From: Kurt Zeilenga <kurt@openldap.org>
Date: Sat, 15 Aug 1998 23:03:09 +0000 (+0000)
Subject: Added support for TCP_WRAPPERS (ldapd code not tested, don't have isode here).
X-Git-Tag: LDAP_3_3+prerelease
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=e66aa921027d1a8dfadbba85213a3bfcd3d4118e;p=openldap

Added support for TCP_WRAPPERS (ldapd code not tested, don't have isode here).
Cleaned up LDAP_CRYPT support.
---

diff --git a/Make-common b/Make-common
index 22d2ed4b85..567d9f3bf8 100644
--- a/Make-common
+++ b/Make-common
@@ -198,10 +198,14 @@ LDAP_DEBUG=-DLDAP_DEBUG
 # uncomment this line to enable support for LDAP referrals in libldap
 LDAP_REFERRALS=-DLDAP_REFERRALS
 
-# uncomment this line to enable support for CRYPT passwords in LDBM.
-# Requires UNIX crypt(3), you may have to add -lcrypt (or whatever)
-# to your PLATFORMLIBS  (build/platform/your-platform)
+# uncomment these lines to enable support for CRYPT passwords in LDBM.
 #LDAP_CRYPT=-DLDAP_CRYPT
+#LDAP_CRYPT_LIB=-lcrypt
+
+# uncomment these lines to enable support fro tcp_wrappers in servers.
+# Requires tcp_wrappers.
+#LDAP_TCP_WRAPPERS=-DTCP_WRAPPERS -I/usr/local/include
+#LDAP_TCP_WRAPPERS_LIB=-L/usr/local/lib -lwrap
 
 # uncomment this line to use soundex for approximate matches in slapd.
 # the default is to use the metaphone algorithm.
diff --git a/build/Make-append b/build/Make-append
index 32c3d1cc9c..67a2f29bb0 100644
--- a/build/Make-append
+++ b/build/Make-append
@@ -21,7 +21,7 @@
 # DEFS are included in CFLAGS
 DEFS	= $(PLATFORMCFLAGS) $(LDAP_DEBUG) $(KERBEROS) $(AFSKERBEROS) \
 		$(UOFM) $(UOFA) $(NO_USERINTERFACE) $(CLDAP) $(NO_CACHE) \
-		$(LDAP_REFERRALS) $(LDAP_CRYPT) $(LDAP_DNS) $(STR_TRANSLATION) \
+		$(LDAP_REFERRALS) $(LDAP_DNS) $(STR_TRANSLATION) \
 		$(LIBLDAP_CHARSETS) $(LIBLDAP_DEF_CHARSET) \
 		$(SLAPD_BACKENDS) $(LDBMBACKEND) $(LDBMINCLUDE) $(PHONETIC)
 
diff --git a/build/platforms/freebsd-gcc/Make-platform b/build/platforms/freebsd-gcc/Make-platform
index 1d78ed72c2..1b8dae7517 100644
--- a/build/platforms/freebsd-gcc/Make-platform
+++ b/build/platforms/freebsd-gcc/Make-platform
@@ -15,5 +15,3 @@ CC	= cc
 
 PLATFORMCFLAGS=	-Dfreebsd
 
-# uncomment this line if using for LDAP_CRYPT
-#PLATFORMLIBS=	-lcrypt
diff --git a/build/platforms/linux-gcc/Make-platform b/build/platforms/linux-gcc/Make-platform
index 5e2a39fc44..2699aac6f1 100644
--- a/build/platforms/linux-gcc/Make-platform
+++ b/build/platforms/linux-gcc/Make-platform
@@ -16,5 +16,3 @@ RANLIB	= "ranlib"
 
 PLATFORMCFLAGS=	-Dlinux
 
-# uncomment this if -DLDAP_CRYPT is defined
-#PLATFORMLIBS= -lcrypt
diff --git a/servers/ldapd/main.c b/servers/ldapd/main.c
index 5626a34c4f..9edd4b532e 100644
--- a/servers/ldapd/main.c
+++ b/servers/ldapd/main.c
@@ -42,6 +42,13 @@
 #include <unistd.h>
 #endif /* USE_SYSCONF */
 
+#ifdef TCP_WRAPPERS
+#include <tcpd.h>
+
+int allow_severity = LOG_INFO;
+int deny_severity = LOG_NOTICE;
+#endif /* TCP_WRAPPERS */
+
 void log_and_exit();
 static set_socket();
 static do_queries();
@@ -393,10 +400,31 @@ char	**argv;
 
 		hp = gethostbyaddr( (char *) &(from.sin_addr.s_addr),
 		    sizeof(from.sin_addr.s_addr), AF_INET );
+
+#ifdef TCP_WRAPPERS
+		if ( !hosts_ctl("ldapd", (hp == NULL) ? "unknown" : hp->h_name,
+			inet_ntoa( from.sin_addr ), STRING_UNKNOWN ) {
+
+			Debug( LDAP_DEBUG_ARGS, "connection from %s (%s) denied.\n",
+		   		(hp == NULL) ? "unknown" : hp->h_name,
+		   		inet_ntoa( from.sin_addr ), 0 );
+
+			if ( dosyslog ) {
+				syslog( LOG_NOTICE, "connection from %s (%s) denied.",
+				    (hp == NULL) ? "unknown" : hp->h_name,
+				    inet_ntoa( from.sin_addr ) );
+			}
+
+			close(ns);
+			continue;
+		}
+#endif /* TCP_WRAPPERS */
+
 		Debug( LDAP_DEBUG_ARGS, "connection from %s (%s)\n",
 		    (hp == NULL) ? "unknown" : hp->h_name,
 		    inet_ntoa( from.sin_addr ), 0 );
 
