mirror of
https://github.com/ArcaneChat/android.git
synced 2026-07-03 14:05:24 +02:00
570 lines
14 KiB
C
570 lines
14 KiB
C
/* $OpenLDAP: pkg/ldap/contrib/ldapsasl/ldapdb.c,v 1.1.2.7 2003/11/29 22:10:03 hyc Exp $ */
|
|
/* SASL LDAP auxprop+canonuser implementation
|
|
* Copyright (C) 2002-2007 Howard Chu, All rights reserved. <hyc@symas.com>
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted only as authorized by the OpenLDAP
|
|
* Public License.
|
|
*
|
|
* A copy of this license is available in the file LICENSE in the
|
|
* top-level directory of the distribution or, alternatively, at
|
|
* <http://www.OpenLDAP.org/license.html>.
|
|
*/
|
|
|
|
#include <config.h>
|
|
|
|
#include <stdio.h>
|
|
#include <ctype.h>
|
|
|
|
#include "sasl.h"
|
|
#include "saslutil.h"
|
|
#include "saslplug.h"
|
|
|
|
#include "plugin_common.h"
|
|
|
|
#include <ldap.h>
|
|
|
|
static char ldapdb[] = "ldapdb";
|
|
|
|
typedef struct ldapctx {
|
|
int inited; /* Have we already read the config? */
|
|
const char *uri; /* URI of LDAP server */
|
|
struct berval id; /* SASL authcid to bind as */
|
|
struct berval pw; /* password for bind */
|
|
struct berval mech; /* SASL mech */
|
|
int use_tls; /* Issue StartTLS request? */
|
|
struct berval canon; /* Use attr in user entry for canonical name */
|
|
} ldapctx;
|
|
|
|
static ldapctx ldapdb_ctx;
|
|
|
|
static int ldapdb_interact(LDAP *ld, unsigned flags __attribute__((unused)),
|
|
void *def, void *inter)
|
|
{
|
|
sasl_interact_t *in = inter;
|
|
ldapctx *ctx = def;
|
|
struct berval p;
|
|
|
|
for (;in->id != SASL_CB_LIST_END;in++)
|
|
{
|
|
p.bv_val = NULL;
|
|
switch(in->id)
|
|
{
|
|
case SASL_CB_GETREALM:
|
|
ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &p.bv_val);
|
|
if (p.bv_val) p.bv_len = strlen(p.bv_val);
|
|
break;
|
|
case SASL_CB_AUTHNAME:
|
|
p = ctx->id;
|
|
break;
|
|
case SASL_CB_PASS:
|
|
p = ctx->pw;
|
|
break;
|
|
}
|
|
if (p.bv_val)
|
|
{
|
|
in->result = p.bv_val;
|
|
in->len = p.bv_len;
|
|
}
|
|
}
|
|
return LDAP_SUCCESS;
|
|
}
|
|
|
|
typedef struct connparm {
|
|
LDAP *ld;
|
|
LDAPControl c;
|
|
LDAPControl *ctrl[2];
|
|
struct berval *dn;
|
|
} connparm;
|
|
|
|
static int ldapdb_connect(ldapctx *ctx, sasl_server_params_t *sparams,
|
|
const char *user, unsigned ulen, connparm *cp)
|
|
{
|
|
int i;
|
|
char *authzid;
|
|
|
|
if((i=ldap_initialize(&cp->ld, ctx->uri))) {
|
|
return i;
|
|
}
|
|
|
|
authzid = sparams->utils->malloc(ulen + sizeof("u:"));
|
|
if (!authzid) {
|
|
return LDAP_NO_MEMORY;
|
|
}
|
|
strcpy(authzid, "u:");
|
|
strcpy(authzid+2, user);
|
|
cp->c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
|
|
cp->c.ldctl_value.bv_val = authzid;
|
|
cp->c.ldctl_value.bv_len = ulen + 2;
|
|
cp->c.ldctl_iscritical = 1;
|
|
|
|
i = LDAP_VERSION3;
|
|
ldap_set_option(cp->ld, LDAP_OPT_PROTOCOL_VERSION, &i);
|
|
|
|
/* If TLS is set and it fails, continue or bail out as requested */
|
|
if (ctx->use_tls && (i=ldap_start_tls_s(cp->ld, NULL, NULL)) != LDAP_SUCCESS
|
|
&& ctx->use_tls > 1) {
|
|
sparams->utils->free(authzid);
|
|
return i;
|
|
}
|
|
|
|
i = ldap_sasl_interactive_bind_s(cp->ld, NULL, ctx->mech.bv_val, NULL,
|
|
