rlm_ldap.c

radius服务器

			radlog(L_ERR, "rlm_ldap: ldap_init() failed");
			*result = RLM_MODULE_FAIL;
			return (NULL);
		}
	}
	if (ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, (void *) &(inst->net_timeout)) != LDAP_OPT_SUCCESS) {
		radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_NETWORK_TIMEOUT %ld.%ld", inst->net_timeout.tv_sec, inst->net_timeout.tv_usec);
	}
	if (ldap_set_option(ld, LDAP_OPT_TIMELIMIT, (void *) &(inst->timelimit)) != LDAP_OPT_SUCCESS) {
		radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_TIMELIMIT %d", inst->timelimit);
	}
	if (inst->ldap_debug && ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &(inst->ldap_debug)) != LDAP_OPT_SUCCESS) {
		radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_DEBUG_LEVEL %d", inst->ldap_debug);
	}
	ldap_version = LDAP_VERSION3;
	if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ldap_version) != LDAP_OPT_SUCCESS) {
		radlog(L_ERR, "rlm_ldap: Could not set LDAP version to V3");
	}
#ifdef HAVE_LDAP_START_TLS
        if(inst->tls_mode) {
		DEBUG("rlm_ldap: setting TLS mode to %d", inst->tls_mode);
        	if(ldap_set_option(ld, LDAP_OPT_X_TLS,
	  	           (void *) &(inst->tls_mode)) != LDAP_OPT_SUCCESS) {
			ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
 			radlog(L_ERR, "rlm_ldap: could not set LDAP_OPT_X_TLS option %s", ldap_err2string(ldap_errno));
		}
	}

	if(inst->tls_cacertfile != NULL) {
		DEBUG("rlm_ldap: setting TLS CACert File to %s", inst->tls_cacertfile);

		if ( ldap_set_option( NULL, LDAP_OPT_X_TLS_CACERTFILE,
							  (void *) inst->tls_cacertfile )
			 != LDAP_OPT_SUCCESS) {
			radlog(L_ERR, "rlm_ldap: could not set "
				   "LDAP_OPT_X_TLS_CACERTFILE option to %s", inst->tls_cacertfile);
		}
	}

	if(inst->tls_cacertdir != NULL) {
		DEBUG("rlm_ldap: setting TLS CACert File to %s", inst->tls_cacertdir);

		if ( ldap_set_option( NULL, LDAP_OPT_X_TLS_CACERTDIR,
							  (void *) inst->tls_cacertdir )
			 != LDAP_OPT_SUCCESS) {
			radlog(L_ERR, "rlm_ldap: could not set "
				   "LDAP_OPT_X_TLS_CACERTDIR option to %s", inst->tls_cacertdir);
		}
	}

	if( strcmp( TLS_DEFAULT_VERIFY, inst->tls_require_cert ) != 0 ) {
		DEBUG("rlm_ldap: setting TLS Require Cert to %s",
			  inst->tls_require_cert);
	}


#ifdef HAVE_INT_TLS_CONFIG

	if ( ldap_int_tls_config( NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
							  (inst->tls_require_cert) )
		 != LDAP_OPT_SUCCESS) {
		radlog(L_ERR, "rlm_ldap: could not set "
			   "LDAP_OPT_X_TLS_REQUIRE_CERT option to %s",
			   inst->tls_require_cert);
	}

#endif

	if(inst->tls_certfile != NULL) {
		DEBUG("rlm_ldap: setting TLS Cert File to %s", inst->tls_certfile);

		if ( ldap_set_option( NULL, LDAP_OPT_X_TLS_CERTFILE,
							  (void *) inst->tls_certfile )
			 != LDAP_OPT_SUCCESS) {
			radlog(L_ERR, "rlm_ldap: could not set "
				   "LDAP_OPT_X_TLS_CERTFILE option to %s",
				   inst->tls_certfile);
		}
	}

	if(inst->tls_keyfile != NULL) {
		DEBUG("rlm_ldap: setting TLS Key File to %s", inst->tls_keyfile);

		if ( ldap_set_option( NULL, LDAP_OPT_X_TLS_KEYFILE,
							  (void *) inst->tls_keyfile )
			 != LDAP_OPT_SUCCESS) {
			radlog(L_ERR, "rlm_ldap: could not set "
				   "LDAP_OPT_X_TLS_KEYFILE option to %s",
				   inst->tls_keyfile);
		}
	}

	if(inst->tls_randfile != NULL) {
		DEBUG("rlm_ldap: setting TLS Key File to %s", inst->tls_randfile);

