ldap_auth_db {
AuthDB authdb;
LDAPConfig config;
LDAPGroupCache groups;
};
struct ldap_user {
User user;
LDAPAuthDB *authdb;
LDAP *ldap;
Session *sn;
Request *rq;
char *userdn;
char *uid_attr;
int uid;
int gid;
};
struct ldap_member {
char *name;
int uid;
};
struct ldap_group {
char *name;
char *dn;
CxMap *members;
time_t update;
};
/*
* Creates an LDAP AuthDB
*
* Config parameters (from ConfigNode *node):
* Resource ldap resource pool name
* Basedn ldap base dn
* Binddn binddn for search operations
* Bindpw binddn password
* DirectoryType type of the directory service (ldap|ad) which acts as
* config preset for filter and attribute settings
* UserSearchFilter ldap search filter for user dn resolution
* UidAttributes comma separated list of attributes, that contain the uid
* GroupSearchFilter ldap search filter for group resolution
* MemberAttributes comma separated list of group member attributes
* MemberType member attribute type (dn|uid)
* EnableGroups enable or disable support for groups
* UserNameIsDn should the uid or the dn used internally as user name
*
*
* If no Resource parameter is specified, a resource pool is automatically
* created with the name _<authdbname>_ldap and all parameters from the
* ConfigNode are passed to resourcepool_new(). That means, all ldap
* resource pool parameters can also specified in the AuthDB object.
*/
AuthDB* create_ldap_authdb(ServerConfiguration *cfg, const char *name, ConfigNode *node);
LDAP* get_ldap_session(Session *sn, Request *rq, LDAPAuthDB *authdb);
User* ldap_get_user(AuthDB *sb, Session *sn, Request *rq, const char *username);
LDAPGroup* ldap_get_group(Session *sn, Request *rq, LDAPAuthDB *authdb, const char *group);
int ldap_user_verify_password(User *user, const char *password);
int ldap_user_check_group(User *user, const char *group);
void ldap_user_free(User *user);
#ifdef __cplusplus
}
#endif
#endif /* LDAP_AUTH_H */