| /* ==================================================================== |
| * The Apache Software License, Version 1.1 |
| * |
| * Copyright (c) 2000-2001 The Apache Software Foundation. All rights |
| * reserved. |
| * |
| * Redistribution and use in source and binary forms, with or without |
| * modification, are permitted provided that the following conditions |
| * are met: |
| * |
| * 1. Redistributions of source code must retain the above copyright |
| * notice, this list of conditions and the following disclaimer. |
| * |
| * 2. Redistributions in binary form must reproduce the above copyright |
| * notice, this list of conditions and the following disclaimer in |
| * the documentation and/or other materials provided with the |
| * distribution. |
| * |
| * 3. The end-user documentation included with the redistribution, |
| * if any, must include the following acknowledgment: |
| * "This product includes software developed by the |
| * Apache Software Foundation (http://www.apache.org/)." |
| * Alternately, this acknowledgment may appear in the software itself, |
| * if and wherever such third-party acknowledgments normally appear. |
| * |
| * 4. The names "Apache" and "Apache Software Foundation" must |
| * not be used to endorse or promote products derived from this |
| * software without prior written permission. For written |
| * permission, please contact apache@apache.org. |
| * |
| * 5. Products derived from this software may not be called "Apache", |
| * nor may "Apache" appear in their name, without prior written |
| * permission of the Apache Software Foundation. |
| * |
| * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED |
| * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
| * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
| * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR |
| * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
| * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF |
| * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND |
| * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, |
| * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT |
| * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| * SUCH DAMAGE. |
| * ==================================================================== |
| * |
| * This software consists of voluntary contributions made by many |
| * individuals on behalf of the Apache Software Foundation. For more |
| * information on the Apache Software Foundation, please see |
| * <http://www.apache.org/>. |
| */ |
| |
| #ifndef UTIL_LDAP_H |
| #define UTIL_LDAP_H |
| |
| #include <apr_ldap.h> |
| |
| /* this whole thing disappears if LDAP is not enabled */ |
| #ifdef APU_HAS_LDAP |
| |
| /* APR header files */ |
| #include <apr_lock.h> |
| #include <apr_tables.h> |
| #include <apr_time.h> |
| |
| /* Apache header files */ |
| #include "ap_config.h" |
| #include "httpd.h" |
| #include "http_config.h" |
| #include "http_core.h" |
| #include "http_log.h" |
| #include "http_protocol.h" |
| #include "http_request.h" |
| |
| |
| /* |
| * LDAP Connections |
| */ |
| |
| /* Values that the deref member can have */ |
| typedef enum { |
| never=LDAP_DEREF_NEVER, |
| searching=LDAP_DEREF_SEARCHING, |
| finding=LDAP_DEREF_FINDING, |
| always=LDAP_DEREF_ALWAYS |
| } deref_options; |
| |
| /* Structure representing an LDAP connection */ |
| typedef struct util_ldap_connection_t { |
| LDAP *ldap; |
| apr_lock_t *lock; /* Lock to indicate this connection is in use */ |
| int bound; /* Flag to indicate whether this connection is bound yet */ |
| |
| const char *host; /* Name of the LDAP server (or space separated list) */ |
| int port; /* Port of the LDAP server */ |
| deref_options deref; /* how to handle alias dereferening */ |
| |
| const char *binddn; /* DN to bind to server (can be NULL) */ |
| const char *bindpw; /* Password to bind to server (can be NULL) */ |
| |
| int netscapessl; /* True if use Netscape SSL connection */ |
| const char *certtdb; /* Path to Netscape CA database */ |
| |
| int starttls; /* True if StartTLS is enabled */ |
| int withtls; /* True if StartTLS on this connection */ |
| |
| const char *reason; /* Reason for an error failure */ |
| |
| struct util_ldap_connection_t *next; |
| } util_ldap_connection_t; |
| |
| /* LDAP cache state information */ |
| typedef struct util_ldap_state_t { |
| apr_pool_t *pool; /* pool from which this state is allocated */ |
| apr_lock_t *mutex; /* mutex lock for the connection list */ |
| |
| apr_size_t cache_bytes; /* Size (in bytes) of shared memory cache */ |
| long search_cache_ttl; /* TTL for search cache */ |
| long search_cache_size; /* Size (in entries) of search cache */ |
| long compare_cache_ttl; /* TTL for compare cache */ |
| long compare_cache_size; /* Size (in entries) of compare cache */ |
| |
| struct util_ldap_connection_t *connections; |
| #ifdef APU_HAS_LDAP_NETSCAPE_SSL |
| int have_certdb; |
| #endif |
| } util_ldap_state_t; |
| |
| |
| /** |
| * Open a connection to an LDAP server |
| * @param ldc A structure containing the expanded details of the server |
| * to connect to. The handle to the LDAP connection is returned |
| * as ldc->ldap. |
| * @tip This function connects to the LDAP server and binds. It does not |
| * connect if already connected (ldc->ldap != NULL). Does not bind |
| * if already bound. |
| * @return If successful LDAP_SUCCESS is returned. |
| * @deffunc int util_ldap_connection_open(util_ldap_connection_t *ldc) |
| */ |
| int util_ldap_connection_open(util_ldap_connection_t *ldc); |
| |
| /** |
| * Close a connection to an LDAP server |
| * @param ldc A structure containing the expanded details of the server |
| that was connected. |
| * @tip This function unbinds from the LDAP server, and clears ldc->ldap. |
| * It is possible to rebind to this server again using the same ldc |
| * structure, using apr_ldap_open_connection(). |
| * @deffunc util_ldap_close_connection(util_ldap_connection_t *ldc) |
