lighttpd 1.4.x https://www.lighttpd.net/
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

448 lines
14 KiB

#include "first.h"
#include "plugin.h"
#if defined(HAVE_LDAP_H) && defined(HAVE_LBER_H) && defined(HAVE_LIBLDAP) && defined(HAVE_LIBLBER)
#define USE_LDAP
#include <ldap.h>
#include "server.h"
#include "http_auth.h"
#include "log.h"
#include <ctype.h>
#include <errno.h>
#include <string.h>
typedef struct {
LDAP *ldap;
buffer *ldap_filter_pre;
buffer *ldap_filter_post;
buffer *auth_ldap_hostname;
buffer *auth_ldap_basedn;
buffer *auth_ldap_binddn;
buffer *auth_ldap_bindpw;
buffer *auth_ldap_filter;
buffer *auth_ldap_cafile;
unsigned short auth_ldap_starttls;
unsigned short auth_ldap_allow_empty_pw;
} plugin_config;
typedef struct {
PLUGIN_DATA;
plugin_config **config_storage;
plugin_config conf, *anon_conf; /* this is only used as long as no handler_ctx is setup */
buffer *ldap_filter;
} plugin_data;
static handler_t mod_authn_ldap_basic(server *srv, connection *con, void *p_d, const buffer *username, const buffer *realm, const char *pw);
INIT_FUNC(mod_authn_ldap_init) {
static http_auth_backend_t http_auth_backend_ldap =
{ "ldap", mod_authn_ldap_basic, NULL, NULL };
plugin_data *p = calloc(1, sizeof(*p));
p->ldap_filter = buffer_init();
/* register http_auth_backend_ldap */
http_auth_backend_ldap.p_d = p;
http_auth_backend_set(&http_auth_backend_ldap);
return p;
}
FREE_FUNC(mod_authn_ldap_free) {
plugin_data *p = p_d;
UNUSED(srv);
if (!p) return HANDLER_GO_ON;
buffer_free(p->ldap_filter);
if (p->config_storage) {
size_t i;
for (i = 0; i < srv->config_context->used; i++) {
plugin_config *s = p->config_storage[i];
if (NULL == s) continue;
buffer_free(s->auth_ldap_hostname);
buffer_free(s->auth_ldap_basedn);
buffer_free(s->auth_ldap_binddn);
buffer_free(s->auth_ldap_bindpw);
buffer_free(s->auth_ldap_filter);
buffer_free(s->auth_ldap_cafile);
buffer_free(s->ldap_filter_pre);
buffer_free(s->ldap_filter_post);
if (s->ldap) ldap_unbind_s(s->ldap);
free(s);
}
free(p->config_storage);
}
free(p);
return HANDLER_GO_ON;
}
static handler_t mod_authn_ldap_host_init(server *srv, plugin_config *s) {
int ret;
#if 0
if (s->auth_ldap_basedn->used == 0) {
log_error_write(srv, __FILE__, __LINE__, "s", "ldap: auth.backend.ldap.base-dn has to be set");
return HANDLER_ERROR;
}
#endif
if (buffer_string_is_empty(s->auth_ldap_hostname)) return HANDLER_GO_ON;
/* free old context */
if (NULL != s->ldap) ldap_unbind_s(s->ldap);
if (NULL == (s->ldap = ldap_init(s->auth_ldap_hostname->ptr, LDAP_PORT))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap ...", strerror(errno));
return HANDLER_ERROR;
}
ret = LDAP_VERSION3;
if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(s->ldap, LDAP_OPT_PROTOCOL_VERSION, &ret))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
return HANDLER_ERROR;
}
if (s->auth_ldap_starttls) {
/* if no CA file is given, it is ok, as we will use encryption
* if the server requires a CAfile it will tell us */
if (!buffer_string_is_empty(s->auth_ldap_cafile)) {
if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
s->auth_ldap_cafile->ptr))) {
log_error_write(srv, __FILE__, __LINE__, "ss",
"Loading CA certificate failed:", ldap_err2string(ret));
return HANDLER_ERROR;
}
}
if (LDAP_OPT_SUCCESS != (ret = ldap_start_tls_s(s->ldap, NULL, NULL))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap startTLS failed:", ldap_err2string(ret));
return HANDLER_ERROR;
}
}
/* 1. */
if (!buffer_string_is_empty(s->auth_ldap_binddn)) {
if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(s->ldap, s->auth_ldap_binddn->ptr, s->auth_ldap_bindpw->ptr))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
return HANDLER_ERROR;
}
} else {
if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(s->ldap, NULL, NULL))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
return HANDLER_ERROR;
}
}
return HANDLER_GO_ON;
