util_ldap.c revision 43c3e6a4b559b76b750c245ee95e2782c15b4296
08cb74ca432a8c24e39f17dedce527e6a47b8001jerenkrantz/* Copyright 2001-2005 The Apache Software Foundation or its licensors, as
08cb74ca432a8c24e39f17dedce527e6a47b8001jerenkrantz * applicable.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Licensed under the Apache License, Version 2.0 (the "License");
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * you may not use this file except in compliance with the License.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * You may obtain a copy of the License at
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Unless required by applicable law or agreed to in writing, software
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * distributed under the License is distributed on an "AS IS" BASIS,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * See the License for the specific language governing permissions and
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * limitations under the License.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * util_ldap.c: LDAP things
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Original code from auth_ldap module for Apache v1.3:
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Copyright 1998, 1999 Enbridge Pipelines Inc.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Copyright 1999-2001 Dave Carrigan
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes#error mod_ldap requires APR-util to have LDAP support built in
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* defines for certificate file types
b6c405caec8a41b770da7466bf8c8737ef1472d7bnicholes#define LDAP_CACHE_LOCK() do { \
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes apr_global_mutex_lock(st->util_ldap_cache_lock); \
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes#define LDAP_CACHE_UNLOCK() do { \
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes apr_global_mutex_unlock(st->util_ldap_cache_lock); \
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholesstatic void util_ldap_strdup (char **str, const char *newstr)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Status Handler
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * --------------
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * This handler generates a status page about the current performance of
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * the LDAP cache. It is enabled as follows:
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * <Location /ldap-status>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * SetHandler ldap-status
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * </Location>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "<html><head><title>LDAP Cache Information</title></head>\n", r);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ap_rputs("<body bgcolor='#ffffff'><h1 align=center>LDAP Cache Information"
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "</h1>\n", r);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes/* ------------------------------------------------------------------ */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Closes an LDAP connection by unlocking it. The next time
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * uldap_connection_find() is called this connection will be
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * available for reuse.
8113dac419143273351446c3ad653f3fe5ba5cfdwrowestatic void uldap_connection_close(util_ldap_connection_t *ldc)
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe * QUESTION:
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Is it safe leaving bound connections floating around between the
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * different modules? Keeping the user bound is a performance boost,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * but it is also a potential security problem - maybe.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * For now we unbind the user when we finish with a connection, but
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * we don't have to...
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* mark our connection as available for reuse */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Destroys an LDAP connection by unbinding and closing the connection to
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * the LDAP server. It is used to bring the connection back to a known
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * state after an error, and during pool cleanup.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholesstatic apr_status_t uldap_connection_unbind(void *param)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Clean up an LDAP connection by unbinding and unlocking the connection.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * This function is registered with the pool cleanup function - causing
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * the LDAP connections to be shut down cleanly on graceful restart.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholesstatic apr_status_t uldap_connection_cleanup(void *param)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* unbind and disconnect from the LDAP server */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* free the username and password */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* unlock this entry */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Connect to the LDAP server and binds. Does not connect if already
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * connected (i.e. ldc->ldap is non-NULL.) Does not bind if already bound.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Returns LDAP_SUCCESS on success; and an error code on failure
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes struct timeval timeOut = {10,0}; /* 10 second connection timeout */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* sanity check for NULL */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* If the connection is already bound, return
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ldc->reason = "LDAP: connection open successful (already bound)";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* create the ldap session handle
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* Since the host will include a port if the default port is not used,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * always specify the default ports for the port parameter. This will
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * allow a host string that contains multiple hosts the ability to mix
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * some hosts with ports and some without. All hosts which do not
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * specify a port will use the default port.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* set client certificates */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes apr_ldap_set_option(ldc->pool, ldc->ldap, APR_LDAP_OPT_TLS_CERT,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin /* switch on SSL/TLS */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* Set the alias dereferencing option */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &(ldc->deref));
54d22ed1c429b903b029bbd62621f11a9e286137minfrin /* always default to LDAP V3 */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
54d22ed1c429b903b029bbd62621f11a9e286137minfrin/*XXX All of the #ifdef's need to be removed once apr-util 1.2 is released */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin APR_LDAP_OPT_VERIFY_CERT, &(st->verify_svr_cert), &(result));
54d22ed1c429b903b029bbd62621f11a9e286137minfrin result->rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_SERVER);
54d22ed1c429b903b029bbd62621f11a9e286137minfrin result->rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_NONE);
54d22ed1c429b903b029bbd62621f11a9e286137minfrin /* This is not a per-connection setting so just pass NULL for the
54d22ed1c429b903b029bbd62621f11a9e286137minfrin Ldap connection handle */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin result->rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
e1cc1ac970d0aa2910027f1f20445a16207a6deeminfrin result->rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes rc = apr_ldap_set_option(ldc->pool, ldc->ldap, LDAP_OPT_NETWORK_TIMEOUT,
7add8f7fb048534390571801b7794f71cd9e127abnicholes "LDAP: Could not set the connection timeout");
7add8f7fb048534390571801b7794f71cd9e127abnicholes /* loop trying to bind up to 10 times if LDAP_SERVER_DOWN error is
7add8f7fb048534390571801b7794f71cd9e127abnicholes * returned. Break out of the loop on Success or any other error.
