| /* ==================================================================== |
| * The Apache Software License, Version 1.1 |
| * |
| * Copyright (c) 2000-2001 The Apache Software Foundation. All rights |
| * reserved. |
| * |
| * Redistribution and use in source and binary forms, with or without |
| * modification, are permitted provided that the following conditions |
| * are met: |
| * |
| * 1. Redistributions of source code must retain the above copyright |
| * notice, this list of conditions and the following disclaimer. |
| * |
| * 2. Redistributions in binary form must reproduce the above copyright |
| * notice, this list of conditions and the following disclaimer in |
| * the documentation and/or other materials provided with the |
| * distribution. |
| * |
| * 3. The end-user documentation included with the redistribution, |
| * if any, must include the following acknowledgment: |
| * "This product includes software developed by the |
| * Apache Software Foundation (http://www.apache.org/)." |
| * Alternately, this acknowledgment may appear in the software itself, |
| * if and wherever such third-party acknowledgments normally appear. |
| * |
| * 4. The names "Apache" and "Apache Software Foundation" must |
| * not be used to endorse or promote products derived from this |
| * software without prior written permission. For written |
| * permission, please contact apache@apache.org. |
| * |
| * 5. Products derived from this software may not be called "Apache", |
| * nor may "Apache" appear in their name, without prior written |
| * permission of the Apache Software Foundation. |
| * |
| * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED |
| * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
| * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
| * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR |
| * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
| * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF |
| * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND |
| * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, |
| * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT |
| * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| * SUCH DAMAGE. |
| * ==================================================================== |
| * |
| * This software consists of voluntary contributions made by many |
| * individuals on behalf of the Apache Software Foundation. For more |
| * information on the Apache Software Foundation, please see |
| * <http://www.apache.org/>. |
| */ |
| |
| /* |
| * util_ldap.c: LDAP things |
| * |
| * Original code from auth_ldap module for Apache v1.3: |
| * Copyright 1998, 1999 Enbridge Pipelines Inc. |
| * Copyright 1999-2001 Dave Carrigan |
| */ |
| |
| #include <apr_ldap.h> |
| |
| #ifdef APU_HAS_LDAP |
| |
| #include <apr_lock.h> |
| #include <apr_strings.h> |
| |
| #include "ap_config.h" |
| #include "httpd.h" |
| #include "http_config.h" |
| #include "http_core.h" |
| #include "http_log.h" |
| #include "http_protocol.h" |
| #include "http_request.h" |
| #include "util_ldap.h" |
| #include "util_ldap_cache.h" |
| |
| #if APR_HAVE_UNISTD_H |
| #include <unistd.h> |
| #endif |
| |
| module AP_MODULE_DECLARE_DATA ldap_module; |
| |
| int util_ldap_handler(request_rec *r); |
| void *util_ldap_create_config(apr_pool_t *p, server_rec *s); |
| |
| |
| /* |
| * Some definitions to help between various versions of apache. |
| */ |
| |
| #ifndef DOCTYPE_HTML_2_0 |
| #define DOCTYPE_HTML_2_0 "<!DOCTYPE HTML PUBLIC \"-//IETF//" \ |
| "DTD HTML 2.0//EN\">\n" |
| #endif |
| |
| #ifndef DOCTYPE_HTML_3_2 |
| #define DOCTYPE_HTML_3_2 "<!DOCTYPE HTML PUBLIC \"-//W3C//" \ |
| "DTD HTML 3.2 Final//EN\">\n" |
| #endif |
| |
| #ifndef DOCTYPE_HTML_4_0S |
| #define DOCTYPE_HTML_4_0S "<!DOCTYPE HTML PUBLIC \"-//W3C//" \ |
| "DTD HTML 4.0//EN\"\n" \ |
| "\"http://www.w3.org/TR/REC-html40/strict.dtd\">\n" |
| #endif |
| |
| #ifndef DOCTYPE_HTML_4_0T |
| #define DOCTYPE_HTML_4_0T "<!DOCTYPE HTML PUBLIC \"-//W3C//" \ |
| "DTD HTML 4.0 Transitional//EN\"\n" \ |
| "\"http://www.w3.org/TR/REC-html40/loose.dtd\">\n" |
| #endif |
| |
| #ifndef DOCTYPE_HTML_4_0F |
| #define DOCTYPE_HTML_4_0F "<!DOCTYPE HTML PUBLIC \"-//W3C//" \ |
| "DTD HTML 4.0 Frameset//EN\"\n" \ |
| "\"http://www.w3.org/TR/REC-html40/frameset.dtd\">\n" |
| #endif |
