|
|
|
@ -519,85 +519,86 @@ SETDEFAULTS_FUNC(mod_auth_set_defaults) {
|
|
|
|
|
|
|
|
|
|
handler_t auth_ldap_init(server *srv, mod_auth_plugin_config *s) {
|
|
|
|
|
#ifdef USE_LDAP
|
|
|
|
|
int ret;
|
|
|
|
|
int ret;
|
|
|
|
|
#if 0
|
|
|
|
|
if (s->auth_ldap_basedn->used == 0) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s", "ldap: auth.backend.ldap.base-dn has to be set");
|
|
|
|
|
if (s->auth_ldap_basedn->used == 0) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s", "ldap: auth.backend.ldap.base-dn has to be set");
|
|
|
|
|
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
if (s->auth_ldap_filter->used) {
|
|
|
|
|
char *dollar;
|
|
|
|
|
if (s->auth_ldap_filter->used) {
|
|
|
|
|
char *dollar;
|
|
|
|
|
|
|
|
|
|
/* parse filter */
|
|
|
|
|
/* parse filter */
|
|
|
|
|
|
|
|
|
|
if (NULL == (dollar = strchr(s->auth_ldap_filter->ptr, '$'))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s", "ldap: auth.backend.ldap.filter is missing a replace-operator '$'");
|
|
|
|
|
if (NULL == (dollar = strchr(s->auth_ldap_filter->ptr, '$'))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s", "ldap: auth.backend.ldap.filter is missing a replace-operator '$'");
|
|
|
|
|
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
buffer_copy_string_len(s->ldap_filter_pre, s->auth_ldap_filter->ptr, dollar - s->auth_ldap_filter->ptr);
|
|
|
|
|
buffer_copy_string(s->ldap_filter_post, dollar+1);
|
|
|
|
|
}
|
|
|
|
|
buffer_copy_string_len(s->ldap_filter_pre, s->auth_ldap_filter->ptr, dollar - s->auth_ldap_filter->ptr);
|
|
|
|
|
buffer_copy_string(s->ldap_filter_post, dollar+1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (s->auth_ldap_hostname->used) {
|
|
|
|
|
if (NULL == (s->ldap = ldap_init(s->auth_ldap_hostname->ptr, LDAP_PORT))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap ...", strerror(errno));
|
|
|
|
|
if (s->auth_ldap_hostname->used) {
|
|
|
|
|
if (NULL == (s->ldap = ldap_init(s->auth_ldap_hostname->ptr, LDAP_PORT))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap ...", strerror(errno));
|
|
|
|
|
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = LDAP_VERSION3;
|
|
|
|
|
if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(s->ldap, LDAP_OPT_PROTOCOL_VERSION, &ret))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
|
|
|
|
|
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = LDAP_VERSION3;
|
|
|
|
|
if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(s->ldap, LDAP_OPT_PROTOCOL_VERSION, &ret))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
|
|
|
|
|
if (s->auth_ldap_starttls) {
|
|
|
|
|
/* if no CA file is given, it is ok, as we will use encryption
|
|
|
|
|
* if the server requires a CAfile it will tell us */
|
|
|
|
|
if (!buffer_is_empty(s->auth_ldap_cafile)) {
|
|
|
|
|
if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
|
|
|
|
|
s->auth_ldap_cafile->ptr))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "ss",
|
|
|
|
|
"Loading CA certificate failed:", ldap_err2string(ret));
|
|
|
|
|
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (s->auth_ldap_starttls) {
|
|
|
|
|
/* if no CA file is given, it is ok, as we will use encryption
|
|
|
|
|
* if the server requires a CAfile it will tell us */
|
|
|
|
|
if (!buffer_is_empty(s->auth_ldap_cafile)) {
|
|
|
|
|
if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
|
|
|
|
|
s->auth_ldap_cafile->ptr))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "ss",
|
|
|
|
|
"Loading CA certificate failed:", ldap_err2string(ret));
|
|
|
|
|
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (LDAP_OPT_SUCCESS != (ret = ldap_start_tls_s(s->ldap, NULL, NULL))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap startTLS failed:", ldap_err2string(ret));
|
|
|
|
|
if (LDAP_OPT_SUCCESS != (ret = ldap_start_tls_s(s->ldap, NULL, NULL))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap startTLS failed:", ldap_err2string(ret));
|
|
|
|
|
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* 1. */
|
|
|
|
|
if (s->auth_ldap_binddn->used) {
|
|
|
|
|
if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(s->ldap, s->auth_ldap_binddn->ptr, s->auth_ldap_bindpw->ptr))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
|
|
|
|
|
/* 1. */
|
|
|
|
|
if (s->auth_ldap_binddn->used) {
|
|
|
|
|
if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(s->ldap, s->auth_ldap_binddn->ptr, s->auth_ldap_bindpw->ptr))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
|
|
|
|
|
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(s->ldap, NULL, NULL))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(s->ldap, NULL, NULL))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
|
|
|
|
|
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return HANDLER_GO_ON;
|
|
|
|
|
#else
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s", "no ldap support available");
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
UNUSED(s);
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s", "no ldap support available");
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
#endif
|
|
|
|
|
return HANDLER_GO_ON;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int mod_auth_plugin_init(plugin *p) {
|
|
|
|
|
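Review bot: The bind at `if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(s->ldap, s->auth_ldap_binddn->ptr, s->auth_ldap_bindpw->ptr)))` is guarded only by `s->auth_ldap_binddn->used`, so a configured bind-dn with an unset or empty bind-pw is still sent; an LDAP bind with a DN and an empty password is an unauthenticated bind that many servers treat as anonymous, so that misconfiguration would pass init silently and later lookups would run with anonymous rights. A guard before the bind makes the failure visible at startup: `if (buffer_is_empty(s->auth_ldap_bindpw)) { log_error_write(srv, __FILE__, __LINE__, "s", "ldap: auth.backend.ldap.bind-pw has to be set when auth.backend.ldap.bind-dn is set"); return HANDLER_ERROR; }`. Separately, every failure after `ldap_init` succeeds (`ldap_set_option`, `ldap_start_tls_s`, both bind branches) returns HANDLER_ERROR with `s->ldap` still open; an `ldap_unbind_s(s->ldap);` before those returns, or a shared cleanup label, would avoid leaking the handle on a failed init. The `ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ...)` call sets the library-wide default rather than an option on `s->ldap`, so if several contexts configure different CA files the last one processed wins — worth a comment at that line if this is intended.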