7add8f7fb048534390571801b7794f71cd9e127abnicholes * NOTE: Looping is probably not a great idea. If the server isn't
7add8f7fb048534390571801b7794f71cd9e127abnicholes * responding the chances it will respond after a few tries are poor.
7add8f7fb048534390571801b7794f71cd9e127abnicholes * However, the original code looped and it only happens on
7add8f7fb048534390571801b7794f71cd9e127abnicholes * the error condition.
3dfeb02cfb853d8717ca0cc259b59fea610173f5bnicholes /* free the handle if there was an error
3dfeb02cfb853d8717ca0cc259b59fea610173f5bnicholes ldc->reason = "LDAP: ldap_simple_bind_s() failed";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Compare client certificate arrays.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Returns 1 on compare failure, 0 otherwise.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholesstatic int compare_client_certs(apr_array_header_t *srcs,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin /* arrays both NULL? if so, then equal */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* arrays different length or either NULL? If so, then not equal */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes if (srcs == NULL || dests == NULL || srcs->nelts != dests->nelts) {
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* run an actual comparison */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes src = (struct apr_ldap_opt_tls_cert_t *)srcs->elts;
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes dest = (struct apr_ldap_opt_tls_cert_t *)dests->elts;
54d22ed1c429b903b029bbd62621f11a9e286137minfrin /* if we got here, the cert arrays were identical */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * Find an existing ldap connection struct that matches the
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * provided ldap connection parameters.
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe * If not found in the cache, a new ldc structure will be allocated
8a03cd420b800a2428f49f4617293de9b2387b20jorton * from st->pool and returned to the caller. If found in the cache,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * a pointer to the existing ldc structure will be returned.
54d22ed1c429b903b029bbd62621f11a9e286137minfrin struct util_ldap_connection_t *l, *p; /* To traverse the linked list */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
edc346c3223efd41e6a2057c37cea69744b73dccwrowe /* mutex lock this function */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin apr_thread_mutex_create(&st->mutex, APR_THREAD_MUTEX_DEFAULT,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* Search for an exact connection match in the list that is not
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * being used.
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe if (APR_SUCCESS == apr_thread_mutex_trylock(l->lock)) {
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe if ( (l->port == port) && (strcmp(l->host, host) == 0)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes && ((!l->binddn && !binddn) || (l->binddn && binddn
8113dac419143273351446c3ad653f3fe5ba5cfdwrowe && !compare_client_certs(st->client_certs, l->client_certs))
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* If this connection didn't match the criteria, then we
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * need to unlock the mutex so it is available to be reused.
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe /* If nothing found, search again, but we don't care about the
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * binddn and bindpw this time.
560fd0658902ab57754616c172d8953e69fc4722bnicholes if (APR_SUCCESS == apr_thread_mutex_trylock(l->lock)) {
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes if ((l->port == port) && (strcmp(l->host, host) == 0) &&
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes (l->deref == deref) && (l->secure == secureflag) &&
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes !compare_client_certs(st->client_certs, l->client_certs))
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* the bind credentials have changed */
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe /* If this connection didn't match the criteria, then we
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe * need to unlock the mutex so it is available to be reused.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes/* artificially disable cache */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes/* l = NULL; */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* If no connection what found after the second search, we
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * must create one.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Add the new connection entry to the linked list. Note that we
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * don't actually establish an LDAP connection yet; that happens
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * the first time authentication is requested.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* create the details to the pool in st */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes l = apr_pcalloc(st->pool, sizeof(util_ldap_connection_t));
560fd0658902ab57754616c172d8953e69fc4722bnicholes apr_thread_mutex_create(&l->lock, APR_THREAD_MUTEX_DEFAULT, st->pool);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* The security mode after parsing the URL will always be either
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * APR_LDAP_NONE (ldap://) or APR_LDAP_SSL (ldaps://).