| |
| /* |
| * Status Handler |
| * -------------- |
| * |
| * This handler generates a status page about the current performance of |
| * the LDAP cache. It is enabled as follows: |
| * |
| * <Location /ldap-status> |
| * SetHandler ldap-status |
| * </Location> |
| * |
| */ |
| int util_ldap_handler(request_rec *r) |
| { |
| |
| r->allowed |= (1 << M_GET); |
| if (r->method_number != M_GET) |
| return DECLINED; |
| |
| if (strcmp(r->handler, "ldap-status")) { |
| return DECLINED; |
| } |
| |
| r->content_type = "text/html"; |
| if (r->header_only) |
| return OK; |
| |
| ap_rputs(DOCTYPE_HTML_3_2 |
| "<html><head><title>LDAP Cache Information</title></head>\n", r); |
| ap_rputs("<body bgcolor='#ffffff'><h1 align=center>LDAP Cache Information</h1>\n", r); |
| |
| ap_rputs("<p>\n" |
| "<table border='0'>\n" |
| "<tr bgcolor='#000000'>\n" |
| "<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Cache Name</b></font></td>" |
| "<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Entries</b></font></td>" |
| "<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Avg. Chain Len.</b></font></td>" |
| "<td colspan='2'><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Hits</b></font></td>" |
| "<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Ins/Rem</b></font></td>" |
| "<td colspan='2'><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Purges</b></font></td>" |
| "<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Avg Purge Time</b></font></td>" |
| "</tr>\n", r |
| ); |
| |
| ap_rputs(util_ald_cache_display(r->pool), r); |
| |
| ap_rputs("</table>\n</p>\n", r); |
| |
| return OK; |
| } |
| |
| /* ------------------------------------------------------------------ */ |
| |
| |
| /* |
| * Closes an LDAP connection by unlocking it. The next time |
| * util_ldap_connection_find() is called this connection will be |
| * available for reuse. |
| */ |
| void util_ldap_connection_close(util_ldap_connection_t *ldc) |
| { |
| |
| /* |
| * QUESTION: |
| * |
| * Is it safe leaving bound connections floating around between the |
| * different modules? Keeping the user bound is a performance boost, |
| * but it is also a potential security problem - maybe. |
| * |
| * For now we unbind the user when we finish with a connection, but |
| * we don't have to... |
| */ |
| |
| /* mark our connection as available for reuse */ |
| apr_lock_release(ldc->lock); |
| |
| } |
| |
| |
| /* |
| * Destroys an LDAP connection by unbinding. This function is registered |
| * with the pool cleanup function - causing the LDAP connections to be |
| * shut down cleanly on graceful restart. |
| */ |
| apr_status_t util_ldap_connection_destroy(void *param) |
| { |
| util_ldap_connection_t *ldc = param; |
| |
| /* unbinding from the LDAP server */ |
| if (ldc->ldap) { |
| ldap_unbind_s(ldc->ldap); |
| ldc->bound = 0; |
| ldc->ldap = NULL; |
| } |
| |
| /* release the lock we were using */ |
| apr_lock_release(ldc->lock); |
| |
| return APR_SUCCESS; |
| } |
| |
| |
| /* |
| * Connect to the LDAP server and binds. Does not connect if already |
| * connected (i.e. ldc->ldap is non-NULL.) Does not bind if already bound. |
| * |
| * Returns LDAP_SUCCESS on success; and an error code on failure |
| */ |
| int util_ldap_connection_open(util_ldap_connection_t *ldc) |
| { |
| int result = 0; |
| int failures = 0; |
| |
| |
| start_over: |
| if (failures++ > 10) { |
| /* too many failures - leave */ |
| return result; |
| } |
| |
| if (!ldc->ldap) { |
| ldc->bound = 0; |
| |
| /* opening connection to LDAP server */ |
| if ((ldc->ldap = ldap_init(ldc->host, ldc->port)) == NULL) { |
| /* couldn't connect */ |
| ldc->reason = "ldap_init() failed"; |
| return -1; |
| } |
| |
| /* add the cleanup to the pool */ |
| apr_pool_cleanup_register(ldc->pool, ldc, |
| util_ldap_connection_destroy, |
| apr_pool_cleanup_null); |
| |
| /* Set the alias dereferencing option */ |
| #if LDAP_VERSION_MAX == 2 |
| ldc->ldap->ld_deref = ldc->deref; |
| #else |
| result = ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &(ldc->deref)); |
| if (result != LDAP_SUCCESS) { |
| /* setting LDAP dereference option failed */ |
| /* we ignore this error */ |
| } |
| #endif /* LDAP_VERSION_MAX */ |
| |
| #ifdef APU_HAS_LDAP_NETSCAPE_SSL |
| if (ldc->netscapessl) { |
| if (!ldc->certdb) { |
| /* secure LDAP requested, but no CA cert defined */ |
