Squid Web Cache master
Loading...
Searching...
No Matches
ldap_backend.cc
Go to the documentation of this file.
1/*
2 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9/*
10 * AUTHOR: Flavio Pescuma, MARA Systems AB <flavio@marasystems.com>
11 */
12#include "squid.h"
13
14#include <cstdio>
15
16#define LDAP_DEPRECATED 1
17
18#include "auth/digest/eDirectory/ldap_backend.h"
19
20#if _SQUID_WINDOWS_ && !_SQUID_CYGWIN_
21
22#include <windows.h>
23#include <winldap.h>
24#ifndef LDAPAPI
25#define LDAPAPI __cdecl
26#endif
27#ifdef LDAP_VERSION3
28#ifndef LDAP_OPT_X_TLS
29#define LDAP_OPT_X_TLS 0x6000
30#endif
31/* Some tricks to allow dynamic bind with ldap_start_tls_s entry point at
32 * run time.
33 */
34#undef ldap_start_tls_s
35#if LDAP_UNICODE
36#define LDAP_START_TLS_S "ldap_start_tls_sW"
37typedef WINLDAPAPI ULONG(LDAPAPI * PFldap_start_tls_s) (IN PLDAP, OUT PULONG, OUT LDAPMessage **, IN PLDAPControlW *, IN PLDAPControlW *);
38#else
39#define LDAP_START_TLS_S "ldap_start_tls_sA"
40typedef WINLDAPAPI ULONG(LDAPAPI * PFldap_start_tls_s) (IN PLDAP, OUT PULONG, OUT LDAPMessage **, IN PLDAPControlA *, IN PLDAPControlA *);
41#endif /* LDAP_UNICODE */
42PFldap_start_tls_s Win32_ldap_start_tls_s;
43#define ldap_start_tls_s(l,s,c) Win32_ldap_start_tls_s(l, nullptr, nullptr,s,c)
44#endif /* LDAP_VERSION3 */
45
46#else
47
48#include <lber.h>
49#include <ldap.h>
50
51#endif
52#include "auth/digest/eDirectory/edir_ldapext.h"
53#define PROGRAM_NAME "digest_pw_auth(LDAP_backend)"
54
55/* Globals */
56
57static LDAP *ld = nullptr;
58static const char *passattr = nullptr;
59static char *ldapServer = nullptr;
60static const char *userbasedn = nullptr;
61static const char *userdnattr = nullptr;
62static const char *usersearchfilter = nullptr;
63static const char *binddn = nullptr;
64static const char *bindpasswd = nullptr;
65static const char *delimiter = ":";
66static int encrpass = 0;
67static int searchscope = LDAP_SCOPE_SUBTREE;
68static int persistent = 0;
69static int noreferrals = 0;
70static int port = LDAP_PORT;
71static int strip_nt_domain = 0;
72static int edir_universal_passwd = 0;
73static int aliasderef = LDAP_DEREF_NEVER;
74#if defined(NETSCAPE_SSL)
75static char *sslpath = nullptr;
76static int sslinit = 0;
77#endif
78static int connect_timeout = 0;
79static int timelimit = LDAP_NO_LIMIT;
80
81#ifdef LDAP_VERSION3
82/* Added for TLS support and version 3 */
83static int use_tls = 0;
84static int version = -1;
85#endif
86
87static void ldapconnect(void);
88static int readSecret(const char *filename);
89
90/* Yuck.. we need to glue to different versions of the API */
91
92#if defined(LDAP_API_VERSION) && LDAP_API_VERSION > 1823
93static void
94squid_ldap_set_aliasderef(int deref)
95{
96 ldap_set_option(ld, LDAP_OPT_DEREF, &deref);
97}
98static void
99squid_ldap_set_referrals(int referrals)
100{
101 int *value = static_cast<int*>(referrals ? LDAP_OPT_ON :LDAP_OPT_OFF);
102 ldap_set_option(ld, LDAP_OPT_REFERRALS, value);
103}
104static void
105squid_ldap_set_timelimit(int aTimeLimit)
