bcb4e51a409d94ae670de96afb8483a4f7855294Stephan Bosch/* Copyright (c) 2003-2018 Dovecot authors, see the included COPYING file */
44fc0a34c39f1ddb3a776918630010867a5dd04eTimo Sirainen#if defined(BUILTIN_LDAP) || defined(PLUGIN_BUILD)
0a8db75f72270a4d5964fd9ec082b618dd8d138dMartti Rannanjärvi#if !defined(SASL_VERSION_MAJOR) || SASL_VERSION_MAJOR < 2
594d203bdcbd160688bce5d5a6d65783b919ad49Timo Sirainen# define LDAP_SASL_QUIET 0 /* Doesn't exist in Solaris LDAP */
a8fc29f19ea6e2d472ba779b2dd5ca4e1f3dac79Timo Sirainen/* Older versions may require calling ldap_result() twice */
48559742084e98049335c21c53dfd1ff95f11cd8Timo Sirainen/* Solaris LDAP library doesn't have LDAP_OPT_SUCCESS */
917cac3e0f87f1c60e6569dcb6efba97ac0aa8c2Aki Tuomistatic const char *LDAP_ESCAPE_CHARS = "*,\\#+<>;\"()= ";
678d0463849ba777106eb7875f27db07a5d8e3dfTimo Sirainen /* attribute name => value */
678d0463849ba777106eb7875f27db07a5d8e3dfTimo Sirainen HASH_TABLE(char *, struct db_ldap_value *) ldap_attrs;
a84eb0599fa1d796206eaed65c4e3239f0799276Timo Sirainen#define DEF_STR(name) DEF_STRUCT_STR(name, ldap_settings)
a84eb0599fa1d796206eaed65c4e3239f0799276Timo Sirainen#define DEF_INT(name) DEF_STRUCT_INT(name, ldap_settings)
a84eb0599fa1d796206eaed65c4e3239f0799276Timo Sirainen#define DEF_BOOL(name) DEF_STRUCT_BOOL(name, ldap_settings)
ab0d9eecd85f74acae18fe88529302e0776cc500Timo Sirainenstatic struct ldap_settings default_ldap_settings = {
7bafda1813454621e03615e83d55bccfa7cc56bdTimo Sirainen .user_attrs = "homeDirectory=home,uidNumber=uid,gidNumber=gid",
7bafda1813454621e03615e83d55bccfa7cc56bdTimo Sirainen .user_filter = "(&(objectClass=posixAccount)(uid=%u))",
7bafda1813454621e03615e83d55bccfa7cc56bdTimo Sirainen .pass_attrs = "uid=user,userPassword=password",
7bafda1813454621e03615e83d55bccfa7cc56bdTimo Sirainen .pass_filter = "(&(objectClass=posixAccount)(uid=%u))",
7bafda1813454621e03615e83d55bccfa7cc56bdTimo Sirainen .iterate_filter = "(objectClass=posixAccount)",
c4457e497e01b57565d24da624968699b166e02aTimo Sirainenstatic struct ldap_connection *ldap_connections = NULL;
16133a719ce8b6a5b8cedd721340cc1607c43433Timo Sirainenstatic int db_ldap_bind(struct ldap_connection *conn);
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainenstatic void db_ldap_conn_close(struct ldap_connection *conn);
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainendb_ldap_result_iterate_init_full(struct ldap_connection *conn,
6332ef7522d7a77a18c1bec4fc80d92ee597336cTimo Sirainenstatic int deref2str(const char *str, int *ref_r)
6332ef7522d7a77a18c1bec4fc80d92ee597336cTimo Sirainenstatic int scope2str(const char *str, int *scope_r)
6332ef7522d7a77a18c1bec4fc80d92ee597336cTimo Sirainenstatic int tls_require_cert2str(const char *str, int *value_r)
78361883c67c58e339697c167ca285731f50287bTimo Sirainenstatic int ldap_get_errno(struct ldap_connection *conn)
965ed6ea3fc8f7637bd0d159d2fdb283a191ce34Timo Sirainen ret = ldap_get_option(conn->ld, LDAP_OPT_ERROR_NUMBER, (void *) &err);
78361883c67c58e339697c167ca285731f50287bTimo Sirainenconst char *ldap_get_error(struct ldap_connection *conn)
c184857e1fc86878761f6e47896c9cc1fad2d666Timo Sirainen ldap_get_option(conn->ld, LDAP_OPT_ERROR_STRING, (void *)&str);
c184857e1fc86878761f6e47896c9cc1fad2d666Timo Sirainen ldap_set_option(conn->ld, LDAP_OPT_ERROR_STRING, NULL);
613daa324c2b61ec69291519a57186be7cc23286Timo Sirainenstatic void ldap_conn_reconnect(struct ldap_connection *conn)
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainenstatic int ldap_handle_error(struct ldap_connection *conn)
613daa324c2b61ec69291519a57186be7cc23286Timo Sirainen /* invalid input */
613daa324c2b61ec69291519a57186be7cc23286Timo Sirainen /* connection problems */
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainenstatic int db_ldap_request_bind(struct ldap_connection *conn,
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen i_assert(request->type == LDAP_REQUEST_TYPE_BIND);
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen i_assert(conn->conn_state == LDAP_CONN_STATE_BOUND_AUTH ||
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen conn->conn_state == LDAP_CONN_STATE_BOUND_DEFAULT);
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen request->msgid = ldap_bind(conn->ld, brequest->dn,
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen auth_request_log_error(request->auth_request, AUTH_SUBSYS_DB,
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen "ldap_bind(%s) failed: %s",
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* broken request, remove it */
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainenstatic int db_ldap_request_search(struct ldap_connection *conn,
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen i_assert(conn->conn_state == LDAP_CONN_STATE_BOUND_DEFAULT);
2219b375f50f9af1f3e69b7b38aab733ea174c24Timo Sirainen ldap_search(conn->ld, *srequest->base == '\0' ? NULL :
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen auth_request_log_error(request->auth_request, AUTH_SUBSYS_DB,
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen "ldap_search(%s) parsing failed: %s",
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* broken request, remove it */
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainenstatic bool db_ldap_request_queue_next(struct ldap_connection *conn)
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen struct ldap_request *const *requestp, *request;
89676692402d8a58415b2c11256652322091ebabTimo Sirainen /* connecting may call db_ldap_connect_finish(), which gets us back
89676692402d8a58415b2c11256652322091ebabTimo Sirainen here. so do the connection before checking the request queue. */
42ec694fb0f2e1fb1d8afcfb441382daea487bd9Timo Sirainen if (conn->pending_count == aqueue_count(conn->request_queue)) {
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* no non-pending requests */
42ec694fb0f2e1fb1d8afcfb441382daea487bd9Timo Sirainen if (conn->pending_count > DB_LDAP_MAX_PENDING_REQUESTS) {
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* wait until server has replied to some requests */
