util_ldap.c revision 3a11074e78d5961088e8f5520ba3cec163faed9c
/* Copyright 2001-2004 The Apache Software Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/*
* util_ldap.c: LDAP things
*
* Original code from auth_ldap module for Apache v1.3:
* Copyright 1998, 1999 Enbridge Pipelines Inc.
* Copyright 1999-2001 Dave Carrigan
*/
#include <apr_ldap.h>
#include <apr_strings.h>
#include "ap_config.h"
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"
#include "util_ldap.h"
#include "util_ldap_cache.h"
#include <unistd.h>
#endif
#if !APR_HAS_LDAP
#endif
/* defines for certificate file types
*/
#define LDAP_CA_TYPE_UNKNOWN 0
#define LDAP_CA_TYPE_DER 1
#define LDAP_CA_TYPE_BASE64 2
#define LDAP_CA_TYPE_CERT7_DB 3
int util_ldap_handler(request_rec *r);
/*
* Some definitions to help between various versions of apache.
*/
#ifndef DOCTYPE_HTML_2_0
#define DOCTYPE_HTML_2_0 "<!DOCTYPE HTML PUBLIC \"-//IETF//" \
"DTD HTML 2.0//EN\">\n"
#endif
#ifndef DOCTYPE_HTML_3_2
#define DOCTYPE_HTML_3_2 "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
"DTD HTML 3.2 Final//EN\">\n"
#endif
#ifndef DOCTYPE_HTML_4_0S
#define DOCTYPE_HTML_4_0S "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
"DTD HTML 4.0//EN\"\n" \
#endif
#ifndef DOCTYPE_HTML_4_0T
#define DOCTYPE_HTML_4_0T "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
"DTD HTML 4.0 Transitional//EN\"\n" \
#endif
#ifndef DOCTYPE_HTML_4_0F
#define DOCTYPE_HTML_4_0F "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
"DTD HTML 4.0 Frameset//EN\"\n" \
#endif
#define LDAP_CACHE_LOCK() \
#define LDAP_CACHE_UNLOCK() \
{
if (*str) {
}
if (newstr) {
}
}
/*
* Status Handler
* --------------
*
* This handler generates a status page about the current performance of
* the LDAP cache. It is enabled as follows:
*
* <Location /ldap-status>
* SetHandler ldap-status
* </Location>
*
*/
int util_ldap_handler(request_rec *r)
{
util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(r->server->module_config, &ldap_module);
if (r->method_number != M_GET)
return DECLINED;
return DECLINED;
}
r->content_type = "text/html";
if (r->header_only)
return OK;
"<html><head><title>LDAP Cache Information</title></head>\n", r);
ap_rputs("<body bgcolor='#ffffff'><h1 align=center>LDAP Cache Information</h1>\n", r);
util_ald_cache_display(r, st);
return OK;
}
/* ------------------------------------------------------------------ */
/*
* Closes an LDAP connection by unlocking it. The next time
* util_ldap_connection_find() is called this connection will be
* available for reuse.
*/
{
/*
* QUESTION:
*
* Is it safe leaving bound connections floating around between the
* different modules? Keeping the user bound is a performance boost,
* but it is also a potential security problem - maybe.
*
* For now we unbind the user when we finish with a connection, but
* we don't have to...
*/
/* mark our connection as available for reuse */
#if APR_HAS_THREADS
#endif
}
/*
* Destroys an LDAP connection by unbinding and closing the connection to
* the LDAP server. It is used to bring the connection back to a known
* state after an error, and during pool cleanup.
*/
{
if (ldc) {
}
}
return APR_SUCCESS;
}
/*
* Clean up an LDAP connection by unbinding and unlocking the connection.
* This function is registered with the pool cleanup function - causing
* the LDAP connections to be shut down cleanly on graceful restart.
*/
{
if (ldc) {
/* unbind and disconnect from the LDAP server */
/* free the username and password */
}
}
/* unlock this entry */
}
return APR_SUCCESS;
}
/*
* Connect to the LDAP server and binds. Does not connect if already
* connected (i.e. ldc->ldap is non-NULL.) Does not bind if already bound.
