← Back to branch summary

~ubuntu-branches/ubuntu/natty/freeradius/natty-updates

« back to all changes in this revision

Viewing changes to src/modules/rlm_ldap/rlm_ldap.c

  • Committer: Bazaar Package Importer
  • Author(s): Josip Rodin
  • Date: 2009-11-23 03:57:37 UTC
  • mfrom: (1.2.1 upstream)
  • mto: This revision was merged to the branch mainline in revision 28.
  • Revision ID: james.westby@ubuntu.com-20091123035737-zsgtzhfych8hir68
Tags: 2.1.7+dfsg-1
http://bugs.debian.org/536623
http://bugs.debian.org/513484
http://bugs.debian.org/526175
http://bugs.debian.org/533396
http://bugs.debian.org/550143
* Adopting the package, closes: #536623.
* New upstream version, closes: #513484.
  + Fixes the blooper in unlang evaluation logic, closes: #526175.
* Used quilt (and added README.source), and moved upstream file patching
  into debian/patches/. The source is no longer in collab-maint git
  (to make it simpler for me to finally get this out the door), but
  kept the .gitignore should we need that again.
* Dropped the dialup_admin/bin/backup_radacct patch (integrated upstream).
* Dropped the raddb/Makefile patch (problem no longer exists upstream).
* Dropped the lib/packet.c lib/radius.c main/listen.c patches (was from
  upstream 2.0.5 anyway).
* Dropped references to otp.conf, it no longer exists upstream.
  Keep removing the conffile statoverride in prerm.
* Dropped references to snmp.conf, it no longer exists upstream.
  Keep removing the conffile statoverride in prerm.
* Ship /etc/freeradius/modules/* in the freeradius package.
* Stop shipping sites-enabled symlinks in the package and instead create
  them only on initial install, thanks to Matej Vela, closes: #533396.
* Add export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" to the init script
  at the request of John Morrissey, closes: #550143.
* Stop installing /var/run/freeradius in the package to silence Lintian.
  The init script already recreates it at will.
* Remove executable bit from example.pl to silence Lintian.

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/modules/rlm_ldap/rlm_ldap.c
19
19
 */
20
20
 
21
21
#include <freeradius-devel/ident.h>
22
 
RCSID("$Id: rlm_ldap.c,v 1.194 2008/04/17 07:59:21 aland Exp $")
 
22
RCSID("$Id$")
23
23
 
24
24
#include <freeradius-devel/radiusd.h>
25
25
#include <freeradius-devel/modules.h>
136
136
        int             default_allow;
137
137
        int             failed_conns;
138
138
        int             is_url;
 
139
        int             chase_referrals;
 
140
        int             rebind;
139
141
        char           *login;
140
142
        char           *password;
141
143
        char           *filter;
160
162
#endif
161
163
        int             ldap_debug; /* Debug flag for LDAP SDK */
162
164
        char            *xlat_name; /* name used to xlat */
 
165
        char            *auth_type;
163
166
        char            *tls_cacertfile;
164
167
        char            *tls_cacertdir;
165
168
        char            *tls_certfile;
271
274
         offsetof(ldap_instance,access_attr), NULL, NULL},
272
275
        {"access_attr_used_for_allow", PW_TYPE_BOOLEAN,
273
276
         offsetof(ldap_instance,default_allow), NULL, "yes"},
 
277
        {"chase_referrals", PW_TYPE_BOOLEAN,
 
278
         offsetof(ldap_instance,chase_referrals), NULL, NULL},
 
279
        {"rebind", PW_TYPE_BOOLEAN,
 
280
         offsetof(ldap_instance,rebind), NULL, NULL},
274
281
 
275
282
        /*
276
283
         *      Group checks.  These could probably be done
381
388
                return -1;
382
389
        }
383
390
        memset(inst, 0, sizeof(*inst));
 
391
        inst->chase_referrals = 2; /* use OpenLDAP defaults */
 
392
        inst->rebind = 2;
384
393
 
385
394
        if (cf_section_parse(conf, inst, module_config) < 0) {
386
395
                free(inst);
414
423
        inst->conns = NULL;
415
424
        inst->failed_conns = 0;
416
425
 
 
426
#if LDAP_SET_REBIND_PROC_ARGS != 3
 
427
        /*
 
428
         *      The 2-argument rebind doesn't take an instance
 
429
         *      variable.  Our rebind function needs the instance
 
430
         *      variable for the username, password, etc.
 