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* we can't do binds until all existing requests are finished */
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* wait until we're in bound state */
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* bind to default dn first */
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* we can do anything in this state */
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* success */
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen } else if (ret < 0) {
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* disconnected */
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* broken request, remove from queue */
52c3bd140aefa777c1421137e033615ae0a58e72Timo Sirainendb_ldap_check_hanging(struct ldap_connection *conn, struct ldap_request *request)
584a5375b70caa8bf7b202248aea84092bcb9c22Timo Sirainen first_requestp = array_idx(&conn->request_array,
584a5375b70caa8bf7b202248aea84092bcb9c22Timo Sirainen secs_diff = ioloop_time - (*first_requestp)->create_time;
584a5375b70caa8bf7b202248aea84092bcb9c22Timo Sirainen if (secs_diff > DB_LDAP_REQUEST_LOST_TIMEOUT_SECS) {
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen auth_request_log_error(request->auth_request, AUTH_SUBSYS_DB,
584a5375b70caa8bf7b202248aea84092bcb9c22Timo Sirainen "Connection appears to be hanging, reconnecting");
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainenvoid db_ldap_request(struct ldap_connection *conn,
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainenstatic int db_ldap_connect_finish(struct ldap_connection *conn, int ret)
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen conn->set.dn == NULL ? "(none)" : conn->set.dn,
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen conn->conn_state = LDAP_CONN_STATE_BOUND_DEFAULT;
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainenstatic void db_ldap_default_bind_finished(struct ldap_connection *conn,
14b495a09db7aea6b68146fd6427229e75d2bb39Timo Sirainen ret = ldap_result2error(conn->ld, res->msg, FALSE);
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* lost connection, close it */
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainenstatic void db_ldap_abort_requests(struct ldap_connection *conn,
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen struct ldap_request *const *requestp, *request;
63cde222abaaa2a9bdaa9a143698dbc8b23bd742Timo Sirainen while (aqueue_count(conn->request_queue) > 0 && max_count > 0) {
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* timed out, abort */
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen auth_request_log_error(request->auth_request, AUTH_SUBSYS_DB,
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen auth_request_log_info(request->auth_request, AUTH_SUBSYS_DB,
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainendb_ldap_find_request(struct ldap_connection *conn, int msgid,
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen unsigned int *idx_r)
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen struct ldap_request *const *requests, *request = NULL;
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen requests = array_idx(&conn->request_array, 0);
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen for (i = 0; i < count; i++) {
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen request = requests[aqueue_idx(conn->request_queue, i)];
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainenstatic int db_ldap_fields_get_dn(struct ldap_connection *conn,
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen struct auth_request *auth_request = request->request.auth_request;
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen struct db_ldap_result_iterate_context *ldap_iter;
14b495a09db7aea6b68146fd6427229e75d2bb39Timo Sirainen ldap_iter = db_ldap_result_iterate_init_full(conn, request, res->msg,
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen while (db_ldap_result_iterate_next(ldap_iter, &name, &values)) {
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen auth_request_log_warning(auth_request, AUTH_SUBSYS_DB,
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen "Multiple values found for '%s', "
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen array_foreach_modifiable(&request->named_results, named_res) {
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen if (strcmp(named_res->field->name, name) != 0)
6264b5ea568948885d269419ac4b4e3b00045042Timo Sirainen /* In future we could also support LDAP URLs here */
bcf1cf2afb9692b0db555e6ecf662a2fbd19793dTimo Sirainendb_ldap_field_subquery_find(const char *data, void *context,
bcf1cf2afb9692b0db555e6ecf662a2fbd19793dTimo Sirainen const char **value_r,
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen struct ldap_field_find_subquery_context *ctx = context;
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen const char *p;
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen if (p != NULL && strcmp(p+1, ctx->name) == 0) {
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen ldap_attr = p_strdup_until(unsafe_data_stack_pool,
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen array_append(&ctx->attr_names, &ldap_attr, 1);
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainenldap_request_send_subquery(struct ldap_connection *conn,
c8177e49ca88e9df9ae5b24861c9ce913fba103eAki Tuomi struct auth_request *auth_request = request->request.auth_request;
c8177e49ca88e9df9ae5b24861c9ce913fba103eAki Tuomi auth_request_get_var_expand_table(auth_request, NULL);
c8177e49ca88e9df9ae5b24861c9ce913fba103eAki Tuomi ARRAY(struct var_expand_func_table) var_funcs_table;
c8177e49ca88e9df9ae5b24861c9ce913fba103eAki Tuomi for(ptr = auth_request_var_funcs_table; ptr->key != NULL; ptr++) {
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen /* get the attributes names into array (ldapAttr@name -> ldapAttr) */
c8177e49ca88e9df9ae5b24861c9ce913fba103eAki Tuomi if (var_expand_with_funcs(tmp_str, field->value, table,