*
* Returns LDAP_SUCCESS on success; and an error code on failure
*/
{
int result = 0;
int failures = 0;
int version = LDAP_VERSION3;
/* If the connection is already bound, return
*/
{
return LDAP_SUCCESS;
}
/* create the ldap session handle
*/
{
}
{
return(-1);
}
/* Set the alias dereferencing option */
/* always default to LDAP V3 */
}
/* loop trying to bind up to 10 times if LDAP_SERVER_DOWN error is
* returned. Break out of the loop on Success or any other error.
*
* NOTE: Looping is probably not a great idea. If the server isn't
* responding the chances it will respond after a few tries are poor.
* However, the original code looped and it only happens on
* the error condition.
*/
{
if (LDAP_SERVER_DOWN != result)
break;
}
/* free the handle if there was an error
*/
if (LDAP_SUCCESS != result)
{
}
else {
}
return(result);
}
/*
* Find an existing ldap connection struct that matches the
* provided ldap connection parameters.
*
* If not found in the cache, a new ldc structure will be allocated from st->pool
* and returned to the caller. If found in the cache, a pointer to the existing
* ldc structure will be returned.
*/
LDAP_DECLARE(util_ldap_connection_t *)util_ldap_connection_find(request_rec *r, const char *host, int port,
int secure )
{
struct util_ldap_connection_t *l, *p; /* To traverse the linked list */
&ldap_module);
#if APR_HAS_THREADS
/* mutex lock this function */
}
#endif
/* Search for an exact connection match in the list that is not
* being used.
*/
#if APR_HAS_THREADS
#endif
break;
}
#if APR_HAS_THREADS
/* If this connection didn't match the criteria, then we
* need to unlock the mutex so it is available to be reused.
*/
}
#endif
p = l;
}
/* If nothing found, search again, but we don't care about the
* binddn and bindpw this time.
*/
if (!l) {
#if APR_HAS_THREADS
#endif
/* the bind credentials have changed */
l->bound = 0;
break;
}
#if APR_HAS_THREADS
/* If this connection didn't match the criteria, then we
* need to unlock the mutex so it is available to be reused.
*/
}
#endif
p = l;
}
}
/* artificially disable cache */
/* l = NULL; */
/* If no connection what found after the second search, we
* must create one.
*/
if (!l) {
/*
* Add the new connection entry to the linked list. Note that we
* don't actually establish an LDAP connection yet; that happens
* the first time authentication is requested.
*/
/* create the details to the pool in st */
#if APR_HAS_THREADS
#endif
l->bound = 0;
/* add the cleanup to the pool */
apr_pool_cleanup_register(l->pool, l,
if (p) {
p->next = l;
}
else {
st->connections = l;
}
}
#if APR_HAS_THREADS
#endif
return l;
}
/* ------------------------------------------------------------------ */
/*
* Compares two DNs to see if they're equal. The only way to do this correctly is to
* search for the dn and then do ldap_get_dn() on the result. This should match the
* initial dn, since it would have been also retrieved with ldap_get_dn(). This is
* expensive, so if the configuration value compare_dn_on_server is
* false, just does an ordinary strcmp.
*
* The lock for the ldap cache should already be acquired.
*/
int compare_dn_on_server)
{
int result = 0;
int failures = 0;
char *searchdn;
util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(r->server->module_config, &ldap_module);
/* get cache entry (or create one) */
}
/* a simple compare? */
if (!compare_dn_on_server) {
/* unlock this read lock */
return LDAP_COMPARE_FALSE;
}
else {
return LDAP_COMPARE_TRUE;
}
}
if (curl) {
/* no - it's a server side compare */
/* is it in the compare cache? */
/* If it's in the cache, it's good */
/* unlock this read lock */
return LDAP_COMPARE_TRUE;
}
/* unlock this read lock */
}
if (failures++ > 10) {
/* too many failures */
return result;
}
/* make a server connection */
/* connect to server failed */
return result;
}
/* search for reqdn */
goto start_over;
}
if (result != LDAP_SUCCESS) {
