Google Git
Sign in
apache / httpd / abb455ea0d1e4d429f6bf5d454c6d4c794693914 / . / modules / experimental / util_ldap.c
blob: 4e9ca0e501557b4a1dd411f71a746fdbb2995598 [file] [log] [blame]
/* ====================================================================
* The Apache Software License, Version 1.1
*
* Copyright (c) 2000-2001 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. The end-user documentation included with the redistribution,
* if any, must include the following acknowledgment:
* "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowledgment may appear in the software itself,
* if and wherever such third-party acknowledgments normally appear.
*
* 4. The names "Apache" and "Apache Software Foundation" must
* not be used to endorse or promote products derived from this
* software without prior written permission. For written
* permission, please contact apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache",
* nor may "Apache" appear in their name, without prior written
* permission of the Apache Software Foundation.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*/
/*
* util_ldap.c: LDAP things
*
* Original code from auth_ldap module for Apache v1.3:
* Copyright 1998, 1999 Enbridge Pipelines Inc.
* Copyright 1999-2001 Dave Carrigan
*/
#include <apr_ldap.h>
#ifdef APU_HAS_LDAP
#include <apr_lock.h>
#include <apr_strings.h>
#include "ap_config.h"
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"
#include "util_ldap.h"
#include "util_ldap_cache.h"
#if APR_HAVE_UNISTD_H
#include <unistd.h>
#endif
module AP_MODULE_DECLARE_DATA ldap_module;
int util_ldap_handler(request_rec *r);
void *util_ldap_create_config(apr_pool_t *p, server_rec *s);
/*
* Some definitions to help between various versions of apache.
*/
#ifndef DOCTYPE_HTML_2_0
#define DOCTYPE_HTML_2_0 "<!DOCTYPE HTML PUBLIC \"-//IETF//" \
"DTD HTML 2.0//EN\">\n"
#endif
#ifndef DOCTYPE_HTML_3_2
#define DOCTYPE_HTML_3_2 "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
"DTD HTML 3.2 Final//EN\">\n"
#endif
#ifndef DOCTYPE_HTML_4_0S
#define DOCTYPE_HTML_4_0S "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
"DTD HTML 4.0//EN\"\n" \
"\"http://www.w3.org/TR/REC-html40/strict.dtd\">\n"
#endif
#ifndef DOCTYPE_HTML_4_0T
#define DOCTYPE_HTML_4_0T "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
"DTD HTML 4.0 Transitional//EN\"\n" \
"\"http://www.w3.org/TR/REC-html40/loose.dtd\">\n"
#endif
#ifndef DOCTYPE_HTML_4_0F
#define DOCTYPE_HTML_4_0F "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
"DTD HTML 4.0 Frameset//EN\"\n" \
"\"http://www.w3.org/TR/REC-html40/frameset.dtd\">\n"
#endif
/*
* Status Handler
* --------------
*
* This handler generates a status page about the current performance of
* the LDAP cache. It is enabled as follows:
*
* <Location /ldap-status>
* SetHandler ldap-status
* </Location>
*
*/
int util_ldap_handler(request_rec *r)
{
r->allowed |= (1 << M_GET);
if (r->method_number != M_GET)
return DECLINED;
if (strcmp(r->handler, "ldap-status")) {
return DECLINED;
}
r->content_type = "text/html";
if (r->header_only)
return OK;
ap_rputs(DOCTYPE_HTML_3_2
"<html><head><title>LDAP Cache Information</title></head>\n", r);
ap_rputs("<body bgcolor='#ffffff'><h1 align=center>LDAP Cache Information</h1>\n", r);
ap_rputs("<p>\n"
"<table border='0'>\n"
"<tr bgcolor='#000000'>\n"
"<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Cache Name</b></font></td>"
"<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Entries</b></font></td>"
"<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Avg. Chain Len.</b></font></td>"
"<td colspan='2'><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Hits</b></font></td>"
"<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Ins/Rem</b></font></td>"
"<td colspan='2'><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Purges</b></font></td>"
"<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Avg Purge Time</b></font></td>"
"</tr>\n", r
);
ap_rputs(util_ald_cache_display(r->pool), r);
ap_rputs("</table>\n</p>\n", r);
return OK;
}
/* ------------------------------------------------------------------ */
/*
* Closes an LDAP connection by unlocking it. The next time
* util_ldap_connection_find() is called this connection will be
* available for reuse.
