util_ldap.c revision c4f16f709c79bb7e2ddffb532bc7708eab9a9691
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/*
* util_ldap.c: LDAP things
*
* Original code from auth_ldap module for Apache v1.3:
* Copyright 1998, 1999 Enbridge Pipelines Inc.
* Copyright 1999-2001 Dave Carrigan
*/
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"
#include "util_ldap.h"
#include "util_ldap_cache.h"
#include <apr_strings.h>
#include <unistd.h>
#endif
#if !APR_HAS_LDAP
#endif
#ifdef AP_NEED_SET_MUTEX_PERMS
#include "unixd.h"
#endif
/* Default define for ldap functions that need a SIZELIMIT but
* do not have the define
* XXX This should be removed once a supporting #define is
* released through APR-Util.
*/
#ifndef APR_LDAP_SIZELIMIT
#define APR_LDAP_SIZELIMIT -1
#endif
#define LDAP_CACHE_LOCK() do { \
if (st->util_ldap_cache_lock) \
} while (0)
#define LDAP_CACHE_UNLOCK() do { \
if (st->util_ldap_cache_lock) \
} while (0)
{
if (*str) {
}
if (newstr) {
}
}
/*
* Status Handler
* --------------
*
* This handler generates a status page about the current performance of
* the LDAP cache. It is enabled as follows:
*
* <Location /ldap-status>
* SetHandler ldap-status
* </Location>
*
*/
static int util_ldap_handler(request_rec *r)
{
&ldap_module);
if (r->method_number != M_GET)
return DECLINED;
return DECLINED;
}
ap_set_content_type(r, "text/html");
if (r->header_only)
return OK;
"<html><head><title>LDAP Cache Information</title></head>\n", r);
ap_rputs("<body bgcolor='#ffffff'><h1 align=center>LDAP Cache Information"
"</h1>\n", r);
util_ald_cache_display(r, st);
return OK;
}
/* ------------------------------------------------------------------ */
/*
* Closes an LDAP connection by unlocking it. The next time
* uldap_connection_find() is called this connection will be
* available for reuse.
*/
{
/*
* QUESTION:
*
* Is it safe leaving bound connections floating around between the
* different modules? Keeping the user bound is a performance boost,
* but it is also a potential security problem - maybe.
*
* For now we unbind the user when we finish with a connection, but
* we don't have to...
*/
/* mark our connection as available for reuse */
#if APR_HAS_THREADS
#endif
}
/*
* Destroys an LDAP connection by unbinding and closing the connection to
* the LDAP server. It is used to bring the connection back to a known
* state after an error, and during pool cleanup.
*/
{
if (ldc) {
}
}
return APR_SUCCESS;
}
/*
* Clean up an LDAP connection by unbinding and unlocking the connection.
* This function is registered with the pool cleanup function - causing
* the LDAP connections to be shut down cleanly on graceful restart.
*/
{
if (ldc) {
/* unbind and disconnect from the LDAP server */
/* free the username and password */
}
}
/* unlock this entry */
}
return APR_SUCCESS;
}
static int uldap_connection_init(request_rec *r,
{
int rc = 0, ldap_option = 0;
int version = LDAP_VERSION3;
&ldap_module);
/* Since the host will include a port if the default port is not used,
* always specify the default ports for the port parameter. This will
* allow a host string that contains multiple hosts the ability to mix
* some hosts with ports and some without. All hosts which do not
* specify a port will use the default port.
*/
&(result));
}
{
}
else {
}
}
/* always default to LDAP V3 */
/* set client certificates */
}
}
}
}
/* Set the alias dereferencing option */
/*XXX All of the #ifdef's need to be removed once apr-util 1.2 is released */
#ifdef APR_LDAP_OPT_VERIFY_CERT
#else
#if defined(LDAPSSL_VERIFY_SERVER)
if (st->verify_svr_cert) {
}
else {
}
#elif defined(LDAP_OPT_X_TLS_REQUIRE_CERT)
/* This is not a per-connection setting so just pass NULL for the
Ldap connection handle */
if (st->verify_svr_cert) {
int i = LDAP_OPT_X_TLS_DEMAND;
}
else {
int i = LDAP_OPT_X_TLS_NEVER;
}
#endif
#endif
#ifdef LDAP_OPT_NETWORK_TIMEOUT
if (st->connectionTimeout > 0) {
}
if (st->connectionTimeout >= 0) {
if (APR_SUCCESS != rc) {
"LDAP: Could not set the connection timeout");
}
}
#endif
return(rc);
}
/*
* Connect to the LDAP server and binds. Does not connect if already
* connected (i.e. ldc->ldap is non-NULL.) Does not bind if already bound.
