/* ==================================================================== * The Apache Software License, Version 1.1 * * Copyright (c) 2000-2001 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, * if any, must include the following acknowledgment: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowledgment may appear in the software itself, * if and wherever such third-party acknowledgments normally appear. * * 4. The names "Apache" and "Apache Software Foundation" must * not be used to endorse or promote products derived from this * software without prior written permission. For written * permission, please contact apache@apache.org. * * 5. Products derived from this software may not be called "Apache", * nor may "Apache" appear in their name, without prior written * permission of the Apache Software Foundation. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * . */ /* * util_ldap.c: LDAP things * * Original code from auth_ldap module for Apache v1.3: * Copyright 1998, 1999 Enbridge Pipelines Inc. * Copyright 1999-2001 Dave Carrigan */ #include #ifdef APU_HAS_LDAP #include #include "ap_config.h" #include "httpd.h" #include "http_config.h" #include "http_core.h" #include "http_log.h" #include "http_protocol.h" #include "http_request.h" #include "util_ldap.h" #include "util_ldap_cache.h" #if APR_HAVE_UNISTD_H #include #endif module AP_MODULE_DECLARE_DATA ldap_module; int util_ldap_handler(request_rec *r); void *util_ldap_create_config(apr_pool_t *p, server_rec *s); /* * Some definitions to help between various versions of apache. */ #ifndef DOCTYPE_HTML_2_0 #define DOCTYPE_HTML_2_0 "\n" #endif #ifndef DOCTYPE_HTML_3_2 #define DOCTYPE_HTML_3_2 "\n" #endif #ifndef DOCTYPE_HTML_4_0S #define DOCTYPE_HTML_4_0S "\n" #endif #ifndef DOCTYPE_HTML_4_0T #define DOCTYPE_HTML_4_0T "\n" #endif #ifndef DOCTYPE_HTML_4_0F #define DOCTYPE_HTML_4_0F "\n" #endif /* * Status Handler * -------------- * * This handler generates a status page about the current performance of * the LDAP cache. It is enabled as follows: * * * SetHandler ldap-status * * */ int util_ldap_handler(request_rec *r) { r->allowed |= (1 << M_GET); if (r->method_number != M_GET) return DECLINED; if (strcmp(r->handler, "ldap-status")) { return DECLINED; } r->content_type = "text/html"; if (r->header_only) return OK; ap_rputs(DOCTYPE_HTML_3_2 "LDAP Cache Information\n", r); ap_rputs("

LDAP Cache Information

\n", r); ap_rputs("

\n" "\n" "\n" "" "" "" "" "" "" "" "\n", r ); ap_rputs(util_ald_cache_display(r->pool), r); ap_rputs("
Cache NameEntriesAvg. Chain Len.HitsIns/RemPurgesAvg Purge Time
\n

\n", r); return OK; } /* ------------------------------------------------------------------ */ /* * Closes an LDAP connection by unlocking it. The next time * util_ldap_connection_find() is called this connection will be * available for reuse. */ void util_ldap_connection_close(util_ldap_connection_t *ldc) { /* * QUESTION: * * Is it safe leaving bound connections floating around between the * different modules? Keeping the user bound is a performance boost, * but it is also a potential security problem - maybe. * * For now we unbind the user when we finish with a connection, but * we don't have to... */ /* mark our connection as available for reuse */ apr_thread_mutex_unlock(ldc->lock); } /* * Destroys an LDAP connection by unbinding. This function is registered * with the pool cleanup function - causing the LDAP connections to be * shut down cleanly on graceful restart. */ apr_status_t util_ldap_connection_destroy(void *param) { util_ldap_connection_t *ldc = param; /* unbinding from the LDAP server */ if (ldc->ldap) { ldap_unbind_s(ldc->ldap); ldc->bound = 0; ldc->ldap = NULL; } /* release the lock we were using */ apr_thread_mutex_unlock(ldc->lock); return APR_SUCCESS; } /* * Connect to the LDAP server and binds. Does not connect if already * connected (i.e. ldc->ldap is non-NULL.) Does not bind if already