| ldc->reason = "secure LDAP requested, but no CA cert defined"; |
| return -1; |
| } else { |
| result = ldapssl_install_routines(ldc->ldap); |
| if (result != LDAP_SUCCESS) { |
| /* SSL initialisation failed */ |
| ldc->reason = "ldapssl_install_routines() failed"; |
| return result; |
| } |
| result = ldap_set_option(ldc->ldap, LDAP_OPT_SSL, LDAP_OPT_ON); |
| if (result != LDAP_SUCCESS) { |
| /* SSL option failed */ |
| ldc->reason = "ldap_set_option() failed trying to set LDAP_OPT_SSL"; |
| return result; |
| } |
| } |
| } |
| #endif /* APU_HAS_LDAP_NETSCAPE_SSL */ |
| |
| #ifdef APU_HAS_LDAP_STARTTLS |
| if (ldc->starttls) { |
| int version = LDAP_VERSION3; |
| |
| /* Also we have to set the connection to use protocol version 3, |
| * since we're using TLS. */ |
| if ((result = ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, |
| &version)) != LDAP_SUCCESS) { |
| /* setting LDAP version failed - ignore error */ |
| } |
| |
| /* |
| * In util_ldap_connection_find, we compare ldc->withtls to |
| * sec->starttls to see if we have a cache match. On the off |
| * chance that apache's config processing rotines set starttls to |
| * some other true value besides 1, we set it to 1 here to ensure |
| * that the comparison succeeds. |
| */ |
| ldc->starttls = 1; |
| |
| result = ldap_start_tls_s(ldc->ldap, NULL, NULL); |
| if (result != LDAP_SUCCESS) { |
| /* start TLS failed */ |
| ldc->withtls = 0; |
| ldc->reason = "ldap_start_tls_s() failed"; |
| return result; |
| } |
| ldc->withtls = 1; |
| } else { |
| ldc->withtls = 0; |
| } |
| #endif /* APU_HAS_LDAP_STARTTLS */ |
| } |
| |
| /* |
| * At this point the LDAP connection is guaranteed alive. If bound says |
| * that we're bound already, we can just return. |
| */ |
| if (ldc->bound) { |
| ldc->reason = "LDAP connection open successful (already bound)"; |
| return LDAP_SUCCESS; |
| } |
| |
| /* |
| * Now bind with the username/password provided by the |
| * configuration. It will be an anonymous bind if no u/p was |
| * provided. |
| */ |
| if ((result = ldap_simple_bind_s(ldc->ldap, ldc->binddn, ldc->bindpw)) |
| == LDAP_SERVER_DOWN) { |
| /* couldn't connect - try again */ |
| ldc->reason = "ldap_simple_bind_s() failed with server down"; |
| goto start_over; |
| } |
| |
| if (result != LDAP_SUCCESS) { |
| /* LDAP fatal error occured */ |
| ldc->reason = "ldap_simple_bind_s() failed"; |
| return result; |
| } |
| |
| /* note how we are bound */ |
| ldc->bound = 1; |
| |
| ldc->reason = "LDAP connection open successful"; |
| return LDAP_SUCCESS; |
| } |
| |
| |
| /* |
| * Find an existing ldap connection struct that matches the |
| * provided ldap connection parameters. |
| * |
| * If not found in the cache, a new ldc structure will be allocated from st->pool |
| * and returned to the caller. If found in the cache, a pointer to the existing |
| * ldc structure will be returned. |
| */ |
| util_ldap_connection_t *util_ldap_connection_find(request_rec *r, const char *host, int port, |
| const char *binddn, const char *bindpw, deref_options deref, |
| int netscapessl, int starttls) |
| { |
| struct util_ldap_connection_t *l, *p; /* To traverse the linked list */ |
| |
| util_ldap_state_t *st = |
| (util_ldap_state_t *)ap_get_module_config(r->server->module_config, |
| &ldap_module); |
| |
| |
| /* mutex lock this function */ |
| if (!st->mutex) { |
| apr_lock_create(&st->mutex, APR_MUTEX, APR_INTRAPROCESS, NULL, st->pool); |
| } |
| apr_lock_acquire(st->mutex); |
| |
| /* Search for an exact connection match in the list that is not |
| * being used. |
| */ |
| for (l=st->connections,p=NULL; l; l=l->next) { |
| if ( (APR_SUCCESS == apr_lock_tryacquire(l->lock)) |
| && l->port == port |
| && strcmp(l->host, host) == 0 |
| && ( (!l->binddn && !binddn) || (l->binddn && binddn && !strcmp(l->binddn, binddn)) ) |
| && ( (!l->bindpw && !bindpw) || (l->bindpw && bindpw && !strcmp(l->bindpw, bindpw)) ) |
| && l->deref == deref |
| #ifdef APU_HAS_LDAP_NETSCAPE_SSL |
| && l->netscapessl == netscapessl |
| #endif |
| #ifdef APU_HAS_LDAP_STARTTLS |
| && l->withtls == starttls |
| #endif |
| ) |
| break; |
| p = l; |
| } |
| |
| /* If nothing found, search again, but we don't care about the |
| * binddn and bindpw this time. |
| */ |
| if (!l) { |
| for (l=st->connections,p=NULL; l; l=l->next) { |
