util_ldap.c revision d5cff0d8e871bf2528aadd8736fb50dc044b1e6d
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding/* Copyright 2001-2004 The Apache Software Foundation
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding *
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding * Licensed under the Apache License, Version 2.0 (the "License");
bc8fd1b0b1afdf89b8d28eefa8cd74e26ba97986fielding * you may not use this file except in compliance with the License.
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding * You may obtain a copy of the License at
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding *
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * http://www.apache.org/licenses/LICENSE-2.0
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding *
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * Unless required by applicable law or agreed to in writing, software
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * distributed under the License is distributed on an "AS IS" BASIS,
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding * See the License for the specific language governing permissions and
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * limitations under the License.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding */
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding/*
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * util_ldap.c: LDAP things
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding *
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding * Original code from auth_ldap module for Apache v1.3:
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding * Copyright 1998, 1999 Enbridge Pipelines Inc.
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding * Copyright 1999-2001 Dave Carrigan
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding */
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#include "httpd.h"
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding#include "http_config.h"
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#include "http_core.h"
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#include "http_log.h"
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#include "http_protocol.h"
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#include "http_request.h"
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding#include "util_ldap.h"
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#include "util_ldap_cache.h"
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding
64185f9824e42f21ca7b9ae6c004484215c031a7rbb#include <apr_strings.h>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#if APR_HAVE_UNISTD_H
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#include <unistd.h>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#endif
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding#if !APR_HAS_LDAP
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#error mod_ldap requires APR-util to have LDAP support built in
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#endif
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#ifdef AP_NEED_SET_MUTEX_PERMS
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#include "unixd.h"
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#endif
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding /* defines for certificate file types
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding */
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding#define LDAP_CA_TYPE_UNKNOWN 0
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#define LDAP_CA_TYPE_DER 1
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#define LDAP_CA_TYPE_BASE64 2
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding#define LDAP_CA_TYPE_CERT7_DB 3
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fieldingmodule AP_MODULE_DECLARE_DATA ldap_module;
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding
0f081398cf0eef8cc7c66a535d450110a92dc8aefieldingint util_ldap_handler(request_rec *r);
0f081398cf0eef8cc7c66a535d450110a92dc8aefieldingvoid *util_ldap_create_config(apr_pool_t *p, server_rec *s);
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb/*
3568de757bac0b47256647504c186d17ca272f85rbb * Some definitions to help between various versions of apache.
3568de757bac0b47256647504c186d17ca272f85rbb */
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb#ifndef DOCTYPE_HTML_2_0
3568de757bac0b47256647504c186d17ca272f85rbb#define DOCTYPE_HTML_2_0 "<!DOCTYPE HTML PUBLIC \"-//IETF//" \
3568de757bac0b47256647504c186d17ca272f85rbb "DTD HTML 2.0//EN\">\n"
3568de757bac0b47256647504c186d17ca272f85rbb#endif
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb#ifndef DOCTYPE_HTML_3_2
3568de757bac0b47256647504c186d17ca272f85rbb#define DOCTYPE_HTML_3_2 "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
3568de757bac0b47256647504c186d17ca272f85rbb "DTD HTML 3.2 Final//EN\">\n"
3568de757bac0b47256647504c186d17ca272f85rbb#endif
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb#ifndef DOCTYPE_HTML_4_0S
3568de757bac0b47256647504c186d17ca272f85rbb#define DOCTYPE_HTML_4_0S "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
3568de757bac0b47256647504c186d17ca272f85rbb "DTD HTML 4.0//EN\"\n" \
3568de757bac0b47256647504c186d17ca272f85rbb "\"http://www.w3.org/TR/REC-html40/strict.dtd\">\n"
3568de757bac0b47256647504c186d17ca272f85rbb#endif
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb#ifndef DOCTYPE_HTML_4_0T
3568de757bac0b47256647504c186d17ca272f85rbb#define DOCTYPE_HTML_4_0T "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
3568de757bac0b47256647504c186d17ca272f85rbb "DTD HTML 4.0 Transitional//EN\"\n" \
3568de757bac0b47256647504c186d17ca272f85rbb "\"http://www.w3.org/TR/REC-html40/loose.dtd\">\n"
3568de757bac0b47256647504c186d17ca272f85rbb#endif
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb#ifndef DOCTYPE_HTML_4_0F
3568de757bac0b47256647504c186d17ca272f85rbb#define DOCTYPE_HTML_4_0F "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
3568de757bac0b47256647504c186d17ca272f85rbb "DTD HTML 4.0 Frameset//EN\"\n" \
3568de757bac0b47256647504c186d17ca272f85rbb "\"http://www.w3.org/TR/REC-html40/frameset.dtd\">\n"
3568de757bac0b47256647504c186d17ca272f85rbb#endif
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb#define LDAP_CACHE_LOCK() \
3568de757bac0b47256647504c186d17ca272f85rbb if (st->util_ldap_cache_lock) \
3568de757bac0b47256647504c186d17ca272f85rbb apr_global_mutex_lock(st->util_ldap_cache_lock)
3568de757bac0b47256647504c186d17ca272f85rbb#define LDAP_CACHE_UNLOCK() \
3568de757bac0b47256647504c186d17ca272f85rbb if (st->util_ldap_cache_lock) \
3568de757bac0b47256647504c186d17ca272f85rbb apr_global_mutex_unlock(st->util_ldap_cache_lock)
3568de757bac0b47256647504c186d17ca272f85rbb
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding
0f081398cf0eef8cc7c66a535d450110a92dc8aefieldingstatic void util_ldap_strdup (char **str, const char *newstr)
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding{
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding if (*str) {
3568de757bac0b47256647504c186d17ca272f85rbb free(*str);
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick *str = NULL;
3568de757bac0b47256647504c186d17ca272f85rbb }
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb if (newstr) {
3568de757bac0b47256647504c186d17ca272f85rbb *str = calloc(1, strlen(newstr)+1);
db12cd62083041bf90945eeb90cc40fbd2340797trawick strcpy (*str, newstr);
db12cd62083041bf90945eeb90cc40fbd2340797trawick }
db12cd62083041bf90945eeb90cc40fbd2340797trawick}
333eac96e4fb7d6901cb75e6ca7bb22b2ccb84cetrawick
333eac96e4fb7d6901cb75e6ca7bb22b2ccb84cetrawick/*
3568de757bac0b47256647504c186d17ca272f85rbb * Status Handler
3568de757bac0b47256647504c186d17ca272f85rbb * --------------
3568de757bac0b47256647504c186d17ca272f85rbb *
3568de757bac0b47256647504c186d17ca272f85rbb * This handler generates a status page about the current performance of
3568de757bac0b47256647504c186d17ca272f85rbb * the LDAP cache. It is enabled as follows:
3568de757bac0b47256647504c186d17ca272f85rbb *
3568de757bac0b47256647504c186d17ca272f85rbb * <Location /ldap-status>
3568de757bac0b47256647504c186d17ca272f85rbb * SetHandler ldap-status
3568de757bac0b47256647504c186d17ca272f85rbb * </Location>
3568de757bac0b47256647504c186d17ca272f85rbb *
3568de757bac0b47256647504c186d17ca272f85rbb */
3568de757bac0b47256647504c186d17ca272f85rbbint util_ldap_handler(request_rec *r)
3568de757bac0b47256647504c186d17ca272f85rbb{
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(r->server->module_config, &ldap_module);
3568de757bac0b47256647504c186d17ca272f85rbb
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz r->allowed |= (1 << M_GET);
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz if (r->method_number != M_GET)
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz return DECLINED;
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz if (strcmp(r->handler, "ldap-status")) {
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding return DECLINED;
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding }
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding
8f3ec4772d2aeb347cf40e87c77627bb784dd018rbb r->content_type = "text/html";
8f3ec4772d2aeb347cf40e87c77627bb784dd018rbb if (r->header_only)
3d96ee83babeec32482c9082c9426340cee8c44dwrowe return OK;
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick ap_rputs(DOCTYPE_HTML_3_2
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick "<html><head><title>LDAP Cache Information</title></head>\n", r);
3568de757bac0b47256647504c186d17ca272f85rbb ap_rputs("<body bgcolor='#ffffff'><h1 align=center>LDAP Cache Information</h1>\n", r);
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz
3568de757bac0b47256647504c186d17ca272f85rbb util_ald_cache_display(r, st);
3568de757bac0b47256647504c186d17ca272f85rbb
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz return OK;
3568de757bac0b47256647504c186d17ca272f85rbb}
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb/* ------------------------------------------------------------------ */
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb/*
3568de757bac0b47256647504c186d17ca272f85rbb * Closes an LDAP connection by unlocking it. The next time
3568de757bac0b47256647504c186d17ca272f85rbb * util_ldap_connection_find() is called this connection will be
3568de757bac0b47256647504c186d17ca272f85rbb * available for reuse.
3568de757bac0b47256647504c186d17ca272f85rbb */
0f081398cf0eef8cc7c66a535d450110a92dc8aefieldingLDAP_DECLARE(void) util_ldap_connection_close(util_ldap_connection_t *ldc)
3568de757bac0b47256647504c186d17ca272f85rbb{
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb /*
3568de757bac0b47256647504c186d17ca272f85rbb * QUESTION:
3568de757bac0b47256647504c186d17ca272f85rbb *
3568de757bac0b47256647504c186d17ca272f85rbb * Is it safe leaving bound connections floating around between the
41634f717c623556a16b27b25d7d909a66fe20f8wrowe * different modules? Keeping the user bound is a performance boost,
3568de757bac0b47256647504c186d17ca272f85rbb * but it is also a potential security problem - maybe.
