X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=clients%2Ftools%2Fldapsearch.c;h=9b349da6b09289d11aa0943742b4933ee13b62f7;hb=78f6d75586381f3cfa0af8a7e3e72e862a76a730;hp=e07b3ff83866dbb043de7020918fd7d6b44729d2;hpb=d2b05a3858822df66785b4a0939204b10ac1c47f;p=openldap
diff --git a/clients/tools/ldapsearch.c b/clients/tools/ldapsearch.c
index e07b3ff838..9b349da6b0 100644
--- a/clients/tools/ldapsearch.c
+++ b/clients/tools/ldapsearch.c
@@ -39,52 +39,55 @@ usage( const char *s ) { fprintf( stderr, "usage: %s [options] [filter [attributes...]]\nwhere:\n" -"\tfilter\tRFC-2254 compliant LDAP search filter\n" -"\tattributes\twhitespace-separated list of attribute descriptions\n" -"\t which may include:\n" -"\t\t1.1 -- no attributes\n" -"\t\t* -- all user attributes\n" -"\t\t+ -- all operational attributes\n" +" filter\tRFC-2254 compliant LDAP search filter\n" +" attributes\twhitespace-separated list of attribute descriptions\n" +" which may include:\n" +" 1.1 no attributes\n" +" * all user attributes\n" +" + all operational attributes\n" "Search options:\n" -"\t-a deref\tdereference aliases: never (default), always, search, or find\n" -"\t-A\t\tretrieve attribute names only (no values)\n" -"\t-b basedn\tbase dn for search\n" -"\t-l limit\ttime limit (in seconds) for search\n" -"\t-L\t\tprint responses in LDIFv1 format\n" -"\t-LL\t\tprint responses in LDIF format without comments\n" -"\t-LLL\t\tprint responses in LDIF format without comments\n" -"\t\t\tand version\n" -"\t-s scope\tone of base, one, or sub (search scope)\n" -"\t-S attr\t\tsort the results by attribute `attr'\n" -"\t-t\t\twrite binary values to files in temporary directory\n" -"\t-tt\t\twrite all values to files in temporary directory\n" -"\t-T path\t\twrite files to directory specified by path (default:\n" -"\t\t\t\"" LDAP_TMPDIR "\")\n" -"\t-u\t\tinclude User Friendly entry names in the output\n" +" -a deref one of never (default), always, search, or find\n" +" -A retrieve attribute names only (no values)\n" +" -b basedn base dn for search\n" +" -l limit time limit (in seconds) for search\n" +" -L print responses in LDIFv1 format\n" +" -LL print responses in LDIF format without comments\n" +" -LLL print responses in LDIF format without comments\n" +" and version\n" +" -s scope one of base, one, or sub (search scope)\n" +" -S attr sort the results by attribute `attr'\n" +" -t write binary values to files in temporary directory\n" +" -tt 
write all values to files in temporary directory\n" +" -T path write files to directory specified by path (default:\n" +" " LDAP_TMPDIR ")\n" +" -u include User Friendly entry names in the output\n" +" -V prefix URL prefix for files (default: \"" LDAP_FILE_URI_PREFIX ")\n" +" -z limit size limit (in entries) for search\n" "Common options:\n" -"\t-d level\tset LDAP debugging level to `level'\n" -"\t-D binddn\tbind DN\n" -"\t-f file\t\tread operations from `file'\n" -"\t-h host\t\tLDAP server\n" -"\t-k\t\tuse Kerberos authentication\n" -"\t-K\t\tlike -k, but do only step 1 of the Kerberos bind\n" -"\t-M\t\tenable Manage DSA IT control (-MM to make critical)\n" -"\t-n\t\tshow what would be done but don't actually search\n" -"\t-O secprops\tSASL security properties\n" -"\t-p port\t\tport on LDAP server\n" -"\t-P version\tprocotol version (default: 3)\n" -"\t-U user\t\tSASL authentication identity (username)\n" -"\t-v\t\trun in verbose mode (diagnostics to standard output)\n" -"\t-V prefix\tURL prefix for files (default: \"" LDAP_FILE_URI_PREFIX ")\n" -"\t-w passwd\tbind passwd (for simple authentication)\n" -"\t-W\t\tprompt for bind passwd\n" -"\t-x\t\tSimple authentication\n" -"\t-X id\t\tSASL authorization identity (\"dn:\" or \"u:\")\n" -"\t-Y mech\t\tSASL mechanism\n" -"\t-z limit\tsize limit (in entries) for search\n" -"\t-Z\t\tissue Start TLS request (-ZZ to require successful response)\n" +" -d level set LDAP debugging level to `level'\n" +" -D binddn bind DN\n" +" -f file read operations from `file'\n" +" -h host LDAP server\n" +" -I use SASL Interactive mode\n" +" -k use Kerberos authentication\n" +" -K like -k, but do only step 1 of the Kerberos bind\n" +" -M enable Manage DSA IT control (-MM to make critical)\n" +" -n show what would be done but don't actually search\n" +" -O props SASL security properties\n" +" -p port port on LDAP server\n" +" -P version procotol version (default: 3)\n" +" -Q use SASL Quiet mode\n" +" -R realm SASL realm\n" +" -U user SASL 
authentication identity (username)\n" +" -v run in verbose mode (diagnostics to standard output)\n" +" -w passwd bind passwd (for simple authentication)\n" +" -W prompt for bind passwd\n" +" -x Simple authentication\n" +" -X id SASL authorization identity (\"dn:\" or \"u:\")\n" +" -Y mech SASL mechanism\n" +" -Z Start TLS request (-ZZ to require successful response)\n" , s ); exit( EXIT_FAILURE ); @@ -137,12 +140,16 @@ static int dosearch LDAP_P(( static char *tmpdir = NULL; static char *urlpre = NULL; +static char *prog = NULL; static char *binddn = NULL; static struct berval passwd = { 0, NULL }; static char *base = NULL; static char *ldaphost = NULL; +static char *ldapuri = NULL; static int ldapport = 0; #ifdef HAVE_CYRUS_SASL +static unsigned sasl_flags = LDAP_SASL_AUTOMATIC; +static char *sasl_realm = NULL; static char *sasl_authc_id = NULL; static char *sasl_authz_id = NULL; static char *sasl_mech = NULL; @@ -155,12 +162,12 @@ static int verbose, not, includeufn, vals2tmp, ldif; int main( int argc, char **argv ) { - char *prog, *infile, *filtpattern, **attrs, line[BUFSIZ]; + char *infile, *filtpattern, **attrs, line[BUFSIZ]; FILE *fp = NULL; int rc, i, first, scope, deref, attrsonly, manageDSAit; int referrals, timelimit, sizelimit, debug; int authmethod, version, want_bindpw; - LDAP *ld; + LDAP *ld = NULL; infile = NULL; debug = verbose = not = vals2tmp = referrals = @@ -171,8 +178,10 @@ main( int argc, char **argv ) scope = LDAP_SCOPE_SUBTREE; authmethod = -1; + prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : prog + 1; + while (( i = getopt( argc, argv, - "Aa:b:f:Ll:S:s:T:tuV:z:" "Cd:D:h:kKMnO:p:P:U:vw:WxX:Y:Z")) != EOF ) + "Aa:b:f:Ll:S:s:T:tuV:z:" "Cd:D:h:H:IkKMnO:p:P:QRU:vw:WxX:Y:Z")) != EOF ) { switch( i ) { /* Search Options */ 
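Review bot: The rewritten option table never mentions `-H`, although the same commit adds `H:` to the getopt string and the `-h`/`-H` conflict checks, so a user reading `usage()` cannot discover the URI form; add a line beside `-h host`, for example (constructed wording) `" -H URI LDAP Uniform Resource Identifier(s)\n"`. The rewritten `-P version` line also keeps the pre-existing misspelling `procotol`, which should become `protocol` while the line is being touched. The `-R realm` entry documents a mandatory argument, so the option-parsing code must actually declare one for `R`.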
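Review bot: `R` has no `:` after it in the new getopt string `"Cd:D:h:H:IkKMnO:p:P:QRU:vw:WxX:Y:Z"`, yet the `case 'R'` added in a later hunk does `sasl_realm = strdup( optarg )` and the usage text lists `-R realm`; with no argument declared, `optarg` is NULL for `-R` and `strdup` dereferences it. Change the string to `"Aa:b:f:Ll:S:s:T:tuV:z:" "Cd:D:h:H:IkKMnO:p:P:QR:U:vw:WxX:Y:Z"`. The line `prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : prog + 1;` assigns `prog` twice in one expression; the conditional operator sequences it, but `char *sep = strrchr( argv[0], *LDAP_DIRSEP ); prog = sep ? sep + 1 : argv[0];` says the same thing without the reader having to check that. The `main` body continues past the hunk.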
@@ -193,7 +202,14 @@ main( int argc, char **argv ) case 'A': /* retrieve attribute names only -- no values */ ++attrsonly; break; + case 'b': /* search base */ + base = strdup( optarg ); + break; case 'f': /* input file */ + if( infile != NULL ) { + fprintf( stderr, "%s: -f previously specified\n" ); + return EXIT_FAILURE; + } infile = strdup( optarg ); break; case 'l': /* time limit */ @@ -243,11 +259,60 @@ main( int argc, char **argv ) debug |= atoi( optarg ); break; case 'D': /* bind DN */ + if( binddn != NULL ) { + fprintf( stderr, "%s: -D previously specified\n" ); + return EXIT_FAILURE; + } binddn = strdup( optarg ); break; case 'h': /* ldap host */ + if( ldapuri != NULL ) { + fprintf( stderr, "%s: -h incompatible with -H\n" ); + return EXIT_FAILURE; + } + if( ldaphost != NULL ) { + fprintf( stderr, "%s: -h previously specified\n" ); + return EXIT_FAILURE; + } ldaphost = strdup( optarg ); break; + case 'H': /* ldap URI */ + if( ldaphost != NULL ) { + fprintf( stderr, "%s: -H incompatible with -h\n" ); + return EXIT_FAILURE; + } + if( ldapport ) { + fprintf( stderr, "%s: -H incompatible with -p\n" ); + return EXIT_FAILURE; + } + if( ldapuri != NULL ) { + fprintf( stderr, "%s: -H previously specified\n" ); + return EXIT_FAILURE; + } + ldapuri = strdup( optarg ); + break; + case 'I': +#ifdef HAVE_CYRUS_SASL + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -I incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible previous " + "authentication choice\n", + prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + sasl_flags = LDAP_SASL_INTERACTIVE; + break; +#else + fprintf( stderr, "%s: was not compiled with SASL support\n", + prog ); + return( EXIT_FAILURE ); +#endif case 'k': /* kerberos bind */ #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND if( version > LDAP_VERSION2 ) { 
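Review bot: `fprintf( stderr, "%s: -f previously specified\n" );` supplies a `%s` conversion with no matching argument, so the call reads a vararg that was never passed (undefined behaviour, in practice garbage or a crash on the very path meant to report a usage error); the line needs `, prog` before the closing parenthesis: `fprintf( stderr, "%s: -f previously specified\n", prog );`. The same omission recurs in every `previously specified` and `incompatible with -h/-H/-p` message this commit adds for `-D`, `-h`, `-H`, `-O`, `-p`, `-R`, `-U`, `-Y` and `-X` in the later hunks, while the `-I`, `-Q` and `-R` version-conflict messages do pass `prog` correctly. Building the tools with `-Wformat` would have flagged all of them. The enclosing `switch` inside `main` starts and ends outside the hunk.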
@@ -302,8 +367,12 @@ main( int argc, char **argv ) break; case 'O': #ifdef HAVE_CYRUS_SASL + if( sasl_secprops != NULL ) { + fprintf( stderr, "%s: -O previously specified\n" ); + return EXIT_FAILURE; + } if( version == LDAP_VERSION2 ) { - fprintf( stderr, "%s -O incompatible with LDAPv%d\n", + fprintf( stderr, "%s: -O incompatible with LDAPv%d\n", prog, version ); return EXIT_FAILURE; } @@ -312,9 +381,9 @@ main( int argc, char **argv ) "authentication choice\n", prog ); return EXIT_FAILURE; } - sasl_secprops = strdup( optarg ); authmethod = LDAP_AUTH_SASL; version = LDAP_VERSION3; + sasl_secprops = strdup( optarg ); #else fprintf( stderr, "%s: not compiled with SASL support\n", prog ); @@ -322,6 +391,10 @@ main( int argc, char **argv ) #endif break; case 'p': + if( ldapport ) { + fprintf( stderr, "%s: -p previously specified\n" ); + return EXIT_FAILURE; + } ldapport = atoi( optarg ); break; case 'P': 
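Review bot: The new `-p` guard only rejects a repeated `-p`; the `-H` case rejects an earlier `-p`, but `-p` given after `-H` is accepted, so the host/URI conflict check depends on option order. Mirror the check here: `if( ldapuri != NULL ) { fprintf( stderr, "%s: -p incompatible with -H\n", prog ); return EXIT_FAILURE; }`. Note also that `atoi( optarg )` yields 0 for non-numeric input, and both this guard and the later `ldaphost != NULL || ldapport` test treat 0 as "not specified", so a mistyped port silently falls back to the default; `strtol` with an end-pointer check would reject it instead. The `switch` this case belongs to extends beyond the hunk.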
@@ -348,8 +421,60 @@ main( int argc, char **argv ) usage( prog ); return( EXIT_FAILURE ); } break; + case 'Q': +#ifdef HAVE_CYRUS_SASL + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -Q incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible previous " + "authentication choice\n", + prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + sasl_flags = LDAP_SASL_QUIET; + break; +#else + fprintf( stderr, "%s: not compiled with SASL support\n", + prog ); + return( EXIT_FAILURE ); +#endif + case 'R': +#ifdef HAVE_CYRUS_SASL + if( sasl_realm != NULL ) { + fprintf( stderr, "%s: -R previously specified\n" ); + return EXIT_FAILURE; + } + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -R incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible previous " + "authentication choice\n", + prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + sasl_realm = strdup( optarg ); +#else + fprintf( stderr, "%s: not compiled with SASL support\n", + prog ); + return( EXIT_FAILURE ); +#endif + break; case 'U': #ifdef HAVE_CYRUS_SASL + if( sasl_authc_id != NULL ) { + fprintf( stderr, "%s: -U previously specified\n" ); + return EXIT_FAILURE; + } if( version == LDAP_VERSION2 ) { fprintf( stderr, "%s: -U incompatible with version %d\n", prog, version ); @@ -363,11 +488,9 @@ main( int argc, char **argv ) } authmethod = LDAP_AUTH_SASL; version = LDAP_VERSION3; - sasl_authc_id = strdup( optarg ); - authmethod = LDAP_AUTH_SASL; #else - fprintf( stderr, "%s: was not compiled with SASL support\n", + fprintf( stderr, "%s: not compiled with SASL support\n", prog ); return( EXIT_FAILURE ); #endif 
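Review bot: This hunk deletes `sasl_authc_id = strdup( optarg );` together with the duplicated `authmethod = LDAP_AUTH_SASL;`, and nothing visible re-adds it, so `-U` no longer records the authentication identity that `lutil_sasl_defaults` receives later in the commit, and the new `-U previously specified` guard can never fire. Unless the assignment exists elsewhere in the case outside the hunk, restore `sasl_authc_id = strdup( optarg );` after `version = LDAP_VERSION3;`. The `-X` hunk (`@@ -431`) drops `sasl_authz_id = strdup( optarg );` in the same way, and the `-Y` hunk (`@@ -400`) removes `authmethod = LDAP_AUTH_SASL;` while adding its strdup, so `-Y` on its own may no longer select SASL. The `case 'U'` block begins before this hunk.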
@@ -381,7 +504,7 @@ main( int argc, char **argv ) char* p; for( p = optarg; *p == '\0'; p++ ) { - *p = '*'; + *p = '\0'; } } passwd.bv_len = strlen( passwd.bv_val ); @@ -391,6 +514,10 @@ main( int argc, char **argv ) break; case 'Y': #ifdef HAVE_CYRUS_SASL + if( sasl_mech != NULL ) { + fprintf( stderr, "%s: -Y previously specified\n" ); + return EXIT_FAILURE; + } if( version == LDAP_VERSION2 ) { fprintf( stderr, "%s: -Y incompatible with version %d\n", prog, version ); @@ -400,11 +527,11 @@ main( int argc, char **argv ) fprintf( stderr, "%s: incompatible with authentication choice\n", prog ); return EXIT_FAILURE; } - authmethod = LDAP_AUTH_SASL; version = LDAP_VERSION3; + sasl_mech = strdup( optarg ); #else - fprintf( stderr, "%s: was not compiled with SASL support\n", + fprintf( stderr, "%s: not compiled with SASL support\n", prog ); return( EXIT_FAILURE ); #endif @@ -419,6 +546,10 @@ main( int argc, char **argv ) break; case 'X': #ifdef HAVE_CYRUS_SASL + if( sasl_authz_id != NULL ) { + fprintf( stderr, "%s: -X previously specified\n" ); + return EXIT_FAILURE; + } if( version == LDAP_VERSION2 ) { fprintf( stderr, "%s: -X incompatible with LDAPv%d\n", prog, version ); @@ -431,9 +562,7 @@ main( int argc, char **argv ) } authmethod = LDAP_AUTH_SASL; version = LDAP_VERSION3; - sasl_authz_id = strdup( optarg ); - authmethod = LDAP_AUTH_SASL; #else fprintf( stderr, "%s: not compiled with SASL support\n", prog ); @@ -443,7 +572,7 @@ main( int argc, char **argv ) case 'Z': #ifdef HAVE_TLS if( version == LDAP_VERSION2 ) { - fprintf( stderr, "%s -Z incompatible with version %d\n", + fprintf( stderr, "%s: -Z incompatible with version %d\n", prog, version ); return EXIT_FAILURE; } @@ -456,6 +585,8 @@ main( int argc, char **argv ) #endif break; default: + fprintf( stderr, "%s: unrecongized option -%c\n", + prog, optopt ); usage( argv[0] ); } } 
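Review bot: The loop `for( p = optarg; *p == '\0'; p++ )` tests for the terminator rather than against it, so for any non-empty `-w` argument the body never executes and the password stays intact in argv, where the process list exposes it to other users on the host; for an empty argument it overwrites the terminator and then reads the byte after it. The condition should be `for( p = optarg; *p != '\0'; p++ ) {`. Switching the fill byte from `'*'` to `'\0'` is fine only if `passwd.bv_val` is a copy taken before the loop; the following `strlen( passwd.bv_val )` suggests it is, but that assignment lies outside the hunk and should be confirmed. The `case 'w'` block begins outside the hunk.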
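Review bot: The new diagnostic misspells its key word: `"%s: unrecongized option -%c\n"` should read `"%s: unrecognized option -%c\n"`. The following line still calls `usage( argv[0] )` although the commit introduces `prog` for exactly this purpose; `usage( prog );` keeps the banner consistent with the other messages. Both the `switch` and the `while` loop close outside the hunk.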
@@ -464,11 +595,16 @@ main( int argc, char **argv ) version = LDAP_VERSION3; } if (authmethod == -1 && version > LDAP_VERSION2) { +#ifdef HAVE_CYRUS_SASL authmethod = LDAP_AUTH_SASL; +#else + authmethod = LDAP_AUTH_SIMPLE; +#endif } if (( argc - optind < 1 ) || - ( strchr( argv[optind], '=' ) == NULL ) ) + ( *argv[optind] != '(' /*')'*/ && + ( strchr( argv[optind], '=' ) == NULL ) ) ) { filtpattern = "(objectclass=*)"; } else { @@ -526,15 +662,26 @@ main( int argc, char **argv ) (void) SIGNAL( SIGPIPE, SIG_IGN ); #endif - if ( verbose ) { - fprintf( stderr, - (ldapport ? "ldap_init( %s, %d )\n" : "ldap_init( %s, )\n"), - (ldaphost != NULL) ? ldaphost : "", - ldapport ); + + if( ( ldaphost != NULL || ldapport ) && ( ldapuri == NULL ) ) { + if ( verbose ) { + fprintf( stderr, "ldap_init( %s, %d )\n", + ldaphost != NULL ? ldaphost : "", + ldapport ); + } + ld = ldap_init( ldaphost, ldapport ); + + } else { + if ( verbose ) { + fprintf( stderr, "ldap_initialize( %s )\n", + ldapuri != NULL ? ldapuri : "" ); + } + (void) ldap_initialize( &ld, ldapuri ); } - if (( ld = ldap_init( ldaphost, ldapport )) == NULL ) { - perror( "ldap_init" ); + if( ld == NULL ) { + fprintf( stderr, "Could not create LDAP session handle (%d): %s\n", + rc, ldap_err2string(rc) ); return EXIT_FAILURE; } @@ -578,9 +725,13 @@ main( int argc, char **argv ) return EXIT_FAILURE; } - if ( use_tls && ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS ) { - if ( use_tls > 1 ) { + if ( use_tls ) { + rc = ldap_start_tls_s( ld, NULL, NULL ); + + if ( rc != LDAP_SUCCESS && use_tls > 1 ) { ldap_perror( ld, "ldap_start_tls" ); + fprintf( stderr, "Could not start TLS %d: %s\n", + rc, ldap_err2string( rc ) ); return EXIT_FAILURE; } fprintf( stderr, "WARNING: could not start TLS\n" ); 
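Review bot: `rc` is never assigned in either branch of the new session setup — the result of `ldap_initialize( &ld, ldapuri )` is cast to `(void)` — yet the `ld == NULL` message prints `rc` and `ldap_err2string(rc)`; `main` declares `int rc, i, ...` without an initializer in the earlier hunk, so unless `rc` is set somewhere before this point the message reports an indeterminate value. Write `rc = ldap_initialize( &ld, ldapuri );` in the else branch. The `ldap_init` branch produces no LDAP result code at all, so either print a message without `rc` there or assign `rc` a defined value before the shared check.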
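Review bot: `WARNING: could not start TLS` is now printed on every `-Z` run, including the successful one: the old outer condition included `ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS`, whereas the new block tests `rc` only in combination with `use_tls > 1` and then reaches the warning unconditionally, which tells the user the session is unprotected when it is not. Guard it: `if ( rc != LDAP_SUCCESS ) { fprintf( stderr, "WARNING: could not start TLS\n" ); }`. The `-ZZ` failure path also reports the same error twice (`ldap_perror` followed by the new `fprintf`); one of the two suffices. The `if ( use_tls )` block closes outside the hunk.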
@@ -593,6 +744,8 @@ main( int argc, char **argv ) if ( authmethod == LDAP_AUTH_SASL ) { #ifdef HAVE_CYRUS_SASL + void *defaults; + if( sasl_secprops != NULL ) { rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS, (void *) sasl_secprops ); @@ -605,16 +758,24 @@ main( int argc, char **argv ) } } + defaults = lutil_sasl_defaults( ld, + sasl_mech, + sasl_realm, + sasl_authc_id, + passwd.bv_val, + sasl_authz_id ); + rc = ldap_sasl_interactive_bind_s( ld, binddn, - sasl_mech, NULL, NULL, lutil_sasl_interact ); + sasl_mech, NULL, NULL, + sasl_flags, lutil_sasl_interact, defaults ); if( rc != LDAP_SUCCESS ) { ldap_perror( ld, "ldap_sasl_interactive_bind_s" ); return( EXIT_FAILURE ); } #else - fprintf( stderr, "%s was not compiled with SASL support\n", - argv[0] ); + fprintf( stderr, "%s: not compiled with SASL support\n", + prog, argv[0] ); return( EXIT_FAILURE ); #endif } else { @@ -637,7 +798,7 @@ main( int argc, char **argv ) c.ldctl_value.bv_len = 0; c.ldctl_iscritical = manageDSAit > 1; - err = ldap_set_option( ld, LDAP_OPT_SERVER_CONTROLS, &ctrls ); + err = ldap_set_option( ld, LDAP_OPT_SERVER_CONTROLS, ctrls ); if( err != LDAP_OPT_SUCCESS ) { fprintf( stderr, "Could not set ManageDSAit %scontrol\n", @@ -761,8 +922,8 @@ static int dosearch( sctrls, cctrls, timelimit, sizelimit, &msgid ); if( rc != LDAP_SUCCESS ) { - fprintf( stderr, "ldapsearch: ldap_search_ext: %s (%d)\n", - ldap_err2string( rc ), rc ); + fprintf( stderr, "%s: ldap_search_ext: %s (%d)\n", + prog, ldap_err2string( rc ), rc ); return( rc ); }
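Review bot: The `#else` diagnostic passes two arguments for a single `%s`: `fprintf( stderr, "%s: not compiled with SASL support\n", prog, argv[0] );` — the surplus `argv[0]` is harmless but looks like a leftover from the switch to `prog`; drop it. The `defaults` value returned by `lutil_sasl_defaults` is handed to `ldap_sasl_interactive_bind_s` and then forgotten; if that helper allocates (not visible here), nothing releases it on either the success or the `EXIT_FAILURE` path, and since it is built from `passwd.bv_val`, the release point would also be where any copy of the credential should be cleared. The `if ( authmethod == LDAP_AUTH_SASL )` block opens in the preceding hunk.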