| if ( (APR_SUCCESS == apr_lock_tryacquire(l->lock)) |
| && l->port == port |
| && strcmp(l->host, host) == 0 |
| && l->deref == deref |
| #ifdef APU_HAS_LDAP_NETSCAPE_SSL |
| && l->netscapessl == netscapessl |
| #endif |
| #ifdef APU_HAS_LDAP_STARTTLS |
| && l->withtls == starttls |
| #endif |
| ) { |
| /* the bind credentials have changed */ |
| l->bound = 0; |
| l->binddn = apr_pstrdup(st->pool, binddn); |
| l->bindpw = apr_pstrdup(st->pool, bindpw); |
| break; |
| } |
| p = l; |
| } |
| } |
| |
| /* artificially disable cache */ |
| //l = NULL; |
| |
| /* If no connection what found after the second search, we |
| * must create one. |
| */ |
| if (!l) { |
| |
| /* |
| * Add the new connection entry to the linked list. Note that we |
| * don't actually establish an LDAP connection yet; that happens |
| * the first time authentication is requested. |
| */ |
| /* create the details to the pool in st */ |
| l = apr_pcalloc(st->pool, sizeof(util_ldap_connection_t)); |
| apr_lock_create(&l->lock, APR_MUTEX, APR_INTRAPROCESS, NULL, st->pool); |
| apr_lock_acquire(l->lock); |
| l->pool = st->pool; |
| l->bound = 0; |
| l->host = apr_pstrdup(st->pool, host); |
| l->port = port; |
| l->deref = deref; |
| l->binddn = apr_pstrdup(st->pool, binddn); |
| l->bindpw = apr_pstrdup(st->pool, bindpw); |
| l->netscapessl = netscapessl; |
| l->starttls = starttls; |
| l->withtls = 0; |
| |
| if (p) { |
| p->next = l; |
| } |
| else { |
| st->connections = l; |
| } |
| } |
| |
| apr_lock_release(st->mutex); |
| return l; |
| } |
| |
| /* ------------------------------------------------------------------ */ |
| |
| /* |
| * Compares two DNs to see if they're equal. The only way to do this correctly is to |
| * search for the dn and then do ldap_get_dn() on the result. This should match the |
| * initial dn, since it would have been also retrieved with ldap_get_dn(). This is |
| * expensive, so if the configuration value compare_dn_on_server is |
| * false, just does an ordinary strcmp. |
| * |
| * The lock for the ldap cache should already be acquired. |
| */ |
| int util_ldap_cache_comparedn(request_rec *r, util_ldap_connection_t *ldc, |
| const char *url, const char *dn, const char *reqdn, |
| int compare_dn_on_server) |
| { |
| int result = 0; |
| util_url_node_t *curl; |
| util_url_node_t curnode; |
| util_dn_compare_node_t *node; |
| util_dn_compare_node_t newnode; |
| int failures = 0; |
| LDAPMessage *res, *entry; |
| char *searchdn; |
| |
| util_ldap_state_t *st = |
| (util_ldap_state_t *)ap_get_module_config(r->server->module_config, |
| &ldap_module); |
| |
| |
| /* read lock this function */ |
| if (!util_ldap_cache_lock) { |
| apr_lock_create(&util_ldap_cache_lock, APR_READWRITE, APR_INTRAPROCESS, NULL, st->pool); |
| } |
| |
| /* get cache entry (or create one) */ |
| apr_lock_acquire_rw(util_ldap_cache_lock, APR_WRITER); |
| curnode.url = url; |
| curl = util_ald_cache_fetch(util_ldap_cache, &curnode); |
| if (curl == NULL) { |
| curl = util_ald_create_caches(st, url); |
| } |
| apr_lock_release(util_ldap_cache_lock); |
| |
| /* a simple compare? */ |
| if (!compare_dn_on_server) { |
| /* unlock this read lock */ |
| if (strcmp(dn, reqdn)) { |
| ldc->reason = "DN Comparison FALSE (direct strcmp())"; |
| return LDAP_COMPARE_FALSE; |
| } |
| else { |
| ldc->reason = "DN Comparison TRUE (direct strcmp())"; |
| return LDAP_COMPARE_TRUE; |
| } |
| } |
| |
| /* no - it's a server side compare */ |
| apr_lock_acquire_rw(util_ldap_cache_lock, APR_READER); |
| |
| /* is it in the compare cache? */ |
| newnode.reqdn = (char *)reqdn; |
| node = util_ald_cache_fetch(curl->dn_compare_cache, &newnode); |
| if (node != NULL) { |
| /* If it's in the cache, it's good */ |
| /* unlock this read lock */ |
| apr_lock_release(util_ldap_cache_lock); |
| ldc->reason = "DN Comparison TRUE (cached)"; |
| return LDAP_COMPARE_TRUE; |
| } |
| |
| /* unlock this read lock */ |
| apr_lock_release(util_ldap_cache_lock); |
| |
| start_over: |
| if (failures++ > 10) { |
| /* too many failures */ |
| return result; |
| } |
| |
| /* make a server connection */ |
| if (LDAP_SUCCESS != (result = util_ldap_connection_open(ldc))) { |
| /* connect to server failed */ |
| return result; |
| } |
| |
| /* search for reqdn */ |
| if ((result = ldap_search_ext_s(ldc->ldap, const_cast(reqdn), LDAP_SCOPE_BASE, |