3568de757bac0b47256647504c186d17ca272f85rbb *
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz * For now we unbind the user when we finish with a connection, but
3568de757bac0b47256647504c186d17ca272f85rbb * we don't have to...
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz */
3568de757bac0b47256647504c186d17ca272f85rbb
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz /* mark our connection as available for reuse */
3568de757bac0b47256647504c186d17ca272f85rbb
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz#if APR_HAS_THREADS
3568de757bac0b47256647504c186d17ca272f85rbb apr_thread_mutex_unlock(ldc->lock);
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding#endif
41634f717c623556a16b27b25d7d909a66fe20f8wrowe}
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz/*
3568de757bac0b47256647504c186d17ca272f85rbb * Destroys an LDAP connection by unbinding and closing the connection to
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz * the LDAP server. It is used to bring the connection back to a known
3568de757bac0b47256647504c186d17ca272f85rbb * state after an error, and during pool cleanup.
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz */
0f081398cf0eef8cc7c66a535d450110a92dc8aefieldingLDAP_DECLARE_NONSTD(apr_status_t) util_ldap_connection_unbind(void *param)
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding{
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz util_ldap_connection_t *ldc = param;
3568de757bac0b47256647504c186d17ca272f85rbb
fc1efab92032301e317f07e1b3a00082d9d71f3frbb if (ldc) {
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz if (ldc->ldap) {
24b534291150023e6b68eca89ddd33e475ccddc0wrowe ldap_unbind_s(ldc->ldap);
3568de757bac0b47256647504c186d17ca272f85rbb ldc->ldap = NULL;
24b534291150023e6b68eca89ddd33e475ccddc0wrowe }
3568de757bac0b47256647504c186d17ca272f85rbb ldc->bound = 0;
24b534291150023e6b68eca89ddd33e475ccddc0wrowe }
24b534291150023e6b68eca89ddd33e475ccddc0wrowe
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz return APR_SUCCESS;
3568de757bac0b47256647504c186d17ca272f85rbb}
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz
3568de757bac0b47256647504c186d17ca272f85rbb/*
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz * Clean up an LDAP connection by unbinding and unlocking the connection.
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz * This function is registered with the pool cleanup function - causing
3568de757bac0b47256647504c186d17ca272f85rbb * the LDAP connections to be shut down cleanly on graceful restart.
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz */
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantzLDAP_DECLARE_NONSTD(apr_status_t) util_ldap_connection_cleanup(void *param)
3568de757bac0b47256647504c186d17ca272f85rbb{
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz util_ldap_connection_t *ldc = param;
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb if (ldc) {
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb /* unbind and disconnect from the LDAP server */
3568de757bac0b47256647504c186d17ca272f85rbb util_ldap_connection_unbind(ldc);
3568de757bac0b47256647504c186d17ca272f85rbb
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz /* free the username and password */
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz if (ldc->bindpw) {
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz free((void*)ldc->bindpw);
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz }
3568de757bac0b47256647504c186d17ca272f85rbb if (ldc->binddn) {
3568de757bac0b47256647504c186d17ca272f85rbb free((void*)ldc->binddn);
3568de757bac0b47256647504c186d17ca272f85rbb }
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb /* unlock this entry */
3568de757bac0b47256647504c186d17ca272f85rbb util_ldap_connection_close(ldc);
3568de757bac0b47256647504c186d17ca272f85rbb
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz }
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb return APR_SUCCESS;
3568de757bac0b47256647504c186d17ca272f85rbb}
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb/*
3568de757bac0b47256647504c186d17ca272f85rbb * Connect to the LDAP server and binds. Does not connect if already
3568de757bac0b47256647504c186d17ca272f85rbb * connected (i.e. ldc->ldap is non-NULL.) Does not bind if already bound.
3568de757bac0b47256647504c186d17ca272f85rbb *
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * Returns LDAP_SUCCESS on success; and an error code on failure
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding */
3568de757bac0b47256647504c186d17ca272f85rbbLDAP_DECLARE(int) util_ldap_connection_open(request_rec *r,
239f998fbee5ac5b114b965bb76e217cce0003edstoddard util_ldap_connection_t *ldc)
78ae889ffe0fdfab72f56c6993b0f302cb48da55rbb{
3568de757bac0b47256647504c186d17ca272f85rbb int rc = 0;
6653a33e820463abd4f81915b7a1eba0f602e200brianp int failures = 0;
6653a33e820463abd4f81915b7a1eba0f602e200brianp int version = LDAP_VERSION3;
6653a33e820463abd4f81915b7a1eba0f602e200brianp apr_ldap_err_t *result = NULL;
41634f717c623556a16b27b25d7d909a66fe20f8wrowe
41634f717c623556a16b27b25d7d909a66fe20f8wrowe /* sanity check for NULL */
6653a33e820463abd4f81915b7a1eba0f602e200brianp if (!ldc) {
3568de757bac0b47256647504c186d17ca272f85rbb return -1;
ad83978f20c7d1a4323059d9af122e56fcd353bdstoddard }
6653a33e820463abd4f81915b7a1eba0f602e200brianp
3568de757bac0b47256647504c186d17ca272f85rbb /* If the connection is already bound, return
6653a33e820463abd4f81915b7a1eba0f602e200brianp */
6653a33e820463abd4f81915b7a1eba0f602e200brianp if (ldc->bound)
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm {
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm ldc->reason = "LDAP: connection open successful (already bound)";
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick return LDAP_SUCCESS;
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick }
3568de757bac0b47256647504c186d17ca272f85rbb
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding /* create the ldap session handle
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz */
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz if (NULL == ldc->ldap)
ca53a74f4012a45cbad48e940eddf27d866981f9dougm {
ca53a74f4012a45cbad48e940eddf27d866981f9dougm /* To work around a bug in the Netware SDK, if no client certs are
ca53a74f4012a45cbad48e940eddf27d866981f9dougm * present (Netware client certs are global), we apply the SSL
6653a33e820463abd4f81915b7a1eba0f602e200brianp * settings immediately. If client certs are present, we defer the
6653a33e820463abd4f81915b7a1eba0f602e200brianp * setting of SSL on the connection until later.
6653a33e820463abd4f81915b7a1eba0f602e200brianp */
6653a33e820463abd4f81915b7a1eba0f602e200brianp
6653a33e820463abd4f81915b7a1eba0f602e200brianp /* Since the host will include a port if the default port is not used,
6653a33e820463abd4f81915b7a1eba0f602e200brianp * always specify the default ports for the port parameter. This will allow
6653a33e820463abd4f81915b7a1eba0f602e200brianp * a host string that contains multiple hosts the ability to mix some
6653a33e820463abd4f81915b7a1eba0f602e200brianp * hosts with ports and some without. All hosts which do not specify
6653a33e820463abd4f81915b7a1eba0f602e200brianp * a port will use the default port.
6653a33e820463abd4f81915b7a1eba0f602e200brianp */
6653a33e820463abd4f81915b7a1eba0f602e200brianp apr_ldap_init(ldc->pool, &(ldc->ldap),
6653a33e820463abd4f81915b7a1eba0f602e200brianp ldc->host,
6653a33e820463abd4f81915b7a1eba0f602e200brianp APR_LDAP_SSL == ldc->secure ? LDAPS_PORT : LDAP_PORT,
6653a33e820463abd4f81915b7a1eba0f602e200brianp apr_is_empty_array(ldc->client_certs) ? ldc->secure : APR_LDAP_NONE,
6653a33e820463abd4f81915b7a1eba0f602e200brianp &(result));
6653a33e820463abd4f81915b7a1eba0f602e200brianp
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick if (result != NULL) {
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick ldc->reason = result->reason;
239f998fbee5ac5b114b965bb76e217cce0003edstoddard }
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb if (NULL == ldc->ldap)
3568de757bac0b47256647504c186d17ca272f85rbb {
12901074f5d6b36d08be84d8637b6f2c21e0da26trawick ldc->bound = 0;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard if (NULL == ldc->reason) {
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard ldc->reason = "LDAP: ldap initialization failed";
3568de757bac0b47256647504c186d17ca272f85rbb }
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz else {
48d2edbfb84e5559b5da0f8d614ccab805cc67a8rbb ldc->reason = result->reason;
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding }
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard return(result->rc);
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding }
e0d102c882a7ed34d3eec24b36da49f097066a36stoddard
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding /* set client certificates */
3568de757bac0b47256647504c186d17ca272f85rbb if (!apr_is_empty_array(ldc->client_certs)) {
3568de757bac0b47256647504c186d17ca272f85rbb apr_ldap_set_option(ldc->pool, ldc->ldap, APR_LDAP_OPT_TLS_CERT,
3568de757bac0b47256647504c186d17ca272f85rbb ldc->client_certs, &(result));
3568de757bac0b47256647504c186d17ca272f85rbb if (LDAP_SUCCESS != result->rc) {
3568de757bac0b47256647504c186d17ca272f85rbb ldap_unbind_s(ldc->ldap);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard ldc->ldap = NULL;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard ldc->bound = 0;
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz ldc->reason = result->reason;
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz return(result->rc);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard }
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard }
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz /* switch on SSL/TLS */
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard apr_ldap_set_option(ldc->pool, ldc->ldap,
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard APR_LDAP_OPT_TLS, &ldc->secure, &(result));
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard if (LDAP_SUCCESS != result->rc) {
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz ldap_unbind_s(ldc->ldap);
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz ldc->ldap = NULL;
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz ldc->bound = 0;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard ldc->reason = result->reason;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard return(result->rc);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard }
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard /* Set the alias dereferencing option */
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &(ldc->deref));
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard /* always default to LDAP V3 */
e0d102c882a7ed34d3eec24b36da49f097066a36stoddard ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard }
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz /* loop trying to bind up to 10 times if LDAP_SERVER_DOWN error is
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard * returned. Break out of the loop on Success or any other error.