106{
107 ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &aTimeLimit);
108}
109static void
110squid_ldap_set_connect_timeout(int aTimeLimit)
111{
112#if defined(LDAP_OPT_NETWORK_TIMEOUT)
113 struct timeval tv;
114 tv.tv_sec = aTimeLimit;
115 tv.tv_usec = 0;
116 ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
117#elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
118 aTimeLimit *= 1000;
119 ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &aTimeLimit);
120#endif
121}
122
123static void
124squid_ldap_memfree(char *p)
125{
126 ldap_memfree(p);
127}
128
129#else
130static int
131squid_ldap_errno(LDAP * ld)
132{
133 return ld->ld_errno;
134}
135static void
136squid_ldap_set_aliasderef(int deref)
137{
138 ld->ld_deref = deref;
139}
140static void
141squid_ldap_set_referrals(int referrals)
142{
143 if (referrals)
144 ld->ld_options |= LDAP_OPT_REFERRALS;
145 else
146 ld->ld_options &= ~LDAP_OPT_REFERRALS;
147}
148static void
149squid_ldap_set_timelimit(int aTimeLimit)
150{
151 ld->ld_timelimit = aTimeLimit;
152}
153static void
154squid_ldap_set_connect_timeout(int aTimeLimit)
155{
156 fprintf(stderr, "ERROR: Connect timeouts not supported in your LDAP library\n");
157}
158static void
159squid_ldap_memfree(char *p)
160{
161 free(p);
162}
163
164#endif
165
166#ifdef LDAP_API_FEATURE_X_OPENLDAP
167#if LDAP_VENDOR_VERSION > 194
168#define HAS_URI_SUPPORT 1
169#endif
170#endif
171
172static int
173ldap_escape_value(char *escaped, int size, const char *src)
174{
175 int n = 0;
176 while (size > 4 && *src) {
177 switch (*src) {
178 case '*':
179 case '(':
180 case ')':
181 case '\\':
182 n += 3;
183 size -= 3;
184 if (size > 0) {
185 *escaped = '\\';
186 ++escaped;
187 std::snprintf(escaped, 3, "%02x", (int) *src);
188 ++src;
189 escaped += 2;
190 }
191 break;
192 default:
193 *escaped = *src;
194 ++escaped;
195 ++src;
196 ++n;
197 --size;
198 }
199 }
200 *escaped = '\0';
201 return n;
202}
203
204static char *
205getpassword(char *login, char *realm)
206{
207 LDAPMessage *res = nullptr;
208 LDAPMessage *entry;
209 char **values = nullptr;
210 char **value = nullptr;
211 char *password = nullptr;
212 int retry = 0;
213 char filter[8192];
214 *filter = '\0';
215 char searchbase[8192];
216 *searchbase = '\0';
217 char *universal_password = nullptr;
218 size_t universal_password_len = 256;
219 int nmas_res = 0;
220 int rc = -1;
221 if (ld) {
222 if (usersearchfilter) {
223 char escaped_login[1024];
224 std::snprintf(searchbase, sizeof(searchbase), "%s", userbasedn);
225 ldap_escape_value(escaped_login, sizeof(escaped_login), login);
226 std::snprintf(filter, sizeof(filter), usersearchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login);
227
228retrysrch:
229 debug("user filter '%s', searchbase '%s'\n", filter, searchbase);
230
231 rc = ldap_search_s(ld, searchbase, searchscope, filter, nullptr, 0, &res);
232 if (rc != LDAP_SUCCESS) {
233 if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
234 /* Everything is fine. This is expected when referrals
235 * are disabled.
