271
274
offsetof(ldap_instance,access_attr), NULL, NULL},
272
275
{"access_attr_used_for_allow", PW_TYPE_BOOLEAN,
273
276
offsetof(ldap_instance,default_allow), NULL, "yes"},
277
{"chase_referrals", PW_TYPE_BOOLEAN,
278
offsetof(ldap_instance,chase_referrals), NULL, NULL},
279
{"rebind", PW_TYPE_BOOLEAN,
280
offsetof(ldap_instance,rebind), NULL, NULL},
276
283
* Group checks. These could probably be done
414
423
inst->conns = NULL;
415
424
inst->failed_conns = 0;
426
#if LDAP_SET_REBIND_PROC_ARGS != 3
428
* The 2-argument rebind doesn't take an instance
429
* variable. Our rebind function needs the instance
430
* variable for the username, password, etc.
432
if (inst->rebind == 1) {
433
radlog(L_ERR, "rlm_ldap: Cannot use 'rebind' directive as this version of libldap does not support the API that we need.");
417
439
DEBUG("rlm_ldap: Registering ldap_groupcmp for Ldap-Group");
418
440
paircompare_register(PW_LDAP_GROUP, PW_USER_NAME, ldap_groupcmp, inst);
419
441
memset(&flags, 0, sizeof(flags));
457
479
if (inst->set_auth_type) {
458
480
DICT_VALUE *dv = dict_valbyname(PW_AUTH_TYPE, xlat_name);
483
* No section of *my* name, but maybe there's an
486
if (!dv) dv = dict_valbyname(PW_AUTH_TYPE, "LDAP");
460
488
DEBUG2("rlm_ldap: Over-riding set_auth_type, as there is no module %s listed in the \"authenticate\" section.", xlat_name);
461
489
inst->set_auth_type = 0;
491
inst->auth_type = dv->name; /* doesn't change on HUP */
463
493
} /* else no need to look up the value */
837
867
return (RLM_MODULE_FAIL);
840
if ((ldap_count_entries(conn->ld, *result)) != 1) {
841
DEBUG("rlm_ldap: object not found or got ambiguous search result");
870
ldap_errno = ldap_count_entries(conn->ld, *result);
871
if (ldap_errno != 1) {
872
if (ldap_errno == 0) {
873
DEBUG("rlm_ldap: object not found");
875
DEBUG("rlm_ldap: got ambiguous search result (%d results)", ldap_errno);
842
877
res = RLM_MODULE_NOTFOUND;
843
878
ldap_msgfree(*result);
1261
1294
* Check for valid input, zero length names not permitted
1263
1296
if (request->username->vp_strvalue == 0) {
1264
radlog(L_ERR, "rlm_ldap: zero length username not permitted\n");
1297
DEBUG2("zero length username not permitted\n");
1265
1298
return RLM_MODULE_INVALID;
1267
DEBUG("rlm_ldap: performing user authorization for %s",
1300
RDEBUG("performing user authorization for %s",
1268
1301
request->username->vp_strvalue);
1270
1303
if (!radius_xlat(filter, sizeof(filter), inst->filter,
1271
1304
request, ldap_escape_func)) {
1272
radlog (L_ERR, "rlm_ldap: unable to create filter.\n");
1305
radlog(L_ERR, "rlm_ldap: unable to create filter.\n");
1273
1306
return RLM_MODULE_INVALID;
1276
1309
if (!radius_xlat(basedn, sizeof(basedn), inst->basedn,
1277
1310
request, ldap_escape_func)) {
1278
radlog (L_ERR, "rlm_ldap: unable to create basedn.\n");
1311
radlog(L_ERR, "rlm_ldap: unable to create basedn.\n");
1279
1312
return RLM_MODULE_INVALID;
1284
1317
return RLM_MODULE_FAIL;
1286
1319
if ((res = perform_search(instance, conn, basedn, LDAP_SCOPE_SUBTREE, filter, inst->atts, &result)) != RLM_MODULE_OK) {
1287
DEBUG("rlm_ldap: search failed");
1320
RDEBUG("search failed");
1288
1321
if (res == RLM_MODULE_NOTFOUND){
1289
1322
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_ldap: User not found");
1290
1323
module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
1296
1329
if ((msg = ldap_first_entry(conn->ld, result)) == NULL) {
1297
DEBUG("rlm_ldap: ldap_first_entry() failed");
1330
RDEBUG("ldap_first_entry() failed");
1298
1331
ldap_msgfree(result);
1299
1332