| "(objectclass=*)", NULL, 1, |
| NULL, NULL, NULL, -1, &res)) == LDAP_SERVER_DOWN) { |
| util_ldap_connection_close(ldc); |
| ldc->reason = "DN Comparison ldap_search_ext_s() failed with server down"; |
| goto start_over; |
| } |
| if (result != LDAP_SUCCESS) { |
| /* search for reqdn failed - no match */ |
| ldc->reason = "DN Comparison ldap_search_ext_s() failed"; |
| return result; |
| } |
| |
| entry = ldap_first_entry(ldc->ldap, res); |
| searchdn = ldap_get_dn(ldc->ldap, entry); |
| |
| ldap_msgfree(res); |
| if (strcmp(dn, searchdn) != 0) { |
| /* compare unsuccessful */ |
| ldc->reason = "DN Comparison FALSE (checked on server)"; |
| result = LDAP_COMPARE_FALSE; |
| } |
| else { |
| /* compare successful - add to the compare cache */ |
| apr_lock_acquire_rw(util_ldap_cache_lock, APR_READER); |
| newnode.reqdn = (char *)reqdn; |
| newnode.dn = (char *)dn; |
| util_ald_cache_insert(curl->dn_compare_cache, &newnode); |
| apr_lock_release(util_ldap_cache_lock); |
| ldc->reason = "DN Comparison TRUE (checked on server)"; |
| result = LDAP_COMPARE_TRUE; |
| } |
| ldap_memfree(searchdn); |
| return result; |
| |
| } |
| |
| /* |
| * Does an generic ldap_compare operation. It accepts a cache that it will use |
| * to lookup the compare in the cache. We cache two kinds of compares |
| * (require group compares) and (require user compares). Each compare has a different |
| * cache node: require group includes the DN; require user does not because the |
| * require user cache is owned by the |
| * |
| */ |
| int util_ldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc, |
| const char *url, const char *dn, |
| const char *attrib, const char *value) |
| { |
| int result = 0; |
| util_url_node_t *curl; |
| util_url_node_t curnode; |
| util_compare_node_t *compare_nodep; |
| util_compare_node_t the_compare_node; |
| apr_time_t curtime; |
| int failures = 0; |
| |
| util_ldap_state_t *st = |
| (util_ldap_state_t *)ap_get_module_config(r->server->module_config, |
| &ldap_module); |
| |
| |
| /* read lock this function */ |
| if (!util_ldap_cache_lock) { |
| apr_lock_create(&util_ldap_cache_lock, APR_READWRITE, APR_INTRAPROCESS, NULL, st->pool); |
| } |
| |
| /* get cache entry (or create one) */ |
| apr_lock_acquire_rw(util_ldap_cache_lock, APR_WRITER); |
| curnode.url = url; |
| curl = util_ald_cache_fetch(util_ldap_cache, &curnode); |
| if (curl == NULL) { |
| curl = util_ald_create_caches(st, url); |
| } |
| apr_lock_release(util_ldap_cache_lock); |
| |
| /* make a comparison to the cache */ |
| apr_lock_acquire_rw(util_ldap_cache_lock, APR_READER); |
| curtime = apr_time_now(); |
| |
| the_compare_node.dn = (char *)dn; |
| the_compare_node.attrib = (char *)attrib; |
| the_compare_node.value = (char *)value; |
| the_compare_node.result = 0; |
| |
| compare_nodep = util_ald_cache_fetch(curl->compare_cache, &the_compare_node); |
| |
| if (compare_nodep != NULL) { |
| /* found it... */ |
| if (curtime - compare_nodep->lastcompare > st->compare_cache_ttl) { |
| /* ...but it is too old */ |
| util_ald_cache_remove(curl->compare_cache, compare_nodep); |
| } |
| else { |
| /* ...and it is good */ |
| /* unlock this read lock */ |
| apr_lock_release(util_ldap_cache_lock); |
| if (LDAP_COMPARE_TRUE == compare_nodep->result) { |
| ldc->reason = "Comparison true (cached)"; |
| return compare_nodep->result; |
| } |
| else if (LDAP_COMPARE_FALSE == compare_nodep->result) { |
| ldc->reason = "Comparison false (cached)"; |
| return compare_nodep->result; |
| } |
| else if (LDAP_NO_SUCH_ATTRIBUTE == compare_nodep->result) { |
| ldc->reason = "Comparison no such attribute (cached)"; |
| return compare_nodep->result; |
| } |
| else { |
| ldc->reason = "Comparison undefined (cached)"; |
| return compare_nodep->result; |
| } |
| } |
| } |
| /* unlock this read lock */ |
| apr_lock_release(util_ldap_cache_lock); |
| |
| |
| start_over: |
| if (failures++ > 10) { |
| /* too many failures */ |
| return result; |
| } |
| if (LDAP_SUCCESS != (result = util_ldap_connection_open(ldc))) { |
| /* connect failed */ |
| return result; |
| } |
| |
| if ((result = ldap_compare_s(ldc->ldap, const_cast(dn), |
| const_cast(attrib), const_cast(value))) |
| == LDAP_SERVER_DOWN) { |
| /* connection failed - try again */ |
| util_ldap_connection_close(ldc); |
| ldc->reason = "ldap_compare_s() failed with server down"; |