*
* Returns LDAP_SUCCESS on success; and an error code on failure
*/
static int uldap_connection_open(request_rec *r,
{
int rc = 0;
int failures = 0;
/* sanity check for NULL */
if (!ldc) {
return -1;
}
/* If the connection is already bound, return
*/
{
return LDAP_SUCCESS;
}
/* create the ldap session handle
*/
{
if (LDAP_SUCCESS != rc)
{
return rc;
}
}
/* loop trying to bind up to 10 times if LDAP_SERVER_DOWN error is
* returned. Break out of the loop on Success or any other error.
*
* NOTE: Looping is probably not a great idea. If the server isn't
* responding the chances it will respond after a few tries are poor.
* However, the original code looped and it only happens on
* the error condition.
*/
{
if (LDAP_SERVER_DOWN != rc) {
break;
} else if (failures == 5) {
/* attempt to init the connection once again */
if (LDAP_SUCCESS != rc)
{
break;
}
}
}
/* free the handle if there was an error
*/
if (LDAP_SUCCESS != rc)
{
}
else {
}
return(rc);
}
/*
* Compare client certificate arrays.
*
* Returns 1 on compare failure, 0 otherwise.
*/
{
int i = 0;
/* arrays both NULL? if so, then equal */
return 0;
}
/* arrays different length or either NULL? If so, then not equal */
return 1;
}
/* run an actual comparison */
return 1;
}
}
/* if we got here, the cert arrays were identical */
return 0;
}
/*
* Find an existing ldap connection struct that matches the
* provided ldap connection parameters.
*
* If not found in the cache, a new ldc structure will be allocated
* from st->pool and returned to the caller. If found in the cache,
* a pointer to the existing ldc structure will be returned.
*/
static util_ldap_connection_t *
{
struct util_ldap_connection_t *l, *p; /* To traverse the linked list */
int secureflag = secure;
&ldap_module);
#if APR_HAS_THREADS
/* mutex lock this function */
#endif
if (secure < APR_LDAP_NONE) {
}
/* Search for an exact connection match in the list that is not
* being used.
*/
#if APR_HAS_THREADS
#endif
{
break;
}
#if APR_HAS_THREADS
/* If this connection didn't match the criteria, then we
* need to unlock the mutex so it is available to be reused.
*/
}
#endif
p = l;
}
/* If nothing found, search again, but we don't care about the
* binddn and bindpw this time.
*/
if (!l) {
#if APR_HAS_THREADS
#endif
{
/* the bind credentials have changed */
l->bound = 0;
break;
}
#if APR_HAS_THREADS
/* If this connection didn't match the criteria, then we
* need to unlock the mutex so it is available to be reused.
*/
}
#endif
p = l;
}
}
/* artificially disable cache */
/* l = NULL; */
/* If no connection what found after the second search, we
* must create one.
*/
if (!l) {
/*
* Add the new connection entry to the linked list. Note that we
* don't actually establish an LDAP connection yet; that happens
* the first time authentication is requested.
*/
/* create the details to the pool in st */
"util_ldap: Failed to create memory pool");
#if APR_HAS_THREADS
#endif
return NULL;
}
#if APR_HAS_THREADS
#endif
l->bound = 0;
/* The security mode after parsing the URL will always be either
* APR_LDAP_NONE (ldap://) or APR_LDAP_SSL (ldaps://).
* If the security setting is NONE, override it to the security
* setting optionally supplied by the admin using LDAPTrustedMode
*/
l->secure = secureflag;
/* save away a copy of the client cert list that is presently valid */
/* add the cleanup to the pool */
apr_pool_cleanup_register(l->pool, l,
if (p) {
p->next = l;
}
else {
st->connections = l;
}
}
#if APR_HAS_THREADS
#endif
return l;
}
/* ------------------------------------------------------------------ */
/*
* Compares two DNs to see if they're equal. The only way to do this correctly
* is to search for the dn and then do ldap_get_dn() on the result. This should
* match the initial dn, since it would have been also retrieved with
* ldap_get_dn(). This is expensive, so if the configuration value
* compare_dn_on_server is false, just does an ordinary strcmp.