+
 		if ( dosyslog ) {
 			syslog( LOG_INFO, "connection from %s (%s)",
 			    (hp == NULL) ? "unknown" : hp->h_name,
diff --git a/servers/slapd/Make-template b/servers/slapd/Make-template
index bdeb881c70..48ceaf1dea 100644
--- a/servers/slapd/Make-template
+++ b/servers/slapd/Make-template
@@ -33,11 +33,11 @@ OBJS	= main.o daemon.o connection.o search.o filter.o add.o charray.o \
 		schema.o schemaparse.o monitor.o configinfo.o
 
 INCLUDES= -I. -I$(HDIR) $(KRBINCLUDEFLAG)
-DEFINES = $(DEFS) $(SERVERDEFS)
+DEFINES = $(DEFS) $(LDAP_CRYPT) $(LDAP_TCP_WRAPPERS) $(SERVERDEFS)
 CFLAGS	= $(INCLUDES) $(THREADSINCLUDE) $(DEFINES) $(ACFLAGS) $(THREADS)
 LDFLAGS	= -L$(LDIR) $(KRBLIBFLAG)
 LIBS	= $(KRBLIBS) -llber -lldbm -lavl -llthread -lldif $(THREADSLIB) \
-		$(LDBMLIB) $(ALIBS)
+		$(LDBMLIB) $(LDAP_CRYPT_LIB) $(LDAP_TCP_WRAPPERS_LIB) $(ALIBS)
 
 all: FORCE
 	@if [ -z "$(MAKESLAPD)" ]; then \
diff --git a/servers/slapd/back-ldbm/Make-template b/servers/slapd/back-ldbm/Make-template
index bc46d3a589..52a36db245 100644
--- a/servers/slapd/back-ldbm/Make-template
+++ b/servers/slapd/back-ldbm/Make-template
@@ -27,9 +27,9 @@ OBJS	= idl.o add.o search.o cache.o dbcache.o dn2id.o id2entry.o \
 		filterindex.o unbind.o kerberos.o close.o
 
 INCLUDES= -I. -I.. -I$(HDIR) $(KRBINCLUDEFLAG)
-DEFINES = $(DEFS) $(THREADS)
+DEFINES = $(DEFS) $(LDAP_CRYPT) $(THREADS)
 CFLAGS	= $(INCLUDES) $(THREADSINCLUDE) $(DEFINES) $(ACFLAGS)
-LDFLAGS	= -L$(LDIR) $(KRBLIBFLAG)
+LDFLAGS	= -L$(LDIR) $(KRBLIBFLAG) $(LDAP_CRYPT_LIB)
 
 all:	FORCE
 	-@echo "$(SLAPD_BACKENDS)" | grep LDAP_LDBM 2>&1 > /dev/null; \
diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
index 7dbfa2abf7..38062d9b2b 100644
--- a/servers/slapd/daemon.c
+++ b/servers/slapd/daemon.c
@@ -30,6 +30,13 @@
 #include <unistd.h>
 #endif /* USE_SYSCONF */
 
+#ifdef TCP_WRAPPERS
+#include <tcpd.h>
+
+int allow_severity = LOG_INFO;
+int deny_severity = LOG_NOTICE;
+#endif /* TCP_WRAPPERS */
+
 extern Operation	*op_add();
 
 #ifndef SYSERRLIST_IN_STDIO
@@ -177,6 +184,9 @@ slapd_daemon(
 		struct timeval		*tvp;
 		int			len, pid;
 
+		char	*client_name;
+		char	*client_addr;
+
 		FD_ZERO( &writefds );
 		FD_ZERO( &readfds );
 		FD_SET( tcps, &readfds );
@@ -251,6 +261,7 @@ slapd_daemon(
 				Debug( LDAP_DEBUG_ANY,
 				    "FIONBIO ioctl on %d failed\n", ns, 0, 0 );
 			}
+
 			c[ns].c_sb.sb_sd = ns;
 			Debug( LDAP_DEBUG_CONNS, "new connection on %d\n", ns,
 			    0, 0 );
@@ -258,43 +269,76 @@ slapd_daemon(
 			pthread_mutex_lock( &ops_mutex );
 			c[ns].c_connid = num_conns++;
 			pthread_mutex_unlock( &ops_mutex );
+
 			len = sizeof(from);
+
 			if ( getpeername( ns, (struct sockaddr *) &from, &len )
 			    == 0 ) {
-				char	*s;
-#ifdef REVERSE_LOOKUP
+				char *s;
+				client_addr = inet_ntoa( from.sin_addr );
+
+#if defined(REVERSE_LOOKUP) || defined(TCP_WRAPPERS)
 				hp = gethostbyaddr( (char *)
 				    &(from.sin_addr.s_addr),
 				    sizeof(from.sin_addr.s_addr), AF_INET );
-#else
-				hp = NULL;
-#endif
 