| goto start_over; |
| } |
| |
| ldc->reason = "Comparison complete"; |
| if ((LDAP_COMPARE_TRUE == result) || |
| (LDAP_COMPARE_FALSE == result) || |
| (LDAP_NO_SUCH_ATTRIBUTE == result)) { |
| /* compare completed; caching result */ |
| apr_lock_acquire_rw(util_ldap_cache_lock, APR_WRITER); |
| the_compare_node.lastcompare = curtime; |
| the_compare_node.result = result; |
| util_ald_cache_insert(curl->compare_cache, &the_compare_node); |
| apr_lock_release(util_ldap_cache_lock); |
| if (LDAP_COMPARE_TRUE == result) { |
| ldc->reason = "Comparison true (adding to cache)"; |
| return LDAP_COMPARE_TRUE; |
| } |
| else if (LDAP_COMPARE_FALSE == result) { |
| ldc->reason = "Comparison false (adding to cache)"; |
| return LDAP_COMPARE_FALSE; |
| } |
| else { |
| ldc->reason = "Comparison no such attribute (adding to cache)"; |
| return LDAP_NO_SUCH_ATTRIBUTE; |
| } |
| } |
| return result; |
| } |
| |
| int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc, |
| const char *url, const char *basedn, int scope, char **attrs, |
| const char *filter, const char *bindpw, const char **binddn, |
| const char ***retvals) |
| { |
| const char **vals = NULL; |
| int result = 0; |
| LDAPMessage *res, *entry; |
| char *dn; |
| int count; |
| int failures = 0; |
| util_url_node_t *curl; /* Cached URL node */ |
| util_url_node_t curnode; |
| util_search_node_t *search_nodep; /* Cached search node */ |
| util_search_node_t the_search_node; |
| apr_time_t curtime; |
| |
| util_ldap_state_t *st = |
| (util_ldap_state_t *)ap_get_module_config(r->server->module_config, |
| &ldap_module); |
| |
| /* read lock this function */ |
| if (!util_ldap_cache_lock) { |
| apr_lock_create(&util_ldap_cache_lock, APR_READWRITE, APR_INTRAPROCESS, NULL, st->pool); |
| } |
| |
| /* Get the cache node for this url */ |
| apr_lock_acquire_rw(util_ldap_cache_lock, APR_WRITER); |
| curnode.url = url; |
| curl = (util_url_node_t *)util_ald_cache_fetch(util_ldap_cache, &curnode); |
| if (curl == NULL) { |
| curl = util_ald_create_caches(st, url); |
| } |
| apr_lock_release(util_ldap_cache_lock); |
| |
| apr_lock_acquire_rw(util_ldap_cache_lock, APR_READER); |
| the_search_node.username = filter; |
| search_nodep = util_ald_cache_fetch(curl->search_cache, &the_search_node); |
| if (search_nodep != NULL && search_nodep->bindpw) { |
| |
| /* found entry in search cache... */ |
| curtime = apr_time_now(); |
| |
| /* |
| * Remove this item from the cache if its expired, or if the |
| * sent password doesn't match the storepassword. |
| */ |
| if ((curtime - search_nodep->lastbind) > st->search_cache_ttl) { |
| /* ...but entry is too old */ |
| util_ald_cache_remove(curl->search_cache, search_nodep); |
| } |
| else if (strcmp(search_nodep->bindpw, bindpw) != 0) { |
| /* ...but cached password doesn't match sent password */ |
| util_ald_cache_remove(curl->search_cache, search_nodep); |
| } |
| else { |
| /* ...and entry is valid */ |
| *binddn = search_nodep->dn; |
| *retvals = search_nodep->vals; |
| apr_lock_release(util_ldap_cache_lock); |
| ldc->reason = "Authentication successful (cached)"; |
| return LDAP_SUCCESS; |
| } |
| } |
| /* unlock this read lock */ |
| apr_lock_release(util_ldap_cache_lock); |
| |
| |
| /* |
| * At this point, there is no valid cached search, so lets do the search. |
| */ |
| |
| /* |
| * If any LDAP operation fails due to LDAP_SERVER_DOWN, control returns here. |
| */ |
| start_over: |
| if (failures++ > 10) { |
| return result; |
| } |
| if (LDAP_SUCCESS != (result = util_ldap_connection_open(ldc))) { |
| return result; |
| } |
| |
| /* try do the search */ |
| if ((result = ldap_search_ext_s(ldc->ldap, |
| basedn, scope, |
| filter, attrs, 0, |
| NULL, NULL, NULL, -1, &res)) == LDAP_SERVER_DOWN) { |
| ldc->reason = "ldap_search_ext_s() for user failed with server down"; |
| goto start_over; |
| } |
| |
| /* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */ |
| if (result != LDAP_SUCCESS) { |
| ldc->reason = "ldap_search_ext_s() for user failed"; |
| return result; |
| } |
| |
| /* |
| * We should have found exactly one entry; to find a different |
| * number is an error. |
| */ |
| count = ldap_count_entries(ldc->ldap, res); |
| if (count != 1) { |
| ldap_msgfree(res); |
| ldc->reason = "User is not unique (search found two or more matches)"; |