431
         */
 
432
        if (inst->rebind == 1) {
 
433
                radlog(L_ERR, "rlm_ldap: Cannot use 'rebind' directive as this version of libldap does not support the API that we need.");
 
434
                free(inst);
 
435
                return -1;
 
436
        }
 
437
#endif
 
438
 
417
439
        DEBUG("rlm_ldap: Registering ldap_groupcmp for Ldap-Group");
418
440
        paircompare_register(PW_LDAP_GROUP, PW_USER_NAME, ldap_groupcmp, inst);
419
441
        memset(&flags, 0, sizeof(flags));
456
478
         */
457
479
        if (inst->set_auth_type) {
458
480
                DICT_VALUE *dv = dict_valbyname(PW_AUTH_TYPE, xlat_name);
 
481
 
 
482
                /*
 
483
                 *      No section of *my* name, but maybe there's an
 
484
                 *      LDAP section...
 
485
                 */
 
486
                if (!dv) dv = dict_valbyname(PW_AUTH_TYPE, "LDAP");
459
487
                if (!dv) {
460
488
                        DEBUG2("rlm_ldap: Over-riding set_auth_type, as there is no module %s listed in the \"authenticate\" section.", xlat_name);
461
489
                        inst->set_auth_type = 0;
 
490
                } else {
 
491
                        inst->auth_type = dv->name; /* doesn't change on HUP */
462
492
                }
463
493
        } /* else no need to look up the value */
464
494
 
837
867
                return (RLM_MODULE_FAIL);
838
868
        }
839
869
 
840
 
        if ((ldap_count_entries(conn->ld, *result)) != 1) {
841
 
                DEBUG("rlm_ldap: object not found or got ambiguous search result");
 
870
        ldap_errno = ldap_count_entries(conn->ld, *result);
 
871
        if (ldap_errno != 1) {
 
872
                if (ldap_errno == 0) {
 
873
                        DEBUG("rlm_ldap: object not found");
 
874
                } else {
 
875
                        DEBUG("rlm_ldap: got ambiguous search result (%d results)", ldap_errno);
 
876
                }
842
877
                res = RLM_MODULE_NOTFOUND;
843
878
                ldap_msgfree(*result);
844
879
        }
1247
1282
        int             conn_id = -1;
1248
1283
        int             added_known_password = 0;
1249
1284
 
1250
 
        DEBUG("rlm_ldap: - authorize");
1251
 
 
1252
1285
        if (!request->username){
1253
 
                DEBUG2("rlm_ldap: Attribute \"User-Name\" is required for authorization.\n");
 
1286
                RDEBUG2("Attribute \"User-Name\" is required for authorization.\n");
1254
1287
                return RLM_MODULE_NOOP;
1255
1288
        }
1256
1289
 
1261
1294
         * Check for valid input, zero length names not permitted
1262
1295
         */
1263
1296
        if (request->username->vp_strvalue == 0) {
1264
 
                radlog(L_ERR, "rlm_ldap: zero length username not permitted\n");
 
1297
                DEBUG2("zero length username not permitted\n");
1265
1298
                return RLM_MODULE_INVALID;
1266
1299
        }
1267
 
        DEBUG("rlm_ldap: performing user authorization for %s",
 
1300
        RDEBUG("performing user authorization for %s",
1268
1301
               request->username->vp_strvalue);
1269
1302
 
1270
1303
        if (!radius_xlat(filter, sizeof(filter), inst->filter,
1271
1304
                         request, ldap_escape_func)) {
1272
 
                radlog (L_ERR, "rlm_ldap: unable to create filter.\n");
 
1305
                radlog(L_ERR, "rlm_ldap: unable to create filter.\n");
1273
1306
                return RLM_MODULE_INVALID;
1274
1307
        }
1275
1308
 
1276
1309
        if (!radius_xlat(basedn, sizeof(basedn), inst->basedn,
1277
1310
                         request, ldap_escape_func)) {
1278
 
                radlog (L_ERR, "rlm_ldap: unable to create basedn.\n");
 
1311
                radlog(L_ERR, "rlm_ldap: unable to create basedn.\n");
1279
1312
                return RLM_MODULE_INVALID;
1280
1313
        }
1281
1314
 
1284
1317
                return RLM_MODULE_FAIL;
1285
1318
        }
1286
1319
        if ((res = perform_search(instance, conn, basedn, LDAP_SCOPE_SUBTREE, filter, inst->atts, &result)) != RLM_MODULE_OK) {
1287
 
                DEBUG("rlm_ldap: search failed");
 
1320
                RDEBUG("search failed");
1288
1321
                if (res == RLM_MODULE_NOTFOUND){
1289
1322
                        snprintf(module_fmsg,sizeof(module_fmsg),"rlm_ldap: User not found");
1290
1323
                        module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
1294
1327
                return (res);
1295
1328
        }
1296
1329
        if ((msg = ldap_first_entry(conn->ld, result)) == NULL) {
1297
 