*/
void util_ldap_connection_close(util_ldap_connection_t *ldc)
{
/*
* QUESTION:
*
* Is it safe leaving bound connections floating around between the
* different modules? Keeping the user bound is a performance boost,
* but it is also a potential security problem - maybe.
*
* For now we unbind the user when we finish with a connection, but
* we don't have to...
*/
/* mark our connection as available for reuse */
apr_lock_release(ldc->lock);
}
/*
* Destroys an LDAP connection by unbinding. This function is registered
* with the pool cleanup function - causing the LDAP connections to be
* shut down cleanly on graceful restart.
*/
apr_status_t util_ldap_connection_destroy(void *param)
{
util_ldap_connection_t *ldc = param;
/* unbinding from the LDAP server */
if (ldc->ldap) {
ldap_unbind_s(ldc->ldap);
ldc->bound = 0;
ldc->ldap = NULL;
}
/* release the lock we were using */
apr_lock_release(ldc->lock);
return APR_SUCCESS;
}
/*
* Connect to the LDAP server and binds. Does not connect if already
* connected (i.e. ldc->ldap is non-NULL.) Does not bind if already bound.
*
* Returns LDAP_SUCCESS on success; and an error code on failure
*/
int util_ldap_connection_open(util_ldap_connection_t *ldc)
{
int result = 0;
int failures = 0;
start_over:
if (failures++ > 10) {
/* too many failures - leave */
return result;
}
if (!ldc->ldap) {
ldc->bound = 0;
/* opening connection to LDAP server */
if ((ldc->ldap = ldap_init(ldc->host, ldc->port)) == NULL) {
/* couldn't connect */
ldc->reason = "ldap_init() failed";
return -1;
}
/* add the cleanup to the pool */
apr_pool_cleanup_register(ldc->pool, ldc,
util_ldap_connection_destroy,
apr_pool_cleanup_null);
/* Set the alias dereferencing option */
#if LDAP_VERSION_MAX == 2
ldc->ldap->ld_deref = ldc->deref;
#else
result = ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &(ldc->deref));
if (result != LDAP_SUCCESS) {
/* setting LDAP dereference option failed */
/* we ignore this error */
}
#endif /* LDAP_VERSION_MAX */
#ifdef APU_HAS_LDAP_NETSCAPE_SSL
if (ldc->netscapessl) {
if (!ldc->certdb) {
/* secure LDAP requested, but no CA cert defined */
ldc->reason = "secure LDAP requested, but no CA cert defined";
return -1;
} else {
result = ldapssl_install_routines(ldc->ldap);
if (result != LDAP_SUCCESS) {
/* SSL initialisation failed */
ldc->reason = "ldapssl_install_routines() failed";
return result;
}
result = ldap_set_option(ldc->ldap, LDAP_OPT_SSL, LDAP_OPT_ON);
if (result != LDAP_SUCCESS) {
/* SSL option failed */
ldc->reason = "ldap_set_option() failed trying to set LDAP_OPT_SSL";
return result;
}
}
}
#endif /* APU_HAS_LDAP_NETSCAPE_SSL */
#ifdef APU_HAS_LDAP_STARTTLS
if (ldc->starttls) {
int version = LDAP_VERSION3;
/* Also we have to set the connection to use protocol version 3,
* since we're using TLS. */
if ((result = ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION,
&version)) != LDAP_SUCCESS) {
/* setting LDAP version failed - ignore error */
}
/*
* In util_ldap_connection_find, we compare ldc->withtls to
* sec->starttls to see if we have a cache match. On the off
* chance that apache's config processing rotines set starttls to
* some other true value besides 1, we set it to 1 here to ensure
* that the comparison succeeds.
