/* Tail of a bind routine whose head precedes this excerpt: bind with the
   configured service credentials (root credentials when running as uid 0),
   wait for the result, and mark the session as not bound as a user. */
  if (session->conf->rootbinddn && geteuid () == 0)
    msgid = ldap_simple_bind (session->ld, session->conf->rootbinddn, session->conf->rootbindpw);
  else
    msgid = ldap_simple_bind (session->ld, session->conf->binddn, session->conf->bindpw);
  if (msgid == -1)
    {
      /* Report to the terminal when interactive, otherwise to syslog. */
      if (isatty (fileno (stderr)))
        fprintf (stderr, "ldap_simple_bind %s.\n", ldap_err2string (ldap_get_lderrno (session->ld, 0, 0)));
      else
        syslog (LOG_ERR, "ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (session->ld, 0, 0)));
      return ldap_get_lderrno (session->ld, 0, 0);
    }

  /* Bounded wait for the asynchronous bind; the limit comes from the config. */
  timeout.tv_sec = session->conf->bind_timelimit; /* default 10 */
  timeout.tv_usec = 0;
  rc = ldap_result (session->ld, msgid, FALSE, &timeout, &result);
  if (rc == -1 || rc == 0)
    {
      /* -1: library error, 0: timeout. */
      if (isatty (fileno (stderr)))
        fprintf (stderr, "ldap_result %s.\n", ldap_err2string (ldap_get_lderrno (session->ld, 0, 0)));
      else
        syslog (LOG_ERR, "ldap_result %s", ldap_err2string (ldap_get_lderrno (session->ld, 0, 0)));
      return ldap_get_lderrno (session->ld, 0, 0);
    }

  /* Both variants free `result` (last argument TRUE). */
#ifdef HAVE_LDAP_PARSE_RESULT
  ldap_parse_result (session->ld, result, &rc, 0, 0, 0, 0, TRUE);
#else
  rc = ldap_result2error (session->ld, result, TRUE);
#endif
  if (rc != LDAP_SUCCESS)
    {
      if (isatty (fileno (stderr)))
        fprintf (stderr, "error trying to bind (%s).\n", ldap_err2string (rc));
      else
        syslog (LOG_ERR, "error trying to bind (%s)", ldap_err2string (rc));
      return rc;
    }

  /* The connection now carries service credentials, not the user's. */
  if (session->bind != NULL)
    session->bind->bound_as_user = 0;
  return LDAP_SUCCESS;
}

/* connect_with_dn: bind the session's connection as the DN stored in
   session->bind, using the stored password.

   Returns 0 on success, 1 for missing state / missing password / timeout,
   or the LDAP error code from open_ldap_session or the bind itself.
   On success session->bind->bound_as_user is set to 1.

   NOTE(review): the bind timeout is hard-coded to 10 seconds here, while the
   service bind above uses session->conf->bind_timelimit — presumably an
   oversight; confirm before aligning them.  */
static int
connect_with_dn (ldap_session_t *session)
{
  int rc, msgid;
  struct timeval timeout;
  LDAPMessage *result;

  /* this shouldn't ever happen */
  if (session == NULL || session->bind == NULL)
    return 1;

  /* avoid binding anonymously with a DN but no password */
  /* An empty password would make the server treat the bind as anonymous
     (unauthenticated), so it is rejected before the request is sent. */
  if (session->bind->pw == NULL || session->bind->pw[0] == '\0')
    return 1;

