Diffstat (limited to 'lib')
-rw-r--r-- | lib/ldaputil/cert.c | 10 | ||||
-rw-r--r-- | lib/ldaputil/init.c | 4 | ||||
-rw-r--r-- | lib/ldaputil/ldapauth.c | 895 | ||||
-rw-r--r-- | lib/ldaputil/ldapdb.c | 594 | ||||
-rw-r--r-- | lib/ldaputil/vtable.c | 223 | ||||
-rw-r--r-- | lib/libaccess/aclcache.cpp | 8 | ||||
-rw-r--r-- | lib/libaccess/aclcache.h | 1 | ||||
-rw-r--r-- | lib/libaccess/ldapacl.cpp | 857 | ||||
-rw-r--r-- | lib/libaccess/oneeval.cpp | 2 | ||||
-rw-r--r-- | lib/libaccess/register.cpp | 14 | ||||
-rw-r--r-- | lib/libaccess/utest/Makefile | 3 | ||||
-rw-r--r-- | lib/libaccess/utest/lasemail.cpp | 217 | ||||
-rw-r--r-- | lib/libaccess/utest/ustubs.cpp | 5 |
13 files changed, 13 insertions, 2820 deletions
diff --git a/lib/ldaputil/cert.c b/lib/ldaputil/cert.c
index ceb57118..30fd0f4b 100644
--- a/lib/ldaputil/cert.c
+++ b/lib/ldaputil/cert.c
@@ -55,6 +55,8 @@
 #include <ldaputil/cert.h>
 #include "ldaputili.h" +#include "slapi-plugin.h" + NSAPI_PUBLIC int ldapu_get_cert (void *SSLendpoint, void **cert)
 {
 /* TEMPORARY -- not implemented yet*/
@@ -209,7 +211,7 @@ _rdns_free (char*** rdns)
 {
 auto char*** rdn;
 for (rdn = rdns; *rdn; ++rdn) {
- ldap_value_free (*rdn);
+ slapi_ldap_value_free (*rdn);
 }
 free (rdns);
 }
@@ -230,12 +232,12 @@ _explode_dn (const char* dn)
 if (exp) {
 exp[expLen++] = avas;
 } else {
- ldap_value_free (avas);
+ slapi_ldap_value_free (avas);
 break;
 }
 } else { /* parse error */
 if (avas) {
- ldap_value_free (avas);
+ slapi_ldap_value_free (avas);
 }
 if (exp) {
 exp[expLen] = NULL;
@@ -248,7 +250,7 @@ _explode_dn (const char* dn)
 if (exp) {
 exp[expLen] = NULL;
 }
- ldap_value_free (rdns);
+ slapi_ldap_value_free (rdns);
 }
 }
 return exp;
diff --git a/lib/ldaputil/init.c b/lib/ldaputil/init.c
index 51a09600..ffbde7e1 100644
--- a/lib/ldaputil/init.c
+++ b/lib/ldaputil/init.c
@@ -54,6 +54,8 @@
 #include "ldaputil/errors.h"
 #include "ldaputil/init.h" +#include "slapi-plugin.h" + #ifdef XP_WIN32
 #define DLL_SUFFIX ".dll"
 #ifndef FILE_PATHSEP
@@ -200,7 +202,7 @@ NSAPI_PUBLIC int CertMapDLLInitFn(LDAPUDispatchVector_t **table)
 NSAPI_PUBLIC int CertMapDLLInitFn(LDAPUDispatchVector_t **table) {
- *table = (LDAPUDispatchVector_t *)malloc(sizeof(LDAPUDispatchVector_t));
+ *table = (LDAPUDispatchVector_t *)slapi_ch_malloc(sizeof(LDAPUDispatchVector_t));
 if (!*table) return LDAPU_ERR_OUT_OF_MEMORY;
diff --git a/lib/ldaputil/ldapauth.c b/lib/ldaputil/ldapauth.c
index b483e42f..f01e6417 100644
--- a/lib/ldaputil/ldapauth.c
+++ b/lib/ldaputil/ldapauth.c
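Review bot: In `_rdns_free` the per-RDN arrays are now released through `slapi_ldap_value_free`, but the outer array is still released with plain `free (rdns)` on the line below, so the two halves of the structure now go through different release paths. That is only correct if the container is still obtained from malloc by whoever builds it (presumably `_explode_dn`, whose allocation of `exp` is not in these hunks), so the pairing deserves a comment at the `free (rdns)` line, e.g. `/* rdns itself is malloc'ed locally; only the element arrays are LDAP-SDK owned */`. The same SDK/wrapper split applies to the `slapi_ldap_value_free (rdns)` call in the last `_explode_dn` hunk, whose body starts outside the hunk.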
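Review bot: The `if (!*table) return LDAPU_ERR_OUT_OF_MEMORY;` line that follows the new `slapi_ch_malloc` call in `CertMapDLLInitFn` is now dead: slapi_ch_malloc does not return NULL, it terminates the process when allocation fails, so this function can no longer report LDAPU_ERR_OUT_OF_MEMORY to its caller and callers that handle that code are relying on a path that cannot be taken. Either drop the check or keep it with a comment such as `/* slapi_ch_malloc aborts on OOM; check kept only for API symmetry */` so the next reader does not assume an error path exists. Since the table is now owned by the slapi allocator, the code that releases it (not in this hunk) should pair it with `slapi_ch_free` rather than `free()`. The rest of CertMapDLLInitFn lies outside the hunk.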
@@ -60,12 +60,7 @@
 #include <ldaputili.h> -/* If we are not interested in the returned attributes, just ask for one
- * attribute in the call to ldap_search. Also don't ask for the attribute
- * value -- just the attr.
- */
-static const char *default_search_attrs[] = { "c" , 0 };
-static int default_search_attrsonly = 1; +#include "slapi-plugin.h" /*
 * ldapu_find
@@ -188,7 +183,7 @@ int ldapu_find_entire_tree (LDAP *ld, int scope,
 result_entry = ldapu_first_entry(ld, result);
 suffix = ldapu_get_values(ld, result_entry, suffix_attr[0]);
 suffix_list = suffix;
- num_namingcontexts = ldap_count_values(suffix);
+ num_namingcontexts = slapi_ldap_count_values(suffix);
 /* add private suffixes to our list of suffixes to search */
 if (num_private_suffix) {
 suffix_list = ldapu_realloc(suffix_list,
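Review bot: `suffix` is handed straight to `slapi_ldap_count_values` two lines after `ldapu_get_values` returns it, with no check for the attribute being absent from the entry, in which case the value array is presumably NULL. The previous `ldap_count_values` call had the same exposure, so whether this is safe depends entirely on the slapi wrapper tolerating a NULL argument; that is worth confirming, or making explicit with `num_namingcontexts = suffix ? slapi_ldap_count_values(suffix) : 0;` so the later private-suffix merge starts from a known count. The body of ldapu_find_entire_tree starts and ends outside the hunk.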
@@ -249,889 +244,3 @@ int ldapu_find_entire_tree (LDAP *ld, int scope, return retval; } - - -/* - * ldapu_find_uid_attrs - * Description: - * Maps the given uid to a user dn. Caller should free res if it is not - * NULL. Accepts the attrs & attrsonly args. - * Arguments: - * ld Pointer to LDAP (assumes connection has been - * established and the client has called the - * appropriate bind routine) - * uid User's name - * base basedn (where to start the search) - * attrs list of attributes to retrieve - * attrsonly flag indicating if attr values are to be retrieved - * res A result parameter which will contain the results of - * the search upon completion of the call. - * Return Values: - * LDAPU_SUCCESS if entry is found - * LDAPU_FAILED if entry is not found - * <rv> if error, where <rv> can be passed to - * ldap_err2string to get an error string. - */ -int ldapu_find_uid_attrs (LDAP *ld, const char *uid, const char *base, - const char **attrs, int attrsonly, - LDAPMessage **res) -{ - int scope = LDAP_SCOPE_SUBTREE; - char filter[ BUFSIZ ]; - int retval; - - /* setup filter as (uid=<uid>) */ - PR_snprintf(filter, sizeof(filter), ldapu_strings[LDAPU_STR_FILTER_USER], uid); - - retval = ldapu_find(ld, base, scope, filter, attrs, attrsonly, res); - - return retval; -} - -/* - * ldapu_find_uid - * Description: - * Maps the given uid to a user dn. Caller should free res if it is not - * NULL. - * Arguments: - * ld Pointer to LDAP (assumes connection has been - * established and the client has called the - * appropriate bind routine) - * uid User's name - * base basedn (where to start the search) - * res A result parameter which will contain the results of - * the search upon completion of the call. - * Return Values: - * LDAPU_SUCCESS if entry is found - * LDAPU_FAILED if entry is not found - * <rv> if error, where <rv> can be passed to - * ldap_err2string to get an error string. 
- */ -int ldapu_find_uid (LDAP *ld, const char *uid, const char *base, - LDAPMessage **res) -{ - const char **attrs = 0; /* get all attributes ... */ - int attrsonly = 0; /* ... and their values */ - int retval; - - retval = ldapu_find_uid_attrs(ld, uid, base, attrs, attrsonly, res); - - return retval; -} - -/* - * ldapu_find_userdn - * Description: - * Maps the given uid to a user dn. Caller should free dn if it is not - * NULL. - * Arguments: - * ld Pointer to LDAP (assumes connection has been - * established and the client has called the - * appropriate bind routine) - * uid User's name - * base basedn (where to start the search) - * dn user dn - * Return Values: - * LDAPU_SUCCESS if entry is found - * LDAPU_FAILED if entry is not found - * <rv> if error, where <rv> can be passed to - * ldap_err2string to get an error string. - */ -int ldapu_find_userdn (LDAP *ld, const char *uid, const char *base, - char **dn) -{ - LDAPMessage *res = 0; - int retval; - - retval = ldapu_find_uid_attrs(ld, uid, base, default_search_attrs, - default_search_attrsonly, &res); - - if (retval == LDAPU_SUCCESS) { - LDAPMessage *entry; - - entry = ldapu_first_entry(ld, res); - *dn = ldapu_get_dn(ld, entry); - } - else { - *dn = 0; - } - - if (res) ldapu_msgfree(ld, res); - - return retval; -} - -/* - * ldapu_find_group_attrs - * Description: - * Maps the given groupid to a group dn. Caller should free res if it is - * not NULL. Accepts the attrs & attrsonly args. - * Arguments: - * ld Pointer to LDAP (assumes connection has been - * established and the client has called the - * appropriate bind routine) - * groupid Groups's name - * base basedn (where to start the search) - * attrs list of attributes to retrieve - * attrsonly flag indicating if attr values are to be retrieved - * res A result parameter which will contain the results of - * the search upon completion of the call. 
- * Return Values: - * LDAPU_SUCCESS if entry is found - * LDAPU_FAILED if entry is not found - * <rv> if error, where <rv> can be passed to - * ldap_err2string to get an error string. - */ -int ldapu_find_group_attrs (LDAP *ld, const char *groupid, - const char *base, const char **attrs, - int attrsonly, LDAPMessage **res) -{ - int scope = LDAP_SCOPE_SUBTREE; - char filter[ BUFSIZ ]; - int retval; - - /* setup the filter */ - PR_snprintf(filter, sizeof(filter), - ldapu_strings[LDAPU_STR_FILTER_GROUP], - groupid); - - retval = ldapu_find(ld, base, scope, filter, attrs, attrsonly, res); - - return retval; -} - -/* - * ldapu_find_group - * Description: - * Maps the given groupid to a group dn. Caller should free res if it is - * not NULL. - * Arguments: - * ld Pointer to LDAP (assumes connection has been - * established and the client has called the - * appropriate bind routine) - * groupid Groups's name - * base basedn (where to start the search) - * res A result parameter which will contain the results of - * the search upon completion of the call. - * Return Values: - * LDAPU_SUCCESS if entry is found - * LDAPU_FAILED if entry is not found - * <rv> if error, where <rv> can be passed to - * ldap_err2string to get an error string. - */ -int ldapu_find_group (LDAP *ld, const char *groupid, const char *base, - LDAPMessage **res) -{ - const char **attrs = 0; /* get all attributes ... */ - int attrsonly = 0; /* ... and their values */ - int retval; - - retval = ldapu_find_group_attrs (ld, groupid, base, attrs, attrsonly, res); - - return retval; -} - -/* - * ldapu_find_groupdn - * Description: - * Maps the given groupid to a group dn. Caller should free dn if it is - * not NULL. 
- * Arguments: - * ld Pointer to LDAP (assumes connection has been - * established and the client has called the - * appropriate bind routine) - * groupid Groups's name - * base basedn (where to start the search) - * dn group dn - * Return Values: - * LDAPU_SUCCESS if entry is found - * LDAPU_FAILED if entry is not found - * <rv> if error, where <rv> can be passed to - * ldap_err2string to get an error string. - */ -int ldapu_find_groupdn (LDAP *ld, const char *groupid, const char *base, - char **dn) -{ - LDAPMessage *res = 0; - int retval; - - retval = ldapu_find_group_attrs(ld, groupid, base, default_search_attrs, - default_search_attrsonly, &res); - - if (retval == LDAPU_SUCCESS) { - LDAPMessage *entry; - - /* get ldap entry */ - entry = ldapu_first_entry(ld, res); - *dn = ldapu_get_dn(ld, entry); - } - else { - *dn = 0; - } - - if (res) ldapu_msgfree(ld, res); - - return retval; -} - - -/* - * continuable_err - * Description: - * Returns true for benign errors (i.e. errors for which recursive - * search can continue. - * Return Values: - * 0 (zero) - if not a benign error - * 1 - if a benign error -- search can continue. 
- */ -static int continuable_err (int err) -{ - return (err == LDAPU_FAILED); -} - -int ldapu_auth_udn_gdn_recurse (LDAP *ld, const char *userdn, - const char *groupdn, const char *base, - int recurse_cnt) -{ - char filter[ BUFSIZ ]; - const char **attrs = default_search_attrs; - int attrsonly = default_search_attrsonly; - LDAPMessage *res = 0; - int retval; - char member_filter[ BUFSIZ ]; - - if (recurse_cnt >= 30) - return LDAPU_ERR_CIRCULAR_GROUPS; - - /* setup the filter */ - PR_snprintf(member_filter, sizeof(member_filter), ldapu_strings[LDAPU_STR_FILTER_MEMBER], userdn, userdn); - - retval = ldapu_find(ld, groupdn, LDAP_SCOPE_BASE, member_filter, attrs, - attrsonly, &res); - - if (res) ldap_msgfree(res); - - if (retval != LDAPU_SUCCESS && continuable_err(retval)) { - LDAPMessage *entry; - - DBG_PRINT2("Find parent groups of \"%s\"\n", userdn); - - /* Modify the filter to include the objectclass check */ - PR_snprintf(filter, sizeof(filter), ldapu_strings[LDAPU_STR_FILTER_MEMBER_RECURSE], - member_filter); - retval = ldapu_find(ld, base, LDAP_SCOPE_SUBTREE, filter, - attrs, attrsonly, &res); - - if (retval == LDAPU_SUCCESS || retval == LDAPU_ERR_MULTIPLE_MATCHES) { - /* Found at least one group the userdn is member of */ - - if (!res) { - /* this should never happen */ - retval = LDAPU_ERR_EMPTY_LDAP_RESULT; - } - else { - retval = LDAPU_ERR_MISSING_RES_ENTRY; - - for (entry = ldap_first_entry(ld, res); entry != NULL; - entry = ldap_next_entry(ld, entry)) - { - char *dn = ldap_get_dn(ld, entry); - - retval = ldapu_auth_udn_gdn_recurse(ld, dn, groupdn, - base, recurse_cnt+1); - ldap_memfree(dn); - - if (retval == LDAPU_SUCCESS || !continuable_err(retval)) { - break; - } - } - } - } - - if (res) ldap_msgfree(res); - } - - return retval; -} - -/* - * ldapu_auth_userdn_groupdn: - * Description: - * Checks if the user (userdn) belongs to the given group (groupdn). 
- * Arguments: - * ld Pointer to LDAP (assumes connection has been - * established and the client has called the - * appropriate bind routine) - * userdn User's full DN -- actually it could be a group - * dn to check subgroup membership. - * groupdn Group's full DN - * Return Values: (same as ldapu_find) - * LDAPU_SUCCESS if user is member of the group - * LDAPU_FAILED if user is not a member of the group - * <rv> if error, where <rv> can be passed to - * ldap_err2string to get an error string. - */ -int ldapu_auth_userdn_groupdn (LDAP *ld, const char *userdn, - const char *groupdn, const char *base) -{ - return ldapu_auth_udn_gdn_recurse(ld, userdn, groupdn, base, 0); -} - - -/* - * ldapu_auth_uid_groupdn: - * Description: - * Similar to ldapu_auth_userdn_groupdn but first maps the uid to a - * full user DN before calling ldapu_auth_userdn_groupdn. - * Arguments: - * ld Pointer to LDAP (assumes connection has been - * established and the client has called the - * appropriate bind routine) - * uid User's login name - * groupdn Group's full DN - * base basedn (where to start the search) - * Return Values: (same as ldapu_find) - * LDAPU_SUCCESS if user is member of the group - * LDAPU_FAILED if user is not a member of the group - * <rv> if error, where <rv> can be passed to - * ldap_err2string to get an error string. - */ -int ldapu_auth_uid_groupdn (LDAP *ld, const char *uid, const char *groupdn, - const char *base) -{ - int retval; - char *dn; - - /* First find userdn for the given uid and - then call ldapu_auth_userdn_groupdn */ - retval = ldapu_find_userdn(ld, uid, base, &dn); - - if (retval == LDAPU_SUCCESS) { - - retval = ldapu_auth_userdn_groupdn(ld, dn, groupdn, base); - ldap_memfree(dn); - } - - return retval; -} - -/* - * ldapu_auth_uid_groupid: - * Description: - * Similar to ldapu_auth_uid_groupdn but first maps the groupid to a - * full group DN before calling ldapu_auth_uid_groupdn. 
- * Arguments: - * ld Pointer to LDAP (assumes connection has been - * established and the client has called the - * appropriate bind routine) - * uid User's login name - * groupid Group's name - * base basedn (where to start the search) - * Return Values: (same as ldapu_find) - * LDAPU_SUCCESS if user is member of the group - * LDAPU_FAILED if user is not a member of the group - * <rv> if error, where <rv> can be passed to - * ldap_err2string to get an error string. - */ -int ldapu_auth_uid_groupid (LDAP *ld, const char *uid, - const char *groupid, const char *base) -{ - int retval; - char *dn; - - /* First find groupdn for the given groupid and - then call ldapu_auth_uid_groupdn */ - retval = ldapu_find_groupdn(ld, groupid, base, &dn); - - if (retval == LDAPU_SUCCESS) { - retval = ldapu_auth_uid_groupdn(ld, uid, dn, base); - ldapu_memfree(ld, dn); - } - - return retval; -} - -/* - * ldapu_auth_userdn_groupid: - * Description: - * Similar to ldapu_auth_userdn_groupdn but first maps the groupid to a - * full group DN before calling ldapu_auth_userdn_groupdn. - * Arguments: - * ld Pointer to LDAP (assumes connection has been - * established and the client has called the - * appropriate bind routine) - * userdn User's full DN - * groupid Group's name - * base basedn (where to start the search) - * Return Values: (same as ldapu_find) - * LDAPU_SUCCESS if user is member of the group - * LDAPU_FAILED if user is not a member of the group - * <rv> if error, where <rv> can be passed to - * ldap_err2string to get an error string. 
- */ -int ldapu_auth_userdn_groupid (LDAP *ld, const char *userdn, - const char *groupid, const char *base) -{ - int retval; - char *groupdn; - - /* First find groupdn for the given groupid and - then call ldapu_auth_userdn_groupdn */ - retval = ldapu_find_groupdn(ld, groupid, base, &groupdn); - - if (retval == LDAPU_SUCCESS) { - retval = ldapu_auth_userdn_groupdn(ld, userdn, groupdn, base); - ldap_memfree(groupdn); - } - - return retval; -} - - -LDAPUStr_t *ldapu_str_alloc (const int size) -{ - LDAPUStr_t *lstr = (LDAPUStr_t *)ldapu_malloc(sizeof(LDAPUStr_t)); - - if (!lstr) return 0; - lstr->size = size < 0 ? 1024 : size; - lstr->str = (char *)ldapu_malloc(lstr->size*sizeof(char)); - lstr->len = 0; - lstr->str[lstr->len] = 0; - - return lstr; -} - - -void ldapu_str_free (LDAPUStr_t *lstr) -{ - if (lstr) { - if (lstr->str) ldapu_free(lstr->str); - ldapu_free((void *)lstr); - } -} - - -int ldapu_str_append(LDAPUStr_t *lstr, const char *arg) -{ - int arglen = strlen(arg); - int len = lstr->len + arglen; - - if (len >= lstr->size) { - /* realloc some more */ - lstr->size += arglen > 4095 ? arglen+1 : 4096; - lstr->str = (char *)ldapu_realloc(lstr->str, lstr->size); - if (!lstr->str) return LDAPU_ERR_OUT_OF_MEMORY; - } - - memcpy((void *)&(lstr->str[lstr->len]), (void *)arg, arglen); - lstr->len += arglen; - lstr->str[lstr->len] = 0; - return LDAPU_SUCCESS; -} - - -/* - * ldapu_auth_userdn_groupids_recurse: - * Description: - * Checks if the user is member of the given comma separated list of - * group names. - * Arguments: - * ld Pointer to LDAP (assumes connection has been - * established and the client has called the - * appropriate bind routine) - * filter filter to use in the search - * groupids some representation of group names. Example, - * a comma separated names in a string, hash - * table, etc. This function doesn't need to - * know the name of the groups. 
It calls the - * following function to check if one of the - * groups returned by the search is in the list. - * grpcmpfn group name comparison function. - * base basedn (where to start the search) - * recurse_cnt recursion count to detect circular groups - * group_out if successful, pointer to the user's group - * Return Values: (same as ldapu_find) - * LDAPU_SUCCESS if user is member of one of the groups - * LDAPU_FAILED if user is not a member of the group - * <rv> if error, where <rv> can be passed to - * ldap_err2string to get an error string. - */ -static int ldapu_auth_userdn_groupids_recurse (LDAP *ld, const char *filter, - void *groupids, - LDAPU_GroupCmpFn_t grpcmpfn, - const char *base, - int recurse_cnt, - char **group_out) -{ - LDAPMessage *res = 0; - const char *attrs[] = { "CN", 0 }; - int attrsonly = 0; - LDAPMessage *entry; - int rv; - int retval; - int i; - int done; - - if (recurse_cnt >= 30) - return LDAPU_ERR_CIRCULAR_GROUPS; - - /* Perform the ldap lookup */ - retval = ldapu_find(ld, base, LDAP_SCOPE_SUBTREE, filter, attrs, - attrsonly, &res); - - if (retval != LDAPU_SUCCESS && retval != LDAPU_ERR_MULTIPLE_MATCHES ) { - /* user is not a member of any group */ - if (res) ldap_msgfree(res); - return retval; - } - - retval = LDAPU_FAILED; - done = 0; - - /* check if one of the matched groups is one of the given groups */ - for (entry = ldap_first_entry(ld, res); entry != NULL && !done; - entry = ldap_next_entry(ld, entry)) - { - struct berval **bvals; - - if ((bvals = ldap_get_values_len(ld, entry, "CN")) == NULL) { - /* This shouldn't happen */ - retval = LDAPU_ERR_MISSING_ATTR_VAL; - continue; - } - - /* "CN" may have multiple values */ - /* Check each value of "CN" against the 'groupids' */ - for ( i = 0; bvals[i] != NULL; i++ ) { - rv = (*grpcmpfn)(groupids, bvals[i]->bv_val, bvals[i]->bv_len); - if (rv == LDAPU_SUCCESS) { - char *group = (char *)ldapu_malloc(bvals[i]->bv_len+1); - - if (!group) { - retval = LDAPU_ERR_OUT_OF_MEMORY; - } - 
else { - strncpy(group, bvals[i]->bv_val, bvals[i]->bv_len); - group[bvals[i]->bv_len] = 0; - *group_out = group; - retval = LDAPU_SUCCESS; - } - done = 1; /* exit from the outer loop too */ - break; - } - } - - ldap_value_free_len(bvals); - } - - if (retval == LDAPU_FAILED) { - /* None of the matched groups is in 'groupids' */ - /* Perform the nested group membership check */ - LDAPUStr_t *filter1; - LDAPUStr_t *filter2; - char *rfilter = 0; - int rlen; - /* Finally we need a filter which looks like: - (| (& (objectclass=groupofuniquenames) - (| (uniquemember=<grp1dn>)(uniquemember=<grp2dn>) ...)) - (& (objectclass=groupofnames) - (| (member=<grp1dn>)(member=<grp2dn>) ...))) - Construct 2 sub-filters first as follows: - (uniquemember=<grp1dn>)(uniquemember=<grp2dn>)... AND - (member=<grp1dn>)(member=<grp2dn>)... - Then insert them in the main filter. - */ - filter1 = ldapu_str_alloc(1024); - filter2 = ldapu_str_alloc(1024); - if (!filter1 || !filter2) return LDAPU_ERR_OUT_OF_MEMORY; - rv = LDAPU_SUCCESS; - - for (entry = ldap_first_entry(ld, res); entry != NULL; - entry = ldap_next_entry(ld, entry)) - { - char *dn = ldap_get_dn(ld, entry); - if (((rv = ldapu_str_append(filter1, "(uniquemember=")) - != LDAPU_SUCCESS) || - ((rv = ldapu_str_append(filter1, dn)) != LDAPU_SUCCESS) || - ((rv = ldapu_str_append(filter1, ")")) != LDAPU_SUCCESS) || - ((rv = ldapu_str_append(filter2, "(member=")) - != LDAPU_SUCCESS) || - ((rv = ldapu_str_append(filter2, dn)) != LDAPU_SUCCESS) || - ((rv = ldapu_str_append(filter2, ")")) != LDAPU_SUCCESS)) - { - ldap_memfree(dn); - break; - } - ldap_memfree(dn); - } - - if (rv != LDAPU_SUCCESS) { - /* something went wrong in appending to filter1 or filter2 */ - ldapu_str_free(filter1); - ldapu_str_free(filter2); - retval = rv; - } - else { - /* Insert the 2 filters in the main filter */ - rlen = filter1->len + filter2->len + - strlen("(| (& (objectclass=groupofuniquenames)" - "(| ))" - "(& (objectclass=groupofnames)" - "(| )))") + 1; - 
rfilter = (char *)ldapu_malloc(rlen); - if (!rfilter) return LDAPU_ERR_OUT_OF_MEMORY; - sprintf(rfilter, - "(| (& (objectclass=groupofuniquenames)" - "(| %s))" - "(& (objectclass=groupofnames)" - "(| %s)))", - filter1->str, filter2->str); - ldapu_str_free(filter1); - ldapu_str_free(filter2); - retval = ldapu_auth_userdn_groupids_recurse(ld, rfilter, groupids, - grpcmpfn, base, - ++recurse_cnt, - group_out); - ldapu_free(rfilter); - } - - } - - if (res) ldap_msgfree(res); - return retval; -} - -/* - * ldapu_auth_userdn_groupids: - * Description: - * Checks if the user is member of the given comma separated list of - * group names. - * Arguments: - * ld Pointer to LDAP (assumes connection has been - * established and the client has called the - * appropriate bind routine) - * userdn User's full DN - * groupids some representation of group names. Example, - * a comma separated names in a string, hash - * table, etc. This function doesn't need to - * know the name of the groups. It calls the - * following function to check if one of the - * groups returned by the search is in the list. - * grpcmpfn group name comparison function. - * base basedn (where to start the search) - * group_out if successful, pointer to the user's group - * Return Values: (same as ldapu_find) - * LDAPU_SUCCESS if user is member of one of the groups - * LDAPU_FAILED if user is not a member of the group - * <rv> if error, where <rv> can be passed to - * ldap_err2string to get an error string. 
- */ -int ldapu_auth_userdn_groupids (LDAP *ld, const char *userdn, - void *groupids, - LDAPU_GroupCmpFn_t grpcmpfn, - const char *base, - char **group_out) -{ - char *filter; - int len; - int rv; - - *group_out = 0; - /* allocate a big enough filter */ - /* The filter looks like: - (| (& (objectclass=groupofuniquenames)(uniquemember=<userdn>)) - (& (objectclass=groupofnames)(member=<userdn>))) - */ - - len = 2 * strlen(userdn) + 1 + - strlen("(| (& (objectclass=groupofuniquenames)(uniquemember=))" - "(& (objectclass=groupofnames)(member=)))"); - filter = (char *)ldapu_malloc(len); - - if (!filter) return LDAPU_ERR_OUT_OF_MEMORY; - - sprintf(filter, "(| (& (objectclass=groupofuniquenames)(uniquemember=%s))" - "(& (objectclass=groupofnames)(member=%s)))", - userdn, userdn); - - rv = ldapu_auth_userdn_groupids_recurse(ld, filter, groupids, - grpcmpfn, base, - 0, group_out); - - ldapu_free(filter); - return rv; -} - - -/* - * ldapu_auth_userdn_attrfilter: - * Description: - * Checks if the user's entry has the given attributes - * Arguments: - * ld Pointer to LDAP (assumes connection has been - * established and the client has called the - * appropriate bind routine) - * userdn User's full DN - * attrfilter attribute filter - * Return Values: (same as ldapu_find) - * LDAPU_SUCCESS if user is member of the group - * LDAPU_FAILED if user is not a member of the group - * <rv> if error, where <rv> can be passed to - * ldap_err2string to get an error string. 
- */ -int ldapu_auth_userdn_attrfilter (LDAP *ld, const char *userdn, - const char *attrfilter) -{ - const char *base = userdn; - int scope = LDAP_SCOPE_BASE; - const char *filter = attrfilter; - const char **attrs = default_search_attrs; - int attrsonly = default_search_attrsonly; - LDAPMessage *res = 0; - int retval; - - retval = ldapu_find(ld, base, scope, filter, attrs, attrsonly, &res); - - if (res) ldapu_msgfree(ld, res); - - return retval; -} - -/* - * ldapu_auth_uid_attrfilter: - * Description: - * Checks if the user's entry has the given attributes. First maps - the uid to userdn. - * Arguments: - * ld Pointer to LDAP (assumes connection has been - * established and the client has called the - * appropriate bind routine) - * uid User's name - * attrfilter attribute filter - * base basedn (where to start the search) - * Return Values: (same as ldapu_find) - * LDAPU_SUCCESS if user is member of the group - * LDAPU_FAILED if user is not a member of the group - * <rv> if error, where <rv> can be passed to - * ldap_err2string to get an error string. - */ -int ldapu_auth_uid_attrfilter (LDAP *ld, const char *uid, const char *attrfilter, - const char *base) -{ - int scope = LDAP_SCOPE_SUBTREE; - char filter[ BUFSIZ ]; - const char **attrs = default_search_attrs; - int attrsonly = default_search_attrsonly; - LDAPMessage *res = 0; - int retval; - - /* setup filter as (& (uid=<uid>) (attrfilter)) */ - if (*attrfilter == '(') - PR_snprintf(filter, sizeof(filter), "(& (uid=%s) %s)", uid, attrfilter); - else - PR_snprintf(filter, sizeof(filter), "(& (uid=%s) (%s))", uid, attrfilter); - - retval = ldapu_find(ld, base, scope, filter, attrs, attrsonly, &res); - - if (res) ldapu_msgfree(ld, res); - - return retval; -} - -/* - * ldapu_auth_userdn_password: - * Description: - * Checks the user's password against LDAP by binding using the - * userdn and the password. 
- * Arguments: - * ld Pointer to LDAP (assumes connection has been - * established and the client has called the - * appropriate bind routine) - * userdn User's full DN - * password User's password (clear text) - * Return Values: (same as ldapu_find) - * LDAPU_SUCCESS if user credentials are valid - * <rv> if error, where <rv> can be passed to - * ldap_err2string to get an error string. - */ -int ldapu_auth_userdn_password (LDAP *ld, const char *userdn, const char *password) -{ - int retval; - - DBG_PRINT2("\tuserdn:\t\"%s\"\n", userdn); - DBG_PRINT2("\tpassword:\t\"%s\"\n", password); - - retval = ldap_simple_bind_s(ld, userdn, password); - - if (retval != LDAP_SUCCESS) - { - DBG_PRINT2("ldap_simple_bind_s: %s\n", ldap_err2string(retval)); - return(retval); - } - - return LDAPU_SUCCESS; -} - -/* - * ldapu_auth_uid_password: - * Description: - * First converts the uid to userdn and calls - * ldapu_auth_userdn_password. - * Arguments: - * ld Pointer to LDAP (assumes connection has been - * established and the client has called the - * appropriate bind routine) - * uid User's name - * password User's password (clear text) - * Return Values: (same as ldapu_find) - * LDAPU_SUCCESS if user credentials are valid - * <rv> if error, where <rv> can be passed to - * ldap_err2string to get an error string. - */ -int ldapu_auth_uid_password (LDAP *ld, const char *uid, - const char *password, const char *base) -{ - int retval; - char *dn; - - /* First find userdn for the given uid and - then call ldapu_auth_userdn_password */ - retval = ldapu_find_userdn(ld, uid, base, &dn); - - if (retval == LDAPU_SUCCESS) { - retval = ldapu_auth_userdn_password(ld, dn, password); - ldapu_memfree(ld, dn); - } - - return retval; -} - - -/* ldapu_string_set -- - * This function is not tested yet for its usefulness. This is to be used to - * customize the strings used in the LDAP searches performed through - * 'ldaputil'. 
This could also be extended to setting customized error - * messages (and even i18n equivalent of error messages). - */ -NSAPI_PUBLIC int ldapu_string_set (const int type, const char *filter) -{ - if (!filter || !*filter) return LDAPU_ERR_INVALID_STRING; - - if (type < 0 || type >= LDAPU_STR_MAX_INDEX) - return LDAPU_ERR_INVALID_STRING_INDEX; - - ldapu_strings[type] = strdup(filter); - - if (!ldapu_strings[type]) return LDAPU_ERR_OUT_OF_MEMORY; - - return LDAPU_SUCCESS; -} - - -NSAPI_PUBLIC const char *ldapu_string_get (const int type) -{ - if (type < 0 || type >= LDAPU_STR_MAX_INDEX) - return 0; - - return ldapu_strings[type]; -} diff --git a/lib/ldaputil/ldapdb.c b/lib/ldaputil/ldapdb.c deleted file mode 100644 index 478b4f8c..00000000 --- a/lib/ldaputil/ldapdb.c +++ /dev/null 
@@ -1,594 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * This Program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; version 2 of the License. - * - * This Program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with - * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place, Suite 330, Boston, MA 02111-1307 USA. - * - * In addition, as a special exception, Red Hat, Inc. gives You the additional - * right to link the code of this Program with code not covered under the GNU - * General Public License ("Non-GPL Code") and to distribute linked combinations - * including the two, subject to the limitations in this paragraph. Non-GPL Code - * permitted under this exception must only link to the code of this Program - * through those well defined interfaces identified in the file named EXCEPTION - * found in the source code files (the "Approved Interfaces"). The files of - * Non-GPL Code may instantiate templates or use macros or inline functions from - * the Approved Interfaces without causing the resulting work to be covered by - * the GNU General Public License. Only Red Hat, Inc. may make changes or - * additions to the list of Approved Interfaces. You must obey the GNU General - * Public License in all respects for all of the Program code and other code used - * in conjunction with the Program except the Non-GPL Code covered by this - * exception. If you modify this file, you may extend this exception to your - * version of the file, but you are not obligated to do so. 
If you do not wish to - * provide this exception without modification, you must delete this exception - * statement from your version and license this file solely under the GPL without - * exception. - * - * - * Copyright (C) 2001 Sun Microsystems, Inc. Used by permission. - * Copyright (C) 2005 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - -#ifdef HAVE_CONFIG_H -# include <config.h> -#endif - - -#ifndef DONT_USE_LDAP_SSL -#define USE_LDAP_SSL -#endif - - -#include <string.h> -#include <malloc.h> - -#include <nspr.h> -#include <prthread.h> -#include <prmon.h> - -#include "ldaputil/errors.h" -#include "ldaputil/certmap.h" -#include "ldaputil/ldapdb.h" - -#ifdef USE_LDAP_SSL -/* removed for new ns security integration -#include <sec.h> -#include <key.h> -#include "cert.h" -*/ -#include <ssl.h> -#include "ldap_ssl.h" -#endif - -#include "ldaputili.h" - -#define LDAPDB_PREFIX_WITH_SLASHES "ldapdb://" -#define LDAPDB_PREFIX_WITH_SLASHES_LEN 9 - -uintn tsdindex; - -static void ldb_crit_init (LDAPDatabase_t *ldb) -{ - ldb->crit = PR_NewMonitor(); -} - -static void ldb_crit_enter (LDAPDatabase_t *ldb) -{ - PR_EnterMonitor(ldb->crit); -} - -static void ldb_crit_exit (LDAPDatabase_t *ldb) -{ - PR_ExitMonitor(ldb->crit); -} - -struct ldap_error { - int le_errno; - char *le_matched; - char *le_errmsg; -}; - - -static void set_ld_error( int err, char *matched, char *errmsg, void *dummy ) -{ - struct ldap_error *le; - - if (!(le = (struct ldap_error *) PR_GetThreadPrivate(tsdindex))) { - le = (struct ldap_error *) malloc(sizeof(struct ldap_error)); - memset((void *)le, 0, sizeof(struct ldap_error)); - PR_SetThreadPrivate(tsdindex, (void *)le); - } - le->le_errno = err; - if ( le->le_matched != NULL ) { - ldap_memfree( le->le_matched ); - } - le->le_matched = matched; - if ( le->le_errmsg != NULL ) { - ldap_memfree( le->le_errmsg ); - } - le->le_errmsg = errmsg; -} - -static int get_ld_error( char **matched, char **errmsg, void *dummy ) -{ - struct 
ldap_error *le; - - le = (struct ldap_error *) PR_GetThreadPrivate( tsdindex); - if ( matched != NULL ) { - *matched = le->le_matched; - } - if ( errmsg != NULL ) { - *errmsg = le->le_errmsg; - } - return( le->le_errno ); -} - -static void set_errno( int err ) -{ - PR_SetError( err, 0); -} - -static int get_errno( void ) -{ - return( PR_GetError() ); -} - -#ifdef LDAP_OPT_DNS_FN_PTRS /* not supported in older LDAP SDKs */ -static LDAPHostEnt * -ldapu_copyPRHostEnt2LDAPHostEnt( LDAPHostEnt *ldhp, PRHostEnt *prhp ) -{ - ldhp->ldaphe_name = prhp->h_name; - ldhp->ldaphe_aliases = prhp->h_aliases; - ldhp->ldaphe_addrtype = prhp->h_addrtype; - ldhp->ldaphe_length = prhp->h_length; - ldhp->ldaphe_addr_list = prhp->h_addr_list; - return( ldhp ); -} - -static LDAPHostEnt * -ldapu_gethostbyname( const char *name, LDAPHostEnt *result, - char *buffer, int buflen, int *statusp, void *extradata ) -{ - PRHostEnt prhent; - - if( !statusp || ( *statusp = (int)PR_GetHostByName( name, buffer, - buflen, &prhent )) == PR_FAILURE ) { - return( NULL ); - } - - return( ldapu_copyPRHostEnt2LDAPHostEnt( result, &prhent )); -} - -static LDAPHostEnt * -ldapu_gethostbyaddr( const char *addr, int length, int type, - LDAPHostEnt *result, char *buffer, int buflen, int *statusp, - void *extradata ) -{ - /* old code did this which was clearly wrong: - return( (LDAPHostEnt *)PR_GetError() ); - which leads me to believe this is not used */ - return( NULL ); -} -#endif /* LDAP_OPT_DNS_FN_PTRS */ - - -static void unescape_ldap_basedn (char *str) -{ - if (strchr(str, '%')) { - register int x = 0, y = 0; - int l = strlen(str); - char digit; - - while(x < l) { - if((str[x] == '%') && (x < (l - 2))) { - ++x; - digit = (str[x] >= 'A' ? - ((str[x] & 0xdf) - 'A')+10 : (str[x] - '0')); - digit *= 16; - - ++x; - digit += (str[x] >= 'A' ? 
- ((str[x] & 0xdf) - 'A')+10 : (str[x] - '0')); - - str[y] = digit; - } - else { - str[y] = str[x]; - } - x++; - y++; - } - str[y] = '\0'; - } -} - -/* - * extract_path_and_basedn: - * Description: - * Parses the ldapdb url and returns pathname to the lcache.conf file - * and basedn. The caller must free the memory allocated for the - * returned path and the basedn. - * Arguments: - * url URL (must begin with ldapdb://) - * path Pathname to the lcache.conf file - * basedn basedn for the ldapdb. - * Return Values: (same as ldap_find) - * LDAPU_SUCCESS if the URL is parsed successfully - * <rv> if error, one of the LDAPU_ errors. - */ -static int extract_path_and_basedn(const char *url_in, char **path_out, - char **basedn_out) -{ - char *url = strdup(url_in); - char *basedn; - char *path; - - *path_out = 0; - *basedn_out = 0; - - if (!url) return LDAPU_ERR_OUT_OF_MEMORY; - - if (strncmp(url, LDAPDB_URL_PREFIX, LDAPDB_URL_PREFIX_LEN)) { - free(url); - return LDAPU_ERR_URL_INVALID_PREFIX; - } - - path = url + LDAPDB_URL_PREFIX_LEN; - - if (strncmp(path, "//", 2)) { - free(url); - return LDAPU_ERR_URL_INVALID_PREFIX; - } - - path += 2; - - /* Find base DN -- empty string is OK */ - if ((basedn = strrchr(path, '/')) == NULL) { - free(url); - return LDAPU_ERR_URL_NO_BASEDN; - } - - *basedn++ = '\0'; /* terminate the path */ - unescape_ldap_basedn(basedn); - *basedn_out = strdup(basedn); - *path_out = strdup(path); - free(url); - return (*basedn_out && *path_out) ? 
LDAPU_SUCCESS : LDAPU_ERR_OUT_OF_MEMORY; -} - -NSAPI_PUBLIC int ldapu_ldapdb_url_parse (const char *url, - LDAPDatabase_t **ldb_out) -{ - char *path = 0; - char *basedn = 0; - LDAPDatabase_t *ldb = 0; - int rv; - - rv = extract_path_and_basedn(url, &path, &basedn); - - if (rv != LDAPU_SUCCESS) { - if (path) free(path); - if (basedn) free(basedn); - return rv; - } - - ldb = (LDAPDatabase_t *)malloc(sizeof(LDAPDatabase_t)); - - if (!ldb) { - if (path) free(path); - if (basedn) free(basedn); - return LDAPU_ERR_OUT_OF_MEMORY; - } - - memset((void *)ldb, 0, sizeof(LDAPDatabase_t)); - ldb->basedn = basedn; /* extract_path_and_basedn has allocated */ - ldb->host = path; /* memory for us -- don't make a copy */ - ldb_crit_init(ldb); - *ldb_out = ldb; - - return LDAPU_SUCCESS; -} - - -/* - * ldapu_url_parse: - * Description: - * Parses the ldapdb or ldap url and returns a LDAPDatabase_t struct - * Arguments: - * url URL (must begin with ldapdb://) - * binddn DN to use to bind to ldap server. - * bindpw Password to use to bind to ldap server. - * ldb a LDAPDatabase_t struct filled from parsing - * the url. - * Return Values: (same as ldap_find) - * LDAPU_SUCCESS if the URL is parsed successfully - * <rv> if error, one of the LDAPU_ errors. 
- */ -NSAPI_PUBLIC int ldapu_url_parse (const char *url, const char *binddn, - const char *bindpw, - LDAPDatabase_t **ldb_out) -{ - LDAPDatabase_t *ldb; - LDAPURLDesc *ludp = 0; - int rv; - - *ldb_out = 0; - - if (!strncmp(url, LDAPDB_PREFIX_WITH_SLASHES, - LDAPDB_PREFIX_WITH_SLASHES_LEN)) - { - return ldapu_ldapdb_url_parse(url, ldb_out); - } - - /* call ldapsdk's parse function */ - rv = ldap_url_parse((char *)url, &ludp); - - if (rv != LDAP_SUCCESS) { - if (ludp) ldap_free_urldesc(ludp); - return LDAPU_ERR_URL_PARSE_FAILED; - } - - ldb = (LDAPDatabase_t *)malloc(sizeof(LDAPDatabase_t)); - - if (!ldb) { - ldap_free_urldesc(ludp); - return LDAPU_ERR_OUT_OF_MEMORY; - } - - memset((void *)ldb, 0, sizeof(LDAPDatabase_t)); - ldb->host = ludp->lud_host ? strdup(ludp->lud_host) : 0; - ldb->use_ssl = ludp->lud_options & LDAP_URL_OPT_SECURE; - ldb->port = ludp->lud_port ? ludp->lud_port : ldb->use_ssl ? 636 : 389; - ldb->basedn = ludp->lud_dn ? strdup(ludp->lud_dn) : 0; - ldb_crit_init(ldb); - ldap_free_urldesc(ludp); - - if (binddn) ldb->binddn = strdup(binddn); - - if (bindpw) ldb->bindpw = strdup(bindpw); - - /* success */ - *ldb_out = ldb; - - return LDAPU_SUCCESS; -} - -NSAPI_PUBLIC void ldapu_free_LDAPDatabase_t (LDAPDatabase_t *ldb) -{ - if (ldb->host) free(ldb->host); - if (ldb->basedn) free(ldb->basedn); - if (ldb->filter) free(ldb->filter); - if (ldb->binddn) free(ldb->binddn); - if (ldb->bindpw) free(ldb->bindpw); - if (ldb->ld) ldapu_unbind(ldb->ld); - memset((void *)ldb, 0, sizeof(LDAPDatabase_t)); - free(ldb); -} - -NSAPI_PUBLIC LDAPDatabase_t *ldapu_copy_LDAPDatabase_t (const LDAPDatabase_t *ldb) -{ - LDAPDatabase_t *nldb = (LDAPDatabase_t *)malloc(sizeof(LDAPDatabase_t)); - - if (!nldb) return 0; - - memset((void *)nldb, 0, sizeof(LDAPDatabase_t)); - nldb->use_ssl = ldb->use_ssl; - if (ldb->host) nldb->host = strdup(ldb->host); - nldb->port = ldb->port; - if (ldb->basedn) nldb->basedn = strdup(ldb->basedn); - nldb->scope = ldb->scope; - if (ldb->filter) 
nldb->filter = strdup(ldb->filter); - nldb->ld = 0; - if (ldb->binddn) nldb->binddn = strdup(ldb->binddn); - if (ldb->bindpw) nldb->bindpw = strdup(ldb->bindpw); - nldb->bound = 0; - ldb_crit_init(nldb); - - return nldb; -} - -NSAPI_PUBLIC int ldapu_is_local_db (const LDAPDatabase_t *ldb) -{ - return ldb->port ? 0 : 1; -} - -static int LDAP_CALL LDAP_CALLBACK -ldapu_rebind_proc (LDAP *ld, char **whop, char **passwdp, - int *authmethodp, int freeit, void *arg) -{ - if (freeit == 0) { - LDAPDatabase_t *ldb = (LDAPDatabase_t *)arg; - *whop = ldb->binddn; - *passwdp = ldb->bindpw; - *authmethodp = LDAP_AUTH_SIMPLE; - } - - return LDAP_SUCCESS; -} - -NSAPI_PUBLIC int ldapu_ldap_init(LDAPDatabase_t *ldb) -{ - LDAP *ld = 0; - - ldb_crit_enter(ldb); - -#ifdef USE_LDAP_SSL - /* Note. This assume the security related initialization is done */ - /* The step needed is : - PR_Init - RNG_SystemInfoForRNG - RNG_RNGInit - CERT_OpenCertDBFilename - CERT_SetDefaultCertDB - SECMOD_init - - And because ldapssl_init depends on security initialization, it is - no good for non-ssl init - */ - if (ldb->use_ssl) - ld = ldapssl_init(ldb->host, ldb->port, ldb->use_ssl); - else ldap_init(ldb->host, ldb->port); -#else - ld = ldapu_init(ldb->host, ldb->port); -#endif - - if (ld == NULL) { - DBG_PRINT1("ldapu_ldap_init: Failed to initialize connection"); - ldb_crit_exit(ldb); - return LDAPU_ERR_LDAP_INIT_FAILED; - } - - { - struct ldap_thread_fns tfns; - - PR_NewThreadPrivateIndex(&tsdindex, NULL); - - /* set mutex pointers */ - memset( &tfns, '\0', sizeof(struct ldap_thread_fns) ); - tfns.ltf_mutex_alloc = (void *(*)(void))PR_NewMonitor; - tfns.ltf_mutex_free = (void (*)(void *))PR_DestroyMonitor; - tfns.ltf_mutex_lock = (int (*)(void *)) PR_EnterMonitor; - tfns.ltf_mutex_unlock = (int (*)(void *)) PR_ExitMonitor; - tfns.ltf_get_errno = get_errno; - tfns.ltf_set_errno = set_errno; - tfns.ltf_get_lderrno = get_ld_error; - tfns.ltf_set_lderrno = set_ld_error; - /* set ld_errno pointers */ - if ( 
ldapu_set_option( ld, LDAP_OPT_THREAD_FN_PTRS, (void *) &tfns ) - != 0 ) { - ldb_crit_exit(ldb); - return LDAPU_ERR_LDAP_SET_OPTION_FAILED; - } - } -#ifdef LDAP_OPT_DNS_FN_PTRS /* not supported in older LDAP SDKs */ - { - /* install DNS functions */ - struct ldap_dns_fns dnsfns; - memset( &dnsfns, '\0', sizeof(struct ldap_dns_fns) ); - dnsfns.lddnsfn_bufsize = PR_NETDB_BUF_SIZE; - dnsfns.lddnsfn_gethostbyname = ldapu_gethostbyname; - dnsfns.lddnsfn_gethostbyaddr = ldapu_gethostbyaddr; - if ( ldapu_set_option( ld, LDAP_OPT_DNS_FN_PTRS, (void *)&dnsfns ) - != 0 ) { - ldb_crit_exit(ldb); - return LDAPU_ERR_LDAP_SET_OPTION_FAILED; - } - } -#endif /* LDAP_OPT_DNS_FN_PTRS */ - - if (ldapu_is_local_db(ldb)) { - /* No more Local db support, force error! */ - return LDAPU_ERR_LCACHE_INIT_FAILED; -#if 0 - int optval = 1; - - if (lcache_init(ld, ldb->host) != 0) { - ldb_crit_exit(ldb); - return LDAPU_ERR_LCACHE_INIT_FAILED; - } - - if (ldap_set_option(ld, LDAP_OPT_CACHE_ENABLE, &optval) != 0) { - ldb_crit_exit(ldb); - return LDAPU_ERR_LDAP_SET_OPTION_FAILED; - } - - optval = LDAP_CACHE_LOCALDB; - - if (ldap_set_option(ld, LDAP_OPT_CACHE_STRATEGY, &optval) != 0) { - ldb_crit_exit(ldb); - return LDAPU_ERR_LDAP_SET_OPTION_FAILED; - } -#endif - } - else if (ldb->binddn && *ldb->binddn) { - /* Set the rebind proc */ - /* Rebind proc is used when chasing a referral */ - ldap_set_rebind_proc(ld, ldapu_rebind_proc, (void *)ldb); - } - - ldb->ld = ld; - ldb_crit_exit(ldb); - - return LDAPU_SUCCESS; -} - -NSAPI_PUBLIC int ldapu_ldap_rebind (LDAPDatabase_t *ldb) -{ - int retry; - int rv = LDAPU_FAILED; - - ldb_crit_enter(ldb); - - if (ldb->ld) { - retry = (ldb->bound != -1 ? 
1 : 0); /* avoid recursion */ - -#ifdef USE_LDAP_SSL - if (ldb->use_ssl && !CERT_GetDefaultCertDB()) { - /* default cert database has not been initialized */ - rv = LDAPU_ERR_NO_DEFAULT_CERTDB; - } - else -#endif - { - rv = ldap_simple_bind_s(ldb->ld, ldb->binddn, ldb->bindpw); - } - - /* retry once if the LDAP server is down */ - if (rv == LDAP_SERVER_DOWN && retry) { - ldb->bound = -1; /* to avoid recursion */ - rv = ldapu_ldap_reinit_and_rebind(ldb); - } - - if (rv == LDAPU_SUCCESS) ldb->bound = 1; - } - - ldb_crit_exit(ldb); - - return rv; -} - -NSAPI_PUBLIC int ldapu_ldap_init_and_bind (LDAPDatabase_t *ldb) -{ - int rv = LDAPU_SUCCESS; - - ldb_crit_enter(ldb); - - if (!ldb->ld) { - rv = ldapu_ldap_init(ldb); - /* ldb->bound may be set to -1 to avoid recursion */ - if (ldb->bound == 1) ldb->bound = 0; - } - - /* bind as binddn & bindpw if not bound already */ - if (rv == LDAPU_SUCCESS && ldb->bound != 1) { - rv = ldapu_ldap_rebind (ldb); - } - - ldb_crit_exit(ldb); - - return rv; -} - -NSAPI_PUBLIC int ldapu_ldap_reinit_and_rebind (LDAPDatabase_t *ldb) -{ - int rv; - - ldb_crit_enter(ldb); - - if (ldb->ld) { - ldapu_unbind(ldb->ld); - ldb->ld = 0; - } - - rv = ldapu_ldap_init_and_bind(ldb); - ldb_crit_exit(ldb); - return rv; -} - diff --git a/lib/ldaputil/vtable.c b/lib/ldaputil/vtable.c index 0ead6c11..18ac0a4d 100644 --- a/lib/ldaputil/vtable.c +++ b/lib/ldaputil/vtable.c 
@@ -42,187 +42,8 @@ #include "ldaputili.h" #include <ldap.h> -#ifdef USE_LDAP_SSL -#include <ldap_ssl.h> -#endif - -#if defined( _WINDOWS ) && ! defined( _WIN32 ) -/* On 16-bit WINDOWS platforms, it's erroneous to call LDAP API functions - * via a function pointer, since they are not declared LDAP_CALLBACK. - * So, we define the following functions, which are LDAP_CALLBACK, and - * simply delegate to their counterparts in the LDAP API. - */ - -#ifdef USE_LDAP_SSL -static LDAP_CALL LDAP_CALLBACK LDAP* -ldapuVd_ssl_init( const char *host, int port, int encrypted ) -{ - return ldapssl_init (host, port, encrypted); -} -#else -static LDAP_CALL LDAP_CALLBACK LDAP* -ldapuVd_init ( const char *host, int port ) -{ - return ldap_init (host, port); -} -#endif - -static LDAP_CALL LDAP_CALLBACK int -ldapuVd_set_option( LDAP *ld, int opt, const void *val ) -{ - return ldap_set_option (ld, opt, val); -} - -static LDAP_CALL LDAP_CALLBACK int -ldapuVd_simple_bind_s( LDAP* ld, const char *username, const char *passwd ) -{ - return ldap_simple_bind_s (ld, username, passwd); -} - -static LDAP_CALL LDAP_CALLBACK int -ldapuVd_unbind( LDAP *ld ) -{ - return ldap_unbind (ld); -} - -static LDAP_CALL LDAP_CALLBACK int -ldapuVd_search_s( LDAP* ld, const char* baseDN, int scope, const char* filter, - char** attrs, int attrsonly, LDAPMessage** result ) -{ - return ldap_search_s (ld, baseDN, scope, filter, attrs, attrsonly, result); -} - -static LDAP_CALL LDAP_CALLBACK int -ldapuVd_count_entries( LDAP* ld, LDAPMessage* msg ) -{ - return ldap_count_entries (ld, msg); -} - -static LDAP_CALL LDAP_CALLBACK LDAPMessage* -ldapuVd_first_entry( LDAP* ld, LDAPMessage* msg ) -{ - return ldap_first_entry (ld, msg); -} - -static LDAP_CALL LDAP_CALLBACK LDAPMessage* -ldapuVd_next_entry( LDAP* ld, LDAPMessage* entry ) -{ - return ldap_next_entry(ld, entry); -} - -static LDAP_CALL LDAP_CALLBACK char* -ldapuVd_get_dn( LDAP* ld, LDAPMessage* entry ) -{ - return ldap_get_dn (ld, entry); -} - -static LDAP_CALL 
LDAP_CALLBACK char* -ldapuVd_first_attribute( LDAP* ld, LDAPMessage* entry, BerElement** iter ) -{ - return ldap_first_attribute (ld, entry, iter); -} - -static LDAP_CALL LDAP_CALLBACK char* -ldapuVd_next_attribute( LDAP* ld, LDAPMessage* entry, BerElement* iter) -{ - return ldap_next_attribute (ld, entry, iter); -} - -static LDAP_CALL LDAP_CALLBACK char** -ldapuVd_get_values( LDAP *ld, LDAPMessage *entry, const char *desc ) -{ - return ldap_get_values (ld, entry, desc); -} - -static LDAP_CALL LDAP_CALLBACK struct berval** -ldapuVd_get_values_len( LDAP *ld, LDAPMessage *entry, const char *desc ) -{ - return ldap_get_values_len (ld, entry, desc); -} - -#else -/* On other platforms, an LDAP API function can be called via a pointer. */ -#ifdef USE_LDAP_SSL -#define ldapuVd_ssl_init ldapssl_init -#else -#define ldapuVd_init ldap_init -#endif -#define ldapuVd_set_option ldap_set_option -#define ldapuVd_simple_bind_s ldap_simple_bind_s -#define ldapuVd_unbind ldap_unbind -#define ldapuVd_simple_bind_s ldap_simple_bind_s -#define ldapuVd_unbind ldap_unbind -#define ldapuVd_search_s ldap_search_s -#define ldapuVd_count_entries ldap_count_entries -#define ldapuVd_first_entry ldap_first_entry -#define ldapuVd_next_entry ldap_next_entry -#define ldapuVd_get_dn ldap_get_dn -#define ldapuVd_first_attribute ldap_first_attribute -#define ldapuVd_next_attribute ldap_next_attribute -#define ldapuVd_get_values ldap_get_values -#define ldapuVd_get_values_len ldap_get_values_len - -#endif - -/* Several functions in the standard LDAP API have no LDAP* parameter, - but all the VTable functions do. 
Here are some little functions that - make up the difference, by ignoring their LDAP* parameter: -*/ -static int LDAP_CALL LDAP_CALLBACK -ldapuVd_msgfree( LDAP *ld, LDAPMessage *chain ) -{ - return ldap_msgfree (chain); -} - -static void LDAP_CALL LDAP_CALLBACK -ldapuVd_memfree( LDAP *ld, void *dn ) -{ - ldap_memfree (dn); -} - -static void LDAP_CALL LDAP_CALLBACK -ldapuVd_ber_free( LDAP *ld, BerElement *ber, int freebuf ) -{ - ldap_ber_free (ber, freebuf); -} - -static void LDAP_CALL LDAP_CALLBACK -ldapuVd_value_free( LDAP *ld, char **vals ) -{ - ldap_value_free (vals); -} -static void LDAP_CALL LDAP_CALLBACK -ldapuVd_value_free_len( LDAP *ld, struct berval **vals ) -{ - ldap_value_free_len (vals); -} - -static LDAPUVTable_t ldapu_VTable = { -/* By default, the VTable points to the standard LDAP API. */ -#ifdef USE_LDAP_SSL - ldapuVd_ssl_init, -#else - ldapuVd_init, -#endif - ldapuVd_set_option, - ldapuVd_simple_bind_s, - ldapuVd_unbind, - ldapuVd_search_s, - ldapuVd_count_entries, - ldapuVd_first_entry, - ldapuVd_next_entry, - ldapuVd_msgfree, - ldapuVd_get_dn, - ldapuVd_memfree, - ldapuVd_first_attribute, - ldapuVd_next_attribute, - ldapuVd_ber_free, - ldapuVd_get_values, - ldapuVd_value_free, - ldapuVd_get_values_len, - ldapuVd_value_free_len -}; +static LDAPUVTable_t ldapu_VTable = {}; /* Replace ldapu_VTable. Subsequently, ldaputil will call the functions in 'from' (not the LDAP API) to access the directory. @@ -235,26 +56,6 @@ ldapu_VTable_set (LDAPUVTable_t* from) } } -#ifdef USE_LDAP_SSL -LDAP* -ldapu_ssl_init( const char *defhost, int defport, int defsecure ) -{ - if (ldapu_VTable.ldapuV_ssl_init) { - return ldapu_VTable.ldapuV_ssl_init (defhost, defport, defsecure); - } - return NULL; -} -#else -LDAP* -ldapu_init( const char *defhost, int defport ) -{ - if (ldapu_VTable.ldapuV_init) { - return ldapu_VTable.ldapuV_init (defhost, defport); - } - return NULL; -} -#endif - int ldapu_set_option( LDAP *ld, int option, void *optdata ) { 
@@ -422,28 +223,6 @@ ldapu_get_values_len( LDAP *ld, LDAPMessage *entry, const char *desc ) { if (ldapu_VTable.ldapuV_get_values_len) { return ldapu_VTable.ldapuV_get_values_len (ld, entry, desc); - } else if (!ldapu_VTable.ldapuV_value_free_len - && ldapu_VTable.ldapuV_get_values) { - auto char** vals = - ldapu_VTable.ldapuV_get_values (ld, entry, desc); - if (vals) { - auto struct berval** bvals = (struct berval**) - ldapu_malloc ((ldap_count_values (vals) + 1) - * sizeof(struct berval*)); - if (bvals) { - auto char** val; - auto struct berval** bval; - for (val = vals, bval = bvals; *val; ++val, ++bval) { - auto const size_t len = strlen(*val); - *bval = (struct berval*) ldapu_malloc (sizeof(struct berval) + len); - (*bval)->bv_len = len; - (*bval)->bv_val = ((char*)(*bval)) + sizeof(struct berval); - memcpy ((*bval)->bv_val, *val, len); - } - *bval = NULL; - return bvals; - } - } } return NULL; } diff --git a/lib/libaccess/aclcache.cpp b/lib/libaccess/aclcache.cpp index aede1220..e474601a 100644 --- a/lib/libaccess/aclcache.cpp +++ b/lib/libaccess/aclcache.cpp @@ -51,7 +51,6 @@ #include <libaccess/aclglobal.h> #include <libaccess/usrcache.h> #include <libaccess/las.h> -#include <libaccess/ldapacl.h> #include "aclutil.h" #include "permhash.h" #include "aclcache.h" @@ -565,8 +564,6 @@ ACL_Init(void) ACL_ListHashInit(); ACL_LasHashInit(); ACL_Init2(); - init_ldb_rwlock(); - ACL_RegisterInit(); return 0; } @@ -587,11 +584,6 @@ ACL_Init2(void) #ifdef MCC_ADMSERV ACL_LasRegister(NULL, "program", LASProgramEval, (LASFlushFunc_t)NULL); #endif - - ACL_AttrGetterRegister(NULL, ACL_ATTR_USERDN, - get_userdn_ldap, - ACL_METHOD_ANY, ACL_DBTYPE_ANY, - ACL_AT_END, NULL); return; } diff --git a/lib/libaccess/aclcache.h b/lib/libaccess/aclcache.h index 8849cf63..65e618d1 100644 --- a/lib/libaccess/aclcache.h +++ b/lib/libaccess/aclcache.h 
@@ -57,7 +57,6 @@ extern int ACL_CacheCheck(char *uri, ACLListHandle_t **acllist_p); extern void ACL_CacheEnter(char *uri, ACLListHandle_t **acllist_p); extern void ACL_CacheAbort(ACLListHandle_t **acllist_p); extern void ACL_Init2(void); -extern int ACL_RegisterInit (); NSPR_END_EXTERN_C diff --git a/lib/libaccess/ldapacl.cpp b/lib/libaccess/ldapacl.cpp deleted file mode 100644 index 4b7fdc8b..00000000 --- a/lib/libaccess/ldapacl.cpp +++ /dev/null 
@@ -1,857 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * This Program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; version 2 of the License. - * - * This Program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with - * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place, Suite 330, Boston, MA 02111-1307 USA. - * - * In addition, as a special exception, Red Hat, Inc. gives You the additional - * right to link the code of this Program with code not covered under the GNU - * General Public License ("Non-GPL Code") and to distribute linked combinations - * including the two, subject to the limitations in this paragraph. Non-GPL Code - * permitted under this exception must only link to the code of this Program - * through those well defined interfaces identified in the file named EXCEPTION - * found in the source code files (the "Approved Interfaces"). The files of - * Non-GPL Code may instantiate templates or use macros or inline functions from - * the Approved Interfaces without causing the resulting work to be covered by - * the GNU General Public License. Only Red Hat, Inc. may make changes or - * additions to the list of Approved Interfaces. You must obey the GNU General - * Public License in all respects for all of the Program code and other code used - * in conjunction with the Program except the Non-GPL Code covered by this - * exception. If you modify this file, you may extend this exception to your - * version of the file, but you are not obligated to do so. 
If you do not wish to - * provide this exception without modification, you must delete this exception - * statement from your version and license this file solely under the GPL without - * exception. - * - * - * Copyright (C) 2001 Sun Microsystems, Inc. Used by permission. - * Copyright (C) 2005 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - -#ifdef HAVE_CONFIG_H -# include <config.h> -#endif - - -/* #define DBG_PRINT */ - -#include <netsite.h> -#include <base/rwlock.h> -#include <base/ereport.h> -#include <libaccess/acl.h> -#include "aclpriv.h" -#include <libaccess/aclproto.h> -#include <libaccess/las.h> -#include "aclutil.h" -#include <ldaputil/errors.h> -#include <ldaputil/certmap.h> -#include <ldaputil/ldaputil.h> -#include <ldaputil/dbconf.h> -#include <ldaputil/ldapauth.h> -#include <libaccess/authdb.h> -#include <libaccess/ldapacl.h> -#include <libaccess/usrcache.h> -#include <libaccess/dbtlibaccess.h> -#include <libaccess/aclglobal.h> -#include <libaccess/aclerror.h> - -#define BIG_LINE 1024 - -static int need_ldap_over_ssl = 0; -static RWLOCK ldb_rwlock = (RWLOCK)0; - -void init_ldb_rwlock () -{ - ldb_rwlock = rwlock_Init(); -} - -void ldb_write_rwlock (LDAPDatabase_t *ldb, RWLOCK lock) -{ - DBG_PRINT1("ldb_write_rwlock\n"); - /* Don't lock for local database -- let ldapsdk handle thread safety*/ - if (!ldapu_is_local_db(ldb)) - rwlock_WriteLock(lock); -} - -void ldb_read_rwlock (LDAPDatabase_t *ldb, RWLOCK lock) -{ - DBG_PRINT1("ldb_read_rwlock\n"); - /* Don't lock for local database -- let ldapsdk handle thread safety*/ - if (!ldapu_is_local_db(ldb)) - rwlock_ReadLock(lock); -} - -void ldb_unlock_rwlock (LDAPDatabase_t *ldb, RWLOCK lock) -{ - DBG_PRINT1("ldb_unlock_rwlock\n"); - /* we don't lock for local database */ - if (!ldapu_is_local_db(ldb)) - rwlock_Unlock(lock); -} - -int ACL_NeedLDAPOverSSL () -{ - return need_ldap_over_ssl; -} - -NSAPI_PUBLIC int parse_ldap_url (NSErr_t *errp, ACLDbType_t dbtype, - const char *dbname, 
const char *url, - PList_t plist, void **db) -{ - LDAPDatabase_t *ldb; - char *binddn = 0; - char *bindpw = 0; - int rv; - - *db = 0; - - if (!url || !*url) { - nserrGenerate(errp, ACLERRINVAL, ACLERR5800, ACL_Program, 1, XP_GetAdminStr(DBT_ldapaclDatabaseUrlIsMissing)); - return -1; - } - - if (!dbname || !*dbname) { - nserrGenerate(errp, ACLERRINVAL, ACLERR5810, ACL_Program, 1, XP_GetAdminStr(DBT_ldapaclDatabaseNameIsMissing)); - return -1; - } - - /* look for binddn and bindpw in the plist */ - if (plist) { - PListFindValue(plist, LDAPU_ATTR_BINDDN, (void **)&binddn, NULL); - PListFindValue(plist, LDAPU_ATTR_BINDPW, (void **)&bindpw, NULL); - } - - rv = ldapu_url_parse(url, binddn, bindpw, &ldb); - - if (rv != LDAPU_SUCCESS) { - nserrGenerate(errp, ACLERRINVAL, ACLERR5820, ACL_Program, 2, XP_GetAdminStr(DBT_ldapaclErrorParsingLdapUrl), ldapu_err2string(rv)); - return -1; - } - - /* success */ - *db = ldb; - - /* Check if we need to do LDAP over SSL */ - if (!need_ldap_over_ssl) { - need_ldap_over_ssl = ldb->use_ssl; - } - - return 0; -} - -int get_is_valid_password_basic_ldap (NSErr_t *errp, PList_t subject, - PList_t resource, PList_t auth_info, - PList_t global_auth, void *unused) -{ - /* If the raw-user-name and raw-user-password attributes are present then - * verify the password against the LDAP database. - * Otherwise call AttrGetter for raw-user-name. 
- */ - char *raw_user; - char *raw_pw; - char *userdn = 0; - int rv; - char *dbname; - ACLDbType_t dbtype; - LDAPDatabase_t *ldb; - time_t *req_time = 0; - pool_handle_t *subj_pool = PListGetPool(subject) - - DBG_PRINT1("get_is_valid_password_basic_ldap\n"); - rv = ACL_GetAttribute(errp, ACL_ATTR_RAW_USER, (void **)&raw_user, - subject, resource, auth_info, global_auth); - - if (rv != LAS_EVAL_TRUE) { - return rv; - } - - rv = ACL_GetAttribute(errp, ACL_ATTR_RAW_PASSWORD, (void **)&raw_pw, - subject, resource, auth_info, global_auth); - - if (rv != LAS_EVAL_TRUE) { - return rv; - } - - if (!raw_pw || !*raw_pw) { - /* Null password is not allowed in LDAP since most LDAP servers let - * the bind call succeed as anonymous login (with limited privileges). - */ - return LAS_EVAL_FALSE; - } - - /* Authenticate the raw_user and raw_pw against LDAP database. */ - rv = ACL_AuthInfoGetDbname(auth_info, &dbname); - - if (rv < 0) { - char rv_str[16]; - sprintf(rv_str, "%d", rv); - nserrGenerate(errp, ACLERRFAIL, ACLERR5830, ACL_Program, 2, - XP_GetAdminStr(DBT_ldapaclUnableToGetDatabaseName), rv_str); - return LAS_EVAL_FAIL; - } - - rv = ACL_DatabaseFind(errp, dbname, &dbtype, (void **)&ldb); - - if (rv != LAS_EVAL_TRUE) { - nserrGenerate(errp, ACLERRFAIL, ACLERR5840, ACL_Program, 2, - XP_GetAdminStr(DBT_ldapaclUnableToGetParsedDatabaseName), dbname); - return rv; - } - - if (acl_usr_cache_enabled()) { - /* avoid unnecessary system call to get time if cache is disabled */ - req_time = acl_get_req_time(resource); - - /* We have user name and password. 
*/ - /* Check the cache to see if the password is valid */ - rv = acl_usr_cache_passwd_check(raw_user, dbname, raw_pw, *req_time, - &userdn, subj_pool); - } - else { - rv = LAS_EVAL_FALSE; - } - - if (rv != LAS_EVAL_TRUE) { - LDAPMessage *res = 0; - const char *some_attrs[] = { "C", 0 }; - LDAP *ld; - char *udn; - /* Not found in the cache */ - - /* Since we will bind with the user/password and other code relying on - * ldb being bound as ldb->binddn and ldb->bindpw may fail. So block - * them until we are done. - */ - ldb_write_rwlock(ldb, ldb_rwlock); - rv = ldapu_ldap_init_and_bind(ldb); - - if (rv != LDAPU_SUCCESS) { - ldb_unlock_rwlock(ldb, ldb_rwlock); - nserrGenerate(errp, ACLERRFAIL, ACLERR5850, ACL_Program, 2, XP_GetAdminStr(DBT_ldapaclCoudlntInitializeConnectionToLdap), ldapu_err2string(rv)); - return LAS_EVAL_FAIL; - } - - /* LDAPU_REQ will reconnect & retry once if LDAP server went down */ - ld = ldb->ld; - LDAPU_REQ(rv, ldb, ldapu_find_uid_attrs(ld, raw_user, - ldb->basedn, some_attrs, - 1, &res)); - - if (rv == LDAPU_SUCCESS) { - LDAPMessage *entry = ldap_first_entry(ld, res); - - userdn = ldap_get_dn(ld, entry); - - /* LDAPU_REQ will reconnect & retry once if LDAP server went down */ - LDAPU_REQ(rv, ldb, ldapu_auth_userdn_password(ld, userdn, raw_pw)); - - /* Make sure we rebind with the server's DN - * ignore errors from ldapu_ldap_rebind -- we will get the same - * errors in subsequent calls to LDAP. Return status from the - * above call is our only interest now. 
- */ - ldapu_ldap_rebind(ldb); - } - - if (res) ldap_msgfree(res); - ldb_unlock_rwlock(ldb, ldb_rwlock); - - if (rv == LDAPU_FAILED || rv == LDAP_INVALID_CREDENTIALS) { - /* user entry not found or incorrect password */ - if (userdn) ldap_memfree(userdn); - return LAS_EVAL_FALSE; - } - else if (rv != LDAPU_SUCCESS) { - /* some unexpected LDAP error */ - nserrGenerate(errp, ACLERRFAIL, ACLERR5860, ACL_Program, 2, XP_GetAdminStr(DBT_ldapaclPassworkCheckLdapError), ldapu_err2string(rv)); - if (userdn) ldap_memfree(userdn); - return LAS_EVAL_FAIL; - } - - /* Make an entry in the cache */ - if (acl_usr_cache_enabled()) { - acl_usr_cache_insert(raw_user, dbname, userdn, raw_pw, 0, 0, - *req_time); - } - udn = pool_strdup(subj_pool, userdn); - ldap_memfree(userdn); - userdn = udn; - } - - PListInitProp(subject, ACL_ATTR_IS_VALID_PASSWORD_INDEX, ACL_ATTR_IS_VALID_PASSWORD, raw_user, 0); - PListInitProp(subject, ACL_ATTR_USERDN_INDEX, ACL_ATTR_USERDN, userdn, 0); - return LAS_EVAL_TRUE; -} - -static int acl_grpcmpfn (const void *groupids, const char *group, - const int len) -{ - const char *token = (const char *)groupids; - int tlen; - char delim = ','; - - while((token = acl_next_token_len(token, delim, &tlen)) != NULL) { - if (tlen > 0 && tlen == len && !strncmp(token, group, len)) - return LDAPU_SUCCESS; - else if (tlen == 0 || 0 != (token = strchr(token+tlen, delim))) - token++; - else - break; - } - - return LDAPU_FAILED; -} - -int get_user_ismember_ldap (NSErr_t *errp, PList_t subject, - PList_t resource, PList_t auth_info, - PList_t global_auth, void *unused) -{ - int retval; - int rv; - char *userdn; - char *groups; - char *member_of = 0; - LDAPDatabase_t *ldb; - char *dbname; - ACLDbType_t dbtype; - - DBG_PRINT1("get_user_ismember_ldap\n"); - - rv = ACL_GetAttribute(errp, ACL_ATTR_USERDN, (void **)&userdn, subject, - resource, auth_info, global_auth); - - if (rv != LAS_EVAL_TRUE) { - return LAS_EVAL_FAIL; - } - - rv = ACL_GetAttribute(errp, ACL_ATTR_GROUPS, (void 
**)&groups, subject, - resource, auth_info, global_auth); - - if (rv != LAS_EVAL_TRUE) { - return rv; - } - - rv = ACL_AuthInfoGetDbname(auth_info, &dbname); - - if (rv < 0) { - char rv_str[16]; - sprintf(rv_str, "%d", rv); - nserrGenerate(errp, ACLERRINVAL, ACLERR5900, ACL_Program, 2, XP_GetAdminStr(DBT_GetUserIsMemberLdapUnabelToGetDatabaseName), rv_str); - return rv; - } - - rv = ACL_DatabaseFind(errp, dbname, &dbtype, (void **)&ldb); - - if (rv != LAS_EVAL_TRUE) { - nserrGenerate(errp, ACLERRINVAL, ACLERR5910, ACL_Program, 2, XP_GetAdminStr(DBT_GetUserIsMemberLdapUnableToGetParsedDatabaseName), dbname); - return rv; - } - - ldb_read_rwlock(ldb, ldb_rwlock); - rv = ldapu_ldap_init_and_bind(ldb); - - if (rv != LDAPU_SUCCESS) { - ldb_unlock_rwlock(ldb, ldb_rwlock); - nserrGenerate(errp, ACLERRFAIL, ACLERR5930, ACL_Program, 2, - XP_GetAdminStr(DBT_GetUserIsMemberLdapCouldntInitializeConnectionToLdap), ldapu_err2string(rv)); - return LAS_EVAL_FAIL; - } - - /* check if the user is member of any of the groups */ - /* LDAPU_REQ will reconnect & retry once if LDAP server went down */ - LDAPU_REQ(rv, ldb, ldapu_auth_userdn_groupids(ldb->ld, - userdn, - groups, - acl_grpcmpfn, - ldb->basedn, - &member_of)); - - ldb_unlock_rwlock(ldb, ldb_rwlock); - - if (rv == LDAPU_SUCCESS) { - /* User is a member of one of the groups */ - if (member_of) { - PListInitProp(subject, ACL_ATTR_USER_ISMEMBER_INDEX, - ACL_ATTR_USER_ISMEMBER, - pool_strdup(PListGetPool(subject), member_of), 0); - retval = LAS_EVAL_TRUE; - } - else { - /* This shouldn't happen */ - retval = LAS_EVAL_FALSE; - } - } - else if (rv == LDAPU_FAILED) { - /* User is not a member of any of the groups */ - retval = LAS_EVAL_FALSE; - } - else { - /* unexpected LDAP error */ - nserrGenerate(errp, ACLERRFAIL, ACLERR5950, ACL_Program, 2, - XP_GetAdminStr(DBT_GetUserIsMemberLdapError), - ldapu_err2string(rv)); - retval = LAS_EVAL_FAIL; - } - - return retval; -} - - -/* This function returns LDAPU error codes so that the 
caller can call - * ldapu_err2string to get the error string. - */ -int acl_map_cert_to_user (NSErr_t *errp, const char *dbname, - LDAPDatabase_t *ldb, void *cert, - PList_t resource, pool_handle_t *pool, - char **user, char **userdn) -{ - int rv; - LDAPMessage *res; - LDAPMessage *entry; - char *uid; - time_t *req_time = 0; - - if (acl_usr_cache_enabled()) { - req_time = acl_get_req_time(resource); - - rv = acl_cert_cache_get_uid (cert, dbname, *req_time, user, userdn, - pool); - } - else { - rv = LAS_EVAL_FALSE; - } - - if (rv != LAS_EVAL_TRUE) { - /* Not found in the cache */ - - ldb_read_rwlock(ldb, ldb_rwlock); - rv = ldapu_ldap_init_and_bind(ldb); - - /* LDAPU_REQ will reconnect & retry once if LDAP server went down */ - /* it sets the variable rv */ - if (rv == LDAPU_SUCCESS) { - - LDAPU_REQ(rv, ldb, ldapu_cert_to_user(cert, ldb->ld, ldb->basedn, - &res, &uid)); - - if (rv == LDAPU_SUCCESS) { - char *dn; - - *user = pool_strdup(pool, uid); - if (!*user) rv = LDAPU_ERR_OUT_OF_MEMORY; - free(uid); - - entry = ldap_first_entry(ldb->ld, res); - dn = ldap_get_dn(ldb->ld, entry); - if (acl_usr_cache_enabled()) { - acl_cert_cache_insert (cert, dbname, *user, dn, *req_time); - } - *userdn = dn ? pool_strdup(pool, dn) : 0; - if (!*userdn) rv = LDAPU_ERR_OUT_OF_MEMORY; - ldap_memfree(dn); - } - if (res) ldap_msgfree(res); - } - ldb_unlock_rwlock(ldb, ldb_rwlock); - } - else { - rv = LDAPU_SUCCESS; - } - - return rv; -} - - -/* - * ACL_LDAPDatabaseHandle - - * Finds the internal structure representing the 'dbname'. If it is an LDAP - * database, returns the 'LDAP *ld' pointer. Also, binds to the LDAP server. - * The LDAP *ld handle can be used in calls to LDAP API. - * Returns LAS_EVAL_TRUE if successful, otherwise logs an error in - * LOG_SECURITY and returns LAS_EVAL_FAIL. 
- */ -int ACL_LDAPDatabaseHandle (NSErr_t *errp, const char *dbname, LDAP **ld, - char **basedn) -{ - int rv; - ACLDbType_t dbtype; - void *db; - LDAPDatabase_t *ldb; - - *ld = 0; - if (!dbname || !*dbname) dbname = DBCONF_DEFAULT_DBNAME; - - /* Check if the ldb is already in the ACLUserLdbHash */ - ldb = (LDAPDatabase_t *)PR_HashTableLookup(ACLUserLdbHash, dbname); - - if (!ldb) { - - rv = ACL_DatabaseFind(errp, dbname, &dbtype, &db); - - if (rv != LAS_EVAL_TRUE) { - nserrGenerate(errp, ACLERRINVAL, ACLERR6000, ACL_Program, 2, XP_GetAdminStr(DBT_LdapDatabaseHandleNotARegisteredDatabase), dbname); - return LAS_EVAL_FAIL; - } - - if (!ACL_DbTypeIsEqual(errp, dbtype, ACL_DbTypeLdap)) { - /* Not an LDAP database -- error */ - nserrGenerate(errp, ACLERRINVAL, ACLERR6010, ACL_Program, 2, XP_GetAdminStr(DBT_LdapDatabaseHandleNotAnLdapDatabase), dbname); - return LAS_EVAL_FAIL; - } - - ldb = ldapu_copy_LDAPDatabase_t((LDAPDatabase_t *)db); - - if (!ldb) { - /* Not an LDAP database -- error */ - nserrGenerate(errp, ACLERRNOMEM, ACLERR6020, ACL_Program, 1, XP_GetAdminStr(DBT_LdapDatabaseHandleOutOfMemory)); - return LAS_EVAL_FAIL; - } - - PR_HashTableAdd(ACLUserLdbHash, PERM_STRDUP(dbname), ldb); - } - - if (!ldb->ld) { - rv = ldapu_ldap_init_and_bind(ldb); - - if (rv != LDAPU_SUCCESS) { - nserrGenerate(errp, ACLERRFAIL, ACLERR6030, ACL_Program, 2, XP_GetAdminStr(DBT_LdapDatabaseHandleCouldntInitializeConnectionToLdap), ldapu_err2string(rv)); - return LAS_EVAL_FAIL; - } - } - - /* - * Force the rebind -- we don't know whether the customer has used this ld - * to bind as somebody else. It will also check if the LDAP server is up - * and running, reestablish the connection if the LDAP server has rebooted - * since it was last used. 
- */ - rv = ldapu_ldap_rebind(ldb); - - if (rv != LDAPU_SUCCESS) { - nserrGenerate(errp, ACLERRFAIL, ACLERR6040, ACL_Program, 2, XP_GetAdminStr(DBT_LdapDatabaseHandleCouldntBindToLdapServer), ldapu_err2string(rv)); - return LAS_EVAL_FAIL; - } - - *ld = ldb->ld; - - if (basedn) { - /* They asked for the basedn too */ - *basedn = PERM_STRDUP(ldb->basedn); - } - - return LAS_EVAL_TRUE; -} - -int get_userdn_ldap (NSErr_t *errp, PList_t subject, - PList_t resource, PList_t auth_info, - PList_t global_auth, void *unused) -{ - char *uid; - char *dbname; - char *userdn; - time_t *req_time = 0; - pool_handle_t *subj_pool = PListGetPool(subject); - int rv; - - rv = ACL_GetAttribute(errp, ACL_ATTR_USER, (void **)&uid, subject, - resource, auth_info, global_auth); - - if (rv != LAS_EVAL_TRUE) { - return LAS_EVAL_FAIL; - } - - /* The getter for ACL_ATTR_USER may have put the USERDN on the PList */ - rv = PListGetValue(subject, ACL_ATTR_USERDN_INDEX, (void **)&userdn, NULL); - - if (rv >= 0) { - /* Nothing to do */ - return LAS_EVAL_TRUE; - } - - rv = ACL_AuthInfoGetDbname(auth_info, &dbname); - - if (rv < 0) { - char rv_str[16]; - sprintf(rv_str, "%d", rv); - nserrGenerate(errp, ACLERRFAIL, ACLERR5830, ACL_Program, 2, - XP_GetAdminStr(DBT_ldapaclUnableToGetDatabaseName), rv_str); - return LAS_EVAL_FAIL; - } - - /* Check if the userdn is available in the usr_cache */ - if (acl_usr_cache_enabled()) { - /* avoid unnecessary system call to get time if cache is disabled */ - req_time = acl_get_req_time(resource); - - rv = acl_usr_cache_get_userdn(uid, dbname, *req_time, &userdn, - subj_pool); - } - else { - rv = LAS_EVAL_FALSE; - } - - if (rv == LAS_EVAL_TRUE) { - /* Found in the cache */ - PListInitProp(subject, ACL_ATTR_USERDN_INDEX, ACL_ATTR_USERDN, - userdn, 0); - } - else { - ACLDbType_t dbtype; - LDAPDatabase_t *ldb = 0; - - /* Perform LDAP lookup */ - rv = ACL_DatabaseFind(errp, dbname, &dbtype, (void **)&ldb); - - if (rv != LAS_EVAL_TRUE) { - nserrGenerate(errp, ACLERRFAIL, 
ACLERR5840, ACL_Program, 2, - XP_GetAdminStr(DBT_ldapaclUnableToGetParsedDatabaseName), dbname); - return rv; - } - - ldb_read_rwlock(ldb, ldb_rwlock); - rv = ldapu_ldap_init_and_bind(ldb); - - if (rv != LDAPU_SUCCESS) { - ldb_unlock_rwlock(ldb, ldb_rwlock); - nserrGenerate(errp, ACLERRFAIL, ACLERR5850, ACL_Program, 2, XP_GetAdminStr(DBT_ldapaclCoudlntInitializeConnectionToLdap), ldapu_err2string(rv)); - return LAS_EVAL_FAIL; - } - - LDAPU_REQ(rv, ldb, ldapu_find_userdn(ldb->ld, uid, ldb->basedn, - &userdn)); - - ldb_unlock_rwlock(ldb, ldb_rwlock); - - if (rv == LDAPU_SUCCESS) { - /* Found it. Store it in the cache also. */ - PListInitProp(subject, ACL_ATTR_USERDN_INDEX, ACL_ATTR_USERDN, - pool_strdup(subj_pool, userdn), 0); - if (acl_usr_cache_enabled()) { - acl_usr_cache_set_userdn(uid, dbname, userdn, *req_time); - } - ldapu_free(userdn); - rv = LAS_EVAL_TRUE; - } - else if (rv == LDAPU_FAILED) { - /* Not found but not an error */ - rv = LAS_EVAL_FALSE; - } - else { - /* some unexpected LDAP error */ - nserrGenerate(errp, ACLERRFAIL, ACLERR5860, ACL_Program, 2, XP_GetAdminStr(DBT_ldapaclPassworkCheckLdapError), ldapu_err2string(rv)); - rv = LAS_EVAL_FAIL; - } - } - - return rv; -} - -/* Attr getter for LDAP database to check if the user exists */ -int get_user_exists_ldap (NSErr_t *errp, PList_t subject, - PList_t resource, PList_t auth_info, - PList_t global_auth, void *unused) -{ - int rv; - char *user; - char *userdn; - - /* See if the userdn is already available */ - rv = PListGetValue(subject, ACL_ATTR_USERDN_INDEX, (void **)&userdn, NULL); - - if (rv >= 0) { - /* Check if the DN is still valid against the database */ - /* Get the database name */ - char *dbname; - ACLDbType_t dbtype; - LDAPDatabase_t *ldb = 0; - LDAPMessage *res; - const char *some_attrs[] = { "c", 0 }; - - rv = ACL_AuthInfoGetDbname(auth_info, &dbname); - - if (rv < 0) { - char rv_str[16]; - sprintf(rv_str, "%d", rv); - nserrGenerate(errp, ACLERRFAIL, ACLERR5830, ACL_Program, 2, - 
XP_GetAdminStr(DBT_ldapaclUnableToGetDatabaseName), rv_str); - return LAS_EVAL_FAIL; - } - - /* Perform LDAP lookup */ - rv = ACL_DatabaseFind(errp, dbname, &dbtype, (void **)&ldb); - - if (rv != LAS_EVAL_TRUE) { - nserrGenerate(errp, ACLERRFAIL, ACLERR5840, ACL_Program, 2, - XP_GetAdminStr(DBT_ldapaclUnableToGetParsedDatabaseName), dbname); - return rv; - } - - ldb_read_rwlock(ldb, ldb_rwlock); - rv = ldapu_ldap_init_and_bind(ldb); - - if (rv != LDAPU_SUCCESS) { - ldb_unlock_rwlock(ldb, ldb_rwlock); - nserrGenerate(errp, ACLERRFAIL, ACLERR5850, ACL_Program, 2, XP_GetAdminStr(DBT_ldapaclCoudlntInitializeConnectionToLdap), ldapu_err2string(rv)); - return LAS_EVAL_FAIL; - } - - LDAPU_REQ(rv, ldb, ldapu_find (ldb->ld, ldb->basedn, LDAP_SCOPE_BASE, - NULL, some_attrs, 1, &res)); - - ldb_unlock_rwlock(ldb, ldb_rwlock); - - if (rv == LDAPU_SUCCESS) { - /* Found it. */ - rv = LAS_EVAL_TRUE; - } - else if (rv == LDAPU_FAILED) { - /* Not found but not an error */ - rv = LAS_EVAL_FALSE; - } - else { - /* some unexpected LDAP error */ - nserrGenerate(errp, ACLERRFAIL, ACLERR5860, ACL_Program, 2, XP_GetAdminStr(DBT_ldapaclPassworkCheckLdapError), ldapu_err2string(rv)); - rv = LAS_EVAL_FAIL; - } - } - else { - /* If the DN doesn't exist, should we just return an error ? 
*/ - /* If yes, we don't need rest of the code */ - - /* If we don't have a DN, we must have a user at least */ - rv = PListGetValue(subject, ACL_ATTR_USER_INDEX, (void **)&user, NULL); - - if (rv < 0) { - /* We don't even have a user name */ - return LAS_EVAL_FAIL; - } - - rv = ACL_GetAttribute(errp, ACL_ATTR_USERDN, (void **)&userdn, subject, - resource, auth_info, global_auth); - } - - /* If we can get the userdn then the user exists */ - if (rv == LAS_EVAL_TRUE) { - PListInitProp(subject, ACL_ATTR_USER_EXISTS_INDEX, - ACL_ATTR_USER_EXISTS, userdn, 0); - } - - return rv; -} - -/* acl_user_exists - */ -/* Function to check if the user still exists */ -/* This function works for all kinds of databases */ -/* Returns 0 on success and -ve value on failure */ -NSAPI_PUBLIC int acl_user_exists (const char *user, const char *userdn, - const char *dbname, const int logerr) -{ - NSErr_t err = NSERRINIT; - NSErr_t *errp = &err; - pool_handle_t *pool = 0; - time_t *req_time = 0; - PList_t subject = 0; - PList_t resource = 0; - PList_t auth_info = 0; - PList_t global_auth = NULL; - int rv = 0; - - /* Check if the userdn is available in the usr_cache */ - if (acl_usr_cache_enabled() && userdn) { - /* avoid unnecessary system call to get time if cache is disabled */ - req_time = (time_t *)MALLOC(sizeof(time_t)); - - if (req_time) { - time(req_time); - rv = acl_usr_cache_userdn_check(user, dbname, userdn, *req_time); - FREE((void *)req_time); - } - - if (rv == LAS_EVAL_TRUE) - { - /* Found in the cache with the same DN */ - return 0; - } - } - - pool = pool_create(); - subject = PListCreate(pool, ACL_ATTR_INDEX_MAX, 0, 0); - resource = PListCreate(pool, ACL_ATTR_INDEX_MAX, 0, 0); - auth_info = PListCreate(pool, ACL_ATTR_INDEX_MAX, 0, 0); - - if (!pool || !subject || !resource || !auth_info) { - /* ran out of memory */ - goto no_mem; - } - - /* store a pointer to the user rather than a copy */ - rv = PListInitProp(subject, ACL_ATTR_USER_INDEX, ACL_ATTR_USER, - user, 0); - if 
(rv < 0) { /* Plist error */ goto plist_err; } - - if (userdn && *userdn) { - /* store a pointer to the userdn rather than a copy */ - rv = PListInitProp(subject, ACL_ATTR_USERDN_INDEX, ACL_ATTR_USERDN, - userdn, 0); - if (rv < 0) { /* Plist error */ goto plist_err; } - } - - /* store the cached dbname on auth_info */ - rv = ACL_AuthInfoSetDbname(errp, auth_info, dbname); - if (rv < 0) { /* auth_info error */ goto err; } - - rv = ACL_GetAttribute(errp, ACL_ATTR_USER_EXISTS, (void **)&user, - subject, resource, auth_info, global_auth); - - if (rv == LAS_EVAL_TRUE) { - /* User still exists */ - rv = 0; - } - else if (rv == LAS_EVAL_FALSE) { - /* User doesn't exist anymore */ - nserrGenerate(errp, ACLERRFAIL, 5880, ACL_Program, 2, XP_GetAdminStr(DBT_AclUserExistsNot), user); - goto err; - } - else { - /* Unexpected error while checking the existence of the user */ - goto err; - } - - goto done; - -plist_err: - nserrGenerate(errp, ACLERRFAIL, 5890, ACL_Program, 1, XP_GetAdminStr(DBT_AclUserPlistError)); - goto err; - -no_mem: - nserrGenerate(errp, ACLERRNOMEM, 5870, ACL_Program, 1, XP_GetAdminStr(DBT_AclUserExistsOutOfMemory)); - goto err; - -err: - if (logerr) { - /* Unexpected error while checking the existence of the user */ - char buf[BIG_LINE]; - /* generate error message (upto depth 6) into buf */ - aclErrorFmt(errp, buf, BIG_LINE, 6); - ereport(LOG_SECURITY, "Error while checking the existence of user: %s", buf); - } - - nserrDispose(errp); - rv = -1; - -done: - /* Destroy the PLists & the pool */ - if (subject) PListDestroy(subject); - if (resource) PListDestroy(resource); - if (auth_info) PListDestroy(auth_info); - if (pool) pool_destroy(pool); - return rv; -} diff --git a/lib/libaccess/oneeval.cpp b/lib/libaccess/oneeval.cpp index 05de0e36..14b15740 100644 --- a/lib/libaccess/oneeval.cpp +++ b/lib/libaccess/oneeval.cpp 
@@ -129,7 +129,7 @@ static ACLDispatchVector_t __nsacl_vector = { ACL_DatabaseRegister, ACL_DatabaseFind, ACL_DatabaseSetDefault, - ACL_LDAPDatabaseHandle, + NULL, ACL_AuthInfoGetDbname, ACL_CacheFlushRegister, ACL_CacheFlush, diff --git a/lib/libaccess/register.cpp b/lib/libaccess/register.cpp index beed23d9..af8a79a8 100644 --- a/lib/libaccess/register.cpp +++ b/lib/libaccess/register.cpp @@ -55,7 +55,6 @@ #include "aclpriv.h" #include <libaccess/aclproto.h> #include <libaccess/aclglobal.h> -#include <libaccess/ldapacl.h> #include "aclcache.h" #include <libaccess/dbtlibaccess.h> #include <libaccess/aclerror.h> @@ -843,16 +842,3 @@ ACL_AttrGetterNext(ACLAttrGetterList_t *getters, ACLAttrGetter_t *last) return next; } - -int -ACL_RegisterInit () -{ - NSErr_t *errp = 0; - int rv; - - /* Register the ldap database */ - rv = ACL_DbTypeRegister(errp, ACL_DBTYPE_LDAP, parse_ldap_url, &ACL_DbTypeLdap); - - return rv; -} - diff --git a/lib/libaccess/utest/Makefile b/lib/libaccess/utest/Makefile index 81a0eb70..39096b1a 100644 --- a/lib/libaccess/utest/Makefile +++ b/lib/libaccess/utest/Makefile @@ -137,9 +137,6 @@ coverage: acltest.o ustubs.o $(XOBJ) rm -f *.pcv acltestcov -lasemail: lasemail.o - $(LD) -G -h lasemail.so -o lasemail.so lasemail.o - #$(XOBJ): $(XSRC) # cd ..; gmake OBJDEST=$(UTESTDEST) CC=$(OCC) TESTFLAGS=$(TESTFLAGS) diff --git a/lib/libaccess/utest/lasemail.cpp b/lib/libaccess/utest/lasemail.cpp deleted file mode 100644 index eed8d337..00000000 --- a/lib/libaccess/utest/lasemail.cpp +++ /dev/null 
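Review bot: The `ACL_LDAPDatabaseHandle` slot of `__nsacl_vector` is set to `NULL` rather than removed, so any caller that still reaches that entry through the dispatch table will invoke a null function pointer; nothing in this hunk shows the consumers of that slot being null-checked or dropped, and that should be confirmed before this lands (the same commit deletes the in-tree implementation in ldapacl.cpp and its only visible caller in utest/lasemail.cpp). Keeping the slot is the right way to preserve the table layout for code built against the old vector, but the hole deserves a comment at the entry, e.g. `NULL, /* ACL_LDAPDatabaseHandle removed with ldapacl.cpp; slot kept for vector layout, callers must check for NULL */`. The `__nsacl_vector` initializer begins before the hunk and continues past its last line.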
@@ -1,217 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * This Program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; version 2 of the License. - * - * This Program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with - * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place, Suite 330, Boston, MA 02111-1307 USA. - * - * In addition, as a special exception, Red Hat, Inc. gives You the additional - * right to link the code of this Program with code not covered under the GNU - * General Public License ("Non-GPL Code") and to distribute linked combinations - * including the two, subject to the limitations in this paragraph. Non-GPL Code - * permitted under this exception must only link to the code of this Program - * through those well defined interfaces identified in the file named EXCEPTION - * found in the source code files (the "Approved Interfaces"). The files of - * Non-GPL Code may instantiate templates or use macros or inline functions from - * the Approved Interfaces without causing the resulting work to be covered by - * the GNU General Public License. Only Red Hat, Inc. may make changes or - * additions to the list of Approved Interfaces. You must obey the GNU General - * Public License in all respects for all of the Program code and other code used - * in conjunction with the Program except the Non-GPL Code covered by this - * exception. If you modify this file, you may extend this exception to your - * version of the file, but you are not obligated to do so. 
If you do not wish to - * provide this exception without modification, you must delete this exception - * statement from your version and license this file solely under the GPL without - * exception. - * - * - * Copyright (C) 2001 Sun Microsystems, Inc. Used by permission. - * Copyright (C) 2005 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - -#ifdef HAVE_CONFIG_H -# include <config.h> -#endif - - -/* lasemail.cpp - * This file contains the Email LAS code. - */ - -#include <ldap.h> -#include <nsacl/aclapi.h> - -#define ACL_ATTR_EMAIL "email" - -extern "C" { -extern int LASEmailEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator, char *attr_pattern, ACLCachable_t *cachable, void **LAS_cookie, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth); -extern void LASEmailFlush(void **las_cookie); -extern int LASEmailModuleInit(); -} - - -/* - * LASEmailEval - * INPUT - * attr_name The string "email" - in lower case. - * comparator CMP_OP_EQ or CMP_OP_NE only - * attr_pattern A comma-separated list of emails - * (we currently support only one e-mail addr) - * *cachable Always set to ACL_NOT_CACHABLE. - * subject Subject property list - * resource Resource property list - * auth_info Authentication info, if any - * RETURNS - * retcode The usual LAS return codes. 
- */ -int LASEmailEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator, - char *attr_pattern, ACLCachable_t *cachable, - void **LAS_cookie, PList_t subject, PList_t resource, - PList_t auth_info, PList_t global_auth) -{ - char *uid; - char *email; - int rv; - LDAP *ld; - char *basedn; - LDAPMessage *res; - int numEntries; - char filter[1024]; - int matched; - - *cachable = ACL_NOT_CACHABLE; - *LAS_cookie = (void *)0; - - if (strcmp(attr_name, ACL_ATTR_EMAIL) != 0) { - fprintf(stderr, "LASEmailEval called for incorrect attr \"%s\"\n", - attr_name); - return LAS_EVAL_INVALID; - } - - if ((comparator != CMP_OP_EQ) && (comparator != CMP_OP_NE)) { - fprintf(stderr, "LASEmailEval called with incorrect comparator %d\n", - comparator); - return LAS_EVAL_INVALID; - } - - if (!strcmp(attr_pattern, "anyone")) { - *cachable = ACL_INDEF_CACHABLE; - return comparator == CMP_OP_EQ ? LAS_EVAL_TRUE : LAS_EVAL_FALSE; - } - - /* get the authenticated user name */ - rv = ACL_GetAttribute(errp, ACL_ATTR_USER, (void **)&uid, - subject, resource, auth_info, global_auth); - - if (rv != LAS_EVAL_TRUE) { - return rv; - } - - /* We have an authenticated user */ - if (!strcmp(attr_pattern, "all")) { - return comparator == CMP_OP_EQ ? 
LAS_EVAL_TRUE : LAS_EVAL_FALSE; - } - - /* do an ldap lookup for: (& (uid=<user>) (mail=<email>)) */ - rv = ACL_LDAPDatabaseHandle(errp, NULL, &ld, &basedn); - - if (rv != LAS_EVAL_TRUE) { - fprintf(stderr, "unable to get LDAP handle\n"); - return rv; - } - - /* Formulate the filter -- assume single e-mail in attr_pattern */ - /* If we support multiple comma separated e-mail addresses in the - * attr_pattern then the filter will look like: - * (& (uid=<user>) (| (mail=<email1>) (mail=<email2>))) - */ - sprintf(filter, "(& (uid=%s) (mail=%s))", uid, attr_pattern); - - rv = ldap_search_s(ld, basedn, LDAP_SCOPE_SUBTREE, filter, - 0, 0, &res); - - if (rv != LDAP_SUCCESS) - { - fprintf(stderr, "ldap_search_s: %s\n", ldap_err2string(rv)); - return LAS_EVAL_FAIL; - } - - numEntries = ldap_count_entries(ld, res); - - if (numEntries == 1) { - /* success */ - LDAPMessage *entry = ldap_first_entry(ld, res); - char *dn = ldap_get_dn(ld, entry); - - fprintf(stderr, "ldap_search_s: Entry found. DN: \"%s\"\n", dn); - ldap_memfree(dn); - matched = 1; - } - else if (numEntries == 0) { - /* not found -- but not an error */ - fprintf(stderr, "ldap_search_s: Entry not found. Filter: \"%s\"\n", - filter); - matched = 0; - } - else if (numEntries > 0) { - /* Found more than one entry! */ - fprintf(stderr, "ldap_search_s: Found more than one entry. Filter: \"%s\"\n", - filter); - return LAS_EVAL_FAIL; - } - - if (comparator == CMP_OP_EQ) { - rv = (matched ? LAS_EVAL_TRUE : LAS_EVAL_FALSE); - } - else { - rv = (matched ? LAS_EVAL_FALSE : LAS_EVAL_TRUE); - } - - return rv; -} - - -/* LASEmailFlush - * Deallocates any memory previously allocated by the LAS - */ -void -LASEmailFlush(void **las_cookie) -{ - /* do nothing */ - return; -} - -/* LASEmailModuleInit -- - * Register the e-mail LAS. - * - * To load this functions in the web server, compile the file in - * "lasemail.so" and add the following lines to the - * <ServerRoot>/https-<name>/config/obj.conf file. 
Be sure to change the - * "lasemail.so" portion to the full pathname. E.g. /nshome/lib/lasemail.so. - * - * Init fn="load-modules" funcs="LASEmailModuleInit" shlib="lasemail.so" - * Init fn="acl-register-module" module="lasemail" func="LASEmailModuleInit" - */ -int LASEmailModuleInit () -{ - NSErr_t err = NSERRINIT; - NSErr_t *errp = &err; - int rv; - - rv = ACL_LasRegister(errp, ACL_ATTR_EMAIL, LASEmailEval, LASEmailFlush); - - if (rv < 0) { - fprintf(stderr, "ACL_LasRegister failed. Error: %d\n", rv); - return rv; - } - - return rv; -} - diff --git a/lib/libaccess/utest/ustubs.cpp b/lib/libaccess/utest/ustubs.cpp index 425bf11e..61a0845e 100644 --- a/lib/libaccess/utest/ustubs.cpp +++ b/lib/libaccess/utest/ustubs.cpp @@ -86,11 +86,6 @@ ldapu_err2string(int err) return errbuf; } - -void init_ldb_rwlock () -{ -} - #ifdef notdef char *system_errmsg() { |