*/
ldc->starttls = 1;
result = ldap_start_tls_s(ldc->ldap, NULL, NULL);
if (result != LDAP_SUCCESS) {
/* start TLS failed */
ldc->withtls = 0;
ldc->reason = "ldap_start_tls_s() failed";
return result;
}
ldc->withtls = 1;
} else {
ldc->withtls = 0;
}
#endif /* APU_HAS_LDAP_STARTTLS */
}
/*
* At this point the LDAP connection is guaranteed alive. If bound says
* that we're bound already, we can just return.
*/
if (ldc->bound) {
ldc->reason = "LDAP connection open successful (already bound)";
return LDAP_SUCCESS;
}
/*
* Now bind with the username/password provided by the
* configuration. It will be an anonymous bind if no u/p was
* provided.
*/
if ((result = ldap_simple_bind_s(ldc->ldap, ldc->binddn, ldc->bindpw))
== LDAP_SERVER_DOWN) {
/* couldn't connect - try again */
ldc->reason = "ldap_simple_bind_s() failed with server down";
goto start_over;
}
if (result != LDAP_SUCCESS) {
/* LDAP fatal error occured */
ldc->reason = "ldap_simple_bind_s() failed";
return result;
}
/* note how we are bound */
ldc->bound = 1;
ldc->reason = "LDAP connection open successful";
return LDAP_SUCCESS;
}
/*
* Find an existing ldap connection struct that matches the
* provided ldap connection parameters.
*
* If not found in the cache, a new ldc structure will be allocated from st->pool
* and returned to the caller. If found in the cache, a pointer to the existing
* ldc structure will be returned.
*/
util_ldap_connection_t *util_ldap_connection_find(request_rec *r, const char *host, int port,
const char *binddn, const char *bindpw, deref_options deref,
int netscapessl, int starttls)
{
struct util_ldap_connection_t *l, *p; /* To traverse the linked list */
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(r->server->module_config,
&ldap_module);
/* mutex lock this function */
if (!st->mutex) {
apr_lock_create(&st->mutex, APR_MUTEX, APR_INTRAPROCESS, NULL, st->pool);
}
apr_lock_acquire(st->mutex);
/* Search for an exact connection match in the list that is not
* being used.
*/
for (l=st->connections,p=NULL; l; l=l->next) {
if ( (APR_SUCCESS == apr_lock_tryacquire(l->lock))
&& l->port == port
&& strcmp(l->host, host) == 0
&& ( (!l->binddn && !binddn) || (l->binddn && binddn && !strcmp(l->binddn, binddn)) )
&& ( (!l->bindpw && !bindpw) || (l->bindpw && bindpw && !strcmp(l->bindpw, bindpw)) )
&& l->deref == deref
#ifdef APU_HAS_LDAP_NETSCAPE_SSL
&& l->netscapessl == netscapessl
#endif
#ifdef APU_HAS_LDAP_STARTTLS
&& l->withtls == starttls
#endif
)
break;
p = l;
}
/* If nothing found, search again, but we don't care about the
* binddn and bindpw this time.
*/
if (!l) {
for (l=st->connections,p=NULL; l; l=l->next) {
if ( (APR_SUCCESS == apr_lock_tryacquire(l->lock))
&& l->port == port
&& strcmp(l->host, host) == 0
&& l->deref == deref
#ifdef APU_HAS_LDAP_NETSCAPE_SSL
&& l->netscapessl == netscapessl
#endif
#ifdef APU_HAS_LDAP_STARTTLS
&& l->withtls == starttls
#endif
) {
/* the bind credentials have changed */
l->bound = 0;
l->binddn = apr_pstrdup(st->pool, binddn);
l->bindpw = apr_pstrdup(st->pool, bindpw);
break;
}
p = l;
}
}
/* artificially disable cache */
//l = NULL;
/* If no connection what found after the second search, we
* must create one.
*/
if (!l) {
/*
* Add the new connection entry to the linked list. Note that we
* don't actually establish an LDAP connection yet; that happens
* the first time authentication is requested.