NULL, LDAP_SASL_QUIET, ldapdb_interact, ctx);
|
|
if (i != LDAP_SUCCESS) {
|
|
sparams->utils->free(authzid);
|
|
return i;
|
|
}
|
|
|
|
cp->ctrl[0] = &cp->c;
|
|
cp->ctrl[1] = NULL;
|
|
i = ldap_whoami_s(cp->ld, &cp->dn, cp->ctrl, NULL);
|
|
if (i == LDAP_SUCCESS && cp->dn) {
|
|
if (!cp->dn->bv_val || strncmp(cp->dn->bv_val, "dn:", 3)) {
|
|
ber_bvfree(cp->dn);
|
|
cp->dn = NULL;
|
|
i = LDAP_INVALID_SYNTAX;
|
|
} else {
|
|
cp->c.ldctl_value = *(cp->dn);
|
|
}
|
|
}
|
|
sparams->utils->free(authzid);
|
|
return i;
|
|
}
|
|
|
|
static int ldapdb_auxprop_lookup(void *glob_context,
|
|
sasl_server_params_t *sparams,
|
|
unsigned flags,
|
|
const char *user,
|
|
unsigned ulen)
|
|
{
|
|
ldapctx *ctx = glob_context;
|
|
connparm cp;
|
|
int ret, i, n, *aindx;
|
|
int result;
|
|
int j;
|
|
const struct propval *pr;
|
|
struct berval **bvals;
|
|
LDAPMessage *msg, *res;
|
|
char **attrs = NULL;
|
|
|
|
if(!ctx || !sparams || !user) return SASL_BADPARAM;
|
|
|
|
pr = sparams->utils->prop_get(sparams->propctx);
|
|
if (!pr) return SASL_FAIL;
|
|
|
|
/* count how many attrs to fetch */
|
|
for(i = 0, n = 0; pr[i].name; i++) {
|
|
if(pr[i].name[0] == '*' && (flags & SASL_AUXPROP_AUTHZID))
|
|
continue;
|
|
if(pr[i].values && !(flags & SASL_AUXPROP_OVERRIDE))
|
|
continue;
|
|
n++;
|
|
}
|
|
|
|
/* nothing to do, bail out */
|
|
if (!n) return SASL_OK;
|
|
|
|
/* alloc an array of attr names for search, and index to the props */
|
|
attrs = sparams->utils->malloc((n+1)*sizeof(char *)*2);
|
|
if (!attrs) {
|
|
result = SASL_NOMEM;
|
|
goto done;
|
|
}
|
|
|
|
aindx = (int *)(attrs + n + 1);
|
|
|
|
/* copy attr list */
|
|
for (i=0, n=0; pr[i].name; i++) {
|
|
if(pr[i].name[0] == '*' && (flags & SASL_AUXPROP_AUTHZID))
|
|
continue;
|
|
if(pr[i].values && !(flags & SASL_AUXPROP_OVERRIDE))
|
|
continue;
|
|
attrs[n] = (char *)pr[i].name;
|
|
if (pr[i].name[0] == '*') attrs[n]++;
|
|
aindx[n] = i;
|
|
n++;
|
|
}
|
|
attrs[n] = NULL;
|
|
|
|
if ((ret = ldapdb_connect(ctx, sparams, user, ulen, &cp)) != LDAP_SUCCESS) {
|
|
goto process_ldap_error;
|
|
}
|
|
|
|
ret = ldap_search_ext_s(cp.ld, cp.dn->bv_val+3, LDAP_SCOPE_BASE,
|
|
"(objectclass=*)", attrs, 0, cp.ctrl, NULL, NULL, 1, &res);
|
|
ber_bvfree(cp.dn);
|
|
|
|
if (ret != LDAP_SUCCESS) {
|
|
goto process_ldap_error;
|
|
}
|
|
|
|
/* Assume no user by default */
|
|
ret = LDAP_NO_SUCH_OBJECT;
|
|
|
|
for (msg = ldap_first_message(cp.ld, res);
|
|
msg;
|
|
msg = ldap_next_message(cp.ld, msg)) {
|
|
if (ldap_msgtype(msg) != LDAP_RES_SEARCH_ENTRY) continue;
|
|
|
|
/* Presence of a search result response indicates that the user exists */
|
|
ret = LDAP_SUCCESS;
|
|
|
|
for (i = 0; i < n; i++) {
|
|
bvals = ldap_get_values_len(cp.ld, msg, attrs[i]);
|
|
if (!bvals) continue;
|
|
|
|
if (pr[aindx[i]].values) {
|
|
sparams->utils->prop_erase(sparams->propctx, pr[aindx[i]].name);
|
|
}
|
|
|
|
for ( j = 0; bvals[j] != NULL; j++ ) {
|
|
sparams->utils->prop_set(sparams->propctx,
|
|
pr[aindx[i]].name,
|
|
bvals[j]->bv_val,
|
|
bvals[j]->bv_len);
|
|
}
|
|
ber_bvecfree(bvals);
|
|
}
|
|
}
|
|
ldap_msgfree(res);
|
|
|
|
process_ldap_error:
|
|
switch (ret) {
|
|
case LDAP_SUCCESS:
|
|
result = SASL_OK;
|
|
break;