*
* The lock for the ldap cache should already be acquired.
*/
const char *reqdn, int compare_dn_on_server)
{
int result = 0;
int failures = 0;
char *searchdn;
&ldap_module);
/* get cache entry (or create one) */
}
/* a simple compare? */
if (!compare_dn_on_server) {
/* unlock this read lock */
return LDAP_COMPARE_FALSE;
}
else {
return LDAP_COMPARE_TRUE;
}
}
if (curl) {
/* no - it's a server side compare */
/* is it in the compare cache? */
/* If it's in the cache, it's good */
/* unlock this read lock */
return LDAP_COMPARE_TRUE;
}
/* unlock this read lock */
}
if (failures++ > 10) {
/* too many failures */
return result;
}
/* make a server connection */
/* connect to server failed */
return result;
}
/* search for reqdn */
== LDAP_SERVER_DOWN)
{
"failed with server down";
goto start_over;
}
if (result != LDAP_SUCCESS) {
/* search for reqdn failed - no match */
return result;
}
/* compare unsuccessful */
}
else {
if (curl) {
/* compare successful - add to the compare cache */
{
}
}
}
return result;
}
/*
* Does an generic ldap_compare operation. It accepts a cache that it will use
* to lookup the compare in the cache. We cache two kinds of compares
* (require group compares) and (require user compares). Each compare has a different
* cache node: require group includes the DN; require user does not because the
* require user cache is owned by the
*
*/
{
int result = 0;
int failures = 0;
&ldap_module);
/* get cache entry (or create one) */
}
if (curl) {
/* make a comparison to the cache */
curtime = apr_time_now();
the_compare_node.result = 0;
if (compare_nodep != NULL) {
/* found it... */
/* ...but it is too old */
}
else {
/* ...and it is good */
}
}
}
else {
}
/* record the result code to return with the reason... */
/* and unlock this read lock */
return result;
}
}
/* unlock this read lock */
}
if (failures++ > 10) {
/* too many failures */
return result;
}
/* connect failed */
return result;
}
(char *)dn,
(char *)attrib,
(char *)value))
== LDAP_SERVER_DOWN) {
/* connection failed - try again */
goto start_over;
}
if ((LDAP_COMPARE_TRUE == result) ||
(LDAP_COMPARE_FALSE == result) ||
(LDAP_NO_SUCH_ATTRIBUTE == result)) {
if (curl) {
/* compare completed; caching result */
/* If the node doesn't exist then insert it, otherwise just update
* it with the last results
*/
if ( (compare_nodep == NULL)
{
void *junk;
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] cache_compare: Cache insertion failure.", getpid());
}
}
else {
}
}
if (LDAP_COMPARE_TRUE == result) {
return LDAP_COMPARE_TRUE;
}
else if (LDAP_COMPARE_FALSE == result) {
return LDAP_COMPARE_FALSE;
}
else {
return LDAP_NO_SUCH_ATTRIBUTE;
}
}
return result;
}
/*
* Does a recursive lookup operation to try to find a user within (cached) nested groups.
*
* DON'T CALL THIS UNLESS YOU CALLED uldap_cache_compare FIRST!!!!!
*/
int cur_subgroup_depth, int max_subgroup_depth)
{
int result = LDAP_COMPARE_FALSE;
int failures = 0;
&ldap_module);
/*
* 1. Call uldap_cache_compare for each subgroupclass value to check the generic,
* user-agnostic, cached group entry. This will create a new generic cache entry if there
* wasn't one. If nothing returns LDAP_COMPARE_TRUE skip to step 5 since we have no groups.
* 2. Lock The cache and get the generic cache entry.
* 3. Check if there is already a subgrouplist in this generic group's cache entry.
* A. If there is, go to step 4.
* B. If there isn't:
* i) Use ldap_search to get the full list
* of subgroup "members" (which may include non-group "members").
* ii) Use uldap_cache_compare to strip the list down to just groups.
* iii) Lock and add this stripped down list to the cache of the generic group.
* 4. Loop through the sgl and call uldap_cache_compare (using the user info) for each
* subgroup to see if the subgroup contains the user and to get the subgroups added to the
* cache (with user-afinity, if they aren't already there).