c8177e49ca88e9df9ae5b24861c9ce913fba103eAki Tuomi array_idx(&var_funcs_table, 0), &ctx, &error) <= 0) {
0f5dc4da3982053036be65190e44bf28a67b1ca2Timo Sirainen "Failed to expand subquery %s: %s",
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen ldap_search(conn->ld, named_res->dn, LDAP_SCOPE_BASE,
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen NULL, array_idx_modifiable(&ctx.attr_names, 0), 0);
c8177e49ca88e9df9ae5b24861c9ce913fba103eAki Tuomi auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen "ldap_search(dn=%s) failed: %s",
c2bae70e86bab833f1f51a6d8333c8996275ff08Timo Sirainenstatic int db_ldap_search_save_result(struct ldap_request_search *request,
c2bae70e86bab833f1f51a6d8333c8996275ff08Timo Sirainen if (!array_is_created(&request->named_results)) {
c2bae70e86bab833f1f51a6d8333c8996275ff08Timo Sirainen named_res = array_idx_modifiable(&request->named_results,
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainenstatic int db_ldap_search_next_subsearch(struct ldap_connection *conn,
c2bae70e86bab833f1f51a6d8333c8996275ff08Timo Sirainen if (!array_is_created(&request->named_results)) {
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen /* see if we need to do more LDAP queries */
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen named_res = array_append_space(&request->named_results);
b6df44e31bf9d54669b5903dfb5dd3fbbe896accTimo Sirainen if (db_ldap_fields_get_dn(conn, request, res) < 0)
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen while (request->name_idx < array_count(&request->named_results)) {
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen /* send the next LDAP query */
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen named_res = array_idx_modifiable(&request->named_results,
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen /* dn field wasn't returned, skip this */
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainendb_ldap_handle_request_result(struct ldap_connection *conn,
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen struct ldap_request *request, unsigned int idx,
f30ab1a83f91b92c6576d34c033332af6b2898b1Timo Sirainen const struct ldap_request_named_result *named_res;
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen if (request->type == LDAP_REQUEST_TYPE_BIND) {
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen i_assert(conn->conn_state == LDAP_CONN_STATE_BINDING);
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen conn->conn_state = LDAP_CONN_STATE_BOUND_AUTH;
c2bae70e86bab833f1f51a6d8333c8996275ff08Timo Sirainen srequest = (struct ldap_request_search *)request;
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen /* we're going to ignore this */
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen i_error("LDAP: Reply with unexpected type %d",
14b495a09db7aea6b68146fd6427229e75d2bb39Timo Sirainen if (ldap_msgtype(res->msg) == LDAP_RES_SEARCH_ENTRY) {
14b495a09db7aea6b68146fd6427229e75d2bb39Timo Sirainen ret = ldap_result2error(conn->ld, res->msg, 0);
749f6acd6790067c3103e8f9e793692fdb5ae30aTimo Sirainen /* LDAP_NO_SUCH_OBJECT is returned for nonexistent base */
749f6acd6790067c3103e8f9e793692fdb5ae30aTimo Sirainen if (ret != LDAP_SUCCESS && ret != LDAP_NO_SUCH_OBJECT &&
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* handle search failures here */
872521e5ee7480b1002a9789a86874bd92e6aad8Timo Sirainen if (!array_is_created(&srequest->named_results)) {
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen auth_request_log_error(request->auth_request, AUTH_SUBSYS_DB,
f30ab1a83f91b92c6576d34c033332af6b2898b1Timo Sirainen "ldap_search(base=%s filter=%s) failed: %s",
872521e5ee7480b1002a9789a86874bd92e6aad8Timo Sirainen named_res = array_idx(&srequest->named_results,
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen auth_request_log_error(request->auth_request, AUTH_SUBSYS_DB,
f30ab1a83f91b92c6576d34c033332af6b2898b1Timo Sirainen "ldap_search(base=%s) failed: %s",
f2f40b6ca4ce986d80ae0fe59efb542b3b837bfaTimo Sirainen if (ret == LDAP_SUCCESS && srequest != NULL && !srequest->multi_entry) {
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen /* expand any @results */
c2bae70e86bab833f1f51a6d8333c8996275ff08Timo Sirainen if (db_ldap_search_save_result(srequest, res) < 0) {
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen auth_request_log_error(request->auth_request, AUTH_SUBSYS_DB,
c2bae70e86bab833f1f51a6d8333c8996275ff08Timo Sirainen "LDAP search returned multiple entries");
14b495a09db7aea6b68146fd6427229e75d2bb39Timo Sirainen /* wait for finish */
b6df44e31bf9d54669b5903dfb5dd3fbbe896accTimo Sirainen ret = db_ldap_search_next_subsearch(conn, srequest, res);
14b495a09db7aea6b68146fd6427229e75d2bb39Timo Sirainen /* more LDAP queries left */
5acace56d99e0bef77b35e9b55113afde837680aTimo Sirainen /* wait for the final reply */
b6df44e31bf9d54669b5903dfb5dd3fbbe896accTimo Sirainen if (res != NULL && srequest != NULL && srequest->result != NULL)
14b495a09db7aea6b68146fd6427229e75d2bb39Timo Sirainen request->callback(conn, request, srequest->result->msg);
55bfe6c008cb8872ff6a917daaabc4f2e81c0fe2Timo Sirainen request->callback(conn, request, res == NULL ? NULL : res->msg);
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* see if there are timed out requests */
14b495a09db7aea6b68146fd6427229e75d2bb39Timo Sirainenstatic void db_ldap_result_unref(struct db_ldap_result **_res)
14b495a09db7aea6b68146fd6427229e75d2bb39Timo Sirainendb_ldap_request_free(struct ldap_request *request)
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen if (request->type == LDAP_REQUEST_TYPE_SEARCH) {
068afb0ee323c59fd4830d49a40a59be11ea0212Timo Sirainen if (array_is_created(&srequest->named_results)) {
14b495a09db7aea6b68146fd6427229e75d2bb39Timo Sirainen array_foreach_modifiable(&srequest->named_results, named_res) {
14b495a09db7aea6b68146fd6427229e75d2bb39Timo Sirainendb_ldap_handle_result(struct ldap_connection *conn, struct db_ldap_result *res)
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen request = db_ldap_find_request(conn, msgid, &idx);