-				Statslog( LDAP_DEBUG_STATS,
-				    "conn=%d fd=%d connection from %s (%s)\n",
-				    c[ns].c_connid, ns, hp == NULL ? "unknown"
-				    : hp->h_name, inet_ntoa( from.sin_addr ),
-				    0 );
+				if(hp) {
+					client_name = hp->h_name;
 
-				if ( c[ns].c_addr != NULL ) {
-					free( c[ns].c_addr );
-				}
-				c[ns].c_addr = strdup( inet_ntoa(
-				    from.sin_addr ) );
-				if ( c[ns].c_domain != NULL ) {
-					free( c[ns].c_domain );
-				}
-				c[ns].c_domain = strdup( hp == NULL ? "" :
-				    hp->h_name );
-				/* normalize the domain */
-				for ( s = c[ns].c_domain; *s; s++ ) {
-					*s = TOLOWER( *s );
+					/* normalize the domain */
+					for ( s = client_name; *s; s++ ) {
+						*s = TOLOWER( *s );
+					}
+
+				} else {
+					client_name = NULL;
 				}
+#else
+				client_name = NULL;
+#endif
+
 			} else {
+				client_name = NULL;;
+				client_addr = NULL;
+			}
+
+#ifdef TCP_WRAPPERS
+			if(!hosts_ctl("slapd", client_name, client_addr,
+				STRING_UNKNOWN))
+			{
+				/* DENY ACCESS */
 				Statslog( LDAP_DEBUG_STATS,
-				    "conn=%d fd=%d connection from unknown\n",
-				    c[ns].c_connid, ns, 0, 0, 0 );
+			   	 "conn=%d fd=%d connection from %s (%s) denied.\n",
+			   	 	c[ns].c_connid, ns,
+						client_name == NULL ? "unknown" : client_name,
+						client_addr == NULL ? "unknown" : client_addr,
+			   	  0 );
+
+				close(ns);
+				pthread_mutex_unlock( &new_conn_mutex );
+				continue;
 			}
+#endif /* TCP_WRAPPERS */
+
+			Statslog( LDAP_DEBUG_STATS,
+			    "conn=%d fd=%d connection from %s (%s) accepted.\n",
+			    	c[ns].c_connid, ns,
+					client_name == NULL ? "unknown" : client_name,
+					client_addr == NULL ? "unknown" : client_addr,
+			     0 );
+
+			if ( c[ns].c_addr != NULL ) {
+				free( c[ns].c_addr );
+			}
+			c[ns].c_addr = strdup( client_addr );
+
+			if ( c[ns].c_domain != NULL ) {
+				free( c[ns].c_domain );
+			}
+
+			c[ns].c_domain = strdup( client_name == NULL
+				? "" : client_name );
+
 			pthread_mutex_lock( &c[ns].c_dnmutex );
 			if ( c[ns].c_dn != NULL ) {
 				free( c[ns].c_dn );
diff --git a/servers/slapd/tools/Make-template b/servers/slapd/tools/Make-template
index 14b013ad30..e815fd8cf2 100644
--- a/servers/slapd/tools/Make-template
+++ b/servers/slapd/tools/Make-template
@@ -27,12 +27,12 @@ OBJS2	= ../config.o ../ch_malloc.o ../backend.o ../charray.o \
 		../schemaparse.o ../regex.o ../strdup.o
 
 INCLUDES= -I. -I$(HDIR) $(EXINCLUDES)
-DEFINES = $(DEFS) $(SERVERDEFS) $(THREADS)
+DEFINES = $(DEFS) $(LDAP_CRYPT) $(SERVERDEFS) $(THREADS)
 CFLAGS	= $(INCLUDES) $(DEFINES) $(ACFLAGS)
 LDFLAGS	= -L$(LDIR) $(EXLDFLAGS)
 LIBS	= -lldif -lldap -llber -lldbm -lavl $(LDBMLIB) $(EXLIBS) $(ALIBS)
 LIBS2	= -lldif -lldbm -lavl $(LDBMLIB) -llber $(KRBLIBFLAG) $(KRBLIBS) \
-		-llthread $(THREADSLIB) $(ALIBS)
+		-llthread $(THREADSLIB) $(ALIBS) $(LDAP_CRYPT_LIB)
 
 all:	build-edb2ldif ldif2index ldif2ldbm ldbmcat ldif2id2entry \
 		ldif2id2children centipede ldbmtest ldif