}
SETDEFAULTS_FUNC(mod_authn_ldap_set_defaults) {
plugin_data *p = p_d;
size_t i;
config_values_t cv[] = {
{ "auth.backend.ldap.hostname", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
{ "auth.backend.ldap.base-dn", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
{ "auth.backend.ldap.filter", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 2 */
{ "auth.backend.ldap.ca-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 3 */
{ "auth.backend.ldap.starttls", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 4 */
{ "auth.backend.ldap.bind-dn", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 5 */
{ "auth.backend.ldap.bind-pw", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 6 */
{ "auth.backend.ldap.allow-empty-pw", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 7 */
{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
};
p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
for (i = 0; i < srv->config_context->used; i++) {
data_config const* config = (data_config const*)srv->config_context->data[i];
plugin_config *s;
s = calloc(1, sizeof(plugin_config));
s->auth_ldap_hostname = buffer_init();
s->auth_ldap_basedn = buffer_init();
s->auth_ldap_binddn = buffer_init();
s->auth_ldap_bindpw = buffer_init();
s->auth_ldap_filter = buffer_init();
s->auth_ldap_cafile = buffer_init();
s->auth_ldap_starttls = 0;
s->ldap_filter_pre = buffer_init();
s->ldap_filter_post = buffer_init();
s->ldap = NULL;
cv[0].destination = s->auth_ldap_hostname;
cv[1].destination = s->auth_ldap_basedn;
cv[2].destination = s->auth_ldap_filter;
cv[3].destination = s->auth_ldap_cafile;
cv[4].destination = &(s->auth_ldap_starttls);
cv[5].destination = s->auth_ldap_binddn;
cv[6].destination = s->auth_ldap_bindpw;
cv[7].destination = &(s->auth_ldap_allow_empty_pw);
p->config_storage[i] = s;
if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
return HANDLER_ERROR;
}
if (!buffer_string_is_empty(s->auth_ldap_filter)) {
char *dollar;
/* parse filter */
if (NULL == (dollar = strchr(s->auth_ldap_filter->ptr, '$'))) {
log_error_write(srv, __FILE__, __LINE__, "s", "ldap: auth.backend.ldap.filter is missing a replace-operator '$'");
return HANDLER_ERROR;
}
buffer_copy_string_len(s->ldap_filter_pre, s->auth_ldap_filter->ptr, dollar - s->auth_ldap_filter->ptr);
buffer_copy_string(s->ldap_filter_post, dollar+1);
}
}
return HANDLER_GO_ON;
}
#define PATCH(x) \
p->conf.x = s->x;
static int mod_authn_ldap_patch_connection(server *srv, connection *con, plugin_data *p) {
size_t i, j;
plugin_config *s = p->config_storage[0];
PATCH(auth_ldap_hostname);
PATCH(auth_ldap_basedn);
PATCH(auth_ldap_binddn);
PATCH(auth_ldap_bindpw);
PATCH(auth_ldap_filter);
PATCH(auth_ldap_cafile);
PATCH(auth_ldap_starttls);
PATCH(auth_ldap_allow_empty_pw);
p->anon_conf = s;
PATCH(ldap_filter_pre);
PATCH(ldap_filter_post);
/* skip the first, the global context */
for (i = 1; i < srv->config_context->used; i++) {
data_config *dc = (data_config *)srv->config_context->data[i];
s = p->config_storage[i];
/* condition didn't match */
if (!config_check_cond(srv, con, dc)) continue;
/* merge config */
for (j = 0; j < dc->value->used; j++) {
data_unset *du = dc->value->data[j];
if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.hostname"))) {
PATCH(auth_ldap_hostname);
p->anon_conf = s;
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.base-dn"))) {
PATCH(auth_ldap_basedn);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.filter"))) {
PATCH(auth_ldap_filter);
PATCH(ldap_filter_pre);
PATCH(ldap_filter_post);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.ca-file"))) {
PATCH(auth_ldap_cafile);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.starttls"))) {
PATCH(auth_ldap_starttls);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.bind-dn"))) {
PATCH(auth_ldap_binddn);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.bind-pw"))) {