*/
/* create the details to the pool in st */
l = apr_pcalloc(st->pool, sizeof(util_ldap_connection_t));
apr_lock_create(&l->lock, APR_MUTEX, APR_INTRAPROCESS, NULL, st->pool);
apr_lock_acquire(l->lock);
l->pool = st->pool;
l->bound = 0;
l->host = apr_pstrdup(st->pool, host);
l->port = port;
l->deref = deref;
l->binddn = apr_pstrdup(st->pool, binddn);
l->bindpw = apr_pstrdup(st->pool, bindpw);
l->netscapessl = netscapessl;
l->starttls = starttls;
l->withtls = 0;
if (p) {
p->next = l;
}
else {
st->connections = l;
}
}
apr_lock_release(st->mutex);
return l;
}
/* ------------------------------------------------------------------ */
/*
* Compares two DNs to see if they're equal. The only way to do this correctly is to
* search for the dn and then do ldap_get_dn() on the result. This should match the
* initial dn, since it would have been also retrieved with ldap_get_dn(). This is
* expensive, so if the configuration value compare_dn_on_server is
* false, just does an ordinary strcmp.
*
* The lock for the ldap cache should already be acquired.
*/
int util_ldap_cache_comparedn(request_rec *r, util_ldap_connection_t *ldc,
const char *url, const char *dn, const char *reqdn,
int compare_dn_on_server)
{
int result = 0;
util_url_node_t *curl;
util_url_node_t curnode;
util_dn_compare_node_t *node;
util_dn_compare_node_t newnode;
int failures = 0;
LDAPMessage *res, *entry;
char *searchdn;
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(r->server->module_config,
&ldap_module);
/* read lock this function */
if (!util_ldap_cache_lock) {
apr_lock_create(&util_ldap_cache_lock, APR_READWRITE, APR_INTRAPROCESS, NULL, st->pool);
}
/* get cache entry (or create one) */
apr_lock_acquire_rw(util_ldap_cache_lock, APR_WRITER);
curnode.url = url;
curl = util_ald_cache_fetch(util_ldap_cache, &curnode);
if (curl == NULL) {
curl = util_ald_create_caches(st, url);
}
apr_lock_release(util_ldap_cache_lock);
/* a simple compare? */
if (!compare_dn_on_server) {
/* unlock this read lock */
if (strcmp(dn, reqdn)) {
ldc->reason = "DN Comparison FALSE (direct strcmp())";
return LDAP_COMPARE_FALSE;
}
else {
ldc->reason = "DN Comparison TRUE (direct strcmp())";
return LDAP_COMPARE_TRUE;
}
}
/* no - it's a server side compare */
apr_lock_acquire_rw(util_ldap_cache_lock, APR_READER);
/* is it in the compare cache? */
newnode.reqdn = (char *)reqdn;
node = util_ald_cache_fetch(curl->dn_compare_cache, &newnode);
if (node != NULL) {
/* If it's in the cache, it's good */
/* unlock this read lock */
apr_lock_release(util_ldap_cache_lock);
ldc->reason = "DN Comparison TRUE (cached)";
return LDAP_COMPARE_TRUE;
}
/* unlock this read lock */
apr_lock_release(util_ldap_cache_lock);
start_over:
if (failures++ > 10) {
/* too many failures */
return result;
}
/* make a server connection */
if (LDAP_SUCCESS != (result = util_ldap_connection_open(ldc))) {
/* connect to server failed */
return result;
}
/* search for reqdn */
if ((result = ldap_search_ext_s(ldc->ldap, const_cast(reqdn), LDAP_SCOPE_BASE,
"(objectclass=*)", NULL, 1,
NULL, NULL, NULL, -1, &res)) == LDAP_SERVER_DOWN) {
util_ldap_connection_close(ldc);
ldc->reason = "DN Comparison ldap_search_ext_s() failed with server down";
goto start_over;
}
if (result != LDAP_SUCCESS) {
/* search for reqdn failed - no match */
ldc->reason = "DN Comparison ldap_search_ext_s() failed";
return result;
}
entry = ldap_first_entry(ldc->ldap, res);
searchdn = ldap_get_dn(ldc->ldap, entry);
ldap_msgfree(res);