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * If the security setting is NONE, override it to the security
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * setting optionally supplied by the admin using LDAPTrustedMode
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* save away a copy of the client cert list that is presently valid */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes l->client_certs = apr_array_copy_hdr(l->pool, st->client_certs);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* add the cleanup to the pool */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes/* ------------------------------------------------------------------ */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Compares two DNs to see if they're equal. The only way to do this correctly
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * is to search for the dn and then do ldap_get_dn() on the result. This should
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * match the initial dn, since it would have been also retrieved with
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * ldap_get_dn(). This is expensive, so if the configuration value
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * compare_dn_on_server is false, just does an ordinary strcmp.
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * The lock for the ldap cache should already be acquired.
54d22ed1c429b903b029bbd62621f11a9e286137minfrinstatic int uldap_cache_comparedn(request_rec *r, util_ldap_connection_t *ldc,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* get cache entry (or create one) */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes curl = util_ald_cache_fetch(st->util_ldap_cache, &curnode);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* a simple compare? */
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe /* unlock this read lock */
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe ldc->reason = "DN Comparison FALSE (direct strcmp())";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ldc->reason = "DN Comparison TRUE (direct strcmp())";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* no - it's a server side compare */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* is it in the compare cache? */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes node = util_ald_cache_fetch(curl->dn_compare_cache, &newnode);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* If it's in the cache, it's good */
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe /* unlock this read lock */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* unlock this read lock */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* too many failures */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* make a server connection */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes if (LDAP_SUCCESS != (result = uldap_connection_open(r, ldc))) {
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* connect to server failed */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* search for reqdn */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes if ((result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ldc->reason = "DN Comparison ldap_search_ext_s() "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "failed with server down";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* search for reqdn failed - no match */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ldc->reason = "DN Comparison ldap_search_ext_s() failed";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* compare unsuccessful */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ldc->reason = "DN Comparison FALSE (checked on server)";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* compare successful - add to the compare cache */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes node = util_ald_cache_fetch(curl->dn_compare_cache, &newnode);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes util_ald_cache_insert(curl->dn_compare_cache, &newnode);
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe ldc->reason = "DN Comparison TRUE (checked on server)";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Does an generic ldap_compare operation. It accepts a cache that it will use
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * to lookup the compare in the cache. We cache two kinds of compares
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * (require group compares) and (require user compares). Each compare has a different
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * cache node: require group includes the DN; require user does not because the
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * require user cache is owned by the
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholesstatic int uldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* get cache entry (or create one) */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes curl = util_ald_cache_fetch(st->util_ldap_cache, &curnode);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* make a comparison to the cache */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes compare_nodep = util_ald_cache_fetch(curl->compare_cache,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* found it... */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes if (curtime - compare_nodep->lastcompare > st->compare_cache_ttl) {
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* ...but it is too old */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes util_ald_cache_remove(curl->compare_cache, compare_nodep);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* ...and it is good */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* unlock this read lock */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes else if (LDAP_COMPARE_FALSE == compare_nodep->result) {
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes else if (LDAP_NO_SUCH_ATTRIBUTE == compare_nodep->result) {
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ldc->reason = "Comparison no such attribute (cached)";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* unlock this read lock */
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe /* too many failures */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes if (LDAP_SUCCESS != (result = uldap_connection_open(r, ldc))) {
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* connect failed */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* connection failed - try again */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ldc->reason = "ldap_compare_s() failed with server down";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* compare completed; caching result */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* If the node doesn't exist then insert it, otherwise just update
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * it with the last results
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes compare_nodep = util_ald_cache_fetch(curl->compare_cache,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes || (strcmp(the_compare_node.dn, compare_nodep->dn) != 0)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes || (strcmp(the_compare_node.attrib,compare_nodep->attrib) != 0)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes || (strcmp(the_compare_node.value, compare_nodep->value) != 0))
f43b67c5a9d29b572eac916f8335cedc80c908bebnicholes util_ald_cache_insert(curl->compare_cache, &the_compare_node);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ldc->reason = "Comparison false (adding to cache)";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ldc->reason = "Comparison no such attribute (adding to cache)";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholesstatic int uldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc,
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe const char ***retvals)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes util_search_node_t *search_nodep; /* Cached search node */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* Get the cache node for this url */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes curl = (util_url_node_t *)util_ald_cache_fetch(st->util_ldap_cache,
8113dac419143273351446c3ad653f3fe5ba5cfdwrowe search_nodep = util_ald_cache_fetch(curl->search_cache,
8113dac419143273351446c3ad653f3fe5ba5cfdwrowe /* found entry in search cache... */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Remove this item from the cache if its expired. If the sent
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * password doesn't match the storepassword, the entry will
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * be removed and readded later if the credentials pass
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * authentication.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes if ((curtime - search_nodep->lastbind) > st->search_cache_ttl) {
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* ...but entry is too old */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes util_ald_cache_remove(curl->search_cache, search_nodep);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* ...and entry is valid */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ldc->reason = "Authentication successful (cached)";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* unlock this read lock */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * At this point, there is no valid cached search, so lets do the search.
