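if (st->cert_auth_file
    && ((rv = apr_stat (&finfo, st->cert_auth_file, APR_FINFO_MIN,
                        cmd->pool)) != APR_SUCCESS)) {
    ap_log_error(APLOG_MARK, APLOG_ERR, rv, cmd->server,
                 "LDAP: Could not open SSL trusted certificate authority file - %s",
                 st->cert_auth_file == NULL ? file : st->cert_auth_file);
    return "Invalid file path";
}
return(NULL);
}

/*
 * LDAPTrustedCAType directive handler (server scope only).
 *
 * Maps the directive argument onto st->cert_file_type. Only the three
 * documented spellings are accepted; any other value is reported back to
 * the config parser as an error so that a typo cannot silently leave the
 * SSL setup without a usable CA type (previously an unknown value was
 * stored as LDAP_CA_TYPE_UNKNOWN and only surfaced later as a non-fatal
 * log line from post_config). The comparison is case-sensitive, as before.
 *
 * Returns NULL on success, or an error string for the config parser.
 */
static const char *util_ldap_set_cert_type(cmd_parms *cmd, void *dummy,
                                           const char *Type)
{
    util_ldap_state_t *st = (util_ldap_state_t *)
        ap_get_module_config(cmd->server->module_config, &ldap_module);
    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);

    if (err != NULL) {
        return err;
    }

    ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
                 "LDAP: SSL trusted certificate authority file type - %s", Type);

    if (0 == strcmp("DER_FILE", Type)) {
        st->cert_file_type = LDAP_CA_TYPE_DER;
    }
    else if (0 == strcmp("BASE64_FILE", Type)) {
        st->cert_file_type = LDAP_CA_TYPE_BASE64;
    }
    else if (0 == strcmp("CERT7_DB_PATH", Type)) {
        st->cert_file_type = LDAP_CA_TYPE_CERT7_DB;
    }
    else {
        st->cert_file_type = LDAP_CA_TYPE_UNKNOWN;
        return "LDAPTrustedCAType must be one of DER_FILE, BASE64_FILE or CERT7_DB_PATH";
    }

    return(NULL);
}

/*
 * LDAPConnectionTimeout directive handler (server scope only).
 *
 * Parses the argument as a whole number of seconds into
 * st->connectionTimeout. strtol() is used instead of atol() so that a
 * non-numeric, partially numeric or overflowing argument is rejected
 * rather than silently becoming 0 (atol() returns 0 for garbage).
 * Negative values are passed through unchanged: the connection code that
 * consumes this field is not in this part of the file and may give them a
 * meaning (e.g. "leave the SDK default") -- TODO confirm before tightening.
 * On SDKs without LDAP_OPT_NETWORK_TIMEOUT the value is not stored and a
 * notice is logged, as before.
 *
 * Returns NULL on success, or an error string for the config parser.
 */
static const char *util_ldap_set_connection_timeout(cmd_parms *cmd, void *dummy,
                                                    const char *ttl)
{
    util_ldap_state_t *st = (util_ldap_state_t *)
        ap_get_module_config(cmd->server->module_config, &ldap_module);
    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
#ifdef LDAP_OPT_NETWORK_TIMEOUT
    char *end;
    long seconds;
#endif

    if (err != NULL) {
        return err;
    }

#ifdef LDAP_OPT_NETWORK_TIMEOUT
    errno = 0;
    seconds = strtol(ttl, &end, 10);
    if (end == ttl || *end != '\0' || errno == ERANGE) {
        return "LDAPConnectionTimeout must be a whole number of seconds";
    }
    st->connectionTimeout = seconds;
    ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, cmd->server,
                 "[%d] ldap connection: Setting connection timeout to %ld seconds.",
                 getpid(), st->connectionTimeout);
#else
    ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server,
                 "LDAP: Connection timout option not supported by the LDAP SDK in use." );
#endif
    return NULL;
}

/*
 * Per-server config constructor; runs before any LDAP* directive is seen.
 *
 * Allocates a zeroed util_ldap_state_t and fills in the defaults that the
 * directive handlers above may later override. apr_pcalloc() already
 * zeroes the struct, so only the non-zero defaults strictly need setting;
 * the NULL/0 stores are kept so the defaults are explicit in one place.
 */
void *util_ldap_create_config(apr_pool_t *p, server_rec *s)
{
    util_ldap_state_t *cfg = apr_pcalloc(p, sizeof(*cfg));

    cfg->pool = p;

    /* cache defaults: 100KB of shm, 1024 entries per cache, and a TTL of
     * 600000000 per cache (600 s in microseconds, matching the documented
     * "600 seconds" default of LDAPCacheTTL / LDAPOpCacheTTL) */
    cfg->cache_bytes        = 100000;
    cfg->search_cache_size  = 1024;
    cfg->search_cache_ttl   = 600000000;
    cfg->compare_cache_size = 1024;
    cfg->compare_cache_ttl  = 600000000;

    /* no connections, no CA material and no SSL until post_config decides */
    cfg->connections    = NULL;
    cfg->cert_auth_file = NULL;
    cfg->cert_file_type = LDAP_CA_TYPE_UNKNOWN;
    cfg->ssl_support    = 0;

    /* documented default of LDAPConnectionTimeout */
    cfg->connectionTimeout = 10;

    return cfg;
}

/*
 * Pool cleanup registered by post_config (for the parent pool and, via
 * the child-cleanup slot, the child pools).
 *
 * Tears down the Novell SDK's process-wide SSL state if post_config
 * initialised it; other SDKs need nothing here. Always reports success.
 */
static apr_status_t util_ldap_cleanup_module(void *data)
{
#if APR_HAS_LDAP_SSL && APR_HAS_NOVELL_LDAPSDK
    server_rec *server = data;
    util_ldap_state_t *cfg = (util_ldap_state_t *)
        ap_get_module_config(server->module_config, &ldap_module);

    if (cfg->ssl_support) {
        ldapssl_client_deinit();
    }
#endif
    return APR_SUCCESS;
}

/*
 * Create the lock file used by the cache mutex when no LDAPSharedCacheFile
 * is configured, and store its path in st->lock_file.
 *
 * The previous implementation used tmpnam(): its name is predictable and
 * the file was only created later by apr_global_mutex_create(), which
 * leaves the classic temp-file race (a local user can pre-create or
 * symlink the path in the interval, and most compilers warn that tmpnam
 * is unsafe). apr_file_mktemp() creates the file atomically with O_EXCL
 * under a random name in the system temp directory. The descriptor is
 * closed again straight away -- the file itself is kept (no
 * APR_DELONCLOSE) because the mutex code reopens it by path.
 *
 * Returns APR_SUCCESS, or an error status that has already been logged.
 */
static apr_status_t util_ldap_create_lock_file(util_ldap_state_t *st,
                                               server_rec *s)
{
    const char *tmpdir;
    char *path;
    apr_file_t *fd;
    apr_status_t rv;

    rv = apr_temp_dir_get(&tmpdir, st->pool);
    if (rv != APR_SUCCESS) {
        ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
                     "LDAP cache: could not locate a temporary directory for the lock file");
        return rv;
    }

    /* apr_file_mktemp() rewrites the XXXXXX in place, so the template must
     * be a writable copy; apr_pstrcat() returns one. */
    path = apr_pstrcat(st->pool, tmpdir, "/ldap-cache-lock.XXXXXX", NULL);
    rv = apr_file_mktemp(&fd, path,
                         APR_CREATE | APR_READ | APR_WRITE | APR_EXCL,
                         st->pool);
    if (rv != APR_SUCCESS) {
        ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
                     "LDAP cache: could not create lock file %s", path);
        return rv;
    }
    apr_file_close(fd);

    st->lock_file = path;
    return APR_SUCCESS;
}

/*
 * post_config hook.
 *
 * httpd runs post_config twice. The first pass (detected through the
 * "util_ldap_init" userdata key on the process pool) only removes a stale
 * shared-memory cache file and its .lck companion, since the pools of
 * that pass are thrown away. The second pass:
 *   - creates the shared cache (unless LDAPSharedCacheSize is 0) and the
 *     global mutex protecting it, then copies the cache handles and the
 *     lock-file path into every virtual host's config;
 *   - logs which LDAP SDK this build uses;
 *   - registers util_ldap_cleanup_module on the config pool;
 *   - initialises the SDK's SSL trust store from LDAPTrustedCA /
 *     LDAPTrustedCAType where the SDK supports it, recording the outcome
 *     in st->ssl_support (a failure is logged but is not fatal, because
 *     consumers may never ask for SSL).
 *
 * Returns OK, or a non-OK status when the lock file or mutex cannot be
 * created (httpd then aborts startup).
 */
static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog,
                                 apr_pool_t *ptemp, server_rec *s)
{
    int rc = LDAP_SUCCESS;
    apr_status_t result;
    char buf[MAX_STRING_LEN];
    server_rec *s_vhost;
    util_ldap_state_t *st_vhost;
    util_ldap_state_t *st = (util_ldap_state_t *)
        ap_get_module_config(s->module_config, &ldap_module);
    void *data;
    const char *userdata_key = "util_ldap_init";

    /* util_ldap_post_config() will be called twice. Don't bother
     * going through all of the initialization on the first call
     * because it will just be thrown away. */
    apr_pool_userdata_get(&data, userdata_key, s->process->pool);
    if (!data) {
        apr_pool_userdata_set((const void *)1, userdata_key,
                              apr_pool_cleanup_null, s->process->pool);
#if APR_HAS_SHARED_MEMORY
        /* If the cache file already exists then delete it. Otherwise we are
         * going to run into problems creating the shared memory. Removal
         * failures are deliberately ignored: the file normally does not exist. */
        if (st->cache_file) {
            char *lck_file = apr_pstrcat(st->pool, st->cache_file, ".lck", NULL);
            apr_file_remove(st->cache_file, ptemp);
            apr_file_remove(lck_file, ptemp);
        }
#endif
        return OK;
    }

#if APR_HAS_SHARED_MEMORY
    /* initializing cache if shared memory size is not zero and we already
     * don't have shm address */
    if (!st->cache_shm && st->cache_bytes > 0) {
#endif
        /* A failed cache init is logged but not fatal; the mutex below is
         * still created so the lock-file bookkeeping stays consistent. */
        result = util_ldap_cache_init(p, st);
        if (result != APR_SUCCESS) {
            apr_strerror(result, buf, sizeof(buf));
            ap_log_error(APLOG_MARK, APLOG_ERR, result, s,
                         "LDAP cache: error while creating a shared memory segment: %s",
                         buf);
        }

#if APR_HAS_SHARED_MEMORY
        if (st->cache_file) {
            st->lock_file = apr_pstrcat(st->pool, st->cache_file, ".lck", NULL);
        }
        else
#endif
        {
            /* no configured cache file: atomically create a private one */
            result = util_ldap_create_lock_file(st, s);
            if (result != APR_SUCCESS) {
                return result;
            }
        }

        result = apr_global_mutex_create(&st->util_ldap_cache_lock,
                                         st->lock_file, APR_LOCK_DEFAULT,
                                         st->pool);
        if (result != APR_SUCCESS) {
            /* previously returned silently; say which path failed */
            ap_log_error(APLOG_MARK, APLOG_CRIT, result, s,
                         "LDAP cache: failed to create global mutex %s",
                         st->lock_file);
            return result;
        }

#ifdef UTIL_LDAP_SET_MUTEX_PERMS
        /* let the (unprivileged) children open the mutex */
        result = unixd_set_global_mutex_perms(st->util_ldap_cache_lock);
        if (result != APR_SUCCESS) {
            ap_log_error(APLOG_MARK, APLOG_CRIT, result, s,
                         "LDAP cache: failed to set mutex permissions");
            return result;
        }
#endif

        /* merge config in all vhost */
        /* NOTE(review): only the lock-file path is propagated, not the
         * util_ldap_cache_lock handle; whether the vhost configs are ever
         * used to lock the cache is not visible here -- confirm. */
        s_vhost = s->next;
        while (s_vhost) {
            st_vhost = (util_ldap_state_t *)
                ap_get_module_config(s_vhost->module_config, &ldap_module);
#if APR_HAS_SHARED_MEMORY
            st_vhost->cache_shm = st->cache_shm;
            st_vhost->cache_rmm = st->cache_rmm;
            st_vhost->cache_file = st->cache_file;
            ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, result, s,
                         "LDAP merging Shared Cache conf: shm=0x%pp rmm=0x%pp for VHOST: %s",
                         st->cache_shm, st->cache_rmm, s_vhost->server_hostname);
#endif
            st_vhost->lock_file = st->lock_file;
            s_vhost = s_vhost->next;
        }
#if APR_HAS_SHARED_MEMORY
    }
    else {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                     "LDAP cache: LDAPSharedCacheSize is zero, disabling shared memory cache");
    }
#endif

    /* log the LDAP SDK used */
#if APR_HAS_NETSCAPE_LDAPSDK
    ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
                 "LDAP: Built with Netscape LDAP SDK" );
#elif APR_HAS_NOVELL_LDAPSDK
    ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
                 "LDAP: Built with Novell LDAP SDK" );
#elif APR_HAS_OPENLDAP_LDAPSDK
    ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
                 "LDAP: Built with OpenLDAP LDAP SDK" );
#elif APR_HAS_MICROSOFT_LDAPSDK
    ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
                 "LDAP: Built with Microsoft LDAP SDK" );
#else
    ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
                 "LDAP: Built with unknown LDAP SDK" );
#endif /* APR_HAS_NETSCAPE_LDAPSDK */

    /* same function for parent and child cleanup; see util_ldap_cleanup_module */
    apr_pool_cleanup_register(p, s, util_ldap_cleanup_module,
                              util_ldap_cleanup_module);

    /* initialize SSL support if requested */
    if (st->cert_auth_file) {
#if APR_HAS_LDAP_SSL /* compiled with ssl support */

#if APR_HAS_NETSCAPE_LDAPSDK
        /* Netscape sdk only supports a cert7.db file */
        if (st->cert_file_type == LDAP_CA_TYPE_CERT7_DB) {
            rc = ldapssl_client_init(st->cert_auth_file, NULL);
        }
        else {
            ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s,
                         "LDAP: Invalid LDAPTrustedCAType directive - "
                         "CERT7_DB_PATH type required");
            rc = -1;
        }

#elif APR_HAS_NOVELL_LDAPSDK
        /* Novell SDK supports DER or BASE64 files; the trust store is
         * process-wide, so undo the init if adding the CA fails */
        if (st->cert_file_type == LDAP_CA_TYPE_DER ||
            st->cert_file_type == LDAP_CA_TYPE_BASE64 ) {
            rc = ldapssl_client_init(NULL, NULL);
            if (LDAP_SUCCESS == rc) {
                if (st->cert_file_type == LDAP_CA_TYPE_BASE64) {
                    rc = ldapssl_add_trusted_cert(st->cert_auth_file,
                                                  LDAPSSL_CERT_FILETYPE_B64);
                }
                else {
                    rc = ldapssl_add_trusted_cert(st->cert_auth_file,
                                                  LDAPSSL_CERT_FILETYPE_DER);
                }
                if (LDAP_SUCCESS != rc) {
                    ldapssl_client_deinit();
                }
            }
        }
        else {
            ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s,
                         "LDAP: Invalid LDAPTrustedCAType directive - "
                         "DER_FILE or BASE64_FILE type required");
            rc = -1;
        }

#elif APR_HAS_OPENLDAP_LDAPSDK
        /* OpenLDAP SDK supports BASE64 files */
        /* NOTE(review): only the CA file is set here. Whether the peer
         * certificate is actually *required* to verify against it depends
         * on the SDK's TLS_REQCERT setting (ldap.conf / LDAP_OPT_X_TLS_
         * REQUIRE_CERT), which this file does not set -- confirm the
         * effective default in the target OpenLDAP build. */
        if (st->cert_file_type == LDAP_CA_TYPE_BASE64) {
            rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
                                 st->cert_auth_file);
        }
        else {
            ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s,
                         "LDAP: Invalid LDAPTrustedCAType directive - "
                         "BASE64_FILE type required");
            rc = -1;
        }

#elif APR_HAS_MICROSOFT_LDAPSDK
        /* Microsoft SDK use the registry certificate store - always
         * assume support is always available */
        rc = LDAP_SUCCESS;

#else
        rc = -1;
#endif /* APR_HAS_NETSCAPE_LDAPSDK */

#else  /* not compiled with SSL Support */
        ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
                     "LDAP: Not built with SSL support." );
        rc = -1;
#endif /* APR_HAS_LDAP_SSL */

        if (LDAP_SUCCESS == rc) {
            st->ssl_support = 1;
        }
        else {
            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                         "LDAP: SSL initialization failed");
            st->ssl_support = 0;
        }
    }

    /* The Microsoft SDK uses the registry certificate store -
     * always assume support is available (even without LDAPTrustedCA) */
#if APR_HAS_MICROSOFT_LDAPSDK
    st->ssl_support = 1;
#endif

    /* log SSL status - If SSL isn't available it isn't necessarily
     * an error because the modules asking for LDAP connections
     * may not ask for SSL support */
    if (st->ssl_support) {
        ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
                     "LDAP: SSL support available" );
    }
    else {
        ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
                     "LDAP: SSL support unavailable" );
    }

    return(OK);
}

/*
 * child_init hook: re-attach the cache mutex created by post_config in
 * each child process.
 *
 * When post_config created no mutex (cache disabled, or only the first
 * config pass ran) there is nothing to attach and the hook returns at
 * once. A failed attach is logged at CRIT but is otherwise not handled
 * here -- the child keeps running, as before.
 */
static void util_ldap_child_init(apr_pool_t *p, server_rec *s)
{
    util_ldap_state_t *cfg = ap_get_module_config(s->module_config, &ldap_module);
    apr_status_t rv;

    if (!cfg->util_ldap_cache_lock) {
        return;
    }

    rv = apr_global_mutex_child_init(&cfg->util_ldap_cache_lock,
                                     cfg->lock_file, p);
    if (rv == APR_SUCCESS) {
        ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, s,
                     "Initialisation of global mutex %s in child process %"
                     APR_PID_T_FMT " successful.",
                     cfg->lock_file, getpid());
    }
    else {
        ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
                     "Failed to initialise global mutex %s in child process %"
                     APR_PID_T_FMT ".",
                     cfg->lock_file, getpid());
    }
}

/*
 * Directive table. Every directive is server-scope (RSRC_CONF) and each
 * handler additionally enforces GLOBAL_ONLY, so none of them may appear
 * inside a <VirtualHost>; post_config copies the resulting state into the
 * virtual hosts.
 */
command_rec util_ldap_cmds[] = {
    /* shared-memory cache sizing and backing file */
    AP_INIT_TAKE1("LDAPSharedCacheSize", util_ldap_set_cache_bytes, NULL,
                  RSRC_CONF,
                  "Sets the size of the shared memory cache in bytes. "
                  "Zero means disable the shared memory cache. Defaults to 100KB."),

    AP_INIT_TAKE1("LDAPSharedCacheFile", util_ldap_set_cache_file, NULL,
                  RSRC_CONF,
                  "Sets the file of the shared memory cache."
                  "Nothing means disable the shared memory cache."),

    /* search (lookup) cache limits */
    AP_INIT_TAKE1("LDAPCacheEntries", util_ldap_set_cache_entries, NULL,
                  RSRC_CONF,
                  "Sets the maximum number of entries that are possible in the LDAP "
                  "search cache. "
                  "Zero means no limit; -1 disables the cache. Defaults to 1024 entries."),

    AP_INIT_TAKE1("LDAPCacheTTL", util_ldap_set_cache_ttl, NULL,
                  RSRC_CONF,
                  "Sets the maximum time (in seconds) that an item can be cached in the LDAP "
                  "search cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."),

    /* compare (operation) cache limits */
    AP_INIT_TAKE1("LDAPOpCacheEntries", util_ldap_set_opcache_entries, NULL,
                  RSRC_CONF,
                  "Sets the maximum number of entries that are possible in the LDAP "
                  "compare cache. "
                  "Zero means no limit; -1 disables the cache. Defaults to 1024 entries."),

    AP_INIT_TAKE1("LDAPOpCacheTTL", util_ldap_set_opcache_ttl, NULL,
                  RSRC_CONF,
                  "Sets the maximum time (in seconds) that an item is cached in the LDAP "
                  "operation cache. Zero means no limit. Defaults to 600 seconds (10 minutes)."),

    /* SSL trust anchors; which types are usable depends on the LDAP SDK
     * (see util_ldap_post_config) */
    AP_INIT_TAKE1("LDAPTrustedCA", util_ldap_set_cert_auth, NULL,
                  RSRC_CONF,
                  "Sets the file containing the trusted Certificate Authority certificate. "
                  "Used to validate the LDAP server certificate for SSL connections."),

    AP_INIT_TAKE1("LDAPTrustedCAType", util_ldap_set_cert_type, NULL,
                  RSRC_CONF,
                  "Specifies the type of the Certificate Authority file. "
                  "The following types are supported: "
                  " DER_FILE - file in binary DER format "
                  " BASE64_FILE - file in Base64 format "
                  " CERT7_DB_PATH - Netscape certificate database file "),

    /* socket-level connect timeout (only honoured on SDKs that define
     * LDAP_OPT_NETWORK_TIMEOUT) */
    AP_INIT_TAKE1("LDAPConnectionTimeout", util_ldap_set_connection_timeout, NULL,
                  RSRC_CONF,
                  "Specifies the LDAP socket connection timeout in seconds. "
                  "Default is 10 seconds. "),

    {NULL}
};

/*
 * Hook registration: post_config creates the cache/mutex/SSL state,
 * child_init re-attaches the mutex per child, and the content handler
 * (util_ldap_handler, defined elsewhere in this file) serves the status page.
 */
static void util_ldap_register_hooks(apr_pool_t *p)
{
    ap_hook_post_config(util_ldap_post_config, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_child_init(util_ldap_child_init, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_handler(util_ldap_handler, NULL, NULL, APR_HOOK_MIDDLE);
}

/*
 * Module record. There is no per-directory config and no server-config
 * merge function: virtual hosts receive the main server's cache state by
 * the explicit copy in util_ldap_post_config instead.
 */
module ldap_module = {
    STANDARD20_MODULE_STUFF,
    NULL,                       /* dir config creater */
    NULL,                       /* dir merger --- default is to override */
    util_ldap_create_config,    /* server config */
    NULL,                       /* merge server config */
    util_ldap_cmds,             /* command table */
    util_ldap_register_hooks,   /* set up request processing hooks */
};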