if (strcmp(dn, searchdn) != 0) {
/* compare unsuccessful */
ldc->reason = "DN Comparison FALSE (checked on server)";
result = LDAP_COMPARE_FALSE;
}
else {
/* compare successful - add to the compare cache */
apr_lock_acquire_rw(util_ldap_cache_lock, APR_READER);
newnode.reqdn = (char *)reqdn;
newnode.dn = (char *)dn;
util_ald_cache_insert(curl->dn_compare_cache, &newnode);
apr_lock_release(util_ldap_cache_lock);
ldc->reason = "DN Comparison TRUE (checked on server)";
result = LDAP_COMPARE_TRUE;
}
ldap_memfree(searchdn);
return result;
}
/*
* Does an generic ldap_compare operation. It accepts a cache that it will use
* to lookup the compare in the cache. We cache two kinds of compares
* (require group compares) and (require user compares). Each compare has a different
* cache node: require group includes the DN; require user does not because the
* require user cache is owned by the
*
*/
int util_ldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc,
const char *url, const char *dn,
const char *attrib, const char *value)
{
int result = 0;
util_url_node_t *curl;
util_url_node_t curnode;
util_compare_node_t *compare_nodep;
util_compare_node_t the_compare_node;
apr_time_t curtime;
int failures = 0;
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(r->server->module_config,
&ldap_module);
/* read lock this function */
if (!util_ldap_cache_lock) {
apr_lock_create(&util_ldap_cache_lock, APR_READWRITE, APR_INTRAPROCESS, NULL, st->pool);
}
/* get cache entry (or create one) */
apr_lock_acquire_rw(util_ldap_cache_lock, APR_WRITER);
curnode.url = url;
curl = util_ald_cache_fetch(util_ldap_cache, &curnode);
if (curl == NULL) {
curl = util_ald_create_caches(st, url);
}
apr_lock_release(util_ldap_cache_lock);
/* make a comparison to the cache */
apr_lock_acquire_rw(util_ldap_cache_lock, APR_READER);
curtime = apr_time_now();
the_compare_node.dn = (char *)dn;
the_compare_node.attrib = (char *)attrib;
the_compare_node.value = (char *)value;
the_compare_node.result = 0;
compare_nodep = util_ald_cache_fetch(curl->compare_cache, &the_compare_node);
if (compare_nodep != NULL) {
/* found it... */
if (curtime - compare_nodep->lastcompare > st->compare_cache_ttl) {
/* ...but it is too old */
util_ald_cache_remove(curl->compare_cache, compare_nodep);
}
else {
/* ...and it is good */
/* unlock this read lock */
apr_lock_release(util_ldap_cache_lock);
if (LDAP_COMPARE_TRUE == compare_nodep->result) {
ldc->reason = "Comparison true (cached)";
return compare_nodep->result;
}
else if (LDAP_COMPARE_FALSE == compare_nodep->result) {
ldc->reason = "Comparison false (cached)";
return compare_nodep->result;
}
else if (LDAP_NO_SUCH_ATTRIBUTE == compare_nodep->result) {
ldc->reason = "Comparison no such attribute (cached)";
return compare_nodep->result;
}
else {
ldc->reason = "Comparison undefined (cached)";
return compare_nodep->result;
}
}
}
/* unlock this read lock */
apr_lock_release(util_ldap_cache_lock);
start_over:
if (failures++ > 10) {
/* too many failures */
return result;
}
if (LDAP_SUCCESS != (result = util_ldap_connection_open(ldc))) {
/* connect failed */
return result;
}
if ((result = ldap_compare_s(ldc->ldap, const_cast(dn),
const_cast(attrib), const_cast(value)))
== LDAP_SERVER_DOWN) {
/* connection failed - try again */
util_ldap_connection_close(ldc);
ldc->reason = "ldap_compare_s() failed with server down";
goto start_over;
}
ldc->reason = "Comparison complete";
if ((LDAP_COMPARE_TRUE == result) ||
(LDAP_COMPARE_FALSE == result) ||