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes * If LDAP operation fails due to LDAP_SERVER_DOWN, control returns here.
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe if (LDAP_SUCCESS != (result = uldap_connection_open(r, ldc))) {
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* try do the search */
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe ldc->reason = "ldap_search_ext_s() for user failed with server down";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ldc->reason = "ldap_search_ext_s() for user failed";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * We should have found exactly one entry; to find a different
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * number is an error.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ldc->reason = "User is not unique (search found two "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "or more matches)";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* Grab the dn, copy it into the pool, and free it again */
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe * A bind to the server with an empty password always succeeds, so
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * we check to ensure that the password is not empty. This implies
f43b67c5a9d29b572eac916f8335cedc80c908bebnicholes * that users who actually do have empty passwords will never be
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * able to authenticate with this module. I don't see this as a big
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Attempt to bind with the retrieved dn and the password. If the bind
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * fails, it means that the password is wrong (the dn obviously
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * exists, since we just retrieved it)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ldc->reason = "ldap_simple_bind_s() to check user credentials "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "failed with server down";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* failure? if so - return */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ldc->reason = "ldap_simple_bind_s() to check user credentials failed";
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * We have just bound the connection to a different user and password
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * combination, which might be reused unintentionally next time this
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * connection is used from the connection pool. To ensure no confusion,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * we mark the connection as unbound.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Get values for the provided attributes.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes while (attrs[k++]);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes vals = apr_pcalloc(r->pool, sizeof(char *) * (k+1));
bb07ee33bce1a448bcc60ca43720b1ab1c413f87minfrin while (attrs[i]) {
bb07ee33bce1a448bcc60ca43720b1ab1c413f87minfrin /* get values */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes values = ldap_get_values(ldc->ldap, entry, attrs[i]);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes str = str ? apr_pstrcat(r->pool, str, "; ", values[j], NULL)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Add the new username to the search cache.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* Search again to make sure that another thread didn't ready insert
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * this node into the cache before we got here. If it does exist then
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * update the lastbind
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes search_nodep = util_ald_cache_fetch(curl->search_cache,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* Nothing in cache, insert new entry */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes util_ald_cache_insert(curl->search_cache, &the_search_node);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* Entry in cache is invalid, remove it and insert new one */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes util_ald_cache_remove(curl->search_cache, search_nodep);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes util_ald_cache_insert(curl->search_cache, &the_search_node);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* Cache entry is valid, update lastbind */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes search_nodep->lastbind = the_search_node.lastbind;
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * This function will return the DN of the entry matching userid.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * It is used to get the DN in case some other module than mod_auth_ldap
8bdea88407c848c1c2693655e2f8b23abde12307bnicholes * has authenticated the user.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * The function is basically a copy of uldap_cache_checkuserid
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe * with password checking removed.
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowestatic int uldap_cache_getuserdn(request_rec *r, util_ldap_connection_t *ldc,
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes util_search_node_t *search_nodep; /* Cached search node */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* Get the cache node for this url */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes curl = (util_url_node_t *)util_ald_cache_fetch(st->util_ldap_cache,
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes search_nodep = util_ald_cache_fetch(curl->search_cache,
8113dac419143273351446c3ad653f3fe5ba5cfdwrowe /* found entry in search cache... */
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes * Remove this item from the cache if its expired.
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes if ((curtime - search_nodep->lastbind) > st->search_cache_ttl) {
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes /* ...but entry is too old */
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes util_ald_cache_remove(curl->search_cache, search_nodep);
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes /* ...and entry is valid */
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes /* unlock this read lock */
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes * At this point, there is no valid cached search, so lets do the search.
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes * If LDAP operation fails due to LDAP_SERVER_DOWN, control returns here.