236 */
237 rc = LDAP_SUCCESS;
238 } else {
239 fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
240#if defined(NETSCAPE_SSL)
241 if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) {
242 int sslerr = PORT_GetError();
243 fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
244 }
245#endif
246 fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error, trying to recover'%s'\n", ldap_err2string(rc));
247 ldap_msgfree(res);
248 /* try to connect to the LDAP server again, maybe my persistent conexion failed. */
249 if (!retry) {
250 ++retry;
251 ldap_unbind(ld);
252 ld = nullptr;
253 ldapconnect();
254 goto retrysrch;
255 }
256 return nullptr;
257
258 }
259 }
260 } else if (userdnattr) {
261 std::snprintf(searchbase, 8192, "%s=%s, %s", userdnattr, login, userbasedn);
262
263retrydnattr:
264 debug("searchbase '%s'\n", searchbase);
265 rc = ldap_search_s(ld, searchbase, searchscope, nullptr, nullptr, 0, &res);
266 }
267 if (rc == LDAP_SUCCESS) {
268 entry = ldap_first_entry(ld, res);
269 if (entry) {
270 const auto dn = ldap_get_dn(ld, entry);
271 if (!dn) {
272 fprintf(stderr, PROGRAM_NAME ": ERROR, could not get user DN for '%s'\n", login);
273 ldap_msgfree(res);
274 return nullptr;
275 }
276 debug("ldap dn: %s\n", dn);
277 if (edir_universal_passwd) {
278
279 /* allocate some memory for the universal password returned by NMAS */
280 universal_password = (char*)calloc(1, universal_password_len);
281 values = (char**)calloc(2, sizeof(char *));
282
283 /* actually talk to NMAS to get a password */
284 nmas_res = nds_get_password(ld, dn, &universal_password_len, universal_password);
285 if (nmas_res == LDAP_SUCCESS && universal_password) {
286 debug("NMAS returned value %s\n", universal_password);
287 values[0] = universal_password;
288 values[1] = nullptr;
289 } else {
290 debug("Error reading Universal Password: %d = %s\n", nmas_res, ldap_err2string(nmas_res));
291 }
292 } else {
293 values = ldap_get_values(ld, entry, passattr);
294 }
295 squid_ldap_memfree(dn);
296 } else {
297 ldap_msgfree(res);
298 return nullptr;
299 }
300 if (!values) {
301 debug("No attribute value found\n");
302 if (edir_universal_passwd)
303 free(universal_password);
304 ldap_msgfree(res);
305 return nullptr;
306 }
307 value = values;
308 while (*value) {
309 if (encrpass) {
310 const char *t = strtok(*value, delimiter);
311 if (t && strcmp(t, realm) == 0) {
312 password = strtok(nullptr, delimiter);
313 break;
314 }
315 } else {
316 password = *value;
317 break;
318 }
319 ++value;
320 }
321 debug("password: %s\n", password);
322 if (password)
323 password = xstrdup(password);
324 if (edir_universal_passwd) {
325 free(values);
326 free(universal_password);
327 } else {
328 ldap_value_free(values);
329 }
330 ldap_msgfree(res);
331 return password;
332 } else {
333 fprintf(stderr, PROGRAM_NAME " WARNING, LDAP error '%s'\n", ldap_err2string(rc));
334 /* try to connect to the LDAP server again, maybe my persistent conexion failed. */
335 if (!retry) {
336 ++retry;
337 ldap_unbind(ld);
338 ld = nullptr;
339 ldapconnect();
340 goto retrydnattr;
341 }
342 return nullptr;
343 }
344 }
345 return nullptr;
346}
347
348static void
349ldapconnect(void)
350{
351 int rc;
352
353 /* On Windows ldap_start_tls_s is available starting from Windows XP,
354 * so we need to bind at run-time with the function entry point
355 */
356#if _SQUID_WINDOWS_
357 if (use_tls) {
358
359 HMODULE WLDAP32Handle;
360
361 WLDAP32Handle = GetModuleHandle("wldap32");