|
|
|
|
case LDAP_NO_SUCH_OBJECT:
|
|
result = SASL_NOUSER;
|
|
break;
|
|
|
|
case LDAP_NO_MEMORY:
|
|
result = SASL_NOMEM;
|
|
break;
|
|
|
|
case LDAP_SERVER_DOWN:
|
|
case LDAP_BUSY:
|
|
case LDAP_UNAVAILABLE:
|
|
case LDAP_CONNECT_ERROR:
|
|
result = SASL_UNAVAIL;
|
|
break;
|
|
|
|
#if defined(LDAP_PROXY_AUTHZ_FAILURE)
|
|
case LDAP_PROXY_AUTHZ_FAILURE:
|
|
#endif
|
|
case LDAP_INAPPROPRIATE_AUTH:
|
|
case LDAP_INVALID_CREDENTIALS:
|
|
case LDAP_INSUFFICIENT_ACCESS:
|
|
result = SASL_BADAUTH;
|
|
break;
|
|
|
|
default:
|
|
result = SASL_FAIL;
|
|
break;
|
|
}
|
|
|
|
done:
|
|
if(attrs) sparams->utils->free(attrs);
|
|
if(cp.ld) ldap_unbind_ext(cp.ld, NULL, NULL);
|
|
|
|
return result;
|
|
}
|
|
|
|
static int ldapdb_auxprop_store(void *glob_context,
|
|
sasl_server_params_t *sparams,
|
|
struct propctx *prctx,
|
|
const char *user,
|
|
unsigned ulen)
|
|
{
|
|
ldapctx *ctx = glob_context;
|
|
connparm cp;
|
|
const struct propval *pr;
|
|
int i, n;
|
|
LDAPMod **mods;
|
|
|
|
/* just checking if we are enabled */
|
|
if (!prctx) return SASL_OK;
|
|
|
|
if (!sparams || !user) return SASL_BADPARAM;
|
|
|
|
pr = sparams->utils->prop_get(prctx);
|
|
if (!pr) return SASL_BADPARAM;
|
|
|
|
for (n=0; pr[n].name; n++);
|
|
if (!n) return SASL_BADPARAM;
|
|
|
|
mods = sparams->utils->malloc((n+1) * sizeof(LDAPMod*) + n * sizeof(LDAPMod));
|
|
if (!mods) return SASL_NOMEM;
|
|
|
|
if((i=ldapdb_connect(ctx, sparams, user, ulen, &cp)) == 0) {
|
|
|
|
for (i=0; i<n; i++) {
|
|
mods[i] = (LDAPMod *)((char *)(mods+n+1) + i * sizeof(LDAPMod));
|
|
mods[i]->mod_op = LDAP_MOD_REPLACE;
|
|
mods[i]->mod_type = (char *)pr[i].name;
|
|
mods[i]->mod_values = (char **)pr[i].values;
|
|
}
|
|
mods[i] = NULL;
|
|
|
|
i = ldap_modify_ext_s(cp.ld, cp.dn->bv_val+3, mods, cp.ctrl, NULL);
|
|
ber_bvfree(cp.dn);
|
|
}
|
|
|
|
sparams->utils->free(mods);
|
|
|
|
if (i) {
|
|
sparams->utils->seterror(sparams->utils->conn, 0,
|
|
ldap_err2string(i));
|
|
if (i == LDAP_NO_MEMORY) i = SASL_NOMEM;
|
|
else i = SASL_FAIL;
|
|
}
|
|
if(cp.ld) ldap_unbind_ext(cp.ld, NULL, NULL);
|
|
return i;
|
|
}
|
|
|
|
static int
|
|
ldapdb_canon_server(void *glob_context,
|
|
sasl_server_params_t *sparams,
|
|
const char *user,
|
|
unsigned ulen,
|
|
unsigned flags,
|
|
char *out,
|
|
unsigned out_max,
|
|
unsigned *out_ulen)
|
|
{
|
|
ldapctx *ctx = glob_context;
|
|
connparm cp;
|
|
struct berval **bvals;
|
|
LDAPMessage *msg, *res;
|
|
char *rdn, *attrs[2];
|
|
unsigned len;
|
|
int ret;
|
|
|
|
if(!ctx || !sparams || !user) return SASL_BADPARAM;
|
|
|
|
/* If no canon attribute was configured, we can't do anything */
|
|
if(!ctx->canon.bv_val) return SASL_BADPARAM;
|
|
|
|
/* Trim whitespace */
|
|
while(isspace(*(unsigned char *)user)) {
|
|
user++;
|
|
ulen--;
|
|
}
|
|
while(isspace((unsigned char)user[ulen-1])) {
|
|
ulen--;
|
|
}
|
|
|
|
if (!ulen) {
|
|
sparams->utils->seterror(sparams->utils->conn, 0,
|
|
"All-whitespace username.");
|
|
return SASL_FAIL;
|
|
}
|
|
|
|
ret = ldapdb_connect(ctx, sparams, user, ulen, &cp);
|
|
if ( ret ) goto done;
|
|
|
|
/* See if the RDN uses the canon attr. If so, just use the RDN
|
|
* value, we don't need to do a search.