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen i_error("LDAP: Reply with unknown msgid %d", msgid);
5acace56d99e0bef77b35e9b55113afde837680aTimo Sirainen /* request is allocated from auth_request's pool */
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen if (db_ldap_handle_request_result(conn, request, idx, res))
2cfe9983ce7a6280636ee12beccc2e865111967bTimo Sirainenstatic void ldap_input(struct ldap_connection *conn)
14b495a09db7aea6b68146fd6427229e75d2bb39Timo Sirainen ret = ldap_result(conn->ld, LDAP_RES_ANY, 0, &timeout, &msg);
a8fc29f19ea6e2d472ba779b2dd5ca4e1f3dac79Timo Sirainen /* try again, there may be another in buffer */
c51fe409810cbb2432b72d6819bd183469fcaebcTimo Sirainen prev_reply_diff = ioloop_time - conn->last_reply_stamp;
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen /* input disabled, continue once it's enabled */
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen } else if (ret == 0) {
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* send more requests */
d39e77e1f7f58e1e21042a673b718541fa3f63c7Timo Sirainen } else if (ldap_get_errno(conn) != LDAP_SERVER_DOWN) {
613daa324c2b61ec69291519a57186be7cc23286Timo Sirainen i_error("LDAP: ldap_result() failed: %s", ldap_get_error(conn));
63cde222abaaa2a9bdaa9a143698dbc8b23bd742Timo Sirainen } else if (aqueue_count(conn->request_queue) > 0 ||
c51fe409810cbb2432b72d6819bd183469fcaebcTimo Sirainen prev_reply_diff < DB_LDAP_IDLE_RECONNECT_SECS) {
d39e77e1f7f58e1e21042a673b718541fa3f63c7Timo Sirainen i_error("LDAP: Connection lost to LDAP server, reconnecting");
d39e77e1f7f58e1e21042a673b718541fa3f63c7Timo Sirainen /* server probably disconnected an idle connection. don't
d39e77e1f7f58e1e21042a673b718541fa3f63c7Timo Sirainen reconnect until the next request comes. */
43d32cbe60fdaef2699d99f1ca259053e9350411Timo Sirainensasl_interact(LDAP *ld ATTR_UNUSED, unsigned flags ATTR_UNUSED,
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen struct db_ldap_sasl_bind_context *context = defaults;
23f8c5356cacdbd1cc09a39a08ef37a39125bb74Timo Sirainen for (in = interact; in->id != SASL_CB_LIST_END; in++) {
2d0a002723dac5c58c250f6566efb1f5e474c169Timo Sirainenstatic void ldap_connection_timeout(struct ldap_connection *conn)
2d0a002723dac5c58c250f6566efb1f5e474c169Timo Sirainen i_assert(conn->conn_state == LDAP_CONN_STATE_BINDING);
67d650c5a18d0a03271bcb299e34ef7660835ac6Timo Sirainen i_error("LDAP %s: Initial binding to LDAP server timed out",
372b7c40bf035413dd3b9677f8f50f692b3602f0Matwey V. Kornilovstatic int db_ldap_bind_sasl(struct ldap_connection *conn)
372b7c40bf035413dd3b9677f8f50f692b3602f0Matwey V. Kornilov struct db_ldap_sasl_bind_context context;
372b7c40bf035413dd3b9677f8f50f692b3602f0Matwey V. Kornilov context.authzid = conn->set.sasl_authz_id;
372b7c40bf035413dd3b9677f8f50f692b3602f0Matwey V. Kornilov /* There doesn't seem to be a way to do SASL binding
372b7c40bf035413dd3b9677f8f50f692b3602f0Matwey V. Kornilov asynchronously.. */
372b7c40bf035413dd3b9677f8f50f692b3602f0Matwey V. Kornilov ret = ldap_sasl_interactive_bind_s(conn->ld, NULL,
372b7c40bf035413dd3b9677f8f50f692b3602f0Matwey V. Kornilov if (db_ldap_connect_finish(conn, ret) < 0)
372b7c40bf035413dd3b9677f8f50f692b3602f0Matwey V. Kornilov conn->conn_state = LDAP_CONN_STATE_BOUND_DEFAULT;
144e0b545e5e1dac1fd825b4140b65bbf44ccb31Timo Sirainenstatic int db_ldap_bind_sasl(struct ldap_connection *conn ATTR_UNUSED)
372b7c40bf035413dd3b9677f8f50f692b3602f0Matwey V. Kornilov i_unreached(); /* already checked at init */
adb497977f0719bb75df2afcf4932125d107de4bMatwey V. Kornilovstatic int db_ldap_bind_simple(struct ldap_connection *conn)
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen i_assert(conn->conn_state != LDAP_CONN_STATE_BINDING);
763fd2ac217023c0940415379abcd5eb7a0f7ba7Timo Sirainen msgid = ldap_bind(conn->ld, conn->set.dn, conn->set.dnpass,
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen i_assert(ldap_get_errno(conn) != LDAP_SUCCESS);
7cf0a6613fca9983b8a3443f9f6ef15df5a22162Timo Sirainen if (db_ldap_connect_finish(conn, ldap_get_errno(conn)) < 0) {
7cf0a6613fca9983b8a3443f9f6ef15df5a22162Timo Sirainen /* lost connection, close it */
2d0a002723dac5c58c250f6566efb1f5e474c169Timo Sirainen conn->to = timeout_add(DB_LDAP_REQUEST_LOST_TIMEOUT_SECS*1000,
adb497977f0719bb75df2afcf4932125d107de4bMatwey V. Kornilovstatic int db_ldap_bind(struct ldap_connection *conn)
b270b29d458f3cbd6e63320bb17e23f809da0045Timo Sirainenstatic void db_ldap_get_fd(struct ldap_connection *conn)
b270b29d458f3cbd6e63320bb17e23f809da0045Timo Sirainen /* get the connection's fd */
b270b29d458f3cbd6e63320bb17e23f809da0045Timo Sirainen ret = ldap_get_option(conn->ld, LDAP_OPT_DESC, (void *)&conn->fd);
67d650c5a18d0a03271bcb299e34ef7660835ac6Timo Sirainen i_fatal("LDAP %s: Can't get connection fd: %s",
d2ded6e1da2d07ac070888873ddc10999a6d87baTimo Sirainen /* Solaris LDAP library seems to be broken */
67d650c5a18d0a03271bcb299e34ef7660835ac6Timo Sirainen i_fatal("LDAP %s: Buggy LDAP library returned wrong fd: %d",
cc3cbeae65642023018d7e38eb325fea509c3e66Timo Sirainendb_ldap_set_opt(struct ldap_connection *conn, LDAP *ld, int opt,
cc3cbeae65642023018d7e38eb325fea509c3e66Timo Sirainen const void *value, const char *optname, const char *value_str)
67d650c5a18d0a03271bcb299e34ef7660835ac6Timo Sirainen i_fatal("LDAP %s: Can't set option %s to %s: %s",
67d650c5a18d0a03271bcb299e34ef7660835ac6Timo Sirainen conn->config_path, optname, value_str, ldap_err2string(ret));
cc3cbeae65642023018d7e38eb325fea509c3e66Timo Sirainendb_ldap_set_opt_str(struct ldap_connection *conn, LDAP *ld, int opt,
cc3cbeae65642023018d7e38eb325fea509c3e66Timo Sirainen db_ldap_set_opt(conn, ld, opt, value, optname, value);
b96dcd982888d89e6f2508258d6d9588d79c7a26Timo Sirainenstatic void db_ldap_set_tls_options(struct ldap_connection *conn)
cc3cbeae65642023018d7e38eb325fea509c3e66Timo Sirainen db_ldap_set_opt_str(conn, NULL, LDAP_OPT_X_TLS_CACERTFILE,
b96dcd982888d89e6f2508258d6d9588d79c7a26Timo Sirainen conn->set.tls_ca_cert_file, "tls_ca_cert_file");