362 if ((Win32_ldap_start_tls_s = (PFldap_start_tls_s) GetProcAddress(WLDAP32Handle, LDAP_START_TLS_S)) == NULL) {
363 fprintf(stderr, PROGRAM_NAME ": ERROR: TLS (-Z) not supported on this platform.\n");
364 exit(EXIT_FAILURE);
365 }
366 }
367#endif
368
369 if (ld == nullptr) {
370#if HAS_URI_SUPPORT
371 if (strstr(ldapServer, "://") != nullptr) {
372 rc = ldap_initialize(&ld, ldapServer);
373 if (rc != LDAP_SUCCESS) {
374 fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer);
375 }
376 } else
377#endif
378#if NETSCAPE_SSL
379 if (sslpath) {
380 if (!sslinit && (ldapssl_client_init(sslpath, nullptr) != LDAP_SUCCESS)) {
381 fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n",
382 sslpath);
383 exit(EXIT_FAILURE);
384 } else {
385 ++sslinit;
386 }
387 if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) {
388 fprintf(stderr, "\nUnable to connect to SSL LDAP server: %s port:%d\n",
389 ldapServer, port);
390 exit(EXIT_FAILURE);
391 }
392 } else
393#endif
394 if ((ld = ldap_init(ldapServer, port)) == nullptr) {
395 fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n", ldapServer, port);
396 }
397 if (connect_timeout)
398 squid_ldap_set_connect_timeout(connect_timeout);
399
400#ifdef LDAP_VERSION3
401 if (version == -1) {
402 version = LDAP_VERSION2;
403 }
404 if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version)
405 != LDAP_SUCCESS) {
406 fprintf(stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
407 version);
408 ldap_unbind(ld);
409 ld = nullptr;
410 }
411 if (use_tls) {
412#ifdef LDAP_OPT_X_TLS
413 if ((version == LDAP_VERSION3) && (ldap_start_tls_s(ld, nullptr, nullptr) != LDAP_SUCCESS)) {
414 fprintf(stderr, "Could not Activate TLS connection\n");
415 ldap_unbind(ld);
416 ld = nullptr;
417 }
418#else
419 fprintf(stderr, "TLS not supported with your LDAP library\n");
420 ldap_unbind(ld);
421 ld = nullptr;
422#endif
423 }
424#endif
425 squid_ldap_set_timelimit(timelimit);
426 squid_ldap_set_referrals(!noreferrals);
427 squid_ldap_set_aliasderef(aliasderef);
428 if (binddn && bindpasswd && *binddn && *bindpasswd) {
429 rc = ldap_simple_bind_s(ld, binddn, bindpasswd);
430 if (rc != LDAP_SUCCESS) {
431 fprintf(stderr, PROGRAM_NAME " WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc));
432 ldap_unbind(ld);
433 ld = nullptr;
434 }
435 }
436 debug("Connected OK\n");
437 }
438}
439int
440LDAPArguments(int argc, char **argv)
441{
442 setbuf(stdout, nullptr);
443
444 while (argc > 1 && argv[1][0] == '-') {
445 const char *value = "";
446 char option = argv[1][1];
447 switch (option) {
448 case 'P':
449 case 'R':
450 case 'z':
451 case 'Z':
452 case 'g':
453 case 'e':
454 case 'S':
455 case 'n':
456 case 'd':
457 break;
458 default:
459 if (strlen(argv[1]) > 2) {
460 value = argv[1] + 2;
461 } else if (argc > 2) {
462 value = argv[2];
463 ++argv;
464 --argc;
465 } else
466 value = "";
467 break;
468 }
469 ++argv;
470 --argc;
471 switch (option) {
472 case 'H':
473#if !HAS_URI_SUPPORT
474 fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n");
475 return 1;
476#endif
477 /* Fall thru to -h */
478 case 'h':
479 if (ldapServer) {
480 int len = strlen(ldapServer) + 1 + strlen(value) + 1;
481 char *newhost = static_cast<char*>(xmalloc(len));
482 std::snprintf(newhost, len, "%s %s", ldapServer, value);
483 free(ldapServer);
484 ldapServer = newhost;
485 } else {
486 ldapServer = xstrdup(value);
487 }
488 break;
489 case 'A':
490 passattr = value;
491 break;
492 case 'e':