bound. * * Returns LDAP_SUCCESS on success; and an error code on failure */ int util_ldap_connection_open(util_ldap_connection_t *ldc) { int result = 0; int failures = 0; start_over: if (failures++ > 10) { /* too many failures - leave */ return result; } if (!ldc->ldap) { ldc->bound = 0; /* opening connection to LDAP server */ if ((ldc->ldap = ldap_init(ldc->host, ldc->port)) == NULL) { /* couldn't connect */ ldc->reason = "ldap_init() failed"; return -1; } /* add the cleanup to the pool */ apr_pool_cleanup_register(ldc->pool, ldc, util_ldap_connection_destroy, apr_pool_cleanup_null); /* Set the alias dereferencing option */ #if LDAP_VERSION_MAX == 2 ldc->ldap->ld_deref = ldc->deref; #else result = ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &(ldc->deref)); if (result != LDAP_SUCCESS) { /* setting LDAP dereference option failed */ /* we ignore this error */ } #endif /* LDAP_VERSION_MAX */ #ifdef APU_HAS_LDAP_NETSCAPE_SSL if (ldc->netscapessl) { if (!ldc->certdb) { /* secure LDAP requested, but no CA cert defined */ ldc->reason = "secure LDAP requested, but no CA cert defined"; return -1; } else { result = ldapssl_install_routines(ldc->ldap); if (result != LDAP_SUCCESS) { /* SSL initialisation failed */ ldc->reason = "ldapssl_install_routines() failed"; return result; } result = ldap_set_option(ldc->ldap, LDAP_OPT_SSL, LDAP_OPT_ON); if (result != LDAP_SUCCESS) { /* SSL option failed */ ldc->reason = "ldap_set_option() failed trying to set LDAP_OPT_SSL"; return result; } } } #endif /* APU_HAS_LDAP_NETSCAPE_SSL */ #ifdef APU_HAS_LDAP_STARTTLS if (ldc->starttls) { int version = LDAP_VERSION3; /* Also we have to set the connection to use protocol version 3, * since we're using TLS. */ if ((result = ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version)) != LDAP_SUCCESS) { /* setting LDAP version failed - ignore error */ } /* * In util_ldap_connection_find, we compare ldc->withtls to * sec->starttls to see if we have a cache match. On the off * chance that apache's config processing rotines set starttls to * some other true value besides 1, we set it to 1 here to ensure * that the comparison succeeds. */ ldc->starttls = 1; result = ldap_start_tls_s(ldc->ldap, NULL, NULL); if (result != LDAP_SUCCESS) { /* start TLS failed */ ldc->withtls = 0; ldc->reason = "ldap_start_tls_s() failed"; return result; } ldc->withtls = 1; } else { ldc->withtls = 0; } #endif /* APU_HAS_LDAP_STARTTLS */ } /* * At this point the LDAP connection is guaranteed alive. If bound says * that we're bound already, we can just return. */ if (ldc->bound) { ldc->reason = "LDAP connection open successful (already bound)"; return LDAP_SUCCESS; } /* * Now bind with the username/password provided by the * configuration. It will be an anonymous bind if no u/p was * provided. */ if ((result = ldap_simple_bind_s(ldc->ldap, ldc->binddn, ldc->bindpw)) == LDAP_SERVER_DOWN) { /* couldn't connect - try again */ ldc->reason = "ldap_simple_bind_s() failed with server down"; goto start_over; } if (result != LDAP_SUCCESS) { /* LDAP fatal error occured */ ldc->reason = "ldap_simple_bind_s() failed"; return result; } /* note how we are bound */ ldc->bound = 1; ldc->reason = "LDAP connection open successful"; return LDAP_SUCCESS; } /* * Find an existing ldap connection struct that matches the * provided ldap connection parameters. * * If not found in the cache, a new ldc structure will be allocated from st->pool * and returned to the caller. If found in the cache, a pointer to the existing * ldc structure will be returned. */ util_ldap_connection_t *util_ldap_connection_find(request_rec *r, const char *host, int port, const char *binddn, const char *bindpw, deref_options deref, int netscapessl, int starttls) { struct util_ldap_connection_t *l, *p; /* To traverse the linked list */ util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(r->server->module_config, &ldap_module); /* mutex lock this