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard *
3568de757bac0b47256647504c186d17ca272f85rbb * NOTE: Looping is probably not a great idea. If the server isn't
3568de757bac0b47256647504c186d17ca272f85rbb * responding the chances it will respond after a few tries are poor.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * However, the original code looped and it only happens on
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard * the error condition.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding */
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick for (failures=0; failures<10; failures++)
98cd3186185bb28ae6c95a3f159899fcf56a663ftrawick {
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick rc = ldap_simple_bind_s(ldc->ldap,
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick (char *)ldc->binddn,
3568de757bac0b47256647504c186d17ca272f85rbb (char *)ldc->bindpw);
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm if (LDAP_SERVER_DOWN != rc) {
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm break;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard }
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz }
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm /* free the handle if there was an error
3cbd177a6c885562f9ad0cf11695f044489c881dgregames */
3cbd177a6c885562f9ad0cf11695f044489c881dgregames if (LDAP_SUCCESS != rc)
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard {
3cbd177a6c885562f9ad0cf11695f044489c881dgregames ldap_unbind_s(ldc->ldap);
3cbd177a6c885562f9ad0cf11695f044489c881dgregames ldc->ldap = NULL;
3cbd177a6c885562f9ad0cf11695f044489c881dgregames ldc->bound = 0;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard ldc->reason = "LDAP: ldap_simple_bind_s() failed";
5a0f707b48da7703cbe6bc087f13a6735b1c742dgregames }
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz else {
5a0f707b48da7703cbe6bc087f13a6735b1c742dgregames ldc->bound = 1;
5a0f707b48da7703cbe6bc087f13a6735b1c742dgregames ldc->reason = "LDAP: connection open successful";
5a0f707b48da7703cbe6bc087f13a6735b1c742dgregames }
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm return(rc);
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm}
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
ad83978f20c7d1a4323059d9af122e56fcd353bdstoddard/*
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm * Compare client certificate arrays.
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm *
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm * Returns 1 on compare failure, 0 otherwise.
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm */
ad83978f20c7d1a4323059d9af122e56fcd353bdstoddardint compare_client_certs(apr_array_header_t *srcs, apr_array_header_t *dests) {
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard int i = 0;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard struct apr_ldap_opt_tls_cert_t *src, *dest;
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard /* arrays both NULL? if so, then equal */
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard if (srcs == NULL && dests == NULL) {
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard return 0;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard }
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard /* arrays different length or either NULL? If so, then not equal */
3568de757bac0b47256647504c186d17ca272f85rbb if (srcs == NULL || dests == NULL || srcs->nelts != dests->nelts) {
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz return 1;
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm }
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb /* run an actual comparison */
74fd6d9aeadb9022086259c5c1ae00bc0dda9c9astoddard src = (struct apr_ldap_opt_tls_cert_t *)srcs->elts;
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz dest = (struct apr_ldap_opt_tls_cert_t *)dests->elts;
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz for (i = 0; i < srcs->nelts; i++) {
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz if (apr_strnatcmp(src[i].path, dest[i].path) ||
3568de757bac0b47256647504c186d17ca272f85rbb apr_strnatcmp(src[i].password, dest[i].password) ||
3568de757bac0b47256647504c186d17ca272f85rbb src[i].type != dest[i].type) {
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard return 1;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard }
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard }
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard /* if we got here, the cert arrays were identical */
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard return 0;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard}
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz/*
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz * Find an existing ldap connection struct that matches the
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard * provided ldap connection parameters.
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz *
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz * If not found in the cache, a new ldc structure will be allocated from st->pool
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz * and returned to the caller. If found in the cache, a pointer to the existing
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard * ldc structure will be returned.
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz */
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantzLDAP_DECLARE(util_ldap_connection_t *)
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard util_ldap_connection_find(request_rec *r,
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard const char *host, int port,
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard const char *binddn, const char *bindpw,
3568de757bac0b47256647504c186d17ca272f85rbb deref_options deref, int secure) {
3568de757bac0b47256647504c186d17ca272f85rbb struct util_ldap_connection_t *l, *p; /* To traverse the linked list */
3568de757bac0b47256647504c186d17ca272f85rbb
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard util_ldap_state_t *st =
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
f714f1a7002928d785e53e70349700a7f595fee3trawick &ldap_module);
f714f1a7002928d785e53e70349700a7f595fee3trawick
3568de757bac0b47256647504c186d17ca272f85rbb
ad83978f20c7d1a4323059d9af122e56fcd353bdstoddard#if APR_HAS_THREADS
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz /* mutex lock this function */
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz if (!st->mutex) {
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz apr_thread_mutex_create(&st->mutex, APR_THREAD_MUTEX_DEFAULT, st->pool);
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz }
3568de757bac0b47256647504c186d17ca272f85rbb apr_thread_mutex_lock(st->mutex);
3568de757bac0b47256647504c186d17ca272f85rbb#endif
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard /* Search for an exact connection match in the list that is not
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard * being used.
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard */
3568de757bac0b47256647504c186d17ca272f85rbb for (l=st->connections,p=NULL; l; l=l->next) {
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard#if APR_HAS_THREADS
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard if (APR_SUCCESS == apr_thread_mutex_trylock(l->lock)) {
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard#endif
3568de757bac0b47256647504c186d17ca272f85rbb if ((l->port == port) && (strcmp(l->host, host) == 0) &&
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard ((!l->binddn && !binddn) || (l->binddn && binddn && !strcmp(l->binddn, binddn))) &&
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard ((!l->bindpw && !bindpw) || (l->bindpw && bindpw && !strcmp(l->bindpw, bindpw))) &&
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard (l->deref == deref) && (l->secure == secure) &&
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard !compare_client_certs(st->client_certs, l->client_certs)) {
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard break;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard }
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard#if APR_HAS_THREADS
3568de757bac0b47256647504c186d17ca272f85rbb /* If this connection didn't match the criteria, then we
ad83978f20c7d1a4323059d9af122e56fcd353bdstoddard * need to unlock the mutex so it is available to be reused.
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard */
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard apr_thread_mutex_unlock(l->lock);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard }
3568de757bac0b47256647504c186d17ca272f85rbb#endif
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard p = l;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard }
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
3568de757bac0b47256647504c186d17ca272f85rbb /* If nothing found, search again, but we don't care about the
3568de757bac0b47256647504c186d17ca272f85rbb * binddn and bindpw this time.
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard */
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard if (!l) {
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard for (l=st->connections,p=NULL; l; l=l->next) {
3568de757bac0b47256647504c186d17ca272f85rbb#if APR_HAS_THREADS
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard if (APR_SUCCESS == apr_thread_mutex_trylock(l->lock)) {
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard#endif
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard if ((l->port == port) && (strcmp(l->host, host) == 0) &&
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard (l->deref == deref) && (l->secure == secure) &&
3568de757bac0b47256647504c186d17ca272f85rbb !compare_client_certs(st->client_certs, l->client_certs)) {
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz /* the bind credentials have changed */
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard l->bound = 0;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard util_ldap_strdup((char**)&(l->binddn), binddn);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard util_ldap_strdup((char**)&(l->bindpw), bindpw);
3568de757bac0b47256647504c186d17ca272f85rbb break;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard }
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz#if APR_HAS_THREADS
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz /* If this connection didn't match the criteria, then we
3568de757bac0b47256647504c186d17ca272f85rbb * need to unlock the mutex so it is available to be reused.
3568de757bac0b47256647504c186d17ca272f85rbb */
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz apr_thread_mutex_unlock(l->lock);
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz }
3568de757bac0b47256647504c186d17ca272f85rbb#endif
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard p = l;
3568de757bac0b47256647504c186d17ca272f85rbb }
3568de757bac0b47256647504c186d17ca272f85rbb }
3568de757bac0b47256647504c186d17ca272f85rbb
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard/* artificially disable cache */
3568de757bac0b47256647504c186d17ca272f85rbb/* l = NULL; */
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
3568de757bac0b47256647504c186d17ca272f85rbb /* If no connection what found after the second search, we
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick * must create one.
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick */
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick if (!l) {
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz /*
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz * Add the new connection entry to the linked list. Note that we
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard * don't actually establish an LDAP connection yet; that happens
beb70d51e435dc36c56a72b6cd83556c04db9283wrowe * the first time authentication is requested.
fe6baec9bbcd36f932b71a355120cd7b5a685d6cfielding */
3568de757bac0b47256647504c186d17ca272f85rbb /* create the details to the pool in st */
3568de757bac0b47256647504c186d17ca272f85rbb l = apr_pcalloc(st->pool, sizeof(util_ldap_connection_t));
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard#if APR_HAS_THREADS
3568de757bac0b47256647504c186d17ca272f85rbb apr_thread_mutex_create(&l->lock, APR_THREAD_MUTEX_DEFAULT, st->pool);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard apr_thread_mutex_lock(l->lock);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard#endif
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard l->pool = st->pool;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard l->bound = 0;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard l->host = apr_pstrdup(st->pool, host);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard l->port = port;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard l->deref = deref;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard util_ldap_strdup((char**)&(l->binddn), binddn);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard util_ldap_strdup((char**)&(l->bindpw), bindpw);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard /* The security mode after parsing the URL will always be either
1ec8bd0373f11c07688ec9afbbf778cf78a0bc52wrowe * APR_LDAP_NONE (ldap://) or APR_LDAP_SSL (ldaps://).
