util_ldap.h revision 9ad7b260be233be7d7b5576979825cac72e15498
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* @file util_ldap.h
* @brief Apache LDAP library
*/
#ifndef UTIL_LDAP_H
#define UTIL_LDAP_H
/* APR header files */
#include "apr.h"
#include "apr_thread_mutex.h"
#include "apr_thread_rwlock.h"
#include "apr_tables.h"
#include "apr_time.h"
#include "apr_ldap.h"
#include "apr_ldap_rebind.h"
#define AP_LDAP_IS_SERVER_DOWN(s) ((s) == LDAP_SERVER_DOWN \
||(s) == LDAP_UNAVAILABLE)
#else
#define AP_LDAP_IS_SERVER_DOWN(s) ((s) == LDAP_SERVER_DOWN)
#endif
#include "apr_rmm.h"
#include "apr_shm.h"
#endif
/* this whole thing disappears if LDAP is not enabled */
#if APR_HAS_LDAP
/* Apache header files */
#include "ap_config.h"
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"
#include "apr_optional.h"
/* Create a set of LDAP_DECLARE macros with appropriate export
* and import tags for the platform
*/
#if !defined(WIN32)
#define LDAP_DECLARE_DATA
#elif defined(LDAP_DECLARE_STATIC)
#define LDAP_DECLARE_DATA
#elif defined(LDAP_DECLARE_EXPORT)
#else
#endif
#ifdef __cplusplus
extern "C" {
#endif
/*
* LDAP Connections
*/
/* Values that the deref member can have */
typedef enum {
/* Structure representing an LDAP connection */
typedef struct util_ldap_connection_t {
#if APR_HAS_THREADS
#endif
int bound; /* Flag to indicate whether this connection is bound yet */
const char *host; /* Name of the LDAP server (or space separated list) */
int port; /* Port of the LDAP server */
const char *binddn; /* DN to bind to server (can be NULL) */
const char *bindpw; /* Password to bind to server (can be NULL) */
const char *reason; /* Reason for an error failure */
int ChaseReferrals; /* [on|off] (on=1, off=0, default = On)*/
int ReferralHopLimit; /* # of referral hops to follow (default = 5) */
struct util_ldap_connection_t *next;
int keep; /* Will this connection be kept when it's unlocked */
typedef struct util_ldap_config_t {
int ChaseReferrals;
int ReferralHopLimit;
/* LDAP cache state information */
typedef struct util_ldap_state_t {
#if APR_HAS_THREADS
#endif
char *cache_file; /* filename for shm */
long search_cache_ttl; /* TTL for search cache */
long search_cache_size; /* Size (in entries) of search cache */
long compare_cache_ttl; /* TTL for compare cache */
long compare_cache_size; /* Size (in entries) of compare cache */
struct util_ldap_connection_t *connections;
int ssl_supported;
int secure;
int secure_set;
#endif
/* cache ald */
void *util_ldap_cache;
char *lock_file; /* filename for shm lock mutex */
long connectionTimeout;
int verify_svr_cert;
struct mod_auth_ldap_groupattr_entry_t {
char *name;
};
/**
* Open a connection to an LDAP server
* @param ldc A structure containing the expanded details of the server
* to connect to. The handle to the LDAP connection is returned
* as ldc->ldap.
* @tip This function connects to the LDAP server and binds. It does not
* connect if already connected (ldc->ldap != NULL). Does not bind
* if already bound.
* @return If successful LDAP_SUCCESS is returned.
* @fn int util_ldap_connection_open(request_rec *r,
* util_ldap_connection_t *ldc)
*/
/**
* Close a connection to an LDAP server
* @param ldc A structure containing the expanded details of the server
* that was connected.
* @tip This function unbinds from the LDAP server, and clears ldc->ldap.
* It is possible to rebind to this server again using the same ldc
* structure, using apr_ldap_open_connection().
* @fn util_ldap_close_connection(util_ldap_connection_t *ldc)
*/
/**
* Unbind a connection to an LDAP server
* @param ldc A structure containing the expanded details of the server
* that was connected.
* @tip This function unbinds the LDAP connection, and disconnects from
* the server. It is used during error conditions, to bring the LDAP
* connection back to a known state.
* @fn apr_status_t util_ldap_connection_unbind(util_ldap_connection_t *ldc)
*/
/**
* Cleanup a connection to an LDAP server
* @param ldc A structure containing the expanded details of the server
* that was connected.
* @tip This functions unbinds and closes the connection to the LDAP server
* @fn apr_status_t util_ldap_connection_cleanup(util_ldap_connection_t *ldc)
*/
/**
* Find a connection in a list of connections
* @param r The request record
* @param host The hostname to connect to (multiple hosts space separated)
* @param port The port to connect to
* @param binddn The DN to bind with
* @param bindpw The password to bind with
* @param deref The dereferencing behavior
* @param secure use SSL on the connection
* @tip Once a connection is found and returned, a lock will be acquired to
* lock that particular connection, so that another thread does not try and
* use this connection while it is busy. Once you are finished with a connection,
* apr_ldap_connection_close() must be called to release this connection.
* @fn util_ldap_connection_t *util_ldap_connection_find(request_rec *r, const char *host, int port,
* const char *binddn, const char *bindpw, deref_options deref,
* int netscapessl, int starttls)
*/
APR_DECLARE_OPTIONAL_FN(util_ldap_connection_t *,uldap_connection_find,(request_rec *r, const char *host, int port,
int secure));
/**
* Compare two DNs for sameness
* @param r The request record
* @param ldc The LDAP connection being used.
