[mod_auth] refactor LDAP code into smaller funcs

better handling and freeing of resources
replace deprecated LDAP routines
personal/stbuehler/mod-csrf
Glenn Strauss 6 years ago
parent a661944d7e
commit d4f812550c
  1. 362
      src/mod_authn_ldap.c

@ -80,8 +80,7 @@ FREE_FUNC(mod_authn_ldap_free) {
buffer_free(s->ldap_filter_pre);
buffer_free(s->ldap_filter_post);
if (s->ldap) ldap_unbind_s(s->ldap);
if (NULL != s->ldap) ldap_unbind_ext_s(s->ldap, NULL, NULL);
free(s);
}
free(p->config_storage);
@ -92,73 +91,6 @@ FREE_FUNC(mod_authn_ldap_free) {
return HANDLER_GO_ON;
}
static handler_t mod_authn_ldap_host_init(server *srv, plugin_config *s) {
int ret;
#if 0
if (s->auth_ldap_basedn->used == 0) {
log_error_write(srv, __FILE__, __LINE__, "s", "ldap: auth.backend.ldap.base-dn has to be set");
return HANDLER_ERROR;
}
#endif
if (buffer_string_is_empty(s->auth_ldap_hostname)) return HANDLER_GO_ON;
/* free old context */
if (NULL != s->ldap) ldap_unbind_s(s->ldap);
if (NULL == (s->ldap = ldap_init(s->auth_ldap_hostname->ptr, LDAP_PORT))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap ...", strerror(errno));
return HANDLER_ERROR;
}
ret = LDAP_VERSION3;
if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(s->ldap, LDAP_OPT_PROTOCOL_VERSION, &ret))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
return HANDLER_ERROR;
}
if (s->auth_ldap_starttls) {
/* if no CA file is given, it is ok, as we will use encryption
* if the server requires a CAfile it will tell us */
if (!buffer_string_is_empty(s->auth_ldap_cafile)) {
if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
s->auth_ldap_cafile->ptr))) {
log_error_write(srv, __FILE__, __LINE__, "ss",
"Loading CA certificate failed:", ldap_err2string(ret));
return HANDLER_ERROR;
}
}
if (LDAP_OPT_SUCCESS != (ret = ldap_start_tls_s(s->ldap, NULL, NULL))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap startTLS failed:", ldap_err2string(ret));
return HANDLER_ERROR;
}
}
/* 1. */
if (!buffer_string_is_empty(s->auth_ldap_binddn)) {
if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(s->ldap, s->auth_ldap_binddn->ptr, s->auth_ldap_bindpw->ptr))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
return HANDLER_ERROR;
}
} else {
if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(s->ldap, NULL, NULL))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
return HANDLER_ERROR;
}
}
return HANDLER_GO_ON;
}
SETDEFAULTS_FUNC(mod_authn_ldap_set_defaults) {
plugin_data *p = p_d;
size_t i;
@ -284,144 +216,258 @@ static int mod_authn_ldap_patch_connection(server *srv, connection *con, plugin_
}
#undef PATCH
static handler_t mod_authn_ldap_basic(server *srv, connection *con, void *p_d, const buffer *username, const buffer *realm, const char *pw) {
plugin_data *p = (plugin_data *)p_d;
LDAP *ldap;
LDAPMessage *lm, *first;
char *dn;
int ret;
char *attrs[] = { LDAP_NO_ATTRS, NULL };
size_t i, len;
UNUSED(realm);
static void mod_authn_ldap_err(server *srv, const char *file, unsigned long line, const char *fn, int err)
{
log_error_write(srv,file,line,"sSss","ldap:",fn,":",ldap_err2string(err));
}
mod_authn_ldap_patch_connection(srv, con, p);
static void mod_authn_ldap_opt_err(server *srv, const char *file, unsigned long line, const char *fn, LDAP *ld)
{
int err;
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err);
mod_authn_ldap_err(srv, file, line, fn, err);
}
/* for now we stay synchronous */
static LDAP * mod_authn_ldap_host_init(server *srv, plugin_config *s) {
LDAP *ld;
int ret;
/*
* 1. connect anonymously (done in plugin init)
* 2. get DN for uid = username
* 3. auth against ldap server
* 4. (optional) check a field
* 5. disconnect
*
*/
if (buffer_string_is_empty(s->auth_ldap_hostname)) return NULL;
/* check username
*
* we have to protect againt username which modifies our filter in
* an unpleasant way
*/
len = buffer_string_length(username);
for (i = 0; i < len; i++) {
char c = username->ptr[i];
ld = ldap_init(s->auth_ldap_hostname->ptr, LDAP_PORT);
if (NULL == ld) {
log_error_write(srv, __FILE__, __LINE__, "sss", "ldap:", "ldap_init():",