function */ if (!st->mutex) { apr_thread_mutex_create(&st->mutex, APR_THREAD_MUTEX_DEFAULT, st->pool); } apr_thread_mutex_lock(st->mutex); /* Search for an exact connection match in the list that is not * being used. */ for (l=st->connections,p=NULL; l; l=l->next) { if ( (APR_SUCCESS == apr_thread_mutex_trylock(l->lock)) && l->port == port && strcmp(l->host, host) == 0 && ( (!l->binddn && !binddn) || (l->binddn && binddn && !strcmp(l->binddn, binddn)) ) && ( (!l->bindpw && !bindpw) || (l->bindpw && bindpw && !strcmp(l->bindpw, bindpw)) ) && l->deref == deref #ifdef APU_HAS_LDAP_NETSCAPE_SSL && l->netscapessl == netscapessl #endif #ifdef APU_HAS_LDAP_STARTTLS && l->withtls == starttls #endif ) break; p = l; } /* If nothing found, search again, but we don't care about the * binddn and bindpw this time. */ if (!l) { for (l=st->connections,p=NULL; l; l=l->next) { if ( (APR_SUCCESS == apr_thread_mutex_trylock(l->lock)) && l->port == port && strcmp(l->host, host) == 0 && l->deref == deref #ifdef APU_HAS_LDAP_NETSCAPE_SSL && l->netscapessl == netscapessl #endif #ifdef APU_HAS_LDAP_STARTTLS && l->withtls == starttls #endif ) { /* the bind credentials have changed */ l->bound = 0; l->binddn = apr_pstrdup(st->pool, binddn); l->bindpw = apr_pstrdup(st->pool, bindpw); break; } p = l; } } /* artificially disable cache */ //l = NULL; /* If no connection what found after the second search, we * must create one. */ if (!l) { /* * Add the new connection entry to the linked list. Note that we * don't actually establish an LDAP connection yet; that happens * the first time authentication is requested. */ /* create the details to the pool in st */ l = apr_pcalloc(st->pool, sizeof(util_ldap_connection_t)); apr_thread_mutex_create(&l->lock, APR_THREAD_MUTEX_DEFAULT, st->pool); apr_thread_mutex_lock(l->lock); l->pool = st->pool; l->bound = 0; l->host = apr_pstrdup(st->pool, host); l->port = port; l->deref = deref; l->binddn = apr_pstrdup(st->pool, binddn); l->bindpw = apr_pstrdup(st->pool, bindpw); l->netscapessl = netscapessl; l->starttls = starttls; l->withtls = 0; if (p) { p->next = l; } else { st->connections = l; } } apr_thread_mutex_unlock(st->mutex); return l; } /* ------------------------------------------------------------------ */ /* * Compares two DNs to see if they're equal. The only way to do this correctly is to * search for the dn and then do ldap_get_dn() on the result. This should match the * initial dn, since it would have been also retrieved with ldap_get_dn(). This is * expensive, so if the configuration value compare_dn_on_server is * false, just does an ordinary strcmp. * * The lock for the ldap cache should already be acquired. */ int util_ldap_cache_comparedn(request_rec *r, util_ldap_connection_t *ldc, const char *url, const char *dn, const char *reqdn, int compare_dn_on_server) { int result = 0; util_url_node_t *curl; util_url_node_t curnode; util_dn_compare_node_t *node; util_dn_compare_node_t newnode; int failures = 0; LDAPMessage *res, *entry; char *searchdn; util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(r->server->module_config, &ldap_module); /* read lock this function */ if (!util_ldap_cache_lock) { apr_thread_rwlock_create(&util_ldap_cache_lock, st->pool); } /* get cache entry (or create one) */ apr_thread_rwlock_wrlock(util_ldap_cache_lock); curnode.url = url; curl = util_ald_cache_fetch(util_ldap_cache, &curnode); if (curl == NULL) { curl = util_ald_create_caches(st, url); } apr_thread_rwlock_unlock(util_ldap_cache_lock); /* a simple compare? */ if (!compare_dn_on_server) { /* unlock this read lock */ if (strcmp(dn, reqdn)) { ldc->reason = "DN Comparison FALSE (direct strcmp())"; return LDAP_COMPARE_FALSE; } else { ldc->reason = "DN Comparison TRUE (direct strcmp())"; return LDAP_COMPARE_TRUE; } } /* no - it's a server side compare */ apr_thread_rwlock_rdlock(util_ldap_cache_lock); /* is it in the compare cache? */ newnode.reqdn = (char *)reqdn; node = util_ald_cache_fetch(curl->dn_compare_cache, &newnode); if (node != NULL) { /* If it's in the cache, it's good */ /* unlock this read lock */ apr_thread_rwlock_unlock(util_ldap_cache_lock); ldc->reason = "DN Comparison TRUE (cached)"; return LDAP_COMPARE_TRUE; } /* unlock this read lock */ apr_thread_rwlock_unlock(util_ldap_cache_lock); start_over: if (failures++ > 10) { /* too many failures */ return result; } /* make a server connection */ if (LDAP_SUCCESS != (result = util_ldap_connection_open(ldc))) { /* connect to server failed */ return result; } /* search for reqdn */ if ((result = ldap_search_ext_s(ldc->ldap, const_cast(reqdn), LDAP_SCOPE_BASE, "(objectclass=*)", NULL, 1, NULL, NULL, NULL, -1, &res)) == LDAP_SERVER_DOWN) { util_ldap_connection_close(ldc); ldc->reason = "DN Comparison ldap_search_ext_s() failed with server down"; goto start_over; } if (result != LDAP_SUCCESS) { /* search for reqdn failed - no match */ ldc->reason = "DN Comparison ldap_search_ext_s() failed"; return result; } entry = ldap_first_entry(ldc->ldap, res); searchdn = ldap_get_dn(ldc->ldap, entry); ldap_msgfree(res); if (strcmp(dn, searchdn) != 0) { /* compare unsuccessful */ ldc->reason = "DN Comparison FALSE (checked on server)"; result = LDAP_COMPARE_FALSE; } else { /* compare successful - add to the compare cache */ apr_thread_rwlock_rdlock(util_ldap_cache_lock); newnode.reqdn = (char *)reqdn; newnode.dn = (char *)dn; util_ald_cache_insert(curl->dn_compare_cache, &newnode); apr_thread_rwlock_unlock(util_ldap_cache_lock); ldc->reason = "DN Comparison TRUE (checked on server)"; result = LDAP_COMPARE_TRUE; } ldap_memfree(searchdn); return result; } /* * Does an generic ldap_compare operation. It accepts a cache that it will use * to lookup the compare in the cache. We cache two kinds of compares * (require group compares) and (require user compares). Each compare has a different * cache node: require group includes the DN; require user does not because the * require user cache is owned by the * */ int util_ldap_cache_compare(request_rec *r, util_ldap_connection_t *ldc, const char *url, const char *dn, const char *attrib, const char *value) { int result = 0; util_url_node_t *curl; util_url_node_t curnode; util_compare_node_t *compare_nodep; util_compare_node_t the_compare_node; apr_time_t curtime; int failures = 0; util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(r->server->module_config, &ldap_module); /* read lock this function */ if (!util_ldap_cache_lock) { apr_thread_rwlock_create(&util_ldap_cache_lock, st->pool); } /* get cache entry (or create one) */ apr_thread_rwlock_wrlock(util_ldap_cache_lock); curnode.url = url; curl = util_ald_cache_fetch(util_ldap_cache, &curnode); if (curl == NULL) { curl = util_ald_create_caches(st, url); } apr_thread_rwlock_unlock(util_ldap_cache_lock); /* make a comparison to the cache */ apr_thread_rwlock_rdlock(util_ldap_cache_lock); curtime = apr_time_now(); the_compare_node.dn = (char *)dn; the_compare_node.attrib = (char *)attrib; the_compare_node.value = (char *)value; the_compare_node.result = 0; compare_nodep = util_ald_cache_fetch(curl->compare_cache, &the_compare_node); if (compare_nodep != NULL) { /* found it... */ if (curtime - compare_nodep->lastcompare > st->compare_cache_ttl) { /* ...but it is too old */ util_ald_cache_remove(curl->compare_cache, compare_nodep); } else { /* ...and it is good */ /* unlock this read lock */ apr_thread_rwlock_unlock(util_ldap_cache_lock); if (LDAP_COMPARE_TRUE == compare_nodep->result) { ldc->reason = "Comparison true (cached)"; return compare_nodep->result; } else if (LDAP_COMPARE_FALSE == compare_nodep->result) { ldc->reason = "Comparison false (cached)"; return compare_nodep->result; } else if (LDAP_NO_SUCH_ATTRIBUTE == compare_nodep->result) { ldc->reason = "Comparison no such attribute (cached)"; return compare_nodep->result; } else { ldc->reason = "Comparison