* @param url The URL of the LDAP connection - used for deciding which cache to use.
* @param dn The first DN to compare.
* @param reqdn The DN to compare the first DN to.
* @param compare_dn_on_server Flag to determine whether the DNs should be checked using
* LDAP calls or with a direct string comparision. A direct
* string comparison is faster, but not as accurate - false
* negative comparisons are possible.
* @tip Two DNs can be equal and still fail a string comparison. Eg "dc=example,dc=com"
* and "dc=example, dc=com". Use the compare_dn_on_server unless there are serious
* performance issues.
* @fn int util_ldap_cache_comparedn(request_rec *r, util_ldap_connection_t *ldc,
* const char *url, const char *dn, const char *reqdn,
* int compare_dn_on_server)
*/
int compare_dn_on_server));
/**
* A generic LDAP compare function
* @param r The request record
* @param ldc The LDAP connection being used.
* @param url The URL of the LDAP connection - used for deciding which cache to use.
* @param dn The DN of the object in which we do the compare.
* @param attrib The attribute within the object we are comparing for.
* @param value The value of the attribute we are trying to compare for.
* object. Typically this would be used to determine LDAP top-level group
* membership.
* @fn int util_ldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc,
* const char *url, const char *dn, const char *attrib, const char *value)
*/
/**
* An LDAP function that checks if the specified user is a member of a subgroup.
* @param r The request record
* @param ldc The LDAP connection being used.
* @param url The URL of the LDAP connection - used for deciding which cache to use.
* @param dn The DN of the object in which we find subgroups to search within.
* @param attrib The attribute within group objects that identify users.
* @param value The user attribute value we are trying to compare for.
* @param subgroupAttrs The attributes within group objects that identify subgroups.
* Array of strings.
* @param subgroupclasses The objectClass values used to identify groups (and
* subgroups). apr_array_header_t *.
* @param cur_subgroup_depth Current recursive depth during subgroup processing.
* @param max_subgroup_depth Maximum depth of recursion allowed during subgroup
* processing.
* starting group object or one of its nested subgroups. Typically this would be
* used to determine LDAP nested group membership.
* @deffunc int util_ldap_cache_check_subgroups(request_rec *r, util_ldap_connection_t
* *ldc, const char *url, const char *dn,
* const char *attrib, const char value,
* char **subgroupAttrs, apr_array_header_t
* *subgroupclasses, int cur_subgroup_depth, int
* max_subgroup_depth )
*/
APR_DECLARE_OPTIONAL_FN(int,uldap_cache_check_subgroups,(request_rec *r, util_ldap_connection_t *ldc,
int cur_subgroup_depth, int max_subgroup_depth));
/**
* @param r The request record
* @param ldc The LDAP connection being used.
* @param url The URL of the LDAP connection - used for deciding which cache to use.
* @param basedn The Base DN to search for the user in.
* @param scope LDAP scope of the search.
* @param attrs LDAP attributes to return in search.
* @param filter The user to search for in the form of an LDAP filter. This filter must return
* exactly one user for the check to be successful.
* @param bindpw The user password to bind as.
* @param binddn The DN of the user will be returned in this variable.
* @param retvals The values corresponding to the attributes requested in the attrs array.
* @tip The filter supplied will be searched for. If a single entry is returned, an attempt
* is made to bind as that user. If this bind succeeds, the user is not validated.
* @fn int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc,
* char *url, const char *basedn, int scope, char **attrs,
* char *filter, char *bindpw, char **binddn, char ***retvals)
*/
/**
* Searches for a specified user object in an LDAP directory
* @param r The request record
* @param ldc The LDAP connection being used.
* @param url The URL of the LDAP connection - used for deciding which cache to use.
* @param basedn The Base DN to search for the user in.
* @param scope LDAP scope of the search.
* @param attrs LDAP attributes to return in search.
* @param filter The user to search for in the form of an LDAP filter. This filter must return
* exactly one user for the check to be successful.
* @param binddn The DN of the user will be returned in this variable.
* @param retvals The values corresponding to the attributes requested in the attrs array.
* @tip The filter supplied will be searched for. If a single entry is returned, an attempt
* is made to bind as that user. If this bind succeeds, the user is not validated.
* @fn int util_ldap_cache_getuserdn(request_rec *r, util_ldap_connection_t *ldc,
* char *url, const char *basedn, int scope, char **attrs,
* char *filter, char **binddn, char ***retvals)
*/
/**
* Checks if SSL support is available in mod_ldap
* @fn int util_ldap_ssl_supported(request_rec *r)
*/
/* from apr_ldap_cache.c */
/**
* Init the LDAP cache
* @param pool The pool to use to initialise the cache
* @param reqsize The size of the shared memory segement to request. A size
* of zero requests the max size possible from
* apr_shmem_init()
* @fn void util_ldap_cache_init(apr_pool_t *p, util_ldap_state_t *st)
* @return The status code returned is the status code of the
* apr_smmem_init() call. Regardless of the status, the cache
* will be set up at least for in-process or in-thread operation.
*/
/* from apr_ldap_cache_mgr.c */
/**
* Display formatted stats for cache
* @param The pool to allocate the returned string from
* @tip This function returns a string allocated from the provided pool that describes
* various stats about the cache.
* @fn char *util_ald_cache_display(apr_pool_t *pool, util_ldap_state_t *st)
*/
#ifdef __cplusplus
}
#endif
#endif /* APR_HAS_LDAP */
#endif /* UTIL_LDAP_H */