		if ( ldap_set_option( NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
							  (void *) inst->tls_randfile )
			 != LDAP_OPT_SUCCESS) {
			radlog(L_ERR, "rlm_ldap: could not set "
				   "LDAP_OPT_X_TLS_RANDOM_FILE option to %s",
				   inst->tls_randfile);
		}
	}
	if (inst->start_tls) {
		DEBUG("rlm_ldap: starting TLS");
		rc = ldap_start_tls_s(ld, NULL, NULL);
		if (rc != LDAP_SUCCESS) {
			DEBUG("rlm_ldap: ldap_start_tls_s()");
			ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
			radlog(L_ERR, "rlm_ldap: could not start TLS %s", ldap_err2string(ldap_errno));
			*result = RLM_MODULE_FAIL;
			ldap_unbind_s(ld);
			return (NULL);
		}
	}
#endif /* HAVE_LDAP_START_TLS */

	if (inst->is_url){
		DEBUG("rlm_ldap: bind as %s/%s to %s", dn, password, inst->server);
	}
	else{
		DEBUG("rlm_ldap: bind as %s/%s to %s:%d", dn, password, inst->server, inst->port);
	}
	msgid = ldap_bind(ld, dn, password,LDAP_AUTH_SIMPLE);
	if (msgid == -1) {
		ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
		if (inst->is_url)
			radlog(L_ERR, "rlm_ldap: %s bind to %s failed: %s",
			 	dn, inst->server, ldap_err2string(ldap_errno));
		else
			radlog(L_ERR, "rlm_ldap: %s bind to %s:%d failed: %s",
			 	dn, inst->server, inst->port,
			 	ldap_err2string(ldap_errno));
		*result = RLM_MODULE_FAIL;
		ldap_unbind_s(ld);
		return (NULL);
	}
	DEBUG("rlm_ldap: waiting for bind result ...");

	rc = ldap_result(ld, msgid, 1, &(inst->timeout), &res);

	if(rc < 1) {
		DEBUG("rlm_ldap: ldap_result()");
		ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
		if (inst->is_url)
			radlog(L_ERR, "rlm_ldap: %s bind to %s failed: %s",
				dn, inst->server, (rc == 0) ? "timeout" : ldap_err2string(ldap_errno));
		else
			radlog(L_ERR, "rlm_ldap: %s bind to %s:%d failed: %s",
				dn, inst->server, inst->port,
				(rc == 0) ? "timeout" : ldap_err2string(ldap_errno));
		*result = RLM_MODULE_FAIL;
		ldap_unbind_s(ld);
		return (NULL);
	}
	ldap_errno = ldap_result2error(ld, res, 1);
	switch (ldap_errno) {
	case LDAP_SUCCESS:
		DEBUG("rlm_ldap: Bind was successful");
		*result = RLM_MODULE_OK;
		break;

	case LDAP_INVALID_CREDENTIALS:
		if (auth){
			DEBUG("rlm_ldap: Bind failed with invalid credentials");
			*result = RLM_MODULE_REJECT;
		}
		else {
			radlog(L_ERR, "rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf");
			*result = RLM_MODULE_FAIL;
		}
		break;

	default:
		if (inst->is_url)
			radlog(L_ERR,"rlm_ldap: %s bind to %s failed %s",
				dn, inst->server, ldap_err2string(ldap_errno));
		else
			radlog(L_ERR,"rlm_ldap: %s bind to %s:%d failed %s",
				dn, inst->server, inst->port,
				ldap_err2string(ldap_errno));
		*result = RLM_MODULE_FAIL;
	}

	if (*result != RLM_MODULE_OK) {
		ldap_unbind_s(ld);
		ld = NULL;
	}
	return ld;
}

/*****************************************************************************
 *
 *	Detach from the LDAP server and cleanup internal state.
 *
 *****************************************************************************/
static int
ldap_detach(void *instance)
{
	ldap_instance  *inst = instance;
	TLDAP_RADIUS *pair, *nextpair;

	if (inst->server)
		free((char *) inst->server);
	if (inst->login)
		free((char *) inst->login);
	if (inst->password)
		free((char *) inst->password);
	if (inst->basedn)
		free((char *) inst->basedn);
	if (inst->dictionary_mapping)
		free(inst->dictionary_mapping);
	if (inst->filter)
		free((char *) inst->filter);
	if (inst->base_filter)
		free((char *) inst->base_filter);
	if (inst->passwd_hdr)
		free((char *) inst->passwd_hdr);
	if (inst->passwd_attr)
		free((char *) inst->passwd_attr);
	if (inst->groupname_attr)
		free((char *) inst->groupname_attr);
	if (inst->groupmemb_filt)
		free((char *) inst->groupmemb_filt);
	if (inst->groupmemb_attr)
		free((char *) inst->groupmemb_attr);
	if (inst->access_attr)
		free((char *) inst->access_attr);
	if (inst->profile_attr)
		free((char *) inst->profile_attr);
	if (inst->conns){
		int i=0;