|
|
*/
|
|
rdn = cp.dn->bv_val+3;
|
|
if (!strncasecmp(ctx->canon.bv_val, rdn, ctx->canon.bv_len) &&
|
|
rdn[ctx->canon.bv_len] == '=') {
|
|
char *comma;
|
|
rdn += ctx->canon.bv_len + 1;
|
|
comma = strchr(rdn, ',');
|
|
if ( comma )
|
|
len = comma - rdn;
|
|
else
|
|
len = cp.dn->bv_len - (rdn - cp.dn->bv_val);
|
|
if ( len > out_max )
|
|
len = out_max;
|
|
memcpy(out, rdn, len);
|
|
out[len] = '\0';
|
|
*out_ulen = len;
|
|
ret = SASL_OK;
|
|
ber_bvfree(cp.dn);
|
|
goto done;
|
|
}
|
|
|
|
/* Have to read the user's entry */
|
|
attrs[0] = ctx->canon.bv_val;
|
|
attrs[1] = NULL;
|
|
ret = ldap_search_ext_s(cp.ld, cp.dn->bv_val+3, LDAP_SCOPE_BASE,
|
|
"(objectclass=*)", attrs, 0, cp.ctrl, NULL, NULL, 1, &res);
|
|
ber_bvfree(cp.dn);
|
|
|
|
if (ret != LDAP_SUCCESS) goto done;
|
|
|
|
for(msg=ldap_first_message(cp.ld, res); msg; msg=ldap_next_message(cp.ld, msg))
|
|
{
|
|
if (ldap_msgtype(msg) != LDAP_RES_SEARCH_ENTRY) continue;
|
|
bvals = ldap_get_values_len(cp.ld, msg, attrs[0]);
|
|
if (!bvals) continue;
|
|
len = bvals[0]->bv_len;
|
|
if ( len > out_max )
|
|
len = out_max;
|
|
memcpy(out, bvals[0]->bv_val, len);
|
|
*out_ulen = len;
|
|
ber_bvecfree(bvals);
|
|
}
|
|
ldap_msgfree(res);
|
|
|
|
done:
|
|
if(cp.ld) ldap_unbind_ext(cp.ld, NULL, NULL);
|
|
if (ret) {
|
|
sparams->utils->seterror(sparams->utils->conn, 0,
|
|
ldap_err2string(ret));
|
|
if (ret == LDAP_NO_MEMORY) ret = SASL_NOMEM;
|
|
else ret = SASL_FAIL;
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
static int
|
|
ldapdb_canon_client(void *glob_context,
|
|
sasl_client_params_t *cparams,
|
|
const char *user,
|
|
unsigned ulen,
|
|
unsigned flags,
|
|
char *out,
|
|
unsigned out_max,
|
|
unsigned *out_ulen)
|
|
{
|
|
if(!cparams || !user) return SASL_BADPARAM;
|
|
|
|
/* Trim whitespace */
|
|
while(isspace(*(unsigned char *)user)) {
|
|
user++;
|
|
ulen--;
|
|
}
|
|
while(isspace((unsigned char)user[ulen-1])) {
|
|
ulen--;
|
|
}
|
|
|
|
if (!ulen) {
|
|
cparams->utils->seterror(cparams->utils->conn, 0,
|
|
"All-whitespace username.");
|
|
return SASL_FAIL;
|
|
}
|
|
|
|
if (ulen > out_max) return SASL_BUFOVER;
|
|
|
|
memcpy(out, user, ulen);
|
|
out[ulen] = '\0';
|
|
*out_ulen = ulen;
|
|
return SASL_OK;
|
|
}
|
|
|
|
static int
|
|
ldapdb_config(const sasl_utils_t *utils)
|
|
{
|
|
ldapctx *p = &ldapdb_ctx;
|
|
const char *s;
|
|
unsigned len;
|
|
|
|
if(p->inited) return SASL_OK;
|
|
|
|
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_uri", &p->uri, NULL);
|
|
if(!p->uri) return SASL_BADPARAM;
|
|
|
|
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_id",
|
|
(const char **)&p->id.bv_val, &len);
