util_ldap.c revision 89342f4a895e67868f8fe37a0ac77f1dd9f91868
/* ====================================================================
* The Apache Software License, Version 1.1
*
* Copyright (c) 2000-2001 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* distribution.
*
* 3. The end-user documentation included with the redistribution,
* if any, must include the following acknowledgment:
* "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowledgment may appear in the software itself,
* if and wherever such third-party acknowledgments normally appear.
*
* 4. The names "Apache" and "Apache Software Foundation" must
* not be used to endorse or promote products derived from this
* software without prior written permission. For written
* permission, please contact apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache",
* nor may "Apache" appear in their name, without prior written
* permission of the Apache Software Foundation.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
*/
/*
* util_ldap.c: LDAP things
*
* Original code from auth_ldap module for Apache v1.3:
* Copyright 1998, 1999 Enbridge Pipelines Inc.
* Copyright 1999-2001 Dave Carrigan
*/
/*
* FIXME:
*
* - The compare cache presently does not have the ability to
* cache negatively. This has the negative effect of requiring
* a connect/bind/compare/unbind/disconnect when two or more
* atrributes are optional for group membership, and performance
* sucks as a result.
*/
#include <apr_ldap.h>
#ifdef APU_HAS_LDAP
#include <apr_lock.h>
#include <apr_strings.h>
#include "ap_config.h"
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"
#include "util_ldap.h"
#include "util_ldap_cache.h"
#include <unistd.h>
int util_ldap_handler(request_rec *r);
/*
* Some definitions to help between various versions of apache.
*/
#ifndef DOCTYPE_HTML_2_0
#define DOCTYPE_HTML_2_0 "<!DOCTYPE HTML PUBLIC \"-//IETF//" \
"DTD HTML 2.0//EN\">\n"
#endif
#ifndef DOCTYPE_HTML_3_2
#define DOCTYPE_HTML_3_2 "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
"DTD HTML 3.2 Final//EN\">\n"
#endif
#ifndef DOCTYPE_HTML_4_0S
#define DOCTYPE_HTML_4_0S "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
"DTD HTML 4.0//EN\"\n" \
#endif
#ifndef DOCTYPE_HTML_4_0T
#define DOCTYPE_HTML_4_0T "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
"DTD HTML 4.0 Transitional//EN\"\n" \
#endif
#ifndef DOCTYPE_HTML_4_0F
#define DOCTYPE_HTML_4_0F "<!DOCTYPE HTML PUBLIC \"-//W3C//" \
"DTD HTML 4.0 Frameset//EN\"\n" \
#endif
/*
* Status Handler
* --------------
*
* This handler generates a status page about the current performance of
* the LDAP cache. It is enabled as follows:
*
* <Location /ldap-status>
* SetHandler ldap-status
* </Location>
*
*/
int util_ldap_handler(request_rec *r)
{
if (r->method_number != M_GET)
return DECLINED;
return DECLINED;
}
r->content_type = "text/html";
if (r->header_only)
return OK;
"<html><head><title>LDAP Cache Information</title></head>\n", r);
ap_rputs("<body bgcolor='#ffffff'><h1 align=center>LDAP Cache Information</h1>\n", r);
ap_rputs("<p>\n"
"<table border='0'>\n"
"<tr bgcolor='#000000'>\n"
"<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Cache Name</b></font></td>"
"<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Entries</b></font></td>"
"<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Avg. Chain Len.</b></font></td>"
"<td colspan='2'><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Hits</b></font></td>"
"<td colspan='2'><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Purges</b></font></td>"
"<td><font size='-1' face='Arial,Helvetica' color='#ffffff'><b>Avg Purge Time</b></font></td>"
"</tr>\n", r
);
ap_rputs("</table>\n</p>\n", r);
return OK;
}
/* ------------------------------------------------------------------ */
/*
* Closes an LDAP connection by unlocking it. The next time
* util_ldap_connection_find() is called this connection will be
* available for reuse.