* A. If the user is in the subgroup, then we'll be returning LDAP_COMPARE_TRUE.
* B. if the user isn't in the subgroup (LDAP_COMPARE_FALSE via uldap_cache_compare) then
* recursively call this function to get the sub-subgroups added...
* 5. Cleanup local allocations.
* 6. Return the final result.
*/
/* Stop looking at deeper levels of nested groups if we have reached the max.
* Since we already checked the top-level group in uldap_cache_compare, we don't
* need to check it again here - so if max_subgroup_depth is set to 0, we won't
* check it (i.e. that is why we check < rather than <=).
* We'll be calling uldap_cache_compare from here to check if the user is in the
* next level before we recurse into that next level looking for more subgroups.
*/
if (cur_subgroup_depth < max_subgroup_depth) {
int base_sgcIndex = 0;
int lcl_sgl_processedFlag = 0;
struct mod_auth_ldap_groupattr_entry_t *sgc_ents = (struct mod_auth_ldap_groupattr_entry_t *) subgroupclasses->elts;
/* 1. Check the "groupiness" of the specified basedn. Stopping at the first TRUE return. */
if (result != LDAP_COMPARE_TRUE) {
}
}
if (result != LDAP_COMPARE_TRUE) {
/* The dn we were handed doesn't seem to be a group, how can we check for SUB-groups if this
* isn't a group?!?!?!
*/
return result;
}
/* 2. Find previously created cache entry and check if there is already a subgrouplist. */
/* make a comparison to the cache */
the_compare_node.result = 0;
if (compare_nodep == NULL) {
/* Didn't find it. This shouldn't happen since we just called uldap_cache_compare. */
return LDAP_COMPARE_FALSE;
}
else {
/* Found the generic group entry... but the user isn't in this group or we wouldn't be here. */
/* Make a local copy of the subgroup list */
int i;
tmp_local_sgl->subgroupDNs = apr_pcalloc(r->pool, sizeof(char *) * compare_nodep->subgroupList->len);
}
}
}
/* unlock this read lock */
}
else {
/* If we get here, something is wrong. Caches should have been created and
this group entry should be found in the cache. */
return LDAP_COMPARE_FALSE;
}
/* No cache entry had a processed SGL. Retrieve from LDAP server */
if ((lcl_sgl_processedFlag == 0) && (!tmp_local_sgl)) {
/* 3.B. The cache didn't have any subgrouplist yet. Go check for subgroups. */
if (failures++ > 10) {
/* too many failures */
return result;
}
/* connect failed */
return result;
}
/* try to do the search */
(char *)"cn=*", subgroupAttrs, 0,
if (result == LDAP_SERVER_DOWN) {
goto start_over;
}
/* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
if (result != LDAP_SUCCESS) {
return result;
}
/*
* Get values for the provided sub-group attributes.
*/
if (subgroupAttrs) {
int indx = 0, tmp_sgcIndex;
while (subgroupAttrs[indx]) {
char **values;
int val_index = 0;
/* Get *all* matching "member" values from this group. */
if (values) {
val_index = 0;
/*
* Now we are going to pare the subgroup members of this group to *just*
* the subgroups, add them to the compare_nodep, and then proceed to check
* the new level of subgroups.
*/
/* Check if this entry really is a group. */
tmp_sgcIndex = 0;
if (result != LDAP_COMPARE_TRUE) {
tmp_sgcIndex++;
}
}
/* It's a group, so add it to the array. */
if (result == LDAP_COMPARE_TRUE) {
}
val_index++;
}
}
indx++;
}
}
/* We need to fill in tmp_local_subgroups using the data from LDAP */
int sgindex;
char **group;
}
}
/* Find the generic group cache entry and add the sgl. */
the_compare_node.result = 0;
if (compare_nodep == NULL) {
/* Didn't find it. This shouldn't happen since we just called uldap_cache_compare. */
return LDAP_COMPARE_FALSE;
}
else {
/* overwrite SGL if it was previously updated between the last
** two times we looked at the cache
*/
if (tmp_local_sgl) {
}
else {
/* We didn't find a single subgroup, next time save us from looking */
}
}
/* unlock this read lock */
}
/* tmp_local_sgl has either been created, or copied out of the cache */
/* If tmp_local_sgl is NULL, there are no subgroups to process and we'll return false */
if (tmp_local_sgl) {
int sgindex = 0;
/* 4. Now loop through the subgroupList and call uldap_cache_compare to check for the user. */
if (result == LDAP_COMPARE_TRUE) {
/* 4.A. We found the user in the subgroup. Return LDAP_COMPARE_TRUE. */
" Found the user in a subgroup (%s) at level %d of %d. (7).",
}
else {
/* 4.B. We didn't find the user in this subgroup, so recurse into it and keep looking. */
}
sgindex++;
}
}
}
return result;
}
const char ***retvals)
{
int numvals = 0;
int result = 0;
char *dn;
int count;
int failures = 0;
&ldap_module);
/* Get the cache node for this url */
&curnode);
}
if (curl) {
if (search_nodep != NULL) {
/* found entry in search cache... */
curtime = apr_time_now();
/*
* Remove this item from the cache if its expired. If the sent
* password doesn't match the storepassword, the entry will
* be removed and readded later if the credentials pass
* authentication.