undefined (cached)"; return compare_nodep->result; } } } /* unlock this read lock */ apr_thread_rwlock_unlock(util_ldap_cache_lock); start_over: if (failures++ > 10) { /* too many failures */ return result; } if (LDAP_SUCCESS != (result = util_ldap_connection_open(ldc))) { /* connect failed */ return result; } if ((result = ldap_compare_s(ldc->ldap, const_cast(dn), const_cast(attrib), const_cast(value))) == LDAP_SERVER_DOWN) { /* connection failed - try again */ util_ldap_connection_close(ldc); ldc->reason = "ldap_compare_s() failed with server down"; goto start_over; } ldc->reason = "Comparison complete"; if ((LDAP_COMPARE_TRUE == result) || (LDAP_COMPARE_FALSE == result) || (LDAP_NO_SUCH_ATTRIBUTE == result)) { /* compare completed; caching result */ apr_thread_rwlock_wrlock(util_ldap_cache_lock); the_compare_node.lastcompare = curtime; the_compare_node.result = result; util_ald_cache_insert(curl->compare_cache, &the_compare_node); apr_thread_rwlock_unlock(util_ldap_cache_lock); if (LDAP_COMPARE_TRUE == result) { ldc->reason = "Comparison true (adding to cache)"; return LDAP_COMPARE_TRUE; } else if (LDAP_COMPARE_FALSE == result) { ldc->reason = "Comparison false (adding to cache)"; return LDAP_COMPARE_FALSE; } else { ldc->reason = "Comparison no such attribute (adding to cache)"; return LDAP_NO_SUCH_ATTRIBUTE; } } return result; } int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc, const char *url, const char *basedn, int scope, char **attrs, const char *filter, const char *bindpw, const char **binddn, const char ***retvals) { const char **vals = NULL; int result = 0; LDAPMessage *res, *entry; char *dn; int count; int failures = 0; util_url_node_t *curl; /* Cached URL node */ util_url_node_t curnode; util_search_node_t *search_nodep; /* Cached search node */ util_search_node_t the_search_node; apr_time_t curtime; util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(r->server->module_config, &ldap_module); /* read lock this function */ if (!util_ldap_cache_lock) { apr_thread_rwlock_create(&util_ldap_cache_lock, st->pool); } /* Get the cache node for this url */ apr_thread_rwlock_wrlock(util_ldap_cache_lock); curnode.url = url; curl = (util_url_node_t *)util_ald_cache_fetch(util_ldap_cache, &curnode); if (curl == NULL) { curl = util_ald_create_caches(st, url); } apr_thread_rwlock_unlock(util_ldap_cache_lock); apr_thread_rwlock_rdlock(util_ldap_cache_lock); the_search_node.username = filter; search_nodep = util_ald_cache_fetch(curl->search_cache, &the_search_node); if (search_nodep != NULL && search_nodep->bindpw) { /* found entry in search cache... */ curtime = apr_time_now(); /* * Remove this item from the cache if its expired, or if the * sent password doesn't match the storepassword. */ if ((curtime - search_nodep->lastbind) > st->search_cache_ttl) { /* ...but entry is too old */ util_ald_cache_remove(curl->search_cache, search_nodep); } else if (strcmp(search_nodep->bindpw, bindpw) != 0) { /* ...but cached password doesn't match sent password */ util_ald_cache_remove(curl->search_cache, search_nodep); } else { /* ...and entry is valid */ *binddn = search_nodep->dn; *retvals = search_nodep->vals; apr_thread_rwlock_unlock(util_ldap_cache_lock); ldc->reason = "Authentication successful (cached)"; return LDAP_SUCCESS; } } /* unlock this read lock */ apr_thread_rwlock_unlock(util_ldap_cache_lock); /* * At this point, there is no valid cached search, so lets do the search. */ /* * If any LDAP operation fails due to LDAP_SERVER_DOWN, control returns here. */ start_over: if (failures++ > 10) { return result; } if (LDAP_SUCCESS != (result = util_ldap_connection_open(ldc))) { return result; } /* try do the search */ if ((result = ldap_search_ext_s(ldc->ldap, basedn, scope, filter, attrs, 0, NULL, NULL, NULL, -1, &res)) == LDAP_SERVER_DOWN) { ldc->reason = "ldap_search_ext_s() for user failed with server down"; goto start_over; } /* if there is an error (including LDAP_NO_SUCH_OBJECT) return now */ if (result != LDAP_SUCCESS) { ldc->reason = "ldap_search_ext_s() for user failed"; return result; } /* * We should have found exactly one entry; to find a different * number is an error. */ count = ldap_count_entries(ldc->ldap, res); if (count != 1) { ldap_msgfree(res); ldc->reason = "User is not unique (search found two or more matches)"; return LDAP_NO_SUCH_OBJECT; } entry = ldap_first_entry(ldc->ldap, res); /* Grab the dn, copy it into the pool, and free it again */ dn = ldap_get_dn(ldc->ldap, entry); *binddn = apr_pstrdup(st->pool, dn); ldap_memfree(dn); /* * A bind to the server with an empty password always succeeds, so * we check to ensure that the password is not empty. This implies * that users who actually do have empty passwords will never be * able to authenticate with this module. I don't see this as a big * problem. */ if (strlen(bindpw) <= 0) { ldap_msgfree(res); ldc->reason = "Empty password not allowed"; return LDAP_INVALID_CREDENTIALS; } /* * Attempt to bind with the retrieved dn and the password. If the bind * fails, it means that the password is wrong (the dn obviously * exists, since we just retrieved it) */ if ((result = ldap_simple_bind_s(ldc->ldap, *binddn, bindpw)) == LDAP_SERVER_DOWN) { ldc->reason = "ldap_simple_bind_s() to check user credentials failed with server down"; goto start_over; } /* failure? if so - return */ if (result != LDAP_SUCCESS) { ldc->reason = "ldap_simple_bind_s() to check user credentials failed"; return result; } /* * Get values for the provided attributes. */ if (attrs) { int k = 0; int i = 0; while (attrs[k++]); vals = apr_pcalloc(r->pool, sizeof(char *) * (k+1)); while (attrs[i]) { char **values; int j = 0; char *str = NULL; /* get values */ values = ldap_get_values(ldc->ldap, entry, attrs[i]); while (values && values[j]) { str = str ? apr_pstrcat(r->pool, str, "; ", values[j], NULL) : apr_pstrdup(r->pool, values[j]); j++; } vals[i] = str; i++; } *retvals = vals; } /* * Add the new username to the search cache. */ apr_thread_rwlock_wrlock(util_ldap_cache_lock); the_search_node.username = filter; the_search_node.dn = *binddn; the_search_node.bindpw = bindpw; the_search_node.lastbind = apr_time_now(); the_search_node.vals = vals; util_ald_cache_insert(curl->search_cache, &the_search_node); ldap_msgfree(res); apr_thread_rwlock_unlock(util_ldap_cache_lock); ldc->reason = "Authentication successful"; return LDAP_SUCCESS; } #endif /* APU_HAS_LDAP */ /* ---------------------------------------- */ /* config directives */ static const char *util_ldap_set_cache_bytes(cmd_parms *cmd, void *dummy, const char *bytes) { util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, &ldap_module); st->cache_bytes = atol(bytes); ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, "[%d] ldap cache: Setting shared memory cache size to %d bytes.", getpid(), st->cache_bytes); return NULL; } static const char *util_ldap_set_cache_ttl(cmd_parms *cmd, void *dummy, const char *ttl) { util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, &ldap_module); st->search_cache_ttl = atol(ttl) * 1000000; ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, "[%d] ldap cache: Setting cache TTL to %ld microseconds.", getpid(), st->search_cache_ttl); return NULL; } static const char *util_ldap_set_cache_entries(cmd_parms *cmd, void *dummy, const char *size) { util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, &ldap_module); st->search_cache_size = atol(size); if (st->search_cache_size < 0) { st->search_cache_size = 0; } ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, "[%d] ldap cache: Setting search cache size to %ld entries.", getpid(), st->search_cache_size); return NULL; } static const char *util_ldap_set_opcache_ttl(cmd_parms *cmd, void *dummy, const char *ttl) { util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, &ldap_module); st->compare_cache_ttl = atol(ttl) * 