                DEBUG("rlm_ldap: ldap_first_entry() failed");
 
1330
                RDEBUG("ldap_first_entry() failed");
1298
1331
                ldap_msgfree(result);
1299
1332
                ldap_release_conn(conn_id,inst->conns);
1300
1333
                return RLM_MODULE_FAIL;
1301
1334
        }
1302
1335
        if ((user_dn = ldap_get_dn(conn->ld, msg)) == NULL) {
1303
 
                DEBUG("rlm_ldap: ldap_get_dn() failed");
 
1336
                RDEBUG("ldap_get_dn() failed");
1304
1337
                ldap_msgfree(result);
1305
1338
                ldap_release_conn(conn_id,inst->conns);
1306
1339
                return RLM_MODULE_FAIL;
1317
1350
        if (inst->access_attr) {
1318
1351
                if ((vals = ldap_get_values(conn->ld, msg, inst->access_attr)) != NULL) {
1319
1352
                        if (inst->default_allow){
1320
 
                                DEBUG("rlm_ldap: checking if remote access for %s is allowed by %s", request->username->vp_strvalue, inst->access_attr);
 
1353
                                RDEBUG("checking if remote access for %s is allowed by %s", request->username->vp_strvalue, inst->access_attr);
1321
1354
                                if (!strncmp(vals[0], "FALSE", 5)) {
1322
 
                                        DEBUG("rlm_ldap: dialup access disabled");
 
1355
                                        RDEBUG("dialup access disabled");
1323
1356
                                        snprintf(module_fmsg,sizeof(module_fmsg),"rlm_ldap: Access Attribute denies access");
1324
1357
                                        module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
1325
1358
                                        pairadd(&request->packet->vps, module_fmsg_vp);
1331
1364
                                ldap_value_free(vals);
1332
1365
                        }
1333
1366
                        else{
1334
 
                                DEBUG("rlm_ldap: %s attribute exists - access denied by default", inst->access_attr);
 
1367
                                RDEBUG("%s attribute exists - access denied by default", inst->access_attr);
1335
1368
                                snprintf(module_fmsg,sizeof(module_fmsg),"rlm_ldap: Access Attribute denies access");
1336
1369
                                module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
1337
1370
                                pairadd(&request->packet->vps, module_fmsg_vp);
1342
1375
                        }
1343
1376
                } else {
1344
1377
                        if (inst->default_allow){
1345
 
                                DEBUG("rlm_ldap: no %s attribute - access denied by default", inst->access_attr);
 
1378
                                RDEBUG("no %s attribute - access denied by default", inst->access_attr);
1346
1379
                                snprintf(module_fmsg,sizeof(module_fmsg),"rlm_ldap: Access Attribute denies access");
1347
1380
                                module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
1348
1381
                                pairadd(&request->packet->vps, module_fmsg_vp);
1389
1422
                                }
1390
1423
                                ldap_msgfree(def_result);
1391
1424
                        } else
1392
 
                                DEBUG("rlm_ldap: default_profile/user-profile search failed");
 
1425
                                RDEBUG("default_profile/user-profile search failed");
1393
1426
                }
1394
1427
        }
1395
1428
 
1428
1461
                                        }
1429
1462
                                        ldap_msgfree(def_attr_result);
1430
1463
                                } else
1431
 
                                        DEBUG("rlm_ldap: profile_attribute search failed");
 
1464
                                        RDEBUG("profile_attribute search failed");
1432
1465
                                i++;
1433
1466
                        }
1434
1467
                        ldap_value_free(vals);
1487
1520
                                                        strlen(inst->passwd_hdr)) == 0) {
1488
1521
                                                value += strlen(inst->passwd_hdr);
1489
1522
                                        } else {
1490
 
                                                DEBUG("rlm_ldap: Password header not found in password %s for user %s", passwd_vals[0], request->username->vp_strvalue);
 
1523
                                                RDEBUG("Password header not found in password %s for user %s", passwd_vals[0], request->username->vp_strvalue);
1491
1524
                                        }
1492
1525
                                }
1493
1526
                                if (!value) continue;
1500
1533
                                strlcpy(passwd_item->vp_strvalue, value,
1501
1534
                                        sizeof(passwd_item->vp_strvalue));
1502
1535
                                passwd_item->length = strlen(passwd_item->vp_strvalue);
1503
 
                                DEBUG("rlm_ldap: Added %s = %s in check items",
 
1536
                                RDEBUG("Added %s = %s in check items",
1504
1537
                                      passwd_item->name,
1505
1538
                                      passwd_item->vp_strvalue);
1506
1539
                                added_known_password = 1;
1537
1570
                                                if (passwd_val != NULL)
1538
1571
                                                        passwd_val += strlen((char*)inst->passwd_hdr);
1539
1572
                                                else
1540
 