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard * If the security setting is NONE, override it to the security
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard * setting optionally supplied by the admin using LDAPTrustedMode
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard */
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard l->secure = (APR_LDAP_NONE == secure) ?
8e9734d1a4af74c141e2a0f880bb51bb061fa03atrawick st->secure :
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard secure;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard /* save away a copy of the client cert list that is presently valid */
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick l->client_certs = apr_array_copy_hdr(l->pool, st->client_certs);
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick
3568de757bac0b47256647504c186d17ca272f85rbb /* add the cleanup to the pool */
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard apr_pool_cleanup_register(l->pool, l,
cb97ae2ff6969c2789b8e03f1bc4187fa73b6bafwrowe util_ldap_connection_cleanup,
0f113d7123e8bd3e3e2e9b6373461a1a773bfccatrawick apr_pool_cleanup_null);
0f113d7123e8bd3e3e2e9b6373461a1a773bfccatrawick
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz if (p) {
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard p->next = l;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard }
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard else {
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard st->connections = l;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard }
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard }
3568de757bac0b47256647504c186d17ca272f85rbb
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard#if APR_HAS_THREADS
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz apr_thread_mutex_unlock(st->mutex);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard#endif
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard return l;
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard}
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbb/* ------------------------------------------------------------------ */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick/*
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick * Compares two DNs to see if they're equal. The only way to do this correctly is to
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick * search for the dn and then do ldap_get_dn() on the result. This should match the
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick * initial dn, since it would have been also retrieved with ldap_get_dn(). This is
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick * expensive, so if the configuration value compare_dn_on_server is
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick * false, just does an ordinary strcmp.
f886987cd0bd4220c14043c4d9be77ec22902e73trawick *
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick * The lock for the ldap cache should already be acquired.
f886987cd0bd4220c14043c4d9be77ec22902e73trawick */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawickLDAP_DECLARE(int) util_ldap_cache_comparedn(request_rec *r, util_ldap_connection_t *ldc,
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick const char *url, const char *dn, const char *reqdn,
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick int compare_dn_on_server)
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick{
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz int result = 0;
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz util_url_node_t *curl;
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz util_url_node_t curnode;
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm util_dn_compare_node_t *node;
2e7f1d7da527c09e717251e186deffe55e6fbd0ftrawick util_dn_compare_node_t newnode;
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm int failures = 0;
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm LDAPMessage *res, *entry;
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm char *searchdn;
2e7f1d7da527c09e717251e186deffe55e6fbd0ftrawick
2e7f1d7da527c09e717251e186deffe55e6fbd0ftrawick util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(r->server->module_config, &ldap_module);
2e7f1d7da527c09e717251e186deffe55e6fbd0ftrawick
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm /* get cache entry (or create one) */
3568de757bac0b47256647504c186d17ca272f85rbb LDAP_CACHE_LOCK();
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz curnode.url = url;
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz curl = util_ald_cache_fetch(st->util_ldap_cache, &curnode);
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz if (curl == NULL) {
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm curl = util_ald_create_caches(st, url);
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm }
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz LDAP_CACHE_UNLOCK();
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz /* a simple compare? */
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm if (!compare_dn_on_server) {
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm /* unlock this read lock */
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm if (strcmp(dn, reqdn)) {
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm ldc->reason = "DN Comparison FALSE (direct strcmp())";
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm return LDAP_COMPARE_FALSE;
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm }
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz else {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick ldc->reason = "DN Comparison TRUE (direct strcmp())";
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm return LDAP_COMPARE_TRUE;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick if (curl) {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* no - it's a server side compare */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick LDAP_CACHE_LOCK();
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
cb97ae2ff6969c2789b8e03f1bc4187fa73b6bafwrowe /* is it in the compare cache? */
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm newnode.reqdn = (char *)reqdn;
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm node = util_ald_cache_fetch(curl->dn_compare_cache, &newnode);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick if (node != NULL) {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* If it's in the cache, it's good */
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm /* unlock this read lock */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick LDAP_CACHE_UNLOCK();
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick ldc->reason = "DN Comparison TRUE (cached)";
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick return LDAP_COMPARE_TRUE;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* unlock this read lock */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick LDAP_CACHE_UNLOCK();
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawickstart_over:
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick if (failures++ > 10) {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* too many failures */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick return result;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* make a server connection */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick if (LDAP_SUCCESS != (result = util_ldap_connection_open(r, ldc))) {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* connect to server failed */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick return result;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* search for reqdn */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick if ((result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick "(objectclass=*)", NULL, 1,
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick NULL, NULL, NULL, -1, &res)) == LDAP_SERVER_DOWN) {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick ldc->reason = "DN Comparison ldap_search_ext_s() failed with server down";
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick util_ldap_connection_unbind(ldc);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick goto start_over;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick if (result != LDAP_SUCCESS) {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* search for reqdn failed - no match */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick ldc->reason = "DN Comparison ldap_search_ext_s() failed";
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick return result;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick entry = ldap_first_entry(ldc->ldap, res);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick searchdn = ldap_get_dn(ldc->ldap, entry);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick ldap_msgfree(res);
f886987cd0bd4220c14043c4d9be77ec22902e73trawick if (strcmp(dn, searchdn) != 0) {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* compare unsuccessful */
f886987cd0bd4220c14043c4d9be77ec22902e73trawick ldc->reason = "DN Comparison FALSE (checked on server)";
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick result = LDAP_COMPARE_FALSE;
f886987cd0bd4220c14043c4d9be77ec22902e73trawick }
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm else {
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm if (curl) {
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm /* compare successful - add to the compare cache */
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm LDAP_CACHE_LOCK();
3568de757bac0b47256647504c186d17ca272f85rbb newnode.reqdn = (char *)reqdn;
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm newnode.dn = (char *)dn;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick node = util_ald_cache_fetch(curl->dn_compare_cache, &newnode);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick if ((node == NULL) ||
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick (strcmp(reqdn, node->reqdn) != 0) || (strcmp(dn, node->dn) != 0)) {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick util_ald_cache_insert(curl->dn_compare_cache, &newnode);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick LDAP_CACHE_UNLOCK();
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick ldc->reason = "DN Comparison TRUE (checked on server)";
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick result = LDAP_COMPARE_TRUE;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm ldap_memfree(searchdn);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick return result;
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick}
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick/*
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick * Does an generic ldap_compare operation. It accepts a cache that it will use
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm * to lookup the compare in the cache. We cache two kinds of compares
2e7f1d7da527c09e717251e186deffe55e6fbd0ftrawick * (require group compares) and (require user compares). Each compare has a different
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick * cache node: require group includes the DN; require user does not because the
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm * require user cache is owned by the
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick *
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick */
f886987cd0bd4220c14043c4d9be77ec22902e73trawickLDAP_DECLARE(int) util_ldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc,
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick const char *url, const char *dn,
cb97ae2ff6969c2789b8e03f1bc4187fa73b6bafwrowe const char *attrib, const char *value)
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick{
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm int result = 0;
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm util_url_node_t *curl;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick util_url_node_t curnode;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick util_compare_node_t *compare_nodep;
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm util_compare_node_t the_compare_node;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick apr_time_t curtime = 0; /* silence gcc -Wall */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick int failures = 0;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick util_ldap_state_t *st =
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick &ldap_module);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* get cache entry (or create one) */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick LDAP_CACHE_LOCK();