1000000; ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, "[%d] ldap cache: Setting operation cache TTL to %ld microseconds.", getpid(), st->compare_cache_ttl); return NULL; } static const char *util_ldap_set_opcache_entries(cmd_parms *cmd, void *dummy, const char *size) { util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, &ldap_module); st->compare_cache_size = atol(size); if (st->compare_cache_size < 0) { st->compare_cache_size = 0; } ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, "[%d] ldap cache: Setting operation cache size to %ld entries.", getpid(), st->compare_cache_size); return NULL; } #ifdef APU_HAS_LDAPSSL_CLIENT_INIT static const char *util_ldap_set_certdbpath(cmd_parms *cmd, void *dummy, const char *path) { util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config, &ldap_module); ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server, "[%d] ldap cache: Setting LDAP SSL client certificate dbpath to %s.", getpid(), path); st->have_certdb = 1; if (ldapssl_client_init(path, NULL) != 0) { return "Could not initialize SSL client"; } else { return NULL; } } #endif void *util_ldap_create_config(apr_pool_t *p, server_rec *s) { util_ldap_state_t *st = (util_ldap_state_t *)apr_pcalloc(p, sizeof(util_ldap_state_t)); st->pool = p; st->cache_bytes = 100000; st->search_cache_ttl = 600000000; st->search_cache_size = 1024; st->compare_cache_ttl = 600000000; st->compare_cache_size = 1024; st->connections = NULL; #ifdef APU_HAS_LDAP_NETSCAPE_SSL st->have_certdb = 0; #endif return st; } static void util_ldap_init_module(apr_pool_t *pool, server_rec *s) { util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(s->module_config, &ldap_module); apr_status_t result = util_ldap_cache_init(pool, st->cache_bytes); char buf[MAX_STRING_LEN]; apr_strerror(result, buf, sizeof(buf)); ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, result, s, "[%d] ldap cache init: %s", getpid(), buf); } command_rec util_ldap_cmds[] = { AP_INIT_TAKE1("LDAPSharedCacheSize", util_ldap_set_cache_bytes, NULL, RSRC_CONF, "Sets the size of the shared memory cache in bytes. " "Zero means disable the shared memory cache. Defaults to 100KB."), AP_INIT_TAKE1("LDAPCacheEntries", util_ldap_set_cache_entries, NULL, RSRC_CONF, "Sets the maximum number of entries that are possible in the LDAP " "search cache. " "Zero means no limit; -1 disables the cache. Defaults to 1024 entries."), AP_INIT_TAKE1("LDAPCacheTTL", util_ldap_set_cache_ttl, NULL, RSRC_CONF, "Sets the maximum time (in seconds) that an item can be cached in the LDAP " "search cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."), AP_INIT_TAKE1("LDAPOpCacheEntries", util_ldap_set_opcache_entries, NULL, RSRC_CONF, "Sets the maximum number of entries that are possible in the LDAP " "compare cache. " "Zero means no limit; -1 disables the cache. Defaults to 1024 entries."), AP_INIT_TAKE1("LDAPOpCacheTTL", util_ldap_set_opcache_ttl, NULL, RSRC_CONF, "Sets the maximum time (in seconds) that an item is cached in the LDAP " "operation cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."), #ifdef APU_HAS_LDAPSSL_CLIENT_INIT AP_INIT_TAKE1("LDAPCertDBPath", util_ldap_set_certdbpath, NULL, RSRC_CONF, "Specifies the file containing Certificate Authority certificates " "for validating secure LDAP server certificates. This file must be the " "cert7.db database used by Netscape Communicator"), #endif {NULL} }; static void util_ldap_register_hooks(apr_pool_t *p) { ap_hook_child_init(util_ldap_init_module, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_handler(util_ldap_handler, NULL, NULL, APR_HOOK_MIDDLE); } module ldap_module = { STANDARD20_MODULE_STUFF, NULL, /* dir config creater */ NULL, /* dir merger --- default is to override */ util_ldap_create_config, /* server config */ NULL, /* merge server config */ util_ldap_cmds, /* command table */ util_ldap_register_hooks, /* set up request processing hooks */ };