                                                        DEBUG("rlm_ldap: Password header not found in password %s for user %s ",passwd_val,request->username->vp_strvalue);
 
1573
                                                        RDEBUG("Password header not found in password %s for user %s ",passwd_val,request->username->vp_strvalue);
1541
1574
                                        }
1542
1575
 
1543
1576
                                        if (passwd_val){
1585
1618
                                                }
1586
1619
#endif
1587
1620
 
1588
 
                                                DEBUG("rlm_ldap: Added the eDirectory password %s in check items as %s",passwd_item->vp_strvalue,passwd_item->name);
 
1621
                                                RDEBUG("Added the eDirectory password %s in check items as %s",passwd_item->vp_strvalue,passwd_item->name);
1589
1622
                                        }
1590
1623
                                }
1591
1624
                                else {
1592
 
                                        DEBUG("rlm_ldap: Error reading Universal Password.Return Code = %d",res);
 
1625
                                        RDEBUG("Error reading Universal Password.Return Code = %d",res);
1593
1626
                                }
1594
1627
 
1595
1628
                                memset(universal_password, 0, universal_password_len);
1619
1652
                                vp_auth_opt->length = strlen(auth_option[0]);
1620
1653
                                pairadd(&request->config_items, vp_auth_opt);
1621
1654
                        }else{
1622
 
                                DEBUG("rlm_ldap: No default NMAS login sequence");
 
1655
                                RDEBUG("No default NMAS login sequence");
1623
1656
                        }
1624
1657
                }
1625
1658
        }
1626
1659
#endif
1627
1660
 
1628
 
        DEBUG("rlm_ldap: looking for check items in directory...");
 
1661
        RDEBUG("looking for check items in directory...");
1629
1662
 
1630
1663
        if ((check_tmp = ldap_pairget(conn->ld, msg, inst->check_item_map,check_pairs,1)) != NULL) {
1631
1664
                if (inst->do_xlat){
1637
1670
        }
1638
1671
 
1639
1672
 
1640
 
        DEBUG("rlm_ldap: looking for reply items in directory...");
 
1673
        RDEBUG("looking for reply items in directory...");
1641
1674
 
1642
1675
 
1643
1676
        if ((reply_tmp = ldap_pairget(conn->ld, msg, inst->reply_item_map,reply_pairs,0)) != NULL) {
1664
1697
                        vp_apc->vp_strvalue[0] = '1';
1665
1698
#endif
1666
1699
 
1667
 
                DEBUG("rlm_ldap: Pairs do not match. Rejecting user.");
 
1700
                RDEBUG("Pairs do not match. Rejecting user.");
1668
1701
                snprintf(module_fmsg,sizeof(module_fmsg),"rlm_ldap: Pairs do not match");
1669
1702
                module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
1670
1703
                pairadd(&request->packet->vps, module_fmsg_vp);
1696
1729
            request->password &&
1697
1730
            (request->password->attribute == PW_USER_PASSWORD) &&
1698
1731
            !added_known_password) {
1699
 
                pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name, T_OP_EQ));
1700
 
                DEBUG("rlm_ldap: Setting Auth-Type = %s", inst->xlat_name);
 
1732
                pairadd(check_pairs, pairmake("Auth-Type", inst->auth_type, T_OP_EQ));
 
1733
                RDEBUG("Setting Auth-Type = %s", inst->auth_type);
1701
1734
        }
1702
1735
 
1703
 
        DEBUG("rlm_ldap: user %s authorized to use remote access",
 
1736
        RDEBUG("user %s authorized to use remote access",
1704
1737
              request->username->vp_strvalue);
1705
1738
        ldap_msgfree(result);
1706
1739
        ldap_release_conn(conn_id,inst->conns);
1733
1766
        char            *err = NULL;
1734
1767
#endif
1735
1768
 
1736
 
        DEBUG("rlm_ldap: - authenticate");
1737
 
 
1738
1769
        /*
1739
1770
         * Ensure that we're being passed a plain-text password, and not
1740
1771
         * anything else.
1777
1808
        }
1778
1809
 
1779
1810
 
1780
 
        DEBUG("rlm_ldap: login attempt by \"%s\" with password \"%s\"",
 
1811
        RDEBUG("login attempt by \"%s\" with password \"%s\"",
1781
1812
               request->username->vp_strvalue, request->password->vp_strvalue);
1782
1813
 
1783
1814
        while ((vp_user_dn = pairfind(request->config_items,
1784
1815
                                      PW_LDAP_USERDN)) == NULL) {
1785
1816
                if (!radius_xlat(filter, sizeof(filter), inst->filter,
1786
1817
                                request, ldap_escape_func)) {
1787
 