493 encrpass = 1;
494 break;
495 case 'l':
496 delimiter = value;
497 break;
498 case 'b':
499 userbasedn = value;
500 break;
501 case 'F':
502 usersearchfilter = value;
503 break;
504 case 'u':
505 userdnattr = value;
506 break;
507 case 's':
508 if (strcmp(value, "base") == 0)
509 searchscope = LDAP_SCOPE_BASE;
510 else if (strcmp(value, "one") == 0)
511 searchscope = LDAP_SCOPE_ONELEVEL;
512 else if (strcmp(value, "sub") == 0)
513 searchscope = LDAP_SCOPE_SUBTREE;
514 else {
515 fprintf(stderr, PROGRAM_NAME " ERROR: Unknown search scope '%s'\n", value);
516 return 1;
517 }
518 break;
519 case 'S':
520#if defined(NETSCAPE_SSL)
521 sslpath = value;
522 if (port == LDAP_PORT)
523 port = LDAPS_PORT;
524#else
525 fprintf(stderr, PROGRAM_NAME " ERROR: -E unsupported with this LDAP library\n");
526 return 1;
527#endif
528 break;
529 case 'c':
530 connect_timeout = atoi(value);
531 break;
532 case 't':
533 timelimit = atoi(value);
534 break;
535 case 'a':
536 if (strcmp(value, "never") == 0)
537 aliasderef = LDAP_DEREF_NEVER;
538 else if (strcmp(value, "always") == 0)
539 aliasderef = LDAP_DEREF_ALWAYS;
540 else if (strcmp(value, "search") == 0)
541 aliasderef = LDAP_DEREF_SEARCHING;
542 else if (strcmp(value, "find") == 0)
543 aliasderef = LDAP_DEREF_FINDING;
544 else {
545 fprintf(stderr, PROGRAM_NAME " ERROR: Unknown alias dereference method '%s'\n", value);
546 return 1;
547 }
548 break;
549 case 'D':
550 binddn = value;
551 break;
552 case 'w':
553 bindpasswd = value;
554 break;
555 case 'W':
556 readSecret(value);
557 break;
558 case 'P':
559 persistent = !persistent;
560 break;
561 case 'p':
562 port = atoi(value);
563 break;
564 case 'R':
565 noreferrals = !noreferrals;
566 break;
567#ifdef LDAP_VERSION3
568 case 'v':
569 switch (atoi(value)) {
570 case 2:
571 version = LDAP_VERSION2;
572 break;
573 case 3:
574 version = LDAP_VERSION3;
575 break;
576 default:
577 fprintf(stderr, "Protocol version should be 2 or 3\n");
578 return 1;
579 }
580 break;
581 case 'Z':
582 if (version == LDAP_VERSION2) {
583 fprintf(stderr, "TLS (-Z) is incompatible with version %d\n",
584 version);
585 return 1;
586 }
587 version = LDAP_VERSION3;
588 use_tls = 1;
589 break;
590#endif
591 case 'd':
592 debug_enabled = 1;
593 break;
594 case 'E':
595 strip_nt_domain = 1;
596 break;
597 case 'n':
598 edir_universal_passwd = 1;
599 break;
600 default:
601 fprintf(stderr, PROGRAM_NAME " ERROR: Unknown command line option '%c'\n", option);
602 return 1;
603 }
604 }
605
606 while (argc > 1) {
607 char *value = argv[1];
608 if (ldapServer) {
609 int len = strlen(ldapServer) + 1 + strlen(value) + 1;
610 char *newhost = static_cast<char*>(xmalloc(len));
611 std::snprintf(newhost, len, "%s %s", ldapServer, value);
612 free(ldapServer);
613 ldapServer = newhost;
614 } else {
615 ldapServer = xstrdup(value);
616 }
617 --argc;
618 ++argv;
619 }
620
621 if (!ldapServer)
622 ldapServer = (char *) "localhost";
623
624 if (!userbasedn || !((passattr != nullptr) || (edir_universal_passwd && usersearchfilter && version == LDAP_VERSION3 && use_tls))) {
625 fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn -f filter [options] ldap_server_name\n\n");
626 fprintf(stderr, "\t-A password attribute(REQUIRED)\t\tUser attribute that contains the password\n");
627 fprintf(stderr, "\t-l password realm delimiter(REQUIRED)\tCharater(s) that divides the password attribute\n\t\t\t\t\t\tin realm and password tokens, default ':' realm:password\n");