| return LDAP_NO_SUCH_OBJECT; |
| } |
| |
| entry = ldap_first_entry(ldc->ldap, res); |
| |
| /* Grab the dn, copy it into the pool, and free it again */ |
| dn = ldap_get_dn(ldc->ldap, entry); |
| *binddn = apr_pstrdup(st->pool, dn); |
| ldap_memfree(dn); |
| |
| /* |
| * A bind to the server with an empty password always succeeds, so |
| * we check to ensure that the password is not empty. This implies |
| * that users who actually do have empty passwords will never be |
| * able to authenticate with this module. I don't see this as a big |
| * problem. |
| */ |
| if (strlen(bindpw) <= 0) { |
| ldap_msgfree(res); |
| ldc->reason = "Empty password not allowed"; |
| return LDAP_INVALID_CREDENTIALS; |
| } |
| |
| /* |
| * Attempt to bind with the retrieved dn and the password. If the bind |
| * fails, it means that the password is wrong (the dn obviously |
| * exists, since we just retrieved it) |
| */ |
| if ((result = |
| ldap_simple_bind_s(ldc->ldap, *binddn, bindpw)) == |
| LDAP_SERVER_DOWN) { |
| ldc->reason = "ldap_simple_bind_s() to check user credentials failed with server down"; |
| goto start_over; |
| } |
| |
| /* failure? if so - return */ |
| if (result != LDAP_SUCCESS) { |
| ldc->reason = "ldap_simple_bind_s() to check user credentials failed"; |
| return result; |
| } |
| |
| /* |
| * Get values for the provided attributes. |
| */ |
| if (attrs) { |
| int k = 0; |
| int i = 0; |
| while (attrs[k++]); |
| vals = apr_pcalloc(r->pool, sizeof(char *) * (k+1)); |
| while (attrs[i]) { |
| char **values; |
| int j = 0; |
| char *str = NULL; |
| /* get values */ |
| values = ldap_get_values(ldc->ldap, entry, attrs[i]); |
| while (values && values[j]) { |
| str = str ? apr_pstrcat(r->pool, str, "; ", values[j], NULL) : apr_pstrdup(r->pool, values[j]); |
| j++; |
| } |
| vals[i] = str; |
| i++; |
| } |
| *retvals = vals; |
| } |
| |
| /* |
| * Add the new username to the search cache. |
| */ |
| apr_lock_acquire_rw(util_ldap_cache_lock, APR_WRITER); |
| the_search_node.username = filter; |
| the_search_node.dn = *binddn; |
| the_search_node.bindpw = bindpw; |
| the_search_node.lastbind = apr_time_now(); |
| the_search_node.vals = vals; |
| util_ald_cache_insert(curl->search_cache, &the_search_node); |
| ldap_msgfree(res); |
| apr_lock_release(util_ldap_cache_lock); |
| |
| ldc->reason = "Authentication successful"; |
| return LDAP_SUCCESS; |
| } |
| |
| #endif /* APU_HAS_LDAP */ |
| |
| |
| |
| /* ---------------------------------------- */ |
| /* config directives */ |
| |
| |
| static const char *util_ldap_set_cache_bytes(cmd_parms *cmd, void *dummy, const char *bytes) |
| { |
| util_ldap_state_t *st = |
| (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, |
| &ldap_module); |
| |
| st->cache_bytes = atol(bytes); |
| |
| ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, |
| "[%d] ldap cache: Setting shared memory cache size to %d bytes.", |
| getpid(), st->cache_bytes); |
| |
| return NULL; |
| } |
| |
| static const char *util_ldap_set_cache_ttl(cmd_parms *cmd, void *dummy, const char *ttl) |
| { |
| util_ldap_state_t *st = |
| (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, |
| &ldap_module); |
| |
| st->search_cache_ttl = atol(ttl) * 1000000; |
| |
| ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, |
| "[%d] ldap cache: Setting cache TTL to %ld microseconds.", |
| getpid(), st->search_cache_ttl); |
| |
| return NULL; |
| } |
| |
| static const char *util_ldap_set_cache_entries(cmd_parms *cmd, void *dummy, const char *size) |
| { |
| util_ldap_state_t *st = |
| (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, |
| &ldap_module); |
| |
| |
| st->search_cache_size = atol(size); |
| if (st->search_cache_size < 0) { |
| st->search_cache_size = 0; |
| } |
| |
| ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, |
| "[%d] ldap cache: Setting search cache size to %ld entries.", |
| getpid(), st->search_cache_size); |
| |
| return NULL; |
| } |
| |
| static const char *util_ldap_set_opcache_ttl(cmd_parms *cmd, void *dummy, const char *ttl) |
| { |
| util_ldap_state_t *st = |
| (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, |
| &ldap_module); |
| |
| st->compare_cache_ttl = atol(ttl) * 1000000; |
| |
| ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, |
| "[%d] ldap cache: Setting operation cache TTL to %ld microseconds.", |