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick curnode.url = url;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick curl = util_ald_cache_fetch(st->util_ldap_cache, &curnode);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick if (curl == NULL) {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick curl = util_ald_create_caches(st, url);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick LDAP_CACHE_UNLOCK();
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick if (curl) {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* make a comparison to the cache */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick LDAP_CACHE_LOCK();
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick curtime = apr_time_now();
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick the_compare_node.dn = (char *)dn;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick the_compare_node.attrib = (char *)attrib;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick the_compare_node.value = (char *)value;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick the_compare_node.result = 0;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick compare_nodep = util_ald_cache_fetch(curl->compare_cache, &the_compare_node);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick if (compare_nodep != NULL) {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* found it... */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick if (curtime - compare_nodep->lastcompare > st->compare_cache_ttl) {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* ...but it is too old */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick util_ald_cache_remove(curl->compare_cache, compare_nodep);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick else {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* ...and it is good */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* unlock this read lock */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick LDAP_CACHE_UNLOCK();
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick if (LDAP_COMPARE_TRUE == compare_nodep->result) {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick ldc->reason = "Comparison true (cached)";
f886987cd0bd4220c14043c4d9be77ec22902e73trawick return compare_nodep->result;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
f886987cd0bd4220c14043c4d9be77ec22902e73trawick else if (LDAP_COMPARE_FALSE == compare_nodep->result) {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick ldc->reason = "Comparison false (cached)";
f886987cd0bd4220c14043c4d9be77ec22902e73trawick return compare_nodep->result;
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm }
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm else if (LDAP_NO_SUCH_ATTRIBUTE == compare_nodep->result) {
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm ldc->reason = "Comparison no such attribute (cached)";
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm return compare_nodep->result;
3568de757bac0b47256647504c186d17ca272f85rbb }
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm else {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick ldc->reason = "Comparison undefined (cached)";
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick return compare_nodep->result;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* unlock this read lock */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick LDAP_CACHE_UNLOCK();
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm }
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawickstart_over:
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick if (failures++ > 10) {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* too many failures */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick return result;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm if (LDAP_SUCCESS != (result = util_ldap_connection_open(r, ldc))) {
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* connect failed */
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm return result;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick }
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick if ((result = ldap_compare_s(ldc->ldap,
2e7f1d7da527c09e717251e186deffe55e6fbd0ftrawick (char *)dn,
2e7f1d7da527c09e717251e186deffe55e6fbd0ftrawick (char *)attrib,
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz (char *)value))
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick == LDAP_SERVER_DOWN) {
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz /* connection failed - try again */
1ec8bd0373f11c07688ec9afbbf778cf78a0bc52wrowe ldc->reason = "ldap_compare_s() failed with server down";
3568de757bac0b47256647504c186d17ca272f85rbb util_ldap_connection_unbind(ldc);
1ec8bd0373f11c07688ec9afbbf778cf78a0bc52wrowe goto start_over;
1ec8bd0373f11c07688ec9afbbf778cf78a0bc52wrowe }
1ec8bd0373f11c07688ec9afbbf778cf78a0bc52wrowe
f886987cd0bd4220c14043c4d9be77ec22902e73trawick ldc->reason = "Comparison complete";
f886987cd0bd4220c14043c4d9be77ec22902e73trawick if ((LDAP_COMPARE_TRUE == result) ||
f886987cd0bd4220c14043c4d9be77ec22902e73trawick (LDAP_COMPARE_FALSE == result) ||
f886987cd0bd4220c14043c4d9be77ec22902e73trawick (LDAP_NO_SUCH_ATTRIBUTE == result)) {
f886987cd0bd4220c14043c4d9be77ec22902e73trawick if (curl) {
f886987cd0bd4220c14043c4d9be77ec22902e73trawick /* compare completed; caching result */
f886987cd0bd4220c14043c4d9be77ec22902e73trawick LDAP_CACHE_LOCK();
1ec8bd0373f11c07688ec9afbbf778cf78a0bc52wrowe the_compare_node.lastcompare = curtime;
1ec8bd0373f11c07688ec9afbbf778cf78a0bc52wrowe the_compare_node.result = result;
1ec8bd0373f11c07688ec9afbbf778cf78a0bc52wrowe
1ec8bd0373f11c07688ec9afbbf778cf78a0bc52wrowe /* If the node doesn't exist then insert it, otherwise just update it with
3568de757bac0b47256647504c186d17ca272f85rbb the last results */
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz compare_nodep = util_ald_cache_fetch(curl->compare_cache, &the_compare_node);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick if ((compare_nodep == NULL) ||
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz (strcmp(the_compare_node.dn, compare_nodep->dn) != 0) ||
3568de757bac0b47256647504c186d17ca272f85rbb (strcmp(the_compare_node.attrib, compare_nodep->attrib) != 0) ||
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz (strcmp(the_compare_node.value, compare_nodep->value) != 0)) {
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz util_ald_cache_insert(curl->compare_cache, &the_compare_node);
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz }
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz else {
3568de757bac0b47256647504c186d17ca272f85rbb compare_nodep->lastcompare = curtime;
3568de757bac0b47256647504c186d17ca272f85rbb compare_nodep->result = result;
3568de757bac0b47256647504c186d17ca272f85rbb }
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz LDAP_CACHE_UNLOCK();
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz }
3568de757bac0b47256647504c186d17ca272f85rbb if (LDAP_COMPARE_TRUE == result) {
3568de757bac0b47256647504c186d17ca272f85rbb ldc->reason = "Comparison true (adding to cache)";
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding return LDAP_COMPARE_TRUE;
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding }
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding else if (LDAP_COMPARE_FALSE == result) {
3568de757bac0b47256647504c186d17ca272f85rbb ldc->reason = "Comparison false (adding to cache)";
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz return LDAP_COMPARE_FALSE;
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz }
3568de757bac0b47256647504c186d17ca272f85rbb else {
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz ldc->reason = "Comparison no such attribute (adding to cache)";
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz return LDAP_NO_SUCH_ATTRIBUTE;
3568de757bac0b47256647504c186d17ca272f85rbb }
3568de757bac0b47256647504c186d17ca272f85rbb }
3568de757bac0b47256647504c186d17ca272f85rbb return result;
3568de757bac0b47256647504c186d17ca272f85rbb}
3568de757bac0b47256647504c186d17ca272f85rbb
3568de757bac0b47256647504c186d17ca272f85rbbLDAP_DECLARE(int) util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc,
ec020ca384efb30d501a5af796ddc3bb237d7b8fgregames const char *url, const char *basedn, int scope, char **attrs,
3568de757bac0b47256647504c186d17ca272f85rbb const char *filter, const char *bindpw, const char **binddn,
ce03576b2434cec77f2921db9d5b6a0510581c23rederpj const char ***retvals)
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick{
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick const char **vals = NULL;
9d0665da83d1e22c0ea0e5f6f940f70f75bf5237ianh int result = 0;
3568de757bac0b47256647504c186d17ca272f85rbb LDAPMessage *res, *entry;
3568de757bac0b47256647504c186d17ca272f85rbb char *dn;
73e8b26287de5c06fa470d36162e103dbac9c7e5wrowe int count;
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding int failures = 0;
b980ad7fdc218b4855cde9f75a747527f50c554dwrowe util_url_node_t *curl; /* Cached URL node */
3568de757bac0b47256647504c186d17ca272f85rbb util_url_node_t curnode;
ca53a74f4012a45cbad48e940eddf27d866981f9dougm util_search_node_t *search_nodep; /* Cached search node */
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding util_search_node_t the_search_node;
3d96ee83babeec32482c9082c9426340cee8c44dwrowe apr_time_t curtime;
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding
302dc1f7b3feee23a91ad8f3cf3cb2edd95a557bmanoj util_ldap_state_t *st =
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz &ldap_module);
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz /* Get the cache node for this url */
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz LDAP_CACHE_LOCK();
3568de757bac0b47256647504c186d17ca272f85rbb curnode.url = url;
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding curl = (util_url_node_t *)util_ald_cache_fetch(st->util_ldap_cache, &curnode);
3568de757bac0b47256647504c186d17ca272f85rbb if (curl == NULL) {
curl = util_ald_create_caches(st, url);
}
LDAP_CACHE_UNLOCK();
if (curl) {
LDAP_CACHE_LOCK();
the_search_node.username = filter;
search_nodep = util_ald_cache_fetch(curl->search_cache, &the_search_node);
if (search_nodep != NULL) {
/* found entry in search cache... */
curtime = apr_time_now();
/*
* Remove this item from the cache if its expired. If the sent password
* doesn't match the storepassword, the entry will be removed and readded
* later if the credentials pass authentication.
*/
if ((curtime - search_nodep->lastbind) > st->search_cache_ttl) {
/* ...but entry is too old */
util_ald_cache_remove(curl->search_cache, search_nodep);
}
else if ((search_nodep->bindpw) && (search_nodep->bindpw[0] != '\0') &&
(strcmp(search_nodep->bindpw, bindpw) == 0)) {
/* ...and entry is valid */
*binddn = search_nodep->dn;
*retvals = search_nodep->vals;
LDAP_CACHE_UNLOCK();
ldc->reason = "Authentication successful (cached)";
return LDAP_SUCCESS;
}
}
/* unlock this read lock */
LDAP_CACHE_UNLOCK();
}
/*
* At this point, there is no valid cached search, so lets do the search.
*/
/*
* If any LDAP operation fails due to LDAP_SERVER_DOWN, control returns here.
*/
start_over:
if (failures++ > 10) {
return result;
}
if (LDAP_SUCCESS != (result = util_ldap_connection_open(r, ldc))) {
return result;
}
/* try do the search */
if ((result = ldap_search_ext_s(ldc->ldap,
(char *)basedn, scope,
(char *)filter, attrs, 0,
NULL, NULL, NULL, -1, &res)) == LDAP_SERVER_DOWN) {
ldc->reason = "ldap_search_ext_s() for user failed with server down";
util_ldap_connection_unbind(ldc);
goto start_over;
}
/* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
if (result != LDAP_SUCCESS) {
ldc->reason = "ldap_search_ext_s() for user failed";
return result;
}
/*
* We should have found exactly one entry; to find a different
* number is an error.
*/
count = ldap_count_entries(ldc->ldap, res);
if (count != 1)
{
if (count == 0 )
ldc->reason = "User not found";
else
ldc->reason = "User is not unique (search found two or more matches)";
ldap_msgfree(res);
return LDAP_NO_SUCH_OBJECT;
}
entry = ldap_first_entry(ldc->ldap, res);
/* Grab the dn, copy it into the pool, and free it again */
dn = ldap_get_dn(ldc->ldap, entry);
*binddn = apr_pstrdup(r->pool, dn);
ldap_memfree(dn);
/*
* A bind to the server with an empty password always succeeds, so
* we check to ensure that the password is not empty. This implies
* that users who actually do have empty passwords will never be
* able to authenticate with this module. I don't see this as a big
* problem.
