util_ldap.c revision 09338db7fdcf82ecc189195347da3a3ed5d0287a
363N/A/* Copyright 2001-2004 The Apache Software Foundation 363N/A * Licensed under the Apache License, Version 2.0 (the "License"); 363N/A * you may not use this file except in compliance with the License. 363N/A * You may obtain a copy of the License at 363N/A * Unless required by applicable law or agreed to in writing, software 363N/A * distributed under the License is distributed on an "AS IS" BASIS, 363N/A * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 363N/A * See the License for the specific language governing permissions and 363N/A * limitations under the License. 363N/A * Original code from auth_ldap module for Apache v1.3: 363N/A * Copyright 1998, 1999 Enbridge Pipelines Inc. 363N/A * Copyright 1999-2001 Dave Carrigan 363N/A /* defines for certificate file types 363N/A * Some definitions to help between various versions of apache. 363N/A "DTD HTML 2.0//EN\">\n" 363N/A "DTD HTML 3.2 Final//EN\">\n" 363N/A "DTD HTML 4.0//EN\"\n" \
363N/A "DTD HTML 4.0 Transitional//EN\"\n" \
"DTD HTML 4.0 Frameset//EN\"\n" \
* This handler generates a status page about the current performance of * the LDAP cache. It is enabled as follows: * <Location /ldap-status> "<html><head><title>LDAP Cache Information</title></head>\n", r);
ap_rputs(
"<body bgcolor='#ffffff'><h1 align=center>LDAP Cache Information</h1>\n", r);
/* ------------------------------------------------------------------ */ * Closes an LDAP connection by unlocking it. The next time * util_ldap_connection_find() is called this connection will be * Is it safe leaving bound connections floating around between the * different modules? Keeping the user bound is a performance boost, * but it is also a potential security problem - maybe. * For now we unbind the user when we finish with a connection, but /* mark our connection as available for reuse */ * Destroys an LDAP connection by unbinding and closing the connection to * the LDAP server. It is used to bring the connection back to a known * state after an error, and during pool cleanup. * Clean up an LDAP connection by unbinding and unlocking the connection. * This function is registered with the pool cleanup function - causing * the LDAP connections to be shut down cleanly on graceful restart. /* unbind and disconnect from the LDAP server */ /* free the username and password */ * Connect to the LDAP server and binds. Does not connect if already * connected (i.e. ldc->ldap is non-NULL.) Does not bind if already bound. * Returns LDAP_SUCCESS on success; and an error code on failure /* sanity check for NULL */ /* If the connection is already bound, return ldc->
reason =
"LDAP: connection open successful (already bound)";
/* create the ldap session handle /* To work around a bug in the Netware SDK, if no client certs are * present (Netware client certs are global), we apply the SSL * settings immediately. If client certs are present, we defer the * setting of SSL on the connection until later. /* Since the host will include a port if the default port is not used, * always specify the default ports for the port parameter. This will allow * a host string that contains multiple hosts the ability to mix some * hosts with ports and some without. All hosts which do not specify * a port will use the default port. ldc->
reason =
"LDAP: ldap initialization failed";
/* set client certificates */ /* Set the alias dereferencing option */ /* always default to LDAP V3 */ /* loop trying to bind up to 10 times if LDAP_SERVER_DOWN error is * returned. Break out of the loop on Success or any other error. * NOTE: Looping is probably not a great idea. If the server isn't * responding the chances it will respond after a few tries are poor. * However, the original code looped and it only happens on /* free the handle if there was an error ldc->
reason =
"LDAP: ldap_simple_bind_s() failed";
ldc->
reason =
"LDAP: connection open successful";