cc3cbeae65642023018d7e38eb325fea509c3e66Timo Sirainen db_ldap_set_opt_str(conn, NULL, LDAP_OPT_X_TLS_CACERTDIR,
b96dcd982888d89e6f2508258d6d9588d79c7a26Timo Sirainen conn->set.tls_ca_cert_dir, "tls_ca_cert_dir");
cc3cbeae65642023018d7e38eb325fea509c3e66Timo Sirainen db_ldap_set_opt_str(conn, NULL, LDAP_OPT_X_TLS_CERTFILE,
cc3cbeae65642023018d7e38eb325fea509c3e66Timo Sirainen db_ldap_set_opt_str(conn, NULL, LDAP_OPT_X_TLS_KEYFILE,
cc3cbeae65642023018d7e38eb325fea509c3e66Timo Sirainen db_ldap_set_opt_str(conn, NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
b96dcd982888d89e6f2508258d6d9588d79c7a26Timo Sirainen conn->set.tls_cipher_suite, "tls_cipher_suite");
cc3cbeae65642023018d7e38eb325fea509c3e66Timo Sirainen db_ldap_set_opt(conn, NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &conn->set.ldap_tls_require_cert_parsed,
b96dcd982888d89e6f2508258d6d9588d79c7a26Timo Sirainen "tls_require_cert", conn->set.tls_require_cert);
d492e2f0d022289c8068abfbfda86b73a66f1a50Timo Sirainen i_fatal("LDAP %s: tls_* settings aren't supported by your LDAP library - they must not be set",
b96dcd982888d89e6f2508258d6d9588d79c7a26Timo Sirainenstatic void db_ldap_set_options(struct ldap_connection *conn)
fb3178a1924dae52151d88c4d4ded879df43dd3fTimo Sirainen tv.tv_sec = DB_LDAP_CONNECT_TIMEOUT_SECS; tv.tv_usec = 0;
fb3178a1924dae52151d88c4d4ded879df43dd3fTimo Sirainen ret = ldap_set_option(conn->ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
fb3178a1924dae52151d88c4d4ded879df43dd3fTimo Sirainen i_fatal("LDAP %s: Can't set network-timeout: %s",
cc3cbeae65642023018d7e38eb325fea509c3e66Timo Sirainen db_ldap_set_opt(conn, conn->ld, LDAP_OPT_DEREF, &conn->set.ldap_deref,
c93aca832ee532010ead91b85fa9f614132e1be2Stephan Bosch if (str_to_int(conn->set.debug_level, &value) >= 0 && value != 0) {
cc3cbeae65642023018d7e38eb325fea509c3e66Timo Sirainen db_ldap_set_opt(conn, NULL, LDAP_OPT_DEBUG_LEVEL, &value,
cc3cbeae65642023018d7e38eb325fea509c3e66Timo Sirainen db_ldap_set_opt(conn, conn->ld, LDAP_OPT_PROTOCOL_VERSION, &ldap_version,
e885bb21d4f65f0239a8d05f5a8f17b56d5e9954Timo Sirainenstatic void db_ldap_init_ld(struct ldap_connection *conn)
e885bb21d4f65f0239a8d05f5a8f17b56d5e9954Timo Sirainen ret = ldap_initialize(&conn->ld, conn->set.uris);
67d650c5a18d0a03271bcb299e34ef7660835ac6Timo Sirainen i_fatal("LDAP %s: ldap_initialize() failed with uris %s: %s",
e885bb21d4f65f0239a8d05f5a8f17b56d5e9954Timo Sirainen conn->ld = ldap_init(conn->set.hosts, LDAP_PORT);
67d650c5a18d0a03271bcb299e34ef7660835ac6Timo Sirainen i_fatal("LDAP %s: ldap_init() failed with hosts: %s",
b96dcd982888d89e6f2508258d6d9588d79c7a26Timo Sirainenint db_ldap_connect(struct ldap_connection *conn)
c93aca832ee532010ead91b85fa9f614132e1be2Stephan Bosch if (str_to_int(conn->set.debug_level, &debug_level) >= 0)
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen if (conn->conn_state != LDAP_CONN_STATE_DISCONNECTED)
67d650c5a18d0a03271bcb299e34ef7660835ac6Timo Sirainen i_error("LDAP %s: ldap_start_tls_s() failed: %s",
eaa9884158bc0cf98379939f72061e31c359cf39Timo Sirainen i_debug("LDAP initialization took %d msecs", msecs);
16133a719ce8b6a5b8cedd721340cc1607c43433Timo Sirainen conn->io = io_add(conn->fd, IO_READ, ldap_input, conn);
99363aeac519d37553b7776b322e60b8a23cd2b9Timo Sirainenstatic void db_ldap_connect_callback(struct ldap_connection *conn)
cd58b6bbd3bf060beb34cb5b56ef8781b36f4f05Timo Sirainen i_assert(conn->conn_state == LDAP_CONN_STATE_DISCONNECTED);
99363aeac519d37553b7776b322e60b8a23cd2b9Timo Sirainenvoid db_ldap_connect_delayed(struct ldap_connection *conn)
99363aeac519d37553b7776b322e60b8a23cd2b9Timo Sirainen conn->to = timeout_add_short(0, db_ldap_connect_callback, conn);
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainenvoid db_ldap_enable_input(struct ldap_connection *conn, bool enable)
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen conn->io = io_add(conn->fd, IO_READ, ldap_input, conn);
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainenstatic void db_ldap_disconnect_timeout(struct ldap_connection *conn)
1512eb3e1f8d7366122089a03e3c8688986a5a26Timo Sirainen DB_LDAP_REQUEST_DISCONNECT_TIMEOUT_SECS, FALSE,
1512eb3e1f8d7366122089a03e3c8688986a5a26Timo Sirainen "Aborting (timeout), we're not connected to LDAP server");
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen /* no requests left, remove this timeout handler */
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainenstatic void db_ldap_conn_close(struct ldap_connection *conn)
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen struct ldap_request *const *requests, *request;
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen unsigned int i;
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen conn->conn_state = LDAP_CONN_STATE_DISCONNECTED;
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen requests = array_idx(&conn->request_array, 0);
63cde222abaaa2a9bdaa9a143698dbc8b23bd742Timo Sirainen request = requests[aqueue_idx(conn->request_queue, i)];
5f1d689131a75c39f064cbd4202373e7edf78f18Josef 'Jeff' Sipek /* the fd may have already been closed before ldap_unbind(),
5f1d689131a75c39f064cbd4202373e7edf78f18Josef 'Jeff' Sipek so we'll have to use io_remove_closed(). */
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen conn->to = timeout_add(DB_LDAP_REQUEST_DISCONNECT_TIMEOUT_SECS *
bcf1cf2afb9692b0db555e6ecf662a2fbd19793dTimo Sirainendb_ldap_field_find(const char *data, void *context,
bcf1cf2afb9692b0db555e6ecf662a2fbd19793dTimo Sirainen const char **value_r,
63cf2e557bdd9dd8bb4e2ecb84763ef884231f18Timo Sirainen struct ldap_field_find_context *ctx = context;
74d5f3c4e3fd49d966a87f317f439a71954b3c70Timo Sirainen ldap_attr = p_strdup(ctx->pool, t_strcut(data, ':'));
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen array_append(&ctx->attr_names, &ldap_attr, 1);
9f431ccfb6932746db56245c8a3d3415717ef545Timo Sirainenvoid db_ldap_set_attrs(struct ldap_connection *conn, const char *attrlist,
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen char ***attr_names_r, ARRAY_TYPE(ldap_field) *attr_map,