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes if (LDAP_SUCCESS != (result = uldap_connection_open(r, ldc))) {
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes /* try do the search */
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes ldc->reason = "ldap_search_ext_s() for user failed with server down";
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes /* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes ldc->reason = "ldap_search_ext_s() for user failed";
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes * We should have found exactly one entry; to find a different
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes * number is an error.
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes ldc->reason = "User is not unique (search found two "
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes "or more matches)";
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes /* Grab the dn, copy it into the pool, and free it again */
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe * Get values for the provided attributes.
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes while (attrs[k++]);
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes vals = apr_pcalloc(r->pool, sizeof(char *) * (k+1));
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes while (attrs[i]) {
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes /* get values */
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes values = ldap_get_values(ldc->ldap, entry, attrs[i]);
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes str = str ? apr_pstrcat(r->pool, str, "; ", values[j], NULL)
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes * Add the new username to the search cache.
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes /* Search again to make sure that another thread didn't ready insert
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes * this node into the cache before we got here. If it does exist then
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes * update the lastbind
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes search_nodep = util_ald_cache_fetch(curl->search_cache,
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes /* Nothing in cache, insert new entry */
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes util_ald_cache_insert(curl->search_cache, &the_search_node);
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe * Don't update lastbind on entries with bindpw because
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe * we haven't verified that password. It's OK to update
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes * the entry if there is no password in it.
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes /* Cache entry is valid, update lastbind */
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes search_nodep->lastbind = the_search_node.lastbind;
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes * Reports if ssl support is enabled
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes * 1 = enabled, 0 = not enabled
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes/* ---------------------------------------- */
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes/* config directives */
0c8aa496e9d7676ff8101783398f17c0da1900f7bnicholesstatic const char *util_ldap_set_cache_bytes(cmd_parms *cmd, void *dummy,
0c8aa496e9d7676ff8101783398f17c0da1900f7bnicholes const char *bytes)
0c8aa496e9d7676ff8101783398f17c0da1900f7bnicholes (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
03f4448f864e31ade79856ac8c264a5e6dce3b10bnicholes "[%" APR_PID_T_FMT "] ldap cache: Setting shared memory "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholesstatic const char *util_ldap_set_cache_file(cmd_parms *cmd, void *dummy,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes const char *file)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes st->cache_file = ap_server_root_relative(st->pool, file);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "LDAP cache: Setting shared memory cache file to %s bytes.",
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholesstatic const char *util_ldap_set_cache_ttl(cmd_parms *cmd, void *dummy,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes const char *ttl)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "[%" APR_PID_T_FMT "] ldap cache: Setting cache TTL to %ld microseconds.",
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowestatic const char *util_ldap_set_cache_entries(cmd_parms *cmd, void *dummy,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes const char *size)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "[%" APR_PID_T_FMT "] ldap cache: Setting search cache size to %ld entries.",
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowestatic const char *util_ldap_set_opcache_ttl(cmd_parms *cmd, void *dummy,
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe const char *ttl)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe "[%" APR_PID_T_FMT "] ldap cache: Setting operation cache TTL to %ld microseconds.",
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowestatic const char *util_ldap_set_opcache_entries(cmd_parms *cmd, void *dummy,
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe const char *size)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "[%" APR_PID_T_FMT "] ldap cache: Setting operation cache size to %ld "
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe * Parse the certificate type.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * The type can be one of the following:
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * CA_DER, CA_BASE64, CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * CERT_KEY3_DB, CERT_NICKNAME, KEY_DER, KEY_BASE64
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * If no matches are found, APR_LDAP_CA_TYPE_UNKNOWN is returned.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholesstatic int util_ldap_parse_cert_type(const char *type)
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe /* Authority file in binary DER format */
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe /* Authority file in Base64 format */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* Netscape certificate database file/directory */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* Netscape secmod file/directory */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* Client cert file in DER format */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin /* Client cert file in Base64 format */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin /* Client cert file in PKCS#12 format */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin /* Netscape client cert database file/directory */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin /* Netscape client cert nickname */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin /* Client cert key file in DER format */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin /* Client cert key file in Base64 format */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin /* Client cert key file in PKCS#12 format */
09338db7fdcf82ecc189195347da3a3ed5d0287abnicholes * Set LDAPTrustedGlobalCert.
09338db7fdcf82ecc189195347da3a3ed5d0287abnicholes * This directive takes either two or three arguments:
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * - certificate type
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * - certificate file / directory / nickname
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * - certificate password (optional)
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * This directive may only be used globally.