| */ |
| void util_ldap_connection_close(util_ldap_connection_t *ldc); |
| |
| /** |
| * Find a connection in a list of connections |
| * @param r The request record |
| * @param host The hostname to connect to (multiple hosts space separated) |
| * @param port The port to connect to |
| * @param binddn The DN to bind with |
| * @param bindpw The password to bind with |
| * @param deref The dereferencing behavior |
| * @param netscapessl Start SSL on the connection using ldapssl_client_init() [0|1] |
| * @param starttls Start TLS using STARTTLS parameter [0|1] |
| * @tip Once a connection is found and returned, a lock will be acquired to |
| * lock that particular connection, so that another thread does not try and |
| * use this connection while it is busy. Once you are finished with a connection, |
| * apr_ldap_connection_close() must be called to release this connection. |
| * @deffunc util_ldap_connection_t *util_ldap_connection_find(request_rec *r, const char *host, int port, |
| * const char *binddn, const char *bindpw, deref_options deref, |
| * int netscapessl, int starttls) |
| */ |
| util_ldap_connection_t *util_ldap_connection_find(request_rec *r, const char *host, int port, |
| const char *binddn, const char *bindpw, deref_options deref, |
| int netscapessl, int starttls); |
| |
| |
| /** |
| * Compare two DNs for sameness |
| * @param r The request record |
| * @param ldc The LDAP connection being used. |
| * @param url The URL of the LDAP connection - used for deciding which cache to use. |
| * @param dn The first DN to compare. |
| * @param reqdn The DN to compare the first DN to. |
| * @param compare_dn_on_server Flag to determine whether the DNs should be checked using |
| * LDAP calls or with a direct string comparision. A direct |
| * string comparison is faster, but not as accurate - false |
| * negative comparisons are possible. |
| * @tip Two DNs can be equal and still fail a string comparison. Eg "dc=example,dc=com" |
| * and "dc=example, dc=com". Use the compare_dn_on_server unless there are serious |
| * performance issues. |
| * @deffunc int util_ldap_cache_comparedn(request_rec *r, util_ldap_connection_t *ldc, |
| * const char *url, const char *dn, const char *reqdn, |
| * int compare_dn_on_server) |
| */ |
| int util_ldap_cache_comparedn(request_rec *r, util_ldap_connection_t *ldc, |
| const char *url, const char *dn, const char *reqdn, |
| int compare_dn_on_server); |
| |
| /** |
| * A generic LDAP compare function |
| * @param r The request record |
| * @param ldc The LDAP connection being used. |
| * @param url The URL of the LDAP connection - used for deciding which cache to use. |
| * @param dn The DN of the object in which we do the compare. |
| * @param attrib The attribute within the object we are comparing for. |
| * @param value The value of the attribute we are trying to compare for. |
| * @tip Use this function to determine whether an attribute/value pair exists within an |
| * object. Typically this would be used to determine LDAP group membership. |
| * @deffunc int util_ldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc, |
| * const char *url, const char *dn, const char *attrib, const char *value) |
| */ |
| int util_ldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc, |
| const char *url, const char *dn, const char *attrib, const char *value); |
| |
| /** |
| * Checks a username/password combination by binding to the LDAP server |
| * @param r The request record |
| * @param ldc The LDAP connection being used. |
| * @param url The URL of the LDAP connection - used for deciding which cache to use. |
| * @param basedn The Base DN to search for the user in. |
| * @param scope LDAP scope of the search. |
| * @param filter The user to search for in the form of an LDAP filter. This filter must return |
| * exactly one user for the check to be successful. |
| * @param bindpw The user password to bind as. |
| * @param binddn The DN of the user will be returned in this variable. |
| * @tip The filter supplied will be searched for. If a single entry is returned, an attempt |
| * is made to bind as that user. If this bind succeeds, the user is not validated. |
| * @deffunc int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc, |
| * char *url, const char *basedn, int scope, |
| * char *filter, char *bindpw, char **binddn) |
| */ |
| int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc, |
| const char *url, const char *basedn, int scope, |
| const char *filter, const char *bindpw, const char **binddn); |
| |
| /* from apr_ldap_cache.c */ |
| |
| /** |
| * Init the LDAP cache |
| * @param pool The pool to use to initialise the cache |
| * @param reqsize The size of the shared memory segement to request. A size |
| * of zero requests the max size possible from |
| * apr_shmem_init() |
| * @deffunc void util_ldap_cache_init(apr_pool_t *p) |
| * @return The status code returned is the status code of the |
| * apr_smmem_init() call. Regardless of the status, the cache |
| * will be set up at least for in-process or in-thread operation. |
| */ |
| apr_status_t util_ldap_cache_init(apr_pool_t *pool, apr_size_t reqsize); |
| |
| /** |
| * Display formatted stats for cache |
| * @param The pool to allocate the returned string from |
| * @tip This function returns a string allocated from the provided pool that describes |
| * various stats about the cache. |
| * @deffunc char *util_ald_cache_display(apr_pool_t *pool) |
| */ |
| char *util_ald_cache_display(apr_pool_t *pool); |
| |
| |
| /* from apr_ldap_cache_mgr.c */ |
| |
| /** |
| * Display formatted stats for cache |
| * @param The pool to allocate the returned string from |
| * @tip This function returns a string allocated from the provided pool that describes |
| * various stats about the cache. |
| * @deffunc char *util_ald_cache_display(apr_pool_t *pool) |
| */ |
| char *util_ald_cache_display(apr_pool_t *pool); |
| |
| #endif /* APU_HAS_LDAP */ |
| #endif /* UTIL_LDAP_H */ |