*/
{
/*
* QUESTION:
*
* Is it safe leaving bound connections floating around between the
* different modules? Keeping the user bound is a performance boost,
* but it is also a potential security problem - maybe.
*
* For now we unbind the user when we finish with a connection, but
* we don't have to...
*/
/* mark our connection as available for reuse */
}
/*
* Destroys an LDAP connection by unbinding. This function is registered
* with the pool cleanup function - causing the LDAP connections to be
* shut down cleanly on thread exit.
*/
{
/* unbinding from the LDAP server */
}
/* release the lock we were using */
return APR_SUCCESS;
}
/*
* Connect to the LDAP server and binds. Does not connect if already
* connected (i.e. ldc->ldap is non-NULL.) Does not bind if already bound.
*
* Returns LDAP_SUCCESS on success; and an error code on failure
*/
{
int result = 0;
int failures = 0;
if (failures++ > 10) {
/* too many failures - leave */
return result;
}
/* opening connection to LDAP server */
/* couldn't connect */
return -1;
}
/* add the cleanup to the pool */
/* Set the alias dereferencing option */
#if LDAP_VERSION_MAX == 2
#else
if (result != LDAP_SUCCESS) {
/* setting LDAP dereference option failed */
/* we ignore this error */
}
#endif /* LDAP_VERSION_MAX */
#ifdef APU_HAS_LDAP_NETSCAPE_SSL
if (ldc->netscapessl) {
/* secure LDAP requested, but no CA cert defined */
return -1;
} else {
if (result != LDAP_SUCCESS) {
/* SSL initialisation failed */
return result;
}
if (result != LDAP_SUCCESS) {
/* SSL option failed */
return result;
}
}
}
#endif /* APU_HAS_LDAP_NETSCAPE_SSL */
#ifdef APU_HAS_LDAP_STARTTLS
int version = LDAP_VERSION3;
/* Also we have to set the connection to use protocol version 3,
* since we're using TLS. */
&version)) != LDAP_SUCCESS) {
/* setting LDAP version failed - ignore error */
}
/*
* In util_ldap_connection_find, we compare ldc->withtls to
* sec->starttls to see if we have a cache match. On the off
* chance that apache's config processing rotines set starttls to
* some other true value besides 1, we set it to 1 here to ensure
* that the comparison succeeds.
*/
if (result != LDAP_SUCCESS) {
/* start TLS failed */
return result;
}
} else {
}
#endif /* APU_HAS_LDAP_STARTTLS */
}
/*
* At this point the LDAP connection is guaranteed alive. If bound says
* that we're bound already, we can just return.
*/
return LDAP_SUCCESS;
}
/*
* configuration. It will be an anonymous bind if no u/p was
* provided.
*/
== LDAP_SERVER_DOWN) {
/* couldn't connect - try again */
goto start_over;
}
if (result != LDAP_SUCCESS) {
/* LDAP fatal error occured */
return result;
}
/* note how we are bound */
return LDAP_SUCCESS;
}
/*
* Find an existing ldap connection struct that matches the
* provided ldap connection parameters.
*
* If not found in the cache, a new ldc structure will be allocated from st->pool
* and returned to the caller. If found in the cache, a pointer to the existing
* ldc structure will be returned.
*/
int netscapessl, int starttls)
{
struct util_ldap_connection_t *l, *p; /* To traverse the linked list */
&ldap_module);
/* mutex lock this function */
}
/* Search for an exact connection match in the list that is not
* being used.
*/
#ifdef APU_HAS_LDAP_NETSCAPE_SSL
&& l->netscapessl == netscapessl
#endif
#ifdef APU_HAS_LDAP_STARTTLS
#endif
)
break;
p = l;
}
/* If nothing found, search again, but we don't care about the
* binddn and bindpw this time.
