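/* --- tail of read_ldap_config (); the function begins above this excerpt --- */
          free (defaultBase);
        }
      result->base = passwdBase;
    }
  else
    {
      result->base = defaultBase;
    }

  if (passwdScope != -1)
    {
      result->scope = passwdScope;
    }
  else
    {
      result->scope = defaultScope;
    }

  /* A server address is mandatory: either "host" or, when the library
     supports ldap_initialize(), a "uri". */
  if (result->host == NULL
#ifdef HAVE_LDAP_INITIALIZE
      && result->uri == NULL
#endif
      )
    {
      if (isatty (fileno (stderr)))
        fprintf (stderr, "missing \"host\" in file \"ldap.conf\".\n");
      else
        syslog (LOG_ERR, "missing \"host\" in file \"ldap.conf\"");
      /* NOTE(review): this early return neither closes fp nor frees result,
         unlike the paths below -- an error-path leak left as found. */
      return NULL;
    }

  if (result->groupattr == NULL)
    {
      CHECKPOINTER (result->groupattr = strdup ("uniquemember"));
    }

  /* Default port follows the transport: ldaps:// when SSL_LDAPS was
     requested and the build has TLS support, plain LDAP otherwise. */
  if (result->port == 0)
    {
#if defined(HAVE_LDAP_START_TLS_S)
      if (result->ssl_on == SSL_LDAPS)
        {
          result->port = LDAPS_PORT;
        }
      else
#endif
        result->port = LDAP_PORT;
    }

  fclose (fp);

  /* The root bind password lives in a separate file that is only read
     when we actually run as root; a configured rootbinddn without a
     readable secret file is dropped so no bind is attempted with it. */
  if ((result->rootbinddn != NULL) && (geteuid () == 0))
    {
      fp = fopen (LDAP_PATH_ROOTPASSWD, "r");
      if (fp != NULL)
        {
          if (fgets (b, sizeof (b), fp) != NULL)
            {
              int len;

              len = strlen (b);
              /* strip the trailing newline fgets() keeps */
              if (len > 0 && b[len - 1] == '\n')
                len--;

              b[len] = '\0';
              result->rootbindpw = strdup (b);
            }
          fclose (fp);
        }
      else
        {
          /* save errno before isatty()/fprintf() can clobber it */
          int save_err = errno;

          if (result->rootbinddn)
            {
              free (result->rootbinddn);
              result->rootbinddn = NULL;
            }
          if (isatty (fileno (stderr)))
            fprintf (stderr, "could not open secret file %s (%s)",
                     LDAP_PATH_ROOTPASSWD, strerror (save_err));
          else
            syslog (LOG_WARNING, "could not open secret file %s (%s)",
                    LDAP_PATH_ROOTPASSWD, strerror (save_err));
        }
    }

  /* b may have held the root bind password.  NOTE(review): a plain memset
     of a buffer that is never read again can be elided by the optimizer;
     explicit_bzero()/memset_s() is the robust form.  Assumes b is BUFSIZ
     bytes -- its declaration is outside this excerpt. */
  memset (b, 0, BUFSIZ);

  return result;
}

/**
 * Allocate a zeroed session and load its configuration from configFile.
 *
 * Returns the new session, or NULL with errno set to ENOMEM when the
 * allocation fails, or NULL when read_ldap_config() fails (the partially
 * built session is released first).  The caller owns the result.
 */
ldap_session_t *
create_ldap_session (const char *configFile)
{
  ldap_session_t *session;

  /* calloc() zero-fills, which is what the original malloc()+memset() did */
  session = calloc (1, sizeof (*session));
  if (session == NULL)
    {
      errno = ENOMEM;
      return NULL;
    }

  session->conf = read_ldap_config (configFile);
  if (session->conf == NULL)
    {
      free (session);
      return NULL;
    }

#if LDAP_SET_REBIND_PROC_ARGS < 3
  /* Ugly hack, bad idea, but not possible to solve in another way:
     the two-argument rebind callback has no user pointer, so the
     session is handed to it through a file-scope global. */
  global_session = session;
#endif

  return session;
}

#if defined HAVE_LDAP_START_TLS_S || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
/*
 * Apply one process-global TLS option (ld == NULL) and report a failure
 * the way the rest of this file does (stderr on a tty, syslog otherwise).
 * name is the option's symbolic name and is used only in the log line.
 * Returns LDAP_SUCCESS, or LDAP_OPERATIONS_ERROR when ldap_set_option()
 * rejected the value.
 */
static int
_set_global_tls_option (int option, const void *value, const char *name)
{
  int rc = ldap_set_option (NULL, option, value);

  if (rc != LDAP_SUCCESS)
    {
      if (isatty (fileno (stderr)))
        fprintf (stderr, "ldap_set_option(%s): %s", name, ldap_err2string (rc));
      else
        syslog (LOG_ERR, "ldap_set_option(%s): %s", name, ldap_err2string (rc));
      return LDAP_OPERATIONS_ERROR;
    }

  return LDAP_SUCCESS;
}

/* Some global TLS-specific options need to be set before we create our
 * session context, so we set them here.  Because they are set on the
 * NULL handle they apply to every LDAP handle created afterwards in this
 * process.  The peer-verification mode (tls_checkpeer) is always applied;
 * CA file/dir, cipher suite, client cert and key only when configured.
 * Returns LDAP_SUCCESS or LDAP_OPERATIONS_ERROR on the first failure. */
static int
_set_ssl_default_options (ldap_session_t *session)
{
  int rc;

  /* ca cert file */
  if (session->conf->tls_cacertfile != NULL)
    {
      rc = _set_global_tls_option (LDAP_OPT_X_TLS_CACERTFILE,
                                   session->conf->tls_cacertfile,
                                   "LDAP_OPT_X_TLS_CACERTFILE");
      if (rc != LDAP_SUCCESS)
        return rc;
    }

  /* ca cert directory */
  if (session->conf->tls_cacertdir != NULL)
    {
      rc = _set_global_tls_option (LDAP_OPT_X_TLS_CACERTDIR,
                                   session->conf->tls_cacertdir,
                                   "LDAP_OPT_X_TLS_CACERTDIR");
      if (rc != LDAP_SUCCESS)
        return rc;
    }

  /* require cert?  This is what decides whether the server certificate
     is actually verified, so it is set unconditionally from the config. */
  rc = _set_global_tls_option (LDAP_OPT_X_TLS_REQUIRE_CERT,
                               &session->conf->tls_checkpeer,
                               "LDAP_OPT_X_TLS_REQUIRE_CERT");
  if (rc != LDAP_SUCCESS)
    return rc;

  /* set cipher suite, certificate and private key: */
  if (session->conf->tls_ciphers != NULL)
    {
      rc = _set_global_tls_option (LDAP_OPT_X_TLS_CIPHER_SUITE,
                                   session->conf->tls_ciphers,
                                   "LDAP_OPT_X_TLS_CIPHER_SUITE");
      if (rc != LDAP_SUCCESS)
        return rc;
    }

  if (session->conf->tls_cert != NULL)
    {
      rc = _set_global_tls_option (LDAP_OPT_X_TLS_CERTFILE,
                                   session->conf->tls_cert,
                                   "LDAP_OPT_X_TLS_CERTFILE");
      if (rc != LDAP_SUCCESS)
        return rc;
    }

  if (session->conf->tls_key != NULL)
    {
      rc = _set_global_tls_option (LDAP_OPT_X_TLS_KEYFILE,
                                   session->conf->tls_key,
                                   "LDAP_OPT_X_TLS_KEYFILE");
      if (rc != LDAP_SUCCESS)
        return rc;
    }

  return LDAP_SUCCESS;
}
#endif

#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
/*
 * Rebind callback installed with ldap_set_rebind_proc(): the library calls
 * it when it has to authenticate a new connection on our behalf (in
 * OpenLDAP this happens while chasing referrals).  The identity chosen is,
 * in order: the user we are currently bound as, the root bind DN when
 * running as root, else the configured bind DN -- and those credentials
 * are sent to whatever server the library is rebinding to.  Credentials
 * are borrowed from the session, not copied.  Returns the result of the
 * synchronous simple bind.
 */
#if LDAP_SET_REBIND_PROC_ARGS == 3
static int
_rebind_proc (LDAP * ld,
              LDAP_CONST char *url __attribute__ ((unused)),
              ber_tag_t request __attribute__ ((unused)),
              ber_int_t msgid __attribute__ ((unused)), void *arg)
#else
static int
_rebind_proc (LDAP * ld,
              LDAP_CONST char *url __attribute__ ((unused)),
              int request __attribute__ ((unused)),
              ber_int_t msgid __attribute__ ((unused)))
#endif
{
#if LDAP_SET_REBIND_PROC_ARGS == 3
  ldap_session_t *session = (ldap_session_t *) arg;
#else
  /* ugly hack: no user pointer in this callback signature */
  ldap_session_t *session = global_session;
#endif
  char *who, *cred;

  if (session->bind != NULL && session->bind->bound_as_user == 1)
    {
      who = session->bind->dn;
      cred = session->bind->pw;
    }
  else
    {
      if (session->conf->rootbinddn != NULL && geteuid () == 0)
        {
          who = session->conf->rootbinddn;
          cred = session->conf->rootbindpw;
        }
      else
        {
          who = session->conf->binddn;
          cred = session->conf->bindpw;
        }
    }

  return ldap_simple_bind_s (ld, who, cred);
}
#else
/*
 * Rebind callback for the older (non-OpenLDAP) API: instead of binding
 * itself it hands back heap copies of the DN and password to use, and is
 * called again with freeit set so we can release (and scrub) them.  The
 * identity selection order is the same as the OpenLDAP variant above.
 * Always returns LDAP_SUCCESS; a NULL *whop / *credp means anonymous.
 */
#if LDAP_SET_REBIND_PROC_ARGS == 3
static int
_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp,
              int freeit, void *arg)
#else
static int
_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
#endif
{
#if LDAP_SET_REBIND_PROC_ARGS == 3
  ldap_session_t *session = (ldap_session_t *) arg;
#else
  /* ugly hack: no user pointer in this callback signature */
  ldap_session_t *session = global_session;
#endif

  if (freeit)
    {
      /* the password copy is overwritten before it is freed */
      _pam_drop (*whop);
      _pam_overwrite (*credp);
      _pam_drop (*credp);
      return LDAP_SUCCESS;
    }

  if (session->bind != NULL && session->bind->bound_as_user == 1)
    {
      /*
       * We're authenticating as a user.  Guard the strdup()s like the
       * other branches do; strdup(NULL) is undefined behaviour.
       */
      *whop = session->bind->dn != NULL ? strdup (session->bind->dn) : NULL;
      *credp = session->bind->pw != NULL ? strdup (session->bind->pw) : NULL;
    }
  else
    {
      if (session->conf->rootbinddn != NULL && geteuid () == 0)
        {
          *whop = strdup (session->conf->rootbinddn);
          *credp = session->conf->rootbindpw != NULL
            ? strdup (session->conf->rootbindpw) : NULL;
        }
      else
        {
          *whop = session->conf->binddn != NULL
            ? strdup (session->conf->binddn) : NULL;
          *credp = session->conf->bindpw != NULL
            ? strdup (session->conf->bindpw) : NULL;
        }
    }

  *methodp = LDAP_AUTH_SIMPLE;
  return LDAP_SUCCESS;
}
#endif

/**
 * Create and configure the LDAP handle for session (session->ld) from
 * session->conf: global TLS defaults, the connection (URI, or host/port),
 * ldaps:// mode, protocol version, rebind callback, deref/time limit,
 * referral and restart flags, and finally StartTLS when requested.
 *
 * Returns 0 on success.  On failure returns 1 when no handle could be
 * created, otherwise the LDAP result code of the failing step.  Every TLS
 * failure fails closed: the handle is torn down and session->ld is left
 * NULL, so a later caller cannot silently reuse a non-TLS connection.
 */
int
open_ldap_session (ldap_session_t *session)
{
  int rc;

#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
  /* set defaults for global TLS-related options; if they cannot be
     applied the administrator's CA / peer-check / cert settings are not
     in effect, so do not connect at all. */
  rc = _set_ssl_default_options (session);
  if (rc != LDAP_SUCCESS)
    return rc;
#endif

#ifdef HAVE_LDAP_INITIALIZE
  if (session->conf->uri != NULL)
    {
      rc = ldap_initialize (&session->ld, session->conf->uri);
      if (rc != LDAP_SUCCESS)
        {
          if (isatty (fileno (stderr)))
            fprintf (stderr, "ldap_initialize %s", ldap_err2string (rc));
          else
            syslog (LOG_ERR, "ldap_initialize %s", ldap_err2string (rc));
          return rc;
        }
    }
  else
    {
#endif /* HAVE_LDAP_INITIALIZE */
#ifdef HAVE_LDAP_INIT
      session->ld = ldap_init (session->conf->host, session->conf->port);
#else
      session->ld = ldap_open (session->conf->host, session->conf->port);
#endif /* HAVE_LDAP_INIT */
#ifdef HAVE_LDAP_INITIALIZE
    }
  /* (the closing brace belongs to the else above; without this guard the
     function did not compile when HAVE_LDAP_INITIALIZE was undefined) */
#endif /* HAVE_LDAP_INITIALIZE */

  if (session->ld == NULL)
    return 1;

#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
  if (session->conf->ssl_on == SSL_LDAPS)
    {
      int tls = LDAP_OPT_X_TLS_HARD;

      rc = ldap_set_option (session->ld, LDAP_OPT_X_TLS, &tls);
      if (rc != LDAP_SUCCESS)
        {
          if (isatty (fileno (stderr)))
            fprintf (stderr, "ldap_set_option(LDAP_OPT_X_TLS) %s",
                     ldap_err2string (rc));
          else
            syslog (LOG_ERR, "ldap_set_option(LDAP_OPT_X_TLS) %s",
                    ldap_err2string (rc));
          /* do not leave a handle that is not in ldaps mode behind */
          ldap_unbind (session->ld);
          session->ld = NULL;
          return rc;
        }
    }
#endif /* LDAP_OPT_X_TLS */

#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
  ldap_set_option (session->ld, LDAP_OPT_PROTOCOL_VERSION,
                   &session->conf->version);
#else
  session->ld->ld_version = session->conf->version;
#endif

#if LDAP_SET_REBIND_PROC_ARGS == 3
  ldap_set_rebind_proc (session->ld, _rebind_proc, (void *) session);
#elif LDAP_SET_REBIND_PROC_ARGS == 2
  ldap_set_rebind_proc (session->ld, _rebind_proc);
#endif

#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
  ldap_set_option (session->ld, LDAP_OPT_DEREF, &session->conf->deref);
#else
  session->ld->ld_deref = session->conf->deref;
#endif

#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
  ldap_set_option (session->ld, LDAP_OPT_TIMELIMIT,
                   &session->conf->timelimit);
#else
  session->ld->ld_timelimit = session->conf->timelimit;
#endif

#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
  ldap_set_option (session->ld, LDAP_OPT_REFERRALS,
                   session->conf->referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
#endif

#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
  ldap_set_option (session->ld, LDAP_OPT_RESTART,
                   session->conf->restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
#endif

#ifdef HAVE_LDAP_START_TLS_S
  if (session->conf->ssl_on == SSL_START_TLS)
    {
      int version = 0;

      /* StartTLS needs LDAPv3; raise the handle's version if it is lower.
         Previously a failure to read or set the version silently skipped
         StartTLS and this function still returned success with a
         plaintext handle -- now it is an error like any other TLS failure. */
      rc = ldap_get_option (session->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
      if (rc == LDAP_SUCCESS && version < LDAP_VERSION3)
        {
          version = LDAP_VERSION3;
          rc = ldap_set_option (session->ld, LDAP_OPT_PROTOCOL_VERSION,
                                &version);
        }
      if (rc != LDAP_SUCCESS)
        rc = LDAP_OPERATIONS_ERROR;
      else
        rc = ldap_start_tls_s (session->ld, NULL, NULL);

      if (rc != LDAP_SUCCESS)
        {
          if (isatty (fileno (stderr)))
            fprintf (stderr, "ldap_starttls_s: %s", ldap_err2string (rc));
          else
            syslog (LOG_ERR, "ldap_starttls_s: %s", ldap_err2string (rc));
          /* fail closed: the config asked for TLS, so the un-upgraded
             handle must not survive for later plaintext use */
          ldap_unbind (session->ld);
          session->ld = NULL;
          return rc;
        }
    }
#endif /* HAVE_LDAP_START_TLS_S */

  return 0;
}

/**
 * Unbind and drop the session's LDAP handle (no-op when there is none).
 * The configuration and bind state hang off session and are not released
 * here.  Always returns 0.
 */
int
close_ldap_session (ldap_session_t *session)
{
  if (session->ld != NULL)
    {
      ldap_unbind (session->ld);
      session->ld = NULL;
    }

  /* XXX free all the other stuff, too. */
  return 0;
}

/**
 * For LDAPv2 connections, close and reopen the handle, clearing the
 * bound-as-user marker so the next bind starts from a fresh connection.
 * LDAPv3 connections are left alone.  Returns open_ldap_session()'s
 * result, or 0 when nothing had to be done.
 */
static int
reopen_ldap_session (ldap_session_t *session)
{
  /* FYI: V3 lets us avoid five unneeded binds in a password change */
  if (session->conf->version == LDAP_VERSION2)
    {
      close_ldap_session (session);
      if (session->bind != NULL)
        session->bind->bound_as_user = 0;
      return open_ldap_session (session);
    }

  return 0;
}

/* --- head of connect_as_nobody (); its body continues past this excerpt --- */
static int
connect_as_nobody (ldap_session_t *session)
{
  int rc;
  int msgid;
  struct timeval timeout;
  LDAPMessage *result;

  /* open lazily; open_ldap_session() leaves ld NULL on any TLS failure,
     so a failed open is never mistaken for a usable connection here */
  if (session->ld == NULL)
    {
      rc = open_ldap_session (session);
      if (rc != 0)
        return rc;
    }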