strerror(errno));
return NULL;
}
if (!isalpha(c) &&
!isdigit(c) &&
(c != ' ') &&
(c != '@') &&
(c != '-') &&
(c != '_') &&
(c != '.') ) {
ret = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ret);
if (LDAP_OPT_SUCCESS != ret) {
mod_authn_ldap_err(srv, __FILE__, __LINE__, "ldap_set_options()", ret);
ldap_memfree(ld);
return NULL;
}
log_error_write(srv, __FILE__, __LINE__, "sbd", "ldap: invalid character (- _.@a-zA-Z0-9 allowed) in username:", username, i);
if (s->auth_ldap_starttls) {
/* if no CA file is given, it is ok, as we will use encryption
* if the server requires a CAfile it will tell us */
if (!buffer_string_is_empty(s->auth_ldap_cafile)) {
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
s->auth_ldap_cafile->ptr);
if (LDAP_OPT_SUCCESS != ret) {
mod_authn_ldap_err(srv, __FILE__, __LINE__,
"ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)",
ret);
ldap_memfree(ld);
return NULL;
}
}
con->http_status = 400; /* Bad Request */
con->mode = DIRECT;
return HANDLER_FINISHED;
ret = ldap_start_tls_s(ld, NULL, NULL);
if (LDAP_OPT_SUCCESS != ret) {
mod_authn_ldap_err(srv,__FILE__,__LINE__,"ldap_start_tls_s()",ret);
ldap_memfree(ld);
return NULL;
}
}
if (p->conf.auth_ldap_allow_empty_pw != 1 && pw[0] == '\0')
return HANDLER_ERROR;
return ld;
}
/* build filter */
buffer_copy_buffer(p->ldap_filter, p->conf.ldap_filter_pre);
buffer_append_string_buffer(p->ldap_filter, username);
buffer_append_string_buffer(p->ldap_filter, p->conf.ldap_filter_post);
static int mod_authn_ldap_bind(server *srv, LDAP *ld, const char *dn, const char *pw) {
#if 0
struct berval creds;
int ret;
if (NULL != pw) {
*((const char **)&creds.bv_val) = pw; /*(cast away const)*/
creds.bv_len = strlen(pw);
} else {
creds.bv_val = NULL;
creds.bv_len = 0;
}
/* 2. */
if (p->anon_conf->ldap == NULL ||
LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
/* RFE: add functionality: LDAP_SASL_EXTERNAL (or GSS-SPNEGO, etc.) */
/* try again (or initial request); the ldap library sometimes fails for the first call but reconnects */
if (p->anon_conf->ldap == NULL || ret != LDAP_SERVER_DOWN ||
LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
ret = ldap_sasl_bind_s(ld,dn,LDAP_SASL_SIMPLE,&creds,NULL,NULL,NULL);
if (ret != LDAP_SUCCESS) {
mod_authn_ldap_err(srv, __FILE__, __LINE__, "ldap_sasl_bind_s()", ret);
}
#else
int ret = ldap_simple_bind_s(ld, dn, pw);
if (ret != LDAP_SUCCESS) {
mod_authn_ldap_err(srv, __FILE__, __LINE__, "ldap_simple_bind_s()",ret);
}
#endif
if (mod_authn_ldap_host_init(srv, p->anon_conf) != HANDLER_GO_ON)
return HANDLER_ERROR;
return ret;
}
if (NULL == p->anon_conf->ldap) return HANDLER_ERROR;
static LDAPMessage * mod_authn_ldap_search(server *srv, plugin_config *s, char *base, char *filter) {
LDAPMessage *lm = NULL;
char *attrs[] = { LDAP_NO_ATTRS, NULL };
int ret;
if (LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
log_error_write(srv, __FILE__, __LINE__, "sssb",
"ldap:", ldap_err2string(ret), "filter:", p->ldap_filter);
return HANDLER_ERROR;
/*
* 1. connect anonymously (if not already connected)
* (ldap connection is kept open unless connection-level error occurs)
* 2. issue search using filter
*/
if (s->ldap != NULL) {
ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
attrs, 0, NULL, NULL, NULL, 0, &lm);
if (LDAP_SUCCESS == ret) {
return lm;
} else if (LDAP_SERVER_DOWN != ret) {
/* try again (or initial request);
* ldap lib sometimes fails for the first call but reconnects */
ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
attrs, 0, NULL, NULL, NULL, 0, &lm);
if (LDAP_SUCCESS == ret) {
return lm;
}
}
ldap_unbind_ext_s(s->ldap, NULL, NULL);
}
if (NULL == (first = ldap_first_entry(p->anon_conf->ldap, lm))) {
log_error_write(srv, __FILE__, __LINE__, "s", "ldap ...");
s->ldap = mod_authn_ldap_host_init(srv, s);
if (NULL == s->ldap) {
return NULL;
}
ldap_msgfree(lm);
ret = !buffer_string_is_empty(s->auth_ldap_binddn)
? mod_authn_ldap_bind(srv, s->ldap,
s->auth_ldap_binddn->ptr,
s->auth_ldap_bindpw->ptr)
: mod_authn_ldap_bind(srv, s->ldap, NULL, NULL);