*/
/* ...but entry is too old */
}
else if ( (search_nodep->bindpw)
{
/* ...and entry is valid */
if (attrs) {
int i = 0, k = 0;
while (attrs[k++]);
while (search_nodep->vals[i]) {
i++;
}
}
return LDAP_SUCCESS;
}
}
/* unlock this read lock */
}
/*
* At this point, there is no valid cached search, so lets do the search.
*/
/*
* If LDAP operation fails due to LDAP_SERVER_DOWN, control returns here.
*/
if (failures++ > 10) {
return result;
}
return result;
}
/* try do the search */
== LDAP_SERVER_DOWN)
{
goto start_over;
}
/* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
if (result != LDAP_SUCCESS) {
return result;
}
/*
* We should have found exactly one entry; to find a different
* number is an error.
*/
if (count != 1)
{
if (count == 0 )
else
"or more matches)";
return LDAP_NO_SUCH_OBJECT;
}
/* Grab the dn, copy it into the pool, and free it again */
/*
* A bind to the server with an empty password always succeeds, so
* we check to ensure that the password is not empty. This implies
* that users who actually do have empty passwords will never be
* able to authenticate with this module. I don't see this as a big
* problem.
*/
return LDAP_INVALID_CREDENTIALS;
}
/*
* Attempt to bind with the retrieved dn and the password. If the bind
* fails, it means that the password is wrong (the dn obviously
* exists, since we just retrieved it)
*/
(char *)*binddn,
(char *)bindpw)) == LDAP_SERVER_DOWN) {
"failed with server down";
goto start_over;
}
/* failure? if so - return */
if (result != LDAP_SUCCESS) {
return result;
}
else {
/*
* We have just bound the connection to a different user and password
* combination, which might be reused unintentionally next time this
* connection is used from the connection pool. To ensure no confusion,
* we mark the connection as unbound.
*/
}
/*
* Get values for the provided attributes.
*/
if (attrs) {
int k = 0;
int i = 0;
while (attrs[k++]);
numvals = k;
while (attrs[i]) {
char **values;
int j = 0;
/* get values */
j++;
}
i++;
}
}
/*
* Add the new username to the search cache.
*/
if (curl) {
/* Search again to make sure that another thread didn't ready insert
* this node into the cache before we got here. If it does exist then
* update the lastbind
*/
if ((search_nodep == NULL) ||
/* Nothing in cache, insert new entry */
}
else if ((!search_nodep->bindpw) ||
/* Entry in cache is invalid, remove it and insert new one */
}
else {
/* Cache entry is valid, update lastbind */
}
}
return LDAP_SUCCESS;
}
/*
* This function will return the DN of the entry matching userid.
* It is used to get the DN in case some other module than mod_auth_ldap
* has authenticated the user.
* The function is basically a copy of uldap_cache_checkuserid
* with password checking removed.
*/
{
int numvals = 0;
int result = 0;
char *dn;
int count;
int failures = 0;
&ldap_module);
/* Get the cache node for this url */
&curnode);
}
if (curl) {
if (search_nodep != NULL) {
/* found entry in search cache... */
curtime = apr_time_now();
/*
* Remove this item from the cache if its expired.