                        radlog (L_ERR, "rlm_ldap: unable to create filter.\n");
 
1818
                        radlog(L_ERR, "rlm_ldap: unable to create filter.\n");
1788
1819
                        return RLM_MODULE_INVALID;
1789
1820
                }
1790
1821
 
1791
1822
                if (!radius_xlat(basedn, sizeof(basedn), inst->basedn,
1792
1823
                                request, ldap_escape_func)) {
1793
 
                        radlog (L_ERR, "rlm_ldap: unable to create basedn.\n");
 
1824
                        radlog(L_ERR, "rlm_ldap: unable to create basedn.\n");
1794
1825
                        return RLM_MODULE_INVALID;
1795
1826
                }
1796
1827
 
1813
1844
                        return RLM_MODULE_FAIL;
1814
1845
                }
1815
1846
                if ((user_dn = ldap_get_dn(conn->ld, msg)) == NULL) {
1816
 
                        DEBUG("rlm_ldap: ldap_get_dn() failed");
 
1847
                        RDEBUG("ldap_get_dn() failed");
1817
1848
                        ldap_msgfree(result);
1818
1849
                        ldap_release_conn(conn_id,inst->conns);
1819
1850
                        return RLM_MODULE_FAIL;
1826
1857
 
1827
1858
        user_dn = vp_user_dn->vp_strvalue;
1828
1859
 
1829
 
        DEBUG("rlm_ldap: user DN: %s", user_dn);
 
1860
        RDEBUG("user DN: %s", user_dn);
1830
1861
 
1831
1862
#ifndef NOVELL
1832
1863
        ld_user = ldap_connect(instance, user_dn, request->password->vp_strvalue,
1862
1893
 
1863
1894
                if(vp_auth_opt )
1864
1895
                {
1865
 
                        DEBUG("rlm_ldap: ldap auth option = %s", vp_auth_opt->vp_strvalue);
 
1896
                        RDEBUG("ldap auth option = %s", vp_auth_opt->vp_strvalue);
1866
1897
                        strncpy(seq, vp_auth_opt->vp_strvalue, vp_auth_opt->length);
1867
1898
                        seq[vp_auth_opt->length] = '\0';
1868
1899
                        if( strcmp(seq, "<No Default>") ){
1878
1909
 
1879
1910
                                /*  If state attribute present in request it is a reply to challenge. */
1880
1911
                                if((vp_state = pairfind(request->packet->vps, PW_STATE))!= NULL ){
1881
 
                                        DEBUG("rlm_ldap: Response to Access-Challenge");
 
1912
                                        RDEBUG("Response to Access-Challenge");
1882
1913
                                        strncpy(challenge, vp_state->vp_strvalue, sizeof(challenge));
1883
1914
                                        challenge_len = vp_state->length;
1884
1915
                                        challenge[challenge_len] = 0;
1917
1948
                                        conn1->bound = 1;
1918
1949
                                        conn1->failed_conns = 0;
1919
1950
                                }
1920
 
                                DEBUG("rlm_ldap: Performing NMAS Authentication for user: %s, seq: %s \n", user_dn,seq);
 
1951
                                RDEBUG("Performing NMAS Authentication for user: %s, seq: %s \n", user_dn,seq);
1921
1952
 
1922
1953
                                res = radLdapXtnNMASAuth(conn1->ld, user_dn, request->password->vp_strvalue, seq, host_ipaddr, &challenge_len, challenge, &auth_state );
1923
1954
 
1928
1959
                                                        res = RLM_MODULE_FAIL;
1929
1960
                                                if ( auth_state != REQUEST_CHALLENGED){
1930
1961
                                                        if (auth_state == REQUEST_ACCEPTED){
1931
 
                                                                DEBUG("rlm_ldap: user %s authenticated succesfully",request->username->vp_strvalue);
 
1962
                                                                RDEBUG("user %s authenticated succesfully",request->username->vp_strvalue);
1932
1963
                                                                res = RLM_MODULE_OK;
1933
1964
                                                        }else if(auth_state == REQUEST_REJECTED){
1934
 
                                                                DEBUG("rlm_ldap: user %s authentication failed",request->username->vp_strvalue);
 
1965
                                                                RDEBUG("user %s authentication failed",request->username->vp_strvalue);
1935
1966
                                                                res = RLM_MODULE_REJECT;
1936
1967
                                                        }
1937
1968
                                                }else{
1947
1978
                                                        free(state);
1948
1979
                                                        /* Mark the packet as a Acceess-Challenge Packet */
1949
1980
                                                        request->reply->code = PW_ACCESS_CHALLENGE;
1950
 
                                                        DEBUG("rlm_ldap: Sending Access-Challenge.");
 