/* search for reqdn failed - no match */
return result;
}
/* compare unsuccessful */
}
else {
if (curl) {
/* compare successful - add to the compare cache */
}
}
}
return result;
}
/*
* Does an generic ldap_compare operation. It accepts a cache that it will use
* to lookup the compare in the cache. We cache two kinds of compares
* (require group compares) and (require user compares). Each compare has a different
* cache node: require group includes the DN; require user does not because the
* require user cache is owned by the
*
*/
{
int result = 0;
int failures = 0;
&ldap_module);
/* get cache entry (or create one) */
}
if (curl) {
/* make a comparison to the cache */
curtime = apr_time_now();
the_compare_node.result = 0;
if (compare_nodep != NULL) {
/* found it... */
/* ...but it is too old */
}
else {
/* ...and it is good */
/* unlock this read lock */
return compare_nodep->result;
}
return compare_nodep->result;
}
return compare_nodep->result;
}
else {
return compare_nodep->result;
}
}
}
/* unlock this read lock */
}
if (failures++ > 10) {
/* too many failures */
return result;
}
/* connect failed */
return result;
}
== LDAP_SERVER_DOWN) {
/* connection failed - try again */
goto start_over;
}
if ((LDAP_COMPARE_TRUE == result) ||
(LDAP_COMPARE_FALSE == result) ||
(LDAP_NO_SUCH_ATTRIBUTE == result)) {
if (curl) {
/* compare completed; caching result */
/* If the node doesn't exist then insert it, otherwise just update it with
the last results */
if ((compare_nodep == NULL) ||
}
else {
}
}
if (LDAP_COMPARE_TRUE == result) {
return LDAP_COMPARE_TRUE;
}
else if (LDAP_COMPARE_FALSE == result) {
return LDAP_COMPARE_FALSE;
}
else {
return LDAP_NO_SUCH_ATTRIBUTE;
}
}
return result;
}
const char ***retvals)
{
int result = 0;
char *dn;
int count;
int failures = 0;
&ldap_module);
/* Get the cache node for this url */
}
if (curl) {
/* found entry in search cache... */
curtime = apr_time_now();
/*
* Remove this item from the cache if its expired, or if the
* sent password doesn't match the storepassword.
*/
/* ...but entry is too old */
}
/* ...but cached password doesn't match sent password */
}
else {
/* ...and entry is valid */
return LDAP_SUCCESS;
}
}
/* unlock this read lock */
}
/*
* At this point, there is no valid cached search, so lets do the search.
*/
/*
* If any LDAP operation fails due to LDAP_SERVER_DOWN, control returns here.
*/
if (failures++ > 10) {
return result;
}
return result;
}
/* try do the search */
goto start_over;
}
/* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
if (result != LDAP_SUCCESS) {
return result;
}
/*
* We should have found exactly one entry; to find a different
* number is an error.
*/
if (count != 1)
{
if (count == 0 )
else
return LDAP_NO_SUCH_OBJECT;
}
/* Grab the dn, copy it into the pool, and free it again */
/*
* A bind to the server with an empty password always succeeds, so
* we check to ensure that the password is not empty. This implies
* that users who actually do have empty passwords will never be
* able to authenticate with this module. I don't see this as a big
* problem.
*/
return LDAP_INVALID_CREDENTIALS;
}
/*
* Attempt to bind with the retrieved dn and the password. If the bind
* fails, it means that the password is wrong (the dn obviously
* exists, since we just retrieved it)
*/
if ((result =
goto start_over;
}
/* failure? if so - return */
if (result != LDAP_SUCCESS) {
return result;
}
else {
/*
* We have just bound the connection to a different user and password
* combination, which might be reused unintentionally next time this
* connection is used from the connection pool. To ensure no confusion,
* we mark the connection as unbound.
*/
}
/*
* Get values for the provided attributes.
*/
if (attrs) {
int k = 0;
int i = 0;
while (attrs[k++]);
while (attrs[i]) {
char **values;
int j = 0;
/* get values */
j++;
}
i++;
}
}
/*
* Add the new username to the search cache.