54d22ed1c429b903b029bbd62621f11a9e286137minfrinstatic const char *util_ldap_set_trusted_global_cert(cmd_parms *cmd,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin const char *type,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin const char *file,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin const char *password)
54d22ed1c429b903b029bbd62621f11a9e286137minfrin (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
54d22ed1c429b903b029bbd62621f11a9e286137minfrin /* handle the certificate type */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin return apr_psprintf(cmd->pool, "The certificate type %s is "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "not recognised. It should be one "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "of CA_DER, CA_BASE64, CA_CERT7_DB, "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "CA_SECMOD, CERT_DER, CERT_BASE64, "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "CERT_KEY3_DB, CERT_NICKNAME, "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin return "Certificate type was not specified.";
54d22ed1c429b903b029bbd62621f11a9e286137minfrin ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe "LDAP: SSL trusted global cert - %s (type %s)",
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe /* add the certificate to the global array */
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe cert = (apr_ldap_opt_tls_cert_t *)apr_array_push(st->global_certs);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* if file is a file or path, fix the path */
d5cff0d8e871bf2528aadd8736fb50dc044b1e6dbnicholes cert->path = ap_server_root_relative(cmd->pool, file);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ((rv = apr_stat (&finfo, cert->path, APR_FINFO_MIN, cmd->pool))
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ap_log_error(APLOG_MARK, APLOG_ERR, rv, cmd->server,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "LDAP: Could not open SSL trusted certificate "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "authority file - %s",
54d22ed1c429b903b029bbd62621f11a9e286137minfrin return "Invalid global certificate file path";
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * Set LDAPTrustedClientCert.
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * This directive takes either two or three arguments:
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * - certificate type
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * - certificate file / directory / nickname
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * - certificate password (optional)
54d22ed1c429b903b029bbd62621f11a9e286137minfrinstatic const char *util_ldap_set_trusted_client_cert(cmd_parms *cmd,
d5cff0d8e871bf2528aadd8736fb50dc044b1e6dbnicholes const char *type,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin const char *file,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin const char *password)
54d22ed1c429b903b029bbd62621f11a9e286137minfrin (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe /* handle the certificate type */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin return apr_psprintf(cmd->pool, "The certificate type \"%s\" is "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "not recognised. It should be one "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "of CERT_DER, CERT_BASE64, "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "CERT_NICKNAME, CERT_PFX,"
5aa455d45abacfa675c88d4ff53fbe97c44ce545bnicholes "KEY_DER, KEY_BASE64, KEY_PFX",
54d22ed1c429b903b029bbd62621f11a9e286137minfrin return apr_psprintf(cmd->pool, "The certificate type \"%s\" is "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "only valid within a "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "LDAPTrustedGlobalCert directive. "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "Only CERT_DER, CERT_BASE64, "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "CERT_NICKNAME, KEY_DER, and "
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe return "Certificate type was not specified.";
54d22ed1c429b903b029bbd62621f11a9e286137minfrin ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "LDAP: SSL trusted client cert - %s (type %s)",
54d22ed1c429b903b029bbd62621f11a9e286137minfrin /* add the certificate to the global array */
d5cff0d8e871bf2528aadd8736fb50dc044b1e6dbnicholes cert = (apr_ldap_opt_tls_cert_t *)apr_array_push(st->global_certs);
54d22ed1c429b903b029bbd62621f11a9e286137minfrin /* if file is a file or path, fix the path */
09338db7fdcf82ecc189195347da3a3ed5d0287abnicholes cert->path = ap_server_root_relative(cmd->pool, file);
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe ((rv = apr_stat (&finfo, cert->path, APR_FINFO_MIN, cmd->pool))
54d22ed1c429b903b029bbd62621f11a9e286137minfrin ap_log_error(APLOG_MARK, APLOG_ERR, rv, cmd->server,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "LDAP: Could not open SSL client certificate "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "file - %s",
54d22ed1c429b903b029bbd62621f11a9e286137minfrin return "Invalid client certificate file path";
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * Set LDAPTrustedMode.