ldap_release_conn(conn_id,inst->conns);
1300
1333
return RLM_MODULE_FAIL;
1302
1335
if ((user_dn = ldap_get_dn(conn->ld, msg)) == NULL) {
1303
DEBUG("rlm_ldap: ldap_get_dn() failed");
1336
RDEBUG("ldap_get_dn() failed");
1304
1337
ldap_msgfree(result);
1305
1338
ldap_release_conn(conn_id,inst->conns);
1306
1339
return RLM_MODULE_FAIL;
1317
1350
if (inst->access_attr) {
1318
1351
if ((vals = ldap_get_values(conn->ld, msg, inst->access_attr)) != NULL) {
1319
1352
if (inst->default_allow){
1320
DEBUG("rlm_ldap: checking if remote access for %s is allowed by %s", request->username->vp_strvalue, inst->access_attr);
1353
RDEBUG("checking if remote access for %s is allowed by %s", request->username->vp_strvalue, inst->access_attr);
1321
1354
if (!strncmp(vals[0], "FALSE", 5)) {
1322
DEBUG("rlm_ldap: dialup access disabled");
1355
RDEBUG("dialup access disabled");
1323
1356
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_ldap: Access Attribute denies access");
1324
1357
module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
1325
1358
pairadd(&request->packet->vps, module_fmsg_vp);
1331
1364
ldap_value_free(vals);
1334
DEBUG("rlm_ldap: %s attribute exists - access denied by default", inst->access_attr);
1367
RDEBUG("%s attribute exists - access denied by default", inst->access_attr);
1335
1368
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_ldap: Access Attribute denies access");
1336
1369
module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
1337
1370
pairadd(&request->packet->vps, module_fmsg_vp);
1344
1377
if (inst->default_allow){
1345
DEBUG("rlm_ldap: no %s attribute - access denied by default", inst->access_attr);
1378
RDEBUG("no %s attribute - access denied by default", inst->access_attr);
1346
1379
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_ldap: Access Attribute denies access");
1347
1380
module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
1348
1381
pairadd(&request->packet->vps, module_fmsg_vp);
1500
1533
strlcpy(passwd_item->vp_strvalue, value,
1501
1534
sizeof(passwd_item->vp_strvalue));
1502
1535
passwd_item->length = strlen(passwd_item->vp_strvalue);
1503
DEBUG("rlm_ldap: Added %s = %s in check items",
1536
RDEBUG("Added %s = %s in check items",
1504
1537
passwd_item->name,
1505
1538
passwd_item->vp_strvalue);
1506
1539
added_known_password = 1;
1588
DEBUG("rlm_ldap: Added the eDirectory password %s in check items as %s",passwd_item->vp_strvalue,passwd_item->name);
1621
RDEBUG("Added the eDirectory password %s in check items as %s",passwd_item->vp_strvalue,passwd_item->name);
1592
DEBUG("rlm_ldap: Error reading Universal Password.Return Code = %d",res);
1625
RDEBUG("Error reading Universal Password.Return Code = %d",res);
1595
1628
memset(universal_password, 0, universal_password_len);
1619
1652
vp_auth_opt->length = strlen(auth_option[0]);
1620
1653
pairadd(&request->config_items, vp_auth_opt);
1622
DEBUG("rlm_ldap: No default NMAS login sequence");
1655
RDEBUG("No default NMAS login sequence");
1628
DEBUG("rlm_ldap: looking for check items in directory...");
1661
RDEBUG("looking for check items in directory...");
1630
1663
if ((check_tmp = ldap_pairget(conn->ld, msg, inst->check_item_map,check_pairs,1)) != NULL) {
1631
1664
if (inst->do_xlat){
1664
1697
vp_apc->vp_strvalue[0] = '1';
1667
DEBUG("rlm_ldap: Pairs do not match. Rejecting user.");
1700
RDEBUG("Pairs do not match. Rejecting user.");
1668
1701
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_ldap: Pairs do not match");
1669
1702
module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