		for(;i<inst->num_conns;i++){
			if (inst->conns[i].ld){
				ldap_unbind_s(inst->conns[i].ld);
			}
			pthread_mutex_destroy(&inst->conns[i].mutex);
		}
		free(inst->conns);
	}

	pair = inst->check_item_map;

	while (pair != NULL) {
		nextpair = pair->next;
		free(pair->attr);
		free(pair->radius_attr);
		free(pair);
		pair = nextpair;
	}

	pair = inst->reply_item_map;

	while (pair != NULL) {
		nextpair = pair->next;
		free(pair->attr);
		free(pair->radius_attr);
		free(pair);
		pair = nextpair;
	}

	if (inst->atts)
		free(inst->atts);

	paircompare_unregister(PW_LDAP_GROUP, ldap_groupcmp);
	xlat_unregister(inst->xlat_name,ldap_xlat);
	free(inst->xlat_name);

	free(inst);

	return 0;
}

#ifdef FIELDCPY
static void
fieldcpy(char *string, char **uptr)
{
	char           *ptr;

	ptr = *uptr;
	while (*ptr == ' ' || *ptr == '\t') {
		ptr++;
	}
	if (*ptr == '"') {
		ptr++;
		while (*ptr != '"' && *ptr != '\0' && *ptr != '\n') {
			*string++ = *ptr++;
		}
		*string = '\0';
		if (*ptr == '"') {
			ptr++;
		}
		*uptr = ptr;
		return;
	}
	while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0' && *ptr != '\n' &&
	       *ptr != '=' && *ptr != ',') {
		*string++ = *ptr++;
	}
	*string = '\0';
	*uptr = ptr;
	return;
}
#endif
/*****************************************************************************
 *	Get RADIUS attributes from LDAP object
 *	( according to draft-adoba-radius-05.txt
 *	  <http://www.ietf.org/internet-drafts/draft-adoba-radius-05.txt> )
 *
 *****************************************************************************/

static VALUE_PAIR *
ldap_pairget(LDAP * ld, LDAPMessage * entry,
	     TLDAP_RADIUS * item_map, VALUE_PAIR **pairs,char is_check)
{
	char          **vals;
	int             vals_count;
	int             vals_idx;
	char           *ptr;
	TLDAP_RADIUS   *element;
	LRAD_TOKEN      token;
	int             is_generic_attribute;
	char            value[256];
	VALUE_PAIR     *pairlist = NULL;
	VALUE_PAIR     *newpair = NULL;

	/* check if there is a mapping from this LDAP attribute to a RADIUS attribute */
	for (element = item_map; element != NULL; element = element->next) {
	if ((vals = ldap_get_values(ld,entry,element->attr)) != NULL){
			/* check whether this is a one-to-one-mapped ldap attribute or a generic
			   attribute and set flag accordingly */

			if (strcasecmp(element->radius_attr, GENERIC_ATTRIBUTE_ID)==0)
				is_generic_attribute = 1;
			else
				is_generic_attribute = 0;

			/* find out how many values there are for the attribute and extract all of them */

			vals_count = ldap_count_values(vals);

			for (vals_idx = 0; vals_idx < vals_count; vals_idx++) {
				ptr = vals[vals_idx];

				if (is_generic_attribute) {
					/* this is a generic attribute */
					LRAD_TOKEN dummy; /* makes pairread happy */

					/* not sure if using pairread here is ok ... */
					if ( (newpair = pairread(&ptr, &dummy)) != NULL) {
						DEBUG("rlm_ldap: extracted attribute %s from generic item %s",
						      newpair->name, vals[vals_idx]);
						pairadd(&pairlist, newpair);
					} else {
						radlog(L_ERR, "rlm_ldap: parsing %s failed: %s",
						       element->attr, vals[vals_idx]);
					}
				} else {
					/* this is a one-to-one-mapped attribute */
					token = gettoken(&ptr, value, sizeof(value) - 1);
					if (token < T_EQSTART || token > T_EQEND) {
						token = (is_check) ? T_OP_CMP_EQ : T_OP_EQ;
					} else {
						gettoken(&ptr, value, sizeof(value) - 1);
					}
					if (value[0] == 0) {
						DEBUG("rlm_ldap: Attribute %s has no value", element->attr);
						break;
					}
					DEBUG("rlm_ldap: Adding %s as %s, value %s & op=%d", element->attr, element->radius_attr, value, token);
						if ((newpair = pairmake(element->radius_attr, value, token)) == NULL)
						continue;
					if (! vals_idx){
						pairdelete(pairs,newpair->attribute);
					}
					pairadd(&pairlist, newpair);
				}
			}
			ldap_value_free(vals);
		}
	}

	return (pairlist);
}

/* globally exported name */
module_t