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * This directive sets what encryption mode to use on a connection:
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * - None (No encryption)
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * - SSL (SSL encryption)
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * - STARTTLS (TLS encryption)
54d22ed1c429b903b029bbd62621f11a9e286137minfrinstatic const char *util_ldap_set_trusted_mode(cmd_parms *cmd, void *dummy,
d5cff0d8e871bf2528aadd8736fb50dc044b1e6dbnicholes const char *mode)
54d22ed1c429b903b029bbd62621f11a9e286137minfrin (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "LDAP: SSL trusted mode - %s",
54d22ed1c429b903b029bbd62621f11a9e286137minfrin return "Invalid LDAPTrustedMode setting: must be one of NONE, "
54d22ed1c429b903b029bbd62621f11a9e286137minfrinstatic const char *util_ldap_set_verify_srv_cert(cmd_parms *cmd,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "LDAP: SSL verify server certificate - %s",
54d22ed1c429b903b029bbd62621f11a9e286137minfrinstatic const char *util_ldap_set_connection_timeout(cmd_parms *cmd,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin const char *ttl)
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "[%" APR_PID_T_FMT "] ldap connection: Setting connection timeout to "
141e1368614dc7564e1627671361b01b4869b491bnicholes ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server,
141e1368614dc7564e1627671361b01b4869b491bnicholes "LDAP: Connection timout option not supported by the "
141e1368614dc7564e1627671361b01b4869b491bnicholes "LDAP SDK in use." );
141e1368614dc7564e1627671361b01b4869b491bnicholesstatic void *util_ldap_create_config(apr_pool_t *p, server_rec *s)
141e1368614dc7564e1627671361b01b4869b491bnicholes (util_ldap_state_t *)apr_pcalloc(p, sizeof(util_ldap_state_t));
0894cd17fe3f614bf01dbf84f1414756bd5a34c3bnicholes st->global_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
0894cd17fe3f614bf01dbf84f1414756bd5a34c3bnicholes st->client_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowestatic void *util_ldap_merge_config(apr_pool_t *p, void *basev,
4990e910dd8574b9b40beda0cf1aaa72334d6837bnicholes util_ldap_state_t *st = apr_pcalloc(p, sizeof(util_ldap_state_t));
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe util_ldap_state_t *base = (util_ldap_state_t *) basev;
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe util_ldap_state_t *overrides = (util_ldap_state_t *) overridesv;
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes st->compare_cache_size = base->compare_cache_size;
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes st->global_certs = apr_array_append(p, base->global_certs,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes st->client_certs = apr_array_append(p, base->client_certs,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes st->secure = (overrides->secure_set == 0) ? base->secure
54d22ed1c429b903b029bbd62621f11a9e286137minfrinstatic apr_status_t util_ldap_cleanup_module(void *data)
0894cd17fe3f614bf01dbf84f1414756bd5a34c3bnicholes util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(
54d22ed1c429b903b029bbd62621f11a9e286137minfrinstatic int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog,
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe /* util_ldap_post_config() will be called twice. Don't bother
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * going through all of the initialization on the first call
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * because it will just be thrown away.*/
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes apr_pool_userdata_get(&data, userdata_key, s->process->pool);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes apr_pool_userdata_set((const void *)1, userdata_key,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* If the cache file already exists then delete it. Otherwise we are
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * going to run into problems creating the shared memory. */
54d22ed1c429b903b029bbd62621f11a9e286137minfrin char *lck_file = apr_pstrcat(st->pool, st->cache_file, ".lck",
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* initializing cache if shared memory size is not zero and we already
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * don't have shm address
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe "LDAP cache: could not create shared memory segment");
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes st->lock_file = apr_pstrcat(st->pool, st->cache_file, ".lck",
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes result = apr_global_mutex_create(&st->util_ldap_cache_lock,
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe result = unixd_set_global_mutex_perms(st->util_ldap_cache_lock);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "LDAP cache: failed to set mutex permissions");
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* merge config in all vhost */
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe "LDAP merging Shared Cache conf: shm=0x%pp rmm=0x%pp "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "LDAP cache: LDAPSharedCacheSize is zero, disabling "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "shared memory cache");
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* log the LDAP SDK used
d266c3777146d36a4c23c17aad6f153aebea1bf4jorton ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "%s", result->reason);
d266c3777146d36a4c23c17aad6f153aebea1bf4jorton apr_pool_cleanup_register(p, s, util_ldap_cleanup_module,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Initialize SSL support, and log the result for the benefit of the admin.