63cf2e557bdd9dd8bb4e2ecb84763ef884231f18Timo Sirainen static struct var_expand_func_table var_funcs_table[] = {
0f5dc4da3982053036be65190e44bf28a67b1ca2Timo Sirainen const char *const *attr, *attr_data, *p, *error;
63cf2e557bdd9dd8bb4e2ecb84763ef884231f18Timo Sirainen unsigned int i;
63cf2e557bdd9dd8bb4e2ecb84763ef884231f18Timo Sirainen p_array_init(&ctx.attr_names, conn->pool, 16);
99ee694f4099ea3dcc3b6b8331b093a8f1a2c604Timo Sirainen /* allow spaces here so "foo=1, bar=2" works */
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen ldap_attr = name = p_strdup(conn->pool, attr_data);
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen ldap_attr = p_strdup_until(conn->pool, attr_data, p);
914d477534d4d502d3c3432e7910f9332366064fTimo Sirainen /* =foo static value */
0f5dc4da3982053036be65190e44bf28a67b1ca2Timo Sirainen if (var_expand_with_funcs(tmp_str, templ, NULL,
ec8e55a73623e40dfce9bfb5a60abf047788b222Martti Rannanjärvi /* This var_expand_with_funcs call fills the
ec8e55a73623e40dfce9bfb5a60abf047788b222Martti Rannanjärvi * ldap_field_find_context in ctx, but the
ec8e55a73623e40dfce9bfb5a60abf047788b222Martti Rannanjärvi * resulting string_t is not used, and the
ec8e55a73623e40dfce9bfb5a60abf047788b222Martti Rannanjärvi * return value or error_r is not checked since
ec8e55a73623e40dfce9bfb5a60abf047788b222Martti Rannanjärvi * it gives errors for non-ldap variable
ec8e55a73623e40dfce9bfb5a60abf047788b222Martti Rannanjärvi * expansions. */
9a8727ac119e429f8318262d9a2ba54aa4299306Timo Sirainen /* backwards compatibility:
9a8727ac119e429f8318262d9a2ba54aa4299306Timo Sirainen attr=name=prefix means same as
9a8727ac119e429f8318262d9a2ba54aa4299306Timo Sirainen attr=name=prefix%$ when %vars are missing */
67d650c5a18d0a03271bcb299e34ef7660835ac6Timo Sirainen i_error("LDAP %s: Invalid attrs entry: %s", conn->config_path, attr_data);
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen else if (skip_attr == NULL || strcmp(skip_attr, name) != 0) {
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen /* @name=ldapField */
626a206050bbe60b1f758c8918d09dad8accf225Timo Sirainen } else if (name[0] == '!' && name == ldap_attr) {
626a206050bbe60b1f758c8918d09dad8accf225Timo Sirainen /* !ldapAttr */
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen /* root request's attribute */
63cf2e557bdd9dd8bb4e2ecb84763ef884231f18Timo Sirainen *attr_names_r = array_idx_modifiable(&ctx.attr_names, 0);
4bbc8a478be20d0be16e92179fc32327004ebf86Timo Sirainenstatic const struct var_expand_table *
4bbc8a478be20d0be16e92179fc32327004ebf86Timo Sirainendb_ldap_value_get_var_expand_table(struct auth_request *auth_request,
4bbc8a478be20d0be16e92179fc32327004ebf86Timo Sirainen table = auth_request_get_var_expand_table_full(auth_request, NULL,
917cac3e0f87f1c60e6569dcb6efba97ac0aa8c2Aki Tuomi ((((unsigned char)(c)) & 0x80) != 0 || strchr(LDAP_ESCAPE_CHARS, (c)) != NULL)
43d32cbe60fdaef2699d99f1ca259053e9350411Timo Sirainen const struct auth_request *auth_request ATTR_UNUSED)
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainenldap_field_hide_password(struct db_ldap_result_iterate_context *ctx,
5ced9eb9ef70b745462ff3ac238fb7af94581cb2Martti Rannanjärvi if (ctx->ldap_request->auth_request->set->debug_passwords)
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen if (strcmp(field->ldap_attr_name, attr) == 0) {
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen strcmp(field->name, "password_noscheme") == 0)
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainenget_ldap_fields(struct db_ldap_result_iterate_context *ctx,
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen struct ldap_connection *conn, LDAPMessage *entry,
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen attr = ldap_first_attribute(conn->ld, entry, &ber);
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen vals = ldap_get_values(conn->ld, entry, attr);
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen ldap_value = p_new(ctx->pool, struct db_ldap_value, 1);
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen ldap_value->values = p_new(ctx->pool, const char *, 1);
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen for (count = 0; vals[count] != NULL; count++) ;
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen ldap_value->values = p_new(ctx->pool, const char *, count + 1);
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen for (i = 0; i < count; i++)
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen ldap_value->values[i] = p_strdup(ctx->pool, vals[i]);
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen str_printfa(ctx->debug, " %s%s=", attr, suffix);
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen str_append(ctx->debug, ldap_value->values[0]);
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen attr = ldap_next_attribute(conn->ld, entry, ber);
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainendb_ldap_result_iterate_init_full(struct ldap_connection *conn,
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen const struct ldap_request_named_result *named_res;
1b81b28b2e7856748cffd7d01052a944b6c80b23Timo Sirainen pool = pool_alloconly_create(MEMPOOL_GROWING"ldap result iter", 1024);
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen ctx = p_new(pool, struct db_ldap_result_iterate_context, 1);
5ced9eb9ef70b745462ff3ac238fb7af94581cb2Martti Rannanjärvi ctx->ldap_request = &ldap_request->request;
678d0463849ba777106eb7875f27db07a5d8e3dfTimo Sirainen hash_table_create(&ctx->ldap_attrs, pool, 0, strcase_hash, strcasecmp);
5ced9eb9ef70b745462ff3ac238fb7af94581cb2Martti Rannanjärvi if (ctx->ldap_request->auth_request->debug)
068afb0ee323c59fd4830d49a40a59be11ea0212Timo Sirainen if (array_is_created(&ldap_request->named_results)) {
068afb0ee323c59fd4830d49a40a59be11ea0212Timo Sirainen array_foreach(&ldap_request->named_results, named_res) {
068afb0ee323c59fd4830d49a40a59be11ea0212Timo Sirainen suffix = t_strdup_printf("@%s", named_res->field->name);
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainendb_ldap_result_iterate_init(struct ldap_connection *conn,