*/
if (!bindpw || strlen(bindpw) <= 0) {
ldap_msgfree(res);
ldc->reason = "Empty password not allowed";
return LDAP_INVALID_CREDENTIALS;
}
/*
* Attempt to bind with the retrieved dn and the password. If the bind
* fails, it means that the password is wrong (the dn obviously
* exists, since we just retrieved it)
*/
if ((result = ldap_simple_bind_s(ldc->ldap,
(char *)*binddn,
(char *)bindpw)) == LDAP_SERVER_DOWN) {
ldc->reason = "ldap_simple_bind_s() to check user credentials "
"failed with server down";
ldap_msgfree(res);
util_ldap_connection_unbind(ldc);
goto start_over;
}
/* failure? if so - return */
if (result != LDAP_SUCCESS) {
ldc->reason = "ldap_simple_bind_s() to check user credentials failed";
ldap_msgfree(res);
util_ldap_connection_unbind(ldc);
return result;
}
else {
/*
* We have just bound the connection to a different user and password
* combination, which might be reused unintentionally next time this
* connection is used from the connection pool. To ensure no confusion,
* we mark the connection as unbound.
*/
ldc->bound = 0;
}
/*
* Get values for the provided attributes.
*/
if (attrs) {
int k = 0;
int i = 0;
while (attrs[k++]);
vals = apr_pcalloc(r->pool, sizeof(char *) * (k+1));
while (attrs[i]) {
char **values;
int j = 0;
char *str = NULL;
/* get values */
values = ldap_get_values(ldc->ldap, entry, attrs[i]);
while (values && values[j]) {
str = str ? apr_pstrcat(r->pool, str, "; ", values[j], NULL) : apr_pstrdup(r->pool, values[j]);
j++;
}
ldap_value_free(values);
vals[i] = str;
i++;
}
*retvals = vals;
}
/*
* Add the new username to the search cache.
*/
if (curl) {
LDAP_CACHE_LOCK();
the_search_node.username = filter;
the_search_node.dn = *binddn;
the_search_node.bindpw = bindpw;
the_search_node.lastbind = apr_time_now();
the_search_node.vals = vals;
/* Search again to make sure that another thread didn't ready insert this node
into the cache before we got here. If it does exist then update the lastbind */
search_nodep = util_ald_cache_fetch(curl->search_cache, &the_search_node);
if ((search_nodep == NULL) ||
(strcmp(*binddn, search_nodep->dn) != 0)) {
/* Nothing in cache, insert new entry */
util_ald_cache_insert(curl->search_cache, &the_search_node);
}
else if ((!search_nodep->bindpw) ||
(strcmp(bindpw, search_nodep->bindpw) != 0)) {
/* Entry in cache is invalid, remove it and insert new one */
util_ald_cache_remove(curl->search_cache, search_nodep);
util_ald_cache_insert(curl->search_cache, &the_search_node);
}
else {
/* Cache entry is valid, update lastbind */
search_nodep->lastbind = the_search_node.lastbind;
}
LDAP_CACHE_UNLOCK();
}
ldap_msgfree(res);
ldc->reason = "Authentication successful";
return LDAP_SUCCESS;
}
/*
* This function will return the DN of the entry matching userid.
* It is used to get the DN in case some other module than mod_auth_ldap
* has authenticated the user.
* The function is basically a copy of util_ldap_cache_checkuserid
* with password checking removed.
*/
LDAP_DECLARE(int) util_ldap_cache_getuserdn(request_rec *r, util_ldap_connection_t *ldc,
const char *url, const char *basedn, int scope, char **attrs,
const char *filter, const char **binddn,
const char ***retvals)
{
const char **vals = NULL;
int result = 0;
LDAPMessage *res, *entry;
char *dn;
int count;
int failures = 0;
util_url_node_t *curl; /* Cached URL node */
util_url_node_t curnode;
util_search_node_t *search_nodep; /* Cached search node */
util_search_node_t the_search_node;
apr_time_t curtime;
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(r->server->module_config,
&ldap_module);
/* Get the cache node for this url */
LDAP_CACHE_LOCK();
curnode.url = url;
curl = (util_url_node_t *)util_ald_cache_fetch(st->util_ldap_cache, &curnode);
if (curl == NULL) {
curl = util_ald_create_caches(st, url);
}
LDAP_CACHE_UNLOCK();
if (curl) {
LDAP_CACHE_LOCK();
the_search_node.username = filter;
search_nodep = util_ald_cache_fetch(curl->search_cache, &the_search_node);
if (search_nodep != NULL) {
/* found entry in search cache... */
curtime = apr_time_now();
/*
* Remove this item from the cache if its expired.
*/
if ((curtime - search_nodep->lastbind) > st->search_cache_ttl) {
/* ...but entry is too old */
util_ald_cache_remove(curl->search_cache, search_nodep);
}
else {
/* ...and entry is valid */
*binddn = search_nodep->dn;
*retvals = search_nodep->vals;
LDAP_CACHE_UNLOCK();
ldc->reason = "Search successful (cached)";
return LDAP_SUCCESS;
}
}
/* unlock this read lock */
LDAP_CACHE_UNLOCK();
}
/*
* At this point, there is no valid cached search, so lets do the search.
*/
/*
* If any LDAP operation fails due to LDAP_SERVER_DOWN, control returns here.
*/
start_over:
if (failures++ > 10) {
return result;
}
if (LDAP_SUCCESS != (result = util_ldap_connection_open(r, ldc))) {
return result;
}
/* try do the search */
if ((result = ldap_search_ext_s(ldc->ldap,
(char *)basedn, scope,
(char *)filter, attrs, 0,
NULL, NULL,
NULL, -1, &res)) == LDAP_SERVER_DOWN) {
ldc->reason = "ldap_search_ext_s() for user failed with server down";
goto start_over;
}
/* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
if (result != LDAP_SUCCESS) {
ldc->reason = "ldap_search_ext_s() for user failed";
return result;
}
/*
* We should have found exactly one entry; to find a different
* number is an error.
*/
count = ldap_count_entries(ldc->ldap, res);
if (count != 1)
{
if (count == 0 )
ldc->reason = "User not found";
else
ldc->reason = "User is not unique (search found two or more matches)";
ldap_msgfree(res);
return LDAP_NO_SUCH_OBJECT;
}
entry = ldap_first_entry(ldc->ldap, res);
/* Grab the dn, copy it into the pool, and free it again */
dn = ldap_get_dn(ldc->ldap, entry);
*binddn = apr_pstrdup(st->pool, dn);
ldap_memfree(dn);
/*
* Get values for the provided attributes.
*/
if (attrs) {
int k = 0;
int i = 0;
while (attrs[k++]);
vals = apr_pcalloc(r->pool, sizeof(char *) * (k+1));
while (attrs[i]) {
char **values;
int j = 0;
char *str = NULL;
/* get values */
values = ldap_get_values(ldc->ldap, entry, attrs[i]);
while (values && values[j]) {
str = str ? apr_pstrcat(r->pool, str, "; ", values[j], NULL) : apr_pstrdup(r->pool, values[j]);
j++;
}
ldap_value_free(values);
vals[i] = str;
i++;
}
*retvals = vals;
}
/*
* Add the new username to the search cache.
*/
if (curl) {
LDAP_CACHE_LOCK();
the_search_node.username = filter;
the_search_node.dn = *binddn;
the_search_node.bindpw = NULL;
the_search_node.lastbind = apr_time_now();
the_search_node.vals = vals;
/* Search again to make sure that another thread didn't ready insert this node
into the cache before we got here. If it does exist then update the lastbind */
search_nodep = util_ald_cache_fetch(curl->search_cache, &the_search_node);
if ((search_nodep == NULL) ||
(strcmp(*binddn, search_nodep->dn) != 0)) {
/* Nothing in cache, insert new entry */
util_ald_cache_insert(curl->search_cache, &the_search_node);
}
/*
* Don't update lastbind on entries with bindpw because
* we haven't verified that password. It's OK to update
* the entry if there is no password in it.
*/
else if (!search_nodep->bindpw) {
/* Cache entry is valid, update lastbind */
search_nodep->lastbind = the_search_node.lastbind;
}
LDAP_CACHE_UNLOCK();
}
ldap_msgfree(res);
ldc->reason = "Search successful";
return LDAP_SUCCESS;
}
/*
* Reports if ssl support is enabled
*
* 1 = enabled, 0 = not enabled
*/
LDAP_DECLARE(int) util_ldap_ssl_supported(request_rec *r)
{
util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(
r->server->module_config, &ldap_module);
return(st->ssl_supported);
}
/* ---------------------------------------- */
/* config directives */
static const char *util_ldap_set_cache_bytes(cmd_parms *cmd, void *dummy, const char *bytes)
{
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
st->cache_bytes = atol(bytes);
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
"[%" APR_PID_T_FMT "] ldap cache: Setting shared memory "
" cache size to %" APR_SIZE_T_FMT " bytes.",
getpid(), st->cache_bytes);
return NULL;
}
static const char *util_ldap_set_cache_file(cmd_parms *cmd, void *dummy, const char *file)
{
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
if (file) {
st->cache_file = ap_server_root_relative(st->pool, file);
}
else {
st->cache_file = NULL;
}
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
"LDAP cache: Setting shared memory cache file to %s bytes.",
st->cache_file);
return NULL;
}
static const char *util_ldap_set_cache_ttl(cmd_parms *cmd, void *dummy, const char *ttl)
{
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
st->search_cache_ttl = atol(ttl) * 1000000;
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
"[%d] ldap cache: Setting cache TTL to %ld microseconds.",
getpid(), st->search_cache_ttl);
return NULL;
}
static const char *util_ldap_set_cache_entries(cmd_parms *cmd, void *dummy, const char *size)
{
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
st->search_cache_size = atol(size);
if (st->search_cache_size < 0) {
st->search_cache_size = 0;
}
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
"[%d] ldap cache: Setting search cache size to %ld entries.",
getpid(), st->search_cache_size);
return NULL;
}
static const char *util_ldap_set_opcache_ttl(cmd_parms *cmd, void *dummy, const char *ttl)
{
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
st->compare_cache_ttl = atol(ttl) * 1000000;
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
"[%d] ldap cache: Setting operation cache TTL to %ld microseconds.",
getpid(), st->compare_cache_ttl);
return NULL;
}
static const char *util_ldap_set_opcache_entries(cmd_parms *cmd, void *dummy, const char *size)
{
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
st->compare_cache_size = atol(size);
if (st->compare_cache_size < 0) {
st->compare_cache_size = 0;
}
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
"[%d] ldap cache: Setting operation cache size to %ld entries.",
getpid(), st->compare_cache_size);
return NULL;
}
/**
* Parse the certificate type.
