authorRich Megginson <rmeggins@redhat.com>2009-07-06 12:11:01 -0600
committerRich Megginson <rmeggins@redhat.com>2009-07-07 08:32:42 -0600
commit209521323f731daad54682fd98715f7b22c88c78 (patch)
tree74a1fa8df06641fe543c8518e4db4357ab610828 /lib
parent3116dbec570b65d2d0a1df5bd000f6e63439e8ee (diff)
OpenLDAP support
These changes allow the server to be built with OpenLDAP (2.4.17+). A brief summary of the changes: * #defines not provided by OpenLDAP were copied into slapi-plugin.h and protected with #ifndef blocks * where it made sense, I created slapi wrapper functions for things like URL and LDIF processing to abstract away the differences in the APIs * I created a new file utf8.c which contains the UTF8 functions from MozLDAP - this is only compiled when using OpenLDAP * I tried to clean up the code - use the _ext versions of LDAP functions everywhere since the older versions should be considered deprecated * I removed some unused code NOTE that this should still be considered a work in progress since it depends on functionality not yet present in a released version of OpenLDAP, for NSS crypto and for the LDIF public API.
Diffstat (limited to 'lib')
-rw-r--r--lib/ldaputil/cert.c10
-rw-r--r--lib/ldaputil/init.c4
-rw-r--r--lib/ldaputil/ldapauth.c895
-rw-r--r--lib/ldaputil/ldapdb.c594
-rw-r--r--lib/ldaputil/vtable.c223
-rw-r--r--lib/libaccess/aclcache.cpp8
-rw-r--r--lib/libaccess/aclcache.h1
-rw-r--r--lib/libaccess/ldapacl.cpp857
-rw-r--r--lib/libaccess/oneeval.cpp2
-rw-r--r--lib/libaccess/register.cpp14
-rw-r--r--lib/libaccess/utest/Makefile3
-rw-r--r--lib/libaccess/utest/lasemail.cpp217
-rw-r--r--lib/libaccess/utest/ustubs.cpp5
13 files changed, 13 insertions, 2820 deletions
diff --git a/lib/ldaputil/cert.c b/lib/ldaputil/cert.c
index ceb57118..30fd0f4b 100644
--- a/lib/ldaputil/cert.c
+++ b/lib/ldaputil/cert.c
@@ -55,6 +55,8 @@
#include <ldaputil/cert.h>
#include "ldaputili.h"
+#include "slapi-plugin.h"
+
NSAPI_PUBLIC int ldapu_get_cert (void *SSLendpoint, void **cert)
{
/* TEMPORARY -- not implemented yet*/
@@ -209,7 +211,7 @@ _rdns_free (char*** rdns)
{
auto char*** rdn;
for (rdn = rdns; *rdn; ++rdn) {
- ldap_value_free (*rdn);
+ slapi_ldap_value_free (*rdn);
}
free (rdns);
}
@@ -230,12 +232,12 @@ _explode_dn (const char* dn)
if (exp) {
exp[expLen++] = avas;
} else {
- ldap_value_free (avas);
+ slapi_ldap_value_free (avas);
break;
}
} else { /* parse error */
if (avas) {
- ldap_value_free (avas);
+ slapi_ldap_value_free (avas);
}
if (exp) {
exp[expLen] = NULL;
@@ -248,7 +250,7 @@ _explode_dn (const char* dn)
if (exp) {
exp[expLen] = NULL;
}
- ldap_value_free (rdns);
+ slapi_ldap_value_free (rdns);
}
}
return exp;
diff --git a/lib/ldaputil/init.c b/lib/ldaputil/init.c
index 51a09600..ffbde7e1 100644
--- a/lib/ldaputil/init.c
+++ b/lib/ldaputil/init.c
@@ -54,6 +54,8 @@
#include "ldaputil/errors.h"
#include "ldaputil/init.h"
+#include "slapi-plugin.h"
+
#ifdef XP_WIN32
#define DLL_SUFFIX ".dll"
#ifndef FILE_PATHSEP
@@ -200,7 +202,7 @@ NSAPI_PUBLIC int CertMapDLLInitFn(LDAPUDispatchVector_t **table)
NSAPI_PUBLIC int CertMapDLLInitFn(LDAPUDispatchVector_t **table)
{
- *table = (LDAPUDispatchVector_t *)malloc(sizeof(LDAPUDispatchVector_t));
+ *table = (LDAPUDispatchVector_t *)slapi_ch_malloc(sizeof(LDAPUDispatchVector_t));
if (!*table) return LDAPU_ERR_OUT_OF_MEMORY;
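Review bot: The `if (!*table) return LDAPU_ERR_OUT_OF_MEMORY;` check that follows the new `slapi_ch_malloc` call is probably dead code now. As far as I know slapi_ch_malloc handles allocation failure itself and does not return NULL. If that holds, either drop the check or keep it with a comment such as `/* slapi_ch_malloc does not return on allocation failure; *table is never NULL here */`, so nobody relies on this error path. The table is handed to the caller through `*table`, so its eventual release should use the matching `slapi_ch_free` rather than plain `free`; that release is not visible here, and CertMapDLLInitFn's body continues outside the hunk.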
diff --git a/lib/ldaputil/ldapauth.c b/lib/ldaputil/ldapauth.c
index b483e42f..f01e6417 100644
--- a/lib/ldaputil/ldapauth.c
+++ b/lib/ldaputil/ldapauth.c
@@ -60,12 +60,7 @@
#include <ldaputili.h>
-/* If we are not interested in the returned attributes, just ask for one
- * attribute in the call to ldap_search. Also don't ask for the attribute
- * value -- just the attr.
- */
-static const char *default_search_attrs[] = { "c" , 0 };
-static int default_search_attrsonly = 1;
+#include "slapi-plugin.h"
/*
* ldapu_find
@@ -188,7 +183,7 @@ int ldapu_find_entire_tree (LDAP *ld, int scope,
result_entry = ldapu_first_entry(ld, result);
suffix = ldapu_get_values(ld, result_entry, suffix_attr[0]);
suffix_list = suffix;
- num_namingcontexts = ldap_count_values(suffix);
+ num_namingcontexts = slapi_ldap_count_values(suffix);
/* add private suffixes to our list of suffixes to search */
if (num_private_suffix) {
suffix_list = ldapu_realloc(suffix_list,
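Review bot: `suffix` goes straight from `ldapu_get_values` into `slapi_ldap_count_values`, and then via `suffix_list` into `ldapu_realloc`, with no NULL check and no statement of which allocator owns the array. If `ldapu_get_values` can return NULL when the entry has no value for `suffix_attr[0]` (not visible here), the new wrapper must be documented to accept NULL, or the call guarded with `num_namingcontexts = suffix ? slapi_ldap_count_values(suffix) : 0;`. Growing a library-returned value array with `ldapu_realloc` is only sound while both sides share one allocator, which may stop being true once the build can select OpenLDAP. Copying the values into an array this file allocates would avoid that, and at minimum a comment should state the pairing. The realloc statement and the rest of ldapu_find_entire_tree continue outside the hunk.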
@@ -249,889 +244,3 @@ int ldapu_find_entire_tree (LDAP *ld, int scope,
return retval;
}
-
-
-/*
- * ldapu_find_uid_attrs
- * Description:
- * Maps the given uid to a user dn. Caller should free res if it is not
- * NULL. Accepts the attrs & attrsonly args.
- * Arguments:
- * ld Pointer to LDAP (assumes connection has been
- * established and the client has called the
- * appropriate bind routine)
- * uid User's name
- * base basedn (where to start the search)
- * attrs list of attributes to retrieve
- * attrsonly flag indicating if attr values are to be retrieved
- * res A result parameter which will contain the results of
- * the search upon completion of the call.
- * Return Values:
- * LDAPU_SUCCESS if entry is found
- * LDAPU_FAILED if entry is not found
- * <rv> if error, where <rv> can be passed to
- * ldap_err2string to get an error string.
- */
-int ldapu_find_uid_attrs (LDAP *ld, const char *uid, const char *base,
- const char **attrs, int attrsonly,
- LDAPMessage **res)
-{
- int scope = LDAP_SCOPE_SUBTREE;
- char filter[ BUFSIZ ];
- int retval;
-
- /* setup filter as (uid=<uid>) */
- PR_snprintf(filter, sizeof(filter), ldapu_strings[LDAPU_STR_FILTER_USER], uid);
-
- retval = ldapu_find(ld, base, scope, filter, attrs, attrsonly, res);
-
- return retval;
-}
-
-/*
- * ldapu_find_uid
- * Description:
- * Maps the given uid to a user dn. Caller should free res if it is not
- * NULL.
- * Arguments:
- * ld Pointer to LDAP (assumes connection has been
- * established and the client has called the
- * appropriate bind routine)
- * uid User's name
- * base basedn (where to start the search)
- * res A result parameter which will contain the results of
- * the search upon completion of the call.
- * Return Values:
- * LDAPU_SUCCESS if entry is found
- * LDAPU_FAILED if entry is not found
- * <rv> if error, where <rv> can be passed to
- * ldap_err2string to get an error string.
- */
-int ldapu_find_uid (LDAP *ld, const char *uid, const char *base,
- LDAPMessage **res)
-{
- const char **attrs = 0; /* get all attributes ... */
- int attrsonly = 0; /* ... and their values */
- int retval;
-
- retval = ldapu_find_uid_attrs(ld, uid, base, attrs, attrsonly, res);
-
- return retval;
-}
-
-/*
- * ldapu_find_userdn
- * Description:
- * Maps the given uid to a user dn. Caller should free dn if it is not
- * NULL.
- * Arguments:
- * ld Pointer to LDAP (assumes connection has been
- * established and the client has called the
- * appropriate bind routine)
- * uid User's name
- * base basedn (where to start the search)
- * dn user dn
- * Return Values:
- * LDAPU_SUCCESS if entry is found
- * LDAPU_FAILED if entry is not found
- * <rv> if error, where <rv> can be passed to
- * ldap_err2string to get an error string.
- */
-int ldapu_find_userdn (LDAP *ld, const char *uid, const char *base,
- char **dn)
-{
- LDAPMessage *res = 0;
- int retval;
-
- retval = ldapu_find_uid_attrs(ld, uid, base, default_search_attrs,
- default_search_attrsonly, &res);
-
- if (retval == LDAPU_SUCCESS) {
- LDAPMessage *entry;
-
- entry = ldapu_first_entry(ld, res);
- *dn = ldapu_get_dn(ld, entry);
- }
- else {
- *dn = 0;
- }
-
- if (res) ldapu_msgfree(ld, res);
-
- return retval;
-}
-
-/*
- * ldapu_find_group_attrs
- * Description:
- * Maps the given groupid to a group dn. Caller should free res if it is
- * not NULL. Accepts the attrs & attrsonly args.
- * Arguments:
- * ld Pointer to LDAP (assumes connection has been
- * established and the client has called the
- * appropriate bind routine)
- * groupid Groups's name
- * base basedn (where to start the search)
- * attrs list of attributes to retrieve
- * attrsonly flag indicating if attr values are to be retrieved
- * res A result parameter which will contain the results of
- * the search upon completion of the call.
- * Return Values:
- * LDAPU_SUCCESS if entry is found
- * LDAPU_FAILED if entry is not found
- * <rv> if error, where <rv> can be passed to
- * ldap_err2string to get an error string.
- */
-int ldapu_find_group_attrs (LDAP *ld, const char *groupid,
- const char *base, const char **attrs,
- int attrsonly, LDAPMessage **res)
-{
- int scope = LDAP_SCOPE_SUBTREE;
- char filter[ BUFSIZ ];
- int retval;
-
- /* setup the filter */
- PR_snprintf(filter, sizeof(filter),
- ldapu_strings[LDAPU_STR_FILTER_GROUP],
- groupid);
-
- retval = ldapu_find(ld, base, scope, filter, attrs, attrsonly, res);
-
- return retval;
-}
-
-/*
- * ldapu_find_group
- * Description:
- * Maps the given groupid to a group dn. Caller should free res if it is
- * not NULL.
- * Arguments:
- * ld Pointer to LDAP (assumes connection has been
- * established and the client has called the
- * appropriate bind routine)
- * groupid Groups's name
- * base basedn (where to start the search)
- * res A result parameter which will contain the results of
- * the search upon completion of the call.
- * Return Values:
- * LDAPU_SUCCESS if entry is found
- * LDAPU_FAILED if entry is not found
- * <rv> if error, where <rv> can be passed to
- * ldap_err2string to get an error string.
- */
-int ldapu_find_group (LDAP *ld, const char *groupid, const char *base,
- LDAPMessage **res)
-{
- const char **attrs = 0; /* get all attributes ... */
- int attrsonly = 0; /* ... and their values */
- int retval;
-
- retval = ldapu_find_group_attrs (ld, groupid, base, attrs, attrsonly, res);
-
- return retval;
-}
-
-/*
- * ldapu_find_groupdn
- * Description:
- * Maps the given groupid to a group dn. Caller should free dn if it is
- * not NULL.
- * Arguments:
- * ld Pointer to LDAP (assumes connection has been
- * established and the client has called the
- * appropriate bind routine)
- * groupid Groups's name
- * base basedn (where to start the search)
- * dn group dn
- * Return Values:
- * LDAPU_SUCCESS if entry is found
- * LDAPU_FAILED if entry is not found
- * <rv> if error, where <rv> can be passed to
- * ldap_err2string to get an error string.
- */
-int ldapu_find_groupdn (LDAP *ld, const char *groupid, const char *base,
- char **dn)
-{
- LDAPMessage *res = 0;
- int retval;
-
- retval = ldapu_find_group_attrs(ld, groupid, base, default_search_attrs,
- default_search_attrsonly, &res);
-
- if (retval == LDAPU_SUCCESS) {
- LDAPMessage *entry;
-
- /* get ldap entry */
- entry = ldapu_first_entry(ld, res);
- *dn = ldapu_get_dn(ld, entry);
- }
- else {
- *dn = 0;
- }
-
- if (res) ldapu_msgfree(ld, res);
-
- return retval;
-}
-
-
-/*
- * continuable_err
- * Description:
- * Returns true for benign errors (i.e. errors for which recursive
- * search can continue.
- * Return Values:
- * 0 (zero) - if not a benign error
- * 1 - if a benign error -- search can continue.
- */
-static int continuable_err (int err)
-{
- return (err == LDAPU_FAILED);
-}
-
-int ldapu_auth_udn_gdn_recurse (LDAP *ld, const char *userdn,
- const char *groupdn, const char *base,
- int recurse_cnt)
-{
- char filter[ BUFSIZ ];
- const char **attrs = default_search_attrs;
- int attrsonly = default_search_attrsonly;
- LDAPMessage *res = 0;
- int retval;
- char member_filter[ BUFSIZ ];
-
- if (recurse_cnt >= 30)
- return LDAPU_ERR_CIRCULAR_GROUPS;
-
- /* setup the filter */
- PR_snprintf(member_filter, sizeof(member_filter), ldapu_strings[LDAPU_STR_FILTER_MEMBER], userdn, userdn);
-
- retval = ldapu_find(ld, groupdn, LDAP_SCOPE_BASE, member_filter, attrs,
- attrsonly, &res);
-
- if (res) ldap_msgfree(res);
-
- if (retval != LDAPU_SUCCESS && continuable_err(retval)) {
- LDAPMessage *entry;
-
- DBG_PRINT2("Find parent groups of \"%s\"\n", userdn);
-
- /* Modify the filter to include the objectclass check */
- PR_snprintf(filter, sizeof(filter), ldapu_strings[LDAPU_STR_FILTER_MEMBER_RECURSE],
- member_filter);
- retval = ldapu_find(ld, base, LDAP_SCOPE_SUBTREE, filter,
- attrs, attrsonly, &res);
-
- if (retval == LDAPU_SUCCESS || retval == LDAPU_ERR_MULTIPLE_MATCHES) {
- /* Found at least one group the userdn is member of */
-
- if (!res) {
- /* this should never happen */
- retval = LDAPU_ERR_EMPTY_LDAP_RESULT;
- }
- else {
- retval = LDAPU_ERR_MISSING_RES_ENTRY;
-
- for (entry = ldap_first_entry(ld, res); entry != NULL;
- entry = ldap_next_entry(ld, entry))
- {
- char *dn = ldap_get_dn(ld, entry);
-
- retval = ldapu_auth_udn_gdn_recurse(ld, dn, groupdn,
- base, recurse_cnt+1);
- ldap_memfree(dn);
-
- if (retval == LDAPU_SUCCESS || !continuable_err(retval)) {
- break;
- }
- }
- }
- }
-
- if (res) ldap_msgfree(res);
- }
-
- return retval;
-}
-
-/*
- * ldapu_auth_userdn_groupdn:
- * Description:
- * Checks if the user (userdn) belongs to the given group (groupdn).
- * Arguments:
- * ld Pointer to LDAP (assumes connection has been
- * established and the client has called the
- * appropriate bind routine)
- * userdn User's full DN -- actually it could be a group
- * dn to check subgroup membership.
- * groupdn Group's full DN
- * Return Values: (same as ldapu_find)
- * LDAPU_SUCCESS if user is member of the group
- * LDAPU_FAILED if user is not a member of the group
- * <rv> if error, where <rv> can be passed to
- * ldap_err2string to get an error string.
- */
-int ldapu_auth_userdn_groupdn (LDAP *ld, const char *userdn,
- const char *groupdn, const char *base)
-{
- return ldapu_auth_udn_gdn_recurse(ld, userdn, groupdn, base, 0);
-}
-
-
-/*
- * ldapu_auth_uid_groupdn:
- * Description:
- * Similar to ldapu_auth_userdn_groupdn but first maps the uid to a
- * full user DN before calling ldapu_auth_userdn_groupdn.
- * Arguments:
- * ld Pointer to LDAP (assumes connection has been
- * established and the client has called the
- * appropriate bind routine)
- * uid User's login name
- * groupdn Group's full DN
- * base basedn (where to start the search)
- * Return Values: (same as ldapu_find)
- * LDAPU_SUCCESS if user is member of the group
- * LDAPU_FAILED if user is not a member of the group
- * <rv> if error, where <rv> can be passed to
- * ldap_err2string to get an error string.
- */
-int ldapu_auth_uid_groupdn (LDAP *ld, const char *uid, const char *groupdn,
- const char *base)
-{
- int retval;
- char *dn;
-
- /* First find userdn for the given uid and
- then call ldapu_auth_userdn_groupdn */
- retval = ldapu_find_userdn(ld, uid, base, &dn);
-
- if (retval == LDAPU_SUCCESS) {
-
- retval = ldapu_auth_userdn_groupdn(ld, dn, groupdn, base);
- ldap_memfree(dn);
- }
-
- return retval;
-}
-
-/*
- * ldapu_auth_uid_groupid:
- * Description:
- * Similar to ldapu_auth_uid_groupdn but first maps the groupid to a
- * full group DN before calling ldapu_auth_uid_groupdn.
- * Arguments:
- * ld Pointer to LDAP (assumes connection has been
- * established and the client has called the
- * appropriate bind routine)
- * uid User's login name
- * groupid Group's name
- * base basedn (where to start the search)
- * Return Values: (same as ldapu_find)
- * LDAPU_SUCCESS if user is member of the group
- * LDAPU_FAILED if user is not a member of the group
- * <rv> if error, where <rv> can be passed to
- * ldap_err2string to get an error string.
- */
-int ldapu_auth_uid_groupid (LDAP *ld, const char *uid,
- const char *groupid, const char *base)
-{
- int retval;
- char *dn;
-
- /* First find groupdn for the given groupid and
- then call ldapu_auth_uid_groupdn */
- retval = ldapu_find_groupdn(ld, groupid, base, &dn);
-
- if (retval == LDAPU_SUCCESS) {
- retval = ldapu_auth_uid_groupdn(ld, uid, dn, base);
- ldapu_memfree(ld, dn);
- }
-
- return retval;
-}
-
-/*
- * ldapu_auth_userdn_groupid:
- * Description:
- * Similar to ldapu_auth_userdn_groupdn but first maps the groupid to a
- * full group DN before calling ldapu_auth_userdn_groupdn.
- * Arguments:
- * ld Pointer to LDAP (assumes connection has been
- * established and the client has called the
- * appropriate bind routine)
- * userdn User's full DN
- * groupid Group's name
- * base basedn (where to start the search)
- * Return Values: (same as ldapu_find)
- * LDAPU_SUCCESS if user is member of the group
- * LDAPU_FAILED if user is not a member of the group
- * <rv> if error, where <rv> can be passed to
- * ldap_err2string to get an error string.
- */
-int ldapu_auth_userdn_groupid (LDAP *ld, const char *userdn,
- const char *groupid, const char *base)
-{
- int retval;
- char *groupdn;
-
- /* First find groupdn for the given groupid and
- then call ldapu_auth_userdn_groupdn */
- retval = ldapu_find_groupdn(ld, groupid, base, &groupdn);
-
- if (retval == LDAPU_SUCCESS) {
- retval = ldapu_auth_userdn_groupdn(ld, userdn, groupdn, base);
- ldap_memfree(groupdn);
- }
-
- return retval;
-}
-
-
-LDAPUStr_t *ldapu_str_alloc (const int size)
-{
- LDAPUStr_t *lstr = (LDAPUStr_t *)ldapu_malloc(sizeof(LDAPUStr_t));
-
- if (!lstr) return 0;
- lstr->size = size < 0 ? 1024 : size;
- lstr->str = (char *)ldapu_malloc(lstr->size*sizeof(char));
- lstr->len = 0;
- lstr->str[lstr->len] = 0;
-
- return lstr;
-}
-
-
-void ldapu_str_free (LDAPUStr_t *lstr)
-{
- if (lstr) {
- if (lstr->str) ldapu_free(lstr->str);
- ldapu_free((void *)lstr);
- }
-}
-
-
-int ldapu_str_append(LDAPUStr_t *lstr, const char *arg)
-{
- int arglen = strlen(arg);
- int len = lstr->len + arglen;
-
- if (len >= lstr->size) {
- /* realloc some more */
- lstr->size += arglen > 4095 ? arglen+1 : 4096;
- lstr->str = (char *)ldapu_realloc(lstr->str, lstr->size);
- if (!lstr->str) return LDAPU_ERR_OUT_OF_MEMORY;
- }
-
- memcpy((void *)&(lstr->str[lstr->len]), (void *)arg, arglen);
- lstr->len += arglen;
- lstr->str[lstr->len] = 0;
- return LDAPU_SUCCESS;
-}
-
-
-/*
- * ldapu_auth_userdn_groupids_recurse:
- * Description:
- * Checks if the user is member of the given comma separated list of
- * group names.
- * Arguments:
- * ld Pointer to LDAP (assumes connection has been
- * established and the client has called the
- * appropriate bind routine)
- * filter filter to use in the search
- * groupids some representation of group names. Example,
- * a comma separated names in a string, hash
- * table, etc. This function doesn't need to
- * know the name of the groups. It calls the
- * following function to check if one of the
- * groups returned by the search is in the list.
- * grpcmpfn group name comparison function.
- * base basedn (where to start the search)
- * recurse_cnt recursion count to detect circular groups
- * group_out if successful, pointer to the user's group
- * Return Values: (same as ldapu_find)
- * LDAPU_SUCCESS if user is member of one of the groups
- * LDAPU_FAILED if user is not a member of the group
- * <rv> if error, where <rv> can be passed to
- * ldap_err2string to get an error string.
- */
-static int ldapu_auth_userdn_groupids_recurse (LDAP *ld, const char *filter,
- void *groupids,
- LDAPU_GroupCmpFn_t grpcmpfn,
- const char *base,
- int recurse_cnt,
- char **group_out)
-{
- LDAPMessage *res = 0;
- const char *attrs[] = { "CN", 0 };
- int attrsonly = 0;
- LDAPMessage *entry;
- int rv;
- int retval;
- int i;
- int done;
-
- if (recurse_cnt >= 30)
- return LDAPU_ERR_CIRCULAR_GROUPS;
-
- /* Perform the ldap lookup */
- retval = ldapu_find(ld, base, LDAP_SCOPE_SUBTREE, filter, attrs,
- attrsonly, &res);
-
- if (retval != LDAPU_SUCCESS && retval != LDAPU_ERR_MULTIPLE_MATCHES ) {
- /* user is not a member of any group */
- if (res) ldap_msgfree(res);
- return retval;
- }
-
- retval = LDAPU_FAILED;
- done = 0;
-
- /* check if one of the matched groups is one of the given groups */
- for (entry = ldap_first_entry(ld, res); entry != NULL && !done;
- entry = ldap_next_entry(ld, entry))
- {
- struct berval **bvals;
-
- if ((bvals = ldap_get_values_len(ld, entry, "CN")) == NULL) {
- /* This shouldn't happen */
- retval = LDAPU_ERR_MISSING_ATTR_VAL;
- continue;
- }
-
- /* "CN" may have multiple values */
- /* Check each value of "CN" against the 'groupids' */
- for ( i = 0; bvals[i] != NULL; i++ ) {
- rv = (*grpcmpfn)(groupids, bvals[i]->bv_val, bvals[i]->bv_len);
- if (rv == LDAPU_SUCCESS) {
- char *group = (char *)ldapu_malloc(bvals[i]->bv_len+1);
-
- if (!group) {
- retval = LDAPU_ERR_OUT_OF_MEMORY;
- }
- else {
- strncpy(group, bvals[i]->bv_val, bvals[i]->bv_len);
- group[bvals[i]->bv_len] = 0;
- *group_out = group;
- retval = LDAPU_SUCCESS;
- }
- done = 1; /* exit from the outer loop too */
- break;
- }
- }
-
- ldap_value_free_len(bvals);
- }
-
- if (retval == LDAPU_FAILED) {
- /* None of the matched groups is in 'groupids' */
- /* Perform the nested group membership check */
- LDAPUStr_t *filter1;
- LDAPUStr_t *filter2;
- char *rfilter = 0;
- int rlen;
- /* Finally we need a filter which looks like:
- (| (& (objectclass=groupofuniquenames)
- (| (uniquemember=<grp1dn>)(uniquemember=<grp2dn>) ...))
- (& (objectclass=groupofnames)
- (| (member=<grp1dn>)(member=<grp2dn>) ...)))
- Construct 2 sub-filters first as follows:
- (uniquemember=<grp1dn>)(uniquemember=<grp2dn>)... AND
- (member=<grp1dn>)(member=<grp2dn>)...
- Then insert them in the main filter.
- */
- filter1 = ldapu_str_alloc(1024);
- filter2 = ldapu_str_alloc(1024);
- if (!filter1 || !filter2) return LDAPU_ERR_OUT_OF_MEMORY;
- rv = LDAPU_SUCCESS;
-
- for (entry = ldap_first_entry(ld, res); entry != NULL;
- entry = ldap_next_entry(ld, entry))
- {
- char *dn = ldap_get_dn(ld, entry);
- if (((rv = ldapu_str_append(filter1, "(uniquemember="))
- != LDAPU_SUCCESS) ||
- ((rv = ldapu_str_append(filter1, dn)) != LDAPU_SUCCESS) ||
- ((rv = ldapu_str_append(filter1, ")")) != LDAPU_SUCCESS) ||
- ((rv = ldapu_str_append(filter2, "(member="))
- != LDAPU_SUCCESS) ||
- ((rv = ldapu_str_append(filter2, dn)) != LDAPU_SUCCESS) ||
- ((rv = ldapu_str_append(filter2, ")")) != LDAPU_SUCCESS))
- {
- ldap_memfree(dn);
- break;
- }
- ldap_memfree(dn);
- }
-
- if (rv != LDAPU_SUCCESS) {
- /* something went wrong in appending to filter1 or filter2 */
- ldapu_str_free(filter1);
- ldapu_str_free(filter2);
- retval = rv;
- }
- else {
- /* Insert the 2 filters in the main filter */
- rlen = filter1->len + filter2->len +
- strlen("(| (& (objectclass=groupofuniquenames)"
- "(| ))"
- "(& (objectclass=groupofnames)"
- "(| )))") + 1;
- rfilter = (char *)ldapu_malloc(rlen);
- if (!rfilter) return LDAPU_ERR_OUT_OF_MEMORY;
- sprintf(rfilter,
- "(| (& (objectclass=groupofuniquenames)"
- "(| %s))"
- "(& (objectclass=groupofnames)"
- "(| %s)))",
- filter1->str, filter2->str);
- ldapu_str_free(filter1);
- ldapu_str_free(filter2);
- retval = ldapu_auth_userdn_groupids_recurse(ld, rfilter, groupids,
- grpcmpfn, base,
- ++recurse_cnt,
- group_out);
- ldapu_free(rfilter);
- }
-
- }
-
- if (res) ldap_msgfree(res);
- return retval;
-}
-
-/*
- * ldapu_auth_userdn_groupids:
- * Description:
- * Checks if the user is member of the given comma separated list of
- * group names.
- * Arguments:
- * ld Pointer to LDAP (assumes connection has been
- * established and the client has called the
- * appropriate bind routine)
- * userdn User's full DN
- * groupids some representation of group names. Example,
- * a comma separated names in a string, hash
- * table, etc. This function doesn't need to
- * know the name of the groups. It calls the
- * following function to check if one of the
- * groups returned by the search is in the list.
- * grpcmpfn group name comparison function.
- * base basedn (where to start the search)
- * group_out if successful, pointer to the user's group
- * Return Values: (same as ldapu_find)
- * LDAPU_SUCCESS if user is member of one of the groups
- * LDAPU_FAILED if user is not a member of the group
- * <rv> if error, where <rv> can be passed to
- * ldap_err2string to get an error string.
- */
-int ldapu_auth_userdn_groupids (LDAP *ld, const char *userdn,
- void *groupids,
- LDAPU_GroupCmpFn_t grpcmpfn,
- const char *base,
- char **group_out)
-{
- char *filter;
- int len;
- int rv;
-
- *group_out = 0;
- /* allocate a big enough filter */
- /* The filter looks like:
- (| (& (objectclass=groupofuniquenames)(uniquemember=<userdn>))
- (& (objectclass=groupofnames)(member=<userdn>)))
- */
-
- len = 2 * strlen(userdn) + 1 +
- strlen("(| (& (objectclass=groupofuniquenames)(uniquemember=))"
- "(& (objectclass=groupofnames)(member=)))");
- filter = (char *)ldapu_malloc(len);
-
- if (!filter) return LDAPU_ERR_OUT_OF_MEMORY;
-
- sprintf(filter, "(| (& (objectclass=groupofuniquenames)(uniquemember=%s))"
- "(& (objectclass=groupofnames)(member=%s)))",
- userdn, userdn);
-
- rv = ldapu_auth_userdn_groupids_recurse(ld, filter, groupids,
- grpcmpfn, base,
- 0, group_out);
-
- ldapu_free(filter);
- return rv;
-}
-
-
-/*
- * ldapu_auth_userdn_attrfilter:
- * Description:
- * Checks if the user's entry has the given attributes
- * Arguments:
- * ld Pointer to LDAP (assumes connection has been
- * established and the client has called the
- * appropriate bind routine)
- * userdn User's full DN
- * attrfilter attribute filter
- * Return Values: (same as ldapu_find)
- * LDAPU_SUCCESS if user is member of the group
- * LDAPU_FAILED if user is not a member of the group
- * <rv> if error, where <rv> can be passed to
- * ldap_err2string to get an error string.
- */
-int ldapu_auth_userdn_attrfilter (LDAP *ld, const char *userdn,
- const char *attrfilter)
-{
- const char *base = userdn;
- int scope = LDAP_SCOPE_BASE;
- const char *filter = attrfilter;
- const char **attrs = default_search_attrs;
- int attrsonly = default_search_attrsonly;
- LDAPMessage *res = 0;
- int retval;
-
- retval = ldapu_find(ld, base, scope, filter, attrs, attrsonly, &res);
-
- if (res) ldapu_msgfree(ld, res);
-
- return retval;
-}
-
-/*
- * ldapu_auth_uid_attrfilter:
- * Description:
- * Checks if the user's entry has the given attributes. First maps
- the uid to userdn.
- * Arguments:
- * ld Pointer to LDAP (assumes connection has been
- * established and the client has called the
- * appropriate bind routine)
- * uid User's name
- * attrfilter attribute filter
- * base basedn (where to start the search)
- * Return Values: (same as ldapu_find)
- * LDAPU_SUCCESS if user is member of the group
- * LDAPU_FAILED if user is not a member of the group
- * <rv> if error, where <rv> can be passed to
- * ldap_err2string to get an error string.
- */
-int ldapu_auth_uid_attrfilter (LDAP *ld, const char *uid, const char *attrfilter,
- const char *base)
-{
- int scope = LDAP_SCOPE_SUBTREE;
- char filter[ BUFSIZ ];
- const char **attrs = default_search_attrs;
- int attrsonly = default_search_attrsonly;
- LDAPMessage *res = 0;
- int retval;
-
- /* setup filter as (& (uid=<uid>) (attrfilter)) */
- if (*attrfilter == '(')
- PR_snprintf(filter, sizeof(filter), "(& (uid=%s) %s)", uid, attrfilter);
- else
- PR_snprintf(filter, sizeof(filter), "(& (uid=%s) (%s))", uid, attrfilter);
-
- retval = ldapu_find(ld, base, scope, filter, attrs, attrsonly, &res);
-
- if (res) ldapu_msgfree(ld, res);
-
- return retval;
-}
-
-/*
- * ldapu_auth_userdn_password:
- * Description:
- * Checks the user's password against LDAP by binding using the
- * userdn and the password.
- * Arguments:
- * ld Pointer to LDAP (assumes connection has been
- * established and the client has called the
- * appropriate bind routine)
- * userdn User's full DN
- * password User's password (clear text)
- * Return Values: (same as ldapu_find)
- * LDAPU_SUCCESS if user credentials are valid
- * <rv> if error, where <rv> can be passed to
- * ldap_err2string to get an error string.
- */
-int ldapu_auth_userdn_password (LDAP *ld, const char *userdn, const char *password)
-{
- int retval;
-
- DBG_PRINT2("\tuserdn:\t\"%s\"\n", userdn);
- DBG_PRINT2("\tpassword:\t\"%s\"\n", password);
-
- retval = ldap_simple_bind_s(ld, userdn, password);
-
- if (retval != LDAP_SUCCESS)
- {
- DBG_PRINT2("ldap_simple_bind_s: %s\n", ldap_err2string(retval));
- return(retval);
- }
-
- return LDAPU_SUCCESS;
-}
-
-/*
- * ldapu_auth_uid_password:
- * Description:
- * First converts the uid to userdn and calls
- * ldapu_auth_userdn_password.
- * Arguments:
- * ld Pointer to LDAP (assumes connection has been
- * established and the client has called the
- * appropriate bind routine)
- * uid User's name
- * password User's password (clear text)
- * Return Values: (same as ldapu_find)
- * LDAPU_SUCCESS if user credentials are valid
- * <rv> if error, where <rv> can be passed to
- * ldap_err2string to get an error string.
- */
-int ldapu_auth_uid_password (LDAP *ld, const char *uid,
- const char *password, const char *base)
-{
- int retval;
- char *dn;
-
- /* First find userdn for the given uid and
- then call ldapu_auth_userdn_password */
- retval = ldapu_find_userdn(ld, uid, base, &dn);
-
- if (retval == LDAPU_SUCCESS) {
- retval = ldapu_auth_userdn_password(ld, dn, password);
- ldapu_memfree(ld, dn);
- }
-
- return retval;
-}
-
-
-/* ldapu_string_set --
- * This function is not tested yet for its usefulness. This is to be used to
- * customize the strings used in the LDAP searches performed through
- * 'ldaputil'. This could also be extended to setting customized error
- * messages (and even i18n equivalent of error messages).
- */
-NSAPI_PUBLIC int ldapu_string_set (const int type, const char *filter)
-{
- if (!filter || !*filter) return LDAPU_ERR_INVALID_STRING;
-
- if (type < 0 || type >= LDAPU_STR_MAX_INDEX)
- return LDAPU_ERR_INVALID_STRING_INDEX;
-
- ldapu_strings[type] = strdup(filter);
-
- if (!ldapu_strings[type]) return LDAPU_ERR_OUT_OF_MEMORY;
-
- return LDAPU_SUCCESS;
-}
-
-
-NSAPI_PUBLIC const char *ldapu_string_get (const int type)
-{
- if (type < 0 || type >= LDAPU_STR_MAX_INDEX)
- return 0;
-
- return ldapu_strings[type];
-}
diff --git a/lib/ldaputil/ldapdb.c b/lib/ldaputil/ldapdb.c
deleted file mode 100644
index 478b4f8c..00000000
--- a/lib/ldaputil/ldapdb.c
+++ /dev/null
@@ -1,594 +0,0 @@
-/** BEGIN COPYRIGHT BLOCK
- * This Program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; version 2 of the License.
- *
- * This Program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place, Suite 330, Boston, MA 02111-1307 USA.
- *
- * In addition, as a special exception, Red Hat, Inc. gives You the additional
- * right to link the code of this Program with code not covered under the GNU
- * General Public License ("Non-GPL Code") and to distribute linked combinations
- * including the two, subject to the limitations in this paragraph. Non-GPL Code
- * permitted under this exception must only link to the code of this Program
- * through those well defined interfaces identified in the file named EXCEPTION
- * found in the source code files (the "Approved Interfaces"). The files of
- * Non-GPL Code may instantiate templates or use macros or inline functions from
- * the Approved Interfaces without causing the resulting work to be covered by
- * the GNU General Public License. Only Red Hat, Inc. may make changes or
- * additions to the list of Approved Interfaces. You must obey the GNU General
- * Public License in all respects for all of the Program code and other code used
- * in conjunction with the Program except the Non-GPL Code covered by this
- * exception. If you modify this file, you may extend this exception to your
- * version of the file, but you are not obligated to do so. If you do not wish to
- * provide this exception without modification, you must delete this exception
- * statement from your version and license this file solely under the GPL without
- * exception.
- *
- *
- * Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
- * Copyright (C) 2005 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK **/
-
-#ifdef HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-
-#ifndef DONT_USE_LDAP_SSL
-#define USE_LDAP_SSL
-#endif
-
-
-#include <string.h>
-#include <malloc.h>
-
-#include <nspr.h>
-#include <prthread.h>
-#include <prmon.h>
-
-#include "ldaputil/errors.h"
-#include "ldaputil/certmap.h"
-#include "ldaputil/ldapdb.h"
-
-#ifdef USE_LDAP_SSL
-/* removed for new ns security integration
-#include <sec.h>
-#include <key.h>
-#include "cert.h"
-*/
-#include <ssl.h>
-#include "ldap_ssl.h"
-#endif
-
-#include "ldaputili.h"
-
-#define LDAPDB_PREFIX_WITH_SLASHES "ldapdb://"
-#define LDAPDB_PREFIX_WITH_SLASHES_LEN 9
-
-uintn tsdindex;
-
-static void ldb_crit_init (LDAPDatabase_t *ldb)
-{
- ldb->crit = PR_NewMonitor();
-}
-
-static void ldb_crit_enter (LDAPDatabase_t *ldb)
-{
- PR_EnterMonitor(ldb->crit);
-}
-
-static void ldb_crit_exit (LDAPDatabase_t *ldb)
-{
- PR_ExitMonitor(ldb->crit);
-}
-
-struct ldap_error {
- int le_errno;
- char *le_matched;
- char *le_errmsg;
-};
-
-
-static void set_ld_error( int err, char *matched, char *errmsg, void *dummy )
-{
- struct ldap_error *le;
-
- if (!(le = (struct ldap_error *) PR_GetThreadPrivate(tsdindex))) {
- le = (struct ldap_error *) malloc(sizeof(struct ldap_error));
- memset((void *)le, 0, sizeof(struct ldap_error));
- PR_SetThreadPrivate(tsdindex, (void *)le);
- }
- le->le_errno = err;
- if ( le->le_matched != NULL ) {
- ldap_memfree( le->le_matched );
- }
- le->le_matched = matched;
- if ( le->le_errmsg != NULL ) {
- ldap_memfree( le->le_errmsg );
- }
- le->le_errmsg = errmsg;
-}
-
-static int get_ld_error( char **matched, char **errmsg, void *dummy )
-{
- struct ldap_error *le;
-
- le = (struct ldap_error *) PR_GetThreadPrivate( tsdindex);
- if ( matched != NULL ) {
- *matched = le->le_matched;
- }
- if ( errmsg != NULL ) {
- *errmsg = le->le_errmsg;
- }
- return( le->le_errno );
-}
-
-static void set_errno( int err )
-{
- PR_SetError( err, 0);
-}
-
-static int get_errno( void )
-{
- return( PR_GetError() );
-}
-
-#ifdef LDAP_OPT_DNS_FN_PTRS /* not supported in older LDAP SDKs */
-static LDAPHostEnt *
-ldapu_copyPRHostEnt2LDAPHostEnt( LDAPHostEnt *ldhp, PRHostEnt *prhp )
-{
- ldhp->ldaphe_name = prhp->h_name;
- ldhp->ldaphe_aliases = prhp->h_aliases;
- ldhp->ldaphe_addrtype = prhp->h_addrtype;
- ldhp->ldaphe_length = prhp->h_length;
- ldhp->ldaphe_addr_list = prhp->h_addr_list;
- return( ldhp );
-}
-
-static LDAPHostEnt *
-ldapu_gethostbyname( const char *name, LDAPHostEnt *result,
- char *buffer, int buflen, int *statusp, void *extradata )
-{
- PRHostEnt prhent;
-
- if( !statusp || ( *statusp = (int)PR_GetHostByName( name, buffer,
- buflen, &prhent )) == PR_FAILURE ) {
- return( NULL );
- }
-
- return( ldapu_copyPRHostEnt2LDAPHostEnt( result, &prhent ));
-}
-
-static LDAPHostEnt *
-ldapu_gethostbyaddr( const char *addr, int length, int type,
- LDAPHostEnt *result, char *buffer, int buflen, int *statusp,
- void *extradata )
-{
- /* old code did this which was clearly wrong:
- return( (LDAPHostEnt *)PR_GetError() );
- which leads me to believe this is not used */
- return( NULL );
-}
-#endif /* LDAP_OPT_DNS_FN_PTRS */
-
-
-static void unescape_ldap_basedn (char *str)
-{
- if (strchr(str, '%')) {
- register int x = 0, y = 0;
- int l = strlen(str);
- char digit;
-
- while(x < l) {
- if((str[x] == '%') && (x < (l - 2))) {
- ++x;
- digit = (str[x] >= 'A' ?
- ((str[x] & 0xdf) - 'A')+10 : (str[x] - '0'));
- digit *= 16;
-
- ++x;
- digit += (str[x] >= 'A' ?
- ((str[x] & 0xdf) - 'A')+10 : (str[x] - '0'));
-
- str[y] = digit;
- }
- else {
- str[y] = str[x];
- }
- x++;
- y++;
- }
- str[y] = '\0';
- }
-}
-
-/*
- * extract_path_and_basedn:
- * Description:
- * Parses the ldapdb url and returns pathname to the lcache.conf file
- * and basedn. The caller must free the memory allocated for the
- * returned path and the basedn.
- * Arguments:
- * url URL (must begin with ldapdb://)
- * path Pathname to the lcache.conf file
- * basedn basedn for the ldapdb.
- * Return Values: (same as ldap_find)
- * LDAPU_SUCCESS if the URL is parsed successfully
- * <rv> if error, one of the LDAPU_ errors.
- */
-static int extract_path_and_basedn(const char *url_in, char **path_out,
- char **basedn_out)
-{
- char *url = strdup(url_in);
- char *basedn;
- char *path;
-
- *path_out = 0;
- *basedn_out = 0;
-
- if (!url) return LDAPU_ERR_OUT_OF_MEMORY;
-
- if (strncmp(url, LDAPDB_URL_PREFIX, LDAPDB_URL_PREFIX_LEN)) {
- free(url);
- return LDAPU_ERR_URL_INVALID_PREFIX;
- }
-
- path = url + LDAPDB_URL_PREFIX_LEN;
-
- if (strncmp(path, "//", 2)) {
- free(url);
- return LDAPU_ERR_URL_INVALID_PREFIX;
- }
-
- path += 2;
-
- /* Find base DN -- empty string is OK */
- if ((basedn = strrchr(path, '/')) == NULL) {
- free(url);
- return LDAPU_ERR_URL_NO_BASEDN;
- }
-
- *basedn++ = '\0'; /* terminate the path */
- unescape_ldap_basedn(basedn);
- *basedn_out = strdup(basedn);
- *path_out = strdup(path);
- free(url);
- return (*basedn_out && *path_out) ? LDAPU_SUCCESS : LDAPU_ERR_OUT_OF_MEMORY;
-}
-
-NSAPI_PUBLIC int ldapu_ldapdb_url_parse (const char *url,
- LDAPDatabase_t **ldb_out)
-{
- char *path = 0;
- char *basedn = 0;
- LDAPDatabase_t *ldb = 0;
- int rv;
-
- rv = extract_path_and_basedn(url, &path, &basedn);
-
- if (rv != LDAPU_SUCCESS) {
- if (path) free(path);
- if (basedn) free(basedn);
- return rv;
- }
-
- ldb = (LDAPDatabase_t *)malloc(sizeof(LDAPDatabase_t));
-
- if (!ldb) {
- if (path) free(path);
- if (basedn) free(basedn);
- return LDAPU_ERR_OUT_OF_MEMORY;
- }
-
- memset((void *)ldb, 0, sizeof(LDAPDatabase_t));
- ldb->basedn = basedn; /* extract_path_and_basedn has allocated */
- ldb->host = path; /* memory for us -- don't make a copy */
- ldb_crit_init(ldb);
- *ldb_out = ldb;
-
- return LDAPU_SUCCESS;
-}
-
-
-/*
- * ldapu_url_parse:
- * Description:
- * Parses the ldapdb or ldap url and returns a LDAPDatabase_t struct
- * Arguments:
- * url URL (must begin with ldapdb://)
- * binddn DN to use to bind to ldap server.
- * bindpw Password to use to bind to ldap server.
- * ldb a LDAPDatabase_t struct filled from parsing
- * the url.
- * Return Values: (same as ldap_find)
- * LDAPU_SUCCESS if the URL is parsed successfully
- * <rv> if error, one of the LDAPU_ errors.
- */
-NSAPI_PUBLIC int ldapu_url_parse (const char *url, const char *binddn,
- const char *bindpw,
- LDAPDatabase_t **ldb_out)
-{
- LDAPDatabase_t *ldb;
- LDAPURLDesc *ludp = 0;
- int rv;
-
- *ldb_out = 0;
-
- if (!strncmp(url, LDAPDB_PREFIX_WITH_SLASHES,
- LDAPDB_PREFIX_WITH_SLASHES_LEN))
- {
- return ldapu_ldapdb_url_parse(url, ldb_out);
- }
-
- /* call ldapsdk's parse function */
- rv = ldap_url_parse((char *)url, &ludp);
-
- if (rv != LDAP_SUCCESS) {
- if (ludp) ldap_free_urldesc(ludp);
- return LDAPU_ERR_URL_PARSE_FAILED;
- }
-
- ldb = (LDAPDatabase_t *)malloc(sizeof(LDAPDatabase_t));
-
- if (!ldb) {
- ldap_free_urldesc(ludp);
- return LDAPU_ERR_OUT_OF_MEMORY;
- }
-
- memset((void *)ldb, 0, sizeof(LDAPDatabase_t));
- ldb->host = ludp->lud_host ? strdup(ludp->lud_host) : 0;
- ldb->use_ssl = ludp->lud_options & LDAP_URL_OPT_SECURE;
- ldb->port = ludp->lud_port ? ludp->lud_port : ldb->use_ssl ? 636 : 389;
- ldb->basedn = ludp->lud_dn ? strdup(ludp->lud_dn) : 0;
- ldb_crit_init(ldb);
- ldap_free_urldesc(ludp);
-
- if (binddn) ldb->binddn = strdup(binddn);
-
- if (bindpw) ldb->bindpw = strdup(bindpw);
-
- /* success */
- *ldb_out = ldb;
-
- return LDAPU_SUCCESS;
-}
-
-NSAPI_PUBLIC void ldapu_free_LDAPDatabase_t (LDAPDatabase_t *ldb)
-{
- if (ldb->host) free(ldb->host);
- if (ldb->basedn) free(ldb->basedn);
- if (ldb->filter) free(ldb->filter);
- if (ldb->binddn) free(ldb->binddn);
- if (ldb->bindpw) free(ldb->bindpw);
- if (ldb->ld) ldapu_unbind(ldb->ld);
- memset((void *)ldb, 0, sizeof(LDAPDatabase_t));
- free(ldb);
-}
-
-NSAPI_PUBLIC LDAPDatabase_t *ldapu_copy_LDAPDatabase_t (const LDAPDatabase_t *ldb)
-{
- LDAPDatabase_t *nldb = (LDAPDatabase_t *)malloc(sizeof(LDAPDatabase_t));
-
- if (!nldb) return 0;
-
- memset((void *)nldb, 0, sizeof(LDAPDatabase_t));
- nldb->use_ssl = ldb->use_ssl;
- if (ldb->host) nldb->host = strdup(ldb->host);
- nldb->port = ldb->port;
- if (ldb->basedn) nldb->basedn = strdup(ldb->basedn);
- nldb->scope = ldb->scope;
- if (ldb->filter) nldb->filter = strdup(ldb->filter);
- nldb->ld = 0;
- if (ldb->binddn) nldb->binddn = strdup(ldb->binddn);
- if (ldb->bindpw) nldb->bindpw = strdup(ldb->bindpw);
- nldb->bound = 0;
- ldb_crit_init(nldb);
-
- return nldb;
-}
-
-NSAPI_PUBLIC int ldapu_is_local_db (const LDAPDatabase_t *ldb)
-{
- return ldb->port ? 0 : 1;
-}
-
-static int LDAP_CALL LDAP_CALLBACK
-ldapu_rebind_proc (LDAP *ld, char **whop, char **passwdp,
- int *authmethodp, int freeit, void *arg)
-{
- if (freeit == 0) {
- LDAPDatabase_t *ldb = (LDAPDatabase_t *)arg;
- *whop = ldb->binddn;
- *passwdp = ldb->bindpw;
- *authmethodp = LDAP_AUTH_SIMPLE;
- }
-
- return LDAP_SUCCESS;
-}
-
-NSAPI_PUBLIC int ldapu_ldap_init(LDAPDatabase_t *ldb)
-{
- LDAP *ld = 0;
-
- ldb_crit_enter(ldb);
-
-#ifdef USE_LDAP_SSL
- /* Note. This assume the security related initialization is done */
- /* The step needed is :
- PR_Init
- RNG_SystemInfoForRNG
- RNG_RNGInit
- CERT_OpenCertDBFilename
- CERT_SetDefaultCertDB
- SECMOD_init
-
- And because ldapssl_init depends on security initialization, it is
- no good for non-ssl init
- */
- if (ldb->use_ssl)
- ld = ldapssl_init(ldb->host, ldb->port, ldb->use_ssl);
- else ldap_init(ldb->host, ldb->port);
-#else
- ld = ldapu_init(ldb->host, ldb->port);
-#endif
-
- if (ld == NULL) {
- DBG_PRINT1("ldapu_ldap_init: Failed to initialize connection");
- ldb_crit_exit(ldb);
- return LDAPU_ERR_LDAP_INIT_FAILED;
- }
-
- {
- struct ldap_thread_fns tfns;
-
- PR_NewThreadPrivateIndex(&tsdindex, NULL);
-
- /* set mutex pointers */
- memset( &tfns, '\0', sizeof(struct ldap_thread_fns) );
- tfns.ltf_mutex_alloc = (void *(*)(void))PR_NewMonitor;
- tfns.ltf_mutex_free = (void (*)(void *))PR_DestroyMonitor;
- tfns.ltf_mutex_lock = (int (*)(void *)) PR_EnterMonitor;
- tfns.ltf_mutex_unlock = (int (*)(void *)) PR_ExitMonitor;
- tfns.ltf_get_errno = get_errno;
- tfns.ltf_set_errno = set_errno;
- tfns.ltf_get_lderrno = get_ld_error;
- tfns.ltf_set_lderrno = set_ld_error;
- /* set ld_errno pointers */
- if ( ldapu_set_option( ld, LDAP_OPT_THREAD_FN_PTRS, (void *) &tfns )
- != 0 ) {
- ldb_crit_exit(ldb);
- return LDAPU_ERR_LDAP_SET_OPTION_FAILED;
- }
- }
-#ifdef LDAP_OPT_DNS_FN_PTRS /* not supported in older LDAP SDKs */
- {
- /* install DNS functions */
- struct ldap_dns_fns dnsfns;
- memset( &dnsfns, '\0', sizeof(struct ldap_dns_fns) );
- dnsfns.lddnsfn_bufsize = PR_NETDB_BUF_SIZE;
- dnsfns.lddnsfn_gethostbyname = ldapu_gethostbyname;
- dnsfns.lddnsfn_gethostbyaddr = ldapu_gethostbyaddr;
- if ( ldapu_set_option( ld, LDAP_OPT_DNS_FN_PTRS, (void *)&dnsfns )
- != 0 ) {
- ldb_crit_exit(ldb);
- return LDAPU_ERR_LDAP_SET_OPTION_FAILED;
- }
- }
-#endif /* LDAP_OPT_DNS_FN_PTRS */
-
- if (ldapu_is_local_db(ldb)) {
- /* No more Local db support, force error! */
- return LDAPU_ERR_LCACHE_INIT_FAILED;
-#if 0
- int optval = 1;
-
- if (lcache_init(ld, ldb->host) != 0) {
- ldb_crit_exit(ldb);
- return LDAPU_ERR_LCACHE_INIT_FAILED;
- }
-
- if (ldap_set_option(ld, LDAP_OPT_CACHE_ENABLE, &optval) != 0) {
- ldb_crit_exit(ldb);
- return LDAPU_ERR_LDAP_SET_OPTION_FAILED;
- }
-
- optval = LDAP_CACHE_LOCALDB;
-
- if (ldap_set_option(ld, LDAP_OPT_CACHE_STRATEGY, &optval) != 0) {
- ldb_crit_exit(ldb);
- return LDAPU_ERR_LDAP_SET_OPTION_FAILED;
- }
-#endif
- }
- else if (ldb->binddn && *ldb->binddn) {
- /* Set the rebind proc */
- /* Rebind proc is used when chasing a referral */
- ldap_set_rebind_proc(ld, ldapu_rebind_proc, (void *)ldb);
- }
-
- ldb->ld = ld;
- ldb_crit_exit(ldb);
-
- return LDAPU_SUCCESS;
-}
-
-NSAPI_PUBLIC int ldapu_ldap_rebind (LDAPDatabase_t *ldb)
-{
- int retry;
- int rv = LDAPU_FAILED;
-
- ldb_crit_enter(ldb);
-
- if (ldb->ld) {
- retry = (ldb->bound != -1 ? 1 : 0); /* avoid recursion */
-
-#ifdef USE_LDAP_SSL
- if (ldb->use_ssl && !CERT_GetDefaultCertDB()) {
- /* default cert database has not been initialized */
- rv = LDAPU_ERR_NO_DEFAULT_CERTDB;
- }
- else
-#endif
- {
- rv = ldap_simple_bind_s(ldb->ld, ldb->binddn, ldb->bindpw);
- }
-
- /* retry once if the LDAP server is down */
- if (rv == LDAP_SERVER_DOWN && retry) {
- ldb->bound = -1; /* to avoid recursion */
- rv = ldapu_ldap_reinit_and_rebind(ldb);
- }
-
- if (rv == LDAPU_SUCCESS) ldb->bound = 1;
- }
-
- ldb_crit_exit(ldb);
-
- return rv;
-}
-
-NSAPI_PUBLIC int ldapu_ldap_init_and_bind (LDAPDatabase_t *ldb)
-{
- int rv = LDAPU_SUCCESS;
-
- ldb_crit_enter(ldb);
-
- if (!ldb->ld) {
- rv = ldapu_ldap_init(ldb);
- /* ldb->bound may be set to -1 to avoid recursion */
- if (ldb->bound == 1) ldb->bound = 0;
- }
-
- /* bind as binddn & bindpw if not bound already */
- if (rv == LDAPU_SUCCESS && ldb->bound != 1) {
- rv = ldapu_ldap_rebind (ldb);
- }
-
- ldb_crit_exit(ldb);
-
- return rv;
-}
-
-NSAPI_PUBLIC int ldapu_ldap_reinit_and_rebind (LDAPDatabase_t *ldb)
-{
- int rv;
-
- ldb_crit_enter(ldb);
-
- if (ldb->ld) {
- ldapu_unbind(ldb->ld);
- ldb->ld = 0;
- }
-
- rv = ldapu_ldap_init_and_bind(ldb);
- ldb_crit_exit(ldb);
- return rv;
-}
-
diff --git a/lib/ldaputil/vtable.c b/lib/ldaputil/vtable.c
index 0ead6c11..18ac0a4d 100644
--- a/lib/ldaputil/vtable.c
+++ b/lib/ldaputil/vtable.c
@@ -42,187 +42,8 @@
#include "ldaputili.h"
#include <ldap.h>
-#ifdef USE_LDAP_SSL
-#include <ldap_ssl.h>
-#endif
-
-#if defined( _WINDOWS ) && ! defined( _WIN32 )
-/* On 16-bit WINDOWS platforms, it's erroneous to call LDAP API functions
- * via a function pointer, since they are not declared LDAP_CALLBACK.
- * So, we define the following functions, which are LDAP_CALLBACK, and
- * simply delegate to their counterparts in the LDAP API.
- */
-
-#ifdef USE_LDAP_SSL
-static LDAP_CALL LDAP_CALLBACK LDAP*
-ldapuVd_ssl_init( const char *host, int port, int encrypted )
-{
- return ldapssl_init (host, port, encrypted);
-}
-#else
-static LDAP_CALL LDAP_CALLBACK LDAP*
-ldapuVd_init ( const char *host, int port )
-{
- return ldap_init (host, port);
-}
-#endif
-
-static LDAP_CALL LDAP_CALLBACK int
-ldapuVd_set_option( LDAP *ld, int opt, const void *val )
-{
- return ldap_set_option (ld, opt, val);
-}
-
-static LDAP_CALL LDAP_CALLBACK int
-ldapuVd_simple_bind_s( LDAP* ld, const char *username, const char *passwd )
-{
- return ldap_simple_bind_s (ld, username, passwd);
-}
-
-static LDAP_CALL LDAP_CALLBACK int
-ldapuVd_unbind( LDAP *ld )
-{
- return ldap_unbind (ld);
-}
-
-static LDAP_CALL LDAP_CALLBACK int
-ldapuVd_search_s( LDAP* ld, const char* baseDN, int scope, const char* filter,
- char** attrs, int attrsonly, LDAPMessage** result )
-{
- return ldap_search_s (ld, baseDN, scope, filter, attrs, attrsonly, result);
-}
-
-static LDAP_CALL LDAP_CALLBACK int
-ldapuVd_count_entries( LDAP* ld, LDAPMessage* msg )
-{
- return ldap_count_entries (ld, msg);
-}
-
-static LDAP_CALL LDAP_CALLBACK LDAPMessage*
-ldapuVd_first_entry( LDAP* ld, LDAPMessage* msg )
-{
- return ldap_first_entry (ld, msg);
-}
-
-static LDAP_CALL LDAP_CALLBACK LDAPMessage*
-ldapuVd_next_entry( LDAP* ld, LDAPMessage* entry )
-{
- return ldap_next_entry(ld, entry);
-}
-
-static LDAP_CALL LDAP_CALLBACK char*
-ldapuVd_get_dn( LDAP* ld, LDAPMessage* entry )
-{
- return ldap_get_dn (ld, entry);
-}
-
-static LDAP_CALL LDAP_CALLBACK char*
-ldapuVd_first_attribute( LDAP* ld, LDAPMessage* entry, BerElement** iter )
-{
- return ldap_first_attribute (ld, entry, iter);
-}
-
-static LDAP_CALL LDAP_CALLBACK char*
-ldapuVd_next_attribute( LDAP* ld, LDAPMessage* entry, BerElement* iter)
-{
- return ldap_next_attribute (ld, entry, iter);
-}
-
-static LDAP_CALL LDAP_CALLBACK char**
-ldapuVd_get_values( LDAP *ld, LDAPMessage *entry, const char *desc )
-{
- return ldap_get_values (ld, entry, desc);
-}
-
-static LDAP_CALL LDAP_CALLBACK struct berval**
-ldapuVd_get_values_len( LDAP *ld, LDAPMessage *entry, const char *desc )
-{
- return ldap_get_values_len (ld, entry, desc);
-}
-
-#else
-/* On other platforms, an LDAP API function can be called via a pointer. */
-#ifdef USE_LDAP_SSL
-#define ldapuVd_ssl_init ldapssl_init
-#else
-#define ldapuVd_init ldap_init
-#endif
-#define ldapuVd_set_option ldap_set_option
-#define ldapuVd_simple_bind_s ldap_simple_bind_s
-#define ldapuVd_unbind ldap_unbind
-#define ldapuVd_simple_bind_s ldap_simple_bind_s
-#define ldapuVd_unbind ldap_unbind
-#define ldapuVd_search_s ldap_search_s
-#define ldapuVd_count_entries ldap_count_entries
-#define ldapuVd_first_entry ldap_first_entry
-#define ldapuVd_next_entry ldap_next_entry
-#define ldapuVd_get_dn ldap_get_dn
-#define ldapuVd_first_attribute ldap_first_attribute
-#define ldapuVd_next_attribute ldap_next_attribute
-#define ldapuVd_get_values ldap_get_values
-#define ldapuVd_get_values_len ldap_get_values_len
-
-#endif
-
-/* Several functions in the standard LDAP API have no LDAP* parameter,
- but all the VTable functions do. Here are some little functions that
- make up the difference, by ignoring their LDAP* parameter:
-*/
-static int LDAP_CALL LDAP_CALLBACK
-ldapuVd_msgfree( LDAP *ld, LDAPMessage *chain )
-{
- return ldap_msgfree (chain);
-}
-
-static void LDAP_CALL LDAP_CALLBACK
-ldapuVd_memfree( LDAP *ld, void *dn )
-{
- ldap_memfree (dn);
-}
-
-static void LDAP_CALL LDAP_CALLBACK
-ldapuVd_ber_free( LDAP *ld, BerElement *ber, int freebuf )
-{
- ldap_ber_free (ber, freebuf);
-}
-
-static void LDAP_CALL LDAP_CALLBACK
-ldapuVd_value_free( LDAP *ld, char **vals )
-{
- ldap_value_free (vals);
-}
-static void LDAP_CALL LDAP_CALLBACK
-ldapuVd_value_free_len( LDAP *ld, struct berval **vals )
-{
- ldap_value_free_len (vals);
-}
-
-static LDAPUVTable_t ldapu_VTable = {
-/* By default, the VTable points to the standard LDAP API. */
-#ifdef USE_LDAP_SSL
- ldapuVd_ssl_init,
-#else
- ldapuVd_init,
-#endif
- ldapuVd_set_option,
- ldapuVd_simple_bind_s,
- ldapuVd_unbind,
- ldapuVd_search_s,
- ldapuVd_count_entries,
- ldapuVd_first_entry,
- ldapuVd_next_entry,
- ldapuVd_msgfree,
- ldapuVd_get_dn,
- ldapuVd_memfree,
- ldapuVd_first_attribute,
- ldapuVd_next_attribute,
- ldapuVd_ber_free,
- ldapuVd_get_values,
- ldapuVd_value_free,
- ldapuVd_get_values_len,
- ldapuVd_value_free_len
-};
+static LDAPUVTable_t ldapu_VTable = {};
/* Replace ldapu_VTable. Subsequently, ldaputil will call the
functions in 'from' (not the LDAP API) to access the directory.
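Review bot: The new `static LDAPUVTable_t ldapu_VTable = {};` uses an empty initializer, which is a GNU extension before C23 and is rejected by stricter C compilers. Writing `static LDAPUVTable_t ldapu_VTable = {0};` (or dropping the initializer, since the object has static storage) zero-fills the table portably. With the defaults gone, every slot is NULL until `ldapu_VTable_set()` runs. Wrappers such as `ldapu_get_values_len` in the later hunk then return NULL, which a caller may not be able to tell apart from an empty directory result. I would document that contract at the definition, e.g. `/* Intentionally empty: install handlers with ldapu_VTable_set() before any ldapu_* call; unset slots make the wrappers fail. */`, and confirm that the certmap and authentication callers treat that failure as an error rather than as "no match".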
@@ -235,26 +56,6 @@ ldapu_VTable_set (LDAPUVTable_t* from)
}
}
-#ifdef USE_LDAP_SSL
-LDAP*
-ldapu_ssl_init( const char *defhost, int defport, int defsecure )
-{
- if (ldapu_VTable.ldapuV_ssl_init) {
- return ldapu_VTable.ldapuV_ssl_init (defhost, defport, defsecure);
- }
- return NULL;
-}
-#else
-LDAP*
-ldapu_init( const char *defhost, int defport )
-{
- if (ldapu_VTable.ldapuV_init) {
- return ldapu_VTable.ldapuV_init (defhost, defport);
- }
- return NULL;
-}
-#endif
-
int
ldapu_set_option( LDAP *ld, int option, void *optdata )
{
@@ -422,28 +223,6 @@ ldapu_get_values_len( LDAP *ld, LDAPMessage *entry, const char *desc )
{
if (ldapu_VTable.ldapuV_get_values_len) {
return ldapu_VTable.ldapuV_get_values_len (ld, entry, desc);
- } else if (!ldapu_VTable.ldapuV_value_free_len
- && ldapu_VTable.ldapuV_get_values) {
- auto char** vals =
- ldapu_VTable.ldapuV_get_values (ld, entry, desc);
- if (vals) {
- auto struct berval** bvals = (struct berval**)
- ldapu_malloc ((ldap_count_values (vals) + 1)
- * sizeof(struct berval*));
- if (bvals) {
- auto char** val;
- auto struct berval** bval;
- for (val = vals, bval = bvals; *val; ++val, ++bval) {
- auto const size_t len = strlen(*val);
- *bval = (struct berval*) ldapu_malloc (sizeof(struct berval) + len);
- (*bval)->bv_len = len;
- (*bval)->bv_val = ((char*)(*bval)) + sizeof(struct berval);
- memcpy ((*bval)->bv_val, *val, len);
- }
- *bval = NULL;
- return bvals;
- }
- }
}
return NULL;
}
diff --git a/lib/libaccess/aclcache.cpp b/lib/libaccess/aclcache.cpp
index aede1220..e474601a 100644
--- a/lib/libaccess/aclcache.cpp
+++ b/lib/libaccess/aclcache.cpp
@@ -51,7 +51,6 @@
#include <libaccess/aclglobal.h>
#include <libaccess/usrcache.h>
#include <libaccess/las.h>
-#include <libaccess/ldapacl.h>
#include "aclutil.h"
#include "permhash.h"
#include "aclcache.h"
@@ -565,8 +564,6 @@ ACL_Init(void)
ACL_ListHashInit();
ACL_LasHashInit();
ACL_Init2();
- init_ldb_rwlock();
- ACL_RegisterInit();
return 0;
}
@@ -587,11 +584,6 @@ ACL_Init2(void)
#ifdef MCC_ADMSERV
ACL_LasRegister(NULL, "program", LASProgramEval, (LASFlushFunc_t)NULL);
#endif
-
- ACL_AttrGetterRegister(NULL, ACL_ATTR_USERDN,
- get_userdn_ldap,
- ACL_METHOD_ANY, ACL_DBTYPE_ANY,
- ACL_AT_END, NULL);
return;
}
diff --git a/lib/libaccess/aclcache.h b/lib/libaccess/aclcache.h
index 8849cf63..65e618d1 100644
--- a/lib/libaccess/aclcache.h
+++ b/lib/libaccess/aclcache.h
@@ -57,7 +57,6 @@ extern int ACL_CacheCheck(char *uri, ACLListHandle_t **acllist_p);
extern void ACL_CacheEnter(char *uri, ACLListHandle_t **acllist_p);
extern void ACL_CacheAbort(ACLListHandle_t **acllist_p);
extern void ACL_Init2(void);
-extern int ACL_RegisterInit ();
NSPR_END_EXTERN_C
diff --git a/lib/libaccess/ldapacl.cpp b/lib/libaccess/ldapacl.cpp
deleted file mode 100644
index 4b7fdc8b..00000000
--- a/lib/libaccess/ldapacl.cpp
+++ /dev/null
@@ -1,857 +0,0 @@
-/** BEGIN COPYRIGHT BLOCK
- * This Program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; version 2 of the License.
- *
- * This Program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place, Suite 330, Boston, MA 02111-1307 USA.
- *
- * In addition, as a special exception, Red Hat, Inc. gives You the additional
- * right to link the code of this Program with code not covered under the GNU
- * General Public License ("Non-GPL Code") and to distribute linked combinations
- * including the two, subject to the limitations in this paragraph. Non-GPL Code
- * permitted under this exception must only link to the code of this Program
- * through those well defined interfaces identified in the file named EXCEPTION
- * found in the source code files (the "Approved Interfaces"). The files of
- * Non-GPL Code may instantiate templates or use macros or inline functions from
- * the Approved Interfaces without causing the resulting work to be covered by
- * the GNU General Public License. Only Red Hat, Inc. may make changes or
- * additions to the list of Approved Interfaces. You must obey the GNU General
- * Public License in all respects for all of the Program code and other code used
- * in conjunction with the Program except the Non-GPL Code covered by this
- * exception. If you modify this file, you may extend this exception to your
- * version of the file, but you are not obligated to do so. If you do not wish to
- * provide this exception without modification, you must delete this exception
- * statement from your version and license this file solely under the GPL without
- * exception.
- *
- *
- * Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
- * Copyright (C) 2005 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK **/
-
-#ifdef HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-
-/* #define DBG_PRINT */
-
-#include <netsite.h>
-#include <base/rwlock.h>
-#include <base/ereport.h>
-#include <libaccess/acl.h>
-#include "aclpriv.h"
-#include <libaccess/aclproto.h>
-#include <libaccess/las.h>
-#include "aclutil.h"
-#include <ldaputil/errors.h>
-#include <ldaputil/certmap.h>
-#include <ldaputil/ldaputil.h>
-#include <ldaputil/dbconf.h>
-#include <ldaputil/ldapauth.h>
-#include <libaccess/authdb.h>
-#include <libaccess/ldapacl.h>
-#include <libaccess/usrcache.h>
-#include <libaccess/dbtlibaccess.h>
-#include <libaccess/aclglobal.h>
-#include <libaccess/aclerror.h>
-
-#define BIG_LINE 1024
-
-static int need_ldap_over_ssl = 0;
-static RWLOCK ldb_rwlock = (RWLOCK)0;
-
-void init_ldb_rwlock ()
-{
- ldb_rwlock = rwlock_Init();
-}
-
-void ldb_write_rwlock (LDAPDatabase_t *ldb, RWLOCK lock)
-{
- DBG_PRINT1("ldb_write_rwlock\n");
- /* Don't lock for local database -- let ldapsdk handle thread safety*/
- if (!ldapu_is_local_db(ldb))
- rwlock_WriteLock(lock);
-}
-
-void ldb_read_rwlock (LDAPDatabase_t *ldb, RWLOCK lock)
-{
- DBG_PRINT1("ldb_read_rwlock\n");
- /* Don't lock for local database -- let ldapsdk handle thread safety*/
- if (!ldapu_is_local_db(ldb))
- rwlock_ReadLock(lock);
-}
-
-void ldb_unlock_rwlock (LDAPDatabase_t *ldb, RWLOCK lock)
-{
- DBG_PRINT1("ldb_unlock_rwlock\n");
- /* we don't lock for local database */
- if (!ldapu_is_local_db(ldb))
- rwlock_Unlock(lock);
-}
-
-int ACL_NeedLDAPOverSSL ()
-{
- return need_ldap_over_ssl;
-}
-
-NSAPI_PUBLIC int parse_ldap_url (NSErr_t *errp, ACLDbType_t dbtype,
- const char *dbname, const char *url,
- PList_t plist, void **db)
-{
- LDAPDatabase_t *ldb;
- char *binddn = 0;
- char *bindpw = 0;
- int rv;
-
- *db = 0;
-
- if (!url || !*url) {
- nserrGenerate(errp, ACLERRINVAL, ACLERR5800, ACL_Program, 1, XP_GetAdminStr(DBT_ldapaclDatabaseUrlIsMissing));
- return -1;
- }
-
- if (!dbname || !*dbname) {
- nserrGenerate(errp, ACLERRINVAL, ACLERR5810, ACL_Program, 1, XP_GetAdminStr(DBT_ldapaclDatabaseNameIsMissing));
- return -1;
- }
-
- /* look for binddn and bindpw in the plist */
- if (plist) {
- PListFindValue(plist, LDAPU_ATTR_BINDDN, (void **)&binddn, NULL);
- PListFindValue(plist, LDAPU_ATTR_BINDPW, (void **)&bindpw, NULL);
- }
-
- rv = ldapu_url_parse(url, binddn, bindpw, &ldb);
-
- if (rv != LDAPU_SUCCESS) {
- nserrGenerate(errp, ACLERRINVAL, ACLERR5820, ACL_Program, 2, XP_GetAdminStr(DBT_ldapaclErrorParsingLdapUrl), ldapu_err2string(rv));
- return -1;
- }
-
- /* success */
- *db = ldb;
-
- /* Check if we need to do LDAP over SSL */
- if (!need_ldap_over_ssl) {
- need_ldap_over_ssl = ldb->use_ssl;
- }
-
- return 0;
-}
-
-int get_is_valid_password_basic_ldap (NSErr_t *errp, PList_t subject,
- PList_t resource, PList_t auth_info,
- PList_t global_auth, void *unused)
-{
- /* If the raw-user-name and raw-user-password attributes are present then
- * verify the password against the LDAP database.
- * Otherwise call AttrGetter for raw-user-name.
- */
- char *raw_user;
- char *raw_pw;
- char *userdn = 0;
- int rv;
- char *dbname;
- ACLDbType_t dbtype;
- LDAPDatabase_t *ldb;
- time_t *req_time = 0;
- pool_handle_t *subj_pool = PListGetPool(subject)
-
- DBG_PRINT1("get_is_valid_password_basic_ldap\n");
- rv = ACL_GetAttribute(errp, ACL_ATTR_RAW_USER, (void **)&raw_user,
- subject, resource, auth_info, global_auth);
-
- if (rv != LAS_EVAL_TRUE) {
- return rv;
- }
-
- rv = ACL_GetAttribute(errp, ACL_ATTR_RAW_PASSWORD, (void **)&raw_pw,
- subject, resource, auth_info, global_auth);
-
- if (rv != LAS_EVAL_TRUE) {
- return rv;
- }
-
- if (!raw_pw || !*raw_pw) {
- /* Null password is not allowed in LDAP since most LDAP servers let
- * the bind call succeed as anonymous login (with limited privileges).
- */
- return LAS_EVAL_FALSE;
- }
-
- /* Authenticate the raw_user and raw_pw against LDAP database. */
- rv = ACL_AuthInfoGetDbname(auth_info, &dbname);
-
- if (rv < 0) {
- char rv_str[16];
- sprintf(rv_str, "%d", rv);
- nserrGenerate(errp, ACLERRFAIL, ACLERR5830, ACL_Program, 2,
- XP_GetAdminStr(DBT_ldapaclUnableToGetDatabaseName), rv_str);
- return LAS_EVAL_FAIL;
- }
-
- rv = ACL_DatabaseFind(errp, dbname, &dbtype, (void **)&ldb);
-
- if (rv != LAS_EVAL_TRUE) {
- nserrGenerate(errp, ACLERRFAIL, ACLERR5840, ACL_Program, 2,
- XP_GetAdminStr(DBT_ldapaclUnableToGetParsedDatabaseName), dbname);
- return rv;
- }
-
- if (acl_usr_cache_enabled()) {
- /* avoid unnecessary system call to get time if cache is disabled */
- req_time = acl_get_req_time(resource);
-
- /* We have user name and password. */
- /* Check the cache to see if the password is valid */
- rv = acl_usr_cache_passwd_check(raw_user, dbname, raw_pw, *req_time,
- &userdn, subj_pool);
- }
- else {
- rv = LAS_EVAL_FALSE;
- }
-
- if (rv != LAS_EVAL_TRUE) {
- LDAPMessage *res = 0;
- const char *some_attrs[] = { "C", 0 };
- LDAP *ld;
- char *udn;
- /* Not found in the cache */
-
- /* Since we will bind with the user/password and other code relying on
- * ldb being bound as ldb->binddn and ldb->bindpw may fail. So block
- * them until we are done.
- */
- ldb_write_rwlock(ldb, ldb_rwlock);
- rv = ldapu_ldap_init_and_bind(ldb);
-
- if (rv != LDAPU_SUCCESS) {
- ldb_unlock_rwlock(ldb, ldb_rwlock);
- nserrGenerate(errp, ACLERRFAIL, ACLERR5850, ACL_Program, 2, XP_GetAdminStr(DBT_ldapaclCoudlntInitializeConnectionToLdap), ldapu_err2string(rv));
- return LAS_EVAL_FAIL;
- }
-
- /* LDAPU_REQ will reconnect & retry once if LDAP server went down */
- ld = ldb->ld;
- LDAPU_REQ(rv, ldb, ldapu_find_uid_attrs(ld, raw_user,
- ldb->basedn, some_attrs,
- 1, &res));
-
- if (rv == LDAPU_SUCCESS) {
- LDAPMessage *entry = ldap_first_entry(ld, res);
-
- userdn = ldap_get_dn(ld, entry);
-
- /* LDAPU_REQ will reconnect & retry once if LDAP server went down */
- LDAPU_REQ(rv, ldb, ldapu_auth_userdn_password(ld, userdn, raw_pw));
-
- /* Make sure we rebind with the server's DN
- * ignore errors from ldapu_ldap_rebind -- we will get the same
- * errors in subsequent calls to LDAP. Return status from the
- * above call is our only interest now.
- */
- ldapu_ldap_rebind(ldb);
- }
-
- if (res) ldap_msgfree(res);
- ldb_unlock_rwlock(ldb, ldb_rwlock);
-
- if (rv == LDAPU_FAILED || rv == LDAP_INVALID_CREDENTIALS) {
- /* user entry not found or incorrect password */
- if (userdn) ldap_memfree(userdn);
- return LAS_EVAL_FALSE;
- }
- else if (rv != LDAPU_SUCCESS) {
- /* some unexpected LDAP error */
- nserrGenerate(errp, ACLERRFAIL, ACLERR5860, ACL_Program, 2, XP_GetAdminStr(DBT_ldapaclPassworkCheckLdapError), ldapu_err2string(rv));
- if (userdn) ldap_memfree(userdn);
- return LAS_EVAL_FAIL;
- }
-
- /* Make an entry in the cache */
- if (acl_usr_cache_enabled()) {
- acl_usr_cache_insert(raw_user, dbname, userdn, raw_pw, 0, 0,
- *req_time);
- }
- udn = pool_strdup(subj_pool, userdn);
- ldap_memfree(userdn);
- userdn = udn;
- }
-
- PListInitProp(subject, ACL_ATTR_IS_VALID_PASSWORD_INDEX, ACL_ATTR_IS_VALID_PASSWORD, raw_user, 0);
- PListInitProp(subject, ACL_ATTR_USERDN_INDEX, ACL_ATTR_USERDN, userdn, 0);
- return LAS_EVAL_TRUE;
-}
-
-static int acl_grpcmpfn (const void *groupids, const char *group,
- const int len)
-{
- const char *token = (const char *)groupids;
- int tlen;
- char delim = ',';
-
- while((token = acl_next_token_len(token, delim, &tlen)) != NULL) {
- if (tlen > 0 && tlen == len && !strncmp(token, group, len))
- return LDAPU_SUCCESS;
- else if (tlen == 0 || 0 != (token = strchr(token+tlen, delim)))
- token++;
- else
- break;
- }
-
- return LDAPU_FAILED;
-}
-
-int get_user_ismember_ldap (NSErr_t *errp, PList_t subject,
- PList_t resource, PList_t auth_info,
- PList_t global_auth, void *unused)
-{
- int retval;
- int rv;
- char *userdn;
- char *groups;
- char *member_of = 0;
- LDAPDatabase_t *ldb;
- char *dbname;
- ACLDbType_t dbtype;
-
- DBG_PRINT1("get_user_ismember_ldap\n");
-
- rv = ACL_GetAttribute(errp, ACL_ATTR_USERDN, (void **)&userdn, subject,
- resource, auth_info, global_auth);
-
- if (rv != LAS_EVAL_TRUE) {
- return LAS_EVAL_FAIL;
- }
-
- rv = ACL_GetAttribute(errp, ACL_ATTR_GROUPS, (void **)&groups, subject,
- resource, auth_info, global_auth);
-
- if (rv != LAS_EVAL_TRUE) {
- return rv;
- }
-
- rv = ACL_AuthInfoGetDbname(auth_info, &dbname);
-
- if (rv < 0) {
- char rv_str[16];
- sprintf(rv_str, "%d", rv);
- nserrGenerate(errp, ACLERRINVAL, ACLERR5900, ACL_Program, 2, XP_GetAdminStr(DBT_GetUserIsMemberLdapUnabelToGetDatabaseName), rv_str);
- return rv;
- }
-
- rv = ACL_DatabaseFind(errp, dbname, &dbtype, (void **)&ldb);
-
- if (rv != LAS_EVAL_TRUE) {
- nserrGenerate(errp, ACLERRINVAL, ACLERR5910, ACL_Program, 2, XP_GetAdminStr(DBT_GetUserIsMemberLdapUnableToGetParsedDatabaseName), dbname);
- return rv;
- }
-
- ldb_read_rwlock(ldb, ldb_rwlock);
- rv = ldapu_ldap_init_and_bind(ldb);
-
- if (rv != LDAPU_SUCCESS) {
- ldb_unlock_rwlock(ldb, ldb_rwlock);
- nserrGenerate(errp, ACLERRFAIL, ACLERR5930, ACL_Program, 2,
- XP_GetAdminStr(DBT_GetUserIsMemberLdapCouldntInitializeConnectionToLdap), ldapu_err2string(rv));
- return LAS_EVAL_FAIL;
- }
-
- /* check if the user is member of any of the groups */
- /* LDAPU_REQ will reconnect & retry once if LDAP server went down */
- LDAPU_REQ(rv, ldb, ldapu_auth_userdn_groupids(ldb->ld,
- userdn,
- groups,
- acl_grpcmpfn,
- ldb->basedn,
- &member_of));
-
- ldb_unlock_rwlock(ldb, ldb_rwlock);
-
- if (rv == LDAPU_SUCCESS) {
- /* User is a member of one of the groups */
- if (member_of) {
- PListInitProp(subject, ACL_ATTR_USER_ISMEMBER_INDEX,
- ACL_ATTR_USER_ISMEMBER,
- pool_strdup(PListGetPool(subject), member_of), 0);
- retval = LAS_EVAL_TRUE;
- }
- else {
- /* This shouldn't happen */
- retval = LAS_EVAL_FALSE;
- }
- }
- else if (rv == LDAPU_FAILED) {
- /* User is not a member of any of the groups */
- retval = LAS_EVAL_FALSE;
- }
- else {
- /* unexpected LDAP error */
- nserrGenerate(errp, ACLERRFAIL, ACLERR5950, ACL_Program, 2,
- XP_GetAdminStr(DBT_GetUserIsMemberLdapError),
- ldapu_err2string(rv));
- retval = LAS_EVAL_FAIL;
- }
-
- return retval;
-}
-
-
-/* This function returns LDAPU error codes so that the caller can call
- * ldapu_err2string to get the error string.
- */
-int acl_map_cert_to_user (NSErr_t *errp, const char *dbname,
- LDAPDatabase_t *ldb, void *cert,
- PList_t resource, pool_handle_t *pool,
- char **user, char **userdn)
-{
- int rv;
- LDAPMessage *res;
- LDAPMessage *entry;
- char *uid;
- time_t *req_time = 0;
-
- if (acl_usr_cache_enabled()) {
- req_time = acl_get_req_time(resource);
-
- rv = acl_cert_cache_get_uid (cert, dbname, *req_time, user, userdn,
- pool);
- }
- else {
- rv = LAS_EVAL_FALSE;
- }
-
- if (rv != LAS_EVAL_TRUE) {
- /* Not found in the cache */
-
- ldb_read_rwlock(ldb, ldb_rwlock);
- rv = ldapu_ldap_init_and_bind(ldb);
-
- /* LDAPU_REQ will reconnect & retry once if LDAP server went down */
- /* it sets the variable rv */
- if (rv == LDAPU_SUCCESS) {
-
- LDAPU_REQ(rv, ldb, ldapu_cert_to_user(cert, ldb->ld, ldb->basedn,
- &res, &uid));
-
- if (rv == LDAPU_SUCCESS) {
- char *dn;
-
- *user = pool_strdup(pool, uid);
- if (!*user) rv = LDAPU_ERR_OUT_OF_MEMORY;
- free(uid);
-
- entry = ldap_first_entry(ldb->ld, res);
- dn = ldap_get_dn(ldb->ld, entry);
- if (acl_usr_cache_enabled()) {
- acl_cert_cache_insert (cert, dbname, *user, dn, *req_time);
- }
- *userdn = dn ? pool_strdup(pool, dn) : 0;
- if (!*userdn) rv = LDAPU_ERR_OUT_OF_MEMORY;
- ldap_memfree(dn);
- }
- if (res) ldap_msgfree(res);
- }
- ldb_unlock_rwlock(ldb, ldb_rwlock);
- }
- else {
- rv = LDAPU_SUCCESS;
- }
-
- return rv;
-}
-
-
-/*
- * ACL_LDAPDatabaseHandle -
- * Finds the internal structure representing the 'dbname'. If it is an LDAP
- * database, returns the 'LDAP *ld' pointer. Also, binds to the LDAP server.
- * The LDAP *ld handle can be used in calls to LDAP API.
- * Returns LAS_EVAL_TRUE if successful, otherwise logs an error in
- * LOG_SECURITY and returns LAS_EVAL_FAIL.
- */
-int ACL_LDAPDatabaseHandle (NSErr_t *errp, const char *dbname, LDAP **ld,
- char **basedn)
-{
- int rv;
- ACLDbType_t dbtype;
- void *db;
- LDAPDatabase_t *ldb;
-
- *ld = 0;
- if (!dbname || !*dbname) dbname = DBCONF_DEFAULT_DBNAME;
-
- /* Check if the ldb is already in the ACLUserLdbHash */
- ldb = (LDAPDatabase_t *)PR_HashTableLookup(ACLUserLdbHash, dbname);
-
- if (!ldb) {
-
- rv = ACL_DatabaseFind(errp, dbname, &dbtype, &db);
-
- if (rv != LAS_EVAL_TRUE) {
- nserrGenerate(errp, ACLERRINVAL, ACLERR6000, ACL_Program, 2, XP_GetAdminStr(DBT_LdapDatabaseHandleNotARegisteredDatabase), dbname);
- return LAS_EVAL_FAIL;
- }
-
- if (!ACL_DbTypeIsEqual(errp, dbtype, ACL_DbTypeLdap)) {
- /* Not an LDAP database -- error */
- nserrGenerate(errp, ACLERRINVAL, ACLERR6010, ACL_Program, 2, XP_GetAdminStr(DBT_LdapDatabaseHandleNotAnLdapDatabase), dbname);
- return LAS_EVAL_FAIL;
- }
-
- ldb = ldapu_copy_LDAPDatabase_t((LDAPDatabase_t *)db);
-
- if (!ldb) {
- /* Not an LDAP database -- error */
- nserrGenerate(errp, ACLERRNOMEM, ACLERR6020, ACL_Program, 1, XP_GetAdminStr(DBT_LdapDatabaseHandleOutOfMemory));
- return LAS_EVAL_FAIL;
- }
-
- PR_HashTableAdd(ACLUserLdbHash, PERM_STRDUP(dbname), ldb);
- }
-
- if (!ldb->ld) {
- rv = ldapu_ldap_init_and_bind(ldb);
-
- if (rv != LDAPU_SUCCESS) {
- nserrGenerate(errp, ACLERRFAIL, ACLERR6030, ACL_Program, 2, XP_GetAdminStr(DBT_LdapDatabaseHandleCouldntInitializeConnectionToLdap), ldapu_err2string(rv));
- return LAS_EVAL_FAIL;
- }
- }
-
- /*
- * Force the rebind -- we don't know whether the customer has used this ld
- * to bind as somebody else. It will also check if the LDAP server is up
- * and running, reestablish the connection if the LDAP server has rebooted
- * since it was last used.
- */
- rv = ldapu_ldap_rebind(ldb);
-
- if (rv != LDAPU_SUCCESS) {
- nserrGenerate(errp, ACLERRFAIL, ACLERR6040, ACL_Program, 2, XP_GetAdminStr(DBT_LdapDatabaseHandleCouldntBindToLdapServer), ldapu_err2string(rv));
- return LAS_EVAL_FAIL;
- }
-
- *ld = ldb->ld;
-
- if (basedn) {
- /* They asked for the basedn too */
- *basedn = PERM_STRDUP(ldb->basedn);
- }
-
- return LAS_EVAL_TRUE;
-}
-
-int get_userdn_ldap (NSErr_t *errp, PList_t subject,
- PList_t resource, PList_t auth_info,
- PList_t global_auth, void *unused)
-{
- char *uid;
- char *dbname;
- char *userdn;
- time_t *req_time = 0;
- pool_handle_t *subj_pool = PListGetPool(subject);
- int rv;
-
- rv = ACL_GetAttribute(errp, ACL_ATTR_USER, (void **)&uid, subject,
- resource, auth_info, global_auth);
-
- if (rv != LAS_EVAL_TRUE) {
- return LAS_EVAL_FAIL;
- }
-
- /* The getter for ACL_ATTR_USER may have put the USERDN on the PList */
- rv = PListGetValue(subject, ACL_ATTR_USERDN_INDEX, (void **)&userdn, NULL);
-
- if (rv >= 0) {
- /* Nothing to do */
- return LAS_EVAL_TRUE;
- }
-
- rv = ACL_AuthInfoGetDbname(auth_info, &dbname);
-
- if (rv < 0) {
- char rv_str[16];
- sprintf(rv_str, "%d", rv);
- nserrGenerate(errp, ACLERRFAIL, ACLERR5830, ACL_Program, 2,
- XP_GetAdminStr(DBT_ldapaclUnableToGetDatabaseName), rv_str);
- return LAS_EVAL_FAIL;
- }
-
- /* Check if the userdn is available in the usr_cache */
- if (acl_usr_cache_enabled()) {
- /* avoid unnecessary system call to get time if cache is disabled */
- req_time = acl_get_req_time(resource);
-
- rv = acl_usr_cache_get_userdn(uid, dbname, *req_time, &userdn,
- subj_pool);
- }
- else {
- rv = LAS_EVAL_FALSE;
- }
-
- if (rv == LAS_EVAL_TRUE) {
- /* Found in the cache */
- PListInitProp(subject, ACL_ATTR_USERDN_INDEX, ACL_ATTR_USERDN,
- userdn, 0);
- }
- else {
- ACLDbType_t dbtype;
- LDAPDatabase_t *ldb = 0;
-
- /* Perform LDAP lookup */
- rv = ACL_DatabaseFind(errp, dbname, &dbtype, (void **)&ldb);
-
- if (rv != LAS_EVAL_TRUE) {
- nserrGenerate(errp, ACLERRFAIL, ACLERR5840, ACL_Program, 2,
- XP_GetAdminStr(DBT_ldapaclUnableToGetParsedDatabaseName), dbname);
- return rv;
- }
-
- ldb_read_rwlock(ldb, ldb_rwlock);
- rv = ldapu_ldap_init_and_bind(ldb);
-
- if (rv != LDAPU_SUCCESS) {
- ldb_unlock_rwlock(ldb, ldb_rwlock);
- nserrGenerate(errp, ACLERRFAIL, ACLERR5850, ACL_Program, 2, XP_GetAdminStr(DBT_ldapaclCoudlntInitializeConnectionToLdap), ldapu_err2string(rv));
- return LAS_EVAL_FAIL;
- }
-
- LDAPU_REQ(rv, ldb, ldapu_find_userdn(ldb->ld, uid, ldb->basedn,
- &userdn));
-
- ldb_unlock_rwlock(ldb, ldb_rwlock);
-
- if (rv == LDAPU_SUCCESS) {
- /* Found it. Store it in the cache also. */
- PListInitProp(subject, ACL_ATTR_USERDN_INDEX, ACL_ATTR_USERDN,
- pool_strdup(subj_pool, userdn), 0);
- if (acl_usr_cache_enabled()) {
- acl_usr_cache_set_userdn(uid, dbname, userdn, *req_time);
- }
- ldapu_free(userdn);
- rv = LAS_EVAL_TRUE;
- }
- else if (rv == LDAPU_FAILED) {
- /* Not found but not an error */
- rv = LAS_EVAL_FALSE;
- }
- else {
- /* some unexpected LDAP error */
- nserrGenerate(errp, ACLERRFAIL, ACLERR5860, ACL_Program, 2, XP_GetAdminStr(DBT_ldapaclPassworkCheckLdapError), ldapu_err2string(rv));
- rv = LAS_EVAL_FAIL;
- }
- }
-
- return rv;
-}
-
-/* Attr getter for LDAP database to check if the user exists */
-int get_user_exists_ldap (NSErr_t *errp, PList_t subject,
- PList_t resource, PList_t auth_info,
- PList_t global_auth, void *unused)
-{
- int rv;
- char *user;
- char *userdn;
-
- /* See if the userdn is already available */
- rv = PListGetValue(subject, ACL_ATTR_USERDN_INDEX, (void **)&userdn, NULL);
-
- if (rv >= 0) {
- /* Check if the DN is still valid against the database */
- /* Get the database name */
- char *dbname;
- ACLDbType_t dbtype;
- LDAPDatabase_t *ldb = 0;
- LDAPMessage *res;
- const char *some_attrs[] = { "c", 0 };
-
- rv = ACL_AuthInfoGetDbname(auth_info, &dbname);
-
- if (rv < 0) {
- char rv_str[16];
- sprintf(rv_str, "%d", rv);
- nserrGenerate(errp, ACLERRFAIL, ACLERR5830, ACL_Program, 2,
- XP_GetAdminStr(DBT_ldapaclUnableToGetDatabaseName), rv_str);
- return LAS_EVAL_FAIL;
- }
-
- /* Perform LDAP lookup */
- rv = ACL_DatabaseFind(errp, dbname, &dbtype, (void **)&ldb);
-
- if (rv != LAS_EVAL_TRUE) {
- nserrGenerate(errp, ACLERRFAIL, ACLERR5840, ACL_Program, 2,
- XP_GetAdminStr(DBT_ldapaclUnableToGetParsedDatabaseName), dbname);
- return rv;
- }
-
- ldb_read_rwlock(ldb, ldb_rwlock);
- rv = ldapu_ldap_init_and_bind(ldb);
-
- if (rv != LDAPU_SUCCESS) {
- ldb_unlock_rwlock(ldb, ldb_rwlock);
- nserrGenerate(errp, ACLERRFAIL, ACLERR5850, ACL_Program, 2, XP_GetAdminStr(DBT_ldapaclCoudlntInitializeConnectionToLdap), ldapu_err2string(rv));
- return LAS_EVAL_FAIL;
- }
-
- LDAPU_REQ(rv, ldb, ldapu_find (ldb->ld, ldb->basedn, LDAP_SCOPE_BASE,
- NULL, some_attrs, 1, &res));
-
- ldb_unlock_rwlock(ldb, ldb_rwlock);
-
- if (rv == LDAPU_SUCCESS) {
- /* Found it. */
- rv = LAS_EVAL_TRUE;
- }
- else if (rv == LDAPU_FAILED) {
- /* Not found but not an error */
- rv = LAS_EVAL_FALSE;
- }
- else {
- /* some unexpected LDAP error */
- nserrGenerate(errp, ACLERRFAIL, ACLERR5860, ACL_Program, 2, XP_GetAdminStr(DBT_ldapaclPassworkCheckLdapError), ldapu_err2string(rv));
- rv = LAS_EVAL_FAIL;
- }
- }
- else {
- /* If the DN doesn't exist, should we just return an error ? */
- /* If yes, we don't need rest of the code */
-
- /* If we don't have a DN, we must have a user at least */
- rv = PListGetValue(subject, ACL_ATTR_USER_INDEX, (void **)&user, NULL);
-
- if (rv < 0) {
- /* We don't even have a user name */
- return LAS_EVAL_FAIL;
- }
-
- rv = ACL_GetAttribute(errp, ACL_ATTR_USERDN, (void **)&userdn, subject,
- resource, auth_info, global_auth);
- }
-
- /* If we can get the userdn then the user exists */
- if (rv == LAS_EVAL_TRUE) {
- PListInitProp(subject, ACL_ATTR_USER_EXISTS_INDEX,
- ACL_ATTR_USER_EXISTS, userdn, 0);
- }
-
- return rv;
-}
-
-/* acl_user_exists - */
-/* Function to check if the user still exists */
-/* This function works for all kinds of databases */
-/* Returns 0 on success and -ve value on failure */
-NSAPI_PUBLIC int acl_user_exists (const char *user, const char *userdn,
- const char *dbname, const int logerr)
-{
- NSErr_t err = NSERRINIT;
- NSErr_t *errp = &err;
- pool_handle_t *pool = 0;
- time_t *req_time = 0;
- PList_t subject = 0;
- PList_t resource = 0;
- PList_t auth_info = 0;
- PList_t global_auth = NULL;
- int rv = 0;
-
- /* Check if the userdn is available in the usr_cache */
- if (acl_usr_cache_enabled() && userdn) {
- /* avoid unnecessary system call to get time if cache is disabled */
- req_time = (time_t *)MALLOC(sizeof(time_t));
-
- if (req_time) {
- time(req_time);
- rv = acl_usr_cache_userdn_check(user, dbname, userdn, *req_time);
- FREE((void *)req_time);
- }
-
- if (rv == LAS_EVAL_TRUE)
- {
- /* Found in the cache with the same DN */
- return 0;
- }
- }
-
- pool = pool_create();
- subject = PListCreate(pool, ACL_ATTR_INDEX_MAX, 0, 0);
- resource = PListCreate(pool, ACL_ATTR_INDEX_MAX, 0, 0);
- auth_info = PListCreate(pool, ACL_ATTR_INDEX_MAX, 0, 0);
-
- if (!pool || !subject || !resource || !auth_info) {
- /* ran out of memory */
- goto no_mem;
- }
-
- /* store a pointer to the user rather than a copy */
- rv = PListInitProp(subject, ACL_ATTR_USER_INDEX, ACL_ATTR_USER,
- user, 0);
- if (rv < 0) { /* Plist error */ goto plist_err; }
-
- if (userdn && *userdn) {
- /* store a pointer to the userdn rather than a copy */
- rv = PListInitProp(subject, ACL_ATTR_USERDN_INDEX, ACL_ATTR_USERDN,
- userdn, 0);
- if (rv < 0) { /* Plist error */ goto plist_err; }
- }
-
- /* store the cached dbname on auth_info */
- rv = ACL_AuthInfoSetDbname(errp, auth_info, dbname);
- if (rv < 0) { /* auth_info error */ goto err; }
-
- rv = ACL_GetAttribute(errp, ACL_ATTR_USER_EXISTS, (void **)&user,
- subject, resource, auth_info, global_auth);
-
- if (rv == LAS_EVAL_TRUE) {
- /* User still exists */
- rv = 0;
- }
- else if (rv == LAS_EVAL_FALSE) {
- /* User doesn't exist anymore */
- nserrGenerate(errp, ACLERRFAIL, 5880, ACL_Program, 2, XP_GetAdminStr(DBT_AclUserExistsNot), user);
- goto err;
- }
- else {
- /* Unexpected error while checking the existence of the user */
- goto err;
- }
-
- goto done;
-
-plist_err:
- nserrGenerate(errp, ACLERRFAIL, 5890, ACL_Program, 1, XP_GetAdminStr(DBT_AclUserPlistError));
- goto err;
-
-no_mem:
- nserrGenerate(errp, ACLERRNOMEM, 5870, ACL_Program, 1, XP_GetAdminStr(DBT_AclUserExistsOutOfMemory));
- goto err;
-
-err:
- if (logerr) {
- /* Unexpected error while checking the existence of the user */
- char buf[BIG_LINE];
- /* generate error message (upto depth 6) into buf */
- aclErrorFmt(errp, buf, BIG_LINE, 6);
- ereport(LOG_SECURITY, "Error while checking the existence of user: %s", buf);
- }
-
- nserrDispose(errp);
- rv = -1;
-
-done:
- /* Destroy the PLists & the pool */
- if (subject) PListDestroy(subject);
- if (resource) PListDestroy(resource);
- if (auth_info) PListDestroy(auth_info);
- if (pool) pool_destroy(pool);
- return rv;
-}
diff --git a/lib/libaccess/oneeval.cpp b/lib/libaccess/oneeval.cpp
index 05de0e36..14b15740 100644
--- a/lib/libaccess/oneeval.cpp
+++ b/lib/libaccess/oneeval.cpp
@@ -129,7 +129,7 @@ static ACLDispatchVector_t __nsacl_vector = {
ACL_DatabaseRegister,
ACL_DatabaseFind,
ACL_DatabaseSetDefault,
- ACL_LDAPDatabaseHandle,
+ NULL,
ACL_AuthInfoGetDbname,
ACL_CacheFlushRegister,
ACL_CacheFlush,
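Review bot: The `NULL` now sitting in the former `ACL_LDAPDatabaseHandle` slot of `__nsacl_vector` keeps the following entries at their old positions, but anything that still dispatches through that slot will call a null function pointer instead of getting an error back. The consumers of the vector are not visible in this hunk, so whether any caller remains (for example a separately built module that uses the dispatch table) needs confirming. If one can remain, a small stub of the slot's type that returns `LAS_EVAL_FAIL` would make the access check fail closed rather than crash the process. Either way the entry deserves a comment such as `NULL, /* was ACL_LDAPDatabaseHandle; slot kept so later entries keep their index */`. The initializer starts before and continues past this hunk.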
diff --git a/lib/libaccess/register.cpp b/lib/libaccess/register.cpp
index beed23d9..af8a79a8 100644
--- a/lib/libaccess/register.cpp
+++ b/lib/libaccess/register.cpp
@@ -55,7 +55,6 @@
#include "aclpriv.h"
#include <libaccess/aclproto.h>
#include <libaccess/aclglobal.h>
-#include <libaccess/ldapacl.h>
#include "aclcache.h"
#include <libaccess/dbtlibaccess.h>
#include <libaccess/aclerror.h>
@@ -843,16 +842,3 @@ ACL_AttrGetterNext(ACLAttrGetterList_t *getters, ACLAttrGetter_t *last)
return next;
}
-
-int
-ACL_RegisterInit ()
-{
- NSErr_t *errp = 0;
- int rv;
-
- /* Register the ldap database */
- rv = ACL_DbTypeRegister(errp, ACL_DBTYPE_LDAP, parse_ldap_url, &ACL_DbTypeLdap);
-
- return rv;
-}
-
diff --git a/lib/libaccess/utest/Makefile b/lib/libaccess/utest/Makefile
index 81a0eb70..39096b1a 100644
--- a/lib/libaccess/utest/Makefile
+++ b/lib/libaccess/utest/Makefile
@@ -137,9 +137,6 @@ coverage: acltest.o ustubs.o $(XOBJ)
rm -f *.pcv
acltestcov
-lasemail: lasemail.o
- $(LD) -G -h lasemail.so -o lasemail.so lasemail.o
-
#$(XOBJ): $(XSRC)
# cd ..; gmake OBJDEST=$(UTESTDEST) CC=$(OCC) TESTFLAGS=$(TESTFLAGS)
diff --git a/lib/libaccess/utest/lasemail.cpp b/lib/libaccess/utest/lasemail.cpp
deleted file mode 100644
index eed8d337..00000000
--- a/lib/libaccess/utest/lasemail.cpp
+++ /dev/null
@@ -1,217 +0,0 @@
-/** BEGIN COPYRIGHT BLOCK
- * This Program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; version 2 of the License.
- *
- * This Program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place, Suite 330, Boston, MA 02111-1307 USA.
- *
- * In addition, as a special exception, Red Hat, Inc. gives You the additional
- * right to link the code of this Program with code not covered under the GNU
- * General Public License ("Non-GPL Code") and to distribute linked combinations
- * including the two, subject to the limitations in this paragraph. Non-GPL Code
- * permitted under this exception must only link to the code of this Program
- * through those well defined interfaces identified in the file named EXCEPTION
- * found in the source code files (the "Approved Interfaces"). The files of
- * Non-GPL Code may instantiate templates or use macros or inline functions from
- * the Approved Interfaces without causing the resulting work to be covered by
- * the GNU General Public License. Only Red Hat, Inc. may make changes or
- * additions to the list of Approved Interfaces. You must obey the GNU General
- * Public License in all respects for all of the Program code and other code used
- * in conjunction with the Program except the Non-GPL Code covered by this
- * exception. If you modify this file, you may extend this exception to your
- * version of the file, but you are not obligated to do so. If you do not wish to
- * provide this exception without modification, you must delete this exception
- * statement from your version and license this file solely under the GPL without
- * exception.
- *
- *
- * Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
- * Copyright (C) 2005 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK **/
-
-#ifdef HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-
-/* lasemail.cpp
- * This file contains the Email LAS code.
- */
-
-#include <ldap.h>
-#include <nsacl/aclapi.h>
-
-#define ACL_ATTR_EMAIL "email"
-
-extern "C" {
-extern int LASEmailEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator, char *attr_pattern, ACLCachable_t *cachable, void **LAS_cookie, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth);
-extern void LASEmailFlush(void **las_cookie);
-extern int LASEmailModuleInit();
-}
-
-
-/*
- * LASEmailEval
- * INPUT
- * attr_name The string "email" - in lower case.
- * comparator CMP_OP_EQ or CMP_OP_NE only
- * attr_pattern A comma-separated list of emails
- * (we currently support only one e-mail addr)
- * *cachable Always set to ACL_NOT_CACHABLE.
- * subject Subject property list
- * resource Resource property list
- * auth_info Authentication info, if any
- * RETURNS
- * retcode The usual LAS return codes.
- */
-int LASEmailEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
- char *attr_pattern, ACLCachable_t *cachable,
- void **LAS_cookie, PList_t subject, PList_t resource,
- PList_t auth_info, PList_t global_auth)
-{
- char *uid;
- char *email;
- int rv;
- LDAP *ld;
- char *basedn;
- LDAPMessage *res;
- int numEntries;
- char filter[1024];
- int matched;
-
- *cachable = ACL_NOT_CACHABLE;
- *LAS_cookie = (void *)0;
-
- if (strcmp(attr_name, ACL_ATTR_EMAIL) != 0) {
- fprintf(stderr, "LASEmailEval called for incorrect attr \"%s\"\n",
- attr_name);
- return LAS_EVAL_INVALID;
- }
-
- if ((comparator != CMP_OP_EQ) && (comparator != CMP_OP_NE)) {
- fprintf(stderr, "LASEmailEval called with incorrect comparator %d\n",
- comparator);
- return LAS_EVAL_INVALID;
- }
-
- if (!strcmp(attr_pattern, "anyone")) {
- *cachable = ACL_INDEF_CACHABLE;
- return comparator == CMP_OP_EQ ? LAS_EVAL_TRUE : LAS_EVAL_FALSE;
- }
-
- /* get the authenticated user name */
- rv = ACL_GetAttribute(errp, ACL_ATTR_USER, (void **)&uid,
- subject, resource, auth_info, global_auth);
-
- if (rv != LAS_EVAL_TRUE) {
- return rv;
- }
-
- /* We have an authenticated user */
- if (!strcmp(attr_pattern, "all")) {
- return comparator == CMP_OP_EQ ? LAS_EVAL_TRUE : LAS_EVAL_FALSE;
- }
-
- /* do an ldap lookup for: (& (uid=<user>) (mail=<email>)) */
- rv = ACL_LDAPDatabaseHandle(errp, NULL, &ld, &basedn);
-
- if (rv != LAS_EVAL_TRUE) {
- fprintf(stderr, "unable to get LDAP handle\n");
- return rv;
- }
-
- /* Formulate the filter -- assume single e-mail in attr_pattern */
- /* If we support multiple comma separated e-mail addresses in the
- * attr_pattern then the filter will look like:
- * (& (uid=<user>) (| (mail=<email1>) (mail=<email2>)))
- */
- sprintf(filter, "(& (uid=%s) (mail=%s))", uid, attr_pattern);
-
- rv = ldap_search_s(ld, basedn, LDAP_SCOPE_SUBTREE, filter,
- 0, 0, &res);
-
- if (rv != LDAP_SUCCESS)
- {
- fprintf(stderr, "ldap_search_s: %s\n", ldap_err2string(rv));
- return LAS_EVAL_FAIL;
- }
-
- numEntries = ldap_count_entries(ld, res);
-
- if (numEntries == 1) {
- /* success */
- LDAPMessage *entry = ldap_first_entry(ld, res);
- char *dn = ldap_get_dn(ld, entry);
-
- fprintf(stderr, "ldap_search_s: Entry found. DN: \"%s\"\n", dn);
- ldap_memfree(dn);
- matched = 1;
- }
- else if (numEntries == 0) {
- /* not found -- but not an error */
- fprintf(stderr, "ldap_search_s: Entry not found. Filter: \"%s\"\n",
- filter);
- matched = 0;
- }
- else if (numEntries > 0) {
- /* Found more than one entry! */
- fprintf(stderr, "ldap_search_s: Found more than one entry. Filter: \"%s\"\n",
- filter);
- return LAS_EVAL_FAIL;
- }
-
- if (comparator == CMP_OP_EQ) {
- rv = (matched ? LAS_EVAL_TRUE : LAS_EVAL_FALSE);
- }
- else {
- rv = (matched ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);
- }
-
- return rv;
-}
-
-
-/* LASEmailFlush
- * Deallocates any memory previously allocated by the LAS
- */
-void
-LASEmailFlush(void **las_cookie)
-{
- /* do nothing */
- return;
-}
-
-/* LASEmailModuleInit --
- * Register the e-mail LAS.
- *
- * To load this functions in the web server, compile the file in
- * "lasemail.so" and add the following lines to the
- * <ServerRoot>/https-<name>/config/obj.conf file. Be sure to change the
- * "lasemail.so" portion to the full pathname. E.g. /nshome/lib/lasemail.so.
- *
- * Init fn="load-modules" funcs="LASEmailModuleInit" shlib="lasemail.so"
- * Init fn="acl-register-module" module="lasemail" func="LASEmailModuleInit"
- */
-int LASEmailModuleInit ()
-{
- NSErr_t err = NSERRINIT;
- NSErr_t *errp = &err;
- int rv;
-
- rv = ACL_LasRegister(errp, ACL_ATTR_EMAIL, LASEmailEval, LASEmailFlush);
-
- if (rv < 0) {
- fprintf(stderr, "ACL_LasRegister failed. Error: %d\n", rv);
- return rv;
- }
-
- return rv;
-}
-
diff --git a/lib/libaccess/utest/ustubs.cpp b/lib/libaccess/utest/ustubs.cpp
index 425bf11e..61a0845e 100644
--- a/lib/libaccess/utest/ustubs.cpp
+++ b/lib/libaccess/utest/ustubs.cpp
@@ -86,11 +86,6 @@ ldapu_err2string(int err)
return errbuf;
}
-
-void init_ldb_rwlock ()
-{
-}
-
#ifdef notdef
char *system_errmsg()
{