2 /* SASL LDAP auxprop implementation
3 * Copyright (C) 2002,2003 Howard Chu, All rights reserved. <hyc@symas.com>
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted only as authorized by the OpenLDAP
9 * A copy of this license is available in the file LICENSE in the
10 * top-level directory of the distribution or, alternatively, at
11 * <http://www.OpenLDAP.org/license.html>.
22 #ifndef SASL_VERSION_FULL
23 #define SASL_VERSION_FULL ((SASL_VERSION_MAJOR << 16) |\
24 (SASL_VERSION_MINOR << 8) |SASL_VERSION_STEP)
27 #include "plugin_common.h"
31 static char ldapdb[] = "ldapdb";
33 typedef struct ldapctx {
34 const char *uri; /* URI of LDAP server */
35 struct berval id; /* SASL authcid to bind as */
36 struct berval pw; /* password for bind */
37 struct berval mech; /* SASL mech */
38 int use_tls; /* Issue StartTLS request? */
41 static int ldapdb_interact(LDAP *ld, unsigned flags __attribute__((unused)),
42 void *def, void *inter)
44 sasl_interact_t *in = inter;
48 for (;in->id != SASL_CB_LIST_END;in++)
53 case SASL_CB_GETREALM:
54 ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &p.bv_val);
55 if (p.bv_val) p.bv_len = strlen(p.bv_val);
57 case SASL_CB_AUTHNAME:
66 in->result = p.bv_val;
73 typedef struct connparm {
80 static int ldapdb_connect(ldapctx *ctx, sasl_server_params_t *sparams,
81 const char *user, unsigned ulen, connparm *cp)
86 if((i=ldap_initialize(&cp->ld, ctx->uri))) {
90 authzid = sparams->utils->malloc(ulen + sizeof("u:"));
92 return LDAP_NO_MEMORY;
94 strcpy(authzid, "u:");
95 strcpy(authzid+2, user);
96 cp->c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
97 cp->c.ldctl_value.bv_val = authzid;
98 cp->c.ldctl_value.bv_len = ulen + 2;
99 cp->c.ldctl_iscritical = 1;
102 ldap_set_option(cp->ld, LDAP_OPT_PROTOCOL_VERSION, &i);
104 /* If TLS is set and it fails, continue or bail out as requested */
105 if (ctx->use_tls && (i=ldap_start_tls_s(cp->ld, NULL, NULL)) != LDAP_SUCCESS
106 && ctx->use_tls > 1) {
107 sparams->utils->free(authzid);
111 i = ldap_sasl_interactive_bind_s(cp->ld, NULL, ctx->mech.bv_val, NULL,
112 NULL, LDAP_SASL_QUIET, ldapdb_interact, ctx);
113 if (i != LDAP_SUCCESS) {
114 sparams->utils->free(authzid);
118 cp->ctrl[0] = &cp->c;
120 i = ldap_whoami_s(cp->ld, &cp->dn, cp->ctrl, NULL);
121 if (i == LDAP_SUCCESS && cp->dn) {
122 if (!cp->dn->bv_val || strncmp(cp->dn->bv_val, "dn:", 3)) {
125 i = LDAP_INVALID_SYNTAX;
127 cp->c.ldctl_value = *(cp->dn);
130 sparams->utils->free(authzid);
134 static void ldapdb_auxprop_lookup(void *glob_context,
135 sasl_server_params_t *sparams,
140 ldapctx *ctx = glob_context;
142 int ret, i, n, *aindx;
143 const struct propval *pr;
144 struct berval **bvals;
145 LDAPMessage *msg, *res;
148 if(!ctx || !sparams || !user) return;
150 pr = sparams->utils->prop_get(sparams->propctx);
153 /* count how many attrs to fetch */
154 for(i = 0, n = 0; pr[i].name; i++) {
155 if(pr[i].name[0] == '*' && (flags & SASL_AUXPROP_AUTHZID))
157 if(pr[i].values && !(flags & SASL_AUXPROP_OVERRIDE))
161 /* nothing to do, bail out */
164 /* alloc an array of attr names for search, and index to the props */
165 attrs = sparams->utils->malloc((n+1)*sizeof(char *)*2);
168 aindx = (int *)(attrs + n + 1);
171 for (i=0, n=0; pr[i].name; i++) {
172 if(pr[i].name[0] == '*' && (flags & SASL_AUXPROP_AUTHZID))
174 if(pr[i].values && !(flags & SASL_AUXPROP_OVERRIDE))
176 attrs[n] = (char *)pr[i].name;
177 if (pr[i].name[0] == '*') attrs[n]++;
183 if(ldapdb_connect(ctx, sparams, user, ulen, &cp)) {
187 ret = ldap_search_ext_s(cp.ld, cp.dn->bv_val+3, LDAP_SCOPE_BASE,
