httpd/include/util_ldap.h

	util_ldap.h revision 6efdaed03d9670667ac618dc67b33156d4ef9f72
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd/* ====================================================================
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * The Apache Software License, Version 1.1
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * Copyright (c) 2000-2001 The Apache Software Foundation.  All rights
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * reserved.
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * Redistribution and use in source and binary forms, with or without
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * modification, are permitted provided that the following conditions
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * are met:
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * 1. Redistributions of source code must retain the above copyright
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *    notice, this list of conditions and the following disclaimer.
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * 2. Redistributions in binary form must reproduce the above copyright
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *    notice, this list of conditions and the following disclaimer in
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *    the documentation and/or other materials provided with the
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *    distribution.
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * 3. The end-user documentation included with the redistribution,
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *    if any, must include the following acknowledgment:
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *       "This product includes software developed by the
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *        Apache Software Foundation (http://www.apache.org/)."
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *    Alternately, this acknowledgment may appear in the software itself,
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *    if and wherever such third-party acknowledgments normally appear.
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * 4. The names "Apache" and "Apache Software Foundation" must
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *    not be used to endorse or promote products derived from this
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *    software without prior written permission. For written
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *    permission, please contact apache@apache.org.
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * 5. Products derived from this software may not be called "Apache",
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *    nor may "Apache" appear in their name, without prior written
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *    permission of the Apache Software Foundation.
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * SUCH DAMAGE.
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * ====================================================================
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd *
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * This software consists of voluntary contributions made by many
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * individuals on behalf of the Apache Software Foundation.  For more
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * information on the Apache Software Foundation, please see
a751155a30bbd9ccb739c1b052635b14d39038c2wrowe * <http://www.apache.org/>.
a751155a30bbd9ccb739c1b052635b14d39038c2wrowe */
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd#ifndef UTIL_LDAP_H
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd#define UTIL_LDAP_H
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd
b17d863d3cc7f7afa03ea7f1bad65e0389713032tdonovan#include <apr_ldap.h>
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd/* this whole thing disappears if LDAP is not enabled */
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd#ifdef APU_HAS_LDAP
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd/* APR header files */
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd#include <apr_thread_mutex.h>
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd#include <apr_thread_rwlock.h>
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd#include <apr_tables.h>
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd#include <apr_time.h>
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd/* Apache header files */
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd#include "ap_config.h"
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd#include "httpd.h"
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd#include "http_config.h"
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd#include "http_core.h"
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd#include "http_log.h"
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd#include "http_protocol.h"
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd#include "http_request.h"
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd/*
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd * LDAP Connections
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd */
a751155a30bbd9ccb739c1b052635b14d39038c2wrowe
a751155a30bbd9ccb739c1b052635b14d39038c2wrowe/* Values that the deref member can have */
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5ndtypedef enum {
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd    never=LDAP_DEREF_NEVER,
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd    searching=LDAP_DEREF_SEARCHING,
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd    finding=LDAP_DEREF_FINDING,
b17d863d3cc7f7afa03ea7f1bad65e0389713032tdonovan    always=LDAP_DEREF_ALWAYS
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd} deref_options;
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd/* Structure representing an LDAP connection */
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5ndtypedef struct util_ldap_connection_t {
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd    LDAP *ldap;
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd    apr_pool_t *pool;           /* Pool from which this connection is created */
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd    apr_thread_mutex_t *lock;           /* Lock to indicate this connection is in use */
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd    int bound;              /* Flag to indicate whether this connection is bound yet */
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd    const char *host;               /* Name of the LDAP server (or space separated list) */
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd    int port;               /* Port of the LDAP server */
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd    deref_options deref;        /* how to handle alias dereferening */
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd    const char *binddn;                 /* DN to bind to server (can be NULL) */
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd    const char *bindpw;                 /* Password to bind to server (can be NULL) */
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd    int netscapessl;            /* True if use Netscape SSL connection */
5f687b4bc4c5a435a683711d3b4bfa5791aeb2a5nd    const char *certtdb;            /* Path to Netscape CA database */

    int starttls;                   /* True if StartTLS is enabled */
    int withtls;            /* True if StartTLS on this connection */

    const char *reason;         /* Reason for an error failure */

    struct util_ldap_connection_t *next;
} util_ldap_connection_t;