1981
                                                        RDEBUG("Sending Access-Challenge.");
1951
1982
                                                        res = RLM_MODULE_HANDLED;
1952
1983
                                                }
1953
1984
                                                if(challenge)
1978
2009
 
1979
2010
        if(err != NULL){
1980
2011
                /* 'err' contains the LDAP connection error description */
1981
 
                DEBUG("rlm_ldap: %s", err);
 
2012
                RDEBUG("%s", err);
1982
2013
                pairadd(&request->reply->vps, pairmake("Reply-Message", err, T_OP_EQ));
1983
2014
                ldap_memfree((void *)err);
1984
2015
        }
1992
2023
                        pairadd(&request->packet->vps, module_fmsg_vp);
1993
2024
                }
1994
2025
                if (res == RLM_MODULE_FAIL){
1995
 
                        DEBUG("rlm_ldap: ldap_connect() failed");
 
2026
                        RDEBUG("ldap_connect() failed");
1996
2027
                        inst->failed_conns++;
1997
2028
                }
1998
2029
                return (res);
1999
2030
        }
2000
2031
 
2001
 
        DEBUG("rlm_ldap: user %s authenticated succesfully",
 
2032
        RDEBUG("user %s authenticated succesfully",
2002
2033
              request->username->vp_strvalue);
2003
2034
        ldap_unbind_s(ld_user);
2004
2035
        inst->failed_conns = 0;
2073
2104
                                        /* Bind to eDirectory as the RADIUS user using the user's UP */
2074
2105
                                        vp_pwd = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD);
2075
2106
                                        if (vp_pwd == NULL) {
2076
 
                                                DEBUG("rlm_ldap: User's Universal Password not in config items list.");
 
2107
                                                RDEBUG("User's Universal Password not in config items list.");
2077
2108
                                                return RLM_MODULE_FAIL;
2078
2109
                                        }
2079
2110
                                        strcpy(password, vp_pwd->vp_strvalue);
2080
2111
                                }
2081
2112
 
2082
2113
                                if ((da = dict_attrbyname("Ldap-UserDn")) == NULL) {
2083
 
                                        DEBUG("rlm_ldap: Attribute for user FDN not found in dictionary. Unable to proceed");
 
2114
                                        RDEBUG("Attribute for user FDN not found in dictionary. Unable to proceed");
2084
2115
                                        return RLM_MODULE_FAIL;
2085
2116
                                }
2086
2117
 
2087
2118
                                vp_fdn = pairfind(request->config_items, da->attr);
2088
2119
                                if (vp_fdn == NULL) {
2089
 
                                        DEBUG("rlm_ldap: User's FQDN not in config items list.");
 
2120
                                        RDEBUG("User's FQDN not in config items list.");
2090
2121
                                        return RLM_MODULE_FAIL;
2091
2122
                                }
2092
2123
 
2112
2143
                                                radlog(L_ERR, "rlm_ldap: eDirectory account policy check failed.");
2113
2144
 
2114
2145
                                                if (error_msg != NULL) {
2115
 
                                                        DEBUG("rlm_ldap: %s", error_msg);
 
2146
                                                        RDEBUG("%s", error_msg);
2116
2147
                                                        pairadd(&request->reply->vps, pairmake("Reply-Message", error_msg, T_OP_EQ));
2117
2148
                                                        ldap_memfree((void *)error_msg);
2118
2149
                                                }
2127
2158
                                                conn->bound = 0;
2128
2159
                                                goto postauth_reconnect;
2129
2160
                                        }
2130
 
                                        DEBUG("rlm_ldap: eDirectory account policy check failed.");
 
2161
                                        RDEBUG("eDirectory account policy check failed.");
2131
2162
                                        ldap_get_option(conn->ld, LDAP_OPT_ERROR_STRING, &error_msg);
2132
2163
                                        if (error_msg != NULL) {
2133
 
                                                DEBUG("rlm_ldap: %s", error_msg);
 
2164
                                                RDEBUG("%s", error_msg);
2134
2165
                                                pairadd(&request->reply->vps, pairmake("Reply-Message", error_msg, T_OP_EQ));
2135
2166
                                                ldap_memfree((void *)error_msg);
2136
2167
                                        }
2147
2178
}
2148
2179
#endif
2149
2180
 
 
2181
static int ldap_rebind(LDAP *ld, LDAP_CONST char *url,
 
2182
                       UNUSED ber_tag_t request, UNUSED ber_int_t msgid,
 
2183
                       void *params )
 
2184
{
 
2185
        ldap_instance   *inst = params;
 
2186
 
 
2187
        DEBUG("rlm_ldap: rebind to URL %s",url);
 
2188
        return ldap_bind_s(ld, inst->login, inst->password, LDAP_AUTH_SIMPLE);
 