190ba2ebc899bd114e1e4ab9ee119be10f0cc0ecTimo Sirainen return db_ldap_result_iterate_init_full(conn, ldap_request, res,
74d5f3c4e3fd49d966a87f317f439a71954b3c70Timo Sirainenstatic const char *db_ldap_field_get_default(const char *data)
74d5f3c4e3fd49d966a87f317f439a71954b3c70Timo Sirainen const char *p;
74d5f3c4e3fd49d966a87f317f439a71954b3c70Timo Sirainen /* default value given */
bcf1cf2afb9692b0db555e6ecf662a2fbd19793dTimo Sirainendb_ldap_field_expand(const char *data, void *context,
bcf1cf2afb9692b0db555e6ecf662a2fbd19793dTimo Sirainen const char **value_r, const char **error_r ATTR_UNUSED)
c349375340580e4ef10b427323c6e67c14ae4996Timo Sirainen struct db_ldap_result_iterate_context *ctx = context;
74d5f3c4e3fd49d966a87f317f439a71954b3c70Timo Sirainen ldap_value = hash_table_lookup(ctx->ldap_attrs, field_name);
74d5f3c4e3fd49d966a87f317f439a71954b3c70Timo Sirainen /* requested ldap attribute wasn't returned at all */
74d5f3c4e3fd49d966a87f317f439a71954b3c70Timo Sirainen str_printfa(ctx->debug, "; %s missing", field_name);
c349375340580e4ef10b427323c6e67c14ae4996Timo Sirainen /* no value for ldap attribute */
5ced9eb9ef70b745462ff3ac238fb7af94581cb2Martti Rannanjärvi auth_request_log_warning(ctx->ldap_request->auth_request,
c349375340580e4ef10b427323c6e67c14ae4996Timo Sirainen "Multiple values found for '%s', using value '%s'",
bcf1cf2afb9692b0db555e6ecf662a2fbd19793dTimo Sirainendb_ldap_field_ptr_expand(const char *data, void *context,
a9b698e78ff0b4c71b1966c5a5d568c77632474cTimo Sirainen struct db_ldap_result_iterate_context *ctx = context;
bcf1cf2afb9692b0db555e6ecf662a2fbd19793dTimo Sirainen if ((ret = db_ldap_field_expand(data, ctx, &field_name, error_r)) <= 0)
a9b698e78ff0b4c71b1966c5a5d568c77632474cTimo Sirainen field_name = t_strconcat(field_name, suffix, NULL);
bcf1cf2afb9692b0db555e6ecf662a2fbd19793dTimo Sirainen return db_ldap_field_expand(field_name, ctx, value_r, error_r);
aec3f901e5895a6be413b8e7cf34de89d856ad21Sergey Kitovdb_ldap_field_dn_expand(const char *data ATTR_UNUSED, void *context ATTR_UNUSED,
aec3f901e5895a6be413b8e7cf34de89d856ad21Sergey Kitov const char **value_r, const char **error_r ATTR_UNUSED)
aec3f901e5895a6be413b8e7cf34de89d856ad21Sergey Kitov struct db_ldap_result_iterate_context *ctx = context;
a8adad33c80f82beb3c3529065a3d2b936cfd2fcTimo Sirainen char *dn = ldap_get_dn(ctx->ld, ctx->ldap_msg);
86c4dc0121015e403f9dd94ff7816b2baa5bd692Timo Sirainenstatic struct var_expand_func_table ldap_var_funcs_table[] = {
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainenstatic const char *const *
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainendb_ldap_result_return_value(struct db_ldap_result_iterate_context *ctx,
7c85bb54c14c0ca3e7171431f99a594615792086Timo Sirainen /* LDAP attribute doesn't exist */
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen /* use the LDAP attribute's value */
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen /* template */
7783bfe16d9f2c3076e519c5bf190c37a3aa7774Timo Sirainen if (values[0] == NULL && *field->ldap_attr_name != '\0') {
7783bfe16d9f2c3076e519c5bf190c37a3aa7774Timo Sirainen /* ldapAttr=key=template%$, but ldapAttr doesn't
5ced9eb9ef70b745462ff3ac238fb7af94581cb2Martti Rannanjärvi auth_request_log_warning(ctx->ldap_request->auth_request,
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen "Multiple values found for '%s', "
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen "using value '%s'",
4bbc8a478be20d0be16e92179fc32327004ebf86Timo Sirainen /* do this lookup separately for each expansion, because:
4bbc8a478be20d0be16e92179fc32327004ebf86Timo Sirainen 1) the values are allocated from data stack
4bbc8a478be20d0be16e92179fc32327004ebf86Timo Sirainen 2) if "user" field is updated, we want %u/%n/%d updated
4bbc8a478be20d0be16e92179fc32327004ebf86Timo Sirainen (and less importantly the same for other variables) */
5ced9eb9ef70b745462ff3ac238fb7af94581cb2Martti Rannanjärvi var_table = db_ldap_value_get_var_expand_table(
5ced9eb9ef70b745462ff3ac238fb7af94581cb2Martti Rannanjärvi ctx->ldap_request->auth_request, values[0]);
0f5dc4da3982053036be65190e44bf28a67b1ca2Timo Sirainen if (var_expand_with_funcs(ctx->var, field->value, var_table,
5ced9eb9ef70b745462ff3ac238fb7af94581cb2Martti Rannanjärvi auth_request_log_warning(ctx->ldap_request->auth_request,
0f5dc4da3982053036be65190e44bf28a67b1ca2Timo Sirainen "Failed to expand template %s: %s",
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainenbool db_ldap_result_iterate_next(struct db_ldap_result_iterate_context *ctx,
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen const char **name_r,
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen const char *const **values_r)
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen if (ctx->attr_idx == array_count(ctx->attr_map))
3fb1531681f9cbe49928f8e32357a692bf901c83Timo Sirainen field = array_idx(ctx->attr_map, ctx->attr_idx++);
626a206050bbe60b1f758c8918d09dad8accf225Timo Sirainen } while (field->value_is_dn != ctx->iter_dn_values ||
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen ldap_value = *field->ldap_attr_name == '\0' ? NULL :
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen hash_table_lookup(ctx->ldap_attrs, field->ldap_attr_name);
23bdbb7b1831785c6ba6df190f6369da882d2b9dTimo Sirainen else if (ctx->debug != NULL && *field->ldap_attr_name != '\0')
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen str_printfa(ctx->debug, "; %s missing", field->ldap_attr_name);
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen *values_r = db_ldap_result_return_value(ctx, field, ldap_value);
86c4dc0121015e403f9dd94ff7816b2baa5bd692Timo Sirainen /* expand %variables also for LDAP name fields. we'll use the
86c4dc0121015e403f9dd94ff7816b2baa5bd692Timo Sirainen same ctx->var, which may already contain the value. */
0f5dc4da3982053036be65190e44bf28a67b1ca2Timo Sirainen if (var_expand_with_funcs(ctx->var, field->name, tab,
5ced9eb9ef70b745462ff3ac238fb7af94581cb2Martti Rannanjärvi auth_request_log_warning(ctx->ldap_request->auth_request,