/* LDAP cache state information */
typedef struct util_ldap_state_t {
    apr_pool_t *pool;       /* pool from which this state is allocated */
    apr_thread_mutex_t *mutex;      /* mutex lock for the connection list */

    apr_size_t cache_bytes; /* Size (in bytes) of shared memory cache */
    long search_cache_ttl;  /* TTL for search cache */
    long search_cache_size; /* Size (in entries) of search cache */
    long compare_cache_ttl; /* TTL for compare cache */
    long compare_cache_size;    /* Size (in entries) of compare cache */

    struct util_ldap_connection_t *connections;
#ifdef APU_HAS_LDAP_NETSCAPE_SSL
    int have_certdb;
#endif
} util_ldap_state_t;


/**
 * Open a connection to an LDAP server
 * @param ldc A structure containing the expanded details of the server
 *            to connect to. The handle to the LDAP connection is returned
 *            as ldc->ldap.
 * @tip This function connects to the LDAP server and binds. It does not
 *      connect if already connected (ldc->ldap != NULL). Does not bind
 *      if already bound.
 * @return If successful LDAP_SUCCESS is returned.
 * @deffunc int util_ldap_connection_open(util_ldap_connection_t *ldc)
 */
int util_ldap_connection_open(util_ldap_connection_t *ldc);

/**
 * Close a connection to an LDAP server
 * @param ldc A structure containing the expanded details of the server
 *            that was connected.
 * @tip This function unbinds from the LDAP server, and clears ldc->ldap.
 *      It is possible to rebind to this server again using the same ldc
 *      structure, using apr_ldap_open_connection().
 * @deffunc util_ldap_close_connection(util_ldap_connection_t *ldc)
 */
void util_ldap_connection_close(util_ldap_connection_t *ldc);

/**
 * Destroy a connection to an LDAP server
 * @param ldc A structure containing the expanded details of the server
 *            that was connected.
 * @tip This function is registered with the pool cleanup to close down the
 *      LDAP connections when the server is finished with them.
 * @deffunc apr_status_t util_ldap_connection_destroy(util_ldap_connection_t *ldc)
 */
apr_status_t util_ldap_connection_destroy(void *param);

/**
 * Find a connection in a list of connections
 * @param r The request record
 * @param host The hostname to connect to (multiple hosts space separated)
 * @param port The port to connect to
 * @param binddn The DN to bind with
 * @param bindpw The password to bind with
 * @param deref The dereferencing behavior
 * @param netscapessl Start SSL on the connection using ldapssl_client_init() [0|1]
 * @param starttls Start TLS using STARTTLS parameter [0|1]
 * @tip Once a connection is found and returned, a lock will be acquired to
 *      lock that particular connection, so that another thread does not try and
 *      use this connection while it is busy. Once you are finished with a connection,
 *      apr_ldap_connection_close() must be called to release this connection.
 * @deffunc util_ldap_connection_t *util_ldap_connection_find(request_rec *r, const char *host, int port,
 *                                                           const char *binddn, const char *bindpw, deref_options deref,
 *                                                           int netscapessl, int starttls)
 */
util_ldap_connection_t *util_ldap_connection_find(request_rec *r, const char *host, int port,
                                                  const char *binddn, const char *bindpw, deref_options deref,
                                                  int netscapessl, int starttls);