2189
}
 
2190
 
2150
2191
static LDAP *ldap_connect(void *instance, const char *dn, const char *password,
2151
2192
                          int auth, int *result, char **err)
2152
2193
{
2178
2219
        tv.tv_usec = 0;
2179
2220
        if (ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT,
2180
2221
                            (void *) &tv) != LDAP_OPT_SUCCESS) {
2181
 
                radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_NETWORK_TIMEOUT %d", inst->net_timeout);
 
2222
                ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
 
2223
                radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_NETWORK_TIMEOUT %d: %s", inst->net_timeout, ldap_err2string(ldap_errno));
 
2224
        }
 
2225
 
 
2226
        /*
 
2227
         *      Leave "chase_referrals" unset to use the OpenLDAP
 
2228
         *      default.
 
2229
         */
 
2230
        if (inst->chase_referrals != 2) {
 
2231
                if (inst->chase_referrals) {
 
2232
                        rc=ldap_set_option(ld, LDAP_OPT_REFERRALS,
 
2233
                                           LDAP_OPT_ON);
 
2234
                        
 
2235
                        if (inst->rebind == 1) {
 
2236
                                ldap_set_rebind_proc(ld, ldap_rebind,
 
2237
                                                     inst);
 
2238
                        }
 
2239
                } else {
 
2240
                        rc=ldap_set_option(ld, LDAP_OPT_REFERRALS,
 
2241
                                           LDAP_OPT_OFF);
 
2242
                }
 
2243
                if (rc != LDAP_OPT_SUCCESS) {
 
2244
                        ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
 
2245
                        radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_REFERRALS=%d  %s", inst->chase_referrals, ldap_err2string(ldap_errno));
 
2246
                }
2182
2247
        }
2183
2248
 
2184
2249
        if (ldap_set_option(ld, LDAP_OPT_TIMELIMIT,
2185
2250
                            (void *) &(inst->timelimit)) != LDAP_OPT_SUCCESS) {
2186
 
                radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_TIMELIMIT %d", inst->timelimit);
 
2251
                ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
 
2252
                radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_TIMELIMIT %d: %s", inst->timelimit, ldap_err2string(ldap_errno));
2187
2253
        }
2188
2254
 
2189
2255
        if (inst->ldap_debug && ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &(inst->ldap_debug)) != LDAP_OPT_SUCCESS) {
2190
 
                radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_DEBUG_LEVEL %d", inst->ldap_debug);
 
2256
                ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
 
2257
                radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_DEBUG_LEVEL %d: %s", inst->ldap_debug, ldap_err2string(ldap_errno));
2191
2258
        }
2192
2259
 
2193
2260
        ldap_version = LDAP_VERSION3;
2194
2261
        if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
2195
2262
                            &ldap_version) != LDAP_OPT_SUCCESS) {
2196
 
                radlog(L_ERR, "rlm_ldap: Could not set LDAP version to V3");
 
2263
                ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
 
2264
                radlog(L_ERR, "rlm_ldap: Could not set LDAP version to V3: %s", ldap_err2string(ldap_errno));
2197
2265
        }
2198
2266
 
2199
2267
#ifdef HAVE_LDAP_START_TLS
2202
2270
                if (ldap_set_option(ld, LDAP_OPT_X_TLS,
2203
2271
                                    (void *) &(inst->tls_mode)) != LDAP_OPT_SUCCESS) {
2204
2272
                        ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2205
 
                        radlog(L_ERR, "rlm_ldap: could not set LDAP_OPT_X_TLS option %s", ldap_err2string(ldap_errno));
 
2273
                        radlog(L_ERR, "rlm_ldap: could not set LDAP_OPT_X_TLS option %s:", ldap_err2string(ldap_errno));
2206
2274
                }
2207
2275
        }
2208
2276
 
2212
2280
                if ( ldap_set_option( NULL, LDAP_OPT_X_TLS_CACERTFILE,
2213
2281
                                      (void *) inst->tls_cacertfile )
2214
2282
                     != LDAP_OPT_SUCCESS) {
 
2283
                        ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2215
2284
                        radlog(L_ERR, "rlm_ldap: could not set "
2216
 
                               "LDAP_OPT_X_TLS_CACERTFILE option to %s", inst->tls_cacertfile);
 
2285
                               "LDAP_OPT_X_TLS_CACERTFILE option to %s: %s",
 
2286
                               inst->tls_cacertfile,
 
2287
                               ldap_err2string(ldap_errno));
2217
2288
                }
2218
2289
        }
2219
2290
 