|
|
p->id.bv_len = len;
|
|
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_pw",
|
|
(const char **)&p->pw.bv_val, &len);
|
|
p->pw.bv_len = len;
|
|
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_mech",
|
|
(const char **)&p->mech.bv_val, &len);
|
|
p->mech.bv_len = len;
|
|
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_starttls", &s, NULL);
|
|
if (s)
|
|
{
|
|
if (!strcasecmp(s, "demand")) p->use_tls = 2;
|
|
else if (!strcasecmp(s, "try")) p->use_tls = 1;
|
|
}
|
|
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_rc", &s, &len);
|
|
if (s)
|
|
{
|
|
char *str = utils->malloc(sizeof("LDAPRC=")+len);
|
|
if (!str) return SASL_NOMEM;
|
|
strcpy( str, "LDAPRC=" );
|
|
strcpy( str + sizeof("LDAPRC=")-1, s );
|
|
if (putenv(str))
|
|
{
|
|
utils->free(str);
|
|
return SASL_NOMEM;
|
|
}
|
|
}
|
|
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_canon_attr",
|
|
(const char **)&p->canon.bv_val, &len);
|
|
p->canon.bv_len = len;
|
|
p->inited = 1;
|
|
|
|
return SASL_OK;
|
|
}
|
|
|
|
static sasl_auxprop_plug_t ldapdb_auxprop_plugin = {
|
|
0, /* Features */
|
|
0, /* spare */
|
|
&ldapdb_ctx, /* glob_context */
|
|
NULL, /* auxprop_free */
|
|
ldapdb_auxprop_lookup, /* auxprop_lookup */
|
|
ldapdb, /* name */
|
|
ldapdb_auxprop_store /* auxprop store */
|
|
};
|
|
|
|
int ldapdb_auxprop_plug_init(const sasl_utils_t *utils,
|
|
int max_version,
|
|
int *out_version,
|
|
sasl_auxprop_plug_t **plug,
|
|
const char *plugname __attribute__((unused)))
|
|
{
|
|
int rc;
|
|
|
|
if(!out_version || !plug) return SASL_BADPARAM;
|
|
|
|
if(max_version < SASL_AUXPROP_PLUG_VERSION) return SASL_BADVERS;
|
|
|
|
rc = ldapdb_config(utils);
|
|
|
|
*out_version = SASL_AUXPROP_PLUG_VERSION;
|
|
|
|
*plug = &ldapdb_auxprop_plugin;
|
|
|
|
return rc;
|
|
}
|
|
|
|
static sasl_canonuser_plug_t ldapdb_canonuser_plugin = {
|
|
0, /* features */
|
|
0, /* spare */
|
|
&ldapdb_ctx, /* glob_context */
|
|
ldapdb, /* name */
|
|
NULL, /* canon_user_free */
|
|
ldapdb_canon_server, /* canon_user_server */
|
|
ldapdb_canon_client, /* canon_user_client */
|
|
NULL,
|
|
NULL,
|
|
NULL
|
|
};
|
|
|
|
int ldapdb_canonuser_plug_init(const sasl_utils_t *utils,
|
|
int max_version,
|
|
int *out_version,
|
|
sasl_canonuser_plug_t **plug,
|
|
const char *plugname __attribute__((unused)))
|
|
{
|
|
int rc;
|
|
|
|
if(!out_version || !plug) return SASL_BADPARAM;
|
|
|
|
if(max_version < SASL_CANONUSER_PLUG_VERSION) return SASL_BADVERS;
|
|
|
|
rc = ldapdb_config(utils);
|
|
|
|
*out_version = SASL_CANONUSER_PLUG_VERSION;
|
|
|
|
*plug = &ldapdb_canonuser_plugin;
|
|
|
|
return rc;
|
|
}
|