/** BEGIN COPYRIGHT BLOCK
* Copyright 2001 Sun Microsystems, Inc.
* Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
* All rights reserved.
* END COPYRIGHT BLOCK **/
#include <stdio.h>
#include <certmap.h>
#ifdef __cplusplus
extern "C" {
#endif
/* The init function must be defined extern "C" if using a C++ compiler */
int plugin_init_fn (void *certmap_info, const char *issuerName,
const char *issuerDN);
#ifdef __cplusplus
}
#endif
/*
 * Placeholder for the issuer-specific mapping logic: derive the LDAP entry
 * DN and/or search filter from the certificate's subject DN.
 *
 * subjdn       subject DN of the certificate being mapped, as returned by
 *              ldapu_get_cert_subject_dn() in plugin_mapping_fn. It is taken
 *              from the certificate itself (presumably one presented by an
 *              authenticating client), so treat it as untrusted input: any
 *              DN component copied into an LDAP filter must be escaped,
 *              otherwise a crafted subject can alter the search.
 * certmap_info opaque handle for this issuer's certmap.conf section;
 *              ldapu_certmap_info_attrval() reads its parameters.
 * ldapDN       out: DN of the entry to look up, or left NULL
 * filter       out: search filter to use, or left NULL
 *
 * Returns LDAPU_SUCCESS; the caller maps any other value to
 * LDAPU_CERT_MAP_FUNCTION_FAILED.
 *
 * NOTE(review): this stub sets neither output and always reports success,
 * so the caller continues with *ldapDN == NULL and *filter == NULL. How the
 * library treats that combination is not visible in this file — TODO confirm
 * before using this sample as a starting point.
 */
static int extract_ldapdn_and_filter (const char *subjdn, void *certmap_info,
char **ldapDN, char **filter)
{
/* extract the ldapDN and filter from subjdn */
/* You can also use the ldapu_certmap_info_attrval function to get value
of a config file parameter for the certmap_info. */
return LDAPU_SUCCESS;
}
/*
 * Mapping hook registered through ldapu_set_cert_mapfn(): turns the
 * certificate into an LDAP DN and/or search filter for the entry lookup.
 *
 * cert         certificate being mapped (opaque to this plugin)
 * ld           LDAP connection handle (not used by this sample)
 * certmap_info opaque handle for this issuer's certmap.conf section
 * ldapDN, filter  out parameters; both are reset to NULL before the
 *              extraction step runs, so a no-op extractor yields no DN and
 *              no filter
 *
 * Returns LDAPU_SUCCESS; the status of ldapu_get_cert_subject_dn() is
 * propagated unchanged when it fails; any extraction failure is reported as
 * LDAPU_CERT_MAP_FUNCTION_FAILED, one of the two error codes (with
 * LDAPU_FAILED) the library accepts from a mapping function.
 *
 * NOTE(review): the subject DN string is never released. Whether
 * ldapu_get_cert_subject_dn() hands back an allocation the caller owns is
 * not visible in this file — TODO confirm and free it if so.
 */
static int plugin_mapping_fn (void *cert, LDAP *ld, void *certmap_info,
char **ldapDN, char **filter)
{
    char *subject_dn = NULL;
    int status;

    fputs("plugin_mapping_fn called.\n", stderr);

    status = ldapu_get_cert_subject_dn(cert, &subject_dn);
    if (status != LDAPU_SUCCESS)
        return status;

    /* Start from "nothing found"; the extractor fills these in. */
    *ldapDN = NULL;
    *filter = NULL;

    status = extract_ldapdn_and_filter(subject_dn, certmap_info,
                                       ldapDN, filter);

    /* Collapse every extraction error onto the code the library expects. */
    return (status == LDAPU_SUCCESS) ? LDAPU_SUCCESS
                                     : LDAPU_CERT_MAP_FUNCTION_FAILED;
}
/*
 * Placeholder comparison between the certificate being verified and one
 * userCertificate;binary value read from a candidate entry.
 *
 * subject_cert      certificate under verification (opaque to this plugin)
 * entry_cert_binary raw bytes of the stored attribute value
 * entry_cert_len    length of entry_cert_binary in bytes
 *
 * Returns LDAPU_SUCCESS when the two certificates are the same; any other
 * value means "no match" and plugin_verify_fn moves on to the next value.
 *
 * WARNING(review): as written this stub returns LDAPU_SUCCESS without
 * looking at either argument, so plugin_verify_fn accepts the first entry
 * that carries any userCertificate;binary value at all — the verification
 * step is effectively disabled. A real implementation must compare the
 * stored DER bytes against the presented certificate's DER (same length and
 * identical contents) and return a failure code otherwise. Do not deploy
 * this sample with the stub in place.
 */
static int plugin_cmp_certs (void *subject_cert,
void *entry_cert_binary,
unsigned long entry_cert_len)
{
/* compare the certs */
return LDAPU_SUCCESS;
}
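/*
 * Verification hook registered through ldapu_set_cert_verifyfn(): walks the
 * entries found by the mapping step and selects the first one that holds a
 * userCertificate;binary value plugin_cmp_certs() accepts.
 *
 * cert         certificate to verify (opaque)
 * ld           connection the search was run on
 * certmap_info opaque per-issuer handle (not used by this sample)
 * res          search result to scan
 * entry_out    out: the matching entry, or NULL when nothing matched
 *
 * Returns LDAPU_SUCCESS when an entry matched. Otherwise it returns
 * LDAPU_CERT_VERIFY_FUNCTION_FAILED, or whatever non-success code the last
 * plugin_cmp_certs() call produced.
 *
 * Fix: rv used to be left uninitialized, so an empty result set (or an entry
 * whose value array contained no elements) returned an indeterminate value —
 * undefined behaviour that the library might well read as success with
 * *entry_out == NULL. rv now starts at LDAPU_CERT_VERIFY_FUNCTION_FAILED and
 * is reset for every entry, so the function fails closed unless a stored
 * certificate actually compared equal.
 */
static int plugin_verify_fn (void *cert, LDAP *ld, void *certmap_info,
LDAPMessage *res, LDAPMessage **entry_out)
{
    LDAPMessage *entry;
    struct berval **bvals;
    char *cert_attr = "userCertificate;binary";
    int i;
    int rv = LDAPU_CERT_VERIFY_FUNCTION_FAILED; /* fail closed by default */

    fprintf(stderr, "plugin_verify_fn called.\n");
    *entry_out = 0;
    for (entry = ldap_first_entry(ld, res); entry != NULL;
         entry = ldap_next_entry(ld, entry))
    {
        /* A verdict from the previous entry must not carry over. */
        rv = LDAPU_CERT_VERIFY_FUNCTION_FAILED;
        if ((bvals = ldap_get_values_len(ld, entry, cert_attr)) == NULL) {
            /* No certificate stored on this entry; maybe a later one matches. */
            continue;
        }
        /* Accept the entry as soon as one stored value matches. */
        for (i = 0; bvals[i] != NULL; i++) {
            rv = plugin_cmp_certs(cert, bvals[i]->bv_val, bvals[i]->bv_len);
            if (rv == LDAPU_SUCCESS) {
                break;
            }
        }
        ldap_value_free_len(bvals);
        if (rv == LDAPU_SUCCESS) {
            *entry_out = entry;
            break;
        }
    }
    return rv;
}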
/*
 * Plugin entry point (declared extern "C" above): registers this plugin's
 * mapping and verification hooks for the issuer identified by issuerDN.
 *
 * certmap_info opaque handle for the issuer's certmap.conf section (unused)
 * issuerName   name of that certmap.conf section (unused)
 * issuerDN     issuer DN under which both hooks are registered
 *
 * Always returns LDAPU_SUCCESS.
 *
 * NOTE(review): the results of both ldapu_set_cert_*fn() calls are
 * discarded. If they can report failure, that status should be propagated
 * so the server does not start with the hooks silently missing — TODO
 * confirm their return type.
 */
int plugin_init_fn (void *certmap_info, const char *issuerName,
const char *issuerDN)
{
    (void)certmap_info;
    (void)issuerName;

    fputs("plugin_init_fn called.\n", stderr);

    /* Both hooks are keyed by the issuer DN. */
    ldapu_set_cert_mapfn(issuerDN, plugin_mapping_fn);
    ldapu_set_cert_verifyfn(issuerDN, plugin_verify_fn);

    return LDAPU_SUCCESS;
}