if (LDAP_SUCCESS != ret) {
ldap_memfree(s->ldap);
s->ldap = NULL;
return NULL;
}
return HANDLER_ERROR;
ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
attrs, 0, NULL, NULL, NULL, 0, &lm);
if (LDAP_SUCCESS != ret) {
log_error_write(srv, __FILE__, __LINE__, "sSss",
"ldap:", ldap_err2string(ret), "; filter:", filter);
ldap_unbind_ext_s(s->ldap, NULL, NULL);
s->ldap = NULL;
return NULL;
}
if (NULL == (dn = ldap_get_dn(p->anon_conf->ldap, first))) {
log_error_write(srv, __FILE__, __LINE__, "s", "ldap ...");
return lm;
}
ldap_msgfree(lm);
static char * mod_authn_ldap_get_dn(server *srv, plugin_config *s, char *base, char *filter) {
LDAP *ld;
LDAPMessage *lm, *first;
char *dn;
int count;
return HANDLER_ERROR;
lm = mod_authn_ldap_search(srv, s, base, filter);
if (NULL == lm) {
return NULL;
}
ldap_msgfree(lm);
ld = s->ldap; /*(must be after mod_authn_ldap_search(); might reconnect)*/
count = ldap_count_entries(ld, lm);
if (0 == count) { /*(no entires found)*/
ldap_msgfree(lm);
return NULL;
} else if (count > 1) {
log_error_write(srv, __FILE__, __LINE__, "sss",
"ldap:", "more than one record returned. "
"you might have to refine the filter:", filter);
}
/* 3. */
if (NULL == (ldap = ldap_init(p->conf.auth_ldap_hostname->ptr, LDAP_PORT))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap ...", strerror(errno));
return HANDLER_ERROR;
if (NULL == (first = ldap_first_entry(ld, lm))) {
mod_authn_ldap_opt_err(srv,__FILE__,__LINE__,"ldap_first_entry()",ld);
ldap_msgfree(lm);
return NULL;
}
ret = LDAP_VERSION3;
if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ret))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
if (NULL == (dn = ldap_get_dn(ld, first))) {
mod_authn_ldap_opt_err(srv,__FILE__,__LINE__,"ldap_get_dn()",ld);
ldap_msgfree(lm);
return NULL;
}
ldap_msgfree(lm);
return dn;
}
ldap_unbind_s(ldap);
static handler_t mod_authn_ldap_basic(server *srv, connection *con, void *p_d, const buffer *username, const buffer *realm, const char *pw) {
plugin_data *p = (plugin_data *)p_d;
LDAP *ld;
char *dn;
UNUSED(realm);
mod_authn_ldap_patch_connection(srv, con, p);
if (pw[0] == '\0' && !p->conf.auth_ldap_allow_empty_pw)
return HANDLER_ERROR;
}
if (p->conf.auth_ldap_starttls == 1) {
if (LDAP_OPT_SUCCESS != (ret = ldap_start_tls_s(ldap, NULL, NULL))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap startTLS failed:", ldap_err2string(ret));
/* check username
*
* we have to protect againt username which modifies our filter in
* an unpleasant way
*/
ldap_unbind_s(ldap);
for (size_t i = 0, len = buffer_string_length(username); i < len; i++) {
char c = username->ptr[i];
return HANDLER_ERROR;
if (!isalpha(c) &&
!isdigit(c) &&
(c != ' ') &&
(c != '@') &&
(c != '-') &&
(c != '_') &&
(c != '.') ) {
log_error_write(srv, __FILE__, __LINE__, "sbd",
"ldap: invalid character (- _.@a-zA-Z0-9 allowed) "
"in username:", username, i);
con->http_status = 400; /* Bad Request */
con->mode = DIRECT;
return HANDLER_FINISHED;
}
}
/* build filter to get DN for uid = username */
buffer_copy_buffer(p->ldap_filter, p->conf.ldap_filter_pre);
buffer_append_string_buffer(p->ldap_filter, username);
buffer_append_string_buffer(p->ldap_filter, p->conf.ldap_filter_post);
if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(ldap, dn, pw))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
ldap_unbind_s(ldap);
/* auth against LDAP server */
/* for now we stay synchronous */
dn = mod_authn_ldap_get_dn(srv, p->anon_conf, p->conf.auth_ldap_basedn->ptr,
p->ldap_filter->ptr);
if (NULL == dn) {
return HANDLER_ERROR;
}
/* 5. */
ldap_unbind_s(ldap);
ld = mod_authn_ldap_host_init(srv, &p->conf);
if (NULL == ld) {
ldap_memfree(dn);
return HANDLER_ERROR;
}
/* everything worked, good, access granted */
if (LDAP_SUCCESS != mod_authn_ldap_bind(srv, ld, dn, pw)) {
ldap_memfree(ld);
ldap_memfree(dn);
return HANDLER_ERROR;
}
return HANDLER_GO_ON;
ldap_unbind_ext_s(ld, NULL, NULL); /* disconnect */
ldap_memfree(dn);
return HANDLER_GO_ON; /* access granted */
}
int mod_authn_ldap_plugin_init(plugin *p);

Loading…
Cancel
Save