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe * If SSL is not supported it is not necessarily an error, as the
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe * application may not want to use it.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes rc = apr_ldap_set_option(p, NULL, APR_LDAP_OPT_TLS_CERT,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "LDAP: SSL support available" );
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe "LDAP: SSL support unavailable%s%s",
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholesstatic void util_ldap_child_init(apr_pool_t *p, server_rec *s)
3a11074e78d5961088e8f5520ba3cec163faed9cjorton util_ldap_state_t *st = ap_get_module_config(s->module_config,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes sts = apr_global_mutex_child_init(&st->util_ldap_cache_lock,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "Failed to initialise global mutex %s in child process %"
d5cff0d8e871bf2528aadd8736fb50dc044b1e6dbnicholes AP_INIT_TAKE1("LDAPSharedCacheSize", util_ldap_set_cache_bytes,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "Set the size of the shared memory cache (in bytes). Use "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "0 to disable the shared memory cache. (default: 100000)"),
54d22ed1c429b903b029bbd62621f11a9e286137minfrin AP_INIT_TAKE1("LDAPSharedCacheFile", util_ldap_set_cache_file,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "Set the file name for the shared memory cache."),
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes AP_INIT_TAKE1("LDAPCacheEntries", util_ldap_set_cache_entries,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "Set the maximum number of entries that are possible in the "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "LDAP search cache. Use 0 for no limit. "
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "-1 disables the cache. (default: 1024)"),
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe AP_INIT_TAKE1("LDAPCacheTTL", util_ldap_set_cache_ttl,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "Set the maximum time (in seconds) that an item can be "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "cached in the LDAP search cache. Use 0 for no limit. "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "(default 600)"),
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes AP_INIT_TAKE1("LDAPOpCacheEntries", util_ldap_set_opcache_entries,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "Set the maximum number of entries that are possible "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "in the LDAP compare cache. Use 0 for no limit. "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "Use -1 to disable the cache. (default: 1024)"),
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe AP_INIT_TAKE1("LDAPOpCacheTTL", util_ldap_set_opcache_ttl,
d266c3777146d36a4c23c17aad6f153aebea1bf4jorton "Set the maximum time (in seconds) that an item is cached "
d266c3777146d36a4c23c17aad6f153aebea1bf4jorton "in the LDAP operation cache. Use 0 for no limit. "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "(default: 600)"),
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe AP_INIT_TAKE23("LDAPTrustedGlobalCert", util_ldap_set_trusted_global_cert,
af6d8b02b2fd4ea9a0f6bfb95940d6075030e9a7minfrin "Takes three args; the file and/or directory containing "
41774018aa66ddb54ce7fd8fe049ccf3b3f7262aminfrin "the trusted CA certificates (and global client certs "
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe "for Netware) used to validate the LDAP server. Second "
af6d8b02b2fd4ea9a0f6bfb95940d6075030e9a7minfrin "arg is the cert type for the first arg, one of CA_DER, "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "CA_BASE64, CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "CERT_KEY3_DB, CERT_NICKNAME, KEY_DER, or KEY_BASE64. "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "Third arg is an optional passphrase if applicable."),
41774018aa66ddb54ce7fd8fe049ccf3b3f7262aminfrin AP_INIT_TAKE23("LDAPTrustedClientCert", util_ldap_set_trusted_client_cert,
41774018aa66ddb54ce7fd8fe049ccf3b3f7262aminfrin "Takes three args; the file and/or directory containing "
af6d8b02b2fd4ea9a0f6bfb95940d6075030e9a7minfrin "the client certificate, or certificate ID used to "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "validate this LDAP client. Second arg is the cert type "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "for the first arg, one of CA_DER, CA_BASE64, CA_CERT7_DB, "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "CERT_NICKNAME, KEY_DER, or KEY_BASE64. Third arg is an "
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe "optional passphrase if applicable."),
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe AP_INIT_TAKE1("LDAPTrustedMode", util_ldap_set_trusted_mode,
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe "Specify the type of security that should be applied to "
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe "an LDAP connection. One of; NONE, SSL or STARTTLS."),
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe AP_INIT_FLAG("LDAPVerifyServerCert", util_ldap_set_verify_srv_cert,
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe "Set to 'ON' requires that the server certificate be verified "
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe "before a secure LDAP connection can be establish. Default 'ON'"),
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe AP_INIT_TAKE1("LDAPConnectionTimeout", util_ldap_set_connection_timeout,
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe "Specify the LDAP socket connection timeout in seconds "
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe "(default: 10)"),
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe ap_hook_post_config(util_ldap_post_config,NULL,NULL,APR_HOOK_MIDDLE);
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe ap_hook_handler(util_ldap_handler, NULL, NULL, APR_HOOK_MIDDLE);
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe ap_hook_child_init(util_ldap_child_init, NULL, NULL, APR_HOOK_MIDDLE);
482f676c6c19b1c5bb5cca04dad11509c1da3a4cwrowe util_ldap_register_hooks, /* set up request processing hooks */