*/
if (!l) {
#ifdef APU_HAS_LDAP_NETSCAPE_SSL
&& l->netscapessl == netscapessl
#endif
#ifdef APU_HAS_LDAP_STARTTLS
#endif
) {
/* the bind credentials have changed */
l->bound = 0;
break;
}
p = l;
}
}
/* artificially disable cache */
//l = NULL;
/* If no connection what found after the second search, we
* must create one.
*/
if (!l) {
/*
* Add the new connection entry to the linked list. Note that we
* don't actually establish an LDAP connection yet; that happens
* the first time authentication is requested.
*/
/* create the details to the pool in st */
apr_lock_acquire(l->lock);
l->bound = 0;
l->netscapessl = netscapessl;
l->withtls = 0;
if (p) {
p->next = l;
}
else {
st->connections = l;
}
}
return l;
}
/* ------------------------------------------------------------------ */
/*
* Compares two DNs to see if they're equal. The only way to do this correctly is to
* search for the dn and then do ldap_get_dn() on the result. This should match the
* initial dn, since it would have been also retrieved with ldap_get_dn(). This is
* expensive, so if the configuration value compare_dn_on_server is
* false, just does an ordinary strcmp.
*
* The lock for the ldap cache should already be acquired.
*/
int compare_dn_on_server)
{
int result = 0;
int failures = 0;
char *searchdn;
&ldap_module);
/* read lock this function */
if (!util_ldap_cache_lock) {
}
/* get cache entry (or create one) */
}
/* a simple compare? */
if (!compare_dn_on_server) {
/* unlock this read lock */
return LDAP_COMPARE_FALSE;
}
else {
return LDAP_COMPARE_TRUE;
}
}
/* no - it's a server side compare */
/* is it in the compare cache? */
/* If it's in the cache, it's good */
/* unlock this read lock */
return LDAP_COMPARE_TRUE;
}
/* unlock this read lock */
if (failures++ > 10) {
/* too many failures */
return result;
}
/* make a server connection */
/* connect to server failed */
return result;
}
/* search for reqdn */
goto start_over;
}
if (result != LDAP_SUCCESS) {
/* search for reqdn failed - no match */
return result;
}
/* compare unsuccessful */
}
else {
/* compare successful - add to the compare cache */
}
return result;
}
/*
* Does an generic ldap_compare operation. It accepts a cache that it will use
* to lookup the compare in the cache. We cache two kinds of compares
* (require group compares) and (require user compares). Each compare has a different
* cache node: require group includes the DN; require user does not because the
* require user cache is owned by the
*
*/
{
int result = 0;
int failures = 0;
&ldap_module);
/* read lock this function */
if (!util_ldap_cache_lock) {
}
/* get cache entry (or create one) */
}
/* make a comparison to the cache */
curtime = apr_time_now();
if (compare_nodep != NULL) {
/* found it... */
/* ...but it is too old */
}
else {
/* ...and it is good */
/* unlock this read lock */
return LDAP_COMPARE_TRUE;
}
}
/* unlock this read lock */
if (failures++ > 10) {
/* too many failures */
return result;
}
/* connect failed */
return result;
}
== LDAP_SERVER_DOWN) {
/* connection failed - try again */
goto start_over;
}
if (result == LDAP_COMPARE_TRUE) {
/* compare succeeded; caching result */
}
return result;
}
{
int result = 0;
char *dn;
int count;
int failures = 0;
&ldap_module);
/* read lock this function */
if (!util_ldap_cache_lock) {
}
/* Get the cache node for this url */
}
/* found entry in search cache... */
curtime = apr_time_now();
/*
* Remove this item from the cache if its expired, or if the
* sent password doesn't match the storepassword.
*/
/* ...but entry is too old */
}
/* ...but cached password doesn't match sent password */
}
else {
/* ...and entry is valid */
return LDAP_SUCCESS;
}
}
/* unlock this read lock */
/*
* At this point, there is no valid cached search, so lets do the search.