1670
1703
pairadd(&request->packet->vps, module_fmsg_vp);
1696
1729
request->password &&
1697
1730
(request->password->attribute == PW_USER_PASSWORD) &&
1698
1731
!added_known_password) {
1699
pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name, T_OP_EQ));
1700
DEBUG("rlm_ldap: Setting Auth-Type = %s", inst->xlat_name);
1732
pairadd(check_pairs, pairmake("Auth-Type", inst->auth_type, T_OP_EQ));
1733
RDEBUG("Setting Auth-Type = %s", inst->auth_type);
1703
DEBUG("rlm_ldap: user %s authorized to use remote access",
1736
RDEBUG("user %s authorized to use remote access",
1704
1737
request->username->vp_strvalue);
1705
1738
ldap_msgfree(result);
1706
1739
ldap_release_conn(conn_id,inst->conns);
1780
DEBUG("rlm_ldap: login attempt by \"%s\" with password \"%s\"",
1811
RDEBUG("login attempt by \"%s\" with password \"%s\"",
1781
1812
request->username->vp_strvalue, request->password->vp_strvalue);
1783
1814
while ((vp_user_dn = pairfind(request->config_items,
1784
1815
PW_LDAP_USERDN)) == NULL) {
1785
1816
if (!radius_xlat(filter, sizeof(filter), inst->filter,
1786
1817
request, ldap_escape_func)) {
1787
radlog (L_ERR, "rlm_ldap: unable to create filter.\n");
1818
radlog(L_ERR, "rlm_ldap: unable to create filter.\n");
1788
1819
return RLM_MODULE_INVALID;
1791
1822
if (!radius_xlat(basedn, sizeof(basedn), inst->basedn,
1792
1823
request, ldap_escape_func)) {
1793
radlog (L_ERR, "rlm_ldap: unable to create basedn.\n");
1824
radlog(L_ERR, "rlm_ldap: unable to create basedn.\n");
1794
1825
return RLM_MODULE_INVALID;
1863
1894
if(vp_auth_opt )
1865
DEBUG("rlm_ldap: ldap auth option = %s", vp_auth_opt->vp_strvalue);
1896
RDEBUG("ldap auth option = %s", vp_auth_opt->vp_strvalue);
1866
1897
strncpy(seq, vp_auth_opt->vp_strvalue, vp_auth_opt->length);
1867
1898
seq[vp_auth_opt->length] = '\0';
1868
1899
if( strcmp(seq, "<No Default>") ){
1879
1910
/* If state attribute present in request it is a reply to challenge. */
1880
1911
if((vp_state = pairfind(request->packet->vps, PW_STATE))!= NULL ){
1881
DEBUG("rlm_ldap: Response to Access-Challenge");
1912
RDEBUG("Response to Access-Challenge");
1882
1913
strncpy(challenge, vp_state->vp_strvalue, sizeof(challenge));
1883
1914
challenge_len = vp_state->length;
1884
1915
challenge[challenge_len] = 0;
1917
1948
conn1->bound = 1;
1918
1949
conn1->failed_conns = 0;
1920
DEBUG("rlm_ldap: Performing NMAS Authentication for user: %s, seq: %s \n", user_dn,seq);
1951
RDEBUG("Performing NMAS Authentication for user: %s, seq: %s \n", user_dn,seq);
1922
1953
res = radLdapXtnNMASAuth(conn1->ld, user_dn, request->password->vp_strvalue, seq, host_ipaddr, &challenge_len, challenge, &auth_state );
1928
1959
res = RLM_MODULE_FAIL;
1929
1960
if ( auth_state != REQUEST_CHALLENGED){
1930
1961
if (auth_state == REQUEST_ACCEPTED){
1931
DEBUG("rlm_ldap: user %s authenticated succesfully",request->username->vp_strvalue);
1962
RDEBUG("user %s authenticated succesfully",request->username->vp_strvalue);
1932
1963
res = RLM_MODULE_OK;
1933
1964
}else if(auth_state == REQUEST_REJECTED){
1934
DEBUG("rlm_ldap: user %s authentication failed",request->username->vp_strvalue);
1965
RDEBUG("user %s authentication failed",request->username->vp_strvalue);
1935
1966
res = RLM_MODULE_REJECT;
1992
2023
pairadd(&request->packet->vps, module_fmsg_vp);
1994
2025
if (res == RLM_MODULE_FAIL){
1995
DEBUG("rlm_ldap: ldap_connect() failed");
2026
RDEBUG("ldap_connect() failed");
1996
2027
inst->failed_conns++;
2001
DEBUG("rlm_ldap: user %s authenticated succesfully",
2032