(LDAP_NO_SUCH_ATTRIBUTE == result)) {
/* compare completed; caching result */
apr_lock_acquire_rw(util_ldap_cache_lock, APR_WRITER);
the_compare_node.lastcompare = curtime;
the_compare_node.result = result;
util_ald_cache_insert(curl->compare_cache, &the_compare_node);
apr_lock_release(util_ldap_cache_lock);
if (LDAP_COMPARE_TRUE == result) {
ldc->reason = "Comparison true (adding to cache)";
return LDAP_COMPARE_TRUE;
}
else if (LDAP_COMPARE_FALSE == result) {
ldc->reason = "Comparison false (adding to cache)";
return LDAP_COMPARE_FALSE;
}
else {
ldc->reason = "Comparison no such attribute (adding to cache)";
return LDAP_NO_SUCH_ATTRIBUTE;
}
}
return result;
}
int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc,
const char *url, const char *basedn, int scope, char **attrs,
const char *filter, const char *bindpw, const char **binddn,
const char ***retvals)
{
const char **vals = NULL;
int result = 0;
LDAPMessage *res, *entry;
char *dn;
int count;
int failures = 0;
util_url_node_t *curl; /* Cached URL node */
util_url_node_t curnode;
util_search_node_t *search_nodep; /* Cached search node */
util_search_node_t the_search_node;
apr_time_t curtime;
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(r->server->module_config,
&ldap_module);
/* read lock this function */
if (!util_ldap_cache_lock) {
apr_lock_create(&util_ldap_cache_lock, APR_READWRITE, APR_INTRAPROCESS, NULL, st->pool);
}
/* Get the cache node for this url */
apr_lock_acquire_rw(util_ldap_cache_lock, APR_WRITER);
curnode.url = url;
curl = (util_url_node_t *)util_ald_cache_fetch(util_ldap_cache, &curnode);
if (curl == NULL) {
curl = util_ald_create_caches(st, url);
}
apr_lock_release(util_ldap_cache_lock);
apr_lock_acquire_rw(util_ldap_cache_lock, APR_READER);
the_search_node.username = filter;
search_nodep = util_ald_cache_fetch(curl->search_cache, &the_search_node);
if (search_nodep != NULL && search_nodep->bindpw) {
/* found entry in search cache... */
curtime = apr_time_now();
/*
* Remove this item from the cache if its expired, or if the
* sent password doesn't match the storepassword.
*/
if ((curtime - search_nodep->lastbind) > st->search_cache_ttl) {
/* ...but entry is too old */
util_ald_cache_remove(curl->search_cache, search_nodep);
}
else if (strcmp(search_nodep->bindpw, bindpw) != 0) {
/* ...but cached password doesn't match sent password */
util_ald_cache_remove(curl->search_cache, search_nodep);
}
else {
/* ...and entry is valid */
*binddn = search_nodep->dn;
*retvals = search_nodep->vals;
apr_lock_release(util_ldap_cache_lock);
ldc->reason = "Authentication successful (cached)";
return LDAP_SUCCESS;
}
}
/* unlock this read lock */
apr_lock_release(util_ldap_cache_lock);
/*
* At this point, there is no valid cached search, so lets do the search.
*/
/*
* If any LDAP operation fails due to LDAP_SERVER_DOWN, control returns here.
*/
start_over:
if (failures++ > 10) {
return result;
}
if (LDAP_SUCCESS != (result = util_ldap_connection_open(ldc))) {
return result;
}
/* try do the search */
if ((result = ldap_search_ext_s(ldc->ldap,
basedn, scope,
filter, attrs, 0,
NULL, NULL, NULL, -1, &res)) == LDAP_SERVER_DOWN) {
ldc->reason = "ldap_search_ext_s() for user failed with server down";
goto start_over;
}
/* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
if (result != LDAP_SUCCESS) {
ldc->reason = "ldap_search_ext_s() for user failed";
return result;
}
/*
* We should have found exactly one entry; to find a different
* number is an error.