*/
/* ...but entry is too old */
}
else {
/* ...and entry is valid */
if (attrs) {
int i = 0, k = 0;
while (attrs[k++]);
while (search_nodep->vals[i]) {
i++;
}
}
return LDAP_SUCCESS;
}
}
/* unlock this read lock */
}
/*
* At this point, there is no valid cached search, so lets do the search.
*/
/*
* If LDAP operation fails due to LDAP_SERVER_DOWN, control returns here.
*/
if (failures++ > 10) {
return result;
}
return result;
}
/* try do the search */
== LDAP_SERVER_DOWN)
{
goto start_over;
}
/* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */
if (result != LDAP_SUCCESS) {
return result;
}
/*
* We should have found exactly one entry; to find a different
* number is an error.
*/
if (count != 1)
{
if (count == 0 )
else
"or more matches)";
return LDAP_NO_SUCH_OBJECT;
}
/* Grab the dn, copy it into the pool, and free it again */
/*
* Get values for the provided attributes.
*/
if (attrs) {
int k = 0;
int i = 0;
while (attrs[k++]);
numvals = k;
while (attrs[i]) {
char **values;
int j = 0;
/* get values */
j++;
}
i++;
}
}
/*
* Add the new username to the search cache.
*/
if (curl) {
/* Search again to make sure that another thread didn't ready insert
* this node into the cache before we got here. If it does exist then
* update the lastbind
*/
if ((search_nodep == NULL) ||
/* Nothing in cache, insert new entry */
}
/*
* Don't update lastbind on entries with bindpw because
* we haven't verified that password. It's OK to update
* the entry if there is no password in it.
*/
else if (!search_nodep->bindpw) {
/* Cache entry is valid, update lastbind */
}
}
return LDAP_SUCCESS;
}
/*
* Reports if ssl support is enabled
*
* 1 = enabled, 0 = not enabled
*/
static int uldap_ssl_supported(request_rec *r)
{
return(st->ssl_supported);
}
/* ---------------------------------------- */
/* config directives */
const char *bytes)
{
&ldap_module);
return err;
}
return NULL;
}
const char *file)
{
&ldap_module);
return err;
}
if (file) {
}
else {
}
"LDAP cache: Setting shared memory cache file to %s bytes.",
st->cache_file);
return NULL;
}
const char *ttl)
{
&ldap_module);
return err;
}
return NULL;
}
const char *size)
{
&ldap_module);
return err;
}
if (st->search_cache_size < 0) {
st->search_cache_size = 0;
}
return NULL;
}
const char *ttl)
{
&ldap_module);
return err;
}
return NULL;
}
const char *size)
{
&ldap_module);
return err;
}
if (st->compare_cache_size < 0) {
st->compare_cache_size = 0;
}
return NULL;
}
/**
* Parse the certificate type.
*
* The type can be one of the following:
* CA_DER, CA_BASE64, CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64,
* CERT_KEY3_DB, CERT_NICKNAME, KEY_DER, KEY_BASE64
*
* If no matches are found, APR_LDAP_CA_TYPE_UNKNOWN is returned.
*/
static int util_ldap_parse_cert_type(const char *type)
{
/* Authority file in binary DER format */
return APR_LDAP_CA_TYPE_DER;
}
/* Authority file in Base64 format */
return APR_LDAP_CA_TYPE_BASE64;
}
return APR_LDAP_CA_TYPE_CERT7_DB;
}
return APR_LDAP_CA_TYPE_SECMOD;
}
/* Client cert file in DER format */
return APR_LDAP_CERT_TYPE_DER;
}
/* Client cert file in Base64 format */
return APR_LDAP_CERT_TYPE_BASE64;
}
/* Client cert file in PKCS#12 format */
return APR_LDAP_CERT_TYPE_PFX;
}
return APR_LDAP_CERT_TYPE_KEY3_DB;
}
/* Netscape client cert nickname */
return APR_LDAP_CERT_TYPE_NICKNAME;
}
/* Client cert key file in DER format */
return APR_LDAP_KEY_TYPE_DER;
}
/* Client cert key file in Base64 format */
return APR_LDAP_KEY_TYPE_BASE64;
}
/* Client cert key file in PKCS#12 format */
return APR_LDAP_KEY_TYPE_PFX;
}
else {
return APR_LDAP_CA_TYPE_UNKNOWN;
}
}
/**
* Set LDAPTrustedGlobalCert.
*
* This directive takes either two or three arguments:
* - certificate type
* - certificate file / directory / nickname
* - certificate password (optional)
*
* This directive may only be used globally.