RDEBUG("user %s authenticated succesfully",
2002
2033
request->username->vp_strvalue);
2003
2034
ldap_unbind_s(ld_user);
2004
2035
inst->failed_conns = 0;
2073
2104
/* Bind to eDirectory as the RADIUS user using the user's UP */
2074
2105
vp_pwd = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD);
2075
2106
if (vp_pwd == NULL) {
2076
DEBUG("rlm_ldap: User's Universal Password not in config items list.");
2107
RDEBUG("User's Universal Password not in config items list.");
2077
2108
return RLM_MODULE_FAIL;
2079
2110
strcpy(password, vp_pwd->vp_strvalue);
2082
2113
if ((da = dict_attrbyname("Ldap-UserDn")) == NULL) {
2083
DEBUG("rlm_ldap: Attribute for user FDN not found in dictionary. Unable to proceed");
2114
RDEBUG("Attribute for user FDN not found in dictionary. Unable to proceed");
2084
2115
return RLM_MODULE_FAIL;
2087
2118
vp_fdn = pairfind(request->config_items, da->attr);
2088
2119
if (vp_fdn == NULL) {
2089
DEBUG("rlm_ldap: User's FQDN not in config items list.");
2120
RDEBUG("User's FQDN not in config items list.");
2090
2121
return RLM_MODULE_FAIL;
2127
2158
conn->bound = 0;
2128
2159
goto postauth_reconnect;
2130
DEBUG("rlm_ldap: eDirectory account policy check failed.");
2161
RDEBUG("eDirectory account policy check failed.");
2131
2162
ldap_get_option(conn->ld, LDAP_OPT_ERROR_STRING, &error_msg);
2132
2163
if (error_msg != NULL) {
2133
DEBUG("rlm_ldap: %s", error_msg);
2164
RDEBUG("%s", error_msg);
2134
2165
pairadd(&request->reply->vps, pairmake("Reply-Message", error_msg, T_OP_EQ));
2135
2166
ldap_memfree((void *)error_msg);
2181
static int ldap_rebind(LDAP *ld, LDAP_CONST char *url,
2182
UNUSED ber_tag_t request, UNUSED ber_int_t msgid,
2185
ldap_instance *inst = params;
2187
DEBUG("rlm_ldap: rebind to URL %s",url);
2188
return ldap_bind_s(ld, inst->login, inst->password, LDAP_AUTH_SIMPLE);
2150
2191
static LDAP *ldap_connect(void *instance, const char *dn, const char *password,
2151
2192
int auth, int *result, char **err)
2178
2219
tv.tv_usec = 0;
2179
2220
if (ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT,
2180
2221
(void *) &tv) != LDAP_OPT_SUCCESS) {
2181
radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_NETWORK_TIMEOUT %d", inst->net_timeout);
2222
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2223
radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_NETWORK_TIMEOUT %d: %s", inst->net_timeout, ldap_err2string(ldap_errno));
2227
* Leave "chase_referrals" unset to use the OpenLDAP
2230
if (inst->chase_referrals != 2) {
2231
if (inst->chase_referrals) {
2232
rc=ldap_set_option(ld, LDAP_OPT_REFERRALS,
2235
if (inst->rebind == 1) {
2236
ldap_set_rebind_proc(ld, ldap_rebind,
2240
rc=ldap_set_option(ld, LDAP_OPT_REFERRALS,
2243
if (rc != LDAP_OPT_SUCCESS) {
2244
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2245
radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_REFERRALS=%d %s", inst->chase_referrals, ldap_err2string(ldap_errno));
2184
2249
if (ldap_set_option(ld, LDAP_OPT_TIMELIMIT,
2185
2250
(void *) &(inst->timelimit)) != LDAP_OPT_SUCCESS) {
2186
radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_TIMELIMIT %d", inst->timelimit);
2251
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2252
radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_TIMELIMIT %d: %s", inst->timelimit, ldap_err2string(ldap_errno));
2189
2255
if (inst->ldap_debug && ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &(inst->ldap_debug)) != LDAP_OPT_SUCCESS) {
2190
radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_DEBUG_LEVEL %d", inst->ldap_debug);