*/
count = ldap_count_entries(ldc->ldap, res);
if (count != 1) {
ldap_msgfree(res);
ldc->reason = "User is not unique (search found two or more matches)";
return LDAP_NO_SUCH_OBJECT;
}
entry = ldap_first_entry(ldc->ldap, res);
/* Grab the dn, copy it into the pool, and free it again */
dn = ldap_get_dn(ldc->ldap, entry);
*binddn = apr_pstrdup(st->pool, dn);
ldap_memfree(dn);
/*
* A bind to the server with an empty password always succeeds, so
* we check to ensure that the password is not empty. This implies
* that users who actually do have empty passwords will never be
* able to authenticate with this module. I don't see this as a big
* problem.
*/
if (strlen(bindpw) <= 0) {
ldap_msgfree(res);
ldc->reason = "Empty password not allowed";
return LDAP_INVALID_CREDENTIALS;
}
/*
* Attempt to bind with the retrieved dn and the password. If the bind
* fails, it means that the password is wrong (the dn obviously
* exists, since we just retrieved it)
*/
if ((result =
ldap_simple_bind_s(ldc->ldap, *binddn, bindpw)) ==
LDAP_SERVER_DOWN) {
ldc->reason = "ldap_simple_bind_s() to check user credentials failed with server down";
goto start_over;
}
/* failure? if so - return */
if (result != LDAP_SUCCESS) {
ldc->reason = "ldap_simple_bind_s() to check user credentials failed";
return result;
}
/*
* Get values for the provided attributes.
*/
if (attrs) {
int k = 0;
int i = 0;
while (attrs[k++]);
vals = apr_pcalloc(r->pool, sizeof(char *) * (k+1));
while (attrs[i]) {
char **values;
int j = 0;
char *str = NULL;
/* get values */
values = ldap_get_values(ldc->ldap, entry, attrs[i]);
while (values && values[j]) {
str = str ? apr_pstrcat(r->pool, str, "; ", values[j], NULL) : apr_pstrdup(r->pool, values[j]);
j++;
}
vals[i] = str;
i++;
}
*retvals = vals;
}
/*
* Add the new username to the search cache.
*/
apr_lock_acquire_rw(util_ldap_cache_lock, APR_WRITER);
the_search_node.username = filter;
the_search_node.dn = *binddn;
the_search_node.bindpw = bindpw;
the_search_node.lastbind = apr_time_now();
the_search_node.vals = vals;
util_ald_cache_insert(curl->search_cache, &the_search_node);
ldap_msgfree(res);
apr_lock_release(util_ldap_cache_lock);
ldc->reason = "Authentication successful";
return LDAP_SUCCESS;
}
#endif /* APU_HAS_LDAP */
/* ---------------------------------------- */
/* config directives */
static const char *util_ldap_set_cache_bytes(cmd_parms *cmd, void *dummy, const char *bytes)
{
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
st->cache_bytes = atol(bytes);
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
"[%d] ldap cache: Setting shared memory cache size to %d bytes.",
getpid(), st->cache_bytes);
return NULL;
}
static const char *util_ldap_set_cache_ttl(cmd_parms *cmd, void *dummy, const char *ttl)
{
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
st->search_cache_ttl = atol(ttl) * 1000000;
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
"[%d] ldap cache: Setting cache TTL to %ld microseconds.",
getpid(), st->search_cache_ttl);
return NULL;
}
static const char *util_ldap_set_cache_entries(cmd_parms *cmd, void *dummy, const char *size)
{
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
st->search_cache_size = atol(size);
if (st->search_cache_size < 0) {
st->search_cache_size = 0;
}
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
"[%d] ldap cache: Setting search cache size to %ld entries.",
getpid(), st->search_cache_size);
return NULL;
}
static const char *util_ldap_set_opcache_ttl(cmd_parms *cmd, void *dummy, const char *ttl)
{
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
st->compare_cache_ttl = atol(ttl) * 1000000;
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
"[%d] ldap cache: Setting operation cache TTL to %ld microseconds.",