  /* if we already bound as the user don't bother retrying */
  /* NOTE(review): abort() here terminates the whole process when the flag is
     already set; the `return 1` after it is unreachable while the abort stays. */
  if (session->bind->bound_as_user)
    {
      abort (); /* XXX only for debugging. */
      return 1;
    }

  if (session->ld == NULL)
    {
      rc = open_ldap_session (session);
      if (rc != LDAP_SUCCESS)
        return rc;
    }

  msgid = ldap_simple_bind (session->ld, session->bind->dn, session->bind->pw);
  if (msgid == -1)
    {
      if (isatty (fileno (stderr)))
        fprintf (stderr, "ldap_simple_bind %s.\n", ldap_err2string (ldap_get_lderrno (session->ld, 0, 0)));
      else
        syslog (LOG_ERR, "ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (session->ld, 0, 0)));
      return ldap_get_lderrno (session->ld, 0, 0);
    }

  timeout.tv_sec = 10;
  timeout.tv_usec = 0;
  rc = ldap_result (session->ld, msgid, FALSE, &timeout, &result);
  if (rc == -1 || rc == 0)
    {
      /* Unlike the service bind above, timeout/error collapses to 1 here. */
      if (isatty (fileno (stderr)))
        fprintf (stderr, "ldap_result %s.\n", ldap_err2string (ldap_get_lderrno (session->ld, 0, 0)));
      else
        syslog (LOG_ERR, "ldap_result %s", ldap_err2string (ldap_get_lderrno (session->ld, 0, 0)));
      return 1;
    }

  /* Frees `result` (last argument TRUE). */
  rc = ldap_result2error (session->ld, result, TRUE);
  if (rc != LDAP_SUCCESS)
    {
      if (isatty (fileno (stderr)))
        fprintf (stderr, "error trying to bind as \"%s\" (%s).\n", session->bind->dn, ldap_err2string (rc));
      else
        syslog (LOG_ERR, "error trying to bind as \"%s\" (%s)", session->bind->dn, ldap_err2string (rc));
      return rc;
    }

  session->bind->bound_as_user = 1;
  return 0;
}

/* _escape_string: copy `str` into `buf`, hex-escaping the LDAP filter
   metacharacters '*', '(', ')' and '\' as \2a, \28, \29 and \5c so that a
   user-supplied name cannot alter the structure of a search filter.

   buflen must be at least 3; every write is kept within buf[0..buflen-1].
   Returns 0 when the whole input fit (buf is then NUL-terminated), 1 when
   the output was cut short — in that case buf is NOT NUL-terminated and
   must not be used.  */
static int
_escape_string (const char *str, char *buf, size_t buflen)
{
  int ret = 1;
  char *p = buf;
  /* Leave room for one 3-byte escape plus the terminating NUL. */
  char *limit = p + buflen - 3;
  const char *s = str;

  while (p < limit && *s)
    {
      switch (*s)
        {
        case '*':
          strcpy (p, "\\2a");
          p += 3;
          break;
        case '(':
          strcpy (p, "\\28");
          p += 3;
          break;
        case ')':
          strcpy (p, "\\29");
          p += 3;
          break;
        case '\\':
          strcpy (p, "\\5c");
          p += 3;
          break;
        default:
          *p++ = *s;
          break;
        }
      s++;
    }

  if (*s == '\0')
    {
      /* got to end */
      *p = '\0';
      ret = 0;
    }

  return ret;
}

/* convert_to_dn: look up the single entry matching `filterformat` (a printf
   format with one %s) applied to the escaped `name`, and return its DN.

   Side effects: rebinds the connection with the service credentials via
   connect_as_nobody (so bound_as_user is cleared) and sets the session's
   size limit to 1, so only the first matching entry is ever considered.