628 fprintf(stderr, "\t-b basedn (REQUIRED)\t\t\tbase dn under where to search for users\n");
629 fprintf(stderr, "\t-e Encrypted passwords(REQUIRED)\tPassword are stored encrypted using HHA1\n");
630 fprintf(stderr, "\t-F filter\t\t\t\tuser search filter pattern. %%s = login\n");
631 fprintf(stderr, "\t-u attribute\t\t\t\tattribute to use in combination with the basedn to create the user DN\n");
632 fprintf(stderr, "\t-s base|one|sub\t\t\t\tsearch scope\n");
633 fprintf(stderr, "\t-D binddn\t\t\t\tDN to bind as to perform searches\n");
634 fprintf(stderr, "\t-w bindpasswd\t\t\t\tpassword for binddn\n");
635 fprintf(stderr, "\t-W secretfile\t\t\t\tread password for binddn from file secretfile\n");
636#if HAS_URI_SUPPORT
637 fprintf(stderr, "\t-H URI\t\t\t\t\tLDAPURI (defaults to ldap://localhost)\n");
638#endif
639 fprintf(stderr, "\t-h server\t\t\t\tLDAP server (defaults to localhost)\n");
640 fprintf(stderr, "\t-p port\t\t\t\t\tLDAP server port (defaults to %d)\n", LDAP_PORT);
641 fprintf(stderr, "\t-P\t\t\t\t\tpersistent LDAP connection\n");
642#if defined(NETSCAPE_SSL)
643 fprintf(stderr, "\t-E sslcertpath\t\t\t\tenable LDAP over SSL\n");
644#endif
645 fprintf(stderr, "\t-c timeout\t\t\t\tconnect timeout\n");
646 fprintf(stderr, "\t-t timelimit\t\t\t\tsearch time limit\n");
647 fprintf(stderr, "\t-R\t\t\t\t\tdo not follow referrals\n");
648 fprintf(stderr, "\t-a never|always|search|find\t\twhen to dereference aliases\n");
649#ifdef LDAP_VERSION3
650 fprintf(stderr, "\t-v 2|3\t\t\t\t\tLDAP version\n");
651 fprintf(stderr, "\t-Z\t\t\t\t\tTLS encrypt the LDAP connection, requires\n\t\t\t\tLDAP version 3\n");
652#endif
653 fprintf(stderr, "\t-S\t\t\t\t\tStrip NT domain from usernames\n");
654 fprintf(stderr, "\t-n\t\t\t\t\tGet an eDirectory Universal Password from Novell NMAS\n\t\t\t\t\t\t(requires bind credentials, version 3, TLS, and a search filter)\n");
655 fprintf(stderr, "\n");
656 fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
657 return -1;
658 }
659 return 0;
660}
661static int
662readSecret(const char *filename)
663{
664 char buf[BUFSIZ];
665 char *e = nullptr;
666 FILE *f;
667
668 if (!(f = fopen(filename, "r"))) {
669 fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename);
670 return 1;
671 }
672 if (!fgets(buf, sizeof(buf) - 1, f)) {
673 fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename);
674 fclose(f);
675 return 1;
676 }
677 /* strip whitespaces on end */
678 if ((e = strrchr(buf, '\n')))
679 *e = 0;
680 if ((e = strrchr(buf, '\r')))
681 *e = 0;
682
683 bindpasswd = xstrdup(buf);
684 if (!bindpasswd) {
685 fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n");
686 }
687 fclose(f);
688
689 return 0;
690}
691
692void
693LDAPHHA1(RequestData * requestData)
694{
695 char *password;
696 ldapconnect();
697 password = getpassword(requestData->user, requestData->realm);
698 if (password != nullptr) {
699 if (encrpass)
700 xstrncpy(requestData->HHA1, password, sizeof(requestData->HHA1));
701 else {
702 HASH HA1;
703 DigestCalcHA1("md5", requestData->user, requestData->realm, password, nullptr, nullptr, HA1, requestData->HHA1);
704 }
705 free(password);
706 } else {
707 requestData->error = -1;
708 }
709
710}
711
size
int size
Definition ModDevPoll.cc:70
use_tls
static int use_tls
Definition basic_ldap_auth.cc:165
version
static int version
Definition basic_ldap_auth.cc:166
debug_enabled
int debug_enabled
Definition debug.cc:13
debug
void debug(const char *format,...)