2256
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2257
radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_DEBUG_LEVEL %d: %s", inst->ldap_debug, ldap_err2string(ldap_errno));
2193
2260
ldap_version = LDAP_VERSION3;
2194
2261
if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
2195
2262
&ldap_version) != LDAP_OPT_SUCCESS) {
2196
radlog(L_ERR, "rlm_ldap: Could not set LDAP version to V3");
2263
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2264
radlog(L_ERR, "rlm_ldap: Could not set LDAP version to V3: %s", ldap_err2string(ldap_errno));
2199
2267
#ifdef HAVE_LDAP_START_TLS
2202
2270
if (ldap_set_option(ld, LDAP_OPT_X_TLS,
2203
2271
(void *) &(inst->tls_mode)) != LDAP_OPT_SUCCESS) {
2204
2272
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2205
radlog(L_ERR, "rlm_ldap: could not set LDAP_OPT_X_TLS option %s", ldap_err2string(ldap_errno));
2273
radlog(L_ERR, "rlm_ldap: could not set LDAP_OPT_X_TLS option %s:", ldap_err2string(ldap_errno));
2212
2280
if ( ldap_set_option( NULL, LDAP_OPT_X_TLS_CACERTFILE,
2213
2281
(void *) inst->tls_cacertfile )
2214
2282
!= LDAP_OPT_SUCCESS) {
2283
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2215
2284
radlog(L_ERR, "rlm_ldap: could not set "
2216
"LDAP_OPT_X_TLS_CACERTFILE option to %s", inst->tls_cacertfile);
2285
"LDAP_OPT_X_TLS_CACERTFILE option to %s: %s",
2286
inst->tls_cacertfile,
2287
ldap_err2string(ldap_errno));
2223
2294
if ( ldap_set_option( NULL, LDAP_OPT_X_TLS_CACERTDIR,
2224
2295
(void *) inst->tls_cacertdir )
2225
2296
!= LDAP_OPT_SUCCESS) {
2297
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2226
2298
radlog(L_ERR, "rlm_ldap: could not set "
2227
"LDAP_OPT_X_TLS_CACERTDIR option to %s", inst->tls_cacertdir);
2299
"LDAP_OPT_X_TLS_CACERTDIR option to %s: %s",
2300
inst->tls_cacertdir,
2301
ldap_err2string(ldap_errno));
2237
2311
#ifdef HAVE_LDAP_INT_TLS_CONFIG
2238
2312
if (ldap_int_tls_config(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
2239
2313
(inst->tls_require_cert)) != LDAP_OPT_SUCCESS) {
2314
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2240
2315
radlog(L_ERR, "rlm_ldap: could not set "
2241
"LDAP_OPT_X_TLS_REQUIRE_CERT option to %s",
2242
inst->tls_require_cert);
2316
"LDAP_OPT_X_TLS_REQUIRE_CERT option to %s: %s",
2317
inst->tls_require_cert,
2318
ldap_err2string(ldap_errno));
2249
2325
if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE,
2250
2326
(void *) inst->tls_certfile)
2251
2327
!= LDAP_OPT_SUCCESS) {
2328
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2252
2329
radlog(L_ERR, "rlm_ldap: could not set "
2253
"LDAP_OPT_X_TLS_CERTFILE option to %s",
2254
inst->tls_certfile);
2330
"LDAP_OPT_X_TLS_CERTFILE option to %s: %s",
2332
ldap_err2string(ldap_errno));
2262
2340
if ( ldap_set_option( NULL, LDAP_OPT_X_TLS_KEYFILE,
2263
2341
(void *) inst->tls_keyfile )
2264
2342
!= LDAP_OPT_SUCCESS) {
2343
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2265
2344
radlog(L_ERR, "rlm_ldap: could not set "
2266
"LDAP_OPT_X_TLS_KEYFILE option to %s",
2345
"LDAP_OPT_X_TLS_KEYFILE option to %s: %s",
2346
inst->tls_keyfile, ldap_err2string(ldap_errno));
2275
2354
if (ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
2276
2355
(void *) inst->tls_randfile)
2277
2356
!= LDAP_OPT_SUCCESS) {
2357
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2278
2358
radlog(L_ERR, "rlm_ldap: could not set "
2279
"LDAP_OPT_X_TLS_RANDOM_FILE option to %s",
2280
inst->tls_randfile);
2359
"LDAP_OPT_X_TLS_RANDOM_FILE option to %s: %s",
2360
inst->tls_randfile, ldap_err2string(ldap_errno));