* Compare client certificate arrays. * Returns 1 on compare failure, 0 otherwise. /* arrays both NULL? if so, then equal */ /* arrays different length or either NULL? If so, then not equal */ /* run an actual comparison */ /* if we got here, the cert arrays were identical */ * Find an existing ldap connection struct that matches the * provided ldap connection parameters. * If not found in the cache, a new ldc structure will be allocated from st->pool * and returned to the caller. If found in the cache, a pointer to the existing * ldc structure will be returned. /* mutex lock this function */ /* Search for an exact connection match in the list that is not /* If this connection didn't match the criteria, then we * need to unlock the mutex so it is available to be reused. /* If nothing found, search again, but we don't care about the * binddn and bindpw this time. /* the bind credentials have changed */ /* If this connection didn't match the criteria, then we * need to unlock the mutex so it is available to be reused. /* artificially disable cache */ /* If no connection what found after the second search, we * Add the new connection entry to the linked list. Note that we * don't actually establish an LDAP connection yet; that happens * the first time authentication is requested. /* create the details to the pool in st */ /* The security mode after parsing the URL will always be either * APR_LDAP_NONE (ldap://) or APR_LDAP_SSL (ldaps://). * If the security setting is NONE, override it to the security * setting optionally supplied by the admin using LDAPTrustedMode /* save away a copy of the client cert list that is presently valid */ /* add the cleanup to the pool */ /* ------------------------------------------------------------------ */ * Compares two DNs to see if they're equal. The only way to do this correctly is to * search for the dn and then do ldap_get_dn() on the result. This should match the * initial dn, since it would have been also retrieved with ldap_get_dn(). This is * expensive, so if the configuration value compare_dn_on_server is * false, just does an ordinary strcmp. * The lock for the ldap cache should already be acquired. const char *
url,
const char *
dn,
const char *
reqdn,
/* get cache entry (or create one) */ /* unlock this read lock */ ldc->
reason =
"DN Comparison FALSE (direct strcmp())";
ldc->
reason =
"DN Comparison TRUE (direct strcmp())";
/* no - it's a server side compare */ /* is it in the compare cache? */ /* If it's in the cache, it's good */ /* unlock this read lock */ /* unlock this read lock */ /* make a server connection */ /* connect to server failed */ "(objectclass=*)",
NULL,
1,
ldc->
reason =
"DN Comparison ldap_search_ext_s() failed with server down";
/* search for reqdn failed - no match */ ldc->
reason =
"DN Comparison ldap_search_ext_s() failed";
/* compare unsuccessful */ ldc->
reason =
"DN Comparison FALSE (checked on server)";
/* compare successful - add to the compare cache */ ldc->
reason =
"DN Comparison TRUE (checked on server)";
* Does an generic ldap_compare operation. It accepts a cache that it will use * to lookup the compare in the cache. We cache two kinds of compares * (require group compares) and (require user compares). Each compare has a different * cache node: require group includes the DN; require user does not because the * require user cache is owned by the const char *
url,
const char *
dn,
/* get cache entry (or create one) */ /* make a comparison to the cache */ /* ...but it is too old */ /* unlock this read lock */ ldc->
reason =
"Comparison no such attribute (cached)";
ldc->
reason =
"Comparison undefined (cached)";
/* unlock this read lock */ /* connection failed - try again */ ldc->
reason =
"ldap_compare_s() failed with server down";
/* compare completed; caching result */ /* If the node doesn't exist then insert it, otherwise just update it with ldc->
reason =
"Comparison true (adding to cache)";
ldc->
reason =
"Comparison false (adding to cache)";
ldc->
reason =
"Comparison no such attribute (adding to cache)";
/* Get the cache node for this url */ /* found entry in search cache... */ * Remove this item from the cache if its expired. If the sent password * doesn't match the storepassword, the entry will be removed and readded * later if the credentials pass authentication. /* ...but entry is too old */ /* ...and entry is valid */ ldc->
reason =
"Authentication successful (cached)";
/* unlock this read lock */ * At this point, there is no valid cached search, so lets do the search. * If any LDAP operation fails due to LDAP_SERVER_DOWN, control returns here. ldc->
reason =
"ldap_search_ext_s() for user failed with server down";
/* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */ ldc->
reason =
"ldap_search_ext_s() for user failed";
* We should have found exactly one entry; to find a different ldc->