*/
void *dummy,
const char *type,
const char *file,
const char *password)
{
&ldap_module);
int cert_type = 0;
return err;
}
/* handle the certificate type */
if (type) {
if (APR_LDAP_CA_TYPE_UNKNOWN == cert_type) {
"not recognised. It should be one "
"of CA_DER, CA_BASE64, CA_CERT7_DB, "
"CA_SECMOD, CERT_DER, CERT_BASE64, "
"CERT_KEY3_DB, CERT_NICKNAME, "
"KEY_DER, KEY_BASE64", type);
}
}
else {
return "Certificate type was not specified.";
}
"LDAP: SSL trusted global cert - %s (type %s)",
/* add the certificate to the global array */
/* if file is a file or path, fix the path */
if (cert_type != APR_LDAP_CA_TYPE_UNKNOWN &&
!= APR_SUCCESS))
{
"LDAP: Could not open SSL trusted certificate "
"authority file - %s",
return "Invalid global certificate file path";
}
}
return(NULL);
}
/**
* Set LDAPTrustedClientCert.
*
* This directive takes either two or three arguments:
* - certificate type
* - certificate file / directory / nickname
* - certificate password (optional)
*/
void *config,
const char *type,
const char *file,
const char *password)
{
&ldap_module);
int cert_type = 0;
/* handle the certificate type */
if (type) {
if (APR_LDAP_CA_TYPE_UNKNOWN == cert_type) {
"not recognised. It should be one "
"of CERT_DER, CERT_BASE64, "
"CERT_NICKNAME, CERT_PFX,"
"KEY_DER, KEY_BASE64, KEY_PFX",
type);
}
else if (APR_LDAP_CA_TYPE_DER == cert_type ||
"only valid within a "
"LDAPTrustedGlobalCert directive. "
"Only CERT_DER, CERT_BASE64, "
"CERT_NICKNAME, KEY_DER, and "
"KEY_BASE64 may be used.", type);
}
}
else {
return "Certificate type was not specified.";
}
"LDAP: SSL trusted client cert - %s (type %s)",
/* add the certificate to the global array */
/* if file is a file or path, fix the path */
if (cert_type != APR_LDAP_CA_TYPE_UNKNOWN &&
!= APR_SUCCESS))
{
"LDAP: Could not open SSL client certificate "
"file - %s",
return "Invalid client certificate file path";
}
}
return(NULL);
}
/**
* Set LDAPTrustedMode.
*
* This directive sets what encryption mode to use on a connection:
* - None (No encryption)
* - SSL (SSL encryption)
* - STARTTLS (TLS encryption)
*/
const char *mode)
{
&ldap_module);
"LDAP: SSL trusted mode - %s",
mode);
}
}
}
else {
return "Invalid LDAPTrustedMode setting: must be one of NONE, "
}
return(NULL);
}
void *dummy,
int mode)
{
&ldap_module);
return err;
}
"LDAP: SSL verify server certificate - %s",
return(NULL);
}
void *dummy,
const char *ttl)
{
&ldap_module);
return err;
}
#ifdef LDAP_OPT_NETWORK_TIMEOUT
#else
"LDAP: Connection timout option not supported by the "
"LDAP SDK in use." );
#endif
return NULL;
}
{
/* Create a per vhost pool for mod_ldap to use, serialized with
* st->mutex (also one per vhost). both are replicated by fork(),
* no shared memory managed by either.