*/
/*
* If any LDAP operation fails due to LDAP_SERVER_DOWN, control returns here.
*/
if (failures++ > 10) {
return result;
}
return result;
}
/* try do the search */
goto start_over;
}
/* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
if (result != LDAP_SUCCESS) {
return result;
}
/*
* We should have found exactly one entry; to find a different
* number is an error.
*/
if (count != 1) {
return LDAP_NO_SUCH_OBJECT;
}
/* Grab the dn, copy it into the pool, and free it again */
/*
* A bind to the server with an empty password always succeeds, so
* we check to ensure that the password is not empty. This implies
* that users who actually do have empty passwords will never be
* able to authenticate with this module. I don't see this as a big
* problem.
*/
return LDAP_INVALID_CREDENTIALS;
}
/*
* Attempt to bind with the retrieved dn and the password. If the bind
* fails, it means that the password is wrong (the dn obviously
* exists, since we just retrieved it)
*/
if ((result =
goto start_over;
}
/* failure? if so - return */
if (result != LDAP_SUCCESS) {
return result;
}
/*
* Add the new username to the search cache.
*/
return LDAP_SUCCESS;
}
#endif /* APU_HAS_LDAP */
/* ---------------------------------------- */
/* config directives */
{
&ldap_module);
"[%d] ldap cache: Setting shared memory cache size to %d bytes.",
return NULL;
}
{
&ldap_module);
"[%d] ldap cache: Setting cache TTL to %ld microseconds.",
return NULL;
}
{
&ldap_module);
if (st->search_cache_size < 0) {
st->search_cache_size = 0;
}
"[%d] ldap cache: Setting search cache size to %ld entries.",
return NULL;
}
{
&ldap_module);
"[%d] ldap cache: Setting operation cache TTL to %ld microseconds.",
return NULL;
}
{
&ldap_module);
if (st->compare_cache_size < 0) {
st->compare_cache_size = 0;
}
"[%d] ldap cache: Setting operation cache size to %ld entries.",
return NULL;
}
#ifdef APU_HAS_LDAPSSL_CLIENT_INIT
{
&ldap_module);
"[%d] ldap cache: Setting LDAP SSL client certificate dbpath to %s.",
return "Could not initialize SSL client";
}
else {
return NULL;
}
}
#endif
{
#ifdef APU_HAS_LDAP_NETSCAPE_SSL
st->have_certdb = 0;
#endif
return st;
}
{
&ldap_module);
char buf[MAX_STRING_LEN];
"[%d] ldap cache init: %s",
}
command_rec util_ldap_cmds[] = {
"Sets the size of the shared memory cache in bytes. "
"Zero means disable the shared memory cache. Defaults to 100KB."),
"Sets the maximum number of entries that are possible in the LDAP "
"search cache. "
"Zero means no limit; -1 disables the cache. Defaults to 1024 entries."),
"Sets the maximum time (in seconds) that an item can be cached in the LDAP "
"search cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."),
"Sets the maximum number of entries that are possible in the LDAP "
"compare cache. "
"Zero means no limit; -1 disables the cache. Defaults to 1024 entries."),
"Sets the maximum time (in seconds) that an item is cached in the LDAP "
"operation cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."),
#ifdef APU_HAS_LDAPSSL_CLIENT_INIT
"Specifies the file containing Certificate Authority certificates "
"for validating secure LDAP server certificates. This file must be the "
"cert7.db database used by Netscape Communicator"),
#endif
{NULL}
};
static void util_ldap_register_hooks(apr_pool_t *p)
{
}
module ldap_module = {
NULL, /* dir config creater */
NULL, /* dir merger --- default is to override */
util_ldap_create_config, /* server config */
NULL, /* merge server config */
util_ldap_cmds, /* command table */
util_ldap_register_hooks, /* set up request processing hooks */
};