*/
if (curl) {
/* Search again to make sure that another thread didn't ready insert this node
into the cache before we got here. If it does exist then update the lastbind */
if ((search_nodep == NULL) ||
}
else {
}
}
return LDAP_SUCCESS;
}
/*
* Reports if ssl support is enabled
*
* 1 = enabled, 0 = not enabled
*/
{
return(st->ssl_support);
}
/* ---------------------------------------- */
/* config directives */
{
&ldap_module);
return NULL;
}
{
&ldap_module);
if (file) {
}
else {
}
"LDAP cache: Setting shared memory cache file to %s bytes.",
st->cache_file);
return NULL;
}
{
&ldap_module);
"[%d] ldap cache: Setting cache TTL to %ld microseconds.",
return NULL;
}
{
&ldap_module);
if (st->search_cache_size < 0) {
st->search_cache_size = 0;
}
"[%d] ldap cache: Setting search cache size to %ld entries.",
return NULL;
}
{
&ldap_module);
"[%d] ldap cache: Setting operation cache TTL to %ld microseconds.",
return NULL;
}
{
&ldap_module);
if (st->compare_cache_size < 0) {
st->compare_cache_size = 0;
}
"[%d] ldap cache: Setting operation cache size to %ld entries.",
return NULL;
}
{
&ldap_module);
return err;
}
"LDAP: SSL trusted certificate authority file - %s",
file);
if (st->cert_auth_file &&
{
"LDAP: Could not open SSL trusted certificate authority file - %s",
return "Invalid file path";
}
return(NULL);
}
{
&ldap_module);
return err;
}
"LDAP: SSL trusted certificate authority file type - %s",
Type);
else
return(NULL);
}
{
st->ssl_support = 0;
return st;
}
{
server_rec *s = data;
s->module_config, &ldap_module);
if (st->ssl_support) {
}
return APR_SUCCESS;
}
{
char buf[MAX_STRING_LEN];
void *data;
const char *userdata_key = "util_ldap_init";
/* util_ldap_post_config() will be called twice. Don't bother
* going through all of the initialization on the first call
* because it will just be thrown away.*/
if (!data) {
/* If the cache file already exists then delete it. Otherwise we are
* going to run into problems creating the shared memory. */
if (st->cache_file) {
}
#endif
return OK;
}
/* initializing cache if shared memory size is not zero and we already don't have shm address */
#endif
if (result != APR_SUCCESS) {
"LDAP cache: error while creating a shared memory segment: %s", buf);
}
if (st->cache_file) {
}
else
#endif
result = apr_global_mutex_create(&st->util_ldap_cache_lock, st->lock_file, APR_LOCK_DEFAULT, st->pool);
if (result != APR_SUCCESS) {
return result;
}
/* merge config in all vhost */
while (s_vhost) {
"LDAP merging Shared Cache conf: shm=0x%pp rmm=0x%pp for VHOST: %s",
#endif
}
}
else {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "LDAP cache: LDAPSharedCacheSize is zero, disabling shared memory cache");
}
#endif
/* log the LDAP SDK used
*/
{
apr_ldap_info(p, &(result));
}
}
/* initialize SSL support if requested
*/
if (st->cert_auth_file) {
int rc = apr_ldap_ssl_init(p,
&(result));
if (LDAP_SUCCESS == rc) {
}
st->ssl_support = 0;
}
}
/* log SSL status - If SSL isn't available it isn't necessarily
* an error because the modules asking for LDAP connections
* may not ask for SSL support
*/
if (st->ssl_support) {
"LDAP: SSL support available" );
}
else {
"LDAP: SSL support unavailable" );
}
return(OK);
}
{
if (sts != APR_SUCCESS) {
return;
}
else {
}
}
command_rec util_ldap_cmds[] = {
"Sets the size of the shared memory cache in bytes. "
"Zero means disable the shared memory cache. Defaults to 100KB."),
"Sets the file of the shared memory cache."
"Nothing means disable the shared memory cache."),
"Sets the maximum number of entries that are possible in the LDAP "
"search cache. "
"Zero means no limit; -1 disables the cache. Defaults to 1024 entries."),
"Sets the maximum time (in seconds) that an item can be cached in the LDAP "
"search cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."),
"Sets the maximum number of entries that are possible in the LDAP "
"compare cache. "
"Zero means no limit; -1 disables the cache. Defaults to 1024 entries."),
"Sets the maximum time (in seconds) that an item is cached in the LDAP "
"operation cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."),
"Sets the file containing the trusted Certificate Authority certificate. "
"Used to validate the LDAP server certificate for SSL connections."),
"Specifies the type of the Certificate Authority file. "
"The following types are supported: "
" DER_FILE - file in binary DER format "
" BASE64_FILE - file in Base64 format "
" CERT7_DB_PATH - Netscape certificate database file "),
{NULL}
};
static void util_ldap_register_hooks(apr_pool_t *p)
{
}
module ldap_module = {
NULL, /* dir config creater */
NULL, /* dir merger --- default is to override */
util_ldap_create_config, /* server config */
NULL, /* merge server config */
util_ldap_cmds, /* command table */
util_ldap_register_hooks, /* set up request processing hooks */
};