   Returns NULL on bind failure, escaping failure, asprintf failure, a
   search error other than a time/size limit, or when nothing matched.
   The returned string is allocated by ldap_get_dn and is owned by the
   caller; it should be released with ldap_memfree(), not free().
   NOTE(review): none of the callers in this file release it.
   NOTE(review): `res` is not freed on the search-error path; confirm whether
   the library can hand back a partial result there.
   NOTE(review): `name` must not be NULL (strlen in the VLA size).  */
static char *
convert_to_dn (ldap_session_t *session, const char *name, const char *filterformat)
{
  /* Worst case every byte of name becomes a 3-byte escape, plus slack. */
  char *filter, escapedName[strlen (name) * 3 + 3];
  int rc;
  char *retval;
  LDAPMessage *res, *msg;

  rc = connect_as_nobody (session);
  if (rc != 0)
    return NULL;

  if (session->bind)
    session->bind->bound_as_user = 0;

  /* Restrict the search to one entry. */
#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_SIZELIMIT)
  rc = 1;
  ldap_set_option (session->ld, LDAP_OPT_SIZELIMIT, &rc);
#else
  session->ld->ld_sizelimit = 1;
#endif

  rc = _escape_string (name, escapedName, sizeof (escapedName));
  if (rc != 0)
    return NULL;

  if (asprintf (&filter, filterformat, escapedName) < 1)
    return NULL;

  rc = ldap_search_s (session->ld, session->conf->base, session->conf->scope, filter, NULL, 0, &res);
  free (filter);
  /* Hitting the size/time limit still leaves a usable first entry. */
  if (rc != LDAP_SUCCESS && rc != LDAP_TIMELIMIT_EXCEEDED && rc != LDAP_SIZELIMIT_EXCEEDED)
    {
      if (isatty (fileno (stderr)))
        fprintf (stderr, "ldap_search_s: %s", ldap_err2string (rc));
      else
        syslog (LOG_ERR, "ldap_search_s: %s", ldap_err2string (rc));
      return NULL;
    }

  msg = ldap_first_entry (session->ld, res);
  if (msg == NULL)
    {
      ldap_msgfree (res);
      return NULL;
    }

  retval = ldap_get_dn (session->ld, msg);
  ldap_msgfree (res);
  return retval;
}

/* convert_user_to_dn: DN of the posixAccount whose uid is `user`, or NULL.
   Ownership of the result is as for convert_to_dn. */
char *
convert_user_to_dn (ldap_session_t *session, const char *user)
{
  return convert_to_dn (session, user, "(&(objectClass=posixAccount)(uid=%s))");
}

/* convert_group_to_dn: DN of the posixGroup whose cn is `group`, or NULL.
   Ownership of the result is as for convert_to_dn. */
static char *
convert_group_to_dn (ldap_session_t *session, const char *group)
{
  return convert_to_dn (session, group, "(&(objectClass=posixGroup)(cn=%s))");
}

/* ldap_authentication: store bind credentials in session->bind and bind
   the connection with them.

   session:  session to (re)bind; session->bind is allocated on demand.
   user:     account name; resolved to a DN when binddn is NULL.
   binddn:   explicit bind DN; takes precedence over user and clears the
             cached user name.
   password: bind password; stored as a copy.  A NULL or empty password is
             rejected by connect_with_dn, so no anonymous bind can result.

   Returns 0 on success, 1 on argument/lookup/allocation failure, or the
   LDAP error code from reopen_ldap_session / connect_with_dn.

   NOTE(review): `cp` (from ldap_get_dn) is copied with strdup and never
   released — a leak per lookup.
   NOTE(review): the strdup results are not checked for NULL.
   NOTE(review): the previous password is freed without being cleared
   first; wiping it before free would keep it out of freed heap memory.
   NOTE(review): if reopen_ldap_session does not reset bound_as_user, a
   second successful call for the same session reaches abort() in
   connect_with_dn — confirm.  */
int
ldap_authentication (ldap_session_t *session, const char *user, const char *binddn, const char *password)
{
  int rc = 0;