reason =
"User is not unique (search found two or more matches)";
/* Grab the dn, copy it into the pool, and free it again */ * A bind to the server with an empty password always succeeds, so * we check to ensure that the password is not empty. This implies * that users who actually do have empty passwords will never be * able to authenticate with this module. I don't see this as a big * Attempt to bind with the retrieved dn and the password. If the bind * fails, it means that the password is wrong (the dn obviously * exists, since we just retrieved it) ldc->
reason =
"ldap_simple_bind_s() to check user credentials " "failed with server down";
/* failure? if so - return */ ldc->
reason =
"ldap_simple_bind_s() to check user credentials failed";
* We have just bound the connection to a different user and password * combination, which might be reused unintentionally next time this * connection is used from the connection pool. To ensure no confusion, * we mark the connection as unbound. * Get values for the provided attributes. * Add the new username to the search cache. /* Search again to make sure that another thread didn't ready insert this node into the cache before we got here. If it does exist then update the lastbind */ /* Nothing in cache, insert new entry */ /* Entry in cache is invalid, remove it and insert new one */ /* Cache entry is valid, update lastbind */ * This function will return the DN of the entry matching userid. * It is used to get the DN in case some other module than mod_auth_ldap * has authenticated the user. * The function is basically a copy of util_ldap_cache_checkuserid * with password checking removed. /* Get the cache node for this url */ /* found entry in search cache... */ * Remove this item from the cache if its expired. /* ...but entry is too old */ /* ...and entry is valid */ /* unlock this read lock */ * At this point, there is no valid cached search, so lets do the search. * If any LDAP operation fails due to LDAP_SERVER_DOWN, control returns here. ldc->
reason =
"ldap_search_ext_s() for user failed with server down";
/* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */ ldc->
reason =
"ldap_search_ext_s() for user failed";
* We should have found exactly one entry; to find a different ldc->
reason =
"User is not unique (search found two or more matches)";
/* Grab the dn, copy it into the pool, and free it again */ * Get values for the provided attributes. * Add the new username to the search cache. /* Search again to make sure that another thread didn't ready insert this node into the cache before we got here. If it does exist then update the lastbind */ /* Nothing in cache, insert new entry */ * Don't update lastbind on entries with bindpw because * we haven't verified that password. It's OK to update * the entry if there is no password in it. /* Cache entry is valid, update lastbind */ * Reports if ssl support is enabled * 1 = enabled, 0 = not enabled /* ---------------------------------------- */ "LDAP cache: Setting shared memory cache file to %s bytes.",
"[%d] ldap cache: Setting cache TTL to %ld microseconds.",
"[%d] ldap cache: Setting search cache size to %ld entries.",
"[%d] ldap cache: Setting operation cache TTL to %ld microseconds.",
"[%d] ldap cache: Setting operation cache size to %ld entries.",
* Parse the certificate type. * The type can be one of the following: * CA_DER, CA_BASE64, CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, * CERT_KEY3_DB, CERT_NICKNAME, KEY_DER, KEY_BASE64 * If no matches are found, APR_LDAP_CA_TYPE_UNKNOWN is returned. /* Authority file in binary DER format */ /* Authority file in Base64 format */ /* Client cert file in DER format */ /* Client cert file in Base64 format */ /* Client cert file in PKCS#12 format */ /* Netscape client cert nickname */ /* Client cert key file in DER format */ /* Client cert key file in Base64 format */ /* Client cert key file in PKCS#12 format */ * Set LDAPTrustedGlobalCert. * This directive takes either two or three arguments: * - certificate file / directory / nickname * - certificate password (optional) * This directive may only be used globally. /* handle the certificate type */ "not recognised. It should be one " "of CA_DER, CA_BASE64, CA_CERT7_DB, " "CA_SECMOD, CERT_DER, CERT_BASE64, " "CERT_KEY3_DB, CERT_NICKNAME, " "KEY_DER, KEY_BASE64",
type);
return "Certificate type was not specified.";