0f5dc4da3982053036be65190e44bf28a67b1ca2Timo Sirainen "Failed to expand %s: %s", field->name, error);
190ba2ebc899bd114e1e4ab9ee119be10f0cc0ecTimo Sirainen if (ctx->skip_null_values && (*values_r)[0] == NULL) {
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen /* no values. don't confuse the caller with this reply. */
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen return db_ldap_result_iterate_next(ctx, name_r, values_r);
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainendb_ldap_result_finish_debug(struct db_ldap_result_iterate_context *ctx)
5ced9eb9ef70b745462ff3ac238fb7af94581cb2Martti Rannanjärvi auth_request_log_debug(ctx->ldap_request->auth_request,
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen "no fields returned by the server");
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen iter = hash_table_iterate_init(ctx->ldap_attrs);
a75d470c9223a75801418fcdda258885c36317e0Timo Sirainen while (hash_table_iterate(iter, ctx->ldap_attrs, &name, &value)) {
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen str_truncate(ctx->debug, str_len(ctx->debug)-1);
5ced9eb9ef70b745462ff3ac238fb7af94581cb2Martti Rannanjärvi auth_request_log_debug(ctx->ldap_request->auth_request, AUTH_SUBSYS_DB,
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainenvoid db_ldap_result_iterate_deinit(struct db_ldap_result_iterate_context **_ctx)
0a8926b91a84abf462afdc1ed95def229377d7ffTimo Sirainen struct db_ldap_result_iterate_context *ctx = *_ctx;
965ed6ea3fc8f7637bd0d159d2fdb283a191ce34Timo Sirainenstatic const char *parse_setting(const char *key, const char *value,
965ed6ea3fc8f7637bd0d159d2fdb283a191ce34Timo Sirainen return parse_setting_from_defs(conn->pool, setting_defs,
c4457e497e01b57565d24da624968699b166e02aTimo Sirainenstatic struct ldap_connection *ldap_conn_find(const char *config_path)
c4457e497e01b57565d24da624968699b166e02aTimo Sirainen for (conn = ldap_connections; conn != NULL; conn = conn->next) {
c4457e497e01b57565d24da624968699b166e02aTimo Sirainen if (strcmp(conn->config_path, config_path) == 0)
964c86de7158ccafdfe665853579d71232e2634eTimo Sirainenstruct ldap_connection *db_ldap_init(const char *config_path, bool userdb)
c4457e497e01b57565d24da624968699b166e02aTimo Sirainen /* see if it already exists */
2e1e493b248dec0127b1eabeea5a8bc330378fcdTimo Sirainen i_fatal("LDAP: Configuration file path not given");
965ed6ea3fc8f7637bd0d159d2fdb283a191ce34Timo Sirainen pool = pool_alloconly_create("ldap_connection", 1024);
965ed6ea3fc8f7637bd0d159d2fdb283a191ce34Timo Sirainen conn = p_new(pool, struct ldap_connection, 1);
fc4ff2356fee6389d4cf2b3f12f4098a436f0502Timo Sirainen conn->conn_state = LDAP_CONN_STATE_DISCONNECTED;
c4457e497e01b57565d24da624968699b166e02aTimo Sirainen conn->config_path = p_strdup(pool, config_path);
803197abb1cc0e81abb668c026c22394bfef820dTimo Sirainen if (!settings_read_nosection(config_path, parse_setting, conn, &error))
f2dda28eb05337cabcd66b909a66affe79de1b4aTimo Sirainen i_fatal("LDAP %s: No base given", config_path);
b1504ccfa93e77d906e39e6aa31a592d69f6b5b4Timo Sirainen if (conn->set.uris == NULL && conn->set.hosts == NULL)
f2dda28eb05337cabcd66b909a66affe79de1b4aTimo Sirainen i_fatal("LDAP %s: No uris or hosts set", config_path);
f2dda28eb05337cabcd66b909a66affe79de1b4aTimo Sirainen i_fatal("LDAP %s: uris set, but Dovecot compiled without support for LDAP uris "
f2dda28eb05337cabcd66b909a66affe79de1b4aTimo Sirainen "(ldap_initialize() not supported by LDAP library)", config_path);
f2dda28eb05337cabcd66b909a66affe79de1b4aTimo Sirainen i_fatal("LDAP %s: tls=yes, but your LDAP library doesn't support TLS", config_path);
67d650c5a18d0a03271bcb299e34ef7660835ac6Timo Sirainen i_fatal("LDAP %s: sasl_bind=yes but no SASL support compiled in", conn->config_path);
41e360a76aa9cf0d69aded3e0d5b0d5b5e91b50fTimo Sirainen i_fatal("LDAP %s: sasl_bind=yes requires ldap_version=3", config_path);
41e360a76aa9cf0d69aded3e0d5b0d5b5e91b50fTimo Sirainen i_fatal("LDAP %s: tls=yes requires ldap_version=3", config_path);
6332ef7522d7a77a18c1bec4fc80d92ee597336cTimo Sirainen if (tls_require_cert2str(conn->set.tls_require_cert,
6332ef7522d7a77a18c1bec4fc80d92ee597336cTimo Sirainen i_fatal("LDAP %s: Unknown tls_require_cert value '%s'",
f8464772990b52cb8de4553bc1135adcf72813b8Timo Sirainen if (str != NULL && strcmp(str, conn->set.ldaprc_path) != 0) {
f2dda28eb05337cabcd66b909a66affe79de1b4aTimo Sirainen i_fatal("LDAP %s: Multiple different ldaprc_path "
f8464772990b52cb8de4553bc1135adcf72813b8Timo Sirainen "settings not allowed (%s and %s)",
f8464772990b52cb8de4553bc1135adcf72813b8Timo Sirainen env_put(t_strconcat("LDAPRC=", conn->set.ldaprc_path, NULL));
6332ef7522d7a77a18c1bec4fc80d92ee597336cTimo Sirainen if (deref2str(conn->set.deref, &conn->set.ldap_deref) < 0)
6332ef7522d7a77a18c1bec4fc80d92ee597336cTimo Sirainen i_fatal("LDAP %s: Unknown deref option '%s'", config_path, conn->set.deref);
6332ef7522d7a77a18c1bec4fc80d92ee597336cTimo Sirainen if (scope2str(conn->set.scope, &conn->set.ldap_scope) < 0)
6332ef7522d7a77a18c1bec4fc80d92ee597336cTimo Sirainen i_fatal("LDAP %s: Unknown scope option '%s'", config_path, conn->set.scope);
63cde222abaaa2a9bdaa9a143698dbc8b23bd742Timo Sirainen conn->request_queue = aqueue_init(&conn->request_array.arr);
d5cebe7f98e63d4e2822863ef2faa4971e8b3a5dTimo Sirainenvoid db_ldap_unref(struct ldap_connection **_conn)
b321df9603081896b70ec44635af96d674a9839aTimo Sirainen for (p = &ldap_connections; *p != NULL; p = &(*p)->next) {
8ae72ad7d0c69e972cfa65d1e2ce4e3e9a8b765cTimo Sirainen db_ldap_abort_requests(conn, UINT_MAX, 0, FALSE, "Shutting down");
be20a7ddf87cb56ee63016dd0029f0c523be09b6Timo Sirainen/* Building a plugin */
cc03958ccda8258252c512412f8d5600ce383b14Timo Sirainenextern struct passdb_module_interface passdb_ldap_plugin;
cc03958ccda8258252c512412f8d5600ce383b14Timo Sirainenextern struct userdb_module_interface userdb_ldap_plugin;
cc03958ccda8258252c512412f8d5600ce383b14Timo Sirainen passdb_unregister_module(&passdb_ldap_plugin);