*
* The type can be one of the following:
* CA_DER, CA_BASE64, CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64,
* CERT_KEY3_DB, CERT_NICKNAME, KEY_DER, KEY_BASE64
*
* If no matches are found, APR_LDAP_CA_TYPE_UNKNOWN is returned.
*/
static const int util_ldap_parse_cert_type(const char *type) {
/* Authority file in binary DER format */
if (0 == strcasecmp("CA_DER", type)) {
return APR_LDAP_CA_TYPE_DER;
}
/* Authority file in Base64 format */
else if (0 == strcasecmp("CA_BASE64", type)) {
return APR_LDAP_CA_TYPE_BASE64;
}
/* Netscape certificate database file/directory */
else if (0 == strcasecmp("CA_CERT7_DB", type)) {
return APR_LDAP_CA_TYPE_CERT7_DB;
}
/* Netscape secmod file/directory */
else if (0 == strcasecmp("CA_SECMOD", type)) {
return APR_LDAP_CA_TYPE_SECMOD;
}
/* Client cert file in DER format */
else if (0 == strcasecmp("CERT_DER", type)) {
return APR_LDAP_CERT_TYPE_DER;
}
/* Client cert file in Base64 format */
else if (0 == strcasecmp("CERT_BASE64", type)) {
return APR_LDAP_CERT_TYPE_BASE64;
}
/* Netscape client cert database file/directory */
else if (0 == strcasecmp("CERT_KEY3_DB", type)) {
return APR_LDAP_CERT_TYPE_KEY3_DB;
}
/* Netscape client cert nickname */
else if (0 == strcasecmp("CERT_NICKNAME", type)) {
return APR_LDAP_CERT_TYPE_NICKNAME;
}
/* Client cert key file in DER format */
else if (0 == strcasecmp("KEY_DER", type)) {
return APR_LDAP_KEY_TYPE_DER;
}
/* Client cert key file in Base64 format */
else if (0 == strcasecmp("KEY_BASE64", type)) {
return APR_LDAP_KEY_TYPE_BASE64;
}
else {
return APR_LDAP_CA_TYPE_UNKNOWN;
}
}
/**
* Set LDAPTrustedGlobalCert.
*
* This directive takes either two or three arguments:
* - certificate type
* - certificate file / directory / nickname
* - certificate password (optional)
*
* This directive may only be used globally.
*/
static const char *util_ldap_set_trusted_global_cert(cmd_parms *cmd, void *dummy, const char *type, const char *file, const char *password)
{
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
apr_finfo_t finfo;
apr_status_t rv;
int cert_type = 0;
apr_ldap_opt_tls_cert_t *cert;
if (err != NULL) {
return err;
}
/* handle the certificate type */
if (type) {
cert_type = util_ldap_parse_cert_type(type);
if (APR_LDAP_CA_TYPE_UNKNOWN == cert_type) {
return apr_psprintf(cmd->pool, "The certificate type %s is "
"not recognised. It should be one "
"of CA_DER, CA_BASE64, CA_CERT7_DB, "
"CA_SECMOD, CERT_DER, CERT_BASE64, "
"CERT_KEY3_DB, CERT_NICKNAME, "
"KEY_DER, KEY_BASE64", type);
}
}
else {
return "Certificate type was not specified.";
}
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
"LDAP: SSL trusted global cert - %s (type %s)",
file, type);
/* add the certificate to the global array */
cert = (apr_ldap_opt_tls_cert_t *)apr_array_push(st->global_certs);
cert->type = cert_type;
cert->path = file;
cert->password = password;
/* if file is a file or path, fix the path */
if (cert_type != APR_LDAP_CA_TYPE_UNKNOWN &&
cert_type != APR_LDAP_CERT_TYPE_NICKNAME) {
cert->path = ap_server_root_relative(cmd->pool, file);
if (cert->path &&
((rv = apr_stat (&finfo, cert->path, APR_FINFO_MIN, cmd->pool)) != APR_SUCCESS)) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, cmd->server,
"LDAP: Could not open SSL trusted certificate "
"authority file - %s",
cert->path == NULL ? file : cert->path);
return "Invalid global certificate file path";
}
}
return(NULL);
}
/**
* Set LDAPTrustedClientCert.
*
* This directive takes either two or three arguments:
* - certificate type
* - certificate file / directory / nickname
* - certificate password (optional)
*/
static const char *util_ldap_set_trusted_client_cert(cmd_parms *cmd, void *config, const char *type, const char *file, const char *password)
{
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
apr_finfo_t finfo;
apr_status_t rv;
int cert_type = 0;
apr_ldap_opt_tls_cert_t *cert;
/* handle the certificate type */
if (type) {
cert_type = util_ldap_parse_cert_type(type);
if (APR_LDAP_CA_TYPE_UNKNOWN == cert_type) {
return apr_psprintf(cmd->pool, "The certificate type \"%s\" is "
"not recognised. It should be one "
"of CERT_DER, CERT_BASE64, "
"CERT_NICKNAME, "
"KEY_DER, KEY_BASE64", type);
}
else if (APR_LDAP_CA_TYPE_DER == cert_type ||
APR_LDAP_CA_TYPE_BASE64 == cert_type ||
APR_LDAP_CA_TYPE_CERT7_DB == cert_type ||
APR_LDAP_CA_TYPE_SECMOD == cert_type ||
APR_LDAP_CERT_TYPE_KEY3_DB == cert_type) {
return apr_psprintf(cmd->pool, "The certificate type \"%s\" is "
"only valid within a "
"LDAPTrustedGlobalCert directive. "
"Only CERT_DER, CERT_BASE64, "
"CERT_NICKNAME, KEY_DER, and "
"KEY_BASE64 may be used.", type);
}
}
else {
return "Certificate type was not specified.";
}
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
"LDAP: SSL trusted client cert - %s (type %s)",
file, type);
/* add the certificate to the global array */
cert = (apr_ldap_opt_tls_cert_t *)apr_array_push(st->global_certs);
cert->type = cert_type;
cert->path = file;
cert->password = password;
/* if file is a file or path, fix the path */
if (cert_type != APR_LDAP_CA_TYPE_UNKNOWN &&
cert_type != APR_LDAP_CERT_TYPE_NICKNAME) {
cert->path = ap_server_root_relative(cmd->pool, file);
if (cert->path &&
((rv = apr_stat (&finfo, cert->path, APR_FINFO_MIN, cmd->pool)) != APR_SUCCESS)) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, cmd->server,
"LDAP: Could not open SSL client certificate "
"file - %s",
cert->path == NULL ? file : cert->path);
return "Invalid client certificate file path";
}
}
return(NULL);
}
/**
* Set LDAPTrustedMode.