  /* Sanity checks. */
  if (session == NULL || (binddn == NULL && user == NULL))
    return 1;

  if (session->bind == NULL)
    {
      session->bind = malloc (sizeof (bind_info_t));
      if (session->bind == NULL)
        {
          errno = ENOMEM;
          return 1;
        }
      memset (session->bind, 0, sizeof (bind_info_t));
    }

  if (binddn)
    {
      /* An explicit DN invalidates any cached user name. */
      if (session->bind->user)
        {
          free (session->bind->user);
          session->bind->user = NULL;
        }
      if (session->bind->dn)
        free (session->bind->dn);
      session->bind->dn = strdup (binddn);
    }
  else if (user)
    {
      /* Only re-resolve the DN when the user changed. */
      if (session->bind->user == NULL || strcmp (session->bind->user, user) != 0)
        {
          char *cp = convert_user_to_dn (session, user);
          if (cp == NULL)
            return 1;
          if (session->bind->user)
            free (session->bind->user);
          session->bind->user = strdup (user);
          if (session->bind->dn)
            free (session->bind->dn);
          session->bind->dn = strdup (cp);
        }
    }
  else
    return 1;

  if (session->bind->pw)
    {
      free (session->bind->pw);
      session->bind->pw = NULL;
    }
  if (password)
    session->bind->pw = strdup (password);

  rc = reopen_ldap_session (session);
  if (rc != LDAP_SUCCESS)
    return rc;

  rc = connect_with_dn (session);
  return rc;
}

/* ldap_update_user: Updates an entry in the LDAP database.
   session:   pointer to struct with LDAP session data.
   user:      Name of the user, from which the data should be updated.
   binddn:    Optional, DN as which we should bind to the server.
              If not given, we will use the user DN for binding.
   password:  Password used for binding to the LDAP server.
   field:     The name of the field which we wish to update.
   new_value: The new value for the field to be updated.

   Returns 0 on success, 1 on argument/lookup failure, otherwise the
   LDAP error code from authentication, (re)binding or ldap_modify_s.

   Contract notes grounded in the code below:
   - binddn and password are only consulted when session->bind is still
     NULL; with an existing binding the cached credentials are reused and
     the caller's password is not re-verified.
   - field and new_value must not be NULL (strdupa).
   - NOTE(review): a userdn obtained from convert_user_to_dn is never
     released (ldap_get_dn memory); the cached session->bind->dn must not
     be freed here, so any fix needs to tell the two cases apart.  */
int
ldap_update_user (ldap_session_t *session, const char *user, const char *binddn, const char *password, const char *field, const char *new_value)
{
  LDAPMod *mods[2], mod;
  char *strvals[2];
  char *userdn;
  int rc;

  /* Sanity check. */
  if (session == NULL || user == NULL)
    return 1;

  if (session->bind == NULL)
    {
      int i;
      /* If no binding is created yet, call ldap_authentication, which
         creates the binding and checks the password. */
      if ((i = ldap_authentication (session, user, binddn, password)) != 0)
        {
          fprintf (stderr, _("Authentication failure.\n"));
          return i;
        }
    }

  /* Check, if our user is also the user we used for binding. */
  /* The lookup path rebinds with service credentials and clears
     bound_as_user, which forces the user rebind further down. */
  if (session->bind->user && strcmp (user, session->bind->user) == 0)
    userdn = session->bind->dn;
  else
    userdn = convert_user_to_dn (session, user);
  if (userdn == NULL)
    return 1;

  /* update field */
  /* Stack copies: LDAPMod wants non-const char pointers. */
  strvals[0] = strdupa (new_value);
  strvals[1] = NULL;
  mod.mod_values = strvals;
  mod.mod_type = strdupa (field);
  mod.mod_op = LDAP_MOD_REPLACE;
  mods[0] = &mod;
  mods[1] = NULL;

  /* Make sure the modify runs with the user's (or binddn's) credentials. */
  if (!session->bind->bound_as_user)
    {
      rc = reopen_ldap_session (session);
      if (rc != LDAP_SUCCESS)
        return rc;
      rc = connect_with_dn (session);
      if (rc != LDAP_SUCCESS)
        return rc;
    }

  rc = ldap_modify_s (session->ld, userdn, mods);
  return rc;
}

/* ldap_delete_user: Deletes a user entry in the LDAP database.
   session:  pointer to struct with LDAP session data.
   user:     Name of the user account, which should be deleted.
   binddn:   DN as which we should bind to the server (required).
   password: Password used for binding to the LDAP server.