PATCH(auth_ldap_bindpw);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.allow-empty-pw"))) {
PATCH(auth_ldap_allow_empty_pw);
}
}
}
return 0;
}
#undef PATCH
static handler_t mod_authn_ldap_basic(server *srv, connection *con, void *p_d, const buffer *username, const buffer *realm, const char *pw) {
plugin_data *p = (plugin_data *)p_d;
LDAP *ldap;
LDAPMessage *lm, *first;
char *dn;
int ret;
char *attrs[] = { LDAP_NO_ATTRS, NULL };
size_t i, len;
UNUSED(realm);
mod_authn_ldap_patch_connection(srv, con, p);
/* for now we stay synchronous */
/*
* 1. connect anonymously (done in plugin init)
* 2. get DN for uid = username
* 3. auth against ldap server
* 4. (optional) check a field
* 5. disconnect
*
*/
/* check username
*
* we have to protect againt username which modifies our filter in
* an unpleasant way
*/
len = buffer_string_length(username);
for (i = 0; i < len; i++) {
char c = username->ptr[i];
if (!isalpha(c) &&
!isdigit(c) &&
(c != ' ') &&
(c != '@') &&
(c != '-') &&
(c != '_') &&
(c != '.') ) {
log_error_write(srv, __FILE__, __LINE__, "sbd", "ldap: invalid character (- _.@a-zA-Z0-9 allowed) in username:", username, i);
con->http_status = 400; /* Bad Request */
con->mode = DIRECT;
return HANDLER_FINISHED;
}
}
if (p->conf.auth_ldap_allow_empty_pw != 1 && pw[0] == '\0')
return HANDLER_ERROR;
/* build filter */
buffer_copy_buffer(p->ldap_filter, p->conf.ldap_filter_pre);
buffer_append_string_buffer(p->ldap_filter, username);
buffer_append_string_buffer(p->ldap_filter, p->conf.ldap_filter_post);
/* 2. */
if (p->anon_conf->ldap == NULL ||
LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
/* try again (or initial request); the ldap library sometimes fails for the first call but reconnects */
if (p->anon_conf->ldap == NULL || ret != LDAP_SERVER_DOWN ||
LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
if (mod_authn_ldap_host_init(srv, p->anon_conf) != HANDLER_GO_ON)
return HANDLER_ERROR;
if (NULL == p->anon_conf->ldap) return HANDLER_ERROR;
if (LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
log_error_write(srv, __FILE__, __LINE__, "sssb",
"ldap:", ldap_err2string(ret), "filter:", p->ldap_filter);
return HANDLER_ERROR;
}
}
}
if (NULL == (first = ldap_first_entry(p->anon_conf->ldap, lm))) {
log_error_write(srv, __FILE__, __LINE__, "s", "ldap ...");
ldap_msgfree(lm);
return HANDLER_ERROR;
}
if (NULL == (dn = ldap_get_dn(p->anon_conf->ldap, first))) {
log_error_write(srv, __FILE__, __LINE__, "s", "ldap ...");
ldap_msgfree(lm);
return HANDLER_ERROR;
}
ldap_msgfree(lm);
/* 3. */
if (NULL == (ldap = ldap_init(p->conf.auth_ldap_hostname->ptr, LDAP_PORT))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap ...", strerror(errno));
return HANDLER_ERROR;
}
ret = LDAP_VERSION3;
if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ret))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
ldap_unbind_s(ldap);
return HANDLER_ERROR;
}
if (p->conf.auth_ldap_starttls == 1) {
if (LDAP_OPT_SUCCESS != (ret = ldap_start_tls_s(ldap, NULL, NULL))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap startTLS failed:", ldap_err2string(ret));
ldap_unbind_s(ldap);
return HANDLER_ERROR;
}
}
if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(ldap, dn, pw))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
ldap_unbind_s(ldap);
return HANDLER_ERROR;
}
/* 5. */
ldap_unbind_s(ldap);
/* everything worked, good, access granted */
return HANDLER_GO_ON;
}
int mod_authn_ldap_plugin_init(plugin *p);
int mod_authn_ldap_plugin_init(plugin *p) {
p->version = LIGHTTPD_VERSION_ID;
p->name = buffer_init_string("authn_ldap");
p->init = mod_authn_ldap_init;
p->set_defaults = mod_authn_ldap_set_defaults;
p->cleanup = mod_authn_ldap_free;
p->data = NULL;
return 0;
}
#else
int mod_authn_ldap_plugin_init(plugin *p);
int mod_authn_ldap_plugin_init(plugin *p) {
UNUSED(p);
return -1;
}
#endif