2223
2294
                if ( ldap_set_option( NULL, LDAP_OPT_X_TLS_CACERTDIR,
2224
2295
                                      (void *) inst->tls_cacertdir )
2225
2296
                     != LDAP_OPT_SUCCESS) {
 
2297
                        ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2226
2298
                        radlog(L_ERR, "rlm_ldap: could not set "
2227
 
                               "LDAP_OPT_X_TLS_CACERTDIR option to %s", inst->tls_cacertdir);
 
2299
                               "LDAP_OPT_X_TLS_CACERTDIR option to %s: %s",
 
2300
                               inst->tls_cacertdir,
 
2301
                               ldap_err2string(ldap_errno));
2228
2302
                }
2229
2303
        }
2230
2304
 
2237
2311
#ifdef HAVE_LDAP_INT_TLS_CONFIG
2238
2312
        if (ldap_int_tls_config(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
2239
2313
                                (inst->tls_require_cert)) != LDAP_OPT_SUCCESS) {
 
2314
                ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2240
2315
                radlog(L_ERR, "rlm_ldap: could not set "
2241
 
                       "LDAP_OPT_X_TLS_REQUIRE_CERT option to %s",
2242
 
                       inst->tls_require_cert);
 
2316
                       "LDAP_OPT_X_TLS_REQUIRE_CERT option to %s: %s",
 
2317
                       inst->tls_require_cert,
 
2318
                       ldap_err2string(ldap_errno));
2243
2319
        }
2244
2320
#endif
2245
2321
 
2249
2325
                if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE,
2250
2326
                                    (void *) inst->tls_certfile)
2251
2327
                    != LDAP_OPT_SUCCESS) {
 
2328
                        ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2252
2329
                        radlog(L_ERR, "rlm_ldap: could not set "
2253
 
                               "LDAP_OPT_X_TLS_CERTFILE option to %s",
2254
 
                               inst->tls_certfile);
 
2330
                               "LDAP_OPT_X_TLS_CERTFILE option to %s: %s",
 
2331
                               inst->tls_certfile,
 
2332
                               ldap_err2string(ldap_errno));
2255
2333
                }
2256
2334
        }
2257
2335
 
2262
2340
                if ( ldap_set_option( NULL, LDAP_OPT_X_TLS_KEYFILE,
2263
2341
                                      (void *) inst->tls_keyfile )
2264
2342
                     != LDAP_OPT_SUCCESS) {
 
2343
                        ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2265
2344
                        radlog(L_ERR, "rlm_ldap: could not set "
2266
 
                               "LDAP_OPT_X_TLS_KEYFILE option to %s",
2267
 
                               inst->tls_keyfile);
 
2345
                               "LDAP_OPT_X_TLS_KEYFILE option to %s: %s",
 
2346
                               inst->tls_keyfile, ldap_err2string(ldap_errno));
2268
2347
                }
2269
2348
        }
2270
2349
 
2275
2354
                if (ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
2276
2355
                                    (void *) inst->tls_randfile)
2277
2356
                    != LDAP_OPT_SUCCESS) {
 
2357
                        ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
2278
2358
                        radlog(L_ERR, "rlm_ldap: could not set "
2279
 
                               "LDAP_OPT_X_TLS_RANDOM_FILE option to %s",
2280
 
                               inst->tls_randfile);
 
2359
                               "LDAP_OPT_X_TLS_RANDOM_FILE option to %s: %s",
 
2360
                               inst->tls_randfile, ldap_err2string(ldap_errno));
2281
2361
                }
2282
2362
        }
2283
2363
 
2531
2611
        char          **vals;
2532
2612
        int             vals_count;
2533
2613
        int             vals_idx;
2534
 
        char           *ptr;
2535
 
        char           *value;
 
2614
        const char      *ptr;
 
2615
        const char     *value;
2536
2616
        TLDAP_RADIUS   *element;
2537
2617
        FR_TOKEN      token, operator;
2538
2618
        int             is_generic_attribute;
2645
2725
                                                   do_xlat ? NULL : value,
2646
2726
                                                   operator);
2647
2727
                                if (newpair == NULL) {
2648
 
                                        radlog(L_ERR, "rlm_ldap: Failed to create the pair: %s", librad_errstr);
 
2728
                                        radlog(L_ERR, "rlm_ldap: Failed to create the pair: %s", fr_strerror());
2649
2729
                                        continue;
2650
2730
                                }
2651
2731
 
2657
2737
                                }
2658
2738
                                vp_prints(print_buffer, sizeof(print_buffer),
2659
2739
                                          newpair);
2660
 
                                DEBUG("rlm_ldap: LDAP attribute %s as RADIUS attribute %s",
 
2740
                                DEBUG("rlm_ldap: %s -> %s",
2661
2741
                                      element->attr, print_buffer);
2662
2742
 
2663
2743