188 "(objectclass=*)", attrs, 0, cp.ctrl, NULL, NULL, 1, &res);
191 if (ret != LDAP_SUCCESS) goto done;
193 for(msg=ldap_first_message(cp.ld, res); msg; msg=ldap_next_message(cp.ld, msg))
195 if (ldap_msgtype(msg) != LDAP_RES_SEARCH_ENTRY) continue;
198 bvals = ldap_get_values_len(cp.ld, msg, attrs[i]);
199 if (!bvals) continue;
200 if (pr[aindx[i]].values)
201 sparams->utils->prop_erase(sparams->propctx, pr[aindx[i]].name);
202 sparams->utils->prop_set(sparams->propctx, pr[aindx[i]].name,
203 bvals[0]->bv_val, bvals[0]->bv_len);
210 if(attrs) sparams->utils->free(attrs);
211 if(cp.ld) ldap_unbind(cp.ld);
214 #if SASL_VERSION_FULL >= 0x020110
215 static int ldapdb_auxprop_store(void *glob_context,
216 sasl_server_params_t *sparams,
217 struct propctx *prctx,
221 ldapctx *ctx = glob_context;
223 const struct propval *pr;
227 /* just checking if we are enabled */
228 if (!prctx) return SASL_OK;
230 if (!sparams || !user) return SASL_BADPARAM;
232 pr = sparams->utils->prop_get(prctx);
233 if (!pr) return SASL_BADPARAM;
235 for (n=0; pr[n].name; n++);
236 if (!n) return SASL_BADPARAM;
238 mods = sparams->utils->malloc((n+1) * sizeof(LDAPMod*) + n * sizeof(LDAPMod));
239 if (!mods) return SASL_NOMEM;
241 if((i=ldapdb_connect(ctx, sparams, user, ulen, &cp)) == 0) {
243 for (i=0; i<n; i++) {
244 mods[i] = (LDAPMod *)((char *)(mods+n+1) + i * sizeof(LDAPMod));
245 mods[i]->mod_op = LDAP_MOD_REPLACE;
246 mods[i]->mod_type = (char *)pr[i].name;
247 mods[i]->mod_values = (char **)pr[i].values;
251 i = ldap_modify_ext_s(cp.ld, cp.dn->bv_val+3, mods, cp.ctrl, NULL);
255 sparams->utils->free(mods);
258 sparams->utils->seterror(sparams->utils->conn, 0,
260 if (i == LDAP_NO_MEMORY) i = SASL_NOMEM;
263 if (cp.ld) ldap_unbind(cp.ld);
266 #endif /* SASL_VERSION_FULL >= 2.1.16 */
268 static void ldapdb_auxprop_free(void *glob_ctx, const sasl_utils_t *utils)
270 utils->free(glob_ctx);
273 static sasl_auxprop_plug_t ldapdb_auxprop_plugin = {
276 NULL, /* glob_context */
277 ldapdb_auxprop_free, /* auxprop_free */
278 ldapdb_auxprop_lookup, /* auxprop_lookup */
280 #if SASL_VERSION_FULL >=0x020110
281 ldapdb_auxprop_store /* spare if <2.1.16*/
287 static int ldapdb_auxprop_plug_init(const sasl_utils_t *utils,
290 sasl_auxprop_plug_t **plug,
291 const char *plugname __attribute__((unused)))
297 if(!out_version || !plug) return SASL_BADPARAM;
299 if(max_version < SASL_AUXPROP_PLUG_VERSION) return SASL_BADVERS;
301 memset(&tmp, 0, sizeof(tmp));
303 utils->getopt(utils->getopt_context, ldapdb, "ldapdb_uri", &tmp.uri, NULL);
304 if(!tmp.uri) return SASL_BADPARAM;
306 utils->getopt(utils->getopt_context, ldapdb, "ldapdb_id",
307 (const char **)&tmp.id.bv_val, &len);
309 utils->getopt(utils->getopt_context, ldapdb, "ldapdb_pw",
310 (const char **)&tmp.pw.bv_val, &len);
312 utils->getopt(utils->getopt_context, ldapdb, "ldapdb_mech",
313 (const char **)&tmp.mech.bv_val, &len);
314 tmp.mech.bv_len = len;
315 utils->getopt(utils->getopt_context, ldapdb, "ldapdb_starttls", &s, NULL);
318 if (!strcasecmp(s, "demand")) tmp.use_tls = 2;
319 else if (!strcasecmp(s, "try")) tmp.use_tls = 1;
321 utils->getopt(utils->getopt_context, ldapdb, "ldapdb_rc", &s, &len);
324 char *str = utils->malloc(sizeof("LDAPRC=")+len);
325 if (!str) return SASL_NOMEM;
326 strcpy( str, "LDAPRC=" );
327 strcpy( str + sizeof("LDAPRC=")-1, s );
335 p = utils->malloc(sizeof(ldapctx));
336 if (!p) return SASL_NOMEM;
338 ldapdb_auxprop_plugin.glob_context = p;
340 *out_version = SASL_AUXPROP_PLUG_VERSION;
342 *plug = &ldapdb_auxprop_plugin;
347 SASL_AUXPROP_PLUG_INIT( ldapdb )