1 /* SASL LDAP auxprop implementation
2 * Copyright (C) 2002,2003 Howard Chu, All rights reserved. <hyc@symas.com>
4 * Permission is granted to anyone to use this software for any purpose
5 * on any computer system, and to alter it and redistribute it, subject
6 * to the following restrictions:
8 * 1. The author is not responsible for the consequences of use of this
9 * software, no matter how awful, even if they arise from flaws in it.
11 * 2. The origin of this software must not be misrepresented, either by
12 * explicit claim or by omission. Since few users ever read sources,
13 * credits should appear in the documentation.
15 * 3. Altered versions must be plainly marked as such, and must not be
16 * misrepresented as being the original software. Since few users
17 * ever read sources, credits should appear in the documentation.
19 * 4. This notice may not be removed or altered.
30 #include "plugin_common.h"
34 static char ldapdb[] = "ldapdb";
36 typedef struct ldapctx {
37 const char *uri; /* URI of LDAP server */
38 struct berval id; /* SASL authcid to bind as */
39 struct berval pw; /* password for bind */
40 struct berval mech; /* SASL mech */
41 int use_tls; /* Issue StartTLS request? */
44 typedef struct gluectx {
46 sasl_server_params_t *lp;
49 static int ldapdb_interact(LDAP *ld, unsigned flags __attribute__((unused)),
50 void *def, void *inter)
52 sasl_interact_t *in = inter;
56 for (;in->id != SASL_CB_LIST_END;in++)
61 case SASL_CB_GETREALM:
62 ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &p.bv_val);
63 if (p.bv_val) p.bv_len = strlen(p.bv_val);
65 case SASL_CB_AUTHNAME:
74 in->result = p.bv_val;
81 static void ldapdb_auxprop_lookup(void *glob_context,
82 sasl_server_params_t *sparams,
87 ldapctx *ctx = glob_context;
88 int ret, i, n, *aindx;
89 const struct propval *pr;
92 struct berval *dn = NULL, **bvals;
93 LDAPMessage *msg, *res;
94 char **attrs = NULL, *authzid = NULL;
95 LDAPControl c, *ctrl[2];
97 if(!ctx || !sparams || !user) return;
99 pr = sparams->utils->prop_get(sparams->propctx);
102 /* count how many attrs to fetch */
103 for(i = 0, n = 0; pr[i].name; i++) {
104 if(pr[i].name[0] == '*' && (flags & SASL_AUXPROP_AUTHZID))
106 if(pr[i].values && !(flags & SASL_AUXPROP_OVERRIDE))
110 /* nothing to do, bail out */
113 /* alloc an array of attr names for search, and index to the props */
114 attrs = sparams->utils->malloc((n+1)*sizeof(char *)*2);
117 aindx = (int *)(attrs + n + 1);
120 for (i=0, n=0; pr[i].name; i++) {
121 if(pr[i].name[0] == '*' && (flags & SASL_AUXPROP_AUTHZID))
123 if(pr[i].values && !(flags & SASL_AUXPROP_OVERRIDE))
125 attrs[n] = (char *)pr[i].name;
126 if (pr[i].name[0] == '*') attrs[n]++;
132 if(ldap_initialize(&ld, ctx->uri)) {
133 sparams->utils->free(attrs);
137 authzid = sparams->utils->malloc(ulen + sizeof("u:"));
138 if (!authzid) goto done;
139 strcpy(authzid, "u:");
140 strcpy(authzid+2, user);
141 c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
142 c.ldctl_value.bv_val = authzid;