*/
#if APR_HAS_THREADS
#endif
st->ssl_supported = 0;
st->secure_set = 0;
return st;
}
void *overridesv)
{
#if APR_HAS_THREADS
#endif
/* The cache settings can not be modified in a
virtual host since all server use the same
shared memory cache. */
st->ssl_supported = 0;
/* These LDAP connection settings can not be overwritten in
a virtual host. Once set in the base server, they must
remain the same. None of the LDAP SDKs seem to be able
to handle setting the verify_svr_cert flag on a
per-connection basis. The OpenLDAP client appears to be
able to handle the connection timeout per-connection
but the Novell SDK cannot. Allowing the timeout to
be set by each vhost is of little value so rather than
trying to make special expections for one LDAP SDK, GLOBAL_ONLY
is being enforced on this setting as well. */
return st;
}
{
server_rec *s = data;
s->module_config, &ldap_module);
if (st->ssl_supported) {
}
return APR_SUCCESS;
}
{
&ldap_module);
void *data;
const char *userdata_key = "util_ldap_init";
int rc;
/* util_ldap_post_config() will be called twice. Don't bother
* going through all of the initialization on the first call
* because it will just be thrown away.*/
if (!data) {
/* If the cache file already exists then delete it. Otherwise we are
* going to run into problems creating the shared memory. */
if (st->cache_file) {
NULL);
}
#endif
return OK;
}
/* initializing cache if shared memory size is not zero and we already
* don't have shm address
*/
#endif
if (result != APR_SUCCESS) {
"LDAP cache: could not create shared memory segment");
return DONE;
}
if (st->cache_file) {
NULL);
}
#endif
if (result != APR_SUCCESS) {
return result;
}
#ifdef AP_NEED_SET_MUTEX_PERMS
if (result != APR_SUCCESS) {
"LDAP cache: failed to set mutex permissions");
return result;
}
#endif
/* merge config in all vhost */
while (s_vhost) {
st_vhost = (util_ldap_state_t *)
&ldap_module);
"LDAP merging Shared Cache conf: shm=0x%pp rmm=0x%pp "
#endif
}
}
else {
"LDAP cache: LDAPSharedCacheSize is zero, disabling "
"shared memory cache");
}
#endif
/* log the LDAP SDK used
*/
{
apr_ldap_info(p, &(result));
}
}
/*
* Initialize SSL support, and log the result for the benefit of the admin.
*
* If SSL is not supported it is not necessarily an error, as the
* application may not want to use it.
*/
rc = apr_ldap_ssl_init(p,
NULL,
0,
&(result_err));
if (APR_SUCCESS == rc) {
}
if (APR_SUCCESS == rc) {
"LDAP: SSL support available" );
}
else {
st->ssl_supported = 0;
"LDAP: SSL support unavailable%s%s",
}
return(OK);
}
{
&ldap_module);
if (!st->util_ldap_cache_lock) return;
if (sts != APR_SUCCESS) {
"Failed to initialise global mutex %s in child process %"
APR_PID_T_FMT ".",
}
}
static const command_rec util_ldap_cmds[] = {
"Set the size of the shared memory cache (in bytes). Use "
"0 to disable the shared memory cache. (default: 100000)"),
"Set the file name for the shared memory cache."),
"Set the maximum number of entries that are possible in the "
"LDAP search cache. Use 0 for no limit. "
"-1 disables the cache. (default: 1024)"),
"Set the maximum time (in seconds) that an item can be "
"cached in the LDAP search cache. Use 0 for no limit. "
"(default 600)"),
"Set the maximum number of entries that are possible "
"in the LDAP compare cache. Use 0 for no limit. "
"Use -1 to disable the cache. (default: 1024)"),
"Set the maximum time (in seconds) that an item is cached "
"in the LDAP operation cache. Use 0 for no limit. "
"(default: 600)"),
"the trusted CA certificates (and global client certs "
"for Netware) used to validate the LDAP server. Second "
"arg is the cert type for the first arg, one of CA_DER, "
"CA_BASE64, CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, "
"CERT_KEY3_DB, CERT_NICKNAME, KEY_DER, or KEY_BASE64. "
"Third arg is an optional passphrase if applicable."),
"the client certificate, or certificate ID used to "
"validate this LDAP client. Second arg is the cert type "
"for the first arg, one of CA_DER, CA_BASE64, CA_CERT7_DB, "
"CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "
"CERT_NICKNAME, KEY_DER, or KEY_BASE64. Third arg is an "
"optional passphrase if applicable."),
"Specify the type of security that should be applied to "
"an LDAP connection. One of; NONE, SSL or STARTTLS."),
"Set to 'ON' requires that the server certificate be verified "
"before a secure LDAP connection can be establish. Default 'ON'"),
"Specify the LDAP socket connection timeout in seconds "
"(default: 10)"),
{NULL}
};
static void util_ldap_register_hooks(apr_pool_t *p)
{
}
NULL, /* create dir config */
NULL, /* merge dir config */
util_ldap_create_config, /* create server config */
util_ldap_merge_config, /* merge server config */
util_ldap_cmds, /* command table */
util_ldap_register_hooks, /* set up request processing hooks */
};