/**
 * Compare two DNs for sameness
 * @param r The request record
 * @param ldc The LDAP connection being used.
 * @param url The URL of the LDAP connection - used for deciding which cache to use.
 * @param dn The first DN to compare.
 * @param reqdn The DN to compare the first DN to.
 * @param compare_dn_on_server Flag to determine whether the DNs should be checked using
 *                             LDAP calls or with a direct string comparision. A direct
 *                             string comparison is faster, but not as accurate - false
 *                             negative comparisons are possible.
 * @tip Two DNs can be equal and still fail a string comparison. Eg "dc=example,dc=com"
 *      and "dc=example, dc=com". Use the compare_dn_on_server unless there are serious
 *      performance issues.
 * @deffunc int util_ldap_cache_comparedn(request_rec *r, util_ldap_connection_t *ldc,
 *                                        const char *url, const char *dn, const char *reqdn,
 *                                        int compare_dn_on_server)
 */
int util_ldap_cache_comparedn(request_rec *r, util_ldap_connection_t *ldc,
                              const char *url, const char *dn, const char *reqdn,
                              int compare_dn_on_server);

/**
 * A generic LDAP compare function
 * @param r The request record
 * @param ldc The LDAP connection being used.
 * @param url The URL of the LDAP connection - used for deciding which cache to use.
 * @param dn The DN of the object in which we do the compare.
 * @param attrib The attribute within the object we are comparing for.
 * @param value The value of the attribute we are trying to compare for.
 * @tip Use this function to determine whether an attribute/value pair exists within an
 *      object. Typically this would be used to determine LDAP group membership.
 * @deffunc int util_ldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc,
 *                                      const char *url, const char *dn, const char *attrib, const char *value)
 */
int util_ldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc,
                            const char *url, const char *dn, const char *attrib, const char *value);

/**
 * Checks a username/password combination by binding to the LDAP server
 * @param r The request record
 * @param ldc The LDAP connection being used.
 * @param url The URL of the LDAP connection - used for deciding which cache to use.
 * @param basedn The Base DN to search for the user in.
 * @param scope LDAP scope of the search.
 * @param attrs LDAP attributes to return in search.
 * @param filter The user to search for in the form of an LDAP filter. This filter must return
 *               exactly one user for the check to be successful.
 * @param bindpw The user password to bind as.
 * @param binddn The DN of the user will be returned in this variable.
 * @param retvals The values corresponding to the attributes requested in the attrs array.
 * @tip The filter supplied will be searched for. If a single entry is returned, an attempt
 *      is made to bind as that user. If this bind succeeds, the user is not validated.
 * @deffunc int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc,
 *                                          char *url, const char *basedn, int scope, char **attrs,
 *                                          char *filter, char *bindpw, char **binddn, char ***retvals)
 */
int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc,
                              const char *url, const char *basedn, int scope, char **attrs,
                              const char *filter, const char *bindpw, const char **binddn, const char ***retvals);

/* from apr_ldap_cache.c */

/**
 * Init the LDAP cache
 * @param pool The pool to use to initialise the cache
 * @param reqsize The size of the shared memory segement to request. A size
 *                of zero requests the max size possible from
 *                apr_shmem_init()
 * @deffunc void util_ldap_cache_init(apr_pool_t *p)
 * @return The status code returned is the status code of the
 *         apr_smmem_init() call. Regardless of the status, the cache
 *         will be set up at least for in-process or in-thread operation.
 */
apr_status_t util_ldap_cache_init(apr_pool_t *pool, apr_size_t reqsize);

/**
 * Display formatted stats for cache
 * @param The pool to allocate the returned string from
 * @tip This function returns a string allocated from the provided pool that describes
 *      various stats about the cache.
 * @deffunc char *util_ald_cache_display(apr_pool_t *pool)
 */
char *util_ald_cache_display(apr_pool_t *pool);


/* from apr_ldap_cache_mgr.c */

/**
 * Display formatted stats for cache
 * @param The pool to allocate the returned string from
 * @tip This function returns a string allocated from the provided pool that describes
 *      various stats about the cache.
 * @deffunc char *util_ald_cache_display(apr_pool_t *pool)
 */
char *util_ald_cache_display(apr_pool_t *pool);

#endif /* APU_HAS_LDAP */
#endif /* UTIL_LDAP_H */