143 c.ldctl_value.bv_len = ulen + 2;
144 c.ldctl_iscritical = 1;
147 ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &i);
149 /* If TLS is set and it fails, continue or bail out as requested */
150 if (ctx->use_tls && ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
151 if (ctx->use_tls > 1) goto done;
156 ret = ldap_sasl_interactive_bind_s(ld, NULL, ctx->mech.bv_val, NULL, NULL,
157 LDAP_SASL_QUIET, ldapdb_interact, &gc);
158 if (ret != LDAP_SUCCESS) goto done;
162 ret = ldap_whoami_s(ld, &dn, ctrl, NULL);
163 if (ret != LDAP_SUCCESS || !dn) goto done;
165 if (!dn->bv_val || strncmp(dn->bv_val, "dn:", 3)) {
170 ret = ldap_search_ext_s(ld, dn->bv_val+3, LDAP_SCOPE_BASE,
171 "(objectclass=*)", attrs, 0, ctrl, NULL, NULL, 1, &res);
174 if (ret != LDAP_SUCCESS) goto done;
176 for(msg=ldap_first_message(ld, res); msg; msg=ldap_next_message(ld, msg))
178 if (ldap_msgtype(msg) != LDAP_RES_SEARCH_ENTRY) continue;
181 bvals = ldap_get_values_len(ld, msg, attrs[i]);
182 if (!bvals) continue;
183 if (pr[aindx[i]].values)
184 sparams->utils->prop_erase(sparams->propctx, pr[aindx[i]].name);
185 sparams->utils->prop_set(sparams->propctx, pr[aindx[i]].name,
186 bvals[0]->bv_val, bvals[0]->bv_len);
193 if(authzid) sparams->utils->free(authzid);
194 if(attrs) sparams->utils->free(attrs);
195 if(ld) ldap_unbind(ld);
198 static void ldapdb_auxprop_free(void *glob_ctx, const sasl_utils_t *utils)
200 utils->free(glob_ctx);
203 static sasl_auxprop_plug_t ldapdb_auxprop_plugin = {
206 NULL, /* glob_context */
207 ldapdb_auxprop_free, /* auxprop_free */
208 ldapdb_auxprop_lookup, /* auxprop_lookup */
213 static int ldapdb_auxprop_plug_init(const sasl_utils_t *utils,
216 sasl_auxprop_plug_t **plug,
217 const char *plugname __attribute__((unused)))
223 if(!out_version || !plug) return SASL_BADPARAM;
225 if(max_version < SASL_AUXPROP_PLUG_VERSION) return SASL_BADVERS;
227 memset(&tmp, 0, sizeof(tmp));
229 utils->getopt(utils->getopt_context, ldapdb, "ldapdb_uri", &tmp.uri, NULL);
230 if(!tmp.uri) return SASL_BADPARAM;
232 utils->getopt(utils->getopt_context, ldapdb, "ldapdb_id",
233 (const char **)&tmp.id.bv_val, &len);
235 utils->getopt(utils->getopt_context, ldapdb, "ldapdb_pw",
236 (const char **)&tmp.pw.bv_val, &len);
238 utils->getopt(utils->getopt_context, ldapdb, "ldapdb_mech",
239 (const char **)&tmp.mech.bv_val, &len);
240 tmp.mech.bv_len = len;
241 utils->getopt(utils->getopt_context, ldapdb, "ldapdb_starttls", &s, NULL);
244 if (!strcasecmp(s, "demand")) tmp.use_tls = 2;
245 else if (!strcasecmp(s, "try")) tmp.use_tls = 1;
247 utils->getopt(utils->getopt_context, ldapdb, "ldapdb_rc", &s, &len);
250 char *str = utils->malloc(sizeof("LDAPRC=")+len);
251 if (!str) return SASL_NOMEM;
252 strcpy( str, "LDAPRC=" );
253 strcpy( str + sizeof("LDAPRC=")-1, s );
261 p = utils->malloc(sizeof(ldapctx));
262 if (!p) return SASL_NOMEM;
264 ldapdb_auxprop_plugin.glob_context = p;
266 *out_version = SASL_AUXPROP_PLUG_VERSION;
268 *plug = &ldapdb_auxprop_plugin;
273 SASL_AUXPROP_PLUG_INIT( ldapdb )