1 /* lastbind.c - Record timestamp of the last successful bind to entries */
4 * Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
16 * This work is loosely derived from the ppolicy overlay.
22 * This file implements an overlay that stores the timestamp of the
23 * last successful bind operation in a directory entry.
25 * Optimization: to avoid performing a write on each bind,
26 * a precision for this timestamp may be configured, causing it to
27 * only be updated if it is older than a given number of seconds.
30 #ifdef SLAPD_OVER_LASTBIND
37 #include <ac/string.h>
41 /* Per-instance configuration information */
42 typedef struct lastbind_info {
43 /* precision to update timestamp in authTimestamp attribute */
44 int timestamp_precision;
47 /* Operational attributes */
48 static AttributeDescription *ad_authTimestamp;
50 /* This is the definition used by ISODE, as supplied to us in
51 * ITS#6238 Followup #9
53 static struct schema_info {
55 AttributeDescription **ad;
56 } lastBind_OpSchema[] = {
57 { "( 1.3.6.1.4.1.453.16.2.188 "
58 "NAME 'authTimestamp' "
59 "DESC 'last successful authentication using any method/mech' "
60 "EQUALITY generalizedTimeMatch "
61 "ORDERING generalizedTimeOrderingMatch "
62 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
63 "SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )",
68 /* configuration attribute and objectclass */
69 static ConfigTable lastbindcfg[] = {
70 { "lastbind-precision", "seconds", 2, 2, 0,
72 (void *)offsetof(lastbind_info, timestamp_precision),
74 "NAME 'olcLastBindPrecision' "
75 "DESC 'Precision of authTimestamp attribute' "
76 "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
77 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
80 static ConfigOCs lastbindocs[] = {
82 "NAME 'olcLastBindConfig' "
83 "DESC 'Last Bind configuration' "
84 "SUP olcOverlayConfig "
85 "MAY ( olcLastBindPrecision ) )",
86 Cft_Overlay, lastbindcfg, NULL, NULL },
91 parse_time( char *atm )
94 struct lutil_timet tt;
95 time_t ret = (time_t)-1;
97 if ( lutil_parsetime( atm, &tm ) == 0) {
98 lutil_tm2time( &tm, &tt );
105 lastbind_bind_response( Operation *op, SlapReply *rs )
107 Modifications *mod = NULL;
108 BackendInfo *bi = op->o_bd->bd_info;
112 /* we're only interested if the bind was successful */
113 if ( rs->sr_err != LDAP_SUCCESS )
114 return SLAP_CB_CONTINUE;
116 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
117 op->o_bd->bd_info = bi;
119 if ( rc != LDAP_SUCCESS ) {
120 return SLAP_CB_CONTINUE;
124 lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private;
126 time_t now, bindtime = (time_t)-1;
129 char nowstr[ LDAP_LUTIL_GENTIME_BUFSIZE ];
130 struct berval timestamp;
132 /* get the current time */
133 now = slap_get_time();
135 /* get authTimestamp attribute, if it exists */
136 if ((a = attr_find( e->e_attrs, ad_authTimestamp)) != NULL) {
137 bindtime = parse_time( a->a_nvals[0].bv_val );
139 if (bindtime != (time_t)-1) {
140 /* if the recorded bind time is within our precision, we're done
141 * it doesn't need to be updated (save a write for nothing) */
142 if ((now - bindtime) < lbi->timestamp_precision) {
148 /* update the authTimestamp in the user's entry with the current time */
149 timestamp.bv_val = nowstr;
150 timestamp.bv_len = sizeof(nowstr);
151 slap_timestamp( &now, ×tamp );
153 m = ch_calloc( sizeof(Modifications), 1 );
154 m->sml_op = LDAP_MOD_REPLACE;
156 m->sml_type = ad_authTimestamp->ad_cname;
157 m->sml_desc = ad_authTimestamp;
159 m->sml_values = ch_calloc( sizeof(struct berval), 2 );
160 m->sml_nvalues = ch_calloc( sizeof(struct berval), 2 );
162 ber_dupbv( &m->sml_values[0], ×tamp );
163 ber_dupbv( &m->sml_nvalues[0], ×tamp );
169 be_entry_release_r( op, e );
171 /* perform the update, if necessary */
174 SlapReply r2 = { REP_RESULT };
175 slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
177 /* This is a DSA-specific opattr, it never gets replicated. */
178 op2.o_tag = LDAP_REQ_MODIFY;
179 op2.o_callback = &cb;
180 op2.orm_modlist = mod;
181 op2.o_dn = op->o_bd->be_rootdn;
182 op2.o_ndn = op->o_bd->be_rootndn;
183 op2.o_dont_replicate = 1;
184 rc = op->o_bd->be_modify( &op2, &r2 );
185 slap_mods_free( mod, 1 );
188 op->o_bd->bd_info = bi;
189 return SLAP_CB_CONTINUE;
193 lastbind_bind( Operation *op, SlapReply *rs )
196 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
198 /* setup a callback to intercept result of this bind operation
199 * and pass along the lastbind_info struct */
200 cb = op->o_tmpcalloc( sizeof(slap_callback), 1, op->o_tmpmemctx );
201 cb->sc_response = lastbind_bind_response;
202 cb->sc_next = op->o_callback->sc_next;
203 cb->sc_private = on->on_bi.bi_private;
204 op->o_callback->sc_next = cb;
206 return SLAP_CB_CONTINUE;
215 slap_overinst *on = (slap_overinst *) be->bd_info;
217 /* initialize private structure to store configuration */
218 on->on_bi.bi_private = ch_calloc( 1, sizeof(lastbind_info) );
229 slap_overinst *on = (slap_overinst *) be->bd_info;
230 lastbind_info *lbi = (lastbind_info *) on->on_bi.bi_private;
232 /* free private structure to store configuration */
238 static slap_overinst lastbind;
240 int lastbind_initialize()
244 /* register operational schema for this overlay (authTimestamp attribute) */
245 for (i=0; lastBind_OpSchema[i].def; i++) {
246 code = register_at( lastBind_OpSchema[i].def, lastBind_OpSchema[i].ad, 0 );
248 Debug( LDAP_DEBUG_ANY,
249 "lastbind_initialize: register_at failed\n", 0, 0, 0 );
254 ad_authTimestamp->ad_type->sat_flags |= SLAP_AT_MANAGEABLE;
256 lastbind.on_bi.bi_type = "lastbind";
257 lastbind.on_bi.bi_db_init = lastbind_db_init;
258 lastbind.on_bi.bi_db_close = lastbind_db_close;
259 lastbind.on_bi.bi_op_bind = lastbind_bind;
261 /* register configuration directives */
262 lastbind.on_bi.bi_cf_ocs = lastbindocs;
263 code = config_register_schema( lastbindcfg, lastbindocs );
264 if ( code ) return code;
266 return overlay_register( &lastbind );
269 #if SLAPD_OVER_LASTBIND == SLAPD_MOD_DYNAMIC
270 int init_module(int argc, char *argv[]) {
271 return lastbind_initialize();
275 #endif /* defined(SLAPD_OVER_LASTBIND) */