getpid(), st->compare_cache_ttl);
return NULL;
}
static const char *util_ldap_set_opcache_entries(cmd_parms *cmd, void *dummy, const char *size)
{
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
st->compare_cache_size = atol(size);
if (st->compare_cache_size < 0) {
st->compare_cache_size = 0;
}
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
"[%d] ldap cache: Setting operation cache size to %ld entries.",
getpid(), st->compare_cache_size);
return NULL;
}
#ifdef APU_HAS_LDAPSSL_CLIENT_INIT
static const char *util_ldap_set_certdbpath(cmd_parms *cmd, void *dummy, const char *path)
{
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
"[%d] ldap cache: Setting LDAP SSL client certificate dbpath to %s.",
getpid(), path);
st->have_certdb = 1;
if (ldapssl_client_init(path, NULL) != 0) {
return "Could not initialize SSL client";
}
else {
return NULL;
}
}
#endif
void *util_ldap_create_config(apr_pool_t *p, server_rec *s)
{
util_ldap_state_t *st =
(util_ldap_state_t *)apr_pcalloc(p, sizeof(util_ldap_state_t));
st->pool = p;
st->cache_bytes = 100000;
st->search_cache_ttl = 600000000;
st->search_cache_size = 1024;
st->compare_cache_ttl = 600000000;
st->compare_cache_size = 1024;
st->connections = NULL;
#ifdef APU_HAS_LDAP_NETSCAPE_SSL
st->have_certdb = 0;
#endif
return st;
}
static void util_ldap_init_module(apr_pool_t *pool, server_rec *s)
{
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(s->module_config,
&ldap_module);
apr_status_t result = util_ldap_cache_init(pool, st->cache_bytes);
char buf[MAX_STRING_LEN];
apr_strerror(result, buf, sizeof(buf));
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, result, s,
"[%d] ldap cache init: %s",
getpid(), buf);
}
command_rec util_ldap_cmds[] = {
AP_INIT_TAKE1("LDAPSharedCacheSize", util_ldap_set_cache_bytes, NULL, RSRC_CONF,
"Sets the size of the shared memory cache in bytes. "
"Zero means disable the shared memory cache. Defaults to 100KB."),
AP_INIT_TAKE1("LDAPCacheEntries", util_ldap_set_cache_entries, NULL, RSRC_CONF,
"Sets the maximum number of entries that are possible in the LDAP "
"search cache. "
"Zero means no limit; -1 disables the cache. Defaults to 1024 entries."),
AP_INIT_TAKE1("LDAPCacheTTL", util_ldap_set_cache_ttl, NULL, RSRC_CONF,
"Sets the maximum time (in seconds) that an item can be cached in the LDAP "
"search cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."),
AP_INIT_TAKE1("LDAPOpCacheEntries", util_ldap_set_opcache_entries, NULL, RSRC_CONF,
"Sets the maximum number of entries that are possible in the LDAP "
"compare cache. "
"Zero means no limit; -1 disables the cache. Defaults to 1024 entries."),
AP_INIT_TAKE1("LDAPOpCacheTTL", util_ldap_set_opcache_ttl, NULL, RSRC_CONF,
"Sets the maximum time (in seconds) that an item is cached in the LDAP "
"operation cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."),
#ifdef APU_HAS_LDAPSSL_CLIENT_INIT
AP_INIT_TAKE1("LDAPCertDBPath", util_ldap_set_certdbpath, NULL, RSRC_CONF,
"Specifies the file containing Certificate Authority certificates "
"for validating secure LDAP server certificates. This file must be the "
"cert7.db database used by Netscape Communicator"),
#endif
{NULL}
};
static void util_ldap_register_hooks(apr_pool_t *p)
{
ap_hook_child_init(util_ldap_init_module, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_handler(util_ldap_handler, NULL, NULL, APR_HOOK_MIDDLE);
}
module ldap_module = {
STANDARD20_MODULE_STUFF,
NULL, /* dir config creater */
NULL, /* dir merger --- default is to override */
util_ldap_create_config, /* server config */
NULL, /* merge server config */
util_ldap_cmds, /* command table */
util_ldap_register_hooks, /* set up request processing hooks */
};