Definition debug.cc:19
BUFSIZ
#define BUFSIZ
Definition defines.h:20
squid_ldap_set_referrals
static void squid_ldap_set_referrals(int referrals)
Definition ldap_backend.cc:141
passattr
static const char * passattr
Definition ldap_backend.cc:58
ldap_escape_value
static int ldap_escape_value(char *escaped, int size, const char *src)
Definition ldap_backend.cc:173
persistent
static int persistent
Definition ldap_backend.cc:68
noreferrals
static int noreferrals
Definition ldap_backend.cc:69
LDAPArguments
int LDAPArguments(int argc, char **argv)
Definition ldap_backend.cc:440
ldapServer
static char * ldapServer
Definition ldap_backend.cc:59
PROGRAM_NAME
#define PROGRAM_NAME
Definition ldap_backend.cc:53
edir_universal_passwd
static int edir_universal_passwd
Definition ldap_backend.cc:72
bindpasswd
static const char * bindpasswd
Definition ldap_backend.cc:64
userbasedn
static const char * userbasedn
Definition ldap_backend.cc:60
port
static int port
Definition ldap_backend.cc:70
usersearchfilter
static const char * usersearchfilter
Definition ldap_backend.cc:62
delimiter
static const char * delimiter
Definition ldap_backend.cc:65
binddn
static const char * binddn
Definition ldap_backend.cc:63
squid_ldap_set_timelimit
static void squid_ldap_set_timelimit(int aTimeLimit)
Definition ldap_backend.cc:149
LDAPHHA1
void LDAPHHA1(RequestData *requestData)
Definition ldap_backend.cc:693
searchscope
static int searchscope
Definition ldap_backend.cc:67
ld
static LDAP * ld
Definition ldap_backend.cc:57
squid_ldap_set_connect_timeout
static void squid_ldap_set_connect_timeout(int aTimeLimit)
Definition ldap_backend.cc:154
connect_timeout
static int connect_timeout
Definition ldap_backend.cc:78
ldapconnect
static void ldapconnect(void)
Definition ldap_backend.cc:349
timelimit
static int timelimit
Definition ldap_backend.cc:79
strip_nt_domain
static int strip_nt_domain
Definition ldap_backend.cc:71
userdnattr
static const char * userdnattr
Definition ldap_backend.cc:61
getpassword
static char * getpassword(char *login, char *realm)
Definition ldap_backend.cc:205
squid_ldap_set_aliasderef
static void squid_ldap_set_aliasderef(int deref)
Definition ldap_backend.cc:136
squid_ldap_memfree
static void squid_ldap_memfree(char *p)
Definition ldap_backend.cc:159
readSecret
static int readSecret(const char *filename)
Definition ldap_backend.cc:662
squid_ldap_errno
static int squid_ldap_errno(LDAP *ld)
Definition ldap_backend.cc:131
aliasderef
static int aliasderef
Definition ldap_backend.cc:73
encrpass
static int encrpass
Definition ldap_backend.cc:66
ldap_backend.h
nds_get_password
int nds_get_password(LDAP *ld, char *object_dn, size_t *pwd_len, char *pwd)
Definition edir_ldapext.cc:497
edir_ldapext.h
xstrdup
#define xstrdup
Definition negotiate_wrapper.cc:47
xmalloc
#define xmalloc
Definition negotiate_wrapper.cc:44
DigestCalcHA1
void DigestCalcHA1(const char *pszAlg, const char *pszUserName, const char *pszRealm, const char *pszPassword, const char *pszNonce, const char *pszCNonce, HASH HA1, HASHHEX SessionKey)
Definition rfc2617.c:88
HASH
char HASH[HASHLEN]
Definition rfc2617.h:31
_request_data
Definition digest_common.h:39
_request_data::HHA1
HASHHEX HHA1
Definition digest_common.h:44
_request_data::error
int error
Definition digest_common.h:46
_request_data::user
char * user
Definition digest_common.h:41
_request_data::realm
char * realm
Definition digest_common.h:42
NULL
#define NULL
Definition types.h:145
xstrncpy
char * xstrncpy(char *dst, const char *src, size_t n)
Definition xstring.cc:37