| getpid(), st->compare_cache_ttl); |
| |
| return NULL; |
| } |
| |
| static const char *util_ldap_set_opcache_entries(cmd_parms *cmd, void *dummy, const char *size) |
| { |
| util_ldap_state_t *st = |
| (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, |
| &ldap_module); |
| |
| st->compare_cache_size = atol(size); |
| if (st->compare_cache_size < 0) { |
| st->compare_cache_size = 0; |
| } |
| |
| ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, |
| "[%d] ldap cache: Setting operation cache size to %ld entries.", |
| getpid(), st->compare_cache_size); |
| |
| return NULL; |
| } |
| |
| #ifdef APU_HAS_LDAPSSL_CLIENT_INIT |
| static const char *util_ldap_set_certdbpath(cmd_parms *cmd, void *dummy, const char *path) |
| { |
| util_ldap_state_t *st = |
| (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, |
| &ldap_module); |
| |
| ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, |
| "[%d] ldap cache: Setting LDAP SSL client certificate dbpath to %s.", |
| getpid(), path); |
| |
| st->have_certdb = 1; |
| if (ldapssl_client_init(path, NULL) != 0) { |
| return "Could not initialize SSL client"; |
| } |
| else { |
| return NULL; |
| } |
| } |
| #endif |
| |
| void *util_ldap_create_config(apr_pool_t *p, server_rec *s) |
| { |
| util_ldap_state_t *st = |
| (util_ldap_state_t *)apr_pcalloc(p, sizeof(util_ldap_state_t)); |
| |
| st->pool = p; |
| |
| st->cache_bytes = 100000; |
| st->search_cache_ttl = 600000000; |
| st->search_cache_size = 1024; |
| st->compare_cache_ttl = 600000000; |
| st->compare_cache_size = 1024; |
| |
| st->connections = NULL; |
| #ifdef APU_HAS_LDAP_NETSCAPE_SSL |
| st->have_certdb = 0; |
| #endif |
| |
| return st; |
| } |
| |
| static void util_ldap_init_module(apr_pool_t *pool, server_rec *s) |
| { |
| util_ldap_state_t *st = |
| (util_ldap_state_t *)ap_get_module_config(s->module_config, |
| &ldap_module); |
| |
| apr_status_t result = util_ldap_cache_init(pool, st->cache_bytes); |
| char buf[MAX_STRING_LEN]; |
| |
| apr_strerror(result, buf, sizeof(buf)); |
| ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, result, s, |
| "[%d] ldap cache init: %s", |
| getpid(), buf); |
| } |
| |
| |
| command_rec util_ldap_cmds[] = { |
| AP_INIT_TAKE1("LDAPSharedCacheSize", util_ldap_set_cache_bytes, NULL, RSRC_CONF, |
| "Sets the size of the shared memory cache in bytes. " |
| "Zero means disable the shared memory cache. Defaults to 100KB."), |
| |
| AP_INIT_TAKE1("LDAPCacheEntries", util_ldap_set_cache_entries, NULL, RSRC_CONF, |
| "Sets the maximum number of entries that are possible in the LDAP " |
| "search cache. " |
| "Zero means no limit; -1 disables the cache. Defaults to 1024 entries."), |
| |
| AP_INIT_TAKE1("LDAPCacheTTL", util_ldap_set_cache_ttl, NULL, RSRC_CONF, |
| "Sets the maximum time (in seconds) that an item can be cached in the LDAP " |
| "search cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."), |
| |
| AP_INIT_TAKE1("LDAPOpCacheEntries", util_ldap_set_opcache_entries, NULL, RSRC_CONF, |
| "Sets the maximum number of entries that are possible in the LDAP " |
| "compare cache. " |
| "Zero means no limit; -1 disables the cache. Defaults to 1024 entries."), |
| |
| AP_INIT_TAKE1("LDAPOpCacheTTL", util_ldap_set_opcache_ttl, NULL, RSRC_CONF, |
| "Sets the maximum time (in seconds) that an item is cached in the LDAP " |
| "operation cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."), |
| |
| #ifdef APU_HAS_LDAPSSL_CLIENT_INIT |
| AP_INIT_TAKE1("LDAPCertDBPath", util_ldap_set_certdbpath, NULL, RSRC_CONF, |
| "Specifies the file containing Certificate Authority certificates " |
| "for validating secure LDAP server certificates. This file must be the " |
| "cert7.db database used by Netscape Communicator"), |
| #endif |
| |
| {NULL} |
| }; |
| |
| static void util_ldap_register_hooks(apr_pool_t *p) |
| { |
| ap_hook_child_init(util_ldap_init_module, NULL, NULL, APR_HOOK_MIDDLE); |
| ap_hook_handler(util_ldap_handler, NULL, NULL, APR_HOOK_MIDDLE); |
| } |
| |
| module ldap_module = { |
| STANDARD20_MODULE_STUFF, |
| NULL, /* dir config creater */ |
| NULL, /* dir merger --- default is to override */ |
| util_ldap_create_config, /* server config */ |
| NULL, /* merge server config */ |
| util_ldap_cmds, /* command table */ |
| util_ldap_register_hooks, /* set up request processing hooks */ |
| }; |