"LDAP: SSL trusted global cert - %s (type %s)",
/* add the certificate to the global array */ /* if file is a file or path, fix the path */ "LDAP: Could not open SSL trusted certificate " return "Invalid global certificate file path";
* Set LDAPTrustedClientCert. * This directive takes either two or three arguments: * - certificate file / directory / nickname * - certificate password (optional) /* handle the certificate type */ "not recognised. It should be one " "of CERT_DER, CERT_BASE64, " "CERT_NICKNAME, CERT_PFX," "KEY_DER, KEY_BASE64, KEY_PFX",
type);
"LDAPTrustedGlobalCert directive. " "Only CERT_DER, CERT_BASE64, " "CERT_NICKNAME, KEY_DER, and " "KEY_BASE64 may be used.",
type);
return "Certificate type was not specified.";
"LDAP: SSL trusted client cert - %s (type %s)",
/* add the certificate to the global array */ /* if file is a file or path, fix the path */ "LDAP: Could not open SSL client certificate " return "Invalid client certificate file path";
* This directive sets what encryption mode to use on a connection: * - STARTTLS (TLS encryption) "LDAP: SSL trusted mode - %s",
return "Invalid LDAPTrustedMode setting: must be one of NONE, " /* util_ldap_post_config() will be called twice. Don't bother * going through all of the initialization on the first call * because it will just be thrown away.*/ /* If the cache file already exists then delete it. Otherwise we are * going to run into problems creating the shared memory. */ /* initializing cache if shared memory size is not zero and we already don't have shm address */ "LDAP cache: error while creating a shared memory segment: %s",
buf);
"LDAP cache: failed to set mutex permissions");
/* merge config in all vhost */ "LDAP merging Shared Cache conf: shm=0x%pp rmm=0x%pp for VHOST: %s",
* Initialize SSL support, and log the result for the benefit of the admin. * If SSL is not supported it is not necessarily an error, as the * application may not want to use it. "LDAP: SSL support available" );
"LDAP: SSL support unavailable" );
"Failed to initialise global mutex %s in child process %" "Initialisation of global mutex %s in child process %" "Sets the size of the shared memory cache in bytes. " "Zero means disable the shared memory cache. Defaults to 100KB."),
"Sets the file of the shared memory cache." "Nothing means disable the shared memory cache."),
"Sets the maximum number of entries that are possible in the LDAP " "Zero means no limit; -1 disables the cache. Defaults to 1024 entries."),
"Sets the maximum time (in seconds) that an item can be cached in the LDAP " "search cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."),
"Sets the maximum number of entries that are possible in the LDAP " "Zero means no limit; -1 disables the cache. Defaults to 1024 entries."),
"Sets the maximum time (in seconds) that an item is cached in the LDAP " "operation cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."),
"Sets the file and/or directory containing the trusted " "certificate authority certificates, and global client " "certificates (Netware). Used to validate the LDAP server " "certificate for SSL/TLS connections. " "The following types are supported: " " CA_DER - Authority file in binary DER format " " CA_BASE64 - Authority file in Base64 format " " CERT_DER - Client cert file in DER format " " CERT_BASE64 - Client cert file in Base64 format " " CERT_NICKNAME - Netscape client cert nickname " " KEY_DER - Client cert key file in DER format " " KEY_BASE64 - Client cert key file in Base64 format "),
"Specifies a file containing a client certificate or private " "key, or the ID of the certificate to usethe type of the Certificate Authority file. " "The following types are supported: " " CA_DER - Authority file in binary DER format " " CA_BASE64 - Authority file in Base64 format " " CERT_DER - Client cert file in DER format " " CERT_BASE64 - Client cert file in Base64 format " " CERT_NICKNAME - Netscape client cert nickname " " KEY_DER - Client cert key file in DER format " " KEY_BASE64 - Client cert key file in Base64 format "),
"Specifies the type of security that should be applied to " "an LDAP connection. The types supported are: " " NONE - no encryption enabled " " SSL - SSL encryption enabled (forced by ldaps://) " " STARTTLS - STARTTLS MUST be enabled "),
NULL,
/* dir config creater */ NULL,
/* dir merger --- default is to override */