*
* This directive sets what encryption mode to use on a connection:
* - None (No encryption)
* - SSL (SSL encryption)
* - STARTTLS (TLS encryption)
*/
static const char *util_ldap_set_trusted_mode(cmd_parms *cmd, void *dummy, const char *mode)
{
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
"LDAP: SSL trusted mode - %s",
mode);
if (0 == strcasecmp("NONE", mode)) {
st->secure = APR_LDAP_NONE;
}
else if (0 == strcasecmp("SSL", mode)) {
st->secure = APR_LDAP_SSL;
}
else if (0 == strcasecmp("TLS", mode) || 0 == strcasecmp("STARTTLS", mode)) {
st->secure = APR_LDAP_STARTTLS;
}
else {
return "Invalid LDAPTrustedMode setting: must be one of NONE, "
"SSL, or TLS/STARTTLS";
}
st->secure_set = 1;
return(NULL);
}
void *util_ldap_create_config(apr_pool_t *p, server_rec *s)
{
util_ldap_state_t *st =
(util_ldap_state_t *)apr_pcalloc(p, sizeof(util_ldap_state_t));
st->pool = p;
st->cache_bytes = 100000;
st->search_cache_ttl = 600000000;
st->search_cache_size = 1024;
st->compare_cache_ttl = 600000000;
st->compare_cache_size = 1024;
st->connections = NULL;
st->ssl_supported = 0;
st->global_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
st->client_certs = apr_array_make(p, 10, sizeof(apr_ldap_opt_tls_cert_t));
st->secure = APR_LDAP_NONE;
st->secure_set = 0;
return st;
}
static void *util_ldap_merge_config(apr_pool_t *p, void *basev, void *overridesv)
{
util_ldap_state_t *st = apr_pcalloc(p, sizeof(util_ldap_state_t));
util_ldap_state_t *base = (util_ldap_state_t *) basev;
util_ldap_state_t *overrides = (util_ldap_state_t *) overridesv;
st->pool = p;
st->cache_bytes = base->cache_bytes;
st->search_cache_ttl = base->search_cache_ttl;
st->search_cache_size = base->search_cache_size;
st->compare_cache_ttl = base->compare_cache_ttl;
st->compare_cache_size = base->compare_cache_size;
st->connections = base->connections;
st->ssl_supported = base->ssl_supported;
st->global_certs = apr_array_append(p, base->global_certs, overrides->global_certs);
st->client_certs = apr_array_append(p, base->client_certs, overrides->client_certs);
st->secure = (overrides->secure_set == 0) ? base->secure : overrides->secure;
return st;
}
static apr_status_t util_ldap_cleanup_module(void *data)
{
server_rec *s = data;
util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(
s->module_config, &ldap_module);
if (st->ssl_supported) {
apr_ldap_ssl_deinit();
}
return APR_SUCCESS;
}
static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog,
apr_pool_t *ptemp, server_rec *s)
{
apr_status_t result;
char buf[MAX_STRING_LEN];
server_rec *s_vhost;
util_ldap_state_t *st_vhost;
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(s->module_config, &ldap_module);
void *data;
const char *userdata_key = "util_ldap_init";
apr_ldap_err_t *result_err = NULL;
int rc;
/* util_ldap_post_config() will be called twice. Don't bother
* going through all of the initialization on the first call
* because it will just be thrown away.*/
apr_pool_userdata_get(&data, userdata_key, s->process->pool);
if (!data) {
apr_pool_userdata_set((const void *)1, userdata_key,
apr_pool_cleanup_null, s->process->pool);
#if APR_HAS_SHARED_MEMORY
/* If the cache file already exists then delete it. Otherwise we are
* going to run into problems creating the shared memory. */
if (st->cache_file) {
char *lck_file = apr_pstrcat (st->pool, st->cache_file, ".lck", NULL);
apr_file_remove(st->cache_file, ptemp);
apr_file_remove(lck_file, ptemp);
}
#endif
return OK;
}
#if APR_HAS_SHARED_MEMORY
/* initializing cache if shared memory size is not zero and we already don't have shm address */
if (!st->cache_shm && st->cache_bytes > 0) {
#endif
result = util_ldap_cache_init(p, st);
if (result != APR_SUCCESS) {
apr_strerror(result, buf, sizeof(buf));
ap_log_error(APLOG_MARK, APLOG_ERR, result, s,
"LDAP cache: error while creating a shared memory segment: %s", buf);
}
#if APR_HAS_SHARED_MEMORY
if (st->cache_file) {
st->lock_file = apr_pstrcat (st->pool, st->cache_file, ".lck", NULL);
}
else
#endif
st->lock_file = ap_server_root_relative(st->pool, tmpnam(NULL));
result = apr_global_mutex_create(&st->util_ldap_cache_lock, st->lock_file, APR_LOCK_DEFAULT, st->pool);
if (result != APR_SUCCESS) {
return result;
}
#ifdef AP_NEED_SET_MUTEX_PERMS
result = unixd_set_global_mutex_perms(st->util_ldap_cache_lock);
if (result != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_CRIT, result, s,
"LDAP cache: failed to set mutex permissions");
return result;
}
#endif
/* merge config in all vhost */
s_vhost = s->next;
while (s_vhost) {
st_vhost = (util_ldap_state_t *)ap_get_module_config(s_vhost->module_config, &ldap_module);
#if APR_HAS_SHARED_MEMORY
st_vhost->cache_shm = st->cache_shm;
st_vhost->cache_rmm = st->cache_rmm;
st_vhost->cache_file = st->cache_file;
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, result, s,
"LDAP merging Shared Cache conf: shm=0x%pp rmm=0x%pp for VHOST: %s",
st->cache_shm, st->cache_rmm, s_vhost->server_hostname);
#endif
st_vhost->lock_file = st->lock_file;
s_vhost = s_vhost->next;
}
#if APR_HAS_SHARED_MEMORY
}
else {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "LDAP cache: LDAPSharedCacheSize is zero, disabling shared memory cache");
}
#endif
/* log the LDAP SDK used
*/
{
apr_ldap_err_t *result = NULL;
apr_ldap_info(p, &(result));
if (result != NULL) {
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, "%s", result->reason);
}
}
apr_pool_cleanup_register(p, s, util_ldap_cleanup_module,
util_ldap_cleanup_module);
/*
* Initialize SSL support, and log the result for the benefit of the admin.
*
* If SSL is not supported it is not necessarily an error, as the
* application may not want to use it.
*/
rc = apr_ldap_ssl_init(p,
NULL,
0,
&(result_err));
if (APR_SUCCESS == rc) {
rc = apr_ldap_set_option(p, NULL, APR_LDAP_OPT_TLS_CERT,
(void *)st->global_certs, &(result_err));
}
if (APR_SUCCESS == rc) {
st->ssl_supported = 1;
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
"LDAP: SSL support available" );
}
else {
st->ssl_supported = 0;
if (NULL != result_err) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "%s", result_err->reason);
}
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
"LDAP: SSL support unavailable" );
}
return(OK);
}
static void util_ldap_child_init(apr_pool_t *p, server_rec *s)
{
apr_status_t sts;
util_ldap_state_t *st = ap_get_module_config(s->module_config, &ldap_module);
if (!st->util_ldap_cache_lock) return;
sts = apr_global_mutex_child_init(&st->util_ldap_cache_lock, st->lock_file, p);
if (sts != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_CRIT, sts, s,
"Failed to initialise global mutex %s in child process %"
APR_PID_T_FMT
".",
st->lock_file, getpid());
return;
}
else {
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, s,
"Initialisation of global mutex %s in child process %"
APR_PID_T_FMT
" successful.",
st->lock_file, getpid());
}
}
command_rec util_ldap_cmds[] = {
AP_INIT_TAKE1("LDAPSharedCacheSize", util_ldap_set_cache_bytes, NULL, RSRC_CONF,
"Sets the size of the shared memory cache in bytes. "
"Zero means disable the shared memory cache. Defaults to 100KB."),
AP_INIT_TAKE1("LDAPSharedCacheFile", util_ldap_set_cache_file, NULL, RSRC_CONF,
"Sets the file of the shared memory cache."
"Nothing means disable the shared memory cache."),
AP_INIT_TAKE1("LDAPCacheEntries", util_ldap_set_cache_entries, NULL, RSRC_CONF,
"Sets the maximum number of entries that are possible in the LDAP "
"search cache. "
"Zero means no limit; -1 disables the cache. Defaults to 1024 entries."),
AP_INIT_TAKE1("LDAPCacheTTL", util_ldap_set_cache_ttl, NULL, RSRC_CONF,
"Sets the maximum time (in seconds) that an item can be cached in the LDAP "
"search cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."),
AP_INIT_TAKE1("LDAPOpCacheEntries", util_ldap_set_opcache_entries, NULL, RSRC_CONF,
"Sets the maximum number of entries that are possible in the LDAP "
"compare cache. "
"Zero means no limit; -1 disables the cache. Defaults to 1024 entries."),
AP_INIT_TAKE1("LDAPOpCacheTTL", util_ldap_set_opcache_ttl, NULL, RSRC_CONF,
"Sets the maximum time (in seconds) that an item is cached in the LDAP "
"operation cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."),
AP_INIT_TAKE23("LDAPTrustedGlobalCert", util_ldap_set_trusted_global_cert, NULL, RSRC_CONF,
"Sets the file and/or directory containing the trusted "
"certificate authority certificates, and global client "
"certificates (Netware). Used to validate the LDAP server "
"certificate for SSL/TLS connections. "
"The following types are supported: "
" CA_DER - Authority file in binary DER format "
" CA_BASE64 - Authority file in Base64 format "
" CA_CERT7_DB - Netscape certificate database file/directory "
" CA_SECMOD - Netscape secmod file/directory "
" CERT_DER - Client cert file in DER format "
" CERT_BASE64 - Client cert file in Base64 format "
" CERT_KEY3_DB - Netscape client cert database file/directory "
" CERT_NICKNAME - Netscape client cert nickname "
" KEY_DER - Client cert key file in DER format "
" KEY_BASE64 - Client cert key file in Base64 format "),
AP_INIT_TAKE23("LDAPTrustedClientCert", util_ldap_set_trusted_client_cert, NULL, OR_ALL,
"Specifies a file containing a client certificate or private "
"key, or the ID of the certificate to usethe type of the Certificate Authority file. "
"The following types are supported: "
" CA_DER - Authority file in binary DER format "
" CA_BASE64 - Authority file in Base64 format "
" CA_CERT7_DB - Netscape certificate database file/directory "
" CA_SECMOD - Netscape secmod file/directory "
" CERT_DER - Client cert file in DER format "
" CERT_BASE64 - Client cert file in Base64 format "
" CERT_KEY3_DB - Netscape client cert database file/directory "
" CERT_NICKNAME - Netscape client cert nickname "
" KEY_DER - Client cert key file in DER format "
" KEY_BASE64 - Client cert key file in Base64 format "),
AP_INIT_TAKE1("LDAPTrustedMode", util_ldap_set_trusted_mode, NULL, OR_ALL,
"Specifies the type of security that should be applied to "
"an LDAP connection. The types supported are: "
" NONE - no encryption enabled "
" SSL - SSL encryption enabled (forced by ldaps://) "
" STARTTLS - STARTTLS MUST be enabled "),
{NULL}
};
static void util_ldap_register_hooks(apr_pool_t *p)
{
ap_hook_post_config(util_ldap_post_config,NULL,NULL,APR_HOOK_MIDDLE);
ap_hook_handler(util_ldap_handler, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_child_init(util_ldap_child_init, NULL, NULL, APR_HOOK_MIDDLE);
}
module ldap_module = {
STANDARD20_MODULE_STUFF,
NULL, /* dir config creater */
NULL, /* dir merger --- default is to override */
util_ldap_create_config, /* server config */
util_ldap_merge_config, /* merge server config */
util_ldap_cmds, /* command table */
util_ldap_register_hooks, /* set up request processing hooks */
};