   Returns 0 on success, 1 on argument/lookup failure, otherwise the
   LDAP error code from authentication, (re)binding or ldap_delete_s.
   As in ldap_update_user, binddn/password are only used when no binding
   exists yet.
   NOTE(review): userdn (ldap_get_dn memory) is never released.  */
int
ldap_delete_user (ldap_session_t *session, const char *user, const char *binddn, const char *password)
{
  char *userdn;
  int rc;

  /* Sanity check. */
  if (session == NULL || user == NULL || binddn == NULL)
    return 1;

  if (session->bind == NULL)
    {
      int i;
      /* If no binding is created yet, call ldap_authentication, which
         creates the binding and checks the password. */
      if ((i = ldap_authentication (session, NULL, binddn, password)) != 0)
        {
          fprintf (stderr, _("Authentication failure.\n"));
          return i;
        }
    }

  /* The lookup clears bound_as_user, so the delete below rebinds first. */
  userdn = convert_user_to_dn (session, user);
  if (userdn == NULL)
    return 1;

  if (!session->bind->bound_as_user)
    {
      rc = reopen_ldap_session (session);
      if (rc != LDAP_SUCCESS)
        return rc;
      rc = connect_with_dn (session);
      if (rc != LDAP_SUCCESS)
        return rc;
    }

  rc = ldap_delete_s (session->ld, userdn);
  return rc;
}

/* ldap_update_group: Updates a group entry in the LDAP database.
   session:   pointer to struct with LDAP session data.
   group:     Name (cn) of the group whose entry should be updated.
   binddn:    DN as which we should bind to the server.  When no binding
              exists yet this is required: ldap_authentication is called
              without a user name and rejects a NULL binddn.
   password:  Password used for binding to the LDAP server.
   op:        LDAPMod operation (mod_op) to apply to the field.
   field:     The name of the field which we wish to update.
   new_value: The new value for the field to be updated.

   Returns 0 on success, 1 on argument/lookup failure, otherwise the
   LDAP error code from authentication, (re)binding or ldap_modify_s.
   NOTE(review): groupdn (ldap_get_dn memory) is never released.
   (The function's closing brace lies beyond this excerpt.)  */
int
ldap_update_group (ldap_session_t *session, const char *group, const char *binddn, const char *password, int op, const char *field, const char *new_value)
{
  LDAPMod *mods[2], mod;
  char *strvals[2];
  char *groupdn;
  int rc;

  /* Sanity check. */
  if (session == NULL || group == NULL)
    return 1;

  if (session->bind == NULL)
    {
      int i;
      /* If no binding is created yet, call ldap_authentication, which
         creates the binding and checks the password. */
      if ((i = ldap_authentication (session, NULL, binddn, password)) != 0)
        {
          fprintf (stderr, _("Authentication failure.\n"));
          return i;
        }
    }

  /* The lookup clears bound_as_user, so the modify below rebinds first. */
  groupdn = convert_group_to_dn (session, group);
  if (groupdn == NULL)
    return 1;

  /* update field */
  strvals[0] = strdupa (new_value);
  strvals[1] = NULL;
  mod.mod_values = strvals;
  mod.mod_type = strdupa (field);
  mod.mod_op = op;
  mods[0] = &mod;
  mods[1] = NULL;

  if (!session->bind->bound_as_user)
    {
      rc = reopen_ldap_session (session);
      if (rc != LDAP_SUCCESS)
        return rc;
      rc = connect_with_dn (session);
      if (rc != LDAP_SUCCESS)
        return rc;
    }

  rc = ldap_modify_s (session->ld, groupdn, mods);
  return rc;